StoneOS CLI User Guide Complete Book 5.5R10


Hillstone Networks

StoneOS CLI User Guide


Complete Book
Version 5.5R10

TechDocs | docs.hillstonenet.com
Copyright 2023 Hillstone Networks. All rights reserved.
Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Hillstone Networks.

Contact Information:
US Headquarters:
Hillstone Networks
5201 Great America Pkwy, #420
Santa Clara, CA 95054
Phone: 1-408-508-6750
http://www.hillstonenet.com/about-us/contact/

About this Guide:


This guide gives comprehensive configuration instructions for Hillstone Networks StoneOS.
For more information, refer to the documentation site: https://docs.hillstonenet.com.
To provide feedback on the documentation, please write to us at:
[email protected]

TWNO: TW-WUG-UNI-A-5.5R10-EN-V1.1-1/25/2023
Contents

Contents 1

About This Guide 1

Content 1

CLI 1

WebUI 2

Command Line Interface 2

Overview 2

CLI Modes and Prompts 2

Execution Mode 2

Global Configuration Mode 2

Sub-module Configuration Mode 3

Switching between CLI Modes 3

CLI Error Message 3

Command Input 4

Command Short Form 4

Listing Available Commands 4

Completing Partial Commands 5

Using CLI 5

Previous Commands 5

Shortcut Keys 5

TOC - 1
Filtering Output of Show Commands 6

CLI Page Display 7

Specifying Screen Size 8

Specifying Connection Timeout 8

Redirecting the Output of Show Commands 9

Diagnostic Commands 10

Viewing Device Processes 10

Chapter 1 Firewall 1

Configuration Environment 3

Overview 3

Accessing a Device via Console Port 3

Accessing a Device via Telnet 4

Accessing a Device over SSH 5

Accessing a Device via WebUI 6

Logging in by Using Certificate Authentication 7

Configuring the Device Side 8

Configuring the Client Side 9

Unfreezing the WebUI 10

Application Mode 11

Overview 11

Transparent Mode 11

Mix Mode 11

Routing Mode 12

VSwitch 13

Basic Concepts 13

L2 Zones 13

L2 Interfaces 14

Forwarding Rules in VSwitch 14

Configuring a VSwitch 16

Viewing MAC Table Information 16

Virtual Wire 17

Configuring a Virtual Wire 18

Enabling Virtual Wire 18

Configuring a Virtual Wire Interface Pair 18

Viewing Virtual Wire Configuration Information 19

NSH Proxy 19

Enabling NSH layer 2 Proxy 20

NSH Proxy Debugging 20

Viewing the NSH Packets on Interfaces 20

Viewing the NSH Sessions 20

Viewing Virtual Wire and NSH Proxy Configurations 21

VLAN Transparent in the Transparent Mode 21

Configuration Example 22

Configuration Steps 23

Configuring Transparent ARP 25

Configuring a VRouter 25

Enabling and Disabling Multi-VR 25

Creating a VRouter 26

Viewing VRouter Information 26

Deployment Mode 27

Overview 27

Inline Mode 27

Bypass Mode 27

Mix Mode 28

Working Principle of Bypass Mode 29

Configuring Bypass Mode 29

Creating a Tap Zone 30

Binding an Interface to a Tap Zone 30

Configuring a Bypass Control Interface 30

Specifying a Statistical Range 31

Configuring a Linkage Firewall 32

Example of Configuring Bypass Mode 33

Topology 33

Configuration Steps 34

StoneOS Architecture 35

Overview 35

Interfaces 35

Zones 35

VSwitches 36

VRouter 36

Policy 37

VPN 37

Packet Handling Process 38

Deny Session 41

Configuring the Deny Session Function 42

Specifying the Deny Session Type 42

Specifying the Maximum Number of Deny Sessions 43

Specifying the Timeout Value 44

Viewing the Deny Session Configuration Information 44

Viewing the Deny Session Information 44

TCP RST Packet Check 44

Global Network Parameters 45

Configuring MSS 45

TCP Sequence Number Check 45

TCP Three-way Handshaking Timeout Check 46

TCP Connection State Age-time 46

TCP SYN Packet Check 47

IP Fragment 48

SYN Packet Dropping 49

Enabling/Disabling SYN Packet Dropping 49

Viewing the State of SYN Packet Dropping 49

Jumbo Frame 50

Session Information 51

Showing Session Information 51

Clearing Session Information 53

Delayed Session Deletion 55

Enabling Delayed Session Deletion 55

Viewing the State of Delayed Session Deletion 55

RTO Query Optimization 55

Enabling/Disabling RTO Query Optimization 56

Displaying the State of RTO Query Optimization 56

Low Latency Mode 57

Zone 58

Overview 58

Predefined Security Zone 58

Configuring a Security Zone 58

Viewing the Zone Information 59

Creating a Zone 59

Specifying the Description 59

Binding a Layer 3 Zone to a VRouter 60

Binding a Layer 2 Zone to a VSwitch 60

Configuration Example 61

Interface 62

Overview 62

Interface Types 62

Interface Dependency 64

Viewing Interface Information 65

Viewing All Interfaces 65

Viewing a Specific Interface 67

Configuring an Interface 67

Binding an Interface to a Zone 69

Specifying the Description 70

Configuring an Interface IP Address 70

Configuring Interface Secondary IP 71

Configuring an Interface MTU Value 72

Configuring Interface Force Shutdown 72

Specifying the Track Object 73

Configuring Interface ARP Timeout 73

Configuring an Interface Protocol 74

Configuring FTP on the Interface 74

Configuring Interface Mirroring 75

Configuring Mirror Filter 76

Configuring Traffic Mirroring 78

Configuring a Mirror Profile 78

Mirroring Traffic to an Interface 79

Mirroring Traffic to an IP Address 79

Binding a Mirror Profile to a Policy 80

Viewing Mirror Profile Information 80

Interface Reverse Route 81

Configuring Interface Backup 82

Configuring Hold Time 82

Configuring an Out-of-band Management Interface 83

Configuring the Keepalive Function of Interface 84

Configuring the Interface Group 84

Configuring Local Property 85

Hillstone Secure Defender 86

Disabling Recording Interface IP Address Conflict Log Triggered by DAD Mode ARP Packets 86

Configuring Interface Proxy ARP 87

PnP IP Configuration Example 88

Configuring a Loopback Interface 90

Creating a Loopback Interface 90

Configuring an Ethernet Interface 90

Configuring an Ethernet Sub-interface 90

Entering the Ethernet Configuration Mode 91

Configuring an Interface Duplex Mode and Speed 91

Cloning a MAC Address 92

Configuring a Combo Type 92

Configuring a VSwitch Interface 93

Creating a VSwitch Interface 93

Configuring a VLAN Interface 94

Creating a VLAN Interface 94

Configuring a Super-VLAN Interface 94

Creating a Super-VLAN Interface 94

Configuring an Aggregate Interface 95

Creating an Aggregate Interface and Sub-interface 95

Adding a Physical Interface 96

Example of Configuring an Aggregate Interface 96

Configuring a Redundant Interface 97

Creating a Redundant Interface and Sub-interface 97

Adding a Physical Interface 97

Specifying the Primary Interface 98

Enabling/Disabling Alarm Logs for ARP Loops 98

Example of Configuring a Redundant Interface 99

Configuring a Tunnel Interface 99

Creating a Tunnel Interface 99

Binding a Tunnel 100

Multi-tunnel OSPF 101

Borrowing an IP Address (IP Unnumbered) 101

Viewing Tunnel Information 102

Configuring a PPPoE Sub-interface 102

Link Aggregation 102

LACP 103

Member Status in an Aggregate Group 103

Configuring LACP 104

Enabling/Disabling LACP 104

Specifying LACP System Priority 104

Specifying Interface LACP Priority 105

Specifying LACP Timeout 105

Specifying the Maximum Active Links 106

Specifying the Minimum Active Links 106

Specifying the Load Balance Mode 107

Viewing Aggregate Group Information 108

Bypassing the Device 108

Network Layout with Bypass Module 108

Built-in Bypass Modules 109

External Bypass Module 110

Enabling External Bypassing 111

Viewing External Bypassing 112

Enabling/Disabling Forced Bypass 112

Monitoring the Status of Ports 113

PoE 114

Configuring PoE Settings 114

Enabling PoE Function 114

Configuring Detection Method 114

Specifying Maximum Power Supplied by PoE Interface 115

Viewing Power Supply Status of PoE Interfaces 115

Viewing Power Information of PoE Interfaces and PoE Module 115

Viewing Information of PoE Module 116

Address 117

Overview 117

Address Entry 117

Configuring an Address Book 117

Adding or Deleting an Address Entry 118

Specifying the IP Range of an Address Entry 118

Excluding Address Entries 122

Excluding an IPv4 Address Entry 122

Excluding IPv6 Address Entries 123

Renaming an Address Entry 123

Viewing the Reference Address of an Address Entry 124

Viewing the Address Book Details 125

Address Book Configuration Example 126

Configuration Example 1 126

Configuration Example 2 126

Service and Application 127

Service Overview 127

Viewing Service or Service Group Information via CLI 127

Viewing Service References 129

Predefined Services 130

RSH 130

Sun RPC 130

MS RPC 131

Predefined Service Group 131

User-defined Service 131

Creating/Deleting a User-defined Service 132

Adding/Deleting a User-defined Service Entry 132

Renaming a User-defined Service Entry 134

Configuration Example 135

Service Group 135

Creating/Deleting a Service Group 136

Adding/Deleting a Service/Service Group 136

Adding/Deleting a Description for a Service/Service Group 137

Renaming a Service Group 137

Application Overview 137

Predefined Application 138

Predefined Application Groups 138

User-defined Application 138

Creating/Deleting the User-defined Applications 139

Configuring the Category/Subcategory of User-defined Applications 139

Configuring the Technology Used by User-defined Applications 142

Configuring Signatures for User-defined Applications 142

Viewing the Configuration of User-defined Applications 143

Enabling the User-defined Application Signature Configuration Mode 143

Creating/Deleting the User-defined Application Signature Rule 143

Configuring Rules in User-defined Application Signature Configuration Mode 144

Configuring Rules in Application Signature Rule Configuration Mode 145

Configuring the Entry of the User-defined Application Signature Rule 145

Configuring the Application Timeout Value 147

Modifying the Order of the User-defined Application Signature Rule 148

User-defined Application Group 148

Creating/Deleting an Application Group 149

Adding/Deleting an Application or Application Group 149

Adding/Deleting a Description for an Application or Application Group 150

Application Identification 150

Dynamic Identification 150

SIP Deep Identification 151

Enabling/Disabling SIP Deep Identification 151

Viewing the Status of SIP Deep Identification 152

Application Identification Bypass 152

Enabling/Disabling Application Identification Bypass 152

Configuring CPU Usage Range 153

Viewing Information of Application Identification Bypass 153

Application Identification Cache Table 153

Enabling/Disabling Application Identification Cache Table 154

Specifying a Working Mode for the Dynamic Application Identification Cache Table 154

Clearing the Application Identification Cache Table 155

Viewing Application Identification Cache Table Information 155

Updating the Signature Database 155

Configuring an Update Protocol 156

Specifying an HTTP Proxy Server 156

Specifying an Update Schedule 157

Application Filter Group 157

Creating Application Filter Group 158

Specifying Application Category 158

Specifying Application Subcategory 158

Specifying Application Technology 158

Specifying Risk Value for Application 159

Specifying Application Characteristics 159

Configuration Example 160

DNS 161

Overview 161

Configuring a DNS Server 161

Configuring a Domain Name 161

Configuring a DNS Domain Name Server 162

Configuring a DNS Proxy 162

Configuring a DNS Proxy Rule 163

Creating a DNS Proxy Rule 164

Configuring the Filtering Condition of a DNS Proxy rule 164

Specifying Ingress Interface 164

Specifying Source Address 164

Specifying Destination Address 165

Specifying Domain Name 166

Specifying the Action of a DNS Proxy Rule 166

Configuring DNS Proxy Servers 167

Modifying/Deleting the Descriptions of a Proxy Rule 167

Enabling/Disabling DNS Proxy Log 168

Enabling/Disabling a DNS Proxy Rule 168

Moving a DNS Proxy Rule 168

Configuring Time Interval of Tracking for DNS Proxy 169

Enabling/Disabling Calculating the Checksum of UDP Packet for DNS Proxy 169

Specifying the TTL for DNS-proxy Response Packets 169

DNS Proxy Hit Analysis 170

Viewing DNS Proxy Statistical Information 170

Clearing DNS Proxy Statistical Information 170

Viewing the DNS Proxy Rule 170

Resolution 171

Specifying the Timeout of DNS Requests 171

Specifying the Retry Times of DNS Requests 171

Specifying the TTL for DNS Resolution Cache 172

Enabling the DNS Resolution Log 172

DNS Cache 172

Adding a Static DNS Mapping 173

Viewing a DNS Mapping 173

Deleting a Dynamic DNS Mapping 173

DNS Snooping 174

Specifying the Domain Name Resolution Mode 175

Specifying the Maximum Mapping IP Addresses for a Specific Domain Name 175

Specifying the Forward Delay of DNS Response Packets 176

Specifying the Maximum Wildcard Domain Names 176

Specifying the TTL for DNS Snooping Mapping Cache 177

Viewing the Configuration Information of DNS Snooping 177

Viewing the Mapping information of DNS Snooping 178

Enabling/Disabling DNS 178

Viewing DNS Configuration Information 178

DNS Configuration Example 178

Requirement 178

Configuration Steps 179

DDNS 180

Configuring DDNS 180

Configuring a DDNS Name 181

Specifying the DDNS Provider 181

Specifying the DDNS Server Name and Port 182

Specifying the Minimum Update Interval 182

Specifying the Maximum Update Interval 183

Specifying the DDNS Username/Password 183

Binding a DDNS Name to an Interface 183

Viewing DDNS Information 184

Example of Configuring DDNS 184

Requirement 184

Configuration Steps 184

DHCP 187

DHCP on Hillstone Devices 187

Configuring a DHCP Client 187

Obtaining an IP Address via DHCP 188

Releasing and Renewing the IP Address 188

Configuring the Route Priority (Administrative Distance) and Route Weight 189

Enabling/Disabling Classless Static Routing Options 189

Viewing DHCP Client Configuration Information 190

Configuring a DHCP Server 190

Basic Configuration of the DHCP Address Pool 191

Configuring an IP Range 191

Configuring a Reserved Address 191

Configuring a Gateway 192

Configuring a Netmask 192

Configuring a DHCP Lease Time 192

Configuring Auto-config 193

Configuring DNS/WINS Servers and Domain Name for the DHCP Client 193

Configuring SMTP/POP3/News Servers for the DHCP Client 194

Configuring the IP Address of the Relay Agent 195

IP-MAC Binding 195

Binding the Address Pool to an Interface 196

Configuring DHCP Options 196

Configuring Option 43 196

Configuring the VSI Carried by Option 43 for DHCP Server 196

Configuring Option 49 197

Configuring Option 60 197

Verifying VCI Carried by Option 60 198

Configuring the VCI Carried by Option 60 for DHCP Server 198

Configuring Option 66 199

Configuring Option 67 199

Configuring Option 138 200

Configuring Option 150 200

Configuring Option 242 201

Viewing DHCP Configuration Information 201

Configuring a DHCP Relay Proxy 202

Specifying the IP Address of the DHCP Server 202

Enabling DHCP Relay Proxy on an Interface 202

Enabling the Function of Replacing the Source IP of the DHCP Relay Packets 203

PPPoE 204

Configuring PPPoE 204

Configuring a PPPoE Instance 205

Specifying the Access Concentrator 205

Specifying the Authentication Method 205

Configuring a PPPoE Connection Method 206

Specifying the Netmask 207

Specifying the Route Distance/Weight 207

Specifying the Service 207

Specifying the Static IP 208

Specifying the PPPoE User Information 208

Configuring the Schedule 208

Specifying the MAC Address of the PPPoE Server 209

Configuring Connection Status Detection 210

Obtaining an IP Address via PPPoE 210

Binding a PPPoE Instance to an Interface 211

Manually Connecting or Disconnecting PPPoE 211

Viewing PPPoE Configuration Information 211

Example of Configuring PPPoE 212

Requirement 212

Configuration Steps 212

NAT 214

Overview 214

Basic Translation Process 214

NAT of Hillstone Devices 215

Configuring a NAT Rule 216

Creating a BNAT Rule 216

Moving a BNAT Rule 219

Specifying a Schedule for a BNAT Rule 219

Creating an SNAT Rule 220

Enabling/Disabling SNAT Rule 224

Moving an SNAT Rule 225

Enabling/Disabling Expanded PAT Port Pool 225

Deleting an SNAT Rule 226

Modifying/Deleting the Descriptions of an SNAT Rule 226

Specifying a Schedule for an SNAT Rule 226

Configuring the SNAT Rule Port Resource Monitor Function 227

Viewing the SNAT Rule Port Usage Monitor Function Configuration 227

Viewing SNAT Configuration Information 228

Viewing SNAT Source Utilization 228

Viewing Tracked Failed Information of SNAT Translated Address 229

Creating a DNAT Rule 229

Enabling/Disabling DNAT Rule 233

Moving a DNAT Rule 233

Modifying/Deleting the Descriptions of a DNAT Rule 234

Deleting a DNAT Rule 234

Specifying a Schedule for a DNAT Rule 234

Viewing DNAT Configuration Information 235

Configuring an Excluding Port Rule 237

Creating an SNAT Port Group 237

Specifying the Description of an SNAT Port Group 237

Specifying the Excluding Port Number 238

Binding the SNAT Port Group to VRouter 238

Viewing the SNAT Port Group Information 238

Viewing the SNAT Port Group References 239

Redundancy Check 239

DNS Rewrite 240

Configuring DNS Rewrite Rules 240

Modifying/Deleting DNS Rewrite Rule Description 241

Viewing DNS Rewrite Rules 241

Adjusting the Priority of DNS Rewrite Rule 242

Enabling/Disabling DNS Rewrite Rule Rematch 242

NAT444 243

Configuring NAT444 243

Monitoring the Port Utilization and Port Block Utilization 246

Viewing NAT444 Configuration Information 246

Viewing IP Addresses and Port Resources Allocation Mode 247

Full-cone NAT 247

Viewing Full-cone NAT Configuration Information 248

Bounce NAT 249

Example of Configuring NAT 250

Requirement 251

Configuration Steps 252

Application Layer Identification and Control 255

Overview 255

Fragment Reassembly 255

Application Layer Gateway (ALG) 255

HTTP, P2P and IM 256

Configuring ALG 257

Specifying SIP Proxy Server Mode 259

Showing ALG SIP 259

Examples of Configuring Application Layer Identification and Control 260

Configuration Steps for Example 1 260

Configuration Steps for Example 2 261

VLAN 263

Configuring a VLAN 263

Creating a VLAN 263

Configuring a Switch Mode and its VLAN 264

Creating a VLAN Interface 265

Viewing VLAN Configuration 265

Super-VLAN 266

Configuring a Super-VLAN 266

Creating a Super-VLAN 267

Adding a Super-VLAN Interface 267

Adding a Sub-VLAN 268

Viewing Super-VLAN Configuration 268

RSTP 269

Configuring RSTP 269

Creating RSTP 270

Enabling RSTP on the Device 270

Enabling RSTP on an Interface 270

Configuring the Bridge Priority 270

Configuring the Hello Interval 271

Configuring the Forward Delay Time 271

Configuring the Maximum Age of BPDU Message 272

Configuring the RSTP Priority on an Interface 272

Configuring the RSTP Cost on an Interface 273

Viewing RSTP Configuration 273

Configuration Example 273

Requirement 273

Configuration Steps 274

Wireless Access Mode 277

Introduction 277

WLAN 277

Configuring WLAN Settings 277

Enabling WLAN Function 278

Creating WLAN Profile 278

Configuring SSID 278

Enabling/Disabling SSID Broadcast 279

Configuring Security Mode and Authentication Encryption Method 279

Enabling/Disabling User Isolation 281

Configuring Maximum User Numbers 281

Specifying the Authentication Server 281

Binding the WLAN Profile to a WLAN Interface 282

Configuring Global Parameters 282

Configuring the Country/Region Code 282

Configuring the Operation Mode 289

Configuring the Channel 290

Specifying the Maximum Transmit Power 290

Enabling/Disabling Wireless Multimedia Function 291

Viewing WLAN Settings 291

WLAN Configuration Example 291

Requirement 291

Configuration Steps 292

3G/4G 295

Configuring 3G/4G Function 296

Configuring Basic Parameters 296

Configuring the Access Point Name 297

Enabling/Disabling the 3G/4G Function 297

Specifying the Connection Mode 298

Configuring the Dial-up String 298

Specifying the Verification Method 298

Specifying the Route Distance and Weight 299

Specifying the Static IP Address 299

Specifying the Online Mode 300

Specifying the User Information 301

Configuring the Schedule 301

Manually Connecting/Disconnecting the 3G/4G Connection 301

Managing the PIN Code 302

Enabling/Disabling the PIN Code Protection 302

Automatically Verifying the PIN Code 303

Manually Verifying the PIN Code 303

Modifying the PIN Code 303

Unlocking the PIN Code 303

Viewing the 3G/4G Configurations 304

3G Configuration Example 304

Requirement 304

Configuration Steps 305

LLDP 306

LLDP Work Mode 307

Configuring LLDP 307

Enabling/Disabling Global LLDP 308

Enabling/Disabling LLDP of Port 308

Configuring LLDP Work Mode 309

Configuring the Initialization Delay of Port 309

Configuring the Transmission Delay of LLDP Messages 310

Configuring the Transmission Interval of LLDP Messages 310

Configuring TTL Multiplier 310

Displaying LLDP Local Information 311

Displaying LLDP Neighbor Information of Port 311

Displaying LLDP Statistical Information 311

Displaying LLDP Status Information 312

Chapter 2 Policy 313

Security Policy 314

Overview 314

Basic Elements of Policy Rules 314

Defining a Policy Rule 315

Introduction to Profile 315

QoS Tag 315

Configuring Access Control for a Policy 315

Configuring an ACL Profile 316

Configuring an Access Control Rule 316

Configuring the Default Action 317

Viewing ACL Profile Information 317

Configuring a Policy Rule 317

Entering the Policy Configuration mode 318

Switching to the Multi-Zone Mode 318

Creating a Policy Rule 318

Editing a Policy Rule 321

Enabling/Disabling a Policy Rule 326

Log Management of Policy Rules 327

Configuring the Service Rule 328

Specifying the Default Action 330

Moving a Policy Rule 330

Viewing Resource Usage in Policy Rules 331

show policy resource 331

Rule Redundancy Check 332

Configuring Policy Audit Function 332

Enabling/Disabling the Policy Audit Function 332

Adding the Audit Comment 332

Viewing Policy Audit Enabled Status 333

Policy Group 333

Configuring Policy Group 333

Creating/Deleting a Policy Group 334

Enabling/Disabling a Policy Group 334

Modifying/Deleting the Descriptions of a Policy Group 334

Adding/Deleting a Policy Rule Member 335

Renaming a Policy Group 335

Configuring a Policy Group for a VSYS Profile 335

Viewing Policy Group Information 336

User Online Notification 336

Configuring the User Online Notification URL 337

Configuring the Idle Time 337

Customizing the Logo Picture 338

Viewing Online Notification Users 338

Viewing Policy Rule Information 338

Viewing the Current Policy Configuration Information of the Device 342

Policy Hit Count 342

Configuring the Policy Assistant 345

Enabling/Disabling the Policy Assistant 345

Viewing the Policy of the Policy Assistant Enabled 345

Aggregate Policy 346

Creating an Aggregate Policy 346

Adding an Aggregate Policy Member 347

Removing an Aggregate Policy Member 348

Deleting an Aggregate Policy 349

Adjusting Position 349

Enabling/Disabling an Aggregate Policy 350

Adding/Deleting an Aggregate Policy Description 351

Share Access 352

Share Access Rule 352

Creating Share Access Rules 352

Configuring Share Access Rules 353

Viewing Share Access Rules 355

Viewing Statistics of Share Access 355

Share Access Signature Database 356

Configuring the Update Mode of Share Access Signature Database 357

Updating Share Access Signature Database 358

Importing a Share Access Signature File 358

Viewing Update Information of Share Access Signature Database 359

Viewing Information of Share Access Signature Database 359

Viewing Statistics of Share Access 359

Share Access Log 360

Configuring the Status of Share Access Log 360

Configuring the Output Destination of Share Access Log 361

Viewing Share Access Logs 361

Chapter 3 Routing 362

Enabling/Disabling Static Routing Query 363

Enabling/Disabling the Route Rematch by Session 363

VRouter 365

Specifying the Maximum Number of Routing Entries 366

Importing VRouter Routing Entries 366

Disabling the Highest Priority of Direct Routes 366

Destination Route 367

Configuring a Destination Route 367

Adding a Destination Route 367

Viewing Destination Route Information 369

Destination Interface Route 369

Adding a Destination Interface Route 369

Viewing Destination Interface Route Information 371

Viewing FIB Information about Destination Interface Route 371

ISP Route 371

Configuring the ISP Information Database 372

Configuring the Update Mode of the ISP Information Database 373

Configuring the Transmission Protocol for Update 373

Configuring the Update Server 373

Specifying the HTTP Proxy Server 374

Specifying the Update Time 375

Updating Immediately 375

Importing Predefined ISP Profiles 375

Deleting Predefined ISP Profiles 376

Deleting Predefined IPv4 ISP Profiles 376

Deleting Predefined IPv6 ISP Profiles 377

Displaying Information about the ISP Information Database 377

Displaying the Update Configuration of the ISP Information Database 378

Configuring IPv4 ISP Information 379

Adding a Subnet Entry 379

Adding an IPv4 ISP Information Entry 380

Configuring an IPv4 ISP Route 380

Viewing IPv4 ISP Route Configuration Information 381

Uploading/Downloading a User-defined IPv4 ISP Profile 382

Uploading a User-defined IPv4 ISP Profile 383

Downloading a User-defined IPv4 ISP Profile 383

Configuring IPv6 ISP Information 383

Adding an IPv6 Subnet Entry 384

Adding an IPv6 ISP Information Entry 384

Configuring an IPv6 ISP Route 385

Viewing IPv6 ISP Information 386

Uploading/Downloading a User-defined IPv6 ISP Profile 386

Uploading a User-defined IPv6 ISP Profile 387

Downloading a User-defined IPv6 ISP Profile 388

Source Route 388

Adding a Source Route 388

Viewing Source Route Information 389

Src-If Route 389

Adding a Src-If Route 390

Viewing Src-If Route Information 391

Policy-based Route 391

Creating a PBR Policy 391

Creating a PBR Rule 391

Editing a PBR Rule 393

Enabling/Disabling a PBR Rule 395

Moving a PBR Rule 395

Configuring Prioritized Destination Routing Lookup 396

Applying a PBR Rule 396

Configuring the Global Match Order of PBR 396

Viewing the Global Match Order of PBR 397

Configuring TTL Range for a PBR Rule 397

Viewing PBR Rule Information 398

DNS Redirect 398

Configuration Example of Web Video Traffic Redirection 399

Domain Name Route 401

Configuring a Domain Name Route 402

Dynamic Routing 403

Configuring RIP 404

Basic Options 404

Specifying a Version 404

Specifying a Metric 405

Specifying a Distance 405

Configuring the Default Information Originate 405

Specifying a Timer 406

Configuring Redistribute 407

Configuring a Passive IF 407

Configuring a Neighbor 408

Configuring a Network 408

Configuring a Distance 408

RIP Database 409

Configuring RIP for Interfaces 409

Configuring an Authentication Mode 409

Specifying RIP Version 410

Configuring Split Horizon 411

Viewing System RIP Information 411

Configuring OSPF 411

Configuring OSPF Protocol 412

Configuring a Router ID 414

Configuring Area Authentication 414

Specifying the Network Type for an Interface 414

Configuring Route Aggregation for an Area 415

Configuring the Default Cost for an Area 416

Configuring the Virtual Link for an Area 416

Configuring a Stub Area 418

Configuring an NSSA Area 418

Configuring the Reference Bandwidth for OSPF 419

Configuring the Default Metric 419

Configuring the Default Information Originate 419

Configuring the Default Distance 420

Configuring a Timer for OSPF 420

Specifying an OSPF Network Interface 421

Configuring Redistribute 421

Configuring a Route Map 422

Continuing to Match Another Matching Rule 426

Modifying Attributes of Introduced Routing Information 427

Configuring a Route Access-list 427

Configuring a Distance 429

Configuring a Passive IF 429

Configuring Route Filters Based on the Route Access-list 430

Configuring OSPF for an Interface 430

Configuring OSPF Authentication for an Interface 431

Specifying the Link Cost for an Interface 431

Configuring the Timer for an Interface 432

Specifying the Router Priority for an Interface 433

Specifying the Network Type for an Interface 434

Viewing OSPF Route Information 434

Configuring IS-IS 436

Basic Settings 437

Configuring the Router Type 438

Enabling IS-IS at Interfaces 438

Configuring the Interface Type 438

Configuring the Network as Point-to-Point Type 439

Routing Information Settings 439

Configuring the NET Address 439

Configuring the Administrative Distance 439

Configuring the Metric Style 440

Configuring the Interface Metric 440

Configuring Redistribute 441

Configuring the Default Route Advertisement 441

Network Optimization 442

Configuring the Interval for Sending Hello Packets 442

Configuring the Multiplier for Hello Packets 442

Configuring Padding for Hello Packets 443

Configuring Priority for DIS Election 443

Configuring the Passive Interface 444

Configuring LSP Generation Interval 444

Configuring Maximum Age of LSPs 444

Configuring LSP Refresh Interval 445

Configuring SPF Calculation Interval 445

Configuring the Overload Bit 445

Configuring Hostname Mappings 446

Authentication 446

Configuring the Authentication Methods 446

Configuring the Interface Authentication 447

Viewing IS-IS Information 448

Configuring BGP 449

Configuring BGP Protocol 450

Entering the BGP Configuration Mode 452

Specifying a Router ID 452

Creating a Route Aggregation 453

Adding a Static BGP Route 453

Configuring a Timer 454

Specifying the Administrative Distance of BGP Routes 454

Specifying the Default Metric 455

Creating a BGP Peer Group 455

Adding a BGP Peer to a Peer Group 456

Configuring a BGP Peer 456

Configuring BGP MD5 Authentication 457

Activating a BGP Connection 457

Configuring the Default Information Originate 458

Configuring Description 458

Configuring a BGP Peer Timer 459

Configuring the Next Hop as Itself 459

Configuring EBGP Multihop 460

Disabling a Peer/Peer Group 460

Resetting a BGP Connection 461

Configuring an AS-path Access List 461

Configuring BGP Communities 462

Redistributing Routes into BGP 463

Configuring a Route Map 464

Modifying Attributes of Introduced Routing Information 467

Configuring Route Filters Based on the AS-path Access List 468

Sending Communities Path Attributes to Peers or Peer Groups 468

Configuring Route Filters Based on the Route Map 469

Configuring Equal Cost Multipath Routing 469

Viewing BGP Information 470

Enabling/Disabling Multipath-relax for EBGP 471

Configuring BGP GR 471

ECMP 475

Configuring ECMP 475

Configuring ECMP Route Selection 476

Static Multicast Routing 476

Enabling/Disabling a Multicast Route 477

Configuring a Static Multicast Route 477

Specifying an Ingress/Egress Interface 478

Viewing Multicast Route Information 478

Viewing Multicast FIB Information 479

IGMP 479

IGMP Proxy 479

Enabling an IGMP Proxy 480

Configuring an IGMP Proxy Mode for an Interface 481

Viewing IGMP Proxy Information 481

IGMP Snooping 482

Enabling IGMP Snooping 482

Configuring IGMP Snooping 483

Dropping Unknown Multicast 483

Viewing IGMP Snooping Information 483

BFD 484

BFD Work Mode 484

BFD Echo 485

Configuring BFD 485

Configuring the BFD Detection Methods 486

Configuring the BFD Session Parameters 486

Enabling/Disabling the Echo Function 487

Specifying the Interval of Receiving Echo Packets 488

Configuring the Source IP Address of the Echo Packets 488

Configuring BFD Multi-hop Detection 489

Creating a BFD Multi-hop Detection Template 489

Specifying the Encrypted Authentication Mode of BFD Control Packets 490

Configuring BFD Multi-hop Session Parameters 490

Integrating BFD with Routing Protocols 491

Integrating BFD with the Static Route 491

Integrating BFD with the OSPF Route 492

Integrating BFD with the BGP Route 492

Integrating BFD with the IS-IS Route 492

Viewing BFD Session Information 493

MPLS 493

Protocol Independent Multicast (PIM) 494

Basic Principles of PIM-SM 495

Configuring PIM-SM 496

Basic Configurations 497

Enabling/Disabling the PIM-SM 497

Configuring a Candidate RP 498

Configuring a Candidate BSR 498

Configuring a Static RP 499

Configuring the Switchover to SPT 500

Configuring PIM-SM for Interfaces 501

Enabling/Disabling the PIM-SM for Interfaces 501

Configuring the Priority of DR 501

Specifying the Interval for Sending the Hello Packets 502

Specifying the Interval for Sending IGMP General Query Messages 502

Specifying the IGMP General Query Timeout 503

Specifying the Maximum Response Time for IGMP General Query 503

Viewing PIM-SM Information 504

PIM-SSM 505

Configuring PIM-SSM 505

Configuring Address Range of PIM-SSM Multicast Group 506

Configuring IGMP Packets Filtering 506

Adding Multicast Router Interface to Multicast Group 507

Examples of Configuring Routes 509

Example of Configuring Static Route Query 509

Configuration Steps 510

Example of Configuring Multi-VR 511

Independent Multi-VR Forwarding 512

Configuration Steps 512

Inter-VR Forwarding 514

Configuration Steps 514

Example of Configuring Static Multicast Route 515

Requirement 516

Configuration Steps 516

Example of Configuring IGMP Proxy 518

Requirement 518

Configuration Steps 518

Example of Configuring IGMP Snooping 520

Requirement 521

Configuration Steps 521

Example of Configuring BFD 523

Requirement 523

Configuration Steps 524

Integrating BFD with the Static Route 524

Integrating BFD with the OSPF Route 525

Integrating BFD with the BGP Route 526

Example of Configuring LLB 527

Requirement 527

Configuration Steps 528

Example of Configuring PIM-SM 530

Requirement 530

Configuration Steps 530

Chapter 4 System Management 532

Naming Rules 533

Configuring a Host Name 533

Configuring the Displayable Length of the Host Name 534

Viewing the Displayable Length of the Host Name 534

Configuring Tab Title at WebUI Login 534

Configuring System Admin Users 535

Creating Administrator Roles 538

Specifying Administrator Role's Privileges 538

Specifying Administrator Role's Description 539

Creating an Admin User 539

Assigning a Role 539

Configuring Password 540

Configuring Password Policy for Admin Users 540

Viewing Password Policy for Admin Users 543

Configuring the Function of Resetting the Administrator Password by Security Question 543

Configuring Accesses for Admin Users 545

Configuring Single Sign-on (SSO) 546

Enabling/Disabling SSO 546

Specifying the SSO scheme as CAS_QIMING 547

Specifying the SSO Scheme as CTYUN 547

Viewing/Deleting the Token Information of CTYUN 547

Specifying the SSO Scheme as 360_YUNZHEN 548

Viewing the Token Information of 360_YUNZHEN 548

Viewing the SSO Information 548

Configuring Two-factor Authentication for Admin Users Logging in to the WebUI 548

Enabling SMS/Email Two-factor Authentication 548

Configuring the Mobile Number for an Administrator 549

Configuring the Email Address for an Administrator 550

Configuring an API Token for an Administrator 550

Creating an API Token 550

Changing the Validity Period of the API Token 550

Updating the API Token 550

Renewing the API Token 551

Enabling the API Token 551

Disabling the API Token 551

Deleting the API Token 551

Viewing API Token 551

Configuring Log Types for Auditors 552

Specifying Login Limit 554

Specifying Login Limit 554

Configuring the Maximum Number of Admin Users 556

Configuring Login Options for the Default Administrator 556

Enabling Telnet/HTTP Login Type for the Default Administrator 557

Viewing Admin roles 557

Viewing Admin Users 557

VSYS Admin Users 558

Creating a Trusted Host 561

Creating an IPv6 Trusted Host 563

Viewing Trusted Host IP 563

Configuring NetBIOS Name Resolution 563

Enabling NetBIOS Name Resolution 564

Resolving an IP to NetBIOS Name 564

Clearing NetBIOS Cache 565

Viewing NetBIOS Cache 565

Management of System User 565

Configuring Users 567

Binding an IP/MAC Address to a User 567

Configuring Users in the Local AAA Servers 568

Configuring Password 568

Specifying a User Expiration Date 569

Describing a User 569

Specifying an IKE ID 570

Specifying a User Group 570

Viewing User/User Group Information 571

Configuring a User Group 571

Configuring a Role 572

Creating a Role 572

Creating a Role Mapping Rule 573

Configuring a User Attribute Instance 574

Configuring a Role Combination 576

Viewing Role Information 577

Configuring a MGT Interface 577

Configuring a Console MGT Port 577

Configuring the Baud Rate 577

Configuring Timeout 578

Configuring a Telnet MGT Interface 578

Configuring a SSH MGT Interface 579

Configuring a WebUI MGT Interface 581

Viewing MGT Interface Configuration Information 584

Configuring a Storage Device 584

Formatting a Storage Device 584

Removing a Storage Device 585

Upgrading Database Data 585

Viewing Upgrade Status of Database Data 586

Configuring Storage Management 586

Configuring Threshold Alarm 586

Enabling/Disabling Threshold Alarm 587

Configuring Storage Space of Log 588

Configuring Storage Space of Report 588

Configuring Long-term Monitor Storage Size 588

Configuring a Packet Loss Storage Size 589

Managing Configuration Files 589

Managing Configuration Information 589

Viewing Configuration Information 589

Rolling Back to Previous Configurations 592

Exiting the Configuration Rollback Mode 593

Configuring the Action 594

Deleting a Configuration File 594

Saving Configuration Information 594

Backing up Configuration File Automatically 595

Viewing Automatic Configuration File Backup Information 596

Exporting Configuration Information 596

Importing Configuration Information 598

Enabling/Disabling Importing Configuration from USB Automatically 599

Restoring Factory Defaults 600

Switching the Working Mode of Fiber-optic Interfaces 600

Switching Mode 601

Configuring the Negotiation Mode of Fiber-optic Interfaces 602

Enabling/Disabling the Optical Fiber-to-Copper Module 603

Deleting Configuration Information of Expansion Slots 603

Viewing the Configuration of Current Object 604

Viewing the Information of Optical Module 605

Deleting Configuration Information of a virtual NIC 607

Configuring Banner 608

System Maintenance and Debugging 609

Ping 609

Traceroute 610

System Debugging 612

Collecting and Saving Tech-support Information to File 613

Viewing the Tech-support Information 613

Collecting the Tech-support Information Automatically 614

Viewing the Information of Nvramlog or Watchdoglog File 614

Deleting the Function of Automatically Collecting Tech-support Information 615

Rebooting the System 615

Upgrading StoneOS 615

Starting Process 616

Bootloader 616

StoneOS Quick Upgrading (TFTP) 616

Other Upgrading Methods 619

Upgrading StoneOS via FTP 619

Upgrading StoneOS via USB 620

Introduction to Sysloader Menu 620

Upgrading StoneOS Using CLI 621

Upgrading StoneOS via Hot Patch 622

Backing up and Restoring Data 623

Synchronizing the Firmware 624

Graceful Shutdown 624

SCM HA 625

Device HA Switchover When Switch Module failed 626

License Management 627

CloudEdge License 639

CloudEdge Platform Licenses 639

CloudEdge Sub Licenses 640

CloudEdge Function Licenses 642

Applying for a License 644

Installing a License 645

Connecting to License server 645

Managing a License Using CLI 646

Generating a Request for License 646

Installing/Uninstalling a License 647

Verifying the Licenses 647

Viewing License Summary Information 648

Configuring HA Backup Device to Communicate with LMS through Master Device 650

Replacing the Digital Certificate used for Connecting CloudEdge and LMS 651

View LMS Information 651

Batch Installing Licenses 651

Batch Installing Procedure 651

Installing a License 652

Simple Network Management Protocol (SNMP) 653

Hillstone SNMP 653

Supported RFCs 654

Supported MIBs 655

Supported Traps 655

Configuring SNMP 655

Enabling/Disabling the SNMP Agent Function 656

Configuring the SNMP Port Number 656

Configuring SNMP Engine ID 657

Creating an SNMPv3 User Group 657

Creating an SNMPv3 User 658

Configuring the IP Address of the Management Host 659

Configuring Recipient of SNMP Trap 659

Configuring sysContact 660

Configuring sysLocation 661

Specifying the VRouter on Which the SNMP is Enabled 661

Configuring SNMP Server 661

Clearing the ARP Table Information of SNMP Server 662

Viewing the SNMP Server Information 662

Viewing SNMP Information 662

SNMP Configuration Examples 663

Requirements 663

Example 1 663

Example 2 664

Network Configuration Protocol (NETCONF) 665

Enabling/Disabling the NETCONF Agent 667

Enabling/Disabling the NETCONF candidate 667

Configuring the NETCONF Timeout 668

Viewing NETCONF Agent Configuration Information 668

HSM Agent 668

Configuring HSM Agent 669

Changing Digital Certificate 672

Enabling/Disabling HSM Agent 673

Viewing HSM Agent Configuration Information 673

Network Time Protocol (NTP) 673

Configuring NTP 674

Configuring System Clock Manually 674

Configuring Time Zone Manually 674

Configuring Summer Time 675

Viewing System Clock Configuration Information 677

Configuring NTP Service 677

Enabling/Disabling NTP Service 677

Configuring an NTP Server 678

Configuring the Max Adjustment Value 678

Configuring the Query Interval 679

Enabling/Disabling NTP Authentication 679

Configuring NTP Authentication 679

Viewing NTP Status 680

NTP Configuration Example 680

Configuring Schedule 681

Creating a Schedule 681

Configuring an Absolute Schedule 681

Configuring a Periodic Schedule 682

Configuring a Track Object 683

Track by ICMP Packets 684

Dynamic Ping Message ID 685

Track by IPv6 ICMP Packets 686

Track by HTTP Packets 687

Track by ARP Packets 688

Track by DNS Packets 688

Track by TCP Packets 689

Interface Status Track 690

Interface Bandwidth Track 690

Interface Quality Track 691

Configuring a Threshold 692

Monitor Object Failure Threshold 693

Fail Close 693

Enabling/Disabling Fail Close 693

Viewing Fail Close Status 694

Enabling/Disabling Application Layer Security Bypass 694

Viewing Application Layer Security Bypass Status 694

Monitor Alarm 694

CPU Cache Error Monitor 697

The Maximum Concurrent Sessions 698

Adjusting the Maximum Concurrent Sessions 713

Connecting to Hillstone Cloud Service Platform 714

Configuring the Cloud Service Platform Server 715

Changing Digital Certificate 716

Enabling CloudView 717

Enabling CloudVista 719

Joining the User Experience Improvement Program 719

Showing Configurations of the Cloud Service Platform 720

Configuring the RESTful API Interface to Upload Files 720

Clearing Alarm Status of Indicators 720

Automatically Clearing Alarm Status of Indicators 721

Chapter 5 Virtual System (VSYS) 722

VSYS Objects 722

Root VSYS and Non-root VSYS 722

Administrator 723

VRouter, VSwitch, Zone, Interface 726

Shared VRouter 727

Shared VSwitch 728

Shared Zone 728

Shared Interface 728

Interface Configuration 728

Configuring VSYS 728

Creating a Non-root VSYS 729

Configuring the Alias of a Non-root VSYS 729

Specifying the Description for VSYS 730

Creating a VSYS Profile 730

Configuring Resource Quota 731

Configuring the Quota of Log Buffer 734

Configuring URL Filter 734

Configuring IPS 735

Configuring Anti-Virus 736

Configuring Perimeter Traffic Filtering 737

Configuring QoS 738

Enabling/Disabling the CPU Resource Quota 738

Binding a VSYS Profile to a VSYS 739

Entering the VSYS 739

Configuring the Shared Property 741

Exporting a Physical Interface 742

Allocating a Logical Interface 742

Binding a Track Object 743

Monitoring a Specified VSYS 744

Rolling Back to Previous Configurations 744

Exiting the Configuration Rollback Mode 745

Configuring the Action 746

Configuring VSYS Log 747

Configuring Cross-VSYS Traffic Forwarding 747

Enabling/Disabling the Cross-VSYS Traffic Forwarding 748

Configuring a Simple-Switch 748

Creating a Simple-Switch 748

Binding the L2 Zone to the Simple-Switch 748

Creating a VWANIF interface 749

Creating a VPort Interface 749

Configuring the VWANIF Interface 750

Allocating a VWANIF Interface 750

Viewing Cross-VSYS Traffic Forwarding Information 750

Viewing the VWANIF interface Configuration Information 751

Viewing the VWANIF Interface IPv6 Configuration Information 751

Viewing VSYS Information 751

Viewing VSYS Profile Information 751

VSYS Configuration Examples 752

Example 1: L3 Traffic Transmitting in a Single VSYS 752

Configuration Steps 752

Example 2: L3 Traffic Transmitting among Multiple VSYSs via Shared VRouters 754

Configuration Steps 756

Example 3: L2 Traffic Transmitting among Multiple VSYSs via Shared VSwitch 760

Configuration Steps 761

Example 4: Traffic transmitting among multiple VSYSs via Simple-Switch 765

Configuration Steps 766

Chapter 6 High Availability (HA) 770

Overview 770

HA Cluster 771

HA Group 771

HA Node 772

HA Group Interface and Virtual MAC 772

HA Selection 772

HA Synchronization 772

Configuring HA 774

Configuring an HA Group 774

Specifying the Priority 775

Specifying the Hello Interval 775

Specifying the Hello Threshold 776

Specifying the Hello Transport Protocol 776

Configuring the Preempt Mode 777

Specifying the Gratuitous ARP Packet Number 777

Sending Gratuitous ARP Packets 778

Specifying the Description 779

Specifying the Track Object 779

Configuring an HA group interface 779

Configuring the Next-hop IP Address of the Interface 781

Configuring SNAT Port Distribution 781

Configuring a HA Link 782

Specifying an HA Link Interface 783

Specifying the Work Mode of HA Link Interface 784

Specifying the IP Address of HA link 785

Specifying an HA Assist Link Interface 785

Specifying the MAC Address of HA Link Interface on CloudEdge 786

Enabling the Real MAC Address of the Interface on CloudEdge 787

Configuring HA Negotiation through Two Layer Unicast Mode 787

Specifying the MTU Value of HA link Interface 788

Configuring a HA Cluster 788

Configuring HA VMAC Prefix 789

Viewing HA VMAC Prefix 790

Configuring a Management IP 790

Configuring the Layer 3 Port Down-up Function 790

Manually Synchronizing HA Information 791

Enabling/Disabling Automatic HA Session Synchronization 795

Enabling/Disabling Scheduled Comparison of HA Configurations 795

Manually Switching Main and Backup Device Status of HA 795

Backing up Statistical Data 796

Configuring Backup Device Configuration Mode 797

Viewing the Backup Status of Statistical Data 797

Configuring the Deployment Mode of HA on Cloud Platform 797

Specifying the Cloud Platform for HA Deployment 798

Viewing the HA Cloud Deployment Information 798

Specifying the AccessKey of Cloud Platform 798

Checking the Connectivity to Cloud Platform API 799

Verifying the Access ID and Password of the Cloud platform 799

Viewing the AccessKey of Cloud Platform 799

Enabling/Disabling Platform Checking of HA devices 799

Viewing the Status of HA Platform checking 800

Configuring HA Traffic 800

Enabling HA Traffic 801

Configuring HA Traffic Delay 801

Configuring First Packet Forwarding 802

Configuring First Packet Forwarding Bounce Back 802

Configuring HA Route Rematch by Session 803

Viewing HA Configuration 804

Enabling HAVIP function that Alibaba Cloud provides to deploy HA 805

Configuring the Accesskey of Alibaba Cloud 806

HSVRP 806

Typical Scenario 806

Basic Concepts 807

HSVRP Group 807

Referencing an HSVRP Group by an Interface 807

HSVRP Group Status 809

Configuring HSVRP 810

Creating an HSVRP Group 810

Configuring the Virtual IP Address of an HSVRP Group 810

Viewing an HSVRP Group 811

Referencing an HSVRP Group by an Interface 812

Twin-mode HA 814

Introduction 814

Twin-mode HA Deployment Scenarios 815

Twin-mode HA Synchronization 817

Configuring Twin-mode HA 818

Specifying the deployment mode and synchronization mode 819

Specifying the Node 820

Specifying the Priority 820

Configuring the Preempt Mode 821

Specifying the Hello Interval 821

Specifying the Hello Threshold 822

Configuring Twin-mode HA Link 822

Specifying a Twin-mode HA Link Interface 822

Specifying the IP Address of Twin-mode HA link Interface 823

Specifying the Peer IP Address 824

Enabling/Disabling Twin-mode HA 824

Specifying the Forwarding Mode of Asymmetric Traffic 825

Configuring Twin-mode HA First Packet Forwarding Bounce Back 825

Configuring Twin-mode HA Gateway 826

Configuring the Switching Mode of Twin-mode HA Session State 827

Manually Synchronizing Twin-mode HA Configuration Information 828

Viewing/Clearing the Transfer Packet Count of Twin-mode HA 828

Viewing Twin-mode HA Configuration 828

Examples of HA 830

Example 1: Example of HA in A/P Mode 830

Requirement 830

Configuration Steps 830

Example 2: Example of HA Peer Mode and HA Traffic 834

Requirement 834

Configuration Steps 835

Chapter 7 IPv6 838

Configuring an IPv6 Address 839

Specifying a Global IPv6 Address 840

Configuring an IPv6 General Prefix 840

Specifying Address Auto-config 841

Specifying an EUI-64 Address 841

Specifying a Link-local Address 842

Specifying an IPv6 MTU 842

Viewing IPv6 Configuration 843

Configuring IPv6 Neighbor Discovery Protocol 843

Configuring DAD 844

Specifying Reachable Time 845

Specifying RA Parameters 845

Specifying a Hop Limit 845

Advertising MTU 845

Specifying DNS Configuration Options 846

Specifying an Auto-config Type Flag 847

Specifying an IPv6 Prefix and Parameters 848

Specifying a RA Interval 849

Specifying RA Lifetime 849

Specifying DRP 850

Configuring RA Suppress on LAN Interfaces 850

Adding/Deleting an IPv6 Neighbor Cache Entry 851

IPv6 System Management 852

Configuring IPv6 SNMP 854

Configuring an IPv6 Management Host 854

Configuring an IPv6 Trap Destination Host 855

Creating an SNMPv3 User 856

Configuring IPv6 Debugging 857

Configuring IPv6 Routing 857

Configuring an IPv6 DBR Entry 857

Configuring an IPv6 SBR Entry 858

Configuring an IPv6 SIBR Entry 859

Configuring an IPv6 DIBR Entry 861

Viewing IPv6 Routing Information 862

Configuring RIPng 862

Basic Options 863

Specifying a Default Metric 863

Specifying a Default Distance 864

Specifying a Timer 864

Configuring the Default Information Originate 865

Configuring Redistribute 865

Configuring a Network 866

Configuring a Passive IF 866

Configuring Split Horizon 867

Configuring Poison Reverse 867

Viewing RIPng Information 867

Configuring OSPFv3 868

Configuring a Router ID 870

Enabling Encryption and Authentication for an Area and on an Interface 870

Enabling AH Authentication for an Area 872

Enabling AH Authentication on an Interface 872

Enabling ESP Authentication for an Area 873

Enabling ESP Authentication on an Interface 874

Configuring the Virtual Link for an Area 874

Configuring the Default Metric 875

Configuring the Default Administrative Distance 875

Configuring the Default Information Originate 876

Configuring the Interface Area and Instance 876

Configuring Redistribute 877

Configuring a Passive Interface 878

Configuring the Timer for an Interface 878

Configuring the Router Priority for an Interface 879

Configuring the Link Cost for an Interface 880

Configuring the MTU Check for an Interface 880

Configuring the Network Type for an Interface 881

Disabling or Enabling OSPFv3 881

Viewing OSPFv3 Information 882

Configuring IPv6 BGP 884

Entering the IPv6 Unicast Routing Configuration Mode 885

Configuring IPv6 Unicast Route Redistribute 885

Activating a BGP Connection 885

Sending Community Path Attributes to a Peer/Peer Group 886

Specifying Upper Limit of Prefixes 886

Viewing BGP Routing Information 887

Configuring IPv6 Policy-based Route 888

Creating a PBR Policy 888

Creating an IPv6 PBR Rule 888

Configuring IPv6 IS-IS 890

Enabling IPv6 IS-IS at interfaces 891

Configuring the Interface Metric 892

Entering into the IPv6 Unicast Routing Configuration Mode 892

Configuring the Default Route Advertisement 892

Configuring the Administrative Distance 893

Configuring Redistribute 893

Configuring the Overload Bit 894

Configuring the SPF Calculation Interval 894

Configuring Multiple-Topology Routing 895

Viewing IPv6 IS-IS Information 895

Configuring IPv6 Static Multicast Routing 896

Configuring an IPv6 Static Multicast Route Entry 896

Specifying an Ingress/Egress Interface 896

Viewing IPv6 Multicast Route Information 897

Viewing IPv6 Multicast FIB Information 898

Configuring IPv6 BFD 898

Configuring the Source IP Address of the Echo Packets 899

Integrating BFD with the IPv6 Static Route 899

Integrating BFD with the OSPFv3 Route 900

Viewing IPv6 BFD Session Information 900

Configuring IPv6 DHCP 901

Configuring a DHCP Client 901

Obtaining an IPv6 address via DHCP 901

Releasing and Renewing the IPv6 Address 902

Configuring a DHCP Server 902

Basic Configuration of the DHCP Address Pool 903

Configuring an IP Range 903

Configuring Domain Name for the DHCP Client 903

Configuring DNS Servers for the DHCP Client 904

Binding the Address Pool to an Interface 904

Configuring a DHCP Relay Proxy 905

Enabling DHCP Relay Proxy on an Interface 905

Specifying the IP Address of the DHCP Server 905

Viewing DHCP Configuration Information 905

Configuring IPv6 DNS 906

Configuring an IPv6 DNS Proxy Rule 906

Specifying IPv6 Source Address 907

Specifying IPv6 Destination Address 907

Configuring IPv6 DNS Proxy Servers 908

Configuring IPv6 DNS Servers 909

Configuring an IPv6 DNS Proxy Server List 909

Enabling/Disabling IPv6 DNS Proxy 910

Adding a Static IPv6 DNS Mapping Entry 910

Clearing a Dynamic IPv6 DNS Mapping Entry 911

Viewing IPv6 DNS Mapping Entries 911

Viewing IPv6 DNS Configuration 911

Configuring PMTU 911

Configuring User-defined Application 913

Creating/Deleting the User-defined Applications 913

Enabling the User-defined Application Signature Configuration Mode 914

Enabling the Application Signature Rule Configuration Mode 914

Configuring IPv6 Source Address 914

Configuring IPv6 Destination Address 915

Configuring a User-defined ICMPv6 Application Rule 915

Configuring an IPv6 Policy Rule 915

Configuring an IPv6 Address Entry 916

Configuring an IPv6 Service 917

Configuring an Action for IPv6 Policy Rule 918

Configuring an IPv6 Policy Rule 918

Editing an IPv6 Policy Rule 919

Configuring Access Control for an IPv6 Policy 920

Configuring an ACL Profile 921

Configuring an Access Control Rule 921

Configuring the Default Action 922

Binding the ACL Profile to a Policy Rule 923

Viewing ACL Profile Information 923

Configuring IPv6 ALG 923

NDP Protection 924

IP-MAC Binding 925

Adding a Static IP-MAC Binding Entry 925

One-click Binding 926

Permitting Static IP-MAC Binding Hosts Only 926

Viewing IP-MAC Binding Information 926

Clearing Dynamic IP-MAC Binding Information 927

NDP Learning 927

NDP Learning Limit 927

NDP Inspection 928

Enabling/Disabling NDP Inspection 928

Configuring a Trusted Interface 929

Denying RA Packets 929

Configuring an NDP Packet Rate Limit 929

Viewing NDP Inspection Configuration 930

Configuring NDP Spoofing Defense 930

Viewing NDP Spoofing Statistics 931

NDP Spoofing Prevention 931

Attack Defense 931

Configuring an IPv6 6to4 Tunnel 933

Creating a Tunnel 934

Specifying an Egress Interface 934

Specifying a Destination Address for the Manual Tunnel 935

Specifying IPv6 6to4 Subtunnel Limit 935

Binding a Tunnel to the Tunnel Interface 935

Viewing IPv6 6to4 Tunnel Configuration 936

Configuring an IPv6 4to6 Tunnel 936

Creating a Tunnel 936

Specifying the Source Address/Interface 937

Specifying a Destination Address for the Tunnel 937

Binding a Tunnel to the Tunnel Interface 938

Viewing IPv6 4to6 Tunnel Configuration 938

Configuring an ISATAP Tunnel 939

Creating an ISATAP Tunnel 940

Specifying ISATAP Subtunnel Limit 940

Specifying an Egress Interface of ISATAP Tunnel 940

Binding an ISATAP Tunnel to the Tunnel Interface 941

Viewing ISATAP Tunnel Configuration 941

Configuring DS-lite 941

Creating a DS-lite Tunnel 942

Specifying an Interface and IP Address for the DS-lite Tunnel 942

Specifying the Maximum Number of Sub Tunnels 943

Viewing DS-lite Tunnel Information 943

Configuring NAT-PT 943

Configuring a NAT-PT Rule 944

Creating an SNAT Rule 944

Moving an SNAT Rule 947

Deleting an SNAT Rule 947

Viewing SNAT Configuration Information 947

Creating a DNAT Rule 948

Moving a DNAT Rule 950

Deleting a DNAT Rule 951

Viewing DNAT Configuration Information 951

Configuring DNS64 and NAT64 951

Enabling/Disabling DNS64 952

Configuring DNS64 Server 952

Configuring DNS64 Prefix 953

Creating a DNS64 Rule 953

Creating a DNAT Rule 954

Configuring an IPv6 Track Object 955

Track by IPv6 ICMP Packets 956

Track by IPv6 HTTP Packets 957

Track by IPv6 DNS Packets 958

Track by NDP Packets 958

Track by IPv6 TCP Packets 959

IPv6 Configuration Examples 960

Example 1: IPv6 Transparent Mode Configuration 960

Example 2: IPv6 Routing Mode Configuration 963

Example 3: Manual IPv6 Tunnel Configuration 965

Example 4: IPv6 6to4 Tunnel Configuration 969

Example 5: IPv6 SNMP Configuration 974

Viewing IPv6 MIB Information via an IPv4 Network 974

Viewing IPv6 MIB Information via an IPv6 Network 975

Example 6: IPv6 NAT-PT Configuration 975

Requirement 1 976

Requirement 2 977

Example 7: IPv6 DNS64 and NAT64 Configuration 979

Appendix 1: ICMPv6 Type and Code 981

Chapter 8 User Authentication 986

Authentication, Authorization and Accounting 987

Overview 987

External Authentication Procedure 988

Configuring an AAA Server 988

Creating an AAA Server 989

Configuring a Local Authentication Server 990

Configuring the Password Control 990

Allowing Password Change by Local Users 991

Configuring Change Password after First Login 991

Configuring the Password Validity and Password Expiry Warning 992

Configuring the History Password Check 992

Configuring the Password Complexity 993

Specifying User Name Format 994

Configuring a Role Mapping Rule 995

Configuring a User Blacklist 995

Configuring a Backup Authentication Server 995

Configuring the Brute-force Cracking Defense 996

Enabling/Disabling the Brute-force Cracking Defense 996

Configuring the Number of Attempts 997

Configuring the Lockout Time 997

Viewing the Lockout Information 997

Unlocking the User / IP 998

Configuring a RADIUS Authentication Server 998

Configuring LOCAL NAS IP for RADIUS Authentication 999

Configuring the IP Address, Domain Name, or VRouter of the Primary Server 1000

Configuring the IP Address, Domain Name, or VRouter of the Backup Server 1 1000

Configuring the IP Address, Domain Name, or VRouter of the Backup Server 2 1001

Configuring the Port Number 1001

Configuring the Secret 1001

Configuring the Retry Times 1002

Configuring the Timeout 1002

Specifying User Name Format 1003

Specifying a Role Mapping Rule 1003

Configuring the Brute-force Cracking Defense 1004

Enabling/Disabling the Brute-force Cracking Defense 1004

Configuring the Number of Attempts 1004

Configuring the Lockout Time 1005

Viewing the Lockout Information 1005

Unlocking the User / IP 1005

Configuring a User Blacklist 1006

Configuring a Backup Authentication Server 1006

Enabling / Disabling the Authentication Policy 1007

Adding Authentication Policy to Aggregate Policy 1008

Importing Dictionary 1008

Configuring an Active-Directory Authentication Server 1010

Configuring the IP Address, Domain Name, and VRouter of the Primary Server 1011

Configuring the IP Address, Domain Name, VRouter of the Backup Server 1 1012

Configuring the IP Address or Domain Name of the Backup Server 2 1012

Configuring the Port Number 1013

Configuring the Authentication or Synchronization Method 1013

Specifying the Base-DN 1014

Specifying the Synchronization Base-DN 1014

Specifying the Synchronization Object 1015

Specifying the Authentication Base-DN 1015

Specifying the Login DN 1016

Specifying sAMAccountName 1016

Specifying the Login Password 1016

Enabling/Disabling the SSL Encrypted Connection 1017

Specifying User Name Format 1017

Specifying a Role Mapping Rule 1018

Configuring a User Blacklist 1018

Configuring the Brute-force Cracking Defense 1018

Enabling/Disabling the Brute-force Cracking Defense 1019

Configuring the Number of Attempts 1019

Configuring the Lockout Time 1020

Viewing the Lockout Information 1020

Unlocking the User / IP 1020

User Synchronization 1021

Enabling/Disabling User Synchronization 1021

Configuring User Synchronization 1021

Configuring User Filter 1022

Configuring Synchronization Mode of User Information 1023

Configuring a Backup Authentication Server 1024

Configuring the User-Groups under Base-DN Synchronization 1025

Configuring an LDAP Authentication Server 1026

Configuring the IP Address, Domain Name, or VRouter of the Primary Server 1027

Configuring the IP Address, Domain Name, or VRouter of the Backup Server 1 1027

Configuring the IP Address, Domain Name, VRouter of the Backup Server 2 1028

Configuring the Port Number 1028

Configuring the Authentication or Synchronization Method 1029

Specifying the Base-DN 1029

Specifying the Synchronization Base-DN 1030

Specifying the Synchronization Object 1030

Specifying the Authentication Base-DN 1030

Specifying the Login DN 1031

Specifying Authid 1031

Configuring the Login Password 1032

Enabling/Disabling the SSL Encrypted Connection 1032

Specifying the Name Attribute 1032

Specifying the Name Attribute 1033

Specifying the Group-class 1033

Specifying the Member Attribute 1033

Specifying User Name Format 1034

Specifying a Role Mapping Rule 1034

Configuring a User Blacklist 1035

Configuring the Brute-force Cracking Defense 1035

Enabling/Disabling the Brute-force Cracking Defense 1035

Configuring the Number of Attempts 1036

Configuring the Lockout Time 1036

Viewing the Lockout Information 1036

Unlocking the User / IP 1037

User Synchronization 1037

Enabling/Disabling User Synchronization 1037

Configuring User Synchronization 1037

Configuring User Filter 1038

Configuring Synchronization Mode of User Information 1040

Configuring a Backup AAA Server 1040

Configuring TACACS+ Authentication Server 1041

Configuring IP or Domain Name of Primary Authentication Server 1042

Configuring IP Address or Domain Name of Backup Server 1 1042

Configuring IP Address or Domain Name of Backup Server 2 1043

Configuring Port Number of TACACS+ Server 1043

Configuring Secret of TACACS+ Server 1044

Specifying User Name Format 1044

Specifying Role Mapping Rule 1045

Configuring TACACS+ Server 1045

Configuring the Brute-force Cracking Defense 1047

Enabling/Disabling the Brute-force Cracking Defense 1047

Configuring the Number of Attempts 1047

Configuring the Lockout Time 1048

Viewing the Lockout Information 1048

Unlocking the User / IP 1048

Configuring a RADIUS Accounting Server 1049

Enabling/Disabling the Accounting Function 1049

Configuring the IP Address or Domain Name of the Primary/Backup Server 1050

Configuring the Port Number 1050

Configuring the Secret 1051

Enabling/Disabling the Offline Management of Accounting User 1051

Configuring the Extended Password Encryption Algorithm of SM4 1051

Configuring Authentication and Authorization for the Server 1052

Configuring Authentication and Authorization for the Server 1052

Viewing the Authorization Information of the Authentication Server 1053

Viewing Local Server Authentication Enabled Status 1053

Configuring the Authentication Server for the administrator 1053

Viewing and Debugging AAA 1054

Radius Dynamic Authorization 1056

Enabling / Disabling Radius dynamic authorization 1056

Configuring a Radius Dynamic Authorization Server 1056

Configuring the Port Number 1057

Viewing Radius Dynamic Authorization Server Configurations 1057

Radius Snooping 1058

Entering the Radius Snooping Configuration Mode 1058

Enabling the Radius Snooping Function 1058

Specifying the AAA Server 1058

Configuring the Idle Time 1059

Specifying the Force Timeout Time 1059

Configuring the Heartbeat Timeout Value 1060

Configuring the Username Filter 1060

Viewing the Radius Snooping Configuration Information 1061

Configuration Example 1061

Requirement 1061

Configuration Steps 1061

User Identification 1064

Overview 1064

Web Authentication 1064

Entering the WebAuth Configuration Mode 1064

Enabling/Disabling WebAuth 1064

Configuring the WebAuth Mode 1065

Configuring the Single Authentication Mode 1065

Configuring the Combined Authentication Mode 1066

Configuring the Protocol Type of Authentication 1067

Specifying the WebAuth Global Default Configuration of Interface 1067

Configuring the Port Number 1067

Specifying HTTP Proxy Server Port 1068

Configuring the HTTPS Trust Domain 1069

Specifying the Address Type 1069

Configuring Multi-logon Function 1070

Configuring Auto-kickout Function 1070

Enabling/Disabling Proactive WebAuth 1071

Enabling/Disabling the WebAuth of Interface 1072

Configuring the WebAuth Domain Name 1072

Disconnecting a User 1073

Allowing Password Change by Local Users 1074

Configuring a Policy Rule for WebAuth 1075

Customizing WebAuth Login Pages 1076

Customizing the Login Page 1077

Exporting the Login Page 1078

Password Authentication 1078

Configuring the Re-auth Interval 1079

Configuring the Redirect URL Function 1079

Configuring the Forced Timeout Value 1080

Configuring the Idle Timeout Value 1080

Configuring the Heartbeat Timeout Value 1081

SMS Authentication 1082

Configuring the Forced Timeout Value 1082

Configuring the Idle Timeout Value 1083

Configuring the Verification Code Interval 1083

Specifying the Sender Name or Sign Name 1083

Configuring the Verification Code Length 1084

Specifying the Template Code 1084

Specifying SMS Modem to Send SMS 1085

Specifying SMS Gateway to Send SMS 1085

NTLM Authentication 1085

Configuring Forced Timeout Value 1086

Using the Compatibility Mode 1086

Configuring the Idle Timeout Value 1087

Viewing the WebAuth Configuration Information 1087

Viewing the Online User Information 1087

Single Sign-On 1088

Configuring AD Scripting for SSO 1088

Entering the AD Scripting Configuration Mode 1088

Enabling the AD Scripting Function 1088

Specifying the AAA Server 1089

Configuring the Idle Time 1089

Configuring Simultaneously Online Settings 1090

Viewing Configuration Information 1090

Viewing the User Mapping Information 1090

Viewing the Authenticated User Table 1090

Deleting the User Mapping Information 1090

Configuring SSO Radius for SSO 1091

Receiving Radius Accounting Packets 1091

Specifying the AAA Server 1091

Specifying the Port Number for Receiving Radius Packets 1092

Configuring the Radius Client 1092

Configuring the Shared Secret 1092

Configuring the Heartbeat Timeout 1093

Configuring Idle Timeout 1093

Configuring Forced Timeout 1094

Viewing the SSO Radius Configuration Information 1094

Viewing the User Mapping Information 1094

Viewing the Authentication User Table 1095

Deleting the User Mapping Information 1095

SSO via Agile Controller 1095

Entering the Agile Controller Configuration Mode 1095

Enabling/Disabling Agile Controller 1095

Specifying the Port for StoneOS to Receive Agile Controller Packets 1096

Specifying the AAA Server 1096

Specifying Query Address Range 1096

Specifying the Query Rate 1097

Specifying the Query Interval 1097

Specifying the Maximum IPs Queried Each Time 1097

Specifying Forced Timeout 1098

Configuring an Agile Controller Client 1098

Specifying the IP Address of the Agile Controller Server 1098

Configuring the Shared Key 1099

Configuring the Encryption Algorithm 1099

Enabling/Disabling Active Query 1100

Displaying Configuration Information of the Agile Controller 1100

Configuring AD Polling for SSO 1100

Creating an AD Polling Profile 1100

Enabling / Disabling the AD Polling Function 1101

Specifying the Authentication Server 1101

Specifying the AAA Server 1101

Specifying the Account 1102

Specifying the Password 1102

Specifying the AD Polling Interval 1103

Specifying the Client Probing Interval 1103

Specifying the Force Timeout Time 1103

Viewing the AD Polling Configuration 1104

Viewing the User Mapping Information 1104

Viewing the Authenticated User Table 1104

Deleting the User Mapping Information 1104

Configuring SSO Monitor for SSO 1105

Creating SSO Monitor Profile 1105

Enabling/Disabling the SSO Monitor Function 1106

Specifying the External Server 1106

Specifying the AAA Server 1107

Specifying the Port 1107

Specifying the Organization Source 1108

Specifying the Disconnection Timeout 1109

Specifying Forced Timeout of SSO Monitor 1109

Viewing the SSO Monitor Configuration 1110

Viewing the User Mapping Information 1110

Viewing the Authentication User Table 1110

Deleting the User Mapping Information 1110

Configuring TS Agent for SSO 1111

Creating TS Agent Profile 1111

Enabling / Disabling the TS Agent Function 1112

Specifying the TS Agent Server 1112

Specifying the TS Agent Port 1112

Specifying the AAA Server 1113

Specifying the Disconnection Timeout 1113

Specifying the Traffic IP 1113

Viewing the TS Agent Configuration 1114

Viewing the TS Agent Status 1114

Viewing the User Mapping Information 1114

Viewing the Authentication User Table 1114

Deleting the User Mapping Information 1115

Portal Authentication 1115

Configuring a Policy Rule that Triggers the Portal Authentication 1116

Example of Configuring WebAuth 1116

Example of Configuring HTTP WebAuth 1116

Example of Configuring NTLM Authentication 1119

Example of Configuring SSO 1121

Example of Configuring AD Scripting for SSO 1121

Example of configuring AD Polling for SSO 1126

Configuration Examples of Using SSO Monitor for SSO 1127

Configuration Examples of SSO Radius Login 1131

Example of Configuring TS Agent for SSO 1132

Example of Configuring Agile Controller for SSO 1134

Example of Configuring Portal Authentication 1136

802.1X Authentication 1139

Overview 1139

802.1X Architecture 1139

802.1X Authentication Process 1140

Authenticating by EAP-MD5 Method 1140

Authenticating by EAP-TLS Method 1141

Configuring 802.1X Authentication 1141

Configuring an 802.1X Profile 1142

Configuring the Maximum Retry Times 1142

Configuring the Re-auth Period 1142

Configuring the Quiet Period 1143

Configuring the Client Timeout 1143

Configuring the Server Timeout 1144

Specifying the 802.1X Authentication Server 1144

Configuring 802.1X Attributes on Port 1145

Enabling/Disabling 802.1X Authentication 1145

Binding 802.1X Profile to a Port 1145

Configuring the Port Access Control Mode 1145

Configuring the Port Access Control Method 1146

Configuring 802.1X Global Parameters 1146

Configuring the Maximum User Number 1146

Configuring the Timeout of Authenticated Clients 1147

Configuring Multi-logon Function 1147

Configuring Auto-kickout Function 1147

Configuring Manual Kick-out Client 1148

Viewing 802.1X Configurations 1148

PKI 1149

Overview 1149

PKI Function of Hillstone Devices 1150

Configuring PKI 1150

Generating/Deleting a PKI Key Pair 1151

Configuring a PKI Trust Domain 1152

Specifying an Enrollment Type 1152

Specifying a Key Pair 1153

Configuring Subject Content 1153

Adding the Subject Alternative Name 1154

Configuring a CRL 1155

Configuring Online Certificate Status Protocol 1156

Specifying the OCSP Responder 1157

Configuring the Random Number for OCSP Requests 1157

Specifying the Invalidity Time for OCSP Response Information 1158

Importing a CA Certificate 1158

Importing a Key 1159

Importing a Key Pair 1159

Generate a Certificate Request 1160

Importing a Local Certificate 1160

Obtaining a CRL 1161

Importing/Exporting a PKI Trust Domain 1161

Exporting the PKI Trust Domain Information 1161

Importing the PKI Trust Domain Information 1162

Importing a Trust Certificate 1163

Exporting/Importing a Local Certificate 1164

Exporting a Local Certificate 1164

Importing a Local Certificate 1165

Importing Customized Certificate for HTTPS WebAuth 1166

Importing Customized Certificate 1166

Viewing Importing Customized Certificate Information 1167

Certificate Expiry Configurations 1167

Viewing the PKI Configuration Information 1167

Configuring a Certificate Chain 1168

Creating a Certificate Chain 1168

Importing a Certificate Chain 1169

Exporting a Certificate Chain 1170

Viewing Certificate Chain Information 1170

Configuring Certificate Validity Check 1171

Enabling/Disabling Certificate Validity Check 1171

Configuring Certificate Validity Check 1171

Viewing Check Configuration and Check Result of Certificate Validity 1171

Example for Configuring IKE 1172

Requirement 1172

Configuration Steps 1173

Chapter 9 VPN 1181

IPsec Protocol 1182

Overview 1182

Security Association 1182

Establishing an SA 1183

Phase 1 SA 1183

Phase 2 SA 1184

Hash Algorithm 1185

Encryption Algorithm 1186

Compression Algorithm 1186

References 1186

Applying an IPsec VPN 1187

Configuring an IPsec VPN 1187

Improving the Decrypting Performance of IPSec VPN 1188

Improving the New Session Processing Performance of IPSec VPN 1188

Configuring the Number of CPU Cores Used By the System Data Plane 1188

Enabling/Disabling the VPN Multi-Process Function 1189

The asynchronous mode of IPSec 1189

Enabling/Disabling the asynchronous mode of IPSec 1190

Viewing the Information of the Hardware Accelerator 1190

View Statistics on Encryption and Decryption Queues 1190

Manual Key VPN 1191

Creating a Manual Key VPN 1191

Specifying the Encapsulation Mode of IPsec Protocol 1191

Specifying an SPI 1191

Specifying a Protocol Type 1192

Specifying an Encryption Algorithm 1192

Specifying a Hash Algorithm 1193

Specifying a Compression Algorithm 1193

Specifying a Peer IP Address 1194

Configuring a Hash Key for the Protocol 1194

Configuring an Encryption Key for the Protocol 1194

Specifying an Egress Interface 1195

IKEv1 VPN 1195

Configuring a P1 Proposal 1195

Creating a P1 Proposal 1196

Specifying an Authentication Method 1196

Specifying an Encryption Algorithm 1197

Specifying a Hash Algorithm 1197

Selecting a DH Group 1198

Specifying the Lifetime of SA 1199

Configuring an ISAKMP Gateway 1200

Creating an ISAKMP Gateway 1200

Binding an Interface to the ISAKMP Gateway 1200

Configuring an IKE Negotiation Mode 1201

Configuring the Custom IKE Negotiation Port 1201

Configuring the Custom IKE Negotiation Port Pool 1201

Binding the Custom IKE Negotiation Port Pool 1203

Specifying the IP Address and Peer Type 1203

Accepting the Peer ID 1204

Specifying a P1 Proposal 1204

Configuring a Pre-shared Key 1204

Configuring a PKI Trust Domain 1205

Configuring the Trust Domain of Peer Certificate 1205

Configuring the Trust Domain of Encryption Certificate 1205

Configuring the Negotiation Protocol Standard 1206

Configuring a Local ID 1206

Configuring a Peer ID 1207

Specifying a Connection Type 1207

Enabling NAT Traversal 1208

Configuring Auto Routing 1208

Configuring DPD 1209

Specifying Description 1210

Enabling/Disabling ISAKMP SA and IPSec SA Negotiation Separation Mode 1210

Configuring a P2 Proposal 1210

Creating a P2 Proposal 1211

Specifying a Protocol Type 1211

Specifying an Encryption Algorithm 1211

Specifying a Hash Algorithm 1212

Specifying a Compression Algorithm 1213

Configuring PFS 1213

Specifying a Lifetime 1214

Configuring the smart link 1215

Configuring the Smart Link Profile 1216

Creating a Link 1216

Configuring the Link Detection Parameters 1217

Configuring the Threshold of Link Quality Parameters 1218

Configuring the Threshold of Cycle Switching Times 1218

Enabling/Disabling Link Detection and Switch 1219

Activating a Link for Negotiation 1219

Adjusting Link Order 1219

Configuring Silence Period 1219

Configuring a Tunnel 1220

Creating an IKE Tunnel 1220

Enabling /Disabling an IKE Tunnel 1220

Specifying the Encapsulation Mode of IPsec Protocol 1221

Specifying an ISAKMP Gateway 1221

Specifying a Smart Link Profile 1221

Specifying a P2 Proposal 1222

Specifying a Phase 2 ID 1222

Configuring IPsec VPN Traffic Distribution and Limitation 1223

Accepting All Proxy ID 1224

Configuring Auto-connection 1224

Configuring DF-bit 1225

Configuring Anti-replay 1225

Configuring VPN Track and Redundant Backup 1226

Enabling/Disabling Notification of VPN Tunnel Status 1229

Setting a Commit Bit 1229

Specifying Description 1229

IKEv2 VPN 1230

Configuring a P1 Proposal 1230

Creating a P1 Proposal 1230

Specifying a Hash Algorithm 1231

Specifying a PRF Algorithm 1231

Specifying an Encryption Algorithm 1232

Selecting a DH Group 1232

Specifying the Lifetime of SA 1233

Configuring an IKEv2 Peer 1233

Creating an IKEv2 Peer 1233

Binding an Interface to the IKE Peer 1234

Specifying the Remote IP Address 1234

Specifying an Authentication Method 1234

Specifying a P1 Proposal 1235

Configuring a Local ID 1235

Specifying a Connection Type 1235

Configuring Auto Routing 1236

Creating an IKEv2 Profile 1236

Configuring a Remote ID 1237

Configuring a Pre-shared Key 1237

Configuring the Secured Data Traffic 1237

Configuring a P2 Proposal 1238

Specifying a Protocol Type 1239

Specifying a Hash Algorithm 1239

Specifying an Encryption Algorithm 1240

Configuring PFS 1240

Specifying a Lifetime 1241

Configuring a Tunnel 1241

Creating an IKEv2 Tunnel 1241

Specifying the Operation Mode 1242

Specifying an IKEv2 Peer 1242

Specifying a P2 Proposal 1242

Configuring Auto-connection 1243

XAUTH 1243

Enabling an XAUTH Server 1244

Configuring an XAUTH Address Pool 1244

Binding an Address Pool to the XAUTH Server 1246

Configuring IP Binding Rules 1246

Changing the Sequence of IP-Role Binding 1247

Configuring a WINS/DNS Server 1248

Kicking out an XAUTH Client 1248

Configuring Tunnel Quota for Non-root VSYS 1249

Viewing IPsec Configuration 1249

Examples of Configuring IPsec VPN 1251

Example of Configuring Manual Key VPN 1252

Requirement 1252

Configuration Steps 1252

Example of Configuring IKE VPN 1257

Requirement 1257

Configuration Steps 1257

Example of Configuring Route-based VPN Track and Redundant Backup 1264

Requirement 1264

Configuration Steps 1265

Example of Configuring Policy-based VPN Track and Redundant Backup 1272

Requirement 1272

Configuration Steps 1273

Example of Configuring XAUTH 1280

Requirement 1280

Configuration Steps 1280

Example of Using IPsec VPN in HA Peer Mode 1284

Configuration Steps 1284

SSL VPN 1289

Overview 1289

Configuring SSL VPN Server 1289

Configuring an IPv4 Access Address Pool 1290

Configuring an IP Range of the Address Pool 1291

Configuring Reserved Addresses 1292

Configuring IP Binding Rules 1292

Binding an IP to a User 1293

Binding an IP to a Role 1293

Changing the Sequence of IP-Role Binding 1294

Configuring a DNS Server 1294

Configuring a WINS Server 1294

Viewing IPv4 Address Pool 1295

Configuring an IPv6 Access Address Pool 1296

Configuring an IP Range of the Address Pool 1297

Configuring Reserved Addresses 1297

Configuring IP Binding Rules 1298

Binding an IP to a User 1298

Binding an IP to a Role 1299

Changing the Sequence of IP-Role Binding 1299

Configuring a DNS Server 1300

Viewing IPv6 Address Pool 1300

Configuring Resources List 1302

Adding Resource Items 1303

Viewing Resource List 1303

Configuring a UDP Port 1304

Configuring an SSL VPN Instance 1304

Specifying the Service Type 1305

Specifying an Access Address Pool 1306

Specifying a Server Interface 1306

Specifying an SSL Protocol Version 1307

Specifying a PKI Trust Domain 1308

Specifying an Encryption Trust Domain 1308

Specifying Tunnel Cipher Suite 1309

Specifying an AAA Server 1309

Specifying an HTTPS Port Number 1310

Configuring the Transport Protocol 1311

Configuring an SCVPN Tunnel Route 1311

Configuring an IPv4 Tunnel Route to the Specified Network Segment 1311

Configuring an IPv6 Tunnel Route to the Specified Network Segment 1312

Configuring a Tunnel Route to the Specified Domain Name 1312

Configuring Anti-replay 1313

Configuring Packet Fragmentation 1314

Configuring Idle Time 1314

Configuring Multi-logon 1315

Configuring URL Redirection 1315

URL Format 1316

Clearing Cache Data of the Host that Uses the SSL VPN Client 1316

Using SSL VPN in HA Peer Mode 1316

Binding L2TP VPN Instance 1318

Binding Resources 1318

Enabling/Disabling the Browser Download Function 1319

Binding SSL VPN Instance to a Tunnel Interface 1319

Authentication with USB Key Certificate 1320

Enabling USB Key Certificate Authentication 1321

Importing a USB Key Certificate to a Trust Domain 1321

Specifying a Trust Domain for the CA Certificate 1322

Two-Step Verification 1322

Enabling/Disabling Two-Step Verification 1322

Specifying the Type of Two-Step Verification 1323

Token Authentication 1323

Configuring Prompt Message 1323

SMS Authentication 1323

Modem Authentication 1324

Configuring a Mobile Phone Number for SMS Authentication 1325

Configuring Expiration Time of SMS Auth-code 1325

Configuring the SMS Verification Code Length 1326

Configuring the SMS Verification Content 1326

Configuring a Maximum SMS Number 1326

Sending a Test Message 1327

Viewing SMS Modem Settings 1327

SMS Gateway Authentication 1327

Specifying the Default Protocol Type of SMS gateway 1328

Creating an SP Instance 1328

Specifying the VRouter 1331

Specifying the Request Method 1331

Specifying the Charset 1331

Specifying the UMS/ACC/ALIYUNSMS/CAS/BEIKE Protocol 1332

Specifying the URL 1332

Specifying the Success Code 1332

Specifying the Attributes 1333

Specifying the Gateway Address and Port Number 1334

Specifying the Number to Send Auth-message 1335

Specifying the Device ID 1335

Specifying the Username and Password 1336

Specifying the Template Parameter 1336

Specifying a Maximum SMS Number 1336

Enabling/Disabling the Sending Sign Code Function 1337

Sending a Test Message 1337

Specifying the Company Code 1338

Specifying the AccessKeyId 1338

Specifying the AccessKeySecret 1338

Specifying Instance of SMS Gateway 1339

Enabling/Disabling SMS Gateway Authentication 1339

Specifying the Sender Name or Sign Name 1339

Specifying the Template Code 1340

Sending a Test Message 1340

Specifying the Request Type 1341

Specifying the Organization Code 1341

Specifying the SMS Service Type 1342

Specifying the Trading Code 1342

Specifying the Channel 1342

Viewing SMS Gateway Settings 1343

Viewing SMS Statistic Information 1343

Email Authentication 1343

Configuring the Email Address 1344

Specifying the Email Server 1344

Configuring the Verification Code Length 1345

Configuring the Lifetime of Email Verification Code 1345

Configuring the Sender Name 1346

Configuring the Email Verification Content 1346

Host Binding 1346

Enabling Host Binding 1347

Approving a Candidate 1348

Configuring a Super User 1348

Configuring a Shared Host 1348

Increasing/Decreasing Pre-approved Hosts 1349

Clearing a Binding List 1350

Exporting/Importing a Binding List 1350

Host Check 1351

Checked Factors 1351

Role Based Access Control and Host Check Procedure 1352

Configuring a Host Check Profile 1353

Configuring a Host Check Profile via WebUI 1353

Referencing a Host Check Profile to a Rule 1357

Selecting an Optimal Path 1359

Kicking out an SSL VPN Client 1362

Configuring Change Password URL of the Client 1363

Configuring Forgot Password URL of the Client 1363

Exporting and Importing a User-list File 1363

Exporting a User-list File 1364

Importing a User-list File 1365

Control the Access by Using the Radius Server 1366

Configuring Radius Server 1367

General Configuration 1367

Configuring SSL Cipher Suite 1368

Allowing Password Change by Local Users 1368

Customizing Client Download Source 1369

Viewing Secure Connect Client Information 1371

Customizing the Background Picture of Client Download Page 1371

Configuring Upgrade URL for Windows Type Client 1372

Customizing the Page Title 1373

1373

Viewing SSL VPN Settings 1373

Hillstone Secure Connect Client for Windows 1374

Downloading and Installing the Client 1375

Starting Up and Connecting 1376

Editing and Deleting Login Entry 1384

Viewing Connection and Statistics Information 1384

Viewing Interface and Routing Information 1386

Viewing Log Information 1387

Third-party USB Key 1387

Client Menu 1389

General Configuration 1390

Uninstalling the Client 1390

Hillstone Secure Connect Client for Linux 1390

Downloading and Installing the Client 1391

Starting Up and Connecting 1391

Editing and Deleting Login Entry 1396

Viewing Connection and Statistics Information 1396

Viewing Interface and Routing Information 1397

Viewing Log Information 1398

Client Menu 1399

General Configuration 1400

Hillstone Secure Connect Client for Android 1400

Downloading and Installing the Client 1400

Starting Up and Connecting 1401

Editing and Deleting Login Entry 1405

Viewing Connection Information 1405

Hillstone Secure Connect Client for iOS 1407

Downloading and Installing the Client 1407

Starting Up and Connecting 1407

Editing and Deleting Login Entry 1411

Viewing Connection Information 1411

Hillstone Secure Connect Client for macOS 1412

Downloading and Installing the Client 1413

Starting Up and Connecting 1414

Editing and Deleting Login Entry 1418

Viewing Connection and Statistics Information 1418

Viewing Interface and Routing Information 1419

Viewing Log Information 1420

Client Menu 1421

General Configuration 1422

Uninstalling the Client 1422

Example of Configuring URL Redirect 1422

Configuration Steps 1423

Examples of Configuring SSL VPN 1425

Requirement 1425

Example 1 1426

Example 2 1428

Preparations 1428

Configuration Steps 1428

Example of Configuring Host Check 1430

Requirements 1430

Configuration Steps 1431

Example of Configuring Optimal Path 1438

Requirement 1 1438

Using SSL VPN Server to Choose an Optimal Path 1439

Using SSL VPN Client to Choose an Optimal Path 1442

Requirement 2 1443

Using SSL VPN Server to Choose an Optimal Path 1444

Using SSL VPN Client to Choose an Optimal Path 1446

Dial-up VPN 1448

Overview 1448

Applying Dial-up VPN 1448

Configuring the Center Device 1448

Configuring P1 Proposal 1449

Creating a P1 Proposal 1449

Specifying an Authentication Method 1449

Specifying an Encryption Algorithm 1450

Specifying a Hash Algorithm 1450

Selecting a DH Group 1451

Specifying an SA Lifetime 1452

Configuring an ISAKMP Gateway 1452

Creating an ISAKMP Gateway 1452

Specifying an AAA Server for ISAKMP Gateway 1453

Binding an Interface to the ISAKMP Gateway 1453

Configuring an IKE Negotiation Mode 1453

Specifying a Peer Type 1454

Specifying P1 Proposal 1454

Configuring a Pre-shared Key 1454

Configuring a PKI Trust Domain 1455

Configuring a Local ID 1455

Specifying a Connection Type 1456

Enabling NAT Traversal 1456

Configuring DPD 1456

Specifying Description 1457

Configuring P2 Proposal 1457

Creating P2 Proposal 1457

Specifying a Protocol Type 1458

Specifying an Encryption Algorithm 1458

Specifying a Hash Algorithm 1459

Configuring PFS 1459

Specifying a Lifetime/Lifesize 1460

Configuring a Tunnel 1461

Creating an IKE Tunnel 1461

Specifying an IPsec Mode 1461

Specifying an ISAKMP Gateway 1461

Specifying P2 Proposal 1462

Specifying a Phase 2 ID 1462

Creating an IPSec SA When There is Inclusion Relation for ID 1463

Configuring IPSec Balancing and Filtering 1463

Enabling Auto Connection 1463

Configuring Packet Fragmentation 1464

Configuring Anti-replay 1464

Configuring Commit Bit 1465

Configuring Idle Time 1465

Specifying Description 1465

Configuring Auto Routing 1466

Configuring a Dial-up User 1467

Creating a Dial-up User Account 1467

Generating a Pre-shared Key for Dial-up User 1467

Configuring the Dial-up Client 1468

Example of Configuring Dial-up VPN 1468

Requirement 1468

Configuring the Center Device 1468

Configuring Dial-up Client 1 1471

Configuring Dial-up Client 2 1473

PnPVPN 1476

Overview 1476

PnPVPN Workflow 1476

PnPVPN Link Redundancy 1477

Configuring a PnPVPN Server 1477

Configuring a PnPVPN Server Using CLI 1477

Configuring User’s Network 1478

Configuring Tunnel Network 1479

Configuring Wildcard of ISAKMP Gateway’s Peer 1480

Configuring Tunnel Interface of PnPVPN Client 1480

Configuring a PnPVPN Server Using WebUI 1481

Configuring a User 1482

Configuring IKE VPN 1482

Configuring a Tunnel Interface 1485

Configuring a Route 1486

Configuring a Policy 1486

Configuring a PnPVPN Client 1486

Example of Configuring PnPVPN 1488

Requirement 1488

Configuration Steps 1490

Configuring the Server 1490

Configuring the Clients 1494

GRE 1496

Overview 1496

Configuring GRE 1496

Configuring a GRE Tunnel 1496

Specifying a Source Interface/Address 1497

Specifying a Destination Address 1497

Specifying an Egress Interface 1498

Specifying an IPsec VPN Tunnel 1498

Specifying a Verification Key 1498

Binding the GRE Tunnel to a Tunnel Interface 1499

Viewing GRE Tunnel Information 1499

Example of Configuring GRE Tunnel 1499

Requirement 1500

Configuration Steps 1500

Configuring the Center 1500

Configuring the Branch 1503

L2TP 1507

Overview 1507

Typical L2TP Tunnel Network 1507

L2TP over IPSec 1508

Configuring LNS 1509

Configuring an Address Pool 1509

Configuring the IP Range of the Address Pool 1510

Configuring the Reserved IP Address 1510

Configuring IP Binding Rules 1511

Configuring a Static IP Binding Rule 1511

Configuring a Role-IP Binding Rule 1512

Moving a Role-IP Binding Rule 1512

Configuring an L2TP Instance 1513

Specifying the IP Address Assignment Method 1514

Specifying an Address Pool 1514

Configuring a DNS Server 1515

Configuring a WINS Server 1515

Specifying the Egress Interface of the Tunnel 1515

Specifying an AAA Server 1516

Specifying a PPP Authentication Protocol 1516

Specifying the Hello Interval 1517

Enabling Tunnel Authentication 1517

Specifying the Secret String 1518

Specifying the Local Name of LNS 1518

Enabling AVP Hidden 1518

Specifying the Window Size of the Tunnel Data 1519

Configuring Multi-Logon 1519

Enabling/Disabling User-Specified Client IP 1519

Specifying the Retry Times of Control Packets 1520

Referencing an IPsec Tunnel 1520

Configuring Mandatory LCP Phase 1521

Enabling/Disabling Calculating the Checksum of UDP Packet 1521

Binding the L2TP Instance to a Tunnel Interface 1521

Specifying the ACF Information Carried by PPP Data 1522

Kicking out a User 1523

Restarting a Tunnel 1523

Viewing L2TP Information 1523

Configuring L2TP Client 1524

Configuring Device as L2TP Client 1524

Configuring an L2TP Client Instance 1524

Specifying the Tunnel Interface 1525

Specifying IP Address of LNS 1526

Specifying Keepalive of Tunnel 1526

Configuring Auto Connect 1526

Specifying a PPP Authentication Protocol 1527

Specifying the LCP-echo Interval and Transmit Retries 1527

Specifying the User Name and Password of L2TPClient 1528

Specifying the Retry Times of Control Packets 1528

Clear L2TP Client Connection 1528

View L2TP Client Instance Information 1529

Configuring L2TPv3 Tunnel 1529

Example of Configuring L2TP 1531

Requirement 1531

Configuration Steps 1532

Configurations on LNS 1532

Configurations on the Client 1534

Creating an L2TP Dial-up Connection 1535

Configuring L2TP Dial-up Connection 1535

Modifying the Registry 1538

Connecting to LNS from the Client 1539

Example of Configuring L2TP over IPsec 1540

Requirement 1540

Configuration Steps 1541

Configurations on LNS 1541

Configurations on the Client 1544

Creating L2TP Dial-up Connection 1544

Configuring the L2TP Dial-up Connection 1545

Enabling IPsec Encryption 1546

Connecting LNS from the Client 1546

VXLAN 1546

Overview 1546

Creating VXLAN Static Tunnel 1547

Viewing VXLAN Configuration 1548

Chapter 10 Zero Trust Network Access (ZTNA) 1549

Introduction 1549

Configuring ZTNA Service 1551

Configuring Endpoint Tag 1551

Creating an Endpoint Tag 1552

Configuring a Criteria Set 1553

Configuring a Condition 1553

Configuring a Tip 1554

Viewing Endpoint Tag Configuration Information 1555

Managing Endpoint Items 1557

Windows Endpoint Item Management 1558

Configuring a Custom Windows Endpoint Item 1561

Defining Registry Key as Endpoint Item 1561

Defining Running Process as Endpoint Item 1562

Defining Running Service as Endpoint Item 1562

Defining Installed Service as Endpoint Item 1563

Defining File as Endpoint Item 1564

Defining Hot Fix as Endpoint Item 1564

Viewing Windows Endpoint Item Configuration Information 1565

macOS Endpoint Item Management 1565

Configuring a Custom macOS Endpoint Item 1567

Defining AD Domain Name as Endpoint Item 1567

Defining Running Process as Endpoint Item 1568

Defining Running Service as Endpoint Item 1568

Defining Installed Service as Endpoint Item 1569

Defining File as Endpoint Item 1570

Viewing macOS Endpoint Item Configuration Information 1570

Linux Endpoint Item Management 1570

Configuring a Custom Linux Endpoint Item 1572

Defining Running Process as Endpoint Item 1572

Defining Running Service as Endpoint Item 1573

Defining Installed Service as Endpoint Item 1573

Defining File as Endpoint Item 1574

Viewing Linux Endpoint Item Configuration Information 1574

iOS Endpoint Item Management 1575

Configuring a Custom iOS Endpoint Item 1576

Defining Device Model as Endpoint Item 1576

Defining WiFi SSID as Endpoint Item 1577

Defining ZTNA Client Version as Endpoint Item 1577

Viewing iOS Endpoint Item Configuration Information 1578

Android Endpoint Item Management 1578

Configuring a Custom Android Endpoint Item 1579

Defining Device Model as Endpoint Item 1579

Defining WiFi SSID as Endpoint Item 1580

Defining ZTNA Client Version as Endpoint Item 1580

Viewing Android Endpoint Item Configuration Information 1581

Configuring the Endpoint Monitoring Period 1581

Viewing Endpoint Monitoring Configuration Information 1582

Viewing Endpoint Information Database 1582

Configuring Application Resource/Application Resource Group 1583

Creating an Application Resource 1583

Configuring an IP-Based Application Resource Entry 1584

Configuring an IP Range-Based Application Resource Entry 1585

Configuring a Domain Name-Based Application Resource Entry 1586

Configuring Hyperlink for an Application Resource 1587

Configuring Description for an Application Resource 1587

Renaming an Application Resource 1588

Viewing Application Resource Configuration Information 1588

Viewing Application Resource Configuration Information According to Filter Conditions 1589

Viewing Reference Information of an Application Resource 1590

Creating an Application Resource Group 1590

Adding Members to an Application Resource Group 1591

Configuring Description for an Application Resource Group 1591

Renaming an Application Resource Group 1591

Viewing Application Resource Group Configuration Information 1592

Viewing Reference Information of an Application Resource Group 1592

Configuring ZTNA Policy 1594

Creating a ZTNA Policy 1596

Configuring the ZTNA Policy Name 1597

Binding an Application Resource/Application Resource Group 1597

Binding an Endpoint Tag 1598

Binding a User/User Group 1598

Configuring a Schedule 1599

Specifying the Action 1599

Enabling/Disabling a ZTNA Policy 1600

Configuring Description for a ZTNA Policy 1600

Log Management of ZTNA Policies 1600

Binding Anti-Virus Profile 1601

Binding Sandbox Profile 1602

Binding IPS Profile 1602

Binding File Filter Profile 1603

Binding File Content Filter Profile 1603

Entering Global ZTNA Policy Configuration Mode 1603

Specifying the Default Action 1604

Enabling/Disabling ZTNA Session Rematch 1604

Log Management of ZTNA Default Policy 1605

Moving a ZTNA Policy 1605

Viewing ZTNA Policy Configuration Information 1605

Viewing ZTNA Policy Statistics Information 1607

Clearing ZTNA Policy Statistics Information 1607

Configuring Access Address Pool 1608

Configuring an IPv4 Access Address Pool 1608

Configuring an IP Range of the Address Pool 1608

Configuring Reserved Addresses 1609

Configuring IP Binding Rules 1609

Binding an IP to a User 1610

Binding an IP to a Role 1610

Changing the Sequence of IP-Role Binding 1611

Configuring a DNS Server 1611

Configuring a WINS Server 1612

Viewing IPv4 Address Pool 1612

Configuring an IPv6 Access Address Pool 1613

Configuring an IP Range of the Address Pool 1614

Configuring Reserved Addresses 1614

Configuring IP Binding Rules 1615

Binding an IP to a User 1616

Binding an IP to a Role 1616

Changing the Sequence of IP-Role Binding 1616

Configuring a DNS Server 1617

Viewing IPv6 Address Pool 1617

Configuring ZTNA Instance 1620

Specifying the Service Type 1621

Specifying an Access Address Pool 1621

Specifying a Server Interface 1622

Specifying an SSL Protocol Version 1622

Specifying a PKI Trust Domain 1623

Specifying an Encryption Trust Domain 1624

Specifying a Tunnel Cipher Suite 1624

Specifying an AAA Server 1625

Specifying an SSL Port Number 1626

Configuring the Transport Protocol 1626

Configuring a ZTNA Tunnel Route 1626

Configuring a ZTNA Tunnel Route to the Specified IPv4 Network Segment 1627

Configuring a ZTNA Tunnel Route to the Specified IPv6 Network Segment 1627

Configuring a ZTNA Tunnel Route to the Specified Domain Name 1628

Configuring Anti-Replay 1629

Configuring Packet Fragmentation 1629

Configuring Idle Time 1630

Configuring Multi-Logon 1630

Configuring Multi-Gateway Address 1631

Configuring URL Redirection 1632

URL Format 1632

Enabling/Disabling the Browser Download Function 1633

Binding ZTNA Instance to a Tunnel Interface 1633

Authentication with USB Key Certificate 1633

Enabling USB Key Certificate Authentication 1634

Importing a USB Key Certificate to a Trust Domain 1634

Specifying a Trust Domain for the CA Certificate 1635

Configuring Two-Step Verification 1636

Enabling/Disabling Two-Step Verification 1636

Specifying the Type of Two-Step Verification 1636

Token Authentication 1637

Configuring Prompt Message 1637

SMS Authentication 1637

Modem Authentication 1637

Configuring a Mobile Phone Number for SMS Authentication 1638

Configuring Expiration Time of SMS Authentication Code 1639

Configuring the SMS Authentication Code Length 1639

Configuring the SMS Authentication Code Content 1639

Configuring a Maximum SMS Number 1640

Sending a Test Message 1640

Viewing SMS Modem Settings 1641

SMS Gateway Authentication 1641

Specifying the Default Protocol Type of SMS Gateway 1641

Creating an SP Instance 1642

Specifying the VRouter 1644

Specifying the Request Method 1644

Specifying the Charset 1645

Specifying the UMS/ACC/ALIYUNSMS/CAS/BEIKE Protocol 1645

Specifying the URL 1645

Specifying the Success Code 1646

Specifying the Attributes 1646

Specifying the Gateway Address and Port Number 1648

Specifying the Template Parameter 1648

Enabling/Disabling the Sending Sign Code Function 1649

Specifying the Number to Send Auth-message 1649

Specifying the Device ID 1650

Specifying the User Name/User ID and Password 1650

Specifying a Maximum SMS Number 1651

Specifying the Company Code 1651

Specifying the AccessKeyId 1651

Specifying the AccessKeySecret 1652

Specifying Instance of SMS Gateway 1652

Specifying the Sender Name or Sign Name 1652

Specifying the Template Code 1653

Specifying the Request Type 1653

Specifying the Organization Code 1654

Specifying the SMS Service Type 1654

Specifying the Trading Code 1655

Specifying the Channel 1655

Sending a Test Message 1655

Viewing SMS Gateway Settings 1656

Viewing SMS Statistic Information 1656

Email Authentication 1656

Configuring the Email Address 1657

Specifying the Email Server 1658

Configuring the Verification Code Length 1658

Configuring the Lifetime of Email Verification Code 1658

Configuring the Sender Name 1659

Configuring the Email Verification Content 1659

Configuring Single Packet Authorization (SPA) 1660

Enabling/Disabling SPA 1660

Configuring Local Knock Port 1661

Configuring the Hidden IP and Port Number 1661

Viewing SPA Configuration Information 1662

Viewing SPA Permit Entries 1662

Managing Endpoint Tag Logs 1663

Enabling/Disabling Endpoint Tag Log 1663

Clearing Endpoint Tag Logs 1663

Sending Endpoint Tag Logs 1663

Configuring Disk Storage Space Threshold 1664

Configuring the Quota of Endpoint Tag Log Buffer 1664

Viewing Endpoint Tag Logs 1665

ZTNA Portal 1666

Other Configurations 1667

Force Disconnecting a ZTNA User 1667

Configuring Change Password URL of the Client 1667

Configuring Forgot Password URL of the Client 1668

Configuring Client Auto-Connection 1668

General Configuration 1669

Configuring SSL Cipher Suite 1669

Allowing Password Change by Local Users 1669

Customizing Client Download Source 1671

Viewing Secure Connect Client Information 1672

Customizing the Background Picture of Client Download Page 1672

Configuring Upgrade URL for Windows Type Client 1674

Customizing the Page Title 1675

Viewing ZTNA Information 1675

Example of Configuring ZTNA 1677

Networking and Requirement 1677

Configuration Steps 1677

Chapter 11 Traffic Management 1682

QoS /iQoS 1683

Switching iQoS/QoS 1683

iQoS 1683

iQoS Implementation 1684

Function Overview 1685

Multiple-level Pipes 1685

Process of iQoS 1687

Configuring iQoS 1689

Specifying Traffic Control Level 1689

Enabling/Disabling Traffic Control Level/Root Pipe/Sub Pipe 1690

Enabling/Disabling NAT IP Matching 1690

Creating a Root Pipe 1691

Creating a Sub Pipe 1692

Configuring a Traffic Matching Condition 1693

Configuring a Traffic White List 1695

Configuring the Trigger Threshold for the Maximum Floating Bandwidth 1697

Configuring Traffic Management Actions for a Root Pipe 1698

Configuring Traffic Management Actions for a Sub Pipe 1701

Configuring a Traffic Control Mode for a Root Pipe 1703

Configuring a Schedule for a Root Pipe 1704

Configuring a Schedule for a Sub Pipe 1705

Binding a Root Pipe to the QSM Module 1705

Viewing Configurations of Traffic Control Levels and Pipes 1705

Configuring Threshold Alarm 1706

Enabling/Disabling Threshold Alarm 1706

Specifying the Alarm Threshold 1706

Viewing the Status of Threshold Alarm 1706

QoS 1707

Overview 1707

QoS Implementation 1707

Classification and Marking 1708

Classification 1708

Marking 1709

802.1Q/p 1709

IP Precedence and DSCP 1709

Policing and Shaping 1710

Token Bucket Algorithm 1711

Congestion Management 1712

Congestion Avoidance 1713

Configuring QoS 1713

Configuring a Class 1713

Configuring an Application Matching Condition 1714

Configuring a DSCP Matching Condition 1715

Configuring a CoS Matching Condition 1715

Configuring an IP Range Matching Condition 1716

Configuring an Address Entry Matching Condition 1716

Configuring a QoS Tag Matching Condition 1717

Configuring an IP Precedence Matching Condition 1717

Configuring an Ingress Interface Matching Condition 1718

Configuring a Role/User/User Group Matching Condition 1718

Viewing the Class Information 1718

Configuring a QoS Profile 1719

Specifying the Minimum Bandwidth 1721

Configuring Policing 1721

Configuring Shaping 1723

Configuring IP-based QoS (IP QoS) 1724

Configuring an IP QoS Priority 1726

Configuring LLQ 1727

Configuring Congestion Avoidance 1727

Configuring CoS 1728

Configuring DSCP 1728

Configuring IP Precedence 1729

Configuring a Matching Priority 1729

Configuring an Exception Policy 1729

Configuring Role-based QoS (Role QoS) 1731

Nesting a QoS Profile 1733

Specifying a QoS Operation for the Egress Interface 1733

Disabling a Class 1734

Binding to an Interface 1734

Viewing QoS Information of an Interface 1735

Viewing QoS Profile Information 1735

FlexQoS 1736

Configuring Global FlexQoS 1736

Configuring FlexQoS for a Class 1737

Multi-level QoS 1737

Examples of Configuring QoS 1738

Example 1: Configuring a Matching Priority 1739

Example 2: Classification and Marking 1740

Example 3: Policing and Shaping 1741

Example 4: Application QoS 1742

Example 5: CBWFQ 1743

Example 6: LLQ & Congestion Avoidance 1744

Example 7: IP QoS (1) 1746

Example 8: IP QoS (2) 1747

Solution 1 1747

Solution 2 1749

Example 9: Multi-VR Application in IP QoS 1751

Example 10: IP QoS Priority 1755

Example 11: Role QoS 1757

Example 12: Nest QoS Profile 1759

Example 13: Multi-level QoS 1762

Configuring First-level Application QoS 1763

Configuring Second-level IP QoS 1765

Example 14: Comprehensive QoS Application 1767

Requirement 1767

Configuration Steps 1768

Configuration Recommendations 1777

Load Balancing 1778

Server Load Balancing 1779

Adding/Deleting SLB Server Pool 1779

Configuring Parameters for SLB Server Pool Entry 1780

Assigning an Algorithm for SLB 1781

Adding/Deleting Track Rule for SLB 1782

Configuring Threshold Value 1783

Binding SLB Server Pool Entry to DNAT Rule 1783

Viewing SLB Status 1784

Load Balancing 1784

Inbound LLB 1785

Enabling SmartDNS 1785

Configuring a SmartDNS Rule Table 1785

Creating a SmartDNS Rule Table 1785

Specifying the Domain Name 1786

Specifying the Return IP 1786

Outbound LLB 1788

Configuring LLB Profile 1788

Viewing the Link Detection Result for a Specified Domain Name 1793

Configuring LLB Rule 1793

Viewing LLB Configuration 1794

Example of Configuring LLB 1796

Requirement 1796

Configuration Steps 1797

Session Limit 1800

Creating a Session Limit Rule 1800

Viewing Session Limit 1802

Pre-discarding Packets of Receiving Queue 1802

Configuring Pre-discarding Packets of Receiving Queue 1803

Viewing the Information of Pre-discarding Packets of Receiving Queue 1803

Traffic Quota 1803

Configuring Traffic Quota 1804

Creating a Traffic Quota Profile 1804

Specifying the Daily Quota/Monthly Quota 1804

Creating a User Traffic Quota Rule 1805

Specifying the User of User Traffic Quota Rule 1805

Binding a Traffic Quota Profile to a User Traffic Quota Rule 1806

Creating a User Group Traffic Quota Rule 1806

Specifying the User Group of User Group Traffic Quota Rule 1806

Binding a Traffic Quota Profile to a User Group Traffic Quota Rule 1807

Adjusting Traffic Quota Rule Priority 1807

Enabling/Disabling the Traffic Quota Function in the Zone 1808

Resetting the User Used Traffic 1808

Viewing the Traffic Quota Profile Information 1809

Viewing the User Traffic Quota Rule Information 1809

Viewing the User Group Traffic Quota Rule Information 1809

Viewing the Zone with Traffic Quota Function Enabled 1809

Viewing the Traffic Quota Statistics 1809

Chapter 12 Threat Prevention 1810

Host Defense 1812

Host Blacklist 1812

Adding a Blacklist Entry 1813

Modifying a Schedule 1814

Enabling or Disabling a Blacklist Entry 1814

Enabling or Disabling Blacklist Logs 1815

Viewing the Host Blacklist Content 1815

Deleting a Host Blacklist Entry 1815

IP-MAC Binding 1816

Static Binding 1816

Adding a Static IP-MAC Binding 1817

Adding a Static IP-Port Binding 1817

Only Allowing Hosts with Static IP-MAC Binding to Access the Internet 1818

Dynamic IP-MAC-Port Binding 1818

ARP Learning 1818

ARP Learning Limit 1819

MAC Learning 1819

Viewing IP-MAC-Port Binding Information 1820

Clearing ARP Binding Information 1820

Forcing Dynamic MAC-Port Binding 1820

DHCP Snooping 1821

Enabling/Disabling DHCP Snooping 1821

Configuring DHCP Snooping 1822

Configuring DHCP Packet Rate Limit 1822

Viewing DHCP Snooping Configuration Information 1823

DHCP Snooping List 1823

ARP Inspection 1824

Enabling/Disabling ARP Inspection 1825

Configuring a Trusted Interface 1825

Configuring an ARP Rate 1826

ARP Defense 1826

Attack Defense 1827

Common Network Attacks 1827

IP Address Spoofing 1827

ARP Spoofing 1827

Land Attack 1827

Smurf Attack 1828

Fraggle Attack 1828

Teardrop Attack 1828

WinNuke Attack 1828

SYN Flood 1829

ICMP Flood and UDP Flood 1829

ICMP Redirect Attack 1829

IP Address Sweep and Port Scan 1829

Ping of Death Attack 1830

IP Fragment Attack 1830

IP Option Attack 1830

Huge ICMP Packet Attack 1830

TCP Flag Attack 1830

DNS Query Flood Attack 1831

DNS Reply Flood Attack 1831

TCP Split Handshake Attack 1831

SIP Flood 1831

Configuring Attack Defense 1831

Configuring IP Address Sweep Attack Defense 1833

Configuring ICMP Redirect Attack Defense 1834

Configuring IP Protocol Scan Attack Defense 1835

Configuring TCP Port Scan Attack Defense 1835

Configuring UDP Port Scan Attack Defense 1836

Configuring IP Address Spoofing Attack Defense 1837

Configuring SYN Flood Attack Defense 1837

Configuring SYN-Proxy 1839

Configuring SIP Flood Attack Defense 1840

Configuring ICMP Flood Attack Defense 1841

Configuring UDP Flood Attack Defense 1842

Configuring Flood Protection Threshold Learning 1843

Configuring Large ICMP Packet Attack Defense 1846

Configuring WinNuke Attack Defense 1846

Configuring Ping of Death Attack Defense 1847

Configuring Teardrop Attack Defense 1847

Configuring IP Option Attack Defense 1847

Configuring TCP Option Anomaly Attack Defense 1848

Configuring Land Attack Defense 1849

Configuring IP Fragment Attack Defense 1849

Configuring Smurf and Fraggle Attack Defense 1850

Configuring ARP Spoofing Attack Defense 1850

Configuring DNS Query Flood Attack Defense 1851

Configuring DNS Reply Flood Attack Defense 1853

Configuring TCP Split Handshake Attack Defense 1854

Configuring an Attack Defense Whitelist 1855

Viewing the Attack Defense Configuration and Statistics of the Security Zone 1856

Examples of Configuring Attack Defense 1856

Example of Configuring Land Attack Defense 1856

Requirement 1856

Configuration Steps 1857

Example of Configuring SYN Flood Attack Defense 1858

Requirement 1859

Configuration Steps 1859

Example of Configuring IP Address Sweep Attack Defense 1860

Requirement 1860

Configuration Steps 1860

Anti-Virus 1863

Configuring Anti-Virus 1863

Configuring Log Aggregation and Aggregation Time 1864

Creating an AV Profile 1865

Enabling Malicious Website Detection 1865

Specifying Malicious Website Detection Action 1866

Specifying a Protocol Type 1867

Specifying a File Type 1868

Label Email 1870

Enabling/Disabling Label Email 1871

Configuring Email Signature 1871

Binding an AV Profile to a Security Zone 1871

Binding an AV Profile to a Policy Rule 1872

Viewing AV Profile Information 1874

Configuring Decompression Control Function 1874

Updating AV Signature Database 1874

Configuring an AV Signature Update Mode 1875

Configuring an Update Protocol 1875

Configuring an Update Server 1875

Specifying an HTTP Proxy Server 1876

Specifying an Update Schedule 1876

Updating Now 1877

Importing an AV Signature File 1877

Viewing AV Signature Information 1878

Viewing AV Signature Update Information 1878

Examples of Configuring Anti-Virus 1878

Sandbox 1881

Preparation for Configuring Sandbox 1882

Configuring Sandbox 1882

Enabling/Disabling the Cloud Sandbox or the Local Sandbox 1884

Configuring the Local Sandbox 1884

Creating a Sandbox Profile 1885

Enabling White List 1885

Configuring Certificate Verification 1885

Configuring File Filter 1886

Specifying Actions for a Sandbox Profile 1887

Disabling Suspicious File Uploading 1888

Binding a Sandbox Profile to a Policy Rule 1888

Enabling Benign File 1888

Enabling the Greyware File Function 1889

Configuring the File Size Limit 1889

Adding Items to the Trust List 1890

Viewing Sandbox Information 1891

Updating Sandbox Whitelist Database 1891

Configuring a Sandbox Whitelist Update Mode 1892

Configuring an Update Protocol 1892

Configuring an Update Server 1892

Specifying an HTTP Proxy Server 1893

Specifying an Update Schedule 1894

Updating Now 1894

Importing a Sandbox Whitelist File 1895

Viewing Sandbox Whitelist Information 1895

Viewing Sandbox Whitelist Update Information 1895

IPS 1896

IPS Detection and Submission Procedure 1896

Signatures 1896

Updating IPS Signature Database 1897

Specifying the HTTP Proxy Server 1899

IPS Working Modes 1899

Configuring IPS 1900

Configuration Suggestions 1901

Performing IPS Detection on HTTPS Traffic 1902

IPS Commands 1904

action 1904

affected-software 1905

attack-type 1906

banner-protect enable 1906

brute-force 1907

brute-force lookup 1908

bulletin-board 1909

command-injection-check 1910

confidence 1910

cc-url 1911

cc-url-limit 1912

check-weakpassword 1913

custom-password add 1915

custom-password delete 1915

deny-method 1916

disable 1917

disable protocol-anomaly 1917

disable signature 1918

domain 1919

dst-ip 1920

enable 1920

enable 1921

equal-username-check 1922

exec block-ip add 1922

exec block-ip remove 1923

exec block-service add 1924

exec block-service remove 1925

exec ips 1925

external-link 1926

external-link-check 1927

filter-class 1928

ftp-anonymous-login-check 1929

http-request-flood auth 1929

http-request-flood enable 1931

http-request-flood proxy-limit 1931

http-request-flood request-limit 1933

http-request-flood statistics 1934

http-request-flood white-list 1934

http-request-flood x-forward-for 1935

http-request-flood x-real-ip 1936

iframe-check 1937

iframe width 1938

ips buffer-capture enable 1939

ips enable 1939

ips log aggregation 1941

ips log http-proxy-ip 1941

ips mode 1942

ips profile 1943

ips signature 1944

ips sigset 1944

ips suspicious-ua-detection whitelist 1945

ips suspicious-ua-detection user-define 1946

ips whitelist 1947

issue-date 1947

length 1948

max-arg-length 1949

max-bind-length 1950

max-black-list 1952

max-cmd-line-length 1952

max-content-filename-length 1954

max-content-type-length 1955

max-failure 1957

max-input-length 1958

max-path-length 1960

max-reply-line-length 1961

max-request-length 1963

max-rsp-line-length 1964

max-scan-bytes 1966

max-text-line-length 1966

max-uri-length 1968

max-white-list 1969

min-character-type 1970

pcap 1971

protocol-check 1971

protocol 1973

referer-white-list 1974

referer-white-list-check 1974

response-bypass 1975

reverse-shell 1976

reverse-shell action 1977

reverse-shell level 1978

search-class 1979

search-condition 1980

sensitive-file-scan action 1980

sensitive-file-scan enable 1982

sensitive-file-scan warning-value 1982

serial-character-check 1983

severity 1984

signature id 1985

signature-id 1985

sigset 1986

sql-injection 1987

sql-injection-check 1987

src-ip 1989

suspicious-ua-detection 1989

suspicious-ua-detection action 1990

system 1991

vr 1992

web-acl 1992

web-acl-check 1993

web-server 1994

xss-injection 1995

xss-check enable 1996

show ips 1997

Abnormal Behavior Detection 2000

Overview 2000

Configuring Abnormal Behavior Detection 2001

Enabling/Disabling Abnormal Behavior Detection 2001

DNS Mapping 2002

Viewing the Entry of DNS Mapping 2002

Viewing Detection Status of DoS Attacks 2002

Updating Abnormal Behavior Model Database 2002

Configuring an Abnormal Behavior Model Update Mode 2003

Specifying an Automatic Update Period 2003

Updating Now 2003

Importing an Abnormal Behavior Model File 2004

Viewing Abnormal Behavior Model Update Information 2004

Advanced Threat Detection 2005

Overview 2005

Configuring Advanced Threat Detection 2005

Updating Malware Behavior Model Database 2006

Configuring a Malware Behavior Model Update Mode 2006

Specifying an Automatic Update Period 2006

Updating Now 2007

Importing a Malware Behavior Model File 2007

Viewing Malware Behavior Model Update Information 2008

Perimeter Traffic Filtering 2009

Overview 2009

Configuring Perimeter Traffic Filtering 2009

Enabling/Disabling Perimeter Traffic Filtering 2009

Configuring Static IP Blacklist 2010

Configuring Redundancy Check of Static IP Blacklist 2011

Configuring MAC Blacklist 2011

Configuring Blacklist Library 2012

Configuring Dynamic IP Blacklist 2016

Configuring Real IP Blacklist 2017

Configuring Service Blacklist 2018

Enabling Log of Blacklist 2019

Configuring Session Rematch of Blacklist 2019

Viewing the Hit Count Statistics of Blacklist 2019

Clearing the Hit Count Statistics of Blacklist 2019

Viewing the Blacklist Log 2020

Enabling/Disabling IP BlackList TCP Reset 2020

Viewing the Status of IP BlackList TCP Reset 2020

Configuring IP Reputation Filtering 2020

Enabling IP Reputation Filtering 2021

Configuring an IP Reputation Update Mode 2022

Configuring an Update Protocol 2022

Configuring an Update Server 2022

Specifying an HTTP Proxy Server 2023

Specifying an Update Schedule 2023

Importing an IP Reputation File 2024

Viewing IP Reputation Information 2025

Viewing IP Reputation Update Information 2025

Mitigation 2026

Overview 2026

Mitigation Rule 2026

Enabling/Disabling Auto Mitigation 2026

Configuring the Mitigation Rule 2027

Viewing the Status of Auto Mitigation 2027

Updating Mitigation Rule Database 2027

Configuring a Mitigation Rule Update Mode 2028

Specifying an Automatic Update Period 2028

Updating Now 2028

Importing a Mitigation Rule File 2028

Viewing Mitigation Rule Update Information 2029

Correlation Analysis 2030

Updating Correlation Analysis Engine/Rules 2030

Critical Assets 2031

Specifying Critical Asset Name 2031

Specifying Critical Asset IP Address 2032

Specifying Critical Asset Zone 2032

Enabling/Disabling Web Server Advanced Protection 2032

Renaming a Critical Asset 2033

Viewing Critical Asset Object Configurations 2033

Hot Threat Intelligence 2033

Enabling/Disabling Hot Threat Intelligence Pushing 2034

Updating Hot Threat Intelligence Manually 2034

Geolocation Information Database 2035

Overview 2035

Updating Geolocation Information Database 2035

Configuring a Geolocation Information Database Update Mode 2036

Configuring an Update Protocol 2036

Configuring an Update Server 2036

Specifying an HTTP Proxy Server 2037

Specifying an Update Schedule 2037

Updating Now 2038

Importing a Geolocation Information Database File 2038

Viewing Geolocation Information Database Information 2039

Viewing Geolocation Information Database Update Information 2039

Botnet Prevention 2040

Preparing 2040

Configuring Botnet Prevention 2041

Creating a Botnet Prevention Profile 2041

Specifying a Protocol Type 2041

Enabling/Disabling DGA Detection 2042

Enabling/Disabling the DNS Tunnel Detection 2043

Specifying Log Aggregation Type and Aggregation Time 2044

Configuring the DNS Tunnel Log Interval 2045

Address Library Management 2046

Configuring the Custom Block List 2046

Configuring the Custom Exclude List 2047

Viewing Custom Signature Entry 2047

Configuring the Sinkhole IP Address 2049

Binding a Botnet Prevention Profile to a Security Zone 2049

Binding a Botnet Prevention Profile to a Policy Rule 2050

Viewing Botnet Prevention Profile Information 2050

Viewing Botnet Prevention Status 2050

Updating Botnet Prevention Signature Database 2050

Configuring the Botnet Prevention Signature Update Mode 2051

Configuring an Update Protocol 2051

Configuring an Update Server 2052

Specifying an HTTP Proxy Server 2052

Specifying an Update Schedule 2053

Updating Now 2053

Importing a Botnet Prevention Signature File 2054

Viewing Botnet Prevention Signature Information 2054

Viewing Botnet Prevention Signature Update Information 2055

Antispam 2056

Overview 2056

Configuring Antispam 2056

Creating an Antispam Profile 2056

Specifying a Mail Protocol Type 2057

Specifying the Spam Category 2057

Specifying the Whitelist of Sender 2058

User-defined Blacklist Spam 2058

Enabling/Disabling User-defined Blacklist 2059

Adding/Deleting User-defined Blacklist 2059

Binding an Antispam Profile to a Security Zone 2059

Binding an Antispam Profile to a Policy Rule 2060

Configuring the Mail Scan Maximum Limit 2060

Viewing Antispam Profile Information 2060

Viewing the Antispam Status Information 2061

Viewing the Global Configuration 2061

End Point Protection 2062

Configuring the End Point Protection 2063

Preparation for Configuring End Point Protection 2063

Configuring End Point Protection 2063

Configuring Endpoint Security Control Center Parameters 2063

Specifying the Name of the Endpoint Security Control Center Server 2063

Specifying the Address of the Endpoint Security Control Center Server 2064

Specifying the Port of the Endpoint Security Control Center Server 2064

Specifying the Synchronization Period 2065

Enabling/Disabling the Timeout Entry 2065

Creating an End Point Protection Profile 2065

Specifying the Protection Action 2066

Specifying the Exception Address 2067

Binding an End Point Protection Profile to a Security Zone 2067

Binding an End Point Protection Profile to a Policy Rule 2068

Manually Synchronizing the Endpoint Data Information 2068

Viewing End Point Protection Profile Information 2068

Viewing the End Point Status 2068

Viewing the End Point Information Synchronization Status 2068

Viewing the Endpoint Security Control Center Information 2069

IoT 2070

Configuring IoT 2070

Preparations 2070

Configuring IoT 2070

Configuring Admittance List 2071

Creating Admittance List 2072

Configuring the IP/MAC Admittance List 2072

Configuring the IP Admittance List 2073

Specifying IP 2073

Specifying IP Range 2074

Configuring the MAC Admittance List 2075

Importing Admittance List 2075

Configuring the IoT Monitor Profile 2076

Creating IoT Monitor Profile 2076

Binding Admittance List to the IoT Monitor Profile 2077

Enabling/Disabling the End-point Identification 2077

Enabling/Disabling the End-point Behavior Monitor 2078

Binding the IoT Monitor Profile to Zone 2078

Deleting IoT Monitor List Entry 2079

Modifying IoT Monitor List Entry 2080

Viewing Admittance List Information 2080

Viewing IoT Monitor Profile Information 2081

Viewing the IoT Monitor List Information 2081

Viewing IoT Monitor List Statistics 2082

Chapter 13 Data Security & URL Filtering 2083

Data Security 2084

Overview 2084

Introduction to Data Security 2084

Content Filter 2087

File Content Filter 2087

Configuring File Content Filter via CLI 2087

Creating a File Content Filter Profile 2088

Specifying the File Type 2088

Specifying the Keyword Category and Action 2089

Specifying the Protocol Type and Direction 2089

Binding the File Content Filter Profile to a Policy Rule 2090

Binding the File Content Filter Profile to a Security Zone 2090

Viewing File Content Filter Profile Information 2091

Web Content 2091

Configuring Web Content via CLI 2091

Creating a Web Content Profile 2091

Specifying the Keyword Category and Action 2092

Specifying the Control Range 2092

Excluding HTML Tags 2093

Binding the Web Content Profile to a Policy Rule 2093

Binding the Web Content Profile to a Security Zone 2094

Viewing Web Content Profile Information 2094

Web Posting 2094

Configuring Web Posting via CLI 2094

Creating a Web Posting Profile 2095

Specifying the Control Type and Action of Web Posting 2095

Specifying the Control Range 2096

Binding the Web Posting Profile to a Policy Rule 2096

Binding the Web Posting Profile to a Security Zone 2097

Viewing Web Posting Profile Information 2097

Email Filter 2098

Configuring Email Filter via CLI 2098

Creating a Mail Filter Profile 2098

Specifying the Control Type 2099

Controlling All the Emails and Specifying the Action 2099

Specifying the Sender/Recipient and Action 2099

Specifying the Keyword Category and Action 2100

Specifying the Control Type 2100

Specifying the Action for Other Emails 2101

Specifying the Account Exception 2101

Binding the Email Filter Profile to a Policy Rule 2101

Binding the Email Filter Profile to a Security Zone 2102

Viewing Email Filter Profile Information 2102

APP Behavior Control 2103

Configuring APP Behavior Control via CLI 2103

Creating an APP Behavior Control Profile 2103

Controlling FTP Application 2104

Controlling HTTP Application 2105

Controlling TELNET Application 2105

Binding the APP Behavior Control Profile to a Policy Rule 2106

Binding the APP Behavior Control Profile to a Security Zone 2106

Viewing APP Behavior Control Profile Information 2107

File Filter 2108

Configuring File Filtering 2108

Creating a File Filter Profile 2109

Creating a File Filter Rule 2109

Specifying the File Size 2110

Specifying the File Name 2110

Configuring the Description 2110

Specifying the Protocol 2111

Specifying the File Type 2111

Specifying the Action 2112

Binding the File Filter Profile to a Policy Rule 2112

Viewing File Filter Profile 2113

Configuring Decompression Control Function 2113

Enabling/Disabling Decompression Function 2113

Specifying the Maximum Decompression Layer 2114

Specifying an Action for Encrypted Compressed Files 2114

Viewing Decompression Control Configuration Information 2114

Network Behavior Record 2116

Configuring Network Behavior Recording via CLI 2116

Creating a Network Behavior Record Profile 2116

IM Audit 2117

Configuring Timeout Value 2117

Recording Web Surfing Log 2118

Binding the NBR Profile to a Policy Rule 2118

Binding the NBR Profile to a Security Zone 2119

Viewing NBR Profile Information 2119

Log Management 2120

Log Severity and Format 2120

Output Destinations 2120

Configuring Log 2120

Data Security Configuration Examples 2122

Example 1: URL Filter Configuration 2123

Preparations 2123

Configuration Steps on CLI 2123

Example 2: Web Content Configuration 2125

Preparations 2125

Configuration Steps on CLI 2125

Example 3: Web Posting Configuration 2127

Preparations 2127

Configuration Steps on CLI 2127

Example 4: Email Filter Configuration 2128

Configuration Steps on CLI 2128

Example 5: Network Behavior Record Configuration 2129

Configuration Steps on CLI 2129

Object Configuration 2133

Predefined URL Database 2133

Updating the Predefined URL Database 2133

Specifying an HTTP Proxy Server 2135

User-defined URL Database 2136

URL Lookup 2137

Configuring a URL Inquiry Server 2137

Keyword Category 2138

Keyword Matching Rules 2139

Warning Page 2140

Configuring Block Warning 2140

Configuring Audit Warning 2142

Bypass Domain 2144

User Exception 2144

First Access of Uncategorized URL 2145

Specifying the Waiting Time of Query 2145

Enabling/Disabling the Block Action after Waiting Timeout 2146

Viewing Configurations of First Access of Uncategorized URL 2146

URL Filtering 2147

Configuring URL Filter via CLI 2147

Creating a URL Filter Profile 2147

Specifying the URL Category and Action 2148

Inspecting SSL Negotiation Packets 2148

Specifying the URL Keyword and Action 2149

Enabling Safe Search 2149

Binding the URL Filtering Profile to a Security Zone 2150

Binding the URL Filtering Profile to a Policy Rule 2151

Viewing URL Filtering Profile Information 2153

URL Blacklist/Whitelist 2153

Configuring the URL Blacklist 2154

Configuring the URL Whitelist 2155

Viewing the URL Blacklist Information 2155

Viewing URL Whitelist Information 2155

SSL Proxy 2156

Work Mode 2156

Working as Gateway of Web Clients 2158

Configuring SSL Proxy Parameters 2158

Specifying the PKI Trust Domain of Device Certificate 2159

Obtaining the CN Value 2159

Importing a Device Certificate to a Web Browser 2160

Configuring an SSL Proxy Profile 2161

Configuring the Session Reuse Function 2162

Choosing a Work Mode 2165

Specifying an Application to be Proxied by the SSL Proxy Function 2166

Setting the URL Whitelist 2166

Enabling the Root Certificate Push 2167

Configuring the Actions to the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS Traffic 2168

Checking the SSL Protocol Version 2168

Checking the Unkown Failure 2169

Checking the Encryption Algorithm 2170

Checking Whether the SSL Server Certificate is Overdue 2170

Checking Whether the SSL Server Verifies the Client Certificate 2171

Configuring an Action When Server Certificate Verification Fails 2171

Configuring the Description 2172

Prioritizing the Low-intensity Encryption Algorithm 2172

Updating the Trusted Root Certificate Database 2173

Configuring the Update Mode of the Trusted Root Certificate Database 2173

Updating Trusted Root Certificate Database 2174

Importing a Trusted Root Certificate Database File 2174

Viewing Update Information of the Trusted Root Certificate Database 2175

Viewing Information of the Trusted Root Certificate Database 2175

Working as Gateway of Web Servers 2175

Configuring an SSL Proxy Profile 2176

Configuring the Session Reuse Function 2176

Choosing a Work Mode 2180

Specifying Trust Domain 2180

Specifying HTTP Port Number 2181

Enable Warning Page 2181

Configuring the Description 2181

Binding the SSL Proxy Profile to a Policy Rule 2182

Configuring the SSL Proxy Filter Rule 2182

Adding the SSL Proxy Filter Rule 2182

Deleting the SSL Proxy Filter Rule 2183

Viewing the SSL Proxy Filter Rule Information 2183

Configuring Asynchronous Acceleration 2183

Configuring Domain White List 2184

Configuring a User-defined Domain White List 2184

Configuring the IP Whitelist 2185

Configuring the Static IP Whitelist 2185

Configuring the Validity Time of Dynamic IP Whitelist 2185

Clearing the IP Whitelist 2186

Viewing SSL Proxy Information 2186

Chapter 14 Monitor 2188

Monitor 2189

Overview 2189

User Monitor 2190

Configuring Monitor Address Book 2190

Viewing Address Book Statistical Information 2190

Configuring Subnet Monitor Address Book 2191

Viewing Subnet Monitor Address Entry Information 2191

Viewing the Stat-set for User Monitor 2191

Application Monitor 2192

Configuring Monitor Application Group 2193

Viewing Application-based Statistical Information 2193

Viewing the Stat-set for Application Monitor 2194

Threat Monitor 2195

Viewing the Stat-set for Threat Monitor 2195

QoS Monitor 2195

Service/Network Node Monitor(For T Series) 2195

host…type dns 2195

host…type ftp 2196

host…type http 2198

host…type icmp 2199

host…type imap4 2200

host…type ldap 2201

host…type pop3 2202

host…type smtp 2203

host…type {tcp | udp} 2204

show monitor host config 2206

show monitor host status 2206

Device Monitor 2207

Viewing Interface-based Statistical Information 2207

Viewing the Stat-set for Device Monitor 2207

Viewing the Information of Hard Disk Module 2208

Viewing the Utilization of Virtual Hard Disk of CloudEdge Devices 2208

Viewing Memory Usage 2209

URL Hit 2209

Link State Monitor 2210

Enabling/Disabling Link User Experience Monitor 2210

Enabling/Disabling Application Switch for Interface 2211

Specify the Description of Interface 2211

Viewing Link Configuration Information 2211

Viewing Statistics Information of Link User Experience 2211

Configuring the Link Detection Destination 2212

Viewing Link Detection Monitor Configuration Information 2213

Application Block 2214

Keyword Block 2214

Authentication User 2215

show auth-user 2215

show auth-user groupname 2216

show dp-auth-user 2216

show pseudo-group 2217

show auth-user agent 2217

show auth-user dot1x 2218

show auth-user interface 2219

show auth-user ip 2219

show auth-user l2tp 2220

show auth-user mac 2220

show auth-user radius-snooping 2221

show auth-user static 2222

show auth-user scvpn 2222

show auth-user endpoint-tag 2223

show auth-user ztna 2224

show auth-user ad-scripting 2224

show auth-user ad-polling 2225

show auth-user sso-radius 2226

show auth-user sso-monitor 2226

show auth-user webauth-ntlm 2227

show auth-user xauth 2227

show auth-user webauth 2228

show auth-user vrouter 2229

User-defined Monitor 2229

Creating a Stat-set 2230

Configuring the Type of Statistical Data 2230

Configuring a Data Grouping Method 2231

Configuring a Filter 2243

Enabling/Disabling Stat-set 2246

Viewing Stat-set Information 2246

Diagnostic Center 2247

Always Collecting 5-Tuple Statistics of Packet Loss 2248

Configuring a Packet Loss Threshold 2248

Configuring a Packet Loss Growth Rate Threshold 2249

Long-term Monitor 2249

Enabling/disabling Long-term Monitor 2250

Alarm 2251

Overview 2251

Alarm Commands 2251

action 2251

alarm 2252

alarm-expiration-time 2252

alarm-receiver 2253

alarm-rule (application) 2254

alarm-rule (network) 2255

alarm-rule (resource) 2256

alarm-rule (service) 2257

app-name 2258

disable 2258

enable 2259

level 2260

receiver 2260

schedule 2261

warning 2261

resource bandwidth 2263

resource concurrent-sessions 2264

resource cpu 2265

resource memory 2266

resource rampup 2266

resource storage 2267

resource temperature 2268

show alarm-rule 2268

show alarm-receiver 2269

show alarm-expiration-time 2270

Logs 2271

Overview 2271

Log Severity 2272

Log Output 2273

Log Format 2274

Configuring System Logs 2274

Enabling/Disabling the Log Function 2275

Sending and Filtering Event Logs 2275

Configuring a Mobile Phone Number 2277

Sending Threat Logs 2278

Sending Configuration/Operation/Debug/Network Logs 2280

Sending Debug Logs to a File 2282

Configuring the Conditions of Using the Debug Function 2283

Sending Traffic Logs 2284

Sending Data Security Logs 2284

Sending Cloudsandbox logs 2286

Sending EPP logs 2286

Sending IoT Logs 2287

Configuring the Output Log Format 2288

Optimizing the Function of Exporting Session Logs and NAT Logs to the Local Disk 2289

Binding the Log Processing Process and Database Storage Process to Core MAX 2289

Configuring the Speed at Which Logs are Sent to Log Processing Process 2290

Configuring a Syslog Server 2291

Specify the Sending Sourceport Number 2293

Specifying a Facility 2294

Displaying Hostname/Username in the Traffic Logs 2294

Displaying Username in the Threat Logs 2295

Sending Logs to an Email Account 2295

Configuring an Email Address 2295

Configuring a SMTP Server Instance 2296

Configuring PBR Log Function 2297

Enabling PBR Log Function 2297

Sending PBR Logs 2298

Displaying Hostname/Username in PBR Logs 2298

Viewing PBR Logs 2299

Configuring Log Parameter 2299

Disabling the Log Generation 2299

Configuring Log Level 2299

Enabling/Disabling the Record User Information Function for Threat Log 2300

Viewing Log Entries for Configuring Log Parameters 2300

Viewing Log Configurations 2300

Viewing Logs 2301

Exporting Logs 2302

Clearing Logs 2303

Sending Traffic Logs to Syslog Servers 2304

Example of Configuring Logs 2305

Example 1: Sending Event Logs to the Console 2305

Example 2: Sending Event Logs to the Syslog Server 2306

Example 3: Sending Traffic Logs to a Local File 2306

Diagnostic Tool 2307

Introduction 2307

Commands 2308

Packet Capture Commands 2308

Configuring Packet Capture Task 2308

packet-capture task 2308

interface 2309

direction 2309

task-info 2310

filter-rule 2311

exec packet-capture 2312

export packet-capture-file 2313

clear packet-capture task 2314

Packet Capture Global Configuration 2315

packet-capture save-mem 2315

packet-capture save-time 2316

Show Commands 2316

show packet-capture status 2316

show packet-capture task 2317

Packet Path Detection Commands 2318

Emulation Packet 2318

troubleshooting packet-trace emulation-template 2318

exec troubleshooting packet-trace emulation-template 2319

exec troubleshooting packet-trace stop 2320

export troubleshooting packet-trace emulation-template 2320

Online Packet 2321

troubleshooting packet-trace filter 2321

exec troubleshooting packet-trace filter 2322

exec troubleshooting packet-trace stop 2323

export troubleshooting packet-trace packet-capture-file 2323

Imported Packet 2324

import troubleshooting packet-trace 2324

troubleshooting packet-trace filter 2325

exec troubleshooting packet-trace filter 2326

exec troubleshooting packet-trace stop 2327

NetFlow 2328

Overview 2328

Configuring NetFlow 2328

Enabling NetFlow 2328

Creating a NetFlow Profile 2328

Configuring the Template Refresh Rate 2329

Configuring the Active Timeout Value 2329

Configuring the NetFlow Server 2330

Containing the Enterprise Field 2330

Specifying the Source Interface 2330

Binding a NetFlow Profile to an Interface 2331

Viewing NetFlow Information 2331

About This Guide
This document follows the conventions below:

Content
• Tip: provides reference information.

• Note: indicates important instructions that help you understand a feature, or cautions
about possible system failure.

• Bold font: indicates links, tags, buttons, checkboxes, text boxes, or options. For example,
“Click Login to log into the homepage of the Hillstone device”, or “Select Objects >
Address Book from the menu bar”.

CLI
• Braces ({ }): indicate a required element.

• Square brackets ([ ]): indicate an optional element.

• Vertical bar (|): separates multiple mutually exclusive options.

• Bold: indicates an essential keyword in the command. You must enter this part correctly.

• Italic: indicates a user-specified parameter.

• The command examples may vary between platforms.

• In the command examples, the hostname in the prompt is referred to as host-name.

• All configuration values are in UTF-8 encoding unless otherwise indicated.

About This Guide 1


WebUI
When clicking objects (menu, sub-menu, button, link, etc.) on WebUI, the objects are separated
by an angled bracket (>).

Command Line Interface

Overview
A command line interface (CLI) is a mechanism for you to interact with the operating system by
typing commands which instruct the device to perform specific tasks. This chapter describes how
to use StoneOS command line interface.

Notes: Command keywords are not case sensitive, but user-specified parameter values are.

CLI Modes and Prompts


StoneOS CLI commands and statements are organized under various hierarchical modes. Some of
the CLI commands can work only under a particular mode, which can prevent accidental mis-
operations. For example, configuration commands can only be used in configuration modes.
StoneOS uses different prompts to indicate modes.

Execution Mode

When you log in to the StoneOS CLI, you are in the execution mode. The execution mode prompt
is a pound sign (#):
hostname#

Global Configuration Mode

Commands in the global configuration mode are used to change device settings. To enter the
global configuration mode, in the execution mode, use the command configure. The global
configuration mode prompt is shown as follows:
hostname(config)#

Sub-module Configuration Mode

StoneOS has various functional modules. Some CLI commands only work in their corresponding
sub-module configuration modes. To enter a sub-module configuration mode, in the global con-
figuration mode, type a certain command. For example, to enter interface ethernet0/0 con-
figuration mode, type interface ethernet0/0, and its command prompt is shown as follows:
hostname(config-if-eth0/0)#

Switching between CLI Modes

When you log in to the StoneOS CLI, you are in the execution mode. To switch to another CLI
mode, type the command given in the table below.

Mode                                                Command
From execution mode to global configuration mode    configure
From global configuration mode to sub-module        The command varies with the sub-module
configuration mode                                  configuration mode you want to enter
Return to the next higher level                     exit
From any mode to execution mode                     end

CLI Error Message


The StoneOS CLI checks the command syntax; only a syntactically correct command is executed.
For incorrect syntax, StoneOS shows an error message. The following table lists the messages
for common command errors:

Message                  Description
Unrecognized command     StoneOS is unable to find the command or keyword, the parameter
                         type is incorrect, or the input value exceeds its defined value
                         range
Incomplete command       The user input is incomplete
Ambiguous command        The user input matches more than one command keyword

Command Input
To simplify input, you can use the short form of CLI commands. In addition, the StoneOS CLI
can list the available command keywords and complete partial commands.

Command Short Form

You can type only the first few characters of a keyword, as long as they identify it uniquely,
to shorten your typing. Most commands have a short form. For example, you can use sho int
instead of show interface to check the interface information, and conf instead of the complete
command configure to enter the configuration mode.

Listing Available Commands

When you type a question mark (?), the system completes the unfinished command or lists the
available commands.

• If you type a question mark (?) immediately after a partial keyword, the system lists the
commands (with a short description) that begin with the letters you have typed.

• If you type a question mark (?) at any level, the system displays a list of the commands
available at that level along with a short description of each command.

Completing Partial Commands

Command completion for command keywords is available at each level of the hierarchy. To com-
plete a command that you have partially typed, press the Tab key. If the partially typed letters
begin a string that uniquely identifies a command, pressing the Tab key completes the command;
otherwise, it gives a list of command suggestions. For example, type conf in the execution mode
and press Tab; the command configure appears.

Using CLI
This topic describes how to view previously typed commands and how to use CLI shortcut keys.

Previous Commands

The StoneOS CLI records the latest 64 commands. To scroll backward through the list of recently
executed commands, press the Up arrow key or Ctrl-P; to scroll forward, press the Down arrow
key or Ctrl-N. You can execute or edit the command text displayed at the prompt.

Shortcut Keys

StoneOS CLI supports shortcut keys to save time when entering commands and statements. The
following table gives the supported shortcut keys and their functions.

Shortcut Key      Action
Ctrl-A            Moves the cursor to the beginning of the command line.
Ctrl-B            Moves the cursor back one character.
Ctrl-D            Deletes the character at the cursor.
Ctrl-E            Moves the cursor to the end of the command line.
Ctrl-F            Moves the cursor forward one character.
Ctrl-H            Deletes the character before the cursor.
Ctrl-K            Deletes all characters from the cursor to the end of the command line.
Ctrl-N            Scrolls forward through the list of recently executed commands.
Ctrl-P            Scrolls backward through the list of recently executed commands.
Ctrl-T            Swaps the character at the cursor with the one before it.
Ctrl-U            Deletes all characters on the command line.
Ctrl-W            Deletes all characters before the cursor.
META-B            Moves the cursor to the beginning of the word.
META-D            Deletes the word after the cursor.
META-F            Moves the cursor to the end of the word.
META-Backspace    Deletes the word before the cursor.
META-Ctrl-H       Deletes the word before the cursor.

Tip: On a keyboard without a META key, press Esc first and then press the letter. For example,
to use the shortcut key META-B, press Esc and then press B.

Filtering Output of Show Commands


In StoneOS CLI, the show commands display device configuration information. You can filter
command output according to filter conditions separated by the pipe symbol (|). The filter con-
ditions include:

l include {filter-condition}: Shows results that only match the filter condition. The filter con-
dition is case sensitive.

l exclude {filter-condition}: Shows results that do not match the filter condition. The filter con-
dition is case sensitive.

6 About This Guide


l begin {filter-condition}: Shows results that match the filter condition from the first one. The
filter condition is case sensitive.

CLI output filter syntax is shown as follows:


hostname# show command | {include | exclude | begin} {filter-condition}
In this syntax, the first pipe symbol (|) is part of the command, while other pipe symbols just sep-
arate keywords, so they should not appear in the command line.
The filter conditions comply with the format of regular expression. The table below shows some
common regular expressions and their meanings.

Regular Expression Meaning

. (period) Represents any character.

* (star) Indicates that there is zero or more of the preceding ele-


ment.

+ (plus) Indicates that there is one or more of the preceding ele-


ment.

^ (caret) Used at the beginning of an expression, denotes where a


match should begin.

$ (dollar) Used at the end of an expression, denotes that a term


must be matched exactly up to the point of the $ char-
acter.

[] (square bracket) Matches a single character that is contained within the


brackets.

- (hyphen) Separates the start and the end of a range.
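The three filters above, as an added example that is not part of the StoneOS guide: a POSIX shell script that applies include, exclude and begin with grep and awk to a constructed copy of show interface output, so that a filter condition can be tried offline before it is typed on the device. It demonstrates the two points that matter in practice: the condition is a case-sensitive extended regular expression, and begin prints from the first matching line to the end of the output. The sample output, interface names, zones and addresses are made up for the example and are not taken from any device.

```shell
#!/bin/sh
# Added example, not from the StoneOS guide: the three output filters of
#   show <command> | {include | exclude | begin} <filter-condition>
# reproduced with grep and awk over a saved copy of show output, so that a
# filter condition can be tested offline before it is typed on the device.
# Semantics demonstrated: the condition is a case-sensitive extended regular
# expression, and "begin" prints from the first matching line to the end.

# Constructed sample of what "show interface" might print. Interface names,
# zones, states and addresses are made up for this example.
SAMPLE='Interface        IP address/mask      Zone      Status
ethernet0/0      192.168.1.1/24       trust     Up
ethernet0/1      10.0.0.1/24          untrust   Up
ethernet0/2      0.0.0.0/0            NULL      Down
tunnel1          172.16.0.1/30        vpn       Up
loopback1        127.0.0.1/32         NULL      Up'

# cli_filter MODE REGEX: reads the output on stdin, writes the filtered lines.
cli_filter() {
  case "$1" in
    include) grep -E -- "$2" ;;       # keep only the lines that match
    exclude) grep -E -v -- "$2" ;;    # drop the lines that match
    # begin: once a line matches, print it and everything after it. awk is
    # used instead of sed so that a "/" in the pattern (ethernet0/2) is safe.
    begin)   awk -v re="$2" '!p && $0 ~ re { p = 1 } p' ;;
    *)       echo "usage: cli_filter include|exclude|begin REGEX" >&2; return 2 ;;
  esac
}

# count_lines MODE REGEX: number of lines of SAMPLE that the filter lets through.
count_lines() {
  printf '%s\n' "$SAMPLE" | cli_filter "$1" "$2" | wc -l | tr -d ' '
}

# Demonstration when run directly.
printf '%s\n' "$SAMPLE" | cli_filter include '^ethernet'
echo '---'
printf '%s\n' "$SAMPLE" | cli_filter exclude 'Down$'
echo '---'
printf '%s\n' "$SAMPLE" | cli_filter begin 'ethernet0/2'
```

Note that include 'up$' matches nothing in the sample while include 'Up$' matches four lines: that is the case sensitivity the guide warns about, and the usual reason a filter that "should" match returns an empty result on the device.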

CLI Page Display


The output of a command may be longer than one page. When the output exceeds one page, the
CLI shows -- More -- at the bottom of the page to indicate that there is more output. At that
prompt you can:

• view the next line: press Enter;

• stop the output: press the Q key;

• view the next page: press any key other than Enter and Q.

Specifying Screen Size


You can specify the width and length of the CLI output screen, which determines how much
output is displayed before -- More -- appears. The default screen length is 25 lines and the
default width is 200 characters.
To change the size of the output screen, use the following commands:

• Width: terminal width character-number

character-number – Specifies the number of characters per line. The value range is 64 to 512.

• Length: terminal length line-number

line-number – Specifies the number of lines per page. The CLI displays one line fewer than the
value specified here, except that a value of 1 shows one line. The value range is 0 to 256.
Setting the length to 0 disables paging, so all output is displayed without page breaks.

These settings apply only to the current connection and are not saved to the configuration
file of the device. If you close the terminal and log in again, the screen width and length are
restored to their default values.

Specifying Connection Timeout


The connection timeout value is the maximum time that a session (over Console, SSH or Telnet)
can be idle before the user is logged out.
To set the timeout value, in the global configuration mode, use the following commands:
console timeout timeout-value

• timeout-value – Specifies the idle timeout for Console sessions. The range is 0 to 60
minutes; 0 means the session never times out. The default value is 10. A console session that
never times out stays logged in for as long as the cable is connected, so keep a finite
timeout unless physical access to the Console port is controlled.

To restore the default value, in the global configuration mode, use the command no console
timeout.
ssh timeout timeout-value

• timeout-value – Specifies the idle timeout for SSH sessions. The range is 1 to 60 minutes.
The default value is 10.

To restore the default value, in the global configuration mode, use the command no ssh
timeout.
telnet timeout timeout-value

• timeout-value – Specifies the idle timeout for Telnet sessions. The range is 1 to 60
minutes. The default value is 10.

To restore the default value, in the global configuration mode, use the command no telnet
timeout.

Redirecting the Output of Show Commands


StoneOS allows you to redirect the output of show commands to other destinations, including
an FTP server and a TFTP server.
To redirect the output of a show command, use the following command:
show command | redirect dst-address
The destination address (dst-address) can be in one of the following formats:

• FTP – ftp://[username:password@]x.x.x.x[:port]/filename

• TFTP – tftp://x.x.x.x/filename

Both FTP and TFTP transfer the output, and the FTP username and password, in cleartext, and
a password typed into the command also stays in the session's command history. Use a
dedicated account and a management network for such transfers.

Diagnostic Commands
You can use ping to determine if a remote network is reachable, or use traceroute to trace the
route to a network device.

Viewing Device Processes


You can view device process information, including the CPU usage, running time, status, memory
usage, and IPC queue length of each process.
To view the information, in any mode, use the following command:
show process
Example:

hostname(config)# show process

Tasks: 84 total, 11 running, 73 sleeping, 0 stopped

Pid   Process    State  Priority  Cpu(%)  Memory(%)  Runtime   Fdnum  ipcRecvqlen
1674  chassisd   R      18        0.6     0.4        0:05.95   13     0
4491  d-plane    R      0         0.2     0.5        89:30.09  8      0
1639  monitord   S      0         0.0     0.4        0:16.23   10     0
1675  licensed   S      20        0.0     0.7        0:10.05   9      0

The columns are the process ID, process name, state, priority, CPU usage, memory usage,
running time, number of open files, and IPC receive queue length. In the State column, R
indicates that the process is running and S indicates that it is sleeping. ipcRecvqlen is the
number of messages pending for the process; 0 indicates that the process currently has no
pending messages.

Chapter 1 Firewall
This chapter introduces the following topics:

• Configuration Environment describes how to access a device via the Console port, Telnet,
SSH and WebUI.

• Application Mode describes three application modes: transparent mode, mix mode, and
routing mode.

• Deployment Mode describes three deployment modes: inline mode, bypass mode, and mix
mode.

• StoneOS Architecture describes the basic components of StoneOS: interface, zone, VSwitch,
VRouter, policy rule, and VPN.

• Zone describes zones. Zones divide the network into multiple segments, for example, trust
and untrust. You apply policy rules to zones so that the device controls the traffic passing
between them.

• Interface describes interfaces. Interfaces connect devices and transmit data.

• Address describes the address book. The address book contains address entries that can be
referenced by multiple modules, such as policy rules, NAT rules, QoS, and session limit rules.

• Service and Application describes the service book and the application book. Services and
service groups are stored in and managed by the service book; applications and application
groups are stored in and managed by the application book.

• DNS describes the Domain Name System. It allows a TCP/IP network to look up Internet
domain names (e.g., www.xxxx.com) and translate them into IP addresses (e.g., 10.1.1.1) to
locate computers and services.

Chapter 1 Firewall 1
• DDNS describes Dynamic DNS. It maps a fixed domain name to a dynamically assigned IP
address.

• DHCP describes the Dynamic Host Configuration Protocol. It allocates IP addresses and
related network parameters to hosts on a subnet.

• PPPoE describes the Point-to-Point Protocol over Ethernet. It combines PPP with Ethernet to
implement access control, authentication and accounting for clients during IP address
allocation.

• NAT describes Network Address Translation, the translation of IP addresses in the IP packet
header. When IP packets pass through a firewall or router, the device translates the source IP
address and/or the destination IP address in the packets.

• Application Layer Identification and Control describes the Application Layer Gateway
(ALG). It keeps data transmission working for applications that use multiple channels, and
keeps VoIP applications working in the strictest NAT mode.

• VLAN describes Virtual LANs. A physical LAN can be divided into multiple broadcast
domains.

• Super-VLAN describes VLAN aggregation. It allows network devices that belong to different
VLANs in one physical switching network to be allocated to one IPv4 subnet and share one
default gateway, thus optimizing IP address allocation.

• RSTP describes the Rapid Spanning Tree Protocol. It blocks redundant links to avoid
broadcast storms.

• Wireless Access Mode describes the wireless access modes, WLAN and 3G, which you can use
to access the network.

Configuration Environment

Overview
When the device has been properly installed, you need to set up an initial configuration
environment before enabling the device to forward traffic. Use one of the following methods to
set up the configuration environment:

• Accessing a Device via Console Port

• Accessing a Device over Telnet

• Accessing a Device over SSH

• Accessing a Device via WebUI

Accessing a Device via Console Port


To connect directly to a device with a cable inserted into the Console port, take the following
steps:

1. Take a standard RS-232 cable. Connect one end of the cable to a computer's serial port,
and the other end to the device's console port (labeled CON), as shown below:

2. On the PC, start a terminal emulation program (for example, HyperTerminal) with the
following parameters:

Parameter      Value
Baud           9600 bit/s
               Note: For the A series, the K series (except K2680 and K2380), and the X8180,
               the default value is 115200 bit/s.
Data           8
Parity         None
Stop           1
Flow Control   None

3. Power on the device and StoneOS starts up. Type the default login name (hillstone) and
password (hillstone), and press Enter. Follow the prompts to change the default password, and
then log in again with the new password.

4. You can now use the command line to configure the device and view its status. Type a
question mark (?) for help.

Accessing a Device via Telnet


If you want to use Telnet to connect to a device, make sure the following conditions have been
established in advance:

• An IP address has been assigned to the access interface and the Telnet service has been
enabled on it. (To enable Telnet on an interface, in the interface configuration mode, use the
command manage telnet. When the Telnet service is enabled, the system prompts that the
protocol is not secure: Telnet sends the username, the password and every command in
cleartext.)

• There is a correct route between the computer and the device.

To access a device over Telnet, take the following steps:

1. Take a standard Ethernet cable. Connect one end of the cable to a PC, and put the other end
into a device’s Ethernet port (or into a hub or switch), as shown below:

2. In the StoneOS command line interface, type the manage telnet command in the interface
configuration mode to enable Telnet on that interface. (For more information about how to
configure an interface, see Configuring an Interface Protocol.)

3. Run a Telnet client program on your computer.

4. Type telnet and the IP address. If the connection is established, the Telnet window shows
“login”. Type the default login name (hillstone) and password (hillstone), and press Enter.
Follow the prompts to change the default password, and then log in again with the new
password.

5. You can now use the command line to configure the device and view its status. For help,
type a question mark (?).

Notes: If you use Telnet to configure the device, do not change the IP address used for the
Telnet connection. Otherwise, you lose access to the device over Telnet.

Accessing a Device over SSH


Secure Shell (SSH) uses encryption to provide confidentiality and integrity for data in an
insecure network environment. A Hillstone device allows multiple SSH connections to work
simultaneously.
To access a device over SSH, take the following steps:

1. Take a standard Ethernet cable. Connect one end of the cable to a PC, and put the other end
into a device’s Ethernet port (or into a hub or switch).

2. In the StoneOS command line interface, type the command manage ssh in the interface con-
figuration mode to enable SSH service on that interface. (For more information about how
to configure an interface, see Configuring an Interface Protocol).

3. Run an SSH client on your computer. You need to configure some SSH parameters, including
the IP address of the device, the SSH version and the RSA key.

4. If the connection is established, a login: prompt appears. Enter the default administrator
username “hillstone” and press Enter. At the password prompt, enter the default password
“hillstone” and press Enter to log in.

5. You can use command line to configure the device and view its status. For help inform-
ation, type a question mark (?).

Accessing a Device via WebUI


The Web User Interface (WebUI) provides a more direct and effective way to interact with the
device and view its responses.
Interface ethernet0/0, with the default IP address 192.168.1.1/24, has its SSH, PING, SNMP
and HTTPS services enabled. On a new Hillstone device, you can reach the WebUI after the
following steps:

1. Assign your PC an IP address on the same subnet as 192.168.1.1/24. Use an Ethernet cable
to connect your PC to the ethernet0/0 port.

2. On the PC, launch a Web browser and visit the address https://192.168.1.1. The login
page is shown below.

3. On the login page, type the default username and password: hillstone/hillstone.

4. On first login, you must read and accept the EULA (end-user license agreement); click
EULA to view its details.

5. Click Login, follow the prompts to change the default password, and then log in again with
the new password.

Now you can view or configure the device as needed.

Logging in by Using Certificate Authentication

To improve security, you can log in to the device using the certificate authentication function
of the client. The client presents its digital certificate together with the secondary CA
certificate that was signed by the root CA. Certificate authentication is a form of two-factor
authentication: in addition to the username and password, the user must present another
factor, such as a certificate or a fingerprint. After this authentication method is enabled,
when you log in to the device over HTTPS you first select the certificate and then enter the
password.

Notes:
• The digital certificate of the client chains to the root CA.

• The secondary CA certificate is signed by, and therefore trusted by, the root CA, so that
the system can authenticate the user.

To enable this authentication method, configure both the device side and the client side.

Configuring the Device Side

To enable certificate authentication of the client, take the following steps:

1. Enable certificate authentication of the client:

In the global configuration mode, execute the https client-auth enable command.

2. Configure the PKI trust domain and import the CA root certificate:

a. In the global configuration mode, execute the pki trust-domain trust-domain-name
command to create a new PKI trust domain.

b. In the execution mode, execute the import pki trust-domain-name cacert from {ftp
server ip-address [user user-name password password] | tftp server ip-address |
usb0 | usb1} file-name command to import the CA root certificate into the PKI trust
domain from FTP, TFTP or a USB storage device. FTP and TFTP provide no integrity
protection, so compare the fingerprint of the imported root certificate with the one
published by your CA before relying on it.

c. In the global configuration mode, execute the https client-auth trust-domain trust-
domain-name command to specify the trust domain used for certificate authentication.
The system verifies the CA signature on the client's certificate against the CA root
certificate stored in this PKI trust domain. The trust domain is the one you created in
the previous steps.

3. If needed, configure the CN Check function. When it is enabled, the system checks the CN
field of the client certificate when the user logs in to the device; only if the CN field of
the client certificate matches the username can the user log in.
In the global configuration mode, execute the https client-auth match cn command. This
function is enabled by default.

Configuring the Client Side

You may import one or two certificates into your client's Web browser or USB Key. If you have
imported two certificates, choose one when selecting the certificate. After configuring the device
side, you need to configure the client side. The steps below use the certificates in the client Web
browser for authentication as an example:

1. Import the digital certificate to the client Web browser.

a. In the Web browser, for example Internet Explorer, select Tools > Internet
options > Content > Certificate > Personal.

b. Click Import.

c. In the pop-up window, follow the wizard to import the certificate.

2. On the PC, launch a Web browser and visit the address https://IP-Address (IP-Address
refers to the IP address of the manageable interface).

3. A dialog appears and asks you to select the proper certificate from the certificate list.

4. Click OK. The login page appears.

5. Enter the username and password and click Login. If you have configured the https client-
auth match cn command, the username you enter must be the same as the CN value of
the CA certificate.

Notes: To authenticate with the certificates in the client Web browser, note that:

- Make sure the USB Key has been inserted into the USB interface of the PC before
logging in.

- The Feitianchengxin USB Key (the authentication USB Key issued by Hillstone) comes
with a driver and Hillstone Usertools. After installing the driver and this tool by following
the installation wizard, you can import digital certificates to the USB Key with Hillstone
Usertools.

- You need to enter the USB Key user password (1234 by default) when importing
digital certificates to the USB Key.
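The CN Check described in the device-side step 3 and in client-side step 5 compares the commonName of the presented certificate with the username typed at login. The following is an added example, not StoneOS code, that models that comparison in Python so the edge cases are visible: the certificate subjects are constructed in the shape Python's ssl.SSLSocket.getpeercert() returns, and the treatment of a certificate with no CN or with two CNs, as well as the exact (case-sensitive) comparison, are assumptions made for the example rather than documented StoneOS behaviour.

```python
"""Added example: a CN-match check in the spirit of `https client-auth match cn`.
Not StoneOS code. Subjects are constructed in getpeercert() form: a tuple of
RDNs, each RDN a tuple of (attribute, value) pairs."""

# Constructed sample subjects (not real certificates).
CERT_ALICE = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example"),),
                (("commonName", "alice"),)),
}
CERT_NO_CN = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example"),)),
}
CERT_TWO_CN = {
    "subject": ((("commonName", "alice"),), (("commonName", "bob"),)),
}


def common_names(cert):
    """Return every commonName value in the certificate subject, in order."""
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def cn_matches_username(cert, username, enabled=True):
    """Decide whether login may proceed under the CN check.

    Documented rule: with the check enabled, login succeeds only if the CN of
    the certificate matches the username. Assumptions for this example: a
    certificate with no CN or with more than one CN is rejected rather than
    guessed at, and the comparison is exact (case-sensitive).
    """
    if not enabled:
        return True                      # `no https client-auth match cn`: no CN constraint
    names = common_names(cert)
    if len(names) != 1:
        return False
    return names[0] == username
```

Rejecting ambiguous subjects is the safer default: if two CNs were accepted, a certificate could be issued that matches more than one account, which defeats the purpose of binding the certificate to a single user.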

Unfreezing the WebUI

This function can be used only for CloudEdge deployed on the e Cloud. When CloudEdge is
deployed on the e Cloud, the e Cloud can manage CloudEdge via License Management System
(LMS). If the authorization of CloudEdge purchased on the e Cloud expires (that is, the available
period of CloudEdge authorized by the e Cloud expires), the e Cloud will freeze the WebUI of
CloudEdge through LMS. During the freeze period, you cannot access the WebUI of CloudEdge.
If you try to log in to the WebUI of CloudEdge with your user name and password, the login page
will prompt: "Error: WebUI is frozen, cannot use WebUI". When the user renews the author-
ization of CloudEdge on the e Cloud (that is, renews the available period of CloudEdge), the e
Cloud will unfreeze the WebUI of CloudEdge through LMS.
Usually, the freezing and unfreezing operations are automatically performed by e Cloud and LMS.
When CloudEdge loses contact with LMS, the freezing and unfreezing operations will fail. In this
case, you can unfreeze the WebUI via CLI.
To unfreeze the WebUI of CloudEdge, in any mode, use the command:
exec webui unfreeze

Application Mode

Overview
Hillstone devices support three types of application modes: transparent mode, mix mode, and
routing mode. The system chooses the proper mode according to the packets received. This
chapter describes the three application modes in detail.

Transparent Mode
To build the transparent application mode, you must create some L2 zones, bind interfaces to the
L2 zones and then bind the L2 zones to the VSwitch. If necessary, you can create multiple
VSwitches. The transparent mode has the following advantages:

- You do not have to change the IP addresses of the protected network.

- No NAT rules are needed.

As shown above, an interface in the L2 Trust Zone connects to the Intranet, and an interface in the
L2 Untrust Zone connects to the Internet.

Mix Mode
To build the mix application mode, you must bind some interfaces to L2 zones and some
interfaces to L3 zones, and configure IP addresses for the VSwitchIF and the L3 interfaces. Figure
below shows the topology of the mix mode.

Routing Mode
To build the routing mode, you must bind the interfaces to L3 zones, configure IP addresses on the
interfaces according to the network topology and security requirements, and configure proper policy
rules. Under the routing mode, the device performs both the routing function and the security
function, and NAT is also supported. In such a case, the device is deployed between the trust zone
and the untrust zone. Figure below shows the topology of the routing mode.

VSwitch
Hillstone devices might allow packets between some interfaces to be forwarded in Layer 2
(known as transparent mode), and packets between some interfaces to be forwarded in Layer 3
(known as routing mode), depending on the actual requirement. To facilitate a flexible
configuration of the mix mode of Layer 2 and Layer 3, StoneOS introduces the concept of the Virtual
Switch (VSwitch). By default StoneOS ships with a VSwitch known as VSwitch1. Each time you
create a VSwitch, StoneOS automatically creates a corresponding VSwitch interface (VSwitchIF)
for it. You bind an interface to a VSwitch by binding that interface to a security zone, and then
binding the security zone to the VSwitch.
A VSwitch acts as a Layer 2 forwarding zone, and each VSwitch has its own independent MAC
address table, so packets between interfaces in one VSwitch are forwarded according to Layer 2
forwarding rules. You can configure policy rules conveniently in a VSwitch. A VSwitchIF
virtually acts as an upstream switch interface, allowing packet forwarding between Layer 2 and
Layer 3.

Tip: For more information about VSwitch configuration, see Interface.

Basic Concepts

This section describes two basic concepts: L2 zones and L2 interfaces.

L2 Zones

To support policy rules for VSwitches, StoneOS introduces the concept of L2 zones. When creating a
zone, you have to specify whether it is an L2 zone. To bind an interface to a VSwitch, you must
bind it to an L2 zone first and then bind the L2 zone to the VSwitch. Figure below shows the
relationship among VSwitch, L2 zone, and L2 interface.

L2 Interfaces

A physical interface and its sub-interfaces can belong to different interfaces. An interface bound
to an L2 zone is an L2 interface, but only an interface with no IP configured can be bound to an L2
zone. A VSwitchIF is an L3 interface and cannot be bound to an L2 zone.

Forwarding Rules in VSwitch

StoneOS creates a MAC address table for a VSwitch by source address learning. Each VSwitch has
its own MAC address table. StoneOS handles packets according to their type: IP packets, ARP
packets, and non-IP-non-ARP packets.
The forwarding rules for IP packets are:

1. Receive a packet.

2. Learn the source address and update the MAC address table.

3. If the destination MAC address is a unicast address, the system looks up the egress interface
according to the destination MAC address. Two situations may occur:

- If the destination MAC address is the MAC address of a VSwitchIF with an IP configured,
the system forwards the packet according to the related routes; if the destination MAC
address is the MAC address of a VSwitchIF with no IP configured, the system drops the
packet.

- Otherwise, the egress interface is the one found for the destination MAC address. If the
egress interface is the source interface of the packet, the system drops the packet;
otherwise, it forwards the packet from the egress interface.

If no egress interface is found in the MAC address table (unknown unicast), jump to
Step 6 directly.

4. Determine the source zone and destination zone according to the ingress and egress
interfaces.

5. Look up the policy rules and forward or drop the packet according to the matched policy
rule.

6. If no egress interface is found in the MAC address table (unknown unicast), the system
sends the packet to all the other L2 interfaces. The sending procedure is: take each L2
interface as the egress interface and its L2 zone as the destination zone to look up the policy
rules, and then forward or drop the packet according to the matched policy rule. In short,
forwarding of unknown unicast is policy-controlled broadcasting. Broadcast packets and
multicast packets are processed in the same way as unknown unicast packets; the only
difference is that broadcast and multicast packets are also copied and handled in Layer 3 at
the same time.

For ARP packets, broadcast packets and unknown unicast packets are forwarded to all the other
interfaces in the VSwitch, and at the same time the system sends a copy of each such packet to the
ARP module for handling.
For non-IP-non-ARP packets, you can specify the action using the following command in the
global configuration mode:
l2-nonip-action {drop | forward}

- drop – Drops the packet.

- forward – Forwards the packet.
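To make the forwarding rules above concrete, here is an added example, not StoneOS code, that simulates them in Python: source learning, the unicast lookup with the VSwitchIF and egress-equals-ingress cases, policy-controlled flooding of unknown unicast, broadcast and multicast with the Layer 3 copy, the ARP handling, and the l2-nonip-action choice. The interfaces, zones, policy and MAC addresses are constructed for the example; hand-offs to Layer 3 and to the ARP module are only recorded. Two details the text does not state are assumptions marked in the code: a zone pair with no policy rule is denied, and "forward" for non-IP-non-ARP frames follows the same Layer 2 path as an IP frame.

```python
"""Added example (not StoneOS code): a small simulation of the VSwitch forwarding
rules. Interfaces, zones, policy and MACs are constructed for the example."""

from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """True for broadcast/multicast MACs (I/G bit of the first octet set)."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ingress: str           # L2 interface the frame arrived on
    kind: str = "ip"       # "ip", "arp" or "other" (non-IP-non-ARP)


@dataclass
class VSwitch:
    zone_of: dict          # L2 interface -> L2 zone bound to this VSwitch
    policy: dict           # (from_zone, to_zone) -> "permit"; absent pair = deny (assumption)
    vswitchif_mac: str
    vswitchif_has_ip: bool = False
    l2_nonip_action: str = "drop"                   # l2-nonip-action {drop | forward}
    mac_table: dict = field(default_factory=dict)   # learned MAC -> interface
    to_l3: list = field(default_factory=list)       # frames handed to Layer 3
    to_arp: list = field(default_factory=list)      # copies sent to the ARP module

    def policy_allows(self, ingress, egress):
        # Steps 4-5: zones come from the ingress/egress interfaces, then policy lookup
        return self.policy.get((self.zone_of[ingress], self.zone_of[egress])) == "permit"

    def flood(self, frame):
        # Step 6: policy-controlled broadcasting, one policy lookup per other L2 interface
        return [egress for egress in self.zone_of
                if egress != frame.ingress and self.policy_allows(frame.ingress, egress)]

    def forward(self, frame):
        """Return the egress interfaces the frame is sent out of ([] means dropped)."""
        if frame.kind == "other" and self.l2_nonip_action == "drop":
            return []
        # Assumption: "forward" treats a non-IP-non-ARP frame like an IP frame below.
        self.mac_table[frame.src_mac] = frame.ingress          # step 2: source learning
        if frame.kind == "arp":
            if frame.dst_mac == self.vswitchif_mac:
                self.to_arp.append(frame)                      # addressed to the device itself
                return []
            if frame.dst_mac == BROADCAST or frame.dst_mac not in self.mac_table:
                # ARP broadcast / unknown unicast: every other interface, plus the ARP module
                self.to_arp.append(frame)
                return [i for i in self.zone_of if i != frame.ingress]
            # Assumption: known-unicast ARP follows the unicast path below.
        if frame.dst_mac == self.vswitchif_mac:
            # Step 3, first case: to the VSwitchIF, routed only if it has an IP
            if self.vswitchif_has_ip:
                self.to_l3.append(frame)
            return []
        if not is_group_address(frame.dst_mac):
            egress = self.mac_table.get(frame.dst_mac)
            if egress is None:
                return self.flood(frame)                       # unknown unicast -> step 6
            if egress == frame.ingress:
                return []                                      # egress == source interface
            return [egress] if self.policy_allows(frame.ingress, egress) else []
        # Broadcast/multicast: flooded like unknown unicast and also copied to Layer 3
        self.to_l3.append(frame)
        return self.flood(frame)
```

The point worth noticing is that unknown unicast never bypasses policy: an interface whose zone pair has no permit rule receives nothing even during flooding, which is why an L2 zone with no rules is a safe default.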

Configuring a VSwitch

There is a default VSwitch named VSwitch1 in the system. You cannot delete VSwitch1. You can
create new VSwitches according to your needs, and you can view the VSwitch configuration
information at any time.
When you create a new VSwitch, a corresponding VSwitchIF is created automatically.
To create a VSwitch, in the global configuration mode, use the following command:
vswitch vswitchNumber

- Number – Specifies the numeric identification for the VSwitch. The value range varies between
platforms. For example, the command vswitch vswitch2 creates a VSwitch named VSwitch2
and the corresponding VSwitchIF named VSwitchif2, and at the same time you enter the
VSwitch2 configuration mode. If the specified VSwitch name exists, you will enter the
VSwitch configuration mode directly.

To delete a VSwitch together with its VSwitchIF, in the global configuration mode, use the
following command:
no vswitch vswitchNumber

To view the configuration information of a VSwitch, in any mode, use the following command:
show vswitch [vswitch-name]

- vswitch-name – Views the information of the specified VSwitch.

Viewing MAC Table Information

You can view or clear the MAC table information of all the VSwitches or of specified interfaces.
To view the information, in any mode, use the following command:
show mac [generic] | [interface interface-name]

- generic – Shows the statistics of the MAC table, including how many entries the table has and
how many entries are being used.

- interface interface-name – Shows the MAC entries of the specified interface.

To clear the MAC entries, in the execution mode, use the following command:
clear mac [interface interface-name]

Virtual Wire
Hillstone devices support VSwitch-based Virtual Wire. With this function enabled and a Virtual
Wire interface pair configured, the two Virtual Wire interfaces form a virtual wire that connects the
two sub-networks attached to the interface pair. The two connected sub-networks can
communicate directly on Layer 2, without forwarding through another sub-network. Furthermore,
policy rules and other controls remain available when Virtual Wire is used.
Virtual Wire operates in two modes, Strict and Non-Strict, as detailed below:

- Strict Virtual Wire mode: In this mode, Hillstone devices do not need to perform MAC
address learning. Packets can only be transmitted between Virtual Wire interfaces, and the
VSwitch cannot operate in the mix mode. A PC connected to a Virtual Wire interface can
neither manage the device nor access the Internet over this interface.

- Non-Strict Virtual Wire mode: In this mode, Hillstone devices can perform MAC address
learning. Packets can be transmitted between Virtual Wire interfaces, and the VSwitch also
supports data forwarding in the mix mode. That is, this mode only restricts the transmission of
Layer 2 packets between Virtual Wire interfaces, and does not affect Layer 3 forwarding.

The table below lists the packet transmission conditions in Strict and Non-Strict Virtual Wire
mode. Choose the Virtual Wire mode according to your actual requirement.

Packet                                                                       Strict   Non-Strict
Egress and ingress are interfaces of one Virtual Wire interface pair         Allow    Allow
Ingress is not a Virtual Wire interface                                      Deny     Deny
Egress and ingress are interfaces of different Virtual Wire interface pairs  Deny     Deny
Ingress of a to-self packet is a Virtual Wire interface                      Deny     Allow
Ingress is a Virtual Wire interface, and egress is an L3 interface           Deny     Allow

Configuring a Virtual Wire

To configure the Virtual Wire function, you need to enable the Virtual Wire function of the
VSwitch and configure the Virtual Wire interface pair.

Enabling Virtual Wire

By default, the Virtual Wire function of a VSwitch is disabled. To enable the Virtual Wire function,
in the VSwitch configuration mode, use the following command:
virtual-wire enable [strict | unstrict]

- strict | unstrict – Specifies the Virtual Wire mode: strict (strict) or non-strict (unstrict).
The strict mode is used if you leave this parameter unconfigured.

To disable the Virtual Wire function, in the VSwitch configuration mode, use the following
command:
no virtual-wire enable

Configuring a Virtual Wire Interface Pair

A Virtual Wire interface pair forms a virtual wire to transmit the L2 packets that meet the
conditions above. The maximum number of Virtual Wire interface pairs supported varies between
platforms.

To configure a Virtual Wire interface pair, in the VSwitch configuration mode, use the following
command:
virtual-wire set interface-name1 interface-name2

- interface-name1 interface-name2 – Specifies the two interfaces of the interface pair. The two
interfaces of one Virtual Wire cannot be the same, and one interface cannot belong to two
interface pairs.

To delete the specified interface pair, in the VSwitch configuration mode, use the following
command:
no virtual-wire set interface-name1 interface-name2

Viewing Virtual Wire Configuration Information

In any mode, use the command show vswitch vswitch-name to view the Virtual Wire status and
mode. To view the configuration information of Virtual Wire interface pairs, in any mode, use the
following command:
show virtual-wire [vswitch vswitch-name]

- vswitch vswitch-name – Views the Virtual Wire interface pair information of the specified
VSwitch. All the configured Virtual Wire interface pair information is displayed if you leave
this parameter unconfigured.
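The transmission table in the Virtual Wire overview and the interface-pair rule above (an interface cannot pair with itself or belong to two pairs) can be expressed as a single decision function. The following is an added example, not StoneOS code; the interface names and pairs are constructed, and the one assumption is that an egress interface that belongs to no Virtual Wire pair is treated as the L3 interface case of the table.

```python
"""Added example (not StoneOS code): the Virtual Wire transmission table as a
decision function, with the interface-pair validation rule applied first."""


def virtual_wire_decision(mode, pairs, ingress, egress=None, to_self=False):
    """Return "allow" or "deny" for a Layer 2 packet on a VSwitch with Virtual Wire.

    mode    -- "strict" or "unstrict", the keywords of `virtual-wire enable`
    pairs   -- list of (interface, interface) Virtual Wire interface pairs
    ingress -- interface the packet arrived on
    egress  -- interface it would leave on (ignored when to_self is True)
    to_self -- True for a packet addressed to the device itself
    Assumption: an egress interface in no pair is an L3 interface.
    """
    if mode not in ("strict", "unstrict"):
        raise ValueError("mode must be strict or unstrict")

    # Rule from `virtual-wire set`: no self-pairing, no interface in two pairs.
    pair_of = {}
    for a, b in pairs:
        if a == b or a in pair_of or b in pair_of:
            raise ValueError("an interface cannot pair with itself or belong to two pairs")
        pair_of[a] = pair_of[b] = (a, b)

    if ingress not in pair_of:
        return "deny"                                   # ingress is not a Virtual Wire interface
    if to_self:
        return "deny" if mode == "strict" else "allow"  # to-self packet
    if egress not in pair_of:
        return "deny" if mode == "strict" else "allow"  # egress is an L3 interface
    if pair_of[ingress] == pair_of[egress]:
        return "allow"                                  # same interface pair
    return "deny"                                       # different interface pairs
```

The two rows that differ between the modes are exactly the ones that leave the wire (to-self and L3 egress), which is what makes strict mode the choice when the device must not be reachable from the wired segments.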

NSH Proxy
Only the Hillstone CloudEdge virtual firewall supports the NSH proxy function. NSH (Network
Service Header) is a protocol used to provide Service Chains in the SFC (Service Function Chain)
architecture. The definition and instantiation of an ordered set of service functions and the
subsequent "forwarding" of traffic through them is called SFC. It is mainly used for end-to-end
services. It adds an NSH to the original packets to make them pass through multiple service
devices in sequence according to the specified path.
CloudEdge supports the Layer 2 NSH proxy function, which can encapsulate and forward Layer 2
NSH packets. Generally, there are two modes when you arrange services through SFC: two-arm
mode and one-arm mode. In the two-arm mode, packets come in and go out through different
interfaces; in the one-arm mode, packets come in and go out through the same interface.

Enabling NSH Layer 2 Proxy

To enable the NSH Layer 2 proxy function, in the VSwitch configuration mode, use the following
command:
virtual-wire set interface-name1 interface-name2 nsh-proxy

- interface-name1 interface-name2 – Specifies the egress and ingress interfaces for forwarding
NSH Layer 2 proxy traffic. In the two-arm mode of SFC, the egress and ingress interfaces
should be configured as two different interfaces. In the one-arm mode, the egress and ingress
interfaces need to be configured as the same interface.

To disable the NSH Layer 2 proxy function, in the VSwitch configuration mode, use the following
command:
no virtual-wire set interface-name1 interface-name2

NSH Proxy Debugging

To enable NSH proxy debugging, in any mode, use the following command:
debug dp nsh

To disable NSH proxy debugging, in any mode, use the following command:
undebug dp nsh

Viewing the NSH Packets on Interfaces

To view the packet counters of the NSH proxy interfaces, in any mode, use the following command:
show nsh-proxy-counter

Viewing the NSH Sessions

To view the NSH sessions, in any mode, use the following command:
show session nsh

Viewing Virtual Wire and NSH Proxy Configurations

In any mode, you can use the command show vswitch vswitch-name to view the status and mode
of Virtual Wire. To view the configuration information of Virtual Wire interface pairs and NSH
proxy, in any mode, use the following command:
show virtual-wire [vswitch vswitch-name]

- vswitch vswitch-name – Displays the Virtual Wire interface pair and NSH proxy information
of the specified VSwitch. If the parameter is not specified, all the configured Virtual Wire
interface pair and NSH proxy information is displayed.

VLAN Transparent in the Transparent Mode


In the transparent mode, when there are multiple VLANs on the physical interfaces, you have to
configure the corresponding sub-interfaces and multiple L2 forwarding zones (VSwitches) to
transmit all the VLAN packets. In this case, the traffic among different VLANs can be controlled
at a fine granularity with policy rules. However, the more VLANs there are, the more complex the
configuration is. To simplify the configuration, the system provides the VSwitch-based VLAN
transparent function. With this function, you do not have to configure sub-interfaces, and the
system forwards the VLAN tagged packets transparently without changing the tag.
By default, VLAN transparent in the VSwitch is disabled. To enable it, in the VSwitch
configuration mode, use the following command:
forward-tagged-packet

To disable VLAN transparent, in the VSwitch configuration mode, use the following command:
no forward-tagged-packet

VSwitch supports the double-tagged VLAN transparent function in the QinQ scenario. To enable
this function, in the VSwitch configuration mode, use the following command:
forward-double-tagged-packet

To disable the double-tagged VLAN transparent function in the QinQ scenario, in the VSwitch
configuration mode, use the following command:
no forward-double-tagged-packet

Notes: When configuring and using the VLAN transparent function, keep in mind that:

- A VSwitch that contains sub-interfaces cannot enable VLAN transparent.

- An L2 zone in a VSwitch with VLAN transparent enabled cannot bind sub-interfaces.

- Transparently transmitted VLAN tagged packets cannot be transmitted in Layer 3.

Configuration Example

The Hillstone device is deployed in the transparent mode. The interface ethernet0/0 connects to
the Internet, and ethernet0/1 connects to the Intranet; the Intranet address is 192.168.10.1/24.
Both ethernet0/0 and ethernet0/1 should carry the VLAN tagged packets with IDs from 0 (meaning
no ID) to 4094.
The goal is to control the VLAN packets tagged 2 with a dedicated policy rule and control the other
VLAN tagged packets with a common policy rule. Figure below shows the topology.

Configuration Steps

Step 1: Configure VSwitch1, and make the system forward the VLAN tagged packets (except for
the packets with ID 2) transparently through VSwitch1

hostname(config)# vswitch vswitch1
hostname(config-vswitch)# forward-tagged-packet
hostname(config-vswitch)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone l2-trust
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone l2-untrust
hostname(config-if-eth0/0)# exit
hostname(config)#

Step 2: Create VSwitch2 for the VLAN packets tagged 2

hostname(config)# vswitch vswitch2
hostname(config-vswitch)# exit
hostname(config)# zone l2-trust2 l2
hostname(config-zone-l2-tru~)# bind vswitch2
hostname(config-zone-l2-tru~)# exit
hostname(config)# zone l2-untrust2 l2
hostname(config-zone-l2-unt~)# bind vswitch2
hostname(config-zone-l2-unt~)# exit
hostname(config)# interface ethernet0/0.2
hostname(config-if-eth0/0.2)# zone l2-untrust2
hostname(config-if-eth0/0.2)# exit
hostname(config)#

Step 3: Configure the policy rules

hostname(config)# address address1
hostname(config-addr)# ip 192.168.10.1/24
hostname(config-addr)# exit
hostname(config)# policy-global
hostname(config-policy)# rule from address1 to any from-zone l2-trust2 to-zone l2-untrust2 service any permit
hostname(config-policy)# rule id 2
hostname(config-policy-rule)# src-zone l2-trust2
hostname(config-policy-rule)# dst-zone l2-untrust2
hostname(config-policy-rule)# exit
hostname(config-policy)# rule from any to any from-zone l2-trust to-zone l2-untrust service any permit
Rule id 3 is created
hostname(config-policy)# exit
hostname(config)#

Configuring Transparent ARP


In the transparent application mode, ARP learning is disabled by default. You can enable or
disable ARP learning manually to obtain IP-MAC binding information. To enable or disable ARP
learning, in the VSwitch configuration mode, use the following command:

- Enable: arp-l2mode

- Disable: no arp-l2mode

Configuring a VRouter
There is a default VRouter in the system named trust-vr. The default VRouter cannot be deleted.
After enabling the multi-VR function, you can create more VRouters according to your own
needs.

Enabling and Disabling Multi-VR

By default, the multi-VR function is disabled, and you cannot create other VRs.
To enable or disable the multi-VR function, in any mode, use the following command:

- Enable: exec vrouter enable

- Disable: exec vrouter disable

After multi-VR is enabled or disabled, the system must reboot for the change to take effect. After
rebooting, the system's maximum number of concurrent sessions might decrease if the function is
enabled, or be restored to normal if the function is disabled. For more information about the
maximum concurrent sessions, see "The Maximum Concurrent Sessions" on Page 698.
If multi-VR is enabled, traffic can traverse up to 3 VRs, and any traffic that has to traverse more
than 3 VRs will be dropped.

Creating a VRouter

After enabling the multi-VR function and rebooting the system, to create a new VRouter and
enter the VRouter configuration mode, in the global configuration mode, use the following
command:
ip vrouter vrouter-name

- vrouter-name – Specifies the name of the VRouter to be created. If the specified name
exists, you will enter the VRouter configuration mode directly.

To delete the specified VRouter, in the global configuration mode, use the following command:
no ip vrouter vrouter-name

Viewing VRouter Information

To view the VRouter information, in any mode, use the following command:
show ip vrouter [vrouter-name]

- vrouter-name – Views the information of the specified VRouter. Information of all the
VRouters in the system is displayed if you leave this parameter unconfigured.

Deployment Mode

Overview
Hillstone devices support three types of deployment modes: inline mode, bypass mode, and mix
mode. This chapter introduces the three modes in brief and describes the principle and
configuration of the bypass mode in detail.

Inline Mode

In most situations, the Hillstone device is deployed in inline mode. Under this mode, the device
analyzes, controls, and forwards the network traffic. Figure below shows the inline mode
topology.

Bypass Mode

Some functions on the device can work in both the inline mode and the bypass mode, such as
IPS, AV, statistics, and network behavior control. When the device is working under the bypass
mode, it monitors, scans, and logs the traffic without forwarding it. In this case, a device failure
will not impact the traffic transmitted in the network. The bypass mode is a better choice for
auditing-only situations. Figure below shows the bypass mode topology.

Mix Mode

The Hillstone device works under the inline mode by default. After configuring the bypass mode on
the device, it works under the mix mode of inline and bypass. Figure below shows the mix mode
topology.

Working Principle of Bypass Mode
The bypass mode of the Hillstone device is realized by configuring related parameters on interfaces.
Bind a physical interface to a Tap zone (the function zone for bypass mode) to make it a bypass
interface. The device then monitors, scans, or records the traffic received on the bypass interface.
Figure below illustrates the working principle of bypass mode.

As shown in the illustration above, the Hillstone device is deployed in the network under the
bypass mode. The interface e1 is the bypass interface and e2 is the bypass control interface. The
interface e0 is the mirror interface of the switch.
The switch mirrors the traffic to e1, and the Hillstone device monitors, scans, and logs the traffic
received from e1.
After configuring IPS, AV, or network behavior control on the Hillstone device, if the device
detects network intrusions, viruses, or illegal network behaviors, it sends TCP RST packets from
e2 to the switch to tell it to reset the connections.

Configuring Bypass Mode


Configurations of bypass mode include:

- Creating a Tap Zone

- Binding an Interface to a Tap Zone

- Configuring a Bypass Control Interface

- Specifying a Statistical Range

- Configuring a Linkage Firewall

Creating a Tap Zone

To deploy the device in the bypass mode, you must create a Tap zone and bind a physical
interface to the Tap zone.
To create a Tap zone, in the global configuration mode, use the following command:
zone zone-name tap

- zone-name - Specifies the name of the zone.

If the specified name exists, you will enter the zone configuration mode directly.
After configuring a Tap zone, the system automatically creates a policy rule whose source and
destination zones are both the created Tap zone.
To delete the specified zone, in the global configuration mode, use the command
no zone zone-name.

Binding an Interface to a Tap Zone

An interface bound to a Tap zone is a bypass interface. A physical interface, an aggregate interface,
a tunnel interface or a redundant interface can be configured as a bypass interface. A bypass
interface cannot have sub-interfaces.
To bind an interface to a Tap zone, in the interface configuration mode, use the following
command:
zone zone-name

To cancel the binding, in the interface configuration mode, use the command no zone.

Configuring a Bypass Control Interface

A bypass control interface is used to send control packets (only TCP RST packets are supported in
the current version). After configuring IPS, AV, or network behavior control on the Hillstone
device, if the device detects network intrusions, viruses, or illegal network behaviors, it sends TCP
RST packets from the bypass control interface (e2 in the figure above) to the switch to tell it to
reset the connections.
By default, the bypass control interface is the bypass interface itself. For tunnel interfaces, if the
interface itself is used as the control interface, the control packets sent by the tunnel interface
may not be processed correctly. It is recommended that bypass tunnel interfaces be configured
with other interfaces as control interfaces. When configuring, ensure that the control interface can
send packets to the switch normally.
To configure a bypass control interface, in the bypass interface configuration mode, use the
following command:
tap control-interface interface-name

- interface-name - Specifies the name of the interface.

To cancel the specified bypass control interface, in the bypass interface configuration mode, use
the command no tap control-interface.

Specifying a Statistical Range

When the statistic set grouped by IP is enabled, in order to get more precise statistical data, you
can specify a LAN address, namely the statistical range. Packets whose source IP is outside the
specified range are not counted.
To specify the statistical range, in the bypass interface configuration mode, use the following
command:
tap lan-address {ipv4-address-entry | ipv6-address-entry}

- ipv4-address-entry - Specifies the name of the IPv4 address entry. Generally speaking, this
address entry should contain all the IPv4 LAN addresses on the monitored device.

- ipv6-address-entry - Specifies the name of the IPv6 address entry. Generally speaking, this
address entry should contain all the IPv6 LAN addresses on the monitored device.

To cancel the specified statistical range, in the bypass interface configuration mode, use the
command no tap lan-address.
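The effect of the statistical range is easier to see on data: mirrored traffic on a bypass interface carries both directions of every flow, so without a LAN range the per-IP statistics count the remote peers as well as the hosts being monitored. The following is an added example, not StoneOS code, that applies the rule to a constructed packet sample in Python: the LAN address entries and the packet records are constructed, and the choice to count every valid source when no range is configured is an assumption made for the example.

```python
"""Added example (not StoneOS code): per-source-IP statistics restricted to a
LAN address range, the behaviour `tap lan-address` describes. Address entries
and packet records are constructed for the example."""

import ipaddress
from collections import Counter

# Constructed address entries standing in for ipv4-address-entry / ipv6-address-entry.
LAN_V4 = [ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_network("10.0.0.0/8")]
LAN_V6 = [ipaddress.ip_network("2001:db8:10::/48")]

# Constructed sample of mirrored packets: (source IP, destination IP, bytes).
SAMPLE_PACKETS = [
    ("192.168.10.5", "203.0.113.7", 1500),
    ("192.168.10.5", "203.0.113.7", 60),
    ("10.1.2.3", "198.51.100.9", 500),
    ("203.0.113.7", "192.168.10.5", 1500),   # return traffic: source is outside the LAN
    ("2001:db8:10::1", "2001:db8:ffff::1", 800),
    ("2001:db8:ffff::1", "2001:db8:10::1", 800),
    ("not-an-ip", "203.0.113.7", 40),        # malformed record, never counted
]


def in_lan(address, lan_v4=LAN_V4, lan_v6=LAN_V6):
    """True when the source address falls inside the configured statistical range."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    if not lan_v4 and not lan_v6:
        return True      # assumption: no range configured, so every valid source counts
    ranges = lan_v4 if ip.version == 4 else lan_v6
    return any(ip in net for net in ranges)


def count_by_source(packets, lan_v4=LAN_V4, lan_v6=LAN_V6):
    """Per-source packet and byte counters; sources outside the range are skipped."""
    pkts, octets = Counter(), Counter()
    for src, _dst, size in packets:
        if not in_lan(src, lan_v4, lan_v6):
            continue
        pkts[src] += 1
        octets[src] += size
    return pkts, octets
```

With the range applied only the four packets sourced from the LAN are counted; with no range the same sample yields six counted packets, the two remote peers included.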

Chapter 1 Firewall 31
Configuring a Linkage Firewall

Users can configure a linkage firewall, when current device is working in the TAP mode and the
bypass interface is the one that receives the mirror traffic, if one or more of the following con-
figurations are made, the device will send the matched traffic information to the linkage firewall
which will block the traffic:

l The source zone and destination zone in the security policy is the TAP zone with this inter-
face bound, and the action of the IPS rule that referenced by the security policy is Block IP or
Block service;

l The source zone of the share access rule is the TAP zone with this interface bound, and the
action of the share access rule is Block;

l The source zone and destination zone in the security policy is the TAP zone with this inter-
face bound, and the action of the end point profile that referenced by the security policy is
Block;

l The zone of the perimeter traffic filtering is the TAP zone with this interface bound, and the
action of the perimeter traffic filtering is Block IP.

To configure a linkage firewall, in the bypass interface configuration mode, use the following com-
mand:
tap firewall {ip ipv4-address | ipv6 ipv6-address} [protocol ssh [port port-number]] username
username password password [vrouter vrouter-name]

• ip ipv4-address | ipv6 ipv6-address - Specifies the IPv4 or IPv6 address of the linkage firewall.

• protocol ssh [port port-number] - Specifies the port number of the SSH protocol. The range is 1 to 65535. The default value is 22.

• username username password password - Specifies the username (username username) and password (password password) used to log in to the linkage firewall. The range of the username is 1 to 31 characters. The range of the password is 1 to 31 characters.

• vrouter vrouter-name - Specifies the VRouter of the linkage firewall. The default value is the default VRouter in the system, named trust-vr.

In the bypass interface configuration mode, use the command no tap firewall [ip | ipv6] to cancel
the specified linkage firewall.

Example of Configuring Bypass Mode


This section describes a bypass mode configuration example.

Topology

A Hillstone device is deployed in the network in bypass mode. The IPS function is enabled. The interface ethernet0/0 is configured as the bypass interface, which is used to receive the mirrored traffic from the switch. The figure below shows the topology.

Configuration Steps

Step 1: Create the Tap zone and bind an interface to the Tap zone

hostname(config)# zone tap1 tap

hostname(config-zone-tap1)# exit

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone tap1

hostname(config-if-eth0/0)# exit

hostname(config)#

Because ethernet0/0 is configured as the bypass interface, it is also the default bypass control interface.

Step 2: Bind the IPS profile to the Tap zone

Bind the configured IPS profile named ips-profile1 to the Tap zone:
hostname(config)# zone tap1

hostname(config-zone-tap1)# ips enable ips-profile1

hostname(config-zone-tap1)# exit

hostname(config)#

StoneOS Architecture

Overview
StoneOS is the firmware running on the Hillstone devices. The basic components of StoneOS
include interface, zone, VSwitch, VRouter, policy rule, and VPN.

Interfaces
Interfaces allow inbound and outbound traffic to security zones. An interface must be bound to a
security zone so that traffic can flow into and from the security zone. Furthermore, for the Layer
3 security zone, an IP address should be configured for the interface and the corresponding policy
rules should also be configured to allow traffic transmission between different security zones. Mul-
tiple interfaces can be bound to one security zone, but one interface cannot be bound to multiple
security zones.

Tip: For more information about interfaces, see Interface.

Zones
Zones divide the network into multiple segments, for example, trust (usually the trusted segments such as the intranet), untrust (usually the untrusted segments where security threats exist), and so on. You can apply proper policy rules to zones so that the device controls the traffic transmitted among zones. There are eight predefined security zones in StoneOS, which are trust, untrust, dmz, L2-trust, L2-untrust, L2-dmz, vpnhub (VPN functional zone) and ha (HA functional zone).

Tip: For more information about zones and policy rules, see Zone and Policy.

VSwitches
VSwitch is short for Virtual Switch. A VSwitch functions as a switch in Layer 2. After binding a
Layer 2 zone to a VSwitch, all the interfaces in the zone are also bound to the VSwitch. There is a
default VSwitch named VSwitch1. By default, all Layer 2 zones will be bound to VSwitch1. You
can create new VSwitches and bind Layer 2 zones to VSwitches.
Each VSwitch is a Layer 2 forwarding zone with its own MAC address table, which supports Layer 2 traffic transmission for the device. Furthermore, the VSwitchIF handles traffic transmission between Layer 2 and Layer 3.

Tip: For more information about VSwitch, see Deployment Mode.

VRouter
VRouter is the short form for Virtual Router, also abbreviated as VR. A VRouter functions as a router with its own routing table. There is a default VR named trust-vr. By default, all Layer 3 zones are bound to trust-vr automatically. The system supports the multi-VR function, and the maximum number of VRs varies by platform. Multiple VRs make the device work as multiple virtual routers, each of which uses and maintains its own routing table. The multi-VR function allows a device to isolate addresses between different routing zones and to overlap addresses between different VRs, and also avoids route leaking to some extent, enhancing the route security of the network. For more information about the relationship between interface, security zone, VSwitch and VRouter, see the following diagram:

As shown above, the binding relationships among them are:

• Interfaces are bound to security zones. Interfaces bound to Layer 2 security zones and Layer 3 security zones are known as Layer 2 interfaces and Layer 3 interfaces respectively. One interface can only be bound to one security zone; an interface and its sub-interface can belong to different security zones.

• Security zones are bound to a VSwitch or VRouter. Layer 2 security zones are bound to a VSwitch (by default the predefined Layer 2 security zones are bound to the default VSwitch1), and Layer 3 security zones are bound to a VRouter (by default the predefined Layer 3 security zones are bound to the default trust-vr), thus realizing the binding between the interfaces and the VSwitch or VR. One security zone can only be bound to one VSwitch or VR.

Policy
Policy is the basic function of Hillstone devices, designed to control traffic forwarding between security zones/segments. By default, Hillstone devices deny all traffic between security zones/segments; the policy identifies which flows between security zones or segments are permitted and which are denied, based on policy rules.

VPN
StoneOS supports IPsec VPN, SSL-based remote access solution - Secure Connect VPN
(SCVPN), dial-up VPN, PnPVPN, and L2TP VPN. You can configure VPN tunnels and choose the VPN application mode:

• Policy-based VPN: Bind VPN tunnels to policy rules to transfer the specified traffic through tunnels.

• Route-based VPN: Bind VPN tunnels to tunnel interfaces, and then make the tunnel interface the next hop of the static routes. The specified traffic will be transmitted through VPN tunnels.

Packet Handling Process


For information about the Layer 2 packet handling process, see Forwarding Rules in VSwitch. The Layer 3 packet handling process is shown below. In addition, the system supports the deny session function, which affects the handling process in both Layer 2 and Layer 3. For more information about deny session, see Deny Session.

1. Identify the logical ingress interface of the packet to determine the source zone of the
packet. The logical ingress interface may be a common interface or a sub-interface.

2. The system performs a sanity check on the packet. If the attack defense function is enabled on the source zone, the system performs the AD check at the same time.

3. Session lookup. If the packet belongs to an existing session, the system performs Step 11 directly.

4. DNAT operation. If a DNAT rule is matched, the system marks the packet. The DNAT translated address is needed in the route lookup step.
*If a BNAT rule exists, the system checks whether the packet matches any BNAT rule. When the packet matches a BNAT rule, it follows the BNAT configuration and the regular DNAT rules are not checked.

5. Route lookup. The route lookup order from high to low is: PBR > SIBR > SBR > DBR > ISP route.
At this point, the system knows the logical egress and the destination zone of the packet.

6. SNAT operation. If a SNAT rule is matched, the system marks the packet.
*If a BNAT rule exists, the system checks whether the packet matches any BNAT rule. When the packet matches a BNAT rule, it follows the BNAT configuration and the regular SNAT rules are not checked.

7. VR next hop check. If the next hop is a VR, the system checks whether the maximum VR number is exceeded (the current version allows a packet to traverse up to three VRs). If it is exceeded, the system drops the packet; if it is within the maximum number, return to Step 4. If the next hop is not a VR, go on with policy lookup.

8. Policy lookup. The system looks up the policy rules according to the packet's source/destination zones, source/destination IP and port, and protocol. If no policy rule is matched, the system drops the packet; if a policy rule is matched, the system deals with the packet as the rule specifies. The action can be one of the following:

• Permit: Forwards the packet.

• Deny: Drops the packet.

• Tunnel: Forwards the packet to the specified tunnel.

• Fromtunnel: Checks whether the packet originates from the specified tunnel. The system forwards packets from the specified tunnel and drops other packets.

• WebAuth: Performs WebAuth on the specified user.

9. First time application identification. The system tries to identify the type of the application
according to the port number and service specified in the policy rule.

10. Establish the session.

11. If necessary, the system performs the second application identification. It is a precise identification based on the packet contents and traffic action.

12. Application behavior control. After knowing the type of the application, the system will
deal with the packet according to the configured profiles and ALG.

13. Perform operations according to the records in the session, for example, the NAT mark.

14. Forward the packet to the egress interface.

Deny Session
The deny session function dramatically improves system performance when the device is under attack. Usually, before creating a new session, the system performs several actions on the packet, such as the AD check, SNAT/DNAT marking, policy rule lookup, application identification, and so on (refer to the packet handling process in the previous section). Performing these actions consumes a large amount of CPU resources, which degrades performance and gives attackers an opportunity. To address this problem, StoneOS provides the deny session function.

The working principle of deny session is as follows. After the deny session function is configured, the system creates deny sessions for packets that cannot create sessions for some reason. When a packet enters the device, the system checks its 5-tuple, and if the packet matches an existing deny session, the system drops it. Thus the system performance is improved.
The system creates deny sessions in the following situations:

• Failed in AD check (Layer 2 and Layer 3 IP address spoofing attack defense);

• Failed in policy rule matching;

• Failed in forward or reverse route matching;

• The to-self packet is denied;

• The session limitation is exceeded.

In the following situations, the deny sessions are deleted:

• The deny sessions age out automatically. Existing deny sessions age out when the time is up, and the system deletes the aged deny sessions. You can specify the age-out time.

• If the reverse traffic is allowed to create a session, the corresponding deny session is deleted.

Configuring the Deny Session Function

Deny session configurations are performed in the flow configuration mode. To enter the flow configuration mode, in the global configuration mode, use the command flow.

Specifying the Deny Session Type

You can specify the situations in which deny sessions are created. In the flow configuration mode, use the following command:
deny-session deny-type {all | ad | policy | route | self | session-limit}

• all – Creates deny sessions in all the 5 situations the system supports.

• ad – Creates deny sessions when the packet fails the AD check (Layer 2 and Layer 3 IP address spoofing attack defense).

• policy – Creates deny sessions when the packet cannot find a matching policy rule or matches a deny rule.

• route – Creates deny sessions when the packet cannot find a forward or reverse route.

• self – Creates deny sessions when the to-self packet is denied.

• session-limit – Creates deny sessions when the packet exceeds the configured session limitation.

To remove the deny session type configuration, in the flow configuration mode, use the following command:
no deny-session deny-type {all | ad | policy | route | self | session-limit}

Specifying the Maximum Number of Deny Sessions

This is the maximum number of deny sessions the system supports. To specify the maximum number of deny sessions, in the flow configuration mode, use the following command:
deny-session percentage number

• number – Specifies the percentage of deny sessions in the total sessions. The value range is 0 to 10. The value 0 disables the deny session function. The default value is 2, which means up to 2% of the total sessions can be deny sessions.

To restore the default deny session number, in the flow configuration mode, use the following command:
no deny-session percentage

Specifying the Timeout Value

The timeout value is the time after which a deny session ages out and is deleted from the system. To specify the timeout value, in the flow configuration mode, use the following command:
deny-session timeout time

• time – Specifies the timeout value. The value range is 1 to 3 seconds. The default value is 3.

To restore the default timeout value, in the flow configuration mode, use the following command:
no deny-session timeout

Viewing the Deny Session Configuration Information

The deny session configuration information includes the type, maximum number, and timeout value. To view the information, in any mode, use the following command:
show flow deny-session

Viewing the Deny Session Information

To view the existing deny session information, in any mode, use the following command:
show session deny
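
The deny session behaviour described in this section, modelled as an added example that is not StoneOS code: a 5-tuple deny table driven by the deny-type set, the percentage cap and the age-out timeout from the commands above, plus deletion of a deny session when the reverse traffic is allowed to create a session. The class and method names, the total session capacity and the sample 5-tuple are assumptions; the clock is passed in explicitly so the model runs offline.

```python
from typing import Dict, Optional, Set, Tuple

# 5-tuple: (src-ip, dst-ip, src-port, dst-port, protocol-number)
FiveTuple = Tuple[str, str, int, int, int]

# The five situations listed under "deny-session deny-type".
ALL_DENY_TYPES = frozenset({"ad", "policy", "route", "self", "session-limit"})


def reverse(t: FiveTuple) -> FiveTuple:
    """5-tuple of the reverse direction of a flow."""
    return (t[1], t[0], t[3], t[2], t[4])


class DenySessionTable:
    """Hypothetical model of the StoneOS deny-session table (not vendor code)."""

    def __init__(self, deny_types: Set[str], percentage: int = 2,
                 timeout: int = 3, total_sessions: int = 10000) -> None:
        # "deny-session deny-type all" covers the five supported situations.
        self.deny_types = ALL_DENY_TYPES if "all" in deny_types else frozenset(deny_types)
        if not self.deny_types <= ALL_DENY_TYPES:
            raise ValueError("unknown deny type")
        # "deny-session percentage": 0..10, default 2; 0 disables the function.
        if not 0 <= percentage <= 10:
            raise ValueError("percentage must be 0..10")
        # "deny-session timeout": 1..3 seconds, default 3.
        if not 1 <= timeout <= 3:
            raise ValueError("timeout must be 1..3 seconds")
        self.percentage = percentage
        self.timeout = timeout
        # Assumed total session capacity; the deny cap is a percentage of it.
        self.total_sessions = total_sessions
        self.sessions: Set[FiveTuple] = set()      # normal (forwarding) sessions
        self.deny: Dict[FiveTuple, float] = {}     # deny 5-tuple -> age-out time
        self.stats = {"fast-drop": 0, "slow-drop": 0}

    def capacity(self) -> int:
        """Maximum number of deny sessions allowed by the percentage setting."""
        return self.total_sessions * self.percentage // 100

    def _age_out(self, now: float) -> None:
        """Delete deny sessions whose timeout has expired."""
        self.deny = {k: exp for k, exp in self.deny.items() if exp > now}

    def handle(self, pkt: FiveTuple, now: float, failure: Optional[str]) -> str:
        """Process one packet and return what happened to it.

        failure is None when the packet passes the AD check, route lookup,
        policy lookup, to-self check and session limit, otherwise the name of
        the check it failed ("ad", "policy", "route", "self", "session-limit").
        The outcome of those checks is an input here because they are the
        full packet handling process described earlier in the chapter.
        """
        self._age_out(now)
        # Fast path: a 5-tuple matching an existing deny session is dropped
        # before any of the expensive per-packet work is repeated.
        if pkt in self.deny:
            self.stats["fast-drop"] += 1
            return "drop-deny-session"
        if pkt in self.sessions or reverse(pkt) in self.sessions:
            return "forward"
        if failure is None:
            self.sessions.add(pkt)
            # Reverse traffic allowed to create a session deletes the
            # corresponding deny session.
            self.deny.pop(reverse(pkt), None)
            return "new-session"
        # Slow path: the packet went through the checks and was denied.
        self.stats["slow-drop"] += 1
        if (self.percentage > 0 and failure in self.deny_types
                and len(self.deny) < self.capacity()):
            self.deny[pkt] = now + self.timeout
        return "drop-" + failure


if __name__ == "__main__":
    table = DenySessionTable(deny_types={"policy"})
    flow = ("10.1.1.5", "10.2.2.9", 40000, 445, 6)   # constructed sample 5-tuple
    print(table.handle(flow, 0.0, "policy"))   # drop-policy (deny session created)
    print(table.handle(flow, 1.0, "policy"))   # drop-deny-session (fast path)
    print(table.handle(flow, 3.0, "policy"))   # drop-policy (aged out after 3 s)
```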

TCP RST Packet Check


StoneOS supports TCP RST packet check. After this function is enabled, if a TCP RST packet is the first packet, the system does not create a session. To enable TCP RST packet check, in the flow configuration mode, use the following command:
tcp-rst-bit-check
To disable TCP RST packet check, in the flow configuration mode, use the following command:
no tcp-rst-bit-check

Global Network Parameters
To provide a better traffic transmission service, the device supports a set of global network para-
meters, including TCP MSS (Maximum Segment Size), TCP sequence number check, TCP three-
way handshaking timeout check, TCP SYN packet check, IP fragment and Jumbo Frame options.

Configuring MSS

MSS is a parameter of the TCP protocol that specifies the largest amount of data that the device can receive in a single TCP segment. You can specify the MSS value for all TCP SYN/ACK packets or for the IPsec VPN TCP SYN/ACK packets. A proper MSS value can reduce the number of IP fragments. To specify the MSS value, in the global configuration mode, use the following command:
tcp-mss {all | tunnel} size

• all – Specifies the MSS value for all the TCP SYN packets.

• tunnel – Specifies the MSS value for TCP packets of the IPsec VPN/SSL VPN/GRE/L2TP tunnels, etc.

• size – Specifies the MSS value. The value range is 64 to 65535. The default value for TCP SYN/ACK packets is 1448. The default value for IPsec VPN TCP SYN/ACK packets is 1380.

To restore the default MSS value, in the global configuration mode, use the following command:
no tcp-mss {all | tunnel}

TCP Sequence Number Check

The TCP sequence number check function checks the TCP sequence number of the packet, and if the sequence number exceeds the TCP window, the system drops the packet. This function is enabled by default. To configure the TCP sequence number check function, in the global configuration mode, use the following commands:

• Disable: tcp-seq-check-disable
• Enable: no tcp-seq-check-disable

TCP Three-way Handshaking Timeout Check

The device can check the TCP three-way handshake time, and if the three-way handshake has not been completed when the timeout expires, the connection is reset. To configure this function, in the global configuration mode, use the following command:
tcp-syn-check [timeout-value]

• timeout-value – Specifies the timeout value. The value range is 1 to 1800 seconds. The default value is 20.

To disable the TCP three-way handshaking timeout check function, in the global configuration mode, use the following command:
no tcp-syn-check

TCP Connection State Age-time

The system uses the age-time to calculate the lifetime of a TCP connection. If no data is received within the age-time, the system deletes the TCP connection. You can specify an age-time for each state of the TCP connection. The age-time can be specified for the following TCP connection states:

• ESTABLISHED

• FIN-WAIT-1

• FIN-WAIT-2

• TIME-OUT

To specify the age-time in the ESTABLISHED state, in the global configuration mode, use the following command:
tcp-establish-check [timeout-value]

• timeout-value – Specifies the age-time for the ESTABLISHED state. After the three-way handshake, the TCP connection moves to the ESTABLISHED state; if no TCP data is transmitted, the age-time defined for this state applies. The value range is from 1 to 1800 seconds. If this parameter is not specified, the system uses the default value of 300 seconds.

To specify the age-time in the FIN-WAIT-1 state, in the global configuration mode, use the following command:
tcp-fin-wait-1-check [timeout-value]

• timeout-value – Specifies the age-time for the FIN-WAIT-1 state. The value range is from 1 to 1800 seconds. If this parameter is not specified, the system uses the default value of 120 seconds.

To specify the age-time in the FIN-WAIT-2 state, in the global configuration mode, use the following command:
tcp-fin-wait-2-check [timeout-value]

• timeout-value – Specifies the age-time for the FIN-WAIT-2 state. The value range is from 1 to 1800 seconds. If this parameter is not specified, the system uses the default value of 120 seconds.

To specify the age-time in the TIME-OUT state, in the global configuration mode, use the following command:
tcp-time-wait-check [timeout-value]

• timeout-value – Specifies the age-time for the TIME-OUT state. The value range is from 1 to 1800 seconds. If this parameter is not specified, the system uses the default value of 5 seconds.

TCP SYN Packet Check

The system supports the TCP SYN packet check function. When establishing a TCP connection, the device checks the received packets:

• When the received packet is a TCP SYN packet, the TCP connection is established.

• When the received packet is a TCP non-SYN packet, the packet is processed according to the specified action.

This function is disabled by default. To configure this function and specify the action for TCP non-SYN packets, in the global configuration mode, use the following command:
tcp-syn-bit-check {drop | reset}

• drop – When the received packet is a TCP non-SYN packet, the system drops the packet.

• reset – When the received packet is a TCP non-SYN packet, the system drops the packet and sends an RST packet to the peer device.

To disable the TCP SYN check function, in the global configuration mode, use the following command:
no tcp-syn-bit-check

IP Fragment

For fragmented packets, you can specify the maximum fragment number (any IP packet that contains more fragments than this number is dropped) and the fragment reassembly timeout value (if the device has not received all the fragments when the timeout expires, the packet is dropped).
To specify the maximum fragment number, in the global configuration mode, use the following command:
fragment chain number

• number – Specifies the maximum fragment number allowed by the system. The value range is 1 to 1024. The default value is 48.

To restore the default maximum fragment number, in the global configuration mode, use the command no fragment chain.

To specify the reassembly timeout value, in the global configuration mode, use the following command:
fragment timeout time

• time – Specifies the timeout value. The value range is 1 to 60 seconds. The default value is 2.

To restore the default timeout value, in the global configuration mode, use the command no fragment timeout.

SYN packets dropping

Enabling/Disabling SYN Packets Dropping

The system can drop SYN packets with the same five-tuple during the delay-deleting time of TCP sessions; that is, while a TCP session is waiting to be deleted, the system drops SYN packets whose five-tuple matches that session. If this function is disabled, SYN packets received during the delay-deleting time match the TCP sessions being deleted and are forwarded, which can lead to the loss of the new packets because they cannot match the correct sessions once those sessions are deleted.
This function is disabled by default.
In the flow mode, use the following command to enable or disable SYN packet dropping:

• Enable: tcp-out-of-state-syn-drop

• Disable: no tcp-out-of-state-syn-drop

Show the state of the function of SYN packets dropping

In the execution mode, use the following command to show the state of the function of SYN
packets dropping:
show flow tcp-out-of-state-syn-drop

Jumbo Frame

In the process of packet forwarding, if the device receives a frame whose size exceeds the MTU value of the outbound interface, the data is either fragmented into smaller frames or dropped. With the Jumbo Frame function enabled, the system can forward packets less than or equal to 9216 bytes as follows:

• For IPv4/IPv6 packets that are less than the MTU value of the outbound interface, forward them directly.

• For IPv4 packets that are larger than the MTU value of the outbound interface, the packets are forwarded in fragments.

• For IPv6 packets that are larger than the MTU value of the outbound interface, an "ICMPv6 Packet Too Big" error message is sent to the source node of the packets, asking the sender to shorten the packets.

The Jumbo Frame function is disabled by default. To enable or disable the function, in the flow configuration mode, use the following command:
jumbo-frame-transceiver {enable | disable}

• enable - Enables the Jumbo Frame function.

• disable - Disables the Jumbo Frame function.

Notes:
• When the Jumbo Frame function is enabled, the MTU configuration range of the interface changes. For more information about the MTU value configuration of the interface, see Configuring an Interface MTU Value and Specifying an IPv6 MTU.

• SG-6000-K9180 and SG-6000-X8180 do not support the Jumbo Frame function.

To view the status of the Jumbo Frame function, in the interface configuration mode, use the fol-
lowing command:
show flow jumbo_frame_transceiver
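
The IP Fragment limits and the Jumbo Frame forwarding rules above, combined in one added model that is not StoneOS code: fragments are tracked per datagram against the fragment chain and fragment timeout limits, and an outbound packet is classified into the three Jumbo Frame cases. The function and class names, the byte-based fragment offsets and the sample addresses are constructed for this example; dropping frames above 9216 bytes is an assumption the text does not state.

```python
from typing import Dict, List, Tuple

# Largest frame the Jumbo Frame function forwards, per the section above.
JUMBO_FRAME_MAX = 9216


def jumbo_egress_action(ip_version: int, packet_len: int, mtu: int) -> str:
    """Forwarding decision for an outbound packet with Jumbo Frame enabled.

    Returns "forward", "fragment" (IPv4 larger than the MTU),
    "icmpv6-packet-too-big" (IPv6 larger than the MTU) or "drop" for frames
    above 9216 bytes (the text covers only packets up to that size; dropping
    larger ones is an assumption of this model).
    """
    if packet_len > JUMBO_FRAME_MAX:
        return "drop"
    if packet_len <= mtu:
        return "forward"
    return "fragment" if ip_version == 4 else "icmpv6-packet-too-big"


class FragmentReassembler:
    """Hypothetical model of the 'fragment chain' and 'fragment timeout' limits."""

    def __init__(self, max_chain: int = 48, timeout: int = 2) -> None:
        # fragment chain number: 1..1024, default 48
        if not 1 <= max_chain <= 1024:
            raise ValueError("fragment chain must be 1..1024")
        # fragment timeout: 1..60 seconds, default 2
        if not 1 <= timeout <= 60:
            raise ValueError("fragment timeout must be 1..60 seconds")
        self.max_chain = max_chain
        self.timeout = timeout
        # (src, dst, IP identification) -> {"first": arrival of first fragment,
        #   "frags": [(offset, length)], "total": datagram length once known}
        self.chains: Dict[Tuple[str, str, int], dict] = {}
        self.stats = {"drop-timeout": 0, "drop-chain": 0, "reassembled": 0}

    def _expire(self, now: float) -> None:
        """Drop datagrams whose fragments did not all arrive within the timeout."""
        expired = [k for k, c in self.chains.items() if c["first"] + self.timeout <= now]
        for k in expired:
            del self.chains[k]
            self.stats["drop-timeout"] += 1

    @staticmethod
    def _complete(frags: List[Tuple[int, int]], total: int) -> bool:
        """True when the fragments cover bytes 0..total without a gap."""
        end = 0
        for offset, length in sorted(frags):
            if offset > end:
                return False
            end = max(end, offset + length)
        return end >= total

    def receive(self, src: str, dst: str, ip_id: int, offset: int, length: int,
                more_fragments: bool, now: float) -> str:
        """Process one fragment; offsets are in bytes for readability."""
        self._expire(now)
        key = (src, dst, ip_id)
        chain = self.chains.setdefault(key, {"first": now, "frags": [], "total": None})
        chain["frags"].append((offset, length))
        if len(chain["frags"]) > self.max_chain:
            # More fragments than "fragment chain" allows: the whole datagram is dropped.
            del self.chains[key]
            self.stats["drop-chain"] += 1
            return "drop-too-many-fragments"
        if not more_fragments:
            chain["total"] = offset + length   # last fragment fixes the datagram length
        if chain["total"] is not None and self._complete(chain["frags"], chain["total"]):
            del self.chains[key]
            self.stats["reassembled"] += 1
            return "reassembled"
        return "waiting"
```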

Session Information
You can perform the following actions on the session information:

• Show session information

• Clear session information

• Delay deleting sessions

Showing Session Information

In any mode, use the following commands to show the session information in the system:
show session [generic | h323]

• generic – Shows the overview of the session information.

• h323 – Shows the H323 session information.

show session [id number [end-id]] [src-ip A.B.C.D [netmask | wildcard]] [dst-ip A.B.C.D [netmask | wildcard]] [protocol protocol-number] [src-port port-number [port-number]] [dst-port port-number [port-number]] [src-mac src-mac-address] [dst-mac dst-mac-address] [src-zone zone-name] [dst-zone zone-name] [application name] [policy policy-id] [vrouter vrouter-name] [vsys vsys-name] [slot slot-number] [cpu cpu-number] [ipv4] [ipv6] [snat-rule id] [dnat-rule id] [bnat-rule id] [detail] [tcp-state-3handshake] [tcp-state-established] [tcp-state-closing]

• id number [end-id] – Shows the session information of the specified ID. To show the session information of a specified range of IDs, continue entering the end ID of the range.

• src-ip A.B.C.D – Shows the session information of the specified source IP address or specified range of IP addresses.

• dst-ip A.B.C.D – Shows the session information of the specified destination IP address or specified range of IP addresses.

• netmask | wildcard – Specifies the netmask or the wildcard mask.

• protocol-number – Shows the session information of the specified protocol number.

• src-port port-number [port-number] – Shows the session information of the specified source port.

• dst-port port-number [port-number] – Shows the session information of the specified destination port.

• src-mac src-mac-address – Shows the session information of the specified source MAC address.

• dst-mac dst-mac-address – Shows the session information of the specified destination MAC address.

• src-zone zone-name – Shows the session information of the specified source security zone.

• dst-zone zone-name – Shows the session information of the specified destination security zone.

• application name – Shows the session information of the specified application.

• policy policy-id – Shows the session information of the specified policy.

• vrouter vrouter-name – Shows the session information of the specified virtual router.

• vsys vsys-name – Shows the session information of the specified VSYS.

• slot slot-number – Shows the session information of the specified slot.

• cpu cpu-number – Shows the session information of the specified CPU.

• ipv4 – Shows the session information of the IPv4 protocol.

• ipv6 – Shows the session information of the IPv6 protocol.

• snat-rule id – Shows the session information of the specified SNAT rule.

• dnat-rule id – Shows the session information of the specified DNAT rule.

• bnat-rule id – Shows the session information of the specified BNAT rule.

• detail – Shows the detailed session information.

• tcp-state-3handshake – Shows the session information of the TCP three-way handshaking state.

• tcp-state-established – Shows the session information of the TCP connection in the ESTABLISHED state.

• tcp-state-closing – Shows the session information of the TCP connection in the terminated state.

Clearing Session Information

In any mode, use the following command to clear the session information in the system:
clear session [h323] [id number [end-id]] [src-ip A.B.C.D [netmask | wildcard]] [dst-ip A.B.C.D [netmask | wildcard]] [protocol protocol-number] [src-port port-number [port-number]] [dst-port port-number [port-number]] [vrouter vrouter-name] [vsys vsys-name] [slot slot-number] [cpu cpu-number] [ipv4] [ipv6] [detail]

• h323 – Clears the H323 session information.

• id number [end-id] – Clears the session information of the specified ID. To clear the session information of a specified range of IDs, continue entering the end ID of the range.

• src-ip A.B.C.D – Clears the session information of the specified source IP address or specified range of IP addresses.

• dst-ip A.B.C.D – Clears the session information of the specified destination IP address or specified range of IP addresses.

• netmask | wildcard – Specifies the netmask or the wildcard mask.

• protocol-number – Clears the session information of the specified protocol number.

• src-port port-number [port-number] – Clears the session information of the specified source port.

• dst-port port-number [port-number] – Clears the session information of the specified destination port.

• vrouter vrouter-name – Clears the session information of the specified virtual router.

• vsys vsys-name – Clears the session information of the specified VSYS.

• slot slot-number – Clears the session information of the specified slot.

• cpu cpu-number – Clears the session information of the specified CPU.

• ipv4 – Clears the session information of the IPv4 protocol.

• ipv6 – Clears the session information of the IPv6 protocol.

• detail – Clears the detailed session information.

Delay Deleting Session

The system provides the function of delaying the deletion of sessions: when the device receives FIN/RST packets, it deletes the related sessions only after the specified time has elapsed, rather than immediately. If the user's server ends sessions only after receiving the second FIN/RST packet, delaying the deletion lets the second FIN/RST packet match the session, reach the user's server, and end the related session, which helps avoid an abnormal increase of sessions on the user's server.

Enable delaying deleting session

By default, this function is enabled and the time before sessions are deleted is 2 seconds.
In the flow mode, use the following command to enable delayed session deletion and specify the time before sessions are deleted:
tcp-session-close-wait [timeout-value]

• timeout-value – Specifies the time before sessions are deleted. The default value is 2 seconds. The value range is 1 to 30 seconds.

In the flow mode, use the negative form of the above command to disable delayed session deletion, as below. When this function is disabled, the device deletes sessions immediately after receiving FIN/RST packets.
no tcp-session-close-wait

Show the state of the function of delaying deleting session

In the execution mode, use the following command to show the state of the function of delaying
deleting session (if the state is "enabled", the time before sessions are deleted will also be shown):
show flow tcp-session-close-wait
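
The three TCP flow settings discussed above (tcp-syn-bit-check, tcp-out-of-state-syn-drop and tcp-session-close-wait), combined in one added model that is not StoneOS code: it shows how a non-SYN first packet, a SYN that reuses a five-tuple during the delay-deleting time, and the second FIN/RST packet are handled under each setting. The class and method names, the return labels, the behaviour with the SYN bit check disabled and the sample five-tuple are assumptions constructed for this example.

```python
from typing import Dict, Optional, Tuple

# 5-tuple: (src-ip, dst-ip, src-port, dst-port, protocol-number)
FiveTuple = Tuple[str, str, int, int, int]


def reverse(t: FiveTuple) -> FiveTuple:
    """5-tuple of the reverse direction of a flow."""
    return (t[1], t[0], t[3], t[2], t[4])


class TcpSessionTable:
    """Hypothetical model of StoneOS TCP session handling (not vendor code)."""

    def __init__(self, syn_bit_check: Optional[str] = None,
                 out_of_state_syn_drop: bool = False,
                 close_wait: Optional[int] = 2) -> None:
        # tcp-syn-bit-check {drop | reset}; None models "no tcp-syn-bit-check",
        # the default.
        if syn_bit_check not in (None, "drop", "reset"):
            raise ValueError("syn_bit_check must be None, 'drop' or 'reset'")
        # tcp-session-close-wait [1..30] seconds, default 2; None models
        # "no tcp-session-close-wait".
        if close_wait is not None and not 1 <= close_wait <= 30:
            raise ValueError("close_wait must be 1..30 seconds")
        self.syn_bit_check = syn_bit_check
        self.syn_drop = out_of_state_syn_drop      # tcp-out-of-state-syn-drop
        self.close_wait = close_wait
        # session key -> scheduled deletion time (None while the session is open)
        self.sessions: Dict[FiveTuple, Optional[float]] = {}

    def _expire(self, now: float) -> None:
        """Delete sessions whose delay-deleting time has elapsed."""
        self.sessions = {k: d for k, d in self.sessions.items()
                         if d is None or d > now}

    def _lookup(self, pkt: FiveTuple) -> Optional[FiveTuple]:
        """Find the session a packet belongs to, in either direction."""
        for key in (pkt, reverse(pkt)):
            if key in self.sessions:
                return key
        return None

    def handle(self, pkt: FiveTuple, flags: str, now: float) -> str:
        """Process one packet; flags is a string of TCP flag letters ("S", "FA", "R")."""
        self._expire(now)
        key = self._lookup(pkt)
        if key is None:
            # No session yet: this is the first packet of a connection.
            if "S" in flags:
                self.sessions[pkt] = None
                return "create"
            # TCP SYN packet check decides what happens to a non-SYN first packet.
            if self.syn_bit_check == "drop":
                return "drop-non-syn"
            if self.syn_bit_check == "reset":
                return "reset-non-syn"          # dropped and RST sent to the peer
            # Assumption: with the check disabled the packet is handled normally.
            self.sessions[pkt] = None
            return "create-from-non-syn"
        deadline = self.sessions[key]
        if deadline is not None:
            # The session is in its delay-deleting time.
            if "S" in flags:
                if self.syn_drop:
                    return "drop-syn-in-close-wait"
                # Without the drop, the SYN matches the dying session and the
                # new connection's packets are lost once it is deleted.
                return "forward-to-closing-session"
            if "F" in flags or "R" in flags:
                return "forward-second-fin-rst"  # reaches the server as intended
            return "forward"
        if "F" in flags or "R" in flags:
            if self.close_wait is None:
                del self.sessions[key]
                return "forward-and-delete"
            self.sessions[key] = now + self.close_wait
            return "forward-delay-delete"
        return "forward"
```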

RTO Query Optimization


The RTO query optimization includes the following functions:

• Enabling/Disabling RTO query optimization

• Displaying the state of RTO query optimization

Enabling/Disabling RTO Query Optimization

By default, the process by which some devices (SG-6000-X7180/SG-6000-X9180/SG-6000-X10800/SG-6000-K9180) select modules to create new sessions is as follows:

1. Based on the configuration of the session distribution mode (configured with the session-schedule-mode command in the flow configuration mode), the IOM modules select an SSM module to create new sessions;

2. During the process of creating sessions, the system again creates new sessions on the corresponding SSM modules according to the ALG or Full-cone NAT service.

When selecting SSM modules again to create new sessions, the system performs a query on RTO. RTO (Real-time Object) refers to the information dynamically created by data packets during processing, such as the Pinhole information, the Full-cone NAT table entries and the application identification cache tables.
To improve system performance, the user can enable the RTO query optimization. When the user disables Full-cone NAT or the Full-cone NAT service is not part of the user's scenario, the system does not perform the RTO query on HTTP new session traffic (TCP 80/8080) and does not select SSM modules again.
By default, RTO query optimization is disabled. To enable or disable this function, in the flow configuration mode, use the following command:

• Enable: rto-query-optimization enable

• Disable: no rto-query-optimization enable

Displaying the State of RTO Query Optimization

To display the state of RTO query optimization, in any mode, use the following command:
show flow rto-query-optimization

Low Latency Mode

The system can shorten latency by adjusting its internal packet send and receive parameters.
To enable the low latency mode, in the flow configuration mode, use the following command:
low-latency-mode
To disable the low latency mode, in the flow configuration mode, use the following command:
no low-latency-mode

Notes: After enabling the low-latency mode, the throughput of device may be
reduced.

To show if the low latency mode is enabled, in any mode, use the following commands:
show flow low-latency-mode

Zone

Overview
In StoneOS, a zone is a logical entity. One or more interfaces can be bound to one zone. A zone with a policy applied is known as a security zone, while a zone created for a specific function is known as a functional zone. Zones have the following features:

l An interface should be bound to a zone. A Layer 2 zone is bound to a VSwitch, while a Layer
3 zone is bound to a VRouter. Therefore, the VSwitch of a Layer 2 zone is the VSwitch of the
interfaces in that zone, and the VRouter of a Layer 3 zone is the VRouter of the interfaces in
that zone.

l Layer 2 interfaces work in Layer 2 mode and Layer 3 interfaces work in Layer 3 mode.

l StoneOS supports internal zone policies, like trust-to-trust policy rule.

Predefined Security Zone

There are 9 predefined security zones in StoneOS, which are trust, untrust, dmz, L2-trust, L2-
untrust, L2-dmz, mgt, vpnhub (VPN functional zone) and ha (HA functional zone). You can also
customize security zones. Actually predefined security zones and user-defined security zones
make no difference in functions, and you can use them as needed.

Configuring a Security Zone


You can perform the following operations to a security zone:

l Viewing the zone information

l Creating a zone

l Specifying the description

l Binding a Layer 2 zone to VSwitch

l Binding a Layer 3 zone to VRouter

Viewing the Zone Information

To view the zone information, in any mode, use the following command:
show zone [zone-name]

l zone-name – Specifies the zone name to view its information.

Creating a Zone

Unless it is specified as a Layer 2 zone, a new zone is a Layer 3 zone by default. To create a zone, in the global configuration mode, use the following command:
zone zone-name [l2 | tap]

l zone-name - Specifies a name for the zone.

l l2 – Specifies the zone as a Layer 2 zone.

l tap – Specifies the zone as a Tap zone. A Tap zone is a functional zone in Bypass mode.

If the specified zone name exists, the system will directly enter the zone configuration mode.
To delete an existing zone, in the global configuration mode, use the command
no zone zone-name [l2].

Notes: The predefined zones cannot be deleted.

Specifying the Description

To specify the description for a specific zone, use the following command in the zone con-
figuration mode:
description description

l description – Specifies the description of the zone.

To delete the description of the zone, use the command no description.

Binding a Layer 3 Zone to a VRouter

If a Layer 3 zone is bound to a VRouter, all the interfaces in that zone are bound to this VRouter.
All the Layer 3 zones are bound to trust-vr by default. To assign a different VRouter to a layer-3
zone, in the zone configuration mode, use the following command:
vrouter vrouter-name

l vrouter-name – Specifies the name of the VRouter to which the Layer 3 zone is bound.

To restore to the default zone-trust-vr binding setting, in the zone configuration mode, use com-
mand no vrouter.

Notes: Before changing the VRouter of a zone, make sure there is no binding inter-
face in that zone.

Binding a Layer 2 Zone to a VSwitch

If a Layer 2 zone is bound to a VSwitch, all the interfaces in that zone are bound to this VSwitch.
All the Layer 2 zones are bound to VSwitch1 by default. To assign a different VSwitch to a Layer
2 zone, in the zone configuration mode, use the following command:
bind vswitch-name

l vswitch-name – Specifies the name of the VSwitch to which the Layer 2 zone is bound.

To restore the default zone-VSwitch1 binding setting, in the zone configuration mode, use the command no bind.

Notes: When changing the VSwitch to which a zone belongs, make sure there is no bound interface in the zone.

Configuration Example

The goal is to create VSwitch2 and a Layer 2 zone named zone1, then bind zone1 to VSwitch2, and bind ethernet0/2 to zone1. Use the following commands:

hostname(config)# vswitch vswitch2
hostname(config-vswitch)# exit
hostname(config)# zone zone1 l2
hostname(config-zone-zone1)# bind vswitch2
hostname(config-zone-zone1)# exit
hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# zone zone1
hostname(config-if-eth0/2)# exit
hostname(config)#

Interface

Overview
In StoneOS, an interface is the point where packets enter and leave the device. To allow data traffic to go through a zone, you must bind an interface to that zone, and if it is a Layer 3 zone, you must also assign an IP address to the interface. Moreover, to allow traffic forwarding among interfaces of different zones, a policy must be applied. A zone can be bound to more than one interface, but an interface can only be bound to one zone.

Interface Types
Hillstone products provide a variety of interface types. According to the nature of interface, the
interfaces consist of physical interface and logical interface.

l Physical interface: Every Ethernet port on the device is a physical interface. The name of phys-
ical interface is predefined, consisting of port type, slot number and port number, e.g. eth-
ernet2/1 or ethernet0/2.

l Logical interface: Logical interface includes BGroup interface, sub-interface, VSwitch inter-
face, Vlan interface, loopback interface, tunnel interface, aggregate interface, Super-VLAN
interface and redundant interface.

According to the binding zone, the interfaces can also be categorized into Layer 2 interface and
Layer 3 interface.

l Layer 2 interface: an interface which belongs to a Layer 2 zone, a BGroup or a VLAN.

l Layer 3 interface: an interface which belongs to a Layer 3 zone. Only Layer 3 interface is able
to work in NAT/Route mode.

Different interface types have different functions. The table below describes all logical interfaces.

Type: Description

Sub-interface: The naming rule of a sub-interface is to add an extension number to the name of its source interface, e.g. ethernet0/2.1. StoneOS supports the following types of sub-interface: Ethernet sub-interface, aggregate sub-interface, PPPoE sub-interface and redundant sub-interface. An interface and its sub-interface can be bound to the same zone or to different zones.

VSwitch interface: A VSwitch interface is a Layer 3 interface. It is an assembled interface of all interfaces in the VSwitch. The VSwitch interface actually works as the upstream port of a switch, and it allows packets to be forwarded between Layer 2 and Layer 3.

VLAN interface: A VLAN interface is a Layer 3 interface, and it represents all Ethernet ports in the VLAN. If one of the VLAN Ethernet ports is in the UP status, the VLAN interface is up. The VLAN interface is the outgoing interface of all the devices in the VLAN. Normally, the IP address of the VLAN interface is the address of the gateway in the VLAN.

Loopback interface: A loopback interface is a logical interface. As long as the device to which the loopback interface belongs is in the working status, the loopback interface is in the working status. Therefore, a loopback interface is usually stable.

Tunnel interface: A tunnel interface is the ingress port of a VPN tunnel. Data flow enters and leaves the VPN tunnel by going through the tunnel interface. A tunnel interface must be a Layer 3 interface.

Aggregate interface: An aggregate interface is an assembly of 1 to 16 physical interfaces. The physical interfaces equally share the data flow that passes through the aggregate interface. Therefore, the aggregate interface can increase the available bandwidth for one IP address. If one of the physical interfaces malfunctions, the other physical interfaces carry on processing the data flow, only with a smaller available bandwidth.

Redundant interface: A redundant interface refers to the binding of two physical interfaces. One physical interface works as the master interface and processes the data flow, and the alternative interface stands by. The alternative interface takes over processing the data flow when the master interface fails to function.

PPPoE interface: A logical interface based on an Ethernet interface that allows connection to PPPoE servers over the PPPoE protocol.

Virtual forward interface: In an HA environment, the virtual forward interface is the HA group's interface designed for traffic transmission.

Interface Dependency
Some types of the interfaces are related to each other. The following figure illustrates the rela-
tionship of aggregate interface and its sub-interfaces and the relationship of redundant interface
and its sub-interfaces. The following figure illustrates the relationship of VSwitch interface and
other Layer 2 interfaces. The dotted line in the figures indicates that there can be more interfaces.

As shown in the above figure, a redundant interface (Red IF) is a binding interface of two physical
interfaces (PHY IF) and it allows redundant sub-interfaces (Red SubIF) to be created. An aggreg-
ate interface (Agg IF) is a binding interface of up to 16 physical interfaces and it also allows aggreg-
ate sub-interfaces (Agg SubIF).

As shown in the above figure, a VSwitch interface represents all physical and logical interfaces in
that VSwitch. Packets can be transferred in Layer 2 and Layer 3 by going through the VSwitch
interface (VSwitch IF).

Viewing Interface Information


You can view the interface information in the interface list which shows all physical interfaces and
other types of interfaces as long as they have been created and defined, including sub-interfaces,
redundant interfaces, aggregate interfaces, BGroup interfaces and tunnel interfaces.

Viewing All Interfaces

To view all interfaces using the CLI, use the command show interface. The interface list will dis-
play the information by categories.

Item: Description

Interface name: Shows the name of the interface.

IP address/mask: Shows the IP address of the interface.

Zone name: Shows the zone the interface is bound to.

Vsys: Shows the VSYS name of the interface.

H (Physical state): Shows the physical availability state of the interface: U: up, D: down, K: ha keep up, C: lacp down.

A (Admin state): Shows the administrative availability state of the interface: U: up, D: down, C: lacp down.

L (Link state): Shows the link availability state of the interface: U: up, D: down, K: ha keep up, C: lacp down.

P (Protocol state): Shows the protocol availability state of the interface: U: up, D: down, K: ha keep up, C: lacp down.

MAC address: Shows the interface MAC address.

Description: Shows the interface description.

The following description explains the meaning of the H, A, L and P states; the possible values are U: up, D: down, K: ha keep up, C: lacp down:

l H (Physical state): the physical connectivity state of the interface. The UP state indicates that the interface is physically connected, while the DOWN state means otherwise. In HA mode, the ha keep up state indicates that the HA interface is kept connected.

l A (Admin state): the manageability state of the interface. To enable an interface, use the command no shutdown; to disable an interface, use the command shutdown. If an interface's A state is UP, it is a manageable interface; the DOWN state means otherwise.

l L (Link state): the link state of the interface. The link state depends on the H and A states: if both H and A are UP, the L state is UP. In HA mode, the ha keep up state indicates that the HA interface is kept connected.

l P (Protocol state): the protocol state of the interface. When the L state is UP and the interface has been allocated an IP address, the P state is UP. In HA mode, the ha keep up state indicates that the HA interface is kept connected.
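As an added example (not from the guide or from StoneOS itself), the Python block below encodes the H/A/L/P rules just described and runs them over a few constructed interface records, flagging an addressed interface that is bound to no zone and an interface that is admin up but physically down. The InterfaceRecord layout is an assumption of this example, not the device's actual show interface output.

```python
"""Cross-check StoneOS interface states (added example; not from the guide).

Rules implemented, as stated in the guide:
  - L (link) is U only when H (physical) and A (admin) are both U.
  - P (protocol) is U only when L is U and the interface has an IP address.
  - K (ha keep up) on an HA interface carries through from H to L and P.
The C (lacp down) value is reported unchanged because the guide gives no
derivation rule for it.  InterfaceRecord is a constructed simplification,
not the device's real `show interface` output.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UP, DOWN, KEEP = "U", "D", "K"


@dataclass
class InterfaceRecord:
    name: str
    ip: Optional[str]      # e.g. "1.1.1.1/24"; None when no address is assigned
    zone: Optional[str]    # None when the interface is bound to no zone
    h: str                 # H state as reported by the device
    a: str                 # A state as reported by the device


def derive_link_state(h: str, a: str) -> str:
    """L from H and A: U only when both are U; K carries through from H."""
    if a == DOWN:
        return DOWN            # shutdown overrides whatever the cable reports
    if a != UP:
        return a               # no rule given for other codes (e.g. C): pass through
    return h                   # admin up: L follows H (U, D, K; C passed through)


def derive_protocol_state(link: str, has_ip: bool) -> str:
    """P is U only when L is U and an address is assigned; K carries through."""
    if link == UP:
        return UP if has_ip else DOWN
    return link                # D stays D, K stays K, other codes pass through


def derive_states(rec: InterfaceRecord) -> Tuple[str, str]:
    """Return the (L, P) pair the guide's rules predict for one record."""
    link = derive_link_state(rec.h, rec.a)
    return link, derive_protocol_state(link, rec.ip is not None)


def audit(records: List[InterfaceRecord]) -> List[Tuple[str, str]]:
    """Flag records that break a rule from the guide or deserve an operator's
    attention.  Returns (interface, finding) pairs in input order."""
    findings = []
    for rec in records:
        if rec.ip is not None and rec.zone is None:
            # Guide: to have an IP address, the interface must be bound to a zone.
            findings.append((rec.name, "addressed but not bound to any zone"))
        if rec.a == UP and rec.h == DOWN:
            findings.append((rec.name, "admin up but physically down"))
    return findings


# Constructed sample records for illustration only.
SAMPLE = [
    InterfaceRecord("ethernet0/0", "1.1.1.1/24", "trust", UP, UP),
    InterfaceRecord("ethernet0/1", None, "untrust", DOWN, UP),
    InterfaceRecord("ethernet0/2", "10.0.0.1/24", None, UP, UP),
    InterfaceRecord("ethernet0/3", "10.0.1.1/24", "ha", KEEP, UP),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        link, proto = derive_states(rec)
        print(f"{rec.name:12} H={rec.h} A={rec.a} -> L={link} P={proto}")
    for name, finding in audit(SAMPLE):
        print(f"finding: {name}: {finding}")
```

Comparing the derived L and P columns against what the device actually reports is a quick way to spot an interface whose states are stale or whose configuration was applied in the wrong order.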

Here is an example of the show interface command:

Viewing a Specific Interface

To view the information about a specific interface, type the interface name after the command
show interface, i.e. show interface interface-name. Figure below gives an example of the com-
mand show interface ethernet0/0.

Configuring an Interface
To configure an interface, you need to enter into one of the seven interface modes below as
needed:

l Route mode: Interface in router mode is a Layer 3 interface bound to a Layer 3 zone.

l VSwitch mode: Interface in VSwitch mode is a Layer 2 interface bound to a Layer 2 zone.

l VLAN mode: Interface in VLAN mode is a Layer 2 interface bound to a Layer 2 zone.

l Super-VLAN mode: Interface in super-VLAN mode is a Layer 2 interface bound to a Layer 2 zone.

l Aggregate mode: Interface in aggregate mode belongs to an aggregate interface and cannot be
bound to any zone.

l Redundant mode: Interface in redundant mode belongs to a redundant interface and cannot be
bound to any zone.

l BGroup mode: Interface in BGroup mode belongs to a BGroup interface and cannot be
bound to any zone.

l Tunnel mode: Interface in tunnel mode is a Layer 3 interface bound to a Layer 3 zone.

This section introduces the basic interface configuration and operation, including:

l Binding an interface to a zone

l Configuring an interface IP address

l Configuring an interface MTU value

l Configuring interface force shutdown

l Specifying the Track Object

l Configuring interface ARP timeout

l Configuring an interface protocol

l Configuring interface proxy ARP

l Configuring interface mirroring

l Configuring traffic mirroring

l Configuring an interface reverse route

l Configuring interface backup

l Configuring a loopback interface

l Configuring an Ethernet interface

l Configuring a VSwitch interface

l Configuring a VLAN interface

l Configuring a super-VLAN interface

l Configuring an aggregate interface

l Configuring a redundant interface

l Configuring a tunnel interface

l Configuring a PPPoE sub-interface

l Bypassing the device

l Configuring an Out-of-band Management Interface

l Configuring the keepalive function of interface

l Disabling Recording Interface IP Address Conflict Log Triggered by DAD Mode ARP
Packets

Binding an Interface to a Zone

A physical interface can be bound to an existing Layer 2 or Layer 3 zone. To bind the interface to
a zone, in the interface configuration mode, use the following command:
zone zone-name

To unbind the interface from a zone, use the command no zone. Before unbinding a Layer 3 inter-
face, you need to clear the IP address of the interface first.

Notes: When binding an interface to a zone, note that:

l To make the interface work in Layer 2, you need to bind the interface to a
Layer 2 zone.

l To change a Layer 2 interface to a Layer 3 interface, you need to clear the IP address of that interface first.

Specifying the Description

To specify the description of the interface, use the following command in the interface con-
figuration mode:
description description

l description – Specifies the description of the interface.

To delete the description, use the command no description in the interface configuration mode.

Configuring an Interface IP Address

The IP addresses of interfaces on a device must belong to different subnets. You can assign a
static IP address to the interface, or use DHCP or PPPoE for the interface to get a dynamic
address.
To configure the IP address for an interface, in the interface configuration mode, use the fol-
lowing command:
ip address {ip-address/mask | dhcp [setroute] | pppoe [setroute]}

l ip-address/mask – Specifies the static IP address for the interface.

l dhcp [setroute] – Specifies the IP address which is allocated by DHCP. If setroute is con-
figured, the system will set the gateway address provided by DHCP server as the default gate-
way route.

l pppoe [setroute] – Specifies the IP address which is allocated by PPPoE. If setroute is con-
figured, the system will set the gateway address provided by PPPoE server as the default gate-
way route.

Here is an example of IP address configuration. To assign IP address 1.1.1.1 to interface ethernet0/0, use the following commands:

Enter the interface ethernet0/0 configuration mode:

hostname(config)# interface ethernet0/0

Configure the primary IP address for ethernet0/0:

hostname(config-if-eth0/0)# ip address 1.1.1.1/24

Exit the interface ethernet0/0 configuration mode:

hostname(config-if-eth0/0)# exit

Pay attention to the following two points:

l StoneOS supports two styles of subnet mask, i.e. 1.1.1.1/24 can also be represented as
1.1.1.1 255.255.255.0.

l To have an IP address, the interface must be bound to a zone.

To clear the IP address of an interface, use the command no ip address [ip-address/mask | dhcp |
pppoe].

Configuring Interface Secondary IP

A static IP address can have up to ten secondary IP addresses.

To assign a secondary IP address to an interface, in the interface configuration mode, use the following command:
ip address ip-address/mask secondary

l ip-address/mask – Specifies the secondary IP address.

To clear the secondary IP address, use the command no ip address ip-address/mask secondary. If
you want to delete the IP address of a primary interface, you need to clear its secondary IP
addresses first.

Notes: The secondary IP address of the configured interface and the current IP
address of the interface must be in different network segments.
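The addressing constraints stated in this and the previous section (interface addresses on one device in different subnets, a secondary address in a different segment from the primary, a zone bound before any address, at most ten secondary addresses) can be checked before the commands are typed in. The Python block below is an added example, not code from the guide or from Hillstone; it validates a constructed addressing plan with the standard ipaddress module and renders the guide's interface commands in a safe order (zone binding first). All interface names, zones and addresses are constructed for illustration.

```python
"""Validate an interface IP plan before typing it into the CLI (added example).

Checks the constraints stated in the guide:
  - interface addresses on one device must belong to different subnets;
  - a secondary address must be in a different segment from the primary;
  - an interface must be bound to a zone before it can have an IP address;
  - a static address may carry at most ten secondary addresses.
All interface names, zones and addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

MAX_SECONDARY = 10   # limit stated in the guide


@dataclass
class InterfaceAddressing:
    name: str
    zone: Optional[str]                 # None: not bound to any zone
    primary: Optional[str] = None       # "1.1.1.1/24" form; None for no address
    secondaries: List[str] = field(default_factory=list)


def network_of(cidr: str):
    """Subnet an interface address belongs to (host bits stripped)."""
    return ipaddress.ip_interface(cidr).network


def validate_addressing(interfaces: List[InterfaceAddressing]) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    accepted = []   # (interface name, network) for every address checked so far
    for itf in interfaces:
        addrs = ([itf.primary] if itf.primary else []) + list(itf.secondaries)
        if addrs and itf.zone is None:
            problems.append(f"{itf.name}: has addresses but is not bound to a zone")
        if itf.secondaries and not itf.primary:
            problems.append(f"{itf.name}: secondary addresses need a primary address")
        if len(itf.secondaries) > MAX_SECONDARY:
            problems.append(f"{itf.name}: {len(itf.secondaries)} secondary addresses "
                            f"exceed the limit of {MAX_SECONDARY}")
        for cidr in addrs:
            net = network_of(cidr)
            for other_name, other_net in accepted:
                if net.overlaps(other_net):
                    where = "same interface" if other_name == itf.name else other_name
                    problems.append(f"{itf.name}: {cidr} overlaps {other_net} ({where})")
            accepted.append((itf.name, net))
    return problems


def render_cli(itf: InterfaceAddressing) -> List[str]:
    """Emit the guide's commands in a safe order: zone binding before addressing."""
    lines = [f"interface {itf.name}"]
    if itf.zone:
        lines.append(f"  zone {itf.zone}")
    if itf.primary:
        lines.append(f"  ip address {itf.primary}")
    for cidr in itf.secondaries:
        lines.append(f"  ip address {cidr} secondary")
    lines.append("  exit")
    return lines


# Constructed plan: one consistent interface and three deliberate mistakes.
PLAN = [
    InterfaceAddressing("ethernet0/0", "trust", "192.0.2.1/24", ["198.51.100.1/24"]),
    InterfaceAddressing("ethernet0/1", "untrust", "192.0.2.129/25"),             # overlaps ethernet0/0
    InterfaceAddressing("ethernet0/2", None, "203.0.113.1/24"),                  # no zone bound
    InterfaceAddressing("ethernet0/3", "dmz", "10.10.0.1/24", ["10.10.0.2/24"]),  # secondary in same segment
]

if __name__ == "__main__":
    for problem in validate_addressing(PLAN):
        print("problem:", problem)
    print("\n".join(render_cli(PLAN[0])))
```

Running the validator over the whole plan rather than one interface at a time is what catches the cross-interface overlap, which the device would otherwise reject only when the second address is entered.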

Configuring an Interface MTU Value

To set the Maximum Transmission Unit (MTU) value, in the interface configuration mode, use
the following command:
ip mtu value

l value - Specifies the MTU value. The default MTU value is 1500 bytes. The range is 1280
bytes to 1800/2000 bytes (The max MTU may vary on different platforms. ). If the Jumbo
Frame function is enabled, the MTU value range is changed to 1280 bytes to 9300 bytes and
the default MTU value is 1500 bytes. For more information about the Jumbo Frame function,
see Jumbo Frame.

To restore to the default value, use the command no ip mtu.

Configuring Interface Force Shutdown

You can not only enforce to shut down a specific interface, but also control the time of shutdown
by schedule, or control the shutdown according to the link status of tracked objects.
To shutdown an interface via CLI, in the interface configuration mode, use the following com-
mand:
shutdown [track track-object] [schedule schedule-name]

l shutdown – Shut down the interface immediately.

l track track-object – Specifies the name of tracked object. If this parameter is specified, the
interface will shut down when the track object fails to work. For information on the tracked
object, see Configuring a Track Object of System Management.

l schedule schedule-name – Specifies a schedule. If this parameter is specified, the interface will remain shut during the schedule time. For information on the time schedule, see Creating a Schedule of System Management.

To cancel force shut-down and clear all previous shutdown settings, use the command no shut-
down.

Specifying the Track Object

The track object is used to monitor the working status of the interface. When the interface cannot
work normally, the system will take the corresponding action. To specify the track object, in the
interface configuration mode, use the following command:
monitor track track-object-name

l track-object-name – Specifies the name of the track object configured in the system.

To cancel the track object, in the interface configuration mode, use no monitor command.

Configuring Interface ARP Timeout

By default, the interface ARP timeout value is 1200 seconds. This can be changed within the
range from 5 to 65535 seconds when necessary.
To change the ARP timeout value, in interface configuration mode, use the following command:
arp timeout value

To restore to the default value, use the command no arp timeout.

Configuring an Interface Protocol

To manage and configure devices through an interface using SSH, Telnet, Ping, SNMP, HTTP,
HTTPS, FTP, Traceroute, or NETCONF, you need to enable the corresponding protocol first.
To enable a protocol above, in the interface configuration mode, use the following command:
manage {ssh | telnet | ping | snmp | http | https | ftp | traceroute | netconf}

l ssh - Enables the SSH protocol on the interface.

l telnet - Enables the Telnet protocol on the interface.

l ping - Enables the Ping protocol on the interface.

l snmp - Enables the SNMP protocol on the interface.

l http - Enables the HTTP protocol on the interface.

l https - Enables the HTTPS protocol on the interface.

l ftp - Enables FTP protocol on the interface.

l traceroute - Enables Traceroute service of UDP on the interface. When enabled, the device
can be tracked by other vendors' devices via the traceroute command.

l netconf - Enables the NETCONF protocol on the interface.

To disable a protocol, use the corresponding command no manage {ssh | telnet | ping | snmp | http | https | ftp | traceroute}.
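The manage command decides which services answer on each interface, so reviewing it zone by zone is a useful least-privilege check on the management plane. The following Python block is an added example, not code from the guide or from Hillstone: it parses a constructed configuration excerpt using only the commands in this guide (interface, zone, manage, no manage, exit), flags cleartext protocols (telnet, http, ftp) anywhere and any management service other than ping on an interface in an untrust zone, and emits the matching no manage commands for review. Which zones count as untrusted and the flagging policy itself are assumptions of the example.

```python
"""Audit which management protocols are enabled on which interfaces (added example).

Parses a constructed StoneOS-style configuration excerpt using only the commands
described in this guide (interface, zone, manage / no manage, exit), then flags
cleartext management protocols anywhere and any management service other than
ping on an interface in an untrust zone.  The zone names treated as untrusted
and the flagging policy are assumptions of this example, not rules from the guide.
"""
from typing import Dict, List, Tuple

CLEARTEXT = {"telnet", "http", "ftp"}            # credentials cross the wire unencrypted
UNTRUSTED_ZONES = {"untrust", "l2-untrust"}      # predefined zones named in the guide
Finding = Tuple[str, str, str, str]              # (interface, protocol, reason, fix command)


def parse_interfaces(config_text: str) -> Dict[str, dict]:
    """Collect the zone and the enabled management protocols of each interface block."""
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "interface" and len(words) == 2:
            current = words[1]
            interfaces.setdefault(current, {"zone": None, "manage": set()})
        elif current is None:
            continue                                  # global-mode lines are ignored
        elif words == ["exit"]:
            current = None
        elif words[0] == "zone" and len(words) == 2:
            interfaces[current]["zone"] = words[1]
        elif words[0] == "manage" and len(words) == 2:
            interfaces[current]["manage"].add(words[1])
        elif words[:2] == ["no", "manage"] and len(words) == 3:
            interfaces[current]["manage"].discard(words[2])
    return interfaces


def audit_management(interfaces: Dict[str, dict]) -> List[Finding]:
    """Apply the (assumed) policy: no cleartext protocols anywhere, nothing but
    ping on an interface that sits in an untrust zone."""
    findings: List[Finding] = []
    for name, itf in interfaces.items():
        zone = (itf["zone"] or "").lower()
        for proto in sorted(itf["manage"]):
            if proto in CLEARTEXT:
                findings.append((name, proto, "cleartext management protocol", f"no manage {proto}"))
            elif zone in UNTRUSTED_ZONES and proto != "ping":
                findings.append((name, proto, f"management service exposed in zone {zone}", f"no manage {proto}"))
    return findings


def remediation_cli(findings: List[Finding]) -> List[str]:
    """Group the fixes into interface-mode command blocks ready for review."""
    per_interface: Dict[str, List[str]] = {}
    for name, _proto, _reason, fix in findings:
        per_interface.setdefault(name, []).append(fix)
    lines: List[str] = []
    for name, fixes in per_interface.items():
        lines.append(f"interface {name}")
        lines.extend(f"  {fix}" for fix in fixes)
        lines.append("  exit")
    return lines


# Constructed configuration excerpt (not a real device export).
SAMPLE_CONFIG = """\
interface ethernet0/0
  zone untrust
  ip address 203.0.113.2/24
  manage ssh
  manage telnet
  manage http
  manage ping
  exit
interface ethernet0/1
  zone trust
  ip address 192.0.2.1/24
  manage ssh
  manage https
  manage telnet
  no manage telnet
  exit
"""

if __name__ == "__main__":
    found = audit_management(parse_interfaces(SAMPLE_CONFIG))
    for name, proto, reason, fix in found:
        print(f"{name}: {proto}: {reason} -> {fix}")
    print("\n".join(remediation_cli(found)))
```

The parser honours a later no manage line cancelling an earlier manage line, so the audit reflects the effective state of the block rather than every command that was ever typed.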

Configuring FTP on the Interface

You can obtain log and configuration information via the FTP service on the interface. If the inter-
face is enabled with FTP, you can create an FTP user and modify the FTP port number.
To create an FTP user, in the global configuration mode, use the following command:
ftp user user-name password password

l user user-name – Specifies the username for FTP.

l password password – Specifies the password for FTP.

You can configure up to three FTP users. To cancel the FTP user configuration, in the global con-
figuration mode, use the command no ftp user user-name.
To modify the FTP port number, in the global configuration mode, use the following command:
ftp port number

l number – Specifies the FTP port number. The value range is 1 to 65535. The default value
is 21.

To restore to the default FTP settings, in the global configuration mode, use the command no ftp
port.
After the default FTP port is modified, if the client logs in in passive mode, you need to enable application identification for the security zone the interface belongs to. In the security zone configuration mode, use the command application-identify.
To view the FTP configuration, in any mode, use the following command:
show ftp {port | user}

l port – Shows the FTP port number.

l user – Shows the FTP username, password and login status.

Configuring Interface Mirroring

The Ethernet interface mirroring allows users to mirror the traffic of one interface to another inter-
face (analytic interface) for analysis and monitoring.
To configure an analytic interface, in the global configuration mode, use the following command:
mirror to interface-name

l interface-name – Specifies the name of the analytic interface. The analytic interface must
have no other configuration, such as binding to a zone.

To enable interface mirroring, in the interface configuration mode, use the following command:

mirror enable {both | rx | tx}

l both | rx | tx – Specifies traffic type to be mirrored. both indicates the ingress and egress
traffic, rx indicates the ingress traffic (traffic entering the interface), and tx indicates the egress
traffic (traffic exiting the interface). The default value is both.

To cancel the interface mirroring settings, in the interface configuration mode, use the command
no mirror.

Configuring Mirror Filter

The interface with mirroring configured will mirror all the traffic to the analytic interface. Under
heavy traffic, the mirroring might fail due to high load. To address this problem, the system is
designed with mirror filter that allows user to filter the traffic to be mirrored, thus reducing the
load.
The system supports the following filtering conditions:

l Source IP, source port

l Destination IP, destination port

l Protocol type

l Traffic direction (upstream/downstream)

To configure a mirror filter rule, in the global configuration mode, use the following command:
mirror filter interface interface-name {[src-ip address-entry] [src-port port-num] [dst-ip address-entry] [dst-port port-num] [proto {icmp | tcp | udp | protocol-number}] [direct {down | up}]}

l interface interface-name – Specifies the interface that enables mirror filter.

l src-ip address-entry – Specifies the source IP of the traffic. The system only mirrors traffic
originating from the IP address to the analytic interface.

l src-port port-num – Specifies the source port of the traffic. The value range is 1 to 65535.
The system only mirrors traffic originating from the port to the analytic interface.

l dst-ip address-entry – Specifies the destination IP of the traffic. The system only mirrors
traffic destined to the IP address to the analytic interface.

l dst-port port-num – Specifies the destination port of the traffic. The value range is 1 to
65535. The system only mirrors traffic destined to the port to the analytic interface.

l proto {icmp | tcp | udp| protocol-number } – Specifies the protocol type. The system will
only mirror traffic over the specified protocol to the analytic interface. You can specify the
protocol type directly, namely icmp, tcp and udp, or specify the protocol number in the range
of 1 to 255.

l direct {down | up} – Specifies the traffic direction. The system only mirrors the upstream
(up) or downstream (down) traffic to the analytic interface.

After creating a mirror filter rule by the above command, the system will assign a rule ID for the
new rule. To view the rule ID and related configuration information, in any mode, use the com-
mand show mirror filter.
To delete the specified mirror filter rule, in the global configuration mode, use the following com-
mand:
no mirror filter id id

l id id – Specifies the ID of the mirror filter rule to be deleted.

Notes:
l Not all platforms support mirror filter. Refer to the actual product for the
application of the function.

l NAT interfaces do not support mirror filter.

l The mirrored traffic should not exceed the workload of the analytic interface.

l The logical interfaces do not support the mirror filter.
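To make the matching semantics of a mirror filter rule concrete, and to see how much load a narrow rule saves compared with mirroring everything, here is an added Python example; it is not code from the guide or from Hillstone. A MirrorFilterRule carries the conditions of one mirror filter interface command and matches a constructed packet record only when every condition that is set agrees with it; it also validates the port and protocol-number ranges stated above and renders itself in the documented syntax. Two points are assumptions of this example: a CIDR stands in for the address-entry name the real command takes, and several rules on the same interface are treated as "mirror if any rule matches".

```python
"""Model mirror-filter matching and measure the load it saves (added example).

A MirrorFilterRule holds the conditions of one `mirror filter interface ...`
command; a constructed packet record matches when every condition that is set
agrees with it (unset conditions match anything).  Treating several rules on the
same interface as "mirror if any rule matches" is an assumption of this example,
as is using a CIDR in place of the address-entry name the real command takes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}   # IANA protocol numbers


@dataclass(frozen=True)
class MirrorFilterRule:
    interface: str
    src_ip: Optional[str] = None               # CIDR standing in for an address entry
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[Union[str, int]] = None    # "icmp"/"tcp"/"udp" or 1..255
    direct: Optional[str] = None               # "up" or "down"

    def __post_init__(self):
        # Ranges as documented: ports 1..65535, protocol numbers 1..255.
        for port in (self.src_port, self.dst_port):
            if port is not None and not 1 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
        if isinstance(self.proto, int) and not 1 <= self.proto <= 255:
            raise ValueError(f"protocol number out of range: {self.proto}")
        if isinstance(self.proto, str) and self.proto not in PROTO_NUMBERS:
            raise ValueError(f"unknown protocol keyword: {self.proto}")
        if self.direct not in (None, "up", "down"):
            raise ValueError(f"direction must be up or down: {self.direct}")

    def proto_number(self) -> Optional[int]:
        if isinstance(self.proto, str):
            return PROTO_NUMBERS[self.proto]
        return self.proto

    def matches(self, pkt: Dict) -> bool:
        """True when every configured condition agrees with the packet record."""
        def in_net(cidr: str, addr: str) -> bool:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)
        return all([
            self.src_ip is None or in_net(self.src_ip, pkt["src_ip"]),
            self.src_port is None or pkt["src_port"] == self.src_port,
            self.dst_ip is None or in_net(self.dst_ip, pkt["dst_ip"]),
            self.dst_port is None or pkt["dst_port"] == self.dst_port,
            self.proto is None or pkt["proto"] == self.proto_number(),
            self.direct is None or pkt["direct"] == self.direct,
        ])

    def to_cli(self) -> str:
        """Render the rule in the syntax the guide documents."""
        parts = [f"mirror filter interface {self.interface}"]
        for key, value in (("src-ip", self.src_ip), ("src-port", self.src_port),
                           ("dst-ip", self.dst_ip), ("dst-port", self.dst_port),
                           ("proto", self.proto), ("direct", self.direct)):
            if value is not None:
                parts.append(f"{key} {value}")
        return " ".join(parts)


def select_mirrored(rules: List[MirrorFilterRule], packets: List[Dict]) -> List[Dict]:
    """Packets that would reach the analytic interface under the given rules."""
    return [p for p in packets if any(r.matches(p) for r in rules)]


def mirrored_bytes(rules: List[MirrorFilterRule], packets: List[Dict]) -> Tuple[int, int]:
    """(bytes mirrored, total bytes) for the packet set."""
    return (sum(p["size"] for p in select_mirrored(rules, packets)),
            sum(p["size"] for p in packets))


# Constructed packet records seen on ethernet0/1 (not a capture).
SAMPLE_PACKETS = [
    dict(src_ip="192.0.2.10", src_port=51000, dst_ip="198.51.100.5", dst_port=443, proto=6, direct="up", size=1500),
    dict(src_ip="198.51.100.5", src_port=443, dst_ip="192.0.2.10", dst_port=51000, proto=6, direct="down", size=1400),
    dict(src_ip="192.0.2.11", src_port=40000, dst_ip="198.51.100.53", dst_port=53, proto=17, direct="up", size=90),
    dict(src_ip="192.0.2.10", src_port=0, dst_ip="198.51.100.5", dst_port=0, proto=1, direct="up", size=84),
]
RULES = [MirrorFilterRule("ethernet0/1", src_ip="192.0.2.0/24", dst_port=443, proto="tcp", direct="up")]

if __name__ == "__main__":
    print(RULES[0].to_cli())
    print("mirrored/total bytes:", mirrored_bytes(RULES, SAMPLE_PACKETS))
```

The byte ratio returned by mirrored_bytes is the figure to compare against the capacity of the analytic interface when deciding whether a rule is narrow enough to respect the third note above.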

Configuring Traffic Mirroring

Notes: After you configure a mirror profile, the data forwarding performance of the device will be affected. Exercise caution when you run this command. Since networking complexity varies between users, we recommend that you contact Hillstone technical engineers before you enable the function. If you have no requirement for it, or have finished fault location and debugging, disable the function as soon as possible.

By configuring a mirror profile in the device and binding it to a policy, StoneOS can achieve the
traffic mirroring function. This function can mirror the traffic that matches the specified policy to
the particular interface or IP address. Generally, configuring policy-based traffic mirroring, take
the following two steps:

1. Configure a mirror profile. The mirror profile defines the interface/IP address that the
traffic is mirrored to.

2. Bind the mirror profile to the policy.

Configuring a Mirror Profile

To configure a mirror profile, in the global configuration mode, use the following command to
enter the mirror profile configuration mode first.
mirror-profile mirror-profile-name

l mirror-profile-name - Enter the name of the mirror profile. After executing this command,
StoneOS will create a mirror profile and enter the mirror profile configuration mode. If the
entered name already exists, StoneOS will enter the mirror profile configuration mode. One
mirror profile can include four rules of the same type.

In the global configuration mode, use the following command to delete the specified mirror pro-
file:
no mirror-profile mirror-profile-name

In the mirror profile configuration mode, you can specify the action for the traffic that matched
the policy. If you want to mirror the traffic to the interface, you need to specify the destination

interface and the direction of the traffic; if you want to mirror the traffic to the IP address, you
need to specify the destination IP address, egress interface, next-hop address, and the direction of
the traffic.

Mirroring Traffic to an Interface

StoneOS can mirror traffic that matches the policy to the specified interface (including ethernet or
tunnel interface) . By default, bidirectional traffic that matches the policy will be mirrored to the
interface. Besides, you can filter the traffic based on the direction. You can specify a direction
option, including forward, backward, or bidirectional. Then the traffic of the specified direction
will be mirrored to the interface. In the mirror profile configuration mode, use the following com-
mand to specify the interface and configure the filter settings:
destination interface {interface-name | tunnel-interface [tunnel-gateway-ip]} [direction {forward | backward | bidirection}]

l interface-name - Specify the interface name. The traffic that matches the policy will be
mirrored to this interface.

l tunnel-interface [ tunnel-gateway-ip ]- Specify the destination tunnel interface name for the
mirrored traffic.Tunnel gateway IP (tunnel-gateway-ip) can also be specified as needed to dis-
tinguish between different GRE tunnels bound to the same tunnel interface.

l direction {forward | backward | bidirection} - Use forward to only mirror the forward traffic
to the specified interface; use backward to only mirror the backward traffic to the specified
interface. Use bidirection to mirror both forward traffic and backward traffic to the specified
interface.

To delete this rule, use the following command in the mirror profile configuration mode:
no destination interface interface-name

Mirroring Traffic to an IP Address

StoneOS can mirror traffic that matches the policy to the specified destination IP address. By
default, bidirectional traffic that matches the policy will be mirrored to the IP address. Besides,

you can filter the traffic based on the direction. You can specify a direction option, including for-
ward, backward, and bidirectional. Then the traffic of the specified direction will be mirrored to
the destination IP address. In the mirror profile configuration mode, use the following command
to specify the interface and configure the filter settings:
destination ip ip-address-1 interface-name [ip-address-2] [direction {forward | backward}]

l ip-address-1 – Specify the destination IP address. The traffic that matches the policy will be
mirrored to this IP address.

l interface-name – Specify the egress interface of the traffic that matches the policy.

l ip-address-2 – Specify the next-hop IP address. The traffic that matches the policy will be
forwarded to this IP address via the egress interface.

l direction {forward | backward} – Use forward to only mirror the forward traffic to the spe-
cified IP address; use backward to only mirror the backward traffic to the specified IP
address. Use bidirection to mirror both forward traffic and backward traffic to the specified IP
address.

To delete this rule, use the following command in the mirror profile configuration mode:
no destination ip ip-address

Binding a Mirror Profile to a Policy

After configuring a mirror profile, you need to bind it to a policy to make it take effect. To bind a mirror profile to a policy, use the following command in the policy configuration mode:
mirror profile-name

• profile-name - Specify the name of the mirror profile. This profile will be bound to the policy.

To cancel the binding settings, in the policy configuration mode, use the following command:
no mirror profile-name

Viewing Mirror Profile Information

To view the mirror profile information, use the following command in any mode:
show mirror-profile [mirror-profile-name]

• mirror-profile-name – Enter the mirror profile name. The information of this profile will be displayed. If no name is specified, the information of all mirror profiles will be displayed.

Interface Reverse Route

Reverse route is used for forwarding the reverse path data. A reverse path is in the opposite direction in relation to the initial data flow direction. It only works on Layer 3 interfaces.
To enable reverse route on an interface, use the following command:
reverse-route {force | prefer | direct-forward [per-packet]}

• force – Forces the use of the reverse route. If the reverse path is found, forward the reverse data by the reverse route; if not, drop the packet. By default, reverse route is forced on Layer 3 interfaces.

• prefer – Uses the reverse path in preference to other routes. If the reverse route is found, use it to forward data; if not, use the original return path (i.e. the current interface).

• direct-forward - Disables the reverse route. All the reverse data backtracks and no reverse route check is carried out.

• per-packet - Enables the per-packet check. When the reverse route is disabled and this parameter is specified, the per-packet check is enabled and the system checks the MAC information of the session for every packet. If the MAC information of the session is not consistent with the source MAC information of the forward data, the MAC information of the session will be modified according to the source MAC information of the forward data. By default, this function is disabled.

To disable the reverse route, use the command no reverse-route. All the reverse data backtracks and no reverse route check is carried out.

Notes: If the egress and ingress interfaces of the reverse route are not in the same
zone, packets will be discarded.

Configuring Interface Backup

If an interface is specified as a backup to another one, it will replace the primary interface and take over its traffic when the schedule takes effect or the track object fails, and it stops working when the configured condition expires, so that the traffic is processed by the primary interface again.
To specify an interface as the backup interface, in the interface configuration mode, use the following command:
backup-interface interface-name {schedule schedule-name [overlap-time time] | track track-object-name [schedule schedule-name [overlap-time time]]}

• interface-name – Specifies which interface is the backup interface.

• schedule-name – Specifies the schedule. During the specified schedule time period, data flow is directed to the backup interface.

• time - The migrating time before data is completely switched to the backup interface. The value range is 1 to 60 seconds. The parameter is disabled by default, i.e. all data flow is transferred to the backup interface immediately without migrating time.

• track-object-name – Specifies the track object. If the track object fails to respond, data flow will be migrated from the primary to the backup interface. If the object tracking is restored to normal, data flow will be switched back to the primary interface.

To cancel the backup interface settings, use the following command:
no backup-interface

Configuring Hold Time

A physical interface can be in two connection states: up and down. During the hold time, state switches of the physical layer between the two states are not notified to the system; after the hold time, if the state has not been restored, the change is notified to the system. This function can avoid unstable network problems caused by frequent changes of physical interface states within a short period.

To configure hold time, in the interface configuration mode (only applicable to physical interfaces), use the following commands:

• holddown time - Specifies the holddown time. With this parameter configured, the system will not determine the up state unless the state of an interface is switched from down to up and stays up for X seconds (X is specified by time). The value range is 1*500 to 3600*500 milliseconds. For example, the parameter holddown 10 indicates that the holddown time is 5 seconds.

• holdup time - Specifies the holdup time. With this parameter configured, the system will not determine the down state unless the state of an interface is switched from up to down and stays down for X seconds (X is specified by time). The value range is 1*500 to 3600*500 milliseconds. For example, the parameter holdup 10 indicates that the holdup time is 5 seconds.

To cancel the specified hold time, in the interface configuration mode, use the command no holddown or no holdup.
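As an added example that is not Hillstone's code, the following Python model reproduces the holddown/holdup semantics described above: a physical state change is only reported to the system once the new state has persisted for the configured hold time, given in units of 500 ms, and a flap back within that window is suppressed. The event timeline and hold values are constructed for the demonstration.

```python
"""Debounce model of StoneOS interface holddown/holdup timers.

Added example, not Hillstone's code. Per the guide, `holddown N` delays
reporting a down->up change and `holdup N` delays reporting an up->down
change until the new physical state has persisted for N * 500 ms; a flap
back to the previous state inside that window is never reported.
"""
from typing import List, Optional, Tuple

HOLD_UNIT_MS = 500            # hold values are given in units of 500 ms
HOLD_MIN, HOLD_MAX = 1, 3600  # valid range: 1*500 ms .. 3600*500 ms


def hold_to_ms(units: Optional[int]) -> int:
    """Convert a holddown/holdup value to milliseconds (None = not configured, 0 ms)."""
    if units is None:
        return 0
    if not HOLD_MIN <= units <= HOLD_MAX:
        raise ValueError(f"hold time must be {HOLD_MIN}..{HOLD_MAX} (units of 500 ms)")
    return units * HOLD_UNIT_MS


def notified_transitions(
    events: List[Tuple[int, str]],
    holddown: Optional[int] = None,
    holdup: Optional[int] = None,
    initial: str = "up",
    horizon_ms: Optional[int] = None,
) -> List[Tuple[int, str]]:
    """Return the (time_ms, state) changes the system is notified of.

    events: physical-layer observations as (time_ms, "up" | "down"), in time order.
    A change to state S is reported at t + hold(S) only if the physical state
    stays S for the whole window; hold("up") is holddown, hold("down") is holdup.
    horizon_ms lets a window that is still open after the last event complete.
    """
    hold_for = {"up": hold_to_ms(holddown), "down": hold_to_ms(holdup)}
    notified = initial
    pending: Optional[Tuple[str, int]] = None  # (candidate state, window start)
    reported: List[Tuple[int, str]] = []

    for t, phys in events:
        # A window that closed before this event is reported at its end time.
        if pending is not None:
            cand, since = pending
            if since + hold_for[cand] <= t:
                reported.append((since + hold_for[cand], cand))
                notified, pending = cand, None
        if phys == notified:
            pending = None          # flapped back inside the window: suppressed
        elif pending is None:
            pending = (phys, t)     # start holding the new candidate state

    if pending is not None and horizon_ms is not None:
        cand, since = pending
        if since + hold_for[cand] <= horizon_ms:
            reported.append((since + hold_for[cand], cand))
    return reported


# Constructed physical-layer timeline (interface initially up). With
# holddown 10 / holdup 4 the 500 ms down flap at t=0 and the 3 s up period
# starting at t=6000 are suppressed; the down at t=3000 is reported at
# t=5000 and the up at t=10000 is reported at t=15000.
DEMO_EVENTS = [(0, "down"), (500, "up"), (3000, "down"),
               (6000, "up"), (9000, "down"), (10000, "up")]

if __name__ == "__main__":
    print("no hold:", notified_transitions(DEMO_EVENTS, horizon_ms=20000))
    print("holddown 10 / holdup 4:",
          notified_transitions(DEMO_EVENTS, holddown=10, holdup=4, horizon_ms=20000))
```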

Configuring an Out-of-band Management Interface

Some devices, including SG-6000-G3150, SG-6000-G5150, SG-6000-M6560, and SG-6000-M6860, support the interface out-of-band management function. When the traffic reaches the maximum number or the CPU utilization is over 99%, you can still continue to interact with the device. To configure the out-of-band management interface, take the following steps:

1. Create a zone named mgt. In the global configuration mode, use the command zone mgt.

2. Bind the ethernet0/0 interface to the mgt zone. In the interface configuration mode, use the command zone mgt.

Notes:
• This function is only supported on some devices (SG-6000-G3150, SG-6000-G5150, SG-6000-M6560, SG-6000-M6860).

• You can only bind the ethernet0/0 interface to the mgt zone; other interfaces are invalid.

• After configuring the out-of-band management interface, do not use the ethernet0/0 interface to forward traffic.

Configuring the Keepalive Function of Interface

After the system uses PPPoE to get a dynamic address for the interface, if the PPPoE function is not used for a long time, the interface address will age out automatically and then be deleted. The keepalive function prevents the aging out of the PPPoE interface and keeps the interface alive.
To configure the keepalive function, in the interface configuration mode, use the following command:
keepalive IP-address

• IP-address – Specifies the IP address of the PPPoE server.

To cancel the keepalive function, in the interface configuration mode, use the following command:
no keepalive

Configuring the Interface Group

The interface group function binds the status of several interfaces to form a logical group. If any interface in the group is faulty, the status of the other interfaces will be Down. After all the interfaces return to normal, the status of the interface group will be Up. The interface group function can bind the status of interfaces on different expansion modules.

To create an interface group and enter the interface group configuration mode, in the global configuration mode, use the following command:
interface-group group-name type linkage

• group-name – Specifies the name of the interface group. The length is 1 to 31 characters.

To add interfaces to the interface group, in the interface group configuration mode, use the following command:
interface interface-name

• interface-name – Specifies the name of the interface to be added to the interface group. The maximum number of interfaces is 8.

For example, to add ethernet0/0 and ethernet0/1 to the interface group test so that their status is linked, in the global configuration mode, use the following commands:

hostname(config)# interface-group test type linkage

hostname(config-if-group)# interface ethernet0/0

hostname(config-if-group)# interface ethernet0/1

In the global configuration mode, use the no form to delete the specified interface group:
no interface-group group-name

To view the status of the specified interface group, in any mode, use the following command:
show interface-group group-name

Configuring Local Property

The system supports configuring an editable Local property for all interfaces (except VSwitch) to avoid duplicate MAC addresses when managing a huge number of HA devices in the same Layer 2 network. Sub-interfaces and virtual forward interfaces do not need the Local property configured; they inherit it from the primary interface directly. If you configure the Local property for an interface, the system will not synchronize this configuration with the backup device. In the interface configuration mode, use the following command:
local

To delete the HA Local property, in the interface configuration mode, use the command no local.

Hillstone Secure Defender

The ARP authentication client (Hillstone Secure Defender) can be installed on computers with the operating systems Windows 2000/2003/XP/Vista.
To download and install Hillstone Secure Defender, use the following steps:

1. Use the command authenticated-arp force to enable the ARP authentication function on the interface and force the PC to install the ARP client.

2. Use a computer to access the Internet through the interface, and then follow the instructions on the pop-up download page to download HillstoneSecureDefender.exe.

3. When the download is finished, double-click HillstoneSecureDefender.exe and install the client by following the prompts of the install wizard.

To uninstall Hillstone Secure Defender, navigate to the Start menu and click All Programs > Hillstone Secure Defender > Uninstall.

Disabling Recording Interface IP Address Conflict Log Triggered by DAD Mode ARP Packets

DAD (Duplicate Address Detection) mode ARP packets are a special type of gratuitous ARP packet: the source IP is 0.0.0.0, and the destination IP is the specific IP address being probed. They are mainly used to detect address conflicts.
By default, the system determines whether a received ARP packet is a DAD mode ARP packet. If it is a DAD mode ARP packet and its destination IP address conflicts with the interface IP address or an address in the NAT address pool, the system records an interface IP address conflict log. To improve device performance and reduce device memory utilization and false positives, you can disable the function of recording interface IP address conflict logs triggered by DAD mode ARP packets.
To disable the function of recording interface IP address conflict logs, in the interface configuration mode, use the following command:
no dad-alarm

To re-enable the function of recording interface IP address conflict logs, in the interface configuration mode, use the following command:
dad-alarm

Configuring Interface Proxy ARP

When the device receives an ARP request with a destination IP of a different network segment, the proxy ARP feature allows the device to reply with its own MAC address as the source address. Proxy ARP can work only on Layer-3 interfaces.
To enable proxy ARP, in the interface configuration mode, use the following command:
proxy-arp [dns]

• proxy-arp – Enables proxy ARP on the interface.

• dns – This parameter is used for PnP IP.

To disable proxy ARP, use the command no proxy-arp.

To view the IP address of the ARP proxy, in any mode, use the following command:
show proxy {arp | nd} [vrouter]

• arp - Displays the IPv4 address of the ARP proxy.

• nd - Displays the IPv6 address of the ARP proxy.

• vrouter - Displays the proxy address of the specified VRouter.

If an interface has been enabled with proxy ARP (with the parameter dns configured) and DNS proxy, it is a plug-and-play (PnP) interface, which means that internal computers with dynamic IP and DNS settings are able to access the Internet through this interface. However, you should keep in mind that:

• If a computer and the PnP interface are in the same network segment, to allow the computer to visit the Internet, make sure that the computer uses the interface IP address as its gateway. For instance, an interface IP is 192.168.1.1/24 and a computer IP is 192.168.1.55/24. In order to allow the computer to visit the Internet through this interface, set the computer gateway address to 192.168.1.1.

• It is suggested to assign an unusual IP address with a 32-bit mask to a PnP interface, like 10.199.199.199/32, which can ensure that there will be no identical IP address in the subnet.

Tip: For information on DNS proxy configuration, see Configuring a DNS Proxy.

PnP IP Configuration Example

The goal is to enable the PnP IP function on an interface to allow LAN users to visit the Internet. The topology is shown in the figure below: ethernet0/0 is connected to the Internet; ethernet0/1 is connected to the Intranet; the DNS server IP is 202.106.1.1.

Take the following steps:

Step 1: Configure the interfaces

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone untrust

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 192.168.1.1/24

hostname(config-if-eth0/1)# exit

hostname(config)#

Step 2: Configure a DNS server

hostname(config)# ip name-server 202.106.1.1

hostname(config)# dns-proxy rule

hostname(config-dns-proxy-rule)# ingress-interface ethernet0/1

hostname(config-dns-proxy-rule)# src-addr any

hostname(config-dns-proxy-rule)# dst-addr any

hostname(config-dns-proxy-rule)# domain any

hostname(config-dns-proxy-rule)# action proxy

hostname(config-dns-proxy-rule)# name-server 202.106.1.1

hostname(config-dns-proxy-rule)# exit

Step 3: Configure the PnP IP feature (i.e. DNS proxy and proxy ARP)

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# dns-proxy

hostname(config-if-eth0/1)# proxy-arp dns

hostname(config-if-eth0/1)# exit

hostname(config)#

Step 4: Configure a policy

hostname(config)# policy-global

hostname(config-policy)# rule from any to any from-zone trust to-zone untrust service any permit

hostname(config-policy)# exit

hostname(config)#

Configuring a Loopback Interface

As a logical interface, a loopback interface always remains in the working state until the device shuts down. The naming rule for a loopback interface is loopbackNumber (Number is an integer from 1 to 256). The unique identifier of a loopback interface is its name.

Creating a Loopback Interface

To create a loopback interface, in the global configuration mode, use the following command:
interface loopback Number

• Number – The ID number of the loopback interface.

If the loopback interface already exists, this command leads you into the interface configuration mode directly.
For example, to create a loopback interface named loopback1, in the global configuration mode, use the following command:

hostname(config)# interface loopback1

hostname(config-if-loo1)#

To delete a loopback interface, in the global configuration mode, use the command no interface loopback Number.

Configuring an Ethernet Interface

All the Ethernet interfaces of Hillstone devices are gigabit interfaces. Gigabit Ethernet interface
conforms to 1000Base-T physical layer specifications. They can work under the rate of 10Mbit/s,
100Mbit/s and 1000Mbit/s. Both full-duplex and half-duplex modes are supported, but Gigabit
half-duplex mode is not supported.

Configuring an Ethernet Sub-interface

An Ethernet interface is allowed to have sub-interfaces.

To create a sub-interface, in the global configuration mode, use the following command:
interface ethernetm/n.tag

• .tag – Specifies a number to mark the sub-interface. The value range is 1 to 4094. For example, the command interface ethernet0/0.1 creates a sub-interface named ethernet0/0.1 for interface ethernet0/0.

If the sub-interface exists, this command leads you into the interface configuration mode directly.
To delete a sub-interface, use the command no interface ethernetm/n.tag.
The Ethernet sub-interface supports PPPoE. One Ethernet interface can only be bound to one PPPoE instance.

Entering the Ethernet Configuration Mode

You must enter the Ethernet configuration mode in order to configure settings like interface speed, duplex mode and Combo type.
To enter the Ethernet configuration mode, in the global configuration mode, use the following command:
interface ethernetm/n

• ethernetm/n – Specifies the Ethernet interface.

Configuring an Interface Duplex Mode and Speed

An Ethernet copper interface can work in full or half duplex mode and can adapt to link speeds of 10Mbit/s, 100Mbit/s and 1000Mbit/s, while a Gigabit Ethernet fiber-optic interface can work only in full duplex mode and does not need a speed setting.
To configure a duplex mode and speed for an interface, in the interface configuration mode, use the following command:
duplex method [speed value]

• method - This parameter can be auto, full (for full-duplex mode) or half (for half-duplex mode). When it is specified as auto, the interface rate is automatically set to auto as well and you do not need to specify the rate; the system will automatically select the best duplex mode and rate. The default duplex method is auto, which means the system assigns a proper mode for the interface.

• value - This parameter can be auto, 10, 100 or 1000. auto is the default value, which means the system automatically detects and assigns a proper link speed. The link speed specified here must conform to the actual network link speed of this end and of the peer device.

To restore the default value, use the command no duplex.

Notes: For the SFP+ interfaces of the expansion modules IOM-P100-300, IOM-P100-300, and SIOM-P100D-300 supported by SG-6000-X10800 and SG-6000-X9180, the expansion module SIOM-P100-260 supported by SG-6000-X8180, and the expansion module IOM-P100-300ZKA supported by SG-6000-K9180: when switching to 1G working mode using the command channel-speed 1000, you can configure the interface to work in a fixed full duplex mode at a fixed 1000Mbit/s rate with the command duplex full speed 1000; other duplex modes and rates are not supported.

Cloning a MAC Address

To clone a MAC address to the Ethernet sub-interface, in the Ethernet sub-interface configuration mode, use the following command:
mac-clone H.H.H

• H.H.H – Specifies the MAC address.

To delete the specified MAC address, in the Ethernet sub-interface configuration mode, use the command no mac-clone.
If the MAC address changes after the PPPoE connection has been established, you need to reconnect the PPPoE client to make the new MAC address take effect.

Configuring a Combo Type

A Combo port is the combination of a fiber-optic port and a copper port. By default, if both ports have cables connected, the fiber-optic port has priority. If the copper port was used at first, after restarting the device, the fiber-optic port will be activated and used to transfer data if it is connected with a cable. You can also select one of the two ports via the CLI.
To select a copper or fiber-optic port, in the interface configuration mode, use the following command:
combo {copper-forced | copper-preferred | fiber-forced | fiber-preferred}

• copper-forced – Forces the use of the copper port.

• copper-preferred – Prioritizes the copper port.

• fiber-forced – Forces the use of the fiber-optic port.

• fiber-preferred – Prioritizes the fiber-optic port. When this parameter is configured, the data flow will switch from the copper port to the fiber-optic port automatically and there is no need to restart the device.

To restore the default setting, use the command no combo.

Configuring a VSwitch Interface

A VSwitch interface is a Layer-3 interface. It is an assembly of all interfaces in the VSwitch. When you create a VSwitch, its corresponding VSwitch interface is automatically created.

Creating a VSwitch Interface

To create a VSwitch interface, in the global configuration mode, use the following command:
vswitch vswitchNumber

• Number - Specifies a number as the identifier of the VSwitch and its interface. The value range may vary between platform models.

To clear the VSwitch and its corresponding interface, use the command no vswitch vswitchNumber.

Configuring a VLAN Interface

A VLAN interface is a Layer 3 interface. A VLAN has one corresponding VLAN interface. The VLAN interface allows Layer 3 communication among different VLANs.

Creating a VLAN Interface

To create a VLAN interface, in the global configuration mode, use the following command:
interface vlan id

• id – Specifies the ID of the VLAN interface. If the specified VLAN interface does not exist, this command creates a VLAN interface and leads you to its configuration mode. If the specified VLAN interface exists, you will enter its configuration mode directly.

To clear the specified VLAN interface, use the command no interface vlanid.

Configuring a Super-VLAN Interface

A super-VLAN interface is a Layer-3 interface. A super-VLAN has a corresponding super-VLAN interface. The super-VLAN allows its sub-VLANs to communicate at Layer 3.

Creating a Super-VLAN Interface

To create a super-VLAN interface, in the global configuration mode, use the following command:
interface supervlan X

• X – Specifies the ID of the super-VLAN interface. This command creates a super-VLAN interface and leads you to the super-VLAN configuration mode. If the specified super-VLAN interface exists, you will directly enter its configuration mode. The value range of this parameter may vary between models.

To delete a super-VLAN interface, use the command no interface supervlanX.

Configuring an Aggregate Interface

An aggregate interface is an assembly of two or more physical interfaces. The data flow passing
through the aggregate interface is shared equally by its physical interfaces. This method can
increase the usable bandwidth. If one of the interfaces fails to work, other interface(s) can take
over its data flow and process data, but bandwidth is reduced. The following sections introduce
basic configurations of aggregate interface.

Creating an Aggregate Interface and Sub-interface

To create an aggregate interface, in the global configuration mode, use the following command:
interface aggregate Number

• Number - Specifies the ID of the aggregate interface. The range of Number differs between product models. For example, the command interface aggregate2 creates an aggregate interface named "aggregate2".

This command leads you into the aggregate interface configuration mode. If the specified interface exists, you will enter its configuration mode directly.
To delete an aggregate interface, in the global configuration mode, use the command no interface aggregateNumber. Before deleting it, you must clear all the settings and zone references of the interface.
To create a sub-interface for an aggregate interface, in the global configuration mode, use the following command:
interface aggregateNumber.tag

• .tag – Specifies the ID of the sub-interface. The parameter is an integer from 1 to 4094. For example, the command interface aggregate2.1 creates a sub-interface named aggregate2.1 for the aggregate interface named aggregate2.

To delete an aggregate sub-interface, in the global configuration mode, use the command no interface aggregateNumber.tag. Before deleting an interface, you should clear all of its settings, including the binding and referencing with other interfaces and zones, etc.

Adding a Physical Interface

An aggregate interface includes two or more physical interfaces.

To add a physical interface to an aggregate interface, in the physical interface configuration mode, use the following command:
aggregate aggregatenumber

• aggregatenumber - Specifies the name of the aggregate interface to which the physical interface is added. Ensure that the physical interface does not belong to any other interface or zone.

To remove a physical interface from the aggregate interface, in the physical interface configuration mode, use the command no aggregate.

Example of Configuring an Aggregate Interface

Here is a configuration example. The goal is to create the aggregate interface aggregate2, add ethernet0/3 and ethernet0/4 to aggregate2, and then delete ethernet0/3 from it.
Use the following commands:

hostname(config)# interface aggregate2

hostname(config-if-agg2)# exit

hostname(config)# interface ethernet0/3

hostname(config-if-eth0/3)# aggregate aggregate2

hostname(config-if-eth0/3)# exit

hostname(config)# interface ethernet0/4

hostname(config-if-eth0/4)# aggregate aggregate2

hostname(config-if-eth0/4)# exit

hostname(config)# interface ethernet0/3

hostname(config-if-eth0/3)# no aggregate

Configuring a Redundant Interface

A redundant interface consists of two physical interfaces: one works as the primary interface and processes the traffic flowing through the redundant interface, while the other stands by and substitutes for the primary interface to process the data flow when the primary fails.

Creating a Redundant Interface and Sub-interface

To create a redundant interface, in the global configuration mode, use the following command:
interface redundant Number

• Number - Specifies the ID of the redundant interface. For example, the command interface redundant2 creates a redundant interface named redundant2.

This command takes you into the redundant interface configuration mode. If the specified interface exists, you will directly enter its configuration mode.
To delete a redundant interface, in the global configuration mode, use the command no interface redundant Number.
Before deleting it, you should clear all settings, including the binding and referencing with other interfaces and zones, etc.
To create a sub-interface for an existing redundant interface, in the global configuration mode, use the following command:
interface redundant Number.tag

• .tag – Specifies the ID of the sub-interface. This parameter should be an integer from 1 to 4094. For example, the command interface redundant2.1 creates a sub-interface called redundant2.1 for the redundant interface named redundant2.

To delete a redundant sub-interface, in the global configuration mode, use the command no interface redundant Number.tag.

Adding a Physical Interface

To add a physical interface to a redundant interface, in the physical interface configuration mode, use the following command:
redundant interface-name

• interface-name – Specifies the name of the redundant interface to which the physical interface is added. Make sure that the physical interface does not belong to any other interface or zone.

To remove a physical interface from a redundant interface, use the command no redundant. If the removed interface serves as the primary interface, you need to clear the primary interface setting first.

Specifying the Primary Interface

To specify a physical interface in the redundant interface as the primary interface, in the redundant interface configuration mode, use the following command:
primary interface-name

• interface-name - Specifies the name of the primary interface.

To cancel the primary interface, in the redundant interface configuration mode, use the command no primary.

Enabling/Disabling alarm logs of ARP loops

After an interface receives ARP packets, the system judges whether the source MAC address of the packets is consistent with the MAC address of the interface. If it is consistent, the system determines that a loop has formed. If the alarm log feature for ARP loops is enabled, alarm logs for ARP loops will be generated frequently. You can enable or disable the alarm logs with the following commands.
By default, the alarm log feature for ARP loops is enabled on the interface. To disable the feature for the redundant interface, in the redundant interface configuration mode, use the following command:
arp-loop-alarm-disable
To restore the default value, in the interface configuration mode, use the following command:
no arp-loop-alarm-disable
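As an added example that is not part of this guide or of StoneOS, the following Python code models the two ARP checks the guide describes: the ARP loop check from this section (frame source MAC equal to the interface MAC) and the DAD mode check from the earlier section on interface IP address conflict logs (a gratuitous request with sender IP 0.0.0.0 whose target IP is an interface address or a NAT pool address, suppressed by no dad-alarm). The MAC addresses, IP addresses and frames are constructed for the demonstration.

```python
"""Model of the StoneOS DAD-mode ARP conflict check and ARP loop check.

Added example, not StoneOS code. Per the guide: a DAD mode ARP packet is a
gratuitous ARP request whose sender IP is 0.0.0.0 and whose target IP is
the address being probed; if that target IP is an interface address or a
NAT pool address, an interface IP conflict log is recorded (unless
dad-alarm is disabled). A frame whose source MAC equals the interface MAC
indicates an ARP loop. All addresses and frames here are constructed.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(eth_src: str, eth_dst: str, oper: int,
                    sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), IPv4Address(spa).packed,
                       mac_bytes(tha), IPv4Address(tpa).packed)
    return eth + arp


def parse_arp_frame(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the ARP fields of an IPv4 ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not IPv4-over-Ethernet ARP
    return {
        "eth_src": mac_str(src), "oper": oper,
        "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
        "tha": mac_str(tha), "tpa": str(IPv4Address(tpa)),
    }


def is_dad_probe(arp: Dict[str, object]) -> bool:
    """DAD mode: an ARP request whose sender IP is 0.0.0.0 (the probed address is the target IP)."""
    return arp["oper"] == ARP_REQUEST and arp["spa"] == "0.0.0.0"


def check_frame(frame: bytes, iface_mac: str, iface_ips: Set[str],
                nat_pool_ips: Set[str], dad_alarm: bool = True) -> List[str]:
    """Return the alarms the interface would raise for this frame.

    ARP_LOOP: the frame's source MAC equals the interface's own MAC.
    IP_CONFLICT_DAD: a DAD probe for an interface or NAT pool address;
    suppressed when dad_alarm is False (i.e. `no dad-alarm` configured).
    """
    arp = parse_arp_frame(frame)
    if arp is None:
        return []
    alarms: List[str] = []
    if arp["eth_src"] == iface_mac.lower():
        alarms.append("ARP_LOOP")
    if dad_alarm and is_dad_probe(arp) and (arp["tpa"] in iface_ips or arp["tpa"] in nat_pool_ips):
        alarms.append("IP_CONFLICT_DAD")
    return alarms


# Constructed demo values (not taken from any real device).
IFACE_MAC = "00:1c:54:aa:bb:cc"
IFACE_IPS = {"192.168.1.1"}
NAT_POOL_IPS = {"203.0.113.10", "203.0.113.11"}
ZERO_MAC, BCAST, HOST_MAC = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55"

DAD_PROBE_FOR_IFACE_IP = build_arp_frame(HOST_MAC, BCAST, ARP_REQUEST, HOST_MAC, "0.0.0.0", ZERO_MAC, "192.168.1.1")
DAD_PROBE_FOR_NAT_IP = build_arp_frame(HOST_MAC, BCAST, ARP_REQUEST, HOST_MAC, "0.0.0.0", ZERO_MAC, "203.0.113.11")
DAD_PROBE_FOR_OTHER_IP = build_arp_frame(HOST_MAC, BCAST, ARP_REQUEST, HOST_MAC, "0.0.0.0", ZERO_MAC, "192.168.1.77")
NORMAL_REQUEST = build_arp_frame(HOST_MAC, BCAST, ARP_REQUEST, HOST_MAC, "192.168.1.55", ZERO_MAC, "192.168.1.1")
LOOPED_FRAME = build_arp_frame(IFACE_MAC, BCAST, ARP_REQUEST, IFACE_MAC, "192.168.1.1", ZERO_MAC, "192.168.1.55")

if __name__ == "__main__":
    for name, frame in [("dad/iface", DAD_PROBE_FOR_IFACE_IP), ("dad/nat", DAD_PROBE_FOR_NAT_IP),
                        ("dad/other", DAD_PROBE_FOR_OTHER_IP), ("normal", NORMAL_REQUEST),
                        ("looped", LOOPED_FRAME)]:
        print(f"{name:10s} {check_frame(frame, IFACE_MAC, IFACE_IPS, NAT_POOL_IPS)}")
```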

Example of Configuring a Redundant Interface

Here is a configuration example. The goal is to create a redundant interface named redundant1, add the interfaces ethernet0/4 and ethernet0/5 to redundant1, make ethernet0/4 the primary interface, and then remove ethernet0/5 from redundant1.
Use the following commands:

hostname(config)# interface redundant1

hostname(config-if-red1)# exit

hostname(config)# interface ethernet0/4

hostname(config-if-eth0/4)# redundant redundant1

hostname(config-if-eth0/4)# exit

hostname(config)# interface ethernet0/5

hostname(config-if-eth0/5)# redundant redundant1

hostname(config-if-eth0/5)# exit

hostname(config)# interface redundant1

hostname(config-if-red1)# primary ethernet0/4

hostname(config-if-red1)# exit

hostname(config)# interface ethernet0/5

hostname(config-if-eth0/5)# no redundant

Configuring a Tunnel Interface

A tunnel interface serves as the entrance of a VPN tunnel, and the VPN traffic goes through the tunnel interface. A tunnel interface is a Layer-3 interface.

Creating a Tunnel Interface

To create a tunnel interface, in the global configuration mode, use the following command:
interface tunnel Number

• Number - Specifies the ID of the tunnel interface. For example, the command interface tunnel2 creates the tunnel interface named tunnel2.

This command leads you to the tunnel interface configuration mode. If a tunnel interface with the specified name exists, you will directly enter the tunnel interface configuration mode.
To delete a tunnel interface, use the command no interface tunnelNumber.

Binding a Tunnel

You can bind a tunnel interface to an IPsec VPN, GRE, SCVPN or L2TP tunnel. A tunnel inter-
face can be bound to multiple IPsec VPN or GRE tunnels, but only one SCVPN (or L2TP) tun-
nel.
To bind a tunnel to the tunnel interface, in the tunnel interface configuration mode, use the fol-
lowing command:
tunnel {ipsec [gw{ipv4-address | ipv6-address}] | gre tunnel-name [gw{ipv4-address | ipv6-
address | ipv4-address ipv6-address}] | scvpn vpn-name | l2tp tunnel-name }

l ipsectunnel-name– Specifies the tunnel type and its name.

l gw{ipv4-address | ipv6-address}– Specifies the next hop IP address of the tunnel interface,
which can be the IP address of the peer tunnel interface or the IP address of the egress inter-
face on the other end. This parameter is only valid for an interface which binds to multiple
IPsec VPN tunnels.

l gre tunnel-name– Specifies the tunnel type and its name.

l {ipv4-address | ipv6-address | ipv4-address ipv6-address}– Specifies the next hop IP


address of the tunnel interface, which can be the IP address of the peer tunnel interface or the
IP address of the egress interface on the other end. This parameter is only valid for an inter-
face which binds to multiple GRE tunnels. The next hop IP addresses can be specified to
IPv4 and/or IPv6 addresses.

l scvpn vpn-name – Specifies the name of SCVPN tunnel bound to this interface. A tunnel
interface can be bound to only one SCVPN tunnel.

• l2tp tunnel-name – Specifies the name of the L2TP tunnel bound to this interface. A tunnel interface can be bound to only one L2TP tunnel.

Repeat this command to bind more IPsec VPN tunnels or GRE tunnels.
To cancel the binding relationship, use the command no tunnel {ipsec vpn-name | gre tunnel-name | scvpn vpn-name | l2tp tunnel-name}.

Multi-tunnel OSPF

In some site-to-site VPN connections, a tunnel interface binds with multiple tunnels. If OSPF dynamic routing is used to manage data exchange among different sites, you need to enable the point-to-multipoint tunnel interface (the default tunnel interface is the point-to-point network type).
To configure the point-to-multipoint type, in the tunnel interface configuration mode, use the following command:
ip ospf network point-to-multipoint

To restore to the default point-to-point type, use the following command:
no ip ospf network point-to-multipoint

Borrowing an IP Address (IP Unnumbered)

In some cases, such as when a tunnel interface is used only to forward packets that pass through the device, configuring an IP address on that interface is not required. In such a situation, you can use the IP address borrowing feature (IP unnumbered) to borrow the IP address of another interface.
To enable the IP address borrowing feature, in the tunnel interface configuration mode, use the following command:
ip address unnumber interface-name

• interface-name – Specifies the name of the interface from which the IP address is borrowed.

To clear the borrowed IP address, use the following command:
no ip address unnumber

Notes: The interfaces on the two ends of the tunnel are not allowed to use borrowed IP addresses at the same time.

Viewing Tunnel Information

To view tunnel information, in any mode, use the following command:
show interface bind-tunnels tunnel-name

• tunnel-name – Specifies the name of the tunnel interface to be shown.

Configuring a PPPoE Sub-interface

One physical interface can have multiple PPPoE sub-interfaces so that multiple ISPs can be
accessed through this one interface.
To create a PPPoE sub-interface, in the global configuration mode, use the following command:
interface ethernetX/Y-pppoeZ

• ethernetX/Y – Specifies the name of the Ethernet port. For instance, ethernet0/5.

• -pppoeZ – Specifies the name of the PPPoE sub-interface. Z indicates the ID of the PPPoE sub-interface. The value range varies with platforms.

To clear a PPPoE sub-interface, in the global configuration mode, use the following command:
no interface ethernetX/Y-pppoeZ

Link Aggregation
Link aggregation combines multiple network connections in parallel to increase throughput beyond what a single connection could sustain, and to provide redundancy in case one of the links fails.
The device supports forced link aggregation and LACP (Link Aggregation Control Protocol). Forced link aggregation is implemented by the aggregate interface. For more information, see Configuring an Aggregate Interface. This section mainly describes the usage of LACP.

LACP

LACP (Link Aggregation Control Protocol) is designed to control the bundling of several physical ports together to form a single logical channel. LACP allows a network device to negotiate an automatic bundling of links by sending LACP packets to the peer (a directly connected device that also has LACP enabled).
Hillstone devices use the aggregate interface to implement the LACP function. An aggregate interface with LACP enabled is called an aggregate group, and the physical interfaces in the aggregate group are its members. After LACP is enabled on an aggregate interface, each member interface sends LACPDU packets to the peer to announce its system priority, system MAC address, port priority, port number, and operating key. The peer receives the LACPDU and compares the information with its local information to select a proper member interface, so that both sides can decide which link will be used to transfer data.

Member Status in an Aggregate Group

There are four statuses for the member interfaces in an aggregate group:

• Unselected: The interface is not selected by the aggregate group and cannot forward traffic. This status is usually caused by physical reasons, e.g., the interface mode is non-duplex, the rates of both sides are inconsistent, physical connection failure, etc.

• Selected: The interface is in the aggregate group, but its peer is not ready, so the interface cannot forward traffic. When it receives LACPDU packets from the peer and learns that the status of its peer is Selected, the status of the interface will switch to Active. An interface in Active status can forward traffic.

• Standby: The interface is a backup interface and cannot forward traffic. If the LACP priority of the interface is promoted, the interface will replace the existing Selected interface and change its own status to Selected, and the status of the replaced interface will switch to Standby. When other interfaces become Unselected, the Standby interface will change to a Selected interface automatically.

• Active: The interface is aggregated successfully and forwards traffic. If the interface has not received LACPDU packets from the peer within three LACPDU timeouts, the link is concluded to be down. In such a case, the status of the interface will switch to Selected, and the interface will stop forwarding traffic.

Configuring LACP

The configurations of LACP include:

• Enabling/Disabling LACP

• Specifying LACP System Priority

• Specifying Interface LACP Priority

• Specifying LACP Timeout

• Specifying the Maximum Active Links

• Specifying the Minimum Active Links

• Specifying Load Balance Mode

Enabling/Disabling LACP

LACP can be enabled on aggregate interfaces (aggregate sub-interfaces and aggregate virtual forward interfaces do not support LACP). To enable/disable LACP, in the aggregate interface configuration mode, use the following commands:

• Enable: lacp enable

• Disable: no lacp enable

Specifying LACP System Priority

LACP system priority is used to determine the priority between the devices on both sides. The interface with the higher LACP system priority will be defined as the standard selected interface. The smaller the number is, the higher the priority will be. If both sides have the same LACP system priority, the system will choose the interface with the smaller MAC address to be the standard selected interface.
To configure the LACP system priority, in the aggregate interface configuration mode, use the following command:
lacp system-priority value

• value – Specifies the LACP system priority. The value range is 1 to 32768. The default value is 32768.

To restore to the default LACP system priority, in the aggregate interface configuration mode, use the following command:
no lacp system-priority

Specifying Interface LACP Priority

Interface LACP priority determines the order in which the members of the aggregate group reach the Selected status. The smaller the number is, the higher the priority will be. Which links in the aggregate group are aggregated is determined by the interface LACP priority and the LACP system priority.
To configure the interface LACP priority, in the configuration mode of the interface in the aggregate group, use the following command:
lacp port-priority value

• value – Specifies the interface LACP priority. The value range is 1 to 32768. The default value is 32768.

To restore to the default interface LACP priority, in the configuration mode of the interface in the aggregate group, use the following command:
no lacp port-priority

Specifying LACP Timeout

The LACP timeout is the time interval for which a member waits to receive LACPDU packets. If the local member does not receive an LACPDU packet from its peer within three timeout intervals, the peer is concluded to be down, the status of the local member changes from Active to Selected, and it stops forwarding traffic. The system supports a short timeout (1 second) and a long timeout (30 seconds, the default value).
To specify the short LACP timeout for the member interface, in the configuration mode of the interface in the aggregate group, use the following command:
lacp period-short

To restore to the long timeout, in the configuration mode of the interface in the aggregate group, use the following command:
no lacp period-short

Specifying the Maximum Active Links

The maximum active links value is the maximum number of Active interfaces. When the number of Active interfaces reaches this maximum, the status of the other legal interfaces becomes Standby. For instance, suppose there are 4 Active interfaces in the aggregate group. If the maximum active links value is set to 2, the system chooses two interfaces as the Active interfaces according to priority, and the status of the other two interfaces with lower priority becomes Standby. When an Active interface goes down and its link fails, the system switches the status of a Standby interface to Active, so LACP works in a redundant way.
To specify the maximum active links, in the aggregate interface configuration mode, use the following command:
lacp max-bundle number

• number – Specifies the number of the maximum active links. The value range is 1 to 16. The default value is 16.

To restore to the default maximum active link number, in the aggregate interface configuration mode, use the following command:
no lacp max-bundle

Specifying the Minimum Active Links

The minimum active links value is the minimum number of Active interfaces. When the number of Active interfaces in the aggregate group is less than the minimum active links value, the status of all the legal interfaces in the aggregate group becomes Standby. The minimum active links must be less than the maximum active links.
To specify the minimum active links, in the aggregate interface configuration mode, use the following command:
lacp min-bundle number

• number – Specifies the number of the minimum active links. The value range is 1 to 8. The default value is 1.

To restore to the default minimum active link number, in the aggregate interface configuration mode, use the following command:
no lacp min-bundle
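
To make the member status rules, lacp system-priority, lacp port-priority, lacp max-bundle and lacp min-bundle described above concrete, here is an added Python model of the selection logic; it is not StoneOS code. The port-number tie-break and the peer-ready flag are assumptions, and the interface names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Member:
    """One physical interface in an aggregate group (constructed model)."""
    name: str
    port_priority: int = 32768   # lacp port-priority: default 32768, smaller wins
    port_number: int = 0         # tie-breaker for equal priorities (assumption)
    link_ok: bool = True         # False models the physical faults behind Unselected
    peer_selected: bool = True   # True once LACPDUs from the peer report Selected


def deciding_side(local_prio: int, local_mac: str,
                  peer_prio: int, peer_mac: str) -> str:
    """lacp system-priority: the smaller value wins; equal values fall back to
    the smaller system MAC address. That side's port priorities drive selection."""
    local = (local_prio, int(local_mac.replace(":", ""), 16))
    peer = (peer_prio, int(peer_mac.replace(":", ""), 16))
    return "local" if local <= peer else "peer"


def select_members(members: List[Member], max_bundle: int = 16,
                   min_bundle: int = 1) -> Dict[str, str]:
    """Assign Unselected / Selected / Active / Standby to every member."""
    if not 1 <= min_bundle < max_bundle <= 16:
        raise ValueError("min-bundle must be less than max-bundle (1-16)")
    status: Dict[str, str] = {}
    legal: List[Member] = []
    for m in members:
        if m.link_ok:
            legal.append(m)
        else:
            status[m.name] = "Unselected"     # physical fault: never forwards
    # lacp port-priority orders the legal members; only max-bundle of them are
    # chosen, the rest wait as Standby and are promoted when a chosen link drops.
    legal.sort(key=lambda m: (m.port_priority, m.port_number))
    chosen, standby = legal[:max_bundle], legal[max_bundle:]
    for m in standby:
        status[m.name] = "Standby"
    for m in chosen:                          # Active only once the peer is ready
        status[m.name] = "Active" if m.peer_selected else "Selected"
    active = sum(1 for m in chosen if status[m.name] == "Active")
    if active < min_bundle:                   # lacp min-bundle not met: nothing forwards
        for m in legal:
            status[m.name] = "Standby"
    return status


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed four-member group run through the failure cases the page describes."""
    group = [Member("ethernet0/1", port_priority=100, port_number=1),
             Member("ethernet0/2", port_priority=200, port_number=2),
             Member("ethernet0/3", port_number=3),
             Member("ethernet0/4", port_number=4)]
    before = select_members(group, max_bundle=2)        # 2 Active, 2 Standby
    group[0].link_ok = False                             # ethernet0/1 link fails
    after = select_members(group, max_bundle=2)         # a Standby link takes over
    group[0].link_ok = True
    group[1].peer_selected = False                       # peer of ethernet0/2 not ready
    group[2].link_ok = False                             # ethernet0/3 physically down
    starved = select_members(group, min_bundle=3)       # only 2 Active < min-bundle
    return {"before": before, "after_failure": after, "below_min_bundle": starved}
```

Note that a min-bundle that cannot be met takes every link out of service, which is why the page requires it to stay below max-bundle and why it should be sized against the real number of healthy links.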

Specifying the Load Balance Mode

You can specify the load balance mode for the aggregate group. The system supports flow-based load balance and 7-tuple based load balance. When the members of the aggregate group are Layer-2 interfaces, the system can only support the load balance mode based on the source MAC address and destination MAC address. For instance, if the source IP is specified as the load balance condition, all the packets with the same source IP will be forwarded by the same interface in the aggregate group. When the physical interfaces in the aggregate interface belong to different modules, the system supports forwarding from the interface of the module where the packet is sent.
To specify the load balance mode, in the aggregate interface configuration mode, use the following command:
load-balance mode {flow | tuple {dest-ip dest-mac dest-port protocol src-ip src-mac src-port} | adjacency-port}

• flow – Gets the load balance mode from the traffic. It is the default mode.

• tuple [dest-ip dest-mac dest-port protocol src-ip src-mac src-port] – Uses tuples as the load balance condition. It can be one of the 5 tuples or a combination of the tuples.

• adjacency-port – Specifies the load balance mode as forwarding from the interface of the module where the packet is sent.

To restore to the default load balance mode, in the aggregate interface configuration mode, use the following command:
no load-balance

Viewing Aggregate Group Information

You can view the LACP aggregate information in any CLI mode. To view the aggregate group information, use the following command:
show lacp aggregate-name

• aggregate-name – Specifies the name of the aggregate group you want to view.

Bypassing the Device


Some Hillstone models are designed with bypass functionality. To reduce the risk of a single point of failure, bypassing the device ensures network continuity during device reboot, power failure or other malfunctions. When a bypass module is working, the networks attached to the security device are physically connected to each other through the bypass module.

Notes:
• Not all Hillstone platforms support bypass functionality.

• Currently, only some Hillstone devices (SG-6000-E5960, SG-6000-E3965, SG-6000-E2860, SG-6000-E6160, SG-6000-E6360) support the external bypass module.

Network Layout with Bypass Module

Based on the connection mode of the Bypass module, it can be classified into the built-in Bypass module and the external Bypass module. Built-in bypass modules are bundled with Hillstone products. External bypass modules are the BSSF-CM-R, BSSF-CEM and BS1U-CEM-SS-EU-R modules provided by Silicom.

Built-in Bypass Modules

The built-in Bypass is classified into two types: the device interface that supports the Bypass function, and the Bypass extension module.

• If the device interface supports the Bypass function, you only need to connect two interconnected LANs (such as LAN1 and LAN2) to one Bypass interface pair. For example, eth0/2 and eth0/3 are a Bypass interface pair. You only need to connect eth0/2 and eth0/3 to LAN1 and LAN2 respectively.

• For the Bypass extension module, install it into the expansion slot of the device according to the installation manual. Then connect the two ports marked with NETWORK on the panel to different LANs (shown in the figure as LAN1 and LAN2). Connect the two ports marked with DEVICE on the panel to other ports on the device. For details, see the following figure. Solid black lines indicate cable connections. (The following takes the IOC-A-2MM-BE/2SM-BE Bypass extension as an example.)

However, in particular situations like power failure or device rebooting, the device is bypassed and LAN1 and LAN2 are physically connected through the bypass module.

External Bypass Module

For external bypass modules, connect the AUX port of the security device to Console port of
Silicom bypass module with a cable. See the figure below for cable connection (black line) and
traffic flow directions.

As shown above, connect LAN1 and LAN2 to the bypass module and connect the module Console port to the device AUX port. When the network functions well, the two LANs can gain access to each other through the device.
However, in particular situations like power failure or device rebooting, the device is bypassed
and LAN1 and LAN2 are physically connected through the bypass module.

Note the following points when you bypass the device with an external bypass module:

• Use fiber cable with an LC-type connector.

• The heartbeat cable, a cable with an RJ-45 connector on one end and RJ-11 on the other, which is used to connect the device AUX port and the bypass module Console port, is provided by Silicom. Connect the RJ-45 end to the AUX port of the device and the RJ-11 end to the Console port of the bypass module.

• Make sure that Tx and Rx are correctly connected.

• Make sure all cables are properly connected.

Enabling External Bypassing

If you choose to use an external bypass module to bypass the device, you need to enable this feature, which is off by default, once all connections are properly established.
To enable/disable the external bypassing function, in the global configuration mode, use the following commands:

• Enable: external-bypass enable

• Disable: no external-bypass enable

Viewing External Bypassing

To view the external bypass module working status, type, version, etc., in any mode, use the following command:
show external-bypass

Here is an example:

hostname# show external-bypass
===================================================================
external-bypass:enable
device status:present
current mode:normal
device info:BSFT,version 28
===================================================================

Enable / Disable Forced Bypass

Only A series and K series firewalls or the bypass module IOM-8MM-B-260 (for X8180) support this function. When a device fails to forward network traffic normally in a certain state (such as system restart, abnormal operation, or device power off), the system enters the Bypass state. In the Bypass state, the interface pairs (for example, eth0/0 and eth0/1 are Bypass interface pair 0 by default, which is identified on the front panel) are physically directly connected like a cable, and traffic flows directly through them. Bypass interface pairs are not connected when the device is in normal operation, but forward traffic normally according to the functions configured on the interface.
Example of bypass interface pairs: E0/0 and E0/1 are Bypass interface pair 0 by default, which is identified on the front panel. The IOM-8MM-B-260 module has 16 optical ports which can form four Bypass pairs, including pair0 (port 0' and port 1'), pair1 (port 2' and port 3'), pair2 (port 4' and port 5') and pair3 (port 6' and port 7').

If you need to enable the forced Bypass function of the interface while the device is running normally, first enter the Bypass interface pair mode by using the following command:
bypass slot slot-id pair pair-id
To enable the forced Bypass function, use the following command:
force-bypass
To disable the forced Bypass function, use the following command:
no force-bypass

Notes:
• You cannot enable the forced bypass function and the HA function at the same time.

• When the device restarts and the system configuration has not been loaded completely, the device is in Bypass mode and the Bypass interface pairs may still forward traffic to each other like a cable.

Monitor the Status of Ports

The IOM-8MM-B-260 module has four Bypass pairs which can monitor the interfaces on other expansion modules separately. For example, port0 is connected to "interface1" on another expansion module and port1 is connected to "interface2" on that module. Port0 and port1 will be connected directly when the system detects that "interface1" or "interface2" cannot work normally, which means the firewall is bypassed.

1. In the global configuration mode, use the following command to enter the Bypass interface pair mode:
bypass slot slot-id pair pair-id

2. In the Bypass interface pair mode, use the following command to enable or disable the monitor function:

• monitor interface1 interface2 - Disable this function.

• no monitor - Enable this function.

PoE
PoE (Power over Ethernet) provides power to a PD (powered device) through the twisted pair cable and facilitates the deployment of low-power devices, such as IP telephones, wireless APs, and IP cameras. Only the Ethernet copper ports in the IOC-4GE-POE module support the PoE function, and only some product models support the IOC-4GE-POE module.

Configuring PoE Settings

Configuring PoE settings includes the following sections:

• Enabling the PoE function

• Configuring the detection method

• Specifying the maximum power supplied by the PoE interface

Enabling PoE Function

By default, the PoE function is disabled. To enable the PoE function, in the interface configuration mode, use the following command:
poe enable
To disable the PoE function, in the interface configuration mode, use the following command:
no poe enable

Configuring Detection Method

The Hillstone device determines whether a powered device is connected to a port by using detection. Different powered devices use different detection methods, so you need to configure the detection method according to the powered devices. Note that changing the detection method might interrupt the power supply.

To configure the detection method, in the interface configuration mode, use the following command:
poe disconnect {ac | dc}

• ac – Use AC detection.

• dc – Use DC detection, also called IEEE standard or 802.3af standard detection.

Use the following command to restore the detection method to the default one:
no poe disconnect

Specifying Maximum Power Supplied by PoE Interface

For different product models, the range of maximum power is different. To specify the maximum power of the power supply, in the interface configuration mode, use the following command:
poe max-power max-power

• max-power – Specifies the maximum power of the power supply assigned to the PoE Ethernet interface.

Use the following command to restore the value to the default one:
no poe max-power

Viewing Power Supply Status of PoE Interfaces

In any mode, use the following command to view the power supply status of the specified PoE interface:
show poe interface [interface interface-name]

• interface-name – Views the power supply status of the specified PoE interface.

Viewing Power Information of PoE Interfaces and PoE Module

In any mode, use the following command to view the power information of PoE interfaces and the PoE module:
show poe power-usage

Viewing Information of PoE Module

In any mode, use the following command to view the information of the PoE module:
show poe device

Address

Overview
In StoneOS, the IP address is an important element in the configuration of multiple modules, such as policy rules, NAT rules and session limit rules. Therefore, StoneOS supports an address book to facilitate IP address reference and flexible configuration. You can specify a name for an IP range, and then reference only the name during configuration. The address book is the database in StoneOS that stores the mappings between IP ranges and their corresponding names. A mapping entry between an IP address and its name in the address book is known as an address entry.

Address Entry

StoneOS provides a global address book. You need to specify an address entry for the global
address book. In an address entry, you can replace the IP range with a DNS name. You can use
them for NAT conveniently. Furthermore, an address entry also has the following features:

• All address books contain a default address entry named Any. The IP address of Any is 0.0.0.0/0, i.e., any IP address. Any can neither be edited nor deleted.

• One address entry can contain another address entry in the address book.

• If the IP range of an address entry changes, StoneOS will update other modules that reference the address entry automatically.

Configuring an Address Book


You can perform the following operations on an address book through CLI:

• Adding or deleting an address entry

• Specifying the IP range of an address entry

• Viewing the address book information

Adding or Deleting an Address Entry

To add an address entry to the address book and enter the address configuration mode, in the global configuration mode, use the following command:
address address-entry [ipv6]

• address-entry - Specifies the name of the address entry that will be added.

• ipv6 - Specifies the address entry as the IPv6 type. If not specified, it will be the IPv4 type.

To delete the specified address entry from the address book, in the global configuration mode, use the following command:
no address address-entry

Notes: An address entry that is being referenced by other modules or address entries cannot be deleted.

Specifying the IP Range of an Address Entry

In StoneOS, the IP range of an address entry is the collection of all the IP members within the range. The members of the address entry consist of the following types:

• IP address: includes two types. One is IPv4 address/subnet mask or IPv6 address/subnet mask, such as 10.100.2.0/24 or 2001::1/64; the other is IPv4 address with a wildcard mask or IPv6 address with a wildcard mask, such as 192.168.0.1 255.255.0.255 or 2001::10 FF00::FFFF.

• Host name, such as host1.hillstonenet.com. Host names that contain a wildcard, such as *.baidu.com, are supported.

• IP range, such as 10.100.2.3 - 10.100.2.100 or 2001::1 - 2001::10

• Country or region: A set of IP addresses that belong to a country or a region.

• Other address entries

To add an IP member to the specified address entry, or delete the specified member from the address entry, in the address configuration mode, use the commands with the keywords ip or wildcard.
To add/delete an IP address member of the IPv4 address/subnet mask type or the IPv4 address with a wildcard mask type, use the following commands:

• ip {ip-address {netmask | wildcardmask} | ip/netmask}

   • ip-address – Specifies the IP address of the IP member.

   • netmask | wildcardmask – Specifies the subnet mask or wildcard mask. StoneOS does not support a wildcard mask which has more than 8 zeros (consecutive or non-consecutive) before the first 1 from the right side of its binary form. For example, 255.0.0.255 is an invalid wildcard mask, while 255.0.255.0 and 255.32.255.0 are valid wildcard masks.

   • ip/netmask – Specifies the IP address and netmask of the IP member.

• no ip {ip-address {netmask | wildcardmask} | ip/netmask}

• wildcard ip-address wildcardmask

   • ip-address wildcardmask – Specifies the IPv4 address (ip-address) and wildcard mask (wildcardmask) of the IP member. StoneOS does not support a wildcard mask which has more than 8 zeros (consecutive or non-consecutive) before the first 1 from the right side of its binary form. For example, 255.0.0.255 is an invalid wildcard mask, while 255.0.255.0 and 255.32.255.0 are valid wildcard masks.

• no wildcard ip-address wildcardmask

To add/delete an IP address member of the IPv6 address/subnet mask type or the IPv6 address with a wildcard mask type, use the following commands:

• ip ipv6-prefix/prefix-length

   • ipv6-prefix/prefix-length – Specifies the IPv6 address prefix and prefix length of the IP member. The value range of the prefix length is 0 to 128.

• no ip ipv6-prefix/prefix-length

• wildcard ipv6-address wildcardmask

   • ipv6-address wildcardmask – Specifies the IPv6 address (ipv6-address) and wildcard mask (wildcardmask) of the IP member. The 128-bit wildcard mask must consist of consecutive 8 (or integer multiples of 8) zeros or consecutive 8 (or integer multiples of 8) 1s, such as FF00::FFFF.

• no wildcard ipv6-address wildcardmask

To add a host member to an address entry or delete the specified member, in the address configuration mode, use the following commands:

• host host-name [vrouter vrouter-name]

   • host-name – Specifies the host name. Host names that contain a wildcard are supported. You can specify up to 255 characters.

   • vrouter-name - Specifies the VRouter of the host.

• no host host-name [vrouter vrouter-name]

To add an IP range member to an address entry, or delete the specified member from the address entry, in the address configuration mode, use the following commands:

• range min-ip [max-ip]

• no range min-ip [max-ip]

To add a set of IP addresses that belong to a country or a region, in the address configuration mode, use the country command. To delete this member from the address entry, use the no form of this command.

• country country-name

• no country country-name

You can press the Tab key after the country keyword to see the available values of the country-name parameter.
To add another address entry to an address entry, or delete the specified address entry from the address entry, in the address configuration mode, use the following commands:

• member address-entry

• no member address-entry

Notes:

• The country or region member is supported in address entries of the IPv4 type.

• Only the security policy and the policy-based route support an address entry with a country or region member added.

• An address entry with a country or region member added does not support the exclude range min-ip max-ip settings in Excluding Address Entries.

• On a device, you can use a wildcard for up to 128 host members.

• A maximum of 8 address members of the IPv4 address with a wildcard mask type or the IPv6 address with a wildcard mask type are allowed to be configured in each address book entry.

• Only the security policy and the IPv6 address book support an address entry with an IPv6/Wildcard member added.

Excluding Address Entries

Both IPv4 and IPv6 address entries are supported in address books. By configuring excluded entries, you can rule out IPv4 or IPv6 addresses from an address book. The following two types of members can be excluded:

• IP address: IPv4 type: both IP/netmask (e.g. 10.100.2.0/24) and IP/wildcard netmask (192.168.0.1 255.255.0.255) can be excluded; the IPv6 type, like 2001::1/64, is also supported.

• IP range: a range of IP addresses, e.g. 10.100.2.3 - 10.100.2.100 or 2002::0 - 2002::10.

Notes: The maximum percentage of excluded members is 10% of the total number
in this address book.

Excluding an IPv4 Address Entry

To exclude an IPv4 address entry, under the address book configuration mode, use the following command:
exclude ip ip-address {netmask | wildcardmask}

• ip-address – Specifies the IP address to be excluded.

• netmask | wildcardmask – Specifies the netmask or wildcard mask. A wildcard netmask signifies a sequence of less than 8 wildcard characters (i.e. less than eight zeros) in a binary netmask (the last binary digit of the netmask must be 1, not 0). For example, 255.0.0.255 is not supported in this wildcard netmask format; 255.0.255.0 and 255.32.255.0 are legitimate.

To resume an IPv4 address entry, use the command no exclude ip ip-address {netmask | wildcardmask}.

To exclude an IP range address entry, under the address book configuration mode, use the following command:
exclude range min-ip max-ip

• min-ip max-ip – Specifies the start and end IP addresses.

To resume an excluded address range, use the command no exclude range min-ip max-ip.

Excluding IPv6 Address Entries

To exclude IPv6 address entries from an address book, under this address book's configuration mode, use the following command:
exclude ip ipv6-prefix/prefix-length

• ipv6-prefix/prefix-length – Specifies the IPv6 prefix and its length. The range is 65 to 128.

To resume an excluded IPv6 address entry, use the command no exclude ip ipv6-prefix/prefix-length.
To exclude an IPv6 range address entry from an address book, under the address book configuration mode, use the following command:
exclude range min-ipv6-address max-ipv6-address

• min-ipv6-address – Specifies the start IPv6 address.

• max-ipv6-address – Specifies the end IPv6 address.

To resume an excluded IPv6 range back to the address book, use the command no exclude range min-ipv6-address max-ipv6-address.
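
The wildcard-mask rules in Specifying the IP Range of an Address Entry and the exclude settings above are easy to get wrong when auditing an address book offline, so here is an added Python model (not StoneOS code) that validates masks the way the page describes and evaluates whether an address falls inside an entry after excludes. The matching semantics of a wildcard mask (1 bits must match, 0 bits are don't-care) and the entry name are assumptions; the member values are the page's own sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def ipv4_wildcard_is_valid(mask: str) -> bool:
    """Page rule: no more than 8 zeros may appear to the left of the lowest 1 bit
    in the 32-bit binary mask. This is the reading that agrees with the page's
    own examples (255.0.0.255 invalid; 255.0.255.0 and 255.32.255.0 valid)."""
    bits = int(ipaddress.IPv4Address(mask))
    if bits == 0:
        return False                                 # no 1 bit at all
    lowest_one = (bits & -bits).bit_length() - 1     # index of first 1 from the right
    zeros_above = sum(1 for i in range(lowest_one + 1, 32) if not (bits >> i) & 1)
    return zeros_above <= 8


def ipv6_wildcard_is_valid(mask: str) -> bool:
    """Page rule: the 128-bit mask is built from whole bytes of 1s or 0s
    (e.g. FF00::FFFF), so every byte must be 0x00 or 0xFF."""
    return all(b in (0x00, 0xFF) for b in ipaddress.IPv6Address(mask).packed)


def wildcard_match(ip: IPAddr, base: str, mask: str) -> bool:
    """Assumed semantics (the page does not spell them out): a 1 bit in the mask
    means that bit of the address must equal the base; a 0 bit is don't-care."""
    b, m = ipaddress.ip_address(base), ipaddress.ip_address(mask)
    if ip.version != b.version:
        return False
    return (int(ip) & int(m)) == (int(b) & int(m))


@dataclass
class AddressEntry:
    """Subset of the page's member types: ip (prefix), wildcard, range, plus the
    exclude ip / exclude range settings. Host, country and member are omitted."""
    name: str
    members: List[Tuple] = field(default_factory=list)
    excludes: List[Tuple] = field(default_factory=list)

    def add(self, kind: str, *args: str) -> None:
        if kind == "wildcard":
            ver = ipaddress.ip_address(args[0]).version
            valid = ipv4_wildcard_is_valid if ver == 4 else ipv6_wildcard_is_valid
            if not valid(args[1]):
                raise ValueError(f"unsupported wildcard mask {args[1]}")
            # note on the page: at most 8 wildcard members per address entry
            if sum(1 for m in self.members if m[0] == "wildcard") >= 8:
                raise ValueError("at most 8 wildcard members per address entry")
        self.members.append((kind, *args))

    def exclude(self, kind: str, *args: str) -> None:
        if kind not in ("ip", "wildcard", "range"):
            raise ValueError("only ip, wildcard and range members can be excluded")
        self.excludes.append((kind, *args))

    @staticmethod
    def _hit(member: Tuple, ip: IPAddr) -> bool:
        kind, *args = member
        if kind == "ip":                             # ip/netmask or ipv6-prefix/length
            net = ipaddress.ip_network(args[0], strict=False)
            return ip.version == net.version and ip in net
        if kind == "wildcard":
            return wildcard_match(ip, args[0], args[1])
        if kind == "range":                          # range min-ip max-ip
            lo, hi = ipaddress.ip_address(args[0]), ipaddress.ip_address(args[1])
            return ip.version == lo.version and lo <= ip <= hi
        raise ValueError(f"unknown member type {kind}")

    def contains(self, ip: str) -> bool:
        """An address is in the entry if some member covers it and no exclude does."""
        addr = ipaddress.ip_address(ip)
        if not any(self._hit(m, addr) for m in self.members):
            return False
        return not any(self._hit(e, addr) for e in self.excludes)


def demo() -> dict:
    """Constructed entry built from the page's sample member values."""
    entry = AddressEntry("lan-servers")
    entry.add("ip", "10.100.2.0/24")
    entry.add("wildcard", "192.168.0.1", "255.255.0.255")   # any 192.168.x.1
    entry.add("range", "2001::1", "2001::10")
    entry.add("wildcard", "2001::10", "FF00::FFFF")
    entry.exclude("range", "10.100.2.3", "10.100.2.100")     # exclude range
    return {
        "10.100.2.200": entry.contains("10.100.2.200"),   # True: in /24, not excluded
        "10.100.2.50": entry.contains("10.100.2.50"),     # False: in excluded range
        "192.168.77.1": entry.contains("192.168.77.1"),   # True: wildcard hit
        "192.168.77.2": entry.contains("192.168.77.2"),   # False: last octet differs
        "2001::5": entry.contains("2001::5"),             # True: IPv6 range
    }
```

Because a policy that references the entry inherits every member and every exclude, checking the effective set this way before committing a change is a cheap guard against accidentally widening a rule.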

Renaming an Address Entry

To rename an existing address entry, in the address configuration mode, use the following command:
rename name

• name - Specifies the new name for the address entry. If the name duplicates an existing one, the command fails.

Viewing the Reference Address of an Address Entry

In StoneOS, an address entry can be referenced by other modules, such as policy rules, NAT rules or session limit rules. To view the references to an address entry by other modules, i.e., the reference address of the address entry, in any mode, use the following command:
show reference address address-entry

• address-entry - Shows the reference address of the specified address entry.

Example:

hostname(config)# show reference address 10.101.0.194
=====================================================
Name: | 10.101.0.194 (name of the address entry)
-----------------------------------------------------
Address: | - (referenced by other address entries)
-----------------------------------------------------
Policy rule: | policy 20 src-addr (referenced by policy rules)
-----------------------------------------------------
SNAT rule: | - (referenced by SNAT rules)
-----------------------------------------------------
DNAT rule: | - (referenced by DNAT rules)
-----------------------------------------------------
Statistics: | - (referenced by stat-sets)
-----------------------------------------------------
Session limit: | rule 1 (referenced by session limit rules)
-----------------------------------------------------
PBR: | - (referenced by PBR rules)
-----------------------------------------------------
QoS: | - (referenced by QoS rules)
-----------------------------------------------------
ExStats: | - (referenced by extended stat-sets)
=====================================================

Viewing the Address Book Details

To view the details of the global address book, including its entries, the number of members,
detailed information about the members, and the address entries that are not referenced by other
function modules, in any mode, use the following command:
show address [filter-ip A.B.C.D [filter-unreferenced]] | [address-entry] | [filter-unreferenced]

l show address - Shows the information of all the address entries in the address book.

l filter-ip A.B.C.D - Shows the information of address entries that contain the specified IP
address.

l address-entry - Shows the information of specified address entry.

l filter-unreferenced - Shows the information of the address entries that are not referenced by
other function modules.

To check where an IP address is from, in any mode, use the following command:
show country ip A.B.C.D

l A.B.C.D – Enter the IP address to check which country or region this IP address belongs
to.

Address Book Configuration Example

Configuration Example 1

The goal is to create address entries named address1 and address2 for the address book; add the
following members to address1: 10.200.1.0/16, 192.168.1.0/24, 192.168.0.1/255.255.0.255 and
hillstonenet.com; add the following members to address2: 10.100.3.1 to 10.100.3.10 and
address1. Use the following commands:

hostname(config)# address address1

hostname(config-addr)# ip 10.200.1.0/16

hostname(config-addr)# ip 192.168.1.0 255.255.255.0

hostname(config-addr)# ip 192.168.0.1 255.255.0.255

hostname(config-addr)# host hillstonenet.com

hostname(config-addr)# exit

hostname(config)# address address2

hostname(config-addr)# range 10.100.3.1 10.100.3.10

hostname(config-addr)# member address1

hostname(config-addr)# exit

hostname(config)#

Configuration Example 2

You can configure a host name that contains a wildcard in the address book. To specify the host
name *.baidu.com, use the following commands:

hostname(config)# addr baidu

hostname(config-addr)# host *.baidu.com
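To show how the member and exclude rules of the two examples above combine, here is an added model of an address book (example code, not Hillstone's). It assumes that a mask bit set to 1 means that bit must match, so 255.255.255.0 behaves as a netmask and the non-contiguous 255.255.0.255 behaves as a wildcard mask matching 192.168.<any>.1; that an entry's excludes apply to its whole effective set, including addresses contributed by nested members; and that host-name members are recorded but not matched, since they cannot be resolved offline. The exclude rules in build_example_book are constructed additions.

```python
"""Address-book membership model (added example; not Hillstone code).

Assumptions (not stated on the page): a mask bit set to 1 means that bit of the
candidate must equal the configured address, so 255.255.255.0 acts as a netmask
and 255.255.0.255 acts as a wildcard mask matching 192.168.<any>.1; excludes
apply to the entry's whole effective set, nested members included; host names
are stored but never matched because they cannot be resolved offline.
"""
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _mask(text):
    # "16" (prefix length) or "255.255.0.255" (dotted netmask / wildcard mask)
    if str(text).isdigit():
        return int(ipaddress.IPv4Network(f"0.0.0.0/{int(text)}").netmask)
    return _ip(text)


class AddressBook:
    def __init__(self):
        # name -> {"members": [rule, ...], "excludes": [rule, ...]}
        self.entries = {}

    def address(self, name):
        self.entries.setdefault(name, {"members": [], "excludes": []})

    # Member rules mirror the CLI keywords: ip, range, host, member.
    def ip(self, name, addr, mask):
        self.entries[name]["members"].append(("ip", _ip(addr), _mask(mask)))

    def range(self, name, low, high):
        self.entries[name]["members"].append(("range", _ip(low), _ip(high)))

    def host(self, name, hostname):
        self.entries[name]["members"].append(("host", hostname))

    def member(self, name, other):
        if other not in self.entries:
            raise KeyError(f"member {other!r} is not an address entry")
        self.entries[name]["members"].append(("member", other))

    # Exclusions mirror "exclude ip" and "exclude range".
    def exclude_ip(self, name, addr, mask):
        self.entries[name]["excludes"].append(("ip", _ip(addr), _mask(mask)))

    def exclude_range(self, name, low, high):
        self.entries[name]["excludes"].append(("range", _ip(low), _ip(high)))

    def _rule_matches(self, rule, cand, seen):
        kind = rule[0]
        if kind == "ip":
            _, addr, mask = rule
            return (cand & mask) == (addr & mask)
        if kind == "range":
            _, low, high = rule
            return low <= cand <= high
        if kind == "member":
            return self._contains(rule[1], cand, seen)
        return False  # host names are not resolved here

    def _contains(self, name, cand, seen):
        if name in seen:  # guard against a membership cycle
            return False
        seen = seen | {name}
        entry = self.entries[name]
        if any(self._rule_matches(r, cand, seen) for r in entry["excludes"]):
            return False
        return any(self._rule_matches(r, cand, seen) for r in entry["members"])

    def contains(self, name, candidate):
        """True if candidate (dotted IPv4) is covered by the named entry."""
        return self._contains(name, _ip(candidate), frozenset())


def build_example_book():
    """Rebuilds Configuration Example 1 and adds two constructed exclusions."""
    book = AddressBook()
    book.address("address1")
    book.ip("address1", "10.200.1.0", "16")
    book.ip("address1", "192.168.1.0", "255.255.255.0")
    book.ip("address1", "192.168.0.1", "255.255.0.255")  # wildcard mask
    book.host("address1", "hillstonenet.com")
    book.address("address2")
    book.range("address2", "10.100.3.1", "10.100.3.10")
    book.member("address2", "address1")
    book.exclude_ip("address2", "10.100.3.7", "32")              # constructed
    book.exclude_range("address2", "10.200.5.0", "10.200.5.255")  # constructed
    return book


if __name__ == "__main__":
    b = build_example_book()
    for probe in ("10.100.3.7", "10.100.3.8", "192.168.77.1", "192.168.77.2"):
        print(probe, b.contains("address2", probe))
```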

126 Chapter 1 Firewall


Service and Application
This chapter introduces the following topics:

l Service

l Application

Service Overview
A service is an information stream defined by protocol standards. A service has specific attributes,
such as its protocol and port number. For example, the FTP service uses the TCP protocol, and its
port number is 21. Service is an essential element for the configuration of multiple StoneOS
modules, including policy rules, NAT rules, etc. StoneOS ships with over 100 predefined services
and over 10 service groups. You can also create user-defined services and service groups as
needed. All these services and service groups are stored in and managed by the StoneOS service
book. Each service in the service book contains its specific service entries.

Viewing Service or Service Group Information via CLI

To view service information, including the service type, name, protocol, destination port, source
port, and the service entries that are not referenced by other function modules, in any mode, use
the following command:
show service {predefined | userdefined | name service-name} | [unreferenced]

l predefined – Shows the predefined service information.

l userdefined – Shows the user-defined service information.

l name service-name - Shows the information of the specified service.

l unreferenced - Shows the information of the service entries that are not referenced by other
function modules.

show service protocol {tcp | udp} [dst-port {port-number | range min-port max-port}] [src-port
{port-number | range min-port max-port}]

l tcp | udp – Shows the service information with the protocol type of TCP or UDP.

l dst-port {port-number | range min-port max-port} – Shows the service information of the
specified destination port. port-number is a single destination port number. If the destination
port number is in a range, min-port is the minimum destination port number, max-port is the
maximum destination port number, and the range is 0 to 65535.

l src-port {port-number | range min-port max-port} – Shows the service information of the
specified source port. port-number is a single source port number. If the source port number is in
a range, min-port is the minimum source port number, max-port is the maximum source port
number, and the range is 0 to 65535.

show service protocol {icmp | icmpv6} [type type-number [code {code-number | range min-
code max-code}]]

l icmp | icmpv6 – Shows the service information with the protocol type of ICMP or
ICMPv6.

l type type-number – Shows the service information with the specified ICMP type or ICMPv6
type.

l [code {code-number | range min-code max-code}] - Shows the service information of the
policy rule with the specified ICMP code or ICMPv6 code. code-number is a single code. If
the code is in a range, min-code is the minimum code and max-code is the maximum code. The
code value of the ICMP protocol type ranges from 0 to 15, and that of the ICMPv6 protocol type
ranges from 0 to 255.

show service protocol protocol-number

l protocol-number – Shows the service information with the specified protocol number. The
protocol number is from 1 to 255.

To view service group information, including predefined service groups, user-defined service
groups, and the service group entries that are not referenced by other function modules, in any
mode, use the following command:

128 Chapter 1 Firewall


sh o w servgro up [ predefined ] | [userdefin ed] | [n ame servicegroup-name ] | [ unreferenced ]

l predefined - Shows the predefined service group information.

l userdefined - Shows the user-defined service group information.

l name servicegroup-name - Shows the information of the specified service group.

l unreferenced - Shows the information of the service group entries that are not referenced by
other function modules.

Viewing Service References

In StoneOS, a service can be referenced by other modules, such as policy rules, NAT rules or
session limit rules. To view which modules reference a service or service group (the references
of the service or service group), in any mode, use the following command:
show reference service service-name

l service-name – Shows the reference of the specified service or service group.

Example:

hostname(config)# show reference service ftp

=====================================================
Name: | ftp (name of the service or service group)
-----------------------------------------------------
Service group: | SRV_INTERNET_PROTOCOL (reference by other service groups)
-----------------------------------------------------
Policy rule: | policy 105 , policy 100 (reference by policy rules)
-----------------------------------------------------
DNAT rule: | - (reference by DNAT rules)
-----------------------------------------------------
SNAT rule: | - (reference by SNAT rules)
-----------------------------------------------------
Statistics: | - (reference by stat-sets)
-----------------------------------------------------
Policy route: | - (reference by PBR rules)
=====================================================
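Both show reference address and show reference service print the same table layout, and the practical question an administrator asks of it is whether an entry is still in use before deleting it. The following added parser (example code, not Hillstone's) reads that layout; the two sample outputs are constructed from the examples on this page and the parser ignores the parenthetical notes after each cell.

```python
"""Parser for the tabular output of "show reference address" and
"show reference service" (added example; not Hillstone code).

The sample texts below are constructed from the layouts shown on the page.
Values inside a cell are comma-separated; "-" means no reference of that kind.
"""
import re

SAMPLE_SERVICE_OUTPUT = """\
=====================================================
Name:          | ftp (name of the service or service group)
-----------------------------------------------------
Service group: | SRV_INTERNET_PROTOCOL (reference by other service groups)
-----------------------------------------------------
Policy rule:   | policy 105 , policy 100 (reference by policy rules)
-----------------------------------------------------
DNAT rule:     | - (reference by DNAT rules)
-----------------------------------------------------
SNAT rule:     | - (reference by SNAT rules)
-----------------------------------------------------
Statistics:    | - (reference by stat-sets)
-----------------------------------------------------
Policy route:  | - (reference by PBR rules)
=====================================================
"""

SAMPLE_UNREFERENCED_ADDRESS = """\
=====================================================
Name:          | 10.101.0.194 (name of the address entry)
-----------------------------------------------------
Address:       | - (referenced by other address entries)
-----------------------------------------------------
Policy rule:   | - (referenced by policy rules)
-----------------------------------------------------
Session limit: | - (referenced by session limit rules)
=====================================================
"""

# "<module label>: | <cell>"; separator lines contain no "|" and are skipped.
_ROW = re.compile(r"^\s*([^|]+?):\s*\|\s*(.*?)\s*$")
# The trailing "(referenced by ...)" note is documentation, not data.
_TRAILING_NOTE = re.compile(r"\s*\([^)]*\)\s*$")


def parse_reference_output(text):
    """Returns (object name, {module label: [reference, ...]})."""
    name, refs = None, {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        module, cell = m.group(1).strip(), _TRAILING_NOTE.sub("", m.group(2)).strip()
        values = [v.strip() for v in cell.split(",")
                  if v.strip() and v.strip() != "-"]
        if module == "Name":
            name = cell
        else:
            refs[module] = values
    return name, refs


def referencing_modules(text):
    """Module labels that still hold at least one reference."""
    _, refs = parse_reference_output(text)
    return sorted(module for module, values in refs.items() if values)


def is_unreferenced(text):
    """True when nothing references the object, so deleting it is safe."""
    return not referencing_modules(text)


if __name__ == "__main__":
    print(parse_reference_output(SAMPLE_SERVICE_OUTPUT))
    print("ftp unreferenced:", is_unreferenced(SAMPLE_SERVICE_OUTPUT))
    print("10.101.0.194 unreferenced:",
          is_unreferenced(SAMPLE_UNREFERENCED_ADDRESS))
```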

Predefined Services

StoneOS provides more than 100 predefined services. To view all the predefined services sup-
ported by the current version, use the above show command or WebUI.
The following section describes several common predefined services.

RSH

RSH ALG (Remote Shell) allows authenticated users to run shell commands on a remote host.
Hillstone devices support RSH services in transparent mode, NAT mode and router mode.

Sun RPC

Sun RPC (Sun Remote Procedure Call) allows a program running on one host to call programs
running on other hosts. Because of the large number of RPC services and the requirement for
broadcasting, the transport addresses of RPC services are dynamically negotiated based on the
program number and version of the services. You can define binding protocols that map RPC
program numbers and service versions to transport addresses.
Hillstone devices support a predefined Sun RPC service for users to permit or deny traffic accord-
ing to policies configured. You can define a policy rule to permit or deny all the RPC requests.
For example, if you need to use the network file system (NFS), then configure a policy rule that
allows Sun RPC services.

130 Chapter 1 Firewall


MS RPC

Microsoft Remote Procedure Call (MS RPC) is the RPC implementation of the Microsoft dis-
tributed computing environment. MS RPC allows the program running on a host to call programs
running on other hosts. Because of the large number of RPC services and the requirement for
broadcasting, RPC services’ transmission addresses are dynamically negotiated based on the
UUID (Universal Unique Identifier) of the server.
Hillstone devices support a predefined MS RPC service for users to permit or deny traffic accord-
ing to policies configured. You can define a policy rule to permit or deny all the RPC requests.
For example, if you need to use the Outlook/Exchange or MSqueue service, configure a policy
rule that allows MS RPC services.

Predefined Service Group

The predefined service group includes some associated predefined services to facilitate users’
configuration. StoneOS provides more than 10 predefined service groups. The service group that
contains dynamically identified predefined services is known as a dynamically identified pre-
defined service group, and such a service group needs to be configured individually. When the
dynamically identified predefined services are updated by the signature database, the cor-
responding dynamically identified predefined service group will also be updated. You can view
and use the predefined service groups, but cannot edit or delete them.
To view the predefined service groups, in any mode, use the following command:
show servgroup predefined

User-defined Service

Besides the above predefined services, you can also create your own user-defined services. A
user-defined service can include up to eight service entries. The parameters that you can specify
for the user-defined service entries are:

l Name

l Protocol type

l The source and destination port for a TCP or UDP service, or the type and code value for an
ICMP service.

l Timeout

l Application type

Creating/Deleting a User-defined Service

To create a service and add it to the service book via CLI, or to delete the specified service, in
the global configuration mode, use the following commands:
service service-name

no service service-name

l service-name – Specifies the name of the user-defined service. The length is 1 to 31 characters.
The name must be unique in the entire system. After executing the command, the CLI enters the
configuration mode of the created service.

To enable long connections, use the longlife-sess-percent command in the global configuration
mode to configure the percentage of long connections. The default value is 0.

Adding/Deleting a User-defined Service Entry

Each user-defined service can contain up to 8 service entries. The command used to add a service
entry varies with the protocol type of the entry.
To add a service entry of TCP or UDP type, in the service configuration mode, use the following
command:
{tcp | udp} dst-port min-port [max-port] [src-port min-port [max-port]] [timeout time-out-value | timeout-day time-out-value]

l dst-port min-port [max-port] – Specifies the destination port number of the user-defined
service. If the destination port number is a number range, then min-port is the minimum
destination port number, and max-port is the maximum destination port number. The value range
is 0 to 65535, and the destination port number should not be a single 0. For example, the
destination port number can be 0 to 20, but cannot only be 0.

l src-port min-port [max-port] – Specifies the source port number of the user-defined service.
If the source port number is a number range, then min-port is the minimum source port num-
ber, and max-port is the maximum source port number. The value range is 0 to 65535.

l timeout time-out-value – Specify the timeout value. The unit is second. The value varies
from 1 to 65525. The connection will disconnect after the timeout.

l timeout-day time-out-value – Specify the timeout value of the persistent connection. The
unit is day. The value varies from 1 to 1000. The connection will disconnect after the
timeout. You need to set the persistent connection percent before configuring the timeout
value of the persistent connection in the global mode.

To add a service entry of ICMP type, in the service configuration mode, use the following
command:
icmp type type-value [code min-code [max-code]] [timeout time-out-value | timeout-day time-out-value]

l type-value – Specifies the ICMP type value of the user-defined service. The value range is 3
(Destination-Unreachable), 4 (Source Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded),
12 (Parameter Problem), 13 (Timestamp), 15 (Information) and any (all the above type values).

l code min-code [max-code] – Specifies the ICMP code value for the user-defined service.
The value range is 0 to 5.

l timeout time-out-value – Specify the timeout value. The unit is second. The value varies
from 1 to 65525. The connection will disconnect after the timeout.

l timeout-day time-out-value – Specify the timeout value of the persistent connection. The
unit is day. The value varies from 1 to 1000. The connection will disconnect after the
timeout. You need to set the persistent connection percent before configuring the timeout
value of the persistent connection in the global mode.

To add a service entry of other types, in the service configuration mode, use the following
command:
protocol protocol-number [timeout time-out-value | timeout-day time-out-value]

l protocol-number – Specifies the protocol number of the user-defined service. The value
range is 1 to 255.

l timeout time-out-value – Specify the timeout value. The unit is second. The value varies
from 1 to 65525. The connection will disconnect after the timeout.

l timeout-day time-out-value – Specify the timeout value of the persistent connection. The
unit is day. The value varies from 1 to 1000. The connection will disconnect after the
timeout. You need to set the persistent connection percent before configuring the timeout
value of the persistent connection in the global mode.

To delete the specified service entry, use one of the following commands. The service entries can
only be deleted but cannot be edited.

l no {tcp | udp} dst-port min-port [max-port] [src-port min-port [max-port]]

l no icmp type type-value [code min-code [max-code]]

l no protocol protocol-number

Renaming a User-defined Service Entry

To rename an existing user-defined service entry, in the service configuration mode, use the
following command:
rename new-name

l new-name – Specifies the new name for the user-defined service entry.

You can also rename the user-defined service entry in the global configuration mode, using the
following command:
rename service old-name new-name

l old-name – Specifies the old name for the user-defined service entry.

l new-name – Specifies the new name for the user-defined service entry.

Configuration Example

The goal is to create a user-defined service named my-service, and add the following 3 service
entries to my-service:

l A service of TCP type, the destination port is 2121, and the source port is 80.

l A service of ICMP type, the type is 8, the code is 0.

l A service of other types, the protocol number is 47.

Use the following commands:

hostname(config)# service my-service

hostname(config-service)# tcp dst-port 2121 src-port 80

hostname(config-service)# icmp type 8 code 0

hostname(config-service)# protocol 47

hostname(config-service)# exit

hostname(config)#
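The entry commands above carry several limits that the device enforces only at entry time (ports 0 to 65535 with no single-0 destination port, timeout 1 to 65525 seconds or timeout-day 1 to 1000 days, the listed ICMP types with code 0 to 5, protocol 1 to 255, at most 8 entries and a 1 to 31 character name). The following added linter (example code, not Hillstone's) checks a service definition against those limits offline, so a configuration file can be validated before it is pasted into the CLI; it parses the same line syntax as the example.

```python
"""Validator for user-defined service entries (added example; not Hillstone
code). It applies the limits stated on the page: at most 8 entries per
service, ports 0-65535 with a destination port that is not a single 0,
timeout 1-65525 seconds or timeout-day 1-1000 days (not both), ICMP type in
the listed set with code 0-5, protocol number 1-255, name 1-31 characters.
"""

ICMP_TYPES = {3, 4, 5, 8, 11, 12, 13, 15}


def _port_range(tokens, i, label):
    """Reads min-port [max-port] at tokens[i]; returns (lo, hi, next index)."""
    lo = int(tokens[i]); i += 1
    hi = lo
    if i < len(tokens) and tokens[i].isdigit():
        hi = int(tokens[i]); i += 1
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"{label} must be within 0 to 65535 and min <= max")
    return lo, hi, i


def _timeout(tokens, i, entry):
    """Parses the optional trailing [timeout N | timeout-day N] clause."""
    if i >= len(tokens):
        return
    if i + 1 >= len(tokens) or len(tokens) > i + 2:
        raise ValueError(f"bad trailing clause: {' '.join(tokens[i:])}")
    key, val = tokens[i], int(tokens[i + 1])
    if key == "timeout" and 1 <= val <= 65525:
        entry["timeout_s"] = val
    elif key == "timeout-day" and 1 <= val <= 1000:
        entry["timeout_days"] = val
    else:
        raise ValueError(f"bad timeout clause: {key} {val}")


def parse_service_entry(line):
    """Parses one service-configuration-mode line into a validated dict."""
    t = line.split()
    entry = {"proto": t[0]}
    if t[0] in ("tcp", "udp"):
        if t[1] != "dst-port":
            raise ValueError("dst-port is mandatory for tcp/udp entries")
        lo, hi, i = _port_range(t, 2, "dst-port")
        if (lo, hi) == (0, 0):
            raise ValueError("destination port cannot be a single 0")
        entry["dst"] = (lo, hi)
        if i < len(t) and t[i] == "src-port":
            lo, hi, i = _port_range(t, i + 1, "src-port")
            entry["src"] = (lo, hi)
        _timeout(t, i, entry)
    elif t[0] == "icmp":
        if t[1] != "type":
            raise ValueError("icmp entries start with 'type'")
        typ = t[2]
        if typ != "any" and int(typ) not in ICMP_TYPES:
            raise ValueError(f"unsupported ICMP type {typ}")
        entry["type"] = typ if typ == "any" else int(typ)
        i = 3
        if i < len(t) and t[i] == "code":
            lo = int(t[i + 1]); i += 2
            hi = lo
            if i < len(t) and t[i].isdigit():
                hi = int(t[i]); i += 1
            if not (0 <= lo <= hi <= 5):
                raise ValueError("ICMP code must be within 0 to 5")
            entry["code"] = (lo, hi)
        _timeout(t, i, entry)
    elif t[0] == "protocol":
        num = int(t[1])
        if not 1 <= num <= 255:
            raise ValueError("protocol number must be within 1 to 255")
        entry["number"] = num
        _timeout(t, 2, entry)
    else:
        raise ValueError(f"unknown entry type {t[0]!r}")
    return entry


def lint_service(name, lines):
    """Validates a whole user-defined service; returns the parsed entries."""
    if not 1 <= len(name) <= 31:
        raise ValueError("service name must be 1 to 31 characters")
    if len(lines) > 8:
        raise ValueError("a user-defined service holds at most 8 entries")
    return [parse_service_entry(line) for line in lines]


if __name__ == "__main__":
    # The page's configuration example, as typed in service configuration mode
    print(lint_service("my-service", ["tcp dst-port 2121 src-port 80",
                                      "icmp type 8 code 0", "protocol 47"]))
```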

Service Group

You can organize some services together to form a service group, and apply the service group to
StoneOS policies directly. The service group of StoneOS has the following features:

l Each service of the service book can be used by one or more service groups.

l A service group can contain both predefined services and user-defined services.

l A service group can contain another service group. The service group of StoneOS supports up
to 8 layers of nests.

The service group also has the following limitations:

l Service and service group should not use the same name.

l The service group being used by any policy cannot be deleted. To delete such a service group,
you must first end its association with other modules.

l If a user-defined service is deleted from the service group, the service will also be deleted
from all the service groups using it.

Creating/Deleting a Service Group

To create a service group and add the service group to the service book via CLI, in the global
configuration mode, use the following command:
servgroup servicegroup-name

Notes: The name of the service group must be unique.

After executing this command, the CLI will enter the service group configuration mode.
To delete a service group, in the global configuration mode, use the following command:
no servgroup servicegroup-name

Adding/Deleting a Service/Service Group

The member of the service group can be either a service or a service group. To add a service to
the service group or delete a service from the service group, in the service group configuration
mode, use the following commands:
service { service-name | servicegroup-name }

no service { service-name | servicegroup-name }

When adding a service or service group to the service group, note that:

136 Chapter 1 Firewall


l Service in the service group must be unique.

l Each service group can contain up to 64 services; one service group supports up to 8 layers of
nests of another service group.
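The features and limits listed above (unique names across services and groups, 64 members per group, 8 layers of nesting, no deletion while a policy uses the group) are easiest to reason about when a nested group is flattened to the services a policy actually matches. The following added resolver (example code, not Hillstone's) does that and rejects configurations that break the limits; the book it builds is constructed, with SRV_INTERNET_PROTOCOL, ftp and my-service taken from this page and branch-allowed and policy 105 as constructed names. It counts the top-level group as layer 1, which is an assumption about how the 8-layer limit is counted.

```python
"""Resolver for nested service groups (added example; not Hillstone code).

Enforces the limits stated on the page: a service and a group may not share a
name, a group holds at most 64 members, nesting goes at most 8 layers deep
(assumption: the top-level group counts as layer 1), and a group used by a
policy cannot be deleted. A membership cycle is rejected at insertion time.
"""

MAX_MEMBERS = 64
MAX_NEST = 8


class ServiceBook:
    def __init__(self):
        self.services = set()   # predefined and user-defined service names
        self.groups = {}        # group name -> ordered list of member names
        self.policy_refs = {}   # group name -> set of policy ids using it

    def service(self, name):
        if name in self.groups:
            raise ValueError(f"{name!r} is already a service group name")
        self.services.add(name)

    def servgroup(self, name):
        if name in self.services:
            raise ValueError(f"{name!r} is already a service name")
        self.groups.setdefault(name, [])

    def add_member(self, group, member):
        members = self.groups[group]
        if member in members:
            raise ValueError(f"{member!r} is already in {group!r}")
        if member not in self.services and member not in self.groups:
            raise KeyError(f"{member!r} is neither a service nor a group")
        if len(members) >= MAX_MEMBERS:
            raise ValueError(f"{group!r} already holds {MAX_MEMBERS} members")
        members.append(member)
        try:
            self.nesting_depth(group)   # cycle or too-deep nesting raises
        except ValueError:
            members.pop()               # roll back the offending member
            raise

    def nesting_depth(self, group, _path=()):
        """Layers of groups reachable from group (1 = no nested groups)."""
        if group in _path:
            raise ValueError("cycle: " + " -> ".join(_path + (group,)))
        depth = 1
        for m in self.groups[group]:
            if m in self.groups:
                depth = max(depth, 1 + self.nesting_depth(m, _path + (group,)))
        if depth > MAX_NEST:
            raise ValueError(f"{group!r} nests deeper than {MAX_NEST} layers")
        return depth

    def effective_services(self, group):
        """Flattens the group to the set of services a policy would match."""
        out = set()
        for m in self.groups[group]:
            out |= self.effective_services(m) if m in self.groups else {m}
        return out

    def delete_group(self, group):
        if self.policy_refs.get(group):
            raise ValueError(f"{group!r} is used by policy "
                             f"{sorted(self.policy_refs[group])}; unbind first")
        del self.groups[group]
        for members in self.groups.values():   # drop it from parent groups
            if group in members:
                members.remove(group)


def build_example_book():
    """Constructed service book; only some names come from the page."""
    book = ServiceBook()
    for s in ("ftp", "http", "dns", "my-service"):
        book.service(s)
    book.servgroup("SRV_INTERNET_PROTOCOL")
    for s in ("ftp", "http", "dns"):
        book.add_member("SRV_INTERNET_PROTOCOL", s)
    book.servgroup("branch-allowed")                       # constructed
    book.add_member("branch-allowed", "SRV_INTERNET_PROTOCOL")
    book.add_member("branch-allowed", "my-service")
    book.policy_refs["branch-allowed"] = {105}             # constructed
    return book


if __name__ == "__main__":
    b = build_example_book()
    print(sorted(b.effective_services("branch-allowed")),
          "depth", b.nesting_depth("branch-allowed"))
```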

Adding/Deleting a Description to a Service/Service Group

To add a description to a service/service group, in the service/service group configuration mode,
use the following command:
description description

l description – Specifies the description of the service/service group.

Use no description to delete the description information.

Renaming a Service Group

To rename an existing service group, in the service group configuration mode, use the following
command:
rename new-name

l new-name – Specifies the new name for the service group.

You can also rename the service group in the global configuration mode, using the following
command:
rename servgroup old-name new-name

l old-name – Specifies the old name for the service group.

l new-name – Specifies the new name for the service group.

Application Overview
An application has specific attributes, such as its protocol, port number and application type.
Application is an essential element for the configuration of multiple StoneOS modules, including
policy rules, NAT rules, application QoS management, etc. StoneOS ships with over 5000
predefined applications and over 50 predefined application groups (when installed with the APP
DB license). You can also create user-defined applications and application groups as needed. All
these applications and application groups are stored in and managed by the StoneOS application
book.
If IPv6 is enabled, IPv6 applications will be recognized by StoneOS.

Predefined Application

StoneOS provides more than 100 predefined applications. You can view all the supported pre-
defined applications by using the show application predefined command.

Predefined Application Groups

The predefined application group includes some associated predefined applications to facilitate
users’ configuration. Upgrading the signature database will dynamically identify the predefined
applications. Currently, StoneOS provides more than 20 predefined application groups. You can
view and use the predefined application groups, but cannot delete or edit them.

Tip: For more information about upgrading the signature database and dynamic identification,
see Application Identification.

User-defined Application

Besides the above predefined applications, you can also create your own user-defined
applications. By configuring customized application signature rules, StoneOS can identify and
manage the traffic that crosses the device, thus identifying the type of the traffic.
Configuration of user-defined applications includes the following items:

l Creating/Deleting the user-defined applications

l Configuring the category/subcategory of user-defined applications

l Configuring the technology used by user-defined applications

138 Chapter 1 Firewall


l Configuring signatures for user-defined applications

l Creating/Deleting the application signature rules

l Configuring the entry of the application signature rule

l Configuring the application timeout value

l Modifying the order of the user-defined application signature

Creating/Deleting the User-defined Applications

To create a user-defined application and add this newly-created one to the application book, use
the following command in the global configuration mode:
application application-name

After executing this command, the system enters the application configuration mode.
To delete the user-defined application, use the following command:
no application application-name

Configuring the Category/Subcategory of User-defined Applications

The categories and subcategories of applications are maintained by the application signature
database. The category corresponds to the application group of level 1 in the signature database and
the subcategory corresponds to the application group of level 2 under level 1. When you configure
the category and subcategory of user-defined applications in the CLI, the system lists all
supported categories. The following table describes the supported categories and subcategories. If
any update occurs, the new table prevails. By default, user-defined applications are not configured
with a category.

Category             Subcategory

APP_BUSINESS         APP_BUSINESS_ERP
                     APP_EMAIL
                     APP_BUSINESS_DATABASE
                     APP_INDUSTRY
                     APP_MEDICAL
                     APP_IOT

APP_COMMUNICATION    APP_IM
                     APP_MOBILE_IM
                     APP_VOIP

APP_GAME             APP_PUZZLE_GAME
                     APP_MMO_GAME
                     APP_MOBILE_GAME

APP_INTERNET         APP_SPEEDTEST
                     APP_REMOTE_DESKTOP
                     APP_GENERAL
                     APP_P2P
                     APP_INTERNET_UTILITY
                     APP_MOBILE_INTERNET_UTILITY
                     APP_FILE_SHARING
                     APP_SOCIAL_NETWORK
                     APP_MOBILE_SOCIAL_NETWORK
                     APP_PROXY
                     APP_SECURITY
                     APP_STOCK
                     APP_SHOPPING_PLATFORM
                     APP_MOBILE_SHOPPING_PLATFORM
                     APP_LIVING_SERVICE
                     APP_MOBILE_LIVING_SERVICE
                     APP_NEWS_READING
                     APP_MOBILE_NEWS_READING
                     APP_EBANK

APP_MEDIA            APP_VIDEO_SURVEILLANCE
                     APP_MULTIMEDIA
                     APP_P2P_STREAM
                     APP_WEB_VIDEO
                     APP_MOBILE_WEB_VIDEO
                     APP_ONLINE_MUSIC
                     APP_MOBILE_ONLINE_MUSIC

APP_NETWORK          APP_DIRECTORY_SERVICE
                     APP_VPN
                     APP_ROUTING_PROTOCOL
                     APP_NETWORK_MGMT
                     APP_COMMON_PROTOCOL

APP_OTHER_CATEGORY   APP_DATA_TRANSFER
                     APP_ONLINE_INTERACTIVE

To configure the category and subcategory of user-defined applications, use the following
command in application configuration mode:
category category-name [subcategory sub-category-name]

l category-name - Specifies the category name of applications. Valid values of the category are
the application groups of level 1 in the application signature database.

l sub-category-name - Specifies the subcategory name of applications. Valid values of the
subcategory are the application groups of level 2 under the level 1 group specified by category-name.

To delete the category and subcategory configuration of user-defined applications, use the
following command in global configuration mode:
no category

Configuring the Technology Used by User-defined Applications

The technologies used by applications are maintained by the application signature database. You
can configure one of the following technologies for applications. If any update occurs, the new
technologies prevail. By default, user-defined applications are not configured with a technology.
To configure the technology used by user-defined applications, use the following command in
application configuration mode:

l technology browser-based: Sets the technology used by applications to browser-based.

l technology client-server: Sets the technology used by applications to client-server.

l technology network-protocol: Sets the technology used by applications to network-protocol.

l technology peer-to-peer: Sets the technology used by applications to peer-to-peer.

To delete the configuration of technology used by user-defined applications, use the following
command in application configuration mode:
no technology

Configuring Signatures for User-defined Applications

The signatures of applications are maintained by the application signature database. You can
configure one or more of the following signatures for user-defined applications. If any update
occurs, the new signatures prevail. By default, user-defined applications are not configured with a
signature.
To configure signatures for user-defined applications, use the following command in application
configuration mode:

l used-by-malware {yes | no}: Sets the signature of applications to used by malware or not
used by malware.

l evasive {yes | no}: Sets the signature of applications to evasive or non-evasive.

l prone-to-misuse {yes | no}: Sets the signature of applications to prone to misuse or not
prone to misuse.

142 Chapter 1 Firewall


l excessive-bandwidth {yes | no}: Sets the signature of applications to consume excessive
bandwidth or not consume excessive bandwidth.

l widely-used {yes | no}: Sets the signature of applications to widely used or not widely used.

l file-transfer {yes | no}: Sets the signature of applications to be able to transfer files or not be
able to transfer files.

l tunnels-other-apps {yes | no}: Sets the signature of applications to be used by other
applications or not be used by other applications.

l known-vulnerabilities {yes | no}: Sets the signature of applications to known vulnerabilities
exist or no known vulnerabilities exist.

Viewing the Configuration of User-defined Applications

To view the configuration of a specified user-defined application, use the following command in
any mode:
show application userdefined [application-name]

l application-name - Specifies the name of the user-defined application.

To view the configuration of all user-defined applications, use the following command in any
mode:
show application userdefined

Enabling the User-defined Application Signature Configuration Mode

To enable the user-defined application signature configuration mode, use the following command
in the global configuration mode:
app-signature

Creating/Deleting the User-defined Application Signature Rule

The system supports creating a user-defined application signature rule in two configuration
modes:

l User-defined application signature configuration mode: Configure all signatures of a user-defined
application.

l Application signature rule configuration mode: Configure any signature of a user-defined
application.

Configuring Rules in User-defined Application Signature Configuration Mode

In user-defined application signature configuration mode, use the following command:
signature from {src-addr | src-ip} to {dst-addr | dst-ip} protocol {tcp | udp} dst-port min-port [max-port] [src-port min-port [max-port]] application application-name

l src-addr – Specifies the source addresses of the address entry type.

l src-ip – Specifies the source addresses of the member IP type.

l dst-addr – Specifies the destination addresses of the address entry type.

l dst-ip – Specifies the destination addresses of the member IP type.

l dst-port min-port [max-port] – Specify the destination port number of the user-defined
application signature. If the destination port number is within a range, StoneOS will identify
the value of min-port as the minimum port number and identify the value of max-port as the
maximum port number. The range of destination port number is 0 to 66535. The port number
cannot be 0. For example, the destination port number is in the range of 0 to 20, but it cannot
be 0.

l src-port min-port [max-port] – Specify the source port number of the user-defined
application signature. If the source port number is within a range, StoneOS will identify the value of
min-port as the minimum port number and identify the value of max-port as the maximum port
number. The range of source port number is 0 to 66535.

l application-name – Specifies the application name of the signature rule.

144 Chapter 1 Firewall


Configuring Rules in Application Signature Rule Configuration Mode

In the user-defined application signature configuration mode, use the following command to
create a user-defined application signature rule and enter the application signature rule configuration
mode. If the specified ID already exists, the system will enter the application signature rule
configuration mode.
signature id id

To delete this user-defined application signature rule, use the following command in the user-
defined application configuration mode:
no signature id id

Configuring the Entry of the User-defined Application Signature Rule

A user-defined application signature rule can contain multiple signature rule entries. The logical
relationship between each entry is AND. AND represents that StoneOS can identify the traffic
type when the traffic satisfies all entries in this user-defined application signature rule.
Configuring the entry of the user-defined application signature rule includes the following
sections:

l Source security zone

l Source/destination IP address

l Source/destination port number of applications of TCP type or UDP type; The type value and
the code value of applications of ICMP type

l Application name

To specify the source security zone of the signature rule, use the following command in the
application signature rule configuration mode:
src-zone zone-name

l zone-name – Specifies the name of the source security zone.

To specify the source address of the address entry type, use the following command in the
application signature rule configuration mode:
src-addr src-addr

l src-addr – Specifies the source addresses of the address entry type.

To specify the source address of the member IP type, use the following command in the
application signature rule configuration mode:
src-ip src-ip

l src-ip – Specifies the source addresses of the member IP type.

To specify the destination address of the address entry type, use the following command in the
application signature rule configuration mode:
dst-addr dst-addr

l dst-addr – Specifies the source addresses of the address entry type.

To specify the destination address of the member IP type, use the following command in the
application signature rule configuration mode:
dst-ip dst-ip

l dst-ip – Specifies the source addresses of the member IP type.

For the application signature of TCP type or UDP type, specify the type and corresponding para-
meters using the following command in the application signature rule configuration mode:
p ro to co l {tcp | udp } dst-p o rt min-port [ max-port ] [src-p o rt min-port [ max-port ]]

l dst-port min-port [max-port] – Specify the destination port number of the user-defined
application signature. If the destination port number is within a range, StoneOS will identify
the value of min-port as the minimum port number and identify the value of max-port as the
maximum port number. The range of destination port number is 0 to 66535. The port number
cannot be 0. For example, the destination port number is in the range of 0 to 20, but it cannot
be 0.

l src-port min-port [max-port] – Specify the source port number of the user-defined applic-
ation signature. If the source port number is within a range, StoneOS will identify the value of

146 Chapter 1 Firewall


min-port as the minimum port number and identify the value of max-port as the maximum
port number. The range of source port number is 0 to 66535.

For the application signature of ICMP type, specify the type and corresponding parameters using the following command in the application signature rule configuration mode:
protocol icmp type type-value [code min-code [max-code]]

• type-value – Specifies the value of the ICMP type of the application signature. The options are as follows: 3 (Destination Unreachable), 4 (Source Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded), 12 (Parameter Problem), 13 (Timestamp), 15 (Information), and any (any represents all of the above values).

• code min-code [max-code] – Specifies the value of the ICMP code of the application signature. The ICMP code is in the range of 0 to 5. The default value is 0-5.

For the application signature of other types, use the following command in the application signature rule configuration mode:
protocol other-protocol protocol-number

• protocol-number – Specifies the protocol number of the application signature. The protocol number is in the range of 1 to 255.

To specify the application name of the signature rule, use the following command in the application signature rule configuration mode:
application application-name

• application-name – Specifies the application name of the signature rule.

To delete the signature rule, use the no form of the above commands. Existing signature rules cannot be edited; they can only be deleted.

Configuring the Application Timeout Value

You can configure the application timeout value. If it is not configured, StoneOS uses the default value of the protocol. To configure it, use the following command in the application configuration mode:
timeout {tcp | udp | icmp | other-protocol} timeout-value

• tcp | udp | icmp | other-protocol – Specifies the protocol type.

• timeout-value – Specifies the timeout value of the application. The range is 1 to 65535.

To specify the timeout period in days, use the following command in the application configuration mode:
timeout-day {tcp | udp | icmp | other-protocol} timeout-value

• tcp | udp | icmp | other-protocol – Specifies the protocol type.

• timeout-value – Specifies the timeout value of the application in days. The range is 1 to 1000.

Modifying the Order of the User-defined Application Signature Rule

Each user-defined application signature rule has a unique ID. When traffic flows into the device, StoneOS searches the user-defined application signature rules in order of priority to find the signature rule that matches the traffic. Once the traffic satisfies a specific application signature rule, StoneOS processes the traffic according to this matched rule. The search order is determined by priority, not by signature ID. To view the order of priority, use the show app-signature static command; StoneOS lists all application signatures according to their priority, with the highest-priority signature rule at the top and the lowest-priority signature rule at the bottom. When you create a signature rule, you can specify its priority, and you can also modify its priority in the user-defined application signature configuration mode: a signature rule can be moved to the top, to the bottom, or between two signature rules. To modify the priority, use the following command in the user-defined application signature configuration mode:
move id {top | bottom | before id | after id}
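The following model, added here as an example and not taken from StoneOS, puts the two points of the preceding sections together: the entries of a signature rule are ANDed, and matching follows priority order (the order show app-signature static lists), not ID order, with move {top | bottom | before | after} rearranging it. Rule IDs, application names and flows are constructed; rule 1 mirrors the my-application example later on this page.

```python
"""Added example (not StoneOS code) modelling the user-defined application
signature rules described above: the entries of one rule are ANDed, rules are
searched in priority order rather than ID order, and the order is changed with
move id {top | bottom | before id | after id}. All values are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class SignatureRule:
    rule_id: int
    application: str                             # application application-name
    src_zone: Optional[str] = None               # src-zone zone-name
    src_nets: Tuple[str, ...] = ()               # src-ip entries; empty means not configured
    dst_nets: Tuple[str, ...] = ()               # dst-ip entries; empty means not configured
    protocol: Optional[str] = None               # protocol tcp | udp | icmp
    dst_ports: Optional[Tuple[int, int]] = None  # dst-port min-port [max-port]
    src_ports: Optional[Tuple[int, int]] = None  # src-port min-port [max-port]
    icmp_type: Optional[int] = None              # type type-value
    icmp_code: Tuple[int, int] = (0, 5)          # code min-code [max-code]; default 0-5

    def matches(self, flow: dict) -> bool:
        """AND semantics: every configured entry must hold for the flow."""
        checks = []
        if self.src_zone is not None:
            checks.append(flow.get("src_zone") == self.src_zone)
        if self.src_nets:
            checks.append(any(ip_address(flow["src_ip"]) in ip_network(n) for n in self.src_nets))
        if self.dst_nets:
            checks.append(any(ip_address(flow["dst_ip"]) in ip_network(n) for n in self.dst_nets))
        if self.protocol is not None:
            checks.append(flow.get("protocol") == self.protocol)
        if self.dst_ports is not None:
            checks.append(self.dst_ports[0] <= flow.get("dst_port", -1) <= self.dst_ports[1])
        if self.src_ports is not None:
            checks.append(self.src_ports[0] <= flow.get("src_port", -1) <= self.src_ports[1])
        if self.icmp_type is not None:
            checks.append(flow.get("icmp_type") == self.icmp_type
                          and self.icmp_code[0] <= flow.get("icmp_code", -1) <= self.icmp_code[1])
        return all(checks)  # a rule with no entries matches anything (all([]) is True)


class SignatureTable:
    """Rules kept in priority order: index 0 is the top (highest priority)."""
    def __init__(self) -> None:
        self._rules: List[SignatureRule] = []

    def _index(self, rule_id: int) -> int:
        for i, rule in enumerate(self._rules):
            if rule.rule_id == rule_id:
                return i
        raise KeyError(f"signature id {rule_id} does not exist")

    def add(self, rule: SignatureRule) -> None:
        """signature id <id>: a new rule is appended, i.e. gets the lowest priority."""
        if any(r.rule_id == rule.rule_id for r in self._rules):
            raise ValueError(f"signature id {rule.rule_id} already exists")
        self._rules.append(rule)

    def move(self, rule_id: int, where: str, ref_id: Optional[int] = None) -> None:
        """move id {top | bottom | before id | after id}"""
        if where not in ("top", "bottom", "before", "after"):
            raise ValueError(f"unknown position {where!r}")
        if where in ("before", "after"):
            if ref_id is None or ref_id == rule_id:
                raise ValueError("before/after needs a different, existing rule id")
            self._index(ref_id)                    # validate before touching the list
        rule = self._rules.pop(self._index(rule_id))
        if where == "top":
            self._rules.insert(0, rule)
        elif where == "bottom":
            self._rules.append(rule)
        else:
            ref = self._index(ref_id)              # recomputed after the pop
            self._rules.insert(ref + (1 if where == "after" else 0), rule)

    def priority_order(self) -> List[int]:       # what 'show app-signature static' lists, top to bottom
        return [rule.rule_id for rule in self._rules]

    def identify(self, flow: dict) -> Optional[str]:
        """The first rule in priority order whose entries all match decides."""
        for rule in self._rules:
            if rule.matches(flow):
                return rule.application
        return None


def build_example_table() -> SignatureTable:
    """Constructed rules; ID 1 mirrors the page's my-application example."""
    table = SignatureTable()
    table.add(SignatureRule(1, "my-application", src_zone="untrust", protocol="tcp", dst_ports=(2121, 2121)))
    table.add(SignatureRule(2, "bulk-transfer", dst_nets=("192.0.2.0/24",), protocol="tcp", dst_ports=(2000, 3000)))
    table.add(SignatureRule(3, "my-ping", protocol="icmp", icmp_type=8, icmp_code=(0, 0)))
    return table
```

With the constructed rules, a TCP flow from zone untrust to port 2121 is identified as my-application while rule 1 is above rule 2, and as bulk-transfer after move 2 top, although the IDs are unchanged.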

User-defined Application Group

An application group contains multiple applications. You can apply the application group to a policy. An application group has the following features:

• Each application in the application book can be used in one or more application groups.

• Each application group can contain predefined applications and user-defined applications.

• Each application group can contain one or more application groups. StoneOS supports nested application groups: an application group within an application group can in turn reference one or more application groups. StoneOS supports up to 8-level nested application groups.

An application group also has the following restrictions:

• The names of an application group and an application cannot be identical.

• An application group referenced by a policy cannot be deleted. To delete an application group, make sure that no module references this application group.

• When you delete an application from the application book, this application is also deleted from the application groups that contain it.

Creating/Deleting an Application Group

To create an application group and add it to the application book, use the following command in the global configuration mode:
application-group application-group-name

Notes: Make sure the application group name is unique in StoneOS.

After executing this command, the system enters the application group configuration mode.
To delete an application group, use the following command in the global configuration mode:
no application-group application-group-name

Adding/Deleting an Application or Application Group

An application group can contain applications or application groups. To add an application to an application group, use the following command in the application group configuration mode:
application {application-name | application-group-name}

Note the following when adding an application:

• The application in the application group must be unique.

• Each application group can contain up to 64 applications and supports up to 8-level nested application groups.

To delete an application or application group from an application group, use the following command in the application group configuration mode:
no application {application-name | application-group-name}

Adding/Deleting a Description for an Application or Application Group

In the application configuration mode or the application group configuration mode, use the following command to add a description:
description description

• description – Specifies the description for the application or application group. You can enter up to 255 characters.

In the application configuration mode or the application group configuration mode, use the following command to delete the corresponding description:
no description

Application Identification

A number of functional modules in the system, for example stat-set and QoS, process data streams based on the type of application (to view the mapping between application IDs and application names, use the command show application list). Therefore, the system needs to identify the data stream first, and then implements the statistics and management functions based on the identification result (application ID) and the configuration.

Dynamic Identification

Dynamic identification allows the system to identify an application automatically by its signature. The automatic identification of applications is based on the security zone. By default, the automatic identification function of all security zones is disabled. To enable the dynamic identification function of a security zone, in the security zone configuration mode, use the following command:
application-identify

With dynamic identification enabled, the system identifies all the supported dynamically identified applications. To view the identified session information, use the command show session. To disable the dynamic identification function of a security zone, in the security zone configuration mode, use the following command:
no application-identify

Even if the automatic identification function of a security zone is disabled, the system can still identify some specific applications if appropriate policy rules are configured. For example, to identify QQ, configure the following two rules (take policy rules from the zone untrust to the zone trust as the example):

hostname(config)# policy-global

hostname(config-policy)# rule from any to any application QQ permit

Rule id 5 is created

hostname(config-policy)# rule from any to any application any permit

Rule id 6 is created

hostname(config-policy)# exit

hostname(config)#

SIP Deep Identification

SIP is an application layer protocol that is typically used to set up, connect and disconnect multimedia sessions, such as Internet phone calls. The SIP protocol can deliver multimedia session data, such as voice, video, or text. When the result of application identification is SIP, the system can further identify whether the packets use GB/T 28181 or GB/T 35114.

Enabling/Disabling SIP Deep Identification

To enable/disable SIP Deep Identification, in the global mode, use the following commands:

• To enable: app deep-identify protocol SIP enable

• To disable: no app deep-identify protocol SIP enable

Viewing the Status of SIP Deep Identification

To view the status of SIP Deep Identification, in the global mode, use the following command:
show app deep-identify status

Notes: Update the application signature DB before enabling this function.

Application Identification Bypass

When a large number of new sessions is created on the device, performing application identification for all of them consumes a large amount of the device CPU. After the application identification bypass function is configured, the device, with a certain probability, only performs service identification and cache table identification for new sessions and skips further identification. The CPU usage of the device is thus kept under control, and other functional modules are not affected. By default, this function is disabled.
You can configure the CPU usage range according to your own needs. Based on the configured CPU range and the current CPU usage, the device processes newly created sessions in different ways. If the current CPU usage is lower than the configured minimum CPU usage, the device performs application identification for all newly created sessions. If the current CPU usage is higher than the minimum CPU usage but lower than the configured maximum CPU usage, the device performs application identification for newly created sessions with a certain probability. The probability is approximately equal to (current CPU usage - minimum CPU usage)/(maximum CPU usage - minimum CPU usage). If the current CPU usage is higher than the maximum CPU usage, the device only performs service identification and cache table identification for all newly created sessions.

Enabling/Disabling Application Identification Bypass

To enable/disable application identification bypass, in the global configuration mode, use the following command:
app-ident-bypass {enable | disable}

• enable – Enables the application identification bypass.

• disable – Disables the application identification bypass.

Configuring CPU Usage Range

To configure the CPU usage range, in the global configuration mode, use the following command:
app-ident-bypass-threshold start_value end_value

• start_value – Specifies the minimum CPU usage. The value range is 0 to 100. The default value is 60. The unit is %.

• end_value – Specifies the maximum CPU usage. The value range is 0 to 100. The default value is 80. The unit is %.

Viewing Information of Application Identification Bypass

To view the status of the application identification bypass and the configured CPU usage range, in the global configuration mode, use the show app-ident-bypass command.
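The three CPU regimes described above, worked through as an added example that is not StoneOS code. The formula (current - minimum)/(maximum - minimum) is taken here as the probability that a new session is bypassed, which is the reading consistent with the stated behaviour at both ends of the range; the defaults mirror app-ident-bypass-threshold (60, 80), and the handling of start_value == end_value is an assumption of this example.

```python
"""Added example (not StoneOS code) of the application identification bypass
decision described above. (current - minimum)/(maximum - minimum) is read as
the probability that a new session is bypassed; an empty range
(start_value == end_value) is treated as a hard switch, which is an assumption."""
import random
from typing import Iterable, Tuple


def validate_threshold(start_value: int, end_value: int) -> Tuple[int, int]:
    """app-ident-bypass-threshold start_value end_value: both 0..100 %."""
    for value in (start_value, end_value):
        if not 0 <= value <= 100:
            raise ValueError(f"CPU usage {value} is outside 0..100 %")
    if start_value > end_value:
        raise ValueError("start_value must not exceed end_value")
    return start_value, end_value


def full_identification_probability(cpu_usage: float, start_value: int = 60,
                                    end_value: int = 80, enabled: bool = True) -> float:
    """Probability that a newly created session gets full application identification."""
    if not enabled:
        return 1.0                      # bypass disabled (the default): identify everything
    low, high = validate_threshold(start_value, end_value)
    if cpu_usage < low:
        return 1.0                      # below the minimum: all new sessions identified
    if cpu_usage > high or high == low:
        return 0.0                      # above the maximum: service + cache-table identification only
    bypass_probability = (cpu_usage - low) / (high - low)   # formula from the text
    return 1.0 - bypass_probability


def simulate(cpu_usage: float, sessions: int, seed: int = 0,
             start_value: int = 60, end_value: int = 80) -> Tuple[int, int]:
    """Counts (fully identified, bypassed) over `sessions` new sessions at a fixed CPU usage."""
    rng = random.Random(seed)           # seeded so the run is reproducible
    p_full = full_identification_probability(cpu_usage, start_value, end_value)
    full = sum(1 for _ in range(sessions) if rng.random() < p_full)
    return full, sessions - full


def expected_full_share(cpu_samples: Iterable[float], start_value: int = 60, end_value: int = 80) -> float:
    """Expected fraction of new sessions fully identified over a series of CPU readings."""
    samples = list(cpu_samples)
    return sum(full_identification_probability(c, start_value, end_value) for c in samples) / len(samples)
```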

Application Identification Cache Table

The application identification cache table stores application information to support application identification and PBR. The system supports dynamic and static application identification cache tables.

• Dynamic application identification cache table: stores application information that is learned dynamically (the result of dynamic application identification).

• Static application identification cache table: stores static application information. This table is included in the application signature database.

You can configure the application cache tables as needed for different scenarios.

Enabling/Disabling Application Identification Cache Table

Both the dynamic and static application identification cache tables are enabled by default. If the dynamic application identification cache table is disabled, the system still writes entries to the table, but does not identify any application based on the entries in the table. The static application identification cache table only takes effect when the dynamic application identification cache table is enabled, i.e., disabling the dynamic application identification cache table also disables the static application identification cache table.
To disable/enable the dynamic application identification cache table, in the global configuration mode, use the following commands:

• Disable: app cache disable

• Enable: no app cache disable

To disable/enable the static application identification cache table, in the global configuration mode, use the following commands:

• Disable: app cache static disable

• Enable: no app cache static disable

Specifying a Working Mode for the Dynamic Application Identification Cache Table

To specify a working mode for the dynamic application identification cache table, in the global configuration mode, use the following command:
app cache {cache-strict | response-check | pbr-check-strict}

• cache-strict – Applicable to SNAT scenarios (intranet users visit the Internet via NAT devices). In such a scenario, enabling this option effectively avoids false positives. This option is disabled by default.

• response-check – When the system may be subjected to single-directional packet attacks, this option is recommended to assure the accuracy of application identification. This option is disabled by default.

• pbr-check-strict – Specifies the application identification method for PBR. By default, even if the system has already identified the application in PBR based on the dynamic application identification cache table, it still continues the identification procedure and selects a policy-based route based on the final identification result. With this option enabled, the system stops the identification procedure once the application is identified based on the dynamic application identification cache table, and directly selects a policy-based route based on that identification result.

To cancel the above configuration, in the global configuration mode, use the following command:
no app cache {cache-strict | response-check | pbr-check-strict}

Clearing the Application Identification Cache Table

To clear all the entries in the dynamic application identification cache table, in any mode, use the following command:
clear app cache table

To clear all the entries in the static application identification cache table, in any mode, use the following command:
clear app cache table static

Viewing Application Identification Cache Table Information

To view whether the dynamic or static application identification cache table is enabled, along with the related configuration information, in any mode, use the command show app cache status.

Updating the Signature Database

Applications are updated frequently. Hillstone devices allow you to update the application signature database so that the devices can adapt to these changes in time and identify the latest software versions. Hillstone regularly publishes new signature files on the Hillstone website. You need to download the latest signature file and then upload it to the device.
To upload the signature file via CLI, in the execution mode, use the following command:
import application-signature from {ftp server ip-address [user user-name password password] | tftp server ip-address} file-name

• ip-address – Specifies the IP address of the FTP or TFTP server.

• user user-name password password – Specifies the username and password of the FTP server.

• file-name – Specifies the name of the signature file that will be uploaded.

After uploading the signature file, restart the device if a new application is added; do not restart if there is no new application and only existing applications are updated.

Configuring an Update Protocol

The system supports updating the signature database through HTTP and HTTPS, and the default protocol is HTTPS. To configure the update protocol as HTTP, in the global configuration mode, use the following command:
app update protocol HTTP
In the global configuration mode, use the command no app update protocol HTTP to restore the default value.

Specifying an HTTP Proxy Server

When the device accesses the Internet through an HTTP proxy server, you need to specify the IP address and the port number of the HTTP proxy server. With the HTTP proxy server specified, the various signature databases can update automatically and normally.
To specify the HTTP proxy server for the application signature database update, use the following command in the global configuration mode:
app update proxy-server {main | backup} ip-address port-number

• main | backup – Use the main parameter to specify the main proxy server and the backup parameter to specify the backup proxy server.

• ip-address port-number – Specifies the IP address and the port number of the proxy server.

To cancel the proxy server configuration, use the no app update proxy-server {main | backup} command.

Specifying an Update Schedule

By default, the system automatically updates the application identification database every day. To reduce the update server's workload, the time of the daily update is random. To specify the schedule and a specific time for the update, in the global configuration mode, use the following command:
app update schedule {daily | weekly {mon | tue | wed | thu | fri | sat | sun} | monthly date} [HH:MM]

• daily – Updates the database every day.

• weekly {mon | tue | wed | thu | fri | sat | sun} – Updates the database every week. The parameter mon | tue | wed | thu | fri | sat | sun specifies the day of the week.

• monthly date – Updates the database every month. The parameter date specifies the day of the month; the range is 1 to 31. If a month does not contain the specified date (e.g., there is no 30th in February), the database is not automatically updated that month.

• HH:MM – Specifies the time of the update, for example, 09:00.

Application Filter Group

An application filter group allows you to create a group that filters applications according to application category, subcategory, technology, risk, and attributes.
Configure the application filter group as follows:

1. Create an application filter group

2. Specify the application category

3. Specify the application subcategory

4. Specify the application technology

5. Specify the risk value for the application

6. Specify the characteristics of the application

Creating Application Filter Group

To create an application filter group, in the global configuration mode, use the following command:
application-filter filter-name

• filter-name – Specifies a name for the application filter group.

Use no application-filter filter-name to delete the application filter group.

Specifying Application Category

To specify the application category, in the application-filter-group configuration mode, use the following command:
category category-type

• category-type – Specifies the category type for the application filter group.

Use no category category-type to delete the category type.

Specifying Application Subcategory

To specify the application subcategory, in the application-filter-group configuration mode, use the following command:
subcategory subcategory-type

• subcategory-type – Specifies the subcategory type for the application filter group.

Use no subcategory subcategory-type to delete the subcategory type.

Specifying Application Technology

To specify the application technology, in the application-filter-group configuration mode, use the following command:
technology technology-type

• technology-type – Specifies the technology type for the application filter group.

Use no technology technology-type to delete the technology type.

Specifying Risk Value for Application

To specify the risk value, in the application-filter-group configuration mode, use the following command:
risk risk-value

• risk-value – Specifies the application risk value. The range is from 1 to 5, where 5 means the highest risk.

Use no risk risk-value to delete the risk value.

Specifying Application Characteristics

To specify the application characteristics, in the application-filter-group configuration mode, use the following commands:

• Specifies the “evasive” attribute: evasive [yes | no]

• Specifies the “excessive bandwidth” attribute: excessive-bandwidth [yes | no]

• Specifies the “file transfer” attribute: file-transfer [yes | no]

• Specifies the “known vulnerabilities” attribute: known-vunerabilities [yes | no]

• Specifies the “prone to misuse” attribute: prone-to-misuse [yes | no]

• Specifies the “tunnels other apps” attribute: tunnels-other-apps [yes | no]

• Specifies the “used by malware” attribute: used-by-malware [yes | no]

• Specifies the “widely used” attribute: widely-used [yes | no]

Chapter 1 Firewall 159


Configuration Example

In this configuration example, you create an application named my-application and configure the following settings for this application:

• Create a user-defined application signature rule for my-application and specify the ID of the signature as 1.

• Configure the entry of the application signature rule as follows:

  • Source zone: untrust

  • Source address: any

  • Destination address: any

  • Application type: TCP type; destination port number: 2121

See the following detailed commands:

hostname(config)# app-signature

hostname(config-appsig)# signature id 1

hostname(config-appsig-rule)# application my-application

hostname(config-appsig-rule)# src-zone untrust

hostname(config-appsig-rule)# src-addr any

hostname(config-appsig-rule)# dst-addr any

hostname(config-appsig-rule)# protocol tcp dst-port 2121

hostname(config-appsig-rule)# exit

hostname(config-appsig)# exit

hostname(config)#

After completing the configuration, traffic that satisfies signature rule 1 will be identified as the application my-application.


DNS
DNS, the abbreviation for Domain Name System, is a naming system for computers and network services organized as a hierarchy of domains. DNS is designed for TCP/IP networks to look up Internet domain names (e.g., www.xxxx.com) and translate them into IP addresses (e.g., 10.1.1.1) so that the related computers and services can be located.

Overview
The DNS function of Hillstone devices provides the following:

• Server: Configures DNS servers and default domain names for the Hillstone device.

• Proxy: The Hillstone device acts as a DNS proxy server and provides proxy service for the connected PCs and other clients. Besides, the Hillstone device can also choose different DNS servers according to domain names.

• Resolver: Sets the retry times and timeout for the Hillstone device's DNS service.

• Cache: Stores DNS mappings in a cache to speed up queries.

Configuring a DNS Server

The configuration of the DNS server includes:

• Configuring a domain name for the device

• Configuring a DNS domain name server for the device

Configuring a Domain Name

You can specify a domain name for the Hillstone device. StoneOS appends the domain name as a suffix to an incomplete name. For example, if you specify the domain name as yahoo.com and ping www on the device, StoneOS appends the domain name and looks for www.yahoo.com. In addition, the resolution sequence differs between specifying the domain name as yahoo.com and as com: if you specify the domain name as yahoo.com and ping www, the system first looks for www.yahoo.com; if you specify the domain name as com and ping www.yahoo, the system first looks for www.yahoo, and then looks for www.yahoo.com.
To specify a domain name, in the global configuration mode, use the following command:
ip domain name domain-name

• domain-name – Specifies the domain name. The length is 1 to 255 characters, but the maximum length between two periods (.) is only 63 characters.

To restore the default domain name, in the global configuration mode, use the command no ip domain name.
The following command specifies the default domain name as hillstonenet.com:

hostname(config)# ip domain name hillstonenet.com
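The name-completion behaviour just described, as an added example that is not StoneOS code: it reproduces the yahoo.com / com cases and applies the stated length limits for domain-name. That the presence of a dot in the typed name decides the lookup order is an inference from the two examples in the text, and the input names are constructed.

```python
"""Added example (not StoneOS code) of the name completion done by 'ip domain
name', as described above. A name without a dot is looked up with the configured
domain appended; a name that already contains a dot is tried as typed first and
with the suffix second. That the dot decides the order is an inference from the
two examples in the text; the length checks follow the stated limits (1 to 255
characters, at most 63 between two periods)."""
from typing import List


def validate_domain_name(domain_name: str) -> str:
    """Checks the limits stated for domain-name and returns the name without outer dots."""
    normalized = domain_name.strip(".")
    if not 1 <= len(normalized) <= 255:
        raise ValueError("domain name must be 1 to 255 characters")
    for label in normalized.split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"label {label!r} must be 1 to 63 characters")
    return normalized


def lookup_candidates(name: str, domain_name: str) -> List[str]:
    """Order in which names are tried when `name` is entered (e.g. in ping)."""
    suffix = validate_domain_name(domain_name)
    name = name.strip(".")
    with_suffix = f"{name}.{suffix}"
    if "." not in name:
        return [with_suffix]        # 'www' with domain yahoo.com -> www.yahoo.com
    return [name, with_suffix]      # 'www.yahoo' with domain com -> www.yahoo, then www.yahoo.com
```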

Configuring a DNS Domain Name Server

The DNS domain name server is used by the Hillstone device to resolve DNS. To specify a DNS domain name server, in the global configuration mode, use the following command:
ip name-server server-address1 [server-address2] ... [server-address6] [vrouter vrouter-name]

• server-address1 – Specifies the IP address of the domain name server. You can configure up to 6 domain name servers with one command or with multiple commands, i.e., running the command ip name-server 1.1.1.1 2.2.2.2 and running the commands ip name-server 1.1.1.1 and ip name-server 2.2.2.2 make no difference. You can configure up to 64 domain name servers.

• vrouter-name – Specifies a DNS server for the specified VRouter.

To cancel the specified DNS domain name server, in the global configuration mode, use the command no ip name-server server-address1 [server-address2] ... [server-address6].

Configuring a DNS Proxy

The DNS proxy function takes effect through DNS proxy rules. Generally, a proxy rule consists of two parts: the filtering condition and the action. You can set the filtering condition by specifying the traffic's ingress interface, source address, destination address, and domain name. The action of a DNS proxy rule can be proxy, bypass, or block. When the action of the proxy rule is specified as proxy, you need to configure the DNS proxy servers, so that DNS requests meeting the filtering condition are resolved by these DNS proxy servers.
Each proxy rule is labeled with a unique ID, which is automatically generated when the rule is created. You can also specify a proxy rule ID of your own choice. All proxy rules in StoneOS are arranged in a specific order. When DNS traffic flows into a Hillstone device, the device queries the proxy rules in the list in turn, and processes the traffic according to the first matched rule.
The configuration of DNS proxy on Hillstone devices includes:

• Configuring a DNS Proxy Rule

• Moving a DNS Proxy Rule

• Configuring Time Interval of Tracking for DNS Proxy

• Enabling/Disabling Calculating the Checksum of UDP Packets for DNS Proxy

• Specifying the TTL for DNS Proxy Response Packets

• DNS Proxy Hit Analysis

Configuring a DNS Proxy Rule

You can configure a DNS proxy rule via CLI to control the DNS traffic destined to the device. The configuration includes:

• Creating a DNS Proxy Rule

• Configuring the Filtering Condition of a DNS Proxy Rule

• Specifying the Action of a DNS Proxy Rule

• Configuring DNS Proxy Servers

• Enabling/Disabling DNS Proxy Log

• Enabling/Disabling a DNS Proxy Rule

• Modifying/Deleting the Description of a Proxy Rule

Creating a DNS Proxy Rule

To create a DNS proxy rule or enter the DNS proxy rule configuration mode, in the global configuration mode, use the following command:
dns-proxy rule [id id]

• id id – Specifies the ID of the DNS proxy rule. If not specified, the system automatically assigns an ID to the DNS proxy rule. The ID must be unique in the entire system.

To delete the DNS proxy rule, in the global configuration mode, use the command no dns-proxy rule id id.

Configuring the Filtering Condition of a DNS Proxy Rule

The filtering conditions of a DNS proxy rule include the ingress interface, source address, destination address and DNS domain name of the DNS request. You should configure all four conditions; the system then filters DNS requests according to the configuration. Only if a DNS request meets all four conditions is it considered a successful match.

Specifying Ingress Interface

You can specify the ingress interface of DNS request in the rule to filter the DNS request mes-
sage. It is permissible to specify numbers of interfaces. To add or delete the ingress interface of
request, in DNS proxy rule configuration mode, use the following command:

l Add the ingress interface of DNS traffic: ingress-interface interface-name

l Delete the ingress interface of DNS traffic: no ingress-interface interface-name

Specifying Source Address

You can specify the source address of DNS request in the rule to filter the DNS request message.
It is permissible to specify multiple source address filtering conditions. To add or delete the

164 Chapter 1 Firewall


source address of DNS request, in DNS proxy rule configuration mode, use the following com-
mand:

l Add the source address of the address entry type: src-addr { addr-name | any}

l Delete the source address of the address entry type: no src-addr { addr-name| any}

l Add the source address of the IP member type: src-ip {ip/netmask | ip-address netmask }

l Delete the source address of the IP member type: no src-ip {ip/netmask | ip-address
netmask }

l Add the source address of the IP range type: src-range min-ip max-ip

l Delete the source address of the IP range type: no src-range min-ip max-ip

Specifying Destination Address

You can specify the destination address of the DNS request in the rule to filter the DNS request
message. Multiple destination address filtering conditions may be specified. To add or delete
the destination address of the request, in DNS proxy rule configuration mode, use the following
command:

l Add the destination address of the address entry type: dst-addr {addr-name | any}

l Delete the destination address of the address entry type: no dst-addr {addr-name | any}

l Add the destination address of the IP member type: dst-ip {ip/netmask | ip-address netmask}

l Delete the destination address of the IP member type: no dst-ip {ip/netmask | ip-address
netmask}

l Add the destination address of the IP range type: dst-range min-ip max-ip

l Delete the destination address of the IP range type: no dst-range min-ip max-ip



Specifying Domain Name

You can specify the domain name of the DNS request in the rule to filter the DNS request message.
Multiple domain name filtering conditions may be specified. To add or delete the domain name, in
DNS proxy rule configuration mode, use the following command:
domain {any | domain-name | host-book host-book-entry}

l domain-name – Specifies the domain name that will be matched.

l any – Matches any domain name.

l host-book host-book-entry – Specifies the name of the host book entry that will be matched.

In DNS proxy rule configuration mode, use the following command to delete the domain name
that will be matched:
no domain {any | domain-name | host-book host-book-entry}

Specifying the Action of a DNS Proxy Rule

For a DNS request that meets the filtering conditions, the system can proxy, bypass or block the
traffic. You can specify the action of a DNS proxy rule, in DNS proxy rule configuration mode,
using the following command:
action {proxy [rollback] | bypass | block}

l proxy [rollback] – Specifies the action of the DNS proxy rule as proxy: the DNS request will
be resolved through the proxy server. You can configure the rollback property as needed.
With rollback configured, when no DNS proxy server is available or the DNS server cannot
resolve the name, the system bypasses the DNS request and forwards it to the DNS server
originally requested by the message.

l bypass – Specifies the action of the DNS proxy rule as bypass: the DNS request will be
forwarded to the DNS server originally requested by the message.

l block – Specifies the action of the DNS proxy rule as block: the DNS request will be
discarded.



Configuring DNS Proxy Servers

When the action of the proxy rule is proxy, you need to configure the DNS proxy servers. You
can specify up to six DNS servers, and you can configure the egress interface and preferred
properties for each server as needed. When multiple DNS servers are configured, the server with
the preferred property is selected for domain name resolution. If no preferred server is
specified, the system checks whether any DNS servers have an egress interface specified; if so,
it selects among those servers in round robin. If neither kind exists, that is, only regular DNS
servers are configured, it selects among the regular servers in round robin. To add a DNS proxy
server, in DNS proxy rule configuration mode, use the following command:
name-server server-ip [vrouter vrouter-name | egress-interface interface-name | preferred]

l server-ip – Specifies the IP address of the DNS proxy server.

l vrouter-name – Specifies a VRouter for the DNS proxy server.

l interface-name – Binds the egress interface to the DNS proxy server. After binding, the
system forwards the DNS request to the DNS proxy server through this interface.

l preferred – Specifies the DNS proxy server as the preferred server. A DNS proxy rule can
specify only one server as the preferred server.

To delete the DNS proxy server, in DNS proxy rule configuration mode, use the command
no name-server server-ip [vrouter vrouter-name].

Modifying/Deleting the Descriptions of a Proxy Rule

In DNS proxy rule configuration mode, use the following command to modify the description
of a rule:
description description

l description – Specifies the description of the DNS proxy rule.

In DNS proxy rule configuration mode, use the command no description to delete the
description.



Enabling/Disabling DNS Proxy Log

With the DNS Proxy Log function enabled, the system will generate log information when there
is DNS request traffic matching a DNS proxy rule. To enable or disable the DNS proxy log func-
tion, in the DNS proxy rule configuration mode, use the following command:
log {enable | disable}

l enable | disable - Enable (enable) or disable (disable) the DNS proxy log function.

Enabling/Disabling a DNS Proxy Rule

A DNS proxy rule is enabled by default. To disable or enable the rule, in DNS proxy rule
configuration mode, use the following command:

l Disable a DNS proxy rule: disable

l Enable a DNS proxy rule: enable

Moving a DNS Proxy Rule

Each DNS proxy rule is labeled with a unique ID. When traffic flows into the Hillstone device,
the device checks the DNS proxy rules in order and processes the DNS request according to the
first matched rule. The rule ID is not related to the matching sequence: the order displayed by
the command show dns-proxy is the order in which rules are checked for a match. You can move
a DNS proxy rule to modify the matching sequence. To move a DNS proxy rule, in global
configuration mode, use the following command:
dns-proxy move rule-id {top | bottom | before rule-id | after rule-id}

l move rule-id – Specifies the DNS proxy rule that will be moved.

l top – Moves the DNS proxy rule to the top of all the rules.

l bottom – Moves the DNS proxy rule to the bottom of all the rules.

l before rule-id – Moves the DNS proxy rule before the rule with the specified ID.

l after rule-id – Moves the DNS proxy rule after the rule with the specified ID.
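The following Python model is added to this guide to illustrate how the four filtering conditions, the rule actions (including rollback) and the move operations above work together; it is not StoneOS code. The sample address book and host book contents, the flag that tells the model whether the proxy servers could resolve the name, and the "no-match" result for a request that hits no rule are assumptions made for the example.

```python
"""DNS proxy rule evaluation model (added example, not Hillstone code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample address book and host book referenced by the rules.
ADDRESS_BOOK: Dict[str, List[str]] = {"lan-clients": ["192.168.10.0/24"]}
HOST_BOOK: Dict[str, List[str]] = {"intranet-hosts": ["intranet.example.com"]}


@dataclass
class DnsProxyRule:
    rule_id: int
    ingress: List[str]      # ingress-interface names
    src: List[str]          # "any", an address-book name, or "ip/netmask"
    dst: List[str]          # same forms as src
    domains: List[str]      # "any", a domain name, or "host-book:<entry>"
    action: str             # "proxy", "bypass" or "block"
    rollback: bool = False  # only meaningful with action "proxy"
    enabled: bool = True
    hits: int = 0


def _addr_matches(conds: List[str], addr: str) -> bool:
    ip = ip_address(addr)
    for cond in conds:
        if cond == "any":
            return True
        for net in ADDRESS_BOOK.get(cond, [cond]):
            if ip in ip_network(net, strict=False):
                return True
    return False


def _domain_matches(conds: List[str], qname: str) -> bool:
    name = qname.rstrip(".").lower()
    for cond in conds:
        if cond == "any":
            return True
        if cond.startswith("host-book:"):
            if name in HOST_BOOK.get(cond.split(":", 1)[1], []):
                return True
        elif name == cond.lower():
            return True
    return False


class DnsProxy:
    """Rules are kept in match order; the rule ID plays no part in matching."""

    def __init__(self, rules: List[DnsProxyRule]):
        self.rules = list(rules)
        self.requests = 0

    def _index(self, rule_id: Optional[int]) -> int:
        for i, r in enumerate(self.rules):
            if r.rule_id == rule_id:
                return i
        raise KeyError(f"no DNS proxy rule with id {rule_id}")

    def move(self, rule_id: int, where: str, ref_id: Optional[int] = None) -> None:
        """dns-proxy move rule-id {top | bottom | before ref | after ref}."""
        rule = self.rules.pop(self._index(rule_id))
        if where == "top":
            self.rules.insert(0, rule)
        elif where == "bottom":
            self.rules.append(rule)
        elif where in ("before", "after"):
            self.rules.insert(self._index(ref_id) + (where == "after"), rule)
        else:
            raise ValueError(f"unknown position {where!r}")

    def decide(self, ingress: str, src: str, dst: str, qname: str,
               proxy_can_resolve: bool = True) -> str:
        """The first enabled rule whose four conditions all match decides the
        request; the return value is the action actually taken."""
        self.requests += 1
        for rule in self.rules:
            if not rule.enabled:
                continue
            if (ingress in rule.ingress and _addr_matches(rule.src, src)
                    and _addr_matches(rule.dst, dst)
                    and _domain_matches(rule.domains, qname)):
                rule.hits += 1
                if rule.action == "proxy" and not proxy_can_resolve:
                    # rollback: fall back to the server the client asked for
                    return "bypass" if rule.rollback else "proxy-failed"
                return rule.action
        return "no-match"  # assumption: handled outside the proxy

    def hit_ratio(self) -> Dict[int, float]:
        """Share of all requests that hit each rule (the hit-analysis figure)."""
        total = self.requests or 1
        return {r.rule_id: r.hits / total for r in self.rules}
```

A rule with domain any placed before a more specific block rule shadows it, which is exactly what the move command is for: the model's hit counters make such shadowing visible, just as the hit analysis on the device does.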



Configuring Time Interval of Tracking for DNS Proxy

This function tracks the reachability of the DNS proxy servers. The system periodically probes
each DNS proxy server at the configured interval. When a server cannot be reached, its IP
address is removed from the DNS resolution list until the link is restored. By default, tracking
of DNS proxy servers is enabled. To configure the tracking interval for DNS proxy servers, in
global configuration mode, use the following command:
dns-proxy server-track [interval interval-time]

l interval-time – Specifies the tracking interval. The value range is 0 to 30 seconds. The
default value is 10.

To disable tracking of DNS proxy servers, in global configuration mode, use the following
command:
no dns-proxy server-track
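The server selection order from "Configuring DNS Proxy Servers" and the tracking behaviour described above, as an added Python model that is not Hillstone code. The probe callback that stands in for the periodic reachability check, and the assumption that an unreachable preferred server is simply skipped so that the next tier takes over, are not from the guide.

```python
"""DNS proxy server selection with server tracking (added example, not Hillstone code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class NameServer:
    ip: str
    vrouter: str = "trust-vr"                # assumed default VRouter name
    egress_interface: Optional[str] = None   # egress-interface binding, if any
    preferred: bool = False
    reachable: bool = True                   # maintained by the tracking probe


class ProxyServerList:
    MAX_SERVERS = 6                          # a rule accepts up to six name-servers

    def __init__(self, track_interval: int = 10):
        self.servers: List[NameServer] = []
        self.track_interval = self.check_interval(track_interval)
        self._rr = 0                         # round-robin cursor

    @staticmethod
    def check_interval(seconds: int) -> int:
        """dns-proxy server-track interval: 0 to 30 seconds, default 10."""
        if not 0 <= seconds <= 30:
            raise ValueError("tracking interval must be 0..30 seconds")
        return seconds

    def add(self, server: NameServer) -> None:
        if len(self.servers) >= self.MAX_SERVERS:
            raise ValueError("a DNS proxy rule accepts at most six servers")
        if server.preferred and any(s.preferred for s in self.servers):
            raise ValueError("only one server may be preferred")
        self.servers.append(server)

    def track(self, probe: Callable[[str], bool]) -> List[str]:
        """One tracking pass: mark each server reachable or not, and return
        the IPs currently removed from the resolution list."""
        for s in self.servers:
            s.reachable = probe(s.ip)
        return [s.ip for s in self.servers if not s.reachable]

    def select(self) -> Optional[NameServer]:
        """Preferred server first; otherwise the servers bound to an egress
        interface in round robin; otherwise the regular servers in round robin.
        Servers removed by tracking are skipped (assumption for the preferred one)."""
        live = [s for s in self.servers if s.reachable]
        for s in live:
            if s.preferred:
                return s
        pool = [s for s in live if s.egress_interface] or live
        if not pool:
            return None                      # nothing left to resolve with
        chosen = pool[self._rr % len(pool)]
        self._rr += 1
        return chosen
```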

Enabling/Disabling Calculating the Checksum of UDP Packet for DNS Proxy

The system calculates the checksum of UDP packets for DNS proxy when DNS proxy is enabled on
interfaces. If you need to improve the performance of the device, you can disable this function.
To enable/disable calculating the checksum of UDP packets for DNS proxy, in global
configuration mode, use the following command:

l Enable: dns-proxy udp-checksum enable

l Disable: dns-proxy udp-checksum disable

Specifying the TTL for DNS-proxy Response Packets

TTL refers to the survival time of the DNS records in the DNS-proxy server. To specify the TTL
of DNS-proxy response packets, in global configuration mode, use the following command:
dns-proxy ttl ttl-time

l ttl-time – Specifies the TTL for the DNS-proxy's response packets. If the DNS-proxy requests
receive no response within the TTL, the DNS client clears all DNS records. The value range is
30 to 600 seconds. The default value is 60.

To disable this function, in the global configuration mode, use the command dns-proxy ttl
disable.

DNS Proxy Hit Analysis

DNS Proxy Hit Analysis checks the hit counts of DNS proxy rules: each time DNS request traffic
matches a DNS proxy rule, that rule's hit count increases by 1, and the ratio of each rule's hits
to all DNS requests on the system is calculated, which directly shows how effectively the DNS
proxy rules are used in the user network.

Viewing DNS Proxy Statistical Information

To view the DNS proxy statistical information, in any mode, use the following command:
show dns-proxy statistics [history {day | hour | month | week}]

l history {day | hour | month | week} – Views the statistical information within the latest 1
hour (hour), the latest 1 day (day), the latest 1 week (week) or the latest 1 month (month). If
not specified, all DNS proxy statistics are displayed.

Clearing DNS Proxy Statistical Information

To clear all the DNS proxy statistical information, in any mode, use the following command:
clear dns-proxy statistics

Viewing the DNS Proxy Rule

To view the DNS proxy rules in detail, in any mode, use the following command:
show dns-proxy [rule id rule-id]

l rule-id – Shows the details of the specified DNS proxy rule. If not specified, all DNS
proxy rules are displayed.

Resolution
Users can specify the retry times and timeout of DNS requests for the DNS function of Hillstone
devices, TTL for the DNS-proxy response packets and DNS load balancing.

Specifying the Timeout of DNS Requests

StoneOS waits for the DNS server's response after sending the DNS request, and sends the
request again if no response returns within a specified time. The period of waiting for a response
is known as the timeout. To specify the timeout of DNS requests, in the global configuration mode,
use the following command:
ip domain timeout timeout-value

l timeout-value – Specifies the timeout value. The value range is 1 to 3 seconds. The default
value is 2.

To restore to the default timeout, in the global configuration mode, use the command no ip
domain timeout.

Specifying the Retry Times of DNS Requests

If the DNS request receives no response before the timeout, StoneOS sends the request again; if
there is still no response after the specified retry times (i.e., the number of times the DNS
request is repeated), StoneOS sends the request to the next DNS server. To specify the retry
times, in the global configuration mode, use the following command:
ip domain retry times

l times – Specifies the retry times. The value range is 1 to 3 times. The default value is 2.

To restore to the default retry times, in the global configuration mode, use the command no ip
domain retry.



Specifying the TTL for DNS Resolution Cache

TTL refers to the survival time of the DNS domain name resolution cache (including the dynamic
DNS cache and the register DNS cache). To specify the TTL of the DNS resolution cache, in the
global configuration mode, use the following command:
ip domain ttl ttl-time

l ttl-time – Specifies the TTL for the DNS resolution cache. When the TTL of the DNS resolution
cache expires, the system clears all domain name records. The value range is 60 to 600 seconds.

In the global configuration mode, use the command no ip domain ttl to restore the default value,
which is the TTL value returned by the DNS server.

Enabling the DNS Resolution Log

You can enable the DNS resolution log function to record the result of DNS resolution and
generate log information; the log content includes the domain name, the IP address of the DNS
server and the generation time. By default, the function is disabled. To enable the DNS resolution
log function, in the global configuration mode, use the following command:
ip domain response-log

To disable the DNS resolution log function, in the global configuration mode, use the command
no ip domain response-log.

DNS Cache
When using DNS, a system might store the DNS mappings to its cache to speed up the query.
There are 3 ways to obtain DNS mappings:

l Dynamic: Obtains from DNS response.

l Static: Adds DNS mappings to cache manually.



l Register: DNS hosts specified by some modules of Hillstone devices, such as NTP, AAA,
address book, etc.

You can add static DNS mappings to cache, view DNS mappings and delete dynamic mappings.

Adding a Static DNS Mapping

To manually add a DNS mapping to the cache, in the global configuration mode, use the following
command:
ip host host-name {address1 [address2] ... [address8]} [vrouter vrouter-name]

l host-name – Specifies the host name. The length is 1 to 255 characters.

l {address1 [address2] ... [address8]} – Specifies the IP address of the host. You can specify
up to 8 IP addresses.

l vrouter-name – Specifies the VRouter for the host.

To delete the specified DNS mapping, in the global configuration mode, use the command no ip
host host-name.

Viewing a DNS Mapping

To view a DNS mapping, in any mode, use the following command:
show ip hosts [host-name] [vrouter vrouter-name]

l host-name – Shows the DNS mapping of the specified host.

l vrouter-name - Shows the DNS mapping of the specified VRouter.

Deleting a Dynamic DNS Mapping

To manually remove a dynamic DNS mapping, in the execution mode, use the following
command:
clear host [host-name [vrouter vrouter-name]]

l host-name – Deletes the DNS mapping of the specified host.

l vrouter-name – Deletes the host DNS mapping of the specified VRouter.

This command is used to delete the specified or all the dynamic DNS mappings. To delete the
static DNS mappings that are manually added, use the command no ip host.

DNS Snooping
The DNS Snooping function creates and maintains a mapping table of domain names and their
corresponding IPv4/IPv6 addresses through domain name resolution. The system returns the IP
addresses in the mapping table to the function modules that refer to the domain name (such as
the address book, PBR, policy, etc.), so as to implement domain-name-based access control.
DNS Snooping can obtain the domain name and IP address mapping through the following two
methods of domain name resolution:

l Active mode: System periodically initiates DNS queries to the configured DNS domain name
server to obtain the mapping information between the domain name and the IP address.

l Passive mode: System monitors the DNS response packets which flow through the device to
obtain the mapping information between the domain name and the IP address.

The configurations include:

l Specifying the Domain Name Resolution Mode

l Specifying the Maximum Mapping IP Addresses for a Specific Domain Name

l Specifying the Maximum Wildcard Domain Names

l Specifying the TTL for DNS Snooping Mapping Cache

l Viewing the Configuration Information of DNS Snooping

l Viewing the Mapping information of DNS Snooping



Specifying the Domain Name Resolution Mode

To specify the mode of domain name resolution, in the global configuration mode, use the
following command:
dns snooping mode {active | passive | all}

l active - Specifies the domain name resolution mode as the active mode. In this mode, the system
periodically initiates DNS queries to the configured DNS domain name server to obtain the
mapping information between the domain name and the IP address, and returns the IP address
to the function modules that refer to the domain name. This is the default value.

l passive - Specifies the domain name resolution mode as the passive mode. In this mode, the
system monitors the DNS response packets which flow through the device to obtain the mapping
information between the domain name and the IP address, and returns the IP address to the
function modules that refer to the domain name.

l all - Specifies the domain name resolution mode as both active mode and passive mode. The
IP address will be the union of the IP address resolved by active mode and passive mode.

In the global configuration mode, use the command no dns snooping mode to restore the default
value.

Specifying the Maximum Mapping IP Addresses for a Specific Domain Name

When the domain name resolution mode is passive mode, users can specify the maximum number
of mapping IP addresses for each specific domain name. To specify the maximum number of
mapping IP addresses for each specific domain name, in the global configuration mode, use the
following command:
dns snooping host-ip-num number

l number - Specifies the maximum number of mapping IP addresses for each specific domain
name. The range is 32 to 256. The default value is 64.



In the global configuration mode, use the command no dns snooping host-ip-num to restore the
default value.

Specifying the Forward Delay of DNS Response Packets

When DNS Snooping receives DNS response packets and the mapping information between the
domain name and the IP address needs to be updated, DNS Snooping can forward the DNS response
packets to the client after a delay, so that the client obtains the IP address only after the
mapping has been updated. To specify the forward delay time, in the global configuration mode,
use the following command:
dns snooping pak-delay time

l time - Specifies the forward delay time. The range is 0 to 2000 milliseconds. The default
value is 5 milliseconds.

In the global configuration mode, use the command no dns snooping pak-delay to restore the
default value.

Specifying the Maximum Wildcard Domain Names

The system supports wildcard domain name (e.g., *.test.com) resolution. To specify the maximum
number of wildcard domain names supported by the system, in the global configuration mode, use
the following command:
dns snooping wildcard-num number

l number - Specifies the maximum number of wildcard domain names supported by the system.
The range is 128 to 512. The default value is 128.

In the global configuration mode, use the command no dns snooping wildcard-num to restore the
default value.

Notes: The system resolves wildcard domain names only in passive mode.



Specifying the TTL for DNS Snooping Mapping Cache

TTL (Time-to-live) refers to the storage time of the domain name and IP address mapping cache.
To specify the TTL for DNS snooping mapping cache, in the global configuration mode, use the
following command:
dns snooping ttl ttl-value

l ttl-value - Specifies the TTL for DNS snooping mapping cache. The range is 60 to 3600
seconds. The default value is 3600 seconds.

In the global configuration mode, use the command no dns snooping ttl to restore the default
value.

Notes: The system periodically clears the domain name and IP address mapping
cache entries that reach the timeout value:

l In the passive mode, timeout value of the domain name and IP address mapping
cache = TTL for the DNS response packets + TTL for DNS snooping mapping cache.

l In the active mode, timeout value of the domain name and IP address mapping
cache = TTL for DNS Resolution Dynamic Cache. For more information about TTL
for DNS Resolution Dynamic Cache, see Specifying the TTL for DNS Resolution
Dynamic Cache.
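The following Python model, added here and not part of StoneOS, ties together the resolution modes, the host-ip-num cap, wildcard domain names and the cache timeout rules in the Notes above. The dynamic-cache TTL applied to active-mode entries (on the device this is the ip domain ttl setting or the value returned by the server), the integer clock passed to each call, and the fnmatch-style matching of wildcard names are assumptions made for the example.

```python
"""DNS snooping mapping cache model (added example, not Hillstone code)."""
from fnmatch import fnmatch
from typing import Dict, Iterable, Set, Tuple


class DnsSnooping:
    def __init__(self, mode: str = "active", host_ip_num: int = 64,
                 wildcard_num: int = 128, ttl: int = 3600,
                 dynamic_cache_ttl: int = 300):
        # Ranges and defaults follow the dns snooping commands; the
        # dynamic-cache TTL for active entries is an assumed value.
        if mode not in ("active", "passive", "all"):
            raise ValueError("mode must be active, passive or all")
        if not 32 <= host_ip_num <= 256:
            raise ValueError("host-ip-num is 32..256")
        if not 128 <= wildcard_num <= 512:
            raise ValueError("wildcard-num is 128..512")
        if not 60 <= ttl <= 3600:
            raise ValueError("ttl is 60..3600 seconds")
        self.mode, self.host_ip_num, self.wildcard_num = mode, host_ip_num, wildcard_num
        self.ttl, self.dynamic_cache_ttl = ttl, dynamic_cache_ttl
        self.wildcards: Set[str] = set()
        # domain -> {ip: expiry time}, one table per resolution method
        self.active: Dict[str, Dict[str, int]] = {}
        self.passive: Dict[str, Dict[str, int]] = {}

    def add_wildcard(self, pattern: str) -> None:
        """Register a wildcard name such as *.test.com (capped by wildcard-num)."""
        pattern = pattern.lower()
        if pattern not in self.wildcards and len(self.wildcards) >= self.wildcard_num:
            raise ValueError("wildcard-num reached")
        self.wildcards.add(pattern)

    def learn_active(self, name: str, ips: Iterable[str], now: int) -> None:
        """Result of a query the device initiated itself: timeout = TTL for
        the DNS resolution dynamic cache."""
        if self.mode == "passive":
            return
        self.active[name.lower()] = {ip: now + self.dynamic_cache_ttl for ip in ips}

    def learn_passive(self, name: str, answers: Iterable[Tuple[str, int]], now: int) -> None:
        """Answers seen in a DNS response flowing through the device:
        timeout = TTL in the response + TTL for the snooping cache."""
        if self.mode == "active":
            return
        entry = self.passive.setdefault(name.lower(), {})
        for ip, response_ttl in answers:
            if ip not in entry and len(entry) >= self.host_ip_num:
                break                      # host-ip-num cap for this domain
            entry[ip] = now + response_ttl + self.ttl

    def expire(self, now: int) -> None:
        """Periodic sweep dropping mappings that reached their timeout."""
        for table in (self.active, self.passive):
            for name in list(table):
                table[name] = {ip: t for ip, t in table[name].items() if t > now}
                if not table[name]:
                    del table[name]

    def addresses(self, name: str, now: int) -> Set[str]:
        """IPs handed to the modules (address book, policy, PBR) for a name;
        wildcard names are served from the passive table only."""
        self.expire(now)
        name = name.lower()
        if name.startswith("*."):
            if name not in self.wildcards:
                return set()
            return {ip for n, ips in self.passive.items() if fnmatch(n, name) for ip in ips}
        result: Set[str] = set()
        if self.mode in ("active", "all"):
            result |= set(self.active.get(name, {}))
        if self.mode in ("passive", "all"):
            result |= set(self.passive.get(name, {}))
        return result
```

In mode all the result is the union of both tables, as the all keyword describes; a passive entry outlives an active one for the same name because its timeout adds the snooping TTL to the TTL carried in the response.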

Viewing the Configuration Information of DNS Snooping

To view the configuration information of DNS snooping, in any mode, use the following
command:
show dns snooping configuration



Viewing the Mapping information of DNS Snooping

To view the mapping information of DNS snooping, in any mode, use the following command:
show dns snooping domain {active | passive} [domain-name]

l active | passive - View the domain name and IP address mapping information obtained by the
active mode or the passive mode.

l domain-name - View the domain name and IP address mapping information for a specified
domain name.

Enabling/Disabling DNS
By default, DNS is disabled on Hillstone devices. To enable/disable the DNS function, in the
global configuration mode, use the following commands:

l Enable: ip domain lookup

l Disable: no ip domain lookup

Viewing DNS Configuration Information

To view DNS configuration information, in any mode, use the following command:
show dns

DNS Configuration Example

This section describes a typical DNS configuration example.

Requirement

The Hillstone device allows PC1 within the trust zone to access the Internet via DNS proxy. The
IP address of the DNS server in the public network is 202.106.0.20; the IP address of the device's
ethernet0/0 interface is 192.168.10.1/24; the IP address of PC1 in the trust zone, which is
connected to the above interface, is 192.168.10.3/24; the IP address of the ethernet0/1 interface,
which is connected to the public network in the untrust zone, is 10.160.65.31/24.



Configuration Steps

Step 1: Bind security zones and configure IP addresses for the Hillstone device's interfaces

hostname# configure

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 192.168.10.1/24

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 10.160.65.31/24

hostname(config-if-eth0/1)# exit

Step 2: Configure the DNS proxy rule on the Hillstone device

hostname(config)# dns-proxy rule

hostname(config-dns-proxy-rule)# ingress-interface ethernet0/0

hostname(config-dns-proxy-rule)# src-addr any

hostname(config-dns-proxy-rule)# dst-addr any

hostname(config-dns-proxy-rule)# domain any

hostname(config-dns-proxy-rule)# action proxy

hostname(config-dns-proxy-rule)# name-server 202.106.0.20

hostname(config-dns-proxy-rule)# exit

Step 3: On PC1, ping www.sina.com.cn. The domain name is resolved successfully.



DDNS
DDNS, the abbreviation for Dynamic Domain Name Server, is designed to resolve fixed domain
names to dynamic IP addresses. Generally you are allocated a dynamic IP address by your ISP
each time you connect to the Internet, i.e., the allocated IP addresses for different Internet
connections vary. DDNS can bind the domain name to your dynamic IP address, and the binding
between them is updated automatically each time you connect to the Internet.
In order to enable DDNS, you have to register with a DDNS provider to obtain a dynamic
domain name. Hillstone devices support the following 5 DDNS providers:

l 3322.org: http://www.3322.org

l Huagai.net: http://www.ddns.com.cn

l ZoneEdit.com: http://www.zoneedit.com

l no-ip.com: http://www.no-ip.com

l dyndns.org: http://www.dyndns.org

Visit one of the above websites to complete registration.

Configuring DDNS
When the IP address of the interface connecting to the external network changes, the Hillstone
device sends an update request to the DDNS server (over HTTP) to update the IP address and the
bound domain name. You can configure different DDNS names, then configure DDNS parameters
for the DDNS names (such as the update method, DDNS server and update interval), and finally
bind the configured DDNS names to interfaces to enable the DDNS function.
This section describes the following configurations:

l Configuring a DDNS name

l Binding the DDNS name to an interface



Configuring a DDNS Name

The DDNS service parameters need to be configured in the DDNS name configuration mode. To
create a DDNS name, specify the type of update and enter the specified DDNS service
configuration mode, in the global configuration mode, use the following command:
ddns name ddns-name type http

l ddns-name – Specifies the DDNS name.

l type http – Specifies how to update the DDNS service, i.e., sending the DDNS update
requests over HTTP.

The command leads you into the configuration mode of the specified DDNS name. You can con-
figure DDNS parameters for the DDNS service, including the DDNS provider, DDNS server
name and port number, the minimum and maximum update interval, as well as the username and
password of the DDNS provider.
To delete the specified DDNS name, in the global configuration mode, use the command no ddns
name ddns-name type http.

Specifying the DDNS Provider

Hillstone devices support 5 DDNS servers: 3322.org, Huagai.net, ZoneEdit.com, no-ip.com and
dyndns.org. To specify the DDNS provider, in the DDNS name configuration mode, use the
following command:
type {dyndns | huagai | no-ip | qdns | zoneedit}

l dyndns - Use dyndns.org as the DDNS provider.

l huagai - Use Huagai.net as the DDNS provider.

l no-ip - Use no-ip.com as the DDNS provider.

l qdns - Use 3322.org as the DDNS provider.

l zoneedit - Use ZoneEdit.com as the DDNS provider.



To cancel the specified DDNS provider, in the DDNS name configuration mode, use the
command no type.

Specifying the DDNS Server Name and Port

Different DDNS servers are configured with different server names and port numbers. To specify
the DDNS server name and port number, in the DDNS name configuration mode, use the
following command:
server name server-name port port-number

l server-name – Specifies the server name for the configured DDNS.

l port-number – Specifies the server port number for the configured DDNS. The value range
is 1 to 65535.

To cancel the specified DDNS server name and port number, in the DDNS name configuration
mode, use the command no server.

Notes: The DDNS server name and port number must be the actual name and port of the DDNS
server. Do not configure these options if the exact information is unknown. The server returns
the name and port information automatically after the connection to the DDNS server has been
established successfully.

Specifying the Minimum Update Interval

When the IP address of the interface with DDNS enabled changes, StoneOS sends an update
request to the DDNS server. If the request receives no response, StoneOS sends the request again
according to the configured minimum update interval. For example, if the minimum update
interval is set to 5 minutes, StoneOS sends the second request 5 minutes after the first request
fails; if it fails again, StoneOS sends the request again 10 (5x2) minutes later, then 20 (10x2)
minutes later, and so forth. The interval stops increasing when it reaches 120, i.e., StoneOS then
sends the request at a fixed interval of 120 minutes. To configure the minimum update interval,
in DDNS name configuration mode, use the following command:
minupdate interval time-value



l time-value – Specifies the minimum update interval. The value range is 1 to 120 minutes.
The default value is 5.

To restore to the default minimum update interval, in DDNS name configuration mode, use the
command no minupdate.

Specifying the Maximum Update Interval

On the condition that the IP address has not changed, StoneOS sends an update request to the
DDNS server at the maximum update interval. To configure the maximum update interval, in the
DDNS name configuration mode, use the following command:
maxupdate interval time-value

l time-value – Specifies the maximum update interval. The value range is 24 to 8760 hours.
The default value is 24.

To restore to the default maximum update interval, in DDNS name configuration mode, use the
command no maxupdate.
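The retry timing from "Specifying the Minimum Update Interval" and the periodic refresh at the maximum update interval described above, as an added Python model (not Hillstone code). The send callback that represents the HTTP update request, the minute-based clock and the hostname argument are assumptions made for the example.

```python
"""DDNS update scheduling model (added example, not Hillstone code)."""
from typing import Callable, List, Optional


def retry_schedule(min_update: int, failures: int) -> List[int]:
    """Minutes waited before each retry after consecutive failures:
    min, 2*min, 4*min, ... never more than 120."""
    if not 1 <= min_update <= 120:
        raise ValueError("minupdate interval is 1..120 minutes")
    waits, interval = [], min_update
    for _ in range(failures):
        waits.append(interval)
        interval = min(interval * 2, 120)
    return waits


class DdnsClient:
    def __init__(self, hostname: str, min_update: int = 5, max_update: int = 24):
        if not 1 <= min_update <= 120:
            raise ValueError("minupdate interval is 1..120 minutes")
        if not 24 <= max_update <= 8760:
            raise ValueError("maxupdate interval is 24..8760 hours")
        self.hostname = hostname                 # name obtained from the provider
        self.min_update = min_update
        self.max_update_minutes = max_update * 60
        self.bound_ip: Optional[str] = None      # IP the DDNS server currently holds
        self.pending_ip: Optional[str] = None    # IP change not yet pushed
        self.backoff = min_update                # wait after the next failure
        self.next_due: Optional[int] = None      # minute at which to send next
        self.attempts: List[int] = []            # trace of send times (minutes)

    def observe(self, now: int, ip: str) -> None:
        """Interface address seen at minute `now`; a change is pushed at once."""
        if ip != self.bound_ip and ip != self.pending_ip:
            self.pending_ip = ip
            self.next_due = now

    def tick(self, now: int, send: Callable[[str, str], bool]) -> Optional[bool]:
        """Send the update if one is due. Returns the send result, or None
        when nothing was due at this minute."""
        if self.next_due is None or now < self.next_due:
            return None
        target = self.pending_ip or self.bound_ip
        self.attempts.append(now)
        if send(self.hostname, target):
            self.bound_ip, self.pending_ip = target, None
            self.backoff = self.min_update
            self.next_due = now + self.max_update_minutes   # periodic refresh
            return True
        self.next_due = now + self.backoff                  # retry later
        self.backoff = min(self.backoff * 2, 120)           # doubling, capped
        return False
```

With the defaults, four attempts at minutes 0, 5, 15 and 35 correspond to three failures followed by a success, after which the next update is due 24 hours later unless the address changes first.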

Specifying the DDNS Username/Password

This command specifies the user information registered with the DDNS provider. To configure
the user information, in the DDNS name configuration mode, use the following command:
user user-name password user-password

l user-name - Specifies the username registered in the DDNS provider.

l user-password - Specifies the corresponding password.

To cancel the specified user information, in the DDNS name configuration mode, use the
command no user.

Binding a DDNS Name to an Interface

The domain names will not be updated according to the configured DDNS parameters upon any
interface IP address changes unless the DDNS name is bound to an interface. To bind the DDNS
name to an interface, in the global configuration mode, use the following command:
ddns enable ddns-name interface interface-name hostname host-name

l ddns-name – Specifies the DDNS name.

l interface-name – Specifies the name of the binding interface.

l host-name – Specifies the domain name obtained from the corresponding DDNS provider.

To cancel the specified binding, in the global configuration mode, use the command no ddns
enable ddns-name interface interface-name.

Viewing DDNS Information

To view the DDNS information, in any mode, use the following command:

l Show the DDNS configuration information: show ddns config ddns-name

l Show the DDNS state: show ddns state ddns-name

Example of Configuring DDNS


This section describes a typical DDNS configuration example.

Requirement

The interface ethernet0/1 of the Hillstone device is located in the untrust zone, and the interface
obtains its IP address by PPPoE. If the IP address changes during the PPPoE connection, the
interface sends an update request to the DDNS server.

Configuration Steps

Step 1: Create a PPPoE instance named pppoe1

hostname(config)# pppoe-client group pppoe1

hostname(config-pppoe-group)# auto-connect 10

hostname(config-pppoe-group)# idle-interval 5

hostname(config-pppoe-group)# route distance 2

hostname(config-pppoe-group)# route weight 10

hostname(config-pppoe-group)# authentication any

hostname(config-pppoe-group)# user user1 password 123456

hostname(config-pppoe-group)# exit

hostname(config)#

Step 2: Configure ethernet0/1

hostname# configure

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address pppoe setroute

hostname(config-if-eth0/1)# pppoe enable group pppoe1

hostname(config-if-eth0/1)# exit

Step 3: Configure DDNS on the device

hostname(config)# ddns name 3322 type http

hostname(config-ddns)# type qdns

hostname(config-ddns)# user test password 123456

hostname(config-ddns)# exit

Step 4: Bind ethernet0/1 to the DDNS name 3322 (the domain name obtained from 3322.org is
hillstonenet.3322.org)

hostname(config)# ddns enable 3322 interface ethernet0/1 hostname hillstonenet.3322.org

Step 5: Configure DNS on the device so that it can resolve domain names

hostname(config)# ip name-server 202.106.0.20

Step 6: Launch a PPPoE connection to trigger DDNS when the IP address of the interface
changes

hostname(config)# pppoe-client group pppoe1 connect



DHCP
DHCP, the abbreviation for Dynamic Host Configuration Protocol, is designed to allocate
appropriate IP addresses and related network parameters for subnets automatically, thus reducing
the network administration workload. Besides, DHCP avoids address conflicts and ensures that
idle addresses are re-allocated.

DHCP on Hillstone Devices

Hillstone devices support DHCP client, DHCP server and DHCP relay proxy.

l DHCP client: A Hillstone device's interface can be configured as a DHCP client and obtain
IP addresses from the DHCP server.

l DHCP server: A Hillstone device's interface can be configured as a DHCP server and allocate
IP addresses chosen from the configured address pool for the connected hosts.

l DHCP relay proxy: A Hillstone device's interface can be configured as a DHCP relay proxy to
obtain DHCP information from the DHCP server and forward the information to connected
hosts.

Hillstone devices are designed with all three of the above DHCP functions, but an individual
interface can only be configured with one of them.

Configuring a DHCP Client

You can configure an interface of the Hillstone device as the DHCP client that obtains an IP
address from the DHCP server. The DHCP client should be configured in the interface
configuration mode. The configuration includes:

l Obtaining an IP address via DHCP

l Releasing and renewing the IP address

l Configuring the route priority (administration distance) and route weight

Obtaining an IP Address via DHCP

To enable the interface to obtain an IP address via DHCP, in the interface configuration mode,
use the following command:
ip address dhcp [setroute]

l setroute – Uses the gateway specified by the DHCP server as the default route gateway.

To cancel the configuration, in the interface configuration mode, use the command no ip address
dhcp.
For example, to enable ethernet0/1 to obtain its IP address dynamically via DHCP and set the
default gateway route, use the following commands:

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address dhcp setroute

hostname(config-if-eth0/1)# exit

hostname(config)#

Releasing and Renewing the IP Address

The interface that has obtained a dynamic IP address via DHCP can release and renew its IP
address. To release and renew the IP address, in the interface configuration mode, use the fol-
lowing commands:

l Release: dhcp-client ip release

l Renew: dhcp-client ip renew

To view the DHCP IP address information allocated to an interface, in the interface configuration
mode, use the following command:
dhcp-client ip show

Configuring the Route Priority (Administration distance) and Route Weight

After the DHCP interface is configured with the default route (ip address dhcp setroute), to con-
figure the route priority (administration distance) and route weight, in the interface configuration
mode, use the following command:
dhcp-client route {distance value | weight value}

l distance value – Specifies the route priority. The value range is 1 to 255. The default value is
1.

l weight value – Specifies the route weight. The value range is 1 to 255. The default value is
1.

To restore the default route priority and weight, in the interface configuration mode, use the
command no dhcp-client route {distance | weight}.

Enable/Disable Classless Static Routing Options

After the DHCP interface is configured with the default gateway route (ip address dhcp setroute),
you can enable the classless static routing function via the DHCP options. When it is enabled, the
DHCP client will send a request message with the Option121 (i.e., classless static routing option)
to the server, and then the server will return the classless static route information. Finally, the cli-
ent will add the classless static routing information to the routing table. To enable the classless
static routing function via DHCP, in the interface configuration mode, use the following com-
mand:
dhcp-client classless-static-route

To disable the function of obtaining classless static route via DHCP, in the interface configuration
mode, use the following command:
no dhcp-client classless-static-route

Notes:

l The priority of classless static route is higher than the default gateway
route, i.e. when the device receives classless static routing options and
default gateway routing options at the same time, the device will only add
classless static routing information to the routing table.

l By default, it is enabled on interface eth0/0, while it is disabled on other
interfaces. You can enable or disable the function on all interfaces.
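The option 121 handling described above, as an added example that is not StoneOS code: a decoder for the RFC 3442 classless static route encoding, plus the precedence rule that classless routes replace the default gateway option (option 3). The sample option values are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def decode_option121(payload: bytes) -> List[Route]:
    """Parse an option 121 value into (destination network, router) pairs.

    RFC 3442 encoding of each entry: one byte of prefix length, then only the
    significant octets of the destination (ceil(prefix/8) of them), then the
    four-octet router address.  A /0 entry therefore carries no destination
    octets at all.
    """
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        prefix_len = payload[i]
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len} at offset {i}")
        n_sig = (prefix_len + 7) // 8
        i += 1
        if i + n_sig + 4 > len(payload):
            raise ValueError("truncated option 121 route entry")
        # Pad the significant octets back out to a full 4-byte address.
        dest = int.from_bytes(payload[i:i + n_sig] + bytes(4 - n_sig), "big")
        i += n_sig
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        # strict=False tolerates host bits a sender left set below the prefix.
        routes.append((ipaddress.IPv4Network((dest, prefix_len), strict=False), router))
    return routes


def routes_to_install(options: Dict[int, bytes]) -> List[Route]:
    """Apply the precedence rule: classless routes (121) win over the default
    gateway option (3); the gateway option is used only when 121 is absent."""
    if 121 in options:
        return decode_option121(options[121])
    if 3 in options:
        gateway = ipaddress.IPv4Address(options[3][:4])
        return [(ipaddress.IPv4Network("0.0.0.0/0"), gateway)]
    return []


# Constructed sample reply: 10.0.0.0/8 via 192.168.1.1, 172.16.4.0/22 via
# 192.168.1.2 and a default route via 192.168.1.254 in option 121, plus a
# default gateway 192.168.1.253 in option 3 that must be ignored.
SAMPLE_OPTIONS: Dict[int, bytes] = {
    121: bytes([8, 10, 192, 168, 1, 1])
         + bytes([22, 172, 16, 4, 192, 168, 1, 2])
         + bytes([0, 192, 168, 1, 254]),
    3: bytes([192, 168, 1, 253]),
}

if __name__ == "__main__":
    for net, gw in routes_to_install(SAMPLE_OPTIONS):
        print(f"{net} via {gw}")
```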

Viewing DHCP Client Configuration Information

To view the DHCP Client configuration information, in any mode, use the following command:
show dhcp-client interface { interface-name }

l interface-name – Specifies the name of interface.

Configuring a DHCP Server


The Hillstone device can act as a DHCP server to allocate IP addresses to the DHCP clients in
the subnets. The DHCP server should be configured in the DHCP server configuration mode.
To enter the DHCP server configuration mode, in the global configuration mode, use the fol-
lowing command:
dhcp-server pool pool-name

l pool-name – Specifies the name of the DHCP address pool.

After executing the above command, the system creates a new DHCP address pool and enters
the DHCP server configuration mode of the address pool; if the specified address pool already
exists, the system goes directly to the DHCP server configuration mode.
To delete the specified address pool, in the global configuration mode, use the command no
dhcp-server pool pool-name.
The DHCP server functions you can configure in the DHCP server configuration mode are:

l Basic configuration of the DHCP address pool

l Configuring auto-config

l Configuring DNS/WINS servers and domain name for the DHCP client

l Configuring SMTP/POP3/news servers for the DHCP client

l Configuring the IP address of the relay agent

l IP-MAC Binding

l Configuring option 49

After configuring the DHCP server address pool, you need to bind the DHCP address pool to an
interface in order to enable the DHCP server on the interface. For more specific commands, see
Binding the Address Pool to an Interface.
In addition, you can view the DHCP configuration of the system at any time using the show command.

Basic Configuration of the DHCP Address Pool

This section describes how to configure the DHCP address pool.

Configuring an IP Range

You need to specify the IP range used for external allocation. To specify the IP range of the
address pool, in the DHCP server configuration mode, use the following command:
address start-ip-address [ end-ip-address ]

To cancel the specified IP range, in the DHCP server configuration mode, use the command no
address start-ip-address.

Configuring a Reserved Address

IP addresses in the reserved address, within the IP range of the address pool, are reserved for the
DHCP server and will not be allocated. To configure the reserved address, in the DHCP server
configuration mode, use the following command:
exclude address start-ip-address [ end-ip-address ]

l start-ip-address – Specifies the start IP address of the reserved address.

l end-ip-address – Specifies the end IP address of the reserved address.

To cancel the specified reserved address range, in the DHCP server configuration mode, use the
command no exclude address start-ip-address.

Configuring a Gateway

To configure the IP address of the gateway for the client, in the DHCP server configuration
mode, use the following command:
gateway ip-address

l ip-address – Specifies the IP address of the gateway.

To cancel the specified IP address of the gateway, in the DHCP server configuration mode, use
the command no gateway.

Configuring a Netmask

To configure the netmask for the client, in the DHCP server configuration mode, use the fol-
lowing command:
netmask netmask

l netmask – Specifies the netmask, such as 255.255.255.0.

To cancel the specified netmask, in the DHCP server configuration mode, use the command no
netmask.

Configuring a DHCP Lease Time

The lease is the period during which a client is allowed to use an IP address, starting from the
time the address is allocated. After the lease expires, the client has to request an IP address
from the DHCP server again. To configure the lease of the DHCP server, in the DHCP server con-
figuration mode, use the following command:
lease lease-time

l lease-time – Specifies the lease time. The value range is 300 to 1048575 seconds. The
default value is 3600.

To restore to the default lease time, in the DHCP server configuration mode, use the command
no lease.

Configuring Auto-config

Auto-config works when the device acting as the DHCP server (and as the clients' gateway) also
has an interface enabled as a DHCP client. When auto-config is enabled and the DHCP server
(the Hillstone device) has no DNS, WINS or domain name configured, it distributes to the hosts
it serves the DNS, WINS and domain name information that its DHCP client interface obtained
from the upstream DHCP server. Manually configured DNS, WINS and domain name values still
take priority. To configure auto-config, in the DHCP server configuration mode, use the following
command:
auto-config interface interface-name

l interface-name – Specifies the interface with the DHCP client enabled on the same device.

To disable the function, in the DHCP server configuration mode, use the command no auto-config.

Configuring DNS/WINS Servers and Domain Name for the DHCP Client

To configure DNS, WINS servers and domain name for the DHCP client, in the DHCP server
configuration mode, use the following commands:
dns ip-address1 [ ip-address2 ]

l ip-address1 – Specifies the IP address of the primary DNS server.

l ip-address2 – Specifies the IP address of the alternative DNS server.

wins ip-address1 [ ip-address2 ]

l ip-address1 – Specifies the IP address of the primary WINS server.

l ip-address2 – Specifies the IP address of the alternative WINS server.

domain domain-name

l domain-name – Specifies the domain name.

To cancel the configured DNS, WINS server and domain name, in the DHCP server con-
figuration mode, use the following commands:

l no dns

l no wins

l no domain

Configuring SMTP/POP3/news Servers for the DHCP Client

To configure the SMTP, POP3 and news servers for the DHCP client, in the DHCP server con-
figuration mode, use the following commands:

l smtp ip-address

l pop3 ip-address

l news ip-address

To cancel the configured SMTP, POP3 and news servers, in the DHCP server configuration
mode, use the following commands:

l no smtp

l no pop3

l no news

Configuring the IP Address of the Relay Agent

When the device with the DHCP server enabled (Hillstone1) is connected to another device with
DHCP relay enabled (Hillstone2), and a PC obtains Hillstone1's DHCP information through Hill-
stone2, the DHCP information can be delivered to the PC only if the relay agent's IP address and
netmask are configured on Hillstone1. To configure a relay agent, in the DHCP server con-
figuration mode, use the following command:
relay-agent ip-address netmask

l ip-address netmask – Specifies the IP address and netmask of the relay agent, i.e., the IP
address and netmask for the interface with relay agent enabled on Hillstone2.

To cancel the specified relay agent, in the DHCP server configuration mode, use the command no
relay-agent ip-address netmask.

IP-MAC Binding

You can manually bind IP and MAC addresses to establish a corresponding relationship between
IP and MAC address on the device. In this way, the specified MAC address can only obtain the
corresponding bound IP address. To configure an IP-MAC binding, in the DHCP server con-
figuration mode, use the following command:
ip mac-bind ip-address mac [description description]

l ip-address – Specifies the IP address. The IP address must be the address defined in the
address pool.

l mac – Specifies the binding MAC address.

l description description – Specifies a description for this IP-MAC binding entry. You can spe-
cify up to 63 characters.

To cancel the specified IP-MAC binding, in the DHCP server configuration mode, use the com-
mand no ip mac-bind ip-address.

Binding the Address Pool to an Interface

If the address pool is bound to an interface, the interface will run DHCP server based on the con-
figuration parameters of the address pool. To bind the address pool to an interface, in the interface
configuration mode, use the following command:
dhcp-server enable pool pool-name

l pool-name – Specifies the address pool defined in the system.

To disable the DHCP server on the interface, in the interface configuration mode, use the com-
mand no dhcp-server enable.
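A Python model of the address pool semantics from the sections above (address range, exclude address, lease bounds and ip mac-bind), added here as an example and not StoneOS code; the first-free allocation order and the sample pool values are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

LEASE_MIN, LEASE_MAX, LEASE_DEFAULT = 300, 1048575, 3600   # seconds, per the lease command


def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


class DhcpPool:
    """One 'dhcp-server pool' with its address range, exclusions and bindings."""

    def __init__(self, name: str, start_ip: str, end_ip: Optional[str] = None) -> None:
        self.name = name
        self.start = _to_int(start_ip)
        self.end = _to_int(end_ip or start_ip)
        if self.end < self.start:
            raise ValueError("end-ip-address precedes start-ip-address")
        self.excluded: List[Tuple[int, int]] = []   # 'exclude address' ranges
        self.lease = LEASE_DEFAULT
        self.mac_bind: Dict[str, int] = {}           # 'ip mac-bind': mac -> ip
        self.leases: Dict[str, int] = {}             # active leases: mac -> ip

    def exclude(self, start_ip: str, end_ip: Optional[str] = None) -> None:
        self.excluded.append((_to_int(start_ip), _to_int(end_ip or start_ip)))

    def set_lease(self, seconds: int) -> None:
        if not LEASE_MIN <= seconds <= LEASE_MAX:
            raise ValueError(f"lease must be {LEASE_MIN} to {LEASE_MAX} seconds")
        self.lease = seconds

    def mac_bind_ip(self, ip: str, mac: str) -> None:
        """'ip mac-bind': the IP must lie inside the pool's address range."""
        n = _to_int(ip)
        if not self.start <= n <= self.end:
            raise ValueError(f"{ip} is not in pool {self.name}")
        self.mac_bind[mac.lower()] = n

    def _is_excluded(self, n: int) -> bool:
        return any(s <= n <= e for s, e in self.excluded)

    def allocate(self, mac: str) -> Optional[str]:
        """Return the IP offered to `mac`, or None when the pool is exhausted."""
        mac = mac.lower()
        if mac in self.mac_bind:            # a bound MAC only ever gets its bound IP
            n = self.mac_bind[mac]
        elif mac in self.leases:            # an existing lease is renewed
            n = self.leases[mac]
        else:
            # Bound IPs are reserved for their MACs, so skip them as well as
            # excluded ranges and addresses already leased (assumed order).
            taken = set(self.mac_bind.values()) | set(self.leases.values())
            n = next((c for c in range(self.start, self.end + 1)
                      if not self._is_excluded(c) and c not in taken), None)
            if n is None:
                return None
        self.leases[mac] = n
        return str(ipaddress.IPv4Address(n))


def demo_pool() -> DhcpPool:
    """Constructed configuration mirroring the CLI commands of this section."""
    pool = DhcpPool("lan-pool", "192.168.10.10", "192.168.10.20")
    pool.exclude("192.168.10.10", "192.168.10.12")   # kept back from allocation
    pool.set_lease(7200)
    pool.mac_bind_ip("192.168.10.15", "00:11:22:33:44:55")
    return pool


if __name__ == "__main__":
    p = demo_pool()
    for client in ("aa:bb:cc:00:00:01", "00:11:22:33:44:55",
                   "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"):
        print(client, "->", p.allocate(client))
```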

Configuring DHCP Options

When the interface acts as the DHCP server, the system supports the option 43, option 49,
option 60, option 66, option 67, option 138, option 150 and option 242.

Configuring Option 43

Option 43 is used to exchange vendor-specific information (VSI) between the DHCP client and
the DHCP server. The DHCP server uses option 43 to assign Access Controller (AC) addresses to
wireless Access Points (APs), and a wireless AP uses DHCP to discover the AC to which it is to
connect.

Configuring the VSI Carried by Option 43 for DHCP Server

To configure the VSI carried by option 43 for DHCP server, use the following command in the
DHCP server configuration mode:
option 43 {ascii value | hex value}

l ascii value – Specify the VSI in ASCII. If the string contains spaces, it must be enclosed in
quotes.

l hex value – Specify the VSI in hex.

To cancel the option 43 settings, use the no option 43 command.

Notes:

l If a VCI matching string has been configured, the DHCP server first verifies
the VCI carried by the option 60 field in the client's DHCP packets. When the
VCI matches the configured one, the IP address, option 43 and the cor-
responding information are offered. If not, the DHCP server drops the cli-
ent's DHCP packets and does not reply to the client.

l For verifying VCI carried by option 60, see Verifying VCI Carried by
Option 60 section.

Configuring Option 49

To let the DHCP client obtain the list of IP addresses of systems running the X Window System
Display Manager, configure the option 49 settings. To configure option 49, in the DHCP server
configuration mode, use the following command:
option 49 ip ip-address

l ip-address – Specifies the IP address of the server that is running the X Window System Dis-
play Manager.

To cancel the option 49 configurations, in the DHCP server configuration mode, use the com-
mand no option 49 ip ip-address.

Configuring Option 60

Option 60 is used by DHCP clients to optionally identify the type and configuration of a DHCP
client. The information is a string of n octets, interpreted by servers. Vendors and sites may
choose to define specific vendor class identifiers (VCI) to convey particular configuration or
other identification information about a client.
You can configure the following functions:

l Verify the VCI carried by the option 60 field in client’s DHCP packets. When the VCI
matches the configured one, the IP address and corresponding information will be offered.

l Set the VCI carried by the option 60 for the DHCP server.

Verifying VCI Carried by Option 60

The DHCP server can verify the VCI carried by option 60 in the client’s DHCP packets. When
the VCI in client’s DHCP packet matches the VCI matching string you configured in the
DHCP server, DHCP server will offer the IP address and other corresponding information. If not,
DHCP server will drop client’s DHCP packets and will not reply to the client. If you do not
configure a VCI matching string for the DHCP server, it will ignore the VCI carried by option 60.
To configure the VCI matching string, use the following command in the DHCP server con-
figuration mode:
vci-match-string {ascii value | hex value}

l ascii value – Specify the VCI matching string in ASCII. If the string contains spaces, it must
be enclosed in quotes.

l hex value – Specify the VCI matching string in hex.

In each specified DHCP server configuration mode, you can only set one VCI matching string.
The newly configured VCI matching string will replace the previous one.
To cancel the VCI matching string settings, use the no vci-match-string command.
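The option 60 gate and the option 43 / option 138 values it guards, as an added example (not StoneOS code) covering this section and the Option 43 notes above; the vendor class string, VSI bytes and AC addresses are constructed, and the wire encoding follows RFC 2132 (TLV options) and RFC 5417 (option 138).

```python
import ipaddress
from typing import Dict, List, Optional

MAX_OPTION138_ACS = 4          # "Each DHCP server supports up to 4 ACs"


def parse_value(kind: str, value: str) -> bytes:
    """Turn an {ascii value | hex value} CLI argument into raw option bytes."""
    if kind == "ascii":
        return value.encode("ascii")
    if kind == "hex":
        return bytes.fromhex(value)
    raise ValueError("kind must be 'ascii' or 'hex'")


def encode_option(code: int, data: bytes) -> bytes:
    """RFC 2132 TLV: one byte code, one byte length, then the value."""
    if len(data) > 255:
        raise ValueError("option value too long for a single TLV")
    return bytes([code, len(data)]) + data


class DhcpServerPool:
    """Option-related state of one 'dhcp-server pool'."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.vci_match: Optional[bytes] = None              # vci-match-string (one per pool)
        self.option43: Optional[bytes] = None               # option 43 VSI
        self.option138: List[ipaddress.IPv4Address] = []    # option 138 AC list

    def vci_match_string(self, kind: str, value: str) -> None:
        # A newly configured string replaces the previous one.
        self.vci_match = parse_value(kind, value)

    def option_43(self, kind: str, value: str) -> None:
        self.option43 = parse_value(kind, value)

    def option_138_ip(self, ac: str) -> None:
        addr = ipaddress.IPv4Address(ac)
        if addr in self.option138:
            return                      # repeating an AC is treated as a no-op (assumption)
        if len(self.option138) >= MAX_OPTION138_ACS:
            raise ValueError("option 138 already holds 4 ACs")
        self.option138.append(addr)

    def accepts(self, client_options: Dict[int, bytes]) -> bool:
        """Option 60 gate: with no vci-match-string configured, option 60 is ignored."""
        if self.vci_match is None:
            return True
        return client_options.get(60) == self.vci_match

    def offered_options(self, client_options: Dict[int, bytes]) -> Optional[bytes]:
        """Encoded options for the OFFER, or None when the client packet is dropped."""
        if not self.accepts(client_options):
            return None
        out = bytearray()
        if self.option43 is not None:
            out += encode_option(43, self.option43)
        # Option 138 is offered only when configured and listed in the client's
        # parameter request list (option 55).
        if self.option138 and 138 in client_options.get(55, b""):
            out += encode_option(138, b"".join(a.packed for a in self.option138))
        return bytes(out)


def demo_pool() -> DhcpServerPool:
    """Constructed configuration: an AP pool gated on a vendor class string."""
    pool = DhcpServerPool("ap-pool")
    pool.vci_match_string("ascii", "vendor-ap")      # constructed VCI
    pool.option_43("hex", "0104c0a80a01")            # constructed VSI bytes
    pool.option_138_ip("192.168.10.1")
    pool.option_138_ip("192.168.10.2")
    return pool


if __name__ == "__main__":
    pool = demo_pool()
    matching = {60: b"vendor-ap", 55: bytes([1, 3, 138])}
    print("match    ->", pool.offered_options(matching))
    print("mismatch ->", pool.offered_options({60: b"other-vendor"}))
```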

Configuring the VCI Carried by Option 60 for DHCP Server

After configuring the VCI carried by option 60 for DHCP server, the DHCP packets sent by the
DHCP server will carry this option and the corresponding VCI. To configure the VCI carried by
option 60 for DHCP server, use the following command in the DHCP server configuration mode:
option 60 {ascii value | hex value}

l ascii value – Specify the VCI in ASCII. If the string contains spaces, it must be enclosed in
quotes.

l hex value – Specify the VCI in hex.

To cancel the option 60 settings, use the no option 60 command.

Configuring Option 66

Option 66 carries the TFTP server name option. By configuring option 66, the DHCP client obtains
the domain name or the IP address of the TFTP server, from which it can download the startup
file specified in option 67.
To configure option 66, in the DHCP server configuration mode, use the following command:
option 66 {ascii string | hex value}

l ascii string – Specify the domain name or the IP address of the TFTP server in ASCII. The
length is 1 to 255 characters, but the maximum length between the two periods (.) is only 63
characters.

l hex value – Specify the domain name or the IP address of the TFTP server in hex.

To cancel the option 66 configurations, in the DHCP server configuration mode, use the com-
mand no option 66.

Notes: The TFTP server name must start with a letter or number and cannot end
with "." (dot). The "-" (hyphen) and "." (dot) cannot appear consecutively.
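A checker for the option 66 name rules in the note above, added as an example and not StoneOS code; the allowed character set (letters, digits, hyphen, dot) is an assumption, and "consecutively" is read as any two adjacent hyphen/dot characters.

```python
import re
from typing import Optional

_ALLOWED = re.compile(r"^[A-Za-z0-9.-]+$")   # character set is an assumption


def validate_option66_name(name: str) -> Optional[str]:
    """Return None when `name` satisfies the option 66 rules, else the reason."""
    if not 1 <= len(name) <= 255:
        return "length must be 1 to 255 characters"
    if not _ALLOWED.match(name):
        return "only letters, digits, '-' and '.' are allowed"
    if not name[0].isalnum():
        return "must start with a letter or number"
    if name.endswith("."):
        return "cannot end with '.'"
    if re.search(r"[.-]{2}", name):
        return "'-' and '.' cannot appear consecutively"
    if max(len(label) for label in name.split(".")) > 63:
        return "a label between two periods cannot exceed 63 characters"
    return None


if __name__ == "__main__":
    # Constructed candidates: two valid names followed by one failure per rule.
    for candidate in ("tftp.example.com", "192.168.1.10", "tftp..example.com",
                      "-tftp", "tftp.example.", "a" * 64 + ".com"):
        print(f"{candidate[:30]:32} {validate_option66_name(candidate) or 'ok'}")
```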

Configuring Option 67

The option 67 is used to configure the startup file name option for the TFTP server. By con-
figuring option 67, the DHCP client can get the name of the startup file.
To configure option 67, in the DHCP server configuration mode, use the following command:
option 67 {ascii string | hex value}

l ascii string – Specify the startup file name in ASCII. The length is 1 to 255 characters.

l hex value – Specify the startup file name in hex.

To cancel the option 67 configurations, in the DHCP server configuration mode, use the com-
mand no option 67.

Configuring Option 138

The Control And Provisioning of Wireless Access Points Protocol (CAPWAP) allows a Wireless
Termination Point (WTP) to use DHCP to discover the Access Controllers (AC) to which it is to
connect.
The DHCP server uses option 138 to carry a list of 32-bit (binary) IPv4 addresses indicating one
or more CAPWAP ACs available to the WTP. Then the WTP discovers and connects to the AC
according to the provided AC list.
If option 138 is not set on the DHCP server, or the DHCP client does not request option 138, the
DHCP server does not offer the option 138 settings.
To add an AC IP address to the list carried by option 138, use the following command in the
DHCP server configuration mode:
option 138 ip A.B.C.D

l A.B.C.D – Specify the IP address of the AC.

Repeat this command to add multiple ACs. Each DHCP server supports up to 4 ACs.
To cancel the specified AC, use the no option 138 ip A.B.C.D command.

Configuring Option 150

The option 150 is used to configure the address options for the TFTP server. By configuring
option 150, the DHCP client can get the address of the TFTP server.
To configure option 150, in the DHCP server configuration mode, use the following command:
option 150 ip ip-address

l ip-address – Specify the IP address of the TFTP server. You can configure up to 8 TFTP
servers.

To cancel the option 150 configurations, in the DHCP server configuration mode, use the com-
mand no option 150 ip ip-address.

Configuring Option 242

Option 242 is a vendor-private DHCP option for IP phones. By configuring option 242, the spe-
cific parameters of an IP phone can be exchanged between the DHCP server and the DHCP cli-
ent, such as the call server address (MCIPADD), the call server port (MCPORT), the TLS server
address (TLSSRVR), the HTTP server address (HTTPSRVR) and the HTTP server port
(HTTPPORT).
To configure option 242, in the DHCP server configuration mode, use the following command:
option 242 {ascii string | hex value}

l ascii string – Specify the specific parameters of the IP phone in ASCII. The length is 1 to
255 characters.

l hex value – Specify the specific parameters of the IP phone in hex.

To cancel the option 242 configurations, in the DHCP server configuration mode, use the com-
mand no option 242.

Viewing DHCP Configuration Information

To view the DHCP address pool binding information or statistics, use one of the following com-
mands:
show dhcp-server {binding | pool | statistics} pool-name

l binding pool-name – Shows the binding information of the specified address pool.

l statistics pool-name – Shows the statistics of the specified address pool.

l pool pool-name – Shows the information of the specified address pool.

Configuring a DHCP Relay Proxy
The Hillstone device can act as a DHCP relay proxy to receive requests from a DHCP client and
send requests to the DHCP server, and then obtain DHCP information from the server and return
it to the client. The DHCP relay proxy should be configured in the interface configuration mode.
The configurations include:

l Specifying the IP address of the DHCP server

l Enabling DHCP relay proxy on an interface

Notes: To ensure that clients can successfully obtain IP addresses, the administrator
needs to configure DHCP relay permit policies in the direction from the DHCP
server to clients.

Specifying the IP Address of the DHCP Server

To specify the IP address of the DHCP server, in the interface configuration mode, use the fol-
lowing command:
dhcp-relay server ip-address

l ip-address – Specifies the IP address of the DHCP server.

To cancel the specified IP address, in the interface configuration mode, use the command no
dhcp-relay server ip-address.

Enabling DHCP Relay Proxy on an Interface

To enable DHCP relay proxy on an interface, in the interface configuration mode, use the fol-
lowing command:
dhcp-relay enable

To disable the specified DHCP relay proxy, in the interface configuration mode, use the com-
mand no dhcp-relay enable.

Enabling the Function of Replacing the Source IP of the DHCP Relay Packets

In the scenario where the device acts as a DHCP relay proxy, when the device forwards requests
to the DHCP server, by default, it uses the IP address of the egress interface as the source IP of
the DHCP relay packets, whose source port is 68. However, in specific configurations where
strict security policies are applied, packets returned by the DHCP server may be dropped by the
device. To avoid this type of packet loss, you can enable this function. This way, the source IP of
the DHCP relay packets is replaced with the IP address of the interface on which the DHCP relay
proxy is enabled. The source port of the packets is changed to 67.
To enable the function of replacing the source IP address of the DHCP relay packets, in the
global configuration mode, use the following command:
dhcp-relay source-ip agent-ip
To restore to the default configuration, use the following command:
no dhcp-relay source-ip agent-ip

PPPoE
PPPoE, the abbreviation for Point-to-Point Protocol over Ethernet, combines PPP protocol and
Ethernet to implement access control, authentication and accounting on clients during IP address
allocation.
The implementation of PPPoE protocol consists of two stages: discovery stage and PPP session
stage.

l Discovery stage: The client discovers the access concentrator by identifying the Ethernet
MAC address of the access concentrator and establishing a PPPoE session ID.

l PPP session stage: The client and the access concentrator negotiate over PPP. The nego-
tiation procedure is the same as that of a standard PPP negotiation.

Hillstone devices' interfaces can be configured as PPPoE clients to accept PPPoE connections.

Configuring PPPoE
Hillstone devices allow you to configure multiple PPPoE instances, and then bind the configured
PPPoE instances to interfaces. If an interface is configured to obtain its IP address via PPPoE,
the interface will launch a PPPoE connection based on the parameters configured in PPPoE
instances. The PPPoE configurations include:

l Configuring a PPPoE instance

l Binding the PPPoE instance to an interface

l Obtaining an IP address via PPPoE

l Manually Connecting or Disconnecting PPPoE

l Viewing PPPoE configuration

Configuring a PPPoE Instance

You can configure various PPPoE parameters in the PPPoE instance, including access con-
centrator, authentication method, PPPoE connection method, netmask, route distance and
weight, service, static IP, PPPoE user information, schedule and DNS preference. The PPPoE
instances must be configured in the PPPoE instance configuration mode. To enter the PPPoE
instance configuration mode, in the global configuration mode, use the following command:
pppoe-client group group-name

l group-name – Specifies the name of the PPPoE instance. After executing the command, the
system will create a new PPPoE instance, and enter the instance configuration mode; if the
specified name exists, the system will enter the instance configuration mode directly.

To delete the specified PPPoE instance, in the global configuration mode, use the command no
pppoe-client group group-name.

Specifying the Access Concentrator

To use PPPoE connections, you need to specify the access concentrator first. To specify the
access concentrator, in the instance configuration mode, use the following command:
ac ac-name

l ac-name - Specifies the name of the concentrator.

To cancel the specified access concentrator, in the instance configuration mode, use the com-
mand no ac.

Specifying the Authentication Method

Hillstone devices must pass PPPoE authentication when connecting to a PPPoE server. The sup-
ported authentication methods are CHAP, PAP and any. The configured authentication method
must be the same as that configured on the PPPoE server. To specify the authentication method,
in the instance configuration mode, use the following command:
authentication {chap | pap | any}

l chap - Specifies the authentication as CHAP.

l pap - Specifies the authentication as PAP.

l any - Specifies the authentication as either CHAP or PAP. This is the default option.

To restore to the default authentication method, in the instance configuration mode, use the com-
mand no authentication.

Configuring a PPPoE Connection Method

PPPoE supports two connection methods:

l Automatic connection: If the PPPoE connection has been disconnected due to any reasons
for a certain period, i.e., the specified re-connect interval, StoneOS will try to re-connect auto-
matically.

l On-demand dial-up: If the PPPoE interface has been idle (no traffic) for a certain period, i.e.,
the specified idle interval, StoneOS will disconnect the Internet connection; if the interface
requires Internet access, StoneOS will connect to Internet automatically.

The above two methods are mutually exclusive; using both at the same time is not recom-
mended. When no schedule is configured, the system selects automatic connection by default.
To specify the re-connect interval, in the instance configuration mode, use the following com-
mand:
auto-connect time-value

l time-value - Specifies the re-connect interval. The value range is 0 to 10000 seconds. The
default value is 10, which means the function is disabled.

To restore to the default re-connect interval, in the instance configuration mode, use the com-
mand no auto-connect.
To specify the idle interval, in the instance configuration mode, use the following command:
idle-interval time-value

l time-value - Specifies the idle interval. The value range is 0 to 10000 minutes. The default
value is 0.

To restore to the default idle interval, in the instance configuration mode, use the command no
idle-interval.

Specifying the Netmask

You can specify the netmask for the IP address obtained via PPPoE. To specify the netmask, in
the instance configuration mode, use the following command:
netmask netmask

l netmask - Specifies the network mask, such as 255.255.255.0.

To cancel the specified netmask, in the instance configuration mode, use the command no net-
mask. After that, the system uses the default netmask 255.255.255.255.

Specifying the Route Distance/Weight

To specify the route distance and weight, in the instance configuration mode, use the following
command:
route {distance value | weight value}

l distance value – Specifies the route distance. The value range is 1 to 255. The default value
is 1.

l weight value – Specifies the route weight. The value range is 1 to 255. The default value is
1.

To restore to the default route distance and weight, in the instance configuration mode, use the
command no route {distance | weight}.

Specifying the Service

To specify the allowed service, in the instance configuration mode, use the following command:
service service-name

l service-name – Specifies the allowed service. The specified service must be the same as
that provided by the PPPoE server. If no service is specified, Hillstone devices automatically
accept any service returned by the server.

To cancel the specified service, in the instance configuration mode, use the command no service.

Specifying the Static IP

You can specify a static IP address and negotiate to use this address to avoid IP change. To spe-
cify the static IP address, in the instance configuration mode, use the following command:
static-ip ip-address

l ip-address – Specifies the static IP address.

To cancel the specified static IP address, in the instance configuration mode, use the command
no static-ip.

Specifying the PPPoE User Information

To specify the PPPoE user information, in the instance configuration mode, use the following
command:
user user-name password password

l user-name – Specifies the PPPoE username.

l password – Specifies the corresponding password.

To cancel the specified PPPoE user information, in the instance configuration mode, use the com-
mand no user.

Configuring the Schedule

Hillstone devices support schedules. You can specify a schedule for the PPPoE instance to make
the PPPoE interface maintain the Internet connection or disconnect from the Internet during the
specified period. To configure the schedule, in the instance configuration mode, use the following
command:

schedule schedule-name [disconnect | sch-auto-connection time-value | sch-idle-timeout
time-value]

l schedule-name – Specifies the name of the schedule.

l disconnect – If this keyword is selected, the system will disconnect PPPoE connection dur-
ing the specified period.

l sch-auto-connection time-value – If this keyword is selected, the system will connect to the
Internet during the specified period automatically. time-value is used to specify the re-con-
nect interval. The value range is 0 to 10000 seconds. The default value is 0, which means the
function is disabled.

l sch-idle-timeout time-value – If this keyword is selected, the system will dial up to the Inter-
net on demand during the specified period. time-value is used to specify the idle interval. The
value range is 0 to 10000 minutes. The default value is 30.

To cancel the specified schedule, in the instance configuration mode, use the command no sched-
ule.

Tip: For more information about how to create a schedule, see Creating a Sched-
ule of System Management.

Specifying the MAC Address of the PPPoE Server

If the MAC address of the PPPoE server is known, you can specify the MAC address of the
PPPoE server so that the Hillstone device can quickly connect to the PPPoE server. To specify
the MAC address of the PPPoE server, in the instance configuration mode, use the following com-
mand:
mac mac-address

l mac-address – Specifies the MAC address of the PPPoE server.

To cancel the specified MAC address, in the instance configuration mode, use the command no
mac.

Configuring Connection Status Detection

To detect the status of the PPPoE connection, you can enable the device to send LCP Echo
requests to the PPPoE server. If the device has not received a response from the PPPoE server
when the timeout expires, it sends the request again; if the number of retries reaches the spe-
cified value and the device still has not received a response, the system determines that the
PPPoE server is disconnected and marks the PPPoE interface as disconnected.
To configure the timeout, in the instance configuration mode, use the following command:
ppp lcp-echo-timeout timeout-value

l timeout-value – Specifies the timeout value. The value range is 1 to 1000 seconds. The
default value is 180.

To restore to the default timeout, in the instance configuration mode, use the following com-
mand:
no ppp lcp-echo-timeout
To configure the retry times, in the instance configuration mode, use the following command:
ppp lcp-echo-retries times

l times – Specifies the retry times. The value range is 1 to 30. The default value is 10.

To restore to the default retry times, in the instance configuration mode, use the following com-
mand:
no ppp lcp-echo-retries

Obtaining an IP Address via PPPoE

To enable the interface to obtain an IP address via PPPoE, in the interface configuration mode,
use the following command:
ip address pppoe [setroute]

l setroute – Uses the gateway specified by the PPPoE server as the default route gateway.

To cancel the configuration, in the interface configuration mode, use the command no ip address
pppoe.

Binding a PPPoE Instance to an Interface

After binding the configured PPPoE instance to an interface, the interface will adopt the para-
meters of the instance to establish PPPoE connections. To bind the PPPoE instance to an inter-
face, in the interface configuration mode, use the following command:
pppoe enable group group-name

l group-name – Specifies the name of the PPPoE instance.

To cancel the specified binding, in the interface configuration mode, use the command no pppoe
enable group.

Manually Connecting or Disconnecting PPPoE

To connect to or disconnect from the PPPoE, in the global configuration mode, use the following
command:
pppoe-client group group-name {connect | disconnect}

l group-name – Specifies the name of the PPPoE instance.

l connect – Connects to PPPoE.

l disconnect – Disconnects from PPPoE.

Viewing PPPoE Configuration Information

To view the PPPoE instance parameter information and the connection status, in any mode, use
the following command:
show pppoe-client {all | group group-name}

l all – Shows the information of all the PPPoE instances.

l group group-name – Shows the information of the specified PPPoE instance.

Example of Configuring PPPoE


This section describes a typical PPPoE configuration example.

Requirement

The Hillstone device acts as the PPPoE client and sends requests to the PPPoE server; the PPPoE
server returns responses to the client.

Configuration Steps

Step 1: Create a PPPoE instance named pppoe1 and specify the parameters

hostname(config)# pppoe-client group pppoe1
hostname(config-pppoe-group)# auto-connect 10
hostname(config-pppoe-group)# idle-interval 5
hostname(config-pppoe-group)# route distance 2
hostname(config-pppoe-group)# route weight 10
hostname(config-pppoe-group)# authentication any
hostname(config-pppoe-group)# user user1 password 123456
hostname(config-pppoe-group)# exit
hostname(config)#

Step 2: Enable ethernet0/3 to obtain its IP address via PPPoE, and bind the PPPoE instance to
ethernet0/3

hostname(config)# interface ethernet0/3
hostname(config-if-eth0/3)# zone untrust
hostname(config-if-eth0/3)# ip address pppoe setroute
hostname(config-if-eth0/3)# pppoe enable group pppoe1
hostname(config-if-eth0/3)# exit
hostname(config)#

Step 3: Create a schedule named schedule1, and enable ethernet0/3 to launch PPPoE connections
via on-demand dial-up from 9:00 to 15:30 every day. The idle timeout of the on-demand dial-up
is 20 minutes

hostname(config)# schedule schedule1
hostname(config-schedule)# absolute start 10/15/2007 09:30 end 11/05/2007 15:00
hostname(config-schedule)# periodic daily 09:00 to 15:30
hostname(config-schedule)# exit
hostname(config)# pppoe-client group pppoe1
hostname(config-pppoe-group)# schedule schedule1 sch-idle-timeout 20
hostname(config-pppoe-group)# exit
hostname(config)#

NAT

Overview
NAT (Network Address Translation) rewrites the IP addresses in an IP packet header. When IP
packets pass through a firewall or router, the device translates the source IP address and/or
the destination IP address in the packets. In practice, NAT is mostly used to allow a private
network to access the public network, or vice versa. NAT has the following advantages:

l Helps to relieve IP address exhaustion by using a small number of public IP addresses to
represent a large number of private IP addresses.

l Hides the addressing of the private network from external networks. Note that NAT alone is
not an access control: whether translated traffic is allowed is still decided by policy
matching.

Typically private networks use private IP addresses. RFC 1918 reserves the following three
address ranges for private use:

l Class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0 / 8)

l Class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)

l Class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

IP addresses in the above three ranges are not routed on the Internet. You can use them in an
enterprise network freely without requesting them from an ISP (Internet Service Provider) or an
address registry.

Basic Translation Process

A firewall that implements NAT sits between the public network and the private network. The
figure below illustrates the basic translation process of NAT.

As shown above, the firewall lies between the private network and the public network. When the
internal PC at 10.1.1.2 sends an IP packet (IP packet 1) to the external server at 202.1.1.2
through the firewall, the appliance checks the packet header. Finding that the packet is destined
for the public network, the appliance translates the source IP address 10.1.1.2 of packet 1 to
the public IP address 202.1.1.1, which is routable on the Internet, and then forwards the packet
to the external server. At the same time, the appliance records the mapping between the two
addresses in its NAT table. When the response to IP packet 1 reaches the firewall, the appliance
checks the packet header again, finds the mapping in its NAT table, and replaces the destination
address with the private address 10.1.1.2. The firewall is transparent to both the PC and the
server: the external server sees 202.1.1.1 as the address of the internal PC and knows nothing
about the private address 10.1.1.2. In this way NAT hides the private network of the enterprise.

NAT of Hillstone Devices


The NAT function of Hillstone devices translates the IP address and port number of an internal
host to an external address and port number of the device, and vice versa. That is, it translates
between "private IP address + port number" and "public IP address + port number".
Hillstone devices implement NAT through NAT rules. There are two types of NAT rules: source
NAT rules (SNAT rules) and destination NAT rules (DNAT rules). SNAT translates source IP
addresses, thereby hiding internal IP addresses or sharing a limited number of public IP
addresses; DNAT translates destination IP addresses, usually translating the public IP address
that clients connect to into the address of an internal server (such as a WWW server or SMTP
server) protected by the device.

Configuring a NAT Rule


NAT rules are created per VRouter. You can create, move and delete SNAT/DNAT rules in the
VRouter configuration mode, or configure NAT rules for the default VRouter trust-vr in the NAT
configuration mode (to enter the NAT configuration mode, in global configuration mode, use the
command nat).
To enter the VRouter configuration mode, in the global configuration mode, use the following
command:
ip vrouter vrouter-name

l vrouter-name – Specifies the name of VRouter.

Creating a BNAT Rule

BNAT can be seen as a combination of DNAT and SNAT: a single rule achieves both source and
destination translation.
In the packet processing flow, BNAT has precedence over DNAT. When a packet matches a BNAT
rule, it follows the destination translation and source translation defined in that BNAT rule and
does not check the other NAT rules. After BNAT mapping is finished, the packet goes on to
policy matching.
To create a BNAT rule, in the VRouter configuration mode, use the command below:
bnatrule [id id] [before id | after id | top] [interface interface-name] [zone zone-name] virtual
{ip {A.B.C.D/M | X:X:X:X:X::X/M} | address-book address-name} real {ip {A.B.C.D | A.B.C.D/M |
X:X:X:X:X::X/M} | address-book address-name} [group group-id] [description description]
[schedule schedule-name]

l id id – Specifies an ID for this BNAT rule. Each BNAT has its unique ID. If you skip enter-
ing ID for it, the system will assign an ID number automatically. If you specify an existing ID,
the new rule will replace the existing rule.

l before id | after id | top – Specifies the position of the rule. The position can be top, before
id or after id. If the position is not specified, the newly created rule is placed at the end of
the BNAT rule list.

l interface interface-name – Specifies the external interface for Internet users to visit.

l zone zone-name – Specifies the security zone to which the interface provided for Internet
user access is bound. After the configuration is completed, only the traffic that flows through
the interface bound to this security zone can continue to match the BNAT rule. By default,
the parameter is set to Any.
Note:

l The security zone must belong to the specified virtual router. In NAT configuration
mode, VRouter is trust-vr.

l Only one security zone can be configured for a BNAT rule.

l virtual {ip {A.B.C.D/M | X:X:X:X:X::X/M} | address-book address-name} – Specifies the
external IP address for Internet users to visit. This is normally a 1-to-1 mapping. If the
address is an address book entry or a range, make sure the virtual address contains the same
number of addresses as the real address. The mapping order is from top to bottom.
Note: The netmask must be specified; an IP address without a netmask is not supported. If an
IPv4 address is specified, the netmask ranges from 0 to 32. If an IPv6 address is specified, the
IPv6 prefix ranges from 48 to 128. If an address book is specified, the number of IPv4 virtual
addresses cannot exceed 2^32 and the number of IPv6 virtual addresses cannot exceed 2^80.

l real {ip {A.B.C.D/M | X:X:X:X:X::X/M} | address-book address-name} – Specifies the real
internal address. This address is invisible to Internet users; it is the real intranet address of
the server.
Note: The netmask must be specified; an IP address without a netmask is not supported. If an
IPv4 address is specified, the netmask ranges from 0 to 32. If an IPv6 address is specified, the
IPv6 prefix ranges from 48 to 128. If an address book is specified, the number of IPv4 addresses
cannot exceed 2^32 and the number of IPv6 addresses cannot exceed 2^80.

l group group-id - Specifies the HA group the BNAT rule belongs to. If the parameter is not
specified, the BNAT rule being created will belong to HA group0.

l description description – Specifies the description for this BNAT rule. You can specify at
most 63 characters.

l schedule schedule-name – Specifies the schedule for the BNAT rule.

To delete a BNAT rule, use the following command:
no bnatrule id id

For example, the following command implements BNAT translation. When Internet traffic accesses
the internal network and matches the BNAT rule based on the security zone to which the interface
provided for Internet user access is bound, the traffic is DNATed. When traffic from the internal
network accesses the Internet and matches the BNAT rule based on that same security zone, the
traffic is SNATed.

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# bnatrule interface ethernet0/1 zone untrust virtual ip 1.1.1.1/32 real ip 192.168.1.254/32
rule ID=1

(ethernet0/1 is the interface provided for Internet user access, untrust is the security zone to
which that interface is bound, 1.1.1.1/32 is the public IP address provided for Internet user
access, and 192.168.1.254/32 is the real internal address of the intranet PC.)
(DNAT translation of BNAT: when Internet traffic accesses the internal network from 1.1.1.2 to
1.1.1.1 and matches the BNAT rule, the traffic is DNATed: the destination address is converted to
192.168.1.254 and the source address remains unchanged.)
(SNAT translation of BNAT: when traffic from the internal network accesses the Internet from
192.168.1.254 to 1.1.1.2 and matches the BNAT rule, the traffic is SNATed: the source address is
converted to 1.1.1.1 and the destination address remains unchanged.)
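The two directions of the rule above, written out as an added Python model (not StoneOS code and not part of this guide). It assumes a simplified packet carrying ingress and egress zones, represents the regular SNAT chain by a hypothetical interface_snat stand-in that uses the constructed address 1.1.1.100, and adds a constructed /30 rule to show the positional (top-to-bottom) mapping the guide describes for address ranges. The precedence of BNAT over the other NAT rules is modelled by returning as soon as a BNAT rule matches, so the regular chain is never consulted for that packet.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class BnatRule:
    rule_id: int
    zone: str      # security zone of the Internet-facing interface (e.g. "untrust")
    virtual: str   # public address/mask that Internet users reach
    real: str      # real internal address/mask of the protected host(s)

    def __post_init__(self):
        self.vnet = ip_network(self.virtual, strict=False)
        self.rnet = ip_network(self.real, strict=False)
        # The guide requires equal virtual and real address counts; the mapping
        # is positional (first virtual -> first real, and so on).
        if self.vnet.num_addresses != self.rnet.num_addresses:
            raise ValueError(f"bnatrule {self.rule_id}: virtual/real address counts differ")

    def to_real(self, addr):
        return str(self.rnet[int(ip_address(addr)) - int(self.vnet.network_address)])

    def to_virtual(self, addr):
        return str(self.vnet[int(ip_address(addr)) - int(self.rnet.network_address)])


@dataclass
class Packet:
    src: str
    dst: str
    ingress_zone: str
    egress_zone: str
    applied: list = field(default_factory=list)   # translations applied, in order


def translate(packet, bnat_rules, regular_nat):
    """Translate one packet. BNAT rules are checked first, in list order (the
    order bnatrule move controls). A hit applies the BNAT translation and skips
    regular_nat, modelling the precedence over DNAT/SNAT rules the guide states."""
    for rule in bnat_rules:
        # Inbound: Internet user -> virtual address, arriving through the rule's zone.
        if packet.ingress_zone == rule.zone and ip_address(packet.dst) in rule.vnet:
            packet.dst = rule.to_real(packet.dst)            # DNAT half of the rule
            packet.applied.append(f"bnat:{rule.rule_id}:dnat")
            return packet
        # Outbound: real host -> Internet, leaving through the rule's zone.
        if packet.egress_zone == rule.zone and ip_address(packet.src) in rule.rnet:
            packet.src = rule.to_virtual(packet.src)         # SNAT half of the rule
            packet.applied.append(f"bnat:{rule.rule_id}:snat")
            return packet
    return regular_nat(packet)     # no BNAT hit: fall through to the DNAT/SNAT rules


def interface_snat(packet, public_ip="1.1.1.100"):
    """Hypothetical stand-in for the regular SNAT rule chain (constructed address)."""
    if packet.egress_zone == "untrust":
        packet.src = public_ip
        packet.applied.append("snat:regular")
    return packet


RULES = [BnatRule(1, "untrust", "1.1.1.1/32", "192.168.1.254/32"),   # the guide's rule
         BnatRule(2, "untrust", "1.1.1.8/30", "192.168.1.8/30")]     # constructed range rule


def demo():
    inbound = translate(Packet("1.1.1.2", "1.1.1.1", "untrust", "trust"), RULES, interface_snat)
    outbound = translate(Packet("192.168.1.254", "1.1.1.2", "trust", "untrust"), RULES, interface_snat)
    ranged = translate(Packet("1.1.1.2", "1.1.1.10", "untrust", "trust"), RULES, interface_snat)
    other = translate(Packet("192.168.2.5", "8.8.8.8", "trust", "untrust"), RULES, interface_snat)
    return inbound, outbound, ranged, other
```

Calling demo() shows the 1.1.1.2 to 1.1.1.1 packet leaving with destination 192.168.1.254 and an untouched source, the reply direction leaving with source 1.1.1.1, the range rule mapping 1.1.1.10 to 192.168.1.10 by position, and a host covered by no BNAT rule falling through to the regular chain.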

Moving a BNAT Rule

You can move a BNAT rule to modify the matching sequence. To move a BNAT rule, in the
VRouter configuration mode, use the following command:
bnatrule move id {before id | after id | top | bottom}

l id – Specifies the ID of the BNAT rule that will be moved.

l before id – Moves the BNAT rule before the specified ID.

l after id – Moves the BNAT rule after the specified ID.

l top – Moves the BNAT rule to the top of the BNAT rule list.

l bottom – Moves the BNAT rule to the bottom of the BNAT rule list.

Specifying a Schedule for a BNAT Rule

You can associate an existing BNAT rule with a schedule or modify the schedule for a BNAT
rule. To specify a schedule for a BNAT rule, use the following command in VRouter configuration
mode or NAT configuration mode:
bnatrule id id schedule schedule-name

l id – Specifies the ID of the BNAT rule that needs to reference a schedule.

l schedule-name – Specifies the schedule for the BNAT rule.

In VRouter configuration mode or NAT configuration mode, use the no bnatrule id id schedule
command to delete the schedule from a specified BNAT rule.

Creating an SNAT Rule

SNAT rules are used to specify whether to implement NAT on the source IP address of the
matched traffic. If NAT is implemented, you also need to specify the translated IP address and
translation mode. To configure an SNAT rule, in the VRouter configuration mode, use the fol-
lowing command:
snatrule [id id] [before id | after id | top] [ingress-interface interface-name] [from-zone
zone-name] [to-zone zone-name] from src-address to dst-address [service service-name] [eif
egress-interface | evr vrouter-name] trans-to {addressbook trans-to-address | eif-ip} mode
{static | dynamicip | dynamicport [sticky | round-robin]} [log] [group group-id] [disable]
[track track-name] [description description] [schedule schedule-name]

l id id – Specifies the ID of the SNAT rule. Each SNAT rule has a unique ID. If the ID is not
specified, the system will automatically assign one. If the specified SNAT ID exists, the ori-
ginal rule will be overwritten.

l before id | after id | top – Specifies the position of the rule. The position can be top, before
id or after id. If the position is not specified, the rule would be located at the end of all the
SNAT rules. By default, the newly-created SNAT rule is located at the end of all the rules.

l ingress-interface interface-name – Specifies the ingress interface of the SNAT rule. When
the interface is specified, only the traffic from this interface will continue to match this SNAT
rule, and traffic from other interfaces will not.

l from-zone zone-name – Specifies the security zone to which the ingress interface of traffic
that matches the SNAT rule is bound. After the configuration is completed, only the traffic
that flows through the ingress interface bound to this security zone can continue to match the
SNAT rule. By default, the parameter is set to Any.
Note:

l The source zone must belong to the specified virtual router. In NAT configuration
mode, VRouter is trust-vr.

l Only one source zone can be configured for an SNAT rule.

l to-zone zone-name – Specifies the security zone to which the egress interface of traffic that
matches the SNAT rule is bound. After the configuration is completed, only the traffic that
flows through the interface bound to this security zone can continue to match the SNAT rule.
By default, the parameter is set to Any.
Note:

l The destination zone must belong to the specified virtual router. In NAT configuration
mode, VRouter is trust-vr.

l Only one destination zone can be configured for an SNAT rule.

l from src-address to dst-address [service service-name] [eif egress-interface | evr vrouter-name]
– Specifies the conditions that the traffic must match. The conditions include:

l from src-address - Specifies the source IP address of the traffic. src-address should be
an IP address (IPv4 type or IPv6 type) or an address entry in the address book(IPv4
type or IPv6 type).

l to dst-address - Specifies the destination IP address of the traffic. dst-address should be
an IP address (IPv4 type or IPv6 type) or an address entry in the address book (IPv4
type or IPv6 type).

l service service-name – Specifies the service type of the traffic. service-name should
be a service defined in the service book.

l eif egress-interface | evr vrouter-name - Specifies the egress interface (eif egress-inter-
face) or the next-hop VRouter (evr vrouter-name) of the traffic.

l trans-to {addressbook trans-to-address | eif-ip} – Specifies the translated IP address. It can
be either an address entry in the address book or the address of the egress interface (eif-ip).

l mode {static | dynamicip | dynamicport [sticky | round-robin]} – Specifies the translation
mode. StoneOS supports three translation modes: static, dynamicip and dynamicport. For
more details, see the descriptions below:

l static – One-to-one translation. This mode requires that the translated address entry
(trans-to-address) contains the same number of IP addresses as the source address entry
(src-address).
Note: When configuring a static source NAT66 rule, the minimum subnet mask must be 48 bits.

l dynamicip – Dynamic IP mode. This mode translates the source address to an IP address from
the translated address entry: each source address is mapped to a unique IP address until all
specified addresses are occupied.

l dynamicport – Port address translation (PAT). Multiple source addresses are translated to one
specified IP address in the address entry, distinguished by port. If sticky is enabled, all
sessions from a given source IP address are mapped to the same fixed translated IP address. If
round-robin is enabled, sessions are assigned to the translated IP addresses in turn. If neither
sticky nor round-robin is enabled, the first address in the address entry is used first; when the
port resources of the first address are exhausted, the second address is used.
Note: sticky and round-robin are mutually exclusive and cannot be configured at the same time.

l log – Enables the log function for this SNAT rule (Generating a log when the traffic is
matched to this NAT rule).

l group group-id - Specifies the HA group the SNAT rule belongs to. If the parameter is not
specified, the SNAT rule being created will belong to HA group0.

l disable – Enter this command to disable the SNAT rule.

l track track-name – Specifies the name of a track object configured in the system. With this
option, the system tracks whether each translated public address is reachable. The track object
can be a Ping, HTTP or TCP track object. For more details, see Configuring a Track Object of
System Management. This function only supports dynamicport mode, and the translated address must
be an address book entry (i.e., trans-to addressbook trans-to-address). The system prefers
translated addresses whose track succeeds. When a translated address fails the track (it cannot
reach the tracked website or host), it is temporarily disabled until it is tracked successfully
again: the system disables the address and generates a log in the next tracking cycle, and stops
translating private addresses to that public address until it becomes reachable again. If all the
addresses in the public address book of the SNAT rule are unreachable, the system does not
disable any translated address, and generates a log.

l description description – Specifies the description for this SNAT rule. You can specify at
most 63 characters.

l schedule schedule-name – Specifies the schedule for the SNAT rule.

For example, the following command implements SNAT translation. When traffic from the internal
network accesses the Internet, the traffic is SNATed based on the security zone to which the
ingress interface of the traffic is bound and the security zone to which the egress interface of
the traffic is bound.

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# snatrule from-zone trust to-zone untrust from ip 192.168.2.23 to 1.1.12.3 trans-to ip 1.1.10.6 mode static
snat service not set, set to default Any
rule ID=1

(trust is the security zone to which the ingress interface of traffic that matches the SNAT rule
is bound, untrust is the security zone to which the egress interface of that traffic is bound,
192.168.2.23 is the source IP address, 1.1.12.3 is the destination IP address, and 1.1.10.6 is the
translated source IP address.)
(SNAT translation: when traffic from the internal network accesses the Internet from 192.168.2.23
to 1.1.12.3 and matches the SNAT rule, the source address is converted to 1.1.10.6 and the
destination address remains unchanged.)

The following example configures interface-based NAT for ethernet0/0 in the untrust zone: all
traffic leaving through ethernet0/0 is translated to the interface's own address in dynamicport
mode:

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# snatrule from any to any eif ethernet0/0 trans-to eif-ip mode dynamicport
rule id=1
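The translation modes and the first-match ordering described above, as an added Python model written for this guide (not StoneOS code). It assumes a constructed 4-port pool per translated address so that exhaustion shows up within a few sessions, assumes that sticky pins a source to the least-loaded translated address on its first session (the guide does not state how the fixed address is chosen), and the rules, addresses and sessions in demo() are constructed. The model goes beyond the single static example on the page: it covers all three modes, the sticky and round-robin options, a no-trans rule, the spill-over from the first address to the second when its ports run out, and the effect of snatrule move on which rule a packet hits.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PORTS = range(40000, 40004)   # constructed 4-port pool per address so exhaustion shows quickly


@dataclass
class SnatRule:
    rule_id: int
    src: str                                      # "from" address/mask; "any" matches all
    trans_to: list = field(default_factory=list)  # translated address-book entry
    mode: str = "dynamicport"                     # static | dynamicip | dynamicport | no-trans
    option: str = ""                              # dynamicport only: "sticky" or "round-robin"
    ip_map: dict = field(default_factory=dict)    # src ip -> translated ip (dynamicip, sticky)
    used: dict = field(default_factory=dict)      # translated ip -> set of ports in use
    rr_index: int = 0

    def matches(self, src_ip):
        return self.src == "any" or ip_address(src_ip) in ip_network(self.src, strict=False)

    def translate(self, src_ip, src_port):
        """Return the translated (ip, port), or None when the pool is exhausted."""
        if self.mode == "no-trans":
            return src_ip, src_port
        if self.mode == "static":                 # one-to-one: address counts must match
            net = ip_network(self.src, strict=False)
            if net.num_addresses != len(self.trans_to):
                raise ValueError("static mode needs equal source and translated counts")
            return self.trans_to[int(ip_address(src_ip)) - int(net.network_address)], src_port
        if self.mode == "dynamicip":              # each source gets its own address, no PAT
            if src_ip not in self.ip_map:
                free = [ip for ip in self.trans_to if ip not in self.ip_map.values()]
                if not free:
                    return None                   # all translated addresses occupied
                self.ip_map[src_ip] = free[0]
            return self.ip_map[src_ip], src_port
        # dynamicport (PAT): pick the candidate addresses, then the first free port
        if self.option == "sticky":               # assumed: pin a source to the least-loaded address
            if src_ip not in self.ip_map:
                self.ip_map[src_ip] = min(self.trans_to, key=lambda ip: len(self.used.get(ip, ())))
            candidates = [self.ip_map[src_ip]]
        elif self.option == "round-robin":        # each new session starts at the next address
            i, self.rr_index = self.rr_index, (self.rr_index + 1) % len(self.trans_to)
            candidates = self.trans_to[i:] + self.trans_to[:i]
        else:                                     # default: fill the first address, then the next
            candidates = list(self.trans_to)
        for ip in candidates:
            busy = self.used.setdefault(ip, set())
            for port in PORTS:
                if port not in busy:
                    busy.add(port)
                    return ip, port
        return None

    def port_usage_percent(self, ip):             # what show snat ... resource would report
        return 100 * len(self.used.get(ip, ())) // len(PORTS)


class SnatPolicy:
    def __init__(self):
        self.rules = []                           # query order, as show snat lists it

    def add(self, rule):
        self.rules.append(rule)                   # new rules go to the end of the list

    def move(self, rule_id, where, ref_id=None):  # snatrule move id {before|after|top|bottom}
        rule = next(r for r in self.rules if r.rule_id == rule_id)
        self.rules.remove(rule)
        pos = {"top": 0, "bottom": len(self.rules)}.get(where)
        if pos is None:
            pos = [r.rule_id for r in self.rules].index(ref_id) + (where == "after")
        self.rules.insert(pos, rule)

    def apply(self, src_ip, src_port):
        for rule in self.rules:                   # first match wins; rule IDs play no part
            if rule.matches(src_ip):
                return rule.rule_id, rule.translate(src_ip, src_port)
        return None, (src_ip, src_port)


def demo():
    out, policy = {}, SnatPolicy()
    rule1 = SnatRule(1, "any", ["1.1.10.6", "1.1.10.7"])             # PAT, default fill order
    policy.add(rule1)
    policy.add(SnatRule(2, "192.168.2.0/24", mode="no-trans"))       # shadowed by rule 1
    out["pat"] = [policy.apply("10.0.0.1", 6000 + i) for i in range(5)]
    out["usage"] = rule1.port_usage_percent("1.1.10.6")             # vs. rising-threshold
    out["shadowed"] = policy.apply("192.168.2.23", 5000)           # rule 1 wins, spills to .7
    policy.move(2, "top")                                           # snatrule move 2 top
    out["after_move"] = policy.apply("192.168.2.23", 5000)         # rule 2 now matches first
    sticky = SnatRule(3, "any", ["2.2.2.1", "2.2.2.2"], option="sticky")
    out["sticky"] = [sticky.translate(ip, p)[0] for ip, p in
                     (("10.0.0.5", 1), ("10.0.0.6", 1), ("10.0.0.5", 2))]
    rr = SnatRule(4, "any", ["2.2.2.1", "2.2.2.2"], option="round-robin")
    out["rr"] = [rr.translate("10.0.0.5", p)[0] for p in range(3)]
    dyn = SnatRule(5, "any", ["3.3.3.1", "3.3.3.2"], mode="dynamicip")
    out["dynamicip"] = [dyn.translate(ip, 7) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.1", "10.0.0.3")]
    return out
```

Two things the model makes visible that the text only states: a no-trans rule added after a broad "from any" rule never matches until it is moved above it, regardless of its ID, and port_usage_percent reaching 100 on the first address is the condition the monitor-snat-port-resource rising-threshold would log before sessions spill to the next address.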

To configure an SNAT rule that disables NAT, in the NAT configuration mode, use the following
command:
snatrule [id id] [before id | after id | top] from src-address to dst-address [eif egress-interface
| evr vrouter-name] no-trans [group group-id] [description description]

Enabling/Disabling SNAT Rule

To enable or disable an SNAT rule, under NAT configuration mode, use the following command:
snatrule id id [enable | disable]

l enable – Enable an SNAT rule of the specified ID.

l disable – Disable an SNAT rule of the specified ID.

Moving an SNAT Rule

Each SNAT rule is labeled with a unique ID. When traffic flows into the Hillstone device, the
device queries the SNAT rules in list order and implements NAT on the source IP of the traffic
according to the first matched rule. The rule ID is not related to the matching sequence; the
sequence displayed by the command show snat is the query sequence used for matching. You can
move an SNAT rule to modify the matching sequence. To move an SNAT rule, in the NAT
configuration mode, use the following command:
snatrule move id {before id | after id | top | bottom}

l id – Specifies the ID of the SNAT rule that will be moved.

l before id – Moves the SNAT rule before the specified ID.

l after id – Moves the SNAT rule after the specified ID.

l top – Moves the SNAT rule to the top of the SNAT rule list.

l bottom – Moves the SNAT rule to the bottom of the SNAT rule list.

Enabling/Disabling Expanded PAT Port Pool

When the translation mode of SNAT is set to dynamicport, you can enable or disable the expan-
ded PAT port pool to expand the network address port resources after NAT. This function is dis-
abled by default. To enable the function, in the global configuration mode, use the following
command:
expanded-port-pool

To disable the function, in the global configuration mode, use the following command:
no expanded-port-pool

Notes:
l Only some Hillstone models support the expanded PAT port pool, and the available port
resources also vary between platforms.

l The function only applies to SNAT rules that have not been enabled yet; if the SNAT rule
is already enabled, reboot the system to make the function take effect.

Deleting an SNAT Rule

To delete the SNAT rule with the specified ID, in the NAT configuration mode, use the fol-
lowing command:
no snatrule id id

Modifying/Deleting the Description of an SNAT Rule

In the NAT configuration mode, use the following command to modify the description of a
specific SNAT rule:
snatrule id id description description

l id – Specifies the ID of the SNAT rule whose description you want to modify.

l description description – Specifies the new description. You can enter at most 64 characters.

In the NAT configuration mode, use the following command to delete the description of a
specific SNAT rule:
no snatrule id id description

Specifying a Schedule for an SNAT Rule

You can associate an existing SNAT rule with a schedule or modify the schedule for an SNAT
rule. To specify a schedule for an SNAT rule, use the following command in VRouter configuration
mode or NAT configuration mode:
snatrule id id schedule schedule-name

l id – Specifies the ID of the SNAT rule that needs to reference a schedule.

l schedule-name – Specifies the schedule for the SNAT rule.

In VRouter configuration mode or NAT configuration mode, use the no snatrule id id schedule
command to delete the schedule from a specified SNAT rule.

Configuring the SNAT Rule Port Resource Monitor Function

The system can monitor the port resource usage of the translated IP addresses of SNAT rules and
record logs when the usage crosses a configured threshold. This function is disabled by default.
To enable the monitor of SNAT rules' port resource usage, in the global configuration mode, use
the following command:
monitor-snat-port-resource rising-threshold threshold-value sample-period period-value

l rising-threshold threshold-value - Specifies the rising threshold. When the current port
resource usage exceeds the percentage threshold specified by this parameter, the system will
record a warning log. The value range is 1 to 99.

l sample-period period-value - Specifies the report period. The value range is 900 to 3600
seconds.

To disable the monitor of SNAT rules' port resource usage, in the global configuration mode, use
the following command:
no monitor-snat-port-resource

Viewing the SNAT Rule Port Usage Monitor Function Configuration

To view the SNAT rule port usage monitor function configuration, in the global configuration
mode, use the following command:
show monitor-snat-port-resource

Viewing SNAT Configuration Information

To view the SNAT configuration information, in any mode, use the following command:
show snat [id id | vrouter vrouter-name]

show snat [vrouter vrouter-name] [src src-address] [dst dst-address] [service service-name]
[trans-to trans-to-address] [description description]

l id – Shows the SNAT rule information of the specified ID.

l vrouter vrouter-name – Shows the SNAT configuration information of the specified
VRouter. If this parameter is not specified, the system will show the SNAT rule information
of the default VRouter (trust-vr).

l src src-address –Shows the SNAT configuration information of the specified source address.

l dst dst-address - Shows the SNAT configuration information of the specified destination
address.

l service service-name –Shows the SNAT configuration information of the specified service.

l trans-to trans-to-address - Shows the SNAT configuration information of the specified trans-
lated IP.

l description description –Shows the SNAT configuration information of the specified descrip-
tion.

Viewing SNAT Source Utilization

To view the source utilization information, in any mode, use the following command:
show snat id id resource [ip A.B.C.D] [detail]

show snat resource [vrouter vrouter-name] [ip A.B.C.D] [detail]

l resource – When the translation mode of SNAT is set to dynamicport, this parameter shows
the resource utilization of the translated address pool (source port pool).

l ip – Shows the port resource utilization of the specified IP in the translated address
pool.

l detail – Shows detailed information on the port resource utilization of the translated
address pool, such as the allocation state, translation mode and port range.

Viewing Track-Failed Information of SNAT Translated Addresses

To view which SNAT translated addresses have failed tracking, in any mode, use the following
command:
show snat track-failed slot slot-number [vrouter vrouter-name] [ip A.B.C.D [detail] | detail]

show snat track-failed [vrouter vrouter-name]

show snat track-failed cpu cpu-number

l track-failed – Displays the SNAT translated addresses that failed tracking.

l vrouter vrouter-name – Displays the track-failed SNAT translated addresses of the specified
VRouter. If this parameter is not specified, the system will display the information of the
default VRouter (trust-vr).

l slot slot-number – Displays the track-failed SNAT translated addresses of the specified slot.

l cpu cpu-number – Displays the track-failed SNAT translated addresses of the specified CPU.

Creating a DNAT Rule

DNAT rules are used to specify whether to implement NAT on the destination IP address of the
matched traffic. To configure a DNAT rule for NAT, in the VRouter configuration mode, use the
following command:
dnatrule [id id] [before id | after id | top] [ingress-interface interface] [from-zone zone-name]
from src-address to dst-address [service service-name] trans-to trans-to-address [port port]
[{redirect | load-balance} [track-tcp port] [track-ping] | source-trans-to source-trans-to-address
mode {dynamicport | static}] [log] [group group-id] [disable] [description description]

• id id – Specifies the ID of the DNAT rule. Each DNAT rule has a unique ID. If the ID is
not specified, the system will automatically assign one. If the specified DNAT ID exists, the
original rule will be overwritten.

• before id | after id | top – Specifies the position of the rule. The position can be top,
before id or after id. If the position is not specified, the rule will be located at the end of all
the DNAT rules. By default, the newly-created DNAT rule is located at the end of all the
rules.

• ingress-interface interface – Specifies the ingress interface whose traffic will match this DNAT
rule. When this interface is designated, only the traffic from this interface will continue to
match this DNAT rule. Traffic from other interfaces will not.

• from-zone zone-name – Specifies the security zone to which the ingress interface of traffic
that matches the DNAT rule is bound. After the configuration is completed, only the traffic
that flows through the ingress interface bound to this security zone can continue to match the
DNAT rule. By default, the parameter is set to Any.
Note:

    • The source zone must belong to the specified virtual router. In NAT configuration
    mode, the VRouter is trust-vr.

    • Only one source zone can be configured for a DNAT rule.

• from src-address to dst-address [service service-name] – Specifies the conditions that the
traffic should match. The conditions are:

    • from src-address – Specifies the source IP address/netmask of the traffic. src-address
    should be an IP address/netmask or an address entry in the address book.


    • to dst-address – Specifies the destination IP address/netmask of the traffic. dst-address
    should be an IP address/netmask or an address entry in the address book.

    • service service-name – Specifies the service type of the traffic. If the port number
    needs to be translated together (specified by port port), the specified service can only
    be configured with one protocol and one port. For example, the TCP port number can
    be 80, but cannot be 80 to 100.

• trans-to trans-to-address – Specifies the translated IP address. trans-to-address is an IP
address/netmask or an address entry in the address book. When the number of translated
IP addresses is different from the number of destination IP addresses of the traffic (specified
by to dst-address), or the destination IP address is any, you must enable the redirect function
for this DNAT rule (specified by redirect). If the DNAT rule is enabled with load-balance, the
number of translated IP addresses is allowed to differ from the number of destination IP
addresses of the traffic, but the destination IP address cannot be any. If this translated IP
address is an address book entry containing a DNS domain name, you need to enable
load-balance for the DNAT rule (specified by load-balance).

• port port – Specifies the port number of the internal network server.

• redirect – Enables redirect for this DNAT rule, which allows the destination IP address of the
traffic to be any.

• load-balance – Enables load balancing for this DNAT rule. The system will adopt a persistent
algorithm to distribute traffic and balance the traffic to different servers in the internal
network based on the hash of the user IP.

• track-tcp port – If this parameter is configured and the port number of the internal network
server is specified, the system will send TCP packets to the internal network server every 3
seconds to monitor whether the specified port is reachable. If no response is returned for 3
packets in succession, the system will conclude that the server has failed.


• track-ping – If this parameter is configured, the system will send Ping packets to the internal
network server every 3 seconds to monitor whether the server is reachable. If no response is
returned for 3 packets in succession, the system will conclude that the server has failed.

• source-trans-to source-trans-to-address – Enables the source address translation function
(bidirectional NAT) and specifies the IP address after translation, which can be an address
entry in the address book or an IPv4 or IPv6 address/mask.

• mode {dynamicport | static} – Specifies the source address translation mode. The
dynamicport mode will translate the same source IP to the same NAT address. If translation
fails, the system will select one randomly. The static mode means one-to-one translation.
This mode requires the number of source IP addresses to be the same as that of translated IP
addresses.

• log – Enables the log function for this DNAT rule (a log is generated when traffic
matches this NAT rule).

• group group-id – Specifies the HA group that the DNAT rule belongs to. If the parameter is
not specified, the DNAT rule being created will belong to HA group0.

• disable – Enter this command to disable the DNAT rule.

• description description – Specifies the description for this DNAT rule. You can specify at
most 63 characters.

• schedule schedule-name – Specifies the schedule for the DNAT rule.

For example, you can use the following commands to implement DNAT translation. If Internet
traffic accesses the internal network, the traffic will be DNATed based on the security zone to
which the ingress interface of the traffic is bound.

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# dnatrule from-zone untrust from ip 1.1.2.2 to ip 2.2.2.56 trans-to ip 192.168.4.56
dnat service not set, set to default Any
rule ID=2

(untrust is the security zone to which the ingress interface of traffic that
matches the DNAT rule is bound, 1.1.2.2 is the source IP address, 2.2.2.56 is
the destination IP address, and 192.168.4.56 is the DNATed destination IP
address.)

(DNAT translation: If Internet traffic accesses the internal network from 1.1.2.2
to 2.2.2.56, when the traffic matches the DNAT rule, the destination address is
converted to 192.168.4.56 and the source address remains unchanged.)

For example, the following command will translate the IP address of the request from addr1 to
the IP address of addr2, but will not translate the port number:

hostname(config-vrouter)# dnatrule from any to addr1 service any trans-to addr2

rule id=1
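The first-match lookup and the trans-to/redirect/load-balance constraints described above, as an added Python example that is not part of the StoneOS guide or its software. The rule set, the addresses and the SHA-256-based persistence hash are constructed for illustration (the guide only says the distribution is persistent and based on the user IP; the vendor's actual hash and lookup code are not on this page), and rule 2 reuses the guide's own example values.

```python
# Added example (not StoneOS code): a first-match DNAT lookup that models the
# dnatrule parameters above.  Rule order is the match order, as the guide says
# for 'show dnat'.  The persistence hash is an illustrative stand-in (assumption).
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DnatRule:
    rule_id: int
    src: str                       # "any" or an IP/netmask
    dst: str                       # "any" or an IP/netmask
    service: str = "any"           # "any" or "proto/port", e.g. "tcp/80"
    trans_to: List[str] = field(default_factory=list)  # empty list = no-trans
    port: Optional[int] = None     # internal server port (port port)
    redirect: bool = False
    load_balance: bool = False
    from_zone: str = "any"
    disabled: bool = False


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _service_match(spec: str, proto: str, port: int) -> bool:
    return spec == "any" or spec == f"{proto}/{port}"


def validate(rule: DnatRule) -> List[str]:
    """Check the trans-to / redirect / load-balance constraints stated in the guide.
    Returns a list of problems; an empty list means the rule is acceptable."""
    if not rule.trans_to:                       # no-trans rules translate nothing
        return []
    problems = []
    n_dst = 1 if rule.dst == "any" else ipaddress.ip_network(rule.dst, strict=False).num_addresses
    if rule.dst == "any" and not rule.redirect:
        problems.append("destination any requires redirect")
    if len(rule.trans_to) != n_dst and not (rule.redirect or rule.load_balance):
        problems.append("trans-to count differs from destination count: enable redirect or load-balance")
    if rule.load_balance and rule.dst == "any":
        problems.append("load-balance cannot be combined with destination any")
    return problems


def lookup(rules: List[DnatRule], src_ip: str, dst_ip: str, proto: str, dport: int,
           zone: str = "any") -> Tuple[Optional[int], str, int]:
    """Return (matched rule id, translated destination IP, translated port).
    The first enabled rule whose conditions match wins; later rules are never consulted."""
    for r in rules:
        if r.disabled or (r.from_zone != "any" and r.from_zone != zone):
            continue
        if not (_addr_match(r.src, src_ip) and _addr_match(r.dst, dst_ip)
                and _service_match(r.service, proto, dport)):
            continue
        if not r.trans_to:                      # matched a no-trans rule: leave the packet alone
            return r.rule_id, dst_ip, dport
        if r.load_balance:
            # Persistent distribution: the same client IP always lands on the same server.
            h = int(hashlib.sha256(src_ip.encode()).hexdigest(), 16)
            new_dst = r.trans_to[h % len(r.trans_to)]
        elif r.dst != "any" and len(r.trans_to) == ipaddress.ip_network(r.dst, strict=False).num_addresses:
            # One-to-one: the n-th destination maps to the n-th translated address.
            net = ipaddress.ip_network(r.dst, strict=False)
            new_dst = r.trans_to[int(ipaddress.ip_address(dst_ip)) - int(net.network_address)]
        else:                                   # redirect: everything goes to the single translated address
            new_dst = r.trans_to[0]
        return r.rule_id, new_dst, (r.port if r.port is not None else dport)
    return None, dst_ip, dport                  # no DNAT rule matched


# Constructed rule set: rule 2 is the guide's own example, the others are made up.
RULES = [
    DnatRule(2, "1.1.2.2/32", "2.2.2.56/32", trans_to=["192.168.4.56"], from_zone="untrust"),
    DnatRule(1, "any", "203.0.113.10/32", "tcp/80", trans_to=["10.0.0.11", "10.0.0.12"],
             port=8080, load_balance=True),
    DnatRule(3, "any", "203.0.113.0/24"),     # no-trans: matched traffic is not translated
]

if __name__ == "__main__":
    print(lookup(RULES, "1.1.2.2", "2.2.2.56", "tcp", 22, zone="untrust"))
    print(lookup(RULES, "198.51.100.7", "203.0.113.10", "tcp", 80))
    print(validate(DnatRule(9, "any", "any", trans_to=["10.0.0.1"])))
```

The from-zone check shows why the guide's note matters: the same packet from 1.1.2.2 to 2.2.2.56 is translated when it enters through untrust and left untouched when it enters through any other zone, so a rule whose zone does not match silently falls through to later rules.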

To configure a DNAT rule that disables NAT, in the NAT configuration mode, use the following
command:
dnatrule [id id] [before id | after id | top] from src-address to dst-address [service service-name] no-trans [group group-id] [description description]

Enabling/Disabling a DNAT Rule

To enable or disable a DNAT rule, in the NAT configuration mode, use the following command:
dnatrule id id [enable | disable]

• enable – Enables the DNAT rule with the specified ID.

• disable – Disables the DNAT rule with the specified ID.

Moving a DNAT Rule

Each DNAT rule is labeled with a unique ID. When traffic flows into the Hillstone device, the
device queries the DNAT rules in turn and then implements NAT on the source IP of the
traffic according to the first matched rule. However, the rule ID is not related to the matching
sequence during the query. The sequence displayed by the command show dnat is the query
sequence for the matching. You can move a DNAT rule to modify the matching sequence. To
move a DNAT rule, in the NAT configuration mode, use the following command:
dnatrule move id {before id | after id | top | bottom}

• id – Specifies the ID of the DNAT rule that will be moved.

• before id – Moves the DNAT rule before the specified ID.

• after id – Moves the DNAT rule after the specified ID.

• top – Moves the DNAT rule to the top of the DNAT rule list.

• bottom – Moves the DNAT rule to the bottom of the DNAT rule list.

Modifying/Deleting the Description of a DNAT Rule

In the NAT configuration mode, use the following command to modify the description of a
specific DNAT rule:
dnatrule id id description description

• id – Specifies the ID of the DNAT rule whose description you want to modify.

• description description – Specifies the new description. You can enter at most 64 characters.

In the NAT configuration mode, use the following command to delete the description of a
specific DNAT rule:
no dnatrule id id description

Deleting a DNAT Rule

To delete the DNAT rule with the specified ID, in the NAT configuration mode, use the
following command:
no dnatrule id id

Specifying a Schedule for a DNAT Rule

You can associate an existing DNAT rule with a schedule or modify the schedule for a DNAT
rule. To specify a schedule for a DNAT rule, use the following command in VRouter
configuration mode/NAT configuration mode:
dnatrule id id schedule schedule-name

• id – Specifies the ID of the DNAT rule that needs to reference a schedule.

• schedule-name – Specifies the schedule for the DNAT rule.

In VRouter configuration mode/NAT configuration mode, use the no dnatrule id id schedule
command to delete the schedule from a specified DNAT rule.

Viewing DNAT Configuration Information

To view the DNAT configuration information, in any mode, use the following command:
show dnat [id id | vrouter vrouter-name] [src src-address] [dst dst-address] [service service-name] [trans-to trans-to-address] [source-trans-to source-trans-to-address] [trans-port port-number] [description description]

• id id – Shows the DNAT rule information of the specified ID.

• vrouter vrouter-name – Shows the DNAT configuration information of the specified
VRouter. If this parameter is not specified, the system will show the DNAT rule information
of the default VRouter (trust-vr).

• src src-address – Shows the DNAT configuration information of the specified source
address.

• dst dst-address – Shows the DNAT configuration information of the specified destination
address.

• service service-name – Shows the DNAT configuration information of the specified service.

• trans-to trans-to-address – Shows the DNAT configuration information of the specified
translated IP.

• source-trans-to source-trans-to-address – Shows the DNAT configuration information of the
specified source IP address after translation.

• trans-port port-number – Shows the DNAT configuration information of the specified
translated port.

• description description – Shows the DNAT configuration information of the specified
description.

To show the information of the DNAT rules with load balancing configured, in any mode, use the
following command:
show load-balance rule [id]

• id – Shows the DNAT rule information (with load balancing) of the specified ID.

To view the status of the load-balancing server, in any mode, use the following command:
show load-balance server [ip-address] [vrouter vrouter-name]

• ip-address – Shows the status of the load-balancing server of the specified IP address.

• vrouter vrouter-name – Shows the status of the load-balancing server of the specified VRouter.
If this parameter is not specified, the system will show the status of the load-balancing server of
the default VRouter (trust-vr).

To view the status of the internal network server, in any mode, use the following command:
show dnat server [ip-address] [vrouter vrouter-name] [tcp-port port] [ping]

• ip-address – Shows the status of the internal network server of the specified IP address.

• vrouter vrouter-name – Shows the status of the internal network server of the specified
VRouter. If this parameter is not specified, the system will show the status of the internal
network server of the default VRouter (trust-vr).

• tcp-port port – Shows the status of the internal network server of the specified port number.

• ping – Shows the Ping monitor status of the internal network server.


Configuring an Excluding Port Rule

By configuring excluded port rules, you can exclude a port or port range from translation. The
system will not use the specified ports when the source address is translated.
To configure the excluding port function, take the following steps:

1. Create a SNAT port group.

2. Configure the SNAT port group, and specify the description and the excluded port numbers.

3. Bind the SNAT port group to the specified VRouter to make the function take effect.

Creating a SNAT Port Group

To create a SNAT port group, in the global configuration mode, use the following command:
snat-port-group snat-port-group-name

• snat-port-group-name – Specifies the SNAT port group name and enters the SNAT port group
configuration mode. If the specified name exists, the system will directly enter the
SNAT port group configuration mode. The name range is 1 to 95 characters.

Notes: The system supports at most 8 SNAT port groups.

To delete a SNAT port group, in the global configuration mode, use the following command:
no snat-port-group snat-port-group-name

Specifying the Description of a SNAT Port Group

To specify the description of a SNAT port group, in the SNAT port group configuration mode, use
the following command:
description description

• description – Specifies the description of the SNAT port group. The range is 0 to 256 characters.

To delete the description of a SNAT port group, in the SNAT port group configuration mode, use
the following command:
no description

Specifying the Excluded Port Number

To specify the port range that needs to be excluded, in the SNAT port group configuration mode,
use the following command:
port {TCP | UDP} min-port min-port [max-port max-port]

• TCP | UDP – Specifies the protocol type of the excluded ports.

• min-port min-port [max-port max-port] – Specifies the excluded port number. If the port
number is a range, then min-port is the minimum port number and max-port is the maximum
port number.

To cancel the above configuration, in the SNAT port group configuration mode, use the
following command:
no port {TCP | UDP} min-port min-port [max-port max-port]

Binding the SNAT Port Group to a VRouter

After the SNAT port group is bound to the specified VRouter, the SNAT rules of all dynamic ports
of the VRouter exclude the port numbers specified in the SNAT port group. To bind the group,
in the VRouter configuration mode, use the following command:
snat-exclude-port snat-port-group-name

To cancel the binding, in the VRouter configuration mode, use the following command:
no snat-exclude-port

Viewing the SNAT Port Group Information

To view the configuration information of a SNAT port group, in any mode, use the following
command:
show snat-port-group [snat-port-group-name]

• snat-port-group-name – Displays the SNAT port group configuration information of the
specified name.

Viewing the SNAT Port Group References

To view the SNAT port group references, in any mode, use the following command:
show reference snat-port-group [snat-port-group-name]

• snat-port-group-name – Displays the SNAT port group references of the specified name.

Redundancy Check

If a large number of NAT rules pile up in the device and you are not sure whether to delete them,
maintaining these rules becomes more difficult. To ensure the validity of NAT rules, the
system performs a redundancy check on the NAT rules. In other words, the system checks the
coverage scope of NAT rules to find NAT rules that are overwritten by earlier rules and thus
can never be hit.
To start/stop/clear a redundancy check, use the following command in any mode:
exec {snat | dnat | bnat} redundancy-check vrouter vrouter-name {start | stop | clear}

• snat | dnat | bnat – Specifies the type of rules on which you want to perform the redundancy
check.

• vrouter vrouter-name – Specifies the virtual router to which the SNAT rules, DNAT rules, or
BNAT rules belong.

• start – Starts the redundancy check on SNAT rules, DNAT rules, or BNAT rules.

• stop – Stops the redundancy check on SNAT rules, DNAT rules, or BNAT rules.

• clear – Clears the results of the redundancy check performed on SNAT rules, DNAT
rules, or BNAT rules.

In any mode, use the show {snat | dnat | bnat} redundancy-check vrouter vrouter-name
command to view the redundancy check results of SNAT rules, DNAT rules, or BNAT rules.

• vrouter vrouter-name – Specifies the virtual router to which the NAT rules whose redundancy
check results you want to view belong.

Example:

hostname(config)# show snat redundancy-check vrouter trust-vr

Total count: 1 (Displays the total number of redundant SNAT rules that belong
to the virtual router trust-vr)

VR name: trust-vr
===================================================

SNAT ID covered by (Displays that the SNAT rule whose ID is 4 is
overwritten by the SNAT rule whose ID is 3)
---------------------------------------------------
4 3;
===================================================
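The coverage check that the redundancy check performs, as an added Python example that is not part of the StoneOS guide or its software. It walks an ordered rule list and reports each rule whose source, destination and service are all already covered by an earlier rule in the match order, rendering the result in the shape of the show output above. The rule list is constructed, and the coverage criteria (prefix containment plus exact service match) are an assumption; the vendor's checker may apply different criteria.

```python
# Added example (not StoneOS code): an offline redundancy check in the spirit of
# 'exec snat redundancy-check'.  A rule is redundant when an earlier rule in the
# match order already covers every packet it could match, so it can never be hit.
# The rule list is constructed; the vendor's checker may use different criteria.
import ipaddress
from typing import Dict, List, NamedTuple


class NatRule(NamedTuple):
    rule_id: int
    src: str        # "any" or IP/netmask
    dst: str        # "any" or IP/netmask
    service: str    # "any" or "proto/port"


def _covers(wide: str, narrow: str) -> bool:
    """True if every address matched by `narrow` is also matched by `wide`."""
    if wide == "any":
        return True
    if narrow == "any":
        return False
    return ipaddress.ip_network(narrow, strict=False).subnet_of(
        ipaddress.ip_network(wide, strict=False))


def _service_covers(wide: str, narrow: str) -> bool:
    return wide == "any" or wide == narrow


def rule_covers(earlier: NatRule, later: NatRule) -> bool:
    return (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
            and _service_covers(earlier.service, later.service))


def redundancy_check(rules: List[NatRule]) -> Dict[int, List[int]]:
    """Map each redundant rule ID to the IDs of earlier rules that cover it.
    `rules` must be in match order (the order 'show snat' displays), not ID order."""
    covered: Dict[int, List[int]] = {}
    for pos, later in enumerate(rules):
        by = [earlier.rule_id for earlier in rules[:pos] if rule_covers(earlier, later)]
        if by:
            covered[later.rule_id] = by
    return covered


def report(rules: List[NatRule], vrouter: str = "trust-vr") -> str:
    """Render the result in the same shape as the 'show snat redundancy-check' output above."""
    result = redundancy_check(rules)
    lines = [f"Total count: {len(result)}", f"VR name: {vrouter}", "SNAT ID covered by"]
    lines += [f"{rid} {' '.join(map(str, by))};" for rid, by in result.items()]
    return "\n".join(lines)


# Constructed rules in match order: rule 3 (a whole /24, any service) precedes
# rule 4 (one host in that /24), so rule 4 can never be hit.
RULES = [
    NatRule(1, "10.1.1.0/24", "any", "tcp/443"),
    NatRule(3, "10.1.2.0/24", "any", "any"),
    NatRule(4, "10.1.2.2/32", "any", "tcp/21"),
    NatRule(2, "10.1.3.0/24", "192.0.2.0/24", "any"),
]

if __name__ == "__main__":
    print(report(RULES))
```

Note that the list is walked in match order rather than ID order, which is exactly the distinction the guide draws between a rule's ID and its position: moving rule 4 above rule 3 with the move command would make it reachable again without changing either ID.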

DNS Rewrite

When a client initiates a DNS request, the DNS server in the Internet returns a DNS response to the
client. The security device can rewrite the IP address/host name in the DNS response packet to a
private IP in order to protect the private network configuration.
Each DNS rewrite rule has a unique ID. By specifying or adjusting the position of a rule ID, the
administrator can adjust the rule priority. When receiving a DNS response, the device will try to
match all rules from top to bottom and rewrite the response according to the rule that is matched
first.

Configuring DNS Rewrite Rules

In NAT configuration mode, type the following command:

dns-rewrite-rule [id id] [after id | before id | top] dns-response {ip ip-address | address-book address-name | host-book host-book-name} rewrite-to {ip ip-address | address-book address-name} dynamic-mapping [description description]

• id id – Specifies the rule ID. Each rule has a unique ID. If the ID is not specified, the
system will automatically assign one. If the specified ID exists, the original rule will be
overwritten.

• after id | before id | top – Specifies the position of the rule. The rule can be placed before or
after a specific ID, or placed at the top of all rules. By default, the rule is placed at the end of
all rules.

• dns-response {ip ip-address | address-book address-name | host-book host-book-name} –
Specifies the public IP, address book entry or host book entry in the DNS response.

• rewrite-to {ip ip-address | address-book address-name} – Specifies the private IP or address
book entry to which the security device rewrites the response.

• description description – Specifies the description of the DNS rewrite rule.

In NAT configuration mode, use the following command to delete a DNS rewrite rule:
no dns-rewrite-rule [id id]

Modifying/Deleting the DNS Rewrite Rule Description

In NAT configuration mode, use the following command to modify the description of a DNS
rewrite rule:
dns-rewrite-rule [id id] description description
Use the following command to delete the description of a DNS rewrite rule:
no dns-rewrite-rule [id id] description

Viewing DNS Rewrite Rules

In any mode, use show dns-rewrite-rule [id id | vrouter vr-name] dynamic-mapping to view DNS
rewrite rules:

• id id | vrouter vr-name – Views the DNS rewrite rules of the specified ID or VRouter.

Adjusting the Priority of a DNS Rewrite Rule

To adjust the priority of a DNS rewrite rule, in the NAT configuration mode, use the following
command:
dns-rewrite-rule move id {after id | before id | top | bottom}

• id – Specifies the ID of the DNS rewrite rule to be moved.

• after id – Moves the DNS rewrite rule after the specified ID.

• before id – Moves the DNS rewrite rule before the specified ID.

• top – Moves the DNS rewrite rule to the top of the DNS rewrite rule list.

• bottom – Moves the DNS rewrite rule to the bottom of the DNS rewrite rule list.

Enabling/Disabling DNS Rewrite Rule Rematch

When a DNS response hits a DNS Rewrite rule, the device will rewrite the response based on the
DNS Rewrite rule and establish an entry to record the mapping relationship between the
response IP and the rewritten IP. Subsequent service requests will be translated based on the
mapping relationship recorded. When the user adds, modifies or deletes a DNS Rewrite rule, rule
priorities might change. When an entry established by a previously hit rule matches a new rule:

• If DNS Rewrite rematch is enabled, the device will directly delete the previous entry.

• If DNS Rewrite rematch is disabled, the device will not delete the previous entry and
subsequent service requests might still hit the entry.

The DNS Rewrite rematch function is disabled by default. To enable this function, in the global
configuration mode, use the following command:
dns-rewrite-rule rematch
Use the following command to disable this function:
no dns-rewrite-rule rematch


NAT444
Hillstone devices support NAT444. NAT444 is carrier-grade NAT that is designed to extend the
service life of IPv4 during the transition from IPv4 to IPv6 and win some time for the deploy-
ment of IPv6.
With NAT444 configured, the system will create a mapping table according to user’s address
pool (source IP), public address pool (translated IP), available port range and port block size, and
implement NAT for the source IPs and ports of matched traffic based on the mapping table.

Configuring NAT444

NAT444 on Hillstone devices is implemented by creating and executing SNAT rules. Compared
with traditional SNAT rules, NAT444 SNAT rules have some new parameters. This
section mainly describes these new parameters. To configure an SNAT rule for NAT444, in the
VRouter configuration mode, use the following command:
snatrule [id id] [before id | after id | top] from src-address to dst-address [service service-name] [eif egress-interface | evr vrouter-name] trans-to addressbook trans-to-address mode dynamicport [fixed-block | random-block] start start-port end end-port size port-block-size [max-block-per-user blocks] [log {[port-block {allocate | release | all}] [session {allocate | release | all}] | session {allocate | release | all} | all}] [group group-id] [description description]

• mode dynamicport [fixed-block | random-block] start start-port end end-port size port-
block-size [max-block-per-user blocks] – All the sessions originating from one source
IP will be mapped to one specified IP address in an address entry. The source IP
corresponds to one or more port blocks of the mapped IP. If the port resources in the
block are exhausted, the translation will fail. For the detailed mapping relationship, see the
NAT444 SNAT example below.

    • fixed-block – Uses the static port block mapping mode. Each source IP address
    corresponds to a fixed port block of the mapped IP.

    • random-block – Uses the dynamic port block mapping mode. Each source IP
    address can correspond to one or more port blocks, and the parameter max-block-
    per-user blocks determines how many port blocks each source IP address
    can correspond to.

    • start start-port end end-port – Specifies the start port and end port of the
    available port range. The value range is 1024 to 65535.

    • size port-block-size – Specifies the size of the port block. The value range is 64
    to 64512, and the value must be an integer multiple of 64.

    • max-block-per-user blocks – Specifies the maximum number of port blocks that
    each user in the intranet can occupy. You can set this parameter when using the
    dynamic port block mapping mode. The default value is 1.

• log {[port-block {allocate | release | all}] [session {allocate | release | all}] | session
{allocate | release | all} | all} – Configures logging for NAT444 (generates logs for
matched traffic):

    • port-block {allocate | release | all} – Generates logs when the system is
    allocating (allocate) or releasing (release) a port block. all indicates generating logs
    for both of the above events.

    • session {allocate | release | all} – Generates logs when the system is creating
    (allocate) or disconnecting (release) a NAT session. all indicates generating logs
    for both of the above events.

    • all – Generates logs when the system is either allocating/releasing a port block or
    creating/disconnecting a NAT session.

• group group-id | both – Specifies the HA group the SNAT rule belongs to. If the
parameter is not specified, the SNAT rule being created will belong to HA group0. In the
static port block mapping mode (fixed-block), the both parameter can be specified.



The system will divide the port range of the device under HA Peer mode according to
the HA Node ID. That is, the device of each HA Node ID uses half the port range. For
example, the device whose HA Node ID is 0 uses the first half of the port range, and the
device whose HA Node ID is 1 uses the second half of the port range.

The following is a NAT444 SNAT example:

Suppose the source IP is src_addr: 192.168.1.0/24, and the translated IP is
global_addr: 200.1.2.10~200.1.2.100
hostname(config-vrouter)# snatrule id 1 from src_addr to any trans-to addressbook global_addr mode dynamicport fixed-block start 1024 end 65000 size 4096

rule id=1

The mapping relationship is shown below:

hostname(config-vrouter)# show snat id 1 ports-map

======================================================================
from            translate to    start port    end port
----------------------------------------------------------------------
192.168.1.0     200.1.2.10      1024          5119
192.168.1.1     200.1.2.10      5120          9215
192.168.1.2     200.1.2.10      9216          13311
……
192.168.1.14    200.1.2.10      58368         62463
192.168.1.15    200.1.2.11      1024          5119
192.168.1.16    200.1.2.11      5120          9215
192.168.1.17    200.1.2.11      9216          13311
……
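The mapping arithmetic behind the ports-map table above, plus the dynamic-mode behaviour and the port-block utilization figure that the monitor section below alarms on, as an added Python example that is not part of the StoneOS guide or its software. The fixed-block function reproduces the table from the rule's own parameters (start 1024, end 65000, size 4096, pool 200.1.2.10~200.1.2.100); the random-block allocator, its lowest-free-block hand-out order and the intranet addresses 10.0.0.x are constructed assumptions, since the vendor's allocator is not described on this page.

```python
# Added example (not StoneOS code): reproduces the fixed-block ports-map table above
# from the snatrule parameters, and models random-block mode with max-block-per-user
# plus the port-block utilization figure the nat444-resource monitor alarms on.
# The block hand-out order in random-block mode is an assumption for illustration.
import ipaddress
from typing import Dict, List, Optional, Tuple

Block = Tuple[str, int]                 # (public IP, first port of the block)


def _pool(first: str, last: str) -> List[str]:
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]


def _check_params(start: int, end: int, size: int) -> int:
    """Enforce the ranges given in the guide; return the number of blocks per public IP."""
    if not (64 <= size <= 64512) or size % 64:
        raise ValueError("size must be a multiple of 64 in 64..64512")
    if not (1024 <= start < end <= 65535):
        raise ValueError("start/end must lie in 1024..65535")
    return (end - start + 1) // size


def fixed_block_map(src_net: str, pool_first: str, pool_last: str,
                    start: int, end: int, size: int) -> List[Tuple[str, str, int, int]]:
    """Static mapping: the i-th source host gets the i-th block, filling each public IP
    before moving on to the next.  Rows are (from, translate-to, start port, end port)."""
    per_ip = _check_params(start, end, size)
    pool = _pool(pool_first, pool_last)
    hosts = [str(h) for h in ipaddress.ip_network(src_net, strict=False)]
    if len(hosts) > len(pool) * per_ip:
        raise ValueError(f"{len(hosts)} hosts but only {len(pool) * per_ip} port blocks")
    rows = []
    for i, host in enumerate(hosts):
        first = start + (i % per_ip) * size
        rows.append((host, pool[i // per_ip], first, first + size - 1))
    return rows


class RandomBlockAllocator:
    """Dynamic mapping: blocks are handed out on demand, at most max_block_per_user
    per source IP.  allocate() returns None when the user is at its limit or the
    pool is exhausted, which is the 'translation fails' case described above."""

    def __init__(self, pool_first: str, pool_last: str, start: int, end: int,
                 size: int, max_block_per_user: int = 1) -> None:
        per_ip = _check_params(start, end, size)
        self.size = size
        self.max_per_user = max_block_per_user
        self.free: List[Block] = [(ip, start + b * size)
                                  for ip in _pool(pool_first, pool_last) for b in range(per_ip)]
        self.total = len(self.free)
        self.owned: Dict[str, List[Block]] = {}

    def allocate(self, src_ip: str) -> Optional[Tuple[str, int, int]]:
        if len(self.owned.get(src_ip, [])) >= self.max_per_user or not self.free:
            return None
        ip, first = self.free.pop(0)       # lowest free block first (assumption)
        self.owned.setdefault(src_ip, []).append((ip, first))
        return ip, first, first + self.size - 1

    def release(self, src_ip: str) -> int:
        blocks = self.owned.pop(src_ip, [])
        self.free.extend(blocks)
        return len(blocks)

    def block_utilization(self) -> float:
        """Percentage of port blocks in use, the value the monitor compares to its threshold."""
        return 100.0 * (self.total - len(self.free)) / self.total

    def over_threshold(self, threshold: int) -> bool:
        if not 1 <= threshold <= 99:
            raise ValueError("threshold must be 1..99")
        return self.block_utilization() > threshold


if __name__ == "__main__":
    for row in fixed_block_map("192.168.1.0/24", "200.1.2.10", "200.1.2.100", 1024, 65000, 4096)[:3]:
        print(*row)
```

With the guide's parameters each public IP holds (65000 - 1024 + 1) // 4096 = 15 blocks, which is why 192.168.1.14 is the last host on 200.1.2.10 and 192.168.1.15 starts over at port 1024 on 200.1.2.11; the capacity check makes the sizing mistake (a pool too small for the source range) fail at configuration time rather than as silent translation failures in production.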



To configure an SNAT rule that disables NAT444, in the NAT configuration mode, use the
following command:
snatrule [id id] [before id | after id | top] from src-address to dst-address [eif egress-interface | evr vrouter-name] no-trans [group group-id]

Monitoring the Port Utilization and Port Block Utilization

The system can monitor the port utilization and port block utilization. When the real utilization is
higher than the specified threshold, the system will send the corresponding alarm. This monitor
function is available to all NAT444 rules.
To configure the port utilization or port block utilization monitor, in the global configuration
mode, use the following command:
nat444-resource monitor {port-utilization threshold value | port-block-utilization threshold value} log

• port-utilization threshold value – Specifies the threshold of the port utilization. When the
actual value is higher than the threshold specified here, the system will send the
corresponding alarm. The value range is from 1 to 99.

• port-block-utilization threshold value – Specifies the threshold of the port block utilization.
When the actual value is higher than the threshold specified here, the system will send the
corresponding alarm. The value range is from 1 to 99.

In the global configuration mode, use the following command to cancel the monitor configuration:
no nat444-resource monitor {port-utilization | port-block-utilization}

Viewing NAT444 Configuration Information

To view the SNAT rule information of NAT444, in any mode, use the following command:
show snat [id id] ports-map {src src-address [detail] | trans-to trans-to-address | vrouter vrouter-name {src src-address [detail] | trans-to trans-to-address}}


• id id – Shows the mapping information of the SNAT rule with the specified ID.

• src src-address – Shows the mapping information of the specified source IP.

• detail – Shows the mapping information of the specified source IP and the port block utilization.

• trans-to trans-to-address – Shows the mapping information of the translated IP address.

• vrouter vrouter-name – Shows the SNAT rule mapping information of the specified VRouter.

Viewing the IP Address and Port Resource Allocation Mode

To view the IP address and port resource distribution mode, use the following command in
any mode:
show flow snat-port-allocation mode

Full-cone NAT
Full-cone NAT, also known as one-to-one NAT, maps all the requests from one IP/port in
the private network to one IP/port in the public network, and thereafter all the hosts in the
public network will be able to communicate with the host that initiated the request by making use
of the mapping relationship.
As shown below, suppose PC1 in the Intranet has already established a connection with PC2 in
the Internet after NAT translation, and the device translates the IP/port of PC1 (Private IP:Private
port) to a public IP/port (Public IP:Public port). Since there exists a session, PC2 can connect
to PC1 reversely by matching the session. However, because there is no matching session
information, by default PC3 and PC4 cannot communicate with PC1 even if the translated public
IP/port (Public IP:Public port) is routable. With Full-cone NAT enabled, the device will create
and maintain a Full-cone NAT entry and advertise the mapping between the public and private
IPs/ports (Local IP:Local port <==> Public IP:Public port) by the entry. In such a condition, as
long as PC3 and PC4 can reach the public IP/port of PC1 (Public IP:Public port), they can
traverse the NAT device and connect to PC1 proactively by making use of the mapping information.


To enable Full-cone NAT, in the global configuration mode, use the following command:
nat type full-cone

To disable Full-cone NAT, in the global configuration mode, use the following command:
no nat type full-cone

To specify the protocol that is enabled with Full-cone NAT, in the global configuration mode,
use the following command:
nat protocol {tcp | udp}

• tcp – Enables Full-cone NAT on TCP.

• udp – Enables Full-cone NAT on UDP. This is the default option.

To cancel the configuration, in the global configuration mode, use the following command:
no nat protocol {tcp | udp}

Viewing Full-cone NAT Configuration Information

To view the configuration information of Full-cone NAT, in any mode, use the following
command:

show nat {config | generic | entry [all | src-ip ip-address [src-port port-number protocol {tcp | udp} snat-id [interface interface-name]] | vr vrouter-name] | control [vrouter vrouter-name]}

• config – Shows the configuration of Full-cone NAT.

• generic – Shows the general information of Full-cone NAT entries.

• entry [all | src-ip ip-address [src-port port-number protocol {tcp | udp} snat-id [interface interface-name]] | vr vrouter-name]

    • entry – Shows the detailed information of Full-cone NAT entries.

    • all – Shows the detailed information of Full-cone NAT entries in the VSYS.

    • src-ip ip-address [src-port port-number protocol {tcp | udp} snat-id [interface interface-
    name]] – Shows the detailed information of the Full-cone NAT entry of the specified source
    IP address (src-ip ip-address), source port (src-port port-number), protocol type
    (protocol {tcp | udp}), SNAT rule ID (snat-id) and interface (interface-name).

    • vr vrouter-name – Shows the detailed information of Full-cone NAT entries of the
    specified VRouter. If not specified, the system will show the Full-cone NAT entry
    information of trust-vr by default.

• control [vrouter vrouter-name]

    • control – Shows the status of the following functions: full-cone NAT, expanded PAT
    port pool, SNAT port split under HA peer mode and "Bounce NAT" on Page 249.

    • vrouter vrouter-name – Shows the status of Bounce NAT of the specified VRouter. If
    not specified, the system will show the status of Bounce NAT of trust-vr by default.

Bounce NAT
Suppose the HTTP server is deployed in the intranet and users from the internet try to access the
server via the configured DNAT rules as shown in the following picture. When the intranet PC1

Chapter 1 Firewall 249


(192.168.1.2) visits the HTTP server (192.168.1.3) by domain name, it sends the name to the Internet DNS server for resolution and obtains the public IP (10.1.1.2) of the HTTP server. PC1 therefore sends its HTTP request to 10.1.1.2. When the device receives the request, it translates the destination IP to 192.168.1.3 and forwards the packet to the HTTP server in the intranet. The HTTP server sees a request from 192.168.1.2, a host on its own segment, so it sends its response directly to PC1 without passing through the device, and the destination translation is never reversed. The source IP of the response is 192.168.1.3, which does not match the destination IP (10.1.1.2) of the request PC1 sent, so PC1 finds no matching connection and drops the response. The PC in the intranet therefore fails to reach the intranet server on the same segment through its public address.

Bounce NAT solves this problem. When it is triggered, the source IP address of the request packet is rewritten to the IP address of the egress interface (eth0/0: 192.168.1.1 in the picture above). The server then answers the device rather than PC1, the device reverses both translations, and the PC in the intranet can access the intranet server normally. The function is triggered only when a request meets all of the following conditions:

l It matches a DNAT rule.

l It does not match any SNAT rule.

l Its egress interface is the same as its ingress interface.

By default, the Bounce NAT function is enabled. To disable the function, in the VRouter configuration mode, use the following command:
bounce-snat-disable
Use the command no bounce-snat-disable to enable the Bounce NAT function again.
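The packet flow described above, as an added example that is not part of this guide or of StoneOS: a small Python model of the request and response with and without Bounce NAT. The addresses are the ones in the description; the interface names, the outside interface address 10.1.1.1, the session table and the assumption that no SNAT rule matches intranet-to-intranet traffic are constructed for the illustration.

```python
"""Packet-flow model of the hairpin problem that Bounce NAT solves (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str = ""  # ingress interface on arrival, egress interface after forwarding


# Constructed topology: eth0/0 faces the intranet segment, eth0/1 the Internet.
INTERFACES = {"eth0/0": ("192.168.1.1", "192.168.1.0/24"),
              "eth0/1": ("10.1.1.1", "10.1.1.0/24")}
DNAT_RULES = {"10.1.1.2": "192.168.1.3"}            # public address of the server -> real server
SNAT_RULES: List[Callable[[Packet], bool]] = []     # assumption: no SNAT rule matches this traffic
SESSIONS: Dict[Tuple[str, str], Tuple[str, str]] = {}  # translated (src, dst) -> original (src, dst)


def egress_interface(dst: str) -> str:
    """Route lookup: the interface whose subnet contains dst, else the Internet side."""
    for name, (_, net) in INTERFACES.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return name
    return "eth0/1"


def bounce_nat_triggered(pkt: Packet, out_if: str, dnat_matched: bool) -> bool:
    """The three trigger conditions: DNAT matched, no SNAT rule matched, egress == ingress."""
    snat_matched = any(rule(pkt) for rule in SNAT_RULES)
    return dnat_matched and not snat_matched and out_if == pkt.iface


def forward(pkt: Packet, bounce_nat: bool) -> Packet:
    """Apply DNAT, then Bounce NAT if enabled and triggered; record the session."""
    dst = DNAT_RULES.get(pkt.dst, pkt.dst)
    out_if = egress_interface(dst)
    src = pkt.src
    if bounce_nat and bounce_nat_triggered(pkt, out_if, dst != pkt.dst):
        src = INTERFACES[out_if][0]  # source rewritten to the egress interface address
    SESSIONS[(src, dst)] = (pkt.src, pkt.dst)
    return Packet(src, dst, out_if)


def reverse(reply: Packet) -> Packet:
    """Undo both translations for a reply that comes back through the device."""
    orig_src, orig_dst = SESSIONS[(reply.dst, reply.src)]
    return Packet(orig_dst, orig_src)


def server_reply(seen: Packet) -> Packet:
    """The server answers whatever source address it saw."""
    return Packet(seen.dst, seen.src)


def deliver(request: Packet, reply: Packet) -> bool:
    """Does PC1 accept the reply? Only if it comes from the address PC1 sent to."""
    device_ips = {ip for ip, _ in INTERFACES.values()}
    if reply.dst in device_ips:
        final = reverse(reply)   # reply addressed to the device: translations reversed
    else:
        final = reply            # same segment: handed straight to PC1, device never sees it
    return final.src == request.dst and final.dst == request.src


def simulate(bounce_nat: bool) -> bool:
    """PC1 (192.168.1.2) contacts the server through its public address 10.1.1.2."""
    SESSIONS.clear()
    request = Packet("192.168.1.2", "10.1.1.2", "eth0/0")
    seen_by_server = forward(request, bounce_nat)
    return deliver(request, server_reply(seen_by_server))
```

simulate(False) returns False because the server's reply reaches PC1 directly with source 192.168.1.3; simulate(True) returns True because the rewritten source forces the reply back through the device, which reverses both translations. Calling bounce_nat_triggered() directly shows that a request arriving from the Internet on eth0/1 does not trigger the function, since its egress interface differs from its ingress interface.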

Example of Configuring NAT


This section describes a typical NAT configuration example.

Requirement

The company network is divided into three zones by a Hillstone device: the Trust zone, the DMZ zone and the Untrust zone. Employees work in the Trust zone; they are assigned the private network segment 10.1.1.0/24 and get the highest security priority. The WWW server and FTP server are in the DMZ zone; they are assigned the private network segment 10.1.2.0/24 and can be accessed by internal employees and external users. External networks are in the Untrust zone. The network topology is shown in the figure below:

There are three requirements:

l Requirement 1: Employees in segment 10.1.1.0/24 of the Trust zone are able to access the Internet, while PCs in other segments of the zone cannot. The legitimate public IP address range provided for access to the external network is 202.1.1.3 to 202.1.1.5. Because there are not enough public addresses, NAT address multiplexing (several internal hosts sharing one public address, distinguished by port) is needed.

l Requirement 2: Two internal servers are provided for users and can be accessed from external networks: an FTP server (internal IP address 10.1.2.2, port 21) and a WWW server (internal IP address 10.1.2.3, port 80). The external mapping IP address is 202.1.1.6.

l Requirement 3: After any PC in the Trust zone has accessed a host in the Untrust zone, all hosts in the Untrust zone can connect back to that PC through the mapping created, by making use of Full-cone NAT.

Configuration Steps

Step 1: Configure security zones and IP addresses

hostname# configure
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone trust
hostname(config-if-eth0/1)# ip address 10.1.1.1/24
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# zone untrust
hostname(config-if-eth0/2)# ip address 202.1.1.2/29
hostname(config-if-eth0/2)# exit
hostname(config)# interface ethernet0/3
hostname(config-if-eth0/3)# zone dmz
hostname(config-if-eth0/3)# ip address 10.1.2.1/24
hostname(config-if-eth0/3)# exit
hostname(config)#

Step 2: Configure address entries

hostname(config)# address addr1
hostname(config-addr)# ip 10.1.1.1/24
hostname(config-addr)# exit
hostname(config)# address addr2
hostname(config-addr)# range 202.1.1.3 202.1.1.5
hostname(config-addr)# exit
hostname(config)# address test1
hostname(config-addr)# ip 202.1.1.6/32
hostname(config-addr)# exit
hostname(config)# address test2
hostname(config-addr)# ip 10.1.2.2/32
hostname(config-addr)# exit
hostname(config)# address test3
hostname(config-addr)# ip 10.1.2.3/32
hostname(config-addr)# exit

Step 3: Configure policy rules

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr addr1
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone dmz
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone dmz
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service http
hostname(config-policy-rule)# service ftp
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Step 4: Configure NAT rules

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# snatrule id 1 from addr1 to any eif ethernet0/2 trans-to address-book addr2 mode dynamicport sticky
rule id=1
hostname(config-vrouter)# dnatrule id 2 from any to test1 service ftp trans-to test2 port 21
rule id=2
hostname(config-vrouter)# dnatrule id 3 from any to test1 service http trans-to test3 port 80
rule id=3
hostname(config-vrouter)# exit
hostname(config)# nat type full-cone
hostname(config)# nat protocol tcp
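Requirement 1 (dynamicport, sticky) and Requirement 3 (full-cone) above, as an added example that is not part of this guide or of StoneOS: a Python model of the source NAT mapping table. The public address pool is addr2 from the example; the round-robin address selection, the port allocation order and the remote endpoints are constructed for the illustration, and the model ignores protocol details of the real implementation.

```python
"""SNAT mapping model: dynamicport, sticky and full-cone behaviour (added example)."""
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class SourceNat:
    """dynamicport: hosts share a public address, told apart by port.
    sticky: a host keeps the same public address for all its mappings.
    full_cone: any remote host may send to an existing mapping, not only the peers
    the inside host already talked to."""

    def __init__(self, public_ips: List[str], full_cone: bool, sticky: bool = True):
        self.public_ips = public_ips
        self.full_cone = full_cone
        self.sticky = sticky
        self.mappings: Dict[Endpoint, Endpoint] = {}          # inside ep -> public ep
        self.host_public_ip: Dict[str, str] = {}              # inside ip -> public ip (sticky)
        self.sessions: Set[Tuple[Endpoint, Endpoint]] = set()  # (public ep, remote ep) seen outbound
        self.next_port: Dict[str, int] = {ip: 1024 for ip in public_ips}  # constructed order
        self.turn = 0

    def _choose_public_ip(self, inside_ip: str) -> str:
        if self.sticky and inside_ip in self.host_public_ip:
            return self.host_public_ip[inside_ip]           # same host, same public address
        ip = self.public_ips[self.turn % len(self.public_ips)]  # constructed: round-robin over the pool
        self.turn += 1
        if self.sticky:
            self.host_public_ip[inside_ip] = ip
        return ip

    def outbound(self, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """Translate an outbound flow, creating the mapping on first use."""
        if inside not in self.mappings:
            ip = self._choose_public_ip(inside[0])
            self.mappings[inside] = (ip, self.next_port[ip])
            self.next_port[ip] += 1
        public = self.mappings[inside]
        self.sessions.add((public, remote))
        return public

    def inbound(self, public: Endpoint, remote: Endpoint) -> Optional[Endpoint]:
        """Inside endpoint an inbound packet is delivered to, or None if it is dropped."""
        for inside, mapped in self.mappings.items():
            if mapped == public:
                if self.full_cone or (mapped, remote) in self.sessions:
                    return inside
                return None  # mapping exists, but this remote endpoint never received traffic from it
        return None          # no mapping at all


POOL = ["202.1.1.3", "202.1.1.4", "202.1.1.5"]  # addr2 in the configuration example


def demo() -> dict:
    """Constructed traffic: two Trust-zone hosts talk out; outside hosts try to connect back."""
    results = {}
    n = SourceNat(POOL, full_cone=False)
    results["pc_a_first"] = n.outbound(("10.1.1.10", 5000), ("198.51.100.1", 80))
    results["pc_a_second"] = n.outbound(("10.1.1.10", 5001), ("198.51.100.2", 443))  # sticky
    results["pc_b_first"] = n.outbound(("10.1.1.11", 5000), ("198.51.100.1", 80))
    results["reply_from_peer"] = n.inbound(("202.1.1.3", 1024), ("198.51.100.1", 80))
    results["new_peer_without_full_cone"] = n.inbound(("202.1.1.3", 1024), ("198.51.100.9", 2222))
    f = SourceNat(POOL, full_cone=True)
    f.outbound(("10.1.1.10", 5000), ("198.51.100.1", 80))
    results["new_peer_with_full_cone"] = f.inbound(("202.1.1.3", 1024), ("198.51.100.9", 2222))
    results["no_mapping"] = f.inbound(("202.1.1.3", 2000), ("198.51.100.9", 2222))
    return results
```

Without full-cone, an outside host that the inside PC never contacted is dropped even though the mapping exists; with nat type full-cone the same packet is delivered, which is exactly what Requirement 3 asks for and also what widens the inbound exposure of every mapped port.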



Application Layer Identification and Control

Overview
Hillstone devices provide a wide range of application layer monitoring, statistics and filtering functions. These functions identify applications such as FTP, HTTP, P2P, IM tools and VoIP and, based on the configured security policy rules, either ensure the proper communication of the applications or perform the specified operations on their traffic, such as monitoring, statistics, traffic control and blocking. By using fragment reassembly and a transport layer proxy, Hillstone devices adapt to complex network environments: they reassemble packets and identify applications effectively even when the application layer data is fragmented and reordered in transit, which ensures that security policies are applied effectively.

Fragment Reassembly

Typically an intermediate network device such as a router or switch does not reassemble the fragmented packets it receives; the destination host reassembles them after all fragments have arrived. Because of the complexity of the network environment, fragments may be dropped or reordered in transit, and reassembly, which has to receive and sort all the fragments, consumes system resources. For the sake of their main function and forwarding efficiency, network devices usually only forward fragments and do not reassemble them. A security device, however, has to analyze application layer information in order to apply security policies: to filter malicious messages that contain potential security risks, or to block intrusion and attack attempts. These decisions can only be made once the device has the complete application layer information. Powered by the transport layer proxy function, StoneOS first buffers, sorts and reassembles the fragmented packets, and then re-encapsulates and forwards the normal data after a complete analysis and identification.

Application Layer Gateway (ALG)

Some applications use multiple channels for data transmission, the widely used FTP among them. In such a case the control channel and the data channel are separate. Under strict security policy control, Hillstone devices set strict limits on each channel, for example, permitting only FTP control connections from the internal network to the external network on the well-known port TCP 21. In FTP active mode the FTP server in the public network initiates the data connection to a random port on the host in the internal network; the device rejects that connection and FTP does not work. This requires Hillstone devices to be intelligent enough to handle the randomness of legitimate applications under strict security policies. For FTP, by analyzing the transmission information of the FTP control channel, Hillstone devices learn the address and port the server and the client have agreed on, and open a temporary channel (a pinhole) when the server initiates the connection to that port of the client, thus assuring the proper operation of FTP.
StoneOS adopts the strictest NAT mode. Some VoIP applications may work improperly after NAT because the IP address and port number change. The ALG mechanism ensures the normal communication of VoIP applications after NAT. The ALG therefore supports the following functions:

l Under strict security policy rules, ensures the normal communication of multi-channel applications, such as FTP, TFTP, PPTP, RTSP, RSH, MSRPC, SUNRPC and SQLNET.

l Ensures the proper operation of VoIP applications such as SIP and H.323 in NAT mode, and performs monitoring and filtering according to the policies.

HTTP, P2P and IM

Powered by the fragment reassembly and transport layer proxy functions, StoneOS supports the
identification and control of 3 main types of applications: HTTP applications, P2P applications
and IM applications. The Hillstone devices can perform various operations like monitoring,
restricting and blocking traffic on each application by creating Profiles. For example:

l Filtering HTTP Java Applets to ensure users are protected from harmful Java Applets.

l Filtering HTTP ActiveX to prevent malicious ActiveX programs from damaging the user's system.

l Identifying, monitoring and blocking P2P applications, like BT, eMule, Thunder, etc.

l Operations on IM tools, such as identifying and controlling IM chatting and file transfer. The
supported IM clients include MSN Messenger, QQ, Yahoo

Configuring ALG
StoneOS allows you to enable or disable ALG per application. Hillstone devices support ALG for the following applications: FTP, HTTP, MSRPC, PPTP, Q.931, RAS, RSH, RTSP, SIP, SQLNetV2, SUNRPC, TFTP, DNS, H323 and XDMCP. You can also specify the H323 session timeout.
To enable or disable the ALG control function for applications, in the global configuration mode, use the following command:
Enable: alg {all | auto | TFTP | FTP | RSH |…}
Disable: no alg {all | auto | TFTP | FTP | RSH | …}

l all – Enables or disables the ALG control function for all the applications.

l auto – Enables or disables the ALG control function based on the result of application identification.

l TFTP | FTP | RSH | … - Enables or disables the ALG control function for the specific application.

Notes: If ALG for HTTP is disabled, the Web content filter function on the device will not work.

ALG supports a strict mode and a non-strict mode. In strict mode, a newly created pinhole uses the same SNAT port as the control session it was negotiated on. Strict mode is enabled by default. To enable the ALG strict mode, use the following command in the global configuration mode:
alg strict-mode

Use the no alg strict-mode command to switch to the non-strict mode. Hillstone recommends enabling the non-strict mode in the following scenarios:

l A third-party pinhole exists.

l SNAT is configured and port expansion is enabled.

l The IP address and port number carried in the payload to negotiate the data session are the same as the IP address and port number of the control session.

To specify the timeout value for the H323 protocol, in global configuration mode, use the following command:
alg h323 session-time time-value

l time-value - Specifies the timeout value for H323. The value range is 60 to 1800 seconds. The default value is 60.

To cancel the specified timeout value, in global configuration mode, use the following command:
no alg h323 session-time

To limit the number of the SIP messages that can be processed per second, use the following com-
mand in the global configuration mode:
Enable: alg sip-message-rate number

l number - Specifies the maximum number of the SIP messages that can be processed per
second. The value is in the range of 1 to 65535.

Disable: no alg sip-message-rate


To enable or disable anomaly detection of the FTP PORT command, in global configuration mode, use the following command:
Enable: alg ftp anomaly-detection
Disable: no alg ftp anomaly-detection
To enable or disable the ALG FTPS function, in global configuration mode, use the following command:
Enable: alg ftp ftps-extension
Disable: no alg ftp ftps-extension
To enable or disable the logging function for HTTP persistent connection requests, in global configuration mode, use the following command:
Enable: alg http persistent connection
Disable: no alg http persistent connection
To view the status and configuration of ALG, in any mode, use the following commands:

l To view if ALG is enabled: show alg

l To view the ALG configuration and status of SIP gateway: show alg sip-capacity
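The FTP handling described in the ALG overview above and the strict-mode and PORT anomaly-detection settings in this section, as an added example that is not part of this guide or of StoneOS: a Python model of an FTP ALG that reads the PORT command on a control session, rewrites it to the translated address, opens a pinhole scoped to the negotiated peer, and in strict mode reuses the control session's SNAT port. The two anomaly checks (the PORT host differs from the control-session client, or PORT asks for a privileged port) are this example's own assumption about what the detection looks for; the guide names the feature but not its rules. The addresses and the control session are constructed.

```python
"""FTP ALG model: PORT rewrite, pinhole, strict mode and anomaly checks (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


@dataclass
class ControlSession:
    client_ip: str      # internal client, before SNAT
    client_port: int
    server_ip: str      # external FTP server
    snat_ip: str        # public address the server sees
    snat_port: int      # SNAT port of the control session


@dataclass
class Pinhole:
    peer_ip: str        # only the negotiated peer may use the hole
    pub_ip: str
    pub_port: int
    client_ip: str
    client_port: int


def parse_port(line: bytes) -> Optional[Tuple[str, int]]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a valid PORT command."""
    m = PORT_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def encode_port(ip: str, port: int) -> bytes:
    return ("PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)).encode()


_next_port = [40000]  # constructed allocator for non-strict mode


def allocate_port() -> int:
    _next_port[0] += 1
    return _next_port[0]


def ftp_alg(sess: ControlSession, line: bytes, strict_mode: bool = True,
            anomaly_detection: bool = True) -> Tuple[bytes, Optional[Pinhole], Optional[str]]:
    """Inspect one control-channel line. Returns (line to forward, pinhole, anomaly)."""
    parsed = parse_port(line)
    if parsed is None:
        return line, None, None  # not a PORT command: pass through unchanged
    ip, port = parsed
    if anomaly_detection:  # assumed checks, see lead-in
        if ip != sess.client_ip:
            return line, None, "PORT host %s differs from control-session client %s" % (ip, sess.client_ip)
        if port < 1024:
            return line, None, "PORT requests privileged data port %d" % port
    # strict mode: the pinhole reuses the control session's SNAT port; otherwise a fresh one
    pub_port = sess.snat_port if strict_mode else allocate_port()
    hole = Pinhole(sess.server_ip, sess.snat_ip, pub_port, sess.client_ip, port)
    return encode_port(sess.snat_ip, pub_port), hole, None


def match_inbound(holes: List[Pinhole], src_ip: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Inbound SYN from src_ip to (dst_ip, dst_port): the internal target, or None if rejected."""
    for h in holes:
        if (h.peer_ip, h.pub_ip, h.pub_port) == (src_ip, dst_ip, dst_port):
            return (h.client_ip, h.client_port)
    return None


# Constructed control session: 10.1.1.5 behind SNAT 202.1.1.3 talking to server 203.0.113.7
EXAMPLE_SESSION = ControlSession("10.1.1.5", 51000, "203.0.113.7", "202.1.1.3", 20001)
```

The server's connection is admitted only if it comes from the peer of the control session to the translated endpoint; a SYN from any other host to the same pinhole is rejected, and a PORT command naming an address other than the client's own (the classic FTP bounce pattern) opens nothing.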

Specifying SIP Proxy Server Mode

The Session Initiation Protocol (SIP) is a communications protocol for signaling and controlling multimedia communication sessions. The most common applications of SIP are Internet telephony for voice and video calls. The media carried by SIP sessions are usually voice, video and text. A SIP proxy server acts as an intermediary when SIP user agent clients make requests. When SIP user agent clients exchange media packets, they can do so with or without a SIP proxy server. To avoid communication errors, the firewall should be set to the mode that matches the actual media transmission path.
In global configuration mode, use the command below to inform the firewall that SIP user agent clients exchange media directly, without a SIP proxy server. This is the default setting on the firewall and ensures normal communication among SIP user agents.
no alg sip media-proxied-by-server

In global configuration mode, use the command below to inform the firewall that SIP user agent clients exchange media packets through the SIP proxy server.
alg sip media-proxied-by-server

Showing ALG SIP

To show ALG SIP information, including whether the firewall treats media as proxied by the SIP server, the maximum SIP message rate, the number of registered clients and the number of busy clients, in any mode, use the following command:
show alg sip

Examples of Configuring Application Layer Identification and Control


This section describes two application layer identification and control examples:

l Example 1: The goal is to strictly restrict internal users' access to TFTP, FTP and RTSP services running on the external network to the well-known ports only, while still ensuring the normal communication of these multi-channel applications.

l Example 2: The goal is to block ActiveX controls and Java applets from the external network.

Configuration Steps for Example 1

Step 1: Restrict service types in security policy rules

The address entry “internal” includes all the IPs of internal clients
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr internal
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service tftp
hostname(config-policy-rule)# service ftp
hostname(config-policy-rule)# service rtsp
hostname(config-policy-rule)# application tftp
hostname(config-policy-rule)# application ftp
hostname(config-policy-rule)# application rtsp
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Step 2: Enable ALG for these applications

hostname(config)# alg tftp

hostname(config)# alg ftp

hostname(config)# alg rtsp

Configuration Steps for Example 2

Step 1: Enable ALG for the HTTP application

hostname(config)# alg http

Step 2: Configure a Profile to control Java applets and ActiveX

hostname(config)# behavior-profile test
hostname(config-bhv-profile)# object active-x deny
hostname(config-bhv-profile)# object java-applet deny
hostname(config-bhv-profile)# exit

hostname(config)#

Step 3: Bind the profile to policy rules

The address entry “internal” includes all the IPs of internal clients
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr internal
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service http
hostname(config-policy-rule)# application http
hostname(config-policy-rule)# behavior test
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#



VLAN
VLAN, the abbreviation for Virtual Local Area Network, is defined in IEEE 802.1Q. A VLAN has the following features:

l A physical LAN can be divided into multiple VLANs, and a VLAN may include devices from multiple physical networks.

l A VLAN is a broadcast domain. Layer 2 packets between VLANs are isolated; communication between VLANs is only possible through Layer 3 routing (routers, Layer 3 switches or other Layer 3 network devices).

VLANs are identified by VLAN numbers. The value range is 1 to 4094. StoneOS reserves 32 VLAN numbers (224 to 255) for BGroup, but the numbers in that range that are not in use by BGroup are still available to VLANs.

Configuring a VLAN
The configurations of VLAN include:

l Creating a VLAN

l Configuring a switch mode and its VLAN

l Creating a VLAN interface

Creating a VLAN

To create one or more VLANs, in the global configuration mode, use the following command:
vlan vlan-list

l vlan-list – Specifies the VLAN ID. The value range is 1 to 4094 (the IDs being used by
BGroup is not available any more).

To delete the specified VLAN, in the global configuration mode, use the following command:
no vlan vlan-list



Configuring a Switch Mode and its VLAN

There are two VLAN switch modes: Access and Trunk.

l An interface in Access mode is designed for terminal users and only allows packets from one VLAN to pass through.

l An interface in Trunk mode is typically used for inter-connections between devices and allows packets from multiple VLANs to pass through. When a Native VLAN is configured, the interface strips the tag from Native VLAN packets it transmits, and tags untagged packets it receives with the Native VLAN.

To configure the switch mode of an interface and the VLAN it belongs to, in the Ethernet interface configuration mode, use the following command:
switchmode {access vlan vlan-id | trunk {vlan vlan-list [native-vlan vlan-id] | native-vlan vlan-id}}

l access vlan vlan-id – Configures the switch mode as Access and specifies the VLAN the
interface belongs to.

l trunk vlan vlan-list [native-vlan vlan-id] – Configures the switch mode as Trunk, and spe-
cifies the VLAN that is allowed to pass through (and the Native VLAN of the interface).

l trunk native-vlan vlan-id – Configures the switch mode as Trunk, and specifies the Native
VLAN of the interface.

Notes: The specified VLAN must exist in the system.

To cancel the configuration, in the Ethernet interface or aggregation interface configuration mode, use the following commands:

l Cancel the switch mode and VLAN configuration of the interface: no switchmode

l Cancel the Trunk switch mode: no switchmode trunk

l Delete VLANs from the list allowed to pass through: no switchmode trunk vlan vlan-list

l Delete the Native VLAN of the interface: no switchmode trunk native-vlan
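The Access and Trunk port behaviour described above, as an added example that is not part of this guide or of StoneOS: a Python model of how a port classifies received frames into a VLAN and tags or untags the frames it transmits, including the Native VLAN handling on a trunk. The port names, VLAN numbers and frames are constructed. The decisions for the cases the text does not spell out (an Access port receiving a tagged frame, a trunk without a Native VLAN receiving an untagged frame) are this example's own assumptions, noted in the code.

```python
"""Access/Trunk port model with 802.1Q tagging and Native VLAN handling (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Frame:
    payload: str
    vlan: Optional[int] = None  # 802.1Q tag; None means the frame is untagged


class SwitchPort:
    """One Ethernet interface in switch mode (Access or Trunk)."""

    def __init__(self, mode: str, vlan: Optional[int] = None,
                 allowed: FrozenSet[int] = frozenset(), native: Optional[int] = None):
        if mode == "access" and vlan is None:
            raise ValueError("access mode needs a VLAN")
        if mode == "trunk" and not allowed and native is None:
            raise ValueError("trunk mode needs a VLAN list or a native VLAN")
        self.mode, self.vlan, self.allowed, self.native = mode, vlan, frozenset(allowed), native

    def classify(self, frame: Frame) -> Optional[int]:
        """VLAN a received frame belongs to, or None if the port drops it."""
        if self.mode == "access":
            # untagged frames belong to the access VLAN; a tagged frame is accepted only if
            # the tag is the access VLAN itself (assumption: other tags are dropped)
            return self.vlan if frame.vlan in (None, self.vlan) else None
        if frame.vlan is None:
            return self.native  # untagged on a trunk: Native VLAN; dropped if none (assumption)
        if frame.vlan in self.allowed or frame.vlan == self.native:
            return frame.vlan
        return None             # tag not allowed on this trunk

    def transmit(self, vlan: int, frame: Frame) -> Optional[Frame]:
        """Frame as it leaves the port for the given VLAN, or None if not forwarded."""
        if self.mode == "access":
            return Frame(frame.payload, None) if vlan == self.vlan else None
        if vlan == self.native:
            return Frame(frame.payload, None)  # Native VLAN leaves untagged
        if vlan in self.allowed:
            return Frame(frame.payload, vlan)  # any other allowed VLAN leaves tagged
        return None


def forward(ingress: SwitchPort, egress: SwitchPort, frame: Frame) -> Optional[Frame]:
    """Layer 2 forwarding between two ports of the device: a frame never leaves its VLAN."""
    vlan = ingress.classify(frame)
    if vlan is None:
        return None
    return egress.transmit(vlan, frame)


# Constructed ports: two access ports and an uplink trunk carrying VLANs 10 and 20, native 20.
ACCESS10 = SwitchPort("access", vlan=10)
ACCESS20 = SwitchPort("access", vlan=20)
TRUNK = SwitchPort("trunk", allowed=frozenset({10, 20}), native=20)
```

Because an untagged frame entering a trunk is classified into the Native VLAN with no tag ever attached, a Native VLAN that also carries user traffic lets anything injected untagged into the trunk reach those users; choosing a Native VLAN that carries no user traffic avoids that.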

Creating a VLAN Interface

VLAN interfaces are Layer 3 interfaces. Each VLAN corresponds to one VLAN interface, and VLAN interfaces allow Layer 3 communication among VLANs. To create a VLAN interface, in the global configuration mode, use the following command:
interface vlanid

l id – Specifies the VLAN ID for the VLAN interface. After executing the command, the system creates the specified VLAN interface and enters VLAN interface configuration mode; if the specified VLAN interface already exists, the system directly enters the VLAN interface configuration mode.

To delete the specified VLAN interface, in the global configuration mode, use the command no interface vlanid.

Viewing VLAN Configuration


To view the VLAN and VLAN interface configuration, in any mode, use the following com-
mands:

l show vlan [vlan-id]

l show vlan port interface-name

l show interface vlanid



Super-VLAN
Super-VLAN, also known as VLAN aggregation, allows network devices that belong to different VLANs in one physical switching network to be allocated to one IPv4 subnet and share one default gateway, which optimizes IP address allocation.
A super-VLAN may include multiple sub-VLANs and can be configured with a Layer 3 interface IP address. Once a common VLAN is added to a super-VLAN, it automatically becomes a sub-VLAN. Each sub-VLAN is an independent broadcast domain and cannot be configured with a Layer 3 interface IP address. Layer 2 packets between different sub-VLANs are isolated. If a device in a sub-VLAN requires Layer 3 communication, it uses the Layer 3 interface IP address of the corresponding super-VLAN as its default gateway address. Multiple VLANs can therefore share one IP address, saving IP address resources. The relationship between super-VLAN, sub-VLANs and interfaces is shown in the figure below.

As shown above, one super-VLAN may include multiple sub-VLANs, while one sub-VLAN corresponds to only one super-VLAN; one sub-VLAN may include multiple interfaces, and one interface can be bound to multiple sub-VLANs (VLANs).

Configuring a Super-VLAN
The configurations of a Super-VLAN include:

l Creating a super-VLAN

l Adding a super-VLAN interface

l Adding a sub-VLAN

Creating a Super-VLAN

To create a super-VLAN, in the global configuration mode, use the following command:
supervlan supervlanX

l X – Specifies the ID of the super-VLAN. The value range of X varies between platforms.

After executing the above command, the system enters the super-VLAN configuration mode.
To delete the specified super-VLAN, in the global configuration mode, use the following command:
no supervlan supervlanX

Adding a Super-VLAN Interface

The super-VLAN interface is a Layer 3 interface. One super-VLAN corresponds to one super-VLAN interface. Layer 3 communication between different sub-VLANs is implemented over the corresponding super-VLAN interface. To create a super-VLAN interface, in the global configuration mode, use the following command:
interface supervlanX

l X – Specifies the ID of the super-VLAN. The command creates a super-VLAN interface with the specified ID and enters the super-VLAN interface configuration mode; if the specified super-VLAN interface already exists, the system directly enters the super-VLAN interface configuration mode. The value range of X varies between platforms.

To delete the specified super-VLAN interface, in the global configuration mode, use the command no interface supervlanX.



Adding a Sub-VLAN

To add a sub-VLAN to the super-VLAN, in the super-VLAN configuration mode, use the fol-
lowing command:
subvlan vlan-list

l vlan-list – Specifies the ID or ID range (e.g., 2-4) of the sub-VLAN. The value range is 1 to
4094.

To delete the specified sub-VLAN from the super-VLAN, in the super-VLAN configuration
mode, use the command no subvlan vlan-list.

Viewing Super-VLAN Configuration


To view the super-VLAN and super-VLAN interface configuration, in any mode, use the fol-
lowing commands:

l show supervlan

l show supervlan supervlanX



RSTP
RSTP, the abbreviation for Rapid Spanning Tree Protocol, is defined in IEEE 802.1D-2004 as the enhancement and successor of STP (802.1D). The protocol provides faster spanning tree convergence after a topology change.
RSTP is a solution for looped networks: it blocks redundant links to avoid broadcast storms. When a link in the network fails, a redundant link quickly switches to the forwarding state so that traffic is not interrupted. The root of the rapid spanning tree is known as the root bridge. The root bridge is selected autonomously among the network devices by comparing bridge priorities (the smaller the value, the higher the priority; equal priorities are decided by the lower bridge MAC address). On the other devices, the port farthest from the root bridge (the one with the largest path cost) is blocked, and the link on that port becomes the redundant link.

Configuring RSTP
The configurations of RSTP include:

l Creating RSTP

l Enabling RSTP

l Configuring the bridge priority

l Configuring the Hello interval

l Configuring the Forward Delay time

l Configuring the maximum age of BPDU message

l Enabling RSTP on an interface

l Configuring the RSTP priority on an interface

l Configuring the RSTP cost on an interface



Creating RSTP

To create RSTP and enter the RSTP configuration mode, in the global configuration mode, use the following command:
stp

The command creates RSTP and enters the RSTP configuration mode; if RSTP already exists, the system directly enters the RSTP configuration mode.
To delete RSTP, in the global configuration mode, use the command no stp.

Enabling RSTP on the Device

The RSTP function has a global switch. You need to enable both the global switch and the interface RSTP switch; together they control the RSTP function. By default, RSTP is disabled on the device. To enable RSTP, in the RSTP configuration mode, use the following command:
enable

To disable RSTP, in the RSTP configuration mode, use the command no enable.

Enabling RSTP on an Interface

By default, RSTP on an interface is disabled. To enable RSTP on an interface, in the Ethernet interface or aggregate interface configuration mode, use the following command:
stp enable

To disable RSTP on an interface, in the Ethernet interface or aggregate interface configuration mode, use the following command:
no stp enable

Configuring the Bridge Priority

To configure the bridge priority, in the RSTP configuration mode, use the following command:
bridge priority value

l value – Specifies the bridge priority. The value must be an integer multiple of 4096. The value range is 0 to 61440. The default value is 32768.

To restore the default bridge priority, in the RSTP configuration mode, use the following command:
no bridge priority

Configuring the Hello Interval

Hello packets are used to confirm whether the link between devices is normal. The Hello interval specifies how often the device sends a Hello packet. To configure the Hello interval, in the RSTP configuration mode, use the following command:
hello seconds

l seconds – Specifies the Hello interval. The value range is 1 to 10 seconds. The default value is 2.

To restore the default Hello interval, in the RSTP configuration mode, use the following command:
no hello

Configuring the Forward Delay Time

When a link fails, the system recalculates the spanning tree. The new BPDU (Bridge Protocol Data Unit, the message bridges exchange) configuration information cannot spread through the whole network immediately, so if data transmission started too early it could cause a temporary loop. To avoid this, RSTP defines a forwarding delay timer, the forward delay time.
To configure the forward delay time, in the RSTP configuration mode, use the following command:
forward-delay value

l value – Specifies the forward delay time. The value range is 4 to 30 seconds. The default value is 15.

To restore the default forward delay time, in the RSTP configuration mode, use the following command:
no forward-delay

Configuring the Maximum Age of BPDU Message

The maximum age of a BPDU message is the lifetime of the message on the device. When the lifetime runs out, the BPDU message is discarded.
To configure the maximum age of BPDU messages, in the RSTP configuration mode, use the following command:
maximum-age value

l value – Specifies the maximum age of BPDU messages. The value range is 6 to 40 seconds. The default value is 20.

To restore the default maximum age, in the RSTP configuration mode, use the following command:
no maximum-age

Configuring the RSTP Priority on an Interface

To configure the RSTP priority on an interface, in the Ethernet interface or aggregate interface configuration mode, use the following command:
stp priority value

l value – Specifies the RSTP priority of the current interface. The value must be an integer multiple of 16. The value range is 0 to 240. The default value is 128.

To restore the default RSTP priority, in the Ethernet interface or aggregate interface configuration mode, use the following command:
no stp priority



Configuring the RSTP Cost on an Interface

To configure the RSTP cost on an interface, in the Ethernet interface or aggregate interface configuration mode, use the following command:
stp cost value

l value – Specifies the RSTP cost of the interface. The value range is 1 to 200000000. If this parameter is not specified, the system calculates a value based on the interface type (single interface or aggregate interface), speed (10Mbps, 100Mbps or 1000Mbps) and duplex status (full-duplex or half-duplex).

To restore the default RSTP cost (calculated from the above factors), in the Ethernet interface or aggregate interface configuration mode, use the following command:
no stp cost

Viewing RSTP Configuration


To view the RSTP configuration information, in any mode, use the following command:
show stp [port interface-name]

Configuration Example
This section describes an RSTP example.

Requirement

As shown below, the Hillstone device acts as the gateway and is connected to the Internet. The requirement is to enable STP on the switches and on the device to implement Layer 2 link redundancy, so that when the link between Switch1 (or Switch2) and the Hillstone device fails, the PC in the LAN is still able to access the Internet.



Configuration Steps

First, ensure that STP on Switch1 and Switch2 functions properly, and then take the following steps:
Step 1: Create VLAN 1, and add ethernet0/1 and ethernet0/3 to VLAN 1

hostname(config)# vlan 1
hostname(config-vlan)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# switchmode access vlan 1
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/3
hostname(config-if-eth0/3)# switchmode access vlan 1
hostname(config-if-eth0/3)# exit
hostname(config)#

Step 2: Create the VLAN interface vlan1, bind it to the zone trust and configure its IP address

hostname(config)# interface vlan1
hostname(config-if-vla1)# zone trust
hostname(config-if-vla1)# ip address 192.168.1.1 255.255.255.0
hostname(config-if-vla1)# exit
hostname(config)#

Step 3: ethernet0/0 belongs to the zone untrust. Configure the policy rules between trust and untrust. Only the trust-to-untrust rule is needed for the PC to reach the Internet; the untrust-to-trust rule below permits any inbound traffic into the LAN and should be restricted to the services actually required, or omitted, in a production deployment.

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Step 4: Create the RSTP instance, configure the necessary parameters, and enable RSTP

hostname(config)# stp
hostname(config-stp)# bridge priority 0
hostname(config-stp)# enable
hostname(config-stp)# exit
hostname(config)#



Wireless Access Mode

Introduction
SG-6000-E1100 (WLAN version), SG-6000-E1100 (3G version), SG-6000-E1100 (WLAN+3G version) and SG-6000-A200W (WLAN version) support wireless access mode, through which users access the network wirelessly. This chapter introduces the following functions:

l "WLAN" on Page 277

l "3G/4G" on Page 295

WLAN
A WLAN (Wireless Local Area Network) is a local area network that uses a wireless channel as its medium. A WLAN is an important supplement to and extension of the wired LAN. By configuring the WLAN function, you can establish a wireless local area network and allow users to access the LAN wirelessly.

Configuring WLAN Settings

A WLAN Profile is a set of WLAN settings. To implement the WLAN function, configure a WLAN Profile and then apply the configured WLAN Profile to a WLAN interface. One WLAN Profile can be applied to only one WLAN interface. The WLAN settings consist of the following parts:

l Enabling the WLAN function.

l Creating and configuring the WLAN Profile. The WLAN Profile contains the corresponding
attributes of wireless service, including SSID, enabling/disabling SSID broadcast, security
mode, authentication encryption method, user isolation, maximum user numbers, and authen-
tication server.



l Binding the WLAN Profile to the WLAN interface. After binding the WLAN Profile to the
WLAN interface successfully, the WLAN function can take effect.

l Configuring the global parameters of WLAN function, such as country/region code, wireless
mode, channel, maximum transmission power, wireless multimedia.

Enabling WLAN Function

By default, the WLAN function is enabled. Use wlan to enter the WLAN configuration mode. To enable the WLAN function, use the following command in the WLAN configuration mode:
wlan enable

To disable the WLAN function, use the following command:
no wlan enable

Creating WLAN Profile

To create a WLAN Profile, use the following command in the global configuration mode:
wlan-profile number

l number – Specifies the number of the WLAN Profile. After this command is executed, the system creates the WLAN Profile with the specified number and enters the WLAN Profile configuration mode. If the number already exists, the system enters the WLAN Profile configuration mode directly. The value ranges from 0 to 3, so up to 4 WLAN Profiles can be created.

To delete a WLAN Profile, use the following command in the global configuration mode:
no wlan-profile number

Configuring SSID

SSID (Service Set Identifier) is the name of the WLAN, which is used to distinguish among dif-
ferent networks.
To configure SSID, use the following command in the WLAN Profile configuration mode:



ssid ssid-name

l ssid-name – Specifies the name of the WLAN.

To delete the SSID in the WLAN Profile, use the following command in the WLAN Profile configuration mode:
no ssid

Enabling/Disabling SSID Broadcast

After SSID broadcast is enabled, clients can discover the WLAN in a scan; after it is disabled, the name is not announced in beacons and clients must know it to connect. Hiding the SSID is not a security measure: the name still travels in clear text in client probe and association frames. By default, SSID broadcast is enabled.
To enable SSID broadcast, use the following command in the WLAN Profile configuration mode:
broadcast enable

To disable SSID broadcast, use the following command in the WLAN Profile configuration mode:
no broadcast enable

Configuring Security Mode and Authentication Encryption Method

To configure the security mode and authentication encryption method, use the following command in the WLAN Profile configuration mode:
security {none | wep authentication {open-system | shared-key} {wep40 | wep104} {pass-phrase | raw-key} key | {wpa | wpa2 | wpa-wpa2 | wpa-psk | wpa2-psk | wpa-wpa2-psk | mac-psk} encryption {tkip | ccmp | tkip-ccmp} [pre-shared-key {pass-phrase | raw-key} psk]}

l none – No authentication and no encryption (an open network).

l wep authentication {open-system | shared-key} {wep40 | wep104} {pass-phrase | raw-key} key – Specifies the security mode as WEP (Wired Equivalent Privacy). WEP is cryptographically broken and should be used only for legacy clients that support nothing better.

    l open-system | shared-key – Specifies the authentication mode: open system authentication (open-system) or shared key authentication (shared-key).

    l wep40 | wep104 – Specifies the key length.

    l {pass-phrase | raw-key} key – Specifies the key form and the key value. pass-phrase uses a character string as the key and raw-key uses a hexadecimal string as the key. The key length for each combination is as follows: wep40 pass-phrase (5 characters), wep40 raw-key (10 hexadecimal digits), wep104 pass-phrase (13 characters), wep104 raw-key (26 hexadecimal digits).

l {wpa | wpa2 | wpa-wpa2 | wpa-psk | wpa2-psk | wpa-wpa2-psk | mac-psk} encryption {tkip | ccmp | tkip-ccmp} – Specifies the security mode: WPA, WPA2, WPA-WPA2, WPA-PSK, WPA2-PSK, WPA-WPA2-PSK, or MAC-PSK.

    l wpa | wpa2 | wpa-wpa2 – WPA, WPA2, and WPA-WPA2 use 802.1X authentication. WPA-WPA2 accepts both WPA and WPA2 clients.

    l wpa-psk | wpa2-psk | wpa-wpa2-psk – WPA-PSK, WPA2-PSK, and WPA-WPA2-PSK use pre-shared key authentication. WPA-WPA2-PSK accepts both WPA-PSK and WPA2-PSK clients.

    l mac-psk – MAC-PSK combines MAC address authentication with WPA-WPA2-PSK authentication.

    l tkip | ccmp | tkip-ccmp – Specifies the data encryption method. ccmp (AES) is the more secure option; tkip-ccmp offers wider compatibility with old clients at the cost of allowing the deprecated TKIP cipher. Hillstone recommends ccmp.

l pre-shared-key {pass-phrase | raw-key} psk – Specifies the form and value of the pre-shared key. The key length for each form is as follows: pass-phrase (8-63 characters), raw-key (64 hexadecimal digits).



Notes: When using the WPA, WPA2, WPA-WPA2, or MAC-PSK method, you
must specify the authentication server for the authentication task.
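The following Python script is an added example and is not part of this guide or of StoneOS. It checks a profile's security line against the key-form and key-length rules above, flags WEP, TKIP and a missing authentication server, and shows how a pass-phrase maps to the 64-hex raw-key form using the standard IEEE 802.11i derivation (PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds, 32 bytes). That the device's raw-key is exactly this PMK is an assumption; the guide only states its length. All function and variable names are the example's own.

```python
"""Audit a WLAN Profile 'security' line against the key-length rules of the
guide and derive the raw-key form of a WPA/WPA2 pre-shared key.

Added example, not StoneOS code. Key lengths and the "authentication server
required" rule come from the command description; the pass-phrase -> raw-key
derivation is the IEEE 802.11i PBKDF2 rule (assumed to be what raw-key holds).
"""
import hashlib
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Required key lengths from the guide, keyed by (WEP key size, key form).
WEP_KEY_LENGTHS = {
    ("wep40", "pass-phrase"): 5,
    ("wep40", "raw-key"): 10,
    ("wep104", "pass-phrase"): 13,
    ("wep104", "raw-key"): 26,
}
PSK_MODES = {"wpa-psk", "wpa2-psk", "wpa-wpa2-psk", "mac-psk"}
SERVER_MODES = {"wpa", "wpa2", "wpa-wpa2", "mac-psk"}   # need radius-server


def check_wep(wep_size, key_form, key):
    """Findings for a WEP key. WEP is always flagged: RC4-based WEP is broken."""
    findings = ["WEP is cryptographically broken; use wpa2-psk/ccmp or 802.1X"]
    want = WEP_KEY_LENGTHS.get((wep_size, key_form))
    if want is None:
        findings.append(f"unknown WEP key size/form {wep_size} {key_form}")
    elif len(key) != want:
        findings.append(f"{wep_size} {key_form} needs {want} characters, got {len(key)}")
    if key_form == "raw-key" and not HEX_RE.match(key):
        findings.append("raw-key must be hexadecimal")
    return findings


def check_wpa(mode, encryption, key_form=None, key=None, radius_server=None):
    """Findings for a WPA/WPA2 mode. An empty list means accepted with no warnings."""
    findings = []
    if encryption != "ccmp":
        findings.append(f"encryption {encryption}: ccmp is recommended, TKIP is deprecated")
    if mode in PSK_MODES:
        if key is None:
            findings.append(f"{mode} needs pre-shared-key")
        elif key_form == "pass-phrase" and not 8 <= len(key) <= 63:
            findings.append(f"pass-phrase needs 8-63 characters, got {len(key)}")
        elif key_form == "raw-key" and (len(key) != 64 or not HEX_RE.match(key)):
            findings.append("raw-key needs 64 hexadecimal digits")
    if mode in SERVER_MODES and radius_server is None:
        findings.append(f"{mode} needs an authentication server (radius-server)")
    return findings


def audit_security_line(line, radius_server=None):
    """Parse one 'security ...' line in the syntax shown above and return findings."""
    t = line.split()
    if len(t) < 2 or t[0] != "security":
        return ["not a security command"]
    if t[1] == "none":
        return ["open network: no authentication and no encryption"]
    if t[1] == "wep":
        # security wep authentication {open-system|shared-key} {wep40|wep104} {pass-phrase|raw-key} key
        if len(t) != 7 or t[2] != "authentication":
            return ["malformed wep command"]
        return check_wep(t[4], t[5], t[6])
    # security <mode> encryption <method> [pre-shared-key {pass-phrase|raw-key} psk]
    if len(t) not in (4, 7) or t[2] != "encryption":
        return ["malformed command"]
    key_form = key = None
    if len(t) == 7:
        if t[4] != "pre-shared-key":
            return ["malformed command"]
        key_form, key = t[5], t[6]
    return check_wpa(t[1], t[3], key_form, key, radius_server)


def wpa_pmk_hex(ssid, passphrase):
    """Standard WPA/WPA2 PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


if __name__ == "__main__":
    # The guide's own example profile: SSID test, wpa2-psk/ccmp, pass-phrase hillstone123.
    print(audit_security_line("security wpa2-psk encryption ccmp pre-shared-key pass-phrase hillstone123"))
    print("raw-key equivalent:", wpa_pmk_hex("test", "hillstone123"))
    print(audit_security_line("security wep authentication open-system wep40 pass-phrase abcd"))
    print(audit_security_line("security wpa2 encryption tkip-ccmp"))
```

Because the raw-key form is the already-derived 256-bit key, a leaked configuration backup containing it is as sensitive as the pass-phrase itself; treat both as secrets.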

Enabling/Disabling User Isolation

After user isolation is enabled, users within one WLAN cannot reach each other, which improves security between clients. By default, user isolation is disabled. To enable user isolation, use the following command in the WLAN Profile configuration mode:
station-isolation enable

To disable it, use the following command in the WLAN Profile configuration mode:
no station-isolation enable

Configuring Maximum User Numbers

To specify the maximum number of users allowed to access this WLAN, use the following command in the WLAN Profile configuration mode:
station-max-number number

l number – Specifies the maximum number of users allowed. The value ranges from 1 to 128, and the default value is 64.

To restore the default value, use the following command:
no station-max-number

Specifying the Authentication Server

When the security mode is WPA, WPA2, WPA-WPA2, or MAC-PSK, you must select a configured AAA server as the authentication server for user identification. Use the following command in the WLAN Profile configuration mode to select the AAA server:
radius-server server-name

l server-name – Specifies the name of the configured AAA server. When the security mode is WPA, WPA2, or WPA-WPA2, the system supports only a RADIUS server. When the security mode is MAC-PSK, the system supports the local authentication server and a RADIUS server, and the username and password must be the client's MAC address.

To delete the specified authentication server, use the following command in the WLAN Profile configuration mode:
no radius-server server-name

Binding the WLAN Profile to a WLAN Interface

The WLAN function takes effect only after you bind a WLAN Profile to a WLAN interface. To bind a WLAN Profile to a WLAN interface, use the following command in the interface configuration mode:
wlan-profile number

l number – Specifies the number of the WLAN Profile to bind to the current WLAN interface. After this command is executed, the system binds the WLAN Profile with the specified number to the WLAN interface.

To cancel the binding, use the following command in the interface configuration mode:
no wlan-profile

Configuring Global Parameters

The following sections introduce the global parameters of WLAN.

Configuring the Country/Region Code

Different countries and regions regulate RF use differently. The country/region code determines the available frequency range, the channels, and the permitted transmit power. To configure the country/region code, use the following command in the WLAN configuration mode:
country-zone-code code



l code – Specifies the country/region code. There are 133 country/region codes. The default value is US. See the table below:

Country/Region Code   Country/Region
AL   Albania
DZ   Algeria
AR   Argentina
AM   Armenia
AW   Aruba
AU   Australia
AT   Austria
AZ   Azerbaijan
BS   Bahamas
BH   Bahrain
BD   Bangladesh
BB   Barbados
BY   Belarus
BE   Belgium
BZ   Belize
BM   Bermuda
BO   Bolivia
BA   Bosnia and Herzegovina
BR   Brazil
BN   Brunei
BG   Bulgaria
KH   Cambodia
CA   Canada
CL   Chile
CN   China
CO   Colombia
CR   Costa Rica
HR   Croatia
CY   Cyprus
CZ   Czech Republic
DK   Denmark
DO   Dominican Republic
EC   Ecuador
EG   Egypt
SV   El Salvador
EE   Estonia
FI   Finland
FR   France
GF   French Guiana
PF   French Polynesia
GE   Georgia
DE   Germany
GR   Greece
GL   Greenland
GD   Grenada
GP   Guadeloupe
GU   Guam
GT   Guatemala
HT   Haiti
HN   Honduras
HK   Hong Kong
HU   Hungary
IS   Iceland
IN   India
ID   Indonesia
IR   Iran
IE   Ireland
IL   Israel
IT   Italy
JM   Jamaica
JP   Japan
JO   Jordan
KZ   Kazakhstan
KE   Kenya
KP   North Korea
KR   South Korea
KW   Kuwait
LV   Latvia
LB   Lebanon
LI   Liechtenstein
LT   Lithuania
LU   Luxembourg
MO   Macao
MK   Macedonia
MW   Malawi
MY   Malaysia
MT   Malta
MQ   Martinique
MU   Mauritius
YT   Mayotte
MX   Mexico
MC   Monaco
MA   Morocco
NP   Nepal
NL   Netherlands
AN   Netherlands Antilles
NZ   New Zealand
NI   Nicaragua
NO   Norway
OM   Oman
PK   Pakistan
PA   Panama
PG   Papua New Guinea
PY   Paraguay
PE   Peru
PH   Philippines
PL   Poland
PT   Portugal
PR   Puerto Rico
QA   Qatar
RE   Reunion
RO   Romania
RU   Russia
RW   Rwanda
SA   Saudi Arabia
RS   Serbia
ME   Montenegro
SG   Singapore
SK   Slovakia
SI   Slovenia
ZA   South Africa
ES   Spain
LK   Sri Lanka
SE   Sweden
CH   Switzerland
SY   Syria
TW   Taiwan
TZ   Tanzania
TH   Thailand
TT   Trinidad and Tobago
TN   Tunisia
TR   Turkey
UG   Uganda
UA   Ukraine
AE   United Arab Emirates
GB   United Kingdom
US   United States
UY   Uruguay
UZ   Uzbekistan
VE   Venezuela
VN   Vietnam
YE   Yemen
ZW   Zimbabwe

To restore the default value, use the following command in the WLAN configuration mode:
no country-zone-code

Configuring the Operation Mode

To configure the operation mode, use the following command in the WLAN configuration mode:
radio-type {dot11a | dot11an | dot11b | dot11bgn | dot11g | dot11ac}

l dot11a – Specifies the operation mode as dot11a: the interface works in 802.11a mode.

l dot11an – Specifies the operation mode as dot11an: the interface works in 802.11n mode on 5 GHz.

l dot11b – Specifies the operation mode as dot11b: the interface works in 802.11b mode.

l dot11bgn – Specifies the operation mode as dot11bgn: the interface works in 802.11n mode on 2.4 GHz.

l dot11g – Specifies the operation mode as dot11g: the interface works in 802.11g mode.

l dot11ac – Specifies the operation mode as dot11ac: the interface works in 802.11ac mode on 5 GHz (only supported by SG-6000-A200W).

Configuring the Channel

The channels available for selection vary with the country/region code and RF type. To configure the channel, use the following command in the WLAN configuration mode:
channel {auto | channel-number}

l auto – Lets the system select the channel automatically. After the country/region code or the operation mode is changed, the system selects the channel automatically.

l channel-number – Specifies the channel number.

Specifying the Maximum Transmit Power

The SG-6000-A200W does not support configuring the maximum transmit power; it always uses 100% of the maximum transmit power. The maximum transmit power varies with the country/region code and RF type. By default there are four levels: 12.5%, 25%, 50%, and 100% of the maximum transmit power. To configure the maximum transmit power, use the following command in the WLAN configuration mode:
power-management level {1 | 2 | 3 | 4}

l 1 – 12.5% of the maximum transmit power.

l 2 – 25% of the maximum transmit power.

l 3 – 50% of the maximum transmit power.

l 4 – 100% of the maximum transmit power.



Enabling/Disabling Wireless Multimedia Function

After the wireless multimedia function is enabled, the system raises the transmission priority of multimedia traffic such as audio and video. By default, the wireless multimedia function is enabled. To enable this function, use the following command in the WLAN configuration mode:
wmm enable

To disable this function, use the following command:
no wmm enable

Viewing WLAN Settings

To view the WLAN settings, use the following show commands in any mode:

l View the configuration of a WLAN Profile: show wlan-profile number

l View information about WLAN stations: show wlan-station [interface interface-name] [mac mac-address]

l View the global parameters: show wlan

WLAN Configuration Example

This section describes a WLAN configuration example.

Requirement

Create a WLAN on the Hillstone device so that users can access the LAN wirelessly. The Hillstone device works in routing mode, ethernet0/1 dials up over PPPoE, and the device provides a WLAN whose SSID is test.



Configuration Steps

Step 1: Configure a DHCP address pool and a PPPoE instance

#Create a DHCP address pool
hostname(config)# dhcp-server pool wlan_pool
hostname(config-dhcp-server)# address 192.168.2.2 192.168.2.254
hostname(config-dhcp-server)# netmask 255.255.255.0
hostname(config-dhcp-server)# gateway 192.168.2.1
hostname(config-dhcp-server)# dns 192.168.2.1
hostname(config-dhcp-server)# exit

#Create a PPPoE instance
hostname(config)# pppoe-client group pppoe1
hostname(config-pppoe-group)# auto-connect 10
hostname(config-pppoe-group)# idle-interval 5
hostname(config-pppoe-group)# user user1 password 123456
hostname(config-pppoe-group)# exit
hostname(config)#

Step 2: Configure the interfaces and security zones

hostname(config)# interface wlan0/1
hostname(config-if-wla0/1)# zone trust
hostname(config-if-wla0/1)# ip address 192.168.2.1/24
hostname(config-if-wla0/1)# dhcp-server enable pool wlan_pool
hostname(config-if-wla0/1)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address pppoe setroute
hostname(config-if-eth0/1)# pppoe enable group pppoe1
hostname(config-if-eth0/1)# exit
hostname(config)#

Step 3: Configure the DNS proxy

hostname(config)# dns-proxy rule
hostname(config-dns-proxy-rule)# ingress-interface wla0/1
hostname(config-dns-proxy-rule)# src-addr any
hostname(config-dns-proxy-rule)# dst-addr any
hostname(config-dns-proxy-rule)# domain any
hostname(config-dns-proxy-rule)# action proxy
#202.106.1.1 is the real DNS server
hostname(config-dns-proxy-rule)# name-server 202.106.1.1
hostname(config-dns-proxy-rule)# exit
hostname(config)# interface wla0/1
hostname(config-if-wla0/1)# dns-proxy
hostname(config-if-wla0/1)# exit

Step 4: Configure the SNAT rule

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# snatrule id 1 from any to any eif ethernet0/1 trans-to eif-ip mode dynamicport sticky
rule id=1
hostname(config-vrouter)# exit
hostname(config)#

Step 5: Configure the policy rule

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config)#

Step 6: Enable the WLAN function (it is enabled by default)

hostname(config)# wlan
hostname(config-wlan)# wlan enable
hostname(config-wlan)# exit
hostname(config)#

Step 7: Create the WLAN Profile, using one of the two options below

#Option A: security mode WPA2-PSK, encryption method CCMP, pre-shared key hillstone123
hostname(config)# wlan-profile 0
hostname(config-wlan-profile)# ssid test
hostname(config-wlan-profile)# security wpa2-psk encryption ccmp pre-shared-key pass-phrase hillstone123
hostname(config-wlan-profile)# exit
hostname(config)#

#Option B: security mode WPA2, encryption method CCMP, authentication server radius1 at 202.10.1.2
hostname(config)# aaa-server radius1 type radius
hostname(config-aaa-server)# host 202.10.1.2
hostname(config-aaa-server)# secret 123456
hostname(config-aaa-server)# exit
hostname(config)# wlan-profile 0
hostname(config-wlan-profile)# ssid test
hostname(config-wlan-profile)# security wpa2 encryption ccmp
hostname(config-wlan-profile)# radius-server radius1
hostname(config-wlan-profile)# exit
hostname(config)#

Step 8: Bind the WLAN Profile to the WLAN interface

hostname(config)# interface wlan0/1
hostname(config-if-wla0/1)# wlan-profile 0
hostname(config-if-wla0/1)# exit
hostname(config)#

3G/4G
3G and 4G mobile networks provide high-speed data transmission. By configuring the 3G/4G function, users can access the Internet over the cellular network.



The 3G/4G function requires ISP support. Before configuring it, purchase a SIM card from the ISP, enable the data service, obtain the 3G/4G parameters from the ISP (access point name, username, password, and dial-up string), and install the SIM card correctly.

Configuring 3G/4G Function

Configuring 3G/4G function includes the following items:

l Configuring basic parameters

l Managing the PIN code

Configuring Basic Parameters

You can configure the following basic parameters:

l Configuring the access point name

l Enabling/disabling the 3G/4G function

l Specifying the connection mode

l Configuring the dial-up string

l Specifying the verification method

l Specifying the route distance and weight

l Specifying the static IP

l Specifying the user information

l Configuring the schedule

l Manually connect/disconnect the 3G/4G connection



Configuring the Access Point Name

Before the 3G/4G dial-up, you must configure the APN (access point name). Obtain the APN value from the ISP. To configure the APN, use the following command in the SIM card configuration mode:
apn apn-name

l apn-name – Specifies the access point name.

In the SIM card configuration mode, use the following command to delete the APN configuration:
no apn

Tip: To enter the SIM card configuration mode, use the sim command.

Enabling/Disabling the 3G/4G Function

By default, the 3G/4G function is enabled. After enabling the 3G/4G function, the system can
trigger the 3G/4G dial-up. To enable the 3G/4G function, use the following command in the
3G/4G (cellular) interface configuration mode:
cellular enable
To disable the 3G/4G function, use the following command in the 3G/4G (cellular) interface
configuration mode:
cellular disable

Tip: To enter the 3G/4G (cellular) interface configuration mode, use the com-
mand interface cellular0/0.



Specifying the Connection Mode

You can specify the connection mode for the 3G/4G network: 2G (GSM), 3G (WCDMA, CDMA2000, TD-SCDMA), 4G (FDD-LTE, TDD-LTE), or auto-adaption. By default, the system uses auto-adaption mode. To specify the connection mode, use the following command in the 3G/4G (cellular) interface configuration mode:
connect-mode {2G-only | 3G-only | 4G-only | auto}

l 2G-only – Uses the 2G network.

l 3G-only – Uses the 3G network.

l 4G-only – Uses the 4G network.

l auto – Uses auto-adaption mode.

In the 3G/4G (cellular) interface configuration mode, use the following command to restore the default connection mode:
no connect-mode

Configuring the Dial-up String

Ask your ISP for the dial-up string. To configure the dial-up string, use the following command in the 3G/4G (cellular) interface configuration mode:
dial dial-number

l dial-number – Specifies the dial-up number. The value is 1 to 31 characters long.

To restore the default dial-up number, use the following command in the 3G/4G (cellular) interface configuration mode:
no dial

Specifying the Verification Method

When the 3G/4G dial-up establishes the connection, it must pass PPP authentication. The device supports the following authentication methods: CHAP, PAP, and Any. To specify the authentication method, use the following command in the 3G/4G (cellular) interface configuration mode:
ppp authentication {chap | pap | any}

l chap – Uses CHAP.

l pap – Uses PAP. PAP sends the password in clear text over the PPP link; prefer chap where the ISP supports it.

l any – Accepts whichever of CHAP or PAP the ISP negotiates. any is the default option.

To restore the default authentication method, use the command no ppp authentication.

Specifying the Route Distance and Weight

To specify the route distance and weight, use the following command in the 3G/4G (cellular) interface configuration mode:
ppp route {distance value | weight value}

l distance value – Specifies the route distance. The value ranges from 1 to 255. The default value is 1.

l weight value – Specifies the route weight. The value ranges from 1 to 255. The default value is 1.

To restore the default values, use the following command:
no ppp route {distance | weight}

Specifying the Static IP Address

You can specify a static IP address and negotiate to use it, which avoids the IP address changing. To specify a static IP address, use the following command in the 3G/4G (cellular) interface configuration mode:
ppp static-ip ip-address

l ip-address – Specifies the static IP address.

To cancel the static IP address setting, use the following command:
no ppp static-ip

Specifying the Online Mode

3G/4G dial-up has two online modes:

l Redial automatically: when the 3G/4G connection is dropped for any reason and stays down for the specified length of time, the system redials automatically.

l Hang up after a specified idle time: when the 3G/4G (cellular) interface has been idle for the specified time, the system disconnects the 3G/4G connection.

The two modes cannot be used at the same time. If no schedule is configured, the system uses the "hang up after a specified idle time" mode by default.
In the "redial automatically" mode, to specify the time between redial attempts, use the following command in the 3G/4G (cellular) interface configuration mode:
ppp redial-option auto-connect time

l time – Specifies the time (in seconds) between redial attempts. The value ranges from 0 to 10000 seconds. The default value is 0, which means the "redial automatically" mode is not used.

In the "hang up after a specified idle time" mode, to specify the idle time before hanging up, use the following command in the 3G/4G (cellular) interface configuration mode:
ppp redial-option idle-interval time

l time – Specifies the idle time (in seconds) before hanging up. The value ranges from 0 to 10000 seconds. The default value is 0, which means the "hang up after a specified idle time" mode is not used.

Use the no ppp redial-option command to restore the default setting.



Specifying the User Information

Obtain the 3G/4G username and password from the ISP. To specify the user information, use the following command in the 3G/4G (cellular) interface configuration mode:
ppp user user-name password password

l user-name – Specifies the 3G/4G username.

l password – Specifies the corresponding password.

Use the following command to cancel the 3G/4G user information:
no ppp user

Configuring the Schedule

The device supports schedules. You can specify a schedule entry to keep the 3G/4G (cellular) interface connected, or disconnected, during the specified time period. To configure the schedule, use the following command in the 3G/4G (cellular) interface configuration mode:
ppp schedule schedule-name [connect | disconnect]

l schedule-name – Specifies the name of the schedule entry.

l connect – The system uses the "on-demand dial-up" mode to connect to the Internet during the period specified by the schedule entry.

l disconnect – The system disconnects the connection during the period specified by the schedule entry.

To cancel the schedule settings, use the no ppp schedule command.

Manually Connect/Disconnect the 3G/4G Connection

You can connect or disconnect the 3G/4G connection manually. In any mode, use the following command:
exec dial interface cellular0/0 {connect | disconnect}

l connect – Establishes the 3G/4G connection.

l disconnect – Tears down the 3G/4G connection.

Managing the PIN Code

The PIN (Personal Identification Number) code identifies the user of the SIM card and prevents illegal use of the SIM card.
Managing the PIN code includes the following configurations:

l Enabling/Disabling the PIN code protection

l Automatically verifying the PIN code

l Manually verifying the PIN code

l Modifying the PIN code

l Unlocking the PIN code

Enabling/Disabling the PIN Code Protection

To enable PIN code protection, you must first enter the correct PIN code. After the PIN code is verified, you can use the SIM card. The PIN code consists of 4-8 decimal digits, and you can obtain it from your ISP. To enable or disable PIN code protection, use the following command in any mode:
exec pin verification {enable | disable} pin

l enable – Enables PIN code protection.

l disable – Disables PIN code protection.

l pin – Specifies the PIN code. The PIN code consists of 4-8 decimal digits.

Notes: After three consecutive failed attempts at PIN code, the SIM card will be
locked.



Automatically Verifying the PIN Code

After PIN code protection is enabled, you can save the PIN code in the system so that it is verified automatically after a reboot. To do so, use the following command in the SIM card configuration mode:
pin-verify-cipher pin

l pin – Specifies the PIN code. The PIN code consists of 4-8 decimal digits.

Verify the PIN manually (exec pin verify) before saving it: a wrongly saved PIN fails at every reboot, and each failure counts toward the three consecutive failed attempts after which the SIM card is locked.

Use no pin-verify-cipher to cancel automatic PIN verification.

Manually Verifying the PIN Code

To verify the PIN code manually, use the following command in any mode:
exec pin verify pin

l pin – Specifies the PIN code. The PIN code consists of 4-8 decimal numbers.

Modifying the PIN Code

To modify the PIN code, you must first enter the correct PIN code. After three consecutive
failed attempts at PIN code, the SIM card will be locked. To modify the PIN code, use the fol-
lowing command in any mode:
exec pin modify current-pin new-pin

l current-pin – Specifies the current PIN code. The PIN code consists of 4-8 decimal num-
bers.

l new-pin – Specifies the new PIN code. The PIN code consists of 4-8 decimal numbers.

Unlocking the PIN Code

If the SIM card is locked, obtain the PUK code from the ISP to unlock the SIM card and set a new PIN code. To unlock the SIM card with the PUK code, use the following command in any mode:
exec pin unlock puk new-pin

l puk – Specifies the PUK code.

l new-pin – Specifies the new PIN code. The PIN code consists of 4-8 decimal digits.

Notes: After ten consecutive failed attempts at PUK code, the SIM card will be
invalid.
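The following Python model is an added example, not StoneOS code. It simulates the lockout rules stated in the sections above (three consecutive wrong PINs lock the SIM, ten wrong PUKs make it permanently invalid, a PUK unlock installs a new PIN) so that a script driving the exec pin commands can check its remaining budget before sending another attempt. The state names, the safe_to_try guard and the assumption that a correct PIN resets the consecutive-failure counter are the example's own.

```python
"""Simulation of the SIM PIN/PUK lockout rules from the "Managing the PIN Code"
sections. Added example, not StoneOS code: it models the rules as the guide
states them, not the device's implementation.
"""
import re

PIN_RE = re.compile(r"^[0-9]{4,8}$")   # PIN: 4-8 decimal digits
PIN_ATTEMPTS = 3                        # wrong PINs before the SIM locks
PUK_ATTEMPTS = 10                       # wrong PUKs before the SIM is invalid


class SimCard:
    """States: 'ready' (PIN accepted), 'locked' (PUK needed), 'invalid' (dead)."""

    def __init__(self, pin, puk, protection=True):
        if not PIN_RE.match(pin):
            raise ValueError("PIN must be 4-8 decimal digits")
        self._pin, self._puk = pin, puk
        self.protection = protection          # exec pin verification {enable|disable}
        self.state = "ready"
        self.pin_attempts_left = PIN_ATTEMPTS
        self.puk_attempts_left = PUK_ATTEMPTS
        self.verified = not protection        # no PIN needed when protection is off

    def _check_pin(self, pin):
        """One PIN attempt: 'ok', 'wrong-pin', or the blocking state."""
        if self.state != "ready":
            return self.state                 # 'locked' or 'invalid': PIN not accepted
        if pin == self._pin:
            self.pin_attempts_left = PIN_ATTEMPTS   # assumption: success resets the counter
            return "ok"
        self.pin_attempts_left -= 1
        if self.pin_attempts_left == 0:
            self.state = "locked"
            return "locked"
        return "wrong-pin"

    def verify(self, pin):                    # exec pin verify pin
        if not self.protection:
            return "ok"
        result = self._check_pin(pin)
        if result == "ok":
            self.verified = True
        return result

    def set_protection(self, enable, pin):    # exec pin verification {enable|disable} pin
        result = self._check_pin(pin)
        if result != "ok":
            return result
        self.protection, self.verified = enable, True
        return "ok"

    def modify(self, current_pin, new_pin):   # exec pin modify current-pin new-pin
        if not PIN_RE.match(new_pin):
            return "invalid-new-pin"
        result = self._check_pin(current_pin)
        if result != "ok":
            return result
        self._pin = new_pin
        return "ok"

    def unlock(self, puk, new_pin):           # exec pin unlock puk new-pin
        if self.state == "invalid":
            return "invalid"
        if self.state != "locked":
            return "not-locked"
        if not PIN_RE.match(new_pin):
            return "invalid-new-pin"
        if puk != self._puk:
            self.puk_attempts_left -= 1
            if self.puk_attempts_left == 0:
                self.state = "invalid"        # ten wrong PUKs: SIM card is dead
                return "invalid"
            return "wrong-puk"
        self._pin, self.state = new_pin, "ready"
        self.pin_attempts_left, self.puk_attempts_left = PIN_ATTEMPTS, PUK_ATTEMPTS
        self.verified = True
        return "ok"


def safe_to_try(sim):
    """Guard for scripted PIN entry: never spend the last PIN attempt blindly."""
    return sim.state == "ready" and sim.pin_attempts_left > 1
```

A script that retries exec pin verify after a failure without such a guard turns a typo into a locked SIM in three iterations, and a retry loop around exec pin unlock turns a wrong PUK into a dead card in ten.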

Viewing the 3G/4G Configurations

To view the 3G/4G configurations, use the corresponding show commands in any mode:

l View the 3G/4G data card information and 3G/4G connection configurations: show cellular

l View the corresponding configurations of PPP: show ppp

l View the SIM card information: show sim

3G Configuration Example

This section describes a 3G configuration example.

Requirement

Use a Hillstone device with a 3G data card inserted to access the 3G network by 3G dial-up. The Hillstone device works in routing mode; ethernet0/1 belongs to the trust security zone and the user's PC connects to ethernet0/1.



Configuration Steps

Step 1: Configure the basic 3G parameters (a WCDMA network is used as the example)

hostname(config)# sim
hostname(config-sim)# apn uninet
hostname(config-sim)# exit
hostname(config)# interface cellular0/0
hostname(config-if-cel0/0)# dial *99#
hostname(config-if-cel0/0)# ppp authentication any
hostname(config-if-cel0/0)# ppp user none password none
hostname(config-if-cel0/0)# end
hostname# exec dial interface cellular0/0 connect

Step 2: Configure the policy rule

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config)#

Step 3: Configure the IP address, gateway, and DNS server of the user's PC. The IP address must be in the same subnet as the IP address of ethernet0/1, and the DNS address must be a public DNS server.

LLDP
Network devices are increasingly diverse, and their configurations are correspondingly complicated.
Mutual discovery and the exchange of system and configuration information between devices of
different manufacturers are therefore necessary to facilitate management. LLDP (Link Layer Dis-
covery Protocol) is a neighbor discovery protocol defined in IEEE 802.1AB that provides a dis-
covery method at the link layer. By means of LLDP, the system can quickly learn the topology
of the layer-2 network and its changes, even when the network grows rapidly.
By means of LLDP, the LLDP information of the device, including the device information, sys-
tem name, system description, port description, network management address and so on, is
sent in the form of standard TLV (Type Length Value) multicast messages from the physical port
to the directly-connected neighbor. If the neighbor also enables LLDP, a neighbor relationship
is established between both sides. When the neighbor receives these messages, it stores them
in the form of MIB entries in the SNMP MIB database, so that the network management system
can search and analyze the layer-2 topology of the current network and the problems in it.

LLDP Work Mode
The four work modes of LLDP are listed below:

l txrx: the system transmits and receives LLDP messages.

l tx: the system only transmits LLDP messages.

l rx: the system only receives LLDP messages.

l disable: the system neither transmits nor receives LLDP messages.

Configuring LLDP
Configuring LLDP enables neighbor devices to collect network topology changes.

l Enabling/Disabling global LLDP

l Enabling/Disabling LLDP of port

l Configuring LLDP work mode

l Configuring the initialization delay of port

l Configuring the transmission delay of LLDP messages

l Configuring the transmission interval of LLDP messages

l Configuring TTL multiplier

l Displaying LLDP local information

l Displaying LLDP neighbor information of port

l Displaying LLDP statistical information

l Displaying LLDP status information

Enabling/Disabling Global LLDP

LLDP is enabled only when the "Global LLDP" and the "LLDP of Port" are enabled at the same
time, so the corresponding port can transmit and receive LLDP messages.

l By default, the global LLDP and the LLDP of port are both disabled.

l When the global LLDP is enabled, the LLDP of all the ports of the system will be enabled.

l When the global LLDP is disabled, the LLDP of all the ports of the system will be disabled.

l When the global LLDP is enabled, the user does not have to modify the LLDP configuration of
each port, because the default port configuration enables LLDP.

To enable or disable the global LLDP, in the global configuration mode, use the following com-
mand:

l Enable: lldp global enable

l Disable: lldp global disable

Enabling/Disabling LLDP of Port

Before enabling LLDP of port, in the global configuration mode, use the interface ethernetm/n com-
mand to enter the configuration mode of the port on which LLDP needs to be enabled.
To enable or disable LLDP of port, in the interface configuration mode, use the following com-
mand:

l Enable: lldp enable

l Disable: lldp disable

Notes: Only the physical port of the device supports enabling LLDP. Logical port
does not support this function.

Configuring LLDP Work Mode

The user can configure the work mode of LLDP, specifying whether the port transmits or
receives LLDP messages. By default, the LLDP work mode of a port is txrx (transmits and
receives LLDP messages).
To configure the LLDP work mode of a port, in the interface configuration mode, use the fol-
lowing command:
lldp admin-status {disable | rx | tx | txrx}

l disable: the port neither transmits nor receives LLDP messages.

l rx: the port only receives LLDP messages.

l tx: the port only transmits LLDP messages.

l txrx: the port transmits and receives LLDP messages.

To recover the default LLDP work mode, use the following command:
no lldp admin-status

Configuring the Initialization Delay of Port

When the LLDP work mode of the port changes, the system will operate initialization on the
port. Configuring the initialization delay of the port can avoid continuous initialization of the port
due to frequent changes of the LLDP work mode.
To configure the initialization delay of port, in the global configuration mode, use the following
command:
lldp reinit-delay delay-value

l delay-value - Specifies the initialization delay of port, in seconds. The range is from 1 to 10.

To recover the default initialization delay of port, use the following command:
no lldp reinit-delay

Configuring the Transmission Delay of LLDP Messages

Transmission delay refers to the minimal delay time before the LLDP messages are sent to the
neighbor device when the state of the local device frequently changes.
To configure the transmission delay of LLDP messages, in the global configuration, use the fol-
lowing command:
lldp message-transmission delay delay-value

l delay-value - Specifies the transmission delay of LLDP messages, in seconds. The range is
from 1 to 900.

To recover the default transmission delay of LLDP messages, use the following command:
no lldp message-transmission delay

Configuring the Transmission Interval of LLDP Messages

Transmission interval refers to the period at which LLDP messages are transmitted to the neighbor
device while the state of the local device remains stable.
To configure the transmission interval of LLDP messages, in the global configuration mode, use
the following command:
lldp message-transmission interval interval

l interval - Specifies the transmission interval of LLDP messages, in seconds. The range is from
1 to 3600, and the default value is 30.

To recover the default transmission interval of LLDP messages, use the following command:
no lldp message-transmission interval

Configuring TTL Multiplier

TTL (Time to Live) refers to the living time of the local device information in the neighbor
device.

TTL multiplier is used to adjust the living time of the local device information in the neighbor
device. The computational formula is: TTL = Transmission Interval × TTL Multiplier.
To configure TTL multiplier, in the global configuration mode, use the following command:
lldp message-transmission hold-multiplier hold-multiplier

l hold-multiplier - Specifies the TTL multiplier value. The range is from 1 to 100, and the
default value is 4.

To recover the default TTL multiplier value, use the following command:
no lldp message-transmission hold-multiplier
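The following Python example is added here to show how the timers in this section combine; it is not StoneOS code or any Hillstone software. It derives the TTL advertised to neighbors (transmission interval × TTL multiplier) and models a neighbor table in which an entry is kept until that TTL runs out, so a neighbor that stops sending, or whose LLDP is disabled, stays listed for up to one TTL. Two details come from IEEE 802.1AB rather than from this guide and are assumptions about any particular implementation: the TTL TLV carries a 16-bit value, so the product is clamped to 65535, and a received TTL of 0 is a shutdown notice that removes the entry. Port names, chassis IDs and timestamps are constructed.

```python
"""Constructed model of LLDP TTL derivation and neighbor aging (not StoneOS code)."""

# Value ranges from this section of the guide
RANGES = {
    "reinit_delay": (1, 10),
    "tx_delay": (1, 900),
    "tx_interval": (1, 3600),
    "hold_multiplier": (1, 100),
}
TTL_FIELD_MAX = 65535  # assumption from IEEE 802.1AB: the TTL TLV is a 16-bit field


def check_range(name, value):
    """Raise ValueError if a timer is outside the range the CLI accepts."""
    lo, hi = RANGES[name]
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} outside {lo}..{hi}")
    return value


def lldp_ttl(tx_interval=30, hold_multiplier=4):
    """TTL advertised to neighbors: interval x multiplier, clamped to the 16-bit field."""
    check_range("tx_interval", tx_interval)
    check_range("hold_multiplier", hold_multiplier)
    return min(tx_interval * hold_multiplier, TTL_FIELD_MAX)


class NeighborTable:
    """Neighbor entries expire when no LLDPDU refreshes them within their TTL."""

    def __init__(self):
        self._expiry = {}  # (local port, neighbor chassis id) -> absolute expiry time (s)

    def receive(self, port, chassis_id, ttl, now):
        key = (port, chassis_id)
        if ttl == 0:
            self._expiry.pop(key, None)   # shutdown LLDPDU: forget the neighbor at once
        else:
            self._expiry[key] = now + ttl  # create or refresh the entry

    def neighbors(self, now):
        """Return live (port, chassis id) pairs, dropping entries whose TTL has run out."""
        self._expiry = {k: t for k, t in self._expiry.items() if t > now}
        return sorted(self._expiry)


def demo():
    """Walk through one aging scenario with constructed timestamps (seconds)."""
    ttl = lldp_ttl(30, 4)                                # 120 s with the default timers
    table = NeighborTable()
    table.receive("ethernet0/1", "sw-a", ttl, now=0)
    table.receive("ethernet0/1", "sw-a", ttl, now=30)    # refreshed every interval
    table.receive("ethernet0/2", "sw-b", ttl, now=30)
    live_at_100 = table.neighbors(100)                   # both live; sw-a expires at 150
    table.receive("ethernet0/2", "sw-b", 0, now=101)     # sw-b announces LLDP shutdown
    live_at_101 = table.neighbors(101)                   # only sw-a remains
    live_at_160 = table.neighbors(160)                   # sw-a silent since t=30: aged out
    return ttl, live_at_100, live_at_101, live_at_160


if __name__ == "__main__":
    print(demo())
```

The default timers give a 120 s TTL, so disabling LLDP on a port without the peer seeing a shutdown LLDPDU leaves the local device's system name and management address in the peer's MIB for up to two minutes; a short transmission interval with a small multiplier shortens that window at the cost of more LLDP traffic.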

Displaying LLDP Local Information

To view the LLDP local information, in any mode, use the following command:
show lldp local-information [global | interface-name ]

l global - Displays the LLDP local information to be sent to the neighbor device.

l interface-name - Displays the LLDP local information to be sent from the specified port to
the neighbor device.

Displaying LLDP Neighbor Information of Port

To view the LLDP neighbor information of port, in any mode, use the following command:
show lldp neighbor-information [ interface-name ]

l interface-name - Displays the LLDP information sent from the neighbor device to the local
device and received by the specified port. If this parameter is not specified, the LLDP neigh-
bor information of all the ports will be shown.

Displaying LLDP Statistical Information

To view the LLDP statistical information, in any mode, use the following command:
show lldp statistics [global | interface-name ]

l global - Displays the global statistical information.

l interface-name - Displays the LLDP statistical information of the specified port.

Displaying LLDP Status Information

To view the LLDP status information, in any mode, use the following command:
show lldp status [ interface-name ]

l interface-name - Displays the LLDP status information of the specified port.

Chapter 2 Policy
This section contains the following contents:

l "Security Policy" on Page 314: This section introduces the basic concepts of security
policies, including policy rules, policy groups, web page redirection, and viewing policy rules.

l "Share Access" on Page 352: This section introduces how to configure shared access rules,
configure the shared access signature database, and share access logs.

Security Policy

Overview
Policy is designed to control the traffic forwarding between security zones/segments. By default,
Hillstone devices will deny all traffic between security zones/segments, while the policy can
identify which flow between security zones or segments will be permitted and which will be
denied based on the policy rules.

Basic Elements of Policy Rules


Policy rules permit or deny traffic between security zone(s)/segment(s). The basic elements of
policy rules are service type of the traffic, source and destination address/zone, and action.

l Source zone/address - The source zone/address of the traffic.

l Destination Zone/Address - The destination zone/address of the traffic.

l Service - The service type of the traffic.

l Action - The actions for processing traffic include Permit, Deny, Tunnel, From tunnel and
WebAuth.

Below is a CLI example which permits the ICMP traffic from any address in the trust zone to any
address in the untrust zone to pass through.

hostname(config)# policy-global

hostname(config-policy)# rule from any to any service icmp permit

l Source Address - Any, i.e., any address. It is the default address entry in the address book.

l Destination Address - Any, i.e., any address. It is the default address entry in the address
book.

l Service – ICMP

l Action - Permit, i.e., this kind of traffic is permitted to pass through the device.

Defining a Policy Rule
Generally a policy rule consists of two parts: filtering condition and action. You can set the fil-
tering condition by specifying traffic's source zone/address, destination zone/address, service
type, and role. Each policy rule is labeled with a unique ID which is automatically generated when
the rule is created. You can also specify a policy rule ID at your own choice. All policy rules in
StoneOS are arranged in a specific order. When traffic flows into a Hillstone device, the device
will query for policy rules in the list by turns, and processes the traffic according to the first
matched rule.
The maximum global policy rule numbers may vary from different Hillstone models.

Introduction to Profile
The combination of profiles and security policy allows Hillstone devices to implement
fine-grained control over application layer security policy. A profile defines different operations
for different kinds of applications, which simplifies system configuration. StoneOS supports
nine types of profiles, namely URL filter profile, Web content profile, Web posting profile, email
filter profile, IM control profile, HTTP/FTP control profile, anti-virus profile, IPS profile and
GTP profile. Each profile category can be configured with an action for a specific application.

QoS Tag
StoneOS supports the QoS tag function in policy rules. You can add the QoS tag to a policy rule
that permits the traffic to pass through.

Tip: For more information about QoS, see “QoS" of “Traffic Management”.

Configuring Access Control for a Policy


The combination of an ACL profile and a policy rule allows Hillstone devices to apply access control
to packets matched by a policy, based on fields such as the source/destination MAC address.

Configuring an ACL Profile

The ACL profile needs to be configured in the ACL profile configuration mode. To enter the
ACL profile configuration mode, in the global configuration mode, use the following command:
acl-profile acl-profile-name

l acl-profile-name – Specifies the name of the ACL profile. After executing the command, the
system will create an ACL profile with the specified name and enter the ACL profile con-
figuration mode; if the specified name already exists, the system will directly enter the ACL profile
configuration mode. You can specify up to 64 ACL profiles.

To delete the specified ACL profile, in the global configuration mode, use the command no acl-
profile acl-profile-name.

Configuring an Access Control Rule

To configure an IPv4 access control rule, in the ACL profile configuration mode, use the fol-
lowing command:
sequence id {drop | pass} [both | forward | backward] [src-mac src-mac-address] [dst-mac dst-
mac-address] [dscp dscp-value]

l id – Specifies the ID of the access control rule. The range is 1 to 32.

l drop | pass – Specifies the action for the access control rule, drop or pass.

l both | forward | backward – Specifies the traffic direction of the access control rule.

l src-mac src-mac-address – Specifies the source MAC address of the access control rule.

l dst-mac dst-mac-address – Specifies the destination MAC address of the access control rule.

l dscp dscp-value – Specifies the DSCP value, the range is 0 to 63.

To delete the specified access control rule, in the ACL Profile configuration mode, use the com-
mand no sequence id.

Notes: For more information about configuring access control rules and control
actions for an IPv6 policy, see Access Control for an IPv6 Policy.

Configuring the Default Action

When no access control rule is hit, the system will take the specified default access control action.
To configure the default action, in the ACL Profile configuration mode, use the following com-
mand:
default-action {drop | pass}

l drop | pass – Specifies the default action for the access control rule, drop or pass. If default
action is not specified, the system will adopt Pass.

To restore to the default control action Pass, in the ACL Profile configuration mode, use the com-
mand no default-action.

Viewing ACL Profile Information

To view the ACL profile configuration, in any mode, use the following command:
show acl-profile [acl-profile-name]

l acl-profile-name – Shows the configuration of the specified ACL profile. If this parameter is
not specified, the command shows the configurations of all ACL profiles.

Configuring a Policy Rule


You can configure a policy rule via CLI to control the traffic destined to the device. The con-
figuration includes:

l Switching to the multi-zone mode

l Creating a policy rule

l Editing a policy rule

l Specifying the default action

Entering the Policy Configuration mode

To enter the policy configuration mode, in the global configuration mode, use the following com-
mand:
policy-global

Switching to the Multi-Zone Mode

The system supports switching between the multi-zone mode and the single-zone mode. In the
single-zone mode, one policy supports only one source zone and one destination zone. In the
multi-zone mode, one policy supports multiple zones, so fewer policies need to be configured and
policies are easier to manage. One policy supports up to 16 source/destination zones. By default,
the system applies the single-zone mode. To switch to the multi-zone mode, in the policy
configuration mode, use the following command:
multi-zone-enable
In the policy configuration mode, use the following command to restore to the single-zone mode:
no multi-zone-enable

Notes: You can use this command to restore to the single-zone mode only when
multi-zone policies are not configured in the system. Otherwise, the command fails.

Creating a Policy Rule

To create a policy rule, in the global configuration mode or policy configuration mode, use the fol-
lowing command:
rule [id id] [name name] [top | before {name rule-name | id} | after {name rule-name | id}]
[role {UNKNOWN | role-name} | user aaa-server-name user-name | user-group aaa-server-
name user-group-name] [from {host host-name | range min-ip max-ip | src-addr}] [to {host
host-name | range min-ip max-ip | dst-addr}] [from-zone zone-name to-zone zone-name]
[service service-name] [application app-name] [permit | deny | tunnel tunnel-name | fromtunnel
tunnel-name | webauth | portal-server server-name]

l id id - Specifies the ID of the policy rule. If not specified, the system will automatically assign
an ID to the policy rule. The ID must be unique in the entire system.

l name name – Specifies the name of the policy rule.

l top | before {name rule-name | id} | after {name rule-name | id} - Specifies the location of
the policy rule. By default, the newly-created policy rule is located at the end of all the rules.

l top – Specifies the location of the policy rule at the top of all rules.

l before {name rule-name | id} – Specifies the location of the policy rule before the rule
of the specified ID or name.

l after {name rule-name | id} – Specifies the location of the policy rule after the rule of
the specified ID or name.

l role {UNKNOWN | role-name} | user aaa-server-name user-name | user-group aaa-server-
name user-group-name - Specifies the role/user/user group for the policy rule.

l role {UNKNOWN | role-name} – Specifies the role name. UNKNOWN is the role
reserved by the system, i.e., the role that is neither authenticated nor statically bound.

l user aaa-server-name user-name – Specifies the user. aaa-server-name is the AAA
server the user belongs to, and user-name is the name of the user.

l user-group aaa-server-name user-group-name – Specifies the user group. aaa-server-
name is the AAA server the user group belongs to, and user-group-name is the name of
the user group.

l from {host host-name | range min-ip max-ip | src-addr } – Specifies the source address of
the policy rule.

l host host-name - The source address entry for the host defined in the address book.

l range min-ip max-ip – The source address entry for the IP addresses defined in the
address book.

l src-addr – The address entry defined in the address book.

l to {host host-name | range min-ip max-ip | dst-addr } – Specifies the destination address
of the policy rule.

l host host-name – The destination address entry for the host defined in the address
book.

l range min-ip max-ip – The destination entry for the IP addresses defined in the
address book.

l dst-addr - The address entry defined in the address book.

l from-zone zone-name – Specifies the source zone of the policy rule.

l to-zone zone-name - Specifies the destination zone of the policy rule.

l service service-name - Specifies the service name of the policy rule. service-name is the ser-
vice defined in the service book.

l application app-name – Specifies the application name for the policy rule. app-name is the
application name you defined in the application book.

l permit | deny | tunnel tunnel-name | fromtunnel tunnel-name | webauth - Specifies the
action of the policy rule, including:

l permit - Permits the traffic to pass through.

l deny - Denies the traffic.

l tunnel - For the traffic from local to a peer, this option allows the traffic to pass through
the VPN tunnel.

l fromtunnel - For the traffic from a peer to local, if this action is selected, StoneOS will
first determine if the traffic originates from a tunnel. Only such traffic will be per-
mitted.

l webauth - Performs Web authentication on the matched traffic.

After switching to the multi-zone mode, repeat the above commands to add more source/des-
tination zones. Each policy supports up to 16 source/destination zones. If Any zone is con-
figured, you cannot configure other zones at the same time.
For example, to create a policy rule that permits ICMP service from any address to any address,
use the following commands:

hostname(config)# policy-global
hostname(config-policy)# rule from any to any service icmp permit
Rule id 5 is created.

To delete the policy rule, in the global configuration mode or policy configuration mode, use the
following command:
no rule {id id | name name}

l id id – Deletes the policy rule of the specified ID.

l name name - Deletes the policy rule of the specified name.

Tip: For information about how to configure parameters of a policy rule,
see "Editing a Policy Rule".

Editing a Policy Rule

You can edit improper parameters for the policy rule in the policy rule configuration mode. To
enter the policy rule configuration mode, in the global configuration or policy configuration mode,
use the following command:
rule [id id] [top | before {name name | id} | after {name name | id}]

After entering the policy rule configuration mode, to edit the policy rule, use the following com-
mands:

l Name/rename a policy rule: name policy-name

l In the single-zone mode, use the following commands to specify/edit/delete zones:

l To specify/edit a source security zone: src-zone src-zone

l To delete a source security zone: no src-zone (when this command is executed, there is
no source zone in the policy)

l To specify/edit a destination security zone: dst-zone dst-zone

l To delete a destination security zone: no dst-zone (when this command is executed,
there is no destination zone in the policy)

l In the multi-zone mode, use the following commands to specify/edit/delete zones:

l To specify/edit a source zone: src-zone src-zone (in the multi-zone configuration
mode, when the source zone is not Any, repeat this command to configure up to 16
zones.)

l To delete a source zone: no src-zone [src-zone] (by repeating this command, you can
delete specific zones one by one. If no zone is specified, this command deletes all
zones. In this case, there is no source zone in the policy.)

l To specify/edit a destination zone: dst-zone dst-zone (in the multi-zone configuration
mode, when the destination zone is not Any, repeat this command to configure up
to 16 zones.)

l To delete a destination zone: no dst-zone [dst-zone] (by repeating this command, you
can delete specific zones one by one. If no zone is specified, this command
deletes all zones. In this case, there is no destination zone in the policy.)

l Add the source address of the address entry type: src-addr src-addr

l Delete the source address of the address entry type: no src-addr src-addr

l Add the source address of the IP member type: src-ip ip/netmask

l Delete the source address of the IP member type: no src-ip ip/netmask

l Add the source address of the host member type: src-host host-name

l Delete the source address of the host member type: no src-host host-name

l Add the source address of the IP range type: src-range min-ip [max-ip]

l Delete the source address of the IP range type: no src-range min-ip [max-ip]

l Add the destination address of the address entry type: dst-addr dst-addr

l Delete the destination address of the address entry type: no dst-addr dst-addr

l Add the destination address of the IP member type: dst-ip {ip/netmask | ip-address
netmask }

l Delete the destination address of the IP member type: no dst-ip {ip/netmask | ip-address net-
mask }

l Add the destination address of the host member type: dst-host host-name

l Delete the destination address of the host member type: no dst-host host-name

l Add the destination address of the IP range type: dst-range min-ip [max-ip]

l Delete the destination address of the IP range type: no dst-range min-ip [max-ip]

l Add the service type: service service-name

l Delete the service type: no service service-name

l Add / Delete the service rule: The service rule includes the protocol type and port number of
the service. You can configure the service rule of the policy according to the required
protocol and port number. For adding / deleting the service rule, refer to Configuring the Ser-
vice Rule.

l Add the application type: application application-name

l Delete the application type: no application application-name

l Specify the role: role {UNKNOWN | role-name}

l Delete the role: no role {UNKNOWN | role-name}

l Specify the user: user aaa-server-name user-name

l Delete the user: no user aaa-server-name user-name

l Specify the user group: user-group aaa-server-name user-group-name

l Delete the user group: no user-group aaa-server-name user-group-name

l Edit the action: action {permit | deny | tunnel | fromtunnel | webauth}

l Configure the VLAN ID: vlan-id vlan-id

l Delete the VLAN ID: no vlan-id vlan-id

l Configure the schedule: schedule schedule-name

l Delete the schedule: no schedule schedule-name

Tip: By default, the configured policy rule will take effect immediately. If you
apply a schedule to the policy rule, the rule will only take effect in the specified
time defined in the schedule. You can configure up to 8 schedules for a policy
rule, and the effective time of the policy rule is the sum of all time configured in
the schedules.

l Add the description: description description (the length of the description is 1 to 255 bytes)

l Delete the description: no description description

l Edit the QoS tag of the rule: policy-qos-tag tag (the value range of tag is 1 to 1024)

l Delete the QoS tag of the rule: no policy-qos-tag tag

l Bind the anti-virus profile: av {av-profile-name | no-av} (no-av indicates binding the pre-
defined Anti-Virus Profile named no-av, i.e., no Anti-Virus detection.)

l Cancel the anti-virus profile binding: no av

l Bind the IPS profile: ips {ips-profile-name | no-ips} (no-ips indicates binding the predefined
IPS Profile named no-ips, i.e., no IPS detection.)

l Cancel the IPS profile binding: no ips

l Bind the HTTP/FTP control profile: behavior {behavior-profile-name | no-behavior} (no-
behavior indicates binding the predefined HTTP/FTP control profile named no-behavior,
i.e., no HTTP/FTP control.)

l Cancel the HTTP/FTP control profile binding: no behavior

l Bind the Web content profile: contentfilter {contentfilter-profile-name | no-contentfilter}
(no-contentfilter indicates binding the predefined Web content profile named no-con-
tentfilter, i.e., no Web content filter.)

l Cancel the Web content profile binding: no contentfilter

l Bind the Email filter profile: mail {mail-profile-name | no-mail} (no-mail indicates binding
the predefined Email filter profile named no-mail, i.e., no Email filter.)

l Cancel the Email filter profile binding: no mail

l Bind the IM control profile: im {im-profile-name | no-im} (no-im indicates binding the pre-
defined IM control profile named no-im, i.e., no IM control.)

l Cancel the IM control profile binding: no im

l Bind the Web posting profile: webpost {webpost-profile-name | no-webpost} (no-webpost
indicates that you bind the predefined profile no-webpost to the policy rule and the system
will not check the Web posting information.)

l Cancel the Web posting profile binding: no webpost

l Bind the URL filter profile: url {url-profile-name | no-url} (no-url indicates that you bind
the predefined profile no-url to the policy rule and the system will not check and filter the
URLs.)

l Cancel the URL filter profile binding: no url

l Bind the GTP profile: gtp-profile profile-name

l Cancel the GTP profile binding: no gtp-profile

l Bind the ACL profile: acl acl-profile-name

l Cancel the ACL profile binding: no acl

Enabling/Disabling a Policy Rule

By default, the configured policy rule will take effect immediately. You can terminate its control
over the traffic by disabling the rule. To enable or disable the policy rule, in the policy rule con-
figuration mode, use the following commands:

l Disable: disable

l Enable: enable

Log Management of Policy Rules

l For the policy rules of action Permit, logs will be generated when the matched traffic session
starts and ends.

l For the policy rules of action Deny, logs will be generated when the matched traffic is denied.

Before using this function, make sure the log function for the traffic is enabled. In the global con-
figuration mode, use the command logging traffic on. To configure the log management of policy
rules, in the policy rule configuration mode, use the following command:
log {policy-deny | session-start | session-end}

l policy-deny - Generates logs when the matched traffic is denied. This parameter is applicable
to the policy rules of action Deny.

l session-start - Generates logs when the matched traffic starts its session. This parameter is
applicable to the policy rules of action Permit.

l session-end - Generates logs when the matched traffic ends its session. This parameter is
applicable to the policy rules of action Permit.

To cancel the log management configuration, in the policy rule configuration mode, use the com-
mand no log {policy-deny | session-start | session-end}.
In addition, for the traffic from the source security zone to the destination security zone that is
not matched to any policy rule, you can specify whether to generate logs. By default, the system
does not generate log for such kind of traffic. To generate log for such traffic, in the global policy
configuration mode, use the following command:
log policy-default

To restore to the default value, in the global policy configuration mode, use the following com-
mand:
no log policy-default

Configuring the Service Rule

When configuring the service rule of a policy rule, you can add a predefined or user-defined ser-
vice that has been configured in the service book. When the required service does not exist in
the service book, the administrator can specify the protocol type and port number of the service
directly by configuring service rules, which simplifies the configuration of the policy.
To add a service rule of TCP or UDP type, in the policy configuration mode, use the following
command:
service-rule {tcp | udp} dst-port min-port [max-port] [src-port min-port [max-port]]

l tcp | udp - Specifies the protocol type of the service rule: TCP or UDP.

l dst-port min-port [max-port] – Specifies the destination port number of the service rule. If
the destination port number is a range, then min-port is the minimum destination port
number and max-port is the maximum destination port number. If max-port is not configured,
the system will use min-port as the single destination port number. The value range is 0 to 65535.

l src-port min-port [max-port] – Specifies the source port number of the service rule. If the
source port number is a range, then min-port is the minimum source port number
and max-port is the maximum source port number. If max-port is not configured, the system will
use min-port as the single source port number. The value range is 0 to 65535.

To add a service rule of ICMP type, in the policy configuration mode, use the following com-
mand:
service-rule icmp type type-value [code min-code [max-code]]

l type-value – Specifies the ICMP type value of the user-defined service. The value range is 0
(Echo-Reply), 3 (Destination-Unreachable), 4 (Source Quench), 5 (Redirect), 8
(Echo), 11 (Time Exceeded), 12 (Parameter Problem), 13 (Timestamp), 14
(Timestamp Reply), 15 (Information Request), 16 (Information Reply), 17
(Address Mask Request), 18 (Address Mask Reply), 30 (Traceroute), 31 (Datagram
Conversion Error), 32 (Mobile Host Redirect), 33 (IPv6 Where-Are-You), 34 (IPv6
I-Am-Here), 35 (Mobile Registration Request), 36 (Mobile Registration Reply).

l code min-code [max-code] – Specifies the ICMP code value for the user-defined service. If
the ICMP code is a range, then min-code is the minimum code and max-code is the
maximum code. If max-code is not configured, the system will use min-code as the single code.
The value range is 0 to 15.

To add a service rule of ICMPv6 type, in the policy configuration mode, use the following com-
mand:
service-rule icmpv6 type type-value [code min-code [max-code]]

l type-value – Specifies the ICMPv6 type value. For more information about the value range,
see Appendix 1: ICMPv6 Type and Code.

l code min-code [max-code] – Specifies the ICMPv6 code value for the user-defined service.
If the ICMPv6 code is a number range, then min-code is the minimum code, and max-code is
the maximum code. If max-code is not configured, system will use min-code as the single code.
The value range is 0 to 255.

To add a service rule of SCTP type, in the policy configuration mode, use the following com-
mand:
service-rule sctp dst-port min-port [max-port] [src-port min-port [max-port]]

l dst-port min-port [max-port] – Specifies the destination port number of the service rule. If
the destination port number is a number range, then min-port is the minimum destination port
number, and max-port is the maximum destination port number. If max-port is not configured,
system will use min-port as the single destination port number. The value range is 0 to 65535.

l src-port min-port [max-port] – Specifies the source port number of the service rule. If the
source port number is a number range, then min-port is the minimum source port number,
and max-port is the maximum source port number. If max-port is not configured, system will
use min-port as the single source port number. The value range is 0 to 65535.

To add a service entry of other types, in the policy configuration mode, use the following com-
mand:
service-rule protocol protocol-number

l protocol-number – Specifies the protocol number of the service rule. The value range is 1 to
255.

To delete the specified service rule, use one of the following commands.

l no service-rule {tcp | udp} dst-port min-port [max-port] [src-port min-port [max-port]]

l no service-rule icmp type type-value [code min-code [max-code]]

l no service-rule icmpv6 type type-value [code min-code [max-code]]

l no service-rule sctp dst-port min-port [max-port] [src-port min-port [max-port]]

l no service-rule protocol protocol-number

Specifying the Default Action

You can specify the default action for the traffic that is not matched to any configured policy rule.
StoneOS will process the traffic according to the specified default action. By default StoneOS will
deny such traffic. To specify the default action as Permit, in the global policy configuration mode,
use the following command:
default-action permit

To restore to the default action of Deny, in the global policy configuration mode, use the fol-
lowing command:
no default-action permit

Moving a Policy Rule

Each policy rule is labeled with a unique ID and name. When traffic flows into a Hillstone device,
the device queries the policy rules in turn and processes the traffic according to the first matched
rule. However, the policy rule ID is not related to the matching sequence during the query. The
sequence displayed by the command show policy is the query sequence for policy rules (in
descending order). You can also specify the position of a policy rule when creating it, or modify
the position of the policy rule in the policy configuration mode. The rule position can be an
absolute position, i.e., at the top or bottom, or a relative position, i.e., before or after an ID or a
name. To move a policy rule, in the policy rule configuration mode, use the following command:
move {name name | id} {top | bottom | before {name rule-name | id} | after {name rule-name | id}}

l name name | id – Specifies the policy rule ID or name that you want to move.

l top – Moves the policy rule to the top of all rules.

l before {name rule-name | id} – Moves the policy rule before the rule of the specified ID or
name.

l after {name rule-name | id} – Moves the policy rule after the rule of the specified ID or name.

Viewing Resource Usage in Policy Rules

To view the resource usage of the source address, destination address, and service in policy rules,
that is, to view the proportion of the number of source address, destination address, and service
configured in policy rules to the total available number, in any mode, use the following command:

show policy resource

For example:

hostname(config)# show policy resource

Resource usage:
address: 2%(10000 of 480000; src-addr usage: 5000; dst-addr usage: 5000; current available:
470000)
service: 4%(10000 of 240000; current available: 230000)
In the above case, there are 5000 configured source addresses and 5000 configured destination
addresses in the policy rules. The configured source and destination addresses account for 2% of
the total number of configurable addresses in the system, and the number of remaining available
addresses in the system is 470000. The number of configured services in the policy rules is 1000,
accounting for 4% of the total number of configurable services in the system.

Rule Redundancy Check

To ensure that the rules in a policy are effective, the system provides a method to check for
conflicts among the rules in a policy. With this method, administrators can check whether rules
overshadow each other.
In any mode, use the following command to start the redundancy check:
exec policy redundancy-check start

The check lasts a few minutes; please wait. After the check, you can use the show policy
redundancy-check command to view the IDs of the policy rules that are overshadowed.
You can also use the exec policy redundancy-check stop command to stop the check, or use the
exec policy redundancy-check clear command to clear the cached results of the last redundancy check.

Configuring Policy Audit Function

The system supports the policy audit function. When you create or modify a policy rule or
aggregate policy, you can use this function to add policy audit comments to the policy rule/aggregate
policy so that you can understand the reasons for and the history of changes to the policy rule.

Enabling/Disabling the Policy Audit Function

By default, the policy audit function is disabled. To enable this function, in the global con-
figuration mode, use the following command:
audit-comment-enable
To disable this function, in the global policy configuration mode, use the following command:
no audit-comment-enable

Adding the Audit Comment

To add policy audit comments to the policy rule, in any mode, use the following command:

332 Chapter 2 Policy


audit-comment rule id id comment comment

l rule id id - Specifies the ID of the policy rule to which the audit comment is added.

l comment comment - Specifies the audit comment content. The range is 1-255 characters.

Viewing Policy Audit Enabled Status

To view the policy audit function enabled status, in any mode, use the following command:
show audit-comment-status

Notes:
l Policy audit comment is optional. When you create or modify the policy rule,
you can add policy audit comments to policy rules according to requirements.

l The audit history information of policy rules can only be viewed via WebUI. Please
refer to StoneOS_WebUI_User_Guide.

Policy Group

You can organize some policy rules together to form a policy group, and configure the policy
group directly.

Configuring Policy Group

You can perform the following operations on a policy group through CLI:

l Creating/Deleting a policy group

l Enabling/Disabling a policy group

l Modifying/Deleting the Descriptions of a policy group

l Adding/Deleting a policy rule member

l Renaming a Policy Group

l Configuring a policy group for VSYS Profile

Creating/Deleting a Policy Group

To create a policy group, in the global configuration mode, use the following command:
policy-group group-name

l group-name – Specifies the name of the policy group. The length is 1 to 95 characters.

After executing this command, the CLI will enter the policy group configuration mode.
To delete a policy group, in the global configuration mode, use the following command:
no policy-group group-name

Enabling/Disabling a Policy Group

Policy group is enabled by default. To disable or enable the policy group, in the policy group con-
figuration mode, use the following command:

l Enable: enable

l Disable: disable

Notes:
l After disabling or enabling the policy group, the enabled status of the policy rules in
the policy group is modified at the same time.

l Policy rules cannot be disabled or enabled when they are referenced.

Modifying/Deleting the Descriptions of a policy group

In the policy group configuration mode, use the following command to modify the description of
a policy group.

334 Chapter 2 Policy


description description

l description – Specifies the new description. You can enter at most 255 characters.

In the policy group configuration mode, use the following command to delete the description of a
policy group.
no description

Adding/Deleting a Policy Rule Member

To add a policy rule member to the policy group, in the policy group configuration mode, use the
following command:
rule id

l id – Specifies the policy rule ID.

To delete a policy rule member from the policy group, in the policy group configuration mode, use
the following command:
no rule id

Notes: A policy rule can only be added to one policy group.

Renaming a Policy Group

To rename a policy group entry, in the global configuration mode, use the following command:
rename policy-group old-name new-name

l old-name – Specifies the old name for the policy group.

l new-name – Specifies the new name for the policy group.

Configuring a policy group for VSYS Profile

To configure a policy group for VSYS Profile, in the VSYS Profile configuration mode, use the fol-
lowing command:

policy-group max max-num reserve reserve-num

l max max-num reserve reserve-num – Specifies the maximum quota (max-num) and the
reserved quota (reserve-num) of policy groups in the VSYS. The reserved quota and maximum
quota vary among platforms. The reserved quota should not exceed the maximum quota.

Viewing Policy Group Information

To view the policy group information, in any mode, use the following command:
show policy-group [name]

l name – Specifies the name of policy group for viewing the information.

User Online Notification

The user online notification function redirects your HTTP request to a new notification page
when you visit the Internet for the first time. In the process, a prompt page (see the picture below)
will be shown first, and after you click Continue on this page, the system will redirect you to the
specified notification page. If you want to visit your original URL, you need to type the URL address
in your Web browser.

To configure the user online notification function, take the following steps:

1. Enable WebAuth.

2. Create a policy rule to specify the traffic that will be redirected and the network resources
accessible to the traffic.

3. Configure the notification page URL for the controlled traffic.

336 Chapter 2 Policy


Notes: To make the user online notification function take effect, the action for the
policy rule must be Permit.

Configuring the User Online Notification URL

To configure the user online notification URL, in the policy rule configuration mode, use the fol-
lowing command:
web-redirect [url]

l url – Specifies the user online notification URL. The length is 1 to 127 characters. The URL
format should be http://www.abc.com or https://www.abc.com. If the parameter is not spe-
cified, the webpage will be redirected to the URL originally specified by the user.

To cancel the user online notification URL, in the policy rule configuration mode, use the fol-
lowing command:
no web-redirect

Notes: For more information about how to enter the policy rule configuration
mode, see Entering the Policy Configuration Mode.

Configuring the Idle Time

The idle time refers to the time that a user keeps online without traffic transmitting. If an HTTP
request exceeds the idle time, it will be redirected to the user online notification page again. To
configure the idle time, in the global configuration mode, use the following command:
web-redirect idle-time time-value

l time-value – Specifies the idle time. The value range is 3 to 1440 minutes. The default value
is 30.

To restore to the default idle time, in the global configuration mode, use the following command:
no web-redirect idle-time

Customizing the Logo Picture

You can change the logo picture and customize your own user online notification page. To import
the logo picture, you need to zip the picture first, and then in the execution mode, use the following
command:
import customize web redirect from {ftp server ip-address [vrouter vrouter-name] [user user-name
password password] | tftp server ip-address [vrouter vrouter-name]} file-name

l ftp server ip-address [user user-name password password [vrouter vrouter-name]] - Obtains
the logo picture from the FTP server, and specifies the IP address, VRouter, username and
password of the server. If no username and password are specified, you will log into the server
anonymously.

l tftp server ip-address [vrouter vrouter-name] - Obtains the logo picture from the TFTP server,
and specifies the IP address and VRouter of the TFTP server.

l file-name - Specifies the name of the zip file.

Notes: The uploaded zip file should include the “logo.jpg” file.

To restore to the default logo picture, in any mode, use the following command:
exec customize web redirect default

Viewing Online Notification Users

To view the detailed information of online notification users, in any mode, use the following com-
mand:
show web-redirect-user

Viewing Policy Rule Information

You can view the detailed information of all policy rules or of a specified policy rule. You can also
view the detailed information of the policies matching five-tuple filtering conditions (source IP
address, destination IP address, protocol, source port and destination port).

338 Chapter 2 Policy


To view the detailed information of the policy rules, in any mode, use the following command:
show policy [id id] [from src-zone] [to dst-zone] [src-addr src-addr] [dst-addr dst-addr] [protocol |
service service-name] [application application-name] [description description] [name name]
[name-filter filter-name]

l id id - Shows the detailed information of the specified policy rule.

l from src-zone - Shows the detailed information of the policy rule whose source security zone
is the specified zone.

l to dst-zone - Shows the detailed information of the policy rule whose destination security
zone is the specified zone.

l src-addr src-addr – Shows the detailed information of the specified source address of the IP
range type.

l dst-addr dst-addr – Shows the detailed information of the specified destination address of
the address entry type.

l protocol | service service-name - Shows the detailed information of the specified protocol
(protocol) or service (service service-name).

l service service-name – Shows the detailed information of the specified service type.

l application application-name – Shows the detailed information of the specified application
type.

l description description – Shows the detailed information of the rule with the specified description.

l name name –Shows the detailed information of the specified name rule.

l name-filter filter-name –Shows the detailed information of all rules whose name includes the
specified keyword.

To view the policy rules corresponding to TCP or UDP protocol types, in any mode, use the fol-
lowing command:

show policy protocol {tcp | udp} [dst-port {port-number | range min-port max-port}] [ src-port
{port-number | range min-port max-port} ]

l tcp | udp – Shows the detailed information of the policy rule with the protocol type of TCP
or UDP.

l dst-port {port-number | range min-port max-port} – Shows the detailed information of the
specified destination port. port-number is a single destination port number. If the destination
port number is in a range, min-port is the minimum destination port number, max-port is the
maximum destination port number, and the range is 0 to 65535.

l src-port {port-number | range min-port max-port} - Shows the detailed information of the
specified source port. port-number is a single source port number. If the source port number is in
a range, min-port is the minimum source port number, max-port is the maximum source port
number, and the range is 0 to 65535.

Notes: min-port must be less than or equal to max-port. When min-port is equal to
max-port, it means that a single port number is specified.

To view the policy rules corresponding to ICMP or ICMPv6 protocol types, in any mode, use the
following command:
show policy protocol {icmp | icmpv6} [type type-number [code {code-number | range min-code
max-code}]]

l icmp | icmpv6 – Shows the detailed information of the policy rule with the protocol type of
ICMP or ICMPv6.

l type type-number – Shows the detailed information of the policy rule with the specified
ICMP type or ICMPv6 type.

l code {code-number | range min-code max-code} - Shows the detailed information of the
policy rule with the specified ICMP code or ICMPv6 code. code-number is a single code. If
the code is in a range, min-code is the minimum code and max-code is the maximum code. The
code value of the ICMP protocol type ranges from 0 to 15, and that of the ICMPv6 protocol type
ranges from 0 to 255.

Notes: min-code must be less than or equal to max-code. When min-code is equal to
max-code, it means that a single code is specified.

To view the policy rules corresponding to the SCTP protocol type, in any mode, use the following
command:
show policy protocol sctp [dst-port {port-number | range min-port max-port}] [src-port {port-
number | range min-port max-port}]

l dst-port {port-number | range min-port max-port} – Shows the detailed information of the
specified destination port. port-number is a single destination port number. If the destination
port number is in a range, min-port is the minimum destination port number, max-port is the
maximum destination port number, and the range is 0 to 65535.

l src-port {port-number | range min-port max-port} - Shows the detailed information of the
specified source port. port-number is a single source port number. If the source port number is in
a range, min-port is the minimum source port number, max-port is the maximum source port
number, and the range is 0 to 65535.

Notes: min-port must be less than or equal to max-port. When min-port is equal to
max-port, it means that a single port number is specified.

To view the policy rules corresponding to other specified protocol types, in any mode, use the fol-
lowing command:
show policy protocol protocol-number

l protocol-number – Shows the detailed information of the policy rule with the specified pro-
tocol number. The protocol number is from 1 to 255.

Viewing the current policy configuration information of the device

To view the current policy configuration information of the device, in any mode, use the fol-
lowing command:
show configuration policy [name name | id id | by-line]

l name name – Shows the policy configuration information of the specified policy name in a
single line.

l id id – Shows the policy configuration information of the specified policy ID in a single line.

l by-line – Shows all the policy configuration information in a single line.

Policy Hit Count

StoneOS supports statistics on policy hit counts, i.e., it counts how many times the traffic
matches a policy rule. Each time the inbound traffic matches a certain policy rule, the hit count
will increment by one automatically. To view the policy hit count statistics, in any mode, use the
following command:
show policy hit-count [id id | name name | [from src-zone] [to dst-zone] top {10 | 20 | 50 |
all}]

l id id - Shows the policy hit count statistics of the specified ID rule.

l name name – Shows the policy hit count statistics of the specified name rule.

l from src-zone - Shows the policy hit count statistics of the rule whose source security zone is
the specified zone.

l top {10 | 20 | 50 | all} - Shows the policy hit count statistics of the top 10, 20, or 50 matched
rules, or shows the policy hit count statistics of all policy rules in descending order.

Examples:

Show the policy hit count statistics of all matched rules.
hostname(config)# show policy hit-count

Most hit policy rules:

==============================================================================

No. Id Src-zone Dst-zone Src-addr Dst-addr Service Applica~ Action Hit-count

------------------------------------------------------------------------------

1 14 trust trust Any Any Any PERMIT 0

2 4 untrust trust Any Any Any PERMIT 1

3 3 trust untrust Any Any Any PERMIT 761697

4 1 Any Any Any Any Any PERMIT 64203455

==============================================================================

Show the policy hit count statistics of the specified ID rule.
hostname(config)# show policy hit-count id 1

Policy id 1 is hit 342424 times

Show the policy hit count statistics of the specified name rule.
SG-6000(config)# show policy hit-count name a

Policy "a" is hit 0 times

Show the policy hit count statistics of the top 10 matched rules.
hostname(config)# show policy hit-count top 10

Most hit policy rules:

=====================================================================

No. Id Src-zone Dst-zone Src-addr Dst-addr Service Action Hit-count

---------------------------------------------------------------------

1 4 trust trust any any http permit 40029

2 6 zone2 untrust addr1 any any deny 7487

3 3 zone2 untrust s1 d1 ftp permit 3834

4 29 trust untrust any any any permit 2899

5 14 zone1 zone2 s2 any pop3 permit 2046

Show the policy hit count statistics of all policy rules in descending order.
hostname(config)# show policy hit-count top all

Most hit policy rules:

==============================================================================

No. Id Src-zone Dst-zone Src-addr Dst-addr Service Applica~ Action Hit-count

------------------------------------------------------------------------------

1 1 Any Any Any Any Any PERMIT 64212319

2 3 trust untrust Any Any Any PERMIT 762070

3 4 untrust trust Any Any Any PERMIT 1

4 14 trust trust Any Any Any PERMIT 0

==============================================================================

To clear the policy hit count statistics, in any mode, use the following command:
clear policy hit-count {all | id id | name name}

l all - Clears the policy hit count statistics of all the rules.

l id id - Clears the policy hit count statistics of the specified ID rule.

l name name – Clears the policy hit count statistics of the specified name rule.

To clear the policy hit count statistics of the default action, in any mode, use the following com-
mand:

344 Chapter 2 Policy


clear policy hit-count default-action
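
The service rules, default action, rule ordering (move), redundancy check and hit counts described above, modelled in a small Python example added here; it is not StoneOS code, and ServiceRule, PolicyRule, Policy, cli_range and the packet dictionaries are invented names. Service rules of the bare protocol-number type and address objects are left out; zones are plain strings with "any" as the wildcard.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Added illustration, not StoneOS code; every class and function name here is invented.
Range = Tuple[int, int]  # inclusive (min, max); a single value is (v, v)

def cli_range(lo: int, hi: Optional[int], limit: int) -> Range:
    hi = lo if hi is None else hi  # as in the CLI: an omitted max means min is the single value
    if not 0 <= lo <= hi <= limit:
        raise ValueError(f"range {lo}-{hi} is reversed or outside 0-{limit}")
    return (lo, hi)

def covers(outer: Range, inner: Range) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def in_range(r: Range, v: int) -> bool:
    return r[0] <= v <= r[1]

@dataclass(frozen=True)
class ServiceRule:
    proto: str  # "tcp", "udp", "sctp" (port ranges) or "icmp", "icmpv6" (type plus code range)
    dst_port: Range = (0, 65535)
    src_port: Range = (0, 65535)
    icmp_type: Optional[int] = None
    icmp_code: Range = (0, 255)  # any code unless narrowed with "code min-code [max-code]"

    def matches(self, pkt: dict) -> bool:
        """pkt keys: proto (name) plus dst_port/src_port or icmp_type/icmp_code."""
        if pkt["proto"] != self.proto:
            return False
        if self.proto in ("icmp", "icmpv6"):
            return pkt["icmp_type"] == self.icmp_type and in_range(self.icmp_code, pkt["icmp_code"])
        return in_range(self.dst_port, pkt["dst_port"]) and in_range(self.src_port, pkt["src_port"])

    def covers(self, other: "ServiceRule") -> bool:
        """True when every packet `other` can match is also matched by self."""
        if self.proto != other.proto:
            return False
        if self.proto in ("icmp", "icmpv6"):
            return self.icmp_type == other.icmp_type and covers(self.icmp_code, other.icmp_code)
        return covers(self.dst_port, other.dst_port) and covers(self.src_port, other.src_port)

@dataclass
class PolicyRule:
    id: int
    name: str
    src_zone: str  # zone name or "any"
    dst_zone: str
    services: List[ServiceRule]
    action: str  # "permit" or "deny"
    hits: int = 0

    def zones_cover(self, src: str, dst: str) -> bool:
        return self.src_zone in ("any", src) and self.dst_zone in ("any", dst)

    def matches(self, pkt: dict) -> bool:
        return (self.zones_cover(pkt["src_zone"], pkt["dst_zone"])
                and any(s.matches(pkt) for s in self.services))

    def covers(self, other: "PolicyRule") -> bool:
        return (self.zones_cover(other.src_zone, other.dst_zone)
                and all(any(a.covers(b) for a in self.services) for b in other.services))

class Policy:
    def __init__(self, default_action: str = "deny"):
        self.rules: List[PolicyRule] = []  # match order is list order (as show policy prints), not rule ID
        self.default_action, self.default_hits = default_action, 0

    def move(self, rule_id: int, where: str, ref_id: Optional[int] = None) -> None:
        rule = self.rules.pop([r.id for r in self.rules].index(rule_id))
        pos = 0 if where == "top" else len(self.rules)  # absolute position: top or bottom
        if where in ("before", "after"):  # relative to another rule; IDs never change
            pos = [r.id for r in self.rules].index(ref_id) + int(where == "after")
        self.rules.insert(pos, rule)

    def lookup(self, pkt: dict) -> Tuple[str, Optional[int]]:
        for rule in self.rules:  # first match wins and takes the hit
            if rule.matches(pkt):
                rule.hits += 1
                return rule.action, rule.id
        self.default_hits += 1  # no rule matched: the default action (deny unless changed) applies
        return self.default_action, None

    def redundancy_check(self) -> Dict[int, int]:
        shadowed: Dict[int, int] = {}  # overshadowed rule ID -> earlier rule ID that fully covers it
        for i, later in enumerate(self.rules):
            earlier = next((e for e in self.rules[:i] if e.covers(later)), None)
            if earlier is not None:
                shadowed[later.id] = earlier.id
        return shadowed

def demo() -> Policy:
    # constructed sample: rule 3 (tcp/443) sits below rule 14 (all tcp) and can never be hit
    https = ServiceRule("tcp", dst_port=cli_range(443, None, 65535))
    ping = ServiceRule("icmp", icmp_type=8, icmp_code=cli_range(0, None, 15))
    p = Policy()
    p.rules.append(PolicyRule(14, "all-tcp", "trust", "untrust", [ServiceRule("tcp")], "permit"))
    p.rules.append(PolicyRule(3, "https-out", "trust", "untrust", [https], "permit"))
    p.rules.append(PolicyRule(7, "ping", "trust", "untrust", [ping], "permit"))
    return p
```

With demo(), redundancy_check() returns {3: 14}; after move(3, "before", 14) the same tcp/443 packet is matched by rule 3 instead of rule 14 and the check reports nothing.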

Configuring the Policy Assistant

The policy assistant can help users generate targeted policies more quickly and accurately. With
this function, the system can analyze the traffic of a specified policy ID, generate services on the
basis of the traffic, optimize the traffic by setting replacement conditions and aggregation conditions,
and then generate the target policies.

Enabling/Disabling the Policy Assistant

Before configuring policy assistant related function, please enable the function first. To enable the
policy assistant, in the policy configuration mode, use the following command:
assistant enable

Notes: For the root VSYS, at most 4 policies are allowed to enable the policy assist-
ant function, while for the non-root VSYS, only 1 policy can enable the function.

To disable the policy assistant, in the policy configuration mode, use the following command:
assistant disable

Example:

hostname(config)# policy-global

hostname(config-policy)# rule id 2

hostname(config-policy-rule)# assistant enable

Viewing the Policy of the Policy Assistant Enabled

To view the policy of the policy assistant enabled, in any mode, use the following command:
show policy assistant-enable

Aggregate Policy
According to the needs of different scenarios, you can create an aggregate policy and add policy
rules with the same effect or the same attributes to the aggregate policy. If the administrator
adjusts the position of an aggregate policy, the positions of all its members are adjusted
accordingly, so that policy rules can be managed in bulk.
Aggregate policy configuration includes:

l Creating an aggregate policy

l Adding an aggregate policy member

l Removing an aggregate policy member

l Deleting an aggregate policy

l Adjusting position

l Enabling/Disabling an aggregate policy

l Adding/Deleting an aggregate policy description

Creating an Aggregate Policy

To create an aggregation policy, you need to do the following two steps:

1. Create a policy rule with a name.

2. After entering the policy rule configuration mode, specify the created policy rule as an
aggregate policy.

Notes: If you need to specify an existing policy rule as an aggregate policy, the con-
figuration of the policy rule must meet the following requirements, otherwise it can-
not be specified as an aggregate policy:

346 Chapter 2 Policy


l Must contain a configuration with a name.

l It can contain an enabled state or a description configuration, but no configuration other
than the name, enabled state, or description configuration.

To create an aggregate policy, in the global configuration mode, use the following command:
rule [id id] {name name} aggregate-type

l id id - Specifies the ID of an aggregate policy. If not specified, system will automatically assign
an ID to the policy. The ID should be unique in the system.

l name name - Specifies the name of an aggregate policy. The range is 1 to 95 characters and the
name is required.

l aggregate-type - Specifies the created policy rule as an aggregate policy.

Adding an Aggregate Policy Member

After creating an aggregate policy, the administrator can add a policy rule to the aggregate policy to
be an aggregate policy member. First, use the rule id id command to enter the configuration mode of
the policy rule to be added, and then use the following command:
aggregate-rule {name name | id id} [top | before {name rule-name | id} | after {name rule-name |
id}]

l name name | id id - Specifies a name or an ID of the aggregate policy to be added to.

l top | before {name rule-name | id} | after {name rule-name | id} – Specifies the position of
an aggregate policy member in the aggregate policy. By default, the newly-added aggregate
policy member will be put at the bottom of all other members in the policy.

l top - Specifies an aggregate policy member to be put at the top of all other members in
the policy.

l before {name rule-name | id} – Specifies an aggregate policy member to be put before
the ID or name of a certain member in the policy.

l after {name rule-name | id} – Specifies an aggregate policy member to be put after the
ID or name of a certain member in the policy.

Notes:
l A policy rule can only be added to one aggregate policy.

l If a policy rule has already been added to an aggregate policy, the policy rule
will be added to the newly specified aggregate policy after executing the com-
mand.

l An aggregate policy cannot be added to another aggregate policy as a member.

l A policy member in a policy group cannot be added to an aggregate policy.

Removing an Aggregate Policy Member

To remove a member from an aggregate policy, use the rule id id command to enter the
configuration mode of the member to be removed, and then use the following command:
no aggregate-rule

Notes:
l If the member at the top position is removed from an aggregate policy, the
removed member will be put before the aggregate policy.

l If a member at a non-top position is removed from an aggregate policy, the
removed member will be put after the aggregate policy.

Deleting an Aggregate Policy

To delete an aggregate policy and remove its members, in the global configuration mode, use the
following command:
no rule {id id | name name}

l id id – Deletes the aggregate policy with the specified ID.

l name name – Deletes the aggregate policy with the specified name.

To delete an aggregate policy and its members, that is, delete the aggregate policy together with all
the members in it, in the global configuration mode or policy configuration mode, use the fol-
lowing command:
no rule {id id | name name} include-member

Adjusting Position

To adjust the position of an aggregate policy or an aggregate policy member, in the policy con-
figuration mode, use the following command:
move {name name | id} {top | bottom | before {name rule-name | id} | after {name rule-name | id}}

l name name | id – Specifies an ID or a name of an aggregate policy or an aggregate policy
member whose position you want to adjust.

l top – If an aggregate policy is moved, specifies the policy to be put at the top of all other
policy rules; if an aggregate policy member is moved, specifies the member to be put at the
top of all other members in the policy to which it belongs.

l bottom - If an aggregate policy is moved, specifies the policy to be put at the bottom of all
other policy rules; if an aggregate policy member is moved, specifies the member to be put at
the bottom of all other members in the policy to which it belongs.

l before {name rule-name | id} – Specifies an aggregate policy to be put before an ID or name.
If an aggregate policy member is moved, the rule-name or id can only be specified as the ID or
name of another member in the policy to which it belongs.

l after {name rule-name | id} – Specifies an aggregate policy to be put after an ID or name. If
an aggregate policy member is moved, the rule-name or id can only be specified as the ID or
name of another member in the aggregate policy to which it belongs.

Notes:
l After adjusting the position of an aggregate policy, the positions of all aggreg-
ate policy members will be adjusted accordingly.

l It is not supported to add a policy rule to or remove a policy rule from an
aggregate policy by adjusting the position of the policy rule.

Enabling/Disabling an Aggregate Policy

By default, the configured aggregate policy will take effect immediately. By disabling an aggregate
policy, the administrator can terminate its control over the traffic. To disable or enable an aggreg-
ate policy, in the configuration mode of the aggregate policy, use the following commands:

l Disable: disable

l Enable: enable

350 Chapter 2 Policy


Notes:
l After disabling an aggregate policy, its members will be disabled too.

l After enabling an aggregate policy, the original status (enabled/disabled) of its
members will remain unchanged. For example, if the original status of an
aggregate policy member is "disabled", the status will remain unchanged after
the policy to which it belongs is enabled.

Adding/Deleting an Aggregate Policy Description

To add a description to an aggregate policy, in the configuration mode of the aggregate policy, use
the following command:
description description

l description – Specifies an aggregate policy description. The range is 1 to 95 characters.

To delete the description of an aggregate policy, in the configuration mode of the policy, use the
following command:
no description

Share Access
Share access means that multiple endpoints access the network with the same IP address. The share access function can block access from unknown devices and allocate bandwidth to users, so as to prevent possible risks and ensure a good online experience.

Share Access Rule

You can change the configurations of share access rules as needed. The configurations include:

l Creating share access rules

l Configuring share access rules

l Viewing share access rules

Creating Share Access Rules

To create a share access rule with the specified name and enter the share access configuration mode, in the global configuration mode, use the following command:
share-access-detect rule rule-name [ipv6]

l rule-name – Specifies the name of the share access rule. If a rule with the specified name already exists, the command enters the share access configuration mode directly.

l [ipv6] – Specifies that the share access rule is of the IPv6 type. If not specified, the rule is of the IPv4 type.

To delete a share access rule, in the global configuration mode, use the following command:
no share-access-detect rule rule-name


Configuring Share Access Rules

To configure a share access rule, in the share access configuration mode, use the following commands:

l Specify the source zone of share access: src-zone zone-name

l Delete the source zone of share access: no src-zone

l Specify the source IP address segment (IPv4/IPv6) of share access: src-ip {ipv4/mask-len | ipv4 netmask} / src-ip {ipv6-prefix/prefix-length}

l Delete the source IP address segment (IPv4/IPv6) of share access: no src-ip {ipv4/mask-len | ipv4 netmask} / no src-ip {ipv6-prefix/prefix-length}

l Specify the source IP address range (IPv4/IPv6) of share access: src-range begin-ipv4 end-ipv4 / src-range begin-ipv6 end-ipv6

l Delete the source IP address range (IPv4/IPv6) of share access: no src-range begin-ipv4 end-ipv4 / no src-range begin-ipv6 end-ipv6

l Specify the source IP address book entry (IPv4/IPv6) of share access: src-addr ipv4-addr / src-addr ipv6-addr

l Delete the source IP address book entry (IPv4/IPv6) of share access: no src-addr ipv4-addr / no src-addr ipv6-addr

l Enable/Disable the share access rule: enable | disable (enabled by default)

l Specify the schedule of share access: schedule schedule-name (The share access rule takes effect in the period specified by the schedule. If no schedule is configured, the share access rule is always effective.)

l Delete the schedule of share access: no schedule

l Specify the maximum number of share access endpoints: access-limit limit-num (The range is 1-15. The default value is 2.)

l Restore the default number of share access endpoints: no access-limit

l Specify the action: When the number of endpoints sharing the same IP address exceeds the maximum allowed by the system, the IP address of the endpoints is processed according to the specified action. The actions are block and log, log only, and warning and log. The default action is log only.
action {block | log-only | warning}

l block – When the number of share access endpoints exceeds the maximum, the system blocks the IP address of the endpoints beyond the limit and records logs during the specified period.

l log-only – When the number of share access endpoints exceeds the maximum, the system only records logs for the IP address beyond the limit, without affecting the normal connections of the access endpoints.

l warning – When the number of share access endpoints exceeds the maximum, the system sends warnings to the endpoints beyond the limit and records logs during the specified period.

l Restore the default action (log only): no action

l Specify the control duration of block or warning: control-duration duration (The range is 60-3600 s and the default value is 60 s. After the duration, the system detects again whether the number of access endpoints exceeds the maximum.)

l Restore the default control duration of block or warning: no control-duration

l Specify the timeout of an endpoint: detected-endpoint-timeout time (After the timeout, when the endpoint no longer accesses the network with the IP address, the system clears the endpoint information. The range is 300-86400 s. The default value is 600 s.)

l Restore the default endpoint timeout: no detected-endpoint-timeout

l Specify the sequence number of the share access rule: sequence {first | last | seq-id}

l first – Sets the sequence number of the share access rule to 1.

l last – Sets the share access rule as the last one.

l seq-id – Specifies the sequence number of the share access rule. The range is 1-8. The smaller the number, the higher the priority.

l Specify the user-defined warning message: warning-info string

l Delete the user-defined warning message: no warning-info
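The detection behaviour described by the access-limit, action, control-duration and detected-endpoint-timeout options above, as an added example in Python (not StoneOS code): it models one share access rule, counts the distinct endpoints seen behind each source IP address, applies the configured action when the count exceeds the limit, and answers the same status and endpoint-num filters as show share-access-detect statistics. The endpoint identifiers, IP addresses and timestamps are constructed sample input; how StoneOS actually tells endpoints behind one IP address apart is not described on this page and is not modelled.

```python
"""Model of one share access rule's detection logic. Added example, not StoneOS code.
Endpoint identifiers, addresses and timestamps are constructed sample input."""
from dataclasses import dataclass, field

# Status values as displayed by "show share-access-detect statistics"
NORMAL, LOGGING, WARNING, BLOCKING = "normal", "logging", "warning", "blocking"


@dataclass
class ShareAccessRule:
    name: str
    access_limit: int = 2        # access-limit: 1-15, default 2
    action: str = "log-only"     # action {block | log-only | warning}, default log-only
    control_duration: int = 60   # control-duration: 60-3600 s, default 60
    endpoint_timeout: int = 600  # detected-endpoint-timeout: 300-86400 s, default 600

    def __post_init__(self):
        # Reject values outside the documented ranges.
        if not 1 <= self.access_limit <= 15:
            raise ValueError("access-limit must be 1-15")
        if self.action not in ("block", "log-only", "warning"):
            raise ValueError("action must be block, log-only or warning")
        if not 60 <= self.control_duration <= 3600:
            raise ValueError("control-duration must be 60-3600")
        if not 300 <= self.endpoint_timeout <= 86400:
            raise ValueError("detected-endpoint-timeout must be 300-86400")


@dataclass
class IpState:
    endpoints: dict = field(default_factory=dict)  # endpoint id -> last seen (seconds)
    status: str = NORMAL
    control_until: float = 0.0                     # end of the block/warning period
    logs: list = field(default_factory=list)


class ShareAccessDetector:
    def __init__(self, rule):
        self.rule = rule
        self.ips = {}   # source IP -> IpState

    def observe(self, now, src_ip, endpoint_id):
        """Record that endpoint_id used src_ip at time now and return the IP's status."""
        st = self.ips.setdefault(src_ip, IpState())
        st.endpoints[endpoint_id] = now
        # Endpoints silent for detected-endpoint-timeout are forgotten.
        for ep, seen in list(st.endpoints.items()):
            if now - seen >= self.rule.endpoint_timeout:
                del st.endpoints[ep]
        # During an active block/warning period the status is kept; the count is
        # checked again only after control-duration has elapsed.
        if st.status in (BLOCKING, WARNING) and now < st.control_until:
            return st.status
        st.status = NORMAL
        if len(st.endpoints) > self.rule.access_limit:
            if self.rule.action == "block":
                st.status = BLOCKING
                st.control_until = now + self.rule.control_duration
            elif self.rule.action == "warning":
                st.status = WARNING
                st.control_until = now + self.rule.control_duration
            else:                      # log-only: record only, traffic is not affected
                st.status = LOGGING
            st.logs.append((now, self.rule.name, src_ip, len(st.endpoints), st.status))
        return st.status

    def statistics(self, status=None, endpoint_num=None):
        """Mirror of the status and endpoint-num {gt | lt | eq} filters of the show command."""
        ops = {"gt": lambda a, b: a > b, "lt": lambda a, b: a < b, "eq": lambda a, b: a == b}
        out = {}
        for ip, st in self.ips.items():
            count = len(st.endpoints)
            if status is not None and st.status != status:
                continue
            if endpoint_num is not None and not ops[endpoint_num[0]](count, endpoint_num[1]):
                continue
            out[ip] = (count, st.status)
        return out


if __name__ == "__main__":
    det = ShareAccessDetector(ShareAccessRule("lan-share", access_limit=2, action="block"))
    for t, ep in [(0, "ep-a"), (1, "ep-b"), (2, "ep-c")]:      # three devices behind one IP
        print(t, ep, det.observe(t, "192.168.1.20", ep))
    print(det.statistics(status=BLOCKING))
```

With the block action, the third endpoint pushes the address into the blocking status and it stays there until control-duration has elapsed, after which the count is evaluated again; with the default log-only action the address only gets the logging status and every observation is re-evaluated. Endpoints that have not been seen for detected-endpoint-timeout no longer count towards the limit.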

Viewing Share Access Rules

To view share access rules, in any mode, use the following command:
show share-access-detect rule [rule-name]

l rule-name – Specifies the name of the share access rule. If you do not specify a rule name, the system displays the configurations of all rules.

Viewing Statistics of Share Access

To view the statistics of share access, in any mode, use the following command:
show share-access-detect statistics [rule rule-name] [src-ip {ipv4-address | ipv6-address}] [src-zone zone-name] [status {blocking | normal | logging | warning}] [endpoint-num {gt | lt | eq} number]

l rule rule-name – Displays the endpoint statistics of the specified share access rule.

l src-ip {ipv4-address | ipv6-address} – Displays the endpoint statistics of the specified source IP address, which can be an IPv4 or IPv6 address.

l src-zone zone-name – Displays the endpoint statistics of the specified source zone.

l status {blocking | normal | logging | warning} – Specifies the status of the endpoint IP address. Only the statistics of access endpoints in this status are displayed.

l blocking – Displays the endpoint statistics when the status of the endpoint IP address is blocking.

l normal – Displays the endpoint statistics when the status of the endpoint IP address is normal.

l logging – Displays the endpoint statistics when the status of the endpoint IP address is logging.

l warning – Displays the endpoint statistics when the status of the endpoint IP address is warning.

Share Access Signature Database

You can change the update configurations of the share access signature database as needed. The update configurations include:

l Configuring the update mode of the share access signature database

l Updating now

l Importing a share access signature file

l Viewing update information of the share access signature database

l Viewing information of the share access signature database

Tips: A non-root VSYS also supports the share access function, but does not support the update configurations of the share access signature database.

Configuring the Update Mode of Share Access Signature Database

To configure the update of the share access signature database, in the global configuration mode, use the following command:
share-access-detect signature update [mode {auto | manual} | proxy-server {main | backup} proxy-ip proxy-port | schedule {daily | weekly {sun | mon | tue | wed | thu | fri | sat} | monthly date} [HH:MM] | server1 {domain | ip} [vrouter vrouter-name] | server2 {domain | ip} [vrouter vrouter-name] | server3 {domain | ip} [vrouter vrouter-name] | protocol HTTP]

l mode {auto | manual} – Specifies the update mode of the share access signature database. The system supports automatic and manual update modes. The default mode is automatic update.

l proxy-server {main | backup} proxy-ip proxy-port – Specifies the proxy server for the share access signature database update.

l schedule {daily | weekly {sun | mon | tue | wed | thu | fri | sat} | monthly date} [HH:MM] – Specifies the automatic update schedule of the share access signature database.

l server1 {domain | ip} [vrouter vrouter-name] – Specifies the domain name or IP address, and the VRouter, of update server 1.

l server2 {domain | ip} [vrouter vrouter-name] – Specifies the domain name or IP address, and the VRouter, of update server 2.

l server3 {domain | ip} [vrouter vrouter-name] – Specifies the domain name or IP address, and the VRouter, of update server 3.

l protocol HTTP – Specifies the update protocol as HTTP. The default protocol is HTTPS.

Updating Share Access Signature Database

To update the share access signature database immediately, in the execution mode, use the following command:
exec share-access-detect signature update

Importing a Share Access Signature File

In some cases, your device may be unable to connect to the update server to update the share access signature database. To solve this problem, StoneOS provides the file import function for the share access signature database, i.e., importing share access signature files to the device from an FTP or TFTP server, so that the device can update the share access signature database locally.
To import a share access signature file, in the execution mode, use the following command:
import share-access-detect signature from {ftp server {A.B.C.D | X:X:X:X::X} [vrouter vrouter-name] [user username password string] | tftp server {A.B.C.D | X:X:X:X::X} [vrouter vrouter-name]} file-name

l ftp server {A.B.C.D | X:X:X:X::X} [vrouter vrouter-name] [user user-name password password] – Specifies the IP address, VRouter, user name and password of the FTP server from which to import share access signature files. You can log in to the server anonymously without typing a user name and password.

l tftp server {A.B.C.D | X:X:X:X::X} [vrouter vrouter-name] – Specifies the IP address and VRouter of the TFTP server from which to import share access signature files.

l file-name – Specifies the name of the share access signature file to be imported.

Viewing Update Information of Share Access Signature Database

To view the update information of the share access signature database, in any mode, use the following command:
show share-access-detect signature update

Viewing Information of Share Access Signature Database

To view the information of the share access signature database, in any mode, use the following command:
show share-access-detect signature info

Viewing Statistics of Share Access

To view the statistics of share access, in any mode, use the following command:
show share-access-detect statistics [rule rule-name] [src-ip ip-address] [src-zone zone-name] [status {normal | logging | warning}] [endpoint-num {gt | lt | eq} number]

l rule rule-name – Displays the endpoint statistics of the specified share access rule.

l src-ip ip-address – Displays the endpoint statistics of the specified source IP address.

l src-zone zone-name – Displays the endpoint statistics of the specified source zone.

l status {normal | logging | warning} – Displays the endpoint statistics in the specified status.

l normal – Displays the endpoint statistics when the status of the endpoint IP address is normal.

l logging – Displays the endpoint statistics when the status of the endpoint IP address is logging.

l warning – Displays the endpoint statistics when the status of the endpoint IP address is warning.

l endpoint-num {gt | lt | eq} number – Displays the statistics of the entries whose number of endpoints meets the specified condition.

l gt – Displays the statistics of the entries whose number of endpoints is greater than the specified number.

l lt – Displays the statistics of the entries whose number of endpoints is less than the specified number.

l eq – Displays the statistics of the entries whose number of endpoints is equal to the specified number.

l number – Specifies the number of endpoints.

Share Access Log

You can change the configurations of the share access log as needed. The configurations include:

l Configuring the status of the share access log

l Configuring the output destination of the share access log

l Viewing share access logs

Configuring the Status of Share Access Log

To enable the share access log, in the global configuration mode, use the following command. The function is enabled by default.
logging share-access-detect on

To disable the share access log, in the global configuration mode, use the following command:
no logging share-access-detect on

Configuring the Output Destination of Share Access Log

You can specify the output destination of the share access log as needed, including a syslog server, the buffer and the console. The default destination is the buffer. In the global configuration mode, use the following command:
logging share-access-detect to {syslog | buffer [size buffer-size] | console}

l syslog – Sends the share access logs to the syslog server.

l buffer [size buffer-size] – Sends the share access logs to the buffer and specifies the memory size of the buffer. The range is 4096-524288 bytes. The default value is 524288.

l console – Sends the share access logs to the console.

To cancel the output destination configuration of the share access log, in the global configuration mode, use the following command:
no logging share-access-detect to {syslog | buffer [size buffer-size] | console}

Viewing Share Access Logs

To view the share access logs, in any mode, use the following command:
show logging share-access-detect


Chapter 3 Routing
Routing is the process of forwarding packets from one network to a destination address in another network. A router, a packet forwarding device between two networks, is designed to transmit packets based on the various routes stored in routing tables. Each route is known as a routing entry.
Hillstone devices are designed with Layer 3 routing. This function allows you to configure routing options and forward various packets via VRouters. The routing types supported by the Hillstone devices include Destination Routing, ISP Routing, Source-Based Routing (SBR), Source-Interface-Based Routing (SIBR), Destination-Interface-Based Routing (DIBR), Policy-Based Routing (PBR), Proximity Routing, Dynamic Routing (including RIP, OSPF and BGP), Equal Cost MultiPath Routing (ECMP) and Static Multicast Routing.
This section contains the following contents:

l "Destination Route" on Page 367: A manually-configured route which determines the next routing hop according to the destination IP address.

l "Destination Interface Route" on Page 369: A manually-configured route which determines the next routing hop according to the destination IP address and ingress interface.

l "ISP Route" on Page 371: A kind of route which determines the next hop based on different ISPs.

l "Source Route" on Page 388: A source IP based route which selects routes and forwards data according to the source IP address.

l "Src-If Route" on Page 389: A source IP and ingress interface based route.

l "Policy-based Route" on Page 391: A route which forwards data based on the source IP address, destination IP address and service type.

l Proximity routing: Selects routes and forwards data according to the result of proximity detection.

l "Dynamic Routing" on Page 403: Selects routes and forwards data according to the dynamic routing table generated by dynamic routing protocols (RIP, OSPF, IS-IS, or BGP).

l "ECMP" on Page 475: Load balances traffic destined to the same IP address or segment over multiple routes with equal administration distance.

l "Static Multicast Routing" on Page 476: A manually-configured route which sends packets from a multicast source to all the members within a group.

When forwarding inbound packets, the Hillstone device selects a route in the following sequence: PBR > SIBR > SBR > DIBR > Destination Routing/ISP Routing/Proximity Routing/Dynamic Routing.

Enabling/Disabling Static Routing Query

For PBR, SBR, SIBR and DIBR, you can control the query on each of them separately (the system requires that the destination routing query must be enabled). By default, the PBR, SBR, SIBR and DIBR queries are enabled. To enable/disable the query on them, in the global configuration mode, use the following commands (applicable to all VRouters):

l Enable: route enable {pbr | sibr | sbr | dibr}

l Disable: route disable {pbr | sibr | sbr | dibr}

Tip: For the configuration example of enabling/disabling static routing query, see “Example of Configuring Static Route Query”.
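The lookup sequence and the route enable/disable switches above, as an added example in Python (not StoneOS code). It keeps one table per route type, consults them in the order PBR > SIBR > SBR > DIBR > destination routing, skips a table whose query is disabled, and refuses to disable the destination routing query. The route entries, interface names (ethernet0/x) and addresses are constructed sample data, and the match fields of each route type are simplified to what the chapter overview lists for it.

```python
"""Model of the route lookup sequence PBR > SIBR > SBR > DIBR > destination routing and of
"route enable/disable {pbr | sibr | sbr | dibr}". Added example, not StoneOS code; the route
entries, interface names and packets are constructed sample data."""
import ipaddress

# Lookup order from the text; destination routing is last and cannot be disabled.
LOOKUP_ORDER = ("pbr", "sibr", "sbr", "dibr", "destination")


def _in_prefix(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def matches(kind, route, pkt):
    """Return True when a route of the given type applies to the packet."""
    if kind == "pbr":      # policy-based: source, destination and service
        return (_in_prefix(pkt["src"], route["src"]) and _in_prefix(pkt["dst"], route["dst"])
                and pkt["service"] == route["service"])
    if kind == "sibr":     # source-interface-based: ingress interface and source
        return pkt["in_if"] == route["in_if"] and _in_prefix(pkt["src"], route["src"])
    if kind == "sbr":      # source-based: source only
        return _in_prefix(pkt["src"], route["src"])
    if kind == "dibr":     # destination-interface-based: ingress interface and destination
        return pkt["in_if"] == route["in_if"] and _in_prefix(pkt["dst"], route["dst"])
    return _in_prefix(pkt["dst"], route["dst"])   # destination routing


class VRouter:
    def __init__(self):
        self.tables = {kind: [] for kind in LOOKUP_ORDER}
        self.query_enabled = {"pbr": True, "sibr": True, "sbr": True, "dibr": True}

    def route_enable(self, kind):
        if kind not in self.query_enabled:
            raise ValueError("only pbr, sibr, sbr and dibr queries can be switched")
        self.query_enabled[kind] = True

    def route_disable(self, kind):
        if kind not in self.query_enabled:
            raise ValueError("destination routing query must stay enabled")
        self.query_enabled[kind] = False

    def lookup(self, pkt):
        """Return (route type, next hop) from the first table in lookup order that matches."""
        for kind in LOOKUP_ORDER:
            if kind != "destination" and not self.query_enabled[kind]:
                continue
            found = [r for r in self.tables[kind] if matches(kind, r, pkt)]
            if not found:
                continue
            if kind == "destination":
                # Longest prefix wins, then the lowest administration distance.
                best = max(found, key=lambda r: (ipaddress.ip_network(r["dst"]).prefixlen,
                                                 -r.get("distance", 1)))
            else:
                best = found[0]   # rule order decides for the policy-style tables
            return kind, best["nexthop"]
        return None


if __name__ == "__main__":
    vr = VRouter()
    vr.tables["destination"] += [{"dst": "0.0.0.0/0", "nexthop": "203.0.113.1"},
                                 {"dst": "10.2.0.0/16", "nexthop": "ethernet0/3"}]
    vr.tables["sbr"].append({"src": "192.168.10.0/24", "nexthop": "198.51.100.1"})
    pkt = {"src": "192.168.10.7", "dst": "192.0.2.10", "service": "http", "in_if": "ethernet0/0"}
    print(vr.lookup(pkt))          # the source-based route wins over the default route
    vr.route_disable("sbr")
    print(vr.lookup(pkt))          # with the SBR query disabled, destination routing decides
```

Disabling a query does not delete the routes of that type; it only removes the table from the lookup, so the same packet falls through to the next table in the sequence.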

Enabling/Disabling the Route Rematch by Session

By default, the route rematch by session function is enabled. When you add, modify or delete a route, existing sessions match the optimal route again. During this process, the system handles sessions as follows:

l When the route that the session matched before is deleted:

l If the keep-session function is disabled, the related session is deleted.

l If the keep-session function is enabled, the related session is not deleted, and the routing information of the session becomes invalid. When the route that the session matched before is added again, the session matches the optimal route again:

l If the egress interface of the rematched route remains the same, the routing information of the session becomes valid again, and the session is restored to normal status.

l If the egress interface of the rematched route changes, the related session is deleted.

l When the route that the session matched before is modified or a new route is added:

l If the route that the session matched before is still the optimal route, the related session remains normal.

l If the route that the session matched before is no longer the optimal route, but the egress interface of the rematched route remains the same, the routing information of the related session is updated.

l If the route that the session matched before is no longer the optimal route and the egress interface of the rematched route changes, the related session is deleted.

In some cases (such as adding or deleting an application bound to a PBR rule), a large number of sessions may be deleted, which leads to traffic anomalies. In such cases, you should disable the route rematch by session function.
To enable or disable this function, in the Flow configuration mode, use the following command:
session rematch route {enable [keep-session] | disable}

l enable - Enables the route rematch by session.

l keep-session - Keeps the related session. When the route rematch by session function is enabled and this parameter is specified, the related session is not deleted and the routing information of the session becomes invalid. By default, this parameter is not specified, namely, the keep-session function is disabled.

l disable - Disables the route rematch by session. If the keep-session function is enabled, it is disabled at the same time.
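The session handling rules above, as an added example in Python (not StoneOS code). FlowTable mirrors session rematch route {enable [keep-session] | disable}: on route deletion a session is deleted, or kept with invalid routing information when keep-session is set; on route addition or modification the session is kept, updated or deleted according to whether its old route is still optimal and whether the egress interface changed. Routes, interface names and the session destination are constructed sample data, and "optimal route" is modelled as the longest prefix, then the lowest administration distance.

```python
"""Model of the "route rematch by session" rules. Added example, not StoneOS code; routes,
interface names and session destinations are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: str      # destination prefix, e.g. "10.1.0.0/16"
    egress: str      # egress interface
    distance: int = 1


@dataclass
class Session:
    dst: str
    route: Optional[Route]
    routing_valid: bool = True   # False while a kept session waits for its route
    alive: bool = True


class FlowTable:
    """session rematch route {enable [keep-session] | disable}"""

    def __init__(self, rematch=True, keep_session=False):
        self.rematch = rematch
        self.keep_session = keep_session and rematch   # keep-session needs rematch enabled
        self.routes = []
        self.sessions = []

    def best_route(self, dst):
        """Optimal route: longest prefix, then lowest administration distance."""
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if addr in ipaddress.ip_network(r.prefix)]
        if not cands:
            return None
        return max(cands, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.distance))

    def open_session(self, dst):
        s = Session(dst, self.best_route(dst))
        self.sessions.append(s)
        return s

    def add_route(self, route):
        self.routes.append(route)
        self._rematch(removed=None)

    def delete_route(self, route):
        self.routes.remove(route)
        self._rematch(removed=route)

    def modify_route(self, route, egress=None, distance=None):
        if egress is not None:
            route.egress = egress
        if distance is not None:
            route.distance = distance
        self._rematch(removed=None)

    def _rematch(self, removed):
        if not self.rematch:
            return                                  # sessions keep their old route
        for s in self.sessions:
            if not s.alive or s.route is None:
                continue
            if removed is not None and s.route is removed:
                if self.keep_session:
                    s.routing_valid = False         # kept, but routing info invalid
                else:
                    s.alive = False                 # deleted together with its route
                continue
            new = self.best_route(s.dst)
            if not s.routing_valid:
                # A kept session whose route was deleted: rematch once a route is back.
                if new is None:
                    continue
                if new.egress == s.route.egress:
                    s.route, s.routing_valid = new, True
                else:
                    s.alive = False
                continue
            if new is s.route:
                continue                            # old route still optimal
            if new is not None and new.egress == s.route.egress:
                s.route = new                       # same egress: update routing info
            else:
                s.alive = False                     # egress changed: delete session
```

The two outcomes the text warns about are visible in the model: with rematch enabled and keep-session off, deleting a route drops every session that matched it, and a new, more specific route towards a different egress interface drops the sessions it captures even though their old route still exists.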

VRouter
A VRouter (VR) acts as a virtual router, and different VRouters have their own independent routing tables. A VRouter named trust-vr is bundled with the system. Hillstone devices support multiple VRouters (a function known as multi-VR). All the routing configuration of the Hillstone devices must be performed in the appropriate VRouter configuration mode. To enter the VRouter configuration mode, in the global configuration mode, use the following command:
ip vrouter vrouter-name

l vrouter-name - Specifies the name of the VRouter.

In the VRouter configuration mode, you can configure static routing entries and dynamic routing protocols, specify the maximum number of routing entries supported by the VRouter, and import routing entries from other VRouters.
To use the multi-VR function, you need to run exec vrouter enable first, and then reboot the system to make multi-VR take effect.

Tip: For the multi-VR configuration examples, see “Example of Configuring Multi-VR”.

Specifying the Maximum Number of Routing Entries
To specify the maximum number of routing entries permitted by a VRouter (including all direct routes, static routes and dynamic routes of the VRouter), in the VRouter configuration mode, use the following command:
max-routes number

l number - Specifies the maximum number of routing entries. The value range is 1 to 100000.

To cancel the specified maximum number of routing entries, in the VRouter configuration mode, use the following command:
no max-routes

When the maximum number of routing entries is reached, the system issues an alarm.

Importing VRouter Routing Entries

You can import routing entries from other VRouters into your own VRouter. In the VRouter configuration mode, use the following command:
import vrouter vrouter-name {connected | static | rip | ospf | bgp}

l vrouter-name - Specifies the name of the VRouter to which the imported routing entries belong.

l connected | static | rip | ospf | bgp - Specifies the type of the routing entries that will be imported.

Repeat the above command to import routing entries of different types.

Notes: The priority of routing entries imported from other VRouters is lower than the priority of the entries belonging to the original VRouter.

Disabling the Highest Priority of Direct Route

Direct routes have the highest route priority. When you configure other routes at the same time, the direct route is used first, which makes the other routes ineffective. Therefore, you can disable the highest priority of direct routes as needed. In the VRouter configuration mode, use the following command:
fib-lookup connect-first-disable

To restore the highest priority of direct routes, in the VRouter configuration mode, use the following command:
no fib-lookup connect-first-disable

Destination Route
The destination route is a manually-configured routing entry that determines the next routing hop based on the destination IP address. Usually a network with a comparatively small number of outbound connections or stable Intranet connections will use destination routes. You can add a default routing entry as needed.

Configuring a Destination Route

You can add a destination route and view the route's information through the CLI.

Adding a Destination Route

You can add a destination routing entry to a VRouter. However, before adding the entry, you need to enter the VRouter configuration mode. In the global configuration mode, use the following command:
ip vrouter vrouter-name

l vrouter-name - Specifies the name of the VRouter.

To add a destination route, in the VRouter configuration mode, use the following command:
ip route {A.B.C.D/M | A.B.C.D A.B.C.D} {A.B.C.D | interface-name [A.B.C.D] | vrouter vrouter-name} [distance-value] [weight weight-value] [tag tag-value] [description description] [schedule schedule-name] [track track-name]

l A.B.C.D/M | A.B.C.D A.B.C.D - Specifies the destination address. The Hillstone devices support two formats: A.B.C.D/M or A.B.C.D A.B.C.D, for example, 1.1.1.0/24 or 1.1.1.0 255.255.255.0.

l A.B.C.D | interface-name [A.B.C.D] | vrouter vrouter-name - Specifies the type of next hop, which can be a gateway address (A.B.C.D), an interface (interface-name) or a VRouter (vrouter vrouter-name). If the next hop type is interface, you can select a tunnel interface (for a multi-tunnel interface, you must specify the next hop IP address of the IPsec VPN, GRE or SCVPN tunnel by the A.B.C.D parameter, and this address must be the same as the next hop IP address of the corresponding tunnel bound to the tunnel interface), a Null0 interface or a PPPoE interface. For more information about how to configure the next hop IP address of the VPN/GRE tunnel that is bound to the tunnel interface, see "Binding a Tunnel" in "Firewall".

l distance-value - Specifies the administration distance of the route. This parameter is used to determine the precedence of the route. The smaller the value is, the higher the precedence is. If multiple routes are available, the route with higher precedence is prioritized. The value range is 1 to 255. The default value is 1. When the value is set to 255, the route is invalid.

l weight weight-value - Specifies the weight of traffic forwarding in load balancing. The value range is 1 to 255. The default value is 1.

l tag tag-value – Specifies the tag value of the destination route. When OSPF redistributes routes, if the routing tag value configured here matches the rules in the route map, the route will be redistributed to filter its information. The value range is 1 to 4294967295.

l description description – Specifies the description of this route. You can enter at most 63 characters.

l schedule schedule-name - Specifies the name of a schedule defined in the system. The configuration only takes effect during the specified period. Repeat the command to specify more schedules (up to 8). To avoid possible unknown problems, you are not recommended to use schedules with overlapping time.

l track track-name – Specifies the name of a created track object. When the track fails, the route becomes invalid.

Repeat the above command to add more destination routes.

To delete the specified static destination route, use the following command:
no ip route {A.B.C.D/M | A.B.C.D A.B.C.D} {A.B.C.D | interface-name A.B.C.D | interface-name [A.B.C.D] | vrouter vrouter-name} [description description] [schedule schedule-name]

Viewing Destination Routing Information

To view the destination routing information, in any mode, use the following command:
show ip route static [vrouter vrouter-name]

l vrouter-name - Displays the destination route information of the specified VRouter.
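A parser for the ip route syntax documented above, as an added example in Python (not StoneOS code). It accepts both destination formats, the three next hop types, and the optional distance, weight, tag, description, schedule and track options; it enforces the value ranges given above (distance 255 marks the route invalid, at most 63 description characters, at most 8 schedules per route) and models "repeat the command to specify more schedules" with a small route table. The interface, VRouter, schedule and track names in the sample input are constructed.

```python
"""Parser for the documented "ip route" syntax with its value ranges. Added example, not
StoneOS code; interface, VRouter, schedule and track names in sample input are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DestinationRoute:
    destination: str            # normalised to A.B.C.D/M
    nexthop_type: str           # "gateway", "interface" or "vrouter"
    nexthop: str                # gateway IP, interface name or VRouter name
    nexthop_ip: str = None      # optional next hop IP for a (multi-)tunnel interface
    distance: int = 1           # 1-255; 255 marks the route invalid
    weight: int = 1             # 1-255
    tag: int = None             # 1-4294967295
    description: str = None     # at most 63 characters
    schedules: list = field(default_factory=list)   # up to 8 per route
    track: str = None

    @property
    def valid(self):
        return self.distance != 255

    def key(self):
        return (self.destination, self.nexthop_type, self.nexthop, self.nexthop_ip)


def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _ranged(val, lo, hi, name):
    n = int(val)
    if not lo <= n <= hi:
        raise ValueError(f"{name} must be {lo}-{hi}")
    return n


def parse_ip_route(line):
    toks = line.split()
    if toks[:2] != ["ip", "route"] or len(toks) < 4:
        raise ValueError("expected: ip route <destination> <next hop> ...")
    i = 2
    # Destination: A.B.C.D/M, or A.B.C.D followed by a dotted netmask. IPv4Network
    # rejects a destination with host bits set (e.g. 1.1.1.5/24).
    if "/" in toks[i]:
        dest = ipaddress.IPv4Network(toks[i]); i += 1
    else:
        dest = ipaddress.IPv4Network(f"{toks[i]}/{toks[i + 1]}"); i += 2
    # Next hop: gateway address, interface name [A.B.C.D], or vrouter <name>.
    if toks[i] == "vrouter":
        route = DestinationRoute(str(dest), "vrouter", toks[i + 1]); i += 2
    elif _is_ipv4(toks[i]):
        route = DestinationRoute(str(dest), "gateway", toks[i]); i += 1
    else:
        route = DestinationRoute(str(dest), "interface", toks[i]); i += 1
        if i < len(toks) and _is_ipv4(toks[i]):
            route.nexthop_ip = toks[i]; i += 1
    # A bare number right after the next hop is the administration distance.
    if i < len(toks) and toks[i].isdigit():
        route.distance = _ranged(toks[i], 1, 255, "distance"); i += 1
    # Remaining keyword/value pairs.
    while i < len(toks):
        key = toks[i]
        val = toks[i + 1] if i + 1 < len(toks) else None
        if val is None:
            raise ValueError(f"{key} needs a value")
        if key == "weight":
            route.weight = _ranged(val, 1, 255, key)
        elif key == "tag":
            route.tag = _ranged(val, 1, 4294967295, key)
        elif key == "description":
            if len(val) > 63:
                raise ValueError("description is at most 63 characters")
            route.description = val
        elif key == "schedule":
            route.schedules.append(val)
        elif key == "track":
            route.track = val
        else:
            raise ValueError(f"unknown option {key}")
        i += 2
    return route


class RouteTable:
    """Static destination routes of one VRouter. Repeating "ip route" for the same
    destination and next hop adds another schedule, up to 8 per route."""

    def __init__(self):
        self.routes = []

    def add(self, line):
        new = parse_ip_route(line)
        for r in self.routes:
            if r.key() == new.key():
                for sched in new.schedules:
                    if sched not in r.schedules:
                        if len(r.schedules) >= 8:
                            raise ValueError("at most 8 schedules per route")
                        r.schedules.append(sched)
                return r
        self.routes.append(new)
        return new
```

Validation happens before anything is stored, so a command with an out-of-range distance or weight, an unknown keyword, or a ninth schedule leaves the table unchanged, which is the behaviour an administrator expects from the CLI's own error message.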

Destination Interface Route

Destination-Interface-Based Routing (DIBR) is a manually-configured route which determines the next routing hop according to the destination IP address and ingress interface.

Adding a Destination Interface Route

You can add a destination interface routing entry to a VRouter. However, before adding the entry, you need to enter the VRouter configuration mode. In the global configuration mode, use the following command:
ip vrouter vrouter-name

l vrouter-name - Specifies the name of the VRouter.

To add a destination interface route, in the VRouter configuration mode, use the following command:
ip route in-interface interface-name {A.B.C.D/M | A.B.C.D A.B.C.D} {A.B.C.D | interface-name [A.B.C.D] | vrouter vrouter-name} [distance-value] [weight weight-value] [description description] [schedule schedule-name] [track track-name]

l in-interface interface-name - Specifies the ingress interface of the route.

l A.B.C.D/M | A.B.C.D A.B.C.D - Specifies the destination address. The Hillstone devices support two formats: A.B.C.D/M or A.B.C.D A.B.C.D, for example, 1.1.1.0/24 or 1.1.1.0 255.255.255.0.

l A.B.C.D | interface-name [A.B.C.D] | vrouter vrouter-name - Specifies the type of next hop, which can be a gateway address (A.B.C.D), an interface (interface-name) or a VRouter (vrouter vrouter-name). If the next hop type is interface, you can select a tunnel interface (for a multi-tunnel interface, you must specify the next hop IP address of the IPsec VPN, GRE or SCVPN tunnel by the A.B.C.D parameter, and this address must be the same as the next hop IP address of the corresponding tunnel bound to the tunnel interface), a Null0 interface or a PPPoE interface. For more information about how to configure the next hop IP address of the VPN/GRE tunnel that is bound to the tunnel interface, see "Binding a Tunnel" in "Firewall".

l distance-value - Specifies the administration distance of the route. This parameter is used to determine the precedence of the route. The smaller the value is, the higher the precedence is. If multiple routes are available, the route with higher precedence is prioritized. The value range is 1 to 255. The default value is 1. When the value is set to 255, the route is invalid.

l weight weight-value - Specifies the weight of traffic forwarding in load balancing. The value range is 1 to 255. The default value is 1.

l description description – Specifies the description of this route. You can enter at most 63 characters.

l schedule schedule-name - Specifies the name of a schedule defined in the system. The configuration only takes effect during the specified period. Repeat the command to specify more schedules (up to 8). To avoid possible unknown problems, you are not recommended to use schedules with overlapping time.

l track track-name – Specifies the name of a created track object. When the track fails, the route becomes invalid.

Repeat the above command to add more destination interface routes.

To delete the specified destination interface route, use the following command:
no ip route in-interface interface-name {A.B.C.D/M | A.B.C.D A.B.C.D} {A.B.C.D | interface-name [A.B.C.D] | vrouter vrouter-name} [description description] [schedule schedule-name]

Viewing Destination Interface Route Information

To view the destination interface route information, in any mode, use the following command:
show ip route in-interface interface-name

l in-interface interface-name - Specifies the ingress interface of the route.

Viewing FIB Information about Destination Interface Route

To view the FIB information about destination interface routes, in any mode, use the following command:
show [ipv6] fib in-interface interface-name

l in-interface interface-name - Specifies the ingress interface of the route.

ISP Route
Generally many users might apply for multiple lines for load balancing purpose. However, a typ-
ical balance will not function based on the traffic's direction. If a server in ISP A is accessed
through ISP B, the speed will be rather low. For such a scenario, StoneOS provides ISP Route
which allows traffics from different ISPs to take their proprietary routes, thus accelerating net-
work access.

371 Chapter 3 Routing


To configure an IPv4/IPv6 ISP route, first you need to add a subnet to an IPv4/IPv6 ISP, and
then configure the IPv4/IPv6 ISP route. The destination of the route is determined by the name
of the IPv4/IPv6 ISP. You can customize ISP information, or upload and download custom pro-
files that contain different ISP information. You can implement remote or local update on pre-
defined ISP profiles by using the ISP information database.
In an IPv4/IPv6 ISP route configuration, you can perform the following operations:

l Configuring ISP information database

l Configuring IPv4/IPv6 ISP information

l Configuring an IPv4/IPv6 ISP route

l Uploading/Saving an IPv4/IPv6 ISP route configuration file

l Viewing IPv4/IPv6 ISP route configuration information

Configuring the ISP Information Database


By default, the system automatically updates the ISP information database on a daily basis. You
can modify the update configuration as needed.
The update configuration of the ISP information database includes:

l Configuring the update mode of the ISP information database

l Configuring the transmission protocol for update

l Configuring the update server

l Specifying the HTTP proxy server

l Specifying the update time

l Updating immediately

l Importing predefined ISP profiles

Chapter 3 Routing 372


l Displaying information about the ISP information database

l Displaying the update configuration of the ISP information database

Configuring the Update Mode of the ISP Information Database

The ISP information database can be manually or automatically updated. To configure the update
mode of the ISP information database, in global configuration mode, use the following command:
isp -in fo rmatio n up date mo de {auto | man ual}

l auto – Specifies to automatically update the ISP information database. This is the default
update mode.

l manual – Specifies to manually update the ISP information database.

In global configuration mode, use the following command to return to the default update mode:
no isp-information update mode

Configuring the Transmission Protocol for Update

The ISP information database can be updated over HTTP or HTTPS. By default, HTTPS is
used. To set the transmission protocol of updating the ISP information database to HTTP, in
global configuration mode, use the following command:

isp-information update protocol HTTP

In global configuration mode, use the following command to return to the default transmission
protocol:
no isp-information update protocol HTTP

Configuring the Update Server

The system provides the default update servers for the ISP information database,
update1.hillstonenet.com and update2.hillstonenet.com. You can also configure other update servers
to download the latest predefined ISP profile as needed. At most 3 update servers can be configured.
To configure an update server, in global configuration mode, use the following command:

isp-information update {server1 | server2 | server3} {ip-address | domain-name} [vrouter vrouter-name]

l server1 | server2 | server3 – Specifies the server to be configured. The server supports both
IPv4 and IPv6. The default value of server1 is update1.hillstonenet.com and the default value
of server2 is update2.hillstonenet.com.

l ip-address | domain-name – Specifies the name of the update server, which can be an IP
address or domain name, such as update1.hillstonenet.com.

l vrouter vrouter-name – Specifies the virtual router bound to the update server. By default,
trust-vr is used.

To restore the default configuration of server1 or server2 or delete the configuration of server3,
in global configuration mode, use the following command:
no isp-information update {server1 | server2 | server3}

Specifying the HTTP Proxy Server

If an HTTP proxy server is required for the device to access the Internet, you need to specify the
IP address and port number of the proxy server on the device to ensure normal update.
To specify an HTTP proxy server for the ISP information database, in global configuration mode,
use the following command:
isp-information update proxy-server {main | backup} ip-address port-number

l main | backup – Uses the main field to specify the main proxy server and the backup
field to specify the backup proxy server.

l ip-address port-number – Specifies the IP address and port number of the proxy server.

To cancel the specified proxy server, use the no isp-information update proxy-server {main |
backup} command.

Specifying the Update Time

By default, the system automatically updates the ISP information database on a daily basis. The
daily update time is random to avoid high server traffic volume. To specify the update frequency
and time of the ISP information database, in global configuration mode, use the following com-
mand:
isp-information update schedule {daily | weekly {mon | tue | wed | thu | fri | sat | sun} | monthly <1-31>} [HH:MM]

l daily – Updates the database every day.

l weekly {mon | tue | wed | thu | fri | sat | sun} – Updates the database every week. The
mon | tue | wed | thu | fri | sat | sun field is used to specify the date when the database is
updated every week.

l monthly <1-31> – Updates the database every month. The <1-31> field is used to specify
the date when the database is updated every month.

l HH:MM – Specifies the time when the database is updated, such as 09:00.

Updating Immediately

No matter whether the update mode is manual or automatic, you can use the following command
to update the ISP information database at any time. To immediately update the ISP information
database, in any mode, use the following command:
exec isp-information update

l exec isp-information update – Updates only the parts that differ between the current ISP
information database and the latest ISP information database released by the update server.

Importing Predefined ISP Profiles

In some cases, your device may fail to connect to the update server to update the ISP information
database. To avoid this issue, StoneOS provides the ISP profile import function. You can import
predefined ISP profiles over FTP, FTPS, SFTP, or TFTP to update the ISP information database.
To import a predefined ISP profile, in execution mode, use the following command:
import ispfile from {ftp server ip-address [user user-name password password] | ftps server ip-address [user user-name password password] | sftp server ip-address [user user-name password password] | tftp server ip-address} [vrouter vr-name] file-name

l ip-address - Specifies the IP address of the FTP/FTPS/SFTP/TFTP server.

l user user-name password password - Specifies the username and password of the
FTP/FTPS/SFTP server.

l vrouter vr-name – Specifies the VRouter to which the FTP/FTPS/SFTP/TFTP server
belongs.

l file-name - Specifies the name of the predefined ISP profile to be imported.

Deleting Predefined ISP Profiles

The predefined ISP profiles are encrypted. The device provides the built-in ISP information data-
base, which contains predefined ISP profiles. The device can connect to the update server or
import predefined ISP profiles over FTP, FTPS, SFTP, or TFTP to update the ISP information
database. You can delete predefined ISP profiles from the ISP information database by using the
CLI.

Deleting Predefined IPv4 ISP Profiles

To delete predefined IPv4 ISP profiles from the system, in execution mode, use the following
command:
exec isp-network clear-predefine

After you run the command, restart the system and the system will restore the original predefined
IPv4 ISP profiles (built-in predefined IPv4 ISP profiles).

Notes: To ensure that predefined IPv4 ISP profiles can be deleted as expected,
delete nested IPv4 ISP information entries before you delete the predefined IPv4
ISP profiles.

Deleting Predefined IPv6 ISP Profiles

To delete predefined IPv6 ISP profiles from the system, in execution mode, use the following
command:
exec isp-network clear-predefine ipv6

After you run the command, restart the system and the system will restore the original predefined
IPv6 ISP profiles (built-in predefined IPv6 ISP profiles).

Notes: To ensure that predefined IPv6 ISP profiles can be deleted as expected,
delete nested IPv6 ISP information entries before you delete the predefined IPv6
ISP profiles.

Displaying Information about the ISP Information Database

To view information about the ISP information database of the device at any time, in any mode,
use the following command:
show isp-information info
Example:

hostname(config)# show isp-information info

DB vendor: Hillstone Networks (displays the database vendor)
Current version: 1.0.220902 (displays the current version of the ISP information database)
Release date: 2022/09/02 15:00:02 (displays the release date and time of the current version)

Displaying the Update Configuration of the ISP Information Database

You can view the update information about the ISP information database of the device by using
the corresponding show commands at any time. The update information includes but is not limited
to the update server information, update mode, update frequency, time, and botnet prevention sig-
nature database update status. To view the update configuration of the ISP information database,
in any mode, use the following command:
show isp-information update
Example:

hostname(config)# show isp-information update

ISP signature update options: (displays the update options of the ISP information database)
protocol: HTTPS (displays the transmission protocol for ISP information database update)
server1: update1.hillstonenet.com, 443, trust-vr (displays the information about the update server of the ISP information database)
server2: update2.hillstonenet.com, 443, trust-vr (displays the information about the update server of the ISP information database)
server3: 10.10.10.10, 443, trust-vr (displays the information about the update server of the ISP information database)
proxy server status: enable (displays the proxy server status)
main proxy server: (displays the information about the main proxy server)
backup proxy server: ip 10.10.10.10, port 12 (displays the information about the backup proxy server)
mode: auto (displays the update mode of the ISP information database)
schedule: daily 09:21 (displays the update cycle in auto mode)
current status: normal (displays the process status of the ISP information database, in which normal indicates that the ISP information database is in the not-updated status)
last update result: Download signature failed; please confirm the servers are reachable (displays the result of the last ISP information database update)
last update time: Fri Nov 4 09:22:02 2022 (displays the time when the ISP information database was last updated)

Configuring IPv4 ISP Information


To configure IPv4 ISP information on the device, first, you need to enter the IPv4 ISP inform-
ation configuration mode. To create an IPv4 ISP name and enter the IPv4 ISP information con-
figuration mode, in the global configuration mode, use the following command:
isp-network isp-name

l isp-name - Specifies the name of the IPv4 ISP. The system allows up to 26 IPv4 ISP information
entries to be created.

To delete the specified IPv4 ISP, in the global configuration mode, use the following command:
no isp-network isp-name

Adding a Subnet Entry

To add a subnet entry to IPv4 ISP, in the IPv4 ISP information configuration mode, use the fol-
lowing command:
subnet A.B.C.D/M

l A.B.C.D/M - Specifies the subnet for the IPv4 ISP, in the form of IP address/netmask, for
example, 1.1.1.0/24. The maximum number of subnet entries that the system allows to add
varies depending on the platform, and the range is 1000-6000.

In the IPv4 ISP information configuration mode, repeat the above command to add multiple sub-
nets for the IPv4 ISP.
To delete the specified subnet, in the IPv4 ISP information configuration mode, use the fol-
lowing command:

no subnet A.B.C.D/M

Adding an IPv4 ISP Information Entry

To add an IPv4 ISP information entry, that is to add other configured IPv4 ISP information (pre-
defined IPv4 ISP information or user-defined IPv4 ISP information), in the IPv4 ISP information
configuration mode, use the following command:
member isp-name

l isp-name – Specifies the IPv4 ISP name. An IPv4 ISP can include at most one nested layer, and
an IPv4 ISP cannot add itself as a member.

In the IPv4 ISP information configuration mode, repeat the above command to add multiple IPv4
ISP information entries for the IPv4 ISP.
To delete the specified IPv4 ISP information entry, in the IPv4 ISP information configuration
mode, use the following command:
no member isp-name

Notes: IPv4 ISP information and IPv6 ISP information are not allowed to be nested
in each other.

Configuring an IPv4 ISP Route


To configure an IPv4 ISP route, you need to enter the VRouter configuration mode. In the global
configuration mode, use the following command:
ip vrouter vrouter-name

l vrouter-name - Specifies the name of VRouter.

To configure an ISP route, in the VRouter configuration mode, use the following command:
ip route isp-name {A.B.C.D | interface-name | vrouter vrouter-name} [distance-value] [weight weight-value] [description description] [schedule schedule-name]

l isp-name - Specifies an existing ISP in the system as the destination address of the route.

l A.B.C.D | interface-name | vrouter vrouter-name - Specifies the type of next hop, which can
be a gateway address (A.B.C.D), interface (interface-name) or VRouter (vrouter vrouter-
name). If the next hop type is interface, you can select a tunnel interface, Null0 interface or
PPPoE interface.

l distance-value - Specifies the administration distance of the route. This parameter is used to
determine the precedence of the route. The smaller the value is, the higher the precedence is.
If multiple routes are available, the route with higher precedence will be prioritized. The value
range is 1 to 255. The default value is 1. When the value is set to 255, the route is invalid.

l weight weight-value - Specifies the weight of traffic forwarding in load balance. The value
range is 1 to 255. The default value is 1.

l description description – Specifies the description of this route. You can enter at most 63
characters.

l schedule schedule-name - Specifies the name of the schedule defined in the system. The con-
figuration will only take effect during the specified period. Repeat the command to specify
more schedules (up to 8). To avoid possible unknown problems, you are not recommended to
use schedules with time overlapping.

Repeat the above command to add multiple ISP routes.


To delete the specified ISP route, in the VRouter configuration mode, use the following com-
mand:
no ip route isp-name {A.B.C.D | interface-name | vrouter vrouter-name} [distance-value] [weight weight-value] [description description] [schedule schedule-name]

Viewing IPv4 ISP Route Configuration Information


To view the IPv4 ISP route configuration information, use the following commands:

l View the predefined IPv4 ISP information:
show pre-isp-network {all | isp-name}

l View the user-defined IPv4 ISP information:
show isp-network {all | isp-name}

l View the IPv4 ISP route:
show ip route isp [isp-name | vrouter vrouter-name]

Uploading/Downloading a User-defined IPv4 ISP Profile


Hillstone devices support two types of IPv4 ISP profiles: user-defined IPv4 ISP profiles and pre-
defined IPv4 ISP profiles.

l User-defined IPv4 ISP profiles: Follow the format example shown below to compile a user-
defined profile. Otherwise, even if the file is uploaded successfully, it will not take effect in
the system.

# Software Version 5.5 SG6000-MX_MAIN-68-V6-r1018.bin 202211040258
!
Version 5.5R10
subVersion 1.0
isp-network test
subnet 1.1.1.1/32
subnet 2.2.2.2/32
member CERNET
exit

l Predefined IPv4 ISP profiles: The predefined IPv4 ISP profile shipped with StoneOS is
encrypted. If the predefined profile has been updated, you need to upload the new profile.

Uploading a User-defined IPv4 ISP Profile

To upload a user-defined IPv4 ISP profile through FTP and TFTP server, in the execution mode,
use the following command:
import ispfile from {ftp server ip-address [user username password string] | tftp server ip-address} file-name

l ftp server ip-address - Specifies the IP address of FTP server.

l user username password string - Specifies the user name and password accessing FTP server.

l tftp server ip-address - Specifies the IP address of TFTP server.

l file-name - Specifies the name of the user-defined IPv4 ISP profile.

Downloading a User-defined IPv4 ISP Profile

The custom ISP profiles can only be saved through WebUI. To save an IPv4 ISP profile to your
PC, take the following steps:

1. Select Network > Routing > ISP Profile.

2. Select IPv4 tab.

3. Click Download to open the Download User Defined ISP File panel.

4. Select an ISP profile from the ISP profile drop-down list.

5. Click OK to save the profile to a specified location in PC.

Configuring IPv6 ISP Information


To configure IPv6 ISP information on the device, first, you need to enter the IPv6 ISP inform-
ation configuration mode. To create an IPv6 ISP name and enter the IPv6 ISP information con-
figuration mode, in the global configuration mode, use the following command:
isp-network isp-name ipv6

l isp-name - Specifies the name of the IPv6 ISP. The system allows up to 26 IPv6 ISP information
entries to be created.

l ipv6 - Specifies the ISP information type as IPv6.

To delete the specified IPv6 ISP, in the global configuration mode, use the following command:
no isp-network isp-name

Adding an IPv6 Subnet Entry

To add a subnet entry to an IPv6 ISP, in the IPv6 ISP information configuration mode, use the fol-
lowing command:
subnet ipv6-address/prefix

l ipv6-address/prefix - Specifies the subnet for the IPv6 ISP, in the form of IPv6 address/-
prefix, for example, 1::1/64. The maximum number of subnet entries that the system allows
to add varies depending on the platform, and the range is 1000-6000.

In the IPv6 ISP information configuration mode, repeat the above command to add multiple sub-
nets for the IPv6 ISP.
To delete the specified subnet, in the IPv6 ISP information configuration mode, use the fol-
lowing command:
no subnet ipv6-address/prefix

Adding an IPv6 ISP Information Entry

To add an IPv6 ISP information entry, that is to add other configured IPv6 ISP information (pre-
defined IPv6 ISP information or user-defined IPv6 ISP information), in the IPv6 ISP information
configuration mode, use the following command:
member isp-name

l isp-name – Specifies the IPv6 ISP name. An IPv6 ISP can include at most one nested layer, and
an IPv6 ISP cannot add itself as a member.

In the IPv6 ISP information configuration mode, repeat the above command to add multiple IPv6
ISP information entries for the IPv6 ISP.
To delete the specified IPv6 ISP information entry, in the IPv6 ISP information configuration
mode, use the following command:
no member isp-name

Notes: IPv6 ISP information and IPv4 ISP information are not allowed to be nested
in each other.

Configuring an IPv6 ISP Route


To configure an IPv6 ISP route, you need to enter the VRouter configuration mode. In the global
configuration mode, use the following command:
ip vrouter vrouter-name

l vrouter-name - Specifies the name of VRouter.

To configure an ISP route, in the VRouter configuration mode, use the following command:
ip route isp-name {A.B.C.D | interface-name | vrouter vrouter-name} [distance-value] [weight weight-value] [description description] [schedule schedule-name]

l isp-name - Specifies an existing ISP in the system as the destination address of the route.

l A.B.C.D | interface-name | vrouter vrouter-name - Specifies the type of next hop, which can
be a gateway address (A.B.C.D), interface (interface-name) or VRouter (vrouter vrouter-
name). If the next hop type is interface, you can select a tunnel interface, Null0 interface or
PPPoE interface.

l distance-value - Specifies the administration distance of the route. This parameter is used to
determine the precedence of the route. The smaller the value is, the higher the precedence is.
If multiple routes are available, the route with higher precedence will be prioritized. The value
range is 1 to 255. The default value is 1. When the value is set to 255, the route is invalid.

l weight weight-value - Specifies the weight of traffic forwarding in load balance. The value
range is 1 to 255. The default value is 1.

l description description – Specifies the description of this route. You can enter at most 63
characters.

l schedule schedule-name - Specifies the name of the schedule defined in the system. The con-
figuration will only take effect during the specified period. Repeat the command to specify
more schedules (up to 8). To avoid possible unknown problems, you are not recommended to
use schedules with time overlapping.

Repeat the above command to add multiple ISP routes.


To delete the specified ISP route, in the VRouter configuration mode, use the following com-
mand:
no ip route isp-name {A.B.C.D | interface-name | vrouter vrouter-name} [distance-value] [weight weight-value] [description description] [schedule schedule-name]
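The distance and weight parameters carry the same meaning for the IPv4 and IPv6 ISP route commands described above: the lowest administrative distance wins, 255 marks a route invalid, and routes of equal distance share traffic in proportion to their weights. The following Python model is an added example, not StoneOS code, that works through those rules on constructed data. The ISP names, prefixes and next hops are made up; treating a destination as belonging to an ISP when any of its subnets (or a member ISP's subnets, one nesting level deep) contains the address, and splitting flows across next hops by a modulo of a flow key, are this example's own choices, since the guide does not describe the platform's internal lookup or hashing.

```python
"""Model of ISP route selection: distance precedence and weighted load balance.

Added example, not StoneOS code. It follows the parameter semantics the guide
states (lowest distance wins, 255 is invalid, equal-distance routes share
traffic in proportion to weight). How the platform hashes a flow onto a next
hop is not documented here; the modulo split below is this example's own choice.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class IspRoute:
    isp: str            # ISP name, the route's destination
    nexthop: str        # gateway address or interface name (constructed)
    distance: int = 1   # 1-255; 255 marks the route invalid
    weight: int = 1     # 1-255; share of traffic among equal-distance routes

    def __post_init__(self):
        if not (1 <= self.distance <= 255 and 1 <= self.weight <= 255):
            raise ValueError("distance and weight must be within 1 to 255")


# Constructed ISP information using documentation prefixes only. "isp-ab" has
# no subnets of its own and nests the other two as members (one nesting level).
ISPS = {
    "isp-a": {"subnets": ["198.51.100.0/24"], "members": []},
    "isp-b": {"subnets": ["203.0.113.0/24"], "members": []},
    "isp-ab": {"subnets": [], "members": ["isp-a", "isp-b"]},
}

# Constructed routes: a primary and a backup toward isp-a, two load-balanced
# next hops toward isp-b, and an invalid (distance 255) route toward isp-ab.
ROUTES = [
    IspRoute("isp-a", "10.0.0.1"),
    IspRoute("isp-a", "10.0.0.2", distance=10),
    IspRoute("isp-b", "10.0.1.1", weight=3),
    IspRoute("isp-b", "10.0.1.2", weight=1),
    IspRoute("isp-ab", "null0", distance=255),
]


def isp_prefixes(isps, name, depth=0):
    """Subnets of an ISP plus those of its members, one nesting level deep."""
    nets = [ipaddress.ip_network(s) for s in isps[name]["subnets"]]
    if depth == 0:
        for member in isps[name]["members"]:
            nets += isp_prefixes(isps, member, depth + 1)
    return nets


def matching_isps(isps, dst):
    """Names of all ISPs whose subnets contain the destination address."""
    addr = ipaddress.ip_address(dst)
    return sorted(n for n in isps if any(addr in p for p in isp_prefixes(isps, n)))


def candidate_routes(isps, routes, dst):
    """Routes toward dst that share the best (lowest) distance; 255 is skipped."""
    names = set(matching_isps(isps, dst))
    usable = [r for r in routes if r.isp in names and r.distance < 255]
    if not usable:
        return []
    best = min(r.distance for r in usable)
    return [r for r in usable if r.distance == best]


def pick_nexthop(cands, flow_key):
    """Deterministic weighted choice: a flow key lands on each next hop in
    proportion to its weight (this example's split, not the platform's)."""
    slot = flow_key % sum(r.weight for r in cands)
    for r in cands:
        if slot < r.weight:
            return r.nexthop
        slot -= r.weight
    raise AssertionError("unreachable")


def traffic_share(cands, flows=1000):
    """Fraction of `flows` consecutive flow keys that each next hop receives."""
    counts = {}
    for key in range(flows):
        nh = pick_nexthop(cands, key)
        counts[nh] = counts.get(nh, 0) + 1
    return {nh: n / flows for nh, n in counts.items()}


if __name__ == "__main__":
    for dst in ("198.51.100.7", "203.0.113.9", "192.0.2.1"):
        cands = candidate_routes(ISPS, ROUTES, dst)
        print(dst, matching_isps(ISPS, dst),
              traffic_share(cands) if cands else "no ISP route")
```

Removing the distance-1 route toward isp-a from ROUTES makes the distance-10 backup the only candidate, which is the failover the distance parameter is meant to express; the distance-255 route toward isp-ab never becomes a candidate even though isp-ab also contains both destinations.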

Viewing IPv6 ISP Information


To view the IPv6 ISP route configuration information, use the following commands:

l View the predefined IPv6 ISP information:
show ipv6 pre-isp-network {all | isp-name}

l View the user-defined IPv6 ISP information:
show ipv6 isp-network {all | isp-name}

Uploading/Downloading a User-defined IPv6 ISP Profile

Hillstone devices support two types of IPv6 ISP profiles: user-defined IPv6 ISP profiles and pre-
defined IPv6 ISP profiles.

l User-defined IPv6 ISP profiles: Follow the format example shown below to compile a user-
defined profile. Otherwise, even if the file is uploaded successfully, it will not take effect in
the system.

Software Version 5.5 SG6000-MX_MAIN-68-V6-r1018.bin 202211040257
!
Version 5.5R10
subVersion 1.0
isp-network testv6 ipv6
subnet 1::1/128
subnet 2::2/128
member CERNET-v6
exit
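Both the IPv4 profile format shown under "Uploading/Downloading a User-defined IPv4 ISP Profile" and the IPv6 format just above must be followed exactly, or the uploaded file is silently ignored by the system. The following Python script is an added example, not Hillstone code, that generates a profile in that layout and parses one back, refusing the two mistakes the guide names: mixing IPv4 and IPv6 ISP information and an ISP that lists itself as a member. The header build string and timestamp are placeholders, the ISP names and subnets are constructed, and the default subnet limit of 1000 is the low end of the platform-dependent range the guide quotes.

```python
"""Build and check user-defined StoneOS ISP profiles.

Added example, not Hillstone code: it reproduces the profile layout shown in
the guide and rejects the mistakes the guide says make a profile ineffective
(wrong address family for the block, an ISP listing itself as a member).
"""
import ipaddress

# Header lines in the layout of the guide's sample profile. The build string
# and timestamp are constructed placeholders, not values from a real device.
HEADER = [
    "# Software Version 5.5 <BUILD-PLACEHOLDER> <TIMESTAMP-PLACEHOLDER>",
    "!",
    "Version 5.5R10",
    "subVersion 1.0",
]


def check_subnets(subnets, ipv6):
    """Return normalised subnet strings, rejecting syntax errors and any
    subnet whose address family does not match the profile (IPv4 and IPv6
    ISP information cannot be mixed)."""
    want = ipaddress.IPv6Network if ipv6 else ipaddress.IPv4Network
    out = []
    for s in subnets:
        try:
            # strict=False: host bits are masked off rather than rejected;
            # the guide does not state how the device treats them.
            net = ipaddress.ip_network(s, strict=False)
        except ValueError as exc:
            raise ValueError(f"bad subnet {s!r}: {exc}") from None
        if not isinstance(net, want):
            raise ValueError(f"subnet {s!r} is not {'IPv6' if ipv6 else 'IPv4'}: "
                             "IPv4 and IPv6 ISP information cannot be mixed")
        out.append(str(net))
    return out


def build_isp_profile(name, subnets, members=(), ipv6=False, max_subnets=1000):
    """Return the profile text for one ISP in the guide's layout.

    max_subnets defaults to 1000, the lowest platform limit the guide quotes
    (the range is 1000-6000 depending on the platform)."""
    if not name or len(name.split()) != 1:
        raise ValueError("ISP name must be a single non-empty token")
    if name in members:
        raise ValueError("an ISP cannot add itself as a member")
    nets = check_subnets(subnets, ipv6)
    if len(nets) > max_subnets:
        raise ValueError(f"{len(nets)} subnets exceeds the limit of {max_subnets}")
    lines = list(HEADER)
    lines.append(f"isp-network {name} ipv6" if ipv6 else f"isp-network {name}")
    lines += [f"subnet {n}" for n in nets]
    lines += [f"member {m}" for m in members]
    lines.append("exit")
    return "\n".join(lines) + "\n"


def parse_isp_profile(text):
    """Parse profile text back into {"name", "ipv6", "subnets", "members"};
    raises ValueError on lines that do not fit the layout."""
    prof, closed = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "!":
            continue
        words = line.split()
        if words[0] in ("Version", "subVersion"):
            continue
        if words[0] == "isp-network":
            if prof is not None:
                raise ValueError("only one isp-network block is expected")
            if len(words) == 2:
                prof = {"name": words[1], "ipv6": False, "subnets": [], "members": []}
            elif len(words) == 3 and words[2] == "ipv6":
                prof = {"name": words[1], "ipv6": True, "subnets": [], "members": []}
            else:
                raise ValueError(f"malformed line: {line}")
            continue
        if prof is None or closed:
            raise ValueError(f"line outside the isp-network block: {line}")
        if words[0] == "subnet" and len(words) == 2:
            prof["subnets"] += check_subnets([words[1]], prof["ipv6"])
        elif words[0] == "member" and len(words) == 2:
            if words[1] == prof["name"]:
                raise ValueError("an ISP cannot add itself as a member")
            prof["members"].append(words[1])
        elif words == ["exit"]:
            closed = True
        else:
            raise ValueError(f"malformed line: {line}")
    if prof is None or not closed:
        raise ValueError("profile is missing the isp-network ... exit block")
    return prof


def profile_error(*args, **kwargs):
    """Validation message for the given build_isp_profile inputs, or None."""
    try:
        build_isp_profile(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    text = build_isp_profile("test", ["1.1.1.1/32", "2.2.2.2/32"], ["CERNET"])
    print(text)
    print(parse_isp_profile(text))
```

Running the generated text through parse_isp_profile before uploading it is a cheap way to catch a malformed file locally, since the device accepts the upload either way and only the missing effect reveals the problem.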

Uploading a User-defined IPv6 ISP Profile

To upload a user-defined IPv6 ISP profile through the FTP/FTPS/SFTP/TFTP server, in the
execution mode, use the following command:
import ispfile from {ftp server ip-address [user user-name password password] | ftps server ip-address [user user-name password password] | sftp server ip-address [user user-name password password] | tftp server ip-address} [vrouter vr-name] file-name

l ip-address - Specifies the IP address of the FTP/FTPS/SFTP/TFTP server.

l user user-name password password - Specifies the user name and password for accessing the
FTP/FTPS/SFTP server.

l vrouter vr-name – Specifies the VRouter where the FTP/FTPS/SFTP/TFTP server belongs.

l file-name - Specifies the name of the user-defined IPv6 ISP profile.

Downloading a User-defined IPv6 ISP Profile

The custom ISP profiles can only be saved through WebUI. To save an IPv6 ISP profile to your
PC, take the following steps:

1. Select Network > Routing > ISP Profile.

2. Select IPv6 tab.

3. Click Download to open the Download User Defined ISP File panel.

4. Select an ISP profile from the ISP profile drop-down list.

5. Click OK to save the profile to a specified location in PC.

Source Route
The source route can only be configured in the VRouter configuration mode. To enter the
VRouter configuration mode, in global configuration mode, use the following command:
ip vrouter vrouter-name

Adding a Source Route


To add a source route, in the VRouter configuration mode, use the following command:
ip route source {A.B.C.D/M | A.B.C.D A.B.C.D} {A.B.C.D | interface-name | vrouter vrouter-name} [distance-value] [weight weight-value] [schedule schedule-name] [track track-name]

l A.B.C.D/M | A.B.C.D A.B.C.D - Specifies the destination address. The Hillstone devices
support two formats: A.B.C.D/M or A.B.C.D A.B.C.D, for example, 1.1.1.0/24 or 1.1.1.0
255.255.255.0.

l A.B.C.D | interface-name | vrouter vrouter-name - Specifies the type of next hop, which can
be a gateway address (A.B.C.D), interface (interface-name) or VRouter (vrouter vrouter-name).
If the next hop type is interface, you can select a tunnel interface, Null0 interface or PPPoE
interface.

l distance-value - Specifies the administration distance of the route. This parameter is used to
determine the precedence of the route. The smaller the value is, the higher the precedence is.
If multiple routes are available, the route with higher precedence will be prioritized. The value
range is 1 to 255. The default value is 1. When the value is set to 255, the route is invalid.

l weight weight-value - Specifies the weight of traffic forwarding in load balance. The value
range is 1 to 255. The default value is 1.

l schedule schedule-name- Specifies the name of the schedule defined in the system. The con-
figuration will only take effect during the specified period. Repeat the command to specify
more schedules (up to 8). To avoid possible unknown problems, you are not recommended to
use schedules with time overlapping.

l track track-name – Specifies the name of a created track object. When the track fails, the route
will be invalid.

To delete the specified source route, in the VRouter configuration mode, use the following com-
mand:
no ip route source {A.B.C.D/M | A.B.C.D A.B.C.D} {A.B.C.D | interface-name}

Viewing Source Route Information


To view the source route information, in any mode, use the following command:
show ip route source [vrouter vrouter-name]

l vrouter-name - Shows the source route information of the specified VRouter.

Src-If Route
The Src-If route can only be configured in the VRouter configuration mode. To enter the
VRouter configuration mode, in global configuration mode, use the following command:
ip vrouter vrouter-name

Adding a Src-If Route
To add a Src-If route, in the VRouter configuration mode, use the following command:
ip route source in-interface interface-name {A.B.C.D/M | A.B.C.D A.B.C.D} {A.B.C.D | interface-name | vrouter vrouter-name} [distance-value] [weight weight-value] [schedule schedule-name] [track track-name]

l interface-name - Specifies the ingress interface of the route.

l A.B.C.D/M | A.B.C.D A.B.C.D - Specifies the destination address. The Hillstone devices
support two formats: A.B.C.D/M or A.B.C.D A.B.C.D, for example, 1.1.1.0/24 or 1.1.1.0
255.255.255.0.

l A.B.C.D | interface-name | vrouter vrouter-name - Specifies the type of next hop which can
be a gateway address (A.B.C.D), interface (interface-name) or VRouter (vrouter vrouter-
name). If the next hop type is interface, you can select a tunnel interface or Null0 interface.

l distance-value - Specifies the administration distance of the route. This parameter is used to
determine the precedence of the route. The smaller the value is, the higher the precedence is.
If multiple routes are available, the route with higher precedence will be prioritized. The value
range is 1 to 255. The default value is 1. When the value is set to 255, the route is invalid.

l weight weight-value - Specifies the weight of traffic forwarding in load balance. The value
range is 1 to 255. The default value is 1.

l schedule schedule-name- Specifies the name of the schedule defined in the system. The con-
figuration will only take effect during the specified period. Repeat the command to specify
more schedules (up to 8). To avoid possible unknown problems, you are not recommended to
use schedules with time overlapping.

l track track-name – Specifies the name of a created track object. When the track fails, the route
will be invalid.

To delete the specified Src-If route, in the VRouter configuration mode, use the following com-
mand:
no ip route source in-interface interface-name {A.B.C.D/M | A.B.C.D A.B.C.D} {A.B.C.D | interface-name | vrouter vrouter-name}

Viewing Src-If Route Information


To view the Src-If route information, in any mode, use the following command:
show ip route source in-interface interface-name

Policy-based Route
Policy-based Route (PBR) is designed to select a router and forward data based on the source IP
address, destination IP address and service type of a packet, and specify the next hop of the pack-
ets which match the policy.

Creating a PBR Policy


To create a PBR policy, in the global configuration mode, use the following command:
pbr-policy name

l name - Specifies the name of the PBR policy. The length is 1 to 31 characters. If the policy
exists, the system will directly enter the PBR policy configuration mode.

To delete the specified PBR policy, use the command no pbr-policy name.

Creating a PBR Rule


To create a PBR rule, in the PBR policy configuration mode, use the following command:
{match | match-v6} [id rule-id] [before rule-id | after rule-id | top] src-addr dst-addr service-name [application-name] nexthop {interface-name | A.B.C.D | vrouter vrouter-name | vsys vsys-name} [weight value] [track track-object-name]

l id rule-id - Specifies the ID of the new PBR rule. The value range is 1 to 255. If no ID is spe-
cified, the system will automatically assign an ID. The rule ID must be unique in its
corresponding PBR policy.

l before rule-id | after rule-id | top - Specifies the position of the PBR rule. The new PBR rule
can be located before a rule (before rule-id), after a rule (after rule-id) or at the top of all the
rules (top). By default, the system will put the new rule at the end of all the rules.

l src-addr - Specifies the source address which should be an entry defined in the address book.

l dst-addr - Specifies the destination address, which should be an entry defined in the address
book.

l service-name – Specifies the name of the service. service-name should be a service
defined in the service book.

l application-name – Specifies the name of the application. application-name should be an
application defined in the application book.

l nexthop {interface-name | A.B.C.D | vrouter vrouter-name | vsys vsys-name} - Specifies the
next hop. interface-name is the name of the egress interface, A.B.C.D is the IP address of the next
hop, vrouter vrouter-name is a VRouter, and vsys vsys-name is the name of a VSYS.

l weight value - Specifies the weight for the next hop. The value range is 1 to 255. The default
value is 1. If a PBR rule is configured with multiple next hops, the system will distribute the
traffic in proportion to the corresponding weight.

l track track-object-name - Specifies the track object for the next hop. If the track object fails,
the PBR rule will fail as well. For more information about track object, see “Configuring a
Track Object” in “System Management”.

To delete the specified rule, in the PBR policy configuration mode, use the following command:
no match id rule-id
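The rule parameters above (source and destination from the address book, a service, one or more weighted next hops, an optional track object per next hop, and a position given as top, before or after another rule) are worked through in the following Python model. It is an added example, not StoneOS code: address-book entries are represented as prefixes and services by name, the policy, packets and track names are constructed, and the modulo split of a flow key across next hops is this example's own choice. One assumption goes beyond the guide, which only says that a failed track object fails the PBR rule: a matched rule with no usable next hop is skipped and the next rule is tried.

```python
"""Model of PBR rule evaluation: first match in display order, weighted next
hops, track objects and rule placement.

Added example, not StoneOS code. Source/destination entries from the address
book are represented as prefixes, services by name. One assumption beyond the
guide: a matched rule whose next hops have all failed their track object is
treated as failed and the next rule is tried.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class NextHop:
    target: str                  # egress interface, gateway address, vrouter or vsys
    weight: int = 1              # 1-255, share of the rule's traffic
    track: Optional[str] = None  # track object name; a failed track disables the hop


@dataclass
class PbrRule:
    rule_id: int                 # unique within the policy, unrelated to match order
    src: List[str]               # address-book entries resolved to prefixes (constructed)
    dst: List[str]
    service: str                 # service-book entry name; "any" matches all services
    nexthops: List[NextHop]
    enabled: bool = True         # 'disable' ends the rule's control over traffic


def _in_any(ip: str, prefixes: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def rule_matches(rule: PbrRule, pkt: Dict[str, str]) -> bool:
    """Source address, destination address and service must all match."""
    return (rule.enabled
            and _in_any(pkt["src"], rule.src)
            and _in_any(pkt["dst"], rule.dst)
            and rule.service in ("any", pkt["service"]))


def live_nexthops(rule: PbrRule, track_state: Dict[str, bool]) -> List[NextHop]:
    """Next hops whose track object is up (absent from track_state counts as up)."""
    return [h for h in rule.nexthops if h.track is None or track_state.get(h.track, True)]


def evaluate(policy: List[PbrRule], pkt: Dict[str, str],
             track_state: Dict[str, bool], flow_key: int = 0) -> Optional[Tuple[int, str]]:
    """Walk the policy in display order and return (rule_id, next hop) of the
    first matching rule with a usable next hop, or None when no rule applies
    (the packet is then forwarded by the ordinary routing table)."""
    for rule in policy:
        if not rule_matches(rule, pkt):
            continue
        hops = live_nexthops(rule, track_state)
        if not hops:
            continue  # assumption: rule failed by track, fall through to the next rule
        slot = flow_key % sum(h.weight for h in hops)
        for h in hops:
            if slot < h.weight:
                return rule.rule_id, h.target
            slot -= h.weight
    return None


def place_rule(policy: List[PbrRule], rule: PbrRule, before: Optional[int] = None,
               after: Optional[int] = None, top: bool = False) -> List[PbrRule]:
    """Insert a rule at the position the match command accepts: top, before or
    after an existing rule ID, or (by default) at the end of the policy."""
    ids = [r.rule_id for r in policy]
    if rule.rule_id in ids:
        raise ValueError("rule ID must be unique within the policy")
    if top:
        idx = 0
    elif before is not None:
        idx = ids.index(before)
    elif after is not None:
        idx = ids.index(after) + 1
    else:
        idx = len(policy)
    return policy[:idx] + [rule] + policy[idx:]


# Constructed policy, listed in the order 'show pbr-policy' would display it;
# rule 3 sits above rule 1 to show that IDs do not set the matching sequence.
POLICY = [
    PbrRule(3, src=["10.1.0.0/16"], dst=["0.0.0.0/0"], service="HTTP",
            nexthops=[NextHop("10.0.0.1", weight=2),
                      NextHop("10.0.1.1", weight=1, track="trk-isp-b")]),
    PbrRule(1, src=["0.0.0.0/0"], dst=["0.0.0.0/0"], service="any",
            nexthops=[NextHop("ethernet0/1")]),
]
HTTP_PKT = {"src": "10.1.1.5", "dst": "198.51.100.9", "service": "HTTP"}

if __name__ == "__main__":
    print(evaluate(POLICY, HTTP_PKT, {}, flow_key=2))
    print(evaluate(POLICY, HTTP_PKT, {"trk-isp-b": False}))
```

With both next hops of rule 3 up, a third of the HTTP flows from 10.1.0.0/16 go to 10.0.1.1; once the track object trk-isp-b reports a failure, all of them stay on 10.0.0.1, and traffic that rule 3 does not match (another source, another service) is caught by the catch-all rule 1 further down the list regardless of its lower ID.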

In addition, you can also use the following command in PBR policy configuration mode to create
a PBR rule ID, and then in the PBR policy rules configuration mode, further configure other rel-
evant parameters of the PBR rule:

match [id rule-id] [before rule-id | after rule-id | top]

l id rule-id - Specifies the ID of the new PBR rule. If no ID is specified, the system will auto-
matically assign an ID. The rule ID must be unique in the whole system. However, the PBR
rule ID is not related to the matching sequence.

l top | before rule-id | after rule-id - Specifies the position of the PBR rule. The new PBR rule
can be located before a rule (before rule-id), after a rule (after rule-id) or at the top of all the
rules (top). By default, the system will put the newly created rule at the end of all the rules.

Notes: For more information about how to configure other policy-related parameters,
see "Editing a PBR Rule".

Editing a PBR Rule


You can edit an existing PBR rule by modifying its inappropriate parameters. However, this modi-
fication can only be performed in the PBR policy configuration mode. To enter the PBR policy
configuration mode, use the following commands:

l match [id rule-id] [ before rule-id | after rule-id | top]

l match id rule-id (only applicable to an existing rule ID. To delete the rule, use the
command no match id rule-id)

To edit the rule, in the PBR policy rules configuration mode, use the following commands:

l Add a source address of address entry type: src-addr src-addr

l Delete a source address of address entry type: no src-addr src-addr

l Add a source address of IP address type: src-ip {ip/netmask | ip-address netmask}

l Delete a source address of IP address type: no src-ip {ip/netmask | ip-address netmask }

l Add a source address of host name type: src-host host-name

l Delete a source address of host name type: no src-host host-name

l Add a source address of IP range type: src-range min-ip max-ip

l Delete a source address of IP range type: no src-range min-ip max-ip

l Add a destination address of address entry type: dst-addr dst-addr

l Delete a destination address of address entry type: no dst-addr dst-addr

l Add a destination address of IP address type: dst-ip ip/netmask

l Delete a destination address of IP address type: no dst-ip ip/netmask

l Add a destination address of host name type: dst-host host-name

l Delete a destination address of host name type: no dst-host host-name

l Add a destination address of IP range type: dst-range min-ip [max-ip]

l Delete a destination address of IP range type: no dst-range min-ip [max-ip]

l Add a source user of role type: role role-name

l Delete a source user of role type: no role role-name

l Add a source user of user type: user aaa-server-name user-name

l Delete a source user of user type: no user aaa-server-name user-name

l Add a source user of user group type: user-group aaa-server-name user-group-name

l Delete a source user of user group type: no user-group aaa-server-name user-group-name

l Add a service: service service-name

l Delete a service: no service service-name

l Add an application: application application-name



l Delete an application: no application application-name

l Specify the next hop: nexthop {interface-name | A.B.C.D | vrouter-name | vsys vsys-name}

l Cancel the next hop: no nexthop

l Specify a schedule: schedule schedule-name

l Delete the schedule: no schedule

l Add a rule description: description string

l Delete a rule description: no description

l Enable the logging function for PBR rules: log enable

l Disable the logging function for PBR rules: no log enable

Enabling/Disabling a PBR Rule

By default the configured PBR rules will take effect immediately. You can disable a rule to end its
control over traffic. To enable or disable a PBR rule, in the PBR policy rules configuration mode,
use the following commands:

l Disable: disable

l Enable: enable

Moving a PBR Rule


Each PBR rule is labeled with a unique ID. When traffic flows into a Hillstone device, the device
queries the PBR rules in turn and processes the traffic according to the first matched rule.
However, the PBR rule ID is not related to the matching sequence during the query. The rule
sequence displayed by the command show pbr-policy is the actual sequence for the rule matching
(the system matches the rules from the top to the bottom). You can specify the location of a
PBR policy rule when creating the rule, or move its position in the PBR policy rule configuration
mode. The position of a PBR policy rule can be either an absolute position, i.e., at the top or
bottom, or a relative position, i.e., before or after a specific rule ID. To move a PBR rule,
in the PBR policy configuration mode, use the following command:
move rule-id {top | bottom | before rule-id | after rule-id}

Configuring Prioritized Destination Routing Lookup


By default, when forwarding inbound packets, the device selects a route in the following
sequence: PBR > SIBR > SBR > Destination Routing. In some cases, users need to prioritize
the destination route for packets that match a PBR rule, that is, the sequence becomes
Destination Routing > PBR. To configure the prioritized destination routing (DBR) lookup, in the
PBR policy configuration mode, use the following command:
fib-lookup dbr-first

To cancel the prioritized destination routing (DBR) lookup, in the PBR policy configuration
mode, use the following command: no fib-lookup dbr-first
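The ordering behaviour described in the sections above (rule IDs independent of the matching sequence, top/before/after placement, move, disable) and the dbr-first switch, modelled in Python as an added illustration that is not StoneOS code. The rule and FIB structures, the handling of the any wildcard, and the omission of SIBR and SBR from the lookup sequence are my modelling assumptions; all addresses are constructed sample values:

```python
"""Added model (not StoneOS code) of PBR rule ordering and the dbr-first lookup switch."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class PbrRule:
    rule_id: int
    src: str = "any"            # CIDR prefix or "any"
    dst: str = "any"
    app: str = "any"
    nexthop: Optional[str] = None
    enabled: bool = True        # "disable" / "enable" in the rule configuration mode

    def matches(self, src_ip: str, dst_ip: str, app: str) -> bool:
        def in_net(ip, net):
            return net == "any" or ip_address(ip) in ip_network(net, strict=False)
        return (self.enabled and in_net(src_ip, self.src)
                and in_net(dst_ip, self.dst) and self.app in ("any", app))


class PbrPolicy:
    def __init__(self, name: str):
        self.name = name
        self.rules = []          # list order == matching sequence (top to bottom)
        self._next_id = 1        # auto-assigned IDs are unique, not positional
        self.dbr_first = False   # "fib-lookup dbr-first"

    def _index(self, rule_id):
        for i, r in enumerate(self.rules):
            if r.rule_id == rule_id:
                return i
        raise KeyError(f"no PBR rule with id {rule_id}")

    def _slot(self, position):
        # position: None/"bottom", "top", ("before", id) or ("after", id)
        if position in (None, "bottom"):
            return len(self.rules)
        if position == "top":
            return 0
        kind, ref = position
        idx = self._index(ref)
        return idx if kind == "before" else idx + 1

    def match(self, rule_id=None, position=None, **fields) -> PbrRule:
        """match [id rule-id] [top | before rule-id | after rule-id]; default appends at the end."""
        if rule_id is None:
            rule_id = self._next_id
        elif any(r.rule_id == rule_id for r in self.rules):
            raise ValueError(f"rule id {rule_id} already exists")
        self._next_id = max(self._next_id, rule_id + 1)
        rule = PbrRule(rule_id, **fields)
        self.rules.insert(self._slot(position), rule)
        return rule

    def move(self, rule_id, position):
        """move rule-id {top | bottom | before rule-id | after rule-id}"""
        rule = self.rules.pop(self._index(rule_id))
        self.rules.insert(self._slot(position), rule)

    def set_enabled(self, rule_id, enabled: bool):
        self.rules[self._index(rule_id)].enabled = enabled

    def sequence(self):
        """What `show pbr-policy` would list: the real matching order."""
        return [r.rule_id for r in self.rules]

    def first_match(self, src_ip, dst_ip, app="any"):
        for r in self.rules:
            if r.matches(src_ip, dst_ip, app):
                return r
        return None


def longest_match(fib, dst_ip):
    """Destination routing: fib is a list of (prefix, nexthop); most specific prefix wins."""
    best = None
    for prefix, nh in fib:
        net = ip_network(prefix)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def select_nexthop(policy, fib, src_ip, dst_ip, app="any"):
    """Default order is PBR > destination routing; with dbr-first a matching destination
    route is used before the PBR rule (assumption: SIBR/SBR are not modelled)."""
    pbr = policy.first_match(src_ip, dst_ip, app)
    pbr_nh = pbr.nexthop if pbr else None
    if policy.dbr_first:
        return longest_match(fib, dst_ip) or pbr_nh
    return pbr_nh or longest_match(fib, dst_ip)
```

The point to check operationally is sequence(): a rule created with a higher ID but placed with top is matched before a lower-ID rule, so the ID alone says nothing about precedence.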

Applying a PBR Rule


You can apply a PBR rule by binding it to an interface, zone or VRouter. In the interface
configuration mode, security zone configuration mode or VRouter configuration mode, use the
following command:
bind pbr-policy name

l name - The PBR policy to bind to the interface, security zone or VRouter.

To cancel the PBR rule binding to the interface, security zone or VRouter, in the interface
configuration mode, security zone configuration mode or VRouter configuration mode, use the
following command:
no bind pbr-policy

Configuring the Global Match Order of PBR


By default, if the PBR rule is bound to an interface, a VRouter and the security zone the
interface belongs to, the traffic matching sequence is: Interface > Zone > VRouter. To configure
the global match order of PBR, in the global configuration mode, use the following command:
pbr-match order index

l index - Specifies the index of the global match order of PBR, in the range of 1 to 6. The
order index is expressed as follows:

l 1 - Interface > Zone > VRouter. This is the default match order of PBR.

l 2 - Zone > Interface > VRouter.

l 3 - VRouter > Zone > Interface.

l 4 - Interface > VRouter > Zone.

l 5 - VRouter > Interface > Zone.

l 6 - Zone > VRouter > Interface.

To restore the default match order, in the global configuration mode, use the command no
pbr-match.

Viewing the Global Match Order of PBR


In any mode, use the following command:
show pbr-match order

Configuring TTL Range for a PBR Rule


You can configure a TTL range of packets for a PBR rule, and packets that match the PBR rule
will be forwarded to the specified export link. To configure the TTL range, you need to enter
the PBR policy rule configuration mode first, using the following commands:

l match [id rule-id] [before rule-id | after rule-id | top]

l match id rule-id (only applicable to an existing rule ID)

In the PBR policy rule configuration mode, use the following command:
ttl-range min-ttl max-ttl

l min-ttl max-ttl - Specifies the TTL range for the PBR rule. min-ttl specifies the minimum
TTL value, in the range of 1 to 255. max-ttl specifies the maximum TTL value, in the range
of 1 to 255.

In the PBR policy rule configuration mode, use the no ttl-range command to cancel the TTL
configuration.

Viewing PBR Rule Information


To view the specific PBR rule information, in any mode, use the following command:
show pbr-policy [name]

l name - Shows the specified PBR rule information. If no name is specified, the command will
show the details of all the PBR rules.

DNS Redirect
The DNS redirect function redirects DNS requests to a specified DNS server. In this version,
the DNS redirect function is mainly used to redirect video traffic for load balancing. Working
together with policy-based routing, the system can redirect Web video traffic to different
links, improving the user experience.
To enable or disable the DNS redirect function, in the global configuration mode, use the
following command:
appcache dns-redirect {enable | disable}

l enable - Enables the DNS redirect function. After enabling this function, specify the DNS
server address according to the prompts provided by the system. DNS requests will then be
redirected to the specified DNS server.

l disable – Disable the DNS redirect function. It is the default status of the function.

In any mode, use the show dns-redirect command to show the binding status between the DNS
server and the ingress interface that is bound to the PBR policy.



Configuration Example of Web Video Traffic Redirection

The Hillstone device is deployed at the ingress of the Internet. The ethernet0/0 interface
connects to the PC, and the ethernet0/2 and ethernet0/3 interfaces connect to two ISP lines,
ISP A and ISP B. After configuring the DNS redirect settings and the PBR policies, the traffic
that matches the default route will flow out from ethernet0/2, and the traffic that matches the
policy-based route will flow out from ethernet0/3. The topology is shown as below:

The configurations are shown as follows:


Step 1: Configure the interfaces and security zones:

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 192.168.1.1/24

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone dmz

hostname(config-if-eth0/2)# ip address 10.180.41.52/20

hostname(config-if-eth0/2)# exit

hostname(config)# interface ethernet0/3

hostname(config-if-eth0/3)# zone dmz

hostname(config-if-eth0/3)# ip address 172.31.1.240/24

hostname(config-if-eth0/3)# exit

hostname(config)#

Step 2: Configure the policies:

hostname(config)# rule id 1 from any to any service any permit

Step 3: Configure SNAT settings:

hostname(config)# nat

hostname(config-nat)# snatrule from any to any service any trans-to eif-ip mode dynamicport

Step 4: Configure the default routes:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 0.0.0.0/0 10.180.32.1

Step 5: Configure a policy-based route and bind it to the interface:

hostname(config)# pbr-policy test

hostname(config-pbr)# match top any any any YOUKU-DNS nexthop 172.31.1.1

Match id 1 is created.

hostname(config-pbr)# match id 1

hostname(config-pbr-match)# application YOUKU

hostname(config-pbr-match)# application RTMFP

hostname(config-pbr-match)# exit

hostname(config-pbr)# exit

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# bind pbr-policy test

hostname(config-if-eth0/0)# exit

Step 6: Configure ISP routes:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route China-netcom 172.31.1.1

hostname(config-vrouter)# exit

Step 7: Upgrade the APP signature database:

hostname(config)# exec app update professional

Step 8: Enable application identification:

hostname(config)# zone trust

hostname(config-zone-trust)# application-identify

Step 9: Enable DNS redirect and configure the IP address of the DNS server:

hostname(config)# appcache dns-redirect enable

Please specify the IP address for the DNS server

hostname(config)# ip name-server 58.240.57.33

Domain Name Route


The domain name route supports the configuration of a destination domain name and next-hop
address. It establishes and updates the mapping between the destination domain name and IP
addresses through the DNS Snooping active domain name resolution mode or passive domain name
resolution mode, so as to generate routing entries. The system queries the destination IP
address in the routing entries and forwards the data. Meanwhile, domain name routes can be
redistributed to other routers with OSPF enabled.
For how to configure the DNS Snooping active domain name resolution mode or passive domain
name resolution mode, refer to DNS Snooping. For how to redistribute domain name routes, refer
to Configuring Redistribute.

Configuring a Domain Name Route


You can add a domain name route and view the route's information.
Adding a Domain Name Route
You can add a domain name routing entry to a VRouter. However, before adding the entry, you
need to enter the VRouter configuration mode. In the global configuration mode, use the
following command:
ip vrouter vrouter-name

l vrouter-name - Specifies the name of the VRouter.

To add a domain name route, in the VRouter configuration mode, use the following command:
domain route domain-name {A.B.C.D | interface-name [A.B.C.D] | vrouter vrouter-name}
[distance-value] [weight weight-value] [description description] [schedule schedule-name]

l domain-name - Specifies the destination domain name. Only a specific domain name (e.g.,
www.test.com) is supported.

l A.B.C.D | interface-name [A.B.C.D] | vrouter vrouter-name - Specifies the type of next hop,
which can be a gateway address (A.B.C.D), an interface (interface-name) or a VRouter (vrouter
vrouter-name). If the next hop type is interface, you can select a tunnel interface (for a
multi-tunnel interface, you must specify the next hop IP address of the IPsec VPN, GRE or
SCVPN tunnel by the A.B.C.D parameter, and this address must be the same as the next hop IP
address of the corresponding tunnel bound to the tunnel interface), the Null0 interface or a
PPPoE interface.



l distance-value - Specifies the administrative distance of the route. This parameter is used
to determine the precedence of the route: the smaller the value, the higher the precedence. If
multiple routes are available, the route with the higher precedence will be prioritized. The
value range is 1 to 255. The default value is 1. When the value is set to 255, the route is
invalid.

l weight weight-value - Specifies the weight of traffic forwarding in load balancing. The value
range is 1 to 255. The default value is 1.

l description description - Specifies the description of this route. You can enter at most 63
characters.

l schedule schedule-name - Specifies the name of a schedule defined in the system. The
configuration will only take effect during the specified period. Repeat the command to specify
more schedules (up to 8). To avoid possible unknown problems, it is not recommended to use
schedules with overlapping time.

Repeat the above command to add more domain name routes.


To delete the specified domain name route, use the following command:
no domain route domain-name {A.B.C.D | interface-name A.B.C.D | vrouter vrouter-name}
[description description] [schedule schedule-name]
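An added Python model (not StoneOS code) of how the distance and weight parameters above select a next hop once DNS Snooping has resolved the domain: routes with distance 255 are ignored, the lowest distance wins, and equal-distance routes share traffic in proportion to their weights. The weighted round-robin used for load balancing and the in-memory DNS mapping are my assumptions; the hostnames and addresses are constructed sample values:

```python
"""Added model of domain name route selection by distance and weight (not StoneOS code)."""
from collections import Counter
from ipaddress import ip_address

INVALID_DISTANCE = 255   # page: a route whose distance is 255 is invalid


class DomainRouteTable:
    def __init__(self):
        self.routes = {}     # domain -> list of {"nexthop", "distance", "weight"}
        self.resolved = {}   # domain -> set of IPs learned by DNS Snooping (assumed in-memory)
        self._cursor = {}    # per-destination weighted round-robin position (assumption)

    def add(self, domain, nexthop, distance=1, weight=1):
        """domain route domain-name nexthop [distance] [weight weight]"""
        if not (1 <= distance <= 255 and 1 <= weight <= 255):
            raise ValueError("distance and weight must be in 1..255")
        self.routes.setdefault(domain, []).append(
            {"nexthop": nexthop, "distance": distance, "weight": weight})

    def learn(self, domain, ips):
        """Mapping produced by DNS Snooping: the domain currently resolves to these IPs."""
        self.resolved[domain] = {ip_address(ip) for ip in ips}

    def candidates(self, dst_ip):
        """Usable routes for a destination: the lowest-distance valid routes whose
        domain resolves to that address."""
        ip = ip_address(dst_ip)
        best, best_distance = [], INVALID_DISTANCE
        for domain, ips in self.resolved.items():
            if ip not in ips:
                continue
            for r in self.routes.get(domain, []):
                if r["distance"] >= INVALID_DISTANCE:
                    continue                      # distance 255: route is invalid
                if r["distance"] < best_distance:
                    best, best_distance = [r], r["distance"]
                elif r["distance"] == best_distance:
                    best.append(r)
        return best

    def next_hop(self, dst_ip):
        """Pick a next hop; equal-distance routes are spread in proportion to weight."""
        cands = self.candidates(dst_ip)
        if not cands:
            return None                           # no domain route: fall back to normal routing
        cycle = [r["nexthop"] for r in cands for _ in range(r["weight"])]
        i = self._cursor.get(dst_ip, 0)
        self._cursor[dst_ip] = (i + 1) % len(cycle)
        return cycle[i]


def distribution(table, dst_ip, flows):
    """How `flows` successive picks for dst_ip are spread across next hops."""
    return Counter(table.next_hop(dst_ip) for _ in range(flows))
```

Note that a domain route contributes nothing until the domain has actually been resolved; before the first DNS answer is seen, next_hop() returns None and ordinary destination routing applies.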

Viewing Domain Name Routing Information


To view the domain name routing information, in any mode, use the following command:
show domain-route status [vrouter vrouter-name]

l vrouter-name - Specifies the domain name routing information of the specified VRouter.

Dynamic Routing
Dynamic routing refers to routing that is automatically adjusted based on the operation status
of the network. Hillstone devices automatically adjust the dynamic routing table according to
the routing protocol being used. StoneOS supports 4 dynamic routing protocols: RIP, OSPF,
IS-IS and BGP.


Configuring RIP
RIP, the abbreviation for Routing Information Protocol, is an internal gateway routing protocol
that is designed to exchange routing information between routers. At present Hillstone devices
support both RIP versions, i.e., RIP-1 and RIP-2.
RIP configuration includes basic options, redistribute, passive IF, neighbor, network and dis-
tance. Besides, you also need to configure RIP parameters for different interfaces, including RIP
version, split horizon and authentication mode.

Basic Options

The basic options of RIP configuration include version, metric, distance, information originate
and timer (update interval, invalid time, holddown time and flush time). You can configure RIP
protocol for different VRouter respectively. The basic options of RIP must be configured in the
RIP routing configuration mode. To enter the RIP routing configuration mode, in the global con-
figuration mode, use the following commands:
ip vrouter vrouter-name (enters the VRouter configuration mode)
router rip (enters the RIP routing configuration mode, and at the same time enables the RIP func-
tion on the device)
To disable RIP, in the VRouter configuration mode, use the command no router rip.

Specifying a Version

Hillstone devices support RIP-1 and RIP-2. RIP-1 transmits packets by broadcasting, while
RIP-2 transmits packets by multicasting. To specify the RIP version, in the RIP routing
configuration mode, use the following command:
version version-number

l version-number - Specifies the version number which can be 1 (RIP-1) or 2 (RIP-2). The
default version number is 2.

To restore to the default version, in the RIP routing configuration mode, use the command no
version.



Specifying a Metric

RIP measures the distance to the destination network by hops. This distance is known as metric.
The metric from a router to a directly connected network is 1, and increments by 1 for every addi-
tional router between them. The maximum metric is 15, and the network with metric larger than
15 is not reachable. The default metric will take effect when the route is redistributed. To specify
the default metric, in the RIP routing configuration mode, use the following command:
default-metric value

l value - Specifies the default metric value. The value range is 1 to 15. If no value is specified,
the value of 1 will be used.

To restore to the metric value of 1, in the RIP routing configuration mode, use the command no
default-metric.

Specifying a Distance

To specify the default distance for RIP, in the RIP routing configuration mode, use the following
command:
distance distance-value

l distance-value - Specifies the default administration distance value. The value range is 1 to
255. If no value is specified, the value of 120 will be used.

To restore to the distance value of 120, in the RIP routing configuration mode, use the command
no distance.

Configuring the Default Information Originate

You can specify if the default route will be redistributed to other routers with RIP enabled. By
default RIP will not redistribute the default route. To configure the default information originate,
in the RIP routing configuration mode, use the following commands:
Redistribute: default-information originate
Do not redistribute: no default-information originate



Specifying a Timer

The timers you can configure for RIP include update interval, invalid time, holddown time and
flush time, as described below:

l Update interval: Specifies the interval at which all RIP routes will be sent to all the neighbors.
The default value is 30 seconds.

l Invalid time: If a route has not been updated for the invalid time, its metric will be set to 16,
indicating an unreachable route. The default value is 180 seconds.

l Holddown time: If the metric becomes larger (e.g., from 2 to 4) after a route has been
updated, the route will be assigned with a holddown time. During the holddown time, the
route will not accept any update. The default value is 180 seconds.

l Flush time: StoneOS will keep on sending the unreachable routes (metric set to 16) to other
routers during the flush time. If the route still has not been updated after the flush time ends,
it will be deleted from the RIP information database. The default value is 240 seconds.

To modify the above four timers, in the RIP routing configuration mode, use the following com-
mand:
timers basic interval-time invalid-time holddown-time flush-time

l interval-time - Specifies the update interval time. The value range is 0 to 16777215 seconds.
The default value is 30.

l invalid-time - Specifies the invalid time. The value range is 1 to 16777215 seconds. The
default value is 180.

l holddown-time - Specifies the holddown time. The value range is 1 to 16777215 seconds.
The default value is 180.

l flush-time - Specifies the flush time. The value range is 1 to 16777215 seconds. The default
value is 240.



To restore to the default timer value, in the RIP routing configuration mode, use the command no
timers basic.
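An added Python model (not StoneOS code) of the four RIP timers described above: a learned route is marked unreachable (metric 16) when the invalid time expires, keeps being advertised with metric 16 until the flush time expires, and refuses updates while in holddown after its metric got worse. The assumption that both the invalid and flush timers count from the route's last update is mine; the default values are the ones the page gives, and the prefixes and neighbor addresses are constructed:

```python
"""Added model of the RIP route timers (not StoneOS code)."""
UPDATE, INVALID, HOLDDOWN, FLUSH = 30, 180, 180, 240   # StoneOS defaults from the page, seconds
UNREACHABLE = 16                                       # RIP "infinity" metric


class RipRoute:
    def __init__(self, prefix, nexthop, metric, now):
        self.prefix, self.nexthop, self.metric = prefix, nexthop, metric
        self.last_update = now        # invalid and flush timers count from here (assumption)
        self.holddown_until = None


class RipTable:
    def __init__(self, invalid=INVALID, holddown=HOLDDOWN, flush=FLUSH):
        self.invalid, self.holddown, self.flush = invalid, holddown, flush
        self.routes = {}              # prefix -> RipRoute

    def receive(self, prefix, nexthop, metric, now):
        """Process one received route entry and return what happened."""
        r = self.routes.get(prefix)
        if r is None:
            if metric >= UNREACHABLE:
                return "ignored-unreachable"
            self.routes[prefix] = RipRoute(prefix, nexthop, metric, now)
            return "learned"
        if r.holddown_until is not None and now < r.holddown_until:
            return "ignored-holddown"         # page: no update is accepted during holddown
        r.holddown_until = None
        r.last_update = now
        if metric >= UNREACHABLE:
            r.metric = UNREACHABLE            # neighbor withdrew the route
            return "unreachable"
        if metric > r.metric:
            r.metric, r.nexthop = metric, nexthop
            r.holddown_until = now + self.holddown   # metric got worse (e.g. 2 -> 4)
            return "holddown"
        r.metric, r.nexthop = metric, nexthop
        return "updated"

    def tick(self, now):
        """Run the invalid and flush timers; returns (prefix, event) pairs."""
        events = []
        for prefix, r in list(self.routes.items()):
            age = now - r.last_update
            if age >= self.flush:
                del self.routes[prefix]       # flush time over: dropped from the database
                events.append((prefix, "flushed"))
            elif age >= self.invalid and r.metric != UNREACHABLE:
                r.metric = UNREACHABLE        # invalid time over: poisoned, still advertised
                events.append((prefix, "invalid"))
        return events

    def metric(self, prefix):
        r = self.routes.get(prefix)
        return r.metric if r else None

    def advertise(self, now):
        """Entries sent at an update interval; unreachable routes are still advertised
        with metric 16 until they are flushed."""
        self.tick(now)
        return sorted((p, r.metric) for p, r in self.routes.items())
```

With the defaults, a route that stops being refreshed is poisoned at 180 s and removed at 240 s after its last update, which is the window in which neighbors still hear it with metric 16.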

Configuring Redistribute

RIP allows you to introduce information from other routing protocols (BGP, connected, static,
OSPF and IS-IS) and redistribute the information. To configure the redistribute metric, in the
RIP routing configuration mode, use the following command:
redistribute {bgp | connected | static | ospf | isis} [metric value]

l bgp | connected | static | ospf | isis - Specifies the protocol type, which can be bgp,
connected, static, ospf or isis.

l metric value- Specifies a metric value for the redistribute. The value range is 1 to 15. If the
value is not specified, the system will use the default RIP metric configured by the command
default-metric value.

Repeat the above command to redistribute different types of protocols.


To cancel the redistribution of the specified protocol, in the RIP routing configuration mode,
use the command no redistribute {bgp | connected | static | ospf | isis}.

Configuring a Passive IF

You can configure some interfaces to only receive but not send data. Such an interface is
known as a passive interface. To configure a passive interface, in the RIP routing configuration
mode, use the following command:
passive-interface interface-name

l interface-name - Specifies the interface as a passive interface.

Repeat the above command to configure multiple passive interfaces.


To cancel the specified passive interface, in the RIP routing configuration mode, use the com-
mand no passive-interface interface-name.



Configuring a Neighbor

You can specify some neighbors to allow P2P (non-broadcasting) RIP information exchanges
between the neighbors and Hillstone devices. To configure a neighbor, in the RIP routing con-
figuration mode, use the following command:
neighbor ip-address

l ip-address - Specifies the IP address of the neighbor.

Repeat the above command to configure more neighbors.


To delete the specified neighbor, in the RIP routing configuration mode, use the command no
neighbor ip-address.

Configuring a Network

You can configure some networks so that only the interfaces within the specified networks can
receive and send RIP update. To configure a network, in the RIP routing configuration mode, use
the following command:
network ip-address/netmask

l ip-address/netmask - Specifies the IP address of the network, for example, 10.200.0.0/16.

Repeat the above command to configure more networks.


To delete the specified network, in the RIP routing configuration mode, use the command no
network ip-address/netmask.

Configuring a Distance

You can specify an administration distance for the routes that are obtained from the specified net-
works. To configure a distance, in the RIP routing configuration mode, use the following com-
mand:
distance distance-value ip-address/netmask


l distance-value - Specifies the administration distance value. The value range is 1 to 255. The
priority of this distance is higher than that of the default distance configured in the basic RIP
options specified by the command

l ip-address/netmask - Specifies the IP address of the network, for example, 10.200.0.0/16.

Repeat the above command to configure a distance for the routes that are obtained from different
networks.
To delete the specified distance, in the RIP routing configuration mode, use the command no
distance ip-address/netmask.

RIP Database

When a Hillstone device is running RIP, it will own a RIP route database which can store all rout-
ing entries for all the reachable networks. The routing entry information includes destination
address, next hop, metric, source, and timer information. To view the RIP database information,
in any mode, use the following command:
show ip rip database [A.B.C.D/M] [vrouter vrouter-name]

l A.B.C.D/M - Shows the RIP information of the specified destination IP address.

l vrouter vrouter-name- Shows the RIP information of the specified VRouter. At present
StoneOS only supports VRouter named trust-vr.

Configuring RIP for Interfaces

The RIP configuration for the interfaces of Hillstone devices includes: authentication mode, trans-
mit and receive version, and split horizon. The RIP configuration for the interfaces must be done
in the interface configuration mode.

Configuring an Authentication Mode

Only RIP-2 supports authentication of RIP packets. The packet authentication mode can be plain
text or MD5. Plain text authentication, in which the unencrypted string is transmitted together
with the RIP packet, cannot assure security, so it cannot be applied to scenarios that require
high security. The default mode is plain text authentication. To configure the authentication
mode and authentication string for RIP packets, in the interface configuration mode, use the
following commands:

l Authentication mode: ip rip authentication mode {md5 | text}

l Authentication string: ip rip authentication string string

To cancel the specified authentication mode and authentication string, in the interface con-
figuration mode, use the following commands:

l no ip rip authentication mode

l no ip rip authentication string
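The difference between the two authentication modes, as an added Python illustration (not StoneOS code, and not the exact RFC 2082 wire format): in plain text mode the authentication string itself travels in the packet, so anyone who can observe the link learns it, while keyed MD5 sends only a digest that the receiver recomputes with its own copy of the key, so a modified packet, a replayed packet or a wrong key is rejected and the key never appears on the wire. The packet layout, the digest construction and the sequence-number replay check are simplified assumptions of mine; the route entry is a constructed sample:

```python
"""Added illustration of plain text vs keyed-MD5 RIP-2 authentication (simplified, not RFC 2082)."""
import hashlib
import hmac
import struct


def ip4(dotted):
    return bytes(int(x) for x in dotted.split("."))


def rip_response(entries):
    """Minimal RIP-2 response: 4-byte header (command 2 = response, version 2) followed by
    20-byte route entries (AFI 2, route tag 0, prefix, mask, next hop, metric)."""
    packet = struct.pack("!BBH", 2, 2, 0)
    for prefix, mask, nexthop, metric in entries:
        packet += struct.pack("!HH4s4s4sI", 2, 0, ip4(prefix), ip4(mask), ip4(nexthop), metric)
    return packet


def auth_text(packet, password):
    """Plain text mode: a 16-byte password field is sent in the clear ahead of the routes."""
    return password[:16].ljust(16, b"\0") + packet


def verify_text(wire, password):
    return hmac.compare_digest(wire[:16], password[:16].ljust(16, b"\0"))


def auth_md5(packet, key, seq):
    """Keyed MD5 (assumed construction: digest over seq || packet || key; the key is not sent)."""
    seq_bytes = struct.pack("!I", seq)
    digest = hashlib.md5(seq_bytes + packet + key).digest()
    return seq_bytes + packet + digest


def verify_md5(wire, key, last_seq):
    """Recompute the digest with the local key; reject replays by sequence number."""
    if len(wire) < 4 + 16:
        return False
    seq_bytes, packet, digest = wire[:4], wire[4:-16], wire[-16:]
    if struct.unpack("!I", seq_bytes)[0] <= last_seq:
        return False                                   # old sequence number: replay
    expected = hashlib.md5(seq_bytes + packet + key).digest()
    return hmac.compare_digest(expected, digest)       # constant-time comparison


def secret_on_wire(wire, secret):
    """What a passive observer of the link learns: does the secret appear verbatim?"""
    return secret in wire
```

Both modes only authenticate the packet; neither encrypts the routes it carries, which is why the page restricts plain text mode to low-security scenarios rather than presenting either mode as confidentiality.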

Specifying RIP Version

By default RIP-2 information will be transmitted. To specify the RIP version number that will be
transmitted, in the interface configuration mode, use the following command:
ip rip send version [1] [2]

l 1 - Only RIP-1 information will be transmitted.

l 2 - Only RIP-2 information will be transmitted.

To restore to the default version number, in the interface configuration mode, use the command
no ip rip send version.
By default RIP-2 information will be received. To specify the RIP version number that will be
received, in the interface configuration mode, use the following command:
ip rip receive version [1] [2]

l 1 - Only RIP-1 information will be received.

l 2 - Only RIP-2 information will be received.

To restore to the default version number, in the interface configuration mode, use the command
no ip rip receive version.



Configuring Split Horizon

In split horizon, routes learned from an interface will not be sent from the same interface, in order
to avoid routing loop and assure correct broadcasting to some extent. To enable or disable split
horizon, in the interface configuration mode, use the following commands:
Enable: ip rip split-horizon
Disable: no ip rip split-horizon

Viewing System RIP Information

To view the RIP information of the system, in any mode, use the following command:
show ip rip

To view the RIP route information, in any mode, use the following command:
show ip route rip [vrouter vrouter-name]

l vrouter-name - Shows the RIP route information of the specified VRouter.

Configuring OSPF
OSPF, the abbreviation for Open Shortest Path First, is an internal gateway protocol based on link
state developed by IETF. The current version of OSPF is version 2 (RFC2328). OSPF is applicable
to networks of any size. Its quick convergence feature sends update messages immediately after
the network topology has changed, and its algorithm assures that it will not generate routing
loops. OSPF also has the following characteristics:

l Area division: divides the network of autonomous system into areas to facilitate management,
thereby reducing the protocol’s CPU and memory utilization, and improving performance.

l Classless routing: allows the use of variable length subnet mask.

l ECMP: improves the utilization of multiple routes.

l Multicasting: reduces the impact on non-OSPF devices.

l Verification: interface-based packet verification ensures the security of the routing calculation.



Tip: An autonomous system is a router and network group under the control of one
management institution. All routers within an autonomous system must run the
same routing protocol.

Configuring OSPF Protocol

You can configure OSPF protocol for different VRouters respectively. The configuration of
OSPF protocol includes:

l Configuring a Router ID

l Configuring area authentication

l Configuring route aggregation for an area

l Configuring the default cost for an area

l Configuring the virtual link for an area

l Specify the ID and password for MD5 authentication.

l Configuring the default cost for sending OSPF packets

l Configuring a default metric

l Configuring the default information originate

l Configuring the default distance

l Configuring an OSPF timer

l Specifying the network that runs OSPF protocol

l Configuring redistribute



l Configuring a distance

l Configuring a Passive IF

The basic options of OSPF protocol must be configured in the OSPF routing mode. To enter the
OSPF routing mode, in the global configuration mode, use the following commands:
ip vrouter vrouter-name (enters the VRouter configuration mode)
router ospf [process-id] (enters the OSPF routing mode, and at the same time enables OSPF on
the device)

l process-id - Specifies the OSPF process ID. The default value is 1. The value ranges from 1
to 65535. Each OSPF process is independent and has its own link state database and related
OSPF routing table. Each VRouter supports up to 4 OSPF processes, and multiple OSPF
processes maintain one routing table together.

When specifying the OSPF process ID, note the following matters:

l When running multiple OSPF processes in a VRouter, the network advertised in interfaces in
each OSPF process cannot be same.

l When route entries with the same prefix exist in multiple OSPF processes, the system will
compare the administrative distance of each route entry and the route entry with the lower
administrative distance will be added to the VRouter’s routing table. If their AD is the
same, the route entry that was first discovered will be added to the routing table.

l If the OSPF route entries are redistributed to other routing protocols, the routing information
of process 1 will be redistributed by default. If this process does not exist, the routing inform-
ation of OSPF will not be redistributed.

To disable OSPF, in the VRouter configuration mode, use the command no router ospf
[process-id].



Configuring a Router ID

Each router running OSPF protocol must be labeled with a Router ID. The Router ID is the
unique identifier of an individual router in the whole OSPF domain, represented in the form of an
IP address. To configure a Router ID for the Hillstone device that is running OSPF protocol, in
the OSPF routing mode, use the following command:
router-id A.B.C.D [local]

l A.B.C.D - Specifies the Router ID used by OSPF protocol, in form of an IP address.

l local - Specifies the Router ID as a local configuration. This kind of configuration is applic-
able to HA A/A mode, and is not synchronized to HA configuration. By default the router ID
is not a local configuration.

Configuring Area Authentication

By default, there is no area authentication. To configure an area authentication mode, in the OSPF
routing mode, use the following command:
area {id | A.B.C.D} authentication [message-digest]

l id | A.B.C.D - Specifies an area ID, in form of a 32-bit digital number, or an IP address.

l [message-digest] - Specifies the MD5 authentication. If the keyword is not specified, then the
system will use the plain text authentication.

The authentication mode specified by the above command must be the same as that of the other
routers within the area; the authentication password for routers that communicate over OSPF in
the same network must be the same.
To cancel the specified area authentication mode, in the OSPF routing mode, use the command
no area {id | A.B.C.D} authentication.

Specifying the Network Type for an Interface

In OSPF, the network type of an interface has the following options: broadcast, point-to-point
and point-to-multipoint. By default, the network type of an interface is broadcast. To configure
the network type of an interface, in the interface configuration mode, use the following command:
ip ospf network {point-to-point | point-to-multipoint}

l point-to-point - Specifies the network type of the interface as point-to-point.

l point-to-multipoint - Specifies the network type of the interface as point-to-multipoint.

To set the network type back to the default broadcast type, use the following command:
no ip ospf network

Configuring Route Aggregation for an Area

Route aggregation refers to aggregating the routing information with the same prefix together
through ABR, and then only advertising one route to other areas. You can configure multiple
aggregation segments in one area, so that OSPF can aggregate multiple segments. By default, the
route aggregation function is disabled. To configure route aggregation for an area, in the OSPF
routing mode, use the following command:
area {id | A.B.C.D} range {A.B.C.D/M} [advertise | not-advertise]

l id | A.B.C.D- Specifies an area ID that will perform the route aggregation, in form of a 32-bit
digital number, or an IP address.

l range {A.B.C.D/M} - Specifies the network segment that will be aggregated.

l advertise - Specifies to aggregate the routes of the segment and advertise the aggregated
route.

l not-advertise - Specifies to aggregate the routes of the segment, but not advertise the
aggregated route.

The route aggregation function is only applicable to an area border router (also known as ABR, the
router that connects the backbone area and non-backbone area).
To cancel the route aggregation, in the OSPF routing mode, use the command no area {id |
A.B.C.D} range {A.B.C.D/M} [advertise | not-advertise].



Configuring the Default Cost for an Area

The default cost of an area refers to the default routing cost for sending a packet to the stub area.
To configure default cost for an area, in the OSPF routing mode, use the following command:
area {id | A.B.C.D} default-cost cost-value

l id | A.B.C.D - Specifies an area ID the default cost will be applied to, in form of a 32-bit
digital number, or an IP address.

l cost-value - Specifies a cost value. The value range is 0 to 16777214. If no value is specified,
the system will use the value of 1.

To restore to the cost value of 1, in the OSPF routing mode, use the command no area {id |
A.B.C.D} default-cost.

Notes: This command is only applicable to NSSA.

Configuring the Virtual Link for an Area

Virtual link is used to connect the discontinuous backbone areas, so that they can maintain logical
continuity. To configure virtual link parameters and its timer parameters, in the OSPF routing
mode, use the following command:
area {id | A.B.C.D} virtual-link A.B.C.D [hello-interval interval-value] [retransmit-interval
interval-value] [transmit-delay interval-value] [dead-interval interval-value]

l id | A.B.C.D - Specifies an area ID that requires virtual link, in form of a 32-bit digital num-
ber, or an IP address.

l virtual-link A.B.C.D - Specifies the Router ID that is used as a virtual link router.

l hello-interval interval-value - Specifies the interval for sending the Hello packets. The value
range is 1 to 65535 seconds. The default value is 10.

l retransmit-interval interval-value - After sending an LSA packet to its neighbor, a router will
wait for the acknowledgement from the peer. If no ACK packet is received after the specified
interval, the router will retransmit this LSA packet to the neighbor. The parameter is used to
specify the retransmit interval. The value range is 3 to 65535 seconds. The default value is 5.

l transmit-delay interval-value - Specifies the transmit delay time of the update packets. The
value range is 1 to 65535 seconds. The default value is 1.

l dead-interval interval-value - If a router has not received the Hello packet from its peer for a
certain period, it will determine the peering router is dead. This period is known as the dead
interval between the two adjacent routers. This parameter is used to specify the value of dead
interval. The value range is 1 to 65535 seconds. The default value is 40.

To restore to the default timer values, in the OSPF routing mode, use the command no area {id |
A.B.C.D} virtual-link A.B.C.D [hello-interval] [retransmit-interval] [transmit-delay]
[dead-interval].
To configure the authentication mode of the virtual link, in the OSPF routing mode, use the fol-
lowing command:
area {id | A.B.C.D} virtual-link A.B.C.D authentication [message-digest] [authentication-key
string] [message-digest-key ID md5 string] [null]

l id | A.B.C.D - Specifies an area ID that requires virtual link, in form of a 32-bit digital num-
ber, or an IP address.

l virtual-link A.B.C.D - Specifies the Router ID that is used as a virtual link router.

l authentication-key string - Specifies the password for the plain text authentication.

l message-digest-key ID md5 string - Specifies to use MD5 authentication.

l null - No authentication.

To cancel the authentication mode, in the OSPF routing mode, use the command no area {id |
A.B.C.D} virtual-link A.B.C.D authentication [message-digest] [authentication-key string]
[message-digest-key ID].



Configuring a Stub Area

The stub area refers to the area that does not send or receive Type-5 LSAs (AS-external-LSAs).
For a network that generates a large amount of Type-5 LSAs, this approach can effectively reduce
the router LSDB size within the stub area, and the resource occupation arising from SPF cal-
culation on the router. The stub area is usually located at the border of the autonomous system. To
configure the stub area of OSPF, in the OSPF routing mode, use the following command:
area {id | A.B.C.D} stub [no-summary]

l id | A.B.C.D - Specifies an ID for the stub area, in form of a 32-bit digital number, or an IP
address.

l no-summary - Stops ABR from sending Type 3 or Type 4 Summary LSA to the stub area.

To cancel the specified stub area, in the OSPF routing mode, use the command no area {id |
A.B.C.D} stub [no-summary].

Configuring a NSSA Area

A stub area cannot redistribute routes. You can configure the area as an NSSA area to allow
route redistribution while keeping the other stub area characteristics. To configure the NSSA area of
OSPF, in the OSPF routing mode, use the following command:
area {id | A.B.C.D} nssa [no-summary | no-redistribution | default-information-originate]

l id | A.B.C.D - Specifies an ID for the NSSA area, in form of a 32-bit digital number, or an IP
address.

l no-summary | no-redistribution | default-information-originate - no-summary allows an area
to be a not-so-stubby area but not have summary routes injected into it. no-redistribution is
used when the router is an NSSA ABR and you want the redistribute command to import
routes only into the normal areas, but not into the NSSA area. default-information-originate is
used to generate a Type 7 default into the NSSA area. This keyword only takes effect on an
NSSA ABR or an NSSA ASBR.



To cancel the specified NSSA area settings, in the OSPF routing mode, use the command no area
{id | A.B.C.D} nssa [no-summary | no-redistribution | default-information-originate].

Configuring the Reference Bandwidth for OSPF

OSPF can calculate the cost of sending OSPF packets for an interface based on the interface band-
width. To configure reference bandwidth, in the OSPF routing mode, use the following com-
mand:
auto-cost reference-bandwidth bandwidth

l bandwidth - Specifies the bandwidth value. The value range is 1 to 4294967 Mbps. The
default value is 100.

To calculate the cost of sending OSPF packets for an interface based on the interface type, in the
OSPF routing mode, use the command no auto-cost reference-bandwidth.

Configuring the Default Metric

The default metric configured here will take effect when redistributing. To specify the default
metric for OSPF, in the OSPF routing configuration mode, use the following command:
default-metric value

l value - Specifies the default metric value. The value range is 1 to 16777214.

To restore to the original metric value, in the OSPF routing configuration mode, use the com-
mand no default-metric.

Configuring the Default Information Originate

You can specify if the default route will be redistributed to other routers with OSPF enabled. By
default OSPF will not redistribute the default route. To configure the default information ori-
ginate, in the OSPF routing configuration mode, use the following command:
default-information originate [always] [type {1|2}] [metric value]



l always - OSPF unconditionally generates and redistributes the default route.

l type {1|2} - Specifies the type of the external route associated with the default route that is
sent to OSPF routing area. 1 refers to type1 external route, 2 refers to type2 external route.

l metric value - Specifies the metric value for the default route that will be sent. If no default
metric value is specified by this command or by the command default-metric value, then
OSPF will use the value of 20. The value range is 0 to 16777214.

To restore to the value of 20, in the OSPF routing configuration mode, use the command no
default-information originate.

Configuring the Default Distance

To configure the default distance for OSPF route, in the OSPF routing configuration mode, use
the following command:
distance distance-value

l distance-value - Specifies the default administration distance value. The value range is 1 to
255. If no value is specified, OSPF will use the value of 110.

To restore to the value of 110, in the OSPF routing configuration mode, use the command no dis-
tance.

Configuring a Timer for OSPF

You can specify the following two OSPF protocol timers: how long OSPF will re-calculate the
path after receiving an update, and the interval between the two OSPF calculations. To configure
an OSPF timer, in the OSPF routing configuration mode, use the following command:
timers spf delay1 delay2

l delay1 - After receiving the update, OSPF will re-calculate the path within the specified
period. The value range is 0 to 65535 seconds. The default value is 5.

l delay2 - Specifies the interval between the two calculations. The value range is 0 to 65535
seconds. The default value is 10.



To restore to the value of 5 or 10, in the OSPF routing configuration mode, use the command no
timers spf.

Specifying an OSPF Network Interface

To specify the network interface that enables OSPF and add the network to the specified area, in
the OSPF routing configuration mode, use the following command:
network A.B.C.D/M area {id | A.B.C.D}

l A.B.C.D/M - Specifies the network interface that enables OSPF protocol.

l area {id | A.B.C.D} - Specifies the area ID the network will be added to, in form of a 32-bit
digital number, or an IP address.

To cancel the specified network interface, in the OSPF routing configuration mode, use the com-
mand no network A.B.C.D/M area {id | A.B.C.D}.

Configuring Redistribute

OSPF allows you to introduce information from other OSPF processes and routing protocols
(BGP, IS-IS, connected, static, RIP, VPN and Domain Name routing) and redistribute the inform-
ation. You can set the metric and type of the external route for the redistribute, or filter the rout-
ing information based on a route map and only distribute specific routing information. To
configure the redistribute metric, in the OSPF routing configuration mode, use the following com-
mand:
redistribute {bgp | connected | isis | ospf process-id | static | rip | vpn | domain} [type {1
| 2}] [metric value] [route-map name] [tag tag-value]

l bgp | connected | isis | ospf process-id | static | rip | vpn | domain - Specifies the protocol
type, which can be bgp, connected, isis, ospf, static, rip, vpn or domain (domain name routing).
When introducing information from another OSPF process, specify the process ID.

l type {1|2} - Specifies the type of the external route. 1 refers to type1 external route, 2
refers type2 external route.



l metric value - Specifies a metric value for the redistribute. The value range is 0 to 16777214.
If the value is not specified, the system will use the default OSPF metric configured by the
command default-metric value.

l route-map name - Specifies the route map that is used to filter the routing information intro-
duced from other routing protocols. For more information about route map, see Configuring a
Route Map.

l tag tag-value – Specifies the tag values of the redistributed route. The value range is 1 to
4294967295.

Repeat the above command to redistribute a different type of routes.


To cancel the redistribution of the specified route type, in the OSPF routing configuration mode, use the
command no redistribute {bgp | connected | isis | ospf process-id | static | rip | vpn
| domain}.

Configuring a Route Map

By default the system will introduce all the routing information. You can filter the routing inform-
ation introduced from other routing protocols by referencing a route map. The route map mainly
consists of two parts: matching rules and actions (permit or deny) for the matched routing inform-
ation. If introduced routing information hits any matching rule, the system will take the con-
figured action, i.e., permit or deny the introduced routing information.

Notes:
l If the action is set to Permit, the system will only permit the matched routing
information and deny all the unmatched routing information.

l If the action is set to Deny, the system will deny the matched routing inform-
ation, but still permit all the unmatched routing information.

To configure a route map and filter the introduced routing information, take the following steps:



1. Create a route map and add matching rules to the route map. Matching rules are dif-
ferentiated by IDs. The smaller the ID is, the higher the matching priority will be. By
default if the routing information hits any matching rule, the system will not continue to
match the subsequent rules; if no matching rule is hit, the system will take the Deny action.

2. Add matching conditions to the matching rules. The matching condition can be the metric,
destination address, next-hop IP address or next-hop interface of the introduced routing
information. One matching rule may contain multiple matching conditions, and the relation
between these conditions is AND, i.e., in order to hit a matching rule, the routing inform-
ation must satisfy all the matching conditions in the rule.

3. If the matching condition is the destination address or next-hop IP address, also configure a
route access-list that will be referenced. For more information about route access-list, see
Configuring a Route Access-list.

4. If needed, require the system to continue to match another rule after the routing inform-
ation hits a matching rule.

5. If needed, modify some attributes of the introduced routing information before redis-
tribution.

To create a route map and add a matching rule to the route map, in the global configuration mode,
use the following command:
route-map name {deny | permit} sequence

l route-map name - Specifies the name of the route map, and enters the route map con-
figuration mode. The value range is 1 to 31 characters. If the name already exists in the sys-
tem, you will directly enter the route map configuration mode.

l deny | permit - Specifies the action for the matched routing information.

l sequence - Specifies the sequence number for the matching rule in the route map. The value
range is 1 to 65535.



To delete the specified route map, in the global configuration mode, use the following command:
no route-map name [sequence]

l sequence - Only deletes the specified matching rule from the route map.

To add a matching condition to the matching rule, in the route map configuration mode, use the
following command:
match {as-path access-list-number | community {community-list-name | community-list-number}
[exact-match] | metric metric-value | interface interface-name | ip address access-list |
ip next-hop access-list | tag tag-value}

l as-path access-list-number - Matches the AS path of the introduced routing information.
access-list-number is the number of the AS-path access list configured by yourself. If the AS
path of the route matches the AS path that is permitted in this AS-path access list, the system
concludes that the matching is successful. For more information about configuring an AS-path
access list, see Configuring an AS-path Access List.

l community {community-list-name | community-list-number} [exact-match] - Matches the
communities path attributes of the introduced routing information. community-list-name is
the name of the community list. community-list-number is the number of the community list.
exact-match indicates that the system will execute the exact matching. For more information
about configuring community list, see Configuring BGP Communities.

l metric metric-value - Specifies to match the metric of the introduced routing information.
The value range is 0 to 4294967295.

l interface interface-name - Specifies to match the next-hop interface of the introduced routing
information.

l ip address access-list - Specifies to match the destination address of the introduced routing
information. access-list is the route access-list configured in the system. If the destination
address of the routing information is the permitted address in the route access-list, the system
will conclude the matching succeeds. For more information about route access-list, see Con-
figuring a Route Access-list.

l ip next-hop access-list - Specifies to match the next-hop IP address of the introduced routing
information. access-list is the route access-list configured in the system. If the next-hop IP
address of the routing information is the permitted address in the route access-list, the system
will conclude the matching succeeds. For more information about route access-list, see Con-
figuring a Route Access-list.

l tag tag-value – Matches the route tag value of OSPF protocol. If the configured tag value of
the route here matches the tag value in the static route, the match is considered successful.
The value range is 1 to 4294967295.

Repeat the above command to add more matching conditions to the matching rule. To delete the
specified matching condition from the matching rule, in the route map configuration mode, use
the following command:
no match {metric | interface | ip address | ip next-hop}

Notes: If you only created a route map but did not add any matching rule, by default
the system will conclude all the introduced routing information is matched.

For example, the following commands will only allow OSPF to redistribute the routing inform-
ation from BGP with the next-hop interface set to eth0/1 and metric set to 50:

hostname(config)# route-map test permit 10
hostname(config-route-map)# match interface ethernet0/1
hostname(config-route-map)# match metric 50
hostname(config-route-map)# exit
hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# router ospf
hostname(config-router)# redistribute bgp route-map test
hostname(config-router)# end



Continuing to Match Another Matching Rule

By default if the introduced routing information hits any matching rule, the system will not con-
tinue to match any other matching rules. For fine-grained control, you can require the system to
continue to match another matching rule even after hitting a matching rule. To continue to match
another matching rule, in the route map configuration mode, use the following command:
continue [sequence]

l sequence - Specifies the sequence number for the matching rule that will be continued. The
value range is 1 to 65535. This sequence number must be larger than the sequence number of
the current matching rule. If this parameter is not specified, the system will continue to match
the next rule after hitting the current rule.

To cancel the above configuration, in the route map configuration mode, use the following com-
mand:
no continue

For example, the following commands will also only allow OSPF to redistribute the routing
information from BGP with the next-hop interface set to eth0/1 and metric set to 50:

hostname(config)# route-map test permit 10
hostname(config-route-map)# match interface ethernet0/1
hostname(config-route-map)# continue 20
hostname(config-route-map)# exit
hostname(config)# route-map test permit 20
hostname(config-route-map)# match metric 50
hostname(config-route-map)# exit
hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# router ospf
hostname(config-router)# redistribute bgp route-map test
hostname(config-router)# end



Modifying Attributes of Introduced Routing Information

For the introduced routing information, you can modify partial attributes before redistribution. To
modify the attribute of the introduced routing information, in the route map configuration mode,
use the following command:
set {metric metric-value | metric-type {type-1 | type-2} | tag tag-value}

l metric metric-value - Specifies the metric of the introduced routing information. The value
range is 0 to 4294967295.

l metric-type {type-1 | type-2} - Specifies the metric type of the external route. type-1 indic-
ates type1 external route metric, and type-2 indicates type2 external route metric.

l tag tag-value – Specifies the tag value of OSPF protocol’s redistributed route. The value
range is 1 to 4294967295.

To cancel the modification and restore to the metric setting when the routing information was
introduced, in the route map configuration mode, use the following command:
no set {metric | metric-type | tag}

Configuring a Route Access-list

The destination address and next-hop IP address in the matching conditions are matched by route
access-list. A route access-list mainly consists of two parts: IP address matching rules and actions
(Permit or Deny) for the matched IP addresses. If the destination address or next-hop IP address
matches the IP address defined in the route access-list, the system will take the specified action.
One route access-list may contain multiple IP address matching rules. The system will match
these rules in the sequence of rule creation time, and will stop matching if any rule is hit; if no
rule is hit, the system will take the action of Deny.
To configure a route access-list, in the global configuration mode, use the following command:
access-list route name {deny | permit} {A.B.C.D/M [exact-match] | any}

l name - Specifies the name of the route access-list. The value range is 1 to 31 characters.

l deny | permit - Specifies the action for the matched IP address.



l A.B.C.D/M - Specifies the IP address or IP prefix (excluding the netmask) to be matched.

l exact-match - Specifies to match the exact IP prefix (including the netmask).

l any - Specifies to match any IP address.

To delete the specified route access-list, in the global configuration mode, use the following com-
mand:
no access-list route name [{deny | permit} {A.B.C.D/M [exact-match] | any}]

If any IP address matching rule is specified, the command will only delete the rule from the route
access-list, but will not delete the route access-list.
To add description to the route access-list, in the global configuration mode, use the following
command:
access-list route name description description

l name - Specifies the name of the route access-list. The value range is 1 to 31 characters.

l description - Specifies the description of the route access-list. The value range is 1 to 31 char-
acters.

To delete the description, in the global configuration mode, use the following command:
no access-list route name description

For example, the following commands will prevent OSPF from redistributing the routing information
from BGP whose next-hop IP address is 192.168.1.1 or any IP address in the 192.168.2.0 seg-
ment:

hostname(config)# route-map test deny 10
hostname(config-route-map)# match ip next-hop access_list
hostname(config-route-map)# exit
hostname(config)# access-list route access_list permit 192.168.1.1/32
hostname(config)# access-list route access_list permit 192.168.2.0/24
hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# router ospf
hostname(config-router)# redistribute bgp route-map test
hostname(config-router)# end
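The route-map, continue, set and route access-list behaviour described in this section, as an added Python model that is not StoneOS code: it assumes a route is a plain record, that conditions inside one rule are ANDed and rules are tried in ascending sequence, and that an access-list is tried in creation order with no hit meaning deny. The outcome when no route-map rule hits is left as the no_hit_permit parameter, because step 1 above says deny while the Notes say a deny rule still permits unmatched routes; confirm which applies on your device before relying on a deny-only route map.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Optional


@dataclass
class Route:                   # constructed sample record, not device output
    dest: str                  # destination prefix, e.g. "10.1.0.0/16"
    next_hop: str              # next-hop IP address, e.g. "192.168.1.1"
    interface: str             # next-hop interface, e.g. "ethernet0/1"
    metric: int
    tag: int = 0


@dataclass
class AclRule:
    """One 'access-list route NAME {deny | permit} {A.B.C.D/M [exact-match] | any}' line."""
    action: str                    # "permit" or "deny"
    prefix: Optional[str] = None   # None stands for the keyword 'any'
    exact_match: bool = False


def acl_permits(rules, address):
    """Route access-list lookup: creation order, first hit stops, no hit = deny."""
    target = ip_network(address, strict=False)
    for rule in rules:
        if rule.prefix is None:                       # 'any'
            hit = True
        else:
            net = ip_network(rule.prefix, strict=False)
            # Without exact-match the netmask is ignored, so anything inside the rule's
            # network hits; with exact-match the prefix length must be identical too.
            hit = target == net if rule.exact_match else target.subnet_of(net)
        if hit:
            return rule.action == "permit"
    return False


@dataclass
class MapRule:
    """One 'route-map NAME {deny | permit} SEQ' clause with its match/set/continue lines."""
    seq: int
    action: str
    match: dict = field(default_factory=dict)   # interface, metric, tag, ip address, ip next-hop
    sets: dict = field(default_factory=dict)    # metric, metric-type, tag
    continue_seq: Optional[int] = None          # 0 models 'continue' without a sequence number


def rule_hits(rule, route, acls):
    """Conditions inside one rule are ANDed; a rule with no conditions matches everything."""
    checks = {
        "interface": lambda v: route.interface == v,
        "metric": lambda v: route.metric == v,
        "tag": lambda v: route.tag == v,
        "ip address": lambda v: acl_permits(acls[v], route.dest),
        "ip next-hop": lambda v: acl_permits(acls[v], route.next_hop),
    }
    return all(checks[key](value) for key, value in rule.match.items())


def apply_route_map(rules, acls, route, no_hit_permit=False):
    """Return (permitted, attrs); attrs holds metric/tag after any 'set' of a hit permit rule.
    The first hit decides unless it carries 'continue', in which case matching resumes at the
    continued rule and the outcome is taken from there; no hit at all yields no_hit_permit."""
    ordered = sorted(rules, key=lambda r: r.seq)
    attrs = {"metric": route.metric, "tag": route.tag}
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        if not rule_hits(rule, route, acls):
            i += 1
            continue
        permitted = rule.action == "permit"
        if permitted:
            attrs.update(rule.sets)
        if rule.continue_seq is None:
            return permitted, attrs
        if rule.continue_seq == 0:
            i += 1                                    # plain 'continue': next rule
        else:                                         # 'continue SEQ': jump to that rule
            i = next((n for n, r in enumerate(ordered) if r.seq >= rule.continue_seq), len(ordered))
    return no_hit_permit, attrs


def page_examples():
    """The three CLI examples of this section, expressed in the model."""
    acls = {"access_list": [AclRule("permit", "192.168.1.1/32"),
                            AclRule("permit", "192.168.2.0/24")]}
    maps = {
        # route-map test permit 10 / match interface ethernet0/1 / match metric 50
        "single": [MapRule(10, "permit", {"interface": "ethernet0/1", "metric": 50})],
        # route-map test permit 10 / match interface ethernet0/1 / continue 20
        # route-map test permit 20 / match metric 50
        "chained": [MapRule(10, "permit", {"interface": "ethernet0/1"}, continue_seq=20),
                    MapRule(20, "permit", {"metric": 50})],
        # route-map test deny 10 / match ip next-hop access_list
        "deny_next_hop": [MapRule(10, "deny", {"ip next-hop": "access_list"})],
    }
    return acls, maps


if __name__ == "__main__":
    acls, maps = page_examples()
    r = Route("10.1.0.0/16", "172.16.0.1", "ethernet0/1", 50)
    print({name: apply_route_map(rules, acls, r)[0] for name, rules in maps.items()})
```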

Configuring a Distance

You can specify the administration distance based on the type of route. To configure the distance,
in the OSPF routing configuration mode, use the following command:
distance ospf {intra-area distance-value | inter-area distance-value | external distance-value}

l intra-area distance-value - Specifies the administration distance for the routes within an area.
The value range is 1 to 255. The default value is 110.

l inter-area distance-value - Specifies the administration distance for the routes between areas.
The value range is 1 to 255. The default value is 110.

l external distance-value - Specifies the administration distance for the external Type-5 route. The
value range is 1 to 255. The default value is 110.

To restore to the default value, in the OSPF routing configuration mode, use the command no dis-
tance ospf.

Configuring a Passive IF

You can configure some interfaces to only receive but not send data. Such an interface is
known as a passive interface. To configure a passive interface, in the OSPF routing configuration
mode, use the following command:
passive-interface interface-name

l interface-name - Specifies the interface as a passive interface.

Repeat the above command to configure more passive interfaces.


To cancel the specified passive interface, in the OSPF routing configuration mode, use the com-
mand no passive-interface interface-name.



Configuring Route Filters Based on the Route Access-list

OSPF uses the route access-list to filter the introduced route. To configure the route filter func-
tion based on the route access-list, use the following command in the OSPF routing configuration
mode:
distribute-list access-list-name in [interface-name]

l access-list-name - Specifies the name of the route access-list. For more information about route
access-list, see Configuring a Route Access-list.

l in - Use in to filter the introduced routes.

l interface-name - Specifies the name of the interface. After specifying this interface, the system
will filter the OSPF routes from the specified interface. If the interface name is not specified,
the system will filter all OSPF routes.

Use the following command to cancel the above configurations:


no distribute-list access-list-name in [interface-name]

Configuring OSPF for an Interface

The OSPF function for an interface must be configured in the interface configuration mode. The
OSPF configuration for the Hillstone device’s interfaces includes:

l Configuring OSPF authentication for an interface

l Specifying the link cost for an interface

l Configuring the timer for an interface

l Specifying the router priority for an interface

l Specifying the network type for an interface



Configuring OSPF Authentication for an Interface

The priority of OSPF authentication for an interface is higher than that of the OSPF authen-
tication for an area. Hillstone devices support the plain text and MD5 authentication. By default
the OSPF authentication for an interface is disabled. To enable or disable it, in the interface con-
figuration mode, use the following commands:
ip ospf authentication

no ip ospf authentication

To configure the password for the plain text authentication, in the interface configuration mode,
use the following command:
ip ospf authentication-key string

l string - Specifies the password (up to eight characters).

To cancel the specified password, in the interface configuration mode, use the command no ip
ospf authentication-key.
To configure the MD5 authentication ID and password, in the interface configuration mode, use
the following command:
ip ospf message-digest-key ID md5 string

l ID - Specifies the authentication ID.

l string - Specifies the password.

To cancel the specified password, in the interface configuration mode, use the command no ip
ospf message-digest-key ID.

Specifying the Link Cost for an Interface

To specify the link cost for an interface, in the interface configuration mode, use the following
command:
ip ospf cost cost-value [local]



l cost-value - Specifies the link cost for an interface. The value range is 1 to 65535.

l local - Specifies the link cost for an interface as local. When the device is operating in the HA
AA mode, the parameter will prevent the device from synchronizing the cost value to the
backup device. Thus the two devices’ link costs will be different, avoiding asymmetrical
OSPF routes.

To cancel the specified link cost, in the interface configuration mode, use the command no ip
ospf cost [local].

Configuring the Timer for an Interface

There are four interface timers: the interval for sending Hello packets, the dead interval of adja-
cent routers, the interval for retransmitting LSA, and the transmit delay for updating packets.
To specify the interval for sending Hello packets for an interface, in the interface configuration
mode, use the following command:
ip ospf hello-interval interval

l interval - Specifies the interval for sending Hello packets for an interface. The value range is 1
to 65535 seconds. The default value is 10.

To restore to the default interval, in the interface configuration mode, use the command no ip
ospf hello-interval.
If a router has not received the Hello packet from its peer for a certain period, it will determine
the peering router is dead. This period is known as the dead interval between the two adjacent
routers. To configure the dead interval for an interface, in the interface configuration mode, use
the following command:
ip ospf dead-interval interval

l interval - Specifies the dead interval of adjacent routers for an interface. The value range is 1 to
65535 seconds. The default value is 40 (4 times the Hello interval).

To restore to the default dead interval, in the interface configuration mode, use the command no
ip ospf dead-interval.



To specify the LSA retransmit interval for an interface, in the interface configuration mode, use
the following command:
ip ospf retransmit-interval interval

l interval - Specifies the LSA retransmit interval for an interface. The value range is 3 to 65535
seconds. The default value is 5.

To restore to the default retransmit interval, in the interface configuration mode, use the com-
mand no ip ospf retransmit-interval.
To specify the transmit delay for updating packet for an interface, in the interface configuration
mode, use the following command:
ip ospf transmit-delay interval

l interval - Specifies the transmit delay for updating packet for an interface. The value range is 1
to 65535 seconds. The default value is 1.

To restore to the default transmit delay, in the interface configuration mode, use the command no
ip ospf transmit-delay.

Specifying the Router Priority for an Interface

The router priority is used to determine which router will act as the designated router. The des-
ignated router will receive the link information of all the other routers in the network, and broad-
cast the received link information. To specify the router priority for an interface, in the interface
configuration mode, use the following command:
ip ospf priority level

l level - Specifies the router priority. The value range is 0 to 255. The default value is 1. The
router with priority set to 0 will not be selected as the designated router. If two routers within
a network can both be selected as the designated router, the router with higher priority will be
selected; if the priority level is the same, the one with higher Router ID will be selected.

To restore to the default priority, in the interface configuration mode, use the command no ip
ospf priority.



Specifying the Network Type for an Interface

In OSPF, the network types of an interface have the following options: broadcast, point-to-point,
and point-to-multipoint. By default, the network type of an interface is broadcast. To configure
the network type of an interface, in the interface configuration mode, use the following command:
ip ospf network {point-to-point | point-to-multipoint}

l point-to-point - Specifies the network type of an interface as the point-to-point type.

l point-to-multipoint - Specifies the network type of an interface as the point-to-multipoint
type.

To set the network type as the default broadcast type, use the following command:
n o ip o sp f n etwo rk

Viewing OSPF Route Information

To view the OSPF route information, in any mode, use the following command:
show ip route ospf [vrouter vrouter-name]

l vrouter-name - Shows the OSPF route information of the specified VRouter name.

To view the OSPF information of the Hillstone device, in any mode, use the following command:
show ip ospf [vrouter vrouter-name] [process process-id]

l vrouter-name - Specifies the VRouter name.

l process process-id – Specifies the OSPF process.

To view the OSPF protocol’s database information of the Hillstone device, in any mode, use
the following commands:
show ip ospf database {asbr-summary | external | nssa-external | network | router | summary}
[A.B.C.D] [{adv-router A.B.C.D} | self-originate] [vrouter vrouter-name] [process process-id]



l asbr-summary - Shows the LSAs of the AS border router.

l external - Shows the LSAs of the external network.

l nssa-external - Shows the external LSAs information of NSSA.

l network - Shows the LSAs of the network.

l router - Shows the LSAs of the router.

l summary - Shows the LSAs summary.

l A.B.C.D - Shows the IP address of link status ID.

l adv-router A.B.C.D - Shows the LSAs of the specified router.

l self-originate - Only shows self-originated LSAs (from the local router).

l vrouter-name - Specifies the VRouter name.

l process process-id – Specifies the OSPF process.

show ip ospf database [max-age | self-originate] [vrouter vrouter-name] [process process-id]

l max-age - Specify the maximum age time.

l self-originate - Only shows self-originated LSAs (from the local router).

l vrouter-name - Specifies the VRouter name.

l process process-id – Specifies the OSPF process.

To view the OSPF interface information, in any mode, use the following command:
show ip ospf interface [interface-name] [vrouter vrouter-name] [process process-id]

To view the OSPF virtual link information, in any mode, use the following command:
show ip ospf virtual-links [vrouter vrouter-name] [process process-id]

To view the OSPF neighbor information, in any mode, use the following command:
show ip ospf neighbor [A.B.C.D | detail] [vrouter vrouter-name] [process process-id]



To view the OSPF route information, in any mode, use the following command:
show ip ospf route [A.B.C.D] [vrouter vrouter-name] [process process-id]

To view the route map information, in any mode, use the following command:
show route-map [name]

To view the route access-list information, in any mode, use the following command:
show access-list route [name]

To view the route filtering information, in any mode, use the following command:
show ip ospf distribute-list [vrouter vrouter-name] [process process-id]

Configuring IS-IS
IS-IS (Intermediate System-to-Intermediate System) is a dynamic routing protocol that was designed
by ISO for CLNP (Connectionless Network Protocol). To make it support IP, the IETF (Internet
Engineering Task Force) modified IS-IS in RFC 1195. With these modifications, the new IS-IS,
called Integrated IS-IS or Dual IS-IS, can be used in both TCP/IP and OSI environments.
StoneOS supports IS-IS in the TCP/IP environment.
You can configure the IS-IS for each virtual router. Configuring IS-IS includes the following sec-
tions:

l Configuring the Router Type

l Enabling IS-IS at Interfaces

l Configuring the Interface Type

l Configuring the Network as Point-to-Point Type

l Configuring the NET Address

l Configuring the Administrative Distance

l Configuring the Metric Style

l Configuring the Interface Metric



l Configuring Redistribute

l Configuring the Default Route Advertisement

l Configuring the Interval for Sending Hello Packets

l Configuring the Multiplier for Hello Packets

l Configuring Padding for Hello Packets

l Configuring the Passive Interface

l Configuring Priority for DIS Election

l Configuring LSP Generation Interval

l Configuring Maximum Age of LSPs

l Configuring LSP Refresh Interval

l Configuring SPF Calculation Interval

l Configuring the Overload Bit

l Configuring Hostname Mappings

l Configuring the Authentication Methods

l Configuring the Interface Authentication

Basic Settings

To configure the IS-IS dynamic routing protocol, you need to enter the IS-IS routing configuration
mode by executing the following commands:
ip vrouter vrouter-name – In the global configuration mode, enter the VRouter configuration
mode.
router isis – Enter the IS-IS routing configuration mode and create the IS-IS process. The IS-IS
processes in each VRouter are independent.



To close the IS-IS process, use no router isis command in the VRouter configuration mode.

Configuring the Router Type

The types include Level-1 router, Level-2 router, and Level-1-2 router. To configure the router
type, use the following command in the IS-IS routing configuration mode:
is-type [level-1 | level-1-2 | level-2-only]

l level-1 | level-1-2 | level-2-only – Configure the type as Level-1 router (level-1) , Level-2
router (level-2-only), or Level-1-2 router (level-1-2). The default type is Level-1-2. Only
when the type is Level-1-2, you are allowed to configure the interface type as Level-1 or
Level-2.

To cancel the type settings, use the no is-type command in the IS-IS routing configuration mode.

Enabling IS-IS at Interfaces

By default, the IS-IS function is disabled at the interface. After creating an IS-IS process at the
current router, proceed to enable the IS-IS function at the interface. Use the following command
in the interface configuration mode:
isis enable

Use the no isis enable command to disable the IS-IS function at the interface.

Configuring the Interface Type

When the router type is Level-1, the interface type can only be Level-1 and it can only establish
the Level-1 adjacency. When the router type is Level-2, the interface type can only be Level-2
and it can only establish the Level-2 adjacency. When the router type is Level-1-2, the interface
type can be Level-1 and Level-2. To configure the interface type, use the following command in
the interface configuration mode:
isis circuit-type [level-1 | level-1-2 | level-2-only]

l level-1 | level-1-2 | level-2-only – Specify the interface type as Level-1 interface (level-1),
Level-2 interface (level-2-only), or Level-1-2 interface (level-1-2).



Configuring the Network as Point-to-Point Type

If there are two devices in the broadcast network, you can configure the link on which the interface
is located as the point-to-point type. For a point-to-point link, IS-IS does not perform DIS election
or CSNP flooding. Use the following command in the interface configuration mode:
isis network point-to-point

Use the no isis network point-to-point command to cancel the above settings.

Routing Information Settings

Configuring the NET Address

NET (Network Entity Title) represents the network layer information of the IS, excluding the
transmission layer information. The NET address is used to mark the device with the IS-IS pro-
cess enabled. An IS-IS process can have at most three NET addresses and these NET addresses
must have the same System IDs. To specify the NET address for the device, use the following
command in the IS-IS routing configuration mode:
net net [local]

l net – Specify the NET address for the device. When you use this device as a level-1 router, it
must have the same area ID as the other devices in the same area. When you use this device as
a level-2 router, the process of establishing the adjacency will not check the area ID.

l local - Specifies the NET address as a local configuration. This kind of configuration is applicable
to HA Peer mode and is not synchronized to the HA configuration. By default, the NET address
is not a local configuration.

To cancel the NET address configurations, use the no net net command.

Configuring the Administrative Distance

To configure the administrative distance, use the following command in the IS-IS routing con-
figuration mode:
distance distance-value



l distance-value – Specify the administrative distance. The value ranges from 1 to 255. The
default value is 115.

To cancel the configurations, use the no distance command.

Configuring the Metric Style

If the metric style is Narrow, the router only generates and receives packets whose metric field is
narrow. The metric value of the interface ranges from 0 to 63. For the large network environment,
the maximum allowed metric of a route is 1023. When the metric value exceeds 1023, the des-
tination is considered to be unreachable. If the metric style is Wide, the router only generates and
receives packets whose metric field is wide. The metric value of the interface ranges from 0 to
16777215. If the metric style is transition, the router can generate and receive packets whose met-
ric field is wide or narrow. To configure the metric style, use the following command in the IS-IS
routing configuration mode:
metric-style {wide | narrow | transition}

l wide - The router only generates and receives packets whose metric field is Wide.

l narrow - The router only generates and receives packets whose metric field is Narrow.

l transition - The router can generate and receive packets whose metric field is Wide or Nar-
row.

To cancel the metric style configurations, use the no metric-style command.

Configuring the Interface Metric

The metric is used to calculate the cost to the destination network via the selected link. To con-
figure the metric of the link, use the following command in the interface configuration mode:
isis metric value [level-1 | level-2]

l value – Configure the metric value of the link on which the interface is located. The value ranges
from 1 to 16777214 and the default value is 10.



l level-1 | level-2 – Use level-1 to configure the metric value for Level-1 routes. Use level-2
to configure the metric value for Level-2 routes. Without specifying level-1 or level-2, the
metric value is effective for both Level-1 and Level-2 routes.

Use the no isis metric command to restore the metric value to the default one.

Configuring Redistribute

IS-IS allows you to introduce routing information from other routing protocols (connected, static,
OSPF, BGP and RIP) and redistribute the information. To configure the redistribute and the cor-
responding metric, in the IS-IS routing configuration mode, use the following commands:
redistribute {connected | static | ospf | bgp | rip} [level-1 | level-1-2 | level-2] [metric
value] [metric-type {external | internal}]

l connected | static | ospf | bgp | rip - Specify the protocol type, which can be connected,
static, OSPF, BGP, or RIP.

l level-1 | level-1-2 | level-2 – Specify the level for the introduced route, including the level-
1 route (level-1), level-2 route (level-2), and both levels (level-1-2).

l metric value - Specify a metric value for the introduced route. The value range is 0 to
4294967296. The default value is 0. When the metric type of the router is narrow, the metric
value of the introduced route cannot exceed 63.

l metric-type {external | internal} – If you select the external metric type (external), the met-
ric value will be the sum of the value configured in metric value and 64. If you select the
internal metric type (internal), the metric value will be the one you configured in the metric
value command. The default option is internal.

To cancel the redistribute configurations, use the no redistribute {connected | static | ospf | bgp
| rip} [level-1 | level-1-2 | level-2] command.

Configuring the Default Route Advertisement

The default route in the introduced routing information will not be used by the routers. To
advertise the default route in the routing domain, in the IS-IS routing configuration mode, use the
following command:
default-information originate

If there is a default route in the router with the above command configured, the IS-IS process in
this router will advertise this route via Level-2 LSPs.
To cancel the default route advertisement, use the no default-information originate command.

Network Optimization

Configuring the Interval for Sending Hello Packets

To configure the interval that the interface sends Hello packets, use the following command in
the interface configuration mode:
isis hello-interval value [level-1 | level-2]

l value – Specify the interval that the interface sends Hello packets. The value ranges from 1
to 600. The unit is second. The default value is 3.

l level-1 | level-2 – Use level-1 to configure the interval for sending Level-1 Hello packets.
Use level-2 to configure the interval for sending Level-2 Hello packets.

Use the no isis hello-interval command to restore the interval to the default value.

Configuring the Multiplier for Hello Packets

If a router does not receive Hello packets from its neighbor within the hold time, it considers the
neighbor down and re-calculates the routes. The hold time is the Hello multiplier multiplied by
the Hello interval. To configure the Hello multiplier, use the following command in the interface
configuration mode:
isis hello-multiplier value [level-1 | level-2]

l value – Specify the multiplier for Hello packets. The value ranges from 2 to 100. The default
value is 10.



l level-1 | level-2 – Use level-1 to configure the multiplier for Level-1 Hello packets. Use
level-2 to configure the multiplier for Level-2 Hello packets. Without specifying level-1 or
level-2, the multiplier value is effective for both Level-1 and Level-2 Hello packets.

To restore the multiplier value to the default value, use the no isis hello-multiplier command.

Configuring Padding for Hello Packets

Use the padding function to pad the hello packets and make them as large as the MTU of the inter-
face. To configure the padding function, use the following command in the interface con-
figuration mode:
isis hello padding

To cancel the padding function, use the no isis hello padding command.

Configuring Priority for DIS Election

In the broadcast network, you can specify the DIS priority for the interface to influence the DIS
election. In the DIS election, the router whose interface has higher DIS priority will be selected
as the DIS. If interfaces have the same priority, the router whose interface has larger MAC address
will be selected as the DIS. To configure the DIS priority for the interface, use the following com-
mand in the interface configuration mode:
isis priority value [level-1 | level-2]

l value – Specify the DIS priority for this interface. The value ranges from 0 to 127. The
default value is 64.

l level-1 | level-2 – Use level-1 to specify the priority for the Level-1 interface. Use level-2 to
specify the priority for the Level-2 interface. Without specifying level-1 or level-2, the pri-
ority is effective for both Level-1 and Level-2 interfaces.

Use the no isis priority [level-1 | level-2] command to restore the priority of the specified inter-
face level to the default one.



Configuring the Passive Interface

After configuring an interface as a passive interface, this interface will not send or receive any IS-IS
packets, and it will not establish adjacency with neighbors. But you can redistribute the connected
routing information about this network to other interfaces via LSPs. To configure an interface as a
passive interface, use the following command in the interface configuration mode:
isis passive

Use the no isis passive command to cancel the above settings.

Configuring LSP Generation Interval

When the network topology changes, the router will generate LSPs. To avoid the frequent gen-
eration of LSPs consuming a larger amount of router resources and bandwidth, you can configure
the LSP generation interval. In the IS-IS routing configuration mode, use the following command
to configure the LSP generation interval:
lsp-gen-interval value [level-1 | level-2]

l value – Specify the LSP generation interval. The value ranges from 1 to 120. The default
value is 30. The unit is second.

l level-1 | level-2 – Enter level-1 to specify the LSP generation interval for level-1 LSPs only,
and enter level-2 to specify the LSP generation interval for level-2 LSPs only. If you enter no
parameter, the configured interval value will be used for both level-1 LSPs and level-2 LSPs.

To restore the value to the default one, use the no lsp-gen-interval command.

Configuring Maximum Age of LSPs

Each LSP has a maximum age. The LSP with an age of 0 will be deleted from the LSDB. To con-
figure the maximum age of LSPs, in the IS-IS routing configuration mode, use the following com-
mand:
max-lsp-lifetime value

l value – Specify the maximum age of LSP. The value ranges from 350 to 65535. The default
value is 1200. The unit is second.



To restore the value to the default one, use the no max-lsp-lifetime command.

Configuring LSP Refresh Interval

Since each LSP has a maximum age, the router must refresh the LSPs generated by itself. To con-
figure the LSP refresh interval, in the IS-IS routing configuration mode, use the following com-
mand:
lsp-refresh-interval value

l value – Specify the LSP refresh interval. The value ranges from 1 to 65535. The default
value is 900. The unit is second. Hillstone recommends that the refresh interval is 300s less
than the maximum age, which ensures that the LSP refresh can reach the routes within the
area before the arrival of the maximum age.

Use the no lsp-refresh-interval command to restore the value to the default one.
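The hold-time rule from "Configuring the Multiplier for Hello Packets", the narrow-metric limits from "Configuring the Metric Style", the +64 of metric-type external from "Configuring Redistribute", and the 300 s refresh margin recommended above, encoded as checks in one added Python example (not StoneOS code). The function names and default arguments are this example's own.

```python
"""Sanity checks for the IS-IS values described in the sections above.

Added illustration, not StoneOS code. It encodes the page's own rules:
hold time = hello interval x hello multiplier, narrow-metric limits
(redistributed metric <= 63, total route metric <= 1023), the +64 that
metric-type external adds, and the recommended 300 s gap between
lsp-refresh-interval and max-lsp-lifetime.
"""
from typing import Iterable

NARROW_MAX_INTERFACE_METRIC = 63
NARROW_MAX_ROUTE_METRIC = 1023
EXTERNAL_METRIC_OFFSET = 64
REFRESH_MARGIN = 300  # Hillstone's recommended gap, in seconds


def hold_time(hello_interval: int = 3, hello_multiplier: int = 10) -> int:
    """Seconds without Hello packets after which the neighbor is declared down."""
    if not 1 <= hello_interval <= 600:
        raise ValueError("isis hello-interval must be 1..600")
    if not 2 <= hello_multiplier <= 100:
        raise ValueError("isis hello-multiplier must be 2..100")
    return hello_interval * hello_multiplier


def redistributed_metric(value: int, metric_type: str = "internal",
                         metric_style: str = "wide") -> int:
    """Metric carried for a redistributed route under the given metric style."""
    if metric_type not in ("internal", "external"):
        raise ValueError("metric-type must be internal or external")
    if metric_style not in ("wide", "narrow", "transition"):
        raise ValueError("metric-style must be wide, narrow or transition")
    if metric_style == "narrow" and value > NARROW_MAX_INTERFACE_METRIC:
        raise ValueError("narrow metric style: redistributed metric cannot exceed 63")
    if metric_type == "external":
        return value + EXTERNAL_METRIC_OFFSET  # external = configured value + 64
    return value


def narrow_route_reachable(path_metrics: Iterable[int]) -> bool:
    """Under narrow style a route whose summed metric exceeds 1023 is unreachable."""
    return sum(path_metrics) <= NARROW_MAX_ROUTE_METRIC


def refresh_interval_ok(lsp_refresh_interval: int = 900,
                        max_lsp_lifetime: int = 1200) -> bool:
    """True when the refresh leaves at least 300 s before the LSP would age out."""
    if not 1 <= lsp_refresh_interval <= 65535:
        raise ValueError("lsp-refresh-interval must be 1..65535")
    if not 350 <= max_lsp_lifetime <= 65535:
        raise ValueError("max-lsp-lifetime must be 350..65535")
    return lsp_refresh_interval <= max_lsp_lifetime - REFRESH_MARGIN
```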

Configuring SPF Calculation Interval

If the LSDB changes, the router will re-calculate the SPF. To configure the SPF calculation inter-
val, use the following command in the IS-IS routing configuration mode:
spf-interval value [level-1 | level-2]

l value – Specify the SPF calculation interval. The value ranges from 1 to 120. The default
value is 10. The unit is second.

l level-1 | level-2 – Enter level-1 to specify the SPF calculation interval for level-1 SPFs only,
and enter level-2 to specify the SPF calculation interval for level-2 SPFs only. If you enter no
parameter, the configured interval value will be used for both level-1 SPFs and level-2 SPFs.

Use the no spf-interval command to restore the value to the default one.

Configuring the Overload Bit

A shortage of resources can leave the LSDB inaccurate or incomplete. A router that is short of
resources sets the overload bit in its LSPs. After other routers receive these LSPs, they stop using
this router to forward transit packets; packets whose destination is a network directly connected to
this router are still forwarded to it. To configure the overload bit for the router, use the following
command in the IS-IS routing configuration mode:
set-overload-bit

To cancel the overload bit configuration, use the no set-overload-bit command.

Configuring Hostname Mappings

In the IS-IS routing domain, System ID, as part of the NET address, is used to identify the host
or the router. Hostname mapping maps the System ID to the hostname. The router will maintain a
mapping table which records the mapping settings between the System ID and the hostname. To
configure the hostname mapping, use the following command in the IS-IS routing configuration
mode:
hostname dynamic

To cancel the hostname mapping, use the no hostname dynamic command.

Authentication

Configuring the Authentication Methods

Configure the authentication methods for the LSP packets, CSNP packets, and PSNP packets.
With the authentication configured, routers will authenticate the preceding packets when they
receive them. But this will not affect the Hello packets for establishing neighbors. There are two
authentication methods, clear text authentication and MD5 authentication. As the default option,
the clear text authentication cannot secure the communication and the password is forwarded
together with the packets. To configure the authentication method, use the following command
in the IS-IS routing configuration mode:
authentication {md5 | text} [level-1 | level-2]

l md5 | text – Use the MD5 authentication (md5) or the clear text authentication (text).

l level-1 | level-2 – Use level-1 to configure the authentication method for the packets
between Level-1 routers, which prevents Level-1 routers from learning routing information
from untrusted routers. The Level-1 routers in the same area must use the same
authentication method and password. Use level-2 to configure the authentication method for
the packets between Level-2 routers, which prevents Level-2 routers from learning routing
information from untrusted routers. The Level-2 routers in the same routing domain must
use the same authentication method and password.

To cancel the authentication configurations, use the no authentication mode command in the IS-
IS routing configuration mode.
After configuring the authentication methods, proceed to configure the passwords. To specify the
password for the packet authentication between level-1 routers, use the following command in
the IS-IS routing configuration mode:
area-password word

l word – Specify the password. You can specify at most 32 characters.

To delete the password, use the no area-password command.


To specify the password for the packet authentication between level-2 routers, use the following
command in the IS-IS routing configuration mode:
domain-password word

l word – Specify the password. You can specify at most 32 characters.

To delete the password, use the no domain-password command.

Configuring the Interface Authentication

Interface authentication is used to verify that neighbors are legitimate and to avoid establishing
adjacencies with unauthorized routers. After configuring interface authentication, the password is
encapsulated in the Hello packets. Only after the packets are verified can the routers become
neighbors. To become neighbors, two interfaces must use the same interface authentication method
and password. To configure the interface authentication, use the following command in the inter-
face configuration mode:
isis authentication {md5 | text} [level-1 | level-2]



l md5 | text – Use the MD5 authentication (md5) or the clear text authentication (text).

l level-1 | level-2 – Use level-1 to configure the authentication method for the Hello packets
between Level-1 routers. Use level-2 to configure the authentication method for the Hello
packets between level-2 routers.

To cancel the interface authentication, use the no isis authentication command.


After configuring the interface authentication method, proceed to specify the password for the
authentication. Use the following command in the interface configuration mode:
isis password word [level-1 | level-2]

l word – Specify the password. You can specify at most 32 characters.

l level-1 | level-2 – Use level-1 to configure the password for the Hello packets between
Level-1 routers. Use level-2 to configure the password for the Hello packets between level-2
routers.

Use the no isis password command to cancel the specified password.
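To make concrete why the authentication sections above call clear-text authentication insecure, the following added example (not StoneOS code) builds the IS-IS authentication TLV both ways and verifies the HMAC-MD5 form. The TLV layout follows ISO 10589 and RFC 5304 as I read them; the PDU header bytes are a constructed placeholder, not a real Hello header.

```python
"""IS-IS authentication TLV: clear text versus HMAC-MD5.

Added illustration, not StoneOS code. Layout per ISO 10589 / RFC 5304 as
understood by the author of this example: TLV type 10, first value byte is
the authentication type (1 = clear text, 54 = HMAC-MD5), and the HMAC-MD5
digest covers the whole PDU with the 16 digest bytes set to zero.
"""
import hashlib
import hmac

AUTH_TLV = 10
AUTH_CLEARTEXT = 1
AUTH_HMAC_MD5 = 54
DIGEST_LEN = 16

# Constructed stand-ins for the fixed PDU header and the other TLVs of a Hello.
HEADER = bytes.fromhex("8301001b1100000000")      # placeholder header, 9 bytes
OTHER_TLVS = bytes([1, 3, 0x49, 0x00, 0x01])       # area address TLV for area 49.0001


def tlvs_iter(data: bytes, offset: int):
    """Yield (type, value_offset, value) for each TLV starting at offset."""
    pos = offset
    while pos + 2 <= len(data):
        tlv_type, length = data[pos], data[pos + 1]
        value_start = pos + 2
        yield tlv_type, value_start, data[value_start:value_start + length]
        pos = value_start + length


def cleartext_pdu(password: bytes) -> bytes:
    """PDU carrying a clear-text authentication TLV: the password travels as-is."""
    tlv = bytes([AUTH_TLV, 1 + len(password), AUTH_CLEARTEXT]) + password
    return HEADER + OTHER_TLVS + tlv


def hmac_md5_pdu(key: bytes) -> bytes:
    """PDU carrying an HMAC-MD5 authentication TLV computed over the whole PDU."""
    tlv_head = bytes([AUTH_TLV, 1 + DIGEST_LEN, AUTH_HMAC_MD5])
    unsigned = HEADER + OTHER_TLVS + tlv_head + bytes(DIGEST_LEN)  # digest zeroed
    digest = hmac.new(key, unsigned, hashlib.md5).digest()
    return HEADER + OTHER_TLVS + tlv_head + digest


def verify_hmac_md5(pdu: bytes, key: bytes, header_len: int = len(HEADER)) -> bool:
    """Recompute the HMAC over the PDU with the digest zeroed; compare in constant time."""
    for tlv_type, value_start, value in tlvs_iter(pdu, header_len):
        if (tlv_type == AUTH_TLV and value[:1] == bytes([AUTH_HMAC_MD5])
                and len(value) == 1 + DIGEST_LEN):
            received = value[1:]
            digest_start = value_start + 1
            zeroed = pdu[:digest_start] + bytes(DIGEST_LEN) + pdu[digest_start + DIGEST_LEN:]
            expected = hmac.new(key, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
    return False  # no HMAC-MD5 TLV present: reject on an authenticated link


def password_visible(pdu: bytes, password: bytes) -> bool:
    """True when the password appears verbatim in the PDU, as with clear-text authentication."""
    return password in pdu
```

With clear text the shared password is readable by anyone who captures the Hello; with HMAC-MD5 only a digest is sent, and a receiver holding a different key, or seeing a modified PDU, rejects it.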

Viewing IS-IS Information

To show the IS-IS process and corresponding information, use the following command in any
mode:
show isis [vrouter vrouter-name]

l vrouter-name – Show the information of the specified vrouter.

To show the link state database, use the following command in any mode:
show isis database [detail] [vrouter vrouter-name]

l detail – Show the detailed information.

l vrouter-name – Show the information of the specified vrouter.

To show the IS-IS interface information, use the following command in any mode:
show isis interface [interface-name]



To show the IS-IS neighbor information, use the following command in any mode:
show isis neighbor [detail] [vrouter vrouter-name]

To show the dynamic host information, use the following command in any mode:
show isis hostname [vrouter vrouter-name]

To show the IS-IS routing information, use the following command in any mode:
show isis route [A.B.C.D/M] [vrouter vrouter-name]

To show the routing redistribute information, use the following command in any mode:
show isis route redistribute [level-1 | level-2] [A.B.C.D/M] [vrouter vrouter-name]

Configuring BGP
BGP, the abbreviation for Border Gateway Protocol, is a routing protocol that is used to exchange
dynamic routing information among autonomous systems (an autonomous system is the
router and network group under the control of one administrative authority; all the routers in the
autonomous system must run the same routing protocol). It is also the protocol used between
ISPs. BGP runs over TCP port 179 and supports Classless Inter-Domain Routing (CIDR). BGP
operates in two ways: when running between autonomous systems, it is known as EBGP;
when running within an autonomous system, it is known as IBGP. BGP has the following char-
acteristics:

l After the initial TCP connection has been established, BGP neighbors exchange the entire
BGP routing tables, then they only exchange the updated routing information.

l It periodically sends KEEPALIVE packets to check TCP connectivity.

l BGP routers only advertise the shortest path to the neighbors.

l BGP is a distance vector routing protocol that is designed to avoid the routing loop.

The router that sends BGP messages is known as a BGP speaker. The BGP speaker receives
or generates new routing information and advertises it to other speakers. When a speaker receives a
new route from another autonomous system, if the route is shorter than all the known routes, or
there is no known route at all, the speaker will advertise the route to all the other speakers. The
BGP speaker that is exchanging information is known as a peer to its counterpart, and multiple
associated peers can constitute a peer group. The purpose of the peer group is to simplify the
configuration. It does not affect the establishment of the actual peer relationship or the advertisement
of routes.
There are four types of BGP packets: OPEN, UPDATE, NOTIFICATION, and KEEPALIVE.
BGP peers send OPEN packets to exchange their versions, autonomous system numbers, hold-
down time, BGP identifiers and other information, and negotiate with each other. The OPEN
packet is mainly used to establish neighbor (BGP Peer) relationship. It is the initial handshake
message between BGP routers, and should be sent before advertising any message. When a peer
receives an OPEN message, it will respond with a KEEPALIVE message. Once the handshake
has been completed successfully, these BGP neighbors will be able to exchange UPDATE,
KEEPALIVE, NOTIFICATION and other messages. The UPDATE packet carries the routing
update information, including the revoked routes, reachable routes and the reachable routes’
paths. When detecting any error (connection interruption, negotiation error, packet error, etc.),
BGP will send a NOTIFICATION packet, and drop the connection to the peer. The
KEEPALIVE packets are transmitted between BGP peers periodically, in order to ensure con-
nectivity.

Configuring BGP Protocol

You can configure the BGP protocol for different VRouters respectively. The BGP protocol con-
figuration includes:

l Entering the BGP configuration mode

l Specifying a Router ID

l Creating a route aggregation

l Adding a static BGP route

l Configuring a timer

l Specifying the administration distance of BGP route

l Specifying the default metric



l Configuring redistribute

l Creating a BGP peer group

l Adding a BGP peer to the peer group

l Configuring a BGP peer

l Activating a BGP connection

l Configuring the default information originate

l Configuring description

l Configuring a BGP peer timer

l Configuring the next hop as itself

l Configuring EBGP multihop

l Disabling a peer or peer group

l Resetting a BGP connection

l Configuring an AS-path access list

l Configuring BGP communities

l Redistributing routes into BGP

l Configuring a route map

l Modifying attributes of introduced routing information

l Configuring route filters based on the AS-path access list

l Sending communities path attributes to peers or peer groups

l Configuring route filters based on the route map



l Configuring equal cost multipath routing

l Enabling/Disabling multipath-relax of EBGP

l Configuring BGP GR

Entering the BGP Configuration Mode

The BGP protocol options must be configured in the BGP routing mode. To enter the BGP rout-
ing mode, in the global configuration mode, use the following commands:
ip vrouter vrouter-name (enters the VRouter configuration mode)
router bgp number

l number - Specifies the number of the autonomous system. The value range is 1 to
4,294,967,295.

The above command will enable the BGP function on the system, create a BGP instance for the
specified autonomous system, and switch to the BGP instance configuration mode.
To delete the specified BGP instance, in the VRouter configuration mode, use the command no
router bgp number.

Specifying a Router ID

Each router running BGP protocol must be labeled with a Router ID. The Router ID is the
unique identifier of an individual router in the whole BGP domain, represented in the form of an
IP address. If the Router ID is not specified, the system will set the largest IP address of the loop-
back interface on the device as the Router ID; if there is no loopback interface or the IP address
of the loopback interface is not configured, the system will select the largest IP address of other
interfaces as the Router ID. To specify the Router ID, in the BGP instance configuration mode,
use the following command:
router-id A.B.C.D

l A.B.C.D - Specifies the Router ID used by BGP protocol, in form of an IP address.

To cancel the specified Router ID, in the BGP instance configuration mode, use the following
command:
no router-id

Creating a Route Aggregation

You can aggregate the routing entries in the BGP routing table. To create a route aggregation, in
the BGP instance configuration mode, use the following command:
aggregate-address {A.B.C.D/M | A.B.C.D A.B.C.D} [as-set] [summary-only]

l A.B.C.D/M | A.B.C.D A.B.C.D - Specifies the network address for the aggregation. Hill-
stone devices support two formats: A.B.C.D/M or A.B.C.D A.B.C.D, for example,
1.1.1.0/24 or 1.1.1.0 255.255.255.0.

l as-set - If this parameter is specified, the system will advertise the aggregated path information
to other routers as its own path information.

l summary-only - If this parameter is specified, the system will only advertise the aggregated
route.

To cancel the specified route aggregation, in the BGP instance configuration mode, use the fol-
lowing command:
no aggregate-address {A.B.C.D/M | A.B.C.D A.B.C.D}

Adding a Static BGP Route

To add a static BGP route, in the BGP instance configuration mode, use the following command:
network {A.B.C.D/M | A.B.C.D A.B.C.D}

l A.B.C.D/M | A.B.C.D A.B.C.D - Specifies the static BGP routing entry. Hillstone devices
support two formats: A.B.C.D/M or A.B.C.D A.B.C.D, for example, 1.1.1.0/24 or 1.1.1.0
255.255.255.0.

To delete the specified static routing entry, in the BGP instance configuration mode, use the fol-
lowing command:
n o n etwo rk { A.B.C.D/M | A.B.C.D A.B.C.D }

453 Chapter 3 Routing


Configuring a Timer

You can configure two BGP timers, KEEPALIVE and HOLDDOWN, as described below:

• KEEPALIVE: The interval of sending the KEEPALIVE message to the BGP peer. By default StoneOS sends the message every 60 seconds.

• HOLDDOWN: If the local router still has not received a KEEPALIVE message from a peer after the HOLDDOWN time, it will determine that the peer is no longer active. The default value is 180 seconds.

To configure a timer, in the BGP instance configuration mode, use the following command:
timers keepalive holddown

• keepalive - Specifies the interval for sending the KEEPALIVE message. The value range is 0 to 65535 seconds, but should not be larger than HOLDDOWN/3. The default value is 60. If the value is larger than HOLDDOWN/3, the actual effective time will be HOLDDOWN/3. The value 0 indicates never sending the KEEPALIVE message.

• holddown - Specifies the HOLDDOWN time. The value range is 0 to 65535 seconds or 3 to 65535 seconds. The default value is 180. The value 0 indicates never checking the HOLDDOWN time.

To restore the default timer values, in the BGP instance configuration mode, use the following command:
no timers

Specifying the Administrative Distance of a BGP Route

You can specify the administrative distance for the local BGP routes or the BGP routes acquired from other peers. To specify the administrative distance for a BGP route, in the BGP instance configuration mode, use the following command:
distance ebgp-distance ibgp-distance local-distance

• ebgp-distance - Specifies the administrative distance for EBGP routes. The value range is 1 to 255. The default value is 20.

• ibgp-distance - Specifies the administrative distance for IBGP routes. The value range is 1 to 255. The default value is 200.

• local-distance - Specifies the administrative distance for local routes. The value range is 1 to 255. The default value is 200.

To restore the default administrative distance for BGP routes, in the BGP instance configuration mode, use the following command:
no distance

Specifying the Default Metric

By default, the metric of a redistributed IGP route remains unchanged, and the metric of a redistributed connected route is 0. To specify the default metric of redistributed routes, in the BGP instance configuration mode, use the following command:
default-metric value

• value - Specifies the default metric value. The value range is 1 to 4294967295.

To restore the default metric value, in the BGP instance configuration mode, use the following command:
no default-metric

Creating a BGP Peer Group

A BGP peer group is designed to simplify the configuration and to update information more efficiently. To create a BGP peer group, in the BGP instance configuration mode, use the following command:
neighbor peer-group-name peer-group

• peer-group-name - Specifies a name for the new peer group.

To delete the specified BGP peer group, in the BGP instance configuration mode, use the following command:
no neighbor peer-group-name peer-group

Adding a BGP Peer to a Peer Group

To add a BGP peer to a peer group, in the BGP instance configuration mode, use the following command:
neighbor A.B.C.D peer-group peer-group-name

• A.B.C.D - Specifies the IP address of the BGP peer that will be added.

• peer-group-name - Specifies a peer group that has already been created in the system.

To delete the specified BGP peer from the BGP peer group, in the BGP instance configuration mode, use the following command:
no neighbor A.B.C.D peer-group peer-group-name

Configuring a BGP Peer

To exchange BGP routing information, you need to specify a BGP peer (or peer group) for the device. To configure a BGP peer, in the BGP instance configuration mode, use the following command:
neighbor { A.B.C.D | peer-group } remote-as number

• A.B.C.D | peer-group - Specifies the IP address of the peer or the name of the peer group.

• number - Specifies the number of the autonomous system that the configured peer or peer group belongs to.

To cancel the specified BGP peer or peer group, in the BGP instance configuration mode, use the following command:
no neighbor { A.B.C.D | peer-group } remote-as


Configuring BGP MD5 Authentication

To improve BGP security, you can configure MD5 authentication for a BGP peer or peer group. With this function enabled, both ends of the peering must pass MD5 authentication in order to establish the TCP connection. To configure BGP MD5 authentication, in the BGP instance configuration mode, use the following command:
neighbor { A.B.C.D | peer-group } password password

• A.B.C.D | peer-group - Specifies the IP address of the peer or the name of the peer group.

• password - Specifies the MD5 password string. The value range is 1 to 32 characters.

To cancel the BGP MD5 authentication, in the BGP instance configuration mode, use the following command:
no neighbor { A.B.C.D | peer-group } password

Notes: The MD5 password configured on the two peers or peer groups must be consistent.

Activating a BGP Connection

By default, the BGP connection between the device and a configured BGP peer or peer group is activated. You can deactivate or reactivate the BGP connection. To activate the BGP connection, in the BGP instance configuration mode, use the following command:
neighbor { A.B.C.D | peer-group } activate

• A.B.C.D | peer-group - Specifies the IP address of the peer or the name of the peer group.

To deactivate the BGP connection to the specified BGP peer or peer group, in the BGP instance configuration mode, use the following command:
no neighbor { A.B.C.D | peer-group } activate


Configuring the Default Information Originate

You can specify whether the default route will be redistributed to other BGP peers or peer groups. By default, BGP will not redistribute the default route.
To configure default information originate, in the BGP instance configuration mode, use the following command:
default-information originate

If there is no default route in the routing table, the system will not redistribute a default route.
To cancel default information originate, in the BGP instance configuration mode, use the following command:
no default-information originate

To configure default information originate for a specific peer or peer group, in the BGP instance configuration mode, use the following command:
neighbor { A.B.C.D | peer-group } default-originate

• A.B.C.D | peer-group - Specifies the IP address of the peer or the name of the peer group.

If there is no default route in the routing table, the system will construct a default route to redistribute.
To cancel default information originate for the specified peer or peer group, in the BGP instance configuration mode, use the following command:
no neighbor { A.B.C.D | peer-group } default-originate

Configuring Description

To configure a description for a peer or peer group, in the BGP instance configuration mode, use the following command:
neighbor { A.B.C.D | peer-group } description description

• A.B.C.D | peer-group - Specifies the IP address of the peer or the name of the peer group.

• description - Specifies the description. The length is 1 to 80 characters.

To cancel the description of the specified peer or peer group, in the BGP instance configuration mode, use the following command:
no neighbor { A.B.C.D | peer-group } description

Configuring a BGP Peer Timer

By default, the timer of every BGP peer or peer group in the BGP system is set to the value specified by timers keepalive holddown. You can specify a different timer value for a specific BGP peer or peer group; the per-peer value takes priority over the value specified by timers keepalive holddown. To specify a timer value for a BGP peer or peer group, in the BGP instance configuration mode, use the following command:
neighbor { A.B.C.D | peer-group } timers keepalive holddown

• A.B.C.D | peer-group - Specifies the IP address of the peer or the name of the peer group.

• keepalive - Specifies the interval for sending the KEEPALIVE message. The value range is 0 to 65535 seconds, but should not be larger than HOLDDOWN/3. The default value is 60. If the value is larger than HOLDDOWN/3, the actual effective time will be HOLDDOWN/3. The value 0 indicates never sending the KEEPALIVE message.

• holddown - Specifies the HOLDDOWN time. The value range is 0 to 65535 or 3 to 65535 seconds. The default value is 180. The value 0 indicates never checking the HOLDDOWN time.

To cancel the specified timer for the BGP peer or peer group, in the BGP instance configuration mode, use the following command:
no neighbor { A.B.C.D | peer-group } timers

Configuring the Next Hop as Itself

With this function configured, the router advertises itself as the next hop of the BGP routes sent to the BGP peer or peer group. To configure the next hop as itself, in the BGP instance configuration mode, use the following command:
neighbor { A.B.C.D | peer-group } next-hop-self

• A.B.C.D | peer-group - Specifies the IP address of the peer or the name of the peer group.

To cancel the next hop as itself, in the BGP instance configuration mode, use the following command:
no neighbor { A.B.C.D | peer-group } next-hop-self

Configuring EBGP Multihop

For BGP running between different ASes (i.e., EBGP), if the BGP peers or peer groups are not directly connected, you need to configure EBGP multihop in order to establish the neighbor relationship between the devices. To configure EBGP multihop, in the BGP instance configuration mode, use the following command:
neighbor { A.B.C.D | peer-group } ebgp-multihop [ ttl ]

• A.B.C.D | peer-group - Specifies the peer IP address or the name of the peer group.

• ttl - Specifies the maximum hop count to the peer IP address or peer group. The value range is 1 to 255, and the default value is 255. If no peer or peer group can be reached within the maximum hops, the system will conclude that the neighbor relationship cannot be established.

To cancel EBGP multihop, in the BGP instance configuration mode, use the following command:
no neighbor { A.B.C.D | peer-group } ebgp-multihop

Disabling a Peer/Peer Group

If a peer or peer group is disabled, all the sessions to the peer or peer group will be dropped, and all the relevant routing information will be deleted. To disable a peer or peer group, in the BGP instance configuration mode, use the following command:
neighbor { A.B.C.D | peer-group } shutdown

• A.B.C.D | peer-group - Specifies the IP address of the peer or the name of the peer group.

To re-enable the specified peer or peer group, in the BGP instance configuration mode, use the following command:
no neighbor { A.B.C.D | peer-group } shutdown


Resetting a BGP Connection

To reset a BGP connection, in the execution mode, use the following command:
clear ip bgp { * | A.B.C.D | external | peer-group peer-group-name | number } [vrouter vrouter-name ]

• * - Resets all the existing BGP connections.

• A.B.C.D - Resets the BGP connections to the specified peer.

• external - Resets all the existing EBGP connections.

• peer-group peer-group-name - Resets the BGP connections to the specified peer group.

• number - Resets the BGP connections in the specified autonomous system.

• vrouter vrouter-name - Specifies the VRouter where the reset operation is performed.

Configuring an AS-path Access List

The AS path of a route is the sequence of AS numbers that the route has traversed before reaching the destination network: each time a BGP route traverses an AS, that AS number is added to its AS path.
With an AS-path access list, you can filter routes based on their AS path. The AS-path access list mainly consists of a set of regular expressions and the actions that will be performed when the route matches them (permit or deny). When a regular expression matches the AS path of the route, the system executes the specified action. If no regular expression matches, the system denies the route. The system supports up to 64 AS-path access lists, and each AS-path access list supports up to 8 regular expressions.
To configure an AS-path access list, use the following command in the global configuration mode:
ip as-path access-list access-list-number {deny | permit} regular-expression

• access-list-number - Specifies the number of the AS-path access list. The range is 1 to 500.

• deny | permit - Specifies the action that will be performed on the route that matches the AS-path access list.

• regular-expression - Specifies the regular expression to match against the AS path. StoneOS supports PCRE.

To delete an AS-path access list, use the following command in the global configuration mode:
no ip as-path access-list access-list-number [{deny | permit} regular-expression ]

In the example below, an AS-path access list numbered 1 is configured that refuses routes that have traversed AS 31 and permits all other routes:

hostname(config)# ip as-path access-list 1 deny _31_

hostname(config)# ip as-path access-list 1 permit .*

hostname(config)#

Configuring BGP Communities

The communities path attribute provides a way to group routing information that has the same characteristics, independently of the IP subnet and AS where it is located. Besides customized communities path attributes, the system supports the following well-known community values that you can specify for BGP routes:

• No-export - Routes with this communities path attribute cannot be advertised to peers outside the AS.

• No-advertise - Routes with this communities path attribute cannot be advertised to any BGP peer.

• Local-as - Routes with this communities path attribute can be advertised to other peers in the local AS, but cannot be advertised to peers outside the local AS.

• Internet - Routes with this communities path attribute can be advertised to any BGP neighbor. By default, each route carries this communities path attribute.

A community list consists of attributes and the actions that will be performed after a successful match. If the communities path attribute of the route matches the specified attributes, the system performs the specified action. If not, the system denies the route. The system supports up to 128 community lists, and in each list you can configure one permit rule and one deny rule.
To configure a community list, use the following command in the global configuration mode:
ip community-list {standard community-list-name | community-list-number } {deny | permit} {[internet] [local-as] [no-advertise] [no-export] [ community-number ]}

• standard community-list-name - Specifies the name of the community list. You can specify up to 31 characters.

• community-list-number - Specifies the number of the community list. The number is in the range of 1 to 99.

• deny | permit - Specifies the action performed on the route that matches the list. deny means the route will be denied and permit means the route will be permitted.

• [internet] [local-as] [no-advertise] [no-export] [community-number] - Specifies the communities path attributes. You can specify one or more attributes, separated by spaces. The value of community-number is in the range of 1 to 4294967295.

To delete a community list, use the following command in the global configuration mode:
no ip community-list {standard community-list-name | community-list-number }

Redistributing Routes into BGP

BGP supports redistributing routes of other protocols into BGP and advertising that routing information. You can also set the metric of the redistributed routes and use a route map to filter the routing information. To redistribute routes into BGP, use the following command in the BGP instance configuration mode:
redistribute {ospf | isis | connected | static | rip} [metric value ] [route-map name ]

• ospf | isis | connected | static | rip - Specifies the protocol type, which can be ospf, isis, connected, static or rip.

• metric value - Specifies a metric value for the redistributed routes. The value range is 0 to 4294967295. If the value is not specified, the system will use the default BGP metric configured by the default-metric value command.

• route-map name - Specifies the route map that is used to filter the routing information introduced from other routing protocols. For more information about route maps, see Configuring a Route Map.

You can repeat the command above to redistribute routes of different types.
To cancel the redistribution, use the following command: no redistribute {ospf | isis | connected | static | rip}.

Configuring a Route Map

By default the system introduces all the routing information. You can filter the routing information introduced from other routing protocols by referencing a route map. A route map mainly consists of two parts: matching rules, and actions (permit or deny) for the matched routing information. If the introduced routing information hits a matching rule, the system takes the configured action, i.e., permits or denies the introduced routing information.

Notes:
• If the action is set to Permit, the system will only permit the matched routing information and deny all the unmatched routing information.

• If the action is set to Deny, the system will deny the matched routing information, but still permit all the unmatched routing information.

To configure a route map and filter the introduced routing information, take the following steps:

1. Create a route map and add matching rules to the route map. Matching rules are differentiated by IDs. The smaller the ID is, the higher the matching priority will be. By default, if the routing information hits a matching rule, the system will not continue to match the subsequent rules; if no matching rule is hit, the system will take the Deny action.

2. Add matching conditions to the matching rules. The matching condition can be the AS path, communities path attribute, metric, destination IP address, or next-hop IP address of the introduced routing information. One matching rule may contain multiple matching conditions, and the relation between these conditions is AND, i.e., in order to hit a matching rule, the routing information must satisfy all the matching conditions in the rule.

3. If needed, require the system to continue to match another rule after the routing information hits a matching rule.

4. If needed, modify some attributes of the introduced routing information before redistribution.

To create a route map and add a matching rule to the route map, in the global configuration mode, use the following command:
route-map name {deny | permit} sequence

• route-map name - Specifies the name of the route map, and enters the route map configuration mode. The value range is 1 to 31 characters. If the name already exists in the system, you will directly enter the route map configuration mode.

• deny | permit - Specifies the action for the matched routing information.

• sequence - Specifies the sequence number of the matching rule in the route map. The value range is 1 to 65535.

To delete the specified route map, in the global configuration mode, use the following command:
no route-map name [ sequence ]

• sequence - Only deletes the specified matching rule from the route map.

To add a matching condition to the matching rule, in the route map configuration mode, use the following command:
match {as-path access-list-number | community { community-list-name | community-list-number } [ exact-match ] | metric metric-value | interface interface-name | ip address access-list | ip next-hop access-list }

• as-path access-list-number - Matches the AS path of the introduced routing information. access-list-number is the number of an AS-path access list configured by yourself. If the AS path of the route is permitted by this AS-path access list, the system concludes that the matching is successful. For more information about configuring an AS-path access list, see Configuring an AS-path Access List.

• community {community-list-name | community-list-number} [exact-match] - Matches the communities path attributes of the introduced routing information. community-list-name is the name of the community list and community-list-number is the number of the community list. exact-match indicates that the system will execute an exact match. For more information about configuring a community list, see Configuring BGP Communities.

• metric metric-value - Matches the metric of the introduced routing information. The value range is 0 to 4294967295.

• interface interface-name - Matches the next-hop interface of the introduced routing information.

• ip address access-list - Matches the destination address of the introduced routing information. access-list is a route access-list configured in the system. If the destination address of the routing information is permitted by the route access-list, the system concludes that the matching succeeds. For more information about route access-lists, see Configuring a Route Access-list.

• ip next-hop access-list - Matches the next-hop IP address of the introduced routing information. access-list is a route access-list configured in the system. If the next-hop IP address of the routing information is permitted by the route access-list, the system concludes that the matching succeeds. For more information about route access-lists, see Configuring a Route Access-list.

Repeat the above command to add more matching conditions to the matching rule. To delete the specified matching condition from the matching rule, use the following command:
no match {as-path | community | metric | interface | ip address | ip next-hop }

Notes: If you only created a route map but did not add any matching rule, by default the system will conclude that all the introduced routing information is matched.

Modifying Attributes of Introduced Routing Information

For the introduced routing information that satisfies the matching conditions, you can modify some attributes before redistribution. To modify the attributes of the introduced routing information, in the route map configuration mode, use the following command:
set {as-path prepend as-number | commu-list { community-list-name | community-list-number } delete | community {[internet] [local-AS] [no-advertise] [no-export] [ community-list-number ]} [additive] | ip next-hop ip-address | local-preference value | metric metric-value | origin {egp | igp | incomplete}}

• as-path prepend as-number - Adds a new AS path after the existing AS path of the introduced route. The range is 1 to 65535, and you can use spaces to separate multiple values.

• commu-list {community-list-name | community-list-number} delete - Uses community-list-name to specify the name of the community list, or community-list-number to specify the number of the community list, and deletes the matched communities path attributes.

• community {[internet] [local-AS] [no-advertise] [no-export] [community-list-number]} [additive] - Modifies the communities path attributes of the introduced route. You can use additive to add the new attributes to the existing ones of the introduced route.

• ip next-hop ip-address - Modifies the next-hop IP address of the introduced route.

• local-preference value - Modifies the local preference attribute of the route. The range is 0 to 4294967295.

• metric metric-value - Specifies the metric type of the external route. type-1 indicates the type1 external route metric, and type-2 indicates the type2 external route metric.

• origin {igp | egp | incomplete} - Modifies the origin attribute of the introduced route. igp means the route comes from the internal AS; egp means the route was obtained from EGP; incomplete means the route was obtained by other methods.

To cancel the modification and restore the settings the routing information had when it was introduced, use the following command:
no set {as-path prepend | commu-list | community | ip next-hop | local-preference | origin | metric | metric-type}
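As an added example (not StoneOS code), the Python below models the evaluation semantics described in Configuring an AS-path Access List and Configuring a Route Map: AS-path regular expressions tried in order with an implicit deny, route map rules tried in ascending sequence with ANDed match conditions and a first hit that decides, set clauses applied on permit, and a deny when no rule hits. It assumes an AS path is rendered as an underscore-delimited string so that the page's _31_ pattern matches exactly one AS number; Route, AsPathAccessList, RouteMapRule and RouteMap are hypothetical names and the sample routes are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class Route:
    # Constructed stand-in for a route introduced into BGP (not a StoneOS type).
    prefix: str
    as_path: list
    local_preference: int = 100


def render_as_path(as_path):
    # [65001, 31] -> "_65001_31_" (assumed rendering) so that the page's PCRE
    # pattern "_31_" matches AS 31 but neither AS 310 nor AS 3100.
    return "_" + "_".join(str(asn) for asn in as_path) + "_"


class AsPathAccessList:
    """ip as-path access-list N {deny | permit} regex: entries are tried in order,
    the first regex that matches decides, and a route no entry matches is denied."""

    def __init__(self, number):
        if not 1 <= number <= 500:
            raise ValueError("access-list-number must be 1 to 500")
        self.number, self.entries = number, []

    def add(self, action, pattern):
        if len(self.entries) >= 8:
            raise ValueError("at most 8 regular expressions per AS-path access list")
        self.entries.append((action, re.compile(pattern)))

    def permits(self, route):
        text = render_as_path(route.as_path)
        for action, regex in self.entries:
            if regex.search(text):
                return action == "permit"
        return False


class RouteMapRule:
    """One 'route-map NAME {deny | permit} SEQ' entry; match conditions are ANDed
    and a rule without conditions matches every route (see the Notes above)."""

    def __init__(self, action, sequence):
        if not 1 <= sequence <= 65535:
            raise ValueError("sequence must be 1 to 65535")
        self.action, self.sequence = action, sequence
        self.conditions = []     # predicates over a Route; all must hold
        self.modifications = []  # 'set' clauses applied when the rule permits

    def match_as_path(self, acl):
        self.conditions.append(acl.permits)
        return self

    def set_local_preference(self, value):
        if not 0 <= value <= 4294967295:
            raise ValueError("local-preference must be 0 to 4294967295")
        self.modifications.append(lambda r: setattr(r, "local_preference", value))
        return self

    def hits(self, route):
        return all(cond(route) for cond in self.conditions)


class RouteMap:
    """Rules are tried in ascending sequence and the first hit decides (step 1);
    permit applies the rule's set clauses, and no hit at all denies the route."""

    def __init__(self, name):
        self.name, self.rules = name, {}

    def rule(self, action, sequence):
        # Re-entering an existing sequence number returns the existing rule.
        return self.rules.setdefault(sequence, RouteMapRule(action, sequence))

    def apply(self, route):
        for rule in sorted(self.rules.values(), key=lambda r: r.sequence):
            if rule.hits(route):
                if rule.action == "permit":
                    for modify in rule.modifications:
                        modify(route)
                    return True, route
                return False, route
        return False, route


def demo():
    """The page's access list 1 (deny _31_, permit .*) feeding a route map that
    raises the local preference of every route it lets through."""
    acl = AsPathAccessList(1)
    acl.add("deny", "_31_")
    acl.add("permit", ".*")
    rmap = RouteMap("from-peer")
    rmap.rule("permit", 10).match_as_path(acl).set_local_preference(200)
    routes = [  # constructed sample routes
        Route("10.1.0.0/16", [65001, 31, 65003]),  # transited AS 31: denied
        Route("10.2.0.0/16", [65001, 65002]),      # permitted, preference raised
        Route("10.3.0.0/16", [310, 65003]),        # AS 310 is not AS 31: permitted
    ]
    return {r.prefix: (rmap.apply(r)[0], r.local_preference) for r in routes}
```

Running demo() returns the permit/deny decision and resulting local preference for each constructed route; a route map with only a deny rule, or with no rule hit, denies everything, as step 1 above states.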

Configuring Route Filters Based on the AS-path Access List

BGP uses an AS-path access list to filter the routes introduced from peers or peer groups, or the routes advertised to them. To configure route filtering based on an AS-path access list, use the following command in the BGP instance configuration mode:
neighbor { A.B.C.D | peer-group } filter-list access-list-number {in | out}

• A.B.C.D | peer-group - Specifies the IP address of the BGP peer or the name of the peer group.

• access-list-number - Specifies the number of the AS-path access list. For more information about AS-path access lists, see Configuring an AS-path Access List.

• in | out - Use in to filter the introduced routes or out to filter the advertised routes.

Use the following command to cancel the above configuration:
no neighbor { A.B.C.D | peer-group } filter-list {in | out}

Sending Communities Path Attributes to Peers or Peer Groups

To send communities path attributes to peers or peer groups, use the following command in the BGP instance configuration mode:
neighbor { A.B.C.D | peer-group } send-community {standard | extended | both}

• A.B.C.D | peer-group - Specifies the IP address of the BGP peer or the name of the peer group.

• standard | extended | both - Specifies the type of the communities path attributes. There are three types: standard means the standard communities path attributes, extended means the extended communities path attributes, and both means both the standard and the extended communities path attributes.

Use the following command to cancel the above configuration:
no neighbor { A.B.C.D | peer-group } send-community

Configuring Route Filters Based on the Route Map

BGP uses a route map to filter the routes introduced from peers or peer groups, or the routes advertised to them. To configure route filtering based on a route map, use the following command in the BGP instance configuration mode:
neighbor { A.B.C.D | peer-group } route-map {in | out}

• A.B.C.D | peer-group - Specifies the IP address of the BGP peer or the name of the peer group.

• in | out - Use in to filter the introduced routes or out to filter the advertised routes.

Use the following command to cancel the above configuration:
no neighbor { A.B.C.D | peer-group } route-map {in | out}

Configuring Equal Cost Multipath Routing

To configure the maximum number of equal cost multipath (ECMP) routes for BGP, use the following command in the BGP instance configuration mode:
maximum-paths {ebgp | ibgp} maximum-number

• maximum-number - Specifies the maximum number of ECMP routes for IBGP/EBGP. When there are eligible ECMP paths, they are added to the routing table up to the maximum number you specified. With this configuration, ECMP assists with load balancing of BGP across multiple routes. The range is 1 to 8 and the default value is 1.

Use the following command in the BGP instance configuration mode to cancel the above settings:
no maximum-paths {ebgp | ibgp}

Notes: Before configuring ECMP routing for BGP, you must first enable the ECMP function. For more information, see ECMP.

Viewing BGP Information

To view the BGP routing information, in any mode, use the following command:
show ip route bgp [vrouter vrouter-name ]

• vrouter-name - Shows the BGP routing information of the specified VRouter.

To view the routing information of the entire BGP routing table, in any mode, use the following command:
show ip bgp [ A.B.C.D | A.B.C.D/M ] [vrouter vrouter-name ]

• A.B.C.D | A.B.C.D/M - Shows the BGP routing information of the specified network.

• vrouter-name - Shows the BGP routing information of the specified VRouter.

To view the path information of all the autonomous systems stored in the BGP database, in any mode, use the following command:
show ip bgp paths [vrouter vrouter-name ]

• vrouter-name - Shows the autonomous system path information of the specified VRouter.

To view the status parameters of all BGP connections, including the prefix, path, attribute, etc., in any mode, use the following command:
show ip bgp summary [vrouter vrouter-name ]

• vrouter-name - Shows the BGP connection status parameters of the specified VRouter.

To view the BGP peer status, in any mode, use the following command:
show ip bgp neighbor [ A.B.C.D ] [vrouter vrouter-name ]

• A.B.C.D - Specifies the peer.

• vrouter-name - Shows the BGP peer status of the specified VRouter.

To view the BGP community lists and AS-path access lists, use the following commands in any mode:
show ip community [ community-list-name ]

• community-list-name - Shows the information of the specified community list. Without this parameter, the information of all community lists is displayed.

show ip as-path-access-list [ access-list-number ]

• access-list-number - Shows the information of the specified AS-path access list. Without this parameter, the information of all AS-path access lists is displayed.

Enabling/Disabling multipath-relax of EBGP

For EBGP routes to the same destination network through different AS paths, the system supports enabling the EBGP multipath-relax function, so that EBGP can achieve load balancing across different AS paths. In the BGP instance configuration mode, use the following commands:

• Enable: bestpath as-path multipath-relax

• Disable: no bestpath as-path multipath-relax

Configuring BGP GR

GR (Graceful Restart) is also called Non-Stop Forwarding (NSF).


The BGP GR ensures that the forwarding layer can continue to forward data during the
switchover between backup and primary devices or device restart. Meanwhile, the operation of
the forwarding layer is not affected by the re-establishment of neighbor relations and the routing
computation of the control layer. In this scenario, BGP GR can help the system have less single
point of failure, and reduce the influence of route flapping on the network during the switchover

471 Chapter 3 Routing


between backup and primary devices. Therefore, the network is more reliable and can avoid the
influence of traffic interruption on users' important services.
Basic Concepts of BGP GR

l End-of-RIB marker: End-of RIB marker is a BGP Update message with no reachable Network
Layer Reachability Information (NLRI) and its withdrawn NLRI is empty. When the current
device receives the End-of-RIB marker from its peer, it indicates that this peer has sent all
updates needing to be notified.

l Graceful Restart Capability: Graceful Restart Capability is a new BGP capability to better sup-
port GR functionality. It is advertised by the BGP with the Open message when a BGP con-
nection is established. Graceful Restart Capability can indicate that the current device can
preserve its forwarding state during BGP restart, and generate the End-of-RIB marker upon
the completion of its initial updates.

l GR Restarter: GR Restarter is the device applying Graceful Restart during BGP restart or the
switchover between backup and primary devices.

l GR Helper: GR Helper is the neighbor of GR Restarter, and is the device with GR Capability
to assist GR Restarter in the Graceful Restart.

A device can be a GR Restarter or a GR Helper. Whether it becomes a GR Restarter or a GR Helper is determined by the actual role the device plays in the BGP GR procedure. Taking HA between two devices as an example, the BGP GR procedure is as follows:

1. In device HA, the new primary device works as the GR Restarter and re-establishes the
BGP connection with the GR Helper.

2. The GR Helper disconnects its BGP neighborhood with the previous primary device and marks the BGP routes learned from the previous primary device as stale. The GR Helper still forwards data packets via these routes and starts the Graceful-Restart Stale-Path-Time timer. To configure the Graceful-Restart Stale-Path-Time, use the graceful-restart stale-path-time time command.

3. If the GR Restarter successfully establishes the BGP session with the GR Helper within the notified Graceful-Restart Restart-Time, they become neighbors and exchange routing information. If the GR Restarter cannot establish a BGP neighborhood with the GR Helper within the notified Graceful-Restart Restart-Time, the GR Helper immediately deletes the routes related to the GR Restarter. To configure the Graceful-Restart Restart-Time, use the graceful-restart restart-time time command.

4. GR Helper sends updates after becoming a neighbor of the GR Restarter and generates an
End-of-RIB marker upon the completion of the updates. Even if the GR Helper does not
have updates to be notified, it is required to send the End-of-RIB marker.

5. GR Restarter starts to select the optimum path after receiving the End-of-RIB markers from
its peers. If GR Restarter does not receive all the necessary End-of-RIB markers, it will start
to select the optimum path after the configured Graceful-Restart Wait-For-Rib-Time
expires. To configure the Graceful-Restart Wait-For-Rib-Time, use the graceful-restart wait-
for-rib-time time command.

6. After the selection of the optimum path, GR Restarter updates the RIB, then generates
updates of the BGP route and sends the updates to its BGP neighbors. Whether there are
updates or not, GR Restarter should notify the End-of-RIB marker.

7. After receiving the route updates, GR Helper removes the stale markers of relative routes.
GR Helper will remove routes still with stale markers after receiving the End-of-RIB marker
sent by the GR Restarter.

8. If the routing information exchange is not completed within the Graceful-Restart Stale-Path-Time, the GR Restarter is forced to quit GR; it then updates the RIB according to the learned BGP route information and deletes the invalid RIB entries.
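The procedure above, modelled from the GR Helper's side as an added Python example (not StoneOS code): the helper marks routes stale when the peer restarts, keeps forwarding on them while the restart-time and stale-path-time timers run, and drops whatever is still stale when End-of-RIB arrives or a timer expires. The timer defaults are the StoneOS defaults documented later in this section; the prefixes and event times are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example: a model of the GR Helper side of the BGP GR procedure,
# not StoneOS code. Timer defaults are the documented StoneOS defaults;
# the route table and event times are constructed for illustration.


@dataclass
class GrHelper:
    restart_time: float = 120.0      # graceful-restart restart-time, seconds
    stale_path_time: float = 360.0   # graceful-restart stale-path-time, seconds
    routes: Dict[str, bool] = field(default_factory=dict)  # prefix -> stale flag
    peer_down_at: Optional[float] = None
    session_up: bool = False
    gr_active: bool = False
    events: List[str] = field(default_factory=list)

    def peer_restart(self, now: float) -> None:
        """Step 2: the old session drops; keep forwarding but mark routes stale."""
        self.gr_active, self.session_up, self.peer_down_at = True, False, now
        for prefix in self.routes:
            self.routes[prefix] = True
        self.events.append(f"t={now}: {len(self.routes)} routes marked stale")

    def session_reestablished(self, now: float) -> bool:
        """Step 3: the restarter reconnects; it only counts if within restart-time."""
        if not self.gr_active:
            return False
        if now - self.peer_down_at > self.restart_time:
            self._flush_stale(now, "restart-time exceeded")
            return False
        self.session_up = True
        self.events.append(f"t={now}: session re-established")
        return True

    def route_update(self, now: float, prefix: str) -> None:
        """Step 7: a re-advertised route loses its stale marker."""
        self.routes[prefix] = False

    def end_of_rib(self, now: float) -> List[str]:
        """Step 7: End-of-RIB from the restarter; routes still stale are removed."""
        if not self.gr_active or not self.session_up:
            return []
        return self._flush_stale(now, "End-of-RIB received")

    def tick(self, now: float) -> Optional[str]:
        """Timer checks (steps 3 and 8); returns the name of the timer that fired."""
        if not self.gr_active:
            return None
        elapsed = now - self.peer_down_at
        if not self.session_up and elapsed > self.restart_time:
            self._flush_stale(now, "restart-time expired")
            return "restart-time"
        if elapsed > self.stale_path_time:
            self._flush_stale(now, "stale-path-time expired")
            return "stale-path-time"
        return None

    def _flush_stale(self, now: float, reason: str) -> List[str]:
        """Remove every route still carrying a stale marker and leave GR."""
        removed = sorted(p for p, stale in self.routes.items() if stale)
        for prefix in removed:
            del self.routes[prefix]
        self.gr_active = False
        self.events.append(f"t={now}: {reason}, removed {removed}")
        return removed


def successful_restart() -> Tuple[List[str], List[str]]:
    """Restarter returns within restart-time and re-advertises one of two routes."""
    helper = GrHelper(routes={"10.1.0.0/16": False, "10.2.0.0/16": False})
    helper.peer_restart(0)
    helper.tick(60)                             # still forwarding on stale routes
    helper.session_reestablished(90)            # 90 s < restart-time of 120 s
    helper.route_update(100, "10.1.0.0/16")     # 10.2.0.0/16 is not re-advertised
    removed = helper.end_of_rib(110)
    return sorted(helper.routes), removed       # (['10.1.0.0/16'], ['10.2.0.0/16'])


def failed_restart() -> Tuple[Optional[str], List[str]]:
    """Restarter never comes back: routes are dropped when restart-time expires."""
    helper = GrHelper(routes={"10.1.0.0/16": False})
    helper.peer_restart(0)
    fired = helper.tick(121)
    return fired, sorted(helper.routes)         # ('restart-time', [])


if __name__ == "__main__":
    print(successful_restart())
    print(failed_restart())
```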

Notes:
l BGP GR cannot be applied in HA peer mode.

l Only devices in the following scenarios can work as the GR Restarter. Otherwise, they work as the GR Helper.

l The newly elected primary device after HA switching;

l Devices with the SCM HA function, such as X6150/X6180/X7180/X9180/X10800/K9180.

l BGP GR does not work if HA between the primary and backup devices is disconnected.

Enabling BGP GR
To enable the BGP GR functionality, in the BGP instance configuration mode, use the following
command:
graceful-restart
To disable the BGP GR functionality, in the BGP instance configuration mode, use the command no graceful-restart.
Configuring GR Restart-Time
To configure the longest time for a peer to wait for a BGP session to be re-established, in the
BGP instance configuration mode, use the following command:
graceful-restart restart-time time

l time - Specifies the longest time for a peer to wait for a BGP session to be re-established. The value ranges from 1 to 3600 seconds. The default Graceful-Restart Restart-Time is 120 seconds.

To restore the default value, in the BGP instance configuration mode, use the command no graceful-restart restart-time.
Configuring GR Stale-Path-Time

To configure the longest time to retain the stale routes of the restarted peers, in the BGP instance
configuration mode, use the following command:
graceful-restart stale-path-time time

l time - Specifies the longest time to retain the stale routes of the restarted peers. The value ranges from 1 to 3600 seconds. The default Graceful-Restart Stale-Path-Time is 360 seconds.

To restore to the default value, in the BGP instance configuration mode, use the command no
graceful-restart stale-path-time.
Configuring GR Wait-For-Rib-Time
To configure the longest time for the GR Restarter to wait for the End-of-RIB markers from the
neighbors, in the BGP instance configuration mode, use the following command:
graceful-restart wait-for-rib-time time

l time - Specifies the longest time for the GR Restarter to wait for the End-of-RIB markers from its neighbors. The value ranges from 1 to 3600 seconds. The default Graceful-Restart Wait-For-Rib-Time is 180 seconds.

To restore to the default value, in the BGP instance configuration mode, use the command no
graceful-restart wait-for-rib-time.

ECMP
Equal Cost Multi-Path Routing (ECMP) is a routing strategy where the next-hop packet for-
warding to a single destination can occur over multiple best paths which tie for top place in rout-
ing metric calculations.

Configuring ECMP

By default the ECMP function is enabled, and allows up to 40 equal-cost routes for the purpose
of load balancing. To enable or disable ECMP, in the VRouter configuration mode, use the fol-
lowing command:
ecmp enable ecmp-route-num

l ecmp-route-num - Specifies the maximum number of ECMP routes permitted in the system.
The value range is 1 to 1000. The value of 1 indicates ECMP is disabled.

Configuring ECMP Route Selection

To configure the method for selecting an ECMP route, in the global configuration mode, use the
following command:
ecmp-route-select {by-5-tuple | by-src | by-src-and-dst}

l by-5-tuple - Selects a route based on the network quintuple (source IP address, destination IP address, source port, destination port and service type).

l by-src - Selects a route based on the source IP address.

l by-src-and-dst - Selects a route based on the source IP address and destination IP address.
This is the default method.
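As an added Python example (not StoneOS code), the following shows which header fields each ecmp-route-select method feeds into the path choice, and therefore which flows stay on one next hop. StoneOS does not document its hash, so a deterministic SHA-256 stand-in is assumed, and the flows and interface names are constructed.

```python
import hashlib
from typing import Dict, Iterable, List, Sequence, Tuple

# Added example, not StoneOS code: the real StoneOS hash is not documented,
# so a stable SHA-256 based hash of the selected header fields stands in for
# it. What the example demonstrates is which fields each selection method
# looks at, and therefore which flows end up on the same path.

Flow = Tuple[str, str, int, int, str]  # (src_ip, dst_ip, src_port, dst_port, service)

METHODS = ("by-5-tuple", "by-src", "by-src-and-dst")


def _stable_hash(*fields) -> int:
    """Deterministic hash (unlike Python's randomized hash()) of the key fields."""
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def selection_key(flow: Flow, method: str) -> tuple:
    """The header fields that the configured method feeds into the hash."""
    src, dst, sport, dport, service = flow
    if method == "by-5-tuple":
        return (src, dst, sport, dport, service)
    if method == "by-src":
        return (src,)
    if method == "by-src-and-dst":   # StoneOS default
        return (src, dst)
    raise ValueError(f"unknown ecmp-route-select method: {method}")


def ecmp_select(flow: Flow, paths: Sequence[str], method: str = "by-src-and-dst") -> str:
    """Pick one of the equal-cost next hops for this flow."""
    if not paths:
        raise ValueError("no equal-cost paths")
    # With a single path (ecmp enable 1) every flow lands on that path.
    return paths[_stable_hash(*selection_key(flow, method)) % len(paths)]


def paths_per_pair(flows: Iterable[Flow], paths: Sequence[str],
                   method: str) -> Dict[Tuple[str, str], set]:
    """For each (src, dst) pair, the set of paths its flows were spread over."""
    out: Dict[Tuple[str, str], set] = {}
    for f in flows:
        out.setdefault((f[0], f[1]), set()).add(ecmp_select(f, paths, method))
    return out


def pair_sticky(flows: Iterable[Flow], paths: Sequence[str], method: str) -> bool:
    """True if every (src, dst) pair keeps all of its flows on a single path."""
    return all(len(s) == 1 for s in paths_per_pair(flows, paths, method).values())


# Constructed sample: one client talking to two servers over several connections.
SAMPLE_FLOWS: List[Flow] = [
    ("192.0.2.10", "198.51.100.5", p, 443, "tcp") for p in range(40000, 40010)
] + [
    ("192.0.2.10", "198.51.100.6", p, 443, "tcp") for p in range(40000, 40010)
]
SAMPLE_PATHS = ["ethernet0/1", "ethernet0/2", "ethernet0/3"]

if __name__ == "__main__":
    for m in METHODS:
        print(m, paths_per_pair(SAMPLE_FLOWS, SAMPLE_PATHS, m))
```

by-src and by-src-and-dst keep every connection of a source, or of a source and destination pair, on one next hop, which is what a stateful device needs to see both directions of a session; by-5-tuple spreads the same connections across all paths.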

Static Multicast Routing


Multicast refers to the communication method of transmitting data from one source to multiple
destination nodes. The source that sends data is known as the multicast source, and the nodes
that receive data form a multicast group. The destination address to which the multicast source
sends data is known as a multicast address. Its range is 224.0.0.0 to 239.255.255.255 (Class D
addresses).
Any host on the Internet can act as a multicast source. Once the multicast source sends one copy of the data to the multicast address, all the nodes in the group receive it. Transmitting information by multicast saves network bandwidth: an increase in the number of users accessing the network does not place a heavier burden on the sending host, which reduces the network workload.
To transmit data from the multicast source to the members in the multicast group, you need to
manually configure the following options for the multicast routing rule:

l Multicast source and multicast address: the source IP and destination IP of the multicast.

l Ingress and egress interface: the data that match the corresponding multicast source and mul-
ticast address flows in from the ingress interface specified in the multicast routing rule, and
flows out from the specified egress interface.

Enabling/Disabling a Multicast Route


By default the multicast route is disabled. To enable or disable the multicast route, in the VRouter
configuration mode, use the following commands:

l Enable: ip multicast-routing

l Disable: no ip multicast-routing

Configuring a Static Multicast Route


To create a static multicast route, in the VRouter configuration mode, use the following com-
mand:
ip mroute A.B.C.D A.B.C.D [iif interface-name] [eif interface-name]

l A.B.C.D A.B.C.D - Specifies the multicast source and the multicast address. The first A.B.C.D is the IP address of the multicast source, and the second A.B.C.D is the multicast address, which ranges from 224.0.0.0 to 239.255.255.255.

l iif interface-name - Specifies an ingress interface. You can specify up to two ingress interfaces.

l eif interface-name - Specifies an egress interface. You can specify up to four egress interfaces.

To delete the specified static multicast route, in the VRouter configuration mode, use the fol-
lowing command:
no ip mroute A.B.C.D A.B.C.D [iif interface-name] [eif interface-name]

Specifying an Ingress/Egress Interface

You can configure an ingress or egress interface for the existing static multicast route. Each mul-
ticast route can have up to two ingress interfaces, and up to 32 egress interfaces. The options of
ingress and egress interface must be configured in the static multicast route configuration mode.
To enter the static multicast route configuration mode, in the VRouter configuration mode, use
the following command:
ip mroute A.B.C.D A.B.C.D

l A.B.C.D A.B.C.D - Specifies the multicast source and multicast address. The first A.B.C.D is
the IP address of the multicast source, and the second A.B.C.D is the multicast address.

To specify an ingress and egress interface for the existing static multicast routing entry, in the
static multicast route configuration mode, use the following command:

l Specify an ingress interface: iif interface-name

l Specify an egress interface: eif interface-name

Repeat the above command to configure multiple ingress or egress interfaces.

Viewing Multicast Route Information


To view the multicast route information, in any mode, use the following command:
show ip mroute [A.B.C.D A.B.C.D | static | summary] [vrouter vr-name]

l show ip mroute - Shows all the multicast route information.

l A.B.C.D A.B.C.D - Shows the multicast route information of the specified multicast source
and multicast address. The first A.B.C.D is the IP address of the multicast source, and the
second A.B.C.D is the multicast address.

l static - Shows the static multicast route information.

l summary - Shows the summary of multicast route.

l vrouter vr-name - Shows the multicast route information of the specified VRouter.

Viewing Multicast FIB Information


To view the multicast FIB information, in any mode, use the following command:
show mfib [A.B.C.D A.B.C.D | summary] [vrouter vr-name]

l show mfib - Shows all the multicast FIB information.

l A.B.C.D A.B.C.D - Shows the multicast FIB information of the specified multicast source
and multicast address. The first A.B.C.D is the IP address of the multicast source, and the
second A.B.C.D is the multicast address.

l summary - Shows the summary of multicast FIB.

l vrouter vr-name - Shows the multicast FIB information of the specified VRouter.

IGMP
Internet Group Management Protocol (IGMP) is used to establish and maintain multicast group membership between hosts and routers. A host reports its membership of a group to its local router over IGMP, and a router listens to the reports from hosts and periodically sends out queries to check whether any group member is still alive. If no report is received from a member, the router determines that the multicast group has no members.
The latest version of StoneOS supports IGMPv1 (defined in RFC 1112), IGMPv2 (defined in RFC 2236) and IGMPv3 (defined in RFC 3376). It also supports IGMP Proxy (operating at the application layer) and IGMP Snooping (operating at the link layer).

IGMP Proxy
IGMP Proxy is designed to create multicast routing tables and forward multicast data by inter-
cepting the IGMP packets between the hosts and routers. IGMP Proxy acts differently on the
two interfaces of the Hillstone device:

On the upstream interface that connects to the multicast router, it acts as a host, responsible for
responding to the queries from the router. When a new member is added to the multicast group,
or when the last member exits, the proxy will proactively send a packet to report the member
status on the upstream interface.
On the downstream interface that connects to the host, it acts as a router, responsible for the regis-
tration, query and deletion of group members.
To configure an IGMP proxy, take the following steps:

1. Enable multicast. For detailed operation, see Enabling/Disabling a Multicast Route.

2. Enable an IGMP proxy.

3. Configure the upstream interface to the host mode.

4. Configure the downstream interface to the router mode.

5. Configure a policy rule.

Enabling an IGMP Proxy

To enable or disable the IGMP proxy function, in the VRouter configuration mode, use the fol-
lowing commands:

l Enable: ip igmp-proxy enable

l Disable: no ip igmp-proxy enable

To enter the VRouter configuration mode, in the global configuration mode, use the following
command:
ip vrouter vrouter-name

l vrouter-name - Specifies a VRouter. If the name already exists, the system directly enters the configuration mode of that VRouter.

Configuring an IGMP Proxy Mode for an Interface

To configure an IGMP proxy mode (either router mode or host mode) for an interface, in the interface configuration mode, use the following command:
ip igmp-proxy {router-mode | host-mode} [A.B.C.D] [v2 | v3]

l router-mode - Configures the IGMP proxy mode of the downstream interface to the router
mode.

l host-mode - Configures the IGMP proxy mode of the upstream interface to the host mode.

l [A.B.C.D] - Specifies the multicast address. The IGMP proxy mode will only be applied to
this address.

l v2 – Specifies IGMPv2 as the protocol version of the IGMP messages. IGMPv2 is used by default.

l v3 – Specifies IGMPv3 as the protocol version of the IGMP messages.

To cancel the IGMP proxy mode for the specified interface, in the interface configuration mode,
use the following command:
no ip igmp-proxy {router-mode | host-mode} [A.B.C.D]

Viewing IGMP Proxy Information

To view the IGMP Proxy information, in any mode, use the following command:
show ip igmp-proxy [A.B.C.D] [vrouter vrouter-name]

l show ip igmp-proxy - Shows all the IGMP Proxy information in the system.

l [A.B.C.D] - Shows the IGMP Proxy information of the specified multicast address.

l [vrouter vrouter-name] - Shows the IGMP Proxy information of the specified VRouter.

IGMP Snooping
IGMP Snooping is designed to create multicast routing entries for a specific multicast address on a Layer 2 device by listening to the IGMP packets exchanged between hosts and routers. With IGMP Snooping enabled, the Hillstone device forwards multicast data based on the created multicast routing entries, effectively reducing the cost of multicast communication. If IGMP Snooping is disabled, the Hillstone device only floods multicast data.
To configure IGMP Snooping, take the following steps:

1. Enable multicast. For detailed operation, see Enabling/Disabling a Multicast Route.

2. Enable IGMP Snooping.

3. Configure IGMP Snooping.

4. Configure a policy rule.

Enabling IGMP Snooping

To enable or disable the IGMP Snooping function, in the VSwitch configuration mode, use the following commands:

l Enable: ip igmp-snooping enable

l Disable: no ip igmp-snooping enable

To create or enter the VSwitch configuration mode, in the global configuration mode, use the fol-
lowing command:
vswitch vswitchNumber

l Number - Specifies the VSwitch's identifier. The value range may vary between platforms. For example, the command vswitch vswitch2 creates a VSwitch named VSwitch2 as well as an interface named VSwitchif2, and the system enters the configuration mode of VSwitch2. If the specified VSwitch already exists, the system directly enters the VSwitch configuration mode.

Configuring IGMP Snooping

To configure IGMP Snooping, in the interface configuration mode, use the following command:
ip igmp-snooping {router-mode [A.B.C.D] | host-mode [A.B.C.D] | disable | auto}

l router-mode - Configures the IGMP Snooping mode of the downstream interface to the
router mode.

l host-mode - Configures the IGMP Snooping mode of the upstream interface to the host
mode.

l [A.B.C.D] - Specifies the multicast address.

l disable - Disables IGMP Snooping for the interface.

l auto - The system will determine the interface mode automatically based on the IGMP
packet.

To cancel the IGMP Snooping mode, in the interface configuration mode, use the following com-
mand:
no ip igmp-snooping {router-mode A.B.C.D | host-mode A.B.C.D}

Dropping Unknown Multicast

By default dropping unknown multicast is disabled. With this function enabled, the device will
drop the packets that are destined to unknown multicast groups, thus saving the bandwidth. To
enable the function, in the VSwitch configuration mode, use the following command:
unknown-multicast drop

To disable the function, in the VSwitch configuration mode, use the following command:
no unknown-multicast drop

Viewing IGMP Snooping Information

To view the IGMP Snooping information, in any mode, use the following command:

show ip igmp-snooping [A.B.C.D] [vswitch name]

l show ip igmp-snooping - Shows all the IGMP Snooping information.

l [A.B.C.D] - Shows the IGMP Snooping information of the specified multicast address.

l [vswitch name] - Shows the IGMP Snooping information of the specified VSwitch.

BFD
BFD (Bidirectional Forwarding Detection) is a unified detection mechanism for the entire network, used to quickly detect and monitor the forwarding and connection status of links and IP routes. To improve network performance, a protocol neighbor must be able to detect communication failures quickly, so that backup communication can be established in time to restore service.
BFD creates sessions between two routers to monitor the bidirectional forwarding path between them, and provides this service to upper-level protocols, for example routing protocols. BFD has no discovery mechanism of its own; the upper-level protocol instructs BFD to create sessions with the specified peers. If no BFD packets are received from the peer during the detection period after a session is created, BFD notifies the upper-level service, which then performs the corresponding operations.
In the current StoneOS, BFD can integrate with static routes, OSPF routes and BGP routes. Thus, StoneOS can detect the forwarding and connection status of links that carry static, OSPF and BGP routes.

BFD Work Mode


Establishing a BFD session has two modes: active mode and passive mode. StoneOS now sup-
ports the active mode.

l Active mode: No matter whether BFD control packets are received or not from the peer
before creating sessions, the BFD control packets will be sent actively.

l Passive mode: BFD control packets will not be sent before creating sessions until the control
packets, which are sent from the peer, are received. During the process of initiating the ses-
sions, one of the two sides must run in the active mode.

BFD has two detection modes that will work after creating sessions: asynchronous mode and
inquiry mode. Two sides in the communication must be in the same mode.

l Asynchronous mode: Devices working in the asynchronous mode send BFD control packets periodically. If the peer does not receive BFD control packets during the detection period, the session is considered down.

l Inquiry mode: Assumes that there is an independent way to confirm connectivity with the peer system. After the BFD session is created, the device stops sending BFD control packets periodically and sends them only when it explicitly needs to verify the connection.

BFD Echo
The BFD Echo function makes the local device send BFD Echo packets periodically; the peer device only returns the packets to the local device via its forwarding channel. You can use the Echo function to discover failures quickly.
The Echo function can be combined with either detection mode. If you enable the Echo function in the asynchronous mode, the device reduces the sending of control packets. If you enable the Echo function in the inquiry mode, the sending of BFD control packets can be stopped after the BFD session is established.

Notes: To use the Echo function, ensure the peer device can forward the Echo
packets after you enable the Echo function in the local device.

Configuring BFD
Configuring BFD involves the following sections:

l Configuring the BFD detection methods

l Configuring the BFD session parameters

l Enabling/Disabling the Echo function

l Specifying the interval of receiving Echo packets

l Configuring the source IP address of the Echo packets

Configuring the BFD Detection Methods

There are two detection modes after the BFD session is created: the asynchronous mode and the inquiry mode. Both sides of the communication must be in the same mode. By default, the detection mode of a BFD session is the asynchronous mode. You can change the mode according to your requirements. To use the inquiry mode, use the following command:
bfd demand enable

To change back to the asynchronous mode, use the following command:
no bfd demand enable

Configuring the BFD Session Parameters

After creating the BFD sessions, you can modify the minimum interval of receiving/sending BFD
session packets and edit the multiple for calculating the timeout value. To configure the BFD ses-
sion parameters, use the following command in the interface configuration mode:
bfd min-tx min-tx-value min-rx min-rx-value detect-multiplier value

l min-tx-value – Specifies the minimum interval of sending BFD packets. The unit is millisecond. The default value is 100 and the range is 100 to 1000.

l min-rx-value – Specifies the minimum interval of receiving BFD packets. The unit is millisecond. The default value is 100 and the range is 100 to 1000.

l value – Specifies the multiple for calculating the timeout value. The detailed information of

To restore the value to the default one, use the following command in the interface configuration
mode: no bfd min-tx min-rx detect-multiplier.

Notes:

l In the asynchronous mode, the system compares the min-tx-value of the local device with the min-rx-value of the peer device, multiplies the larger one by the value parameter configured on the peer device, and uses the result as the timeout value.

l In the inquiry mode with the Echo function enabled, the system compares the min-tx-value of the local device with the interval of receiving Echo packets configured on the peer device, multiplies the larger one by the value parameter configured on the local device, and uses the result as the timeout value.

l In the asynchronous mode with the Echo function enabled, the system compares the min-tx-value of the local device with the interval of receiving Echo packets configured on the peer device, multiplies the larger one by the value parameter configured on the peer device, and uses the result as the timeout value.
For more information about configuring the interval of receiving Echo packets, see Specifying the Interval of Receiving Echo Packets.

Enabling/Disabling the Echo Function

By default, the Echo function is disabled. To enable this function, use the following command in
the interface configuration mode:
bfd echo enable

Use the following command in the interface configuration mode to disable the function:
no bfd echo enable

Specifying the Interval of Receiving Echo Packets

To specify the interval of receiving Echo packets, use the following command in the interface con-
figuration mode:
bfd min-echo-rx value

l value – Specifies the interval of receiving BFD Echo packets. The unit is millisecond. The
default value is 0 and the range is 100 to 1000.

To restore the value to the default one, use the following command in the interface configuration
mode: no bfd min-echo-rx.

Configuring the Source IP Address of the Echo Packets

If the peer sends a large number of ICMP redirect packets, the network becomes congested. To avoid this congestion, you can configure the source IP address of the Echo packets. To configure the source IP address, use the following command in the global configuration mode:
bfd echo-source-ip echo-src-address

l echo-src-address – Specifies the source IP address of the BFD Echo packets.

To delete the configured source IP address, use the following command in the global con-
figuration mode: no bfd echo-source-ip.

Notes:
l You can specify any source IP address for the Echo packets. Hillstone recommends using an IP address that does not belong to any of the network segments where the interfaces of the device reside.

l The destination IP address of the Echo packets sent from the local device is the interface IP address of the local device.

Configuring BFD Multi-hop Detection

BFD sessions support one-hop detection and multi-hop detection. You can select the detection
method according to the session networking.

l One-hop detection: BFD can detect the connectivity of the IP link between two directly-con-
nected systems.

l Multi-hop detection: BFD can detect the link connectivity of any path between two devices.

Notes:
l In the current system, only BFD multi-hop session detection can integrate
with the BGP route.

l BFD multi-hop session detection only supports the asynchronous mode, not the inquiry mode or the Echo function.

Creating a BFD Multi-hop Detection Template

The BFD multi-hop detection template is used to specify the encryption authentication mode of
BFD control packets, the minimum interval and the detection time multiple for sending or receiv-
ing BFD multi-hop session packets. To create a BFD multi-hop detection template, in the global
configuration mode, use the following command:
bfd template template-name multi-hop

l template-name - Specifies the name of the BFD multi-hop detection template and enters the BFD multi-hop detection template configuration mode. If the specified name already exists, the system directly enters the BFD multi-hop detection template configuration mode.

To delete the specified BFD multi-hop detection template, in the global configuration mode, use the command no bfd template template-name.

Specifying the Encrypted Authentication Mode of BFD Control Packets

As the number of network hops increases, BFD control packets are more easily tampered with. In BFD sessions, BFD control packets can be encrypted and authenticated. To specify the encrypted authentication mode of BFD control packets, in the BFD multi-hop detection template configuration mode, use the following command:
authentication-type {m-md5 | m-sha1 | md5 | sha1 | simple} key-id {plain plain-string}

l m-md5 | m-sha1 | md5 | sha1 | simple - Specifies the authentication algorithm: Meticulous MD5 (m-md5), Meticulous SHA1 (m-sha1), MD5 (md5), SHA1 (sha1) or simple authentication (simple).

l key-id – Specifies the authentication ID.

l plain plain-string – Specifies the key in the form of plain text.

To delete the specified encrypted authentication mode of BFD control packets, in the BFD multi-hop detection template configuration mode, use the command no authentication-type.

Configuring BFD Multi-hop Session Parameters

After the BFD multi-hop session is established, you can modify the minimum interval and the
detection time multiplier for sending or receiving BFD multi-hop session packets. To configure
the BFD multi-hop session parameters, in the BFD multi-hop detection template configuration
mode, use the following commands:
interval min-tx min-tx-value min-rx min-rx-value detect-multiplier value

l min-tx-value – Specifies the minimum interval for sending the BFD multi-hop session pack-
ets. The range is 100 to 1000 milliseconds, and the default value is 100 milliseconds.

l min-rx-value – Specifies the minimum interval for receiving the BFD multi-hop session pack-
ets. The range is 100 to 1000 milliseconds, and the default value is 100 milliseconds.

l detect-multiplier value – Specifies the detection time multiplier used to calculate the detection timeout. The default value is 3, and the range is 3 to 50.

To restore the default values, in the BFD multi-hop detection template configuration mode, use the command no interval min-tx min-rx detect-multiplier.

Integrating BFD with Routing Protocols


BFD can integrate with following routing protocols:

l Integrating BFD with the static route

l Integrating BFD with the OSPF route

l Integrating BFD with the BGP route

l Integrating BFD with the IS-IS Route

Integrating BFD with the Static Route

The static route does not have the neighbor discovering mechanism. Thus, when BFD integrates
with the static route, a failure detected by the BFD session indicates that the next hop is not
reachable and this route will not be added to the routing table.
To integrate BFD with the static route and enable the BFD detection function for the specified next hop, use the following command in the VRouter configuration mode:
ip route {A.B.C.D/M | A.B.C.D A.B.C.D} interface-name A.B.C.D bfd

l A.B.C.D/M | A.B.C.D A.B.C.D – Specifies the network address of the static route. Hill-
stone devices support two formats: A.B.C.D/M or A.B.C.D A.B.C.D, for example,
1.1.1.0/24 or 1.1.1.0 255.255.255.0.

l interface-name A.B.C.D – Specifies the next-hop interface and the IP address of the next hop.

l bfd – Enables the BFD detection function for the specified next hop.

To cancel the integration, use the following command in the VRouter configuration mode:
no ip route {A.B.C.D/M | A.B.C.D A.B.C.D} interface-name A.B.C.D bfd

Integrating BFD with the OSPF Route

By integrating BFD with the OSPF route, the system achieves quick link detection with higher performance than the Hello detection mechanism of the OSPF protocol. With the integration, the OSPF protocol improves its convergence performance.
To integrate BFD with the OSPF route and enable the BFD detection function on the specified interfaces that correspond to the OSPF route, use the following command in the interface configuration mode:
ip ospf bfd

To cancel the integration, use the following command in the interface configuration mode:
no ip ospf bfd

Integrating BFD with the BGP Route

To integrate BFD with the BGP route and enable the BFD detection function for the specified
BGP neighbor, you can select the one-hop or multi-hop detection. In the BGP instance con-
figuration mode, use the following command:
neighbor A.B.C.D fall-over bfd [multi-hop bfd-template-name]

l A.B.C.D – Specifies the IP address of the BGP peer.

l multi-hop bfd-template-name – When the multi-hop detection mode is used, specify the
name of the BFD multi-hop detection template to bind this template. If this parameter is not
specified, the single-hop detection mode will be used.

To cancel the integration, use the following command in the BGP instance configuration mode:
n o n eigh b o r A.B.C.D fall-o ver b fd

Integrating BFD with the IS-IS Route

By integrating BFD with the IS-IS route, BFD works with IS-IS to detect faults on neighboring devices or links more quickly. In this manner, fast route convergence is implemented.

To integrate BFD with the IS-IS route and enable the BFD detection function on the specified interfaces that correspond to the IS-IS route, use the following command in the interface configuration mode:
isis bfd

To cancel the integration, use the following command in the interface configuration mode:
no isis bfd

Viewing BFD Session Information


To view the BFD session information, use the following command in any mode:
show bfd session [interface interface-name | neighbor A.B.C.D | detail]

l interface interface-name – Shows the information of the BFD sessions of the specified interface.

l neighbor A.B.C.D – Specifies the ID of the neighbor router.

l detail – Shows the detailed information of the BFD sessions of all routers.

MPLS
MPLS is a technique which enables the forwarding of packets based on labels. A label is a fixed-
length local identifier, encapsulated between the link layer and the network layer. It is used to
identify the FEC (Forwarding Equivalence Class) to which a packet belongs, so that a group of
packets can be forwarded in the same manner, for example, over the same path or with the same
forwarding treatment. For packets carrying MPLS labels, forwarding is based on label lookup and
replacement only, rather than on the destination IP address in traditional IP forwarding.
An MPLS network consists of LSRs (Label Switching Routers) as its basic units. LSRs located on the edge of an MPLS network are called LERs (Label Edge Routers); they interconnect with non-MPLS networks.
When an IP packet enters the MPLS network, the ingress LER parses the packet's header, encapsulates the packet with a label and then forwards it to the next hop. All subsequent MPLS nodes forward the packet based on the label of the received packet without parsing the IP header, until the label is removed when the packet leaves the MPLS network.


In the MPLS network, when a StoneOS device is deployed in Layer-2 security zone mode, it can decapsulate the MPLS labels to obtain the IP packet and then send the packet to the related service modules for security control. After that, the IP packet is encapsulated again with the previously removed labels and transparently sent on to the next LSR.
A StoneOS device can decapsulate at most five layers of MPLS labels. Packets encapsulated in more than five layers of labels are treated as non-IP packets and processed according to the configuration of the l2-nonip-action command.
MPLS packet security control is disabled by default. To enable this function, use the following command in the VSwitch configuration mode (enter the mode by using the command vswitch vswitch-number):
mpls-tunnel-inspection-enable
To disable this function, use the following command in the VSwitch configuration mode:
no mpls-tunnel-inspection-enable
To enable MPLS debugging, use the following command in any mode:
debug dp mpls {basic | error}

l basic – Enables MPLS basic information debugging.

l error – Enables MPLS error information debugging.

To disable MPLS debugging, use the following command in any mode:
undebug dp mpls {basic | error}

l basic – Disables MPLS basic information debugging.

l error – Disables MPLS error information debugging.
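
As an added example (not StoneOS code), the following Python model walks the label stack described above, applies the five-label limit, and re-attaches the labels after inspection. The packet bytes, the helper names and the IPv4-only check are constructed here for the demonstration.

```python
"""Model of the Layer-2 MPLS inspection path: pop the label stack, hand the
inner IPv4 packet to inspection, then put the labels back unchanged.
Added example; not StoneOS code. The five-label limit is the figure given in
the guide; packet bytes and helper names are constructed for the demo."""
import struct
from typing import Dict, List, Tuple

MAX_LABEL_DEPTH = 5      # StoneOS decapsulates at most five MPLS labels
LABEL_ENTRY_LEN = 4      # one label stack entry is 32 bits (RFC 3032)


def parse_label_stack(payload: bytes) -> Tuple[List[Dict[str, int]], bytes]:
    """Pop label entries until the bottom-of-stack (S) bit is set.

    Each entry is: 20-bit label | 3-bit TC | 1-bit S | 8-bit TTL.
    Returns the popped entries (outermost first) and the remaining bytes."""
    labels: List[Dict[str, int]] = []
    offset = 0
    while True:
        if len(payload) - offset < LABEL_ENTRY_LEN:
            raise ValueError("truncated MPLS label stack (no bottom-of-stack bit)")
        (entry,) = struct.unpack_from("!I", payload, offset)
        offset += LABEL_ENTRY_LEN
        labels.append({
            "label": entry >> 12,
            "tc": (entry >> 9) & 0x7,
            "s": (entry >> 8) & 0x1,
            "ttl": entry & 0xFF,
        })
        if entry & 0x100:        # S bit set: this was the last label
            break
    return labels, payload[offset:]


def classify(payload: bytes) -> Tuple[str, List[Dict[str, int]], bytes]:
    """Decide how the device would treat an MPLS-encapsulated frame payload.

    Returns ("ip", labels, ip_packet) when the stack is at most
    MAX_LABEL_DEPTH deep and the inner packet looks like IPv4; otherwise
    ("non-ip", labels, inner) to mirror the l2-nonip-action fallback."""
    labels, inner = parse_label_stack(payload)
    if len(labels) > MAX_LABEL_DEPTH:
        return "non-ip", labels, inner
    # MPLS carries no protocol field, so the inner type is inferred from the
    # IP version nibble; anything that is not IPv4 is treated as non-IP here.
    if len(inner) >= 20 and (inner[0] >> 4) == 4:
        return "ip", labels, inner
    return "non-ip", labels, inner


def reencapsulate(labels: List[Dict[str, int]], ip_packet: bytes) -> bytes:
    """Re-attach the previously removed labels, outermost first, unchanged."""
    out = bytearray()
    for e in labels:
        out += struct.pack("!I", (e["label"] << 12) | (e["tc"] << 9)
                           | (e["s"] << 8) | e["ttl"])
    return bytes(out) + ip_packet


def build_label_stack(label_values: List[int], ttl: int = 64) -> bytes:
    """Constructed test helper: encode a list of label values as a stack."""
    out = bytearray()
    for i, value in enumerate(label_values):
        s_bit = 1 if i == len(label_values) - 1 else 0
        out += struct.pack("!I", (value << 12) | (s_bit << 8) | ttl)
    return bytes(out)


# Constructed minimal IPv4 header (20 bytes, version 4, no options, no checksum).
SAMPLE_IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0, 64, 6, 0,
                          bytes([10, 1, 1, 2]), bytes([10, 1, 2, 2]))


def demo() -> Tuple[str, str]:
    """Three labels are inspected as IP; six labels fall back to non-IP."""
    three = build_label_stack([100, 200, 300]) + SAMPLE_IPV4
    six = build_label_stack([1, 2, 3, 4, 5, 6]) + SAMPLE_IPV4
    kind3, labels3, inner3 = classify(three)
    assert reencapsulate(labels3, inner3) == three   # labels restored intact
    return kind3, classify(six)[0]


if __name__ == "__main__":
    print(demo())
```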

Protocol Independent Multicast (PIM)


Protocol Independent Multicast (PIM) means that a static route or any unicast routing protocol, such as RIP, OSPF, IS-IS, or BGP, can provide the routing information for IP multicast. Multicast routing is not dependent on the unicast routing protocols, except that the multicast routing tables are generated by them.
According to the mechanism used, PIM is divided into the following two modes:

l Protocol Independent Multicast-Dense Mode (PIM-DM): applies to small-scale networks in which receivers are densely distributed.

l Protocol Independent Multicast-Sparse Mode (PIM-SM): applies to large-scale networks in which receivers are sparsely distributed.

Currently, the system supports only the PIM-SM mode.

Basic Principles of PIM-SM


PIM-SM resolves P2MP (point-to-multipoint) data transmission problems in a large-scale network where users are sparsely distributed, so that users can receive data on demand.
PIM-SM assumes that no host wants to receive multicast data. The PIM device forwards multicast data to a host only when the host requests multicast data explicitly.
PIM-SM sends the multicast information to the PIM devices in the PIM domain through the configured RP (Rendezvous Point) and BSR (BootStrap Router), and then an RPT (Rendezvous Point Tree) is built. Multicast data is forwarded to the receiver along the RPT through the RP.

The key concepts of PIM-SM are as follows:

l PIM Domain: A network formed by PIM devices.

l DR (Designated Router): There are two types of DR in a PIM network.


l Multicast source DR: A PIM device that is directly connected to the multicast source in a
PIM-SM domain and is responsible for sending Register messages to the RP.

l Receiver DR: A PIM device that is directly connected to group members (receiver hosts) and
is responsible for forwarding multicast data to the group members.

l RP (Rendezvous Point): An RP is the core of a PIM-SM network and can be either a static RP or a dynamic RP. An RPT is a shared tree with the RP as the root and the members of the multicast group as the leaves in a PIM-SM network.

l BSR (BootStrap Router): A BSR of a PIM-SM network, which is responsible for collecting
and distributing RP information.

l RPT (Rendezvous Point Tree): An RPT is a multicast distribution tree (MDT) with an RP as
the root and members of multicast group as the leaves.

l SPT (Shortest Path Tree): A shortest path tree (SPT) is a multicast distribution tree (MDT)
with the multicast source as the root and members of multicast group as leaves.

Configuring PIM-SM

PIM-SM configurations include basic configurations and configurations of PIM-SM on different interfaces.
The basic configurations of PIM-SM include:

l Enabling/Disabling a Multicast Route (For details, see the Static Multicast Routing >
Enabling/Disabling a Multicast Route section)

l Enabling/Disabling the PIM-SM

l Configuring a Candidate RP

l Configuring a Candidate BSR


l Configuring a Static RP

l Configuring the Switchover to SPT

The PIM-SM configurations for the interfaces include:

l Enabling/Disabling the PIM-SM for Interfaces

l Configuring the Priority of DR

l Specifying the Interval for Sending the Hello Packets

l Specifying the Interval for Sending IGMP General Query Messages

l Specifying the IGMP General Query Timeout

l Specifying the Maximum Response Time for IGMP General Query

Notes: The PIM-SM function cannot be configured with the static multicast routing
function or the IGMP Proxy function at the same time.

Basic Configurations

You can configure PIM-SM for different VRouters. The basic configurations of PIM-SM must be made in the PIM-SM configuration mode. To enter the PIM-SM configuration mode, in the global configuration mode, use the following commands:
ip vrouter vrouter-name (enters the VRouter configuration mode)
router pim (enters the PIM-SM configuration mode)

Enabling/Disabling the PIM-SM

By default, the PIM-SM function is disabled. To enable or disable the PIM-SM function, in the
PIM-SM configuration mode, use the following commands:

l Enable: pim-sm enable

l Disable: no pim-sm enable


Configuring a Candidate RP

Select PIM devices in the PIM-SM domain to configure as candidate RPs (Rendezvous Points); the RP is then elected from the candidates. Configure candidate BSRs at the same time; the BSR (BootStrap Router), which is responsible for collecting and distributing the RP information in the network, is then elected from the candidate BSRs.
To configure the candidate RP, in the PIM-SM configuration mode, use the following command:
rp-candidate interface-name [interval interval-time] [priority level]

l interface-name – Specifies the interface where the candidate RP resides. The interface must be enabled with PIM-SM.

l interval interval-time – Specifies the interval for sending candidate RP messages. The range is 1 to 16383 seconds. The default value is 60 seconds.

l priority level – Specifies the priority (the smaller the value, the higher the priority). In the RP election, the candidate RP with the higher priority is elected as the RP. The range is 0 to 255 and the default priority is 0.

To delete the configuration of the candidate RP, in the PIM-SM configuration mode, use the following command:
no rp-candidate

Notes: When configuring a candidate RP, you do not need to specify a multicast
address. The default multicast address is 224.0.0.0/4.

Configuring a Candidate BSR

In a PIM-SM domain, you need to configure one or more candidate BSRs, and the BSR is generated from the candidate BSRs automatically. The BSR collects and distributes the RP information.
To configure the candidate BSR, in the PIM-SM configuration mode, use the following command:
bsr-candidate interface-name [priority level]

l interface-name – Specifies the interface where the candidate BSR resides. The interface must be enabled with PIM-SM.

l priority level – Specifies the priority (the higher the value, the higher the priority). If there is only one candidate BSR in the PIM-SM domain, it becomes the BSR. If there are multiple candidate BSRs, the candidate BSR with the higher priority is elected as the BSR. The range is 0 to 255, and the default priority is 0.

To delete the configuration of the candidate BSR, in the PIM-SM configuration mode, use the following command:
no bsr-candidate

Notes: When a dynamic RP is used, a candidate RP and at least one candidate BSR must be configured in the PIM-SM domain.

Configuring a Static RP

When there is only one Rendezvous Point (RP) in the network, it is recommended to configure a static RP rather than a dynamic RP, which saves the bandwidth occupied by message exchange between the candidate RP and the BSR. In the PIM-SM domain, the static RP configured on all the devices should be the same.
To specify the address of the static RP, in the PIM-SM configuration mode, use the following command:
rp-address A.B.C.D [A.B.C.D/M]

l A.B.C.D – Specifies the IP address of the interface where the static RP resides.

l A.B.C.D/M – Specifies the multicast address.

To delete the configured static RP address, in the PIM-SM configuration mode, use the following command:
no rp-address A.B.C.D [A.B.C.D/M]


Configuring the Switchover to SPT

Since the RPT (Rendezvous Point Tree) in the PIM-SM domain may not be the shortest path, the RP may become a point of failure when the multicast data traffic becomes too high. To solve this problem, the RPT can be switched to the SPT (Shortest Path Tree); this switchover is enabled by default. After the switchover, the multicast data is sent directly from the multicast source to the receiver along the SPT. You can enable or disable the switchover from RPT to SPT as needed.
Figure: Before RPT switch to SPT

Figure: After RPT switch to SPT

To configure the switchover to SPT, in the PIM-SM configuration mode, use the following command:
spt-threshold {0 | infinity}

l 0 – Enables the switchover from RPT to SPT. This is the default option.

l infinity – Disables the switchover to SPT.

To restore the default switchover setting, in the PIM-SM configuration mode, use the following command:
no spt-threshold

Configuring PIM-SM for Interfaces

The PIM-SM function for an interface must be configured in the interface configuration mode.
The PIM-SM configurations for the interfaces include:

l Enabling/Disabling the PIM-SM for Interfaces

l Configuring the Priority of DR

l Specifying the Interval for Sending the Hello Packets

l Specifying the Interval for Sending IGMP General Query Messages

l Specifying the IGMP General Query Timeout

l Specifying the Maximum Response Time for IGMP General Query

Enabling/Disabling the PIM-SM for Interfaces

By default, the PIM-SM function for an interface is disabled. To enable or disable the PIM-SM function for an interface, in the interface configuration mode, use the following commands:

l Enable PIM-SM on the specified interface: ip pim sparse-mode

l Disable PIM-SM on the specified interface: no ip pim sparse-mode

Notes: The PIM-SM function can be enabled only on Layer 3 interfaces.

Configuring the Priority of DR

The priority of the DR (Designated Router) is used to determine which router acts as the designated router (DR). To specify the priority of the DR, in the interface configuration mode, use the following command:
ip pim dr-priority level

l level – Specifies the priority of the DR (the higher the value, the higher the priority). The default value is 1. The range is 0 to 4294967294. All routers in the PIM-SM domain can be candidates for DR, and the router with the higher priority is selected. If the priority of the routers is the same, the one with the larger IP address is selected.

To restore the default priority, in the interface configuration mode, use the command no ip pim dr-priority.

Specifying the Interval for Sending the Hello Packets

After the PIM-SM function is enabled on an interface, Hello packets will be sent periodically.
You can specify the interval for sending Hello packets on the interface as needed. In the interface
configuration mode, use the following command:
ip pim query-interval interval

l interval – Specifies the interval for sending Hello packets. The range is 1 to 65535 seconds, and the default interval is 30 seconds.

To restore the default interval, in the interface configuration mode, use the command no ip pim query-interval.

Specifying the Interval for Sending IGMP General Query Messages

The network where the receiver host is located may connect to multiple multicast routers. These multicast routers then automatically elect one router as the querier to maintain the IGMP group membership of the interface. On the Hillstone device, after the PIM-SM function is enabled for the interface, the querier sends IGMP general query messages to learn about the joining and leaving of multicast group members.
To specify the interval for sending IGMP general query messages, in the interface configuration mode, use the following command:
ip pim igmp-query-interval interval

l interval – Specifies the interval for sending IGMP general query messages. The range is 1 to 18000 seconds, and the default value is 60 seconds.

To restore the default interval, in the interface configuration mode, use the command no ip pim igmp-query-interval.

Specifying the IGMP General Query Timeout

If the multicast routers in the network do not receive IGMP general query messages within the specified timeout period, they elect a querier again.
To specify the IGMP general query timeout value, in the interface configuration mode, use the following command:
ip pim igmp-query-timeout timeout-value

l timeout-value – Specifies the IGMP general query timeout value. The range is 30 to 300 seconds, and the default value is 120 seconds.

To restore the default timeout value, in the interface configuration mode, use the command no ip pim igmp-query-timeout.

Specifying the Maximum Response Time for IGMP General Query

You can specify the maximum response time after the receiver host receives the general query message. If the querier has sent the IGMP general query message twice and received no response from the receiver host within the specified maximum response time, the system deletes the receiver from the multicast routing table.
To specify the maximum response time, in the interface configuration mode, use the following command:
ip pim igmp-query-max-response-time response-time

l response-time – Specifies the maximum response time for the IGMP general query. The range is 1 to 25 seconds, and the default value is 10 seconds.

To restore the default value, in the interface configuration mode, use the command no ip pim igmp-query-max-response-time.


Viewing PIM-SM Information

To view the BSR information, in any mode, use the following command:
show ip pim bsr-route [vrouter vrouter-name]

l vrouter vrouter-name – Shows the BSR information of the specified VRouter.

To view the PIM-SM interface information, in any mode, use the following command:
show ip pim interface [interface-name]

l interface-name - Shows the PIM information of the specified interface.

To view the PIM neighbor information, in any mode, use the following command:
show ip pim neighbor [vrouter vrouter-name]

l vrouter-name - Shows the PIM neighbor information of the specified VRouter.

To view the RP information, in any mode, use the following command:
show ip pim rp [vrouter vrouter-name | mapping [vrouter vrouter-name]]

l vrouter vrouter-name – Shows the RP information of the specified VRouter.

l mapping [vrouter vrouter-name] – Shows all RP mapping information of the specified VRouter.

To view the RPF information, in any mode, use the following command:
show ip pim rpf source-address [vrouter vrouter-name]

l source-address – Shows the RPF information of the specified multicast source IP address.

l vrouter vrouter-name – Shows the RPF information of the multicast source IP address of the specified VRouter.

To view the IGMP multicast group information, in any mode, use the following command:
show ip pim igmp groups [group-address [vrouter vrouter-name]]


l group-address – Shows the IGMP multicast group information of the specified IP address.

l vrouter vrouter-name – Shows the IGMP multicast group information of the specified
VRouter.

To view the IGMP interface information, in any mode, use the following command:
show ip pim igmp interfaces [interface-name]

l interface-name – Shows the IGMP information of the specified interface (the interface
enabled with PIM-SM).

PIM-SSM
PIM-SM needs to maintain Rendezvous Points (RPs) to transmit multicast data. If receivers know the exact location of a multicast source and want to request multicast data directly from that source, Protocol Independent Multicast-Source-Specific Multicast (PIM-SSM) enables hosts to join multicast groups rapidly. A shortest path tree (SPT) is set up between the multicast source and the group members without maintaining an RP. The multicast data is forwarded to the receivers along the SPT.

Configuring PIM-SSM

The basic configurations of PIM-SSM include:

l Enabling/Disabling a Multicast Route (For details, refer to Static Multicast Routing > Enabling/Disabling a Multicast Route)

l Configuring the range of PIM-SSM multicast group addresses

Notes:
l The PIM-SSM function is based on the PIM-SM function. Configure PIM-SM mode first before configuring PIM-SSM (For details, refer to Protocol Independent Multicast > Configuring PIM-SM).

l In an HA environment, PIM-SSM supports only the Active-Passive (A/P) mode.

Configuring Address Range of PIM-SSM Multicast Group

By default, the address range of PIM-SSM is 232.0.0.0/8. You can configure the address range of the PIM-SSM multicast group as needed; the address range of the PIM-SSM group should be the same throughout the network. When the address range of the PIM-SSM multicast group is configured, the PIM-SSM function is also enabled.
To configure the address range of the PIM-SSM multicast group, in the PIM-SM configuration mode, use the following command:
pim-ssm {default | group-prefix/Mask}

l default – Uses the default address range of the PIM-SSM multicast group: 232.0.0.0/8.

l group-prefix/Mask – Specifies the address range of a certain PIM-SSM multicast group.

To delete the configured address range, in the PIM-SM configuration mode, use the following command:
no pim-ssm

Configuring IGMP Packets Filtering


You can filter the IGMP packets received from interfaces with the PIM-SM/PIM-SSM function enabled, to allow or deny the multicast sources or multicast groups carried in certain IGMP packets. By default, interfaces accept all IGMP packets.
To make an interface allow or deny the multicast group in IGMPv1/IGMPv2 packets, in the interface configuration mode, use the following command:
ip pim igmp {permit | deny} group-prefix/Mask

l permit – Allows the interface to receive the multicast group in IGMPv1/IGMPv2 packets.

l deny – Makes the interface deny receiving the multicast group in IGMPv1/IGMPv2 packets.

l group-prefix/Mask – Specifies the address range of the multicast group.

To restore the default values, in the interface configuration mode, use the following command:
no ip pim igmp {permit | deny}

To make an interface allow or deny the multicast source and multicast group in IGMPv3 packets, in the interface configuration mode, use the following command:
ip pim igmpv3 {permit | deny} {any | source-prefix/Mask} {any | group-prefix/Mask}

l permit – Allows the interface to receive the multicast source and multicast group in IGMPv3 packets.

l deny – Makes the interface deny receiving the multicast source and multicast group in IGMPv3 packets.

l any | source-prefix/Mask – Specifies the address range of the multicast source. any matches any multicast source address.

l any | group-prefix/Mask – Specifies the address range of the multicast group. any matches any multicast group address.

To restore the default values, in the interface configuration mode, use the following command:
no ip pim igmpv3 {permit | deny}

Adding Multicast Router Interface to Multicast Group


In a multicast environment, multicast receivers indicate their interest in receiving multicast data by sending an IGMP report to the routers in the network. The routers are then responsible for delivering the data from the source to the receivers. However, if the routers do not connect to multicast receivers, or the connected multicast receivers cannot send an IGMP report, data from the source fails to reach the routers. To solve this issue, you can add the interface of the multicast routers to the multicast group by configuring join-group. The interface can be added to a specified multicast group based on the IGMPv2 protocol or the IGMPv3 protocol.
To add the interface to a specified multicast group based on IGMPv2, run the following command in the interface configuration mode:
ip pim igmp join-group group-address

l group-address – Specifies the IP address of the multicast group to which the interface is added based on the IGMPv2 protocol.

In the interface configuration mode, run the no ip pim igmp join-group group-address command to remove the interface from the specified multicast group.
To add the interface to a specified multicast group based on IGMPv3, run the following command in the interface configuration mode:
ip pim igmpv3 join-group group-address source-address

l group-address – Specifies the IP address of the multicast group to which the interface is added based on the IGMPv3 protocol.

l source-address – Specifies the IP address of the multicast source whose data traffic the interface receives.

In the interface configuration mode, run the no ip pim igmp join-group group-address source-address command to remove the interface from the specified multicast group.

Notes:
l Only Layer 3 interfaces can be added to the multicast group.

l To add an interface to the multicast group, the following requirements need to be met:

    l The PIM-SM function is enabled for the interface. For more information, refer to Enabling/Disabling the PIM-SM for Interfaces.

    l The device where the interface resides is the receiver DR and has the highest priority. For more information about how to configure the priority of the DR, refer to Configuring the Priority of DR.

    l The PIM-SM function is also enabled for the upstream device of the device where the interface resides.

Examples of Configuring Routes


This section describes several route-related configuration examples, including an enabling/disabling static route query configuration example, multi-VR configuration examples, a static multicast route configuration example, an IGMP Proxy configuration example and an inbound LLB configuration example.

Example of Configuring Static Route Query


The interfaces ethernet0/0 and ethernet0/1 of the device connect to the ISPs Netcom and Telecom respectively; the traffic from Trust and Trust1 in the intranet goes to Netcom, and other traffic goes to Telecom. The network topology is shown below:

As shown above, ethernet0/0 and ethernet0/1 belong to the untrust zone, and their IPs are 202.10.11.2 and 202.10.10.2 respectively; ethernet0/2 and ethernet0/3 belong to the Trust zone, and their IPs are 202.10.2.1/24 and 202.10.3.1/24 respectively; ethernet0/4 and ethernet0/5 belong to the Trust1 zone, and their IPs are 202.10.4.1/24 and 202.10.5.1/24 respectively; ethernet0/6, ethernet0/7 and ethernet0/8 belong to the Trust2 zone, and their IPs are 202.10.6.1/24, 202.10.7.1/24 and 202.10.8.1/24 respectively.

Configuration Steps

Configurations of the security zones and interfaces are omitted. Only the configuration example of the routes is given below:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 0.0.0.0/0 202.10.10.2 (the traffic from this segment goes to Telecom by default)

hostname(config-vrouter)# ip route source 202.10.2.1/24 202.10.11.2 (the traffic from this segment goes to Netcom by default)

hostname(config-vrouter)# ip route source 202.10.3.1/24 202.10.11.2 (the traffic from this segment goes to Netcom by default)

hostname(config-vrouter)# ip route source 202.10.4.1/24 202.10.11.2 (the traffic from this segment goes to Netcom by default)

hostname(config-vrouter)# ip route source 202.10.5.1/24 202.10.11.2 (the traffic from this segment goes to Netcom by default)

In the above source routing configuration, the traffic from the Trust and Trust1 zones goes to Netcom, while the traffic from other zones goes to Telecom. If the Netcom line fails for any reason, users in the Trust and Trust1 zones will not be able to access the Internet. In such a case, the traffic is completely migrated to the Telecom line only when all four source routes above are deleted. If there are many relevant source routes, the workload of deleting the routes and then adding them back after troubleshooting is very heavy; besides, this tedious work is also error-prone. Hillstone's solution is: when any line fails, disable the source route query, and then users in the Trust and Trust1 zones use the default route and access the Internet through the Telecom line. Use the following command:

hostname(config)# route disable sbr

After troubleshooting, to re-enable the source route query function, use the following command:

hostname(config)# route enable sbr
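
The following Python model, added here and not part of the guide or of StoneOS, reproduces the lookup behaviour the example relies on: source routes are consulted before the default route while the source route query is enabled, and route disable sbr skips that step. The lookup order, the class and function names, and the sample hosts are assumptions made for the demonstration; the real forwarding path has further stages this model leaves out.

```python
"""Model of the route lookup behind the static route query example.
Added example, not StoneOS code. Assumption: with SBR enabled, a source
route that matches the packet's source wins over the destination routes;
with SBR disabled, only the destination routes are consulted."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, next-hop address)


def _longest_match(routes: List[Route], addr: str) -> Optional[str]:
    """Longest-prefix match; returns the next hop or None."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for net, nh in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


class VRouter:
    """Hypothetical stand-in for one VRouter's route tables."""

    def __init__(self) -> None:
        self.dest_routes: List[Route] = []     # ip route A.B.C.D/M next-hop
        self.source_routes: List[Route] = []   # ip route source A.B.C.D/M next-hop
        self.sbr_enabled = True                # route enable sbr (default)

    def ip_route(self, prefix: str, next_hop: str) -> None:
        # strict=False accepts prefixes written with host bits, e.g. 202.10.2.1/24
        self.dest_routes.append((ipaddress.ip_network(prefix, strict=False), next_hop))

    def ip_route_source(self, prefix: str, next_hop: str) -> None:
        self.source_routes.append((ipaddress.ip_network(prefix, strict=False), next_hop))

    def route_sbr(self, enable: bool) -> None:
        """route enable sbr / route disable sbr"""
        self.sbr_enabled = enable

    def lookup(self, src: str, dst: str) -> Optional[str]:
        """Source route first (when SBR is enabled), then destination route."""
        if self.sbr_enabled:
            nh = _longest_match(self.source_routes, src)
            if nh is not None:
                return nh
        return _longest_match(self.dest_routes, dst)


NETCOM, TELECOM = "202.10.11.2", "202.10.10.2"   # next hops from the example


def build_trust_vr() -> VRouter:
    """The routes from the configuration steps above."""
    vr = VRouter()
    vr.ip_route("0.0.0.0/0", TELECOM)
    for seg in ("202.10.2.1/24", "202.10.3.1/24", "202.10.4.1/24", "202.10.5.1/24"):
        vr.ip_route_source(seg, NETCOM)
    return vr


def failover_demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Trust host before failure, Trust2 host, Trust host after 'route disable sbr'.
    Host and destination addresses are constructed for the demo."""
    vr = build_trust_vr()
    before = vr.lookup("202.10.2.50", "198.51.100.10")   # Trust -> Netcom
    other = vr.lookup("202.10.6.50", "198.51.100.10")    # Trust2 -> Telecom
    vr.route_sbr(False)                                  # Netcom line is down
    after = vr.lookup("202.10.2.50", "198.51.100.10")    # Trust -> Telecom
    return before, other, after


if __name__ == "__main__":
    print(failover_demo())
```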

Example of Configuring Multi-VR


This section describes two multi-VR configuration examples, including:

l Independent multi-VR forwarding

l Inter-VR forwarding


Independent Multi-VR Forwarding

There are overlapping IP addresses in trust-vr and VR1, but the data transmission of the two VRs should be independent and should not affect each other. The network topology is shown below:

There are two VRs in the system: trust-vr and VR1. ethernet0/1 belongs to zone1, ethernet0/2 belongs to zone2, and both zone1 and zone2 belong to trust-vr; ethernet0/3 belongs to zone3, ethernet0/4 belongs to zone4, and both zone3 and zone4 belong to VR1. The IP addresses of ethernet0/1 and ethernet0/3 overlap; the IP addresses of ethernet0/2 and ethernet0/4 overlap as well.

Configuration Steps

Step 1: Enable multi-VR on the device:

hostname# exec vrouter enable

Warning: please reboot the device to make the change validation!

hostname# reboot

System reboot, are you sure? y/[n]: y

Step 2: After rebooting, create VR1:

hostname(config)# ip vrouter VR1

Step 3: Configure interfaces and security zones (by default zone1 and zone2 belong to trust-vr):

hostname(config)# zone zone1

hostname(config-zone-zone1)# exit

hostname(config)# zone zone2

hostname(config-zone-zone2)# exit

hostname(config)# zone zone3

hostname(config-zone-zone3)# vrouter VR1

hostname(config-zone-zone3)# exit

hostname(config)# zone zone4

hostname(config-zone-zone4)# vrouter VR1

hostname(config-zone-zone4)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone zone1

hostname(config-if-eth0/1)# ip address 10.1.1.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone zone2

hostname(config-if-eth0/2)# ip address 10.1.2.1/24

hostname(config-if-eth0/2)# exit

hostname(config)# interface ethernet0/3

hostname(config-if-eth0/3)# zone zone3

hostname(config-if-eth0/3)# ip address 10.1.1.1/24

hostname(config-if-eth0/3)# exit

hostname(config)# interface ethernet0/4

hostname(config-if-eth0/4)# zone zone4

hostname(config-if-eth0/4)# ip address 10.1.2.1/24

hostname(config-if-eth0/4)# exit

hostname(config)#


Inter-VR Forwarding

There are two VRs in the system: trust-vr and VR1. The goal is to allow trust-vr to forward data through VR1. The network topology is shown below:

There are two VRs in the system: trust-vr and VR1. ethernet0/0 belongs to zone1, and zone1 belongs to trust-vr; ethernet0/2 and ethernet0/3 belong to zone2, and zone2 belongs to trust-vr. The following configuration example allows trust-vr to forward data through VR1.

Configuration Steps

Step 1: Enable multi-VR on the device:

hostname# exec vrouter enable

Warning: please reboot the device to make the change validation!

hostname# reboot

System reboot, are you sure? y/[n]: y

Step 2: After rebooting, create VR1:

hostname(config)# ip vrouter VR1

Step 3: Configure interfaces and security zones (by default zone1 and zone2 belong to trust-vr):

hostname(config)# zone zone1

hostname(config-zone-zone1)# vrouter VR1

hostname(config-zone-zone1)# exit

hostname(config)# zone zone2

hostname(config-zone-zone2)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone zone1

hostname(config-if-eth0/1)# ip address 1.1.1.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone zone2

hostname(config-if-eth0/2)# ip address 10.1.1.1/24

hostname(config-if-eth0/2)# exit

hostname(config)# interface ethernet0/3

hostname(config-if-eth0/3)# zone zone2

hostname(config-if-eth0/3)# ip address 10.1.2.1/24

hostname(config-if-eth0/3)# exit

hostname(config)#

Step 4: Configure an inter-VR forwarding route:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 0.0.0.0/0 vrouter VR1

hostname(config-vrouter)# exit

hostname(config)# ip vrouter VR1

hostname(config-vrouter)# ip route 10.1.1.0/24 vrouter trust-vr

hostname(config-vrouter)# ip route 10.1.2.0/24 vrouter trust-vr

hostname(config-vrouter)# exit

hostname(config)#

Example of Configuring Static Multicast Route


This section describes a static multicast route configuration example.


Requirement

The multicast source sends data to a multicast group. The multicast address is 224.91.91.2. Interface ethernet0/0, the ingress interface of the multicast data, belongs to the trust zone; ethernet0/1, the egress interface of the multicast data, belongs to the untrust zone. The goal is to configure a static multicast route so that the multicast data can be properly transmitted to the client PC that belongs to the multicast group. The network topology is shown below:

Configuration Steps

Step 1: Configure interfaces and security zones:

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone trust
hostname(config-if-eth0/0)# ip address 1.1.1.1/24
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 2.1.1.1/24
hostname(config-if-eth0/1)# exit
hostname(config)#

Step 2: Enable multicast routing and configure a static multicast route:

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ip multicast-routing
hostname(config-vrouter)# ip mroute 1.1.1.2 224.91.91.2 iif ethernet0/0 eif ethernet0/1
hostname(config-vrouter)# exit
hostname(config)#

Step 3: Configure a policy rule:

hostname(config)# address src
hostname(config-addr)# ip 1.1.1.2/32
hostname(config-addr)# exit
hostname(config)# address dst
hostname(config-addr)# ip 224.91.91.2/32
hostname(config-addr)# exit
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr src
hostname(config-policy-rule)# dst-addr dst
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Example of Configuring IGMP Proxy


This section describes an IGMP Proxy configuration example.

Requirement

The multicast source sends data to the multicast group. The multicast address is 224.91.91.2.
Interface ethernet0/0 is the upstream interface; ethernet0/1 and ethernet0/2 are the downstream
interfaces. Configure an IGMP Proxy so that the multicast data can be properly forwarded to the
client PC that belongs to the multicast group. The network topology is shown below:

Configuration Steps

Step 1: Configure interfaces and security zones:

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone untrust
hostname(config-if-eth0/0)# ip address 10.0.0.2/24
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone trust
hostname(config-if-eth0/1)# ip address 192.168.0.1/24
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# zone trust
hostname(config-if-eth0/2)# ip address 192.168.1.1/24
hostname(config-if-eth0/2)# exit
hostname(config)#

Step 2: Enable multicast routing:

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ip multicast-routing
hostname(config-vrouter)# exit
hostname(config)#

Step 3: Enable and configure IGMP Proxy:

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ip igmp-proxy enable
hostname(config-vrouter)# exit
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# ip igmp-proxy host-mode
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# ip igmp-proxy router-mode
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# ip igmp-proxy router-mode
hostname(config-if-eth0/2)# exit
hostname(config)#

Step 4: Configure a policy rule:

hostname(config)# address src
hostname(config-addr)# ip 1.1.1.2/32
hostname(config-addr)# exit
hostname(config)# address dst
hostname(config-addr)# ip 224.91.91.2/32
hostname(config-addr)# exit
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr src
hostname(config-policy-rule)# dst-addr dst
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Example of Configuring IGMP Snooping


This section describes an IGMP Snooping configuration example.



Requirement

The multicast source sends data to the multicast group. The multicast address is 224.91.91.2. The device is working in transparent mode. Interface ethernet0/0 is the upstream interface; ethernet0/1 and ethernet0/2 are the downstream interfaces. The goal is to configure IGMP snooping so that the multicast data can be properly forwarded to the client PC that belongs to the multicast group.

Configuration Steps

Step 1: Configure interfaces and security zones:

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone l2-untrust
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone l2-trust
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# zone l2-trust
hostname(config-if-eth0/2)# exit
hostname(config)# interface vswitchif1
hostname(config-if-vsw1)# ip address 192.30.1.100 255.255.255.0
hostname(config-if-vsw1)# exit
hostname(config)#

Step 2: Enable multicast routing:

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ip multicast-routing
hostname(config-vrouter)# exit
hostname(config)#

Step 3: Enable and configure IGMP Snooping:

hostname(config)# vswitch vswitch1
hostname(config-vswitch)# ip igmp-snooping enable
hostname(config-vswitch)# exit
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# ip igmp-snooping host-mode
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# ip igmp-snooping router-mode
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# ip igmp-snooping router-mode
hostname(config-if-eth0/2)# exit
hostname(config)#

Step 4: Configure a policy rule:

hostname(config)# address src
hostname(config-addr)# ip 1.1.1.2/32
hostname(config-addr)# exit
hostname(config)# address dst
hostname(config-addr)# ip 224.91.91.2/32
hostname(config-addr)# exit
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone l2-untrust
hostname(config-policy-rule)# dst-zone l2-trust
hostname(config-policy-rule)# src-addr src
hostname(config-policy-rule)# dst-addr dst
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Example of Configuring BFD


This section lists three examples of configuring BFD as follows:

l Integrating BFD with the static route

l Integrating BFD with the OSPF route

l Integrating BFD with the BGP route

Requirement

The redundant link consists of two Hillstone devices and two routers. The BFD detection function is enabled between the routers and the Hillstone devices. The reachable network segment of Router1 is 100.1.1.1/24. The following examples individually integrate BFD with the static route, the OSPF route, and the BGP route between Router1 and device A. The network topology is shown in the figure below:



Configuration Steps

Integrating BFD with the Static Route

Step 1: Configure interfaces of device A:

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 1.1.1.1/24
hostname(config-if-eth0/1)# exit
hostname(config)#

Step 2: Configure the BFD session parameters on the interface of device A. The default detection method is asynchronous:

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# bfd min-tx 100 min-rx 100 detect-multiplier 3
hostname(config-if-eth0/0)# exit
hostname(config)#

Step 3: Configure device A to integrate BFD with the static route to Router1:

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ip route 100.1.1.1/24 ethernet0/1 1.1.1.2 bfd
hostname(config-vrouter)# exit
hostname(config)#

Step 4: Configure the interface of Router1 and the BFD functions. The IP address of the interface is 1.1.1.2/24.

Integrating BFD with the OSPF Route

Step 1: Configure interfaces of device A:

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 1.1.1.1/24
hostname(config-if-eth0/1)# exit
hostname(config)#

Step 2: Configure the BFD session parameters on the interface of device A, specify the inquiry (demand) detection method, enable the Echo function, and integrate BFD with the OSPF route:

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# bfd demand enable
hostname(config-if-eth0/0)# bfd min-echo-rx 100
hostname(config-if-eth0/0)# bfd echo enable
hostname(config-if-eth0/0)# ip ospf bfd
hostname(config-if-eth0/0)# exit
hostname(config)#

Step 3: Configure the OSPF route on device A:

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# router ospf
hostname(config-router)# router-id 1.1.1.1
hostname(config-router)# network 1.1.1.1/24 area 0
hostname(config-router)# exit
hostname(config)#

Step 4: Configure the interface of Router1, the BFD functions, and the OSPF route. The IP address of the interface is 1.1.1.2/24. Use the inquiry method, enable the Echo function, and ensure that the Echo packets can be forwarded.

Integrating BFD with the BGP Route

Step 1: Configure interfaces of device A:

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 1.1.1.1/24
hostname(config-if-eth0/1)# exit
hostname(config)#

Step 2: Configure the BFD session parameters on the interface of device A, specify the inquiry (demand) detection method, and enable the Echo function:

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# bfd demand enable
hostname(config-if-eth0/0)# bfd min-echo-rx 100
hostname(config-if-eth0/0)# bfd echo enable
hostname(config-if-eth0/0)# exit
hostname(config)#

Step 3: Configure the BGP protocol on device A and integrate BFD with BGP:

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# router bgp 100
hostname(config-router)# router-id 1.1.1.1
hostname(config-router)# neighbor 1.1.1.2 fall-over bfd
hostname(config-router)# network 1.1.1.1/24
hostname(config-router)# exit
hostname(config)#

Step 4: Configure the interface of Router1, the BFD functions, and the BGP route. The IP address of the interface is 1.1.1.2/24. Use the inquiry method, enable the Echo function, and ensure that the Echo packets can be forwarded.

Example of Configuring LLB


This section describes an inbound LLB configuration example.

Requirement

Ethernet0/6 and ethernet0/7 are connected to the telecom and netcom links respectively. With inbound LLB enabled, the device returns the IP address defined in the ISP static address named netcom after receiving a DNS request from netcom users, and returns the IP address defined in the ISP static address named telecom after receiving a DNS request from telecom users. The network topology is shown below:



Configuration Steps

Configurations of interfaces are omitted. Only the configuration of ISP information and inbound LLB is provided.

Step 1: Configure ISP information:

hostname(config)# isp-network telecom
hostname(config-isp)# 101.1.1.0/24
hostname(config-isp)# exit
hostname(config)# isp-network netcom
hostname(config-isp)# 201.1.1.0/24
hostname(config-isp)# exit

Step 2: Enable SmartDNS and configure SmartDNS rules:

hostname(config)# llb inbound smartdns enable
hostname(config)# llb inbound smartdns test
hostname(config-llb-smartdns)# domain www.test.com
hostname(config-llb-smartdns)# ip 100.1.1.2 isp telecom interface ethernet0/0 weight 10
hostname(config-llb-smartdns)# ip 200.1.1.2 isp netcom interface ethernet0/0 weight 10
hostname(config-llb-smartdns)# exit

Step 3: Confirm that the above configuration has taken effect with the show commands:

hostname(config)# show isp-network all
ISP telecom status: Active
Binding to nexthop: 0
Subnet(IP/Netmask): 1
101.1.1.0/24
ISP netcom status: Active
Binding to nexthop: 0
Subnet(IP/Netmask): 1
201.1.1.0/24
hostname(config)# show llb inbound smart test
domain:domain name; IP: ip address; ISP: isp name; IF: interface;
PROXY: proximity address book status; E: enable; D:disable
TRACK: track object name; W: ip weight; S:ip status;A:active;
I: inactive
=============================================================
-------------------------------------------------------------
name: test
domain count: 1
rule count: 2
status: enable
domains: www.test.com;
ip addresses:
---------------------------------------------------------------------
ID  IP         ISP      IF           PROX  TRACK  W   S
1   100.1.1.2  telecom  ethernet0/0  D            10  A
3   200.1.1.2  netcom   ethernet0/1  D            10  A
===================================================================

When PC1 requests www.test.com, the device returns the IP address for the telecom link (100.1.1.2); when PC2 requests www.test.com, the device returns the IP address for the netcom link (200.1.1.2).
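As an added example that is not part of the original guide, the Python code below models how the inbound LLB SmartDNS rule above selects an answer: the requester's source address is matched against the ISP networks by longest prefix, then an active record for that ISP is chosen by weight. The ISP networks and rule records are constructed from the configuration above; the fallback to any active record when the requester matches no ISP, or when its ISP's record is inactive, is this example's assumption, as are the function names.

```python
import ipaddress
import random

# Constructed from the inbound LLB example above: the ISP networks of Step 1
# and the SmartDNS rule "test" of Step 2. "weight" and "active" mirror the
# W and S columns of "show llb inbound smart test".
ISP_NETWORKS = {
    "telecom": ["101.1.1.0/24"],
    "netcom": ["201.1.1.0/24"],
}
SMARTDNS_RULES = {
    "www.test.com": [
        {"ip": "100.1.1.2", "isp": "telecom", "weight": 10, "active": True},
        {"ip": "200.1.1.2", "isp": "netcom", "weight": 10, "active": True},
    ],
}


def classify_isp(client_ip, isp_networks=ISP_NETWORKS):
    """Map a DNS requester to its ISP by longest-prefix match; None if unknown."""
    addr = ipaddress.ip_address(client_ip)
    best_len, best_isp = -1, None
    for isp, prefixes in isp_networks.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and net.prefixlen > best_len:
                best_len, best_isp = net.prefixlen, isp
    return best_isp


def smartdns_answer(domain, client_ip, rules=SMARTDNS_RULES,
                    isp_networks=ISP_NETWORKS, rng=None):
    """Return the address the SmartDNS rule answers with for this requester.

    Returns None when the domain has no SmartDNS rule (the query would then
    receive the ordinary DNS reply). Falling back to any active record when the
    requester's ISP is unknown or its record is inactive is an assumption of
    this example, not documented StoneOS behaviour.
    """
    records = rules.get(domain.lower().rstrip("."))
    if not records:
        return None
    isp = classify_isp(client_ip, isp_networks)
    candidates = [r for r in records if r["active"] and r["isp"] == isp]
    if not candidates:
        candidates = [r for r in records if r["active"]]
    if not candidates:
        return None
    rng = rng or random.Random()
    weights = [r["weight"] for r in candidates]
    return rng.choices(candidates, weights=weights, k=1)[0]["ip"]
```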

Example of Configuring PIM-SM


This section describes a PIM-SM configuration example.

Requirement

The multicast source sends data to the multicast group. The multicast address is 224.91.91.2. The receiver PC receives multicast data in multicast mode, and the PIM domain adopts the SM mode. Assume that the device is the candidate RP, the interface loopback1 is used as the interface for electing the RP, the interface ethernet0/0 is the upstream interface, and the interface ethernet0/1 is the downstream interface. After PIM-SM is configured, multicast data can be forwarded to the receiver PC. The network topology is shown below:
Figure: Network Topology of Configuring PIM-SM

Configuration Steps

Step 1: Enable multicast routing.

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ip multicast-routing
hostname(config-vrouter)# exit
hostname(config)#

Step 2: Enable and configure PIM-SM.

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# router pim
hostname(config-vrouter)# pim-sm enable
hostname(config-vrouter)# rp-candidate loopback1
hostname(config-vrouter)# bsr-candidate loopback1
hostname(config-vrouter)# exit
hostname(config)#

Step 3: Configure the interfaces and enable PIM-SM on each interface.

hostname(config)# interface loopback1
hostname(config-if-loo1)# zone trust
hostname(config-if-loo1)# ip address 2.2.2.2/24
hostname(config-if-loo1)# ip pim sparse-mode
hostname(config-if-loo1)# exit
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone untrust
hostname(config-if-eth0/0)# ip address 1.1.1.2/24
hostname(config-if-eth0/0)# ip pim sparse-mode
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone trust
hostname(config-if-eth0/1)# ip address 2.1.1.2/24
hostname(config-if-eth0/1)# ip pim sparse-mode
hostname(config-if-eth0/1)# exit
hostname(config)#



Chapter 4 System Management
This section contains the following contents:

l "Naming Rules" on Page 533

l "Configuring a Host Name" on Page 533

l "Configuring Tab Title at WebUI Login" on Page 534

l "Configuring System Admin Users" on Page 535

l "Creating a Trusted Host" on Page 561

l "Configuring NetBIOS Name Resolution" on Page 563

l "Management of System User" on Page 565

l "Configuring a MGT Interface" on Page 577

l "Configuring a Storage Device" on Page 584

l "Managing Configuration Files" on Page 589

l "System Maintenance and Debugging" on Page 609

l "Rebooting the System" on Page 615

l "Upgrading StoneOS" on Page 615

l "SCM HA" on Page 625

l "Device HA Switchover When Switch Module failed" on Page 626

l "License Management" on Page 627

l "Simple Network Management Protocol (SNMP)" on Page 653

l "Network Configuration Protocol (NETCONF)" on Page 665



l "HSM Agent" on Page 668

l "Network Time Protocol (NTP)" on Page 673

l "Configuring Schedule" on Page 681

l "Configuring a Track Object" on Page 683

l "Configuring a Threshold" on Page 692

l "Graceful Shutdown" on Page 624

l "Monitor Alarm" on Page 694

l "CPU Cache Error Monitor" on Page 697

l "The Maximum Concurrent Sessions" on Page 698

l "Connecting to Hillstone Cloud Service Platform" on Page 714

l "Configuring the RESTful API Interface to Upload Files" on Page 720

Naming Rules
When you name an object, follow the conventions below:

l Hillstone recommends that you do not use the following special characters: comma (,), single quotation marks (‘‘), quotation marks (“”), tab, space, semicolon (;), backslash (\), slash (/), angle brackets (<>), and other special characters such as & and #. Use digits (0-9) and letters (a-z, A-Z) in the name.

l If an object name contains spaces, enclose the entire name in quotation marks when you use the CLI; this does not apply to WebUI operations.

Configuring a Host Name


A host name distinguishes one device from another. The default host name is the platform model.
To edit the host name, in the global configuration mode, use the following command:

hostname host-name

l host-name – Specifies the host name of the Hillstone device. You can specify up to 63 characters. After executing the command, the command prompt changes to the specified host name.

To restore the default value, in the global configuration mode, use the command no hostname.
For example, the following commands change the host name to hillstone:

hostname# configure
hostname(config)# hostname hillstone
hillstone(config)#

Configuring the Displayable Length of the Host Name


You can configure the length of the host name that the system displays. The part of the host name exceeding the configured length is displayed as "~". To configure the displayable length of the host name, in the global configuration mode, use the following command:
hostname-display-length length

l length – Specifies the number of characters of the host name that the system displays. The range is 1 to 63 characters. The default value is 16 characters, that is, when the host name is longer than 16 characters, the exceeding part is displayed as "~".

To restore to the default value, in the global configuration mode, use the following command:
no hostname-display-length

Viewing the Displayable Length of the Host Name


To view the displayable length of the host name, in any mode, use the following command:
show hostname-display-length

Configuring Tab Title at WebUI Login


At WebUI login, the browser tab title is "Hillstone Networks".
You can modify this title by configuring it as any one of the device's host name, model number and management address, or as a combination of any two or three of these items. The configuration takes effect at the next WebUI login.
To configure the browser tab title at WebUI login, in the global configuration mode, use the following command:
webui-title-display-mode [hostname] [platform] [manage-address]

l hostname - Specifies the device's host name as the tab title.

l platform - Specifies the device's model number as the tab title.

l manage-address - Specifies the device's management address as the tab title.

If this command is executed with none of these items specified, or the tab title configuration is deleted, the default tab title is displayed. If multiple items are specified, they may be given in any order; the items appear in the tab title in the order in which they were configured.
To delete the tab title configuration, in the global configuration mode, use the following command:
no webui-title-display-mode
To view the tab title configuration, in any mode, use the following command:

show webui-title-display-mode

Configuring System Admin Users


Device administrators of different roles have different privileges. The system supports predefined administrator roles and customized administrator roles.
By default, the system supports the following administrator roles, which cannot be deleted or edited:

l admin: can read, write and execute. An administrator can manage all functions of the device, view configurations, and execute commands such as import, export and save in the configuration mode.

l admin-read-only: can read and execute, view configurations, and execute the export command in the configuration mode.

l operator: can read, write and execute. An operator can modify settings other than administrator privileges, reboot the system, restore the factory default and upgrade StoneOS, and view configurations, but cannot view log messages or execute some commands.

l auditor: can manage log messages, including viewing, exporting and clearing logs.

The following table lists the permissions of each role.

Permissions

Operation                                  Administrator  Administrator-read-only  Operator                      Auditor
Configure (including save configuration)   √              χ                        √                             χ
Managing admin users                       √              χ                        χ                             χ
Restore factory default                    √              χ                        χ                             χ
Delete configuration file                  √              χ                        √                             χ
Roll back configuration                    √              χ                        √                             χ
Reboot                                     √              χ                        χ                             χ
View configuration information             √              √                        √                             χ
View log information                       √              √                        χ                             √
Modify current admin password              √              √                        √                             √
Command import                             √              χ                        √ (except upgrading StoneOS)  χ
Command export                             √              √                        χ                             √
Command clear                              √              √                        √                             √
Command ping/traceroute                    √              √                        √                             χ
Command debug                              √              √                        √                             χ
Command exec                               √              √                        √                             √
Command terminal width                     √              √                        √                             √

l The system has a default administrator “hillstone”. This default administrator can be edited.

l Roles other than administrator cannot edit the properties of a system admin user; they can only change their own password.

l An auditor can manage one or more log types, but which log types an auditor manages is defined by a user of the administrator role.

The property settings of a system administrator are:

l Creating administrator roles

l Specifying administrator role's privileges

l Specifying administrator role's description

l Creating an admin user

l Assigning a role

l Configuring password

l Configuring accesses for admin users

l Configuring Single Sign-on (SSO)



l Configuring two-factor authentication for admin users logging in to the WebUI

l Configuring an API token for an admin user

l Configuring log types for auditors

l Specifying login limit

l Configuring Login Options for the Default Administrator

l Viewing Admin roles

l Viewing admin users

l VSYS admin users

Creating Administrator Roles


To create a new administrator role, use the following command in the global configuration mode:
admin role role-name

l role-name – Specifies the name of the administrator role. The length varies from 4 characters
to 95 characters. After executing this command, the system will create the administrator role
and enter the administrator role configuration mode. If the name already exists, it will enter
the administrator role configuration mode directly.

To delete an administrator role, use the no admin role role-name command.

Specifying Administrator Role's Privileges


To specify the administrator role's CLI privileges, use the following command in the administrator role configuration mode:
cli-privilege all {rw | none}

l rw | none – rw gives the administrator role read-write privilege to all CLI commands. none gives the administrator role no CLI privilege, so the role cannot use the CLI.

Specifying Administrator Role's Description


To specify the administrator role's description, use the following command in the administrator role configuration mode:
description description

l description – Specifies the description of the administrator role. You can specify up to 255 characters.

Use the no description command to delete the description.

Creating an Admin User


To create an admin user and enter its configuration mode, in the global configuration mode, use the following command:
admin user user-name

l user-name - Specifies a name for the admin user. The length is from 4 to 31 characters. This command creates the admin user and enters the user's configuration mode; if the admin user already exists, it enters that configuration mode directly.

To delete an admin user, in the global configuration mode, use the command no admin user user-name.
In an admin user's configuration mode, you can edit its role, password, access methods and log types (for auditor roles).

Assigning a Role
To assign a role to an admin user, in the user's configuration mode, use the following command:
role {admin | operator | auditor | admin-read-only}

l admin - Specifies the role of this user as Administrator.

l operator - Specifies the role of this user as Operator.

l auditor - Specifies the role of this user as Auditor.

l admin-read-only - Specifies the role of this user as Administrator-read-only.

Configuring Password
A password is required for an admin account. To define a password, in the admin user's configuration mode, use the following command:
password password

l password – Specifies a password for the admin user. The length is from 4 to 31 characters.

To cancel a password, in the admin user's configuration mode, use the command no password.
If you log in as an operator, auditor or administrator-read-only, you can change your own password in any mode:
exec admin user password update password

l password – Enter the new password. The length is from 4 to 31 characters.

Notes: If you use an Administrator account, you have the privilege to edit the pass-
word of every user.

Configuring Password Policy for Admin Users

Password policy defines the password complexity for admin users. The password complexity controls the total length of the password, the number of characters of each element type, and the validity period of the password. A password can be a combination of elements from the following types:

l Capital letters A to Z.

l Lowercase letters a to z.

l Digits 0 to 9.

l Other visible characters such as semicolon and slash (half-width characters only).

You must enter the password policy mode before you can change the complexity requirement. Use the command password-policy to enter the password policy configuration mode.
You can set the password complexity if the default settings do not meet your security requirement. You must enable password complexity checking before setting the password complexity.
To enable or disable password complexity checking, in the password policy configuration mode, use the following command:
admin complexity {enable | disable}

l enable | disable – Enable or disable password complexity checking. By default, password complexity checking is disabled. After the feature is enabled, the default complexity requires that the password contain all four element types: two uppercase letters, two lowercase letters, two digits and two other visible characters (e.g. @).

To define the required number of characters of each element type, in the password policy configuration mode, use the following command:
admin {capital-letters | non-alphanumeric-letters | numeric-characters | small-letters} value

l capital-letters value – Specifies the number of capital letters in the password. The default value is 2 and the range is 0 to 16.

l non-alphanumeric-letters value – Specifies the number of visible characters other than letters and digits in the password. The default value is 2 and the range is 0 to 16.

l numeric-characters value – Specifies the number of digits in the password. The default value is 2 and the range is 0 to 16.

l small-letters value – Specifies the number of lowercase letters in the password. The default value is 2 and the range is 0 to 16.

To define the minimum password length for admin users, in the password policy configuration mode, use the following command:
admin min-length length-value

l min-length length-value – Specifies the minimum length of the password. The default value is 4, and the range is 4 to 16. After password complexity checking is enabled, the default value is 8 (two uppercase letters, two lowercase letters, two digits and two other visible characters), and the range is 8 to 16.

Notes: You can define the minimum length of the password to strengthen security whether or not password complexity checking is enabled.

The validity period of the password limits how long a password may be used. When you log in with a password that has expired, the system prompts you to reset the password. After pressing Enter, enter the new password twice. If the new password does not meet the password complexity requirements, or the two entries are not consistent, you must enter it again. If three consecutive attempts fail to meet the requirements, the connection to the device is closed, and you are again required to set a new password at the next login. The new password can be the same as the old one.
To define the validity period of the password for admin users, in the password policy configuration mode, use the following command:
admin password-expiration value

l password-expiration value – Specifies the validity period of the password in days. The range is 0 to 365. The default value is 0, which means that the validity period of the password is not restricted.

In the password policy configuration mode, use the command no admin complexity to restore the default setting of password complexity checking.
To enable or disable the History Password Check function, in the password policy configuration mode, use the following command:
admin history-password-check {enable | disable}

l enable | disable – Enable or disable the History Password Check function. By default, this function is disabled.

With the History Password Check function enabled, when you change your password, the system verifies whether the new password is the same as a historical password. The new password cannot be the same as any of the specified number of most recent historical passwords. To configure the History Password Check function, in the password policy configuration mode, use the following command:
admin history-password-records count

l count - Specifies the number of historical passwords to be checked. The range is 3 to 8. The default value is 5, meaning that the new password cannot be the same as any of the last five historical passwords.
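As an added example that is not part of the original guide, the Python class below checks a candidate admin password against the policy settings described above: the per-element-type counts, min-length, and the History Password Check with its record count. The defaults used are those the text gives once complexity checking is enabled; storing the history as salted PBKDF2 hashes and the class and method names are this example's choices, not a description of how StoneOS implements the check.

```python
import hashlib
import hmac
import os
import re


class AdminPasswordPolicy:
    """Constructed model of the StoneOS admin password-policy settings above.

    Defaults are the values the guide gives with "admin complexity enable":
    two characters of each element type and min-length 8. MAX_LENGTH comes from
    the "password" command (4 to 31 characters). How the history is stored here
    (salted PBKDF2 digests) is this example's choice, not StoneOS behaviour.
    """

    MAX_LENGTH = 31

    def __init__(self, complexity=True, capital=2, small=2, numeric=2,
                 non_alnum=2, min_length=8, history_check=True, history_records=5):
        self.complexity = complexity
        # element type -> (required count, matching pattern)
        self.required = {
            "capital-letters": (capital, r"[A-Z]"),
            "small-letters": (small, r"[a-z]"),
            "numeric-characters": (numeric, r"[0-9]"),
            "non-alphanumeric-letters": (non_alnum, r"[^A-Za-z0-9]"),
        }
        self.min_length = min_length
        self.history_check = history_check
        self.history_records = history_records
        self._history = []  # (salt, digest) pairs, oldest first

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check(self, password):
        """Return the list of policy violations; an empty list means acceptable."""
        errors = []
        # only visible half-width characters (printable ASCII, no space) are allowed
        if not all(0x21 <= ord(c) <= 0x7E for c in password):
            errors.append("contains characters that are not visible half-width characters")
        if len(password) < self.min_length:
            errors.append(f"shorter than min-length {self.min_length}")
        if len(password) > self.MAX_LENGTH:
            errors.append(f"longer than {self.MAX_LENGTH} characters")
        if self.complexity:
            for name, (need, pattern) in self.required.items():
                have = len(re.findall(pattern, password))
                if have < need:
                    errors.append(f"needs at least {need} {name}, has {have}")
        if self.history_check:
            # compare against the most recent history_records passwords only
            for salt, digest in self._history[-self.history_records:]:
                if hmac.compare_digest(self._digest(password, salt), digest):
                    errors.append(
                        f"matches one of the last {self.history_records} passwords")
                    break
        return errors

    def update(self, password):
        """Attempt a password change: record the password when it passes; return violations."""
        errors = self.check(password)
        if not errors:
            salt = os.urandom(16)
            self._history.append((salt, self._digest(password, salt)))
        return errors
```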

Viewing Password Policy for Admin Users

To view the password policy for admin users, in any mode, use the following command:
show password-policy

Configuring the Function of Resetting the Administrator Password by Security


Question

The function of resetting the administrator password by security question enables you to change the password by answering a security question. You can reset the password without knowing the previous password. If this function is configured and enabled, when you enter a wrong username or password three consecutive times through the console port, the system prompts you to reset the password by answering the security question.
To configure the security question, in the global configuration mode, use the following command:
admin reset-password question {custom value | predefined {question1 | question2 | question3}}

l question custom value – Specifies a user-defined question, which can only include letters, numbers, and special characters (excluding "). Chinese characters cannot be included in the security question. When you enter a string, enclose the value in double quotation marks. The value range is 1 to 256 characters.

l question predefined question1 – Specifies predefined question 1 as the security question. Question1 is "What is your aspiration?".

l question predefined question2 – Specifies predefined question 2 as the security question. Question2 is "What is your most impressed day?".

l question predefined question3 – Specifies predefined question 3 as the security question. Question3 is "What do you like best?".

To configure the security answer, in the global configuration mode, use the following command:
admin reset-password answer value

l answer value – Specifies the security answer, which can only include letters, numbers, and special characters (excluding "). Chinese characters cannot be included in the security answer. When you enter a string, enclose the value in double quotation marks. The value range is 1 to 256 characters.

To enable/disable the function of resetting the administrator password by security question, in the global configuration mode, use the following command:
admin reset-password {enable | disable}

l enable–Enables the function of resetting the administrator password by the security ques-
tion. To enable the function, you need to configure the security question and its answer
first.

l disable–Disables the function of resetting the administrator password by the security ques-
tion.

To delete the security question and its answer, in the global configuration mode, use the fol-
lowing commands:
no admin reset-password {question | answer}

l question–Deletes the security question and its answer at the same time. To perform this
operation, you need to disable the function of resetting the administrator password by secur-
ity question first.

l answer–Deletes the security answer only. To perform this operation, you need to disable
the function of resetting the administrator password by security question first.

To view the information about the function of resetting the administrator password by security
question, including the enabled/disabled status of the function, the content of the security ques-
tion, and the security answer, in any mode, use the following command:
show admin reset-password

Configuring Accesses for Admin Users

By default, a newly created admin user does not have its access opened to visit the device. To add accesses for an admin user, in the user's configuration mode, use the following command:
access {console | http | https | ssh | telnet | netconf | any}

l console – Allows the admin user to use Console port to access the device.

l http – Allows the admin user to use HTTP to access the device.

l https – Allows the admin user to use HTTPS to access the device.

l ssh – Allows the admin user to use SSH to access the device.

l telnet – Allows the admin user to use TELNET to access the device.

l netconf – Allows the admin user to use NETCONF to access the device.

l any – Allows the admin user to use any of the above methods to access the device.

Use this command to add access for an admin user.

To cancel the specified access, in the user's configuration mode, use the command no access {console | http | https | ssh | telnet | netconf | any}.

Notes: When the "Telnet" or "HTTP" login type is enabled, the system prompts that these protocols are not secure.

Configuring Single Sign-on (SSO)


Single Sign-on (SSO) is supported only by the virtual product CloudEdge. This function is disabled by default and can be enabled as required. After you enable this function and specify the SSO scheme of a third-party platform on CloudEdge, you can access CloudEdge without authentication once you have logged in to that third-party platform. The system supports three SSO schemes:

l By specifying the SSO scheme as CAS_QIMING, you can log in to the CloudEdge without
authentication after logging in to the Venustech CSMP

l By specifying the SSO scheme as CTYUN, you can log in to the CloudEdge without authen-
tication after logging in to the e Cloud.

l By specifying the SSO scheme as 360-YUNZHEN, you can log in to the CloudEdge
without authentication after logging in to the 360 CSMP.

Enabling/Disabling SSO

To enable or disable the SSO function, in the global configuration mode, use the command:
Enable: admin sso-login enable
Disable: admin sso-login disable

Notes: When configuring SSO, the system time of the third-party platform and that of CloudEdge must be consistent. The time difference between the two parties cannot exceed 10 minutes; otherwise SSO will fail.

After enabling the SSO function, you need to specify one of the following SSO schemes of a third-party platform: CAS_QIMING, CTYUN, and 360_YUNZHEN.

Specifying the SSO scheme as CAS_QIMING

To specify the SSO scheme as CAS_QIMING, in the global configuration mode, use the com-
mand:
admin sso-login type cas-qiming
After specifying the SSO scheme as CAS_QIMING, you need to specify the Service Ticket check URL and the virtual router through which the third-party SSO traffic passes.

l To specify the Service Ticket check URL, in the CAS_QIMING SSO mode, use the following command:
ticket-check-url url

l To specify the virtual router where the third-party SSO passes, in the SSO mode, use the fol-
lowing command:
vrouter vrouter-name

Specifying the SSO Scheme as CTYUN

To specify the SSO Scheme as CTYUN, in the global configuration mode, use the following com-
mand:
admin sso-login type ctyun

Viewing/Deleting the Token Information of CTYUN

This function can be used only in CTYUN SSO. The system allows you to view or delete the
Token information of the administrator. Token information is used for authentication during SSO.
To view the administrator's Token information, in the global configuration mode, use the com-
mand:
show admin sso-token type ctyun
To delete the administrator's Token information, in the global configuration mode, use the com-
mand:

exec admin sso-token-del type ctyun owner username

l username– Specifies the username of the administrator whose Token information needs to
be deleted.

Specifying the SSO Scheme as 360_YUNZHEN

To specify the SSO scheme as 360_YUNZHEN, in the global configuration mode, use the com-
mand:
admin sso-login type 360-yunzhen

Viewing the Token Information of 360_YUNZHEN

This function can be used only in 360_YUNZHEN SSO. The system allows you to view the
Token information of the administrator. Token information is used for authentication during SSO.
To view the administrator's Token information, in the global configuration mode, use the com-
mand:
show admin sso-info type 360-yunzhen

Viewing the SSO Information

To view the SSO information, in any mode, use the following command:
show http

Configuring Two-factor Authentication for Admin Users Logging in to the WebUI
An administrator can log in to the WebUI by using SMS/Email two-factor authentication.

Enabling SMS/Email Two-factor Authentication

To configure SMS/Email two-factor authentication, in global configuration mode, use the following command:
admin {sms-auth [gateway provider-name | modem] | email-auth [smtp smtp-name] | verification-timeout timeout | auth-sender sender-name}

l sms-auth – Enables the SMS authentication. After the SMS authentication is enabled, an administrator who has not configured a mobile number will be unable to log in to the device.

l gateway provider-name – Sets the method of the SMS authentication to SMS gateway.

l modem – Sets the method of the SMS authentication to SMS modem.

l email-auth – Enables the Email authentication. After the Email authentication is enabled, an administrator who has not configured an email address will be unable to log in to the device.

l smtp smtp-name – Specifies the mail server.

l verification-timeout timeout – Specifies the validity period of SMS/email verification codes. Valid values: 1 to 30 minutes. Default value: 5 minutes. You cannot log in to the device if you do not enter the verification code within the validity period.

l auth-sender sender-name – Specifies the sender name, which can be 1 to 64 characters. The name is displayed in the text message/email.

In global configuration mode, use the no admin sms-auth command to disable the SMS authen-
tication.
In global configuration mode, use the no admin email-auth command to disable the Email authen-
tication.

Notes: You cannot enable the SMS/Email authentication and SSO from a third-
party platform at the same time.

Configuring the Mobile Number for an Administrator

After the SMS authentication is enabled, an administrator is required to pass multi-factor authentication by using a verification code. An administrator who has not configured a mobile number will be unable to log in to the WebUI of the device. To configure the mobile number, in administrator configuration mode, use the following command:
phone phone-number – Specifies the mobile number of the administrator.

Configuring the Email Address for an Administrator

After the Email authentication is enabled, an administrator is required to pass multi-factor authentication by using an email verification code. An administrator who has not configured an email address will be unable to log in to the WebUI of the device. To configure the email address, in administrator configuration mode, use the following command:
email email – Specifies the email address of the administrator.

Configuring an API Token for an Administrator


After you enable the SMS/Email authentication, the administrator can only use the API token
authentication when logging in to the device by using RESTful API. You can create an API token
for a specified administrator and update, renew, clear, enable, and disable the API token.

Creating an API Token

To create an API token, in administrator configuration mode, use the following command:
api-token create – By default, the newly created API token is enabled.

Changing the Validity Period of the API Token

To change the validity period of the API token, in administrator configuration mode, use the following command:
api-token expiration expiration-time

l expiration-time – Changes the validity period of the API token. Valid values: 0 to 365 days.
Default value: 60 days. The value 0 indicates that the API token is valid for a long term.

Updating the API Token

After an administrator updates the API token, the original API token immediately becomes invalid. The validity period of the newly generated API token will be recalculated. To update the API token, in administrator configuration mode, use the following command:
api-token update

Renewing the API Token

An administrator can renew the API token in the enabled or expired state. The value of the API token does not change after the renewal. The validity period of the API token will be recalculated. To renew the API token, in administrator configuration mode, use the following command:
api-token renewal

Enabling the API Token

An administrator can enable the API token. The validity period of the API token will be recal-
culated. For example, if the original validity period is 30 days, the validity period will become 30
days again after you enable this API token. To enable the API token, in administrator con-
figuration mode, use the following command:
api-token enable

Disabling the API Token

An administrator can disable the API token. If needed, the administrator can use this API token
again by using the enable command. To disable the API token, in administrator configuration
mode, use the following command:
api-token disable

Deleting the API Token

An administrator can delete the API token. To do this, use the following command:
api-token delete

Viewing API Token

You can use the show command in any mode to view the API token of a specified administrator:
show admin api-token user-name
Example:

hostname(config)# show admin api-token test

================================================================

API Token:(Displays the API token value, which is used to log in to the RESTful API) ewoJInR5cCI6CSJKV1QiLAoJImFsZyI6CSJTSEEyNTYiCn0=.ewoJInVzZXJuYW1lIjoJInRlc3QiLAoJInZzeXNfaWQiOgkwCn0=.$020100rE$cmWWDXrSBhBtQvY+Pco1mSffmhmICNk7NKAhxeS08wX/Kb08=

Begin Time: 2022-11-17 21:08:42(Displays the point in time when the API token takes effect)
Expiration: 60 days(Displays the validity period of the API token)
Time To Expiration: 60 days(Displays the remaining days of the API token)

Current status: normal(Displays the current status of the API token. The value normal indicates that the API token is enabled.)
================================================================

Configuring Log Types for Auditors


An admin user of the auditor role is only allowed to view, export and clear log messages. The log types that an auditor can access are also defined by the administrator. To specify the log types, under the auditor's configuration mode, use the command:
log {config | event | nbr | threat | sandbox | network | operation | iot-monitor | share-access-detect | endpoint-tag | session | nat | urlfilter | pbr | dlp | cf | nbc | traffic | ips}

l config – Specifies that the auditor can manage configuration logs.

l event – Specifies that the auditor can manage event logs.

l nbr – Specifies that the auditor can manage NBR logs.

l network – Specifies that the auditor can manage network logs.

l iot-monitor – Specifies that the auditor can manage IoT monitor logs.

l threat – Specifies that the auditor can manage threat logs.

l sandbox – Specifies that the auditor can manage sandbox logs.

l share-access-detect – Specifies that the auditor can manage share access logs.

l operation – Specifies that the auditor can manage operation logs.

l endpoint-tag – Specifies that the auditor can manage endpoint tag logs.

l session – Specifies that the auditor can manage session logs.

l nat – Specifies that the auditor can manage NAT logs.

l urlfilter – Specifies that the auditor can manage URL filter logs.

l pbr – Specifies that the auditor can manage PBR logs.

l dlp – Specifies that the auditor can manage DLP logs.

l cf – Specifies that the auditor can manage CF logs.

l nbc - Specifies that the auditor can manage NBC logs.

l traffic - Specifies that the auditor can manage traffic logs.

l ips - Specifies that the auditor can manage IPS logs.

Repeat this command to specify more than one log type.

To cancel access to a log type, use the command no log {config | event | nbr | threat | sandbox
| network | operation | iot-monitor | share-access-detect | endpoint-tag | session | nat | url-
filter | pbr| dlp | cf| nbc | traffic | ips}.

Specifying Login Limit


If an admin user fails to enter the correct password for the specified number of times, the user will be disallowed from logging in again within the specified duration. To specify a lockout duration, under global configuration mode, use the following command:
admin lockout-duration time

l lockout-duration time – Specifies the lockout duration. The unit is minute. The range is 1 to 65525. The default value is 2.

Use the command no admin lockout-duration to resume to the default value.


To specify the maximum number of login failures, under the global configuration mode, use the command:
admin max-login-failure times

l max-login-failure times – Specifies the maximum number of wrong-password attempts. The default value is 3, and the range is 1 to 256.

Use the command no admin max-login-failure to resume the default value.

Notes: This command is available only for admin user of administrator role.

Specifying Login Limit


If an admin user fails to enter the correct password for the specified number of times, the IP address or user account will be disallowed from logging in again within the specified duration.
To specify a lockout duration for an IP address, under global configuration mode, use the following command:
admin lockout-duration time

l lockout-duration time – Specifies the lockout duration. The unit is minute. The range is 1 to 65525. The default value is 2.

Use the command no admin lockout-duration to resume the default value.

To specify a lockout duration for a user account, under global configuration mode, use the following command:
admin lockout-duration-user time

l lockout-duration-user time – Specifies the lockout duration. The unit is minute. The range is 1 to 65525. The default value is 2.

Use the command no admin lockout-duration-user to resume the default value.

To specify the maximum number of login failures for an IP address, under the global configuration mode, use the command:
admin max-login-failure times

l max-login-failure times – Specifies the maximum number of wrong-password attempts. The default value is 256, and the range is 1 to 256.

Use the command no admin max-login-failure to resume the default value.
To specify the maximum number of login failures for a user account, under the global configuration mode, use the command:
admin max-login-failure-user times

l max-login-failure-user times – Specifies the maximum number of wrong-password attempts. The default value is 3, and the range is 1 to 5.

Use the command no admin max-login-failure-user to resume the default value.

Notes: This command is available only for admin user of administrator role.
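The per-IP and per-account lockout rules above, modelled as an added Python example (not StoneOS code) with the documented defaults: 256 failures and a 2-minute lockout per IP address, 3 failures and a 2-minute lockout per user account. The LoginLimit class, its outcome strings and the at() helper are constructed here, and the assumption that a successful login or an expired lockout resets the counter is this example's, not something the page states.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


def at(iso: str) -> datetime:
    """Helper for readable timestamps, e.g. at("2023-01-01T12:00:00")."""
    return datetime.fromisoformat(iso)


class LoginLimit:
    """Per-IP and per-account failure counters with the documented defaults.
    A successful login and an expired lockout both reset the relevant counter
    (modelling assumption)."""

    def __init__(self, lockout_duration: int = 2, max_login_failure: int = 256,
                 lockout_duration_user: int = 2, max_login_failure_user: int = 3):
        if not (1 <= lockout_duration <= 65525 and 1 <= lockout_duration_user <= 65525):
            raise ValueError("lockout durations must be 1..65525 minutes")
        if not 1 <= max_login_failure <= 256:
            raise ValueError("max-login-failure must be 1..256")
        if not 1 <= max_login_failure_user <= 5:
            raise ValueError("max-login-failure-user must be 1..5")
        self.ip_limit = (max_login_failure, lockout_duration)
        self.user_limit = (max_login_failure_user, lockout_duration_user)
        # key -> (failure count, locked_until or None)
        self.ip_state: Dict[str, Tuple[int, Optional[datetime]]] = {}
        self.user_state: Dict[str, Tuple[int, Optional[datetime]]] = {}

    @staticmethod
    def _locked(state, key, now) -> bool:
        _, until = state.get(key, (0, None))
        return until is not None and now < until

    @staticmethod
    def _fail(state, key, limit, now) -> bool:
        """Record one failure; return True if this failure triggers a lockout."""
        max_failures, duration_min = limit
        failures, until = state.get(key, (0, None))
        if until is not None and now >= until:
            failures = 0          # previous lockout has expired: start afresh
        failures += 1
        if failures >= max_failures:
            state[key] = (failures, now + timedelta(minutes=duration_min))
            return True
        state[key] = (failures, None)
        return False

    def attempt(self, ip: str, user: str, password_ok: bool, now: datetime) -> str:
        """Evaluate one login attempt and return its outcome."""
        if self._locked(self.ip_state, ip, now):
            return "denied: ip locked"
        if self._locked(self.user_state, user, now):
            return "denied: user locked"
        if password_ok:
            self.ip_state.pop(ip, None)
            self.user_state.pop(user, None)
            return "ok"
        # a wrong password counts against both the source IP and the account
        ip_locked = self._fail(self.ip_state, ip, self.ip_limit, now)
        user_locked = self._fail(self.user_state, user, self.user_limit, now)
        if ip_locked:
            return "failed: ip locked"
        if user_locked:
            return "failed: user locked"
        return "failed"

    def locked_now(self, now: datetime) -> Dict[str, list]:
        """Which IP addresses and accounts are currently locked out (useful for alerting)."""
        return {
            "ips": sorted(k for k in self.ip_state if self._locked(self.ip_state, k, now)),
            "users": sorted(k for k in self.user_state if self._locked(self.user_state, k, now)),
        }
```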

Configuring the Maximum Number of Admin Users
You can configure the maximum number of admin users. After you configure it, the number of admin users that can be created is limited to the specified value. You can adjust it as needed. If the maximum is changed, the new value takes effect only after the device is restarted. To configure the maximum number of admin users, in the global configuration mode, use the following command:
capacity management max-administrative-users capacity-num

l capacity-num - Specifies the maximum number of admin users, ranging from 1 to 128.

Use the command no capacity management max-administrative-users to resume the default value. The default value varies by platform.

Notes: This command is a local configuration command and does not support HA
synchronization. In HA environment, if the maximum number of admin users set
on the master device is different from that on the backup device, the HA status may
be normal, while system will prompt an alarm regularly.

Configuring Login Options for the Default Administrator


The system has a default administrator "hillstone" with the default password "hillstone". However, there is a risk that the default username and password may be cracked. To avoid that risk, when you log in with the default username and password for the first time, the system prompts you to change the default password. Then, you can log in again with the new password.

Administrator is logging in with default account and password:

Please change your password:

new password: ******(Enter the new password)

Please input the new password again

new password: ****** (Enter the new password again)

Notes: In the HA Active-Passive (A/P) mode, the backup device does not support
this function, and you can log in with the default username and password.

Enabling Telnet/HTTP Login Type for the Default Administrator
By default, the Telnet and HTTP login types for the default administrator "hillstone" are disabled. To enable the Telnet or HTTP login type for the default administrator, refer to Configuring Accesses for Admin Users.

Viewing Admin roles


To show admin roles: show admin role [role-name]

Viewing Admin Users


To view admin users, under any mode, use the command:

l To show admin users: show admin user

l To show details of an admin user: show admin user user-name

l To show lockout duration: show admin lockout-duration

l To show maximum login failure time: show admin max-login-failure

l To show the SMS and Email authentication configuration of admin users: show admin multiple-factor-auth

Example:

hostname(config)# show admin multiple-factor-auth

=============================================================

Multiple-factor-auth status: sms(Displays the status of two-factor authentication. The value sms indicates that the SMS authentication is enabled and the value email indicates that the Email authentication is enabled.)
Sender name:(Displays the sender name of the text message/email)
Verify code timeout: 5 (minutes)(Displays the validity period of SMS/email verification codes)
SMS config:(Displays the configuration of the SMS authentication)
---------------------------------------------

SMS agent: gateway(Displays the method of the SMS authentication)
SMS service provider: 11(Displays the service provider of the SMS gateway)
Email config:(Displays the configuration of the email authentication)
---------------------------------------------

Email server name:(Displays the name of the mail server)

=============================================================

VSYS Admin Users


The admin users of each VSYS are independent of those of other VSYSs. VSYS admin users also have the roles Administrator, Administrator-read-only, Operator and Auditor. Their roles and privileges are the same as those of normal admin users.
When creating VSYS administrators, you must follow the requirements listed below:

l Backslash (\) cannot be used in administrator names.

l The non-root administrators are created by root administrators or root operators after logging
into non-root VSYS.

l After logging into root VSYS, the root administrators can switch to non-root VSYS and con-
figure it.

l Non-root administrators can enter the corresponding non-root VSYS after the successful
login, but the non-root administrators cannot switch to the root VSYS.

l Each administrator name should be unique in the VSYS it belongs to, while administrator names can be the same in different VSYSs. In such a case, when logging in, you must specify the VSYS the administrator belongs to in the format of vsys_name\admin_name. If no VSYS is specified, you will enter the root VSYS.

The table lists VSYS admin users' permissions. Column key: R-Admin = Root VSYS Administrator; R-Admin-RO = Root VSYS Administrator-read-only; R-Oper = Root VSYS Operator; R-Aud = Root VSYS Auditor; N-Admin = Non-root VSYS Administrator; N-Admin-RO = Non-root VSYS Administrator-read-only; N-Oper = Non-root VSYS Operator; N-Aud = Non-root VSYS Auditor. √ = permitted, χ = not permitted, * = can view information in the current VSYS only.

Operation                                  R-Admin  R-Admin-RO  R-Oper  R-Aud  N-Admin  N-Admin-RO  N-Oper  N-Aud
Configure (including save configuration)   √        χ           √       χ      √        χ           √       χ
Managing admin users                       √        χ           χ       χ      √        χ           χ       χ
Restore factory default                    √        χ           χ       χ      χ        χ           χ       χ
Delete configuration file                  √        χ           √       χ      √        χ           √       χ
Roll back configuration                    √        χ           √       χ      √        χ           √       χ
Reboot                                     √        χ           √       χ      χ        χ           χ       χ
View configuration information             √        √           √       χ      *        *           *       χ
View log information                       √        √           χ       √      √        √           χ       √
Modify current admin password              √        √           √       √      √        √           √       √
Command import                             √        χ           √       χ      √        χ           √       χ
Command export                             √        √           √       √      √        √           √       √
Command clear                              √        √           √       √      √        √           √       √
Command ping/traceroute                    √        √           √       χ      √        √           √       χ
Command debug                              √        √           √       χ      χ        χ           χ       χ
Command exec                               √        √           √       √      √        √           √       √
Command terminal width                     √        √           √       √      √        √           √       χ

Creating a Trusted Host


A Hillstone device allows only trusted hosts to manage the system. Trusted hosts are recognized by their IP address range, or MAC address/range. If the host address is in the specified range, the host is a trusted host.
By default, the address range of the trusted host is 0.0.0.0/0, which means all hosts are trusted. Therefore, it is recommended that you configure a proper address range and delete the default range afterward.

Notes: When you cannot access the device from a particular host, check the IP set-
tings of the trusted host.

To set the IP range for the trusted host, in the global configuration mode, use the following command:
admin host {range A.B.C.D A.B.C.D | A.B.C.D netmask | A.B.C.D/M | any} {http | https | ssh | telnet | netconf | any}

l range A.B.C.D A.B.C.D | A.B.C.D netmask | A.B.C.D/M | any – Specifies the IP range of the trusted host, such as 1.1.1.1 255.255.0.0. any means any IP address.

l http | https | ssh | telnet | netconf | any – Specifies the login type of the trusted host. any means any type of HTTP, HTTPS, SSH, Telnet and NETCONF.

To set the IP range and MAC address/range, in the global configuration mode, use the following command:
admin host {range A.B.C.D A.B.C.D | A.B.C.D netmask | A.B.C.D/M | any} mac-host {range H.H.H H.H.H | H.H.H | any} {http | https | ssh | telnet | netconf | any}

l range A.B.C.D A.B.C.D | A.B.C.D netmask | A.B.C.D/M | any – Specifies the IP range of the trusted host, such as 1.1.1.1 255.255.0.0. any means any IP address.

l range H.H.H H.H.H | H.H.H | any – Specifies the MAC address or range of the trusted host, such as 1111.1111.1111 2222.2222.2222. any means any MAC address.

l http | https | ssh | telnet | netconf | any – Specifies the login type of the trusted host. any means any type of HTTP, HTTPS, SSH, Telnet and NETCONF.

You can repeat the above commands to set more trusted host ranges. At most 128 ranges can be set in the system.
Use the command no admin host {range A.B.C.D A.B.C.D | A.B.C.D netmask | A.B.C.D/M | any} to disable the specified IP range.
Use the command no admin host {range A.B.C.D A.B.C.D | A.B.C.D netmask | A.B.C.D/M | any} mac-host {range H.H.H H.H.H | H.H.H | any} to disable the specified IP range and MAC address/range.
When an IP range is used to match the trusted hosts, use the command no admin host {range A.B.C.D A.B.C.D | A.B.C.D/M | any} {http | https | ssh | telnet | netconf | any} to disable the specified login type.
When an IP range and MAC address/range are used to match the trusted hosts, use the command no admin host {range A.B.C.D A.B.C.D | A.B.C.D/M | any} mac-host {range H.H.H H.H.H | H.H.H | any} {http | https | ssh | telnet | netconf | any} to disable the specified login type.

Creating an IPv6 Trusted Host
Trusted hosts are recognized by their IP addresses. If the host IP address is in the specified IPv6
range, the host is a trusted host.
To set the IP range for the trusted host, in the global configuration mode, use the following com-
mand:
admin host {X:X:X:X::X/M | range X:X:X:X::X X:X:X:X::X | any} {http | https | ssh | telnet | netconf | any}

l X:X:X:X::X/M | range X:X:X:X::X X:X:X:X::X | any - Specifies the start IP and end IP of trusted hosts, for example, “1.1.1.1 255.255.0.0”. any means you can access the device from any host.

l http | https | ssh | telnet | netconf | any - Specifies the protocol you can use to access the device from a trusted host. any means all the four protocols are enabled.

You can specify up to 128 trusted IP ranges.

To delete a trusted IP range, use the command no admin host X:X:X:X::X/M.
To disable access to the device over the specified protocol, use the command no admin host {X:X:X:X::X/M | range X:X:X:X::X X:X:X:X::X | any} {http | https | ssh | telnet | netconf | any}.
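A reference matcher for the IPv4, IPv6 and MAC trusted-host forms described in the two sections above, as an added Python example that is not StoneOS code. It parses admin host lines in the documented syntax, decides whether a management connection comes from a trusted host, and lists entries that still trust every address, such as the 0.0.0.0/0 default the text recommends deleting. The class and function names, the sample entries and the rule that a MAC condition cannot be satisfied when the MAC is unknown are assumptions of this example.

```python
import ipaddress

PROTOCOLS = {"http", "https", "ssh", "telnet", "netconf"}


def _mac_int(dotted):
    """H.H.H dotted-hex MAC (e.g. 1111.2222.3333) to a 48-bit integer."""
    hexstr = dotted.replace(".", "")
    if len(hexstr) != 12:
        raise ValueError(f"bad MAC address {dotted!r}")
    return int(hexstr, 16)


def _parse_ip_spec(tokens):
    """Consume one IP spec (range A B | A netmask | A/M | any); return (low, high, version) or None, rest."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "range":
        lo, hi = ipaddress.ip_address(tokens[1]), ipaddress.ip_address(tokens[2])
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"bad range {tokens[1]} {tokens[2]}")
        return (int(lo), int(hi), lo.version), tokens[3:]
    if "/" in tokens[0]:
        net = ipaddress.ip_network(tokens[0], strict=False)
        return (int(net.network_address), int(net.broadcast_address), net.version), tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)  # A.B.C.D netmask
    return (int(net.network_address), int(net.broadcast_address), 4), tokens[2:]


def _parse_mac_spec(tokens):
    """Consume one mac-host spec (range H.H.H H.H.H | H.H.H | any); return (low, high) or None, rest."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "range":
        return (_mac_int(tokens[1]), _mac_int(tokens[2])), tokens[3:]
    mac = _mac_int(tokens[0])
    return (mac, mac), tokens[1:]


class TrustedHost:
    def __init__(self, ip_range, mac_range, protocols, source):
        self.ip_range = ip_range      # (low, high, version) or None for any
        self.mac_range = mac_range    # (low, high) or None when no MAC condition
        self.protocols = protocols
        self.source = source

    def matches(self, ip, proto, mac=None):
        if proto not in self.protocols:
            return False
        addr = ipaddress.ip_address(ip)
        if self.ip_range is not None:
            lo, hi, ver = self.ip_range
            if addr.version != ver or not lo <= int(addr) <= hi:
                return False
        if self.mac_range is not None:
            if mac is None:           # MAC condition cannot be satisfied by an unknown MAC
                return False
            lo, hi = self.mac_range
            if not lo <= _mac_int(mac) <= hi:
                return False
        return True

    def trusts_every_address(self):
        """'any', 0.0.0.0/0 or ::/0 with no MAC condition, i.e. the default the text says to delete."""
        if self.mac_range is not None:
            return False
        if self.ip_range is None:
            return True
        lo, hi, ver = self.ip_range
        return lo == 0 and hi == (1 << (32 if ver == 4 else 128)) - 1


def parse_admin_host(line):
    """Parse one 'admin host ...' line in the forms the text documents."""
    tokens = line.split()
    if tokens[:2] != ["admin", "host"]:
        raise ValueError(f"not an admin host command: {line!r}")
    ip_range, rest = _parse_ip_spec(tokens[2:])
    mac_range = None
    if rest and rest[0] == "mac-host":
        mac_range, rest = _parse_mac_spec(rest[1:])
    if len(rest) != 1:
        raise ValueError(f"expected exactly one login type: {line!r}")
    proto = rest[0]
    if proto != "any" and proto not in PROTOCOLS:
        raise ValueError(f"unknown login type {proto!r}")
    return TrustedHost(ip_range, mac_range, set(PROTOCOLS) if proto == "any" else {proto}, line)


class TrustedHostTable:
    MAX_ENTRIES = 128   # documented system limit

    def __init__(self, lines):
        self.entries = [parse_admin_host(line) for line in lines]
        if len(self.entries) > self.MAX_ENTRIES:
            raise ValueError("at most 128 trusted host ranges can be set")

    def allows(self, ip, proto, mac=None):
        return any(e.matches(ip, proto, mac) for e in self.entries)

    def open_entries(self):
        return [e.source for e in self.entries if e.trusts_every_address()]
```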

Viewing Trusted Host IP

To view information on the configured trusted IP ranges, in any mode, use the following command:
show admin host

Configuring NetBIOS Name Resolution


The feature of NetBIOS name resolution enables the system to get all registered NetBIOS names
of computers in the managed network, and store them in the cache, so that it can provide IP
address-NetBIOS name resolution service for functional modules.
So far, NetBIOS name resolution is only used by the traffic logging feature to display the host
name in its logs. Therefore, you should enable the NetBIOS name resolution if you want to view

host names in traffic logs. For information about how to configure traffic log, see “Displaying
Hostname/Username in the Traffic Logs” of “Logs”.
To configure NetBIOS name resolution, take the following steps:

1. Enable the NetBIOS host name resolution service for the specified zone (the zone should not be the one connected to the WAN).

2. StoneOS automatically looks up NetBIOS names for IP addresses in the stat-sets.

This process may take a while and the results are stored in the NetBIOS cache table. The table is
updated regularly by the system.

Notes: The computer’s host name cannot be searched unless it is enabled with
NetBIOS.

Enabling NetBIOS Name Resolution


To enable NetBIOS name resolution for a zone, in the zone configuration mode, use the following command:
nbt-cache enable

To disable NetBIOS name resolution, use the following command:
no nbt-cache enable

Tip: To enter a zone configuration mode, use the command zone zone-name.

Resolving an IP to NetBIOS Name


To resolve an IP address of a host to its NetBIOS host name and MAC address, in the global configuration mode, use the following command:
nbtstat ip2name ip-address [vrouter vrouter-name]

l ip-address - Specifies the IP address to be resolved.

l vrouter vrouter-name - Specifies the VR of the host. If this parameter is not defined, StoneOS
uses the default VR (trust-vr).

Clearing NetBIOS Cache


To clear the NetBIOS cache, in the global configuration mode, use the following command:
clear nbt-cache [ip-address] [vrouter vrouter-name]

l ip-address - Specifies the IP address and NetBIOS cache data related to this IP address are
cleared by the system. If this parameter is not defined, all NetBIOS cache data are cleared.

l vrouter vrouter-name - Specifies the VR and NetBIOS cache data related to this VR are
cleared by the system. If this parameter is not specified, all NetBIOS cache data are cleared.

Viewing NetBIOS Cache


To view NetBIOS cache data (including IP address, host name, MAC address and VR), in any mode, use the following command:
show nbt-cache [ip-address] [vrouter vrouter-name]

l ip-address - Shows NetBIOS cache data related to the specified IP address. If this parameter
is not defined, all NetBIOS cache data are displayed.

l vrouter vrouter-name - Shows NetBIOS data of the specified VR. If this parameter is not
defined, all NetBIOS cache data are displayed.

Management of System User


In StoneOS, user refers to the user who uses the functions and services provided by the Hillstone device, or who is authenticated or managed by the device. The authenticated users consist of local users and external users. The local users are created by administrators. They belong to different local authentication servers, and are stored in the system's configuration files. The external users are stored in external servers, such as an AD server or LDAP server. StoneOS supports user groups to facilitate user management. Users belonging to one local authentication server can be allocated to different user groups, while one single user can belong to different user groups simultaneously; similarly, user groups belonging to one local authentication server can be allocated to different user groups, while one single user group can belong to different user groups simultaneously. The following diagram takes the default AAA server Local as an example and shows the relationship between users and user groups:

As shown above, User1, User2 and User3 belong to UserGroup1, while User3 also belongs to
UserGroup2, and UserGroup2 also contains User4, User5 and UserGroup1.
Roles are designed with certain privileges. For example, a specific role can gain access to some specified network resources, or exclusively use some bandwidth. In StoneOS, users and privileges are not directly associated; instead, they are associated through roles. The mappings between roles and users are defined by role mapping rules. When a role is assigned some services, its mapped users receive the corresponding services as well. StoneOS supports AND, NOT and OR logical operations on roles.
Hillstone devices support the following role-based functions:

l Role-based policy: Access control over users according to their roles.

l Role-based QoS: Bandwidth control over users according to their roles.

l Role-based stat-set: Collects statistics on bandwidth, sessions and new sessions based on
roles.

l Role-based session limit: Implements session limits for specific users.

l SCVPN role-based host security check: Resource access control over users according to roles.

l Role-based PBR: Implements routing for users of different types.

Configuring Users
User configurations include static user binding configuration and authenticated user configuration.

Binding an IP/MAC Address to a User

To bind an IP address or MAC address to a user, in the global configuration mode, use the following command:
user-binding aaa-server-name user-name {ip {ipv4-address | ipv6-address} [auth-check-only | vrouter vr-name] | mac mac-address}

l aaa-server-name - Specifies the name of the user’s AAA server.

l user-name - Specifies the user name.

l ip {ipv4-address | ipv6-address} - Specifies the IP address, including IPv4 address and IPv6
address.

l auth-check-only - If this parameter is configured, the system checks whether the user's IP address conforms with the IP bound to this user. If it conforms, the user is allowed to enter the authentication stage.

l vrouter vr-name - Specifies the VR of the designated IP/MAC address. The default value is
the default VR (trust-vr).

l mac mac-address - Specifies the MAC address.

To remove the binding of an IP/MAC address and a user, in the global configuration mode, use the following command:
no user-binding aaa-server-name user-name {ip {ipv4-address | ipv6-address} [auth-check-only] | mac mac-address} [vrouter vr-name]


Configuring Users in the Local AAA Servers

You can configure users/user groups on a local AAA server. To enter the local AAA server configuration mode, in the global configuration mode, use the command aaa-server aaa-server-name type local.

To create a local user, in the local AAA server configuration mode, use the following command:
user user-name

l user-name - Specifies the user name. You can specify up to 63 characters.

This command creates a user and leads you into its configuration mode; if the user name already exists, you enter the user configuration mode directly. To delete the specified user, in the AAA server configuration mode, use the following command:
no user user-name

Configurations of a local user include:

l Basic settings: password, expiration, description and user group configuration.

l Dial-up VPN settings: IKE ID configuration.

l PnPVPN settings: DNS server, WINS server, IP/netmask/gateway/tunnel routing of DHCP address pool and tunnel routes. For detailed information, see “Configuring User’s Network” of “VPN”.

Configuring Password

To specify a password, in the user configuration mode, use the following command:
password [irreversible-cipher] password

l irreversible-cipher - Encrypts the user's password with an irreversible encryption algorithm. If this parameter is not specified, the encryption mode is reversible encryption.

l In reversible encryption mode, the system uses the reversible encryption algorithm AES to encrypt the user password. In some authentication scenarios, the system can decrypt the password for authentication.

l In irreversible encryption mode, the system uses the irreversible (one-way) SHA algorithm to encrypt user passwords. The passwords cannot be decrypted. In this case, the user cannot authenticate through CHAP (Challenge Handshake Authentication Protocol, which is used in L2TP VPN and 802.1X).

l password - Specifies the user password. You can specify up to 31 characters.

To delete a password, in the user configuration mode, use the following command:
no password

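As an added illustration (not code from this guide or from Hillstone) of why the irreversible mode rules out CHAP: the Python below models both storage modes with stand-ins (a keyed XOR keystream in place of AES, salted SHA-256 in place of the unspecified SHA variant) and shows that a CHAP-MD5 response (RFC 1994) can only be verified when the cleartext password is recoverable, while PAP-style cleartext checks work with either store.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not Hillstone code. Models the two password storage modes the
# guide describes and why only the reversible one can serve CHAP.


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994, section 4.1): MD5(Identifier || Secret || Challenge).

    The verifier must recompute this value, so it needs the cleartext secret.
    """
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ReversibleStore:
    """Stand-in for the reversible (AES) store: the device can recover the password.

    A keyed SHA-256 keystream XOR is used so the demo has no dependencies; it is
    NOT AES and NOT Hillstone's scheme, only 'something the server can undo'.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._users = {}  # user -> encrypted password bytes

    def _keystream(self, user: str, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            block = self._key + user.encode() + counter.to_bytes(4, "big")
            out += hashlib.sha256(block).digest()
            counter += 1
        return out[:length]

    def add_user(self, user: str, password: str) -> None:
        pw = password.encode()
        ks = self._keystream(user, len(pw))
        self._users[user] = bytes(a ^ b for a, b in zip(pw, ks))

    def recover(self, user: str) -> bytes:
        ct = self._users[user]
        ks = self._keystream(user, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))

    def verify_pap(self, user: str, password: str) -> bool:
        """Cleartext comparison (PAP style); possible with any store."""
        return hmac.compare_digest(self.recover(user), password.encode())

    def verify_chap(self, user: str, ident: int, challenge: bytes,
                    response: bytes) -> Optional[bool]:
        expected = chap_response(ident, self.recover(user), challenge)
        return hmac.compare_digest(expected, response)


class IrreversibleStore:
    """Stand-in for the irreversible (SHA) store: salted SHA-256 is assumed here."""

    def __init__(self) -> None:
        self._users = {}  # user -> (salt, digest)

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def verify_pap(self, user: str, password: str) -> bool:
        salt, digest = self._users[user]
        candidate = hashlib.sha256(salt + password.encode()).digest()
        return hmac.compare_digest(candidate, digest)

    def verify_chap(self, user: str, ident: int, challenge: bytes,
                    response: bytes) -> Optional[bool]:
        # The cleartext secret was never kept, so the expected MD5 value cannot be
        # recomputed: CHAP (L2TP VPN, 802.1X) is impossible, as the guide states.
        return None


def demo() -> dict:
    """Run both stores against a constructed CHAP exchange and return the outcomes."""
    ident, challenge = 7, bytes(range(16))           # constructed sample values
    reversible = ReversibleStore(key=b"demo-key")    # constructed key
    irreversible = IrreversibleStore()
    for store in (reversible, irreversible):
        store.add_user("alice", "s3cret")
    good = chap_response(ident, b"s3cret", challenge)  # what a correct client sends
    bad = chap_response(ident, b"wrong", challenge)
    return {
        "reversible_chap_ok": reversible.verify_chap("alice", ident, challenge, good),
        "reversible_chap_bad": reversible.verify_chap("alice", ident, challenge, bad),
        "irreversible_chap": irreversible.verify_chap("alice", ident, challenge, good),
        "irreversible_pap_ok": irreversible.verify_pap("alice", "s3cret"),
        "irreversible_pap_bad": irreversible.verify_pap("alice", "wrong"),
    }
```
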
Specifying a User Expiration Date

An expired user cannot pass the authentication, so it becomes an invalid user. By default, all users
have no expiration date set.
To specify the expiration date and time for a user, in the user configuration mode, use the following command:
expire Month/day/year HH:MM

l Month/day/year HH:MM - Specifies the date and time in the format month/day/year hour:minute. For example, expire 02/12/2010 12:00 indicates that the user becomes invalid from 12:00 on February 12, 2010.

To cancel the expiration date configuration, in the user configuration mode, use the following command:
no expire

Describing a User

To give a description to a user, in the user configuration mode, use the following command:
desc string

l string - Specifies the description, at most 31 characters.

To delete the description, in the user configuration mode, use the following command:
no desc

Specifying an IKE ID

Dial-up VPN users need IKE IDs. To specify an IKE ID, in the user configuration mode, use the following command:
ike_id {fqdn string | asn1dn string | key-id string}

l fqdn string - Uses an IKE ID of the FQDN (Fully Qualified Domain Name) type. string is the ID content.

l asn1dn string - Uses an IKE ID of the ASN.1 DN type, which is only applicable to a user with a certificate. string is the ID content.

l key-id string - Specifies an ID of the Key ID type. This type can only be used with the XAUTH function.

To delete the IKE ID of a user, in the user configuration mode, use the following command:
no ike_id

Specifying a User Group

You can categorize users into groups according to your needs. One user is allowed to be in multiple groups.
To specify a group for a user, in the user configuration mode, use the following command:
group user-group-name

l user-group-name - Specifies the name of an existing group in the system. You can specify up to 127 characters.

Repeat this command to define more user groups for a user. Note: If a user is added to more than 256 groups, only the first 256 group associations take effect, in the order in which they were associated. This principle also applies when the group associations are configured on an external authentication server.
To cancel a user-user group relationship, in the user configuration mode, use the following command:
no group user-group-name

Tip: For more information about user group settings, see Configuring a User
Group.

Viewing User/User Group Information

To view the information of user/user group, in any mode, use the following commands:

l Show all users:
show user

l Show a specific user:
show user aaa-server server-name [name user-name]

l Show the IP/MAC and user bindings:
show user-binding aaa-server server-name

l Show user groups:
show user-group aaa-server server-name

Configuring a User Group


You can configure users or user groups on a local AAA server. To enter the local AAA server con-
figuration mode, in the global configuration mode, use the command aaa-server aaa-server-name
type local.
To create a local user group, in the local AAA server configuration mode, use the following com-
mand:
user-group user-group-name

l user-group-name - Specifies a name for the user group.

This command creates the user group and leads you into the user group configuration mode; if the
user group of the specified name exists, you will enter the user group configuration mode directly.
To delete the specified user group, use the following command:
no user-group user-group-name

To add a member (either a user or another user group) to the user group, in the user group con-
figuration mode, use the following command:
member {user user-name | group user-group-name}

l user-name - Specifies the user name.

l user-group-name - Specifies the user group name. A user group can include up to five nested
layers, but a group cannot add itself as a member.

Repeat this command to add more members to a group.

To delete a member from a user group, in the user group configuration mode, use the following command:
no member {user user-name | group user-group-name}

Configuring a Role
Role configurations include:

l Creating a role

l Creating a role mapping rule

l Configuring a role combination

Creating a Role

To create a role, in the global configuration mode, use the following command:
role role-name

l role-name - Specifies a name for the role. You can specify up to 31 characters.

To delete a role, in the global configuration mode, use the following command:
no role role-name

Creating a Role Mapping Rule

Role mapping rule defines the mapping relationship between a role and user/user group. StoneOS
supports up to 64 role mapping rules, and each rule has a maximum number of 256 entries.
When the authentication for SCVPN is set to USB Key certificate authentication ("User-
name/Password + USB Key Certificate" or "USB Key only"), the system can map a role for the
user according to the CN, OU or DN field of the USB Key certificate. For more information
about USB Key authentication, see “Authentication With USB Key Certificate” of “VPN”.
To enter the role mapping rule configuration mode, in the global configuration mode, use the fol-
lowing command:
role-mapping-rule rule-name

l rule-name - Specifies a name for the role mapping rule. You can specify up to 31 characters.
This command creates a rule and leads you into the role mapping rule configuration mode; if this rule already exists, you enter its configuration mode directly.

To delete the specified role mapping rule, in the global configuration mode, use the following command:
no role-mapping-rule rule-name

To configure a role mapping rule, in the role mapping rule configuration mode, use the following command:
match {any | user user-name | user-group user-group-name | cn cn-field | ou ou-field | user-attribute user-attribute-name | certificate-dn dn-field} role role-name

l any | user user-name | user-group user-group-name | cn cn-field | ou ou-field | user-attribute user-attribute-name | certificate-dn dn-field - Specifies the user, user group, certificate name, organization unit, user attribute or distinguished name for the mapping. any refers to any user, user group, certificate name, organization unit, user attribute or distinguished name in the system.

l role role-name - Specifies a role to be mapped in this rule.

Repeat this command to add more mapping rules.

To delete the specified mapping rule, in the role mapping rule configuration mode, use the following command:
no match {any | user user-name | user-group user-group-name | cn cn-field | ou ou-field | user-attribute user-attribute-name | certificate-dn dn-field} role role-name

Configuring a User Attribute Instance

To configure a user attribute instance, you need to enter the configuration mode of the user attrib-
ute instance. In the global configuration mode, use the following command:
role-mapping-source user-attribute user-attribute-name protocol-type {radius | ad/ldap}

l user-attribute-name - Specifies the name of the user attribute instance.

l protocol-type {radius | ad/ldap} - Specifies the protocol type, which can be RADIUS
(radius) or AD/LDAP (ad/ldap).

After this command is performed, the system creates a user attribute instance with the specified
name and protocol type and enters the configuration mode of the user attribute instance. If the
specified user attribute instance name exists, you will directly enter the configuration mode of the
user attribute instance.

Notes: The system supports up to 64 user attribute instances.

In the global configuration mode, use the no role-mapping-source user-attribute user-attribute-name command to cancel the configured user attribute instance.


Configuring Filters
To configure filters for the user attribute instance, in the configuration mode of the user attribute
instance, use the following command:
attribute attribute-value {contain | end-with | equal-to | greater-than | less-than | same-as |
start-with} value

l attribute-value - Specifies the name of the user attribute. The name can be user-defined or
common names of user attributes.

l contain | end-with | equal-to | greater-than | less-than | same-as | start-with - Specifies the mapping operation, which can be contain, end-with, equal-to, greater-than, less-than, same-as, or start-with.

l value - Specifies the mapping value of the user attribute.

Notes:
l Each user attribute instance supports up to 8 filters.

l When the protocol type is RADIUS, the mapping operation associated with string-typed user attributes can only be contain, start-with, end-with, or same-as. The mapping operation associated with number-typed user attributes can only be equal-to, greater-than, or less-than.

l When the mapping operation is contain, start-with, end-with, or same-as, the mapping value can be a string or a number. When the mapping operation is equal-to, greater-than, or less-than, the mapping value can only be a number.

In the configuration mode of the user attribute instance, use the following command to delete
configured filters of the user attribute instance:
no attribute attribute-value {contain | end-with | equal-to | greater-than | less-than | same-as | start-with} value

Configuring the Matching Policy


To configure the matching policy of the user attribute instance, in the configuration mode of the
user attribute instance, use the following command:
match {once | all}

l once | all - Specifies the matching policy of the user attribute instance: Once or All. once - The user is matched to the role mapped to the user attribute instance when the user hits any filter configured in the user attribute instance. all - The user is matched to the role mapped to the user attribute instance only when the user hits all filters configured in the user attribute instance.

In the configuration mode of the user attribute instance, use the no match command to cancel the
specified matching policy of the user attribute instance.
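
As an added example (Python, not code from this guide or from the device) of how the filters, the RADIUS typing rule and the once/all policy combine, the evaluator below models a user attribute instance and applies it to constructed RADIUS reply attributes; a RADIUS string operation meeting a numeric attribute simply does not hit, which is an assumption since the guide does not state the device's behaviour in that case.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Added example, not Hillstone code: models the user attribute instance, its
# filters and the once/all matching policy described in the guide.

STRING_OPS = {"contain", "start-with", "end-with", "same-as"}
NUMBER_OPS = {"equal-to", "greater-than", "less-than"}
Value = Union[str, int]


@dataclass(frozen=True)
class Filter:
    """One 'attribute <name> <op> <value>' line of a user attribute instance."""
    attribute: str
    op: str
    value: Value

    def __post_init__(self) -> None:
        if self.op not in STRING_OPS | NUMBER_OPS:
            raise ValueError(f"unknown mapping operation {self.op!r}")
        # Guide: equal-to / greater-than / less-than accept only numbers.
        if self.op in NUMBER_OPS and not isinstance(self.value, int):
            raise ValueError(f"{self.op} requires a numeric mapping value")

    def hit(self, actual: Value, protocol: str) -> bool:
        if self.op in NUMBER_OPS:
            if not isinstance(actual, int):
                return False  # assumption: a non-numeric attribute never hits a numeric op
            return {"equal-to": actual == self.value,
                    "greater-than": actual > self.value,
                    "less-than": actual < self.value}[self.op]
        # RADIUS rule from the guide: string ops apply to string-typed attributes only.
        if protocol == "radius" and not isinstance(actual, str):
            return False
        a, v = str(actual), str(self.value)  # string ops accept string or number values
        return {"contain": v in a,
                "start-with": a.startswith(v),
                "end-with": a.endswith(v),
                "same-as": a == v}[self.op]


@dataclass
class UserAttributeInstance:
    """role-mapping-source user-attribute <name> protocol-type {radius | ad/ldap}"""
    name: str
    protocol: str            # "radius" or "ad/ldap"
    policy: str = "once"     # match {once | all}
    filters: List[Filter] = field(default_factory=list)

    def add_filter(self, f: Filter) -> None:
        if len(self.filters) >= 8:      # guide: up to 8 filters per instance
            raise ValueError("a user attribute instance supports at most 8 filters")
        self.filters.append(f)

    def matches(self, attrs: Dict[str, Value]) -> bool:
        hits = [f.attribute in attrs and f.hit(attrs[f.attribute], self.protocol)
                for f in self.filters]
        if not hits:
            return False
        return any(hits) if self.policy == "once" else all(hits)


def roles_for(attrs: Dict[str, Value], rules: List[tuple]) -> set:
    """rules: (instance, role) pairs, i.e. 'match user-attribute <name> role <role>'."""
    return {role for inst, role in rules if inst.matches(attrs)}


def demo() -> dict:
    """Constructed RADIUS reply attributes evaluated against two instances."""
    vip = UserAttributeInstance("vip", "radius", policy="all")
    vip.add_filter(Filter("Filter-Id", "contain", "vip"))
    vip.add_filter(Filter("Session-Timeout", "greater-than", 3600))
    staff = UserAttributeInstance("staff", "radius", policy="once")
    staff.add_filter(Filter("Class", "start-with", "staff"))
    staff.add_filter(Filter("Filter-Id", "same-as", "vip"))
    rules = [(vip, "role_vip"), (staff, "role_staff")]   # constructed mapping rules
    alice = {"Filter-Id": "vip-sales", "Session-Timeout": 7200, "Class": "staff-eu"}
    bob = {"Filter-Id": "vip", "Session-Timeout": 600}
    return {"alice": roles_for(alice, rules), "bob": roles_for(bob, rules)}
```
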

Configuring a Role Combination

Roles can be grouped using logical operations into a role combination. To configure a role combination, in the global configuration mode, use the following command:
role-expression [not] r1 [{and | or} [not] r2] role r3

l [not] r1 - Specifies the first role in this combination. not means excluded; r1 refers to the
name of an existing role. For example, “not testrole1” means all roles other than testrole1.

l and | or - Specifies the logical operator.

l [not] r2 - Specifies the second role in this combination. r2 refers to the name of an existing
role.

l role r3 - Specifies the calculated result. r3 refers to the name of the result.

To delete the specified role combination, in the global configuration mode, use the following command:
no role-expression [not] r1 [{and | or} [not] r2] role r3

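As an added example (Python, not code from this guide or from Hillstone) of the role combination semantics above, the parser and evaluator below read lines in the role-expression syntax and grant the result role r3 to a user whose held roles satisfy the expression; "not r1" therefore matches every user who does not hold r1, and an earlier result can serve as r1 or r2 of a later expression, which the guide allows since both may name any existing role.

```python
import shlex
from typing import Dict, Iterable, Optional, Set

# Added example, not Hillstone code: parses the role-expression syntax and
# evaluates it against the set of roles a user already holds.


def parse_role_expression(line: str) -> Dict[str, object]:
    """Parse 'role-expression [not] r1 [{and | or} [not] r2] role r3' into its parts."""
    tok = shlex.split(line)
    if not tok or tok[0] != "role-expression":
        raise ValueError("expected a line starting with role-expression")
    try:
        i = 1
        not1 = tok[i] == "not"
        i += int(not1)
        r1 = tok[i]
        i += 1
        op: Optional[str] = None
        not2 = False
        r2: Optional[str] = None
        if i < len(tok) and tok[i] in ("and", "or"):
            op = tok[i]
            i += 1
            not2 = tok[i] == "not"
            i += int(not2)
            r2 = tok[i]
            i += 1
        if tok[i] != "role" or i + 2 != len(tok):
            raise ValueError
    except (IndexError, ValueError):
        raise ValueError(f"malformed role-expression: {line!r}") from None
    return {"not1": not1, "r1": r1, "op": op, "not2": not2, "r2": r2,
            "result": tok[i + 1]}


def evaluate(expr: Dict[str, object], held: Set[str]) -> bool:
    """True when the user's held roles satisfy the combination."""
    a = (expr["r1"] in held) != expr["not1"]   # 'not r1': every user without r1
    if expr["op"] is None:
        return a
    b = (expr["r2"] in held) != expr["not2"]
    return (a and b) if expr["op"] == "and" else (a or b)


def apply_role_expressions(lines: Iterable[str], held: Iterable[str],
                           known_roles: Optional[Set[str]] = None) -> Set[str]:
    """Apply combinations in configuration order; each satisfied expression grants r3.

    known_roles, when given, enforces the guide's rule that r1/r2 name existing roles.
    """
    roles = set(held)
    for line in lines:
        e = parse_role_expression(line)
        if known_roles is not None:
            for r in (e["r1"], e["r2"]):
                if r is not None and r not in known_roles:
                    raise ValueError(f"{r!r} is not an existing role")
        if evaluate(e, roles):
            roles.add(e["result"])
    return roles


def demo() -> Dict[str, Set[str]]:
    config = [   # constructed role combinations in the guide's syntax
        "role-expression staff and not contractor role fulltime",
        "role-expression not testrole1 role non_test",
        "role-expression fulltime or vip role priority_qos",
    ]
    known = {"staff", "contractor", "testrole1", "vip",
             "fulltime", "non_test", "priority_qos"}
    return {
        "alice": apply_role_expressions(config, {"staff"}, known),
        "bob": apply_role_expressions(config, {"staff", "contractor", "testrole1"}, known),
        "carol": apply_role_expressions(config, {"vip"}, known),
    }
```

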
Viewing Role Information

To view role related information, use the following commands:

l Show role information: show role

l Show role mapping rule information: show role-mapping-rule [rule-name]

l Show role combination information: show role-expression

Configuring a MGT Interface


You can log in to the Hillstone device over the Console port, Telnet, SSH, or WebUI, and configure their timeout settings, port numbers and the PKI trust domain of HTTPS.
If you fail to log in to the device three times within one minute over Telnet, SSH, HTTP or HTTPS, your login attempts are refused for two minutes.

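The lockout rule just stated, modelled as an added Python example (not code from this guide or from Hillstone) so that its sliding-window semantics can be reasoned about, for instance when tuning alerting on repeated management-plane login failures; whether the rule is keyed per client address or per account, and whether attempts made while locked extend the lock, are not stated in the guide, so this model keys on a caller-supplied source string and ignores attempts while locked (assumptions).

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

# Added example, not Hillstone code: three failed logins within one minute lead
# to two minutes of refused attempts, as the guide states for Telnet/SSH/HTTP(S).

WINDOW_SECONDS = 60
MAX_FAILURES = 3
LOCK_SECONDS = 120


class LoginLockout:
    def __init__(self) -> None:
        self._failures: Dict[str, Deque[float]] = {}   # source -> failure timestamps
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, source: str, now: float) -> bool:
        return now < self._locked_until.get(source, 0.0)

    def attempt(self, source: str, success: bool, now: float) -> str:
        """Classify one login attempt: 'refused', 'accepted', 'failed' or 'locked'."""
        if self.is_locked(source, now):
            return "refused"            # assumption: attempts while locked are ignored
        if success:
            self._failures.pop(source, None)
            return "accepted"
        q = self._failures.setdefault(source, deque())
        while q and now - q[0] >= WINDOW_SECONDS:   # keep only failures of the last minute
            q.popleft()
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self._locked_until[source] = now + LOCK_SECONDS
            q.clear()
            return "locked"
        return "failed"


def replay(events: List[Tuple[float, str, bool]]) -> List[str]:
    """Feed constructed (seconds, source, success) events and return the verdicts."""
    lock = LoginLockout()
    return [lock.attempt(src, ok, t) for t, src, ok in events]
```

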
Configuring a Console MGT Port


This section describes how to configure the baud rate and timeout value of the console port.

Configuring the Baud Rate

To configure the baud rate of the console port, in any mode, use the following command:
exec console baudrate {9600 | 19200 | 38400 | 57600 | 115200}

l 9600 | 19200 | 38400 | 57600 | 115200 - Specifies the baud rate. The unit is bps.

Note: The default value is 115200 bps for the A series, K series (excluding K2680 and K2380), and X8180. The default value is 9600 bps for the E series, X series (excluding X8180), K2680, and K2380.

Notes: When you log in to the device, the baud rate of your console terminal must match the console baud rate specified here.

Configuring Timeout

If the logged-in administrator performs no configuration before the timeout expires, the system disconnects the connection.
To configure the console timeout value, in the global configuration mode, use the following command:
console timeout timeout-value

l timeout-value - Specifies the console timeout value. The value range is 0 to 60 minutes; the value 0 means no time limit. The default value is 10.

To restore the default console timeout value, in the global configuration mode, use the following command:
no console timeout

Configuring a Telnet MGT Interface


When you log in to the device over Telnet, your Telnet client port must match the device Telnet port specified here. If an established Telnet connection sends no Telnet request before the timeout expires, it is disconnected.
To configure the Telnet timeout value, in the global configuration mode, use the following command:
telnet timeout timeout-value

l timeout-value - Specifies the Telnet timeout value. The range is 1 to 60 minutes. The default value is 10.

To restore the default Telnet timeout value, in the global configuration mode, use the following command:
no telnet timeout

To configure the allowed maximum number of sessions, in the global configuration mode, use the following command:
telnet max-session max-session

l max-session - Specifies the allowed maximum number of sessions. The maximum number of sessions differs between platforms. The default value on each platform is its maximum number of sessions.

To restore the session number to the default value, in the global configuration mode, use the following command:
no telnet max-session

To specify the port number of Telnet, in the global configuration mode, use the following com-
mand:
telnet port port-number

l port-number - Specifies Telnet port number. The range is 1 to 65535. The default value is 23.

To restore to the default value, in the global configuration mode, use the following command:
no telnet port

The Telnet maximum login number defines how many times you can try to log in to the device over Telnet. If you fail more than the maximum number of times, your Telnet login attempts are refused.
To specify the Telnet maximum login number, in the global configuration mode, use the following command:
telnet authorization-try-count count-number

l count-number - Specifies the maximum login number. The value range is 1 to 10 times. The default value is 3.

To restore the default value, in the global configuration mode, use the following command:
no telnet authorization-try-count

Configuring an SSH MGT Interface


This section describes how to configure the SSH timeout value, port number and connection interval.
The SSH timeout value defines the maximum idle time of an SSH connection. If an established SSH connection sends no SSH request before the timeout expires, it is disconnected.

To configure the SSH timeout value, in the global configuration mode, use the following command:
ssh timeout timeout-value

l timeout-value - Specifies the SSH maximum idle time. The value range is 1 to 60 minutes. The default value is 10.

To restore the default value, in the global configuration mode, use the following command:
no ssh timeout

To configure the allowed maximum number of sessions, in the global configuration mode, use the following command:
ssh max-session max-session

l max-session - Specifies the allowed maximum number of sessions. The maximum number of sessions differs between platforms. The default value on each platform is its maximum number of sessions.

To restore the session number to the default value, in the global configuration mode, use the following command:
no ssh max-session max-session

To set the SSH port number, in the global configuration mode, use the following command:
ssh port port-number

l port-number - Specifies the SSH port number. The value range is 1 to 65535. The default value is 22.

To restore the default SSH port number, in the global configuration mode, use the following command:
no ssh port

The SSH connection interval specifies how often SSH connection requests are accepted: after an SSH connection is established, the device accepts the next SSH connection request only after the interval specified here. To configure the SSH connection interval, in the global configuration mode, use the following command:
ssh connection-interval interval-time

l interval-time - Specifies an interval time. The value range is 2 to 3600 seconds. The default
value is 2.

To restore to the default value, in the global configuration mode, use the following command:
no ssh connection-interval

Configuring a WebUI MGT Interface


This section describes how to configure parameters of WebUI (HTTP or HTTPS) access.
To define the WebUI timeout value, in the global configuration mode, use the following com-
mand:
web timeout timeout-value

l timeout-value - Specifies the WebUI timeout value. The value range is 1 to 1440 minutes.
The default value is 10.

To restore to the default WebUI timeout value, in the global configuration mode, use the fol-
lowing command:
no web timeout
To specify the HTTP port number, in the global configuration mode, use the following command:
http port port-number

l port-number - Specifies the port number of HTTP. When visiting WebUI over HTTP, the
browser’s HTTP port must be the same as the port number specified here. The value range
is 1 to 65535. The default value is 80.

To restore to the default HTTP port number, in the global configuration mode, use the following
command:
no http port

To configure the anti-XSS service, in the global configuration mode, use the following command:
http anti-xss {disable | enable | mode {normal | strict}}

l disable | enable - Disables/enables the anti-XSS service. By default, this service is enabled.

l mode {normal | strict} - Specifies the mode of the anti-XSS service: the character matching mode or the regular expression mode.

In the global configuration mode, use the following command to restore the default configuration:
no http anti-xss {disable | enable | mode {normal | strict}}

Click-jacking is a visual deception technique: the attacker covers a web page with an invisible iframe and induces the end user to perform operations on that page, so the end user clicks on the invisible iframe page without knowing it. To prevent the attacker's page from embedding the WebUI page of the firewall, you can enable the anti-click-jacking function, which adds an "X-Frame-Options: sameorigin" header to the response to make sure all WebUI pages of the firewall come from the same domain name. By default, the anti-click-jacking function is enabled.

To disable the anti-click-jacking function, in the global configuration mode, use the following command:
http anti-click-jacking disable

To enable the anti-click-jacking function, in the global configuration mode, use the following command:
http anti-click-jacking enable


Users can access the device via HTTPS or GM HTTPS:

l HTTPS: The system communicates with the client (browser) based on the TLS/SSL pro-
tocol;

l GM HTTPS: The system communicates with the client (GM browser) based on the GM
TLS/SSL protocol. In the SSL authentication process, two certificates are used, including the
signature certificate and the encryption certificate.

To enable or disable GM HTTPS, in the global configuration mode, use the following command:
https ssl-protocol-gm {enable | disable}

l enable | disable - Enables or disables GM HTTPS.

To specify the HTTPS port number, in the global configuration mode, use the following com-
mand:
https port port-number

l port-number - Specifies the HTTPS port number. When visiting WebUI over HTTPS, the
browser’s HTTPS port number must be the same as the port number specified here. The
value range is 1 to 65535. The default value is 443.

To restore to the default HTTPS port number, in the global configuration mode, use the fol-
lowing command:
no https port

To specify the PKI trust domain for HTTPS access, or specify the PKI trust domain of signature
certificate for GM HTTPS access, in the global configuration mode, use the following command:
https trust-domain trust-domain-name

l trust-domain-name - Specifies the name of a configured PKI trust domain. When users access the device via HTTPS, in the SSL authentication process, the HTTPS server uses the certificate stored in the specified PKI trust domain. When users access the device via GM HTTPS, in the GMSSL authentication process, the HTTPS server uses the certificate stored in the specified PKI trust domain as the signature certificate. By default, the system uses the default PKI trust domain trust_domain_default.

To restore the default PKI trust domain, in the global configuration mode, use the following command:
no https trust-domain

GM HTTPS applies two certificates. Therefore, when GM HTTPS is enabled, you should specify
the PKI trust domain of the encryption certificate. To specify the PKI trust domain of the encryp-
tion certificate, in the global configuration mode, use the following command:
https trust-domain-enc trust-domain-name

l trust-domain-name - Specifies the name of a configured PKI trust domain. When users access the device via GM HTTPS, in the GMSSL authentication process, the HTTPS server uses the certificate stored in the specified PKI trust domain as the encryption certificate. By default, the system uses the default PKI trust domain trust_domain_default.

To restore the default encryption trust domain for GM HTTPS access, in the global configuration mode, use the following command:
no https trust-domain-enc

Viewing MGT Interface Configuration Information


To view management interface configuration information, in any mode, use the following com-
mands:

l Show console port configuration information: show console

l Show Telnet configuration information: show telnet

l Show SSH configuration information: show ssh

l Show Web configuration information: show http

Configuring a Storage Device


The Hillstone network behavior control feature allows you to keep full records of users' network behaviors. The logs are stored in a local database in the form of a database file.
The storage device that accommodates the local database can be an SD card, a USB disk or the storage expansion module provided by Hillstone.

Formatting a Storage Device


If a storage device cannot function, or its file system is not supported by StoneOS, or it has not
been formatted yet, you can execute formatting command to repair it, change its file system or
format it.
To format a storage device, in any mode, use the following command:
exec format [sd0 | usb0 | usb1 | storageX]

l sd0 - Formats the SD card in the SD slot.

l usb0 | usb1 - Formats the USB disk inserted to the device’s USB port.

l storageX - Formats the storage expansion module in the specified slot. X is the slot number; its value range varies by platform type.

Notes: Formatting a storage device erases all the data in it. You should back up your
files.

Removing a Storage Device


If you pull out the storage device with force, unsaved data may be lost. To ensure data integrity,
you should use the command below to safely remove the device.
To safely remove a storage device, in any mode, use the following command:
exec detach [sd0 | usb0 | usb1 | storageX]

l sd0 - Removes the SD card from the SD slot.

l usb0 | usb1 - Removes the USB disk from the specified USB port.

l storageX - Removes the storage expansion module from the specified slot.

Upgrading Database Data


After you upgrade the system to a new version, both the earlier and new versions of data, such as
logs, monitoring data, and reports, exist in the database. Due to the format inconsistency between
these two versions of data, you may not be able to view the earlier version of data. To ensure that
system features can be displayed and used properly, you need to upgrade the earlier version of
data in the database to the data in the format that complies with the new version. If you do not
need the earlier version of data, delete it.
To upgrade database data, in any mode, use the following command:
exec database data {upgrade | delete}

l upgrade - Upgrades the earlier version of data whose format is inconsistent with that of the new version of data. If the system is downgraded to a lower version, the upgrade status of data in the database is Upgrade not started. In this case, you can use this command to downgrade database data to the format that complies with the new version.

l delete - Deletes the earlier version of data whose format is inconsistent with that of the new version of data.

Viewing Upgrade Status of Database Data


The upgrade statuses of database data include "Upgrade not started", "Upgrading", and "No data-
base files need to be upgraded". To view the upgrade status of database data, in any mode, use the
following command:
show mysql data operate
An example command output is shown as follows:

hostname#show mysql data operate


Mysql database progress:
============================================
State Percentage
----------------------------------------------------------------------
Upgrade not started.
============================================

Configuring Storage Management


The storage management function helps you manage system storage space by deleting logs or stopping logging.

Configuring Threshold Alarm


When the system storage ratio or storage space reaches the specified threshold, the system will
perform the specified action to control the system storage.

Chapter 4 System Management 586


To configure the threshold of alarm, in the global configuration mode, use the following com-
mand:
storage threshold percent percent-value {automatically-overwirte | stop-overwrite} mode
{global | by-log}

l percent percent-value – Specify the threshold of alarm. The storage ratio ranges from 1% to
90%.

l automatically-overwirte | stop-overwrite – Specifies the action the system performs when the
threshold is reached: overwrite the earliest data, or stop recording new data.

l automatically-overwirte - The system deletes the earliest logs to make room.

l stop-overwrite - The system stops storing new logs.

l global | by-log – Specify the calculated mode of the storage threshold.

l global - The storage threshold is calculated based on the total storage space.

l by-log - The storage threshold is calculated based on the separate storage space of each
module log.

Note: For devices without hard disks, the storage threshold is calculated by-log by default,
and the storage space for logs and reports is a fixed value.

Enabling/Disabling Threshold Alarm


When the system storage ratio or storage space reaches the specified threshold, the system records
an alarm log message.
To enable or disable the threshold alarm log, in the global configuration mode, use the following
command:
Enable: storage threshold alert-log enable
Disable: storage threshold alert-log disable



Configuring Storage Space of Log
The system allocates a default disk space size for the log of each module, and you can customize
the disk space size for the log as needed.
To configure the storage space of log, in the global configuration mode, use the following com-
mand:
storage threshold log {configuration | event | network | sandbox | threat | traffic {session |
nat} } percent-value

l {configuration | event | network | sandbox | threat | traffic {session | nat} } percent-value


- Specify the disk space size of the log.

To restore to the default disk space size of log, use the following command:
no storage threshold log {configuration | event | network | sandbox | threat | traffic {session |
nat} }
The default disk space size differs by device model and log type. After restoring the default disk
space size of a log, use the show storage threshold command to view the settings in effect.

Configuring Storage Space of Report


The system allocates a default disk space size for the report file, and you can customize the disk
space size for the report file as needed.
To configure the storage space of report, in the global configuration mode, use the following com-
mand:
storage threshold log report percent-value

l report percent-value - Specify the disk space size of the report file.

Note: For devices without hard disks, the storage space for reports is a fixed value.

Configuring Long-term Monitor Storage Size


You can customize the storage size of statistical data for the Long-term Monitor function.
To configure the storage size of statistical data for the Long-term Monitor function, run the fol-
lowing command in the global configuration mode:



storage threshold statistics-long-term percent-value

l percent-value - Configure the storage size of statistical data for the Long-term Monitor func-
tion. Valid values: 0.01% to 90%. Default value: 10%.

Configuring a Packet Loss Storage Size


You can customize a storage size for packet loss statistics.
To configure a storage size for packet loss statistics, run the following command in the global con-
figuration mode:
storage threshold module-drop-counter percent-value

l percent-value - Specifies the storage size for packet loss statistics. Valid values: 0.1%-90%.
Default value: 2%. If the storage usage exceeds the threshold, earlier statistical data is deleted.

Managing Configuration Files


All system configuration information, such as the initial and current configuration, is stored in
configuration files. You can view the configuration through the command line or the WebUI; in both
cases the information is stored and displayed in command-line format.

Managing Configuration Information


This section describes how to view, import, export and save the configuration information.

Notes: Passwords of local users will not be exported when you export configuration
information.

Viewing Configuration Information

Initial configuration information, stored in the configuration file, is used to configure the system
parameters when the device is powered on. If no proper initial configuration information is found,
the device uses default parameters to initialize the system. The parameter settings the system is
using now are called the current configuration information.
StoneOS saves ten versions of initial configuration information. The latest one is used by the sys-
tem as its initial configuration when it starts up; the other versions are backup files. The last
saved configuration is marked as "Startup" and the nine backup versions are numbered from 0 to 8
according to the time they were saved.

Notes: If you have rolled back to a specified saved initial configuration, the con-
figuration information is marked as "Startup".

To view the initial configuration information, in any mode, use the following command:
show configuration [startup]
To view configuration information other than the current one, in any mode, use the following
command:
show configuration backup number

l number - Specifies the number of the configuration information.

To view the configuration information record other than the current one, in any mode, use the fol-
lowing command:
show configuration

To view the current interface configuration information, in any mode, use the following com-
mand:
show configuration interface [ interface-name | last number ]

l interface-name – Specifies the name of the interface whose configuration is to be displayed.

l last number – Specifies how many interface entries to display, counted from the end. The system
displays the interface configuration from the specified entry through the last entry.

To view the current configuration information, in any mode, use the following command:
show configuration record



To view the current configuration information the system is using, in any mode, use the following
command:
show configuration running

To view the current address book configuration information the system is using, in any mode, use
the following command:
show configuration [ ipv4 | ipv6 ] address [last number | address-name ]

l [ipv4 | ipv6] - Specifies to display the configuration information of the IPv4 (ipv4) or IPv6
(ipv6) address entries, including the address entry name, type (pre-defined or user-defined)
and address members. If not specified, it will display the configuration information of all IPv4
and IPv6 address entries.

l last number – Specifies how many address entries to display, counted from the end. The system
displays the address configuration from the specified entry through the last entry, including the
address entry name, type (pre-defined or user-defined) and address members.

l address-name - Specifies to display the configuration information of the address entry with the
specified name, including the address entry name, type (pre-defined or user-defined) and
address members.

To view the current policy configuration information the system is using, in any mode, use the fol-
lowing command:
show configuration policy [last number ]

l last number – Specifies how many policy entries to display, counted from the end. The system
displays the policy configuration from the specified entry through the last entry.

To view the current routing configuration information the system is using, in any mode, use the
following command:
show configuration vrouter [last number ]



l last number – Specifies how many routing entries to display, counted from the end. The system
displays the routing configuration from the specified entry through the last entry.

To output the current configuration information in XML format, in any mode, use the following
command:
show configuration xml

Rolling Back to Previous Configurations

To roll back to a previous configuration, there are two ways:

In the execution mode, use the following command. StoneOS saves the latest ten versions of the
system configuration as initial configuration files for use at system start-up; when the system
restarts, the specified configuration is used.
rollback configuration backup number

l number - Specifies the number of the initial configuration file.

In the configuration rollback mode, use the following command to roll back to the previous con-
figuration and exit the configuration rollback mode. The rolled-back configuration takes effect
without restarting the device.
exec configuration rollback

Notes: In the execution mode, use the exec configuration start command to enter the
configuration rollback mode.

For example:

hostname# exec configuration start                   (Enter the configuration rollback mode)
hostname[TRN]# configure                              (Enter the global configuration mode)
……                                                    (Execute any configuration; it takes effect immediately)
hostname[TRN](config)# exec configuration rollback    (Roll back the configuration and exit the configuration rollback mode)
hostname#

Exiting the Configuration Rollback Mode

To exit the configuration rollback mode directly, you can use the following two ways:
In the configuration rollback mode, use the following command to exit the configuration rollback
mode directly.
exec configuration commit

For example:

hostname# exec configuration start                   (Enter the configuration rollback mode)
hostname[TRN]# configure                              (Enter the global configuration mode)
……                                                    (Execute any configuration; it takes effect immediately)
hostname[TRN](config)# exec configuration commit      (Exit the configuration rollback mode directly)
hostname#

In the configuration rollback mode, use the command exit to exit the terminal directly.

Tip:
l When several users are logged in to the device at the same time, only the user who
enters the configuration rollback mode first can make further configuration changes;
the later users cannot.

l When a user is logged in to the device through different access methods, the session
that enters the configuration rollback mode first can make further configuration
changes, and sessions using other access methods cannot. A session using another
access method can force that session to exit the configuration rollback mode by
command.

Configuring the Action

When you leave the configuration rollback mode with the exit command, the system exits the con-
figuration rollback mode directly by default. To instead roll back to the previous configuration
when exiting, in the global configuration mode, use the following command:
cli-exit-action rollback

To restore the default behavior, in the global configuration mode, use the following command:
cli-exit-action commit

Deleting a Configuration File

To delete a configuration file from the system, in the configuration mode, use the following com-
mand:
delete configuration {startup | backup number }

l startup - Deletes the current configuration file.

l backup number - Deletes the specified backup configuration file.

Saving Configuration Information

When the current configurations are saved, they become the initial configuration information used
by the system as next start-up configurations.
To save the current configurations, in any mode, use the following command:
save [ string ]

l string - Give some description for the saved configuration. If you leave this parameter blank,
the former configurations will be replaced.



Backing up Configuration File Automatically

You can configure the device to back up the configuration file automatically: the device checks the
configuration file at a regular interval and, when it has changed, uploads it to an FTP server, a
TFTP server, an SFTP server or an FTPS server. Note that FTP and TFTP transfer the file, and FTP
its credentials, in cleartext; prefer SFTP or FTPS wherever the path to the backup server is not
trusted.

Notes: For any device platform, the maximum number of system configuration files
that can be backed up is 5.

To back up configuration file to a FTP server automatically, in the global configuration mode, use
the following command:
configuration auto-backup ftp ip-address [user user-name password password ] [vrouter
vrouter-name ] path path [interval time-value ]

l ip-address - Specifies the IP address of FTP server.

l user user-name password password - Specifies the user name and password accessing FTP
server.

l vrouter vrouter-name – Specifies the VRouter name.

l path path - Specifies the path of transferring the configuration files.

l interval time-value – Specifies the update interval. The value range is 1 to 7*24 hours. The
default value is 1 hour. If this parameter is not specified, the system checks the configuration
file hourly and backs up the changed configuration file to the FTP server when the configuration
has changed.

In the global configuration mode, use no configuration auto-backup ftp command to cancel the
settings of backing up configuration file to a FTP server automatically.
To back up configuration file to a TFTP server automatically, in the global configuration mode,
use the following command:
configuration auto-backup tftp ip-address [vrouter vrouter-name ] path path [interval time-
value ]



In the global configuration mode, use no configuration auto-backup tftp command to cancel the
settings of backing up configuration file to a TFTP server automatically.
To back up configuration file to a SFTP server automatically, in the global configuration mode,
use the following command:
configuration auto-backup sftp ip-address [user user-name password password ] [vrouter
vrouter-name ] path path [interval time-value ]

In the global configuration mode, use no configuration auto-backup sftp command to cancel the
settings of backing up configuration file to a SFTP server automatically.
To back up configuration file to a FTPS server automatically, in the global configuration mode,
use the following command:
configuration auto-backup ftps ip-address [user user-name password password ] [vrouter
vrouter-name ] path path [interval time-value ]

In the global configuration mode, use no configuration auto-backup ftps command to cancel the
settings of backing up configuration file to a FTPS server automatically.

Viewing Automatic Backup Information

To view the automatic configuration backup settings, in any mode, use the following command:
show configuration auto-backup

Exporting Configuration Information

Current and backup configurations can be exported to external destinations, including an FTP
server, a TFTP server, an SFTP server, an FTPS server or a USB flash disk.
To export system configurations to an FTP server, in the execution mode, use the following com-
mand:
export configuration {startup [config-filetype zip [zip-password zip-password] ] | backup
number | all-vsys} to ftp server ip-address [vrouter vrouter-name] [user user-name password
password] [file-name]



l startup | backup number | all-vsys - Exports the current startup configurations, the specified
backup configurations or the current startup configurations of VSYS.

l config-filetype zip [zip-password zip-password] - When exporting the current startup con-
figurations, the system supports encrypted and unencrypted ZIP files. zip-password specifies
the compression password of the ZIP file.

l ip-address - Specifies the IP address of FTP server.

l vrouter-name - Exports the configuration information of the specified VRouter.

l user user-name password password - Specifies the username and password of the FTP server.

l file-name - Specifies the name for the file.

To export configurations to a TFTP server, in the execution mode, use the following command:
export configuration { startup [ config-filetype zip [ zip-password zip-password ] ] |
backup number | all-vsys } to tftp server ip-address [ vrouter vrouter-name ] [ file-name ]
To export configurations to an SFTP server, in the execution mode, use the following command:
export configuration { startup [ config-filetype zip [ zip-password zip-password ] ] |
backup number | all-vsys } to sftp server ip-address [ vrouter vrouter-name ] [ user user-name
password password ] [ file-name ]

To export configurations to an FTPS server, in the execution mode, use the following command:
export configuration { startup [ config-filetype zip [ zip-password zip-password ] ] |
backup number | all-vsys } to ftps server ip-address [ vrouter vrouter-name ] [ user user-name
password password ] [ file-name ]

To export system configurations to USB flash disk, in the execution mode, use the following com-
mand:
export configuration { startup [ config-filetype zip [ zip-password zip-password ] ] |
backup number | all-vsys } to { usb0 | usb1 } [ vrouter vrouter-name ] [ file-name ]
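The files produced by export configuration (or by the automatic backup described earlier) are plain command-line text, so they can be compared offline to catch unauthorized changes between two exports. The following Python script is an added example, not code from this guide or from Hillstone: it normalizes two exported configurations, lists the lines that were added or removed, and flags a few security-relevant changes. The two sample configurations, the VOLATILE and SENSITIVE patterns, and the keywords those patterns match are constructed for illustration and must be adapted to the lines your own device actually emits.

```python
"""Detect configuration drift between two exported StoneOS configuration files.

Added example (not part of the original guide). Compares a baseline export,
e.g. from `export configuration backup 0 ...`, with a fresh export of the
startup configuration and flags security-relevant differences. The sample
configurations below are constructed in a StoneOS-like CLI style; the exact
lines a real device emits vary by model and version.
"""
import difflib
import re

# Lines that change on every export without a real configuration change
# (assumed shapes of header/comment lines; adjust to your exports).
VOLATILE = re.compile(r"^\s*(#|!|Saved at|Last modified)", re.IGNORECASE)

# Changes a reviewer would want called out explicitly. The keywords are
# modelled on the command syntax shown in this guide; treat them as assumptions.
SENSITIVE = [
    (re.compile(r"^\s*admin user\b"), "administrator account changed"),
    (re.compile(r"^\s*configuration auto-backup (ftp|tftp)\b"),
     "cleartext backup transport configured"),
    (re.compile(r"^\s*configuration load-by-usb enable\b"), "USB auto-import enabled"),
    (re.compile(r"^\s*action permit\b"), "permit rule changed"),
]


def normalize(text):
    """Return the meaningful configuration lines, with blank and volatile lines dropped."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or VOLATILE.match(line):
            continue
        lines.append(line)
    return lines


def diff_configs(baseline, current):
    """Return (added, removed, findings) between two exported configurations.

    `findings` is a list of (reason, line) for added or removed lines that
    match one of the SENSITIVE patterns.
    """
    base = normalize(baseline)
    cur = normalize(current)
    added, removed = [], []
    # n=0: no context lines, so every emitted line is a real change.
    for line in difflib.unified_diff(base, cur, lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    findings = []
    for line in added + removed:
        for pattern, reason in SENSITIVE:
            if pattern.match(line):
                findings.append((reason, line.strip()))
    return added, removed, findings


# Constructed sample exports (not captured from a device).
BASELINE = """\
# Saved at 2023-01-25 10:00:00
interface ethernet0/0
  zone "trust"
  ip address 10.0.0.1/24
exit
configuration auto-backup sftp 10.0.0.50 user backup password ****** path /cfg interval 1
policy-global
  rule id 1
    src-zone "trust"
    dst-zone "untrust"
    action permit
  exit
exit
"""

CURRENT = """\
# Saved at 2023-01-26 08:30:00
interface ethernet0/0
  zone "trust"
  ip address 10.0.0.1/24
exit
admin user "svc_backup"
  role admin
exit
configuration auto-backup tftp 10.0.0.51 path /cfg interval 1
configuration load-by-usb enable
policy-global
  rule id 1
    src-zone "trust"
    dst-zone "untrust"
    action permit
  exit
exit
"""

if __name__ == "__main__":
    added, removed, findings = diff_configs(BASELINE, CURRENT)
    for line in added:
        print("+", line)
    for line in removed:
        print("-", line)
    for reason, line in findings:
        print("!!", reason + ":", line)
```

Run it against two real exports by reading them into BASELINE and CURRENT; the three findings on the constructed sample (a new administrator, a switch from SFTP to TFTP backups, and USB auto-import being enabled) are exactly the kind of change that should trigger a review rather than being silently overwritten by the next backup.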



Importing Configuration Information

Configuration files can be imported into the system from the FTP server, TFTP server, SFTP
server, FTPS server or USB flash disk inserted to the device USB port.
To import configurations from an FTP server, in the execution mode, use the following com-
mand:
import configuration [all-vsys | config-filetype zip [zip-password zip-password] ] from ftp server
ip-address user user-name password password [vrouter vrouter-name] file-name

l all-vsys – Imports configuration information of all VSYS.

l config-filetype zip [zip-password zip-password] - Specifies the imported file type as being
ZIP. If the file is encrypted, enter the compression password.

l ip-address - Specifies the IP address of FTP server.

l user user-name password password - Specifies the username and password of the FTP server.

l vrouter vrouter-name - Specifies the VRouter name.

l file-name - Specifies a name for the configuration file.

To import configurations from a TFTP server, in the execution mode, use the following com-
mand:
import configuration [all-vsys | config-filetype zip [zip-password zip-password] ] from tftp server
ip-address [vrouter vrouter-name] file-name
To import configurations from a SFTP server, in the execution mode, use the following com-
mand:
import configuration [ all-vsys | config-filetype zip [ zip-password zip-password ] ] from
sftp server ip-address [vrouter vrouter-name ] [user user-name password password ] [ file-name ]
To import configurations from a FTPS server, in the execution mode, use the following com-
mand:



import configuration [ all-vsys | config-filetype zip [ zip-password zip-password ] ] from
ftps server ip-address [vrouter vrouter-name ] [user user-name password password ] [ file-
name ]

To import configurations from a USB flash disk, in the execution mode, use the following com-
mand:
import configuration [all-vsys | config-filetype zip [zip-password zip-password] ] from {usb0 |
usb1} [vrouter vrouter-name] file-name

Enabling/Disabling Importing Configuration from USB Automatically

By default, when the device starts it automatically imports the configuration files found on an
inserted USB disk, replacing all existing configuration files on the device, including predefined
configuration files and incremental configuration files (added on the basis of the predefined
configuration). You can disable this function by command, after which the configuration file is
not imported automatically. Because any USB disk inserted at boot can replace the running
configuration in this way, consider disabling the function on devices whose USB ports are not
physically controlled. To disable or enable this function, in the global configuration mode, use
the following command:

l Disable: configuration load-by-usb disable

l Enable: configuration load-by-usb enable

l When the device starts with the factory default configuration, the system automatically imports
the incremental configuration file on the USB disk. The name of the incremental configuration
file must be "sn-inject_XXX.cong", where "sn" is the device serial number and "XXX" is a user-
defined field consisting of English letters, digits or underscores and no longer than 128 bytes.
After the configuration file is imported automatically, the import log is written to the USB
root directory.

l The automatically imported configuration file must be UTF-8 encoded and no larger than 16M.

l The automatically imported configuration files must be stored in the root directory of the USB
disk.
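Because the device imports whatever incremental file it finds on the USB disk at boot, it is worth checking the file on the workstation that prepares the disk before it is inserted. The following Python checks are an added example, not part of this guide or of Hillstone's tooling: they apply the naming, character-set, length, encoding and location rules stated above. The serial number, file names and contents used below are constructed, and the ".cong" suffix is taken literally from the guide; confirm the exact suffix for your platform.

```python
"""Pre-flight checks for a StoneOS USB incremental configuration file.

Added example (not from the original guide). Validates on the workstation that
a file satisfies the rules this section states for automatic import:
  name  "<sn>-inject_<XXX><suffix>", XXX = letters/digits/underscores, <= 128 bytes
  body  valid UTF-8, no larger than 16M
  place root directory of the USB disk
"""
import re

MAX_BYTES = 16 * 1024 * 1024        # "cannot exceed 16M"; assumed to mean 16 MiB
MAX_FIELD_BYTES = 128               # limit on the user-defined field, from the guide
SUFFIX = ".cong"                    # spelling as printed in the guide; confirm on your platform
FIELD_RE = re.compile(r"^[A-Za-z0-9_]+$")


def check_inject_name(file_name, device_sn):
    """Return a list of problems with file_name for the device with serial device_sn.

    An empty list means the name has the form "<sn>-inject_<XXX><SUFFIX>"
    with a valid user-defined field.
    """
    problems = []
    prefix = f"{device_sn}-inject_"
    if not file_name.startswith(prefix):
        problems.append(f"name must start with {prefix!r}")
        return problems
    if not file_name.endswith(SUFFIX):
        problems.append(f"name must end with {SUFFIX!r}")
        return problems
    field = file_name[len(prefix):-len(SUFFIX)]
    if not field:
        problems.append("user-defined field is empty")
    elif not FIELD_RE.match(field):
        problems.append("user-defined field may contain only letters, digits and underscores")
    if len(field.encode("utf-8")) > MAX_FIELD_BYTES:
        problems.append(f"user-defined field exceeds {MAX_FIELD_BYTES} bytes")
    return problems


def check_inject_content(data):
    """Return problems with the raw file bytes: must be UTF-8 and within the size limit."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file exceeds {MAX_BYTES} bytes")
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        problems.append("file is not valid UTF-8")
    return problems


def check_usb_layout(path_on_usb):
    """The file must sit directly in the USB root, not in a subdirectory."""
    if "/" in path_on_usb.strip("/"):
        return ["file must be in the USB root directory"]
    return []


def validate(file_name, data, device_sn, path_on_usb=None):
    """Run every check and return the combined list of problems (empty if all pass)."""
    problems = check_inject_name(file_name, device_sn) + check_inject_content(data)
    if path_on_usb is not None:
        problems += check_usb_layout(path_on_usb)
    return problems


if __name__ == "__main__":
    # Constructed serial number and file; not taken from a real device.
    sn = "0123456789AB"
    name = f"{sn}-inject_branch_site1{SUFFIX}"
    body = b"interface ethernet0/0\n  ip address 10.0.0.1/24\nexit\n"
    for problem in validate(name, body, sn, path_on_usb=name) or ["OK"]:
        print(problem)
```

Run the script before writing the file to the disk; any non-empty result means the device would either ignore the file or, worse, import something other than what was intended.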



Restoring Factory Defaults

You can either press the CLR button on the device or use the following command to reset the
device and restore factory defaults:
unset all

Notes: Use this command with caution. It clears all configurations on the device.

Switching the Working Mode of Fiber-optic Interfaces


The fiber-optic interfaces of the device itself and the interface expansion modules consist of four
types which are QSFP28, QSFP+, SFP+, and SFP. Their default working modes are 100G, 40G,
10G, and 1G (1000M). The application of the four fiber-optic interfaces is as follows.

l QSFP28 port: The QSFP28 port cannot be inserted with the optical fiber-to-copper module.
By default, it is in 100G working mode and can be switched to 40G working mode to connect
with a 40G interface. To switch it to the 40G working mode, in the interface configuration
mode, run the command: channel-speed 40000.

l QSFP+ port: The QSFP+ port cannot be inserted with the optical fiber-to-copper module.
By default, it is in 40G working mode. It can be split into four 10G interfaces to connect with
other 10G interfaces. In this condition, QSFP+ port still cannot be inserted with the optical
fiber-to-copper module. The IOC-A-2QSFP+ of A-Series Firewall cannot be switched to the
lower-speed working mode. To switch it to the 10G working mode, in the interface con-
figuration mode, run the command: channel-speed 10000.

l SFP+ port: By default, SFP+ port is in 10G working mode. According to the transmission
rate of the fiber-optic module or the fiber-optic-to-copper module, it can be automatically
switched to 1G working mode to connect with a 1G interface. If the working mode cannot be
switched automatically, in the interface configuration mode, run the command channel-speed
1000 to manually switch it to the 1G working mode.



l SFP port: By default, the SFP port is in 1G working mode and it cannot be switched to a
lower-speed working mode. The optical fiber-to-copper module can be inserted into the port.

To restore its default working mode, in the interface configuration mode, run the command:
no channel-speed

Notes:
l Delete relevant configuration of the interface before switching its working
mode.

l When the working mode is switched, the fiber-optic module of the switched
working mode needs to be inserted into the interface for connection.

l For more information about the supported fiber-optic interfaces of All Series
Firewalls, refer to Hardware Reference Guide and Expansion Modules Refer-
ence Guide.

Switching Mode
The 2x40GE(QSFP+) and 2x100GE(QSFP28) optical interfaces of SG-6000-A7600/A6800 can
be switched to the following three modes through the exec port-mode command:

l 2x40GE(QSFP+)+2x100GE(QSFP28) mode: Ports 20 and 21 are in 40GE QSFP+ mode and
ports 22 and 23 are in 100GE QSFP28 mode. This is the default mode.

l 2x100GE(QSFP28)+2x40GE(QSFP+) mode: Ports 20 and 21 are in 100GE QSFP28 mode and
ports 22 and 23 are in 40GE QSFP+ mode.

l 4x100GE(QSFP28) mode: Ports 20-23 are in 100G QSFP28 mode.

To switch the mode, in any mode, use the following command:

exec port-mode { 2x40G+2x100G | 2x100G+2x40G | 4x100G}



l 2x40G+2x100G - Switch to 2x40GE(QSFP+)+2x100GE(QSFP28) mode. This mode is the
default mode.

l 2x100G+2x40G - Switch to 2x100GE(QSFP28)+2x40GE(QSFP+) mode.

l 4x100G - Switch to 4x100GE(QSFP28) mode.

Notes: The device needs to be restarted after switching modes.

Configuring the Negotiation Mode of Fiber-optic Interfaces


Fiber-optic interfaces have the following two negotiation modes:

l Auto-negotiation mode: This is the default negotiation mode. In this mode, an interface oper-
ates in auto-duplex mode at 1000Mb/s. After auto negotiation is completed, interfaces at both
ends operate in full-duplex mode at 1000Mb/s.

l Forced mode: In this mode, an interface operates in full-duplex mode at 1000Mb/s.

To ensure that interfaces at both ends can complete link negotiation, you need to make the nego-
tiation mode configuration of interfaces at both ends consistent. Negotiation mode configuration
involves the following scenarios:

l Interfaces at both ends are in auto-negotiation or forced mode: No configuration is required.

l The peer interface is in forced mode and the local interface is in auto-negotiation mode: In
interface configuration mode, use the sfp-to-copper force command to set the negotiation
mode of the local fiber-optic interface to forced. The negotiation will not succeed until the
negotiation mode of interfaces at both ends are consistent.

l The peer interface is in auto-negotiation mode and the local interface is in forced mode: In
interface configuration mode, use the no sfp-to-copper force command to set the negotiation
mode of the local fiber-optic interface to auto-negotiation. The negotiation will not succeed
until the negotiation mode of interfaces at both ends are consistent.



Notes: This function is supported only for certain devices, including A-series, E-
series, K9180, X8180, X9180, and X10800 devices.

Enabling/Disabling the Optical Fiber-to-Copper Module


After you insert the optical fiber-to-copper module into the device, the module is enabled by
default. On some devices the module itself can complete link negotiation even when no network
cable connects the two ends; to avoid a link that appears up in that situation, you can manually
disable the module.
In interface configuration mode, use the sfp-to-copper shutdown command to disable the optical
fiber-to-copper module.
To enable the optical fiber-to-copper module again, in interface configuration mode, use the no
sfp-to-copper shutdown command.

Notes: This function is supported only for certain devices, including A-series, E-
series, K9180, X8180, X9180, and X10800 devices.

Deleting Configuration Information of Expansion Slots


For some models (SG-6000-X6150, SG-6000-X6180, SG-6000-X7180, and SG-6000-X10800)
that are running, you may need to change or remove expansion modules. For IOM modules, the
configuration information of the expansion slots is complex. Before hot-swapping a module, you
must use the exec unset slot {number} command to check and delete the configuration information
of the expansion slot and initialize the module.
To delete the configuration information of the expansion slots, use the following command:
exec unset slot slot-number

l slot-number – Specifies the slot number where the IOM locates. The range is 1 to 128.

After executing this command, the system will display different prompts according to the dif-
ferent situations. You can perform the operations accordingly.



Notes:
l When the expansion slots are related to the interface configurations, you must
first delete the interface configurations that related to the expansion slots and
then execute the above command to delete the configuration information of
the expansion slots.

l When executing the hot-swappable action for the SCM, SSM and QSM, you
do not need to execute the above command.

Viewing the Configuration of Current Object


After the configuration of the specific object is completed, in the current configuration mode,
you can use the command show this to view the configuration of current object.
The table below shows the object names and the configuration modes in which the system supports
viewing them.

Object Name                                      Configuration Mode                    Configuration Mode Prompt
Admin                                            Administrator configuration mode      hostname(config-admin)#
AAA server                                       AAA service configuration mode        hostname(config-aaa-server)#
Interface                                        Interface configuration mode          hostname(config-if-eth0/0)#
Zone                                             Zone configuration mode               hostname(config-zone-trust)#
Address                                          Address configuration mode            hostname(config-addr)#
Service                                          Service configuration mode            hostname(config-service)#
Service group                                    Service group configuration mode      hostname(config-svc-group)#
Policy-based Route                               PBR configuration mode                hostname(config-pbr)#
VRouter                                          VRouter configuration mode            hostname(config-vrouter)#
Configure NAT rules for the default VR trust-vr  NAT configuration mode                hostname(config-nat)#

Viewing the Information of Optical Module


To view the information of an optical module, including serial number, power, temperature, voltage,
module type, wavelength and maximum transmission distance, in any mode, use the following
command:
show transceiver [ interface-name ]

l interface-name – Specifies the interface name of optical module.

Example:

SG-6000# show transceiver

Transceiver status information is shown as below:
================ xethernet0/6 =====================
SFP+/XFP information: FINISARCORP / FTLF8519P2BNL / 111230
Serial Number: PLT4PH9 (Displays the serial number of the transceiver module.)
Transmission media: Multi-mode (Displays the transmission mode of the transceiver module: Single-mode or Multi-mode.)
Module temperature: 32.38 (Displays the current temperature of the transceiver module.)
Module temperature warning range:[-30.00 , 93.00 ] (Displays the temperature range of the transceiver module.)
Tx supply voltage: 3.34 V (Displays the transmit supply voltage of the transceiver module.)
Tx supply voltage warning range:[ 2.90 , 3.70 ] (Displays the transmit supply voltage range of the transceiver module.)
Tx bias current: 5.59 mA (Displays the transmit bias current of the transceiver module.)
Tx bias current warning range:[2.00 , 14.00 ] (Displays the transmit bias current range of the transceiver module.)
Tx optical power: -5.55 dBm (Displays the transmit power of the transceiver module.)
Tx optical power warning range:[-11.00 ,-2.00 ] (Displays the transmit power range of the transceiver module.)
Rx optical power: -6.69 dBm (Displays the receive power of the transceiver module.)
Rx optical power warning range:[-18.01 , -1.00 ] (Displays the receive power range of the transceiver module.)
Module Wavelength: 850.00 nm (Displays the wavelength of the transceiver module.)
single module max transmit distance: 0 km (Displays the max transmission distance over single-mode fiber.)
OM1 max transmit distance: 150 m (Displays the max transmission distance over OM1 fiber.)
OM2 max transmit distance: 300 m (Displays the max transmission distance over OM2 fiber.)
OM3 max transmit distance: 0 m (Displays the max transmission distance over OM3 fiber.)
copper max transmit distance: 0 m (Displays the max transmission distance over copper cable.)
===============================================================



Notes: Due to physical differences in hardware, some optical ports may fail to read
information about the transceiver modules through this command.
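As an added example (not from the Hillstone guide), the following Python script parses transceiver output in the format shown above and flags every reading that falls outside the warning range the module itself reports, which is how a monitoring job turns this command into a link-health check. It assumes only the field labels and the "[low , high ]" range syntax shown above; the sample output is constructed.

```python
"""Check StoneOS transceiver (DOM) readings against their warning ranges.

Added example, not from the Hillstone guide. The sample output below is
constructed from the fields shown in the guide; the assumptions are the
exact spelling of the field labels and the "[low , high ]" range syntax.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the transceiver output in the guide; the
# Rx optical power is deliberately set below its warning floor.
SAMPLE_OUTPUT = """\
SFP+/XFP information: FINISARCORP / FTLF8519P2BNL / 111230
Serial Number: PLT4PH9
Transmission media: Multi-mode
Module temperature: 32.38
Module temperature warning range:[-30.00 , 93.00 ]
Tx supply voltage: 3.34 V
Tx supply voltage warning range:[ 2.90 , 3.70 ]
Tx bias current: 5.59 mA
Tx bias current warning range:[2.00 , 14.00 ]
Tx optical power: -5.55 dBm
Tx optical power warning range:[-11.00 ,-2.00 ]
Rx optical power: -19.40 dBm
Rx optical power warning range:[-18.01 , -1.00 ]
Module Wavelength: 850.00 nm
"""

NUM = r"-?\d+(?:\.\d+)?"
# "<metric> warning range:[<low> , <high> ]"; spacing inside the brackets varies.
RANGE_RE = re.compile(rf"^(?P<name>.+?) warning range:\s*\[\s*(?P<lo>{NUM})\s*,\s*(?P<hi>{NUM})\s*\]")
# "<metric>: <number> [unit]"; non-numeric fields (vendor, serial, media) are skipped.
VALUE_RE = re.compile(rf"^(?P<name>[^:]+):\s*(?P<val>{NUM})(?:\s*(?P<unit>[A-Za-z]+))?\s*$")


@dataclass
class Reading:
    name: str
    value: float
    unit: str
    low: Optional[float] = None
    high: Optional[float] = None

    @property
    def in_range(self) -> Optional[bool]:
        """None when the module reports no warning range for this metric."""
        if self.low is None or self.high is None:
            return None
        return self.low <= self.value <= self.high


def parse_transceiver(output: str) -> Dict[str, Reading]:
    """Map each numeric metric name to its reading, with warning bounds attached."""
    readings: Dict[str, Reading] = {}
    ranges: Dict[str, Tuple[float, float]] = {}
    for line in output.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m["name"].strip()] = (float(m["lo"]), float(m["hi"]))
            continue
        m = VALUE_RE.match(line)
        if m:
            name = m["name"].strip()
            readings[name] = Reading(name, float(m["val"]), m["unit"] or "")
    # Attach each "<metric> warning range" to the reading with the same name.
    for name, (lo, hi) in ranges.items():
        if name in readings:
            readings[name].low, readings[name].high = lo, hi
    return readings


def out_of_range(output: str) -> List[str]:
    """Names of metrics whose reading lies outside the reported warning range."""
    return sorted(n for n, r in parse_transceiver(output).items() if r.in_range is False)


def report(output: str) -> str:
    """One line per metric, suitable as the body of a monitoring alert."""
    lines = []
    for r in parse_transceiver(output).values():
        if r.in_range is None:
            status, bounds = "no threshold", ""
        else:
            status = "OK" if r.in_range else "WARNING"
            bounds = f" [{r.low}, {r.high}]"
        lines.append(f"{r.name}: {r.value} {r.unit}{bounds} -> {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
    print("out of range:", out_of_range(SAMPLE_OUTPUT) or "none")
```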

Deleting Configuration Information of a virtual NIC


If a virtual NIC is forcibly deleted in CloudEdge, unsaved data may be lost or other abnormal behaviour may occur. To preserve the integrity of the data, take the following steps when you delete a virtual NIC:

l First, shut down the virtual NIC. In any mode, use the following command:
exec detach-port port port-number

l port-number - Specifies the port number of the virtual NIC to be shut down. The value of port-number is equal to the value of "X" in Ethernet0/X on the device.

l After the command has been executed, the physical, protocol and link states of the corresponding interface become Down (you can check this with the show interface command).

l Second, delete the virtual NIC in the virtualization manager.

l Finally, so that the module initializes normally, delete the configuration information of the virtual NIC. In the execution mode, use the following command:
exec unset-port port port-number

l port-number - Specifies the port number of the virtual NIC whose configuration information is to be deleted. The value of port-number is equal to the value of "X" in Ethernet0/X on the device, and to the port-number value used in the exec detach-port port port-number command.

After the above commands are executed, the NIC is removed safely.

Notes:
l Do not delete the interface ethernet0/0; otherwise the product license becomes invalid.

l CloudEdge supports up to 10 virtual NICs. Port numbers are assigned to virtual NICs in the order in which the NICs are inserted, until the interfaces reach 10. When a port between two other ports is deleted, a gap is left; if a new virtual NIC is then inserted, it inherits the deleted port number.

Configuring Banner
The Banner is the statement displayed after a user logs in to the system; its content can be customized. To edit the Banner, in the global configuration mode, use the following command:
admin login-banner Banner-content

l Banner-content - Specifies the Banner content. The length ranges from 1 to 4096 characters. After this command is executed, the system creates a Banner with the specified content. If a Banner already exists, its content is replaced by the specified content.

In the global configuration mode, use the no admin login-banner command to delete the Banner.

Notes:
l When editing the Banner content, enter "\n" for a line break and enter double quotes "" for a space.

l The Banner is displayed when logging in to the device over SSH, Telnet, or the Console port.


System Maintenance and Debugging
The testing tools, the commands Ping and Traceroute, are used to test network availability and diagnose system errors. Hillstone devices also provide a debugging feature for checking and analyzing the system.

Ping
Ping is mainly used for testing network connectivity and host reachability.
To check network availability, in any mode, use the following command:
ping [ipv6] {ip-address | hostname} [count number] [size number] [source ip-address] [timeout time] [vrouter vrouter-name]

l ip-address | hostname - Specifies the IP address or hostname of the destination. With the dual-stack firmware, you can specify an IPv6 address.

l count number - Specifies the number of Ping packets. The value range is 1 to 65535. By default, the number of packets is not limited.

l size number - Specifies the size of the ping packet. The value range is 28 to 65500 bytes.

l source ip-address - Specifies the source interface name of the ping packets.

l timeout time - Specifies the timeout value for the ping packets. The value range is 0 to 3600 seconds. The default value is 0, which means no timeout.

l vrouter vrouter-name - Specifies the VRouter of the interface that sends the ping packets. The default value is trust-vr.

The output of the ping command includes the response status for each Ping packet and the final statistics:

l The response status for each Ping packet. If there is no response, the output is “Destination Host Not Responding”; otherwise, the output is the sequence number, TTL and response time of the reply packet. If the Ping packet cannot reach the destination route, or the interface that sends the Ping packet changes, the output is “Network is unreachable”. If the destination address of the Ping packet cannot be resolved, the output is “unknown host hostname”.

l Final statistics. The final statistics include the number of packets sent, the number received, the percentage of packets lost and the elapsed time.

Here is a ping command example:

hostname(config)# ping 10.200.3.1
Sending ICMP packets to 10.200.3.1
Seq ttl time(ms)
1 128 2.53
2 128 1.48
3 128 1.48
4 128 1.47
5 128 1.46
statistics:
5 packets sent, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.464/1.689/2.536/0.423 ms

Traceroute
Traceroute is used to test and record the gateways that packets traverse from the source host to the destination. It is mainly used to check whether the destination is reachable and to identify the faulty gateway in the network. The common Traceroute procedure works as follows: first, a packet with TTL 1 is sent, so the first hop returns an ICMP error message indicating that the packet cannot be forwarded (because the TTL expired); then the packet is re-sent with TTL 2, and a TTL-expired message is returned again; this process is repeated until the packet reaches the destination. In this way, the source address of each ICMP TTL-expired message is recorded, and as a result the path from the originating host to the destination is identified.


To trace the gateways that packets traverse on the way to a destination, in any mode, use the following command:
traceroute [ipv6] {ip-address | hostname} [numberic] [port port-number] [probe probe-number] [timeout time] [ttl [min-ttl] [max-ttl]] [source interface] [use-icmp] [vrouter vrouter-name]

l ip-address | hostname - Specifies the destination IP address or host name of the traceroute.

l numberic - Displays addresses in numeric format, without name resolution.

l port port-number - Specifies the UDP port number. The value range is 1 to 65535. The default value is 33434.

l probe probe-number - Specifies the number of probe packets sent for each hop. The value range is 1 to 65535. The default value is 3.

l timeout time - Specifies the timeout value for the next probe packet. The value range is 1 to 3600 seconds. The default value is 5.

l ttl [min-ttl] [max-ttl] - min-ttl is the minimum TTL value, with a range of 1 to 255 and a default value of 1. max-ttl is the maximum TTL value, with a range of 1 to 255 and a default value of 30. Specifying the TTL limits the displayed echoes to the hops from min-ttl to max-ttl.

l source interface - Specifies the name of the interface that sends the traceroute probe packets.

l use-icmp - Uses ICMP packets for probing. If this parameter is not specified, the system probes with UDP packets.

l vrouter vrouter-name - Specifies the VRouter of the egress interface for the traceroute probe packets. The default value is the default VRouter (trust-vr).

Here is an example of applying the traceroute command in network analysis:

hostname(config)# traceroute 210.74.176.150
traceroute to 210.74.176.150 (210.74.176.150), 30 hops max, 52 byte packets
1 10.200.3.1 (10.200.3.1) 0.572 ms 0.541 ms 0.359 ms
2 192.168.3.1 (192.168.3.1) 0.601 ms 0.754 ms 0.522 ms
3 202.106.149.177 (202.106.149.177) 1.169 ms 1.723 ms 1.104 ms
4 61.148.16.133 (61.148.16.133) 2.272 ms 1.940 ms 2.370 ms
5 61.148.4.17 (61.148.4.17) 2.770 ms 61.148.4.101 (61.148.4.101) 6.030 ms 61.148.4.21 (61.148.4.21) 2.584 ms
6 202.106.227.45 (202.106.227.45) 4.893 ms 5.010 ms 3.917 ms
7 202.106.193.70 (202.106.193.70) 5.407 ms 202.106.193.126 (202.106.193.126) 4.247 ms 202.106.193.70 (202.106.193.70) 6.954 ms
8 61.148.143.30 (61.148.143.30) 3.459 ms 3.758 ms 2.853 ms
9 * * *
10 * * *

This example shows which gateways the packets traversed on the way from the source host to the destination host, and which gateways are faulty.
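As an added example (not from the guide), this Python parser reads a traceroute transcript in the format above, attributes each RTT to the responder that answered it (so a hop that reports several addresses, as hops 5 and 7 do, is handled), and reports the last hop that answered and the hops that went silent. The sample is the guide's transcript re-typed with each hop on one line; the only assumption is the line format the guide's example shows.

```python
"""Parse StoneOS 'traceroute' output and find where a path stops answering.

Added example, not from the Hillstone guide. SAMPLE_TRACE is the guide's
traceroute transcript re-typed with each hop on one line; the assumption is
that StoneOS prints hops as '<ttl> <host> (<addr>) <rtt> ms ...' with '*'
for a probe that timed out, as the guide's example shows.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_TRACE = """\
traceroute to 210.74.176.150 (210.74.176.150), 30 hops max, 52 byte packets
1 10.200.3.1 (10.200.3.1) 0.572 ms 0.541 ms 0.359 ms
2 192.168.3.1 (192.168.3.1) 0.601 ms 0.754 ms 0.522 ms
3 202.106.149.177 (202.106.149.177) 1.169 ms 1.723 ms 1.104 ms
4 61.148.16.133 (61.148.16.133) 2.272 ms 1.940 ms 2.370 ms
5 61.148.4.17 (61.148.4.17) 2.770 ms 61.148.4.101 (61.148.4.101) 6.030 ms 61.148.4.21 (61.148.4.21) 2.584 ms
6 202.106.227.45 (202.106.227.45) 4.893 ms 5.010 ms 3.917 ms
7 202.106.193.70 (202.106.193.70) 5.407 ms 202.106.193.126 (202.106.193.126) 4.247 ms 202.106.193.70 (202.106.193.70) 6.954 ms
8 61.148.143.30 (61.148.143.30) 3.459 ms 3.758 ms 2.853 ms
9 * * *
10 * * *
"""

HEADER_RE = re.compile(r"^traceroute to (?P<host>\S+) \((?P<addr>[^)]+)\), (?P<max>\d+) hops max")
HOP_RE = re.compile(r"^(?P<ttl>\d+)\s+(?P<rest>.*)$")
# A hop line is a stream of three token kinds: '*', 'host (addr)', or '<rtt> ms'.
# An RTT belongs to the most recent address seen on the line, so one hop can
# report several different responders (per-packet load balancing).
TOKEN_RE = re.compile(r"(?P<star>\*)|(?P<host>\S+)\s+\((?P<addr>[^)]+)\)|(?P<rtt>\d+(?:\.\d+)?)\s+ms")


@dataclass
class Hop:
    ttl: int
    probes: List[Tuple[Optional[str], Optional[float]]] = field(default_factory=list)

    @property
    def responders(self) -> List[str]:
        """Distinct answering addresses, in first-seen order."""
        seen: List[str] = []
        for addr, _ in self.probes:
            if addr is not None and addr not in seen:
                seen.append(addr)
        return seen

    @property
    def timed_out(self) -> bool:
        return bool(self.probes) and all(addr is None for addr, _ in self.probes)


def parse_traceroute(output: str) -> Tuple[Optional[str], List[Hop]]:
    """Return (target address from the header, hops in the order printed)."""
    target: Optional[str] = None
    hops: List[Hop] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            target = h["addr"]
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # prompt echo or anything else that is not a hop line
        hop = Hop(int(m["ttl"]))
        current: Optional[str] = None
        for tok in TOKEN_RE.finditer(m["rest"]):
            if tok["star"]:
                hop.probes.append((None, None))
            elif tok["addr"]:
                current = tok["addr"]
            else:
                hop.probes.append((current, float(tok["rtt"])))
        hops.append(hop)
    return target, hops


def analyze(output: str) -> Dict[str, object]:
    """Summarize reachability the way an operator reads a trace by hand."""
    target, hops = parse_traceroute(output)
    answered = [h for h in hops if not h.timed_out]
    last = answered[-1] if answered else None
    return {
        "target": target,
        "reached": bool(last and target in last.responders),
        "last_responding_ttl": last.ttl if last else None,
        "last_responding_addrs": last.responders if last else [],
        "silent_ttls": [h.ttl for h in hops if h.timed_out],
        "multi_path_ttls": [h.ttl for h in hops if len(h.responders) > 1],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

A trace that never lists the target among the responders and ends in silent hops (here 9 and 10) points at the gateway after the last answering hop; a silent hop followed by answering ones usually just means that router does not send ICMP Time Exceeded.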

System Debugging
System debugging helps you diagnose and identify system errors. Basically, all protocols and functions can be debugged. By default, debugging of all functions is disabled. The debugging function can only be configured through the CLI.
To enable system debugging, in any mode, use the following command:
debug {all | function-name}

l all - Enables all debugging functions.

l function-name - Enables debugging for the specified protocol or feature.

To disable all or one debugging function, in any mode, use the following command:
undebug {all | function-name}

You can also disable debugging by pressing the ESC key. Because some debugging information has been cached, the closing process may take several minutes.

To see the status of the debugging function, in any mode, use the following command:
show debug

Notes: To view debugging information on your terminal, enable the debug logging function (execute the command logging debug on).

Collecting and Saving Tech-support Information to File

To locate a system fault, collect the output of all the show commands and save it as a tech-support file. To collect and save the tech-support information to a file, in any mode, use the following command:
show tech-support [cpu cpu-number | all]

l cpu cpu-number - Collects and saves the tech-support information of the specified CPU to a file. You can configure this parameter only on a system with multiple CPUs.

l all - Collects and saves all the tech-support information to a file. You can configure this parameter only on a system with multiple CPUs.

Notes: On a system with a single CPU, you can collect and save all the tech-support information to a file with the command show tech-support.

Viewing the Tech-support Information

To view the tech-support information through the Console port, in any mode, use the following command:
show tech-support [cpu cpu-number | all] toconsole

l cpu cpu-number - Displays the tech-support information of the specified CPU on the Console port. You can configure this parameter only on a system with multiple CPUs.

l all - Displays all the tech-support information on the Console port. You can configure this parameter only on a system with multiple CPUs.

Notes: On a system with a single CPU, you can view all the tech-support information through the Console port with the command show tech-support toconsole.

Collecting the Tech-support Information Automatically

To collect the tech-support information automatically, in any mode, use the following command:
show tech-support-auto interval interval-time count count-time

l interval-time - Specifies the interval at which the tech-support information is collected automatically. The value range is 10 to 1440. The unit is minutes.

l count-time - Specifies how many times the tech-support information is collected automatically. The value range is 1 to 10.

Notes:
l The system can save at most 10 tech-support files. When the number of files exceeds 10, the new file overwrites the older file.

l If you configure another automatic collection command while this command is executing, the new configuration overwrites the previous configuration.

Viewing the Information of Nvramlog or Watchdoglog File

To view the nvramlog or watchdoglog information in the tech-support file, in any mode, use the following command:
show tech-support log-name

l log-name - Specifies the name of the log information to be displayed. You can specify nvramlog or watchdoglog.

Deleting the Function of Automatically Collecting Tech-support Information

To delete the function of automatically collecting tech-support information, in any mode, use the following command:
show tech-support-auto clear

Rebooting the System

Turning the device off and powering it on again reboots it. You can also restart the system from the command line or the WebUI.
To reboot the device, in the configuration mode, use the following command: reboot

hostname# reboot
System configuration has been modified. Save? [y]/n (Type y or press Enter to save the settings; type n to discard the changes.)
Building configuration..
Saving configuration is finished
System reboot, are you sure? y/[n] (Type y to reboot the system; type n or press Enter to go back to the configuration mode.)

Save the current settings before rebooting the device if you do not want to lose unsaved configuration. Be careful when you execute this command, because the network is disconnected during the rebooting process.

Upgrading StoneOS
This section introduces the StoneOS start-up system and describes how to upgrade StoneOS.

Starting Process
The start-up system consists of three parts: Bootloader, Sysloader and StoneOS. Their functions are listed below:

l Bootloader - The first program started when the device is powered on. Bootloader loads StoneOS or Sysloader and starts it.

l Sysloader - The program that upgrades StoneOS.

l StoneOS - The operating system running on the device.

When a device is powered on, the Bootloader tries to start StoneOS or Sysloader. The Sysloader is used to select an existing StoneOS image in the system and to upgrade StoneOS via FTP, TFTP or the USB port. The upgrade of Sysloader itself is performed by the Bootloader via TFTP.

Bootloader

The Bootloader has two working modes: automatic mode and interactive mode.
In the automatic mode, Bootloader starts the existing StoneOS first. If no StoneOS exists, or only invalid images are present, the system stops and you must upgrade StoneOS in Sysloader.
To enter the interactive mode, press ESC during the start-up process when prompted. In the interactive mode, you can select a Sysloader stored in the flash to start, or download a new version of Sysloader from the TFTP server and then start it.

StoneOS Quick Upgrading (TFTP)

The Sysloader downloads StoneOS from a TFTP server, providing a fast system upgrade over the network.
To upgrade StoneOS, take the following steps:
Power on the device and enter Sysloader. For the SG-6000-E/X series, refer to the following steps:

HILLSTONE NETWORKS
Hillstone Bootloader 1.3.2 Aug 14 2008-19:09:37
DRAM: 2048 MB
BOOTROM: 512 KB
Press ESC to stop autoboot: 4 (Press ESC during the 5-second countdown.)
Run on-board sysloader? [y]/n: y (Type y or press Enter.)
Loading: ##########################

Power on the device and enter Sysloader. For the SG-6000-A/K series, refer to the following steps:

GNU GRUB version 2.02
SG6000-A-1-5.5R8P0.6.img
SG6000-A-1-5.5R8P0.6-v6.img
*SYSLOADER (Press the up and down keys to select Sysloader and press Enter.)

Select Load firmware via TFTP from the menu:

Note: The Sysloader menu may vary slightly on different platforms. Refer to Introduction to Sysloader Menu.

Sysloader 1.2.13 Aug 14 2008 - 16:53:42
1 Load firmware via TFTP
2 Load firmware via FTP
3 Load firmware from USB disks (not available)
4 Select backup firmware as active
5 Show on-board firmware
6 Reset
Please select: 1 (Type 1 and press Enter.)

Specify the Sysloader IP address, the TFTP server IP address, the gateway IP address, and the name of the StoneOS image:

Local ip address [ ]: 10.2.2.10/16 (Type the IP address of Sysloader and press Enter.)
Server ip address [ ]: 10.2.2.3 (Type the IP address of the TFTP server and press Enter.)
Gateway ip address [ ]: 10.2.2.1 (If Sysloader and the TFTP server are not in the same network segment, provide the gateway IP address and press Enter; otherwise, just press Enter.)
File name : StoneOS-3.5R2 (Type the name of the StoneOS image and press Enter; the system then begins to transfer the file.)
################################################################################

Save StoneOS. Take the following steps:

File total length 10482508
Checking the image...
Verified OK
Save this image? [y]/n: y (Type y or press Enter to save the transferred StoneOS.)
Saving .........................................
Set StoneOS-3.5R2 as active boot image

Reboot the device.

Please reset board to boot this image
1 Load firmware via TFTP
2 Load firmware via FTP
3 Load firmware from USB disks (not available)
4 Select backup firmware as active
5 Show on-board firmware
6 Reset
Please select: 6 (Type 6 and press Enter. The system reboots.)

The device can save only two versions of StoneOS. If you want to save a new one, delete an existing one as prompted.

Other Upgrading Methods


Though downloading StoneOS from a TFTP server is the most common way to upgrade the system, the device also supports upgrading from an FTP server or a USB flash disk.

Upgrading StoneOS via FTP

To download StoneOS from an FTP server and upgrade, in the Sysloader program, take the following steps:

1. In Sysloader, select 2 and press Enter.

2. Type the Sysloader IP address behind the prompt Local ip address [ ]: and press Enter.

3. Type the FTP server IP address behind the prompt Server ip address [ ]: and press Enter.

4. If the Sysloader and FTP server are not in the same network segment, type the gateway IP
address of Sysloader behind the prompt Gateway ip address [ ]: and press Enter.

5. Type FTP user name behind the prompt User Name [anonymous ]: and press Enter.

6. Type the password of that user behind Password : and press Enter.

7. Type the file name of StoneOS behind the prompt File name : and press Enter. The system
starts to download the specified StoneOS.

8. When the downloading is complete, type y to save this version of StoneOS into the device
flash.

9. After the new StoneOS is saved, the system shows Sysloader menu and you can type 6 and
press Enter to start the system with the new StoneOS.

Tip: If an FTP server allows anonymous login, just press Enter when it requires a
username and password.

Upgrading StoneOS via USB

To upgrade StoneOS to a version saved on a USB flash disk, take the following steps:

1. Copy the StoneOS image you want to use to your USB flash disk.

2. Plug the USB flash disk into the USB port of the device.

3. Enter Sysloader, select 3 in its menu, and press Enter.

4. Select the StoneOS image you want and type y. The system starts to load the StoneOS image.

5. When loading is complete, type y if you want to save the StoneOS image into the device flash.

6. In the Sysloader menu, select 6 and press Enter. The system starts with the new StoneOS.

Introduction to Sysloader Menu

This section introduces the function of each Sysloader menu item. Type the number of the operation you want, press Enter, and then follow the instructions to continue.

Option - Description

l 1. Load firmware via TFTP - Upgrades StoneOS by downloading an OS file from a TFTP server.

l 2. Load firmware via FTP - Upgrades StoneOS by downloading an OS file from an FTP server.

l 3. Load firmware from USB disks - Upgrades StoneOS by fetching an OS file from a USB disk plugged into the device.

l 4. Select backup firmware as active - Switches the saved backup StoneOS to be the active StoneOS used when the system reboots.

l 5. Show on-board firmware - Shows all saved StoneOS images with their status.

l 6. Reset - Reboots the system.

l 7. Clear button - Deletes all configurations and restores the factory settings. Note: SG-6000-A/X/E/K9180 platforms do not support this option.

l 8. Load sysloader via FTP - Upgrades Sysloader from an FTP server. Note: SG-6000-X/E platforms do not support this option.

l 9. Reset administrator password - Resets the administrator password. Note: SG-6000-X/E/K (including K9180) platforms do not support this option.

Upgrading StoneOS Using CLI

Besides Sysloader, you can upgrade StoneOS from the command line.
To upgrade StoneOS via FTP, in the configuration mode, use the following command:
import image from ftp server ip-address [user user-name [password password]] [vrouter vrouter-name] file-name

l ip-address - Specifies the IP address of the FTP server.

l user user-name password password - Specifies the username and password for the FTP server.

l vrouter vrouter-name - Upgrades StoneOS through the specified VRouter.

l file-name - Specifies the name of the StoneOS image you want to use.

To upgrade StoneOS via TFTP, in the configuration mode, use the following command:
import image from tftp server ip-address [vrouter vrouter-name] file-name

To upgrade StoneOS via USB, in the configuration mode, use the following command:
import image from {usb0 | usb1} [vrouter vrouter-name] file-name

Reboot the device to make the new StoneOS take effect.

Upgrading StoneOS via Hot Patch

While the device is running, hot patches can be loaded into the system to fix software bugs. You can upload the patch file through an FTP or TFTP server. After the patch is loaded into the process, it can be activated to take effect.
To import the patch file into the system via an FTP server, in the configuration mode, use the following command:
import patch from ftp server ip-address [vrouter vrouter] [user user-name] [password password] [filename]

l ip-address - Specifies the IP address of the FTP server.

l user user-name password password - Specifies the username and password for the FTP server.

l filename - Specifies the name of the patch file to be imported into the system.

To import the patch file into the system via a TFTP server, in the configuration mode, use the following command:
import patch from tftp server ip-address [vrouter vrouter] [filename]

l ip-address - Specifies the IP address of the TFTP server.

l filename - Specifies the name of the patch file to be imported into the system.

To delete, load, activate and run the patch, in any mode, use the following command:
exec patch patch-name {delete | load | unload | activate | deactivate | run}

l patch-name - Specifies the name of the patch file.

l delete - Deletes the patch file with the specified name. Only patches in the unloaded state can be deleted.

l load - Loads the patch file with the specified name.

l unload - Unloads the patch file with the specified name.

l activate - Activates the patch file with the specified name. After the device is restarted, the patch returns to the inactive state.

l deactivate - Returns the specified patch to the inactive state.

l run - Activates the patch file with the specified name. After the device is restarted, the patch remains in the running state.

To show the status of patches, in any mode, use the following command:
show patch
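The following Python model is an added example (not the guide's or the device's code) that encodes the lifecycle rules above so that a planned sequence of exec patch operations can be dry-run before a maintenance window: a patch must be loaded before it is activated, only an unloaded patch can be deleted, and activate does not survive a reboot while run does. Whether an active patch may be unloaded without deactivating it first is not stated in the guide; the model assumes it may, and marks that assumption.

```python
"""Dry-run the hot-patch lifecycle of 'exec patch <name> {...}'.

Added example, not from the Hillstone guide and not the device's own logic.
It encodes the rules the guide states: a patch must be loaded before it is
activated, only an unloaded patch can be deleted, 'activate' does not survive
a reboot while 'run' does. Whether an active patch may be unloaded without
deactivating it first is not stated in the guide; this model assumes it may.
"""
from enum import Enum
from typing import Dict, Iterable, List, Set, Tuple


class State(Enum):
    UNLOADED = "unloaded"   # imported to the device, not in the process
    INACTIVE = "inactive"   # loaded into the process, not yet effective
    ACTIVE = "active"       # effective until the next reboot
    RUNNING = "running"     # effective and persistent across reboots
    DELETED = "deleted"     # file removed from the device


class PatchError(Exception):
    """Raised for an operation the guide says is not permitted in this state."""


# operation -> (states it is allowed from, state it leads to)
TRANSITIONS: Dict[str, Tuple[Set[State], State]] = {
    "load": ({State.UNLOADED}, State.INACTIVE),
    # Assumption (not stated in the guide): unload is allowed from any loaded state.
    "unload": ({State.INACTIVE, State.ACTIVE, State.RUNNING}, State.UNLOADED),
    "activate": ({State.INACTIVE}, State.ACTIVE),
    "deactivate": ({State.ACTIVE, State.RUNNING}, State.INACTIVE),
    "run": ({State.INACTIVE, State.ACTIVE}, State.RUNNING),
    "delete": ({State.UNLOADED}, State.DELETED),   # "only unloaded patches can be deleted"
}


class HotPatch:
    def __init__(self, name: str) -> None:
        self.name = name
        self.state = State.UNLOADED  # freshly imported via FTP/TFTP

    def apply(self, operation: str) -> State:
        """Apply one 'exec patch <name> <operation>' keyword."""
        if operation not in TRANSITIONS:
            raise PatchError(f"unknown operation {operation!r}")
        allowed, result = TRANSITIONS[operation]
        if self.state not in allowed:
            raise PatchError(f"{self.name}: cannot {operation} while {self.state.value}")
        self.state = result
        return self.state

    def reboot(self) -> State:
        """Reboot semantics from the guide: 'activate' is lost, 'run' persists."""
        if self.state is State.ACTIVE:
            self.state = State.INACTIVE
        return self.state


def simulate(name: str, steps: Iterable[str]) -> List[Tuple[str, str]]:
    """Run a sequence of operations ('reboot' is a pseudo-step) and return
    (step, resulting state) pairs; stops at the first rejected operation."""
    patch = HotPatch(name)
    trace: List[Tuple[str, str]] = []
    for step in steps:
        try:
            state = patch.reboot() if step == "reboot" else patch.apply(step)
            trace.append((step, state.value))
        except PatchError as err:
            trace.append((step, f"REJECTED: {err}"))
            break
    return trace


if __name__ == "__main__":
    # "hotfix-example" is a placeholder patch name, not a real Hillstone patch.
    for seq in (["load", "activate", "reboot"], ["load", "run", "reboot"],
                ["load", "delete"], ["load", "unload", "delete"]):
        print(" -> ".join(f"{op}:{result}" for op, result in simulate("hotfix-example", seq)))
```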

Backing up and Restoring Data

This feature may not be available on all platforms. Check the actual page of your system to see whether your device supports this feature.
When upgrading the firmware to the latest version, the upgrade may fail and system data may be lost. StoneOS supports backing up and restoring data: you can back up data to a specified FTP server when upgrading, and if the upgrade fails, restore the data from that FTP server.
In the execution mode, use the following command to back up data to the specified FTP server:
export db-data to ftp server ip-address [vrouter VR-name] {user username password password filename | filename}

l ip-address - Specifies the IP address of the FTP server.

l vrouter VR-name - Backs up the files through the specified VRouter.

l user username password password - Specifies the username and password for the FTP server.

l filename - Specifies the name of the file to export. If not specified, the system exports the file named after its version.

In the execution mode, use the following command to restore data from the specified FTP server:
import db-data from ftp server ip-address [vrouter VR-name] [user username password password] filename

l ip-address - Specifies the IP address of the FTP server.

l vrouter VR-name - Restores the files through the specified VRouter.

l user username password password - Specifies the username and password for the FTP server.

l filename - Specifies the name of the file to import.

Synchronizing the Firmware

This function is only available on the SG-6000-X10800.
When two SCMs are configured for the device, you should synchronize the firmware from the master SCM to the backup SCM. By default, the system synchronizes automatically at start-up. If there is a problem with the automatic synchronization (such as the backup SCM failing to start), in the execution mode, use the following command to synchronize the firmware manually:
exec image sync

Graceful Shutdown
Some of the modular Hillstone platforms (SG-6000-X6150, SG-6000-X6180, SG-6000-X7180 and SG-6000-X10800) support graceful shutdown of a single hardware module. Graceful shutdown does not interrupt any service running on the module, thus assuring uninterrupted operation of the whole system. At the time of writing only SSM and QSM support this function.
You need to stop the module from receiving new traffic in order to execute a graceful shutdown. After all the services have been processed, the status of the module changes to offline automatically (you can view the status with the command show module). At this point the graceful shutdown is complete. To reboot the module, use the command reboot slot {number}.
To shut down the specified module gracefully, in any mode, use the following command:
exec system graceful-shutdown slot {number}

l number - Specifies the slot number of the SSM/QSM. The value range is 1 to 10.

After the command is executed, the system gives one of the following prompts, depending on your running environment. Decide your next operation according to the prompt.

l Only one SSM is available, the operation is not supported.

l The module is not SSM or QSM. Can’t do the operation.

l Graceful-shutdown slot number is started. Don’t do any operation before it is finished. It will take about a minute. You can use show system graceful-shutdown status to get status.

To reboot the specified module, use the command reboot slot {number}.

Tip: The graceful shutdown command is also applicable to hot swap of an SSM or QSM. Before hot swapping, use the command to shut down the module, and then unplug it.

SCM HA
Some Hillstone devices (SG-6000-X6150, SG-6000-X6180, SG-6000-X7180, SG-6000-X9180, SG-6000-X10800 and SG-6000-K9180) support SCM HA. When a device is installed with two SCMs, the SCM plugged into slot SC0/SCM0 is used as the master module and works in the Master mode; the SCM plugged into slot SC1/SCM1 is used as the backup module and works in the Backup mode. If a device is installed with only one SCM, that SCM is used as the master module, and a newly installed SCM (if any) is used as the backup module; in this case the master and backup roles are not determined by the slot positions. If the master SCM fails, the backup SCM is promoted to master automatically to assure continuous business operation.
When using SCM HA, keep in mind that:

l Never configure any option on the backup SCM.

l After a master-backup switchover, the new backup SCM still works in the Backup mode after rebooting, and does not preempt the master SCM.

l After a master-backup switchover, you need to re-establish the management connection, such as the Telnet or HTTP connection.

l To assure proper synchronization of license information, the system might prompt you to reboot the system (with network disconnection). Continue your operation as prompted.

To view the SCM HA status, use the command show module. In the output, the module labeled with M (Master) is the master SCM, and the module labeled with B (Backup) is the backup SCM.

Device HA Switchover When the Switch Module Fails

For devices based on a fully distributed architecture (SG-6000-X9180, SG-6000-X10800), the Switch Module (SWM) plays an important role in data forwarding. When the SWM fails, packet loss, packet errors or traffic failure may result. To address this, when the system detects a failure of the SWM it can take corresponding measures to ensure continuous business operation, including:

l In a dual-SWM scenario, if only one SWM fails, the user can configure whether to perform the device HA switchover.

l In a dual-SWM scenario, if both SWMs fail, the device HA switchover is performed by default.

l In a single-SWM scenario, if the SWM fails, the device HA switchover is performed by default.

When the SWM fails, the device HA switchover is performed by default. To configure the device not to perform the HA switchover, in the execution mode, use the following command:
ha config-swm-fault no-switchover

To configure the device to perform the HA switchover when the SWM fails, in the execution mode, use the following command:
no ha config-swm-fault

To view the device HA switchover configuration for SWM failure, in any mode, use the following command:
show ha config-swm-fault

License Management
Licenses authorize features, services, or performance extensions. If you do not buy and install the corresponding license, the features, services and performance levels that depend on it cannot be used, or the higher performance cannot be reached.
License classes and rules:

Platform License: Platform Trial
l Description - The platform license is the basis for the operation of the other licenses. If the platform license is invalid, the other licenses are not effective. The device has been pre-installed with a 15-day platform trial license in the factory.
l Valid Time - You cannot modify the existing configuration when the license expires. The system restores the factory defaults when the device reboots.
l Whether to Restart - Not required.

Platform License: Platform
l Description - You can install the platform license after the formal sale of the device. The license provides the basic firewall and VPN functions.
l Valid Time - The system cannot upgrade the OS version when the license expires, but the system can still work normally.
l Whether to Restart - Not required.

Function License: VSYS
l Description - Authorizes the available number of VSYS.
l Valid Time - Permanent.
l Whether to Restart - Restart is required for each installation.

Function License: SSL VPN Trial License
l Description - Authorizes the maximum number of SSL VPN users that can be connected to the platform. The duration of use of the license is short; the actual available duration is determined by the agreement for the license. The available duration is a relative time, such as 30 days. Multiple SSL VPN trial licenses can be used together.
l Valid Time - After the trial license expires, the number of SSL VPN users that can be connected to the platform is restored to its prior value.

Function License: SSL VPN
l Description - Authorizes the number of SSL VPN accesses. By installing multiple SSL VPN licenses, you can increase the number of SSL VPN accesses.
l Valid Time - Permanent.
l Whether to Restart - All versions except the following must be restarted after each installation. Versions that do not need restarting are 5.5R6P21 and later 5.5R6P versions, 5.5R8P7 and later 5.5R8P versions, and 5.5R9 and later.

Function License: ZTNA
l Description - Authorizes the maximum number of ZTNA accesses. The ZTNA license has a higher priority than the ZTNA trial license. Multiple ZTNA licenses can be installed to increase the authorized number of ZTNA accesses. When the authorized number of SCVPN accesses is inadequate, SCVPN access can use the ZTNA license. ZTNA access cannot use the SCVPN license.
l Valid Time - Permanent.

Function License: ZTNA Upgrade
l Description - Converts the specified number of SSL VPN accesses to the same number of ZTNA accesses. The SSL VPN license type is not limited. Multiple ZTNA Upgrade licenses can be installed, but the converted number of accesses cannot exceed the total number of SSL VPN accesses. If the converted SSL VPN license is not permanent, the validity period of the ZTNA license is the same as that of the SSL VPN license before the conversion.
l Valid Time - Permanent.

Function License: ZTNA Trial
l Description - Provides a ZTNA trial. Multiple ZTNA trial licenses can be installed to increase the number and validity period of ZTNA accesses.
l Valid Time - When the license expires, you can only use the default authorization of 8 concurrent ZTNA users.

Function License: QoS/iQoS
l Description - Enables the QoS function.
l Valid Time - Permanent.
l Whether to Restart - Not required.

Function License: Cloud Sandbox License
l Description - Provides the Cloud sandbox function and white list updates, and authorizes the number of suspicious files uploaded per day. Four licenses are included: Cloud sandbox-200, Cloud sandbox-300, Cloud sandbox-500 and Cloud sandbox-1000. The number of files allowed to be uploaded per day differs between the licenses.
l Valid Time - The valid time is 1 year, 2 years or 3 years. The system cannot analyze the collected data and cannot update the white list when the license expires; the Cloud sandbox protection function can then only be used according to the results cached in the local database. If you restart the device, the function cannot be used.
l Whether to Restart - Restart is required for the first installation. No restart is required when you renew the subscription.

Function License: Twin-mode License
l Description - Provides the twin-mode function. The related parameters of the twin-mode function can be displayed and configured.
l Valid Time - The system cannot upgrade the twin-mode function and cannot provide the maintenance service when the license has expired.
l Whether to Restart - Not required.

Function License: EPP
l Description - Provides the End Point Prevention function.
l Valid Time - The End Point Pre-
l Whether to Restart - Not required.
vention func-
tion cannot
be used when
the license

Chapter 4 System Management 632


expires.

Service License Description Valid Time Whether to


Restart

AntiVirus Providing antivirus func- System can- Restart is


tion and antivirus signature not update required for
database update. the antiviru the first
signature data- installation.
base when the Do not
license require
expires, but restart when
the antivirus you renew
function the sub-
could still be scription.
used normally

URL DB Providing URL database System can- Restart is


and URL signature database not provide required for
update. the search the first
URL database installation.
online func- Do not
tion when the require
license restart when
expires, but you renew
the user- the sub-
defined URL scription.
and URL fil-
tering func-

633 Chapter 4 System Management


tion can be
used nor-
mally.

IPS Providing IPS function and System can- Restart is


IPS signature database not update required for
update. the IPS sig- the first
nature data- installation.
base when the Do not
license require
expires, but restart when
the IPS func- you renew
tion could the sub-
still be used scription.
normally.

APP signature APP signature license is System can- Not


issued with platform not update required.
license, you do not need to the APP sig-
apply alone. The valid time nature data-
of license is same as plat- base when the
form license. license
expires, but
the included
functions and
rules could
still be used
normally.

Chapter 4 System Management 634


Threat Pre- A package of features, System can- Whether to
vention including AntiVirus, IPS, not update all restart,
threat intelligence, and cor- signature data- please refer
responding signature data- bases when to the restart
base update. the license policies for
expires, but the indi-
the included vidual
functions and licenses of
rules could AntiVirus,
still be used IPS, threat
normally. intelligence.

IP Reputation Providing Perimeter Traffic System can- Restart is


Filtering function of IP not update required for
reputation and IP repu- the IP repu- the first
tation database update. tation data- installation.
From 5.5R6, StoneOS will base when the Do not
support the Perimeter license require
Traffic Filtering function of expires. restart when
IP Reputation instead of you renew
predefined black list. You the sub-
can buy the license of IP scription.
reputation to upgrade.

StoneShield A package of features, System can- Restart is


including Abnormal Beha- not update all required for
vior Detection, Advanced signature data- the first
Threat Detection, and cor- bases when installation.
responding signature data- the license Do not

635 Chapter 4 System Management


base update. expires, but require
the included restart when
functions and you renew
rules could the sub-
still be used scription.
normally.

Antispam Providing Anti-Spam func- The Anti- Restart is


tion. Spam func- required for
tion cannot the first
be used when installation.
the license Do not
expires. require
restart when
you renew
the sub-
scription.

Botnet Pre- Providing Botnet Pre- System can- Restart is


vention vention function and Bot- not update all required for
net Prevention database signature data- the first
update. bases when installation.
license Do not
expires. But require
the functions restart when
included and you renew
rules could be the sub-
used nor- scription.
mally.

Chapter 4 System Management 636


IoT mon- Providing the IoT policy Permanent. Not
itor&control function. required.

IoT mon- After the installation of The IoT Not


itor&control trail IoT monitor&control trail policy func- required.
license, you will get the tion cannot
same IoT policy function be used when
as system with IoT mon- the license
itor&control license. But expires. If
the duration will be you restart
shorter. the device,
the existing
IoT policy
configurations
will not be
lost, but
won't take
effect.

Threat intel- Providing the threat intel- The threat Not


ligence License ligence function. intelligence required.
function can-
not be used
when the
license
expires.

Bundle License1 A package of features, For expir- Whether to


including IPS, AntiVirus, ation, refer to restart,
threat intelligence, QoS, the respective

637 Chapter 4 System Management


URL DB, and cor- license policy. please refer
responding signature data- to the restart
base update. policies for
the indi-
vidual
licenses of
IPS,
AntiVirus,
threat intel-
ligence,
QoS, URL
DB.

Bundle License3 A package of features, For expir- Whether to


including IPS, AntiVirus, ation, refer to restart,
threat intelligence, QoS, the respective please refer
URL DB, Botnet Pre- license policy. to the restart
vention, IP Reputation, policies for
Cloud sandbox, and cor- the indi-
responding signature data- vidual
base update. licenses of
IPS,
AntiVirus,
threat intel-
ligence,
QoS, URL
DB, Botnet
Prevention,

Chapter 4 System Management 638


IP Repu-
tation,
Cloud sand-
box.

CloudEdge License
CloudEdge licenses are categorized into platform licenses, sub licenses and function licenses. A
platform license is the base on which all other types of licenses are installed. You can apply for all kinds of
licenses through the SN number (the old license mechanism). If the virtual firewall is reinstalled, the SN
number changes and you have to re-apply for a license.
From version 5.5R5, the CloudEdge license has been upgraded to the latest version, with a different
licensing mechanism. After the new platform license is installed, the SN number of the device is changed
to a virtual SN (vSN for short). If you want to continue to obtain function or sub licenses, apply for them
through the vSN number. Because the new license does not depend on the SN number of the original
system, the license originally applied for remains effective after the system is reinstalled. Hillstone also
provides LMS (License Management System) to verify and manage licenses, which protects the security of
licenses.

Notes: If CloudEdge is a full license product, you do not need to purchase or install
any license. It is already a full feature firewall when you purchase it.

CloudEdge Platform Licenses

CloudEdge is pre-installed with a free default license without application. You can apply for the
platform license (the old version of the platform license) through the SN number or directly apply
for the new version of the license. Old version platform license is divided into base license and
trial license. The new platform license is divided into base license and sub license.

l Default License
CloudEdge has a built-in free default license. All features are available in a system with the default
license, such as SSL VPN, iQoS and IPS. However, performance is limited, e.g., only 2 IPSec
VPN tunnels and 2 SSL VPN users are supported. The license is valid for 30 days. After expiration,
none of the system functions can be used, and neither the OS version nor any signature database
can be upgraded.

l Platform Trial License
After the installation of a Platform Trial License, you get the same features as a system with a
Platform Base License, but the duration is shorter. The duration is determined by the agreement
you signed, and is a relative period, for example one month. After expiration, the existing
configuration cannot be modified. After a reboot, the original configuration is no longer displayed
and the default configuration is used instead; only the platform functions are available and
performance is limited. For this reason, rebooting is not recommended.

l Platform Sub License
After the installation of a Platform Sub License, you get the same features as a system with a
Platform Base License, but the duration is shorter. The duration is determined by the agreement
you signed, and is an absolute period, for example March 1 to March 31. After expiration, the
existing configuration cannot be modified. After a reboot, only the platform functions are available
and performance is limited.

l Platform License
When a CloudEdge is officially purchased, you can buy a Platform License. The Platform License
provides the fundamental firewall features.
When it expires, the system continues to function normally, but cannot be upgraded to a higher
version.

CloudEdge Sub Licenses

Sub licenses control whether corresponding functions are enabled or not and the time limit as
well.

Chapter 4 System Management 640


l IPSEC VPN Sub License
The IPSEC VPN sub license enables the IPSec VPN function and authorizes the maximum number of
IPSec VPN accesses. By installing multiple IPSEC VPN licenses, you can increase the maximum
number of IPSec VPN accesses. When the license expires, IPSec VPN connections are disconnected
and the IPSec VPN function can no longer be configured. The IPSec VPN configuration is not lost
until the device is restarted.

l SSL VPN Sub License
The SSL VPN sub license enables the SSL VPN function and authorizes the number of SSL VPN
accesses. By installing multiple SCVPN sub licenses, you can increase the number of SSL VPN
accesses. When the license expires, SSL VPN connections are disconnected and the SSL VPN
function can no longer be configured. The SSL VPN configuration is not lost until the device is
restarted.

l ZTNA Sub License
The priority of the ZTNA sub license is higher than the ZTNA trial license and lower than the
ZTNA license. Multiple ZTNA sub licenses can be installed to increase the number and validity
period of ZTNA access. The optimal validity period is adopted. When the license expires,
you can only use the default authorization of 8 ZTNA concurrent users.

l iQoS Sub License
The iQoS sub license enables the iQoS function. When the iQoS sub license expires, the iQoS
configuration is not lost until the device is restarted.

l Virtual CPU License
The Virtual CPU license authorizes the maximum number of vCPUs available to the CloudEdge.
The virtual CPU license does not expire. Different CloudEdge models require different numbers of
vCPUs and amounts of memory. You can apply for the corresponding number of vCPU licenses as
follows:

Platform Models    Minimum Configuration

SG-6000-VM01       2 vCPU, 2 GB memory

SG-6000-VM02       2 vCPU, 4 GB memory

SG-6000-VM04       4 vCPU, 8 GB memory

SG-6000-VM04       8 vCPU, 16 GB memory

l Virtual CPU Sub License
The Virtual CPU sub license authorizes the maximum number of vCPUs available to the
CloudEdge. After the license expires, the system restarts and the number of available vCPUs
reverts to 2 vCPU, which is the configuration of the minimum model SG-6000-VM01.

CloudEdge Function Licenses

Some functions are only enabled when that corresponding license is installed. The function ser-
vice includes:

l ZTNA License
Providing the ZTNA function, including the following types:

a. ZTNA license: ZTNA license is permanently valid and has the highest priority. Multiple
ZTNA licenses can be installed to increase the authorized number of ZTNA access.
When the authorized number of SCVPN access is inadequate, SCVPN access can use
the ZTNA license. ZTNA access cannot use the SCVPN license.

b. ZTNA Trial License: Providing ZTNA trial. Multiple ZTNA trial licenses can be
installed to increase the number and validity period of ZTNA access. When the license
expires, you can only use the default authorization of 8 ZTNA concurrent users.

c. ZTNA Upgrade License: Converting the specified number of SSL VPN access to the
equal number of ZTNA access. The SSL VPN license type is not limited. Multiple
ZTNA Upgrade Licenses can be installed, but the converted number of access cannot
exceed the total number of SSL VPN access. If the converted SSL VPN license is not
permanent, the validity period of the ZTNA license is the same as the SSL VPN license
before the conversion.

l Intrusion Prevention System (IPS) License


IPS License provides IPS function and its signature database upgrade. IPS License has its own
validity. When it expires, the IPS function works normally, but IPS signature database cannot
be upgraded.

l Anti-Virus (AV) License


AV License provides anti-virus function and its signature database upgrade. AV License has
its own validity. When it expires, the anti-virus function works normally, but AV signature
database cannot be upgraded.

l Sandbox License
Sandbox License provides sandbox function, which controls the suspicious file quantity
allowed to be uploaded to the cloud sandbox every day, also, it provides white list upgrade.
Sandbox License has its own validity. When it expires, the cloud analysis is stopped and the
white list can not be upgraded. However, if the suspicious traffic still matches the analysis
entries in the local cache, the sandbox function is still valid. After the system is restarted, the
sandbox function will not be used.

l URL DB License
URL DB License provides URL filter function and allows URL database to upgrade. URL DB
License has its own validity. When it expires, the URL filter function works normally, but
URL database cannot be upgraded.

l APP DB License
APP DB License allows APP database to upgrade. APP DB license is issued with platform
license. There is no need to apply for it. The validity of APP DB License also follows

643 Chapter 4 System Management


platform license. When the platform license expires, APP signature database cannot be
upgraded.

l SR-IOV Throughput License / Trial License
The SR-IOV Throughput License improves the throughput of the SR-IOV network cards of
CloudEdge. When the license is installed, the throughput of the SR-IOV card is increased.
The SR-IOV Throughput License does not expire, but the trial license does, and the
throughput returns to the default value after it expires. The default throughput of SR-IOV
network cards varies by platform, and the increase after installing the license is as follows:

SR-IOV Throughput VM01 VM02 VM04 VM08

Default 2Gbps 4Gbps 8Gbps 16Gbps

After Installing License 10Gbps 20Gbps 40Gbps 80Gbps

Notes:
l Besides the licenses listed above, a hardware platform from Hillstone Net-
works can install other types of licenses, e.g. StoneShield, but currently,
CloudEdge does not support licenses other than those listed here.

l Perimeter Traffic Filtering (PTF) function can be seen in StoneOS, but it is
not available for the moment. Future versions will support the two functions.

l Currently, Anti-Virus (AV) License and Sandbox License are not available in
CloudEdge for private cloud platform.

Applying for a License

To apply for a license, take the following steps:

1. Use the command exec license apply applicant string to generate a license application request. For
more information, see Managing a License Using CLI.

2. Send the request to the Hillstone agent.

Installing a License
A license is a string of characters. When you get the license, take the following steps to
install it on the device:
If you use the CLI to install a license, in any mode, use the command exec license install license-string.
For more information, see Managing a License Using CLI. After installing, you need to
reboot the system to make the license effective.

Notes: Although license can be removed, you are strongly suggested not to uninstall
any license.

Connecting to License server


For the Hillstone CloudEdge virtual firewall, after installing the license, you need to connect to the
license server to verify the validity of the license and so prevent the license from being cloned. The
system supports two ways: connecting the firewall to the public network license server over the
Internet, or connecting the firewall to an internal LMS (License Management System) over the LAN.
You can choose either way according to your needs.

l Verifying validity via the public network license server is applicable in some small private
clouds or industry cloud scenarios. After the virtual firewall is connected to the public server, the
server verifies the validity of the license (currently the public network server does not support the
distribution and management of licenses). If a cloned license is found, or the virtual firewall does
not connect to the server to verify, the virtual firewall is restarted within 30 days.

l Verifying validity via a LAN vLMS is applicable in large-scale public cloud scenarios. After the
virtual firewall is connected to the vLMS, the vLMS not only verifies the validity of the license, but
also supports automatic distribution and management of licenses. If a cloned license is found, the
server recalls all virtual firewall licenses of both the clone and the cloned device and restarts the
virtual firewall; if the virtual firewall does not connect to the server to verify, it restarts within 30
days.

If you use the CLI to connect to the license server, in any mode, use the command exec connect
{public-server | license-server A.B.C.D ssl-port port-number} vrouter vrouter-name.
For more information, see Connecting to License server. After connecting, you need to reboot the
system to make the license effective.
For more information about LMS, refer to the "License Management System User Guide".

Notes:
l A CloudEdge with version 5.5R7 or above must connect to an LMS with version 3.0 or above.

l If CloudEdges with version 5.5R7 and with earlier versions coexist, when the LMS detects
license cloning behavior, the CloudEdge with the version earlier than 5.5R7 is judged to be the
cloning device.

l Suggestion: Upgrade the LMS to version 3.0 or above, and then upgrade the CloudEdge to
5.5R7 before connecting to the LMS.

Managing a License Using CLI


This section describes how to apply, install and uninstall a license using command lines.

Generating a Request for License

To generate a license request, in any mode, use the following command:
exec license apply applicant string

l string - Specifies the name of the applicant.

Installing/Uninstalling a License

After obtaining the license, to install it, in any mode, use the following command:
exec license install license-string

l license-string - The license string, pasted as received.

To uninstall a license, in any mode, use the following command:
exec license uninstall license-name

l license-name - Specifies the name of the license you want to uninstall.

After installing some licenses, you need to type the command reboot to reboot system.
The following licenses will take effect after the reboot and other licenses will take effect directly.

l After installing the following licenses for the first time, you need to reboot the system: Plat-
form Trial, Platform, AV, IPS, Botnet C&C Prevention, Antispam, Stoneshield, URL, Sand-
box, Virtual CPU, LLB, IP Reputation.

l The system needs to be rebooted each time the following licenses are installed: AEL, VSYS.

Verifying the Licenses

For the Hillstone CloudEdge virtual firewall, after installing the licenses, you need to connect to the
LMS to verify their validity. In any mode, use the following command:
exec lms enable {public | private ip A.B.C.D port port-number} vrouter vrouter-name

l public - Specifies the public LMS to verify the validity of the license.

l private ip A.B.C.D - Specifies the intranet LMS to verify the validity of the license, and its
IP address. Note: If the deployed network topology reaches the license server through a proxy
server, specify the address and port of the proxy server here.

l port port-number - Specifies the port number of the LMS. The value ranges from 1 to 65535.

l vrouter vrouter-name - Specifies the VRouter name.

The license will take effect after the device is rebooted. If it has not been rebooted before, after
successfully connecting to LMS, enter the command reboot to restart the device.

Notes: When you verify your license through public LMS, make sure that the inter-
face connected to the public server is in the trust-vr zone and that you can access
the Internet through the trust-vr zone.

Viewing License Summary Information

To view the license summary information, including the feature name, license state, license type,
expiration and resource, in any mode, use the following command:
show license summary
For example:

hostname# show license summary
===============================================
Feature                State        Type                Expiration                                    Resource
----------------------------------------------------------------------------------------------
URL DB                 Authorized   Service license     2020/03/05(Upgrade effective time expired)    1
APP signature          Authorized   Service license     2020/03/05(Upgrade effective time expired)    NULL
IPS                    Authorized   Service license     2020/03/05(Upgrade effective time expired)    1
AntiVirus              Authorized   Service license     2020/03/05(Upgrade effective time expired)    NULL
VSYS                   Authorized   Permanent license   Permanent                                     5
Cloud sandbox          Authorized   Service license     2020/03/05(Upgrade effective time expired)    1
Platform               Authorized   Service license     2030/10/02(Upgrade effective time)            NULL
QoS                    Expired      Trial license       0 days left                                   NULL
Host route             No License   NULL                NULL                                          NULL
SCVPN                  No License   NULL                NULL                                          NULL
IP Reputation          No License   NULL                NULL                                          NULL
Twin mode              No License   NULL                NULL                                          NULL
Botnet C&C Prevention  No License   NULL                NULL                                          NULL
Threat intelligence    No License   NULL                NULL                                          NULL
===============================================

The parameters in the results of above show command are explained as follows:

l Feature: Displays the names of all features that are controlled by the license.

l State: Displays the installation status or effective status of the license, including Expired,
Authorized, To be effective and No License.

l Type: Displays the type of the license, including Permanent license, Service license,
Subscribe license and Trial license.

l Expiration: Displays the expiration time of the license, which is different for different types of
licenses:

l Permanent license: "Permanent" indicates no expiration time.

l Service license: "Upgrade effective time expired" indicates that the feature is available,
but the upgrade effective time of the signature database has expired and the signature
database cannot be upgraded. "Upgrade effective time" indicates that it's within the
upgrade effective time of the signature database.

l Subscribe license: "2021/08/30 to 2021/09/28 (29 days left)" indicates that the feature
can be used for 29 days within the time range.

l Trial license: "2 days left" indicates that the feature can be used for 2 days. "0 days left"
indicates that the feature is expired and the state is shown as Expired.

l Resource: Displays the number of resources available for this feature, such as the number of
SCVPN users or the number of IPSec VPN tunnels.

The priority of the license effective mechanism is: Permanent license > Service license > Sub-
scription license > Trial license > Default license. For example, if the device installs both an
IPSec VPN subscription license with 150 tunnels and an IPSec VPN permanent license with 30
tunnels, the permanent license takes effect and the number of tunnel resources is 30. If you unin-
stall the permanent license, the subscription license takes effect and the number of tunnel
resources is 150.
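A check an operator would script around this output, as an added example (not StoneOS code and not from this guide): it parses the show license summary layout shown above using the fixed State and Type vocabulary, flags rows that are expired, close to expiry, or past their upgrade effective time, and applies the priority rule from the previous paragraph to the IPSec VPN case. The sample output is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample in the layout of "show license summary" (not a real device capture).
SAMPLE_OUTPUT = """\
hostname# show license summary
===============================================
Feature State Type Expiration Resource
----------------------------------------------------------------------------------------------
URL DB Authorized Service license 2020/03/05(Upgrade effective time expired) 1
IPS Authorized Service license 2020/03/05(Upgrade effective time expired) 1
VSYS Authorized Permanent license Permanent 5
Platform Authorized Service license 2030/10/02(Upgrade effective time) NULL
QoS Expired Trial license 0 days left NULL
SCVPN Authorized Subscribe license 2021/08/30 to 2021/09/28 (29 days left) 20
Host route No License NULL NULL NULL
===============================================
"""

# State and Type hold a fixed vocabulary (listed in the guide); anchoring on it is what
# lets us split rows whose Feature and Expiration columns themselves contain spaces.
ROW_RE = re.compile(
    r"^(?P<feature>.+?)\s+"
    r"(?P<state>Authorized|Expired|To be effective|No License)\s+"
    r"(?P<lic_type>Permanent license|Service license|Subscribe license|Trial license|NULL)\s+"
    r"(?P<expiration>.+?)\s+"
    r"(?P<resource>\S+)$"
)
DAYS_LEFT_RE = re.compile(r"(\d+) days left")

# Effective-license priority as stated in the guide, highest first. The CLI output spells
# the subscription type "Subscribe license", the prose "Subscription license".
PRIORITY = ["Permanent license", "Service license", "Subscribe license",
            "Trial license", "Default license"]
ALIASES = {"Subscription license": "Subscribe license"}


@dataclass
class LicenseRecord:
    feature: str
    state: str
    lic_type: str
    expiration: str
    resource: Optional[int]  # None when the column reads NULL


def parse_license_summary(text: str) -> List[LicenseRecord]:
    """Turn the CLI output into records; prompt, rule and header lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        res = m.group("resource")
        records.append(LicenseRecord(
            m.group("feature"), m.group("state"), m.group("lic_type"),
            m.group("expiration"), int(res) if res.isdigit() else None))
    return records


def needs_attention(rec: LicenseRecord, warn_days: int = 30) -> Optional[str]:
    """Reason an operator should act on this row, or None if nothing is due."""
    if rec.state == "Expired":
        return "expired"
    # A service license keeps its feature working, but signature updates stop
    # once the upgrade effective time has passed.
    if rec.lic_type == "Service license" and "expired" in rec.expiration:
        return "signature database updates stopped"
    m = DAYS_LEFT_RE.search(rec.expiration)
    if m and int(m.group(1)) <= warn_days:
        return f"{m.group(1)} days left"
    return None


def review(records: Sequence[LicenseRecord], warn_days: int = 30) -> Dict[str, str]:
    """Map each feature that needs attention to the reason."""
    findings = {}
    for rec in records:
        reason = needs_attention(rec, warn_days)
        if reason:
            findings[rec.feature] = reason
    return findings


def effective_license(candidates: Sequence[Tuple[str, int]]) -> Optional[Tuple[str, int]]:
    """Pick the (type, resource) pair that takes effect for one feature under the
    Permanent > Service > Subscription > Trial > Default rule."""
    def rank(c: Tuple[str, int]) -> int:
        return PRIORITY.index(ALIASES.get(c[0], c[0]))
    ranked = [c for c in candidates if ALIASES.get(c[0], c[0]) in PRIORITY]
    if not ranked:
        return None
    return min(ranked, key=rank)


if __name__ == "__main__":
    for feature, reason in review(parse_license_summary(SAMPLE_OUTPUT)).items():
        print(f"{feature}: {reason}")
    # The IPSec VPN case from the guide: 150-tunnel subscription plus 30-tunnel permanent.
    print(effective_license([("Subscription license", 150), ("Permanent license", 30)]))
```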

Configuring HA Backup Device to Communicate with LMS through Master Device

For the Hillstone CloudEdge virtual firewall, when CloudEdge is deployed in HA and there are not
enough public network IP addresses for the backup device to connect to the public LMS, you can
configure communication through the master device to reach the public LMS and complete license
verification. In this case, the master device acts as a proxy for the backup device: the authentication
requests between the backup device and the public LMS are first forwarded to the master device over
the HA link, and then to the public LMS server. This function is disabled by default. To enable LMS
connection through the master device, use the following command in the global configuration mode of
the master device:
lms master-auth-proxy {enable | disable}

l enable - Enables LMS connection through the HA master device. When enabled, the master
device acts as a proxy for the backup device, and the authentication requests between the backup
device and the public LMS are first forwarded to the master device over the HA link, and then to
the public LMS server.

l disable - Disables LMS connection through the HA master device. This function can be disabled
when the backup device itself can connect to the LMS.

Replacing the Digital Certificate used for Connecting CloudEdge and LMS

When CloudEdge is connected to LMS, digital certificates are used for authentication (two-way
authentication for authenticating the connection while one-way authentication for distributing the
connection). After the authentication is successful, CloudEdge and LMS are successfully con-
nected. You need to create a trust domain in CloudEdge to store CA certificates, local certificates,
and the private keys, which will be used for authenticating the connection between CloudEdge
and LMS. To create a trust domain and configure certificates and private keys, refer to Con-
figuring PKI.
LMS references the configured trust domain to obtain the new certificates. In the global configuration
mode, use the following command:
lms trust-domain trust-domain-name

l trust-domain-name - Specifies the name of the configured trust domain where the new certificates
and private keys are stored. If this parameter is not configured, the default built-in certificates
are used.

View LMS Information

To view LMS information, in any mode, use the following command:
show lms

Batch Installing Licenses

When installing licenses on a large number of devices, this batch method simplifies the process
and minimizes mistakes.

Batch Installing Procedure

To install licenses in batch, take the following steps:

1. If you require many licenses, provide the device serial numbers and the license type
information to Hillstone. For information about licenses, consult the local agent.

2. Hillstone generates license files according to your request and sends them to you in a suitable
way, such as by email.

3. When you receive the license files, copy them to a FAT32 USB disk under a directory
named "\license" (the name must be in lower case). The license files must not be modified;
otherwise they cannot be installed.

4. Install the licenses on all the devices from the USB disk. See the section below.

Installing a License

After copying the license files to the proper directory on the USB disk, insert the USB disk into
the USB port of the device; the device automatically scans the USB disk and installs the matching
license. You can follow the status by watching the LED lights.
Power on the device and wait until it shows the login prompt.
Insert the USB disk into the USB port.
The device automatically scans the USB disk, searches for a license with the same serial number as
the device, and installs it. The ALM light shows the installation status, as shown in the table
below:

Status                                                            ALM Indicator

Searching for a matching license in the "license" directory       Blinking green until installation completes
on the USB disk.

The installation is completed.                                    Restored to the former status.

No matching license is found.                                     Blinking red for 10 seconds, then restored to
                                                                  the former status.

No "license" directory is found.                                  No change.

Remove the USB disk from the device; you can then install licenses on other devices using the
same method.

All matched licenses can be installed into the devices. To avoid reinstallation, used licenses are
removed from the “license” directory to a “license_installed” directory (automatically cre-
ated).
Reboot system to make license effective.

Simple Network Management Protocol (SNMP)


Simple Network Management Protocol (SNMP) is an application layer protocol for managing
devices on IP networks. It consists of four key components: Network Management System
(NMS), Network Management Protocol, SNMP agent and Management Information Base (MIB).

l Network Management System (NMS): A software system that uses network managers
(such as AdventNet or SolarWinds) to send requests, such as Get and Set, and receives the responses
from the SNMP agent so that it can manage and monitor network devices.

l SNMP Agent: A software module on a managed network device, which sends the local device
information to the NMS.

l Network Management Protocol: Used to exchange SNMP packets between the NMS and the
SNMP agent. It supports three basic operations: GET, SET and Trap. Get is used by the
NMS to fetch a MIB value from the SNMP agent; Set is used by the NMS to configure a MIB
value on the SNMP agent; Trap is used by the SNMP agent to send event notifications to the
NMS.

l Management Information Base (MIB): An information database maintained by the SNMP agent,
which contains the specific characteristics of managed network devices, organized as object
variables. The object variables can be read or set by the NMS.

Hillstone SNMP
Hillstone devices support the SNMP agent function, which receives requests from the NMS and
responds with the device information. The figure below illustrates how an NMS interacts with a
security device via SNMP.

Supported RFCs

Hillstone security devices support the following SNMP versions:

l SNMPv1: Simple Network Management Protocol. See RFC-1157.

l SNMPv2: See the following RFCs:

l RFC-1901 - Introduction to Community-based SNMPv2;

l RFC-1905 - Protocol Operations for Version 2 of the Simple Network Management Protocol;

l RFC-1906 - Transport Mappings for Version 2 of the Simple Network Management Protocol.

l SNMPv3: See the following RFCs:

l RFC-2263 - SNMPv3 Applications;

l RFC-2264 - User-based Security Model (USM) for version 3 of the Simple Network
Management Protocol (SNMPv3);

l RFC-2265 - View-based Access Control Model (VACM) for the Simple Network Management
Protocol (SNMP).

SNMPv1 and SNMPv2 use community strings to control which NMS can retrieve
device information. SNMPv3 introduces a user-based security model (USM) for message
security and a view-based access control model (VACM) for access control.

Supported MIBs

The device supports all relevant Management Information Base II (MIB II) groups defined in
RFC-1213, the Interfaces Group MIB (IF-MIB) using SMIv2 defined in RFC-2233, the User-based
Security Model (USM) for version 3 defined in RFC-2574 and the View-based Access Control
Model (VACM) defined in RFC-2575. In addition, StoneOS offers a private MIB, which contains
the system information, IPsec VPN information and statistics information of the device.
You can use the private MIB by loading it into an SNMP MIB browser on the management host.

Supported Traps

A trap is an asynchronous notification from the SNMP agent to the SNMP client. The following traps are
supported in StoneOS:

l Warm start

l Authentication failure

l Interface link down/up

l VPN SA negotiation status change

l HA status change

l System status changes, including CPU utilization over 80%, fan status change, memory low,
etc.

l Network attacks, including ARP spoofing, IP Spoofing, SYN Flood attack, etc.

l Configuration changes

Configuring SNMP
Hillstone device provides the following SNMP configuration options:

l Enabling/Disabling the SNMP agent function

l Configuring the SNMP port number

l Configuring SNMP engineID

l Creating an SNMPv3 user group

l Creating an SNMPv3 user

l Configuring the IP address of the management host

l Configuring the recipient of a SNMP trap

l Configuring sysContact

l Configuring sysLocation

l Specifying the VRouter on which the SNMP is enabled

Enabling/Disabling the SNMP Agent Function

By default, the SNMP agent function is disabled. To enable the function, in the global con-
figuration mode, use the following command:
snmp-server manager
To disable it, use the command no snmp-server manager.

Configuring the SNMP Port Number

To specify the port number of the SNMP agent, in the global configuration mode, use the fol-
lowing command:
snmp-server port port-number

l port-number - Specifies the port number. The value range is 1 to 65535. The default value is
161.

Configuring SNMP Engine ID

The SNMP engineID is a unique identifier for the SNMP engine. The SNMP engine is the essential
component of an SNMP entity (an NMS or a network device managed by SNMP). The functions of
the SNMP engine are sending/receiving SNMP messages, authenticating, extracting PDUs, assem-
bling messages, communicating with SNMP applications, etc.
To configure the SNMP engineID of the local device, in the global configuration mode, use the
following command:
snmp-server engineID string

l string - Specifies the engineID. The length is 1 to 23 characters.

Creating an SNMPv3 User Group

To configure an SNMPv3 user group, in the global configuration mode, use the following com-
mand:
snmp-server group group-name v3 {noauth | auth | auth-enc} [read-view {mib2 | privmib |
vacm | usm}] [write-view usm]

l group-name - Specifies a name for the user group. The value range is 1 to 31 characters.

l noauth | auth | auth-enc - Specifies the security level of the user group. The security level
determines the security mechanism used when handling an SNMP packet. noauth means neither
authentication nor encryption; auth requires MD5 or SHA authentication; auth-enc
uses MD5 or SHA authentication and AES or DES packet encryption.

l read-view {mib2 | privmib | vacm | usm} - Specifies the read-only MIB view names of the
user group. The SNMPv3 user group can read the specified MIB, including the public MIB
defined in RFC-1213 and RFC-2233 (mib2), the Hillstone Networks private MIB (privmib), the
View-based Access Control Model MIB defined in RFC-2575 (vacm) and the User-based
Security Model MIB for version 3 defined in RFC-2574 (usm). If this parameter is not spe-
cified, the SNMPv3 user group can read all MIB views.

l write-view usm - Specifies the writable MIB view names of the user group. The SNMPv3
user group can modify the User-based Security Model MIB for version 3 defined in RFC-2574
(usm). If this parameter is not specified, the SNMPv3 user group can modify all MIB (USM)
views.

The system allows up to five user groups, each with a maximum of five users. To delete
the specified user group, in the global configuration mode, use the command no snmp-server
group group-name.

Creating an SNMPv3 User

To configure an SNMPv3 user, in the global configuration mode, use the following command:
snmp-server user user-name group group-name v3 remote A.B.C.D/M [auth-protocol {md5
| sha} auth-pass [enc-protocol {des | aes} enc-pass]]

l user user-name - Specifies a name for the user. The value range is 1 to 31 characters.

l group group-name - Assigns the user to a configured user group.

l remote A.B.C.D/M - Specifies the IP address and network mask of the remote management host.

l auth-protocol {md5 | sha} - Specifies that the user is authenticated with the MD5 or
SHA algorithm. If this parameter is not specified, neither authentication nor encryption is required
for the user.

l auth-pass - Specifies the authentication password. Use 8 to 40 characters.

l enc-protocol {des | aes} - Specifies that the user's traffic is encrypted with DES or AES.

l enc-pass - Specifies the encryption password. Use 8 to 40 characters.

The system allows up to 25 users. To delete the specified user, in the global configuration mode,
use the command no snmp-server user user-name.
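
The auth-pass and enc-pass of an SNMPv3 user are never sent or stored as typed. The User-based
Security Model (RFC 2574, later RFC 3414) first stretches the password into a key Ku and then
binds that key to an engineID, so the same password yields a different localized key on every
engine; this is why SNMPv3 trap recipients have to be configured with an engineID. The Python
script below is an added example, not code from the StoneOS guide or from Hillstone. It
reproduces that derivation and checks it against the RFC 3414 test vectors. The guide does not
say how StoneOS turns its engineID string into bytes, so treating "hillstone" and "other-engine"
as ASCII bytes is an assumption made only to show that the keys differ per engine.

```python
"""SNMPv3 USM key derivation: password -> Ku -> Kul (RFC 2574 / RFC 3414 Appendix A.2).

Added example, not code from the StoneOS guide or from Hillstone.
"""
import hashlib

# The guide's auth-protocol keywords mapped onto the hash each one denotes.
_HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}
_ONE_MIB = 1_048_576  # the password is repeated, then cut to exactly 1 MiB, before hashing


def password_to_ku(password: str, auth_protocol: str = "sha") -> bytes:
    """Derive the engine-independent key Ku from a password.

    This is RFC 3414 password_to_key: hash the password repeated cyclically
    until 1 MiB of input has been consumed. The work factor is fixed and
    modest, which is why long, random auth/enc passwords still matter.
    """
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    reps = _ONE_MIB // len(pw) + 1
    stream = (pw * reps)[:_ONE_MIB]
    return _HASHES[auth_protocol](stream).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_protocol: str = "sha") -> bytes:
    """Kul = H(Ku || engineID || Ku): bind Ku to one SNMP engine."""
    return _HASHES[auth_protocol](ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, auth_protocol: str = "sha") -> bytes:
    """The key an engine identified by `engine_id` holds for this password."""
    return localize_key(password_to_ku(password, auth_protocol), engine_id, auth_protocol)


# Test vector from RFC 3414 Appendix A.3: password "maplesyrup" and a 12-byte engineID.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def demo() -> dict:
    """Localized keys for the RFC vector and for two constructed engineIDs.

    b"hillstone" and b"other-engine" are constructed for illustration only; the
    guide does not state how StoneOS encodes its engineID string into bytes.
    """
    return {
        "rfc_md5_kul": localized_key("maplesyrup", RFC3414_ENGINE_ID, "md5").hex(),
        "rfc_sha_kul": localized_key("maplesyrup", RFC3414_ENGINE_ID, "sha").hex(),
        "engine_a": localized_key("password1", b"hillstone").hex(),
        "engine_b": localized_key("password1", b"other-engine").hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two RFC vectors are the ones published in RFC 3414 A.3.1 (MD5) and A.3.2 (SHA); a
manager and an agent that agree on password, algorithm and engineID must both arrive at the
same Kul, which is the whole basis of SNMPv3 authentication and privacy.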

Configuring the IP Address of the Management Host

To configure the management host's address, in the global configuration mode, use the fol-
lowing command:
snmp-server host {ip-address | ip-address/mask | range start-ip end-ip} {version [1 | 2c]
community string [ro | rw] | version 3}

l ip-address | ip-address/mask | range start-ip end-ip - Specifies the IP address or IP range of
the management host.

l version [1 | 2c] - Specifies that the SNMP version is SNMPv1 (1) or SNMPv2C (2c).

l community string - A community string is a shared password between the managing process
and the agent process; an SNMP packet whose community string does not match that
of the security device is dropped. Specifies the community string (31 characters at most).
It only applies to SNMPv1 and SNMPv2C.

l ro | rw - Specifies the read and write privilege of the community string. A ro (read-only) com-
munity string can only read the MIB; a rw (read and write) community string can read and change
the MIB. This is optional. By default, the community string has read-only privilege.

l version 3 - Specifies that the SNMP version is version 3.

To delete the specified management host, in the global configuration mode, use the command no
snmp-server host {host-name | ip-address | ip-address/mask | range start-ip end-ip}.

Configuring Recipient of SNMP Trap

To configure the recipient of SNMP trap packets, in the global configuration mode, use the
following command:
snmp-server trap-host host-ip [source-ip ip-address] {version {1 | 2c} community string |
version 3 user user-name engineID string} [port port-number]

l host-ip - Specifies the IP address of the SNMP trap recipient.

l source-ip ip-address - Specifies the source IP address from which SNMP trap packets are sent.

l version {1 | 2c} - Specifies the SNMP version used to send trap packets: SNMPv1 (1)
or SNMPv2C (2c).

l community string - Specifies the community string for SNMPv1 or SNMPv2C.

l version 3 - Specifies that SNMPv3 is used to send trap packets.

l user user-name - Specifies the SNMPv3 user name.

l engineID string - Specifies the engineID of the trap recipient.

l port port-number - Specifies the port number of the recipient host. The value range is 1 to
65535. The default value is 162.

To delete the specified trap recipient host, in the global configuration mode, use the command no
snmp-server trap-host host-ip [source-ip].

Notes: In an HA environment, the backup device does not synchronize the
source IP address (source-ip) configured on the primary device for sending SNMP
trap packets. To specify the source IP address for the added trap host to send
SNMP trap packets, use the snmp-server trap-host host-ip source-ip ip-address
command on the backup device.

Configuring sysContact

sysContact specifies the contact name for this managed device (here, the security device),
as well as information about how to contact this person.
To configure sysContact, in the global configuration mode, use the following command:
snmp-server contact string

l string - Specifies the contact string. You can specify up to 255 characters.

To delete the contact, in the global configuration mode, use the command no snmp-server contact.

Configuring sysLocation

sysLocation specifies the physical location of this managed device (here, the security
device).
To configure sysLocation, in the global configuration mode, use the following command:
snmp-server location string

l string - Specifies the location string. You can specify up to 255 characters.

To delete the sysLocation, in the global configuration mode, use the command no snmp-server
location.

Specifying the VRouter on Which the SNMP is Enabled

You can specify the VRouter on which the SNMP function is enabled. To specify the VRouter, in
the global configuration mode, use the following command:
snmp-server vrouter vrouter-name

l vrouter-name - Specifies the name of the VRouter.

To disable the SNMP function in the VRouter, in the global configuration mode, use no snmp-server
vrouter.

Configuring SNMP Server

You can configure an SNMP server so that the device gets ARP information through the SNMP
protocol. To configure the SNMP server, in the global configuration mode, use the following command:
arp-mib-query server ip-address community string [vrouter vrouter-name] [source interface-
name] [port port-number] [interval value]

l ip-address - Specifies the IP address of the SNMP server.

l community string - Specifies the community string (31 characters at most). It only
applies to SNMPv1 and SNMPv2C.

l vrouter vrouter-name - Specifies the name of the VRouter.

l source interface-name - Specifies the name of the source interface for receiving ARP inform-
ation from the SNMP server.

l port port-number - Specifies the port number of the SNMP server. The value range is 1 to
65535; the default value is 161.

l interval value - Specifies the interval for receiving ARP information from the SNMP server.
The value range is 5 to 1800 seconds; the default value is 60 seconds.

To delete the SNMP server, use the command no arp-mib-query server ip-address.

Clearing the ARP Table Information of SNMP Server

To clear the ARP table information of the SNMP server, in any mode, use the following command:
clear arp-mib-query

Viewing the SNMP Server Information

To view SNMP server information, in any mode, use the following commands:

l Show SNMP server status: show arp-mib-query status

l Show the ARP table information of the SNMP server: show arp-mib-query table [ip-address]

l Show SNMP server configurations: show configuration arp-mib-query

Viewing SNMP Information

To view SNMP configurations, in any mode, use the following commands:

l Show SNMP configurations: show snmp-server

l Show SNMP configurations: show snmp-group

l Show SNMP configurations: show snmp-user

SNMP Configuration Examples


This section provides two SNMP configuration examples.

Requirements

The goal is to connect the NMS (a PC with IP address 10.160.64.193) to a security device on inter-
face eth0/1 (IP: 10.160.64.194), as shown below:

l Example 1: Use the NMS (PC 10.160.64.193) to manage the security device through
SNMPv2C with community string “public”. In addition, the device is allowed to send trap
packets to the NMS with community string “private”.

l Example 2: Use the PC 10.160.64.193 to manage the security device through SNMPv3,
with a security level of MD5 authentication (password: password1) and DES encryption (pass-
word: password2). The PC can read MIB-II and only has the right to modify the usm MIB. Besides,
the security device is allowed to send trap packets.

Example 1

Take the following steps:

Step 1: Configure the security device:

To enter the global configuration mode:
hostname# configure

To enable the SNMP service on the interface:
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# manage snmp

To enable SNMP on the device:
hostname(config)# snmp-server manager

To configure the community and access privilege:
hostname(config)# snmp-server host 10.160.64.193 version 2c community public ro

To configure sysContact and sysLocation:
hostname(config)# snmp-server contact cindy-Tel:218
hostname(config)# snmp-server location Hostname-Network

To allow sending trap packets to NMS 10.160.64.193 with community string “private”:
hostname(config)# snmp-server trap-host 10.160.64.193 version 2c community private

Step 2: Configure the Network Management System (NMS).

Example 2

Step 1: Configure the security device:

To enter the global configuration mode:
hostname# configure

To enable the SNMP service on the interface:
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# manage snmp

To enable SNMP on the device:
hostname(config)# snmp-server manager

To configure the local engineID:
hostname(config)# snmp-server engineID hillstone

To specify that the NMS can only read MIB-II but has write privilege over the usm MIB:
hostname(config)# snmp-server group group1 v3 auth-enc read-view mib2 write-view usm

To specify a user with MD5 authentication and DES encryption:
hostname(config)# snmp-server user user1 group group1 v3 remote 10.160.64.193 auth md5 password1 enc des password2

To configure the address of the NMS:
hostname(config)# snmp-server host 10.160.64.193 version 3

To configure the trap recipient host so that the device can send trap packets to the NMS:
hostname(config)# snmp-server trap-host 10.160.64.193 version 3 user user1 engineID remote-engineid

To configure sysContact and sysLocation:
hostname(config)# snmp-server contact cindy-Tel:218
hostname(config)# snmp-server location Hostname-Network

Step 2: Configure the Network Management System (NMS).
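
Example 1 is a community-based setup and Example 2 a user-based one. A reviewer auditing such a
configuration wants the weak points listed rather than read off by eye: SNMPv1/v2c community
strings crossing the network in cleartext, the well-known strings public and private, rw
communities, SNMPv3 groups at noauth or auth only, and the legacy md5/des choices where sha/aes
are available. The Python script below is an added example, not code from the StoneOS guide or
from Hillstone. It parses the snmp-server command forms documented in this section and runs
over a constructed configuration snippet that mirrors the two examples; it accepts both the
auth-protocol/enc-protocol keywords of the syntax description and the shorter auth/enc keywords
shown in Example 2. The severities are the example's own judgement, not anything the guide states.

```python
"""Audit StoneOS-style snmp-server configuration lines for weak settings.

Added example, not code from the StoneOS guide or from Hillstone.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

WELL_KNOWN_COMMUNITIES = {"public", "private"}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str
    message: str


def _after(tokens: List[str], key: str) -> Optional[str]:
    """Return the token that follows `key`, or None if `key` is absent or last."""
    for i in range(len(tokens) - 1):
        if tokens[i] == key:
            return tokens[i + 1]
    return None


def audit_host(tokens: List[str], line: str) -> List[Finding]:
    """snmp-server host ... {version [1 | 2c] community string [ro | rw] | version 3}"""
    version = _after(tokens, "version")
    if version == "3":
        return []
    out = [Finding("medium", line, f"SNMPv{version} host: community string is sent in cleartext")]
    community = _after(tokens, "community")
    if community in WELL_KNOWN_COMMUNITIES:
        out.append(Finding("high", line, f"well-known community string '{community}'"))
    if "rw" in tokens:
        out.append(Finding("high", line, "rw community: the MIB can be modified by anyone holding the string"))
    return out


def audit_trap_host(tokens: List[str], line: str) -> List[Finding]:
    """snmp-server trap-host ... {version {1 | 2c} community string | version 3 user ... engineID ...}"""
    version = _after(tokens, "version")
    if version == "3":
        return []
    out = [Finding("medium", line, f"SNMPv{version} trap-host: traps are neither authenticated nor encrypted")]
    community = _after(tokens, "community")
    if community in WELL_KNOWN_COMMUNITIES:
        out.append(Finding("high", line, f"well-known community string '{community}'"))
    return out


def audit_group(tokens: List[str], line: str) -> List[Finding]:
    """snmp-server group name v3 {noauth | auth | auth-enc} ..."""
    if "noauth" in tokens:
        return [Finding("high", line, "SNMPv3 group at noauth: no authentication and no encryption")]
    if "auth" in tokens:
        return [Finding("medium", line, "SNMPv3 group at auth: authenticated but payload not encrypted")]
    return []


def audit_user(tokens: List[str], line: str) -> List[Finding]:
    """snmp-server user name group g v3 remote A.B.C.D/M [auth(-protocol) {md5|sha} p [enc(-protocol) {des|aes} p]]"""
    auth = _after(tokens, "auth-protocol") or _after(tokens, "auth")
    enc = _after(tokens, "enc-protocol") or _after(tokens, "enc")
    if auth is None:
        return [Finding("high", line, "SNMPv3 user without authentication")]
    out = []
    if auth == "md5":
        out.append(Finding("low", line, "MD5 authentication: prefer sha"))
    if enc is None:
        out.append(Finding("medium", line, "no encryption: requests are readable on the wire"))
    elif enc == "des":
        out.append(Finding("low", line, "DES encryption: prefer aes"))
    return out


AUDITORS: Dict[str, Callable[[List[str], str], List[Finding]]] = {
    "host": audit_host, "trap-host": audit_trap_host, "group": audit_group, "user": audit_user,
}


def audit_config(text: str) -> List[Finding]:
    """Run every snmp-server line of `text` through the auditor for its sub-command."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0] != "snmp-server":
            continue
        auditor = AUDITORS.get(tokens[1])
        if auditor is not None:
            findings.extend(auditor(tokens, raw.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed snippet mirroring Example 1 and Example 2 above.
SAMPLE_CONFIG = """\
snmp-server manager
snmp-server host 10.160.64.193 version 2c community public ro
snmp-server trap-host 10.160.64.193 version 2c community private
snmp-server group group1 v3 auth-enc read-view mib2 write-view usm
snmp-server user user1 group group1 v3 remote 10.160.64.193 auth md5 password1 enc des password2
snmp-server host 10.160.64.193 version 3
snmp-server trap-host 10.160.64.193 version 3 user user1 engineID remote-engineid
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.message}\n    {f.line}")
    print(summarize(audit_config(SAMPLE_CONFIG)))
```

On the constructed snippet the Example 1 lines produce the cleartext and well-known-string
findings, while the Example 2 lines only draw the two low-severity notes about md5 and des;
the v3 host and trap-host lines produce nothing.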

Network Configuration Protocol (NETCONF)


Network Configuration Protocol (NETCONF) provides a mechanism for managing network
devices. You can add, modify, and delete configurations of network devices, and obtain con-
figuration and status information of network devices. Through NETCONF, network devices
provide standard application programming interfaces (APIs). Applications can directly use these
APIs to send configurations to and obtain configurations from network devices.
Comparison between NETCONF and SNMP:

Configuration management
SNMP: Does not provide a locking mechanism.
NETCONF: Provides a locking mechanism to avoid configuration conflicts arising from multi-user
operations.

Inquiry
SNMP: You can inquire about one or more nodes of the table through multiple interactions with
the system.
NETCONF: You can inquire about all configurations of the system.

Extensibility
SNMP: Poor extensibility.
NETCONF: Good extensibility. NETCONF adopts a layered architecture and each layer is independent.
Therefore, the impact on the upper-layer protocol is minimized when you extend a layer of
NETCONF. Also, NETCONF adopts XML, which allows the protocol to be extended in terms of
management ability and system compatibility.

Security
SNMP: Take the latest SNMPv3 as an example. SNMPv3 only provides the user-based security model
and cannot be combined with other security modules.
NETCONF: Uses existing security protocols to provide security protection. It is not bound to a
specific security protocol. Therefore, in practice, NETCONF is more flexible than SNMP.
Note: SSH is the preferred transport for NETCONF; XML messages are carried over the SSH protocol.

Through the NETCONF client, you can modify the configuration of Hillstone devices and obtain
configuration and status information. You can configure the following function modules:

l Object module: You can create/delete/edit address book and host book through the
NETCONF client.

l Network module: You can create/delete/edit zone, interface, DNS server, DNS proxy,
DHCP, destination route, source route, policy route, OSPF, BGP, IPsec VPN, and SSL
VPN through the NETCONF client.

l Policy module: You can create/delete/edit a policy, SNAT, and DNAT through the
NETCONF client.

Notes:
l NETCONF function requires you to configure the login type of admin-
istrators and the trusted host as NETCONF, and the management method of
interfaces as NETCONF. It is recommended to configure the three options
before you enable NETCONF.

l When the root VSYS enables NETCONF, you can configure the login type
of non-root administrators as NETCONF to enable NETCONF on non-root
VSYS.

Enabling/Disabling the NETCONF Agent


By default, the NETCONF agent function is disabled.
To enable the NETCONF agent, in the global configuration mode, use the following command:
netconf-manager enable

To disable the NETCONF agent, in the global configuration mode, use the following command:
no netconf-manager enable

Enabling/Disabling the NETCONF candidate

The NETCONF candidate enables you to modify the configuration of the current device but apply the
modification later so that current service traffic is not affected. You can modify the con-
figuration of the candidate, and replace the current configuration with the candidate configuration
according to your own needs. The replacement takes effect immediately. By default, the
NETCONF candidate is disabled.
To enable the NETCONF candidate function, in the global configuration mode, use the following
command:
netconf-manager candidate

To disable the NETCONF candidate function, in the global configuration mode, use the fol-
lowing command:
no netconf-manager candidate

Configuring the NETCONF Timeout


You can perform operations such as delivering configuration to a Hillstone device through the
NETCONF client. If you do not perform any operation on the NETCONF client for a certain
amount of time, you will be required to log in again to perform subsequent operations. To con-
figure the timeout period, in the global configuration mode, use the following command:
netconf-manager timeout value

l value - Specifies the response timeout period for the NETCONF client. The value range is
from 5 to 30 minutes. The default value is 10 minutes.

Viewing NETCONF Agent Configuration Information


To view configuration information of NETCONF agent, in any mode, use the following com-
mand:
show netconf-manager

HSM Agent
Hillstone Security Management (HSM) is a centralized management platform to manage and con-
trol multiple Hillstone devices. The HSM system consists of three modules: HSM Agent, HSM Server
and HSM Client. After deploying these modules and establishing a secure connection, you can use
the HSM Client to view logs, statistics and attributes of managed security devices, as well as mon-
itor system status and traffic information.

StoneOS running on each security device includes an HSM agent. After configuring this
agent, the device can connect to the HSM server and will be managed and controlled by the
server.
In addition, the firewall can also send the following information to HSM:

l Interface information, including latency, jitter, packet loss rate, etc.

l Application data information on the interface, including application latency, jitter, upstream
and downstream packet loss rate, etc.

You can use command lines or WebUI to configure HSM agent (Hillstone SR Series only sup-
ports WebUI). The HSM agent configurations include:

l Configuring HSM agent

l Specifying a trust domain

l Changing Digital Certificate

l Enabling/Disabling HSM agent

l Viewing HSM agent configurations

Tip: For more information about HSM, see the Hillstone Security Management User Guide.

Configuring HSM Agent


The HSM agent on the security device allows the HSM server to connect to and manage it.
To specify the IP address of the HSM server, in the global configuration mode, use the following com-
mand:
network-manager host ip-address

l ip-address - Specifies the IP address of the HSM server. This address cannot be 0.0.0.0,
255.255.255.255 or a multicast address.

To configure the port number of the HSM server, in the global configuration mode, use the following
command:
network-manager host port port-number

l port-number - Specifies the port number of the HSM server. The value range is 1 to 65535. The
default value is 9091.

To configure the interface used to connect to the HSM server, in the global configuration mode, use
the following command:
network-manager host source interface-name

l source interface-name - Specifies the interface used to connect to the HSM server.

To change the registration mode with the HSM server to plain mode (unencrypted), in the global con-
figuration mode, use the following command:
network-manager host plain

To change the registration mode with the HSM server back to encrypted mode, in the global configuration
mode, use the following command:
no network-manager host plain
To specify the password for the HSM server, in the global configuration mode, use the following com-
mand:
network-manager host password password

l password - Specifies the password. The HSM server uses this password to authenticate the device.
The length is 1 to 31 characters.

To specify the VRouter on which the HSM agent is enabled, in the global configuration mode,
use the following command:
network-manager host vrouter vrouter-name

l vrouter-name - Specifies the name of the VRouter.

To clear the configuration of the HSM server, in the global configuration mode, use the following
command:
no network-manager host

To ensure that the device can communicate normally with the HSM server in a NAT envir-
onment, you can configure the IP addresses of the FTP server and the log server. By default, the IP
address of the FTP server is the IP address of the HSM server and the port number is 21; the IP
address of the log server is the IP address of the HSM server and the port number is 514.
To configure the IP address and the port number of the FTP server, in the global configuration
mode, use the following command:
network-manager host ftp-server ip-address [port port-number]

l ip-address - Specifies the IP address of the FTP server.

l port-number - Specifies the port number of the FTP server.

To restore these values to their defaults, in the global configuration mode, use the following
command:
no network-manager host ftp-server [port]

To configure the IP address and the port number of the log server, in the global configuration
mode, use the following command:
network-manager host syslog-server ip-address [secure-tcp] [port port-number]

l ip-address - Specifies the IP address of the log server.

l secure-tcp - If this parameter is specified, the system transfers logs to HSM encrypted.

l port-number - Specifies the port number of the log server.

To restore these values to their defaults, in the global configuration mode, use the following
command:
no network-manager host syslog-server [secure-tcp] [port]

Changing Digital Certificate
Digital certificates are used for bidirectional authentication when the device connects to the
HSM server. After bidirectional authentication succeeds, the device connects to the HSM server.
Create a trust domain to store the new CA certificate so that the device can use it to
verify the certificate presented by the HSM server. Create another trust domain to store the new
local certificate and private key so that the HSM server can verify the device's certificate. If the local
certificate and private key are not configured, the device performs one-way authentication with
the HSM server: the device verifies the certificate presented by the HSM server, but
not vice versa. Import the CA certificate, local certificate and private key into the trust domains and
then you can change the digital certificates. To create a trust domain and import certificates and
a private key, see PKI.
To reference an existing trust domain for the new CA certificate, in the global configuration
mode, use the following command:
network-manager host trust-domain trust-domain-name

l trust-domain-name - Specifies the name of the existing trust domain that stores the new
CA certificate in the system. If this parameter is not specified, the system uses the default
built-in CA certificate.

To reference an existing trust domain for the new local certificate and private key, in the global
configuration mode, use the following command:
network-manager agent trust-domain trust-domain-name

l trust-domain-name - Specifies the name of the existing trust domain that stores the new
local certificate and private key in the system. If this parameter is not specified, the system
uses the CA certificate to perform one-way authentication with the HSM server.

Notes: If the HSM server does not support bidirectional authentication, the HSM
server will authenticate the device by default after the device provides the local cer-
tificate.

Enabling/Disabling HSM Agent
After configuring the HSM server parameters on the device, you need to enable the HSM agent ser-
vice, which is disabled by default.
To enable the HSM agent, in the global configuration mode, use the following command:
network-manager enable

To disable the HSM agent, in the global configuration mode, use the following command:
no network-manager enable

Viewing HSM Agent Configuration Information

To view configuration information of the HSM agent, in any mode, use the following command:
show network-manager

Network Time Protocol (NTP)


The Network Time Protocol (NTP) is a protocol for synchronizing the clocks of operating systems.
It runs over UDP on the dedicated port 123.

Tip: For more information about NTP synchronization, see RFC1305.

For a security device, the system time influences many functional modules, such as VPN tunnels,
schedules and signature certificates. NTP is used to synchronize the system time with an NTP server.
There are two ways to set the time: manual setting and using NTP.

Notes: When using the signature license for the first time, do synchronize the sys-
tem time with the computer time in advance.

Configuring NTP

Configuring System Clock Manually

To configure the system clock manually, in the global configuration mode, use the following com-
mand:
clock time HH:MM:SS Month Day Year

l HH:MM:SS Month Day Year - Specifies the system clock. HH, MM and SS indicate hour,
minute and second respectively; Month, Day and Year indicate month, day and year respectively.

Configuring Time Zone Manually

The system provides multiple predefined time zones. To configure the time zone more accurately, you
can configure a customized time zone, and configure summer time for the customized time zone.
The default time zone of the system is GMT+8. To configure a time zone, in the global con-
figuration mode, use the following command:
clock zone {timezone-name | cus-timezone-name hours minutes}

l timezone-name - Specifies the name of the predefined time zone.

l cus-timezone-name - Specifies the name of the customized time zone. The value range is 1 to 6
characters.

l hours minutes - Specifies the offset from UTC (Coordinated Universal Time). The value range of
hours is -13 to 12; the value range of minutes is 0 to 59.

For example, to configure a customized time zone named test, and set the offset from UTC to 6
hours and 30 minutes, use the following command:

hostname(config)# clock zone test 6 30

Configuring Summer Time

Summer time is a local time regulation for saving energy. According to the law issued by the
authority, during summer the clock jumps forward by one hour, and jumps backward by
one hour when the summer ends. You can specify either an absolute time period or a periodic time
period of the summer time for the customized time zone.
To specify the absolute time period of the summer time, in the global configuration mode, use the
following command:
clock summer-time cus-timezone-name date start-date start-time end-date end-time [compensation-time]

l cus-timezone-name - Specifies the name of the customized time zone. The value range is 1 to 6
characters.

l date - Specifies the absolute time period of the summer time.

l start-date - Specifies the start date of summer time. The format is month/day/year, for
example, 7/20/2011.

l start-time - Specifies the start time of summer time. The format is hour:minute, for example,
10:30.

l end-date - Specifies the end date of summer time. The format is month/day/year, for
example, 7/20/2011.

l end-time - Specifies the end time of summer time. The format is hour:minute, for example,
10:30.

l compensation-time - Specifies the compensation time applied when the summer time starts. The
default value is 0. For example, when the summer time starts, in some places the clock jumps
forward by 1 hour and 30 minutes; when the summer time ends, the clock jumps
backward by 1 hour and 30 minutes. In such a case, the compensation time is 1 hour and 30
minutes. The format is hour:minute, such as 1:30.

For example, to configure a customized time zone named test, set the start time and end time of
summer time to 6/22/2011 10:30 and 9/23/2011 10:00 respectively, and the summer time is 2
hours and 30 minutes earlier than the non-summer time, use the following command:

hostname( config) # clock summer-time test date 6/22/2011


10:30 9/23/2011 10:00 2:30

To specify the periodical time period of the summer time, i.e. executing the summer time in a spe-
cified time period in every year, in the global configuration mode, use the following command:
clo ck summer-time cus-timezone-name recurrin g { [Mo n ] |[…] | [Sun ] }{after |
b efo re} start-day start-month start-time { [Mo n ] |[…] |[Sun ]} {after | b efo re} end-day end-
month end-time [co mp en satio n -time]

l cus-timezone-name – Specifies the name of customized time zone. The value range is 1 to 6
characters.

l recurring – Specifies the periodical time period of the summer time.

l { [Mon] |[…] | [Sun] }{after | before}start-day start-month start-time – Specifies the start
time of the periodical time period. For example, Mon before 22 6 10:30 means the start time
of the summer time in every year is 10:30 on the Monday of the first week before 22nd, June.

l { [Mon] |[…] |[Sun]} {after | before}end-day end-month end-time - Specifies the end time
of the periodical time period. For example, Fri after 23 9 10:00 means the end time of the
summer time in every year is 10:00 on the Friday of the first week after 23rd, September.

l compensation-time – Specifies the compensation time of the summer time when the summer
time takes effect. The default value is 0. For example, when the summer time starts, the
system adjusts the time of certain zones 1.5 hours ahead, and when the summer time ends,
adjusts the time of certain zones 1.5 hours back. 1.5 hours is the compensation time you
defined. The format is “hour:minute”, for example, 1:30.

For example, to configure a customized time zone named test, set the start time as 10:30 on the
Monday of the first week before 22nd, June and set the end time as 10:00 on the Friday of the
first week after 23rd, September. The time during the summer time is 2.5 hours ahead.

hostname(config)# clock summer-time test recurring Mon before 22 6 10:30 Fri after 23 9 10:00 2:30

Notes: The summer time may affect logs and modules that rely on time. For
example, in the above example, when the summer time ends on 9/23/2011 10:00,
the clock will jump backward for 2 hours and 30 minutes, i.e., jump backward to
7:30. Therefore, the time range from 7:30 to 10:00 will appear twice on 9/23/2011.

To cancel the summer time configuration, in the global configuration mode, use the command no
clock summer-time cus-timezone-name date.

Viewing System Clock Configuration Information

To view the time zone settings, in any mode, use the command show clock.
To view the summer time settings, in any mode, use the command show config.

Configuring NTP Service

NTP is used to synchronize the system clock with an NTP server. The system supports the
following NTP configurations:

l Enabling/Disabling NTP Service

l Configuring an NTP Server

l Configuring the Max Adjustment Value

l Configuring the Query Interval

l Enabling/Disabling NTP Authentication

l Configuring NTP Authentication

Enabling/Disabling NTP Service

By default, NTP service on Hillstone devices is disabled.



To enable/disable NTP service, in the global configuration mode, use the following commands:

l Enable: ntp enable

l Disable: no ntp enable

Configuring an NTP Server

You can specify up to three NTP servers. The one configured with the keyword “prefer” is the
primary NTP server; if no “prefer” is specified, the earliest configured NTP server is the first one
used for time synchronization.
To configure an NTP server, in the global configuration mode, use the following command:
ntp server {ip-address | host-name} [key number] [source interface-name] [prefer] [vrouter vrouter-name]

l ip-address | host-name - Specifies the IP address or host name of the NTP server. The length
of the host name can be 1 to 127 characters.

l key number - Specifies the password of the NTP server if it requires one.

l source interface-name - Specifies the interface on which the security device sends and
receives NTP packets.

l prefer - If more than one NTP server is specified, use this keyword to determine the primary
server.

l vrouter vrouter-name - Specifies the NTP server for the specified VRouter.

To cancel the NTP server settings, use the command no ntp server {ip-address | host-name}.
Here is an example of configuring an NTP server:

hostname(config)# ntp server 10.160.64.5 prefer

Configuring the Max Adjustment Value

The maximum time adjustment value represents the acceptable time difference between the
device system clock and the time received from an NTP server. The device only adjusts its clock
with the NTP server time if the time difference between its clock and the NTP server time is
within the maximum time adjustment value.
To set the maximum adjustment value, in the global configuration mode, use the following
command:
ntp max-adjustment time-value

l time-value - Specifies the time value. The value range is 0 to 3600 seconds. The value of 0
means no adjustment time. The default value is 10.

To restore to the default value, use the command no ntp max-adjustment.

Configuring the Query Interval

The device updates its clock with NTP servers at intervals of the value you set here.
To configure the query interval, in the global configuration mode, use the following command:
ntp query-interval time-interval

l time-interval - The query interval. The value range is 1 to 60 minutes. The default value is 5.

To restore to the default value, use the command no ntp query-interval.

Enabling/Disabling NTP Authentication

By default, NTP authentication is disabled.


To enable/disable NTP authentication, in the global configuration mode, use the following
commands:

l Enable: ntp authentication

l Disable: no ntp authentication

Configuring NTP Authentication

If you choose to use NTP authentication, the security device only interacts with servers that pass
the authentication.
To configure the NTP authentication key ID and key, in the global configuration mode, use the
following command:
ntp authentication-key number md5 string

l number - Specifies the key ID number. The value range is 1 to 65535.

l string - Specifies MD5 authentication key. The length is 1 to 31 characters.

To cancel the authentication private key settings, in the global configuration mode, use the
command no ntp authentication-key number.

Viewing NTP Status

To view the current NTP configurations, in any mode, use the command show ntp status.

NTP Configuration Example


Requirements of this configuration example are:

l NTP server IP address is 10.10.10.10;

l Authentication private key ID and key are 1 and aaaa respectively;

l The query interval is 3 minutes;

l The maximum adjustment time is 5 seconds.

Configure the following commands on the device:

hostname(config)# ntp authentication-key 1 md5 aaaa

hostname(config)# ntp server 10.10.10.10 key 1 prefer

hostname(config)# ntp query-interval 3

hostname(config)# ntp max-adjustment 5

hostname(config)# ntp authentication

hostname(config)# ntp enable

hostname(config)# show ntp status

ntp client is enabled, authentication is enabled

ntp query-interval is 3, max-adjustment time is 5

ntp server 10.10.10.10, key 1, prefer

Configuring Schedule
Schedules control the effective time of some functional modules, such as allowing a policy rule
or NAT rule to take effect in a specified time, and controlling the duration of the connection
between a PPPoE interface and the Internet. There are two types of schedule: periodic schedule and
absolute schedule. The periodic schedule specifies a time point or time range by periodic schedule
entries, while the absolute schedule decides a time range in which the periodic schedule will
take effect.

Creating a Schedule
To create a schedule, in the global configuration mode, use the following command:
schedule schedule-name

l schedule-name - Specifies a name for the schedule. The length of it can be 1 to 31 characters.

This command creates a schedule and leads you into the schedule configuration mode; if the
schedule exists, you will enter its configuration mode directly.
To delete a schedule, use the command no schedule schedule-name. Note that you should unbind
the schedule from all the functional modules before deleting it.

Configuring an Absolute Schedule


An absolute schedule is a time range in which the periodic schedule will take effect. If no absolute
schedule is specified, the periodic schedule will take effect as soon as it is referenced by any module.
To configure an absolute schedule, in the schedule configuration mode, use the following
command:
absolute {[start start-date start-time] [end end-date end-time]}

l start start-date start-time - Specifies the start date and time. start-date specifies the start date
in the format of month/date/year, e.g. 10/23/2007; start-time specifies the start time in the
format of hour:minute:second, e.g. 15:30:20. If this parameter is not specified, it uses the
present time.

l end end-date end-time - Specifies the end date and time. end-date specifies the finish date in
the format of month/date/year, e.g. 11/05/2007; end-time specifies the finish time in the
format of hour:minute:second, e.g. 09:00:00. If the parameters are not specified, there is no
end time for the absolute schedule.

To disable absolute schedule, use the command no absolute.

Configuring a Periodic Schedule


A periodic schedule is the collection of all the schedule entries within the schedule. You can add
up to 16 schedule entries to a periodic schedule. These entries can be divided into three types:

l Daily: The specified time of every day, such as Everyday 09:00:30 to 18:00:20.

l Days: The specified time of a specified day during a week, such as Monday Tuesday Saturday
09:00:15 to 13:30:45.

l Due: A continuous period during a week, such as from Monday 09:30:30 to Wednesday
15:00:05.

To specify a periodic schedule, in the schedule configuration mode, use the following command:
periodic {daily | weekdays | weekend | [monday] […] [sunday]} start-time to end-time

l daily - Every day.

l weekdays - Workdays (from Monday to Friday).

l weekend - Weekends (Saturday and Sunday).

l [monday] […] [sunday] - Specifies particular days. For example, if you want Tuesday,
Wednesday and Saturday, type the keywords tuesday wednesday saturday.


l start-time - Specifies the start time in the format of hour:minute:second, e.g. 09:00:00.

l end-time - Specifies the end time in the format of hour:minute:second, e.g. 16:30:30.

Repeat the command to add more entries.


To delete a periodic entry, use the command no periodic {daily | weekdays | weekend |
[monday] […] [sunday]} start-time to end-time.
To configure an entry which specifies a period of time in a week, in the schedule configuration
mode, use the following command:
periodic {[monday] | […] | [sunday]} start-time to {[monday] | […] | [sunday]} end-time

l [monday] | […] | [sunday] - Specifies the start day in a week.

l start-time - Specifies the start time in the format of hour:minute:second, e.g. 09:00:00.

l [monday] | […] | [sunday] - Specifies the end day.

l end-time - Specifies the end time in the format of hour:minute:second, e.g. 16:30:30.

Repeat this command to add more entries.


To delete an entry, use the command no periodic {[monday] | […] | [sunday]} start-time to
{[monday] | […] | [sunday]} end-time.

Notes: In both absolute schedule and periodic schedule, the interval between the
Start time and the End time should not be less than 1 minute.
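As an added illustration of how the absolute window and the periodic entries above combine (example code written for this guide, not StoneOS code): the model below parses periodic lines in the syntax given above, enforces the 16-entry limit and the 1-minute minimum interval, and reports whether a schedule is active at a given moment. The class and function names, the treatment of a schedule that has no periodic entries, and the half-open handling of the end time are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import FrozenSet, List, Optional

# Added example, not StoneOS code: a model of schedule evaluation. Names are assumptions.
DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
GROUPS = {"daily": frozenset(DAYS), "weekdays": frozenset(DAYS[:5]),
          "weekend": frozenset(DAYS[5:])}
MAX_ENTRIES = 16             # a periodic schedule holds up to 16 entries
MIN_INTERVAL_SECONDS = 60    # start and end must be at least 1 minute apart
WEEK = 7 * 86400
DATE_FMT = "%m/%d/%Y %H:%M:%S"   # as in "absolute start 10/23/2007 15:30:20"


def _secs(t: time) -> int:
    return t.hour * 3600 + t.minute * 60 + t.second


@dataclass(frozen=True)
class PeriodicEntry:
    days: FrozenSet[str]            # start day(s); a spanning entry has exactly one
    start: time
    end: time
    end_day: Optional[str] = None   # only for "monday 09:30:30 to wednesday 15:00:05"

    def contains(self, now: datetime) -> bool:
        if self.end_day is None:
            return DAYS[now.weekday()] in self.days and self.start <= now.time() < self.end
        # Spanning entry: compare positions inside the week, in seconds (assumed model).
        (start_day,) = self.days
        s = DAYS.index(start_day) * 86400 + _secs(self.start)
        e = DAYS.index(self.end_day) * 86400 + _secs(self.end)
        n = now.weekday() * 86400 + _secs(now.time())
        return s <= n < e if s <= e else (n >= s or n < e)


def parse_periodic(cmd: str) -> PeriodicEntry:
    """Parse one 'periodic ...' line as typed in schedule configuration mode."""
    tokens = cmd.split()
    if not tokens or tokens[0] != "periodic" or "to" not in tokens:
        raise ValueError(f"not a periodic entry: {cmd!r}")
    i = tokens.index("to")
    left, right = tokens[1:i], tokens[i + 1:]
    if len(left) < 2 or len(right) not in (1, 2):
        raise ValueError(f"malformed periodic entry: {cmd!r}")
    names, start = left[:-1], datetime.strptime(left[-1], "%H:%M:%S").time()
    if len(names) == 1 and names[0] in GROUPS:
        days = GROUPS[names[0]]
    elif all(d in DAYS for d in names):
        days = frozenset(names)
    else:
        raise ValueError(f"bad day keyword(s) in {cmd!r}")
    if len(right) == 2:                      # "to <day> <time>": a period across days
        end_day, end = right[0], datetime.strptime(right[1], "%H:%M:%S").time()
        if len(days) != 1 or end_day not in DAYS:
            raise ValueError(f"spanning entry needs one start day and one end day: {cmd!r}")
        span = (DAYS.index(end_day) - DAYS.index(next(iter(days)))) * 86400 + _secs(end) - _secs(start)
        span = span if span > 0 else span + WEEK   # e.g. friday ... to monday wraps the week
    else:
        end_day, end = None, datetime.strptime(right[0], "%H:%M:%S").time()
        span = _secs(end) - _secs(start)
    if span < MIN_INTERVAL_SECONDS:
        raise ValueError("start and end must be at least 1 minute apart")
    return PeriodicEntry(days, start, end, end_day)


@dataclass
class Schedule:
    name: str
    absolute_start: Optional[datetime] = None
    absolute_end: Optional[datetime] = None
    periodic: List[PeriodicEntry] = field(default_factory=list)

    def set_absolute(self, start: Optional[str] = None, end: Optional[str] = None) -> None:
        """Mirror 'absolute [start date time] [end date time]'; omitted parts mean now / no end."""
        self.absolute_start = datetime.strptime(start, DATE_FMT) if start else None
        self.absolute_end = datetime.strptime(end, DATE_FMT) if end else None

    def add_periodic(self, cmd: str) -> None:
        if len(self.periodic) >= MAX_ENTRIES:
            raise ValueError(f"{self.name}: at most {MAX_ENTRIES} periodic entries")
        self.periodic.append(parse_periodic(cmd))

    def is_active(self, now: datetime) -> bool:
        if self.absolute_start is not None and now < self.absolute_start:
            return False
        if self.absolute_end is not None and now >= self.absolute_end:
            return False
        # Assumption: a schedule with no periodic entries is active for its whole absolute window.
        return not self.periodic or any(e.contains(now) for e in self.periodic)

    def active_at(self, when: str) -> bool:
        """Convenience wrapper taking the guide's month/day/year hour:minute:second format."""
        return self.is_active(datetime.strptime(when, DATE_FMT))
```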

Configuring a Track Object


A track object is used to track whether the specified object (IP address or host) is reachable, whether
the specified interface is connected, and whether the specified object or link is congested. If the
object is not reachable or the link is not connected, the system directly concludes that the track fails;
if the object is reachable or the link is connected, the system continues to detect whether the object
or link is congested based on packet delay or interface bandwidth. Track is mainly used in HA, PBR
and LLB scenarios. By configuring track, you can ensure the system always selects a comparatively
healthy link.


Notes:
l When the track fails, the system will drop all the sessions to the track
object.

l When the track object is congested, the system will still keep all the existing
sessions to the object, but will not allow any new session.

To configure a track object, in the global configuration mode, use the following command:
track track-object-name [local]

l track-object-name - Specifies a name for the track object. The length of it can be 1 to 31
characters.

l local - If you enter this parameter, the system will not synchronize the configuration of this track
object with the backup device. Without this parameter, the configuration will be synchronized
with the backup device.

This command creates the track object and leads you into the track object configuration mode; if
the object exists, you will enter its configuration mode directly.
To delete the specified track object, use the following command:
no track track-object-name

You can track an object using five protocols: ICMP, HTTP, ARP, DNS and TCP. Besides, the object
can also be tracked by counting the traffic information of a specified interface.

Track by ICMP Packets


To track an object using Ping packets, in the object configuration mode, use the following
command:
icmp {A.B.C.D | host host-name} interface interface-name [interval value] [threshold value] [src-interface interface-name [prior-used-srcip]] [weight value]


l A.B.C.D | host host-name - Specifies the IP address or host name of the tracked object. The
length of the host name can be 1 to 63 characters.

l interface interface-name - Specifies the egress interface sending Ping packets.

l interval value - Specifies the interval of sending Ping packets. The value range is 1 to 255
seconds. The default value is 3.

l threshold value - Specifies the number which determines the tracking fails. If the system does
not receive response packets of the number specified here, it determines that the tracking has
failed, namely, the destination is unreachable. The value range is 1 to 255. The default value is
3.

l src-interface interface-name - Specifies the source interface of Ping packets.

l prior-used-srcip - If a secondary IP is specified for the source interface and that IP is specified
as prior-used-srcip, the system will use it to send track packets in preference. If the parameter
is not specified, the system will use the default IP of the source interface to send track packets.

l weight value - Specifies how important this entry failure is to the judgment of tracking failure.
The value range is 1 to 255. The default value is 255.

Repeat the command to configure more Ping tracking entries.


To delete the specified tracking entry, use the following command:
no icmp {A.B.C.D | host host-name} interface interface-name [delay]

Dynamic Ping Message ID


When an object is tracked by using Ping packets, the header ID of ICMP messages sent by the
same track object is a fixed value. In this case, the ICMP messages may be blocked as DoS attacks
by other intermediate security devices, and the track will then fail. To solve this issue, the system
supports the dynamic Ping message ID function. With this function enabled, the header ID
of ICMP messages sent by the same track object is a dynamic value. To configure this function,
use the following command in the object configuration mode:
dynamic-ping-msg-id {enable | disable}


l enable - Enable the dynamic Ping message ID function. With this function enabled, the
header ID of ICMP messages sent by the same track object is a dynamic value.

l disable - Disable the dynamic Ping message ID function. With this function disabled, the
header ID of ICMP messages sent by the same track object is a fixed value.

Track by IPv6 ICMP Packets

To track an object using Ping packets, in the object configuration mode, use the following com-
mand:
icmp6 {ipv6-address | host host-name} interface interface-name [interval value] [threshold value]
[src-interface interface-name [prior-used-srcip ipv6-address]] [weight value]

l ipv6-address | host host-name - Specifies the IPv6 address or host name of the tracked
object. The length of the host name can be 1 to 63 characters.

l interface interface-name - Specifies the egress interface sending Ping packets.

l interval value - Specifies the interval of sending Ping packets. The value range is 1 to 255
seconds. The default value is 3.

l threshold value - Specifies the number which determines the tracking fails. If the system does
not receive response packets of the number specified here, it determines that the tracking has
failed, namely, the destination is unreachable. The value range is 1 to 255. The default value is
3.

l src-interface interface-name - Specifies the source interface of Ping packets.

l prior-used-srcip ipv6-address - If a secondary IPv6 address is specified for the source interface
and that address is specified as prior-used-srcip, the system will use it to send track packets in
preference. If the parameter is not specified, the system will use the default IP address of the source
interface to send track packets.


l weight value - Specifies how important this entry failure is to the judgment of tracking failure.
The value range is 1 to 255. The default value is 255.

Repeat the command to configure more Ping tracking entries.


To delete the specified tracking entry, use the following command:
no ip {A.B.C.D | host host-name} interface interface-name [delay]

Track by HTTP Packets


To track an object using HTTP packets, in the track object configuration mode, use the following
command:
http {A.B.C.D | host host-name} interface interface-name [interval value] [threshold value] [src-interface interface-name] [weight value]

l A.B.C.D | host host-name - Specifies the IP address or host name of the track object. The
length of the host name can be 1 to 63 characters.

l interface interface-name - Specifies the egress interface for sending HTTP test packets.

l interval value - Specifies the interval of sending HTTP packets. The value range is 1 to 255
seconds. The default value is 3.

l threshold value - Specifies the number which concludes the tracking fails. If the system does
not receive response packets of the number specified here, it concludes that the tracking has
failed. The value range is 1 to 255. The default value is 1.

l src-interface interface-name - Specifies the source interface of the HTTP packets.

l weight value - Specifies how important this entry failure is to the judgment of tracking failure.
The value range is 1 to 255. The default value is 255.

Repeat the command to configure more HTTP tracking entries.


To delete the specified tracking entry, use the following command:
no http {A.B.C.D | host host-name} interface interface-name [delay]


Track by ARP Packets
To track an object using ARP packets, in the track object configuration mode, use the following
command:
arp {A.B.C.D} interface interface-name [interval value] [threshold value] [weight value]

l A.B.C.D - Specifies the IP address of the track object.

l interface interface-name - Specifies the egress interface for sending ARP test packets.

l interval value - Specifies the interval of sending ARP packets. The value range is 1 to 255
seconds. The default value is 3.

l threshold value - Specifies the threshold number which concludes the tracking fails. If the sys-
tem does not receive response packets of the number specified here, it concludes that the
tracking has failed. The value range is 1 to 255. The default value is 3.

l weight value - Specifies how important this entry failure is to the judgment of tracking fail-
ure. The value range is 1 to 255. The default value is 255.

Repeat the command to configure more ARP tracking entries.


To delete the specified tracking entry, use the following command:
no arp {A.B.C.D} interface interface-name

Track by DNS Packets


To track an object using DNS packets, in the track object configuration mode, use the following
command:
dns A.B.C.D interface interface-name [interval value] [threshold value] [weight value] [src-interface interface-name]

l A.B.C.D - Specifies the IP address of track object.

l interface interface-name - Specifies the egress interface for sending DNS test packets.



l interval value - Specifies the interval of sending DNS packets. The value range is 1 to 255
seconds. The default value is 3.

l threshold value - Specifies the threshold number which concludes the tracking fails. If the
system does not receive response packets of the number specified here, it concludes that the
tracking has failed. The value range is 1 to 255. The default value is 3.

l weight value - Specifies how important this entry failure is to the judgment of tracking failure.
The value range is 1 to 255. The default value is 255.

l src-interface interface-name - Specifies the source interface of DNS test packets.

Repeat the command to configure more DNS tracking entries.


To delete the specified tracking entry, use the following command:
no dns A.B.C.D interface interface-name [delay]

Track by TCP Packets


To track an object using TCP packets, in the track object configuration mode, use the following
command:
tcp {A.B.C.D | host host-name} port port-number interface interface-name [interval value] [threshold value] [src-interface interface-name] [weight value]

l A.B.C.D | host host-name - Specifies the IP address or host name of track object. The length
of the host name can be 1 to 63 characters.

l port port-number - Specifies the destination port of the track object. The value range is 0 to
65535.

l interface interface-name - Specifies the egress interface for sending TCP test packets.

l interval value - Specifies the interval of sending TCP packets. The value range is 1 to 255
seconds. The default value is 3.



l threshold value - Specifies the threshold number which concludes the tracking fails. If the sys-
tem does not receive response packets of the number specified here, it concludes that the
tracking has failed. The value range is 1 to 255. The default value is 3.

l src-interface interface-name - Specifies the source interface of TCP test packets.

l weight value - Specifies how important this entry failure is to the judgment of tracking failure.
The value range is 1 to 255. The default value is 255.

Repeat the command to configure more TCP tracking entries. For one single track object, you
cannot configure both the HTTP track on the host and the TCP track on port 80 simultaneously.
To delete the specified tracking entry, use the following command:
no tcp {A.B.C.D | host host-name} port port-number interface interface-name [delay]

Interface Status Track


To track interface status, in the track object configuration mode, use the following command:
interface interface-name [weight value]

l interface-name - Specifies the interface name.

l weight value - Specifies how important this entry failure is to the judgment of tracking failure.
The value range is 1 to 255. The default value is 255.

Repeat the command to configure more tracking entries.


To delete the specified tracking entry, use the following command:
no interface interface-name

Interface Bandwidth Track


To track interface bandwidth, in the track object configuration mode, use the following
command:
bandwidth interface interface-name direction {in | out | both} high-watermark value low-watermark value [interval value] [threshold value] [weight value]


l interface-name - Specifies the interface name.

l direction {in | out | both} - Specifies the traffic direction to be tracked. in indicates ingress,
out indicates egress (the default direction), and both indicates both directions.

l high-watermark value low-watermark value - Specifies the high watermark and low watermark
for the interface bandwidth. The value range is 1 to 100000000 kbps. When the interface
bandwidth is below the specified high watermark, the system concludes the link is normal; when
the interface bandwidth equals or exceeds the specified high watermark, the system concludes the
link is congested; once congestion has occurred, the system does not conclude that the link has
restored to normal until the interface bandwidth is equal to or below the specified low watermark.
Such a design avoids frequent switching of the link status between normal and congested.

l interval value - Specifies the tracking interval. The value range is 1 to 255 seconds. The
default value is 3.

l threshold value - Specifies the threshold number which concludes the entry is congested. If
the system detects interface overload the number of times specified here in succession, it concludes
the entry is congested. The value range is 1 to 255. The default value is 1.

l weight value - Specifies how important this link congestion is to the judgment of track object
congestion. The value range is 1 to 255. The default value is 255.

Repeat the command to configure more tracking entries.


To delete the specified tracking entry, use the following command:
no bandwidth interface interface-name

Interface Quality Track


To track the link state of a specified interface by counting sampled traffic, in the track object
configuration mode, use the following command:
traffic-condition [ipv6] interface interface-name [condition-threshold low-watermark high-watermark] [interval value] [threshold value] [weight value]

l ipv6 – Specifies the interface quality track object as the IPv6 type. If this parameter is not
specified, the interface quality track object is specified as IPv4 type by default.

l interface-name – Specifies the tracked interface name.

l condition-threshold low-watermark high-watermark - Specifies the threshold values of the new
session success rate. By default, the threshold low watermark is 30, and the threshold high
watermark is 50. The value range is 0 to 100. During a track period, when the new session
success rate is below the specified low watermark, the system concludes the track has failed; when
the new session success rate exceeds the specified high watermark, the system concludes the
track is successful; when the new session success rate is equal to or above the low watermark
and equal to or below the high watermark, the system keeps the previous track state.

l interval value - Specifies the duration of each track period. The unit is second. The value
range is 1 to 255. The default value is 3. After a track period is finished, the system resets the
tracked new-session values.

l threshold value – Specifies the threshold value which concludes the track entry is failed. The
value range is 1 to 255. The default value is 3.

l weight value – Specifies how important this track failure is to the judgment of track object
failure. The value range is 1 to 255. The default value is 255.

Repeat the command to configure more tracking entries.


To delete the specified tracking entry, use the following command:
no traffic-condition [ipv6] interface interface-name

Configuring a Threshold
Threshold is used to conclude if the track object failed or is congested. When the total weight
sum of the track entries that belong to the same category in the track object exceeds or equals
the corresponding threshold, the system will conclude the track object failed or is congested.

Monitor Object Failure Threshold


If the sum of weight values of all track entries exceeds or equals a certain value, the system
concludes that the tracking fails. The value is known as the track object failure threshold value.
To configure the track object failure threshold value, in the track object configuration mode, use
the following command:
threshold value

l value - Specifies the threshold value. The value range is 1 to 255. The default value is 255.

To restore to the default threshold value, in the track object configuration mode, use the
following command:
no threshold
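The weight and threshold judgment described for track objects in this section, as an added example (not Hillstone code): probe entries fail after a run of unanswered probes, a bandwidth entry follows the high/low watermark hysteresis, and the object fails or is congested once the weights of its failed entries reach the object threshold. The names ProbeEntry, BandwidthEntry and TrackObject, and the sample interfaces and values, are assumptions.

```python
from dataclasses import dataclass, field
from typing import List

# Added example, not StoneOS code: a model of the track-object judgment. Names are assumptions.

@dataclass
class ProbeEntry:
    """An icmp/http/arp/dns/tcp entry: fails after `threshold` unanswered probes in a row."""
    name: str
    threshold: int = 3      # consecutive missed responses that mark the entry failed
    weight: int = 255       # the entry's contribution to the failure weight sum
    missed: int = 0

    def observe(self, replied: bool) -> None:
        self.missed = 0 if replied else self.missed + 1

    @property
    def failed(self) -> bool:
        return self.missed >= self.threshold


@dataclass
class BandwidthEntry:
    """A bandwidth entry: congested at/above high-watermark, normal again only at/below low-watermark."""
    name: str
    high_watermark: int     # kbps
    low_watermark: int      # kbps
    threshold: int = 1      # consecutive overload readings needed to declare congestion
    weight: int = 255
    overloaded: int = 0
    congested: bool = False

    def observe(self, kbps: int) -> None:
        if not self.congested:
            self.overloaded = self.overloaded + 1 if kbps >= self.high_watermark else 0
            if self.overloaded >= self.threshold:
                self.congested = True
        elif kbps <= self.low_watermark:
            # Hysteresis: recovery needs traffic at or below the low watermark.
            self.congested, self.overloaded = False, 0


@dataclass
class TrackObject:
    name: str
    threshold: int = 255    # "threshold value" in track-object configuration mode
    probes: List[ProbeEntry] = field(default_factory=list)
    bandwidth: List[BandwidthEntry] = field(default_factory=list)

    def failed(self) -> bool:
        # Failure: weights of failed probe entries reach the object threshold.
        return sum(p.weight for p in self.probes if p.failed) >= self.threshold

    def congested(self) -> bool:
        # Congestion is judged in its own category, against the same threshold.
        return sum(b.weight for b in self.bandwidth if b.congested) >= self.threshold


def probe_weight_demo() -> List[bool]:
    """Two icmp entries of weight 128 under a 255 threshold: one failing is not enough, both are."""
    obj = TrackObject("isp1", probes=[ProbeEntry("gw", weight=128), ProbeEntry("dns", weight=128)])
    states = []
    for _ in range(3):                 # gw misses three replies in a row -> entry failed
        obj.probes[0].observe(False)
    states.append(obj.failed())        # 128 < 255: object still up
    for _ in range(3):
        obj.probes[1].observe(False)
    states.append(obj.failed())        # 256 >= 255: object failed
    obj.probes[0].observe(True)        # gw answers again; its miss counter resets
    states.append(obj.failed())
    return states


def bandwidth_hysteresis_demo() -> List[bool]:
    """Constructed kbps readings against high 80000 / low 60000; congested flag after each."""
    obj = TrackObject("isp1", bandwidth=[BandwidthEntry("ethernet0/0", 80000, 60000)])
    flags = []
    for kbps in (70000, 85000, 70000, 60000, 95000):
        obj.bandwidth[0].observe(kbps)
        flags.append(obj.congested())
    return flags
```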

Fail Close
With this function enabled, the system will check application layer traffic with IPS, AV, content
filtering, Web content and application-layer behavior control. If you disable this feature, when
system resources are too low, such as when CPU usage is high or the remaining memory or packet
buffer capacity is insufficient, the system will pass packets in order to control resource utilization,
so as not to affect other functions. By default, this function is disabled.

Enabling/Disabling Fail Close


To enable fail close, under global configuration mode, use the following command:
fail-close enable

To disable fail close, under global mode, use the command:
no fail-close enable

Notes: Fail close is not applicable for: FTP behavior control, web surfing,
MSRPC/SUNRPC/DNS (UDP) check of IPS.



Viewing Fail Close Status
To view the fail close status, in any mode, use the following command:
show fail-close

Enabling/Disabling Application Layer Security Bypass


The system supports bypassing the application layer functions, including Intrusion Prevention System,
Anti Virus, and other application layer security protection functions. To enable application layer
security bypass, under global mode, use the command:
app-security-bypass

To disable application layer security bypass, under global mode, use the command:
no app-security-bypass

Notes: When the application layer security bypass and fail close are configured at
the same time, the application layer security bypass has a higher priority.

Viewing Application Layer Security Bypass Status


To view the application layer security bypass status, in any mode, use the following command:
show app-security-bypass

Monitor Alarm
The monitor alarm function is designed to monitor the utilization of system resources, and issue
an alarm according to the configuration. The current version supports log and SNMP Trap alarms.
You need to enter the monitor configuration mode to configure the monitor alarm function. To
enter the monitor configuration mode, in the global configuration mode, use the following
command:
monitor

After entering the monitor configuration mode, you can configure a monitor rule as needed for
the system resource object:
{cpu | memory utilization | interface-bandwidth interface-name utilization | log-buffer {config | event | ips | network | security | traffic {session | nat | urlfilter}} utilization | policy utilization | session utilization | snat-resource utilization} interval interval-value absolute rising-threshold threshold-value sample-period period-value [count count-value] {log [snmp-trap] | snmp-trap}

l cpu | memory utilization | interface-bandwidth interface-name utilization | log-buffer {config
| event | ips | nbc | network | security | traffic {session | nat | urlfilter}} utilization |
policy utilization | session utilization | snat-resource utilization - Specifies the monitor
object, which can be cpu, memory, interface-bandwidth, log-buffer, policy, session or snat-
resource. When you use the X platforms and enter the cpu keyword, proceed to select modules.

l interface-name - Specifies the name of interface.

l config | event | ips | network | security | traffic {session | nat | urlfilter} - Specifies
the log type.

l utilization - Specifies the value of the monitor object as the utilization of each object. Since
the default value for cpu is utilization, you do not need to specify this parameter for
the monitor object of CPU.

l interval interval-value - Specifies the monitor interval, i.e., the interval for acquiring the value
of monitor object within the sampling period (sample-period period-value). The value range is
3 to 10 seconds.

l absolute - Specifies the value of monitor object as an absolute value.

l rising-threshold threshold-value - Specifies the rising threshold. The system will issue an
alarm if the value of monitor object exceeds the percentage specified here. The value range is
1 to 99.

695 Chapter 4 System Management


l sample-period period-value - Specifies the sample period. The value range is 30 to 3600
seconds.

l count count-value - Specifies the count for the conditions the value of monitor object
exceeds the rising-threshold within the sampling period (sample-period). The value range is 1
to 1000. If this parameter is configured, when the count exceeds the rising-threshold within
the sampling period, the system will issue an alarm; if this parameter is not configured, when
the average value of monitor object exceeds the rising-threshold, the system will issue an
alarm.

l log [snmp-trap] | snmp-trap - Specifies the method which can be log, snmp-trap or both.

For example:

To configure the peak CPU utilization monitor:

hostname(config)# monitor
hostname(config-monitor)# cpu interval 5 absolute rising-threshold 65 sample-period 600 count 50 log

After the configuration, if the CPU utilization exceeds the rising threshold of 65% within 600 seconds, and such a condition occurs at least 50 times, then the system will issue a log.

To configure the average session utilization monitor:

hostname(config)# monitor
hostname(config-monitor)# session utilization interval 8 absolute rising-threshold 90 sample-period 600 log

After the configuration, if the average session utilization exceeds the rising threshold of 90% within 600 seconds, then the system will issue a log.

To delete the specified monitor rule, in the monitor configuration mode, use the following command:

no {cpu | memory utilization | interface-bandwidth interface-name utilization | log-buffer {config | event | ips | network | security | traffic {session | nat | urlfilter}} utilization | policy utilization | session utilization | snat-resource utilization}

Notes:
• For every monitor object, only the last configured monitor rule takes effect.

• The system does not support monitor alarm for port resources whose IP address is translated into an egress IP address (eif-ip) after SNAT.

To view the monitor alarm configuration, in any mode, use the following command:
show monitor
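Choosing between the count form and the average form of a rule is where thresholds most often go wrong: a bursty CPU that spikes half the time can trip a count rule while its average stays well under the threshold, and a steady load just above the threshold trips the average rule with no spikes at all. The following Python model is added here as an example and is not StoneOS code; it reproduces the documented meaning of interval, absolute rising-threshold, sample-period and the optional count (including the value ranges) and runs the two rules from the examples above over constructed utilization readings. The class and function names are the example's own, and the reading series are constructed rather than captured from a device.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Added example, not StoneOS code: a model of how one monitor rule decides whether
# to raise an alarm, following the documented meaning of interval, absolute
# rising-threshold, sample-period and the optional count parameter.


@dataclass(frozen=True)
class MonitorRule:
    interval: int                # seconds between readings (3..10)
    rising_threshold: int        # percent utilization (1..99)
    sample_period: int           # seconds per evaluation window (30..3600)
    count: Optional[int] = None  # readings above threshold needed (1..1000); None = average mode

    def __post_init__(self) -> None:
        # The same value ranges the command documents for each parameter.
        if not 3 <= self.interval <= 10:
            raise ValueError("interval must be 3..10 seconds")
        if not 1 <= self.rising_threshold <= 99:
            raise ValueError("rising-threshold must be 1..99 percent")
        if not 30 <= self.sample_period <= 3600:
            raise ValueError("sample-period must be 30..3600 seconds")
        if self.count is not None and not 1 <= self.count <= 1000:
            raise ValueError("count must be 1..1000")

    @property
    def readings_per_period(self) -> int:
        """How many readings one sampling window contains."""
        return self.sample_period // self.interval

    def fires(self, window: Sequence[float]) -> bool:
        """Alarm decision for one complete sampling window.

        count configured : alarm when at least `count` readings exceed the threshold
        count omitted    : alarm when the average of the readings exceeds the threshold
        """
        if len(window) != self.readings_per_period:
            raise ValueError(f"window must hold {self.readings_per_period} readings")
        if self.count is None:
            return sum(window) / len(window) > self.rising_threshold
        above = sum(1 for v in window if v > self.rising_threshold)
        return above >= self.count


def evaluate(rule: MonitorRule, readings: Sequence[float]) -> List[bool]:
    """Split a reading series into consecutive sampling windows; one decision per window.

    A trailing partial window is not evaluated, matching a sampler that only
    reports after a full sample-period has elapsed.
    """
    n = rule.readings_per_period
    return [rule.fires(readings[i:i + n]) for i in range(0, len(readings) - n + 1, n)]


# The two rules from the manual's examples: cpu with count, and the same rule without it.
PEAK_CPU = MonitorRule(interval=5, rising_threshold=65, sample_period=600, count=50)
AVG_CPU = MonitorRule(interval=5, rising_threshold=65, sample_period=600)

# Constructed readings, not a device capture. 600 s / 5 s = 120 readings per window.
BURSTY = [70.0] * 60 + [30.0] * 60      # half the readings spike; the average is only 50%
SUSTAINED = [66.0] * 120                # never spikes, but sits just above 65%
QUIET = [90.0] * 40 + [10.0] * 80       # 40 spikes: below count, and a low average

if __name__ == "__main__":
    for name, window in (("bursty", BURSTY), ("sustained", SUSTAINED), ("quiet", QUIET)):
        print(f"{name:9s} count-mode={PEAK_CPU.fires(window)!s:5s} average-mode={AVG_CPU.fires(window)}")
```

Running it shows the bursty series alarming only under the count rule and the sustained series alarming under both, which is the practical difference between the two examples above: count catches repeated spikes, the average form catches a steady high load.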

CPU Cache Error Monitor


The CPU Cache Error Monitor function supports SG-6000 E series and SG-6000 X series devices.
To prevent abnormal operation of the device caused by CPU cache errors, you can configure the CPU Cache Error monitor function. Once configured, when the number of CPU cache errors reported by the system reaches the specified threshold, the device either restarts or does not restart, according to the configured action.
You need to enter the monitor configuration mode to configure the CPU Cache Error monitor function. To enter the monitor configuration mode, in the global configuration mode, use the following command:
monitor

After entering the monitor configuration mode, use the following command to configure the CPU Cache Error monitor function:
cache-error-config threshold-num num reboot {enable | disable}

• threshold-num num - Specifies the CPU Cache Error monitor threshold. When the number of CPU cache errors reported by the system reaches this value, the device restarts or does not restart according to the configuration. The value range is 100 to 5000. The default value is 3000.

• reboot {enable | disable} - Specifies the action of the device after the number of reported CPU cache errors reaches the specified threshold: enable restarts the device, disable does not.

For example:

hostname(config)# monitor
hostname(config-monitor)# cache-error-config threshold-num 1000 reboot enable

After the configuration, if the number of CPU cache errors reported by the system reaches 1000, the device will restart.

In the monitor configuration mode, use the command no cache-error-config to cancel the CPU Cache Error monitor function.
To view the CPU Cache Error monitor configuration, in any mode, use the following command:
show cache-error-config

The Maximum Concurrent Sessions


If multi-VR, AV, IPS, URL signature database, Sandbox, Anti-Spam, Botnet Prevention and/or
NetFlow is enabled on the device, or the IPv6 firmware version is used, the maximum concurrent
sessions might change. Which reductions apply depends on the platform or expansion module.

On the platforms and modules marked "standard reductions" in the table below, the IPv4 firmware
version behaves as follows (when several features are enabled together, the reductions multiply):

• With multiple virtual routers enabled: the maximum concurrent sessions will drop by 15%.
  The formula is: Actual maximum concurrent sessions = original maximum concurrent sessions * (1-0.15);

• With anti-virus, IPS, URL signature database, Sandbox, Anti-Spam and/or Botnet Prevention
  enabled: the maximum concurrent sessions will drop by 50%.
  The formula is: Actual maximum concurrent sessions = original maximum concurrent sessions * (1-0.5);

• With multiple virtual routers plus anti-virus, IPS, URL signature database, Sandbox, Anti-Spam
  and/or Botnet Prevention enabled simultaneously, the maximum concurrent sessions will further
  drop by 50%.
  The formula is: Actual maximum concurrent sessions = original maximum concurrent sessions * (1-0.15)*(1-0.5);

• With NetFlow enabled: the maximum concurrent sessions will drop by 25%.
  The formula is: Actual maximum concurrent sessions = original maximum concurrent sessions * (1-0.25);

• With multiple virtual routers and NetFlow plus anti-virus, IPS, URL signature database, Sandbox,
  Anti-Spam and/or Botnet Prevention enabled simultaneously, the maximum concurrent sessions will
  further drop.
  The formula is: Actual maximum concurrent sessions = original maximum concurrent sessions * (1-0.15)*(1-0.25)*(1-0.5).

On the IPv6 firmware version, enabling these features changes the maximum concurrent sessions in
the same way as on the IPv4 firmware version. What differs per platform is the original maximum
concurrent sessions of the IPv6 version relative to that of the IPv4 version, as given below.

Platform / Expansion Module: SG-6000 A-series devices
  StoneOS IPv4 version: With multiple virtual routers, anti-virus, IPS, URL signature database,
    Sandbox, Anti-Spam, Botnet Prevention and/or NetFlow enabled on the system, the maximum
    concurrent sessions will not change.
  StoneOS IPv6 version: The original maximum concurrent sessions of the IPv6 version is the same
    as that of the IPv4 version; with the features above enabled, the maximum concurrent sessions
    will not change.

Platform / Expansion Module: SG-6000 K-series devices (excluding K9180)
  StoneOS IPv4 version: standard reductions.
  StoneOS IPv6 version: The original maximum concurrent sessions of the IPv6 version is the same
    as that of the IPv4 version; the change caused by enabled features is the same as in the IPv4
    version.

Platform / Expansion Module: E3965, E5168, E5260, E5268, E5560, E5568, E5660, E5760, E5960,
E6160, E6168, E6360, E6368
  StoneOS IPv4 version: standard reductions.
  StoneOS IPv6 version: The original maximum concurrent sessions of the IPv6 version is 75% of
    that of the IPv4 version; the change caused by enabled features is the same as in the IPv4
    version.

Platform / Expansion Module: QSM; other SG-6000 E-series devices except those listed above
  StoneOS IPv4 version: standard reductions.
  StoneOS IPv6 version: The original maximum concurrent sessions of the IPv6 version is 50% of
    that of the IPv4 version; the change caused by enabled features is the same as in the IPv4
    version.

Platform / Expansion Module: SSM-300
  StoneOS IPv4 version: standard reductions.
  StoneOS IPv6 version: For X9180 and X10800, the original maximum concurrent sessions of the
    IPv6 version is 2/3 of that of the IPv4 version; for K9180, it is the same as that of the IPv4
    version. The change caused by enabled features is the same as in the IPv4 version.

Platform / Expansion Module: SSM-200, SSM-100
  StoneOS IPv4 version: standard reductions.
  StoneOS IPv6 version: The original maximum concurrent sessions of the IPv6 version is 2/3 of
    that of the IPv4 version; the change caused by enabled features is the same as in the IPv4
    version.

Platform / Expansion Module: SIOM
  StoneOS IPv4 version: standard reductions.
  StoneOS IPv6 version: The original maximum concurrent sessions of the IPv6 version is the same
    as that of the IPv4 version; the change caused by enabled features is the same as in the IPv4
    version.

Platform / Expansion Module: IOM-P100-300, IOM-P40-300
  StoneOS IPv4 version: standard reductions.
  StoneOS IPv6 version: For X9180 and X10800, the original maximum concurrent sessions of the
    IPv6 version is 88.3% of that of the IPv4 version; for K9180, it is the same as that of the
    IPv4 version. The change caused by enabled features is the same as in the IPv4 version.

Platform / Expansion Module: IOM-8SFP+
  StoneOS IPv4 version: With NetFlow enabled: the maximum concurrent sessions will drop by 25%.
    The formula is: Actual maximum concurrent sessions = original maximum concurrent sessions * (1-0.25).
    Note: other functions not listed here have no effect on the maximum concurrent sessions of the system.
  StoneOS IPv6 version: The original maximum concurrent sessions of the IPv6 version is 2/3 of
    that of the IPv4 version; the change caused by enabled features is the same as in the IPv4
    version.

Platform / Expansion Module: IOM-200, IOM-100
  StoneOS IPv4 version: With NetFlow enabled: the maximum concurrent sessions will drop by 25%.
    The formula is: Actual maximum concurrent sessions = original maximum concurrent sessions * (1-0.25).
    Note: other functions not listed here have no effect on the maximum concurrent sessions of the system.
  StoneOS IPv6 version: The original maximum concurrent sessions of the IPv6 version is 67.5% of
    that of the IPv4 version; the change caused by enabled features is the same as in the IPv4
    version.

Platform / Expansion Module: IOM-80, IOM-20
  StoneOS IPv4 version:
    • With fast forwarding data enabled on the IOM: the maximum concurrent sessions will drop by 60%.
      The formula is: Actual maximum concurrent sessions = original maximum concurrent sessions * (1-0.6);
    • With NetFlow enabled: the maximum concurrent sessions will drop by 25%.
      The formula is: Actual maximum concurrent sessions = original maximum concurrent sessions * (1-0.25).
  StoneOS IPv6 version: The original maximum concurrent sessions of the IPv6 version is 50% of
    that of the IPv4 version; the change caused by enabled features is the same as in the IPv4
    version.
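Because a session utilization alarm is expressed as a percentage of the maximum, halving the maximum by enabling IPS also halves the absolute session count at which the alarm fires. The following Python calculator is added here as an example and is not StoneOS code; it encodes the reductions and IPv6 base ratios from the table above so the effective ceiling, and the session count at which a rising-threshold rule trips, can be computed before a feature is enabled. The profile labels are the example's own, `original` is the platform's IPv4 maximum from its datasheet, and the 10,000,000 figure in the demonstration is constructed. Where the table gives no combined formula (fast forwarding together with NetFlow on IOM-80/IOM-20), the calculator assumes the two reductions multiply like the other combinations do.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict

# Added example, not StoneOS code: it encodes the per-platform reductions from the
# "Maximum Concurrent Sessions" table so the effective ceiling can be computed
# before a feature is enabled. Profile names are this example's own labels.


@dataclass(frozen=True)
class Profile:
    """Fraction of the original maximum lost per feature, plus the IPv6 base ratio."""
    multi_vr: Fraction        # multiple virtual routers
    security: Fraction        # AV, IPS, URL DB, Sandbox, Anti-Spam and/or Botnet Prevention
    netflow: Fraction         # NetFlow
    fast_forward: Fraction    # fast forwarding data on the IOM (IOM-80/IOM-20 only)
    ipv6_base: Fraction       # original IPv6 maximum relative to the IPv4 maximum


def _std(ipv6_base: Fraction) -> Profile:
    """Platforms with the standard 15% / 50% / 25% reductions."""
    return Profile(Fraction(15, 100), Fraction(1, 2), Fraction(1, 4), Fraction(0), ipv6_base)


def _netflow_only(ipv6_base: Fraction) -> Profile:
    """IOM modules where only NetFlow reduces the maximum."""
    return Profile(Fraction(0), Fraction(0), Fraction(1, 4), Fraction(0), ipv6_base)


PROFILES: Dict[str, Profile] = {
    "A-series": Profile(Fraction(0), Fraction(0), Fraction(0), Fraction(0), Fraction(1)),
    "K-series (excl. K9180)": _std(Fraction(1)),
    "E3965..E6368 group": _std(Fraction(3, 4)),
    "QSM / other E-series": _std(Fraction(1, 2)),
    "SSM-300 on X9180/X10800": _std(Fraction(2, 3)),
    "SSM-300 on K9180": _std(Fraction(1)),
    "SSM-200/SSM-100": _std(Fraction(2, 3)),
    "SIOM": _std(Fraction(1)),
    "IOM-P100-300/IOM-P40-300 on X9180/X10800": _std(Fraction(883, 1000)),
    "IOM-P100-300/IOM-P40-300 on K9180": _std(Fraction(1)),
    "IOM-8SFP+": _netflow_only(Fraction(2, 3)),
    "IOM-200/IOM-100": _netflow_only(Fraction(675, 1000)),
    # Assumption: fast forwarding and NetFlow multiply; the table gives no combined formula.
    "IOM-80/IOM-20": Profile(Fraction(0), Fraction(0), Fraction(1, 4), Fraction(3, 5), Fraction(1, 2)),
}


def max_sessions(original: int, profile: str, *, ipv6: bool = False,
                 multi_vr: bool = False, security: bool = False,
                 netflow: bool = False, fast_forward: bool = False) -> int:
    """Effective maximum concurrent sessions, given the IPv4 datasheet maximum `original`.

    Reductions are applied multiplicatively, as the table's combined formulas do.
    Exact fractions avoid floating-point drift; the result is truncated, never rounded up.
    """
    p = PROFILES[profile]
    factor = Fraction(1)
    if ipv6:
        factor *= p.ipv6_base
    if multi_vr:
        factor *= 1 - p.multi_vr
    if security:
        factor *= 1 - p.security
    if netflow:
        factor *= 1 - p.netflow
    if fast_forward:
        factor *= 1 - p.fast_forward
    return int(original * factor)


def alarm_point(original: int, profile: str, rising_threshold: int, **features: bool) -> int:
    """Absolute session count at which `session utilization ... rising-threshold N` fires."""
    if not 1 <= rising_threshold <= 99:
        raise ValueError("rising-threshold must be 1..99")
    return max_sessions(original, profile, **features) * rising_threshold // 100


if __name__ == "__main__":
    base = 10_000_000  # constructed figure, not a datasheet value
    for flags in ({}, {"security": True}, {"multi_vr": True, "security": True, "netflow": True}):
        print(flags, max_sessions(base, "K-series (excl. K9180)", **flags),
              "alarm at 90%:", alarm_point(base, "K-series (excl. K9180)", 90, **flags))
```

The point of `alarm_point` is the operational one: a 90% session rule written against a 10,000,000-session K-series box fires at 9,000,000 sessions with nothing enabled but at 4,500,000 once IPS is switched on, so the rule's absolute meaning should be re-checked whenever one of the listed features changes.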

Adjusting the Maximum Concurrent Sessions


You can adjust the IPv4 maximum concurrent sessions of some A-series and K-series devices as
needed. To adjust the IPv4 maximum concurrent sessions, use the following command in the
global configuration mode:
exec session-adjust value

l value - Specifies the maximum concurrent sessions of IPv4. Please refer to the table below for
the value range.

Platform Value

A1000 120,000 - 600,000

A1100 120,000 - 600,000

A2000 400,000 - 2,000,000

A2600 400,000 - 2,000,000

A2700 440,000 - 2,200,000

A2800 500,000 - 2,500,000

A3000 700,000 - 3,500,000

A3600 960,000 - 4,800,000


A3700 2,000,000 - 10,000,000

A3800 2,000,000 - 10,000,000

A5200 3,000,000 - 15,000,000

A5500 3,600,000 - 18,000,000

A5600 5,000,000 - 25,000,000

A5800 6,000,000 - 30,000,000

A6800 7,000,000 - 35,000,000

A7600 8,400,000 - 42,000,000

K2580 2,000,000 - 10,000,000

K3280 3,000,000 - 15,000,000

Connecting to Hillstone Cloud Service Platform


Hillstone Cloud Service Platform is a cloud security services platform, which mainly provides the
cloud services including CloudView, Cloud Sandbox and CloudVista (Threat Intelligence Center).
Hillstone Cloud Service is the cloud capability center of Hillstone and the brain of the cloud-net-
work integration. After the service is enabled, your device will be connected with the Hillstone
cloud, which will provide you with a wider range of threat intelligence, improve the protection
capability of your device, and enable you to carry out real-time monitoring, inspection and report
acquisition of the device and traffic on the cloud anytime and anywhere. These Hillstone cloud
applications can greatly enhance the security, visibility, and usability of networks.
The following sections describe how to connect to the cloud service platform in StoneOS:

• Configuring the Cloud Service Platform Server

• Changing Digital Certificate

• Enabling CloudView

• Enabling CloudVista

• Joining the User Experience Improvement Program

• Showing Configurations of the Cloud Service Platform

Notes: For more information about the cloud sandbox settings, refer to Threat Prevention > Sandbox.

Configuring the Cloud Service Platform Server


Before connecting to the cloud service platform, you need to configure the IP address (or domain name), user name and password of the cloud service platform server. These settings are configured in the Cloud Server configuration mode.
To enter the Cloud Server configuration mode, in the global configuration mode, use the following command:
cloud server
To configure the IP address or domain name of the cloud service platform server, in the Cloud Server configuration mode, use the following command:
address {A.B.C.D | domain}

• A.B.C.D/domain - Specifies the IP address or domain name of the cloud service platform server. The default value is cloud.hillstonenet.com.cn.

To cancel the specified IP address or domain name, in the Cloud Server configuration mode, use the command no address.

To configure the user name and password of the cloud service platform server, in the Cloud Server configuration mode, use the following command:

username user-name password pass-word

• username user-name - Specifies the user name of the cloud service platform account that the device is bound to.

• password pass-word - Specifies the password of that user.

To cancel the specified user name and password, in the Cloud Server configuration mode, use the command no username.

To configure the virtual router through which the cloud service platform server is reached, in the Cloud Server configuration mode, use the following command:

vrouter vr-name

• vr-name - Specifies the VRouter used to reach the cloud service platform server.

To cancel the specified VRouter, in the Cloud Server configuration mode, use the command no vrouter.

Changing Digital Certificate


Digital certificates are used for mutual (bidirectional) authentication when the device connects to the cloud platform; the device connects only after mutual authentication succeeds. To replace the built-in certificates, create a trust domain to store the new CA certificate, which the device uses to verify the certificate presented by the cloud platform, and create another trust domain to store the new local certificate and its private key, which the cloud platform uses to verify the device. Import the new CA certificate, local certificate and private key into these trust domains, then reference them with the commands below. To create a trust domain and import certificates and a private key, see PKI.
To reference an existing trust domain for the new CA certificate, in the Cloud Server configuration mode, use the following command:
server-trust-domain trust-domain-name

• trust-domain-name - Specifies the name of the existing trust domain that stores the new CA certificate. If this parameter is not specified, the system uses the default built-in CA certificate.

To reference an existing trust domain for the new local certificate and private key, in the Cloud Server configuration mode, use the following command:
agent-trust-domain trust-domain-name

• trust-domain-name - Specifies the name of the existing trust domain that stores the new local certificate and private key. If this parameter is not specified, the system uses the default built-in local certificate and private key.

Enabling CloudView
CloudView is a SaaS product deployed on the public cloud to provide users with online, on-demand services. Hillstone devices register with the cloud service platform and upload device information, traffic data, threat events, system logs and so on to it, and CloudView provides the visual display. Users can monitor device status and obtain reports and threat analysis through the web or the mobile app. You can also use CloudView to send configuration to the device: when the Cloud Configuration function is enabled, the system loads the configuration sent from CloudView.
The following sections describe how to enable the CloudView service in StoneOS:

• Enabling CloudView

• Enabling the Data Uploading

• Enabling Cloud Configuration

Enabling CloudView
You can enable the CloudView service in the Cloud View configuration mode. To enter the Cloud View configuration mode, in the global configuration mode, use the following command:
cloud-view
To enable the CloudView service, in the Cloud View configuration mode, use the following command:
enable
To disable the CloudView service, in the Cloud View configuration mode, use the command no enable.
Enabling the Data Uploading

To upload monitoring data to the cloud service platform, in the Cloud View configuration mode, use the following command:
upload-type {log-event | session | threat-event | traffic | url | inspection | ips-buffer | fast-pattern | sample-collect | all}

• log-event - Uploads the event logs to the cloud service platform. The upload interval is 10 minutes by default. Before enabling this option, make sure that event logging is enabled (logging event on).

• session - Uploads the session data to the cloud service platform.

• threat-event - Uploads the threat events to the cloud service platform. The upload interval is 60 minutes by default.

• traffic - Uploads the traffic data to the cloud service platform.

• url - Uploads the URL data to the cloud service platform.

• inspection - Uploads the collected cloud inspection data to the cloud service platform. With the cloud inspection function, the device receives and executes inspection instructions from the cloud and uploads the collected inspection data, which lets you monitor and manage the device in real time on the cloud anytime and anywhere.

• ips-buffer - Uploads the buffer data of the IPS detection engine to the cloud service platform. The buffer data include the top 20 threat rules (with their IDs) ranked by hit count.

• fast-pattern - Uploads some signature strings from the IPS signature database to the cloud service platform. These strings help analyze false positives by prefiltering packets.

• sample-collect - Uploads encrypted traffic of the device to the cloud service platform.

• all - Uploads all the data types described above to the cloud service platform.

To cancel the specified uploading data type, in the Cloud View configuration mode, use the following command:
no upload-type {log-event | session | threat-event | traffic | url | inspection | ips-buffer | fast-pattern | sample-collect | all}
Enabling the Cloud Configuration
To allow CloudView to send configuration to the device, in the Cloud View configuration mode, use the following command:
load-config enable
In the Cloud View configuration mode, use the no load-config enable command to disable cloud configuration. Since this setting lets the cloud platform push configuration onto the device, leave it disabled unless the device is meant to be managed from CloudView.
With the Cloud Configuration function enabled, the system loads the real-time configuration sent by CloudView.

• PTF Dynamic IP Blacklist: Log in to CloudView to send the configuration of the PTF dynamic IP blacklist to the root VSYS of the device. Both IPv4 and IPv6 addresses are supported. You can also specify the virtual router in which the entries take effect as well as the block duration. When the system receives the configuration task from CloudView, the corresponding dynamic IP blacklist entries, configuration logs and operation logs are generated.

Enabling CloudVista
To enable the CloudVista service, in the Cloud Server configuration mode, use the following command:
vista enable
To disable the CloudVista service, in the Cloud Server configuration mode, use the command no vista enable.

Joining the User Experience Improvement Program

With the user experience improvement program, the threat prevention data of the device is uploaded to the cloud service platform and used for internal research, which reduces false positives and improves the protection capability of your device. To join the user experience improvement program, in the Cloud Server configuration mode, use the following command:
user-experience-improvement-plan enable
To leave the user experience improvement program, in the Cloud Server configuration mode, use the command no user-experience-improvement-plan enable.

Showing Configurations of the Cloud Service Platform

To view the configurations of the cloud service platform, in any mode, use the following command:
show cloud server

Configuring the RESTful API Interface to Upload Files


To upload files through the /rest/file interface, in the global configuration mode, use the following command:
restful-api-control /rest/file {enable | disable} [version 5.5R4]

l enable - After enabling this function, you can use the /rest/file interface to upload files. Note that neither the suffix nor the size of the uploaded file is checked.

l disable - The /rest/file interface cannot be used, and an error is returned directly when uploading a file. By default, the /rest/file interface is disabled.

l version 5.5R4 - Compatible with some formats of the RESTful API of version 5.5R4.

Clearing Alarm Status of Indicators


When the LED indicators (PWR, STA, and ALM) on the front panel are red, they indicate abnormalities. When the device returns to normal, you can manually clear the alarm status of the indicators through configuration.
To manually clear the alarm status of the indicators, in the global configuration mode, use the following command:
clear led {PWR | STA | ALM}

l PWR | STA | ALM - Specifies the LED indicator (PWR, STA, or ALM) whose alarm status needs to be cleared.

Automatically Clearing Alarm Status of Indicators


If the ALM indicator on the front panel is red due to one of the following issues, you can configure the system to automatically clear the alarm status of the ALM indicator once the issue is resolved and the device returns to normal.

l A power supply module is missing

l The device temperature exceeds the acceptable level

l A fan is broken

To make the system automatically clear the alarm status of the ALM indicator, in the global configuration mode, use the following command:
led-alarm-autoclear
In the global configuration mode, use the no led-alarm-autoclear command to cancel the configuration for the system to automatically clear the alarm status of the ALM indicator.


Chapter 5 Virtual System (VSYS)
Virtual systems (VSYS) divide a physical device into multiple logical virtual firewalls. Each VSYS has its own system resources and performs most of the firewall functionalities, working as a completely independent firewall. VSYSs cannot communicate with each other directly.
A VSYS has the following characteristics:

l Each VSYS has its own administrators.

l Each VSYS has independent virtual routers, zones, address book, service book, etc.

l Each VSYS has independent physical and logical interfaces.

l Each VSYS has independent policy rules.

l Each VSYS has independent logs.

The default number of supported VSYSs varies by platform. You can expand the number by purchasing and installing the corresponding license.

Notes: SG-6000-A1100, SG-6000-A1000, SG-6000-A200 and SG-6000-A200W do not support the VSYS function.

VSYS Objects
This section describes VSYS objects, including root VSYS, non-root VSYS, administrator,
VRouter, VSwitch, zone, and interface.

Root VSYS and Non-root VSYS


The system contains only one root VSYS, which cannot be deleted. You can create or delete non-root VSYSs after installing a VSYS license and rebooting the device. When creating or deleting non-root VSYSs, you must follow the rules listed below:

l When creating or deleting non-root VSYSs through the CLI, you must be in the root VSYS configuration mode.

l Only root VSYS administrators and root VSYS operators can create or delete a non-root VSYS. For more information about administrator permissions, see "Administrator".

l When creating a non-root VSYS, the following corresponding objects are created at the same time:

    l A non-root VSYS administrator named admin. The password is vsys_name-admin.

    l A VRouter named vsys_name-vr.

    l An L3 zone named vsys_name-trust.

    For example, when creating the non-root VSYS named vsys1, the following objects will be created:

    l The non-root administrator named admin with the password vsys1-admin.

    l The default VRouter named vsys1-vr.

    l The L3 zone named vsys1-trust, which is bound to vsys1-vr automatically.

l When deleting a non-root VSYS, all the objects and logs in the VSYS are deleted at the same time.

l The root VSYS contains a default VSwitch named VSwitch1, but there is no default VSwitch in a newly created non-root VSYS. Therefore, before creating L2 zones in a non-root VSYS, a VSwitch must be created. The first VSwitch created in a non-root VSYS is considered the default VSwitch, and L2 zones created in the non-root VSYS are bound to the default VSwitch automatically.

Administrator
The admin users of each VSYS are independent from those of other VSYSs. VSYS admin users also have the different roles of Administrator, Administrator-read-only, Operator and Auditor. Their roles and privileges are the same as those of normal admin users.
When creating VSYS administrators, you must follow the rules listed below:

l Backslash (\) cannot be used in administrator names.

l Non-root administrators are created by root administrators or root operators after logging into the non-root VSYS.

l After logging into the root VSYS, root administrators can switch to a non-root VSYS and configure it.

l Non-root administrators enter the corresponding non-root VSYS after a successful login, but they cannot switch to the root VSYS.

l Each administrator name must be unique within the VSYS it belongs to, while administrator names can be the same in different VSYSs. In such a case, when logging in, you must specify the VSYS the administrator belongs to in the format vsys_name\admin_name. If no VSYS is specified, you will enter the root VSYS.

Table below shows the permissions of the different types of VSYS administrators. Column key: RA = Root VSYS Administrator, RR = Root VSYS Administrator-read-only, RO = Root VSYS Operator, RU = Root VSYS Auditor, NA = Non-root VSYS Administrator, NR = Non-root VSYS Administrator-read-only, NO = Non-root VSYS Operator, NU = Non-root VSYS Auditor. √ = permitted, χ = not permitted.

Operation                                  RA  RR  RO  RU  NA  NR  NO  NU
Configure (including save configuration)   √   χ   √   χ   √   χ   √   χ
Managing admin users                       √   χ   χ   χ   √   χ   χ   χ
Restore factory default                    √   χ   χ   χ   χ   χ   χ   χ
Delete configuration file                  √   χ   √   χ   √   χ   √   χ
Roll back configuration                    √   χ   √   χ   √   χ   √   χ
Reboot                                     √   χ   √   χ   χ   χ   χ   χ
View configuration information             √   √   √   χ   √*  √*  √*  χ
View log information                       √   √   χ   √   √   √   χ   √
Modify current admin password              √   √   √   √   √   √   √   √
Command import                             √   χ   √   χ   √   χ   √   χ
Command export                             √   √   √   √   √   √   √   √
Command clear                              √   √   √   √   √   √   √   √
Command ping/traceroute                    √   √   √   χ   √   √   √   χ
Command debug                              √   √   √   χ   χ   χ   χ   χ
Command exec                               √   √   √   √   √   √   √   √
Command terminal width                     √   √   √   √   √   √   √   χ

* Only the configuration information in the current VSYS can be viewed.

VRouter, VSwitch, Zone, Interface


A VRouter, VSwitch, zone, or interface in a VSYS has one of two properties: shared or dedicated. An object with the dedicated property is a dedicated object, while performing the specific operations described below on an object with the shared property makes it a shared object. Dedicated objects and shared objects have the following characteristics:

l Dedicated object: A dedicated object belongs to a certain VSYS and cannot be referenced by other VSYSs. Both the root VSYS and non-root VSYSs can contain dedicated objects.

l Shared object: A shared object can be shared by multiple VSYSs (CloudEdge, TAI (X8180), and A-series platforms do not support shared objects). A shared object can only belong to the root VSYS and can only be configured in the root VSYS. A non-root VSYS can reference a shared object, but cannot configure it. The name of a shared object must be unique in the whole system.

Figure below shows the reference relationship among dedicated and shared VRouters, VSwitches, zones, and interfaces.

As shown in the figure above, there are three VSYSs in StoneOS: Root VSYS, VSYS-A, and VSYS-B. Root VSYS contains shared objects (including Shared VRouter, Shared VSwitch, Shared L3-zone, Shared L2-zone, Shared IF1, and Shared IF2) and dedicated objects. VSYS-A and VSYS-B contain only dedicated objects. The dedicated objects in VSYS-A and VSYS-B can reference the shared objects in Root VSYS. For example, A-zone2 in VSYS-A is bound to the shared object Shared VRouter in Root VSYS, and B-IF3 in VSYS-B is bound to the shared object Shared L2-zone in Root VSYS.

Shared VRouter
A shared VRouter contains the shared and dedicated L3 zones of the root VSYS. Bind an L3 zone to a shared VRouter and configure this L3 zone to have the shared property; the zone then becomes a shared zone.

Shared VSwitch
A shared VSwitch contains the shared and dedicated L2 zones of the root VSYS. Bind an L2 zone to a shared VSwitch and configure this L2 zone to have the shared property; the zone then becomes a shared zone.

Shared Zone
Shared zones consist of L2 shared zones and L3 shared zones. After an L2 zone with the shared property is bound to a shared VSwitch, it becomes a shared L2 zone; after an L3 zone with the shared property is bound to a shared VRouter, it becomes a shared L3 zone. A shared zone can contain interfaces from both the root VSYS and non-root VSYSs. Function zones cannot be shared.

Shared Interface
After an interface in the root VSYS is bound to a shared zone, it automatically becomes a shared interface.

Interface Configuration
Only an RXW administrator in the root VSYS can create or delete interfaces. Configurations to an interface and its sub-interfaces must be performed in the same VSYS.

Configuring VSYS
VSYS configurations include:

l Creating a Non-root VSYS

l Creating a VSYS Profile

l Entering the VSYS

l Configuring the Shared Property

l Exporting a Physical Interface

l Allocating a Logical Interface

l Configuring VSYS Log

l Configuring Cross-VSYS Traffic Forwarding

Creating a Non-root VSYS


The root administrator can create non-root VSYSs. To create a non-root VSYS, in the global configuration mode of the root VSYS, use the following command:
vsys vsys-name

l vsys-name - Specifies the name of the VSYS to be created. It is a string of 1 to 23 characters. The word root cannot be used and the backslash (\) cannot appear in the specified name.

After executing the command, the system creates a non-root VSYS with the specified name and enters the configuration mode of the created non-root VSYS. If the specified name already exists, the system enters the configuration mode of that non-root VSYS directly.
To delete the specified non-root VSYS, in the global configuration mode of the root VSYS, use the following command:
no vsys vsys-name

Configure the Alias of Non-root VSYS

The system does not allow the name of a non-root VSYS to be modified, which could mean a large amount of work and an impact on the client's business when the client needs to rename a non-root VSYS. To solve this, the system supports configuring an alias for a non-root VSYS, which meets the client's need to rename the non-root VSYS and avoids the negative impact that a name change would have on the business the non-root VSYS carries.
By default, the alias of a non-root VSYS is null.
To configure the alias of a non-root VSYS, in the global configuration mode of the non-root VSYS, use the following command:
alias alias_name

l alias_name - Specifies the alias of the non-root VSYS. It is a string of 1 to 23 characters. The word root cannot be used and the backslash (\) cannot appear in the specified alias. The alias only supports lowercase and capital letters a-z, numbers 0-9, "-" and "_".

To delete the specified alias of a non-root VSYS, in the global configuration mode of the root VSYS, use the following command:
no alias

Notes:
l When creating a new non-root VSYS, the specified VSYS name cannot be the same as the name or alias of another non-root VSYS.

l When configuring the alias of a non-root VSYS, the specified alias cannot be the same as the name or alias of another non-root VSYS.
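The naming and login rules above (the vsys_name\admin_name login format from the Administrator section, and the name and alias constraints of this section), collected into an added Python example that is not Hillstone code: it validates a new VSYS name or alias against a constructed inventory of existing VSYSs, resolves a login identifier to the VSYS it targets, and lists the objects a new VSYS receives by default so the predictable admin password can be rotated right after creation.

```python
"""Validate non-root VSYS names and aliases and resolve login identifiers,
following the rules in this chapter.

Added example, not Hillstone code. The VSYS inventory passed in is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Characters allowed by the alias command: a-z, A-Z, 0-9, "-" and "_".
ALIAS_CHARS = re.compile(r"^[A-Za-z0-9_-]+$")


def _taken_identifiers(inventory: Dict[str, Optional[str]], exclude: str = "") -> set:
    """All non-root VSYS names and aliases in use, optionally excluding one VSYS."""
    taken = set()
    for name, alias in inventory.items():
        if name == exclude:
            continue
        taken.add(name)
        if alias:
            taken.add(alias)
    return taken


def check_vsys_name(name: str, inventory: Dict[str, Optional[str]]) -> List[str]:
    """Rules for `vsys vsys-name`: 1 to 23 characters, not 'root', no backslash,
    and different from every existing non-root VSYS name or alias."""
    errors = []
    if not 1 <= len(name) <= 23:
        errors.append("name must be 1 to 23 characters")
    if name == "root":
        errors.append('the word "root" cannot be used as a VSYS name')
    if "\\" in name:
        errors.append("backslash (\\) is not allowed in a VSYS name")
    if name in _taken_identifiers(inventory):
        errors.append(f"{name!r} is already used as a VSYS name or alias")
    return errors


def check_alias(alias: str, vsys: str, inventory: Dict[str, Optional[str]]) -> List[str]:
    """Rules for `alias alias_name` on VSYS `vsys`: as for a name, plus the
    restricted character set, and no clash with other VSYSs' names or aliases."""
    errors = []
    if not 1 <= len(alias) <= 23:
        errors.append("alias must be 1 to 23 characters")
    if alias == "root":
        errors.append('the word "root" cannot be used as an alias')
    if alias and not ALIAS_CHARS.match(alias):
        errors.append("alias may only contain a-z, A-Z, 0-9, '-' and '_'")
    if alias in _taken_identifiers(inventory, exclude=vsys):
        errors.append(f"{alias!r} clashes with another VSYS's name or alias")
    return errors


def resolve_login(login: str) -> Tuple[str, str]:
    """Split a login identifier into (vsys, admin). The form is
    vsys_name\\admin_name; without a backslash the root VSYS is entered."""
    vsys, sep, admin = login.partition("\\")
    if not sep:
        return "root", login
    if not vsys or not admin:
        raise ValueError(f"malformed login identifier: {login!r}")
    return vsys, admin


def default_objects(vsys_name: str) -> Dict[str, str]:
    """Objects the system creates together with a new non-root VSYS. The admin
    account gets a predictable default password, so list it for rotation."""
    return {
        "admin": "admin",
        "password": f"{vsys_name}-admin",
        "vrouter": f"{vsys_name}-vr",
        "l3_zone": f"{vsys_name}-trust",
    }
```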

Specifying the Description for VSYS

To specify the description for a non-root VSYS, in the VSYS configuration mode, use the fol-
lowing command:
description string

l string - Specifies the description of the VSYS.

To delete the description of the VSYS, use the following command:
no description

Creating a VSYS Profile


VSYSs work independently in terms of functions but share system resources, including concurrent sessions, zone number, policy rule number, SNAT rule number, DNAT rule number, session limit rule number, memory buffer, URL resources and IPS resources. You can specify the reserved quota and maximum quota for each type of system resource in a VSYS by creating a VSYS profile.
Reserved quota refers to the resource number reserved for the VSYS; maximum quota refers to the maximum resource number available to the VSYS. The root administrator has the permission to create VSYS profiles. The total for each resource across all VSYSs cannot exceed the system capacity.
To create a VSYS profile, in the global configuration mode of the root VSYS, use the following command:
vsys-profile vsys-profile-name

l vsys-profile-name - Specifies the name of the VSYS profile to be created. It is a string of 1 to 31 characters.

After executing the command, the system creates a VSYS profile with the specified name and enters the configuration mode of the created VSYS profile. If the specified name already exists, the system enters the configuration mode of that VSYS profile directly.
To delete the specified VSYS profile, in the global configuration mode of the root VSYS, use the following command:
no vsys-profile vsys-profile-name

Notes:
l Up to 128 VSYS profiles are supported.

l The default VSYS profile of the root VSYS named root-vsys-profile and the
default VSYS profile of non-root VSYS named default-vsys-profile cannot be
edited or deleted.

l Before deleting a VSYS profile, you must delete all the VSYSs referencing
the VSYS profile.

Configuring Resource Quota

You can configure the quota of a VSYS, including CPU (cpu), concurrent sessions (session), zones (zone), keywords (keyword), keyword categories (keyword-category), policy rules (policy), SNAT rules (snat), DNAT rules (dnat), session limit rules number (session-limit), statistics sets (statistic-set), new session rates (cps) and IPSec VPN tunnels (tunnel-ipsec).
To configure the resource quota of a VSYS, in the VSYS profile configuration mode, use the following command:
{cpu | session | zone | keyword {simple | regexp} | keyword-category | policy | snat | dnat | session-limit | statistic-set {non-session-based | session-based} | tunnel-ipsec | scvpn-user | cps} max max-num [reserve reserve-num] [alarm alarm-num]

l {simple | regexp} - Only applicable to keyword. simple specifies the quota of simple keywords; regexp specifies the quota of regular expression keywords.

l max max-num - Specifies the maximum quota value. The reserved quota and maximum quota vary by platform. The reserved quota should not exceed the maximum quota. Table below shows the value range of the maximum quota and the minimum number of reserved quota.

l reserve reserve-num - Specifies the reserved quota value.

l alarm alarm-num - Only applicable to CPU. With this parameter configured, the system generates alarm logs when the CPU utilization exceeds the specified percentage. The value range is 50 to 99.

System Resource                     Value range of maximum quota                                                Minimum reserved quota
CPU                                 1 – 10000                                                                   0
Sessions                            min(max-num①, 256) – max-num①                                               0
Zones                               (max-num① - res-num③) – max-num①                                            0
Keywords in each keyword category   Simple: 0 – max-num①; Regular expression: 0 – 10                            0
Keyword categories                  0 – max-num①                                                                0
Policy rules                        0 – max-num①                                                                0
SNAT rules                          0 – max-num1②                                                               0
DNAT rules                          0 – max-num1②                                                               0
Session limit rules number          Root VSYS profile: 128 (fixed value); non-root VSYS profile: 0 – 118        Root VSYS profile: 10 (fixed value); non-root VSYS profile: 0
Statistics set                      0 – 32                                                                      0
IPSec VPN tunnels                   0 – max-num①                                                                0
SCVPN users' number                 0 – max-num①                                                                0
New session rate                    10 – 50000000                                                               --

max-num①: The overall capacity limit of the module
max-num1②: The individual capacity limit of each VSYS of the module
res-num③: The reserved quota of the module
To restore the default quota, in the VSYS profile configuration mode, use the following command:
no {cpu | session | zone | keyword {simple | regexp} | keyword-category | policy | snat | dnat | session-limit | statistic-set {non-session-based | session-based} | tunnel-ipsec | scvpn-user | cps} max max-num [reserve reserve-num] [alarm alarm-num]

Configuring the Quota of Log Buffer

After configuring the system to send logs to the memory buffer, you can specify the reserved buffer quota and maximum buffer quota for each type of log in a VSYS by creating a VSYS profile. Reserved quota refers to the memory buffer reserved for each type of log; maximum quota refers to the maximum memory buffer available to each type of log. The root administrator has the permission to create VSYS profiles. If the logs in a VSYS exceed its maximum quota, the new logs overwrite the earliest logs in the buffer.
To configure the buffer quota for each type of log, in the VSYS profile configuration mode, use the following command:
log {configuration | operation | event | network | threat | traffic {session | nat | websurf}} buffer-size max max-num reserve reserve-num

l max max-num reserve reserve-num - Specifies the maximum quota (max max-num) and reserved quota (reserve reserve-num) of configuration logs, operation logs, event logs, network logs, threat logs, and traffic logs (including session logs, NAT logs and websurf logs) in a VSYS. The range of the reserved quota or maximum quota varies by platform. The reserved quota should not exceed the maximum quota.

Configuring URL Filter

The root administrator can configure whether URL filter is enabled in a VSYS profile. You can then bind the VSYS profile to a non-root VSYS to enable or disable URL filter there. VSYSs share URL resources, including URLs, URL categories and URL profiles. You can specify the reserved quota and maximum quota for each type of URL resource.
To enable URL filter or configure URL resources in a VSYS profile, you need to enter the urlfilter configuration mode first. In the VSYS profile configuration mode, use the following command:
urlfilter

To enable or disable URL filter, in the urlfilter configuration mode, use the following command:

l Enable: enable

l Disable: no enable

To configure the URL resource quota, in the urlfilter configuration mode, use the following command:
{url | url-category | url-profile} max max-num reserve reserve-num

l max max-num reserve reserve-num - Specifies the maximum quota (max max-num) and reserved quota (reserve reserve-num) of total URLs, user-defined URL categories and URL profiles in a VSYS. The range of the reserved quota or maximum quota varies by platform. The reserved quota should not exceed the maximum quota. Table below shows the value range of the maximum quota and the minimum number of reserved quota. The default value of the maximum quota is the system capacity. The default value of the minimum quota is 0.

URL Resource                 Value range of maximum quota    Minimum reserved quota
URL                          0 – Capacity                    0
User-defined URL category    0 – 26                          0
URL Profile                  0 – 32                          0

Configuring IPS

The root administrator can configure whether IPS is enabled in a VSYS profile. You can then bind the VSYS profile to a non-root VSYS to enable or disable IPS there. VSYSs share IPS profile resources. You can specify the reserved quota and maximum quota.
To enable IPS or configure IPS profile resources in a VSYS profile, you need to enter the IPS configuration mode first. In the VSYS profile configuration mode, use the following command:
ips

To enable or disable IPS, in the IPS configuration mode, use the following command:

l Enable: enable

l Disable: no enable

To configure the IPS profile resource quota, in the IPS configuration mode, use the following command:
profile max max-num reserve reserve-num

l max max-num reserve reserve-num - Specifies the maximum quota (max max-num) and reserved quota (reserve reserve-num) of IPS profiles in a VSYS. You can create up to four IPS profiles in a non-root VSYS; that is, the range of the maximum quota is from 0 to 4. The default value is 4. The default value of the reserved quota is 0, which means only predefined IPS profiles can be used in the non-root VSYS.

Configuring Anti-Virus

The root administrator can configure whether Anti-Virus is enabled in a VSYS profile. You can then bind the VSYS profile to a non-root VSYS to enable or disable Anti-Virus there. VSYSs share AV profile resources. You can specify the reserved quota and maximum quota.
To enable AV or configure AV profile resources in a VSYS profile, you need to enter the AV configuration mode first. In the VSYS profile configuration mode, use the following command:
av

To enable or disable Anti-Virus, in the AV configuration mode, use the following command:

l Enable: enable

l Disable: no enable

To configure the AV profile resource quota, in the AV configuration mode, use the following command:
profile max max-num reserve reserve-num

l max max-num reserve reserve-num - Specifies the maximum quota (max max-num) and reserved quota (reserve reserve-num) of AV profiles in a VSYS. The range of the maximum quota is 0 to 32. The reserved quota should not exceed the maximum quota. The default value of the maximum quota is 32 and the default value of the reserved quota is 0.

Configuring Perimeter Traffic Filtering

The root administrator can configure whether perimeter traffic filtering is enabled in a VSYS profile. You can then bind the VSYS profile to a non-root VSYS to enable or disable perimeter traffic filtering there. VSYSs share user-defined black/white list resources. You can specify the reserved quota and maximum quota.
To enable perimeter traffic filtering or configure user-defined black/white list resources in a VSYS profile, you need to enter the perimeter traffic filtering configuration mode first. In the VSYS profile configuration mode, use the following command:
perimeter-traffic-filtering
To enable or disable perimeter traffic filtering, in the perimeter traffic filtering configuration mode, use the following command:

l Enable: enable

l Disable: no enable

To configure the user-defined black/white list resource quota, in the perimeter traffic filtering configuration mode, use the following command:
userdefine max max-num reserve reserve-num

l max max-num reserve reserve-num - Specifies the maximum quota (max max-num) and reserved quota (reserve reserve-num) of user-defined black/white lists in a VSYS. The range of the maximum quota is 0 to 1000. The reserved quota should not exceed the maximum quota. The default value of the maximum quota is 1000 and the default value of the reserved quota is 0.

737 Chapter 5 Virtual System (VSYS)


Configuring QoS

Root RXW administrators can configure whether QoS is enabled in a VSYS profile. You can then bind the VSYS profile to a non-root VSYS to enable or disable QoS there. You can specify the reserved quota and maximum quota for the root-pipe.
To enable QoS or configure QoS profile resources in a VSYS profile, you need to enter the QoS configuration mode first. In the VSYS profile configuration mode, use the following command:
iqos
To enable or disable QoS, in the QoS configuration mode, use the following command:

l Enable: enable

l Disable: no enable

To configure the QoS profile resource quota, in the QoS configuration mode, use the following command:
root-pipe max max-num reserve reserve-num

l max max-num reserve reserve-num - Specifies the maximum quota (max max-num) and reserved quota (reserve reserve-num) of the root-pipe in a VSYS. The reserved quota should not exceed the maximum quota. The default value of both the maximum quota and the reserved quota is 0.

Enabling/Disabling the CPU Resource Quota


By default, the configured CPU resource quota takes effect immediately. You can also use the following command to disable the VSYS CPU resource check; the configured CPU resource quota then no longer takes effect and the VSYSs compete freely for the CPU resources of the system. To disable or enable the CPU resource quota, in the global configuration mode of the root VSYS, use the following command:

l Disable: vsys-resource cpu disable

l Enable: vsys-resource cpu enable

Notes: On some Hillstone devices (X7180, X9180, X10800, K9180), enabling or disabling the configured CPU resource quota is not supported.

Binding a VSYS Profile to a VSYS


To bind a VSYS profile to an existing VSYS, in the VSYS configuration mode, use the following command:
profile vsys-profile-name

l vsys-profile-name - Specifies the name of the VSYS profile to be bound.

To restore the default binding, in the VSYS configuration mode, use the command no profile.

Notes:
l When binding a VSYS profile to a VSYS, if the total number of the reserved
quota in all VSYSs exceeds the current capacity, the binding operation will
fail.

l Only after cancelling the binding can you delete the VSYS profile.
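An added Python example (not Hillstone code) that applies the rules from Creating a VSYS Profile, Configuring Resource Quota and this binding section: it checks reserve <= max and the CPU alarm range per profile, checks that the reserved totals of all bound VSYSs stay within a constructed capacity table, and emits the CLI lines in this chapter's syntax. The capacity figures and profile values are constructed, and exit is assumed to be the command that leaves a configuration sub-mode.

```python
"""Validate VSYS profile quotas and profile bindings, then emit the CLI lines
in this chapter's syntax. Added example, not Hillstone code. The capacity table
and the profile values in the demo are constructed; 'exit' is assumed to be the
command that leaves a configuration sub-mode.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Resource keywords of the quota command that take no extra sub-keyword
# (keyword {simple | regexp} and statistic-set {...} are left out here).
RESOURCES = {"cpu", "session", "zone", "keyword-category", "policy", "snat",
             "dnat", "session-limit", "tunnel-ipsec", "scvpn-user", "cps"}


@dataclass
class Quota:
    max: int
    reserve: int = 0
    alarm: Optional[int] = None  # cpu only: alarm log above this utilisation %


@dataclass
class VsysProfile:
    name: str
    quotas: Dict[str, Quota] = field(default_factory=dict)

    def validate(self) -> List[str]:
        """Per-profile rules: name length, reserve <= max, cpu alarm 50-99."""
        errors = []
        if not 1 <= len(self.name) <= 31:
            errors.append(f"{self.name}: profile name must be 1 to 31 characters")
        for res, q in self.quotas.items():
            if res not in RESOURCES:
                errors.append(f"{self.name}/{res}: unsupported resource keyword")
                continue
            if q.reserve > q.max:
                errors.append(f"{self.name}/{res}: reserve {q.reserve} exceeds max {q.max}")
            if q.alarm is not None:
                if res != "cpu":
                    errors.append(f"{self.name}/{res}: alarm is only valid for cpu")
                elif not 50 <= q.alarm <= 99:
                    errors.append(f"{self.name}/cpu: alarm must be 50 to 99")
        return errors

    def cli(self) -> List[str]:
        """CLI lines: vsys-profile NAME, one quota line per resource, exit."""
        lines = [f"vsys-profile {self.name}"]
        for res, q in self.quotas.items():
            line = f"{res} max {q.max}"
            if q.reserve:
                line += f" reserve {q.reserve}"
            if q.alarm is not None:
                line += f" alarm {q.alarm}"
            lines.append(line)
        lines.append("exit")  # assumed: leave the VSYS profile sub-mode
        return lines


def check_bindings(bindings: Dict[str, VsysProfile],
                   capacity: Dict[str, int]) -> List[str]:
    """Binding rule: the reserved quotas of all bound VSYSs, summed per
    resource, must not exceed the current capacity of that resource."""
    totals: Dict[str, int] = {}
    for profile in bindings.values():
        for res, q in profile.quotas.items():
            totals[res] = totals.get(res, 0) + q.reserve
    return [f"{res}: reserved total {total} exceeds capacity {capacity[res]}"
            for res, total in totals.items()
            if res in capacity and total > capacity[res]]


def build_config(bindings: Dict[str, VsysProfile],
                 capacity: Dict[str, int]) -> List[str]:
    """Validate profiles and bindings; return the CLI lines or raise ValueError."""
    profiles = {p.name: p for p in bindings.values()}  # a profile may be shared
    errors = [e for p in profiles.values() for e in p.validate()]
    errors += check_bindings(bindings, capacity)
    if errors:
        raise ValueError("; ".join(errors))
    lines = [line for p in profiles.values() for line in p.cli()]
    for vsys, profile in bindings.items():
        # 'vsys NAME' enters the VSYS configuration mode, 'profile' binds there.
        lines += [f"vsys {vsys}", f"profile {profile.name}", "exit"]
    return lines


if __name__ == "__main__":
    # Constructed demo: two tenants bound to one profile, capacity too small
    # for both reservations, so the binding check reports the overrun.
    tenant = VsysProfile("tenant-std", {
        "session": Quota(max=20000, reserve=5000),
        "policy": Quota(max=500, reserve=100),
        "cpu": Quota(max=40, reserve=10, alarm=80),
    })
    capacity = {"session": 8000, "policy": 2000}  # constructed figures
    try:
        print("\n".join(build_config({"vsys1": tenant, "vsys2": tenant}, capacity)))
    except ValueError as err:
        print("binding would fail:", err)
```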

Entering the VSYS


To enter a root VSYS, take the following steps:

1. Start a connection client on the local PC, type the management IP and port to connect with
the device.

2. Type the username and password according to the prompt, which can be the username and
password of the root administrator or the user configured in the authentication server (local
server / Radius server / TACACS+ server) of the root VSYS.

3. Press Enter to enter the root VSYS.

To enter a non-root VSYS, the following three ways are available:

The first way: to enter a non-root VSYS, take the following steps:

1. Enter the root VSYS.

2. In the global configuration mode of the root VSYS, use the command vsys vsys-name to create a non-root VSYS. For more information on creating a non-root VSYS, see Creating a Non-root VSYS.

3. Start a connection client on the local PC, type the management IP and port to connect with
the device.

4. Type the username (vsys_name\admin) and password (vsys_name-admin) of the non-root administrator according to the prompt.
For example, if the management IP of the root VSYS is 10.90.89.1, after typing the username (hillstone) and password (hillstone), you enter the root VSYS. After creating the non-root VSYS (vsys1), type the management IP 10.90.89.1, the non-root administrator username (vsys1\admin) and password (vsys1-admin), and you enter the non-root VSYS directly. For more information on configuring administrators, see Configuring System Admin Users.

5. Press Enter to enter the non-root VSYS.

Notes: If you enter the non-root VSYS directly through the above method, you cannot exit the current non-root VSYS and return to the root VSYS with the command exit-vsys. You must log out of the system and log in to the root VSYS again.

The second way: the root VSYS administrator can enter a non-root VSYS from the root VSYS. After entering it, the administrator of the root VSYS can configure the functions of the non-root VSYS. To enter a non-root VSYS, in the execution mode or the global configuration mode of the root VSYS, use the following command:
enter-vsys vsys-name

l vsys-name - Specifies the name of the non-root VSYS.

To exit the current non-root VSYS and return to the execution mode or global configuration mode of the root VSYS, in the execution mode or global configuration mode of the non-root VSYS, use the command exit-vsys.
The third way: to enter a non-root VSYS via the authentication server (local server / Radius server / TACACS+ server) configured in the non-root VSYS, take the following steps:

1. Enter the non-root VSYS.

2. In the global configuration mode of the non-root VSYS, use the command aaa-server aaa-server-name [type] {local | radius | tacacs+} to create and configure an AAA server (local server / Radius server / TACACS+ server). For more information on AAA servers, see "Configuring an AAA Server" on Page 988.

3. In the global configuration mode of the non-root VSYS, use the command admin auth-server server-name to specify the configured AAA server as the authentication server for the non-root administrator. For more information on specifying an authentication server for the system administrator, see "Configuring Authentication and Authorization for the Server" on Page 1052.

4. Start a connection client on the local PC, type the management IP and port to connect with
the device.

5. Type the username and password configured in the AAA server according to the prompt.

6. Press Enter to enter the non-root VSYS.

Configuring the Shared Property


To make a VRouter, VSwitch, or zone in the root VSYS shared, in the VRouter/VSwitch/zone configuration mode of the root VSYS, use the following command:
vsys-shared

To remove the shared property, in the VRouter/VSwitch/zone configuration mode of the root VSYS, use the command no vsys-shared.


Exporting a Physical Interface
By default, all physical interfaces on the device belong to the root VSYS. An RXW administrator in the root VSYS can export physical interfaces from the root VSYS to non-root VSYSs, and the root administrator in the root VSYS can also export physical interfaces from non-root VSYSs back to the root VSYS. A physical interface to be exported must not be bound to any zone, must not be a member of a BGroup interface, aggregate interface or redundant interface, and must not have any sub-interface. All interfaces related to the physical interface in the non-root VSYS (e.g., a sub-interface created after the physical interface is exported from the root VSYS to the non-root VSYS) can only be used in that non-root VSYS.
To export a physical interface to a non-root VSYS, in the interface configuration mode, use the following command:
export-to vsys-name

l vsys-name - Specifies the name of the non-root VSYS to which the interface will be exported.

To export a physical interface to a non-root VSYS by alias, in the interface configuration mode, use the following command:
export-to alias alias_name

l alias alias_name - Specifies the alias of the non-root VSYS to which the interface will be exported.

To export the physical interface in the non-root VSYS back to the root VSYS, in the interface con-
figuration mode, use the command no export-to.

Allocating a Logical Interface


The root administrator in the root VSYS can allocate the logical interfaces in the root VSYS to
non-root VSYSs, and also, can restore the allocated logical interfaces to the root VSYS.
To allocate a logical interface in the root VSYS to a non-root VSYS, in the interface configuration
mode, use the following command:
vsys vsys-name

l vsys-name - Specifies the name of the non-root VSYS to which the interface will be allocated.

To allocate a logical interface in the root VSYS to a non-root VSYS by alias, in the interface configuration mode, use the following command:
vsys alias alias_name

l alias alias_name – Specifies the alias of the non-root VSYS to which the interface will be
allocated.

To restore the interface to the root VSYS, in the interface configuration mode, use the command
no vsys.

Binding a Track Object


You can bind a track object to a non-root VSYS to monitor the status of this VSYS. To complete the binding, in the non-root VSYS configuration mode, use the following command:
vsys-track-status track track-name

l track-name - Specifies the name of the track object. Ensure that this track object is created in
this non-root VSYS.

To complete the binding by alias, in the non-root VSYS configuration mode, use the following
command:
vsys alias alias_name

l alias alias_name – Specifies the alias of the track object. Ensure that this track object is created in this non-root VSYS.

To cancel the binding, in the non-root VSYS configuration mode, use the following command:
no vsys-track-status track track-name

Notes:
l After you cancel the binding, you can delete the track object.

l For more information about configuring a track object, see “Configuring a Track Object” of “System Management”.

Monitoring a Specified VSYS
In the root VSYS, you can monitor the status of a specified VSYS and take corresponding actions when the status changes. To monitor a specified VSYS, use the following command in the track object configuration mode of the root VSYS:
vsys vsys-name weight value

l vsys-name – Specifies the VSYS name. This is the one that you want to monitor.

l weight value – Specifies the weight, i.e., how much the failure of this entry counts toward the judgment of track object failure. The value range is 1 to 255. The default value is 255.

Notes: Monitoring the status of a specified VSYS is only available in High Availability.

Rolling Back to Previous Configurations


There are two ways to roll back to the previous configuration:
In the execution mode, use the following command to roll back to the previous configuration. StoneOS saves the latest ten versions of system configurations as initial configuration files for you to use in system initiation. When the system restarts, the specified configuration will be used.
rollback configuration backup number

l number - Specifies the number of the initial configuration file.

In the configuration rollback mode, use the following command to roll back to the previous configuration and exit the configuration rollback mode. The configuration takes effect without restarting the device.
exec configuration rollback

Notes:
l In the execution mode, use the exec configuration start command to enter the rollback mode.

l You cannot switch among VSYS when starting the rollback mode.

l For each VSYS, you can enable and disable the rollback mode separately.

l For each VSYS, only one user is allowed to enable and disable the configuration of rollback mode at a time.

l If the rollback mode is configured for the root VSYS, the system cannot perform the following operations: switching HA status, switching between the HA master and backup device, creating or deleting an HA cluster, creating or deleting a VSYS, and modifying a VSYS resource quota.

For example:
hostname# exec configuration start (Enter the configuration rollback mode)
hostname[TRN]# configure (Enter the global configuration mode)
…… (Execute any configuration; the configuration will be valid immediately)
hostname[TRN](config)# exec configuration rollback (Roll back the configuration and exit the configuration rollback mode)
hostname#

Exiting the Configuration Rollback Mode

There are two ways to exit the configuration rollback mode directly:
In the configuration rollback mode, use the following command to exit the configuration rollback mode directly.
exec configuration commit

For example:
hostname# exec configuration start (Enter the configuration rollback mode)
hostname[TRN]# configure (Enter the global configuration mode)
…… (Execute any configuration; the configuration will be valid immediately)
hostname[TRN](config)# exec configuration commit (Exit the configuration rollback mode directly)
hostname#

In the configuration rollback mode, use the command exit to exit the terminal directly.

Tip:
l When multiple users are logged in to the device at the same time, only the user who enters the configuration rollback mode first can do further configuration; the later users cannot.

l When a user logs in to the device through different access methods, only the session of the access method that enters the configuration rollback mode first can do further configuration; the later sessions of other access methods cannot. A session of another access method can force the session holding the configuration rollback mode to exit it through a command.

Configuring the Action

When you exit the configuration rollback mode using the command exit, the system exits the configuration rollback mode directly by default. To roll back to the previous configuration and exit the configuration rollback mode instead, in the global configuration mode, use the following command:
cli-exit-action rollback

To restore the default behavior, in the global configuration mode, use the following command:
cli-exit-action commit

Notes: For each VSYS, you can use the above command separately to specify its
own action.
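The following Python model is an added example and not StoneOS code; it illustrates the rollback-mode behavior described in the preceding sections (Rolling Back to Previous Configurations, Exiting the Configuration Rollback Mode, Configuring the Action) so that the interaction of the rules can be traced step by step. The running configuration is represented as a plain dictionary per VSYS, and the user names, keys and values are constructed. The method names mirror the commands exec configuration start, exec configuration rollback, exec configuration commit, cli-exit-action and exit.

```python
"""Model of StoneOS configuration rollback mode, kept separately for each VSYS.

Added example, not StoneOS code. It captures the behaviour the guide describes: changes made
in rollback mode take effect immediately, 'exec configuration rollback' restores the state
captured at 'exec configuration start', only one user per VSYS may hold rollback mode, VSYS
switching is refused while in it, and 'exit' applies the per-VSYS cli-exit-action (commit
by default). Configuration keys, values and user names are constructed.
"""
from copy import deepcopy
from typing import Dict, Iterable


class RollbackModeError(Exception):
    """Operation refused by the rollback-mode rules."""


class VsysConfigStore:
    def __init__(self, vsys_names: Iterable[str]) -> None:
        names = list(vsys_names)
        self.running: Dict[str, Dict[str, str]] = {v: {} for v in names}
        self.exit_action: Dict[str, str] = {v: "commit" for v in names}  # cli-exit-action default
        self.holder: Dict[str, str] = {}                # vsys -> user holding rollback mode
        self.snapshot: Dict[str, Dict[str, str]] = {}   # vsys -> config captured at start

    def can_configure(self, vsys: str, user: str) -> bool:
        """True unless another user holds rollback mode in this VSYS."""
        return self.holder.get(vsys, user) == user

    def configuration_start(self, vsys: str, user: str) -> None:
        """exec configuration start: enter rollback mode and snapshot the running config."""
        if vsys in self.holder:
            raise RollbackModeError(f"{self.holder[vsys]} already holds rollback mode in {vsys}")
        self.holder[vsys] = user
        self.snapshot[vsys] = deepcopy(self.running[vsys])

    def configure(self, vsys: str, user: str, key: str, value: str) -> None:
        """Apply a change; in rollback mode it still takes effect immediately."""
        if not self.can_configure(vsys, user):
            raise RollbackModeError(f"{vsys} is locked by {self.holder[vsys]}")
        self.running[vsys][key] = value

    def enter_vsys(self, user: str, current: str, target: str) -> str:
        """enter-vsys: not allowed while the user is in rollback mode."""
        if self.holder.get(current) == user:
            raise RollbackModeError("cannot switch VSYS while in rollback mode")
        return target

    def _release(self, vsys: str, user: str) -> Dict[str, str]:
        """Leave rollback mode; returns the snapshot taken at start."""
        if self.holder.get(vsys) != user:
            raise RollbackModeError(f"{user} is not in rollback mode in {vsys}")
        del self.holder[vsys]
        return self.snapshot.pop(vsys)

    def configuration_rollback(self, vsys: str, user: str) -> None:
        """exec configuration rollback: restore the snapshot and leave rollback mode."""
        self.running[vsys] = self._release(vsys, user)

    def configuration_commit(self, vsys: str, user: str) -> None:
        """exec configuration commit: keep the changes and leave rollback mode."""
        self._release(vsys, user)

    def cli_exit_action(self, vsys: str, action: str) -> None:
        """cli-exit-action {commit|rollback}, set separately for each VSYS."""
        if action not in ("commit", "rollback"):
            raise ValueError(action)
        self.exit_action[vsys] = action

    def exit(self, vsys: str, user: str) -> None:
        """exit while in rollback mode: apply this VSYS's cli-exit-action."""
        if self.holder.get(vsys) != user:
            return  # not in rollback mode: a plain exit
        if self.exit_action[vsys] == "rollback":
            self.configuration_rollback(vsys, user)
        else:
            self.configuration_commit(vsys, user)


def demo() -> Dict[str, Dict[str, str]]:
    """Walk the guide's scenario with constructed values; returns the final running configs."""
    dev = VsysConfigStore(["root", "vsys-a"])
    dev.configure("root", "admin", "hostname", "fw1")
    dev.configuration_start("root", "admin")                # hostname# exec configuration start
    dev.configure("root", "admin", "hostname", "fw-test")   # valid immediately
    dev.configuration_rollback("root", "admin")             # exec configuration rollback
    dev.cli_exit_action("vsys-a", "rollback")               # exit rolls back in vsys-a only
    dev.configuration_start("vsys-a", "alice")
    dev.configure("vsys-a", "alice", "policy", "permit-any")
    dev.exit("vsys-a", "alice")                             # applies the rollback action
    return dev.running
```

In demo() the root VSYS ends with hostname fw1 because the change was rolled back, and vsys-a ends empty because its cli-exit-action was set to rollback before alice left with exit; the root VSYS keeps the default commit action, so the same exit there would have kept the change.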

Configuring VSYS Log


At the time of writing, the system supports logs for AAA, NAT/NAT444, policy, routing, attack
defense, interface, DNS, service, DHCP and system management events in VSYS. For more
information about how to configure and view logs, see “Logs”.

Notes: In non-root VSYS, the system does not support debugging, IPS and NBC
logs.

Configuring Cross-VSYS Traffic Forwarding


To realize the cross-VSYS traffic forwarding function, the system introduces the concept of the Simple-Switch. A Simple-Switch is a special VSwitch that can only learn MAC addresses and forward known unicast packets or flood. You can create a VWANIF interface and allocate it to the designated VSYS; different VSYSs can then communicate with each other through their VWANIF interfaces, so that the device forwards traffic directly across VSYSs.
To configure the cross-VSYS traffic forwarding function, take the following steps:

1. Enabling the cross-VSYS traffic forwarding.

2. Configuring a Simple-Switch.
This includes creating a Simple-Switch, creating an L2 zone and binding the L2 zone to the Simple-Switch.

3. Creating a VWANIF interface and a VPort interface.
After you create a VWANIF interface, you need to create a corresponding VPort interface for the VWANIF interface.

4. Configuring the VPort interface.
Bind the VPort interface to the L2 zone that has been added to the Simple-Switch.

5. Configuring the VWANIF interface.
Allocate the VWANIF interface to a VSYS, and configure the zone and IP address for the VWANIF interface.
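The following Python script is an added example, not StoneOS code or part of this guide. It turns a small declarative description of a cross-VSYS forwarding deployment into the CLI sequence of the five steps above, and refuses plans that break the constraints stated in the sections that follow: the Simple-Switch cannot be VSwitch1, each VPort must carry the same ID as its VWANIF, each VWANIF must be allocated to an existing VSYS, and at least two VSYSs must attach to the switch for traffic to cross VSYSs at all. The VwanifSpec type, the VSYS and zone names and the addresses are constructed (they follow the topology of Example 4 at the end of this chapter).

```python
"""Render and check a cross-VSYS forwarding plan (Simple-Switch plus VWANIF/VPort pairs).

Added example, not StoneOS code. Names and addresses are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class VwanifSpec:
    """One VWANIF/VPort pair: the VPort reuses the VWANIF's id, as the guide requires."""
    id: int
    vsys: str       # VSYS the VWANIF is allocated to (step 5)
    zone: str       # zone for the VWANIF inside that VSYS
    address: str    # "a.b.c.d/len" (IPv4) or "x::y/len" (IPv6)


def validate_plan(vswitch_number: int, pairs: List[VwanifSpec], vsys_names: List[str]) -> List[str]:
    """Return constraint violations; an empty list means the plan can be rendered."""
    problems: List[str] = []
    if vswitch_number == 1:
        problems.append("vswitch1 cannot be created as a Simple-Switch")
    seen = set()
    for p in pairs:
        if p.id in seen:
            problems.append(f"id {p.id} is used by more than one VWANIF/VPort pair")
        seen.add(p.id)
        if p.vsys not in vsys_names:
            problems.append(f"VSYS {p.vsys} does not exist")
    if len({p.vsys for p in pairs}) < 2:
        problems.append("at least two VSYSs must attach to the Simple-Switch")
    return problems


def address_lines(address: str) -> List[str]:
    """Interface-mode lines for an IPv4 or IPv6 address, following the guide's examples."""
    if ":" in address:
        return ["ipv6 enable", f"ipv6 address {address}"]
    return [f"ip address {address}"]


def render_plan(vswitch_number: int, l2_zone: str,
                pairs: List[VwanifSpec], vsys_names: List[str]) -> List[str]:
    """CLI lines for steps 1 to 5: root VSYS first, then each non-root VSYS."""
    problems = validate_plan(vswitch_number, pairs, vsys_names)
    if problems:
        raise ValueError("; ".join(problems))
    sw = f"vswitch{vswitch_number}"
    lines = ["vsys-switch-mode"]                                    # step 1
    lines += [f"vswitch {sw} simple-switch", "exit",                # step 2
              f"zone {l2_zone} l2", f"bind {sw}", "exit"]
    for p in pairs:                                                 # steps 3 and 4
        lines += [f"interface vwanif{p.id}", f"vsys {p.vsys}", "exit",
                  f"interface vport{p.id}", f"zone {l2_zone}", "exit"]
    for p in pairs:                                                 # step 5, inside each VSYS
        lines += [f"enter-vsys {p.vsys}", f"interface vwanif{p.id}", f"zone {p.zone}",
                  *address_lines(p.address), "exit", "exit-vsys"]
    return lines


# Constructed spec mirroring the topology of Example 4 in this chapter.
PAIRS = [VwanifSpec(1, "vsys-v1", "vsys-v1-trust", "6666::1/64"),
         VwanifSpec(2, "vsys-v2", "vsys-v2-trust", "6666::2/64")]
VSYS_NAMES = ["vsys-v1", "vsys-v2"]

if __name__ == "__main__":
    print("\n".join(render_plan(2, "l2-simple", PAIRS, VSYS_NAMES)))
```

Because the VPort ID is derived from the VWANIF ID rather than entered separately, the pairing rule cannot be violated by the rendered output; the remaining checks catch the mistakes an operator can still make in the spec, such as choosing VSwitch1 or referencing a VSYS that has not been created.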

Enabling/Disabling the Cross-VSYS Traffic Forwarding

By default, the cross-VSYS traffic forwarding function is disabled. To enable/disable the cross-
VSYS traffic forwarding function, in the global configuration mode, use the following commands:

l Enable: vsys-switch-mode

l Disable: no vsys-switch-mode

Configuring a Simple-Switch

A Simple-Switch is a special VSwitch that can only learn MAC addresses and forward known unicast packets or flood. You can create multiple Simple-Switches; each Simple-Switch is an independent broadcast domain.

Creating a Simple-Switch

To create a Simple-Switch, in the global configuration mode, use the following command:
vswitch vswitchNumber [simple-switch]

l Number - Specifies the numeric identifier of the VSwitch. The value range varies between platforms. VSwitch1 cannot be specified.

l simple-switch - Specifies this parameter to create the Simple-Switch and enter the Simple-Switch configuration mode.

To delete the Simple-Switch, in the global configuration mode, use the following command:
no vswitch vswitchNumber

Binding the L2 Zone to the Simple-Switch

Bind the L2 zone to a Simple-Switch in two steps.

First, create an L2 zone. In the global configuration mode, use the following command:
zone zone-name l2

l zone-name - Specifies the name of the Layer 2 zone.

l l2 - Specifies the zone as a Layer 2 zone.

Then, in the zone configuration mode, use the following command to bind the L2 zone to a Simple-Switch:
bind vswitch-name

l vswitch-name - Specifies the name of the Simple-Switch to which the Layer 2 zone is bound.

Creating a VWANIF interface

A VWANIF interface is a Layer 3 interface. Each time you create a VWANIF interface, you need to create a corresponding VPort interface for it.
To create a VWANIF interface, in the global configuration mode, use the following command:
interface vwanif id

l id - Specifies the ID of the VWANIF interface. If the specified VWANIF interface does not exist, this command creates a VWANIF interface and leads you to its configuration mode. If the specified VWANIF interface exists, you will enter its configuration mode directly.

To clear the specified VWANIF interface, use the command no interface vwanif id.

Creating a VPort Interface

To create a VPort interface, in the global configuration mode, use the following command:
interface vport id

l id – Specifies the ID of the VPort interface. This number must be the same as the number of the paired VWANIF interface. If the specified VPort interface does not exist, this command creates a VPort interface and leads you to its configuration mode. If the specified VPort interface exists, you will enter its configuration mode directly.

To clear the specified VPort interface, use the command no interface vport id.
After the VPort interface is created, you need to bind the VPort interface to the L2 zone that has been added to the Simple-Switch. In the global configuration mode, use the following command:
zone zone-name

l zone-name – Specifies the L2 zone name that has been added to the Simple-Switch.

Configuring the VWANIF Interface

To realize the cross-VSYS traffic forwarding, you also need to allocate the VWANIF interface to a VSYS, and configure the zone and IP address (IPv4 or IPv6) for the VWANIF interface.

Notes: For how to configure the zone and IP address (IPv4 or IPv6) for the VWANIF interface, refer to the Configuring Interface section.

Allocating a VWANIF Interface

After you create the VWANIF interface, you need to allocate the VWANIF interface to a VSYS,
in the interface configuration mode, use the following command:
vsys vsys-name

l vsys-name - Specifies the name of the VSYS to which the VWANIF interface will be allocated.

Viewing Cross-VSYS Traffic Forwarding Information

To view the cross-VSYS traffic forwarding information, in any mode, use the following command:
show vsys-switch-mode

Viewing the VWANIF interface Configuration Information

To view the VWANIF interface configuration, in any mode, use the following command:
show interface vwanif id

Viewing the VWANIF Interface IPv6 Configuration Information

To view the VWANIF interface IPv6 configuration, in any mode, use the following command:
show ipv6 interface vwanif id

Viewing VSYS Information


To view the VSYS information, in any mode of the root VSYS, use the following command:
show vsys [vsys-name]

l vsys-name - Specifies the name of the VSYS whose information you want to view. If this parameter is not specified, the information of all the VSYSs in the system will be displayed.

To view the VSYS information by alias, in any mode of the root VSYS, use the following command:
show vsys alias alias_name

l alias alias_name – Specifies the alias of the VSYS whose information you want to view.

Viewing VSYS Profile Information


To view the VSYS profile information, in any mode of the root VSYS, use the following command:
show vsys-profile [vsys-profile-name]

l vsys-profile-name - Specifies the name of the VSYS profile whose information you want to
view. If this parameter is not specified, the information of all the VSYS profiles in the system
will be displayed.

VSYS Configuration Examples
This section describes four typical VSYS configuration examples:

l Example 1: L3 traffic transmitting in a single VSYS

l Example 2: L3 traffic transmitting among multiple VSYSs via shared VRouter

l Example 3: L2 traffic transmitting among multiple VSYSs via shared VSwitch

l Example 4: Traffic transmitting among multiple VSYSs via Simple-Switch

Example 1: L3 Traffic Transmitting in a Single VSYS


An enterprise deploys a Hillstone device in its network. The goal is to enable Dept. A to access the Intranet server through ethernet0/0 and ethernet0/3 in a single VSYS. The topology is shown below:

To meet the above requirement, a VSYS and corresponding policy rules are needed. Below is the logical illustration.

Configuration Steps

Step 1: Create VSYS-a
hostname(config)# vsys vsys-a
hostname(config-vsys)# exit
hostname(config)#

Step 2: Export ethernet0/0 and ethernet0/3 to VSYS-a by the root administrator of the root VSYS:
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# export-to vsys-a
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/3
hostname(config-if-eth0/3)# export-to vsys-a
hostname(config-if-eth0/3)# exit
hostname(config)#

Step 3: Enter VSYS-a to configure ethernet0/0, ethernet0/3 and related policy rules:
hostname(config)# enter-vsys vsys-a
hostname(vsys-a)(config)# zone vsys-a-trust
hostname(vsys-a)(config-zone-vsys-a-trust)# exit
hostname(vsys-a)(config)# interface ethernet0/0
hostname(vsys-a)(config-if-eth0/0)# zone vsys-a-trust
hostname(vsys-a)(config-if-eth0/0)# ip address 192.168.1.1/24
hostname(vsys-a)(config-if-eth0/0)# exit
hostname(vsys-a)(config)# zone vsys-a-untrust
hostname(vsys-a)(config-zone-vsys-a-untrust)# exit
hostname(vsys-a)(config)# interface ethernet0/3
hostname(vsys-a)(config-if-eth0/3)# zone vsys-a-untrust
hostname(vsys-a)(config-if-eth0/3)# ip address 10.160.65.203/21
hostname(vsys-a)(config-if-eth0/3)# exit
hostname(vsys-a)(config)# policy-global
hostname(vsys-a)(config-policy)# rule
hostname(vsys-a)(config-policy-rule)# src-zone vsys-a-trust
hostname(vsys-a)(config-policy-rule)# dst-zone vsys-a-untrust
hostname(vsys-a)(config-policy-rule)# src-addr any
hostname(vsys-a)(config-policy-rule)# dst-addr any
hostname(vsys-a)(config-policy-rule)# service any
hostname(vsys-a)(config-policy-rule)# action permit
hostname(vsys-a)(config-policy-rule)# exit
hostname(vsys-a)(config-policy)# exit
hostname(vsys-a)(config)# exit-vsys
hostname(config)#

Example 2: L3 Traffic Transmitting among Multiple VSYSs via Shared VRouters
A Hillstone device is deployed for enterprise A and enterprise B. VSYS-a is configured for enterprise A and VSYS-b is configured for enterprise B. The interface ethernet0/0 is used by enterprise A only and ethernet0/7 is used by enterprise B only. The interface ethernet0/3 is shared by enterprise A and B, and the two enterprises access the Internet through ethernet0/3. See the topology below:

To meet the above requirement, the shared VRouter, corresponding routes, SNAT rules, and policy rules are needed. Below is the logical illustration.


Configuration Steps

Step 1: Configure Root VSYS:

Create vsys-a and vsys-b
hostname(config)# vsys vsys-a
hostname(config-vsys)# exit
hostname(config)# vsys vsys-b
hostname(config-vsys)# exit
hostname(config)#

Configure ethernet0/3, routes, SNAT rules, and DNS server
hostname(config)# interface ethernet0/3
hostname(config-if-eth0/3)# zone untrust
hostname(config-if-eth0/3)# ip address 10.160.65.203/21
hostname(config-if-eth0/3)# exit
hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ip route 0.0.0.0/0 10.160.64.1
hostname(config-vrouter)# snatrule from any to any eif ethernet0/3 trans-to eif-ip mode dynamicport
rule ID=3
hostname(config-vrouter)# exit
hostname(config)# ip name-server 202.106.0.20
hostname(config)#

Share trust-vr in Root VSYS
hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# vsys-shared
hostname(config-vrouter)# exit
hostname(config)#

Share untrust zone in Root VSYS
hostname(config)# zone untrust
hostname(config-zone-untrust)# vsys-shared
hostname(config-zone-untrust)# exit
hostname(config)#

Step 2: Configure VSYS-a:

Log in to the system using the root administrator’s credential of Root VSYS, and export ethernet0/0 to VSYS-a
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# export-to vsys-a
hostname(config-if-eth0/0)# exit
hostname(config)#

Enter VSYS-a and configure ethernet0/0, policy rules, and cross-VR routes
hostname(config)# enter-vsys vsys-a
hostname(vsys-a)(config)# interface ethernet0/0
hostname(vsys-a)(config-if-eth0/0)# zone vsys-a-trust
hostname(vsys-a)(config-if-eth0/0)# ip address 192.168.1.1/24
hostname(vsys-a)(config-if-eth0/0)# exit
hostname(vsys-a)(config)# policy-global
hostname(vsys-a)(config-policy)# rule
hostname(vsys-a)(config-policy-rule)# src-zone vsys-a-trust
hostname(vsys-a)(config-policy-rule)# dst-zone untrust
hostname(vsys-a)(config-policy-rule)# src-addr any
hostname(vsys-a)(config-policy-rule)# dst-addr any
hostname(vsys-a)(config-policy-rule)# service any
hostname(vsys-a)(config-policy-rule)# action permit
hostname(vsys-a)(config-policy-rule)# exit
hostname(vsys-a)(config-policy)# exit
hostname(vsys-a)(config)# ip vrouter vsys-a-vr
hostname(vsys-a)(config-vrouter)# ip route 0.0.0.0/0 vrouter trust-vr
hostname(vsys-a)(config-vrouter)# exit
hostname(vsys-a)(config)# exit-vsys
hostname(config)#

Step 3: Configure VSYS-b:

Log in to the system using the root administrator’s credential of Root VSYS, and export ethernet0/7 to VSYS-b
hostname(config)# interface ethernet0/7
hostname(config-if-eth0/7)# export-to vsys-b
hostname(config-if-eth0/7)# exit
hostname(config)#

Enter VSYS-b and configure ethernet0/7, policy rules, and cross-VR routes
hostname(config)# enter-vsys vsys-b
hostname(vsys-b)(config)# interface ethernet0/7
hostname(vsys-b)(config-if-eth0/7)# zone vsys-b-trust
hostname(vsys-b)(config-if-eth0/7)# ip address 192.169.1.1/24
hostname(vsys-b)(config-if-eth0/7)# exit
hostname(vsys-b)(config)# policy-global
hostname(vsys-b)(config-policy)# rule
hostname(vsys-b)(config-policy-rule)# src-zone vsys-b-trust
hostname(vsys-b)(config-policy-rule)# dst-zone untrust
hostname(vsys-b)(config-policy-rule)# src-addr any
hostname(vsys-b)(config-policy-rule)# dst-addr any
hostname(vsys-b)(config-policy-rule)# service any
hostname(vsys-b)(config-policy-rule)# action permit
hostname(vsys-b)(config-policy-rule)# exit
hostname(vsys-b)(config-policy)# exit
hostname(vsys-b)(config)# ip vrouter vsys-b-vr
hostname(vsys-b)(config-vrouter)# ip route 0.0.0.0/0 vrouter trust-vr
hostname(vsys-b)(config-vrouter)# exit
hostname(vsys-b)(config)# exit-vsys
hostname(config)#

759 Chapter 5 Virtual System (VSYS)


Example 3: L2 Traffic Transmitting among Multiple VSYSs via Shared VSwitch
An enterprise deploys a Hillstone device in its network. VSYS-a is configured for Dept. A, and VSYS-b is configured for Dept. B. The interface ethernet0/0 is used by VSYS-a only and ethernet0/7 is used by VSYS-b only. The interface ethernet0/3 is shared by Dept. A and Dept. B, and the two departments access an Intranet server through ethernet0/3. See the topology below:

To meet the above requirement, the shared VSwitch and corresponding policy rules are needed. Below is the logical illustration.


Configuration Steps

Step 1: Configure Root VSYS:

Create vsys-a and vsys-b
hostname(config)# vsys vsys-a
hostname(config-vsys)# exit
hostname(config)# vsys vsys-b
hostname(config-vsys)# exit
hostname(config)#

Share VSwitch1 in Root VSYS
hostname(config)# vswitch vswitch1
hostname(config-vswitch)# vsys-shared
hostname(config-vswitch)# exit

Share L2-trust zone in Root VSYS
hostname(config)# zone l2-trust
hostname(config-zone-l2-tru~)# vsys-shared
hostname(config-zone-l2-tru~)# exit
hostname(config)#

Configure ethernet0/3
hostname(config)# interface ethernet0/3
hostname(config-if-eth0/3)# zone l2-trust
hostname(config-if-eth0/3)# exit
hostname(config)#

Step 2: Configure VSYS-a:

Log in to the system using the root administrator’s credential of Root VSYS, and export ethernet0/0 to VSYS-a
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# export-to vsys-a
hostname(config-if-eth0/0)# exit
hostname(config)#

Enter VSYS-a, and create a VSwitch and an L2 zone. Bind the created L2 zone to the shared VSwitch1
hostname(config)# enter-vsys vsys-a
hostname(vsys-a)(config)# zone a-l2 l2
hostname(vsys-a)(config-zone-a-l2)# bind vswitch1
hostname(vsys-a)(config-zone-a-l2)# exit
hostname(vsys-a)(config)#

Configure ethernet0/0 and policy rules
hostname(vsys-a)(config)# interface ethernet0/0
hostname(vsys-a)(config-if-eth0/0)# zone a-l2
hostname(vsys-a)(config-if-eth0/0)# exit
hostname(vsys-a)(config)# policy-global
hostname(vsys-a)(config-policy)# rule
hostname(vsys-a)(config-policy-rule)# src-zone a-l2
hostname(vsys-a)(config-policy-rule)# dst-zone l2-trust
hostname(vsys-a)(config-policy-rule)# src-addr any
hostname(vsys-a)(config-policy-rule)# dst-addr any
hostname(vsys-a)(config-policy-rule)# service any
hostname(vsys-a)(config-policy-rule)# action permit
hostname(vsys-a)(config-policy-rule)# exit
hostname(vsys-a)(config-policy)# exit
hostname(vsys-a)(config)# exit-vsys
hostname(config)#

Step 3: Configure VSYS-b:

Log in to the system using the root administrator’s credential of Root VSYS, and export ethernet0/7 to VSYS-b
hostname(config)# interface ethernet0/7
hostname(config-if-eth0/7)# export-to vsys-b
hostname(config-if-eth0/7)# exit
hostname(config)#

Enter VSYS-b, and create a VSwitch and an L2 zone. Bind the created L2 zone to the shared VSwitch1
hostname(config)# enter-vsys vsys-b
hostname(vsys-b)(config)# zone b-l2 l2
hostname(vsys-b)(config-zone-b-l2)# bind vswitch1
hostname(vsys-b)(config-zone-b-l2)# exit
hostname(vsys-b)(config)#

Configure ethernet0/7 and policy rules
hostname(vsys-b)(config)# interface ethernet0/7
hostname(vsys-b)(config-if-eth0/7)# zone b-l2
hostname(vsys-b)(config-if-eth0/7)# exit
hostname(vsys-b)(config)# policy-global
hostname(vsys-b)(config-policy)# rule
hostname(vsys-b)(config-policy-rule)# src-zone b-l2
hostname(vsys-b)(config-policy-rule)# dst-zone l2-trust
hostname(vsys-b)(config-policy-rule)# src-addr any
hostname(vsys-b)(config-policy-rule)# dst-addr any
hostname(vsys-b)(config-policy-rule)# service any
hostname(vsys-b)(config-policy-rule)# action permit
hostname(vsys-b)(config-policy-rule)# exit
hostname(vsys-b)(config-policy)# exit
hostname(vsys-b)(config)# exit-vsys
hostname(config)#

Example 4: Traffic Transmitting among Multiple VSYSs via Simple-Switch
An enterprise deploys a Hillstone device in its network. VSYS-v1 is configured for Dept. A, and VSYS-v2 is configured for Dept. B. The interface ethernet0/0 is used by VSYS-v1 only and ethernet0/2 is used by VSYS-v2 only. Dept. A and Dept. B belong to two different VSYSs and must be able to access each other through ethernet0/0 and ethernet0/2. See the topology below:

To meet the above requirement, the Simple-Switch, VWANIF interfaces, VPort interfaces and corresponding routes and policy rules are needed. Below is the logical illustration.


Configuration Steps

Step 1: Configure Root VSYS:

Create vsys-v1 and vsys-v2
hostname(config)# vsys vsys-v1
hostname(config-vsys)# exit
hostname(config)# vsys vsys-v2
hostname(config-vsys)# exit
hostname(config)#

Configure VSwitch2 Simple-Switch in Root VSYS
hostname(config)# vsys-switch-mode
hostname(config)# vswitch vswitch2 simple-switch
hostname(config-vswitch)# exit

Configure L2-simple zone in Root VSYS
hostname(config)# zone l2-simple l2
hostname(config-zone-l2-sim~)# bind vswitch2
hostname(config-zone-l2-sim~)# exit
hostname(config)#

Configure vwanif1, vport1
hostname(config)# interface vwanif1
hostname(config-if-vwa1)# vsys vsys-v1
hostname(config-if-vwa1)# exit
hostname(config)# interface vport1
hostname(config-if-vpo1)# zone l2-simple
hostname(config-if-vpo1)# exit
hostname(config)#

Configure vwanif2, vport2
hostname(config)# interface vwanif2
hostname(config-if-vwa2)# vsys vsys-v2
hostname(config-if-vwa2)# exit
hostname(config)# interface vport2
hostname(config-if-vpo2)# zone l2-simple
hostname(config-if-vpo2)# exit
hostname(config)#

Configure ethernet0/0
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# vsys vsys-v1
hostname(config-if-eth0/0)# exit
hostname(config)#

Configure ethernet0/2
hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# vsys vsys-v2
hostname(config-if-eth0/2)# exit
hostname(config)#

Step 2: Configure VSYS-v1:
hostname(config)# enter-vsys vsys-v1
hostname(vsys-v1)(config)# interface vwanif1
hostname(vsys-v1)(config-if-vwa1)# zone vsys-v1-trust
hostname(vsys-v1)(config-if-vwa1)# ipv6 enable
hostname(vsys-v1)(config-if-vwa1)# ipv6 address 6666::1/64
hostname(vsys-v1)(config-if-vwa1)# exit
hostname(vsys-v1)(config)# interface ethernet0/0
hostname(vsys-v1)(config-if-eth0/0)# zone vsys-v1-trust
hostname(vsys-v1)(config-if-eth0/0)# ipv6 enable
hostname(vsys-v1)(config-if-eth0/0)# ipv6 address 2222::1/64
hostname(vsys-v1)(config-if-eth0/0)# exit
hostname(vsys-v1)(config)#

Configure route for VSYS-v1
hostname(vsys-v1)(config)# ip vrouter vsys-v1-vr
hostname(vsys-v1)(config-vrouter)# ipv6 route 3333::1/64 6666::2
hostname(vsys-v1)(config-vrouter)# exit
hostname(vsys-v1)(config)# policy-global
hostname(vsys-v1)(config-policy)# default-action permit
hostname(vsys-v1)(config-policy)# exit
hostname(vsys-v1)(config)# exit-vsys
hostname(config)#

Step 3: Configure VSYS-v2:
hostname(config)# enter-vsys vsys-v2
hostname(vsys-v2)(config)# interface vwanif2
hostname(vsys-v2)(config-if-vwa2)# zone vsys-v2-trust
hostname(vsys-v2)(config-if-vwa2)# ipv6 enable
hostname(vsys-v2)(config-if-vwa2)# ipv6 address 6666::2/64
hostname(vsys-v2)(config-if-vwa2)# exit
hostname(vsys-v2)(config)# interface ethernet0/2
hostname(vsys-v2)(config-if-eth0/2)# zone vsys-v2-trust
hostname(vsys-v2)(config-if-eth0/2)# ipv6 enable
hostname(vsys-v2)(config-if-eth0/2)# ipv6 address 3333::1/64
hostname(vsys-v2)(config-if-eth0/2)# exit
hostname(vsys-v2)(config)#

Configure route for VSYS-v2
hostname(vsys-v2)(config)# ip vrouter vsys-v2-vr
hostname(vsys-v2)(config-vrouter)# ipv6 route 2222::1/64 6666::1
hostname(vsys-v2)(config-vrouter)# exit
hostname(vsys-v2)(config)# policy-global
hostname(vsys-v2)(config-policy)# default-action permit
hostname(vsys-v2)(config-policy)# exit
hostname(vsys-v2)(config)# exit-vsys
hostname(config)#

Chapter 6 High Availability (HA)

Overview
HA (High Availability) provides a failover solution for malfunction of the communication line or
devices in order to ensure smooth communication and effectively improve the network reliability.
To implement the HA function, you need to group two Hillstone devices as an HA cluster, using
the identical hardware platform, firmware version, and licenses. When one device is unavailable or
cannot handle the request from the client properly, the request will be promptly directed to the
other device that works normally, thus ensuring uninterrupted network communication and
greatly improving the reliability of communications.
Hillstone devices support two HA modes: Active-Passive (A/P) and Peer Active-Active (A/A)
mode.

l Active-Passive (A/P) mode: In the HA cluster, configure two devices to form an HA group, with one device acting as a master device and the other acting as its backup device. The master device is active, forwarding packets, and meanwhile synchronizes all of its network and configuration information and current session information to the backup device. When the master device fails, the backup device will be promoted to master and take over its work to forward packets. This A/P mode is redundant, and features a simple network structure for you to maintain and manage. The relationship between the devices in A/P mode is shown below:

l Peer Active-Active (A/A) mode: the Peer A/A mode is an HA Active-Active mode. In the Peer A/A mode, two devices are both active, perform their own tasks simultaneously, and monitor the operation status of each other. When one device fails, the other will take over the work of the failed device while continuing to run its own tasks. In the Peer A/A mode, only the device in the active status can send/receive packets. The device in the disabled status holds the same configuration information as the active device, but its interfaces do not send/receive any packets. The Peer A/A mode is more flexible and is suitable for deployment in asymmetric routing environments. The relationship between the devices in the Peer A/A mode is shown in the figure below:

HA Cluster
For the external network devices, an HA cluster is a single device which handles network traffic
and provides security services. The HA cluster is identified by its cluster ID. After specifying an
HA cluster ID for the device, the device will be in the HA state to implement HA function.

HA Group
System will select the master and backup device of the same HA group ID in an HA cluster
according to the HCMP protocol and the HA configuration. The master device is in active state
and processes network traffic. When the master device fails, the backup device will take over its
work.

When assigning a cluster ID to the device, the HA group with ID 0 will be automatically created.
In Active-Passive (A/P) mode, the device only has HA group 0. In Peer Active-Active (A/A)
mode, the latest Hillstone version supports two HA groups, i.e., Group 0 and Group 1.

HA Node
To distinguish the HA devices in an HA group, you can use the value of HA Node to mark the devices. StoneOS supports the values 0 and 1.
In the HA Peer mode, the system can decide which device is the master according to the HA Node value. In HA group 0, the device whose HA Node value is 0 is active and the device whose HA Node value is 1 is at the disabled status. In HA group 1, the device whose HA Node value is 0 is at the disabled status and the device whose HA Node value is 1 is active.

HA Group Interface and Virtual MAC


In an HA environment, each HA group forwards traffic through an interface known as the virtual
forward interface. The master device of each HA group owns a virtual MAC (VMAC) address for
that interface, and the group's traffic is forwarded on it. Different HA groups in one HA
cluster cannot forward traffic to each other. The VMAC address is derived from the HA base MAC,
the HA cluster ID, the HA group ID and the physical interface index.

HA Selection
Among the devices in an HA cluster that share the same group ID, the one with the higher priority
(the smaller priority number) is selected as the master device.

HA Synchronization
So that the backup device can take over when the master fails, the master device synchronizes
its information to the backup device. Three types of information can be synchronized:
configuration information, files and RDO (Runtime Dynamic Objects). RDO covers the
following:

l Session information (the following session types are not synchronized: sessions to the
device itself, tunnel sessions, deny sessions, ICMP sessions and tentative sessions)

l IPsec VPN information

l SCVPN information

l DNS cache mappings

l ARP table

l PKI information

l DHCP information

l MAC table

l WebAuth information

The system supports two synchronization methods: batch synchronization and real-time
synchronization. Immediately after a master device has been selected, batch synchronization
copies all of the master's information to the backup device. Afterwards, whenever the
configuration changes, real-time synchronization copies only the changed information to the
backup device. Except for HA-related configuration and local configuration (for example, the
host name), all configuration is synchronized.

Notes:
l If you configure the Local property for an interface, the system does not synchronize
that interface's configuration to the backup device. For this reason, do not configure
the Local property on business interfaces.

l On some models (SG-6000-X6150, SG-6000-X6180, SG-6000-X7180 and SG-6000-X10800) in
Active-Passive (A/P) mode, the backup device does not support hot plugging of an IOM
module; doing so disrupts the synchronization of configuration information.

Configuring HA
To configure the HA function, take the following steps:

1. Configure an HA group, including specifying the device priority (for selection) and HA
packets-related parameters.

2. Configure an HA virtual forward interface.

3. Configure the HA link, including an HA link interface and an HA link IP address, for the
device synchronization and HA packets transmission.

4. Configure an HA cluster. Specify the HA cluster ID and HA node ID, and enable the HA
function.

WebUI: Select System > HA from the menu bar. In the HA dialog, configure the options.
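The four steps above, carried out end to end for an Active-Passive pair in StoneOS CLI syntax, as an added example that is not part of this guide. It uses only commands described in this chapter; the HA link interface name (ethernet0/4), the HA link addresses, the priorities, cluster ID 1 and the track object name ha-uplink are assumptions for illustration, and the creation and zone binding of the business interfaces (see "Interface" of "Firewall") is not shown. Lines beginning with # are annotations, not CLI input; configure is assumed to enter global configuration mode and exit to leave a sub-module mode.

```text
# Device A (HA Node 0, intended master)
configure
ha group 0
  priority 50              # smaller number = higher priority = preferred master
  hello interval 1000      # must be identical on both devices
  hello threshold 3        # three missed Hellos (about 3 s here) declare the peer down
  preempt 30               # reclaim the master role 30 s after recovering
  arp 15                   # gratuitous ARPs sent after a switchover
  monitor track ha-uplink  # assumed track object; give it the Local property
  exit
ha link interface ethernet0/4    # dedicated control link, never a business interface
ha link ip 10.255.255.1/24
ha cluster 1 node 0              # joining the cluster enables HA; do this last

# Device B (HA Node 1, backup): same group settings, lower priority, own link IP
configure
ha group 0
  priority 100
  hello interval 1000
  hello threshold 3
  preempt 30
  arp 15
  monitor track ha-uplink
  exit
ha link interface ethernet0/4
ha link ip 10.255.255.2/24
ha cluster 1 node 1

# Verify on either device (show commands work in any mode)
show ha cluster
show ha sync state all
```

Keep HA-related and local settings (link address, node value) per device; everything else is entered on the master and reaches the backup through configuration synchronization once the cluster has formed.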

Configuring an HA Group
The HA group is configured in HA group configuration mode. To enter HA group configuration
mode from global configuration mode, use the following command:
ha group group-id

l group-id – Specifies the HA group ID. The value range is 0 to 1.

After executing the command, the system will enter the HA group configuration mode. To delete
the specified HA group, in the global configuration mode, use the following command:
no ha group group-id
In the HA group configuration mode, you can perform the following configurations:

l Specifying the priority

l Specifying the Hello interval

l Specifying the Hello threshold

l Configuring the preempt mode

l Specifying the gratuitous ARP packet number

l Specifying the description

l Specifying the track object

Specifying the Priority

The priority is used for HA selection: the device with the higher priority (the smaller
number) is selected as the master device. To specify the priority, in HA group configuration
mode, use the following command:
priority number

l number – Specifies the priority. The value range is 1 to 254. The default value is 100.

To restore the default priority, in HA group configuration mode, use the following command:
no priority

Tip: When the priorities are identical, the device with the smaller value in the 10th to
14th positions of its serial number (S/N) takes precedence.

Specifying the Hello Interval

The Hello interval is the interval at which an HA device sends heartbeats (Hello packets) to the
other devices in the HA group. The Hello interval must be identical within an HA group. To
specify the Hello interval, in HA group configuration mode, use the following command:
hello interval time-interval

l time-interval – Specifies the interval for sending heartbeats. The value range is 50 to 10000
milliseconds. The default value is 1000.

To restore the default Hello interval, in HA group configuration mode, use the following
command:
no hello interval

Specifying the Hello Threshold

If the device fails to receive the specified number of Hello packets from the other device, it
judges that the other device's heartbeat has failed; with the default interval (1000 ms) and
threshold (3), that is roughly 3 seconds without a Hello. To specify the Hello threshold, in HA
group configuration mode, use the following command:
hello threshold value

l value – Specifies the Hello threshold value. The value range is 3 to 255. The default value is
3.

To restore to the default Hello threshold, in the HA group configuration mode, use the following
command:
no hello threshold

Specifying the Hello Transport Protocol

This feature is supported only on CloudEdge. By default, Hello packets are carried by VRRP. In
a virtualized environment, however, the virtual core switch may limit both the rate and the size
of VRRP packets, which interferes with synchronization between the HA master and backup device.
To avoid this limit, you can carry Hello packets over UDP instead; in HA group configuration
mode, use the following command:
ha transmit udp

To restore the default VRRP transport, in HA group configuration mode, use the no ha transmit
udp command.

Notes:
l Once the device has been added to an HA cluster and the HA function has taken effect,
the Hello transport protocol cannot be changed. To change it, run no ha cluster
first.

l The master device and the backup device must be configured with the same Hello
transport protocol.

Configuring the Preempt Mode

When preempt mode is enabled, a backup device that finds its own priority higher than the
master's promotes itself to master, and the original master becomes the backup. When preempt
mode is disabled, a device with a higher priority than the master does not take over unless the
master fails. When configuring preempt mode, you can also set a delay so that the backup takes
over only after the specified delay has elapsed. To configure preempt mode, in HA group
configuration mode, use the following command:
preempt [delay-time]

l delay-time – Specifies the delay time. The value range is 1 to 600 seconds. The default value
is 30.

To cancel the preempt mode, in the HA group configuration mode, use no preempt command.

Specifying the Gratuitous ARP Packet Number

When the backup device becomes the master, it sends gratuitous ARP packets to the network so
that neighbouring devices update their ARP tables. This command sets the maximum number of
gratuitous ARP packets the new master sends. Immediately after the switchover the system sends
five gratuitous ARP packets, and then one per second until the number specified by this command
is reached. To specify the gratuitous ARP packet number, in HA group configuration mode, use the
following command:
arp number

l number – Specifies the gratuitous ARP packet number. The value range is 10 to 180. The
default value is 15.

To restore to the default gratuitous ARP packet number, in the HA group configuration mode,
use no arp command.

Sending Gratuitous ARP Packets

When the backup device is promoted to master, the new master sends only a limited number of
gratuitous ARP packets, so some servers on the network may miss them and keep stale ARP
entries; such servers may be unable to provide service for a short period. To address this, the
system supports sending gratuitous ARP packets manually from a specified interface. To do so,
in execution mode, use the following command:
send gratuitous-arp interface interface-name [count num | interval num]

l interface interface-name – Specifies the interface on which gratuitous ARP packets are sent.
This interface can be a physical interface, VSwitch interface, aggregate interface or redundant
interface with an IP address configured.

l count num – Specifies how many ARP packets to send. The value range is 0 to 60. The
default value is 5. The value 0 sends packets continuously; press Ctrl+C to stop.

l interval num – Specifies the interval for sending ARP packets. The value range is 1 to 60
seconds. The default value is 1.

Specifying the Description

To specify a description, in HA group configuration mode, use the following command:
description string

l string – Specifies the description information.

To cancel the description information, in the HA group configuration mode, use no description
command.

Specifying the Track Object

A track object monitors the working status of the device; when the device cannot work normally,
the system takes the corresponding action. To specify the track object, in HA group
configuration mode, use the following command:
monitor track track-object-name

l track-object-name – Specifies the name of the track object configured in the system.

To cancel the track object, in HA group configuration mode, use the no monitor track command.

Notes: It is recommended that the track object in the HA group should be con-
figured with the Local property. For more information about how to configure the
track object, see “Configuring a Track Object” of “System Management”.

Configuring an HA group interface


To configure the interface for HA Group 0, in the global configuration mode, use the following
command:
interface {ethernet m/n | redundant number | aggregate number | tunnel number | loopback
number | bgroup number | ethernet m/n.tag | redundant number.tag | aggregate number.tag |
vswitch number}

Tip: For more information about how to create and configure an interface, see
“Interface” of “Firewall”.

To configure the interface for HA Group 1, in the global configuration mode, use the following
command:
interface {ethernet x/y:1 | redundant x:1 | aggregate x:1 | tunnel x:1 | loopback x:1 | ethernet
x/y.u:1 | redundant x.y:1 | aggregate x.y:1 | vswitchif x:1}

l ethernet x/y:1 : Specifies ethernetx/y as the interface for Group 1 and uses this interface for
data forwarding.

l redundant x:1 : Specifies redundantx as the interface for Group 1 and uses this interface for
data forwarding.

l aggregate x:1 : Specifies aggregatex as the interface for Group 1 and uses this interface for data
forwarding.

l tunnel x:1 : Specifies tunnelx as the interface for Group 1 and uses this interface for data for-
warding.

l loopback x:1 : Specifies loopbackx as the interface for Group 1 and uses this interface for data
forwarding.

l ethernet x/y.u:1 : Specifies ethernetx/y.u as the interface for Group 1 and uses this interface
for data forwarding.

l redundant x.y:1 : Specifies redundantx.y as the interface for Group 1 and uses this interface
for data forwarding.

l aggregate x.y:1 : Specifies aggregatex.y as the interface for Group 1 and uses this interface for
data forwarding.

l vswitchif x:1 : Specifies vswitchifx as the interface for Group 1. In HA Peer mode,
vswitchifx:1 is used for data forwarding in mixed Layer 2/Layer 3 mode, and users can manage
the device through this interface in transparent mode.

To cancel the specified interface, in the global configuration mode, use the following command:
no interface {ethernet x/y:1 | redundant x:1 | aggregate x:1 | tunnel x:1 | loopback x:1 |
ethernet x/y.u:1 | redundant x.y:1 | aggregate x.y:1 | vswitchif x:1}

Configuring the Next-hop IP Address of the Interface


In an HA Peer mode network, route lookup can fail when data is synchronized with the peer
device. To avoid this, configure a next-hop IP address on the interface, which ensures that
sessions are created successfully. To specify the next-hop IP address of the interface, in
interface configuration mode, use the following command:
direct-send default-nexthop {A.B.C.D | X:X:X:X::X} [local]

l A.B.C.D | X:X:X:X::X – Specifies the next-hop IPv4 or IPv6 address of the interface.

l local – With this parameter, the system does not synchronize this configuration to the
backup device. Without it, the configuration is synchronized to the backup device.

In the interface configuration mode, use the following command to cancel the above con-
figurations:
no direct-send default-nexthop { A.B.C.D | X:X:X:X::X} [local]

Configuring SNAT Port Distribution


HA supports SNAT port distribution. When the same SNAT address pool is configured on both HA
devices, the system splits the SNAT port resources evenly between the devices according to their
HA Node values. If the function is disabled, each HA device must be configured with a different
SNAT address pool, and each device uses the entire port range of its pool. SNAT port
distribution takes effect only in HA Peer mode.

To enable the SNAT port distribution function, use the following command in the global con-
figuration mode:
split-port-pool by ha-node
In the global configuration mode, use the following command to disable this function:
no split-port-pool by ha-node
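A Peer Active-Active configuration in StoneOS CLI syntax, as an added example that is not part of this guide, combining the pieces described above: the two HA groups, the Group 1 (":1") instance of a forwarding interface, the Peer-mode next hop and SNAT port distribution. The interface names, the next-hop address 192.0.2.1, the HA link addresses and cluster ID 1 are assumptions; the SNAT rules themselves, and the IP address and zone binding of ethernet0/1 and ethernet0/1:1, are configured as described in "Interface" of "Firewall" and are not shown. Lines beginning with # are annotations, not CLI input.

```text
# Device A (HA Node 0): active for group 0, disabled for group 1
configure
ha group 0
  description "group0-active-on-node0"
  exit
ha group 1
  description "group1-active-on-node1"
  exit
# Group 0 forwards on ethernet0/1; group 1 forwards on the :1 instance of the same port
interface ethernet0/1
  direct-send default-nexthop 192.0.2.1     # avoids route-lookup failure on peer sync
  exit
interface ethernet0/1:1
  direct-send default-nexthop 192.0.2.1
  exit
# One SNAT pool on both devices; ports are split by HA Node value
split-port-pool by ha-node
ha link interface ethernet0/4
ha link ip 10.255.255.1/24
# Join cluster 1 in Peer mode as node 0 (add symmetric-routing only for a
# symmetric routing environment); this must come last
ha cluster 1 peer-mode node 0

# Device B (HA Node 1): active for group 1, disabled for group 0.
# Identical to Device A except for the two device-local values:
ha link ip 10.255.255.2/24
ha cluster 1 peer-mode node 1
```

Because the node value decides which device is active in each group, the priority is left at its default here; the two groups never forward traffic to each other, so each business interface needs both its base instance and its :1 instance configured.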

Configuring a HA Link
Synchronization between the master and backup device, as well as the Hello packets, is carried
over the HA link. There are two types of HA link: the control link and the data link. The control
link synchronizes all data between the two devices; the data link synchronizes data-plane
information such as session information. Configuring a data link is optional. If a data link is
configured, session information is synchronized over the data link, while Hello packets and the
remaining synchronization information are carried over the control link. Without a data link,
all synchronization traffic is carried over the control link.
Specify the HA link interface first, and then the IP address of the link.

Notes: When configuring the HA link interfaces of the SG-6000-X10800/X9180/X8180, note the
following:

l Data information can be synchronized only through an HA data link interface.

l By default, all HA interfaces (HA0 and HA1) of the SCMs are automatically configured as
the HA control link, and no configuration is needed. Cable the HA control link as follows:

l Connect HA0 of the master SCM on the master device to HA0 of the master SCM on
the backup device.

l Connect HA1 of the master SCM on the master device to HA0 of the backup SCM on
the backup device.

l Connect HA0 of the backup SCM on the master device to HA1 of the master SCM on
the backup device.

l Connect HA1 of the backup SCM on the master device to HA1 of the backup SCM on
the backup device.

Specifying an HA Link Interface

You can specify up to two HA control link interfaces. The second interface configured serves as
the backup of the first; when the first interface goes down, the second takes over the
transmission of HA packets.
On X series devices, an interface on an I/O module can be configured as the HA control link
interface, so that a link fault on the control module's interface does not disrupt HA heartbeats
and synchronization messages. By default, the HA control link interface is on the control module.
To specify an HA control link interface, in the global configuration mode, use the following com-
mand:
ha link interface interface-name

l interface-name – Specifies the name of the interface.

To specify a HA data link interface, in the global configuration mode, use the following com-
mand:
ha link data interface interface-name

l interface-name – Specifies the name of the interface.

l data – Specifies the link as an HA data link. Once a data link is specified, session
information is synchronized over it. A physical interface or an aggregate interface can serve
as the data link interface: at most one aggregate interface, or at most two physical
interfaces, may be specified as HA data link interfaces.

To delete the specified HA link interface, in the global configuration mode, use the following
command:
no ha link interface interface-name
no ha link data interface interface-name

Notes: On X series devices, only an interface of the IOM-2Q8SFP+-200 module card in the X7180
can be specified as the HA assist link interface; interfaces on other module cards do not
support this function.

Specifying the Work Mode of HA Link Interface

When two physical interfaces are configured as HA data link interfaces, they can work in
active-passive mode or load-balance mode. To specify the work mode of the HA data link
interfaces, in global configuration mode, use the following command:
ha data-link mode {active-passive | load-balance}

l active-passive – Sets the HA data link interfaces to active-passive mode. The first
configured HA data link interface is the master interface and the second is its backup. When
the master interface fails, the backup takes over its work; when the master interface
recovers, it resumes all data link work.

l load-balance – Sets the HA data link interfaces to load-balance mode, which is the
default. Both HA data link interfaces carry traffic at the same time and monitor each other.
When one interface fails, the other takes over its work in addition to its own; when the
failed interface recovers, the two interfaces share the work again.

To restore the default work mode of the HA data link interfaces, in global configuration
mode, use the following command:
no ha data-link mode

Specifying the IP Address of HA link

To configure the IP address (IPv4 or IPv6 address) of the HA link, in the global configuration
mode, use the following command:
ha link {ip ip-address/Mask | ipv6 ipv6-address/Mask }

l ip ip-address/Mask – Specifies the IPv4 address and netmask of the HA link. Both prefix
notation (e.g. 1.1.1.1/24) and dotted netmask notation (e.g. 1.1.1.1 255.255.255.0) are
supported.

l ipv6 ipv6-address/Mask - Specifies the IPv6 address prefix and the prefix length of the HA
link. The value range of the prefix length is 1 to 128.

To cancel the specified IP address, in the global configuration mode, use the following command:
no ha link {ip ip-address/Mask | ipv6 ipv6-address/Mask }

Specifying an HA Assist Link Interface

In Active-Passive (A/P) mode, you can specify an HA assist link interface to send and receive
heartbeat packets (Hello packets), so that the master and backup device still switch over
correctly when the HA link fails.
To specify an HA assist link interface, in global configuration mode, use the following
command:
ha assist-link interface interface-name

l interface-name – Specifies the name of the interface. You can configure only one HA assist
link interface.

To delete the specified HA assist link interface, in the global configuration mode, use the fol-
lowing command:
no ha assist-link interface interface-name

Notes:
l Until the HA link is restored, the HA assist link interface carries only heartbeat
packets; data is not synchronized over it. Avoid modifying the configuration during this
period. After the HA link is restored, run exec ha sync rdo session to synchronize
session information manually.

l The HA assist link interface must be an interface other than the HA link interface and
must be bound to a zone.

l Specify the same interface as the HA assist link interface on the master and backup
device, and make sure that interface belongs to the same VLAN on both devices.

l On X series devices, only an interface of the IOM-2Q8SFP+-200 module in the X7180 can
be specified as the HA assist link interface; other devices do not support this function.

Specifying the MAC Address of the HA Link Interface on CloudEdge

The MAC address of the HA link interface is the source MAC address used when the HA device sends
heartbeats (Hello packets) to the other devices in the HA group. By default, the system sends
Hello packets with its default MAC address. You can instead use the MAC address of the control
link interface, or a custom MAC address, as the MAC address of the HA link interface. To specify
it, in global configuration mode, use the following command:
ha link mac {1st-interface-mac | mac-address}

l 1st-interface-mac – Uses the MAC address of the control link interface as the MAC address
of the HA link interface. When more than one control link interface is configured, the MAC
address of the first control link interface is used.

l mac-address – Specifies a customized MAC address as the MAC address of HA link inter-
face.

In the global configuration mode, use the following command to restore the default MAC address
of HA link interface.
no ha link mac

Enabling the Real MAC Address of an Interface on CloudEdge

This function is supported only on CloudEdge interfaces, excluding the HA link interface and
interfaces configured with the Local property. By default, an interface forwards traffic with
the virtual MAC address provided by the system; once this function is enabled, each interface
communicates with its real MAC address. To enable the real MAC address of interfaces, in global
configuration mode, use the following command:
no ha virtual-mac enable
To restore the default virtual MAC address, in global configuration mode, use the ha
virtual-mac enable command.

Notes: Once the device has been added to an HA cluster and the HA function has taken effect,
the interface MAC address cannot be changed. To change it, run no ha cluster first.

Configuring HA Negotiation in Layer 2 Unicast Mode

The system supports HA negotiation in Layer 2 unicast mode. Configure the HA peer IP address,
or the peer IP and MAC address together, on each device; the two devices then negotiate by
Layer 2 unicast.
To configure the HA peer IP address (IPv4 or IPv6) and optionally the peer MAC address, in
global configuration mode, use the following command:
ha peer {ip ip-address | ipv6 ipv6-address} [mac mac-address]

l ip ip-address - Specifies the IPv4 address of HA link interface of peer device.

l ipv6 ipv6-address - Specifies the IPv6 address of HA link interface of peer device.

l mac mac-address - Specifies the MAC address of HA link interface of peer device.

In global configuration mode, use the no ha {ip | ipv6} command to restore the default configuration.

Notes: Once the device has been added to an HA cluster and the HA function has taken effect,
the HA peer IP or MAC address cannot be modified. To modify it, run no ha cluster first.

Specifying the MTU Value of HA link Interface


After specifying the HA link interface, you can also set the MTU of the HA link interface as
required. Once it is set, a message larger than the MTU is fragmented by the sender and
reassembled by the receiver on arrival. To configure the MTU of the HA link interface, in global
configuration mode, use the following command:
ha link mtu value

l value – Specifies the MTU value of the HA link interface. The default value is 1500.

To cancel the specified MTU value, in the global configuration mode, use the following com-
mand: no ha link mtu.
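A redundant HA link layout in StoneOS CLI syntax, combining the commands from this section, as an added example that is not part of this guide: two control link interfaces, two physical data link interfaces in active-passive mode, an assist link for A/P mode, Layer 2 unicast negotiation and the link MTU. Interface names, addresses and cluster ID 1 are assumptions; ethernet0/1 is assumed to be already bound to a zone and to sit in the same VLAN on both devices. The cluster command comes last because the peer address and the Hello transport and MAC settings cannot be changed once the cluster is active. Lines beginning with # are annotations, not CLI input.

```text
# Device A (HA Node 0). Device B mirrors this with 10.255.255.2 as its own link
# address, 10.255.255.1 as the peer address, and node 1.
configure
# Control links: the second interface is the backup of the first
ha link interface ethernet0/4
ha link interface ethernet0/5
ha link ip 10.255.255.1/24
ha link mtu 1500                   # default; raise only if every hop on the link allows it
# Data links carry session synchronization; active-passive instead of the default
# load-balance, so one interface carries all session sync until it fails
ha link data interface ethernet0/6
ha link data interface ethernet0/7
ha data-link mode active-passive
# Assist link (A/P mode only): heartbeats survive a total HA link outage
ha assist-link interface ethernet0/1
# Negotiate by Layer 2 unicast with the peer's HA link address
ha peer ip 10.255.255.2
# Join the cluster last
ha cluster 1 node 0

# In execution mode, after an HA link outage bridged by the assist link has ended,
# resynchronize the sessions that could not cross the assist link and check the state
exec ha sync rdo session
show ha sync state all
```

Deleting and re-adding the HA link (no ha link interface ...) is not enough to change the peer address or MAC settings; the guide's notes require no ha cluster first.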

Configuring a HA Cluster
After configuring the HA group, the HA group interface and the HA link interface, add the device
to an HA cluster to bring the HA function into effect. If there is more than one pair of HA
devices on the network, give each pair a different HA cluster ID; otherwise the virtual MAC
addresses may conflict. To configure an HA cluster, in global configuration mode, use the
following command:
ha cluster cluster-id [[peer-mode node ID [symmetric-routing]] | node ID]

l cluster-id – Specifies the HA cluster ID. The value range depends on the HA virtual MAC
prefix.

l peer-mode node ID – Configures HA Peer mode and specifies the role of this device in the
HA cluster. The range is 0 to 1. By default, group 0 is active on the device whose HA Node ID
is 0 and disabled on the device whose HA Node ID is 1.

l symmetric-routing – With this parameter, the device works in a symmetric routing
environment.

l node ID – Specifies the HA Node value of the device. The two devices must have different
values. The range is 0 to 1. The HA Node value must be specified on the SG-6000-X10800; on
other devices, if it is not specified, the devices obtain it by automatic negotiation.

To disable the specified HA cluster, in the global configuration mode, use no ha cluster com-
mand.

Configuring HA VMAC Prefix


This feature is supported only on CloudEdge. If more than 8 HA clusters must be deployed on one
network segment, configure the prefix of the HA virtual base MAC address (the HA virtual MAC
prefix) to avoid duplicate HA virtual MAC addresses. With a 7-hex-digit prefix, up to 128 HA
clusters can be deployed on the same network segment; with an 8-hex-digit prefix (the default),
up to 8. When the configuration is complete, the system reports the HA virtual MAC range that
will be generated, and the configuration takes effect after a reboot. To configure the HA
virtual MAC prefix, in global configuration mode, use the following command:
ha virtual-mac-prefix prefix-addr

l prefix-addr – Specifies the prefix of the HA base MAC in hexadecimal; its length must be
seven or eight hex digits. The default HA virtual MAC prefix is 0x001C54FF. The values
0x00000000, 0x0000000, 0xFFFFFFFF and 0xFFFFFFF, as well as multicast addresses (those whose
second hex digit is odd), are invalid.

To restore to the default prefix, in the global configuration mode, use no ha virtual-mac-prefix
command.

Tip: With the HA function enabled, if you want to modify the HA virtual MAC
prefix, you may need to disable the HA function first.

Viewing HA VMAC Prefix

To view the current HA virtual MAC prefix and the maximum number of HA clusters that can be
configured, use the following command in any mode:
show ha cluster

Configuring a Management IP
To manage the HA backup device, you need to configure a management IP for the backup device.
To configure a management IP address, in the interface configuration mode, use the following
command:
manage ip ip-address

l ip-address - Specifies the management IP address.

Configuring the Layer 3 Port Down-up Function


The Layer 3 port down-up function is enabled by default. When it is disabled, the following
physical interfaces are not brought down and up when the device switches from master to backup
during an HA switchover:

l The physical interface that is bound to a Layer 3 zone.

l The physical interface that belongs to a redundant interface, and the redundant interface is
bound to a Layer 3 zone.

l The physical interface that belongs to an aggregate interface, and the aggregate interface is
bound to a Layer 3 zone.

To enable or disable the Layer 3 port down-up function, in the global configuration mode, use the
following command:
ha l3-port-force-down-up {enable | disable}

l enable - Enable the Layer 3 port down-up function.

l disable - Disable the Layer 3 port down-up function.

Manually Synchronizing HA Information


In some exceptional circumstances the master and backup configurations can fall out of sync, and
you must synchronize the configuration of the master and backup device manually. To determine
whether manual synchronization is needed, take the following steps:

1. View the relevant configuration of both the master and backup device with the show
commands listed in the table below.

2. Compare the displayed configuration to decide whether manual synchronization is needed:

l If the configuration is consistent, no manual synchronization is needed.

l If the configuration is inconsistent, run the corresponding command to synchronize it
manually (see the table below).

Notes:

l Inconsistent local configuration, such as interface timeout settings, does not need to be
synchronized manually.

l Dynamic information, such as session information, does not need to be synchronized manually
unless it has failed to synchronize properly.

Commands to synchronize HA information manually are shown below:

HA synchronization information | show command | Manual synchronization command | clear synchronization times command
All static configuration and dynamic data | show ha sync state all | exec ha sync all | -
Configuration information | show configuration | exec ha sync configuration | clear ha sync config
File information | show file | exec ha sync file file-name | -
ARP table | show arp | exec ha sync rdo arp | -
DNS configuration information | show ip hosts | exec ha sync rdo dns | clear ha sync dns
DNS rewrite rule information | show dns-rewrite-rule | exec ha sync rdo dns-rewrite | -
DHCP configuration information | show dhcp | exec ha sync rdo dhcp | clear ha sync dhcp
MAC address table | show mac | exec ha sync rdo mac | -
PKI configuration information | show pki key; show pki trust-domain | exec ha sync rdo pki | clear ha sync pki
Session information | show session | exec ha sync rdo session | -
IPSec VPN information | show ipsec sa; show isakmp sa | exec ha sync rdo vpn | clear ha sync vpn
SCVPN information | show scvpn client test; show scvpn; show scvpn host-check-profile; show scvpn pool; show scvpn user-host-binding; show scvpn session; show auth-user scvpn | exec ha sync rdo scvpn | clear ha sync scvpn
L2TP information | show l2tp tunnel; show l2tp pool; show l2tp client {tunnel-name name [user user-name] | tunnel-id ID}; show auth-user l2tp [interface interface-name | vrouter vrouter-name | slot slot-no] | exec ha sync rdo l2tp | -
WebAuth information | show auth-user webauth | exec ha sync rdo webauth | -
NTP information | show ntp | exec ha sync rdo ntp | clear ha sync ntp
Route information | show ip route | exec ha sync rdo route | clear ha sync route
Multicast routing information | show ha sync statistic mroute; show ha sync state mroute | exec ha sync rdo mroute | clear ha sync mroute

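The check described in the steps above, as an added example that is not part of the StoneOS guide: a Python script that diffs the `show configuration` text captured from both HA members, ignores local-only settings (the notes above name interface timeouts), and maps each differing area to the manual synchronization command from the table. The config-line prefixes, the local-only patterns and the two sample dumps are constructed assumptions and do not reproduce real StoneOS output.

```python
"""Decide whether the HA members need a manual sync, from two config dumps."""
import re
from typing import Dict, List, Tuple

# Manual synchronization commands from the table above, keyed by information area.
SYNC_COMMANDS: Dict[str, str] = {
    "configuration": "exec ha sync configuration",
    "dns": "exec ha sync rdo dns",
    "dhcp": "exec ha sync rdo dhcp",
    "ntp": "exec ha sync rdo ntp",
    "route": "exec ha sync rdo route",
}

# Which config lines belong to which area. The prefixes are assumptions that
# mirror the table's show commands (show ip hosts -> dns, show ip route -> route, ...).
AREA_PREFIXES: List[Tuple[str, str]] = [
    ("ip host ", "dns"),
    ("ip route ", "route"),
    ("dhcp", "dhcp"),
    ("ntp ", "ntp"),
]

# Local-only settings that may legitimately differ between the two members
# (the notes above give interface timeouts as an example; hostname is an assumption).
LOCAL_ONLY = [re.compile(r"^timeout\b"), re.compile(r"^hostname\b")]

# Constructed sample dumps; they imitate, but do not reproduce, StoneOS output.
MASTER_DUMP = """
hostname fw-master
ip host intranet.example 10.1.1.10
ip host portal.example 10.1.1.20
ip route 0.0.0.0/0 203.0.113.1
ntp server 192.0.2.5
interface ethernet0/0
  timeout 30
address-book "servers"
  ip 10.1.1.0/24
"""

BACKUP_DUMP = """
hostname fw-backup
ip host intranet.example 10.1.1.10
ip route 0.0.0.0/0 203.0.113.1
ntp server 192.0.2.5
interface ethernet0/0
  timeout 60
address-book "servers"
  ip 10.1.1.0/24
"""


def normalize(dump: str) -> List[str]:
    """Strip whitespace, drop blank lines and local-only settings."""
    lines = []
    for raw in dump.splitlines():
        line = raw.strip()
        if line and not any(p.match(line) for p in LOCAL_ONLY):
            lines.append(line)
    return lines


def config_diff(master: str, backup: str) -> Tuple[List[str], List[str]]:
    """Return (lines only on the master, lines only on the backup)."""
    m, b = set(normalize(master)), set(normalize(backup))
    return sorted(m - b), sorted(b - m)


def area_of(line: str) -> str:
    """Classify a config line into an HA information area (default: configuration)."""
    for prefix, area in AREA_PREFIXES:
        if line.startswith(prefix):
            return area
    return "configuration"


def recommend(master: str, backup: str) -> List[str]:
    """Manual sync commands suggested by the table; empty when the configs are consistent."""
    only_master, only_backup = config_diff(master, backup)
    areas = {area_of(line) for line in only_master + only_backup}
    return [SYNC_COMMANDS[a] for a in sorted(areas)]


if __name__ == "__main__":
    commands = recommend(MASTER_DUMP, BACKUP_DUMP)
    for cmd in commands or ["configurations consistent; no manual sync needed"]:
        print(cmd)
```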

Enabling/Disabling Automatic HA Session Synchronization

By default the system will synchronize sessions between HA devices automatically. Session synchronization will generate some traffic, and will possibly impact device performance when the device is overloaded. You can enable or disable automatic HA session synchronization according to the device workload to assure stability.
To enable or disable automatic HA session synchronization, in the global configuration mode, use the following command:

l Enable: ha sync rdo session

l Disable: no ha sync rdo session

Enabling/Disabling Scheduled Comparison of HA Configurations

After the scheduled comparison of HA configurations is enabled, the system will check the HA configurations every 1 hour and record logs if the configuration is found to have changed. By default, the scheduled comparison of HA configurations is disabled.
To enable or disable the scheduled comparison of HA configurations, in global configuration mode, use the following command:

l Enable: ha configuration-consistency-check enable

l Disable: no ha configuration-consistency-check enable

Manually Switching Main and Backup Device Status of HA


To switch main and backup device status of HA manually, in any mode, use the following command:
exec ha master switch-over



Notes:

l This command is only supported on the main device of HA.

l If, while the switching operation executes, this device is performing batch synchronization, or some Hillstone devices (SG-6000-X6150, SG-6000-X6180, SG-6000-X7180, and SG-6000-X10800) are performing batch synchronization of SCM, the switching of HA main and backup device status will fail.

Backing up Statistical Data


In an HA cluster, when one device fails, the other will take over the work of the failed device and also continue its original work simultaneously to ensure uninterrupted service. In order to keep statistical data (such as monitor and log data) consistent after device switching, you can configure statistical data backup. After this feature is enabled, the system will send statistical data to both devices in the HA state, so that all data and configurations of the two devices can be backed up. Due to the large amount of data to back up, we recommend that you configure a Ten-GigabitEthernet interface (an interface expansion module with a Ten-GigabitEthernet interface is required) or an aggregate interface as the HA link interface; otherwise the data may become inconsistent. By default, this feature is disabled.
To back up statistical data to the other HA member, in the global configuration mode, use the following command:
ha analysis-data multicast
In the global configuration mode, use the following command to disable backup:
no ha analysis-data multicast

Notes: Currently, you can only back up statistical data via CLI, not WebUI.



Configuring Backup Device Configuration Mode

The system supports backup device configuration mode to enhance the consistency between the master device and the backup device. In this mode, the user can manually modify the configuration of the backup device by using the command of the corresponding function when the user finds that the configuration of the master device and the backup device is not synchronized correctly.
In the execution mode, use the following command:

l Enter the backup device configuration mode: exec ha slave-force-config enable

l Quit the backup device configuration mode: exec ha slave-force-config disable

Notes: After entering the backup device configuration mode, the master device can
still be normally configured, and the configuration of the master device and the
backup device can still be synchronized.

Viewing the Backup Status of Statistical Data

You can view the backup status of statistical data as needed, including whether statistical data
backup is enabled or not, device online status, device priority, etc. To view the backup status of
statistical data, in any mode, use the following command:
show ha apm state

Configuring the Deployment Mode of HA on a Cloud Platform


For the virtual firewall CloudEdge, when it is deployed in an HA scenario on a cloud platform, there are two ways:

l Via HAVIP: you can configure the high availability virtual IP address (HAVIP) on the cloud platform to deploy the HA scenario.

l Via AccessKey: you can configure the access key and secondary IP address on the cloud platform to deploy the HA scenario.



To enable the "HAVIP" way of CloudEdge's HA deployment, in the global configuration mode, use the following command:
ha cloud-deploy havip enable
To disable the "HAVIP" way and use the "AccessKey/AppID" way of CloudEdge's HA deployment instead, in the global configuration mode, use the following command:
ha cloud-deploy havip disable

Specifying the Cloud Platform for HA Deployment


For CloudEdge, when the "AccessKey/AppID" way is configured, you also need to specify the cloud platform on which CloudEdge is deployed. In the global configuration mode, use the following command:
ha cloud-deploy platform {tencent | aliyun | aws}
In the global configuration mode, use the command no ha cloud-deploy platform to delete the cloud platform.

Viewing the HA Cloud Deployment Information


For CloudEdge, to view the HA cloud deployment information, in any mode, use the following command:
show ha cloud-deploy

Specifying the AccessKey of Cloud Platform


For CloudEdge, when the "AccessKey/AppID" way is configured, you also need to specify the AccessKey of the cloud platform on which CloudEdge is deployed. In the global configuration mode, use the following command:
cloud-deploy accesskeyid key-id accesskeysecret password

l key-id - Enter the AccessKey or APP ID applied for on the cloud platform.

l password - Enter the key password applied for on the cloud platform.

In the global configuration mode, use the command no cloud-deploy accesskeyid to delete the configuration of the AccessKey.



Checking the Connectivity to Cloud Platform API
For virtual firewall CloudEdge, after configuring the access key and password corresponding to
the cloud platform, you can manually check the connectivity with the cloud platform API. In any
mode, use the following command:
exec cloud-deploy check cloud-connection

Verifying the Access ID and Password of the Cloud platform


For the virtual firewall CloudEdge, after configuring the access key and password corresponding to the cloud platform, you can manually verify whether the access ID and password are correct. In any mode, use the following command:
exec cloud-deploy check accesskey

Viewing the AccessKey of Cloud Platform


For CloudEdge, to view the AccessKey information of the cloud platform, in any mode, use the following command:
show cloud-deploy accesskey

Enabling/Disabling Platform Checking of HA devices


For the Hillstone CloudEdge virtual firewall, when it is deployed as HA, the system will check the platform consistency of the HA master and backup devices by default. You can disable the checking function in an HA environment for a platform upgrade (e.g., VM01 upgraded to VM02). During the upgrade process, the HA devices will remain in a negotiated successful state and user business will not be interrupted. After the upgrade is completed, please enable the checking again.
To disable the platform checking, in the global configuration mode, use the following command:
ha platform-check disable
To enable the platform checking, in the global configuration mode, use the following command:
ha platform-check enable



Viewing the Status of HA Platform checking
To view the status of platform checking, in any mode, use the following command:
show ha platform-check status

Configuring HA Traffic
For HA devices that are deployed in an asymmetric routing environment (i.e., inbound and outbound traffic may take different routes), you can enable HA traffic to assure that the inbound and outbound packets of a session are processed on the same device, thus avoiding session failure. The figure below illustrates a typical HA traffic application topology.

As shown in the figure above, the left route is from the PC to the FTP server by way of Device A, and the right route has the same start and end points by way of Device B. The metric values of these two routes are different from each other, making the network an asymmetric route. In addition, the FTP requests from the PC are sent to the FTP server via Device A. In order to assure that the response packets from the FTP server are returned to the PC via Device A, you need to enable HA traffic on both Device A and Device B.
To enable HA traffic, use the following two steps:



1. Configure the two HA devices to HA Peer mode;

2. Enable HA traffic.

Enabling HA Traffic

HA traffic is disabled by default. To enable or disable the function, in the global configuration
mode, use the following commands:

l To enable: ha traffic enable

l To disable: no ha traffic enable

Notes: After enabling the HA traffic function, the traffic between the devices increases. Hillstone recommends that you first configure the interface of the data link.

Configuring HA Traffic Delay

When processing outbound packets, the device with HA traffic enabled will synchronize packet-related information with the pairing device. If the response (i.e., the inbound packet) arrives before the synchronization is completed, the sessions will not be matched and the response to the request packet will be dropped. To solve this problem, in the transparent mode, you can configure HA traffic delay. The device will wait for the specified delay time so that the synchronization will be completed, and then process inbound packets.
To configure HA traffic delay, in the global configuration mode, use the following command:
ha traffic delay num

l num - Specifies the delay time. The value range is 1 to 50 ms. The default value is 3.

To cancel the above configurations, use the following command in the global configuration mode:
no ha traffic delay



Configuring First Packet Forwarding

In the routing mode, you can configure the first packet forwarding function to ensure that when processing outbound packets, the device will synchronize packet-related information with the pairing device. To configure the first packet forwarding function, use the following command in the global configuration mode:
ha traffic first-packet [max-size num]

l max-size num – Specifies the size of the first packet. The unit is byte. The value is 64 to
1024. Without configuring this parameter, the default value is 124.

To cancel the above configurations, use the following command in the global configuration mode:
no ha traffic first-packet

Configuring First Packet Forwarding Bounce Back

In the routing mode/transparent mode, you can configure the first packet forwarding bounce back function to ensure that when processing outbound packets, the device will synchronize packet-related information with the peer device.

l In the routing mode, the local device synchronizes the outbound packets and packet-related information to the peer HA device. After the peer device completes the session creation, it will return the outbound packets to the local device. After that, the local device performs the next step of forwarding processing.

l In the transparent mode, the local device sends the session synchronization information to the peer HA device, and then continues to send outbound packets. When the peer device completes the session creation, it will return the outbound packets to the local device, and then the local device will perform the next step of forwarding processing.

To configure the first packet forwarding bounce back function, use the following command in the
global configuration mode:
ha traffic first-packet-bounce-back [max-size num]



l max-size num – Specifies the size of the first packet. The unit is byte. The value is 64 to
1024. Without configuring this parameter, the default value is 124.

To cancel the above configurations, use the following command in the global configuration mode:
no ha traffic first-packet-bounce-back

Configuring HA Route Rematch by Session

In the HA Active-Passive (A/P) mode, you can enable the HA route rematch by session function if the master device and backup device are interconnected with other devices (such as switches) using different interfaces and IP addresses which are not in the same network segment. With this function enabled, the backup device will match the route again for the session synchronized from the master device and find a new egress interface for the route, thus avoiding session failure after HA switchover. The figure below illustrates a typical HA route rematch by session application topology.



As shown in the figure above, Device A and Device B work in HA A/P mode, with Device A as
the master and Device B as the backup device:

l Device A connects to Switch01 through interface eth0/2. Interface eth0/3 is not connected.
A static route with the destination IP of eth0/2 is configured.

l Device B connects to Switch01 through interface eth0/3. Interface eth0/2 is not connected.
A static route with the destination IP of eth0/3 is configured.

When HA switches, Device B becomes the primary device, but the next hop of the route synchronized from Device A is still the IP address of Switch01, causing the session failure. When the HA route rematch by session function is enabled on Device B, Device B will match the route and find the egress interface again for sessions synchronized from Device A, thus avoiding the session failure.

Notes:
l In the above typical scenario, you need to disable the eth0/3 of Device A and the eth0/2 of Device B by using the command shutdown.

l The HA session rematch route function supports Destination Routing, Destination-Interface-Based Routing (DIBR), Source-Based Routing (SBR), Source-Interface-Based Routing (SIBR), and Policy-Based Routing (PBR).

The HA session rematch route function is disabled by default. To enable the function, in the
global configuration mode, use the following command:
ha session-rematch-route
To disable the HA session rematch route function, in the global configuration mode, use the command no ha session-rematch-route.

Viewing HA Configuration
To view the HA configuration information, use the following commands:

l Show the HA cluster configuration information: show ha cluster

l Show the HA group configuration information: show ha group {config | group-id}

l Show the HA link status: show ha link status

l Show the HA synchronization state: show ha sync state {pki | dns | dhcp | vpn | ntp | config | flow | scvpn | route | mroute}

l Show the HA traffic status: show ha traffic

l Show the HA synchronization statistics: show ha sync statistic {pki | dns | dhcp | vpn | ntp | config | scvpn | route | mroute}

l Show the HA protocol statistics: show ha protocol statistic

l Show the synchronized or unsynchronized HA session information: show session {sync | unsync}

l Show the HA statistics: show ha flow [[slot slot-number] | [cpu cpu-number]] statistics

l Show key information of the HA switchover: show ha state change info [all]

l all - Show key information for the last three HA switchovers, including HA state change time, HA state change event, HA state change reason, CPU information, memory information, session information and HA interface rate. If this parameter is not specified, the system will show key information for the latest HA switchover.

l Show current status (enable or disable) of the HA route rematch by session function: show ha session-rematch-route

Enabling HAVIP function that Alibaba Cloud provides to deploy HA


Only the CloudEdge deployed on Alibaba Cloud supports this function. With this function enabled, vADC will use the HAVIP function that Alibaba Cloud provides to deploy HA. If you use the secondary IP of the interface for HA deployment or do not want to deploy HA, you need to disable this function. To enable/disable HAVIP, in the global configuration mode, use the following command:

l Enable: ha aliyun-deploy havip enable

l Disable: ha aliyun-deploy havip disable

Configuring the Accesskey of Alibaba Cloud


Only the CloudEdge deployed on Alibaba Cloud supports this function. Specify the AccessKey
ID and password of your Alibaba Cloud account.
aliyun accesskeyid id accesskeysecret value

HSVRP
The system supports the Hillstone Virtual Redundant Protocol (HSVRP) function. In peer active-active (A/A) scenarios, if a device fails, traffic that originally flows into the interface of this device will be redirected to another healthy device. This ensures that network communication is not interrupted.
The HSVRP function provides the HSVRP group, which consists of a group of interfaces on two HA devices. The virtual IP address of the HSVRP group takes effect on the primary interface first. In other words, traffic that accesses the virtual IP address flows into the primary interface of the HSVRP group. If the device where the primary interface belongs fails, traffic will be redirected to the secondary interface on the other device. This avoids network communication interruptions.

Typical Scenario
HSVRP is usually deployed in HA peer mode. In the following scenario, HA group 0 of the M0D1 device is at the active status and HA group 1 of the M0D1 device is at the disabled status. HA group 1 of the D0M1 device is at the active status and HA group 0 of the D0M1 device is at the disabled status. The eth0/1 and eth0/1:1 interfaces are service forwarding interfaces of HA group 0 and group 1 respectively. After the HSVRP function is configured, the virtual IP address of the HSVRP group takes effect on eth0/1 first. If M0D1 fails, the virtual IP address takes effect on eth0/1:1 and redirects traffic that accesses eth0/1 to eth0/1:1. This ensures that the business of HA group 0 is not affected.
In the following scenario, an HSVRP group is configured and the virtual IP address of the HSVRP group is 20.1.1.1. The virtual IP address is referenced by the eth0/1 and eth0/1:1 interfaces and takes effect on eth0/1 first. The gateway of a PC over the internal network is set to the virtual IP address (20.1.1.1). When the PC accesses the server:

l If M0D1 and D0M1 are running as normal, the virtual IP address (20.1.1.1) takes effect on eth0/1 and access traffic is redirected by M0D1.

l If M0D1 fails, the virtual IP address (20.1.1.1) takes effect on eth0/1:1 and D0M1 takes over from M0D1 to redirect access traffic.

Basic Concepts

HSVRP Group

HSVRP group is a virtual entity that has a virtual IP address and a virtual MAC address. In HA
scenarios, after an HSVRP group is configured, the group does not take effect until referenced by
a group of interfaces on HA devices.

Referencing an HSVRP Group by an Interface

After an interface references an HSVRP group, the virtual IP address of the HSVRP group takes
effect. One interface can reference up to two HSVRP groups. If an interface references two
HSVRP groups, the interface needs to be used as the primary interface of an HSVRP group and
the secondary interface of another HSVRP group.



If the interface is used as the primary interface of an HSVRP group, the virtual IP address of the
HSVRP group takes effect on the interface first. If the interface is used as the secondary interface
of an HSVRP group, the virtual IP address of the HSVRP group takes effect on the interface only
when the device where the primary interface of the HSVRP group belongs fails.
For example, in peer A/A scenarios, M0D1 uses eth0/1 as the service forwarding interface and
D0M1 uses eth0/1:1 as the service forwarding interface. Two HSVRP groups hsvrp 1 and hsvrp
2 configured with a virtual IP address are created.

l Example 1: The eth0/1 and eth0/1:1 interfaces reference only hsvrp 1. The eth0/1 interface
is used as the primary interface of hsvrp 1 and the eth0/1:1 interface is used as the secondary
interface of hsvrp 1.
In this case, the virtual IP address of hsvrp 1 takes effect on eth0/1, which receives traffic
that accesses the virtual IP address. The eth0/1:1 interface is in the backup state. The virtual
IP address of hsvrp 1 takes effect on eth0/1:1 and eth0/1:1 starts taking over traffic of
eth0/1 only when M0D1 fails.

l Example 2: The eth0/1 and eth0/1:1 interfaces reference both hsvrp 1 and hsvrp 2. The
eth0/1 interface is used as the primary interface of hsvrp 1 and the secondary interface of
hsvrp 2. The eth0/1:1 interface is used as the secondary interface of hsvrp 1 and the primary
interface of hsvrp 2.
In this case, the virtual IP address of hsvrp 1 takes effect on eth0/1 and the virtual IP address
of hsvrp 2 takes effect on eth0/1:1. That is, eth0/1 receives traffic that accesses the virtual
IP address of hsvrp 1 and eth0/1:1 receives traffic that accesses the virtual IP address of
hsvrp 2 within the same period. The eth0/1 and eth0/1:1 interfaces serve as a backup for
each other.

l If M0D1 fails, eth0/1:1 takes over traffic of eth0/1. Traffic that accesses the virtual IP
address of both hsvrp 1 and hsvrp 2 reaches eth0/1:1.

l If D0M1 fails, eth0/1 takes over traffic of eth0/1:1. Traffic that accesses the virtual IP
address of both hsvrp 1 and hsvrp 2 reaches eth0/1.



HSVRP Group Status

The system determines the interface on which the virtual IP address of an HSVRP group takes effect based on the status of the HSVRP group. This interface processes traffic that accesses the virtual IP address. Only one interface takes effect at a time. If the device where this interface belongs fails, the interface on the other device takes over traffic of the faulty device to ensure business continuity in the network.
An HSVRP group can be in the active or inactive state. If the status of the HSVRP group on the interface is active, it indicates that the HSVRP group takes effect on this interface, which processes traffic that accesses the virtual IP address. If the status of the HSVRP group on the interface is inactive, it indicates that the HSVRP group does not take effect on this interface and another interface processes traffic that accesses the virtual IP address. If the status of the HSVRP group on an interface is active, the status of the same HSVRP group on the other interface is inactive at the same time.
The status of an HSVRP group on an interface is determined by whether the interface is the primary interface of the HSVRP group and whether the device where the interface belongs runs as normal:

l If the device where the primary interface belongs runs as normal, the status of the HSVRP group on the primary interface is active. Otherwise, the status of the HSVRP group on the secondary interface is active.

l If the device where the primary interface belongs recovers from a failure, the status of the HSVRP group on the primary interface changes from inactive to active.

When the status of the HSVRP group on the interface changes from inactive to active, the interface uses the virtual IP address and virtual MAC address of the HSVRP group to send gratuitous ARP packets, redirects traffic that accesses the virtual IP address to itself, and then forwards the traffic.



Configuring HSVRP

l Creating an HSVRP Group

l Configuring the Virtual IP Address of an HSVRP Group

l Viewing an HSVRP Group

l Referencing an HSVRP Group by an Interface

Creating an HSVRP Group

You can create up to 255 HSVRP groups. To create an HSVRP group, use the following command in global configuration mode:
hsvrp id id

l id - Specifies the ID of the HSVRP group. Valid values: 1 to 255. For example, hsvrp id 1 and hsvrp id 2 indicate different HSVRP groups. After the command is executed, you will enter the configuration mode of the HSVRP group.

In global configuration mode, use the no hsvrp id id command to delete a specified HSVRP
group.

Notes: Before you delete an HSVRP group, you need to cancel the reference to the
HSVRP group by interfaces.

Configuring the Virtual IP Address of an HSVRP Group

The IP address of an HSVRP group and the IP address of the interface to which the HSVRP group is bound can belong to the same network segment or different network segments. To configure the virtual IP address of an HSVRP group, use the following command in HSVRP group configuration mode:
ip address {A.B.C.D | A.B.C.D/M}



l A.B.C.D | A.B.C.D/M - Specifies the IP address of the HSVRP group.

l If you specify the IP address in the A.B.C.D format, the subnet mask is 255.255.255.255. In this case, the specified IP address and the IP address of the interface to which the HSVRP group is bound must belong to the same network segment.

l If you specify the IP address in the A.B.C.D/M format, the specified IP address and the IP address of the interface to which the HSVRP group is bound must belong to different network segments.

In HSVRP group configuration mode, use the no ip address [A.B.C.D | A.B.C.D/M] command
to cancel the configuration.

Tips: After you configure the virtual IP address of an HSVRP group, the system auto-
matically generates the virtual MAC address corresponding to the HSVRP group
based on the HSVRP group ID. The generated virtual MAC address is in the format
of 00-00-5E-00-01-id, in which "id" indicates the hexadecimal HSVRP group ID. For
example, the virtual MAC address of hsvrp 17 is 00-00-5E-00-01-11.

Viewing an HSVRP Group

To view an HSVRP group, use the following command in any configuration mode:
show hsvrp [id id]

l id id - Specifies the ID of the HSVRP group whose information you want to view, including
the virtual IP address, virtual MAC address, primary interface name, secondary interface name,
and the name of the interface on which the virtual IP address takes effect.



Referencing an HSVRP Group by an Interface

In peer mode, to ensure that the interface address of the M0D1 or D0M1 device is still reachable when the device fails, the interface needs to reference an HSVRP group. After the interface references a configured HSVRP group and provides the IP address of the HSVRP group externally, traffic that accesses the IP address of the HSVRP group will reach this interface and be processed by the device where this interface belongs.
The following types of interfaces can reference an HSVRP group: physical interface, aggregate
interface, redundant interface, VSwitch interface, or subinterface of preceding interfaces.
To reference an HSVRP group for an interface, in global configuration mode, use the following
command to go to the interface configuration mode of the interface:
interface interface-name

l interface-name - Specifies the interface name and you will enter the configuration mode of the
interface.

In interface configuration mode, use the following command to reference a configured HSVRP
group for the interface:
hsvrp id id {primary | secondary}

l id - Specifies the ID of the HSVRP group.

l primary - Sets the interface to the primary interface of the HSVRP group. If both devices in peer A/A mode run as normal, the referenced HSVRP group is in the active state on the interface.

l secondary - Sets the interface to the secondary interface of the HSVRP group. If both devices in peer A/A mode run as normal, the referenced HSVRP group is in the inactive state on the interface.

In interface configuration mode, use the no hsvrp id id {primary | secondary} command to cancel the reference to the HSVRP group.



Notes:
l The IP address of an interface cannot be the same as the virtual IP address of
the referenced HSVRP group.

l After an interface references an HSVRP group, you can still use the IP
address of the interface itself. However, we recommend that you use the IP
address as the management IP address instead of as the IP address of other
service forwarding interfaces.

l If an interface is used as a primary interface and secondary interface respectively and is bound to two HSVRP groups, the IP address of these two HSVRP groups needs to belong to the same network segment.

l If an HSVRP group needs to be referenced, the IP address of the interface needs to be a static IP address configured manually, which cannot be obtained dynamically.

l If an interface needs to reference an HSVRP group, the interface cannot be configured with the management IP address or have the local attribute enabled, and the secondary IP address of the interface cannot be the same as the IP address of the referenced HSVRP group.

l After an interface references an HSVRP group, you can configure only static
routes for network devices connected to the interface and cannot use
dynamic routing protocols.
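The HSVRP behaviour described in this section (Examples 1 and 2 under "Referencing an HSVRP Group by an Interface", the group status rules, the virtual MAC format from the Tips, and the reference constraints in the notes above), carried through as an added Python model that is not StoneOS code. Device and interface names (M0D1, D0M1, eth0/1, eth0/1:1) and the VIP 20.1.1.1 come from the scenario above; the interface IP addresses and the second VIP are constructed assumptions.

```python
"""HSVRP group status model (added example; not StoneOS code)."""
from ipaddress import ip_interface
from typing import Dict, List, Optional, Tuple


def virtual_mac(gid: int) -> str:
    """Virtual MAC derived from the group ID: 00-00-5E-00-01-<hex id>, e.g. 17 -> ...-11."""
    if not 1 <= gid <= 255:
        raise ValueError("HSVRP group ID must be between 1 and 255")
    return "00-00-5E-00-01-%02X" % gid


class Hsvrp:
    """Tracks groups, interface references and which interface holds each VIP."""

    def __init__(self) -> None:
        self.groups: Dict[int, str] = {}            # gid -> VIP as given to `ip address`
        self.roles: Dict[int, Dict[str, str]] = {}  # gid -> {"primary"/"secondary": iface}
        self.refs: Dict[str, Dict[int, str]] = {}   # iface -> {gid: role}
        self.iface_ip: Dict[str, str] = {}          # iface -> static IP with prefix (assumed)
        self.device_up: Dict[str, bool] = {}        # device -> running normally?

    def add_interface(self, device: str, name: str, ip_with_prefix: str) -> str:
        key = f"{device}/{name}"                    # e.g. "M0D1/eth0/1"
        self.iface_ip[key] = ip_with_prefix
        self.refs.setdefault(key, {})
        self.device_up.setdefault(device, True)
        return key

    def create_group(self, gid: int, vip: str) -> None:
        """`hsvrp id <gid>` followed by `ip address <vip>` in HSVRP group mode."""
        virtual_mac(gid)                            # validates the 1..255 range
        self.groups[gid] = vip
        self.roles.setdefault(gid, {})

    def reference(self, iface: str, gid: int, role: str) -> None:
        """`hsvrp id <gid> {primary | secondary}` in interface mode, with the
        constraints from the notes above enforced."""
        vip, local = ip_interface(self.groups[gid]), ip_interface(self.iface_ip[iface])
        if vip.ip == local.ip:
            raise ValueError("interface IP must differ from the group's virtual IP")
        if "/" not in self.groups[gid] and vip.ip not in local.network:
            raise ValueError("an A.B.C.D virtual IP must be in the interface's segment")
        current = self.refs[iface]
        if len(current) >= 2 or role in current.values():
            raise ValueError("an interface references at most two groups, "
                             "as primary of one and secondary of the other")
        current[gid] = role
        self.roles[gid][role] = iface

    @staticmethod
    def _device(iface: str) -> str:
        return iface.split("/", 1)[0]

    def active_interface(self, gid: int) -> Optional[str]:
        """Interface on which the group's VIP takes effect: the primary while its
        device runs normally, otherwise the secondary."""
        for role in ("primary", "secondary"):
            iface = self.roles[gid].get(role)
            if iface and self.device_up[self._device(iface)]:
                return iface
        return None

    def status(self, gid: int, iface: str) -> str:
        return "active" if self.active_interface(gid) == iface else "inactive"

    def set_device_up(self, device: str, up: bool) -> List[Tuple[str, int, str, str]]:
        """Mark a device failed or recovered. Returns the gratuitous ARP
        announcements (iface, gid, VIP, VMAC) for groups that went inactive -> active."""
        before = {gid: self.active_interface(gid) for gid in self.groups}
        self.device_up[device] = up
        announcements = []
        for gid, vip in self.groups.items():
            now = self.active_interface(gid)
            if now is not None and now != before[gid]:
                announcements.append((now, gid, str(ip_interface(vip).ip), virtual_mac(gid)))
        return announcements


if __name__ == "__main__":
    # Example 2 above: eth0/1 is primary of hsvrp 1 / secondary of hsvrp 2, eth0/1:1 the reverse.
    h = Hsvrp()
    a = h.add_interface("M0D1", "eth0/1", "20.1.1.2/24")      # interface IPs are assumptions
    b = h.add_interface("D0M1", "eth0/1:1", "20.1.1.3/24")
    h.create_group(1, "20.1.1.1")                              # VIP from the scenario above
    h.create_group(2, "20.1.1.10")                             # constructed second VIP
    for iface, role1, role2 in ((a, "primary", "secondary"), (b, "secondary", "primary")):
        h.reference(iface, 1, role1)
        h.reference(iface, 2, role2)
    print("hsvrp 1 on", h.active_interface(1), "| hsvrp 2 on", h.active_interface(2))
    print("M0D1 fails ->", h.set_device_up("M0D1", False))
    print("M0D1 recovers ->", h.set_device_up("M0D1", True))
```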



Twin-mode HA

Introduction
Currently, data centers provide important data and office services in many industries. In order to improve reliability, companies generally build two or more data centers, and the L2 extension mode (DCI: Data Center Interconnection) is used for interconnection between two data centers. Two data centers running independently, providing business services and backing each other up, constitute a redundant data center.
The Hillstone devices are deployed in the data center in the routing mode, used to check traffic and isolate different regions by policy. Because of the DCI, asymmetric L3 traffic across the data centers and different regions may occur (i.e., inbound and outbound traffic may take different routes), and then the policy isolation will not take effect. To resolve this problem, the system provides the Twin-mode HA function. This function optimizes traffic forwarding, ensuring the business continuity and efficiency of redundant data centers.

Notes:

l Currently, only some devices (all platforms of the X series, E3960 and
above of the E series, and A3000 and above of the A series) support this
function.

l Before configuring Twin-mode HA, make sure the Twin-mode license is
installed.

l Currently, only the IP address and peer IP address of the Twin-mode HA A/P
link interface support IPv6.

l You must enable the HA function before enabling Twin-mode HA, and the
devices must be in Active-Passive (A/P) mode.

l In Twin-mode A/P mode or Twin-mode A/A mode, you must configure the same HA
cluster ID for the data centers.

Currently, the system supports the functions listed below together with Twin-mode HA.
For details and configuration, see the relevant section.

Supported functions:

l Application Layer Gateway (ALG)

l Interface

l High Availability (HA)

l Routing

l Application Layer Identification and Control

l System Management

l Log

l Virtual System (VSYS)

l Network Address Translation (NAT)

l Monitor

l Report

l SNMP

l Attack Defense

l Firewall

Twin-mode HA Deployment Scenarios

There are three typical Twin-mode HA deployment scenarios:

l Active-Passive (A/P) deployment scenario

As shown in the figure above, the two data centers are configured to form an HA group,
with one data center acting as the master and the other as its backup. When the master
data center fails, the backup data center is promoted to master and takes over packet
forwarding. Hillstone devices are deployed in each data center (either in series on
the traffic path or at the gateway position) and form an HA A/P pair.

l Active-Active (A/A) deployment scenario

As shown in the figure above, the two data centers perform their own tasks
simultaneously and monitor each other's operating status. When one data center fails,
the other takes over the work of the failed data center while continuing to run its own
tasks, so that service is uninterrupted. Hillstone devices are deployed in each data
center and form an HA A/P pair. The Twin-mode HA function solves the problem of
asymmetric Layer 3 traffic that crosses data centers and regions.

l Gateway deployment scenario: This scenario is a special case of the Active-Active
(A/A) deployment scenario.

As shown in the figure above, Hillstone devices are deployed in the data center as the
gateway and form an HA A/P pair. The two data centers form Twin-mode A/A mode and back
each other up. Because the Layer 2 extension device filters the identical IP address
and MAC address of the data center gateways, the problem is solved by deploying in
gateway mode and configuring the Twin-mode HA gateway function.

Twin-mode HA Synchronization
To ensure that the backup data center can take over when the master data center fails,
the master data center synchronizes its information to the backup data center. The
supported synchronization modes and the types of synchronized information depend on the
deployment mode.
In Twin-mode HA A/P mode, the types of information that can be synchronized include:

l IPv4 configuration information

l IPv4/IPv6 session information



l IPv4 ARP table

l IPv4 pinhole

l IPv4 track information

l IPv4/IPv6 dynamic route information

l IPv4 NTP information

l IPv4 signature file

l IPv6 ND neighbor information

l IPv6 PMTU entries

In Twin-mode HA A/A mode, the system supports two synchronization modes: part
synchronization and no synchronization. For the configuration steps, refer to
Specifying the deployment mode and synchronization mode. The types of information that
can be synchronized include:

l IPv4 configuration information (Policy/Service Book/Address Book/IPS/AV/URL/Schedule)

l IPv4 session information

l IPv4 pinhole

l IPv4 signature file

Configuring Twin-mode HA
Twin-mode HA is configured in the Twin-mode configuration mode. To enter the Twin-mode
configuration mode, in the global configuration mode, use the following command:
twin-mode
After executing the command, the system enters the Twin-mode configuration mode.
In the Twin-mode configuration mode, you can perform the following configurations:



l Specifying the deployment mode and synchronization mode for Twin-mode HA

l Specifying the Node

l Specifying the Priority

l Configuring the Preempt Mode

l Specifying the Hello Interval

l Specifying the Hello Threshold

l Configuring Twin-mode HA Link

l Enabling / Disabling Twin-mode HA

Notes:
l Before configuring the Twin-mode function, install the Twin-mode license
first.

l The deployment mode, node value and link must be specified.

Specifying the deployment mode and synchronization mode

Currently, the system supports two deployment modes for Twin-mode HA, A/A mode and A/P
mode, and two synchronization modes, part synchronization and no synchronization. In
the Twin-mode configuration mode, use the following command:
mode {active-active [no-sync | part-sync] | active-passive }

l active-active [no-sync | part-sync] – Specifies the deployment mode is A/A mode.

l no-sync - Specifies the synchronization mode is no synchronization.

l part-sync - Specifies the synchronization mode is part synchronization. For the
information that is synchronized in this mode, refer to Twin-mode HA Synchronization.

l active-passive – Specifies the deployment mode is A/P mode.

To cancel the specified deployment mode, in the Twin-mode configuration mode, use the fol-
lowing command:
no mode

Specifying the Node

To distinguish the data centers, each data center is marked with a Node value. To
specify the Node, in the Twin-mode configuration mode, use the following command:
node node-ID

l node-ID – Specifies the Node. The range is 0 to 1.

To cancel the specified Node, in the Twin-mode configuration mode, use the following com-
mand:
no node

Notes:
l You must specify a different Node for each data center.

l After modifying the Node, you must restart the device for the change to take
effect.

Specifying the Priority

The priority specified by this command is used for HA master election. The device with
the higher priority (the smaller number) is selected as the master device of the data
center. To specify the priority, in the Twin-mode configuration mode, use the following
command:
priority number



l number – Specifies the priority. The value range is the 1 to 254. The default value is 100.

To restore to the default priority, in the Twin-mode configuration mode, use the following com-
mand:
no priority

Tip: When the priorities are identical, the device with Node 0 is preferred.

Configuring the Preempt Mode

When the preempt mode is enabled, once the backup device finds that its own priority is
higher than that of the master device, it promotes itself to master and the original
master device becomes the backup device. When the preempt mode is disabled, even if the
backup device's priority is higher than the master's, it does not take over unless the
master device fails. When configuring the preempt mode, you can also set a delay time
so that the backup device takes over from the master only after the specified delay.
To configure the preempt mode, in the Twin-mode configuration mode, use the following
command:
preempt [delay-time]

l delay-time – Specifies the delay time. The value range is 1 to 600 seconds. The default
value is 3.

To cancel the preempt mode, in the Twin-mode configuration mode, use the following command:
no preempt

Specifying the Hello Interval

Hello interval refers to the interval for the HA device to send heartbeats (Hello packets) to other
devices in the HA group. The Hello interval in the same HA group must be identical. To specify
the Hello interval, in the Twin-mode configuration mode, use the following command:
hello interval time-interval



l time-interval – Specifies the interval for sending heartbeats. The value range is 1 to 100
seconds. The default value is 1s.

To restore to the default Hello interval, in the Twin-mode configuration mode, use the following
command:
no hello interval

Specifying the Hello Threshold

If the device misses the specified number of Hello packets from the other device, it
judges that the other device's heartbeat has failed. With the default values (a 1 s
Hello interval and a threshold of 10), a silent peer is therefore declared failed after
about 10 seconds. To specify the Hello threshold, in the Twin-mode configuration mode,
use the following command:
hello threshold value

l value – Specifies the Hello threshold value. The value range is 5 to 255. The default
value is 10.

To restore to the default Hello threshold, in the Twin-mode configuration mode, use the fol-
lowing command:
no hello threshold
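The election, preempt and heartbeat rules described in Specifying the Priority, Configuring the Preempt Mode, Specifying the Hello Interval and Specifying the Hello Threshold, written out as an added Python example. This is not StoneOS code or Hillstone's implementation; it only encodes the rules the guide states (the smaller priority number wins, ties go to Node 0, a backup preempts a healthy master only when preempt is enabled on it and its priority number is smaller, and the peer is declared failed after `hello threshold` Hello intervals without a heartbeat). The way HeartbeatMonitor counts consecutive missed hellos is the example's own interpretation of the threshold, and the value ranges are the ones from the command descriptions above.

```python
"""Added example, not StoneOS code: the Twin-mode HA election, preempt and
heartbeat-failure rules stated in the guide, as plain Python."""
from dataclasses import dataclass
from typing import Optional

PRIORITY_DEFAULT = 100        # `priority` default
PREEMPT_DELAY_DEFAULT = 3     # `preempt [delay-time]` default, seconds
HELLO_INTERVAL_DEFAULT = 1    # `hello interval` default, seconds
HELLO_THRESHOLD_DEFAULT = 10  # `hello threshold` default


@dataclass
class TwinNode:
    node_id: int                              # `node node-ID`, 0 or 1
    priority: int = PRIORITY_DEFAULT          # smaller number = higher priority
    preempt: bool = False                     # `preempt` configured on this node?
    preempt_delay: int = PREEMPT_DELAY_DEFAULT

    def __post_init__(self) -> None:
        if self.node_id not in (0, 1):
            raise ValueError("node-ID must be 0 or 1")
        if not 1 <= self.priority <= 254:
            raise ValueError("priority must be 1..254")
        if not 1 <= self.preempt_delay <= 600:
            raise ValueError("preempt delay must be 1..600 seconds")


def elect_master(a: TwinNode, b: TwinNode) -> TwinNode:
    """Smaller priority number wins; on a tie the device with Node 0 wins."""
    if a.node_id == b.node_id:
        raise ValueError("each data center must use a different Node")
    return min((a, b), key=lambda n: (n.priority, n.node_id))


def takeover_after(master: TwinNode, backup: TwinNode) -> Optional[int]:
    """Seconds until a healthy master is preempted by `backup`, or None if the
    backup only takes over when the master fails."""
    if backup.preempt and backup.priority < master.priority:
        return backup.preempt_delay
    return None


def dead_time(hello_interval: int = HELLO_INTERVAL_DEFAULT,
              hello_threshold: int = HELLO_THRESHOLD_DEFAULT) -> int:
    """Seconds of silence before the peer is declared failed: `hello threshold`
    missed hellos at `hello interval` (10 s with the defaults)."""
    if not 1 <= hello_interval <= 100:
        raise ValueError("hello interval must be 1..100 seconds")
    if not 5 <= hello_threshold <= 255:
        raise ValueError("hello threshold must be 5..255")
    return hello_interval * hello_threshold


class HeartbeatMonitor:
    """Counts consecutive Hello intervals without a heartbeat from the peer
    (assumed semantics of `hello threshold`); call tick() once per interval."""

    def __init__(self, threshold: int = HELLO_THRESHOLD_DEFAULT) -> None:
        self.threshold = threshold
        self.missed = 0
        self.peer_failed = False

    def tick(self, hello_received: bool) -> bool:
        """Record one interval; return True once the peer counts as failed."""
        if hello_received:
            self.missed = 0
            self.peer_failed = False
        else:
            self.missed += 1
            self.peer_failed = self.missed >= self.threshold
        return self.peer_failed


if __name__ == "__main__":
    dc0 = TwinNode(node_id=0, priority=50, preempt=True)
    dc1 = TwinNode(node_id=1)
    print("master:", elect_master(dc0, dc1).node_id)
    print("preempt after:", takeover_after(dc1, dc0), "s")
    print("dead time:", dead_time(), "s")
```

A practical consequence that falls out of the model: with preempt disabled on both sides, the election result only matters at the moment both data centers come up, and a lower `hello threshold` shortens detection time but also makes a flapping control link more likely to trigger a spurious switchover.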

Configuring Twin-mode HA Link

There are two types of Twin-mode HA links: the control link and the data link.
Currently, the system only supports physical interfaces and aggregate interfaces as
Twin-mode HA link interfaces.
Specify the Twin-mode HA link interface first, and then specify the IP address and the
peer IP address of the interface.

Specifying a Twin-mode HA Link Interface

To specify a Twin-mode HA link interface, in the Twin-mode configuration mode, use the fol-
lowing command:
link { control | data } interface interface-name



l control | data – Specifies the Twin-mode HA link type.

l interface-name – Specifies the name of the interface.

To delete the specified Twin-mode HA link interface, in the Twin-mode configuration mode, use
the following command:
no link { control | data } interface interface-name

Notes:

l On X-series devices, the panel interfaces ethernet0/0 to ethernet0/3 cannot be
specified as data link interfaces.

l The control link and the data link can specify up to two interfaces.

l When the volume of asymmetric data traffic is large, we recommend using two data
links or an aggregate interface to ensure sufficient bandwidth for the data traffic.

Specifying the IP Address of Twin-mode HA link Interface

After the Twin-mode HA link interface is specified, to configure the IPv4 or IPv6 address of the
Twin-mode HA link interface, in the Twin-mode configuration mode, use the following com-
mand:
link {ip | ipv6} ip-address netmask

l ip | ipv6 – Specifies the IP address of the Twin-mode HA link interface. It can be an IPv4
(ip) or IPv6 (ipv6)address.

l ip-address netmask – Specifies the IPv4 address and the netmask or the IPv6 address prefix
and the prefix length of the Twin-mode HA link interface.

To cancel the specified IP address, in the Twin-mode configuration mode, use the following com-
mand:
no link {ip | ipv6}



Specifying the Peer IP Address

The peer IP address can be either an IPv4 or an IPv6 address. To configure the peer IP
address, in the Twin-mode configuration mode, use the following command:
peer-ip {ip | ipv6} ip-address

l ip | ipv6 – Specifies the address family of the peer IP address: IPv4 (ip) or IPv6
(ipv6).

l ip-address – Specifies the IPv4 or IPv6 address of the peer. You can configure up to
two peer IP addresses.

To cancel the specified peer IP address, in the Twin-mode configuration mode, use the following
command:
no peer-ip

Notes:
l Currently, only the IP address and peer IP address of the Twin-mode HA A/P
link interface support IPv6 configuration.

l The IP address and the peer IP address of the Twin-mode HA A/P link interface
must be of the same type, both IPv4 or both IPv6.
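Before typing a Twin-mode HA link configuration into two devices, it is worth checking the plan against the constraints stated in the link sections above: physical or aggregate interfaces only, at most two interfaces per link, no data link on the X-series panel ports ethernet0/0 to ethernet0/3, IPv6 link addresses only in A/P mode, peer addresses in the same family as the link address, and at most two peer addresses. The validator below is an added Python example, not StoneOS code. The platform labels ("X", "E", "A"), reading "up to two interfaces" as a limit per link type, and requiring both a control and a data link to be present are assumptions of the example.

```python
"""Added example, not StoneOS code: pre-check a Twin-mode HA link plan
against the constraints the guide states, before it is configured."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# X-series panel interfaces that the guide says cannot carry a data link.
X_SERIES_NO_DATA_LINK = {f"ethernet0/{i}" for i in range(4)}
MAX_IFACES_PER_LINK = 2   # "up to two interfaces", read per link type (assumption)
MAX_PEER_IPS = 2          # "up to two peer IP addresses"


@dataclass
class TwinLinkPlan:
    mode: str                          # "active-passive" | "active-active"
    platform: str                      # "X", "E" or "A" series (example's own labels)
    control_ifaces: List[str] = field(default_factory=list)
    data_ifaces: List[str] = field(default_factory=list)
    link_ip: Optional[str] = None      # "address/prefix-length"
    peer_ips: List[str] = field(default_factory=list)


def is_physical_or_aggregate(name: str) -> bool:
    """Only physical and aggregate interfaces may be Twin-mode link interfaces;
    sub-interfaces such as ethernet0/2:1 are rejected."""
    return ":" not in name and name.startswith(("ethernet", "aggregate"))


def validate(plan: TwinLinkPlan) -> List[str]:
    """Return the list of problems found; an empty list means the plan passes."""
    problems: List[str] = []
    if plan.mode not in ("active-passive", "active-active"):
        problems.append("mode must be active-passive or active-active")

    for kind, ifaces in (("control", plan.control_ifaces), ("data", plan.data_ifaces)):
        if not ifaces:
            problems.append(f"{kind} link: no interface specified")
        if len(ifaces) > MAX_IFACES_PER_LINK:
            problems.append(f"{kind} link: at most {MAX_IFACES_PER_LINK} interfaces")
        for name in ifaces:
            if not is_physical_or_aggregate(name):
                problems.append(f"{kind} link: {name} is not a physical or aggregate interface")

    if plan.platform == "X":
        for name in plan.data_ifaces:
            if name in X_SERIES_NO_DATA_LINK:
                problems.append(f"data link: {name} is not allowed on X-series panel ports")

    if len(plan.peer_ips) > MAX_PEER_IPS:
        problems.append(f"at most {MAX_PEER_IPS} peer IP addresses")

    if plan.link_ip is None:
        problems.append("link IP address not specified")
        return problems
    try:
        link = ipaddress.ip_interface(plan.link_ip)
    except ValueError:
        problems.append(f"link ip {plan.link_ip!r} is not a valid address/prefix")
        return problems
    if link.version == 6 and plan.mode != "active-passive":
        problems.append("IPv6 link addresses are only supported in A/P mode")
    for p in plan.peer_ips:
        try:
            peer = ipaddress.ip_address(p)
        except ValueError:
            problems.append(f"peer ip {p!r} is not a valid address")
            continue
        if peer.version != link.version:
            problems.append(f"peer ip {p} is not the same family as link ip {link.ip}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan for an X-series pair in A/P mode.
    plan = TwinLinkPlan("active-passive", "X", ["ethernet0/4"], ["aggregate1"],
                        "10.255.0.1/24", ["10.255.0.2"])
    print(validate(plan) or "plan OK")
```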

Enabling/Disabling Twin-mode HA

By default the Twin-mode HA function is disabled. To enable or disable Twin-mode HA, in the
Twin-mode configuration mode, use the following command:

l Enable: enable

l Disable: no enable



Specifying the Forwarding Mode of Asymmetric Traffic

For asymmetric traffic, Twin-mode HA provides two forwarding modes: tunnel mode and
Layer 2 tunnel mode.

l Tunnel Mode: The packet is encapsulated and sent to the peer data center through the
Data Link; after de-encapsulation, the peer data center forwards it. By default, the
forwarding mode is tunnel mode.

l Layer 2 Tunnel Mode: The MAC address of the packet is rewritten to the virtual MAC
(VMAC) address that corresponds to the interface of the peer data center, and the
traffic is forwarded through the Layer 2 tunnel. With this mode, you must enable the
Layer 2 tunnel forwarding mode on all service interfaces of the device.

To enable the Layer 2 tunnel forwarding mode, in the interface configuration mode, use
the following command:
twin-mode-l2-tunnel-enable
To restore the default forwarding mode, in the interface configuration mode, use the
following command:
no twin-mode-l2-tunnel-enable

Notes: The forwarding mode must be specified, and the two modes cannot be mixed on
one device (all service interfaces in tunnel mode or all in Layer 2 tunnel mode);
otherwise the function does not take effect.

Configuring Twin-mode HA First Packet Forwarding Bounce Back

In the Twin-mode HA Active-Active (A/A) deployment scenario, you can configure the
first packet forwarding bounce back function. With this function enabled, the local
device sends the new session synchronization information and then the first packet
that triggered the new session to the peer device. When the peer device completes the
session creation, it returns the received first packet to the local device, which then
continues with the forwarding processing. This solves the packet loss that occurs in an
asymmetric routing environment when a reply packet reaches the peer device before the
session has been synchronized there and therefore finds no session.
To configure the Twin-mode first packet forwarding bounce back function, use the
following command in the Twin-mode configuration mode:
first-packet-bounce-back [max-size num]

l max-size num – Specifies the maximum size of the first packet that is sent to the
peer, in bytes. The value range is 64 to 1024. If the parameter is not configured, the
default value is 124.

To cancel the above configurations, use the following command in the Twin-mode configuration
mode:
no first-packet-bounce-back

Configuring Twin-mode HA Gateway

In the gateway deployment scenario, the Layer 2 extension device filters the identical
IP address and MAC address of the data center gateways, so asymmetric traffic is
blocked. To avoid this problem, enable the Twin-mode gateway function and configure the
gateway interface IP address used for sending ARP request messages. The system then
sends ARP requests with this IP address as the source IP and the Twin-mode virtual MAC
(VMAC) as the source MAC, and forwards data traffic with the Twin-mode VMAC as the
source MAC address, which resolves the asymmetric traffic problem.
To enable the Twin-mode gateway function and configure the gateway interface IP address
for sending ARP request messages, in the interface configuration mode, use the following
command:
twin-mode-gateway sender-ip ip-address

l ip-address – Specifies the gateway interface IP address used for sending ARP request
messages. This IP address must be in the same network segment as the IP address of the
gateway interface.

To disable this function and delete the specified IP address, in the interface
configuration mode, use the following command:
no twin-mode-gateway sender-ip ip-address



Notes: The gateway interface IP for sending ARP request messages of both data cen-
ters must be different.

Configuring the Switching Mode of Twin-mode HA Session State

In Twin-mode HA A/A mode, the system supports two switching modes of the Twin-mode HA
session state: unidirectional switching and bidirectional switching.

l Unidirectional switching: When a link from the data center to an external server
fails, the system quickly switches the inactive Twin-mode HA session state to the
active state so that the traffic is not interrupted.

l Bidirectional switching: When you need to change the traffic forwarding path of the
data center, you can use this switching mode; the system quickly switches the inactive
Twin-mode HA session state to the active state so as to optimize the traffic paths.

To configure the switching mode of the Twin-mode HA session state, in the Flow
configuration mode, use the following command:
twin-mode-sess-owner-change {follow-init-direction | follow-two-direction}

l follow-init-direction – Unidirectional switching: when traffic hits the upstream
(initial) direction of the inactive session, the system switches the session state.

l follow-two-direction – Bidirectional switching: when traffic hits both the upstream
and the downstream direction of the inactive session, the system switches the session
state.

To disable this function, in the Flow configuration mode, use the following command:
no twin-mode-sess-owner-change

Tip: To enter the flow configuration mode, in the global configuration mode, use
the command flow.



Manually Synchronizing Twin-mode HA Configuration Information

In some exceptional circumstances, the configurations of the master and backup data
centers may fall out of sync. In such a case you need to manually synchronize the
Twin-mode HA configuration information of the master and backup data centers. To
determine whether a manual synchronization is needed, take the following steps:

1. View the configuration differences between the master and backup data centers by
running the command show twin-mode configuration difference on the master device.

2. According to the displayed configuration information, determine whether you need to
manually synchronize the Twin-mode HA information:

l If the configuration information is consistent, no manual synchronization is needed;

l If the configuration information is inconsistent, run the command exec twin-mode sync
configuration to manually synchronize the configuration.

Notes: The command exec twin-mode sync configuration can only be executed on the master
HA device of the master data center.
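The decision behind show twin-mode configuration difference, namely which configuration objects are in synchronization scope for the selected deployment and synchronization mode and which of those differ between the master and backup data centers, as an added Python example (not StoneOS code, and not how the device computes the difference internally). The scope follows the Twin-mode HA Synchronization section above: A/P mode synchronizes IPv4 configuration in general, A/A part-sync synchronizes only policy, service book, address book, IPS, AV, URL and schedule, and A/A no-sync synchronizes nothing. The configuration objects below are constructed sample data, and the object type names are the example's own labels.

```python
"""Added example, not StoneOS code: which configuration objects are in
Twin-mode HA sync scope, and which of those differ between the two data
centers (the question `show twin-mode configuration difference` answers)."""
from typing import Dict, List, Optional, Set, Tuple

# Object types the guide lists for A/A part-sync (labels are the example's own).
AA_PART_SYNC_TYPES: Set[str] = {
    "policy", "service-book", "address-book", "ips", "av", "url", "schedule"}

Config = Dict[str, Dict[str, str]]   # object type -> object name -> definition
Diff = Tuple[str, str, Optional[str], Optional[str]]


def sync_scope(mode: str, sync: Optional[str] = None) -> Optional[Set[str]]:
    """Object types kept in sync, or None meaning 'all IPv4 configuration'
    (A/P mode).  Mirrors `mode {active-active [no-sync | part-sync] |
    active-passive}`; in A/A mode the sync mode must be given explicitly."""
    if mode == "active-passive":
        return None
    if mode == "active-active":
        if sync == "part-sync":
            return set(AA_PART_SYNC_TYPES)
        if sync == "no-sync":
            return set()
    raise ValueError(f"unsupported mode/sync combination: {mode} {sync}")


def config_difference(master: Config, backup: Config, mode: str,
                      sync: Optional[str] = None) -> List[Diff]:
    """Objects in sync scope whose definition differs or exists on one side only.
    Objects outside the scope are skipped: in A/A no-sync they are expected to
    differ and are not a reason to run `exec twin-mode sync configuration`."""
    scope = sync_scope(mode, sync)
    diffs: List[Diff] = []
    for ctype in sorted(set(master) | set(backup)):
        if scope is not None and ctype not in scope:
            continue
        m, b = master.get(ctype, {}), backup.get(ctype, {})
        for name in sorted(set(m) | set(b)):
            if m.get(name) != b.get(name):
                diffs.append((ctype, name, m.get(name), b.get(name)))
    return diffs


def needs_manual_sync(master: Config, backup: Config, mode: str,
                      sync: Optional[str] = None) -> bool:
    """True when the operator should run `exec twin-mode sync configuration`
    on the master HA device of the master data center."""
    return bool(config_difference(master, backup, mode, sync))


# Constructed sample configurations of the two data centers.
MASTER: Config = {
    "policy": {"rule1": "trust->untrust any any permit",
               "rule2": "untrust->trust any any deny"},
    "address-book": {"servers": "192.168.1.0/24"},
    "snmp": {"community": "ro-monitor"},
}
BACKUP: Config = {
    "policy": {"rule1": "trust->untrust any any permit"},   # rule2 is missing
    "address-book": {"servers": "192.168.1.0/24"},
    "snmp": {"community": "ro-backup"},                     # differs, out of A/A scope
}

if __name__ == "__main__":
    for mode, sync in (("active-passive", None), ("active-active", "part-sync"),
                       ("active-active", "no-sync")):
        print(mode, sync, config_difference(MASTER, BACKUP, mode, sync))
```

The point worth noticing is the missing policy rule: in A/A part-sync the device that lacks rule2 will apply a different policy decision to the half of a flow it sees, which is exactly the policy-isolation failure Twin-mode HA exists to prevent, so that difference should be resolved before traffic is trusted to the pair.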

Viewing/Clearing the Transfer Packet Count of Twin-mode HA

To view the transfer packet count of Twin-mode HA, in any mode, use the following command:
show twin-mode-counter
To clear the transfer packet count of Twin-mode HA, in any mode, use the following command:
clear twin-mode-counter

Viewing Twin-mode HA Configuration

To view the Twin-mode HA configuration information, use the following commands:



l Show the Twin-mode HA configuration information: show twin-mode configuration

l Show the Twin-mode HA link information: show twin-mode link

l Show the Twin-mode HA peer status: show twin-mode peer

l Show the Twin-mode HA status: show twin-mode status



Examples of HA
This section describes two HA configuration examples:

l Example 1: configuration example of HA in A/P mode

l Example 2: configuration example of HA Peer (A/A) mode and HA traffic

Example 1: Example of HA in A/P Mode

Requirement

The goal is to use two Hillstone devices of the same hardware platform, firmware version
and license to form an HA cluster in Active-Passive mode. The two devices use the same
interfaces to connect to the network. The network topology is shown below:

Configuration Steps

Step 1: Configure the interfaces and policy rules on Device A:



Device A
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone untrust
hostname(config-if-eth0/0)# ip address 100.1.1.4/29
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone trust
hostname(config-if-eth0/1)# ip address 192.168.1.4/29
hostname(config-if-eth0/1)# exit
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Step 2: Configure a track object that tracks the status of the interface on the master
device; if interface ethernet0/0 fails, the device fails over:

hostname(config)# track trackobj1
hostname(config-trackip)# interface ethernet0/0 weight 255
hostname(config-trackip)# exit
hostname(config)#

Step 3: Configure an HA group:

Device A
hostname(config)# ha group 0
hostname(config-ha-group)# priority 50
hostname(config-ha-group)# monitor track trackobj1
hostname(config-ha-group)# exit
hostname(config)#

Device B
hostname(config)# ha group 0
hostname(config-ha-group)# priority 100
hostname(config-ha-group)# exit
hostname(config)#

Step 4: Configure HA link interfaces and enable the HA function:

Device A
hostname(config)# ha link interface ethernet0/2
hostname(config)# ha link interface ethernet0/3
hostname(config)# ha link ip 1.1.1.1/24
hostname(config)#

Device B
hostname(config)# ha link interface ethernet0/2
hostname(config)# ha link interface ethernet0/3
hostname(config)# ha link ip 1.1.1.2/24
hostname(config)#

Step 5: Configure an HA cluster to enable HA:

Device A
hostname(config)# ha cluster 1

Device B
hostname(config)# ha cluster 1

Step 6: After the configuration has been synchronized, configure the management IPs of
the master device and the backup device:

Device A
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone trust
hostname(config-if-eth0/1)# manage ip 192.168.1.253

Device B
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone trust
hostname(config-if-eth0/1)# manage ip 192.168.1.254

Step 7: Configure the track object on Device B so that, if interface ethernet0/0 on
Device B fails, the device fails over:

Device B
hostname(config)# ha group 0
hostname(config-ha-group)# monitor track trackobj1
hostname(config-ha-group)# exit
hostname(config)#

After the above configuration, the system will select Device A as the master device for for-
warding traffic. Device B acts as the backup device. Device A will synchronize its configuration
information and status to Device B. When Device A fails and cannot forward traffic, or the eth-
ernet0/0 of Device A is disconnected, Device B will switch to the master device without inter-
rupting user’s communication, and continue to forward the traffic.



Example 2: Example of HA Peer Mode and HA Traffic

Requirement

This section describes how to configure HA Peer mode and HA traffic in an asymmetric
routing environment. Before configuring, make sure that the two Hillstone devices that
will adopt HA Peer mode use the same hardware platform, firmware version and license,
and that the interfaces connected to the network belong to the same security zone.
After completing the configuration, HA traffic is enabled on both devices. When the PC
requests a virus file in zip format from the FTP server, this function ensures that the
inbound and outbound packets are processed on Device A and that the related logs are
also generated on Device A. The network topology is shown below:



Configuration Steps

The following steps omit the configuration of interfaces and zones and only cover the
configuration of HA Peer mode and HA traffic.
Step 1: Configure HA Peer mode and HA link interfaces:

Device A
hostname(config)# ha link interface eth0/1
hostname(config)# ha link ip 1.1.1.1/24
hostname(config)# ha link data interface eth0/3
hostname(config)# ha cluster 1 peer-mode node 0
hostname(config)# exit

Device B
hostname(config)# ha link interface eth0/1
hostname(config)# ha link ip 1.1.1.2/24
hostname(config)# ha link data interface eth0/3
hostname(config)# ha cluster 1 peer-mode node 1
hostname(config)# exit

Step 2: Enable HA traffic:

Device A
hostname(M0D1)(config)# ha traffic enable
hostname(M0D1)(config)# exit

Device B
hostname(D0M1)(config)# ha traffic enable
hostname(D0M1)(config)# exit

Step 3: Configure the asymmetric routing environment. Assume that all routers use the
OSPF protocol and that the default metric and cost have been set:

Device A
hostname(M0D1)(config)# ip vrouter trust-vr
hostname(M0D1)(config-vrouter)# router ospf
hostname(M0D1)(config-router)# router-id 1.1.1.1 local
hostname(M0D1)(config-router)# network 20.1.1.1/24 area 0
hostname(M0D1)(config-router)# network 30.1.1.1/24 area 0
hostname(M0D1)(config-router)# network 60.1.1.1/24 area 0
hostname(M0D1)(config-router)# network 70.1.1.1/24 area 0
hostname(M0D1)(config-router)# exit
hostname(M0D1)# config
hostname(M0D1)(config)# interface eth0/2
hostname(M0D1)(config-if-eth0/2)# zone trust
hostname(M0D1)(config-if-eth0/2)# ip address 30.1.1.1/24
hostname(M0D1)(config-if-eth0/2)# exit
hostname(M0D1)(config)# interface eth0/2:1
hostname(M0D1)(config-if-eth0/2:1)# zone trust
hostname(M0D1)(config-if-eth0/2:1)# ip address 60.1.1.1/24
hostname(M0D1)(config-if-eth0/2:1)# exit
hostname(M0D1)(config)# interface eth0/4
hostname(M0D1)(config-if-eth0/4)# zone trust
hostname(M0D1)(config-if-eth0/4)# ip address 20.1.1.2/24
hostname(M0D1)(config-if-eth0/4)# exit
hostname(M0D1)(config)# interface eth0/4:1
hostname(M0D1)(config-if-eth0/4:1)# zone trust
hostname(M0D1)(config-if-eth0/4:1)# ip address 70.1.1.2/24
hostname(M0D1)(config-if-eth0/4:1)# exit
hostname(M0D1)(config)# end

Device B
hostname(D0M1)(config)# ip vrouter trust-vr
hostname(D0M1)(config-vrouter)# router ospf
hostname(D0M1)(config-router)# router-id 1.1.1.2 local

Step 4: Configure a track object to monitor the status of ethernet0/1 on R3. If the
interface fails, all the sessions are switched to Device B:

Device A
hostname(M0D1)(config)# track track1
hostname(M0D1)(config-trackip)# ip 30.1.1.2 interface eth0/2
hostname(M0D1)(config-trackip)# exit
hostname(M0D1)(config)# ha group 0
hostname(M0D1)(config-ha-non-group)# monitor track track1
hostname(M0D1)(config-ha-non-group)# exit

Step 5: Configure an AV profile on Device A and bind it to the security zone:

Device A
hostname(M0D1)(config)# av-profile av
hostname(M0D1)(config-av-profile)# profile-type ftp action log-only
hostname(M0D1)(config-av-profile)# file-type zip
hostname(M0D1)(config-av-profile)# exit
hostname(M0D1)(config)# zone untrust
hostname(M0D1)(config-zone-untrust)# av enable av
hostname(M0D1)(config-zone-untrust)# exit



Chapter 7 IPv6
The system supports IPv6 (Internet Protocol Version 6). Compared with IPv4, IPv6's
noticeable advantages include a larger address space, a simplified header, flexible
header extensions and options, hierarchical address allocation, stateless address
autoconfiguration, data security through the IPsec header, stronger QoS support, etc.
StoneOS is dual-stack firmware that supports both IPv4 and IPv6. It also supports
tunneling (the latest version supports manual IPv6 tunnels) for IPv6 communication.
This chapter describes the IPv6 configuration of StoneOS, including:
This chapter describes IPv6 configuration of StoneOS, including:

l Configuring an IPv6 address

l Configuring IPv6 NDP

l Configuring IPv6 system management

l Configuring IPv6 SNMP

l Configuring IPv6 debugging

l Configuring an IPv6 route

l Configuring IPv6 DNS

l Configuring PMTU

l Configuring an IPv6 policy rule

l Configuring IPv6 ALG

l NDP protection

l Configuring an IPv6 6to4 tunnel

l Configuring an IPv6 4to6 tunnel

l Configuring NAT-PT

Chapter 7 IPv6 838


l Configuring NAT64 and DNS64

l IPv6 configuration examples

Notes: All the IPv6-related functions in the current firmware version support
multiple VRs, i.e., the system supports the default VR trust-vr.

Configuring an IPv6 Address


Hillstone devices support dual stacks, so the interfaces can support IPv4 and IPv6 addresses sim-
ultaneously. By default only IPv4 is enabled. To enable IPv6 on an interface, in the interface con-
figuration mode, use the following command:
ipv6 enable
After enabling IPv6 on the interface, the system will also generate a link-local unicast IPv6
address for the interface.
To disable IPv6 and delete the link-local address allocated to the interface automatically, use the
command no ipv6 enable. However, if the interface is configured with other IPv6 options, this
command is not allowed.
For example, to enable IPv6 on ethernet0/1, use the following command:

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# ipv6 enable

After enabling IPv6 on an interface, you can configure the following IPv6 options for the inter-
face:

l Specifying a global IPv6 address

l Specifying address auto-config

l Specifying an EUI-64 address

l Specifying a link-local address



l Specifying an IPv6 MTU

l Viewing IPv6 Configuration

Specifying a Global IPv6 Address


Typically the global IPv6 address specified for an interface follows the format of IPv6 address pre-
fix/prefix length. Besides, the system also supports the format of IPv6 general prefix, i.e., an
address consisting of general prefix and sub-prefix. The general prefix need to be configured in the
global configuration mode, and can be referenced when users are specifying an address for an inter-
face. To specify a global IPv6 unicast address for an interface, in the interface configuration mode,
use the following command:
ipv6 address {ipv6-address/Mask | general-prefix-name sub-prefix/Mask }

l ipv6-address – Specifies the IPv6 address prefix.

l Mask – Specifies the prefix length. The value range is 1 to 128.

l general-prefix-name – Specifies the name of general prefix.

l sub-prefix/Mask – Specifies the sub-prefix.

Suppose the name of general prefix is test-prefix, the IPv6 address prefix is 2002:ae3:1111::/48,
the sub-prefix is 0:0:0:2222::1/64, then the command ipv6 address test-prefix 0:0:0:2222::1/64
will specify the IPv6 address 2002:ae3:1111:2222::1/64 for the interface.
To cancel the specified global IPv6 unicast address, use the following commands:
no ipv6 address (cancels all the IPv6 addresses on the interface)
no ipv6 address {ipv6-address/Mask | general-prefix-name sub-prefix/Mask } (cancels the spe-
cified IPv6 address on the interface)

Configuring an IPv6 General Prefix


The system supports IPv6 and 6to4 general prefix. The 6to4 general prefix follows the format of
2002:a:b::/48, where a:b is a hexadecimal address translated from the IPv4 address of the ref-
erenced interface (specified by interface-name). To configure an IPv6 general prefix, in the global
configuration mode, use the following command:



ipv6 general-prefix prefix-name {X:X:X:X::X/M | 6to4 interface-name}

l prefix-name – Specifies the name of general prefix.

l X:X:X:X::X/M – Specifies the IPv6 address prefix for the general prefix.

l 6to4 – Specifies to use 6to4 general prefix.

l interface-name – Specifies the interface referenced by the 6to4 general prefix (references the
IPv4 address of the interface).

To delete the specified IPv6 general prefix, in the global configuration mode, use the following
command:
no ipv6 general-prefix prefix-name {X:X:X:X::X/M | 6to4 interface-name}
To view the IPv6 general prefix defined in the system, in any mode, use the following command:
show ipv6 general-prefix

Specifying Address Auto-config


With address auto-config (stateless address autoconfiguration), the interface takes the address
prefix from received RA packets and combines it with its interface identifier to form a global
address. To specify address auto-config, in the interface configuration mode, use the following
command:
ipv6 address autoconfig [default]

l default – If a default router is learned from the RA packets received on the interface, this
option also installs a default route pointing to it.

To cancel address auto-config, in the interface configuration mode, use the following command:
no ipv6 address autoconfig

Specifying an EUI-64 Address


To specify an IPv6 address that uses EUI-64 interface ID, in the interface configuration mode,
use the following command:
ipv6 address ipv6-address/Mask eui-64



l ipv6-address – Specifies the IPv6 address prefix.

l Mask – Specifies the prefix length. The value range is 1 to 128. If the length is 64 or less, the
last 64 bits of the address are taken from the generated EUI-64 interface ID; if the length is
larger than 64, only the last (128 - prefix length) bits of the address are taken from the
interface ID.

Note that an EUI-64 interface ID embeds the interface's MAC address, so the address discloses the
hardware vendor (OUI) and stays recognizable across prefixes; RFC 7217 and RFC 8064 describe the
stable, opaque interface IDs recommended instead for hosts.

To cancel the specified EUI-64 address, in the interface configuration mode, use the command:
no ipv6 address ipv6-address/Mask eui-64
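
The three address forms above (general prefix plus sub-prefix, 6to4 general prefix, and EUI-64 interface IDs) are easier to reason about with the bit operations written out. The following Python script is an added example, not StoneOS code: it reproduces the page's worked example (test-prefix 2002:ae3:1111::/48 with sub-prefix 0:0:0:2222::1/64), shows that this general prefix is exactly the 6to4 encoding of the IPv4 address 10.227.17.17 (a private address, so it could not be used for real 6to4 relaying, which RFC 3056 restricts to globally routable IPv4 addresses), and applies the EUI-64 rule for prefix lengths both at and above 64. The MAC address, the 192.0.2.1 IPv4 address and the 2001:db8::/32 prefixes are constructed sample values.

```python
"""Composition of the IPv6 address forms described above (added example)."""
import ipaddress


def combine_general_prefix(general_prefix: str, sub_prefix: str) -> ipaddress.IPv6Interface:
    """Merge a general prefix with a sub-prefix the way `ipv6 address
    <general-prefix-name> <sub-prefix/Mask>` does: the leading bits come from
    the general prefix, everything after its prefix length from the sub-prefix.
    The sub-prefix must not set any bit that falls inside the general prefix."""
    gp = ipaddress.IPv6Network(general_prefix, strict=False)
    sp = ipaddress.IPv6Interface(sub_prefix)
    if int(sp.ip) & int(gp.netmask):
        raise ValueError("sub-prefix sets bits inside the general prefix")
    addr = int(gp.network_address) | int(sp.ip)
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(addr)}/{sp.network.prefixlen}")


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:a:b::/48 with a:b = the 32 bits of the interface's IPv4 address.
    6to4 (RFC 3056) only works with a globally routable IPv4 address; this is
    deliberately not enforced so private addresses can be inspected too."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(f"2002:{v4 >> 16:x}:{v4 & 0xFFFF:x}::/48")


def six_to_four_ipv4(prefix: str) -> ipaddress.IPv4Address:
    """Inverse: recover the embedded IPv4 address from a 2002::/16 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    n = int(net.network_address)
    if n >> 112 != 0x2002:
        raise ValueError("not a 6to4 prefix")
    return ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 appendix A): insert ff:fe in the middle of the
    48-bit MAC and flip the universal/local bit of the first octet."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Interface:
    """`ipv6 address <prefix/Mask> eui-64`: with Mask <= 64 the low 64 bits of
    the address are the interface ID; with Mask > 64 only the low (128 - Mask)
    bits come from the interface ID and the rest is kept from the prefix."""
    iface = ipaddress.IPv6Interface(prefix)
    plen = iface.network.prefixlen
    host_bits = 64 if plen <= 64 else 128 - plen
    iid = eui64_interface_id(mac) & ((1 << host_bits) - 1)
    keep = ((1 << 128) - 1) ^ ((1 << host_bits) - 1)
    addr = (int(iface.ip) & keep) | iid
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(addr)}/{plen}")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(combine_general_prefix("2002:ae3:1111::/48", "0:0:0:2222::1/64"))
    print(six_to_four_prefix("192.0.2.1"), six_to_four_ipv4("2002:ae3:1111::/48"))
    print(eui64_address("2001:db8:1::/64", "00:11:22:33:44:55"))
    print(eui64_address("2001:db8:1:0:aaaa::/80", "00:11:22:33:44:55"))
```

The overlap check in combine_general_prefix is the part worth keeping in mind when choosing sub-prefixes: a sub-prefix that carries bits inside the general prefix would silently change the advertised network, so the script refuses it rather than OR-ing the bits together.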

Specifying a Link-local Address


A link-local address is used for communication between nodes on a single link, for example
between hosts when there is no router on the link. By default the system automatically generates a
link-local address for an interface once IPv6 is enabled on it (in the interface configuration mode,
use the command ipv6 enable). You can also specify a link-local address for the interface as needed;
the specified address replaces the automatically generated one. To specify a link-local address for
an interface, in the interface configuration mode, use the following command:
ipv6 address ipv6-address link-local

l ipv6-address – Specifies the link-local address (an address within fe80::/10).

To cancel the specified link-local address (and restore to the default link-local address), in the
interface configuration mode, use the command no ipv6 address ipv6-address link-local.

Specifying an IPv6 MTU


To specify an IPv6 MTU for an interface, in the interface configuration mode, use the following
command:
ipv6 mtu value

l value – Specifies the MTU value. The default MTU value is 1500 bytes. The range is 1280 bytes
(the IPv6 minimum link MTU) to 1800/2000 bytes (the maximum MTU varies by platform). If the
Jumbo Frame function is enabled, the range is 1280 bytes to 9300 bytes and the default is still
1500 bytes. For more information about the Jumbo Frame function, see Jumbo Frame.

To restore to the default MTU, in the interface configuration mode, use the command no ipv6
mtu.

Viewing IPv6 Configuration


To view IPv6 configuration of an interface, in any mode, use the following command:
show ipv6 interface [interface-name] [prefix]

l interface-name – Shows IPv6 configuration of the specified interface. If this parameter is not
specified, the system will show all the interfaces which are enabled with IPv6.

l prefix – Shows IPv6 prefix of the specified interface.

Configuring IPv6 Neighbor Discovery Protocol


NDP (Neighbor Discovery Protocol) is a basic component of IPv6. It runs over ICMPv6 and is
responsible for discovering other nodes on the link, resolving their link-layer addresses,
discovering available routers and maintaining reachability information about neighbors. Besides
replacing IPv4 ARP, ICMP router discovery and ICMP redirect, NDP provides additional functions
such as neighbor unreachability detection. NDP messages carry no authentication (RFC 3756
describes the threat model), so any node on the same link can influence the neighbor cache and
default router selection; the settings in this section affect only the link attached to the
interface.
StoneOS supports the following NDP configurations:

l Configuring DAD

l Specifying reachable time

l Configuring RA parameters

l Specifying a RA interval

l Specifying RA lifetime

l Specifying DRP



l Configuring RA suppress on LAN interfaces

l Adding/Deleting static IPv6 neighbor cache

Configuring DAD
DAD (Duplicate Address Detection) is implemented by sending NS (Neighbor Solicitation) packets for
the tentative address. If another node on the link already uses that address, it replies with an NA
(Neighbor Advertisement) packet advertising that the address is in use, and the NS sender marks
the address as Duplicate, i.e., an invalid IPv6 address that is not assigned to the interface.
The configuration of DAD includes the number of NS attempts and the interval between them.
To specify the number of NS attempts for an interface, in the interface configuration mode, use the
following command:
ipv6 nd dad attempts times

l times – Specifies the number of NS packets to send. The value range is 0 to 20. The default
value is 1. Value 0 disables DAD on the interface. If no NA reply is received after the configured
number of NS packets, the system regards the IPv6 address as unique and starts using it. Note that
any node on the link can answer an NS, so a malicious neighbor can make DAD fail for every address
the interface tries (RFC 3756); disabling DAD avoids that but lets genuine duplicates go undetected.

To restore the default number of attempts, in the interface configuration mode, use the command no
ipv6 nd dad attempts.
To specify an NS packet interval for an interface, in the interface configuration mode, use the
following command:
ipv6 nd ns-interval interval

l interval – Specifies the interval for sending NS packets. The value range is 1000 to 3600000
milliseconds. The default value is 1000.

To restore the default NS packet interval, in the interface configuration mode, use the command
no ipv6 nd ns-interval.



Specifying Reachable Time
Reachable time is how long a neighbor is regarded as reachable after the system last confirmed
its reachability, for example by receiving an NA in reply to an NS. Once it expires, the next packet
sent to that neighbor triggers a new NS probe. To configure reachable time, in the interface
configuration mode, use the following command:
ipv6 nd reachable-time time

l time – Specifies reachable time. The value range is 0 to 3600000 milliseconds. The default
value is 30000.

To restore to the default value, in the interface configuration mode, use the command no ipv6 nd
reachable-time.

Specifying RA Parameters
Routers send RA (Router Advertisement) packets periodically to advertise availability information
and link/Internet parameters, including address prefix, recommended hop limit value, local MTU,
auto-config type flag used by the node, DNS configuration options, etc.

Specifying a Hop Limit

Hop limit is the value placed in the Cur Hop Limit field of RA packets sent by the interface; hosts
on the link adopt it as the default Hop Limit of the IPv6 packets they send. To specify a hop limit,
in the interface configuration mode, use the following command:
ipv6 nd hoplimit number

l number - Specifies the hop limit. The value range is 0 to 255 (0 means the router leaves the
value unspecified). The default value is 64.

To restore the default hop limit, in the interface configuration mode, use the following command:
no ipv6 nd hoplimit

Advertising MTU

You can specify whether RA packets sent on a device interface carry the MTU option, which
advertises the link MTU to the nodes on the link. By default the MTU is advertised. To advertise the
MTU, in the interface configuration mode, use the following command:
ipv6 nd adv-linkmtu
To stop advertising the MTU, in the interface configuration mode, use the following command:
no ipv6 nd adv-linkmtu

Specifying DNS Configuration Options

You can include DNS configuration options in the RA packets sent on device interfaces so that IPv6
hosts on the link configure DNS automatically. The DNS configuration options (RFC 8106) are:

l RDNSS (Recursive DNS Server) option: carries the IPv6 addresses of recursive DNS servers that
hosts use for name resolution.

l DNSSL (DNS Search List) option: carries a list of DNS suffixes that hosts append when resolving
short, unqualified names.

Hosts accept these options from any RA they receive on the link, so on links with untrusted hosts
they should be combined with rogue RA filtering at the access layer (RA Guard, RFC 6105).

Notes: DNS configuration options can only be configured on layer 3 interfaces.

To specify the RDNSS configuration option, in the interface configuration mode, use the following
command:
ipv6 nd ra dns server {suppress | ipv6-address lifetime {infinite | rdnss-life}}

l suppress - After this parameter is configured, RA packets sent on the specified interface no
longer carry the RDNSS option.

l ipv6-address - Specifies the IPv6 address of a recursive DNS server.

l lifetime {infinite | rdnss-life} - Specifies how long hosts may use the advertised server. If
infinite is specified, the option is valid permanently. If rdnss-life is configured, the value range
is 0 to 4294967295 seconds.



To cancel the specified RDNSS configuration option, in the interface configuration mode, use the
following command:
no ipv6 nd ra dns server {suppress | ipv6-address}
To specify the DNSSL configuration option, in the interface configuration mode, use the following
command:
ipv6 nd ra dns search-list {suppress | list lifetime {infinite | dnssl-life}}

l suppress - After this parameter is configured, RA packets sent on the specified interface no
longer carry the DNSSL option.

l list - Specifies the list of DNS suffix domain names.

l lifetime {infinite | dnssl-life} - Specifies the valid time of the DNSSL configuration option.
If infinite is specified, the option will be valid permanently. If dnssl-life is configured, the
value range is 0 to 4294967295 seconds.

To cancel the specified DNSSL configuration option, in the interface configuration mode, use the
following command:
no ipv6 nd ra dns search-list {suppress | list}

Specifying an Auto-config Type Flag

The M (managed address configuration) and O (other configuration) flags in RA packets tell hosts
on the link whether to obtain addresses, and other parameters such as DNS servers, through stateful
configuration (DHCPv6). To tell hosts to obtain addresses via DHCPv6 (set the M flag), in the
interface configuration mode, use the following command:
ipv6 nd managed-config-flag
To cancel the above configuration, in the interface configuration mode, use the command no ipv6
nd managed-config-flag.
To tell hosts to obtain configuration parameters other than addresses via DHCPv6 (set the O flag),
in the interface configuration mode, use the following command:
ipv6 nd other-config-flag
To cancel the above configuration, in the interface configuration mode, use the command no ipv6
nd other-config-flag.

Specifying an IPv6 Prefix and Parameters

By default RA packets advertise the IPv6 prefixes configured on the interface. You can also specify
which IPv6 prefix to advertise and configure its parameters. In the interface configuration mode,
use the following command:
ipv6 nd prefix {ipv6-prefix/M | default} [no-advertise | valid-lifetime preferred-lifetime [off-link |
no-autoconfig] | at valid-date [preferred-date [off-link | no-autoconfig]]]

l ipv6-prefix/M – Specifies the IPv6 prefix and its length to be advertised.

l default – Specifies the default parameter for all the prefixes.

l no-advertise – Do not advertise IPv6 prefix in RA packets.

l valid-lifetime – Specifies valid lifetime for the IPv6 prefix. The value range is 0 to
4294967295 seconds. The default value is 2592000 (30 days).

l preferred-lifetime – Specifies the preferred lifetime for the IPv6 prefix. The default value is
604800 (7 days). The preferred lifetime should not be larger than the valid lifetime.

l off-link – Advertises the prefix with the on-link (L) flag cleared: a node that receives the RA
does not treat the prefix as directly reachable on the link and does not add it to its routing
table; if the prefix already exists there, the node removes it.

l no-autoconfig – Advertises the prefix with the autonomous (A) flag cleared, telling hosts not to
use the prefix for stateless address auto-configuration.

l valid-date – Specifies a valid date for the prefix, i.e., the prefix is only valid before the date.
The format is MM/DD/YYYY HH:MM, such as 09/20/2010 09:30.

l preferred-date – Specifies a preferred valid date for the prefix. The format is
MM/DD/YYYY HH:MM. This date must be earlier than the valid date.



To cancel the above IPv6 prefix parameters, in the interface configuration mode, use the following
command:
no ipv6 nd prefix {ipv6-prefix/M | default}

Specifying a RA Interval
RA interval is the interval at which the interface sends unsolicited RA packets. It must not exceed
the RA lifetime configured on the interface, otherwise hosts may expire the router between two
advertisements. To reduce the chance of sending RA packets at the same moment as other routers on
the link, the system picks a random value between the minimum and maximum interval as the actual
interval. To configure an RA interval, in the interface configuration mode, use the following
command:
ipv6 nd ra interval max-interval [min-interval]

l max-interval – Specifies the maximum interval. The value range is 4 to 1800 seconds. The
default value is 600.

l min-interval – Specifies the minimum interval. The value range is 3 to 1350 seconds. The
minimum interval must not exceed 75% of the maximum interval and must be larger than 3. If this
parameter is not specified, the system uses 1/3 of the maximum interval as the minimum interval.

To restore the default RA interval, in the interface configuration mode, use the following
command:
no ipv6 nd ra interval

Specifying RA Lifetime
RA lifetime is the Router Lifetime value advertised in RA packets, i.e., how long hosts on the link
may keep this device as a default router after receiving an RA. To specify RA lifetime, in the
interface configuration mode, use the following command:
ipv6 nd ra lifetime time

l time – Specifies RA lifetime. The value range is 0 to 9000 seconds. The default value is 1800.
Value 0 means the device does not offer itself as a default router on the interface (hosts still
use the other contents of the RA, such as prefixes and DNS options). Any other value must not be
smaller than the RA interval.

To restore the default RA lifetime, in the interface configuration mode, use the following
command:
no ipv6 nd ra lifetime

Specifying DRP
DRP (Default Router Preference) is the preference value advertised in RA packets (RFC 4191). When
a host learns several default routers on the same link, it prefers the one advertising the highest
DRP. To specify DRP, in the interface configuration mode, use the following command:
ipv6 nd router-preference {high | medium | low}

l high – Specifies DRP as high.

l medium – Specifies DRP as medium.

l low – Specifies DRP as low.

To restore to the default value, in the interface configuration mode, use the following command:
no ipv6 nd router-preference

Configuring RA Suppress on LAN Interfaces


By default, FDDI interfaces with an IPv6 unicast route configured send RA packets automatically,
and interfaces of other types do not. RA suppress stops an interface from sending RA packets; use
it on interfaces where the device must not offer itself as a default router or DNS source for the
attached hosts. To configure RA suppress on a LAN interface, in the interface configuration mode,
use the following command:
ipv6 nd ra suppress
To re-enable the interface to send RA packets, in the interface configuration mode, use the
following command:
no ipv6 nd ra suppress
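
The RA commands in this section each set one field or option of the ICMPv6 Router Advertisement. The following Python script is an added example, not StoneOS code; it encodes and decodes those fields so the wire effect of each knob can be seen: ipv6 nd hoplimit (Cur Hop Limit), managed-config-flag and other-config-flag (M and O bits), router-preference (Prf bits, RFC 4191), ra lifetime (Router Lifetime, 0 meaning "not a default router"), reachable-time (Reachable Time), nd prefix (Prefix Information option, where off-link clears the L bit and no-autoconfig clears the A bit), adv-linkmtu (MTU option) and ra dns server / search-list (RDNSS and DNSSL options, RFC 8106). Mapping ns-interval to the Retrans Timer field is an assumption made here, not a statement from the page. The prefixes, DNS server address and search suffix are constructed sample values. The decoder rejects zero-length options, which RFC 4861 requires receivers to treat as malformed; it is also the part to look at when judging why RA suppression and RA Guard matter, since nothing in the packet authenticates the sender.

```python
"""Wire view of the RA fields configured with `ipv6 nd ...` (added example)."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134          # ICMPv6 type (RFC 4861)
OPT_PREFIX_INFO, OPT_MTU, OPT_RDNSS, OPT_DNSSL = 3, 5, 25, 31
PREF_BITS = {"high": 0b01, "medium": 0b00, "low": 0b11}   # Prf field, RFC 4191
PREF_NAMES = {v: k for k, v in PREF_BITS.items()}


def _dns_name(name: str) -> bytes:
    """DNS wire encoding of a search suffix: length-prefixed labels, zero-terminated."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def build_ra(*, hop_limit=64, managed=False, other=False, preference="medium",
             router_lifetime=1800, reachable_ms=30000, retrans_ms=1000,
             prefixes=(), mtu=None, rdnss=(), rdnss_lifetime=0,
             dnssl=(), dnssl_lifetime=0) -> bytes:
    """Encode an RA. prefixes: (prefix, valid, preferred, on_link, autoconf) tuples.
    The ICMPv6 checksum is left 0: the sending stack computes it over the
    IPv6 pseudo-header, which this function does not know."""
    flags = (managed << 7) | (other << 6) | (PREF_BITS[preference] << 3)
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                      router_lifetime, reachable_ms, retrans_ms)
    for pfx, valid, preferred, on_link, autoconf in prefixes:
        net = ipaddress.IPv6Network(pfx)
        pflags = (on_link << 7) | (autoconf << 6)      # L and A flags
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                           valid, preferred, 0) + net.network_address.packed
    if mtu is not None:
        pkt += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    if rdnss:
        body = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, rdnss_lifetime) + body
    if dnssl:
        body = b"".join(_dns_name(n) for n in dnssl)
        body += b"\x00" * (-len(body) % 8)              # pad to an 8-octet boundary
        pkt += struct.pack("!BBHI", OPT_DNSSL, 1 + len(body) // 8, 0, dnssl_lifetime) + body
    return pkt


def parse_ra(pkt: bytes) -> dict:
    """Decode an RA into the fields a host acts on, rejecting malformed options."""
    typ, _code, _csum, hop, flags, life, reach, retrans = struct.unpack("!BBHBBHII", pkt[:16])
    if typ != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "preference": PREF_NAMES.get((flags >> 3) & 0b11, "reserved"),
          "router_lifetime": life, "reachable_ms": reach, "retrans_ms": retrans,
          "default_router": life > 0, "prefixes": [], "mtu": None, "rdnss": None, "dnssl": None}
    i = 16
    while i + 2 <= len(pkt):
        otype, olen = pkt[i], pkt[i + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")      # RFC 4861 4.6: discard the packet
        body = pkt[i + 2:i + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO:
            plen, pflags, valid, preferred, _res = struct.unpack("!BBIII", body[:14])
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                                   "valid": valid, "preferred": preferred,
                                   "on_link": bool(pflags & 0x80), "autoconf": bool(pflags & 0x40)})
        elif otype == OPT_MTU:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif otype == OPT_RDNSS:
            servers = [str(ipaddress.IPv6Address(body[j:j + 16])) for j in range(6, len(body), 16)]
            ra["rdnss"] = {"lifetime": struct.unpack("!I", body[2:6])[0], "servers": servers}
        elif otype == OPT_DNSSL:
            names, j = [], 6
            while j < len(body) and body[j]:
                labels = []
                while j < len(body) and body[j]:
                    labels.append(body[j + 1:j + 1 + body[j]].decode())
                    j += 1 + body[j]
                names.append(".".join(labels))
                j += 1
            ra["dnssl"] = {"lifetime": struct.unpack("!I", body[2:6])[0], "names": names}
        i += olen * 8
    return ra


if __name__ == "__main__":
    # Constructed values, not from a real device: roughly what the interface
    # commands in this section would produce for a LAN with two prefixes.
    ra = build_ra(managed=True, other=True, preference="low",
                  prefixes=[("2001:db8:1::/64", 2592000, 604800, True, True),
                            ("2001:db8:2::/64", 2592000, 604800, False, False)],
                  mtu=1500, rdnss=["2001:db8::53"], rdnss_lifetime=1800,
                  dnssl=["corp.example"], dnssl_lifetime=1800)
    print(len(ra), "bytes")
    for key, value in parse_ra(ra).items():
        print(f"{key:15} {value}")
```

The second prefix in the sample is what `ipv6 nd prefix 2001:db8:2::/64 2592000 604800 off-link no-autoconfig` would advertise: both the L and A bits are clear, so hosts neither treat it as on-link nor build addresses from it.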



Adding/Deleting an IPv6 Neighbor Cache Entry
The IPv6 neighbor cache maps each neighbor's IPv6 address to its link-layer address and
reachability state, one entry per neighbor, and is consulted for every unicast packet sent to an
on-link destination. To view the IPv6 neighbor cache entries in the system, in any mode, use the
following command:
show ipv6 neighbor [interface interface-name | slot slot-num | static | vrouter vr-name |
ipv6-address | generic]

l interface-name – Shows IPv6 neighbor cache entries of the specified interface.

l ipv6-address – Shows IPv6 neighbor cache entries of the specified address.

l slot slot-num – Shows IPv6 neighbor cache entries of the specified slot. Only for some
devices (X6150, X6180, X7180, X10800).

l vrouter vr-name – Shows IPv6 neighbor cache entries of the specified VRouter.

l static – Shows static IPv6 neighbor cache entries.

l generic – Shows statistics of neighbor cache entries.

To add a static IPv6 neighbor cache entry, in the global configuration mode, use the following
command. Like a static ARP entry, a static neighbor entry is not learned from or updated by NA
packets received on the link, so it can pin the link-layer address of a critical neighbor (such as
the upstream router) against neighbor spoofing, but it must be updated by hand when that neighbor's
hardware changes.
ipv6 neighbor ipv6-address interface-name mac-address

l ipv6-address – Specifies the IPv6 address.

l interface-name – Specifies the name of interface.

l mac-address – Specifies the MAC address corresponding to the IPv6 address.

To delete a static IPv6 cache entry, in the global configuration mode, use the following command:
clear ipv6 neighbor [ipv6-address] [vrouter vr-name]

l ipv6-address – Deletes the IPv6 neighbor entry of the specified address.

l vrouter vr-name – Deletes the IPv6 neighbor cache entries of the specified VRouter.



IPv6 System Management
StoneOS supports FTP, TFTP, HTTP and HTTPS over IPv6: you can reach FTP and TFTP servers by
their IPv6 addresses, and you can reach the device's WebUI at its IPv6 address. The HTTP and
HTTPS services for IPv4 and IPv6 share the same protocol port numbers.
You can export the following objects to the IPv6 address of an FTP or TFTP server: configuration
file, system firmware, license, partial logs (alarm, event, security), PKI certificate, SCVPN
user-host binding list and URL database. FTP and TFTP carry the transferred file, and any FTP
credentials, in cleartext; run these transfers only over a trusted management network, especially
for configuration files and pkcs12 exports, which contain secrets. In the execution mode, use the
following commands:

l To export the configuration file: export configuration {{startup | backup} number} to {ftp
server ipv6-address [vrouter vrouter-name] [user username password string] | tftp server ipv6-
address [vrouter vrouter-name]} [file-name]

l To export the system firmware: export image name to {ftp server ipv6-address [vrouter
vrouter-name] [user username password string] | tftp server ipv6-address} [file-name]

l To export the license: export license name to {ftp server ipv6-address [user username pass-
word string] | tftp server ipv6-address} [file-name]

l To export logs: export log { event | security} to {ftp server ipv6-address [user username pass-
word string] | tftp server ipv6-address} [file-name]

l To export the PKI certificate: export pki trust-domain-name {cacert | cert | pkcs12 pass-
word} to {ftp server ipv6-address [user username password string] | tftp server ipv6-address}
[file-name]

l To export the SCVPN user-host binding list: export scvpn user-host-binding to {ftp server
ipv6-address [user username password string] | tftp server ipv6-address} [file-name]

l To export the URL database: export urlfilter-database to {ftp server ipv6-address [user user-
name password string] | tftp server ipv6-address} [file-name]



You can import the following objects from the IPv6 address of an FTP or TFTP server: application
signature database, configuration file, customized SCVPN and WebAuth webpages, system firmware,
ISP file, license, PKI certificate, SCVPN user-host binding list and URL database. In the execution
mode, use the following commands:

l To import the application signature database: import application-signature from {ftp server
ipv6-address [user username password string] | tftp server ipv6-address} file-name

l To import the configuration file: import configuration from {ftp server ipv6-address [user
username password string] | tftp server ipv6-address} file-name

l To import the customized SCVPN or WebAuth webpage: import customize {scvpn | webauth} from
{ftp server ipv6-address [user username password string] | tftp server ipv6-address} file-name

l To import the system firmware: import image from {ftp server ipv6-address [user username
password string] | tftp server ipv6-address} file-name

l To import the ISP file: import ispfile from {ftp server ipv6-address [user username password
string] | tftp server ipv6-address} file-name

l To import the license: import license from {ftp server ipv6-address [user username password
string] | tftp server ipv6-address} file-name

l To import the PKI certificate: import pki trust-domain-name {cacert | cert | pkcs12 password}
from {ftp server ipv6-address [user username password string] | tftp server ipv6-address}
file-name

l To import the SCVPN user-host binding list: import scvpn user-host-binding from {ftp server
ipv6-address [user username password string] | tftp server ipv6-address} file-name

Tip: For more detailed information about the command parameters, see related
chapters.



Configuring IPv6 SNMP
StoneOS allows you to view the general IPv6-related MIB information via SNMP. The configuration
of SNMP over IPv6 includes:

l Configuring an IPv6 management host

l Configuring an IPv6 trap destination host

l Creating an SNMPv3 user (IPv6 remote management host)

Tip: For more information about the SNMP configuration, see “Configuring SNMP” of “System
Management”.

Configuring an IPv6 Management Host


To configure an IPv6 management host, in the global configuration mode, use the following
command:
snmp-server ipv6-host {host-name | ipv6-address} {version [1 | 2c] community string [ro | rw] |
version 3 }

l host-name | ipv6-address – Specifies hostname or IPv6 address of the management host.

l version [1 | 2c] – Specifies the SNMP version as SNMP v1 or SNMP v2C.

l community string – Specifies the community string. The length is 1 to 31 characters. The
community string acts as the password between the management station and the agent: SNMP
packets whose community string does not match are dropped. This parameter only applies to SNMP
v1 and v2c. Note that v1 and v2c carry the community string in cleartext in every packet, so anyone
who can capture the traffic can read it; prefer version 3 where the management host supports it.

l ro | rw – Specifies the privilege of the community string. ro stands for read-only: such a
community string can only read information in the MIB. rw stands for read-write: such a
community string can also modify information in the MIB, so grant it only where write access is
actually required. This parameter is optional. By default the privilege is ro.

l version 3 – Specifies the SNMP version as SNMP v3.

To delete the specified IPv6 management host, in the global configuration mode, use the command
no snmp-server ipv6-host {host-name | ipv6-address}.

Configuring an IPv6 Trap Destination Host


You can configure an IPv6 destination host that receives SNMP trap packets. To configure an IPv6
trap destination host, in the global configuration mode, use the following command:
snmp-server ipv6-trap-host ipv6-address [ipv6-source-ip ipv6-address] {version {1 | 2c} community
string | version 3 user user-name engineID string} [port port-number]

l ipv6-trap-host ipv6-address – Specifies the IPv6 address of the trap destination host.

l ipv6-source-ip ipv6-address - Specifies the source IPv6 address that sends SNMP trap pack-
ets.

l version {1 | 2c} – Specifies to send trap packets via SNMPv1 or SNMPv2C.

l community string – Specifies the community string for SNMPv1 or SNMPv2C.

l version 3 – Specifies to send trap packets via SNMPv3.

l user user-name – Specifies the SNMPv3 username.

l engineID string – Specifies engine ID of the trap destination host.

l port port-number – Specifies the port number on which the destination host receives trap
packets. The value range is 1 to 65535. The default value is 162.

To delete the specified trap destination host, in the global configuration mode, use the command
no snmp-server ipv6-trap-host ipv6-address [ipv6-source-ip].



Notes: In an HA environment, the backup device does not synchronize the source IPv6 address
(ipv6-source-ip) configured on the primary device for sending SNMP trap packets. To specify the
source IPv6 address that the backup device uses for an added IPv6 trap host, run the snmp-server
ipv6-trap-host ipv6-address ipv6-source-ip ipv6-address command on the backup device.

Creating an SNMPv3 User


To configure an SNMPv3 user, in the global configuration mode, use the following command:
snmp-server user user-name group group-name v3 {remote remote-ip | ipv6-remote ipv6-
address} [auth-protocol {md5 | sha} auth-pass [enc-protocol {des | aes} enc-pass]]

l user user-name – Specifies the username. The length is 1 to 31 characters.

l group group-name – Specifies a user group defined in the system for the user.

l remote remote-ip – Specifies the IP address of the remote management host.

l ipv6-remote ipv6-address – Specifies the IPv6 address of the remote management host.

l auth-protocol {md5 | sha} – Specifies the authentication protocol as MD5 or SHA. If this
parameter is not specified, the security level is no authentication and no encryption
(noAuthNoPriv), which gives no protection against spoofed or replayed requests. Prefer sha, and
combine it with aes; md5 and des remain available only for compatibility with older managers.

l auth-pass – Specifies the authentication password. The length is 8 to 40 characters.

l enc-protocol {des | aes} – Specifies the encryption (privacy) protocol as DES or AES. Encryption
can only be enabled together with authentication (authPriv).

l enc-pass – Specifies the encryption password. The length is 8 to 40 characters.

The system supports up to 25 users. To delete the specified user, in the global configuration
mode, use the command no snmp-server user user-name.



Configuring IPv6 Debugging
The system supports ping to an IPv6 address. To ping an IPv6 address, in any mode, use the
following command:
ping ipv6 ipv6-address [count number] [size number] [source {ipv6-address | interface-name}]
[timeout time] [vrouter vr-name]

l ipv6-address – Specifies the destination address to which ping packets are sent.

l count number – Specifies the number of ping packets. The value range is 1 to 65535. The
default value is 5.

l size number – Specifies the size of ping packets. The length is 28 to 65535 bytes.

l source {ipv6-address | interface-name} – Specifies the source address where ping packets
originate. It can be either an IP address or an interface.

l timeout time – Specifies timeout for ping packets. The value range is 0 to 3600 seconds.
The default value is 0, i.e., never timeout.

l vrouter vr-name – Specifies the VRouter that sends ping packets.

Configuring IPv6 Routing


StoneOS supports four kinds of IPv6 static route: DBR (matched on destination address), SBR
(matched on source address), SIBR (matched on ingress interface and source address) and DIBR
(matched on ingress interface and destination address). To configure an IPv6 static route, you
first enter the VRouter configuration mode. In the global configuration mode, use the following
command:
ip vrouter vrouter-name

l vrouter-name – Specifies the name of the VRouter and enters the VRouter configuration mode.

Configuring an IPv6 DBR Entry


To add an IPv6 DBR entry, in the VRouter configuration mode, use the following command:



ipv6 route ipv6-address/M {null0 | ipv6-address | vrouter vrouter-name | interface-name
[ipv6-address]} [distance-value] [name name] [weight weight-value] [description description]
[track track-name]

l ipv6-address/M – Specifies the destination address segment.

l null0 – Specifies the Null0 interface; packets matching the route are discarded (a blackhole
route).

l ipv6-address | vrouter vrouter-name | interface-name [ipv6-address] – Specifies the next hop,
which can be a gateway address (ipv6-address), a VRouter (vrouter vrouter-name) or an interface
(interface-name), optionally with a gateway address on that interface.

l distance-value – Specifies the administrative distance of the route, which determines its
precedence: the smaller the value, the higher the precedence, and when multiple routes match, the
one with higher precedence is used. The value range is 1 to 255. The default value is 1. A value
of 255 makes the route invalid.

l name name – Specifies a name for the route entry.

l weight weight-value – Specifies the weight of the route for traffic forwarding in load
balancing. The value range is 1 to 255. The default value is 1.

l description description – Specifies a description for the route entry. The length is 1 to 63
characters.

l track track-name – Specifies the name of an existing track object. When the track fails, the
route becomes invalid.

Repeat the above command to add multiple DBR entries.


To delete the specified IPv6 DBR entry, in the VRouter configuration mode, use the following
command:
no ipv6 route ipv6-address/M { null0 | ipv6-address | vrouter vrouter-name | interface-name
[ipv6-address]}

Configuring an IPv6 SBR Entry


To add an IPv6 SBR entry, in the VRouter configuration mode, use the following command:



ipv6 route source ipv6-address/M {null0 | ipv6-address | interface-name | vrouter vrouter-name}
[distance-value] [name name] [weight weight-value] [description description] [track track-name]

l ipv6-address/M – Specifies the source address segment.

l null0 – Specifies the Null0 interface; packets matching the route are discarded.

l ipv6-address | interface-name | vrouter vrouter-name – Specifies the next hop, which can be a
gateway address (ipv6-address), a VRouter (vrouter vrouter-name) or an interface
(interface-name).

l distance-value – Specifies the administrative distance of the route, which determines its
precedence: the smaller the value, the higher the precedence, and when multiple routes match, the
one with higher precedence is used. The value range is 1 to 255. The default value is 1. A value
of 255 makes the route invalid.

l name name – Specifies a name for the route entry.

l weight weight-value – Specifies the weight of the route for traffic forwarding in load
balancing. The value range is 1 to 255. The default value is 1.

l description description – Specifies a description for the route entry. The length is 1 to 63
characters.

l track track-name – Specifies the name of an existing track object. When the track fails, the
route becomes invalid.

Repeat the above command to add multiple SBR entries.


To delete the specified IPv6 SBR entry, in the VRouter configuration mode, use the following
command:
no ipv6 route source ipv6-address/M { null0 | ipv6-address | interface-name | vrouter vrouter-
name}

Configuring an IPv6 SIBR Entry


To add an IPv6 SIBR entry, in the VRouter configuration mode, use the following command:



ipv6 route source in-interface interface-name ipv6-address/M {null0 | ipv6-address |
interface-name | vrouter vrouter-name} [distance-value] [name name] [weight weight-value]
[description description] [track track-name]

l interface-name – Specifies the ingress interface of the routing entry.

l ipv6-address/M – Specifies the source address segment.

l null0 – Specifies the Null0 interface; packets matching the route are discarded.

l ipv6-address | interface-name | vrouter vrouter-name – Specifies the next hop, which can be a
gateway address (ipv6-address), a VRouter (vrouter vrouter-name) or an interface
(interface-name).

l distance-value – Specifies the administrative distance of the route, which determines its
precedence: the smaller the value, the higher the precedence, and when multiple routes match, the
one with higher precedence is used. The value range is 1 to 255. The default value is 1. A value
of 255 makes the route invalid.

l name name – Specifies a name for the route entry.

l weight weight-value – Specifies the weight of the route for traffic forwarding in load
balancing. The value range is 1 to 255. The default value is 1.

l description description – Specifies a description for the route entry. The length is 1 to 63
characters.

l track track-name – Specifies the name of an existing track object. When the track fails, the
route becomes invalid.

Repeat the above command to add multiple SIBR entries.


To delete the specified IPv6 SIBR entry, in the VRouter configuration mode, use the following
command:
no ipv6 route source in-interface interface-name ipv6-address/M { null0 | ipv6-address | inter-
face-name | vrouter vrouter-name }



Configuring an IPv6 DIBR Entry
To add an IPv6 DIBR entry, in the VRouter configuration mode, use the following command:
ipv6 route in-interface interface-name ipv6-address/M {null0 | ipv6-address | interface-name |
vrouter vrouter-name} [distance-value] [name name] [weight weight-value] [description description]
[track track-name]

l interface-name – Specifies the ingress interface of the routing entry.

l ipv6-address/M – Specifies the destination address segment.

l null0 – Specifies the Null0 interface; packets matching the route are discarded.

l ipv6-address | interface-name | vrouter vrouter-name – Specifies the next hop, which can be a
gateway address (ipv6-address), a VRouter (vrouter vrouter-name) or an interface
(interface-name).

l distance-value – Specifies the administrative distance of the route, which determines its
precedence: the smaller the value, the higher the precedence, and when multiple routes match, the
one with higher precedence is used. The value range is 1 to 255. The default value is 1. A value
of 255 makes the route invalid.

l name name – Specifies a name for the route entry.

l weight weight-value – Specifies the weight of the route for traffic forwarding in load
balancing. The value range is 1 to 255. The default value is 1.

l description description – Specifies a description for the route entry. The length is 1 to 63
characters.

l track track-name – Specifies the name of an existing track object. When the track fails, the
route becomes invalid.

Repeat the above command to add multiple DIBR entries.
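The following Python program is an added example and is not StoneOS code or part of this guide. It models how the distance, weight and track attributes described in the SIBR and DIBR parameter lists above interact when several entries match the same traffic: entries with distance 255 or a failed track object are invalid, the lowest distance wins, and equal-distance entries share traffic in proportion to their weights. The route entries, interface names and addresses are constructed sample data.

```python
# Added example (not StoneOS code): how the distance, weight and track
# attributes of SIBR/DIBR entries decide which next hop carries traffic.
# All entries below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Optional

INVALID_DISTANCE = 255  # "When the value is set to 255, the route is invalid."


@dataclass
class RouteEntry:
    prefix: str                 # ipv6-address/M matched by the entry
    in_interface: str           # ingress interface (the in-interface parameter)
    next_hop: str               # gateway address, interface or vrouter
    distance: int = 1           # administration distance, 1..255, lower wins
    weight: int = 1             # load-balance weight, 1..255
    track_ok: bool = True       # False once the bound track object has failed
    name: Optional[str] = None  # optional route name

    def __post_init__(self) -> None:
        if not 1 <= self.distance <= 255:
            raise ValueError("distance must be between 1 and 255")
        if not 1 <= self.weight <= 255:
            raise ValueError("weight must be between 1 and 255")

    def usable(self) -> bool:
        # Distance 255 and a failed track object both make the entry invalid.
        return self.distance != INVALID_DISTANCE and self.track_ok


def select_routes(entries: List[RouteEntry], in_interface: str) -> List[RouteEntry]:
    """Active entries for traffic arriving on in_interface: the usable entries
    that share the best (lowest) administrative distance."""
    candidates = [e for e in entries if e.in_interface == in_interface and e.usable()]
    if not candidates:
        return []
    best = min(e.distance for e in candidates)
    return [e for e in candidates if e.distance == best]


def traffic_shares(active: List[RouteEntry]) -> Dict[str, float]:
    """Weight-proportional share of traffic per next hop when several entries
    with the same distance are active (load balancing)."""
    total = sum(e.weight for e in active)
    return {e.next_hop: e.weight / total for e in active}


def active_names(entries: List[RouteEntry], in_interface: str) -> List[str]:
    return [e.name for e in select_routes(entries, in_interface)]


def with_track_failed(entries: List[RouteEntry], name: str) -> List[RouteEntry]:
    """Copy of the table in which the named entry's track object has failed."""
    return [RouteEntry(**{**vars(e), "track_ok": e.track_ok and e.name != name})
            for e in entries]


# Constructed sample table: same prefix and ingress interface, different attributes.
SAMPLE_ENTRIES = [
    RouteEntry("2001:db8:10::/48", "ethernet0/0", "2001:db8:ff::1", weight=3, name="primary"),
    RouteEntry("2001:db8:10::/48", "ethernet0/0", "2001:db8:ff::2", weight=1, name="secondary"),
    RouteEntry("2001:db8:10::/48", "ethernet0/0", "2001:db8:ff::3", distance=10, name="backup"),
    RouteEntry("2001:db8:10::/48", "ethernet0/0", "null0", distance=255, name="disabled"),
    RouteEntry("2001:db8:10::/48", "ethernet0/1", "2001:db8:fe::1", name="other-ingress"),
]


if __name__ == "__main__":
    active = select_routes(SAMPLE_ENTRIES, "ethernet0/0")
    print("active:", active_names(SAMPLE_ENTRIES, "ethernet0/0"))
    print("shares:", traffic_shares(active))
    degraded = with_track_failed(SAMPLE_ENTRIES, "primary")
    print("after track failure:", active_names(degraded, "ethernet0/0"))
```

Running it shows "primary" and "secondary" active with a 3:1 split, "backup" (distance 10) waiting, and the distance-255 entry never used; once the track object of "primary" fails, only "secondary" remains active, and if that one fails too, "backup" takes over.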


To delete the specified IPv6 DIBR entry, in the VRouter configuration mode, use the following command:
no ipv6 route in-interface interface-name ipv6-address/M { null0 | ipv6-address | interface-name | vrouter vrouter-name }

Viewing IPv6 Routing Information


To view IPv6 routing information, in any mode, use the following commands:

l To view DBR information: show ipv6 route static [vrouter vr-name]

l To view SBR information: show ipv6 route source [vrouter vr-name]

l To view SIBR information: show ipv6 route source in-interface interface-name

l To view connected route information: show ipv6 route connected [vrouter vr-name]

l To view routing information of the specified destination address: show ipv6 route ipv6-address/[M] [vrouter vr-name]

l To view IPv6 routes statistics: show ipv6 route summary [vrouter vr-name]

l To view IPv6 FIB information: show ipv6 fib [source | source in-interface interface-name |
ipv6-address/[M] | summary] [vrouter vr-name]

Configuring RIPng
RIPng (RIP next generation) is an extension of the IPv4 RIP-2 protocol to IPv6. Most concepts of RIP are applicable to RIPng.
Compared with RIP, RIPng modifies the following items:

l UDP port: Uses UDP port 521 to send and receive routing information.

l Multicast address: Uses FF02::9, in the link-local address range, as the multicast address of RIPng routers.

l Prefix length: The destination address uses a prefix length of 128 bits.

l Next-hop address: Uses a 128-bit IPv6 address.

l Source address: Uses the link-local address FE80::/10 as the source address to send RIPng routing information update packets.

RIPng configuration includes basic options, redistribute, passive IF, network and distance. Besides, you also need to configure RIPng parameters for different interfaces, including split horizon and poison reverse.

Basic Options

The basic options of RIPng configuration include metric, distance, information originate and timer (update interval, invalid time, and flush time). You can configure the RIPng protocol for each VRouter respectively. The basic options of RIPng must be configured in the RIPng routing configuration mode. To enter the RIPng routing configuration mode, in the global configuration mode, use the following commands:
ip vrouter vrouter-name (enters the VRouter configuration mode)
ipv6 router rip (enters the RIPng routing configuration mode, and at the same time enables the RIPng function on the device. Each RIPng process is individual and you can create one RIPng process in a VRouter.)
To disable the RIPng function, in the VRouter configuration mode, use the command no ipv6 router rip.

Specifying a Default Metric

RIPng measures the distance to the destination network by counting the number of hops. This distance is known as the metric. The metric from a router to a directly connected network is 1, and increments by 1 for every additional router between them. The maximum metric is 15, and a network with a metric larger than 15 is not reachable. The default metric will take effect when the route is redistributed. To specify the default metric, in the RIPng routing configuration mode, use the following command:
default-metric value

l value – Specifies the default metric value. The value range is 1 to 15. If no value is specified,
the value of 1 will be used.

To restore the metric value to 1, in the RIPng routing configuration mode, use the command no
default-metric.

Specifying a Default Distance

To specify the default distance for RIPng, in the RIPng routing configuration mode, use the following command:
distance distance-value

l distance-value – Specifies the default administration distance value. The value range is 1 to 255. If no value is specified, the value of 120 will be used.

To restore to the distance value of 120, in the RIPng routing configuration mode, use the command no distance.

Specifying a Timer

The timers you can configure for RIPng include update interval, invalid time, holddown time and
flush time, as described below:

l Update interval: Specifies the interval at which all RIPng routes will be sent to all the neighbors. The default value is 30 seconds.

l Invalid time: If a route has not been updated for the invalid time, its metric will be set to 16,
indicating an unreachable route. The default value is 180 seconds.

l Flush time: StoneOS will keep on sending the unreachable routes (metric set to 16) to other
routers during the flush time. If the route still has not been updated after the flush time ends,
it will be deleted from the RIPng information database. The default value is 240 seconds.

To modify the above three timers, in the RIPng routing configuration mode, use the following
command:
timers basic interval-time invalid-time flush-time

l interval-time – Specifies the update interval time. The value range is 0 to 16777215 seconds.
The default value is 30.

l invalid-time – Specifies the invalid time. The value range is 1 to 16777215 seconds. The
default value is 180.

l flush-time – Specifies the flush time. The value range is 1 to 16777215 seconds. The default
value is 120.

To restore to the default timer value, in the RIPng routing configuration mode, use the command
no timers basic.
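The following Python simulation is an added illustration, not StoneOS code or part of this guide. It applies the hop-count metric rule from "Specifying a Default Metric" (one hop added per router, anything beyond 15 hops stored as 16) and the update, invalid and flush timer behaviour described above to one constructed route entry. It assumes that the flush period is counted from the moment the route becomes invalid, and uses 30, 180 and 240 seconds as the timer values; a refresh from a neighbor resets the ageing.

```python
# Added example (not StoneOS code): RIPng hop-count metrics and the
# update / invalid / flush timer behaviour, run on a constructed route entry.
from dataclasses import dataclass
from typing import List

MAX_METRIC = 15   # networks farther than 15 hops are unreachable
INFINITY = 16     # metric advertised for an unreachable route


@dataclass
class RipngTimers:
    update: int = 30    # seconds between full updates to all neighbours
    invalid: int = 180  # silence this long -> metric forced to 16
    flush: int = 240    # poisoned route is still advertised this long, then deleted


@dataclass
class RipngRoute:
    prefix: str
    next_hop: str
    metric: int
    last_update: float  # simulation clock, seconds


def metric_from_update(received_metric: int) -> int:
    """A route received with metric m is installed with m + 1 (one more hop);
    anything beyond 15 hops is unreachable and stored as 16."""
    if not 0 <= received_metric <= INFINITY:
        raise ValueError("RIPng metrics are 0..16")
    return min(received_metric + 1, INFINITY)


def refresh(route: RipngRoute, now: float, received_metric: int) -> None:
    """An update from the next hop restarts the timers and re-derives the metric."""
    route.metric = metric_from_update(received_metric)
    route.last_update = now


def age_route(route: RipngRoute, now: float, timers: RipngTimers) -> str:
    """State of the route at time `now`: 'valid', 'unreachable' (metric forced
    to 16 once the invalid time has elapsed) or 'deleted'. The flush period is
    counted from the moment the route became invalid (assumption made here)."""
    age = now - route.last_update
    if age < timers.invalid:
        return "valid"
    route.metric = INFINITY
    if age < timers.invalid + timers.flush:
        return "unreachable"
    return "deleted"


def simulate() -> List[str]:
    """Constructed scenario: a route learned at t=0 with metric 3 from a
    neighbour and never refreshed again, sampled at 0, 100, 200 and 500 s."""
    timers = RipngTimers()
    route = RipngRoute("2001:db8:a::/64", "fe80::1", metric_from_update(3), last_update=0.0)
    return [age_route(route, t, timers) for t in (0, 100, 200, 500)]


if __name__ == "__main__":
    print("installed metric for a received metric 3:", metric_from_update(3))
    print("route states over time:", simulate())
```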

Configuring the Default Information Originate

You can specify if the default route will be redistributed to other routers with RIPng enabled. By default RIPng will not redistribute the default route. To configure the default information originate, in the RIPng routing configuration mode, use the following commands:

l Redistribute: default-information originate

l Do not redistribute: no default-information originate

Configuring Redistribute

RIPng allows you to introduce information from other routing protocols (IPv6 BGP, connected, static, OSPFv3 and IS-IS) and redistribute the information. To configure the redistribute metric, in the RIPng routing configuration mode, use the following command:
redistribute {bgp | connected | static | ospf | isis} [metric value]

l bgp | connected | static | ospf | isis – Specifies the protocol type: IPv6 BGP (bgp), connected route (connected), static route (static), OSPFv3 (ospf) or IS-IS (isis).

l metric value – Specifies a metric value for the redistribute. The value range is 1 to 15. If the
value is not specified, the system will use the default metric configured by the command
default-metric value.

Repeat the above command to redistribute different types of protocols.

To cancel the redistribute of the specified protocol, in the RIPng routing configuration mode, use
the command no redistribute {bgp | connected | static | ospfv3 | isis}.

Configuring a Network

You can configure some networks so that only the interfaces within the specified networks can
receive and send RIPng update. To configure a network, in the RIPng routing configuration
mode, use the following command:
network {interface-name | X:X:X:X::X/M}

l interface-name – Specifies the interface name. This interface is located in the network that you want to specify.

l X:X:X:X::X/M – Specifies the IPv6 address of the network.

Repeat the above command to configure more networks.


To delete the specified network, in the RIPng routing configuration mode, use the command no
network {interface-name | X:X:X:X::X/M}.

Configuring a Passive IF

You can configure some interfaces to only receive but not send data. Such an interface is known as a passive interface. To configure a passive interface, in the RIPng routing configuration mode, use the following command:
passive-interface interface-name

l interface-name – Specifies the interface as a passive interface.

Repeat the above command to configure multiple passive interfaces.


To cancel the specified passive interface, in the RIPng routing configuration mode, use the command no passive-interface interface-name.

Configuring Split Horizon

When using split horizon, routes learned from an interface will not be sent out of the same interface, in order to avoid routing loops and, to some extent, assure correct broadcasting. To enable or disable split horizon, in the interface configuration mode, use the following commands:

l Enable: ipv6 rip split-horizon

l Disable: no ipv6 rip split-horizon

Configuring Poison Reverse

When using poison reverse, RIPng sends poison messages to all neighbor routers, including the router from which the route was learned, and does not obey the split horizon rule. A poison message advertises the invalid route. To configure the poison reverse function, use the following command in the interface configuration mode:

l Enable: ipv6 rip poison-reverse

l Disable: no ipv6 rip poison-reverse
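The following Python function is an added example, not StoneOS code or part of this guide. It builds the content of the RIPng update sent out of one interface under the two settings described above: with split horizon, routes learned via that interface are omitted; with poison reverse, they are included with metric 16 and the split horizon rule is not applied. The routing table and interface names are constructed sample data.

```python
# Added example (not StoneOS code): the RIPng update sent out of one interface
# under split horizon versus poison reverse. Routes below are constructed.
from typing import List, Optional, Tuple

INFINITY = 16  # metric that advertises a route as unreachable

# (prefix, metric, interface the route was learned on; None = directly connected)
Route = Tuple[str, int, Optional[str]]

ROUTES: List[Route] = [
    ("2001:db8:a::/64", 1, "ethernet0/0"),
    ("2001:db8:b::/64", 2, "ethernet0/1"),
    ("2001:db8:c::/64", 3, "ethernet0/1"),
    ("2001:db8:d::/64", 1, None),  # connected network, learned from nobody
]


def build_update(routes: List[Route], out_interface: str,
                 split_horizon: bool = True,
                 poison_reverse: bool = False) -> List[Tuple[str, int]]:
    """Return the (prefix, metric) pairs advertised out of out_interface.

    split_horizon  - routes learned via out_interface are not sent back out of it
    poison_reverse - they are sent back, but poisoned with metric 16; the split
                     horizon rule is not applied in that case
    Neither flag   - every route is advertised with its current metric
    """
    update: List[Tuple[str, int]] = []
    for prefix, metric, learned_via in routes:
        if learned_via == out_interface:
            if poison_reverse:
                update.append((prefix, INFINITY))   # explicitly poison the route
            elif split_horizon:
                continue                            # suppress it entirely
            else:
                update.append((prefix, metric))
        else:
            update.append((prefix, metric))
    return update


if __name__ == "__main__":
    print("split horizon :", build_update(ROUTES, "ethernet0/1"))
    print("poison reverse:", build_update(ROUTES, "ethernet0/1", poison_reverse=True))
    print("neither       :", build_update(ROUTES, "ethernet0/1", split_horizon=False))
```

The poisoned entries are what lets the neighbor on ethernet0/1 discard a stale path immediately instead of waiting for its invalid timer to expire, at the cost of larger updates.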

Viewing RIPng Information

To view the RIPng information, in any mode, use the following command:
show ipv6 rip
To view the RIPng route information, in any mode, use the following command:
show ip route rip [vrouter vrouter-name]

l vrouter vrouter-name – Shows the RIPng route information of the specified VRouter.

When a Hillstone device is running RIPng, it will own a RIPng route database which can store all routing entries for all the reachable networks. The routing entry information includes destination address, next hop, metric, source, and timer information. To view the RIPng database information, in any mode, use the following command:
show ipv6 rip database [vrouter vrouter-name]

l vrouter vrouter-name – Shows the RIPng information of the specified VRouter.

Configuring OSPFv3
OSPFv3 is the third version of Open Shortest Path First and it mainly provides the support of
IPv6.
The similarities between OSPFv3 and OSPFv2 are as follows:

l Both protocols use 32-bit Router IDs and Area IDs.

l Both protocols use the Hello packets, DD (database description) packets, LSR (link state
request) packets, LSU (link state update) packets, and LSAck (link state acknowledgment)
packets.

l Both protocols use the same mechanisms of finding neighbors and establishing adjacencies.

l Both protocols use the same mechanisms of LSA flooding and aging

The differences between OSPFv3 and OSPFv2 are as follows:

l OSPFv3 runs on a per-link basis and OSPFv2 is on a per-IP-subnet basis.

l OSPFv3 supports multiple instances per link.

l OSPFv3 identifies neighbors by Router ID, and OSPFv2 identifies neighbors by IP address.

You can configure the OSPFv3 protocol for each VRouter respectively. Configuring OSPFv3
includes the following options:

l Configuring a Router ID

l Configuring the virtual link for an area

l Configuring the default metric

l Configuring the default administrative distance

l Configuring the default information originate

l Configuring the interface area and instance

l Configuring redistribute

l Configuring a passive interface

l Configuring the timer for an interface

l Configuring the router priority for an interface

l Configuring the link cost for an interface

l Configuring the MTU check for an interface

l Disabling or Enabling OSPFv3

l Configuring the network type for an interface

l Configuring encryption and authentication for an area

l Configuring encryption and authentication on an interface

The basic options of OSPFv3 protocol must be configured in the OSPFv3 routing mode. To
enter the OSPFv3 routing mode, in the global configuration mode, use the following commands:
ip vrouter vrouter-name (enters the VRouter configuration mode)
ipv6 router ospf [process-id] (enters the OSPFv3 routing configuration mode, and at the same
time enables OSPFv3 on the device.)

l process-id - Specifies the OSPFv3 process ID. If not specified, process 1 will be used by
default. Each OSPFv3 process is individual, and has its own link state database and the related
OSPFv3 routing table. Each VRouter supports up to four OSPFv3 processes, and multiple
processes maintain a routing table together. Each OSPFv3 process can redistribute OSPFv3
routes from other OSPFv3 processes, as well as routes from other IPv6 routing protocols
(static, connected, IPv6BGP, RIPng and ISISv6).

When specifying multiple OSPFv3 processes, note the following matters:

l When multiple OSPFv3 processes generate routes with the same destination network, if their
administrative distances and metrics are the same, the process that generates the route first
will be prioritized. Besides, ECMP is not supported across multiple OSPFv3 processes.

l When other routing protocols attempt to redistribute OSPFv3 routes, only the routing information of process 1 will be redistributed.

To disable OSPFv3, in the VRouter configuration mode, use the command no ipv6 router ospf.

Configuring a Router ID

Each router running the OSPFv3 protocol must be labeled with a Router ID. The Router ID is the unique identifier of an individual router in the whole OSPFv3 domain, represented in the form of an IP address. To configure a Router ID for the Hillstone device that is running the OSPFv3 protocol, in the OSPFv3 routing mode, use the following command:
router-id A.B.C.D [local]

l A.B.C.D – Specifies the Router ID used by OSPFv3 protocol, in form of an IP address.

l local – Specifies the Router ID as a local configuration. This kind of configuration is applicable to HA Peer mode, and is not synchronized to the HA configuration. By default the Router ID is not a local configuration.

Enabling Encryption and Authentication for an Area and on an Interface

OSPFv3 can use the IPsec Authentication Header (AH) and IPsec Encapsulating Security Payload (ESP) header capabilities to achieve encryption and authentication between neighbor devices. You can enable encryption and authentication for an OSPFv3 area and on an interface within the OSPFv3 area.

l When you need to protect all OSPFv3 packets in an area, you can enable encryption and authentication for this area. In this case, all devices in this area need to be configured with the same encryption and authentication policy, including the authentication method, SPI value, authentication algorithm, authentication key, etc.

l When you need to protect OSPFv3 packets of a specified interface within an area, you can enable encryption and authentication on this interface. In this case, the interface of the directly connected neighbor needs to be configured with the same encryption and authentication policy, including the authentication method, SPI value, authentication algorithm, authentication key, etc.

Take note of the following rules for the Cryptographic Authentication function of OSPFv3 routes:

l If the Cryptographic Authentication function is enabled in an area and disabled for all interfaces in this area, the encryption and authentication policy of the area is applied to these interfaces.

l If the Cryptographic Authentication function is enabled for both an interface and the area where the interface belongs, the authentication types of the interface and the area are different, and the authentication method of the interface is neither AH NULL nor ESP NULL, the encryption and authentication policy of the interface takes effect.

l If the Cryptographic Authentication function is enabled for the area where the interface belongs, the authentication types of the interface and the area are different, and the authentication method of the interface is NULL, the encryption and authentication policy of the area is applied to the interface. For example, if the area where the interface belongs is configured with AH authentication and the interface is configured with ESP NULL, the encryption and authentication policy of this area is applied to this interface.

l If the Cryptographic Authentication function is enabled for the area where the interface belongs, the authentication types of the interface and the area are the same, but the authentication method of the interface is NULL, no encryption and no authentication are performed on packets on this interface. For example, if the area where the interface belongs is configured with ESP authentication and the interface is configured with ESP NULL, no encryption and no authentication are performed on packets on this interface.

l The interface and the area where the interface belongs can each be configured with one authentication method.
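The following Python program is an added example, not StoneOS code or part of this guide. It encodes the precedence rules listed above as one function, so that the policy actually applied to an interface can be worked out from the area-level and interface-level settings before the configuration is committed; it also checks the value constraints given in the command descriptions (SPI range, MD5/SHA1, hexadecimal keys). Two cases the rules above do not spell out are handled as labelled assumptions: an interface with a full policy while its area has none uses the interface policy, and an interface with a full policy of the same type as its area also uses the interface policy. The SPIs and keys are constructed placeholders.

```python
# Added example (not StoneOS code): which IPsec policy protects the OSPFv3
# packets of an interface, given the area-level and interface-level settings.
# SPIs and keys below are constructed placeholders.
from dataclasses import dataclass
from typing import Optional

VALID_SPI = range(256, 4294967296)  # 256..4294967295 inclusive


@dataclass(frozen=True)
class IpsecPolicy:
    kind: str                       # "AH" or "ESP" (the authentication type)
    spi: Optional[int] = None       # None => the NULL form: type only, no policy
    auth_alg: Optional[str] = None  # "md5" | "sha1"
    auth_key: Optional[str] = None  # hexadecimal string
    enc_alg: Optional[str] = None   # ESP only; None => ESP with authentication only
    enc_key: Optional[str] = None   # hexadecimal string

    @property
    def is_null(self) -> bool:
        return self.spi is None

    def validate(self) -> None:
        if self.kind not in ("AH", "ESP"):
            raise ValueError("authentication type must be AH or ESP")
        if self.is_null:
            return
        if self.spi not in VALID_SPI:
            raise ValueError("SPI must be 256..4294967295")
        if self.auth_alg not in ("md5", "sha1"):
            raise ValueError("authentication algorithm must be md5 or sha1")
        int(self.auth_key, 16)  # keys are given as hexadecimal strings
        if self.enc_alg is not None:
            if self.kind != "ESP":
                raise ValueError("only ESP carries an encryption algorithm")
            int(self.enc_key, 16)


def effective_policy(area: Optional[IpsecPolicy],
                     iface: Optional[IpsecPolicy]) -> Optional[IpsecPolicy]:
    """Policy applied to the interface's packets, or None when they are sent
    without encryption or authentication. A None input means the function is
    disabled at that level."""
    for p in (area, iface):
        if p is not None:
            p.validate()
    if iface is None:
        return area                              # rule 1: only the area is configured
    if area is None:
        return None if iface.is_null else iface  # assumption: interface-only configuration
    if area.kind != iface.kind:
        return area if iface.is_null else iface  # rules 2 and 3: different types
    if iface.is_null:
        return None                              # rule 4: same type, interface NULL
    return iface                                 # assumption: full interface policy wins


# Constructed placeholder keys and SPIs (not real credentials).
KEY = "0123456789abcdef0123456789abcdef"
AREA_AH = IpsecPolicy("AH", spi=1000, auth_alg="sha1", auth_key=KEY)
AREA_ESP = IpsecPolicy("ESP", spi=1001, enc_alg="aes-cbc-256", enc_key=KEY * 2,
                       auth_alg="sha1", auth_key=KEY)
IFACE_ESP = IpsecPolicy("ESP", spi=2000, enc_alg="aes-cbc-128", enc_key=KEY,
                        auth_alg="md5", auth_key=KEY)
ESP_NULL = IpsecPolicy("ESP")  # "ipv6 ospf encryption null" on the interface


if __name__ == "__main__":
    for label, area, iface in [("area AH, interface off", AREA_AH, None),
                               ("area AH, interface ESP NULL", AREA_AH, ESP_NULL),
                               ("area ESP, interface ESP NULL", AREA_ESP, ESP_NULL),
                               ("area AH, interface ESP policy", AREA_AH, IFACE_ESP)]:
        result = effective_policy(area, iface)
        print(f"{label}: {'unprotected' if result is None else result.kind + ' spi ' + str(result.spi)}")
```

The third case is the one worth auditing on a live device: an interface set to ESP NULL inside an ESP-protected area sends its OSPFv3 packets in the clear, whereas the same NULL setting inside an AH-protected area silently inherits the area policy.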

Enabling AH Authentication for an Area

To enable AH authentication for an area, use the following command in OSPFv3 routing mode:
area { id | A.B.C.D } authentication ipsec spi spi-id {md5 | sha1} authentication-key

l id | A.B.C.D – Specifies the area ID of OSPFv3, which can be a 32-bit digital number, or an IP address.

l spi-id – Specifies the Security Parameter Index (SPI) value. Valid values: 256 to 4294967295. The receiver authenticates received packets by using the SPI value.

l authentication-key – Specifies the authentication key in the hexadecimal string format in the OSPFv3 area. The authentication algorithms include MD5 and SHA1.

In OSPFv3 routing mode, use the no area { id | A.B.C.D } authentication ipsec spi spi-id command to disable AH authentication for a specified area.

Enabling AH Authentication on an Interface

To enable AH authentication on an interface, use the following command in interface configuration mode:
ipv6 ospf authentication {ipsec spi spi-id {md5 | sha1} authentication-key | null}

l spi-id – Specifies the SPI value. Valid values: 256 to 4294967295. The receiver authenticates received packets by using the SPI value.

l authentication-key – Specifies the authentication key of the corresponding authentication algorithm in the hexadecimal string format. The authentication algorithms include MD5 and SHA1.

l null – Specifies that no AH authentication is enabled on the interface, which is applicable to the scenario where AH authentication is enabled for an area but is disabled for packets of the interface within this area.

In interface configuration mode, use the no ipv6 ospf authentication {ipsec spi spi-id | null} command to cancel the configuration.

Enabling ESP Authentication for an Area

To enable ESP authentication for an area, use the following command in OSPFv3 routing mode:
area { id | A.B.C.D } encryption ipsec spi spi-id esp {3des encryption-key | aes-cbc {128 | 192 | 256} encryption-key | des encryption-key | null} {md5 | sha1} authentication-key

l id | A.B.C.D – Specifies the area ID of OSPFv3, which can be a 32-bit digital number, or an IP address.

l spi-id – Specifies the SPI value. Valid values: 256 to 4294967295. The receiver authenticates received packets by using the SPI value.

l encryption-key – Specifies the encryption key of the corresponding encryption algorithm in the hexadecimal string format. The encryption algorithms include DES, 3DES, AES-128, AES-192, and AES-256. null indicates that no encryption algorithm is specified and ESP provides only the authentication function.

l authentication-key – Specifies the authentication key of the corresponding authentication algorithm in the hexadecimal string format. The authentication algorithms include MD5 and SHA1.

In OSPFv3 routing mode, use the no area { id | A.B.C.D } encryption ipsec spi spi-id command to disable ESP encryption and authentication of a specified area.

Enabling ESP Authentication on an Interface

To enable ESP authentication on an interface, use the following command in interface configuration mode:
ipv6 ospf encryption { ipsec spi spi-id esp {3des encryption-key | aes-cbc {128 | 192 | 256} encryption-key | des encryption-key | null} {md5 | sha1} authentication-key | null}

l spi-id – Specifies the SPI value. Valid values: 256 to 4294967295. The receiver authenticates received packets by using the SPI value.

l encryption-key – Specifies the encryption key of the corresponding encryption algorithm in the hexadecimal string format. The encryption algorithms include DES, 3DES, AES-128, AES-192, and AES-256. null indicates that no encryption algorithm is specified and ESP provides only the authentication function.

l null – Specifies that no ESP authentication is enabled on the interface, which is applicable to the scenario where ESP authentication is enabled for an area but is disabled for packets of the interface within this area.

In interface configuration mode, use the no ipv6 ospf encryption {ipsec spi spi-id | null} command to cancel the configuration.

Configuring the Virtual Link for an Area

A virtual link is used to connect discontiguous backbone areas, so that they can maintain logical continuity. To configure virtual link parameters and their timer parameters, in the OSPFv3 routing mode, use the following command:
area { id | A.B.C.D } virtual-link A.B.C.D

l id | A.B.C.D – Specifies the area ID that requires a virtual link, in form of a 32-bit digital number, or an IP address.

l A.B.C.D – Specifies the Router ID that is used as a virtual link router.

Configuring the Default Metric

The default metric configured here will take effect if the redistributed route has no configured
metric. To specify the default metric for OSPFv3, in the OSPFv3 routing configuration mode,
use the following command:
default-metric value

l value – Specifies the default metric value. The value range is 1 to 16777214.

To restore to the original metric value, in the OSPFv3 routing configuration mode, use the command no default-metric.

Configuring the Default Administrative Distance

You can configure the default administrative distance according to the route type. To configure
the default administrative distance, in the OSPFv3 routing configuration mode, use the following
command:
distance {distance-value | ospf [intra-area distance-value | inter-area distance-value | external distance-value]}

l distance-value – Specifies the default administrative distance that applies to OSPFv3 routes regardless of route type. The value ranges from 1 to 255.

l intra-area distance-value – Specifies the administrative distance value of the intra-area route.
The default value is 110 and the value ranges from 1 to 255.

l inter-area distance-value – Specifies the administrative distance value of the inter-area route.
The default value is 110 and the value ranges from 1 to 255.

l external distance-value – Specifies the administrative distance value of the external route.
The default value is 110 and the value ranges from 1 to 255.

To restore to the value of 110, in the OSPFv3 routing configuration mode, use the command no
distance ospf.

Configuring the Default Information Originate

You can specify if the default route will be redistributed to other routers. To configure the default
information originate, in the OSPFv3 routing configuration mode, use the following command:
default-information originate [always] [type {1|2}] [metric value]

l always – When using always, OSPFv3 of this router unconditionally generates and redistributes the default route. If there is no default route in the current router, it will generate a route whose next hop is the router itself. Without using always, the router will not redistribute the default route if it does not have one.

l type {1|2} – Specifies the type of the external route associated with the default route that
is sent to OSPFv3 routing area. 1 refers to type1 external route, 2 refers to type2 external
route.

l metric value – Specifies the metric value for the default route that will be sent. If no default metric value is specified by this command or by the command default-metric value, then OSPFv3 will use the value of 20. The value range is 0 to 16777214.

To restore to the value of 20, in the OSPFv3 routing configuration mode, use the command no
default-information originate.

Configuring the Interface Area and Instance

To specify the area and instance that the interface belongs to, in the OSPFv3 routing configuration mode, use the following command:
ipv6 ospf process-id area { A.B.C.D | id} {instance id}

l process-id – Specifies the ID of the OSPFv3 process that the interface belongs to. The default value is 1.

l area { A.B.C.D | id} – Specifies the area ID that the interface belongs to. The area ID is in form of a 32-bit digital number, or an IP address.

l instance id – Specifies the instance ID that the interface belongs to. To establish the neighbor relationship, interfaces must belong to the same instance. The value ranges from 0 to 255. The default value is 0.

To cancel the area and instance configuration, in the OSPFv3 routing configuration mode, use the
command no ipv6 ospf area { A.B.C.D | id}.

Configuring Redistribute

OSPFv3 allows you to introduce information from other routing protocols (IPv6 BGP, connected, static, IS-IS and RIPng) and redistribute the information. You can set the metric and type of the external route for the redistribute. To configure the redistribute, in the OSPFv3 routing configuration mode, use the following command:
redistribute {bgp | connected | static | isis | ripng | ospfv3 process-id} [type {1 | 2}] [metric value]

l bgp | connected | static | isis | ripng – Specifies the protocol type, which can be IPv6 BGP (bgp), connected route (connected), static route (static), IS-IS (isis) or RIPng (ripng).

l ospfv3 process-id - Specifies the process ID of the redistributed OSPFv3 route.

l type {1|2} – Specifies the type of the external route. 1 refers to type1 external route, 2 refers to type2 external route.

l metric value – Specifies a metric value for the redistribute. The value range is 0 to 16777214. If the value is not specified, the system will use the default OSPFv3 metric configured by the command default-metric value.

Repeat the above command to redistribute different types of routes. To cancel the redistribute of the specified route, in the OSPFv3 routing configuration mode, use the command
no redistribute {bgp | connected | static | isis | rip}.

Configuring a Passive Interface

You can configure some interfaces to only receive but not send data. Such an interface is known as a passive interface. To configure a passive interface, in the interface configuration mode, use the following command:
ipv6 ospf passive
Repeat the above command to configure more passive interfaces.
To cancel the specified passive interface, in the interface configuration mode, use the command
no ipv6 ospf passive.

Configuring the Timer for an Interface

There are four interface timers: the interval for sending Hello packets, the dead interval of adjacent routers, the interval for retransmitting LSAs, and the transmit delay for update packets.
To specify the interval for sending Hello packets for an interface, in the interface configuration
mode, use the following command:
ipv6 ospf hello-interval interval

l interval – Specifies the interval for sending Hello packets for an interface. The value range is 1 to 65535 seconds. The default value is 10. If the OSPFv3 interface chooses the point-to-multipoint network type, the default value is 30.

To restore to the default interval, in the interface configuration mode, use the command no ipv6
ospf hello-interval.
If a router has not received the Hello packet from its peer for a certain period, it will determine
the peering router is dead. This period is known as the dead interval between the two adjacent
routers. To configure the dead interval for an interface, in the interface configuration mode, use
the following command:
ipv6 ospf dead-interval interval

l interval – Specifies the dead interval of adjacent routers for an interface. The value range is 1 to 65535 seconds. The default value is 40 (4 times the Hello interval). If the OSPFv3 interface chooses the point-to-multipoint network type, the default value is 120.

To restore to the default dead interval, in the interface configuration mode, use the command no
ipv6 ospf dead-interval.
To specify the LSA retransmit interval for an interface, in the interface configuration mode, use
the following command:
ipv6 ospf retransmit-interval interval

l interval – Specifies the LSA retransmit interval for an interface. The value range is 3 to
65535 seconds. The default value is 5.

To restore to the default retransmit interval, in the interface configuration mode, use the command no ipv6 ospf retransmit-interval.
To specify the transmit delay for an interface, in the interface configuration mode, use the following command:
ipv6 ospf transmit-delay interval

l interval – Specifies the transmit delay for updating packet for an interface. The value range is
1 to 65535 seconds. The default value is 1.

To restore to the default transmit delay, in the interface configuration mode, use the command no
ipv6 ospf transmit-delay.

Configuring the Router Priority for an Interface

The router priority is used to determine which router will act as the designated router. The designated router will receive the link information of all the other routers in the network, and send the received link information. To specify the router priority for an interface, in the interface configuration mode, use the following command:
ipv6 ospf priority level

l level – Specifies the router priority. The value range is 0 to 255. The default value is 1. The router with priority set to 0 will not be selected as the designated router. If two routers within a network can both be selected as the designated router, the router with higher priority will be selected; if the priority level is the same, the one with higher Router ID will be selected.

To restore to the default priority, in the interface configuration mode, use the command no ipv6
ospf priority.
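The following Python function is an added example, not StoneOS code or part of this guide. It applies the election rules just described to a constructed set of routers on one segment: priority 0 routers are never eligible, the highest priority wins, and on a tie the higher Router ID wins. Router IDs are compared as 32-bit integers, which is why the dotted-quad form is converted before comparing; a plain string comparison would rank "9.0.0.1" above "10.0.0.1".

```python
# Added example (not StoneOS code): OSPFv3 designated router election from the
# per-interface priority and the Router ID. Routers below are constructed.
import ipaddress
from typing import List, Optional, Tuple

Router = Tuple[str, int]  # (Router ID in dotted form, ipv6 ospf priority)


def router_id_value(rid: str) -> int:
    """Router IDs are written like IPv4 addresses but are 32-bit integers."""
    return int(ipaddress.IPv4Address(rid))


def elect_dr(routers: List[Router]) -> Optional[str]:
    """Return the Router ID of the designated router, or None if no router is
    eligible. Priority 0 routers never become DR; higher priority wins; on a
    tie the higher Router ID (numerically) wins."""
    for rid, prio in routers:
        if not 0 <= prio <= 255:
            raise ValueError(f"priority {prio} for {rid} is outside 0..255")
    eligible = [(rid, prio) for rid, prio in routers if prio > 0]
    if not eligible:
        return None
    return max(eligible, key=lambda r: (r[1], router_id_value(r[0])))[0]


# Constructed segment: three default-priority routers and one that opted out.
SEGMENT: List[Router] = [
    ("10.0.0.1", 1),
    ("10.0.0.2", 1),
    ("10.0.0.3", 0),      # ipv6 ospf priority 0: never the DR
    ("192.168.1.1", 1),
]


if __name__ == "__main__":
    print("DR with default priorities:", elect_dr(SEGMENT))
    print("DR after raising 10.0.0.1 to priority 5:",
          elect_dr([("10.0.0.1", 5)] + SEGMENT[1:]))
```

In a segment where a specific device must remain DR (for example the one with the most capacity to receive everyone's link information), set its priority higher rather than relying on Router ID ordering, which changes whenever addressing does.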

Configuring the Link Cost for an Interface

You can use one of the following methods to configure the link cost for an interface:

l Specify the cost directly

l Specify the bandwidth reference value and OSPFv3 computes the cost automatically based on
the bandwidth reference value

To specify the cost directly, use the following command in the interface configuration mode:
ipv6 ospf cost cost-value

l cost-value – Specifies a cost value. The value range is 0 to 16777214.

To cancel the configuration, use no ipv6 ospf cost.


To compute the cost according to the specified bandwidth reference value, specify the bandwidth
of the interface in the OSPFv3 configuration mode:
auto-cost reference-bandwidth bandwidth

l bandwidth – Specifies the bandwidth reference value. The unit is Mbps, and the default value is 100. The value ranges from 1 to 4294967. The cost equals the interface bandwidth divided by the bandwidth reference value.

To restore the bandwidth reference value to the default value, use no auto-cost reference-bandwidth.

Configuring the MTU Check for an Interface

OSPFv3 uses DBD packets to check whether the interface MTU settings match between the neighbors. If the MTU settings do not match, the neighbors cannot establish the adjacency. You can modify the MTU setting to solve this issue. For interfaces whose MTU setting cannot be modified, you can ignore the MTU check.
To ignore the MTU check, use the following command in the interface configuration mode:
ipv6 ospf mtu-ignore
Use the no form to restore the MTU check:
no ipv6 ospf mtu-ignore

Configuring the Network Type for an Interface

In OSPFv3, the network type of an interface has the following options: broadcast, point-to-point, and point-to-multipoint. By default, the network type of an interface is broadcast. To configure the network type of an interface, in the interface configuration mode, use the following command:
ipv6 ospf network {point-to-point | point-to-multipoint}

l point-to-point – Specifies the network type of an interface as the point-to-point type.

l point-to-multipoint – Specifies the network type of an interface as the point-to-multipoint type.

To set the network type back to the default broadcast type, use the following command:
no ipv6 ospf network

Disabling or Enabling OSPFv3

To disable the OSPFv3 protocol on an interface, in the interface configuration mode, use ipv6 ospf shutdown.
To enable the OSPFv3 protocol on an interface, in the interface configuration mode, use no ipv6 ospf shutdown.

Viewing OSPFv3 Information

To view the OSPFv3 routing information of the Hillstone device, in any mode, use the following
command:
show ipv6 ospf [vrouter vrouter-name] [process process-id]

l vrouter-name - Shows the OSPFv3 route information of the specified VRouter. If the VRouter is not specified, the system shows only the protocol information of the trust-vr.

l process process-id - Shows the protocol information of the OSPFv3 process with the specified process ID. If the process ID is not specified, the system shows the protocol information of all OSPFv3 processes in the VRouter.

To view the OSPFv3 protocol’s database information of the Hillstone device, in any mode, use
the following commands:
show ipv6 ospf database
show ipv6 ospf database {inter-router | external | network | router | inter-prefix | link | intra-prefix} [A.B.C.D] [{adv-router A.B.C.D} | self-originate] [vrouter vrouter-name] [process process-id]

l inter-router – Shows the LSAs originated by ABRs; these LSAs are flooded throughout the LSA's associated area. Each inter-router LSA describes a route to an ASBR.

l external – Shows the LSAs originated by ASBRs; these LSAs are flooded throughout the AS (except Stub and NSSA areas). Each external LSA describes a route to another AS.

l network – Shows the LSAs of the network. These LSAs are originated for broadcast and
NBMA networks by the designated router. This LSA contains the list of routers connected to
the network, and is flooded throughout a single area only.

l router – Shows the LSAs of the router. These LSAs are originated by all routers. This LSA
describes the collected states of the router's interfaces to an area, and is flooded throughout a
single area only.

l inter-prefix – Shows the LSAs originated by ABRs; these LSAs are flooded throughout the LSA's associated area. Each inter-prefix LSA describes a route with an IPv6 address prefix to a destination outside the area, yet still inside the AS (an inter-area route).

l link – Shows the LSAs originated by a router. This link LSA is originated for each link and it
has link-local flooding scope. Each link LSA describes the IPv6 address prefix of the link and
link-local address of the router.

l intra-prefix - Shows the LSAs that contain IPv6 prefix information on a router, stub area or transit area information; these LSAs have area flooding scope. Intra-prefix LSAs were introduced because router LSAs and network LSAs no longer contain address information.

l A.B.C.D - Shows the IP address of link status ID.

l adv-router A.B.C.D – Shows the LSAs of the specified router.

l self-originate - Only shows self-originated LSAs (from local router).

l vrouter-name - Specifies the VRouter name. If the VRouter is not specified, the system shows only the database information of all OSPFv3 processes in the trust-vr.

l process process-id - Shows the database information of the OSPFv3 process with the specified process ID. If the process ID is not specified, the system shows the database information of all OSPFv3 processes in the VRouter.

To view the OSPFv3 interface information, in any mode, use the following command:
show ipv6 ospf interface [interface-name] [vrouter vrouter-name] [process process-id]
To view the OSPFv3 neighbor information, in any mode, use the following command:
show ip ospf neighbor [A.B.C.D | detail] [vrouter vrouter-name] [process process-id]
To view the OSPFv3 border router information, in any mode, use the following command:
show ipv6 ospf border-routers [A.B.C.D] [vrouter vrouter-name] [process process-id]
To view the OSPFv3 route information, in any mode, use the following command:
show ip ospf route [X:X:X:X::X/M] [vrouter vrouter-name] [process process-id]

To view the OSPFv3 virtual links information, in any mode, use the following command:
show ip ospf virtual-links [vrouter vrouter-name] [process process-id]

Configuring IPv6 BGP


BGP-4 was designed to carry only IPv4 routing information; other network layer protocols such as IPv6 are not supported. To support multiple network layer protocols, the IETF extended BGP-4 by introducing multiprotocol BGP (MP-BGP). MP-BGP for IPv6 is called IPv6 BGP. IPv6 BGP uses the extension attributes of BGP to run BGP in IPv6 networks, and it has the same messaging and routing mechanisms as BGP.
To configure the following items, see “Configuring BGP” in “Routing”.

l Configuring a peer/peer group

l Configuring equal cost multipath routing

l Configuring a timer

l Configuring MD5 authentication

l Disabling a peer/peer group

l Configuring EBGP multihop

l Configuring description

l Configuring a peer timer

This section introduces the following configurations:

l Configuring IPv6 unicast route

l Activating a connection

l Sending community path attributes to a peer/peer group

l Specifying Upper Limit of Prefixes

Entering the IPv6 Unicast Routing Configuration Mode

To configure the settings of the IPv6 unicast route, you must enter the IPv6 unicast routing configuration mode. Execute the following command in the BGP instance configuration mode:
address-family ipv6 unicast

Configuring IPv6 Unicast Route Redistribute

IPv6 BGP supports IPv6 unicast route redistribution. It allows users to introduce routing information from other routing protocols (connected, IS-IS, static, OSPFv3 and RIPng) and redistribute the information. To configure the redistribution and its metric, in the IPv6 unicast routing configuration mode, use the following command:
redistribute {ospf | isis | connected | static | rip} [metric value]

l ospf | isis | connected | static | rip – Specifies the protocol type, which can be connected route (connected), IS-IS (isis), static route (static), RIPng (rip) or OSPFv3 (ospf).

l metric value – Specifies the redistribute metric value. The value range is 0 to 4294967295.

Repeat the above command to redistribute different types of protocols.

To cancel the redistribution of the specified protocol, in the IPv6 unicast routing configuration mode, use the following command:
no redistribute {ospf | isis | connected | static | rip}

Activating a BGP Connection

By default, the IPv6 BGP connection between the device and a configured BGP peer or peer group is activated. You can de-activate or re-activate the IPv6 BGP connection. To activate the IPv6 BGP connection, in the IPv6 unicast routing configuration mode, use the following command:
neighbor {X:X:X:X::X | A.B.C.D | peer-group} activate

l X:X:X:X::X | A.B.C.D | peer-group – Specifies the IPv4/IPv6 address of the peer or the name of the peer group.

To de-activate the IPv6 BGP connection to the specified BGP peer or peer group, in the IPv6
unicast routing configuration mode, use the following command:
no neighbor {X:X:X:X::X | A.B.C.D | peer-group} activate

Sending Community Path Attributes to a Peer/Peer Group

To send the community path attributes to an IPv6 peer/peer group, use the following command in the IPv6 unicast routing configuration mode:
neighbor {X:X:X:X::X | A.B.C.D | peer-group} send-community {standard | extended | both}

l {X:X:X:X::X | A.B.C.D | peer-group} – Specifies the IPv4/IPv6 address of the peer or the name of the peer group.

l standard | extended | both – Specifies the type of the community path attributes. There are three types: standard means the standard community path attributes, extended means the extended community path attributes, and both means both the standard community path attributes and the extended community path attributes.

Use the following command to cancel the above configuration:
no neighbor {X:X:X:X::X | A.B.C.D | peer-group} send-community

Specifying Upper Limit of Prefixes

To configure the upper limit of prefixes that can be received from IPv6 peer/peer group, use the
following command in the IPv6 unicast routing configuration mode:
neighbor {X:X:X:X::X | A.B.C.D | peer-group} maximum-prefix maximum [threshold] [restart restart-interval] [warning-only]

l {X:X:X:X::X | A.B.C.D | peer-group} – Specifies the IPv4/IPv6 address of the peer or the name of the peer group.

l maximum - Specifies the upper limit of prefixes that can be received from the IPv6 peer/peer group.

l threshold – Specifies the threshold that triggers the generation of log information. The default value is 75, and it ranges from 1 to 100.

l restart restart-interval – After the number of received prefixes reaches the threshold, the connection to the peer is disconnected and re-established after the interval specified here. The unit is minute and the value ranges from 1 to 65535.

l warning-only – After the number of received prefixes reaches the threshold, the system generates the corresponding log information.

Use the no form to cancel the above configuration:
no neighbor {X:X:X:X::X | A.B.C.D | peer-group} maximum-prefix
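
The maximum-prefix behaviour described above, as an added example that is not part of the StoneOS guide: a Python model of one peer session that logs when the threshold is reached and tears the session down, warns only, or reconnects after the restart interval. It assumes threshold is a percentage of maximum and that the teardown happens once the count exceeds maximum; the peer address and prefixes are constructed.

```python
"""Model of a per-peer maximum-prefix limit: threshold logging, hard limit,
warning-only and restart variants.  Added illustration only; the peer address,
prefixes and simulated clock are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class MaxPrefixPolicy:
    """Parameters of 'neighbor ... maximum-prefix maximum [threshold] [restart n] [warning-only]'."""
    maximum: int
    threshold: int = 75            # percent of maximum that triggers a log entry (assumed to be a percentage)
    restart: Optional[int] = None  # minutes before the session is re-established; None = stays down
    warning_only: bool = False

    def __post_init__(self):
        if self.maximum < 1:
            raise ValueError("maximum must be at least 1")
        if not 1 <= self.threshold <= 100:
            raise ValueError("threshold must be 1..100")
        if self.restart is not None and not 1 <= self.restart <= 65535:
            raise ValueError("restart interval must be 1..65535 minutes")


@dataclass
class PeerSession:
    peer: str
    policy: MaxPrefixPolicy
    prefixes: Set[str] = field(default_factory=set)
    established: bool = True
    restart_at: Optional[int] = None   # simulated clock value (minutes) at which to reconnect
    log: List[str] = field(default_factory=list)
    threshold_logged: bool = False
    limit_logged: bool = False

    def receive(self, prefix: str, now: int) -> None:
        """Account for one prefix received at simulated time `now` (minutes)."""
        if not self.established:
            return                      # a torn-down session accepts nothing until restarted
        self.prefixes.add(prefix)
        count = len(self.prefixes)
        p = self.policy
        if count * 100 >= p.maximum * p.threshold and not self.threshold_logged:
            self.log.append(f"{self.peer}: {count} prefixes, reached {p.threshold}% of limit {p.maximum}")
            self.threshold_logged = True
        if count > p.maximum:
            if p.warning_only:
                if not self.limit_logged:
                    self.log.append(f"{self.peer}: {count} prefixes exceed limit {p.maximum} (warning-only)")
                    self.limit_logged = True
            else:
                self.log.append(f"{self.peer}: {count} prefixes exceed limit {p.maximum}, session torn down")
                self.established = False
                self.prefixes.clear()
                self.restart_at = None if p.restart is None else now + p.restart

    def tick(self, now: int) -> None:
        """Advance the simulated clock; re-establish once the restart interval has elapsed."""
        if not self.established and self.restart_at is not None and now >= self.restart_at:
            self.established = True
            self.restart_at = None
            self.threshold_logged = False
            self.limit_logged = False
            self.log.append(f"{self.peer}: session re-established after {self.policy.restart} minutes")


def simulate(policy: MaxPrefixPolicy, prefixes: List[str], now: int = 0) -> PeerSession:
    """Feed a constructed list of prefixes to one peer session and return it."""
    session = PeerSession("2001:db8::1", policy)   # constructed peer address
    for prefix in prefixes:
        session.receive(prefix, now)
    return session


if __name__ == "__main__":
    burst = [f"2001:db8:{i}::/48" for i in range(1, 6)]   # constructed: 5 prefixes against a limit of 4
    for policy in (MaxPrefixPolicy(4), MaxPrefixPolicy(4, warning_only=True), MaxPrefixPolicy(4, restart=2)):
        s = simulate(policy, burst)
        print(policy, "->", "up" if s.established else "down", "|", s.log[-1])
```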

Viewing BGP Routing Information

To view the routing information of the entire IPv6 BGP routing table, in any mode, use the following command:
show ip bgp ipv6 unicast {X:X:X:X::X/Mask | vrouter vrouter-name}

l X:X:X:X::X/Mask – Shows the IPv6 BGP routing information of the specified network.

l vrouter-name - Shows the IPv6 BGP routing information of the specified VRouter.

To view the status parameters of all BGP connections, including the prefix, path, attribute, etc.,
in any mode, use the following command:
show ip bgp ipv6 unicast summary [vrouter vrouter-name]

l vrouter-name - Shows the IPv6 BGP routing information of the specified VRouter.

To view the BGP peer status, in any mode, use the following command:
show ip bgp ipv6 unicast neighbor [ X:X:X:X::X | A.B.C.D ] [vrouter vrouter-name]

l X:X:X:X::X | A.B.C.D – Shows the BGP peer status of the specified IPv4/IPv6 address.

l vrouter-name - Shows the IPv6 BGP routing information of the specified VRouter.

Configuring IPv6 Policy-based Route


Policy-based Route (PBR) is designed to select a route and forward data based on the source IP address, destination IP address and service type of a packet, and to specify the next hop of the packets that match the policy. The system supports configuring PBR rules using IPv6 addresses.
To configure the following items, see Policy-based Route in StoneOS_CLI_User_Guide_Routing:

l Editing a PBR Rule

l Enabling/Disabling a PBR Rule

l Moving a PBR Rule

l Applying a PBR Rule

Creating a PBR Policy

To create a PBR policy, in the global configuration mode, use the following command:
pbr-policy name

l name – Specifies the name of the PBR policy. The length is 1 to 31 characters. If the policy
exists, the system will directly enter the PBR policy configuration mode.

To delete the specified PBR policy, use the command no pbr-policy name.

Creating an IPv6 PBR Rule

To create an IPv6 PBR rule, in the PBR policy configuration mode, use the following command:
match-v6 [id rule-id] [before rule-id | after rule-id | top] src-addr dst-addr service-name [application-name] nexthop {interface-name | A.B.C.D | vrouter vrouter-name | vsys vsys-name} [weight value] [track track-object-name]

l id rule-id – Specifies the ID of the new PBR rule. The value range is 1 to 255. If no ID is specified, the system will automatically assign an ID. The rule ID must be unique in its corresponding PBR policy.

l before rule-id | after rule-id | top – Specifies the position of the PBR rule. The new PBR rule can be located before a rule (before rule-id), after a rule (after rule-id) or at the top of all the rules (top). By default, the system will put the new rule at the end of all the rules.

l src-addr – Specifies the source address, which should be an entry defined in the address book. The address should be an IPv6 address.

l dst-addr – Specifies the destination address, which should be an entry defined in the address book. The address should be an IPv6 address.

l service-name – Specifies the name of the service. service-name should be a service defined in the service book.

l application-name – Specifies the name of the application. application-name should be an application defined in the application book.

l nexthop {interface-name | A.B.C.D | vrouter vrouter-name | vsys vsys-name} – Specifies the next hop. interface-name is the name of the egress interface, or local-address. A.B.C.D is the IP address of the next hop, vrouter vrouter-name is a VRouter, and vsys vsys-name is the name of a VSYS.

l weight value – Specifies the weight for the next hop. The value range is 1 to 255. The default value is 1. If a PBR rule is configured with multiple next hops, the system distributes the traffic in proportion to the corresponding weights.

l track track-object-name – Specifies the track object for the next hop. If the track object fails, the PBR rule fails as well. For more information about track objects, see “Configuring a Track Object” in “System Management”.

To delete the specified rule, in the PBR policy configuration mode, use the following command:
no match-v6 id rule-id
In addition, you can also use the following command in the PBR policy configuration mode to create a PBR rule ID, and then, in the PBR policy rule configuration mode, further configure the other relevant parameters of the PBR rule:
match-v6 [id rule-id] [before rule-id | after rule-id | top]

l id rule-id – Specifies the ID of the new PBR rule. If no ID is specified, the system will automatically assign an ID. The rule ID must be unique in the whole system. However, the PBR rule ID is not related to the matching sequence.

l top | before rule-id | after rule-id – Specifies the position of the PBR rule. The new PBR rule can be located before a rule (before rule-id), after a rule (after rule-id) or at the top of all the rules (top). By default, the system will put the newly created rule at the end of all the rules.
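
The weight and track parameters of match-v6 described above, as an added example that is not part of the StoneOS guide: a Python model of a rule with two weighted next hops that spreads flows 3:1 and stops applying when a tracked next hop fails. Hashing the flow tuple onto the weight space is my assumed mechanism for "in proportion to the weight"; the rule, interface names, addresses and track states are constructed.

```python
"""Model of IPv6 PBR next-hop selection: weighted spread across next hops and
rule failure when a track object fails.  Added illustration only; rule data
and flows below are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, int]   # (src ip, dst ip, src port, dst port)


@dataclass(frozen=True)
class NextHop:
    target: str                  # egress interface name or next-hop address
    weight: int = 1              # 'weight value': 1..255, default 1
    track: Optional[str] = None  # 'track track-object-name', if configured


@dataclass(frozen=True)
class PbrRule:
    rule_id: int         # 'id rule-id': 1..255
    src_addr: str        # address-book entry names, as in match-v6
    dst_addr: str
    service: str
    nexthops: Tuple[NextHop, ...]

    def __post_init__(self):
        if not 1 <= self.rule_id <= 255:
            raise ValueError("rule id must be 1..255")
        if not self.nexthops:
            raise ValueError("a match-v6 rule needs at least one next hop")
        for nh in self.nexthops:
            if not 1 <= nh.weight <= 255:
                raise ValueError(f"weight {nh.weight} out of range 1..255")


def rule_usable(rule: PbrRule, track_state: Dict[str, bool]) -> bool:
    """If any next hop's track object has failed, the whole rule fails (per the guide)."""
    return all(track_state.get(nh.track, True) for nh in rule.nexthops if nh.track)


def select_nexthop(rule: PbrRule, flow: Flow, track_state: Dict[str, bool]) -> Optional[NextHop]:
    """Choose the next hop for one flow, or None when the rule does not apply."""
    if not rule_usable(rule, track_state):
        return None
    total = sum(nh.weight for nh in rule.nexthops)
    # A stable hash of the flow tuple keeps one flow on one path (assumed mechanism).
    digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
    point = int.from_bytes(digest[:4], "big") % total
    for nh in rule.nexthops:
        if point < nh.weight:
            return nh
        point -= nh.weight
    raise RuntimeError("unreachable: point exceeds total weight")


def distribution(rule: PbrRule, flows: List[Flow], track_state: Dict[str, bool]) -> Dict[str, int]:
    """Count how many of the given flows land on each next hop."""
    counts = {nh.target: 0 for nh in rule.nexthops}
    for flow in flows:
        nh = select_nexthop(rule, flow, track_state)
        if nh is not None:
            counts[nh.target] += 1
    return counts


# Constructed rule: 3:1 split between two uplinks, the first one tracked.
RULE = PbrRule(
    rule_id=1, src_addr="branch-v6", dst_addr="any-v6", service="HTTPS",
    nexthops=(NextHop("ethernet0/1", weight=3, track="uplink1"),
              NextHop("ethernet0/2", weight=1)),
)


def sample_flows(n: int) -> List[Flow]:
    """n constructed HTTPS flows from one client, differing only in source port."""
    return [("2001:db8:a::10", "2001:db8:b::443", 40000 + i, 443) for i in range(n)]


if __name__ == "__main__":
    print(distribution(RULE, sample_flows(4000), {"uplink1": True}))   # roughly 3000 / 1000
    print(distribution(RULE, sample_flows(4000), {"uplink1": False}))  # rule fails: all zero
```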

Configuring IPv6 IS-IS


The IS-IS routing protocol (Intermediate System-to-Intermediate System intra-domain routing information exchange protocol) supports multiple network protocols, including IPv6. The IS-IS routing protocol that supports IPv6 is called the IPv6 IS-IS routing protocol. In an IPv6 network environment, you can configure the IPv6 IS-IS routing protocol to provide connectivity between IPv6 networks.
To configure the following items, see Configuring IS-IS in StoneOS_CLI_User_Guide_Routing:

l Configuring the router type

l Configuring the interface type

l Configuring the network as point-to-point type

l Configuring the NET address

l Configuring the metric style

l Configuring the parameters for Hello packets

l Configuring the priority for DIS election

l Configuring the passive interface

l Configuring the parameters for LSP packets

l Configuring the hostname mappings

l Configuring the authentication methods

l Configuring the interface authentication

This section introduces the following configurations:

l Enabling IPv6 IS-IS at interfaces

l Configuring the interface metric

l Entering into the IPv6 unicast routing configuration mode

l Configuring the default route advertisement

l Configuring the administrative distance

l Configuring redistribute

l Configuring the overload bit

l Configuring the SPF calculation interval

l Configuring Multiple-Topology routing

l Viewing IPv6 IS-IS information

Enabling IPv6 IS-IS at interfaces

By default, the IPv6 IS-IS function is disabled at the interface. After creating an IS-IS process at
the current router, proceed to enable the IPv6 IS-IS function at the interface. Use the following
command in the interface configuration mode:
isis ipv6 enable

Use the no isis ipv6 enable command to disable the IPv6 IS-IS function at the interface.

Configuring the Interface Metric

The metric is used to calculate the cost to the destination network via the selected link. To configure the metric of the link on which the interface is located in an IPv6 network, use the following command in the interface configuration mode:
isis ipv6 metric value [level-1 | level-2]

l value – Configures the metric value of the link on which the interface is located. The value ranges from 1 to 16777214 and the default value is 10.

l level-1 | level-2 – Use level-1 to configure the metric value for Level-1 routes. Use level-2 to configure the metric value for Level-2 routes. Without specifying level-1 or level-2, the metric value is effective for both Level-1 and Level-2 routes.

Use the no isis ipv6 metric command to restore the metric value to the default one.

Entering into the IPv6 Unicast Routing Configuration Mode

To configure the settings for the IPv6 IS-IS unicast route, you must enter the IPv6 unicast routing configuration mode. Execute the following commands to enter this configuration mode:
ip vrouter vrouter-name – In the global configuration mode, execute this command to enter the VRouter configuration mode.
router isis – Enter the IS-IS routing configuration mode and create the IS-IS process. The IS-IS processes in each VRouter are independent.
address-family ipv6 unicast - Enter the IPv6 unicast routing configuration mode.

Configuring the Default Route Advertisement

The default IPv6 route in the introduced routing information will not be used by the routers. To advertise the default IPv6 route in the routing domain, in the IS-IS IPv6 unicast routing configuration mode, use the following command:
default-information originate
If there is a default route on the router and the above command is configured, the IS-IS process on this router advertises this route via Level-2 LSPs.
To cancel the default IPv6 route advertisement, use the no default-information originate command.

Configuring the Administrative Distance

To configure the administrative distance of the IPv6 IS-IS route, use the following command in
the IS-IS IPv6 unicast routing configuration mode:
distance distance-value

l distance-value – Specify the administrative distance. The value ranges from 1 to 255. The
default value is 115.

To restore the value to the default one, use the no distance command.

Configuring Redistribute

IPv6 IS-IS allows you to introduce routing information from other routing protocols (connected, static, OSPFv3, IPv6 BGP and RIPng) and redistribute the information. To configure the redistribution and the corresponding metric, in the IS-IS IPv6 unicast routing configuration mode, use the following command:
redistribute {connected | static | ospf | bgp | rip} [level-1 | level-1-2 | level-2] [metric value] [metric-type {external | internal}]

l connected | static | ospf | bgp | rip – Specifies the protocol type, which can be connected, static, ospf (OSPFv3), bgp (IPv6 BGP), or rip (RIPng).

l level-1 | level-1-2 | level-2 – Specifies the level for the introduced route, including the
level-1 route (level-1), level-2 route (level-2), and both levels (level-1-2).

l metric value – Specifies a metric value for the introduced route. The value range is 0 to 4294967296. The default value is 0. When the metric style of the router is narrow, the metric value of the introduced route cannot exceed 63.

l metric-type {external | internal} – If you select the external metric type (external), the metric value will be the sum of the value configured in metric value and 64. If you select the internal metric type (internal), the metric value will be the one you configured with metric value. The default option is internal.

To cancel the redistribution configuration, use the no redistribute {connected | static | ospf | bgp | rip} [level-1 | level-1-2 | level-2] command.

Configuring the Overload Bit

If a router lacks resources, its LSDB might be inaccurate or incomplete. You can configure the overload bit for this router, which suppresses the advertisement of the introduced routes: the routes introduced from other routing protocols will not be advertised, and this reduces the number of packets that are forwarded via this router. However, packets whose destination is a directly connected network of this router, or whose destination is within the same routing domain, can still be forwarded to this router as before. To configure the overload bit for the router, use the following command in the IS-IS IPv6 unicast routing configuration mode:
set-overload-bit suppress external
To cancel the overload bit configuration, use the command no set-overload-bit.

Configuring the SPF Calculation Interval

If the LSDB changes, the router will re-calculate the SPF. To configure the SPF calculation interval for IPv6 IS-IS, use the following command in the IPv6 IS-IS unicast routing configuration mode:
spf-interval value [level-1 | level-2]

l value – Specifies the SPF calculation interval. The value ranges from 1 to 120. The default value is 10. The unit is second.

l level-1 | level-2 – Enter level-1 to specify the SPF calculation interval for level-1 SPFs only,
and enter level-2 to specify the SPF generation interval for level-2 SPFs only. If you enter no
parameter, the configured interval value will be used for both level-1 SPFs and level-2 SPFs.

Use the no spf-interval command to restore the value to the default one.

Configuring Multiple-Topology Routing

When using IPv6 IS-IS, the device supports both unique topology routing and multiple-topology routing. When using unique topology routing, the device calculates mixed routing for both the IPv4 topology and the IPv6 topology.
When using multiple-topology routing, the device performs the SPF calculation for the IPv4 topology and the IPv6 topology individually, and generates the routing information individually.
By default, the system uses unique topology routing. To enable multiple-topology routing, first change the metric style to wide in the IS-IS routing configuration mode by using the metric-style wide command. Then run the following command in the IS-IS IPv6 unicast routing configuration mode:
multi-topology
To disable the multiple-topology routing, use the command no multi-topology.

Viewing IPv6 IS-IS Information

To show the routing information of the IPv6 IS-IS, use the following command in any mode:
show isis ipv6 route
To show the IS-IS process and corresponding information, use the following command in any
mode:
show isis [vrouter vrouter-name]

l vrouter-name - Show the information of the specified vrouter.

To show the link state database, use the following command in any mode:
show isis database [detail] [vrouter vrouter-name]

l detail – Show the detailed information.

l vrouter-name - Show the information of the specified vrouter.

To show the IS-IS interface information, use the following command in any mode:
show isis interface [interface-name]

Configuring IPv6 Static Multicast Routing


By default the IPv6 multicast route is disabled. To enable or disable the IPv6 multicast route, in
the VRouter configuration mode, use the following commands:

l Enable: ipv6 multicast-routing

l Disable: no ipv6 multicast-routing

Configuring an IPv6 Static Multicast Route Entry

To create an IPv6 static multicast route entry, in the VRouter configuration mode, use the following command:
ipv6 mroute X.X.X.X::X X.X.X.X::X [iif interface-name] [eif interface-name]

l X.X.X.X::X X.X.X.X::X - Specifies the multicast source address and the multicast address. The first X.X.X.X::X is the IPv6 address of the multicast source, and the second X.X.X.X::X is the IPv6 multicast address.

l iif interface-name - Specifies an ingress interface. You can specify up to two ingress interfaces.

l eif interface-name - Specifies an egress interface. You can specify up to four egress interfaces.

To delete the specified IPv6 static multicast route entry, in the VRouter configuration mode, use the following command:
no ipv6 mroute X.X.X.X::X X.X.X.X::X

Specifying an Ingress/Egress Interface

You can configure an ingress or egress interface for an existing IPv6 static multicast route entry. Each multicast route entry can have up to two ingress interfaces, and up to 32 egress interfaces. The ingress and egress interface options must be configured in the IPv6 static multicast route configuration mode. To enter the IPv6 static multicast route configuration mode, in the VRouter configuration mode, use the following command:
ipv6 mroute X.X.X.X::X X.X.X.X::X

l X.X.X.X::X X.X.X.X::X - Specifies the multicast source address and the multicast address. The first X.X.X.X::X is the IPv6 address of the multicast source, and the second X.X.X.X::X is the IPv6 multicast address.

To specify an ingress and egress interface for the existing IPv6 static multicast routing entry, in
the IPv6 static multicast route configuration mode, use the following command:

l Specify an ingress interface: iif interface-name

l Specify an egress interface: eif interface-name

Repeat the above command to configure multiple ingress or egress interfaces.

To delete the configured ingress or egress interface for the existing IPv6 static multicast routing entry, in the VRouter configuration mode, use the command no ipv6 mroute X.X.X.X::X X.X.X.X::X {[iif interface-name] [eif interface-name]}. Or, in the IPv6 static multicast route configuration mode, use the following command:

l Delete an ingress interface: no iif interface-name

l Delete an egress interface: no eif interface-name

Viewing IPv6 Multicast Route Information

To view the IPv6 multicast route information, in any mode, use the following command:
show ipv6 mroute [X.X.X.X::X X.X.X.X::X | summary] [vrouter vr-name]

l show ipv6 mroute - Shows all the IPv6 multicast route information.

l X.X.X.X::X X.X.X.X::X - Shows the multicast route information of the specified multicast source address and multicast address. The first X.X.X.X::X is the IPv6 address of the multicast source, and the second X.X.X.X::X is the IPv6 multicast address.

l summary - Shows the summary of the IPv6 multicast routes.

l vrouter vr-name - Shows the IPv6 multicast route information of the specified VRouter.

Viewing IPv6 Multicast FIB Information

To view the IPv6 multicast FIB information, in any mode, use the following command:
show ipv6 mfib [X.X.X.X::X X.X.X.X::X | summary] [vrouter vr-name]

l show ipv6 mfib - Shows all the IPv6 multicast FIB information.

l X.X.X.X::X X.X.X.X::X - Shows the multicast FIB information of the specified multicast source address and multicast address. The first X.X.X.X::X is the IPv6 address of the multicast source, and the second X.X.X.X::X is the IPv6 multicast address.

l summary - Shows the summary of IPv6 multicast FIB.

l vrouter vr-name - Shows the IPv6 multicast FIB information of the specified VRouter.

Configuring IPv6 BFD


BFD (Bidirectional Forwarding Detection) is a unified detection mechanism for the entire network, which is used to quickly detect and monitor the forwarding and connection status of the link and the IP route. To enhance network performance, protocol neighbors must be able to detect communication failures quickly, so that backup communication can be established to restore communication in time.
BFD creates sessions between two routers to monitor the bidirectional forwarding path between them, and provides this service to the upper-level protocol, for example a routing protocol. BFD has no discovery mechanism; the upper-level protocol notifies BFD to create sessions with the specified objects. If no BFD packets are received from the peer during the detection period after the session is created, BFD notifies the upper-level service, and the upper-level service executes the corresponding operations.
In the current StoneOS, BFD can integrate with IPv4 static routes, IPv6 static routes, OSPF routes, OSPFv3 routes, and BGP routes. Thus, StoneOS can detect the forwarding and connection status of the link that runs IPv4 static routes, IPv6 static routes, OSPF routes, OSPFv3 routes, and BGP routes.
To configure the following items, see Configuring BFD in StoneOS_CLI_User_Guide_Routing:

l Configuring the BFD detection methods

l Configuring the BFD session parameters

l Enabling/Disabling the Echo function

l Specifying the interval of receiving Echo packets

l Configuring BFD multi-hop detection

This section introduces the following configurations:

l Configuring the source IP address of the Echo packets

l Integrating BFD with the IPv6 static route

l Integrating BFD with the OSPFv3 route

l Viewing IPv6 BFD session information

Configuring the Source IP Address of the Echo Packets

A large number of ICMP redirect packets sent from the peer leads to network congestion. To avoid network congestion, you can configure the source IP address of the Echo packets. To configure the source IPv6 address, use the following command in the global configuration mode:
bfd echo-source-ipv6 echo-src-address

l echo-src-address – Specifies the source IPv6 address of the BFD Echo packets.

To delete the configured source IPv6 address, use the following command in the global configuration mode: no bfd echo-source-ipv6.

Integrating BFD with the IPv6 Static Route

To integrate BFD with the IPv6 static route and enable the BFD detection function for the specified next hop, use the following command in the VRouter configuration mode:
ipv6 route ipv6-address/M interface-name nexthop-ipv6-address bfd

l ipv6-address/M – Specifies the network address of the IPv6 static route.

l interface-name nexthop-ipv6-address – Specifies the IPv6 address of the next-hop interface. The address type is Link-local.

l bfd – Enables the BFD detection function for the specified next hop.

To cancel the integration, use the following command in the VRouter configuration mode:
no ipv6 route ipv6-address/M interface-name nexthop-ipv6-address bfd

Integrating BFD with the OSPFv3 Route

By integrating BFD with the OSPFv3 route, the system realizes quick link detection with higher performance than the Hello detection mechanism of the OSPFv3 protocol. With the integration, the OSPFv3 protocol improves its convergence performance.
To integrate BFD with the OSPFv3 route and enable the BFD detection function on the specified interfaces that correspond to the OSPFv3 route, use the following command in the interface configuration mode:
ipv6 ospf bfd

To cancel the integration, use the following command in the interface configuration mode:
no ipv6 ospf bfd

Viewing IPv6 BFD Session Information

To view the IPv6 BFD session information, use the following command in any mode:
show bfd session [interface interface-name | neighbor X:X:X:X::X | detail]

l interface interface-name – Shows the information of the BFD sessions on the specified
interface.

l neighbor X:X:X:X::X – Specifies the IPv6 address of the neighbor router. The address type is
link-local.

l detail – Shows the detailed information of the BFD sessions of all routers.

Configuring IPv6 DHCP
DHCP (Dynamic Host Configuration Protocol) automatically allocates IPv6 addresses and related
network parameters to the hosts in a subnet, reducing the administration effort. DHCP also
avoids address conflicts and allows idle addresses to be reallocated.
Hillstone devices support the IPv6 DHCP client, DHCP server and DHCP relay proxy.

l DHCP client: A Hillstone device's interface can be configured as a DHCP client and obtain
IP addresses from the DHCP server.

l DHCP server: A Hillstone device's interface can be configured as a DHCP server and allocate
IP addresses chosen from the configured address pool for the connected hosts.

l DHCP relay proxy: A Hillstone device's interface can be configured as a DHCP relay proxy to
obtain DHCP information from the DHCP server and forward the information to connected
hosts.

Hillstone devices provide all three DHCP functions, but an individual interface can only be
configured with one of them.

Configuring a DHCP Client


You can configure an interface of the device as a DHCP client that obtains an IPv6 address from
the DHCP server. The DHCP client is configured in the interface configuration mode.
The configuration includes:

l Obtaining an IPv6 address via DHCP

l Releasing and renewing the IPv6 address

Obtaining an IPv6 address via DHCP

To enable the interface to obtain an IPv6 address via DHCP, in the interface configuration mode,
use the following command:
ipv6 address dhcp [rapid-commit]

l ipv6 address dhcp – Enables the interface to obtain an IPv6 address via DHCP.

l rapid-commit – Speeds up obtaining the IPv6 address from the server. Rapid-commit must be
enabled on both the DHCP client and the DHCP server.

To cancel the configuration, in the interface configuration mode, use the command no ipv6
address dhcp.

Releasing and Renewing the IPv6 Address

The interface that has obtained a dynamic IPv6 address via DHCP can release and renew its IPv6
address. To release and renew the IPv6 address, in the interface configuration mode, use the fol-
lowing commands:

l Release: dhcpv6-client ip release

l Renew: dhcpv6-client ip renew

To view the DHCP IPv6 address information allocated to an interface, in the interface con-
figuration mode, use the following command:
show dhcpv6-client interface interface-name

Configuring a DHCP Server


The Hillstone device can act as a DHCP server to allocate IP addresses to the DHCP clients in
the subnets. The DHCP server must be configured in the DHCP server configuration mode.
To enter the DHCP server configuration mode, in the global configuration mode, use the fol-
lowing command:
dhcpv6-server pool pool-name

l pool-name – Specifies the name of the DHCP address pool.

After executing the above command, the system will create a new DHCP address pool and enter
the DHCP server configuration mode of the address pool; if the specified address pool exists, the
system will directly go to the DHCP server configuration mode.

To delete the specified address pool, in the global configuration mode, use the command no
dhcpv6-server pool pool-name.
The DHCP server functions you can configure include:

l Basic configuration of the DHCP address pool

l Binding the address pool to an interface

Basic Configuration of the DHCP Address Pool

This section describes how to configure DHCP address pool.

Configuring an IP Range

You need to specify the IP range used for external allocation. To specify the IP range of the
address pool, in the DHCP server configuration mode, use the following command:
address prefix ipv6-address/prefix-length [lifetime {valid-lifetime | infinite}|{preferred-lifetime
| infinite}]

l ipv6-address/prefix-length – Specifies the IPv6 address prefix and prefix length.

l valid-lifetime – Specifies the valid lifetime of the address.

l infinite – If specified, the address is valid permanently.

l preferred-lifetime – Specifies the preferred lifetime for the IPv6 address. The preferred life-
time should not be larger than the valid lifetime.

To cancel the specified IP range, in the DHCP server configuration mode, use the command no
address prefix.

Configuring Domain Name for the DHCP Client

To configure the domain name for the DHCP client, in the DHCP server configuration mode, use
the following command:
domain domain-name

l domain-name – Specifies the domain name.

To cancel the configured domain name, in the DHCP server configuration mode, use the com-
mand no domain.

Configuring DNS Servers for the DHCP Client

To configure DNS servers for the DHCP client, in the DHCP server configuration mode, use the
following command:
dns-server ipv6-address [ipv6-address1 ] [ipv6-address2 ]

l ipv6-address1 – Specifies the IP address of the primary DNS server.

l ipv6-address2 – Specifies the IP address of the alternative DNS server.

To cancel the configured DNS, WINS server and domain name, in the DHCP server con-
figuration mode, use the command no dns-server.

Binding the Address Pool to an Interface

If the address pool is bound to an interface, the interface runs a DHCP server using the
parameters of the address pool. To bind the address pool to an interface, in the interface
configuration mode, use the following command:
dhcpv6-server enable pool pool-name [rapid-commit] [preference preference]

l pool-name – Specifies an address pool defined in the system.

l rapid-commit – Speeds up obtaining the IPv6 address from the server. Rapid-commit must be
enabled on both the DHCP client and the DHCP server.

l preference preference – Specifies the priority of the DHCP server. The value range is 0 to
255; a larger value means a higher priority.

To disable the DHCP server on the interface, in the interface configuration mode, use the com-
mand no dhcpv6-server enable.

Configuring a DHCP Relay Proxy
The Hillstone device can act as a DHCP relay proxy to receive requests from a DHCP client and
send requests to the DHCP server, and then obtain DHCP information from the server and return
it to the client. The DHCP relay proxy should be configured in the interface configuration mode.
The configurations include:

l Specifying the IP address of the DHCP server

l Enabling DHCP relay proxy on an interface

Enabling DHCP Relay Proxy on an Interface

To enable DHCP relay proxy on an interface, in the interface configuration mode, use the fol-
lowing command:
dhcpv6-relay enable
To disable the DHCP relay proxy on the interface, in the interface configuration mode, use the
command no dhcpv6-relay enable.

Specifying the IP Address of the DHCP Server

To specify the IP address of the DHCP server, in the interface configuration mode, use the fol-
lowing command:
dhcpv6-relay server ipv6-address [interface interface-name]

l ipv6-address – Specifies the IPv6 address of the DHCP server.

l interface interface-name – If the DHCP server address is a link-local address, you must also
specify the egress interface.

To cancel the specified IP address, in the interface configuration mode, use the command no
dhcpv6-relay server ipv6-address [interface interface-name].

Viewing DHCP Configuration Information


In any mode, use the following command to view DHCP configuration information:

l show dhcpv6 duid: Shows the device's DHCP Unique Identifier (DUID) for IPv6.

l show dhcpv6 interface: Shows the information of all interfaces on which IPv6 DHCP is enabled.

l show dhcpv6-client interface interface-name: Shows the information of the specified interface
on which the IPv6 DHCP client is enabled.

l show dhcpv6-server binding pool-name: Shows the address bindings between the DHCP server
and its clients.

l show dhcpv6-server pool pool-name: Shows the address pool information of the DHCP
server.

Configuring IPv6 DNS


StoneOS supports IPv6 DNS for the translation between domain names and IPv6 addresses. IPv6
introduces new DNS record types that map domain names to IPv6 addresses.

Notes: This section only describes IPv6-related configurations. For more inform-
ation about DNS and its configurations, see “DNS” of “Firewall”.

Configuring an IPv6 DNS Proxy Rule


The configuration of an IPv6 DNS proxy rule includes:

l Creating a DNS proxy rule

l Configuring the Filtering Condition of a DNS Proxy rule

l Specifying the Action of a DNS Proxy Rule

l Configuring DNS Proxy Servers

l Modifying/Deleting the Descriptions of a Proxy Rule

l Enabling/Disabling a DNS Proxy Rule

Tip: This section only describes the IPv6-specific filtering conditions of a DNS proxy
rule (IPv6 DNS source address, IPv6 DNS destination address) and the IPv6 DNS proxy
server configuration. All other settings are the same as for the IPv4 DNS proxy. For
details, see Configuring a DNS Proxy in Firewall in the StoneOS_CLI_User_Guide_Firewall.

Specifying IPv6 Source Address

You can specify the source address of the DNS request in the rule to filter the DNS request
message. It is permissible to specify multiple source address filtering conditions. To add or
delete the source address of the DNS request, in DNS proxy rule configuration mode, use the
following commands:

l Add the IPv6 source address of the address entry type: src-addr {ipv6-addr-name | ipv6-any}

l Delete the IPv6 source address of the address entry type: no src-addr {ipv6-addr-name | ipv6-any}

l Add the IPv6 source address of the IP member type: src-ip ipv6-address/netmask

l Delete the IPv6 source address of the IP member type: no src-ip ipv6-address/netmask

l Add the IPv6 source address of the IP range type: src-range min-ipv6-address max-ipv6-address

l Delete the IPv6 source address of the IP range type: no src-range min-ipv6-address max-ipv6-address

Specifying IPv6 Destination Address

You can specify the IPv6 destination address of the DNS request in the rule to filter the DNS
request message. It is permissible to specify multiple destination address filtering conditions.
To add or delete the destination address of the DNS request, in DNS proxy rule configuration
mode, use the following commands:

l Add the IPv6 destination address of the address entry type: dst-addr {ipv6-addr-name | ipv6-any}

l Delete the IPv6 destination address of the address entry type: no dst-addr {ipv6-addr-name | ipv6-any}

l Add the IPv6 destination address of the IP member type: dst-ip ipv6-address/netmask

l Delete the IPv6 destination address of the IP member type: no dst-ip ipv6-address/netmask

l Add the IPv6 destination address of the IP range type: dst-range min-ipv6-address max-ipv6-address

l Delete the IPv6 destination address of the IP range type: no dst-range min-ipv6-address max-ipv6-address

Configuring IPv6 DNS Proxy Servers

When the action of the proxy rule is proxy, you need to configure the DNS proxy servers. You
can specify up to six DNS servers, and you can configure the egress interface and the preferred
property for each server as needed. When multiple DNS servers are configured, the server with
the preferred property is selected for domain name resolution. If no preferred server is
specified, the system checks whether any DNS servers have an egress interface specified; if so,
those servers are selected in round-robin order. If neither kind exists, that is, only regular DNS
servers are configured, the regular servers are selected in round-robin order. To add a DNS
proxy server, in the DNS proxy rule configuration mode, use the following command:
name-server server-ipv6-address [vrouter vrouter-name] [egress-interface interface-name] [preferred]

l server-ipv6-address – Specifies the IPv6 address of the DNS proxy server.

l vrouter-name – Specifies a VRouter for the DNS proxy.

l interface-name – Specifies the outgoing interface for sending DNS proxy requests.

l preferred – Specifies the DNS proxy server as the preferred server. A DNS proxy rule can
specify only one server as the preferred server.

To delete the DNS proxy server, in the DNS proxy rule configuration mode, use the command no
name-server server-ipv6-address [vrouter vrouter-name].
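The server selection order described above, modelled in Python as an added illustration (this is not StoneOS code); the server addresses, interface names and the duplicate-entry check are constructed assumptions:

```python
"""Model of the IPv6 DNS proxy server selection for the name-server command.
Constructed example, not StoneOS code."""
from dataclasses import dataclass
from itertools import cycle
from typing import Iterator, List, Optional, Tuple

MAX_NAME_SERVERS = 6  # a DNS proxy rule holds up to six servers


@dataclass(frozen=True)
class NameServer:
    """One name-server entry of a DNS proxy rule."""
    address: str                            # server-ipv6-address
    vrouter: Optional[str] = None           # vrouter vrouter-name
    egress_interface: Optional[str] = None  # egress-interface interface-name
    preferred: bool = False                 # preferred (at most one per rule)


class DnsProxyRule:
    """Holds the name-server entries of one rule and picks a server per query."""

    def __init__(self) -> None:
        self.servers: List[NameServer] = []
        self._rr_key: Optional[Tuple[NameServer, ...]] = None
        self._rr: Optional[Iterator[NameServer]] = None

    def add_name_server(self, server: NameServer) -> None:
        """name-server ...: enforce the limits stated for the command."""
        if len(self.servers) >= MAX_NAME_SERVERS:
            raise ValueError("a DNS proxy rule accepts at most six servers")
        if server.preferred and any(s.preferred for s in self.servers):
            raise ValueError("only one server per rule may be preferred")
        # Assumption: an address/vrouter pair may appear only once per rule.
        if any(s.address == server.address and s.vrouter == server.vrouter
               for s in self.servers):
            raise ValueError("server already configured in this rule")
        self.servers.append(server)
        self._rr = None  # candidate set changed: restart the round-robin

    def remove_name_server(self, address: str, vrouter: Optional[str] = None) -> None:
        """no name-server server-ipv6-address [vrouter vrouter-name]"""
        self.servers = [s for s in self.servers
                        if not (s.address == address and s.vrouter == vrouter)]
        self._rr = None

    def candidates(self) -> List[NameServer]:
        """Servers eligible for the next query, in the documented priority order."""
        preferred = [s for s in self.servers if s.preferred]
        if preferred:
            return preferred                  # 1. the preferred server wins outright
        with_egress = [s for s in self.servers if s.egress_interface]
        if with_egress:
            return with_egress                # 2. servers that have an egress interface
        return list(self.servers)             # 3. only regular servers remain

    def select(self) -> NameServer:
        """Pick the server for one resolution; round-robin inside the candidate set."""
        cands = self.candidates()
        if not cands:
            raise LookupError("no DNS proxy server configured for this rule")
        key = tuple(cands)
        if self._rr is None or self._rr_key != key:
            self._rr_key = key
            self._rr = cycle(cands)
        return next(self._rr)


def demo_rotation(rule: DnsProxyRule, queries: int) -> List[str]:
    """Addresses chosen for a number of consecutive queries."""
    return [rule.select().address for _ in range(queries)]


if __name__ == "__main__":
    rule = DnsProxyRule()
    rule.add_name_server(NameServer("2001:db8::53", egress_interface="ethernet0/1"))
    rule.add_name_server(NameServer("2001:db8::54"))
    rule.add_name_server(NameServer("2001:db8::55", egress_interface="ethernet0/2"))
    print(demo_rotation(rule, 3))   # only the two egress-interface servers rotate
    rule.add_name_server(NameServer("2001:db8::56", preferred=True))
    print(demo_rotation(rule, 2))   # the preferred server is always chosen
```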

Configuring IPv6 DNS Servers


IPv6 DNS servers are used for domain name resolution. To configure IPv6 DNS servers, in the
global configuration mode, use the following command:
ipv6 name-server ipv6-address1 [ipv6-address2 ] ... [ipv6-address6 ] [vrouter vr-name]

l ipv6-address1 – Specifies the IPv6 address of a DNS server. You can configure up to six
DNS servers with one or several commands, that is, running the command ipv6 name-server
2002:ae3:1111:2222::1 2001:0db8::3 and running the commands ipv6 name-server
2002:ae3:1111:2222::1 and ipv6 name-server 2001:0db8::3 make no difference.

l vrouter vr-name – Specifies the VRouter the IPv6 DNS server belongs to.

To cancel the specified IPv6 DNS servers, in the global configuration mode, use the command no
ipv6 name-server ipv6-address1 [ipv6-address2 ] ... [ipv6-address6 ] [vrouter vr-name].

Configuring an IPv6 DNS Proxy Server List


The IPv6 DNS proxy server list contains mapping entries between domain names and the
corresponding IPv6 DNS servers. The list holds up to six mapping entries. To add a mapping
entry to the IPv6 DNS proxy server list, in the global configuration mode, use the following command:
ipv6 dns-proxy domain {domain-suffix | any} name-server {use-system | ipv6-address1 [ipv6-
address2 ] ... [ipv6-address6 ]} [vrouter vr-name]

l domain-suffix | any – Specifies the suffix of domain name that is used to match the domain
names in IPv6 DNS requests. any indicates any suffix.

l name-server {use-system | ipv6-address1 [ipv6-address2 ] ... [ipv6-address6 ]} – Specifies the
IPv6 DNS servers. They can be either the device's built-in IPv6 DNS servers (use-system) or
explicitly specified IPv6 addresses (ipv6-address1 [ipv6-address2 ] … [ipv6-address6 ]). You can
specify up to six IPv6 addresses.

l vrouter vr-name – Specifies the VRouter the IPv6 DNS server belongs to.

To delete the specified mapping entry, in the global configuration mode, use the command no
ipv6 dns-proxy domain {domain-suffix | any} [vrouter vr-name].
For example, to add a mapping entry for the domain suffix com whose IPv6 DNS server is
2010::1, use the following command:

hostname(config)# ipv6 dns-proxy domain com name-server 2010::1

Enabling/Disabling IPv6 DNS Proxy


The IPv6 DNS proxy on interfaces is disabled by default. To enable IPv6 DNS proxy on an inter-
face, in the interface configuration mode, use the following command:
dns-proxy
To disable DNS proxy, in the interface configuration mode, use the command no dns-proxy.

Adding a Static IPv6 DNS Mapping Entry


To add a static IPv6 DNS mapping entry to the cache manually, in the global configuration mode,
use the following command:
ipv6 host host-name {ipv6-address1 [ipv6-address2 ] ... [ipv6-address8 ]} [vrouter vr-name]

l host-name – Specifies the hostname. The length is 1 to 255 characters.

l {ipv6-address1 [ipv6-address2 ] ... [ipv6-address8 ]} – Specifies the IPv6 addresses of the
host. You can specify up to eight IPv6 addresses.

l vrouter vr-name – Specifies the VRouter the host belongs to.

To delete the specified static IPv6 DNS mapping entry, in the global configuration mode, use the
command no ipv6 host host-name [vrouter vr-name].

Clearing a Dynamic IPv6 DNS Mapping Entry
To clear a dynamic IPv6 DNS mapping entry manually, in the execution mode, use the following
command:
clear ipv6 host [host-name [vrouter vr-name] ]

l host-name – Clears IPv6 DNS mapping entries of the specified host.

l vrouter vr-name – Specifies the VRouter the host belongs to.

This command is used to clear the specified or all the dynamic IPv6 DNS mapping entries. To
clear static IPv6 DNS mapping entries that are configured manually, in the global configuration
mode, use the command no ipv6 host host-name [vrouter vr-name].

Viewing IPv6 DNS Mapping Entries


To view IPv6 DNS mapping entries, in any mode, use the following command:
show ipv6 host [host-name] [vrouter vr-name]

l host-name – Shows IPv6 DNS mapping entries of the specified host.

l vrouter vr-name – Specifies the VRouter the host belongs to.

Viewing IPv6 DNS Configuration


To view IPv6 DNS configuration, in any mode, use the following command:
show ipv6 dns

Configuring PMTU
When an IPv6 node sends a large amount of data to another node, the data is transferred as a
series of IPv6 packets. Ideally these packets should not exceed the largest size that can be
forwarded along the path from the source node to the destination node without fragmentation.
This size is known as the path MTU (PMTU); it equals the smallest link MTU of all hops in the
path. IPv6 defines a standard mechanism for discovering the PMTU of any path, and StoneOS
supports this PMTU discovery mechanism.

By default the PMTU discovery mechanism in StoneOS is disabled. To enable or disable the
PMTU discovery mechanism, in the flow configuration mode, use the following commands:

l Enable: ipv6 pmtu enable

l Disable: no ipv6 pmtu enable

Tip: To enter the flow configuration mode, in the global configuration mode, use
the command flow.

With PMTU discovery enabled, the system creates a PMTU entry that records the destination
address, interface, PMTU value and aging out time after receiving an ICMPv6 Packet Too Big error.
If any session to the destination address of the PMTU entry is established within the aging out
time, the system refreshes the aging out time, i.e., restarts the countdown; if no session matches
the PMTU entry within the aging out time, the entry is aged out and deleted. You can specify an
appropriate aging out time for the PMTU entries as needed.
To specify an aging out time, in the flow configuration mode, use the following command:
ipv6 pmtu ageout-time time

l time – Specifies the aging out time. The value range is 10 to 600 seconds. The default value
is 300.

To restore to the default aging out time, in the flow configuration mode, use the following com-
mand:
no ipv6 pmtu ageout-time
You can also clear a PMTU entry immediately as needed. To clear a PMTU entry, in any mode,
use the following command (if no optional parameter is specified, the command will clear all the
existing PMTU entries):
clear ipv6 pmtu [dst-ip ipv6-address interface interface-name]

l ipv6-address – Specifies the IPv6 address of the PMTU entry that will be deleted.

l interface-name – Specifies the interface of the PMTU entry that will be deleted.

To view PMTU entry information, in any mode, use the following command (if no optional para-
meter is specified, the command will show the information of all the existing PMTU entries):
show ipv6 pmtu [dst-ip ipv6-address interface interface-name]

l ipv6-address – Shows the PMTU entry of the specified IPv6 address.

l interface-name – Shows the PMTU entry of the specified interface.

To view the status of PMTU, e.g., if the function is enabled, or the aging out time, in any mode,
use the following command:
show ipv6 pmtu status
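The PMTU entry life cycle described in this section (creation on Packet Too Big, refresh by a matching session, aging out, clearing), modelled in Python as an added illustration that is not StoneOS code; the addresses, interface names and the rule that a later Packet Too Big lowers the recorded MTU are constructed assumptions:

```python
"""Model of the StoneOS PMTU entry table. Constructed example, not StoneOS code.
Times are integer seconds."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AGEOUT_MIN, AGEOUT_MAX, AGEOUT_DEFAULT = 10, 600, 300  # ipv6 pmtu ageout-time range


@dataclass
class PmtuEntry:
    dst_ip: str
    interface: str
    pmtu: int
    expires_at: int  # absolute time at which the entry ages out


class PmtuTable:
    """Keeps one entry per (destination address, interface) pair."""

    def __init__(self, ageout_time: int = AGEOUT_DEFAULT) -> None:
        if not AGEOUT_MIN <= ageout_time <= AGEOUT_MAX:
            raise ValueError("ageout-time must be between 10 and 600 seconds")
        self.ageout_time = ageout_time
        self._entries: Dict[Tuple[str, str], PmtuEntry] = {}

    def on_packet_too_big(self, dst_ip: str, interface: str,
                          reported_mtu: int, now: int) -> PmtuEntry:
        """An ICMPv6 Packet Too Big error creates (or updates) the entry."""
        key = (dst_ip, interface)
        entry = self._entries.get(key)
        if entry is None or entry.expires_at <= now:
            entry = PmtuEntry(dst_ip, interface, reported_mtu, now + self.ageout_time)
            self._entries[key] = entry
        else:
            # Assumption: the entry keeps the smallest MTU reported for the path.
            entry.pmtu = min(entry.pmtu, reported_mtu)
            entry.expires_at = now + self.ageout_time
        return entry

    def on_session(self, dst_ip: str, now: int) -> bool:
        """A session to dst_ip within the aging out time restarts the countdown."""
        hit = False
        for entry in self._entries.values():
            if entry.dst_ip == dst_ip and entry.expires_at > now:
                entry.expires_at = now + self.ageout_time
                hit = True
        return hit

    def _purge(self, now: int) -> None:
        """Drop entries whose aging out time has elapsed."""
        self._entries = {k: e for k, e in self._entries.items() if e.expires_at > now}

    def lookup(self, dst_ip: str, interface: str, now: int) -> Optional[int]:
        """PMTU currently recorded for the pair, or None if no live entry exists."""
        self._purge(now)
        entry = self._entries.get((dst_ip, interface))
        return entry.pmtu if entry else None

    def clear(self, dst_ip: Optional[str] = None,
              interface: Optional[str] = None) -> int:
        """clear ipv6 pmtu [dst-ip ... interface ...]; returns entries removed."""
        if dst_ip is None and interface is None:
            count = len(self._entries)
            self._entries.clear()
            return count
        return 1 if self._entries.pop((dst_ip, interface), None) is not None else 0

    def show(self, now: int) -> List[PmtuEntry]:
        """show ipv6 pmtu: all live entries."""
        self._purge(now)
        return sorted(self._entries.values(), key=lambda e: (e.dst_ip, e.interface))


if __name__ == "__main__":
    table = PmtuTable()                                    # default 300 s aging
    table.on_packet_too_big("2001:db8::1", "ethernet0/1", 1400, now=0)
    table.on_session("2001:db8::1", now=200)               # refreshed, now expires at 500
    print(table.lookup("2001:db8::1", "ethernet0/1", now=450))  # 1400
    print(table.lookup("2001:db8::1", "ethernet0/1", now=500))  # None, aged out
```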

Configuring User-defined Application


In addition to the predefined applications, you can create user-defined applications based on
IPv6 addresses. With customized application signature rules, StoneOS can identify the type of
the IPv6 traffic passing through the device and manage it accordingly.
The configuration of an IPv6 user-defined application includes:

l Configuring IPv6 source address

l Configuring IPv6 destination address

Tip: This section only describes IPv6-related configurations. For more inform-
ation about User-defined Application and its configurations, see “Service and
Application” of “Firewall”.

Creating/Deleting the User-defined Applications


To create a user-defined application and add this newly-created one to the application book, use
the following command in the global configuration mode:
application application-name

l application-name – Specifies the name of the user-defined application. You can specify up to
31 characters. This name must be unique in the entire system.

After executing this command, the system enters the application configuration mode.
To delete the user-defined application, use the following command:
no application application-name

Enabling the User-defined Application Signature Configuration Mode


To enable the user-defined application signature configuration mode, use the following command
in the global configuration mode:
app-signature

Enabling the Application Signature Rule Configuration Mode


In the user-defined application signature configuration mode, use the following command to
create a user-defined application signature rule and enter the application signature rule
configuration mode. If the specified ID already exists, the system enters the application
signature rule configuration mode of that rule.
signature [id id]

l id – Specifies the ID of the user-defined application signature rule. If the ID is not specified,
the system creates a user-defined application signature rule and assigns the ID automatically.

To delete this user-defined application signature rule, use the following command in the
application signature rule configuration mode:
no signature id id

Configuring IPv6 Source Address


To specify the IPv6 source address for the user-defined application signature, use the following
command in the application signature rule configuration mode:
src-ipv6 ipv6-address

l ipv6-address – Specifies the IPv6 source address for the user-defined application signature.

Configuring IPv6 Destination Address
To specify the IPv6 destination address for the user-defined application signature, use the fol-
lowing command in the application signature rule configuration mode:
dst-ipv6 ipv6-address

l ipv6-address – Specifies the IPv6 destination address for the user-defined application sig-
nature.

Configuring a User-defined ICMPv6 Application Rule


To add an ICMPv6 application rule, in the application signature rule configuration mode, use the
following command:
protocol icmpv6 type type-value [code min-code [max-code]]

l type-value – Specifies the ICMPv6 type value. For more information about the value range,
see Appendix 1: ICMPv6 Type and Code. The default value is Any, which indicates all the
ICMPv6 type values.

l code min-code [max-code] – Specifies the minimum code value (min-code) and maximum
code value (max-code) for ICMPv6. The value range is 0 to 255. If the code value is not spe-
cified, by default the system will use the code value that corresponds to the Type value
(defined in RFC); if the maximum code value is not specified, by default the system will use
the minimum code value as the maximum code value.

To delete the specified ICMPv6 application rule, in the application signature rule configuration
mode, use the following command:
no protocol

Configuring an IPv6 Policy Rule


Policy is a basic function of network security devices. Network traffic is controlled by policy
rules. StoneOS supports both IPv4 and IPv6 policy rules. The basic components of a policy rule
include addresses (source and destination address), service and action. This section describes
the IPv6 configuration of these components.

Configuring an IPv6 Address Entry


StoneOS address book supports both IPv4 and IPv6 address entries. IPv4 address entries only
contain members of IPv4 addresses, IPv4 segments, IPv4 hosts and other IPv4 address entries;
IPv6 address entries only contain members of IPv6 addresses, IPv6 segments and other IPv6
address entries. The address book contains a default address entry named ipv6-any that contains
all the IPv6 addresses; the address entry named Any contains all the IPv4 addresses.

Tip: This section only describes the configuration of IPv6-related policy rules.
For more information about policy rule configurations, see “Policy”.

To create an address entry and enter the address entry configuration mode, in the global con-
figuration mode, use the following command:
address address-entry ipv6
If the specified address entry already exists, the system will directly enter the address entry con-
figuration mode. To add an IPv6 address to the address entry or delete an IPv6 address from the
address entry, in the address entry configuration mode, use the following commands:
ip ipv6-address/M
no ip ipv6-address/M
To add an IPv6 address range to the address entry or delete an IPv6 address range from the
address entry, in the address entry configuration mode, use the following commands:
range min-ipv6-address max-ipv6-address
no range min-ipv6-address max-ipv6-address
When creating an IPv6 address entry, keep in mind that:

l An IPv6 address entry cannot nest an IPv4 address entry, and vice versa;

l The first 64 bits of an IPv6 address range must be identical. For example, the address range
from 2005::1 to 2006::1 is not permitted, while the address range from 2005::1 to 2005::1000
is permitted;

l The current version does not support hosts with IPv6 addresses.
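A model of an IPv6 address entry that enforces the three rules above (no cross-family nesting, identical first 64 bits of a range, no IPv6 hosts), written in Python as an added illustration that is not StoneOS code; the entry names and sample addresses are constructed, and the containment check is my own addition to show what the members cover:

```python
"""Model of a StoneOS IPv6 address book entry. Constructed example, not StoneOS code."""
import ipaddress
from typing import List, Tuple

IPv6Net = ipaddress.IPv6Network
IPv6Addr = ipaddress.IPv6Address


class AddressEntryError(ValueError):
    """Raised for a member the address book would reject."""


class AddressEntry:
    """An address entry; family is 'ipv6' (address name ipv6) or 'ipv4'."""

    def __init__(self, name: str, family: str = "ipv6") -> None:
        self.name = name
        self.family = family
        self.prefixes: List[IPv6Net] = []                   # ip ipv6-address/M
        self.ranges: List[Tuple[IPv6Addr, IPv6Addr]] = []   # range min max
        self.members: List["AddressEntry"] = []             # nested address entries

    def add_ip(self, cidr: str) -> None:
        """ip ipv6-address/M: only IPv6 prefixes are accepted in an IPv6 entry."""
        try:
            self.prefixes.append(IPv6Net(cidr, strict=False))
        except ValueError as exc:
            raise AddressEntryError(f"{cidr!r} is not an IPv6 prefix") from exc

    def add_range(self, min_addr: str, max_addr: str) -> None:
        """range min-ipv6-address max-ipv6-address"""
        lo, hi = IPv6Addr(min_addr), IPv6Addr(max_addr)
        if lo > hi:
            raise AddressEntryError("min address is greater than max address")
        # The first 64 bits of both ends of the range must be identical.
        if int(lo) >> 64 != int(hi) >> 64:
            raise AddressEntryError(
                f"range {min_addr}-{max_addr} spans more than one /64 prefix")
        self.ranges.append((lo, hi))

    def add_entry(self, other: "AddressEntry") -> None:
        """Nest another entry; IPv6 and IPv4 entries cannot nest each other."""
        if other.family != self.family:
            raise AddressEntryError(
                f"cannot nest {other.family} entry {other.name!r} in an "
                f"{self.family} entry")
        self.members.append(other)

    def contains(self, address: str) -> bool:
        """True if any prefix, range or nested entry covers the address."""
        if self.name == "ipv6-any":  # the default entry holds every IPv6 address
            return True
        addr = IPv6Addr(address)
        if any(addr in net for net in self.prefixes):
            return True
        if any(lo <= addr <= hi for lo, hi in self.ranges):
            return True
        return any(member.contains(address) for member in self.members)


def range_is_valid(min_addr: str, max_addr: str) -> bool:
    """Whether the address book would accept this range."""
    try:
        AddressEntry("probe").add_range(min_addr, max_addr)
        return True
    except AddressEntryError:
        return False


def nesting_allowed(parent: AddressEntry, child: AddressEntry) -> bool:
    """Whether child may be added as a member of parent."""
    try:
        parent.add_entry(child)
        return True
    except AddressEntryError:
        return False


if __name__ == "__main__":
    servers = AddressEntry("v6-servers")
    servers.add_ip("2001:db8:1::/64")
    servers.add_range("2005::1", "2005::1000")
    print(servers.contains("2005::800"))             # True
    print(range_is_valid("2005::1", "2006::1"))      # False: first 64 bits differ
```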

Configuring an IPv6 Service


StoneOS adds new predefined services to the service book to support IPv6; it also supports
IPv6 ports for some network applications. To view all the supported predefined services and
service groups, use the commands show service predefined and show servgroup predefined
respectively. A service group can contain both IPv4 and IPv6 services. You can also create a
user-defined IPv6 service (ICMPv6) as needed.

Tip: For more information about the configuration of IPv4 service book, see
“Application and Service” of “Firewall”.

For more information about how to create a user-defined ICMPv6 service, see the section below:
To create a user-defined service and enter the user-defined service configuration mode, in the
global configuration mode, use the following command:
service service-name
If the specified service already exists, the system will directly enter the user-defined service con-
figuration mode.
To add an ICMPv6 service, in the user-defined service configuration mode, use the following command:
icmpv6 type type-value [code min-code [max-code]]

l type-value – Specifies the ICMPv6 type value. For more information about the value range,
see Appendix 1: ICMPv6 Type and Code. The default value is Any, which indicates all the
ICMPv6 type values.

l code min-code [max-code] – Specifies the minimum code value (min-code) and maximum
code value (max-code) for ICMPv6. The value range is 0 to 6 and Any (any ICMPv6 code
value). If the code value is not specified, by default the system will use the code value that
corresponds to the Type value (defined in RFC); if the maximum code value is not specified,
by default the system will use the minimum code value as the maximum code value.

To delete the specified ICMPv6 service, in the user-defined service configuration mode, use the
following command:
no icmpv6 type type-value [code min-code [max-code]] [timeout timeout-value]

Configuring an Action for IPv6 Policy Rule


IPv4 policy rules support the following five actions: deny, permit, fromtunnel, tunnel and
webauth; in the current version IPv6 policy rules only support two basic actions: deny and per-
mit.

Configuring an IPv6 Policy Rule


When configuring a policy rule, you must specify the same type of source address and destination
address, i.e., if the source address is an IPv6 address, the destination address must be an IPv6
address.
To configure an IPv6 policy rule, in the policy configuration mode (to enter the policy con-
figuration mode, in the global configuration mode, use the command policy-global), use the fol-
lowing command:
rule [id id] [top | before id | after id] from {src-addr | ipv6-address} to {dst-addr | ipv6-address}
service service-name [application app-name] {permit | deny}

l id id – Specifies the ID of the policy rule. If not specified, the system will automatically
assign an ID to the policy rule. The ID must be unique in the entire system.

l top | before id | after id – Specifies the location of the policy rule. The location can be top
| before id | after id. By default, the newly-created policy rule is located at the end of all the
rules.

l from src-addr – Specifies the source address of the policy rule. src-addr can be an IPv6
address, an IPv6 address entry defined in the address book, or ipv6-any.

l to dst-addr – Specifies the destination address of the policy rule. dst-addr can be an IPv6
address, an IPv6 address entry defined in the address book, or ipv6-any.

l service service-name – Specifies the service name of the policy rule. service-name is the ser-
vice defined in the service book.

l permit | deny – Specifies the action of the policy rule. permit means the system permits the
traffic to pass through; deny means the system denies the traffic.

Besides you can also use the following command in the policy configuration mode to create a
policy rule ID and enter the policy rule configuration mode for further configurations:
rule {id id | {top | before id | after id}}

l id id – Specifies the ID of the policy rule. If the policy exists, the system will directly enter
the policy configuration mode. If not specified, the system will automatically assign an ID to
the policy rule. The ID must be unique in the entire system. The policy rule ID is not related
to the matching sequence of the policy rule.

l top | before id | after id – Specifies the location of the policy rule. The location can be top
| before id | after id. By default, the newly-created policy rule is located at the end of all the
rules.

Editing an IPv6 Policy Rule


You can edit the parameters of a policy rule in the policy rule configuration mode. To enter the
policy rule configuration mode via CLI, in the global configuration mode, use the following
commands:

l rule {id id | {top | before id | after id}}

l rule id id (this form applies when the ID already exists. To delete the rule, use the
command no rule id id.)

After entering the policy rule configuration mode, to edit the policy rule, use the following com-
mands:

l To add the source address of the IP member type: src-ip ipv6-address/M

l To delete the source address of the IP member type: no src-ip ipv6-address/M

l To add the source address of the IP range type: src-range min-ipv6-address [max-ipv6-address]

l To delete the source address of the IP range type: no src-range min-ipv6-address [max-ipv6-
address]

l To add the destination address of the IP member type: dst-ip ipv6-address/M

l To delete the destination address of the IP member type: no dst-ip ipv6-address/M

l To add the destination address of the IP range type: dst-range min-ipv6-address [max-ipv6-
address]

l To delete the destination address of the IP range type: no dst-range min-ipv6-address [max-
ipv6-address]

Configuring Access Control for an IPv6 Policy


By combining an ACL profile with a policy rule, Hillstone devices can apply access control to the
IPv6 packets matched by an IPv6 policy based on attributes such as the IPv6 extension header
and the source/destination MAC address.
To configure the access control function, take the following three steps:

1. Configure an ACL profile, which contains the access control rules.

2. Configure an access control rule, which specifies the IPv6 extension header to control, the rule
type and the control action.

3. Bind the ACL profile to a policy rule. The access control function takes effect on the device
only after the configured ACL profile is bound to a policy rule.



Configuring an ACL Profile

The ACL profile is configured in the ACL profile configuration mode. To enter the ACL profile configuration mode, in the global configuration mode, use the following command:
acl-profile acl-profile-name

• acl-profile-name – Specifies the name of the ACL profile. After the command is executed, the system creates an ACL profile with the specified name and enters the ACL profile configuration mode; if the specified name already exists, the system directly enters the ACL profile configuration mode. You can configure up to 64 ACL profiles.

To delete the specified ACL profile, in the global configuration mode, use the command no acl-profile acl-profile-name.

Configuring an Access Control Rule

To configure an access control rule, in the ACL profile configuration mode, use the following command:
sequence id {drop | pass} [both | forward | backward] [src-mac src-mac-address] [dst-mac dst-mac-address] [dscp dscp-value] [flow-label flow-label-value [end-flow-label-value]] [ext-header [ah] [fragment] [esp] [hop] [none] [dest [dest-value1 [dest-value2 | home-address]]] [mobility [mobility-value1 [mobility-value2] | bind-refresh | bind-ack | bink-err | bind-update | cot | coti | hot | hoti]] [routing [routing-value1 [routing-value2]] [no-recommended-order | recommended-order]] [single-ext-header {ah | dest | esp | fragment | hop | mobility | routing} number {equal | greater-than | less-than} number] [log]

• id – Specifies the ID of the access control rule. The range is 1 to 32.

• drop | pass – Specifies the action of the access control rule: drop or pass.

• both | forward | backward – Specifies the traffic direction of the access control rule.

• src-mac src-mac-address – Specifies the source MAC address of the access control rule.

• dst-mac dst-mac-address – Specifies the destination MAC address of the access control rule.

• dscp dscp-value – Specifies the DSCP value. The range is 0 to 63.

• flow-label flow-label-value [end-flow-label-value] – Specifies the IPv6 flow label or flow label range. The range is 0 to 1048575.

• ext-header [ah] [fragment] [esp] [hop] [none] [dest [dest-value1 [dest-value2 | home-address]]] [mobility [mobility-value1 [mobility-value2] | bind-refresh | bind-ack | bink-err | bind-update | cot | coti | hot | hoti]] [routing [routing-value1 [routing-value2]] [no-recommended-order | recommended-order]] – Specifies the IPv6 extension header and its parameter values.

• no-recommended-order | recommended-order – Specifies whether the access control rule restricts the IPv6 extension headers to the recommended order. recommended-order means the extension headers must be arranged in the recommended order; no-recommended-order means the extension headers are arranged out of the recommended order. If the restriction is met, the system processes the packet according to the action of the rule.

• single-ext-header {ah | dest | esp | fragment | hop | mobility | routing} number {equal | greater-than | less-than} number – Specifies a limit on the number of occurrences of a single extension header in an IPv6 packet for the access control rule.

• log – The system logs packets that match the access control rule.

To delete the specified access control rule, in the ACL profile configuration mode, use the command no sequence id.

Configuring the Default Action

When no access control rule is hit, the system takes the specified default access control action. To configure the default action, in the ACL profile configuration mode, use the following command:
default-action {drop |pass}

• drop | pass – Specifies the default action of the ACL profile: drop or pass.

To delete the default action, in the ACL profile configuration mode, use the command no default-action.
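As an added illustration of how the rules of an ACL profile (step 2 of the procedure above) and its default action combine, the following Python models the ext-header, recommended-order and single-ext-header conditions; it is not StoneOS code. The evaluation order (ascending sequence id, first hit wins), the requirement that every listed ext-header keyword be present, and the use of the RFC 8200 header order as the "recommended order" are assumptions; the mobility header is left out of the model.

```python
"""Model of how an ACL profile's access control rules are applied to an IPv6
extension-header chain (added example; not StoneOS code).

Assumptions: rules are tried in ascending sequence id, the first matching
rule decides, and default-action applies when no rule hits. The recommended
order is taken from RFC 8200 section 4.1; the mobility header is not
modelled. Sample rules and header chains are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Recommended order of extension headers (RFC 8200, section 4.1). The
# destination options header may appear twice: before routing and last.
RECOMMENDED_ORDER = ["hop", "dest", "routing", "fragment", "ah", "esp", "dest"]


def in_recommended_order(chain: List[str]) -> bool:
    """True if every header of the chain appears in RFC 8200 order."""
    pos = 0
    for header in chain:
        while pos < len(RECOMMENDED_ORDER) and RECOMMENDED_ORDER[pos] != header:
            pos += 1
        if pos == len(RECOMMENDED_ORDER):
            return False  # header unknown or out of sequence
        pos += 1
    return True


@dataclass
class AclRule:
    """One 'sequence id {drop | pass} ...' line, reduced to the fields modelled."""
    seq: int
    action: str                                    # "drop" or "pass"
    ext_headers: frozenset = frozenset()           # ext-header keywords; all must be present (assumption)
    order: Optional[str] = None                    # "recommended-order" | "no-recommended-order" | None
    single: Optional[Tuple[str, str, int]] = None  # single-ext-header (header, op, number)
    log: bool = False


def rule_matches(rule: AclRule, chain: List[str]) -> bool:
    if rule.ext_headers and not rule.ext_headers <= set(chain):
        return False
    ordered = in_recommended_order(chain)
    if rule.order == "recommended-order" and not ordered:
        return False
    if rule.order == "no-recommended-order" and ordered:
        return False
    if rule.single is not None:
        name, op, n = rule.single
        count = chain.count(name)
        if not {"equal": count == n,
                "greater-than": count > n,
                "less-than": count < n}[op]:
            return False
    return True


def evaluate(rules: List[AclRule], default_action: str,
             chain: List[str]) -> Tuple[str, Optional[int], bool]:
    """Return (action, matching sequence id or None, whether to log)."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule_matches(rule, chain):
            return rule.action, rule.seq, rule.log
    return default_action, None, False


# Constructed profile: drop repeated fragment headers (and log it), drop
# chains that violate the recommended order, pass anything with hop-by-hop.
PROFILE = [
    AclRule(1, "drop", single=("fragment", "greater-than", 1), log=True),
    AclRule(2, "drop", order="no-recommended-order"),
    AclRule(3, "pass", ext_headers=frozenset({"hop"})),
]
DEFAULT_ACTION = "pass"


def classify(chain: List[str]) -> Tuple[str, Optional[int], bool]:
    return evaluate(PROFILE, DEFAULT_ACTION, chain)


if __name__ == "__main__":
    for sample in (["hop", "fragment", "fragment"], ["fragment", "hop"],
                   ["hop", "routing"], ["esp"], []):
        print(sample, "->", classify(sample))
```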

Binding the ACL Profile to a Policy Rule

A configured ACL profile does not take effect until it is bound to a policy rule. To bind an ACL profile to a policy rule, in the policy configuration mode, use the following command:
acl acl-profile-name

• acl-profile-name – Specifies the name of the ACL profile to be bound.

To cancel the binding, in the ACL profile configuration mode, use the command no acl.

Viewing ACL Profile Information

To view the ACL profile configuration, in any mode, use the following command:
show acl-profile [acl-profile-name]

• acl-profile-name – Shows the configuration of the specified ACL profile. If this parameter is not specified, the command shows the configurations of all the ACL profiles.

Configuring IPv6 ALG


As with IPv4 ALG, the system supports IPv6 ALG for the following protocols: FTP, TFTP, HTTP, RSH, SIP, MSRPC, RTSP, SQLNetV2 and SUNRPC. You can also specify IPv6 addresses for the IPs that are not restricted by the URL filter. When configuring an ALG-related policy rule, make sure the rule references IPv6 addresses, for example, rule from ipv6-any to ipv6-any service ftp permit.

Notes: The ALG function of FTP, TFTP, HTTP, RSH, SIP, MSRPC, RTSP,
SQLNetV2 and SUNRPC is enabled by default, while the ALG function of FTPS is
disabled by default.



NDP Protection
NDP is a key IPv6 protocol, but it was not designed with any authentication mechanism, so network nodes cannot be trusted and the protocol itself can be attacked. The main attacks include:

• Address spoofing: Attackers modify the MAC address of the victim host via RS (Router Solicitation)/NS (Neighbor Solicitation)/NA (Neighbor Advertisement)/RA (Router Advertisement)/Redirect packets, or modify the MAC address of the gateway via RS/NS/NA/RA packets, causing communication errors between the victim host and the network.

• DAD attack: When the victim host performs a DAD query, attackers interfere with the process using NS or NA packets, so that DAD fails and the victim host cannot obtain an IP address.

• RA spoofing: Attackers forge RA packets, causing network configuration errors on the victim host.

• Flooding: Attackers send huge numbers of NS/RS/NA/RA packets to flood the ND table entries on the gateway.

• Redirection: Attackers use a link-layer address as the source address and send redirect packets to the victim host; when the victim host accepts the erroneous redirect message, its routing table is modified.

StoneOS provides a series of NDP protection measures against the above attacks to assure the security of the IPv6 network, including:

• IP-MAC binding

• NDP learning

• NDP inspection

• NDP spoofing defense (NDP reverse query, IP number per MAC check, unsolicited NA packet rate)

• NDP spoofing statistics

You can adopt different protection measures for different network applications. For example, to
implement Layer 2 NDP protection, you can enable NDP inspection (configuring an NDP packet
rate limit, configuring a trusted interface, denying RA packets); to implement Layer 3 protection,
you can disable NDP learning or dynamic entry learning, enable ND reverse query, or enable one-
click binding to convert dynamic IP-MAC entries to static entries.
The following section describes the configuration and usage of the above protection measures.

IP-MAC Binding
To reinforce network security control, the device supports IP-MAC binding. The binding inform-
ation can be obtained statically or dynamically: the information learned via NDP is known as
dynamic binding information, and the information manually configured is known as static binding
information. To simplify the configuration of static IP-MAC binding, you can convert the
dynamic binding information to static binding information by one-click binding. Both the static
and dynamic binding information is stored in the IPv6 ND cache table.

Adding a Static IP-MAC Binding Entry

To add a static IP-MAC binding entry to the cache table, in the global configuration mode, use the following command:
ipv6 neighbor ipv6-address interface-name mac-address

• ipv6-address – Specifies the IPv6 address of the static binding entry.

• interface-name – Specifies the interface of the static binding entry.

• mac-address – Specifies the MAC address of the static binding entry.

To delete the specified static IP-MAC binding entry, in the global configuration mode, use the following command:
no ipv6 neighbor {all | ipv6-address interface-name}



One-click Binding

One-click binding converts the dynamic IP-MAC binding entries obtained via NDP learning to static binding entries; use it at a time when all the hosts in the Intranet can access the Internet. To perform one-click binding, in the execution mode, use the following command:
exec ipv6 nd-dynamic-to-static [vrouter vr-name]

• vr-name – Specifies the VRouter on which the function is performed. The default value is the default VR trust-vr.

The above command converts all the dynamic IP-MAC binding entries in the system to static binding entries.

Permitting Static IP-MAC Binding Hosts Only

By default, the system allows hosts that are dynamically learned via NDP to access the Internet. To allow only hosts with static IP-MAC binding entries to access the Internet, in the interface configuration mode, use the following command:
ipv6 nd-disable-dynamic-entry
To disable the function, in the interface configuration mode, use the following command:
no ipv6 nd-disable-dynamic-entry

Viewing IP-MAC Binding Information

To view IP-MAC binding information, in any mode, use the following command (if no parameter is specified, the command shows all the static and dynamic IP-MAC binding entries in the system):
show ipv6 neighbor [generic | interface interface-name | slot slot-num | static | vrouter vr-name | ipv6-address]

• generic – Shows IP-MAC binding entry statistics.

• interface interface-name – Shows IP-MAC binding entries of the specified interface.

• slot slot-num – Shows IP-MAC binding entries of the specified slot. Only available on some devices (X6150, X6180, X7180, X10800).

• vrouter vr-name – Shows IP-MAC binding entries of the specified VRouter.

• static – Shows static IP-MAC binding entries.

• ipv6-address – Shows IP-MAC binding information of the specified IPv6 address.

Clearing Dynamic IP-MAC Binding Information

To clear dynamic IP-MAC binding information, in any mode, use the following command (if no parameter is specified, the command clears all the dynamic IP-MAC binding information in the system):
clear ipv6 neighbor [ipv6-address]

• ipv6-address – Clears IP-MAC binding information of the specified IPv6 address.

NDP Learning
Hillstone devices obtain IP-MAC binding information in the Intranet via NDP learning and add the binding information to the ND table. NDP learning is enabled by default, i.e., the device keeps performing NDP learning and adds all the learned IP-MAC binding information to the ND table. If any IP or MAC address changes during NDP learning, the device updates the IP-MAC binding information and adds it to the ND table. With NDP learning disabled, the system only allows hosts whose IP addresses are in the ND table to forward packets.
To configure NDP learning, in the interface configuration mode, use the following commands:

• Enable: ipv6 nd-learning

• Disable: no ipv6 nd-learning

NDP Learning Limit

After the NDP learning function is enabled, a user host connected to the interface that initiates NDP attacks may exhaust the ND entry resources, leaving other interfaces unable to perform NDP learning. To avoid this issue, the system allows you to enable the NDP learning limit and specify the maximum number of ND entries that can be learned on the interface. Once the limit is specified, the interface no longer performs NDP learning after the maximum number of ND entries is reached.
To enable the NDP learning limit function and specify the limit, in the interface configuration mode, use the following command:
ipv6 nd-learning-limit number

• number – Specifies the maximum number of IP-MAC bindings that can be learned on the interface. Valid values: 1 to capacity. The capacity varies by device platform.

In the interface configuration mode, use the no ipv6 nd-learning-limit command to disable the NDP learning limit function.

NDP Inspection
Hillstone devices support NDP inspection on interfaces. With this function enabled, the system checks all the NDP packets passing through the specified interface and compares the IP addresses of the NDP packets with the static binding entries in the ND cache table:

• If the IP address is in the ND cache table, and the MAC address and interface of the packet are also consistent with the binding entry, the system forwards the NDP packet;

• If the IP address is in the ND cache table, but the MAC address or interface of the packet is not consistent with the binding entry, the system drops the NDP packet;

• If the IP address is not in the ND cache table, the system drops or forwards the packet according to the configuration (ipv6 nd-inspection {drop | forward}).

Enabling/Disabling NDP Inspection

The BGroup and VSwitch interfaces of StoneOS support NDP inspection. This function is disabled by default. To enable NDP inspection on a BGroup or VSwitch interface, in the BGroup or VSwitch interface configuration mode, use the following command:
ipv6 nd-inspection {drop | forward}

• drop – Drops NDP packets whose IP addresses are not in the ND cache table.

• forward – Forwards NDP packets whose IP addresses are not in the ND cache table.

To disable NDP inspection, in the BGroup or VSwitch interface configuration mode, use the following command:
no ipv6 nd-inspection

Configuring a Trusted Interface

You can configure a physical interface in a BGroup or VSwitch as a trusted interface. Packets passing through the trusted interface are exempt from NDP inspection. By default, all the interfaces on the device are untrusted. To configure a trusted interface, in the interface configuration mode, use the following command:
ipv6 nd-inspection trust
To cancel the trusted interface setting, in the interface configuration mode, use the following command:
no ipv6 nd-inspection trust
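The three inspection outcomes listed under NDP Inspection, together with the trusted-interface exemption above, as an added Python model (not StoneOS code); the interface names, MAC addresses and ND cache contents are constructed, and checking the trusted interface before the cache lookup is an assumption about ordering.

```python
"""Model of the NDP inspection decision on a BGroup/VSwitch interface (added
example; not StoneOS code). The ND cache, packets and interface names are
constructed; exempting a trusted interface before any lookup is an assumption.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class StaticEntry:
    """A static IP-MAC binding from 'ipv6 neighbor <ip> <interface> <mac>'."""
    interface: str
    mac: str


@dataclass(frozen=True)
class NdpPacket:
    src_ip: str
    src_mac: str
    ingress: str  # interface the packet arrived on


@dataclass(frozen=True)
class InspectionConfig:
    unknown_action: str        # ipv6 nd-inspection {drop | forward}
    trusted: FrozenSet[str]    # interfaces with 'ipv6 nd-inspection trust'


def inspect(pkt: NdpPacket, cache: Dict[IPv6Address, StaticEntry],
            cfg: InspectionConfig) -> Tuple[str, str]:
    """Return (verdict, reason) for one NDP packet."""
    if pkt.ingress in cfg.trusted:
        return "forward", "trusted interface: exempt from inspection"
    entry = cache.get(IPv6Address(pkt.src_ip))   # normalises textual address forms
    if entry is None:
        return cfg.unknown_action, "no static entry for this IP"
    if entry.mac.lower() == pkt.src_mac.lower() and entry.interface == pkt.ingress:
        return "forward", "IP, MAC and interface match the static entry"
    return "drop", "entry exists but MAC or interface differs (spoofing suspected)"


# Constructed cache: one host bound to ethernet0/1.
ND_CACHE = {
    IPv6Address("2001:db8::10"): StaticEntry("ethernet0/1", "00:11:22:33:44:55"),
}
CFG_DROP = InspectionConfig("drop", frozenset({"ethernet0/8"}))
CFG_FORWARD = InspectionConfig("forward", frozenset())


def run_samples() -> Dict[str, str]:
    """Verdicts for a few constructed packets, keyed by a short label."""
    samples = {
        "genuine":   (NdpPacket("2001:DB8:0:0::10", "00:11:22:33:44:55", "ethernet0/1"), CFG_DROP),
        "bad_mac":   (NdpPacket("2001:db8::10", "66:77:88:99:aa:bb", "ethernet0/1"), CFG_DROP),
        "bad_port":  (NdpPacket("2001:db8::10", "00:11:22:33:44:55", "ethernet0/2"), CFG_DROP),
        "unknown_d": (NdpPacket("2001:db8::99", "de:ad:be:ef:00:01", "ethernet0/1"), CFG_DROP),
        "unknown_f": (NdpPacket("2001:db8::99", "de:ad:be:ef:00:01", "ethernet0/1"), CFG_FORWARD),
        "trusted":   (NdpPacket("2001:db8::10", "66:77:88:99:aa:bb", "ethernet0/8"), CFG_DROP),
    }
    return {label: inspect(pkt, ND_CACHE, cfg)[0] for label, (pkt, cfg) in samples.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:10s} -> {verdict}")
```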

Denying RA Packets

To prevent interfaces from sending RA packets arbitrarily, you can deny RA packets on specific interfaces (physical interfaces only). This measure protects against RA attacks and effectively improves LAN security. To deny RA packets on an interface, in the interface configuration mode, use the following command:
ipv6 nd-inspection deny-ra
To cancel the above restriction, in the interface configuration mode, use the following command:
no ipv6 nd-inspection deny-ra

Configuring an NDP Packet Rate Limit

To configure an NDP packet rate limit, in the interface (physical interface only) configuration mode, use the following command:
ipv6 nd-inspection rate-limit number

• number – Specifies the number of NDP packets allowed per second. If the number of NDP packets received per second exceeds this value, the system drops the excess NDP packets. The value range is 0 to 10000. The default value is 0, i.e., no rate limit.

To cancel the specified rate limit, in the interface configuration mode, use the following command:
no ipv6 nd-inspection rate-limit

Viewing NDP Inspection Configuration

To view the NDP inspection configuration, in any mode, use the following command:
show ipv6 nd-inspection configuration

Configuring NDP Spoofing Defense


NDP spoofing defense is designed to protect the Intranet from NDP spoofing attacks. To configure NDP spoofing defense, in the security zone configuration mode, use the following command:
ad ipv6 nd-spoofing {reverse-query | ip-number-per-mac number [action [drop | alarm]] | unsolicited-na-send-rate number}

• reverse-query – Enables reverse query. When the system receives an NDP request, it logs the IP address and replies with another NDP request; the system then checks whether any packet with a different MAC address is returned, or whether the MAC address of the returned packet is the same as that of the NDP request packet. To disable the function, use the command no ad ipv6 nd-spoofing reverse-query.

• ip-number-per-mac number – Specifies whether to check the number of IP addresses per MAC address in the NDP table. If the parameter is set to 0 (the default value), the system does not check the IP number; if set to a value other than 0, the system checks the IP number, and if the IP number per MAC is larger than the parameter value, the system takes the action specified by action [drop | alarm]. The available actions are drop (give an alarm and drop the ARP packets) and alarm (give an alarm but still allow the packets to pass through). The value range is 0 to 1024. To restore the default value, use the command no ad ipv6 nd-spoofing ip-number-per-mac.

• unsolicited-na-send-rate number – Specifies whether to send gratuitous NA packets. If the parameter is set to 0 (the default value), the system does not send any gratuitous NA packet; if set to a value other than 0, the system sends gratuitous NA packets, and the number sent per second is the specified parameter value. The value range is 0 to 10. To restore the default value, use the command no ad ipv6 nd-spoofing unsolicited-na-send-rate.

Viewing NDP Spoofing Statistics

After configuring NDP spoofing defense, to view attack statistics, use the following command:
show ipv6 nd-spoofing-statistics

NDP Spoofing Prevention


With NDP learning, NDP inspection and NDP spoofing defense configured, StoneOS can defend against NDP attacks effectively. The system also keeps statistics on NDP spoofing attacks. To view NDP spoofing attack statistics, in any mode, use the following command:
show ipv6 nd-spoofing-statistics [number]

• number – Shows the top number records of the statistics.

To clear NDP spoofing attack statistics, in any mode, use the following command:
clear ipv6 nd-spoofing-statistics

Attack Defense
The system supports the IPv6 attack defense functions listed in the table below. For more details and configuration, see "Attack Defense" in "Threat Prevention".

Attack defense                Configuration (in the security zone configuration mode)
Huge ICMP packet defense      ad huge-icmp-pak [threshold number | action {alarm | drop}]
IP sweeping defense           ad ip-sweep [threshold value | action {alarm | drop}]
L3 IP spoofing defense        ad ip-spoofing
ICMP Flood defense            ad icmp-flood [threshold number | action {alarm | drop}]
UDP Flood defense             ad udp-flood [threshold number | action {alarm | drop}]
SYN Flood defense             ad syn-flood [source-threshold number | destination-threshold number | action {alarm | drop} | destination [ip-based | port-based [address-book address-book-name | ip-address/netmask]]]
SYN-Proxy / SYN-Cookie        ad syn-proxy [min-proxy-rate number | max-proxy-rate number | proxy-timeout number | cookie]
Teardrop defense              ad tear-drop
IP fragment defense           ad ip-fragment [action {alarm | drop}]
Ping of Death defense         ad ping-of-death
Port scan defense             ad port-scan [threshold value | action {alarm | drop}]
TCP anomaly defense           ad tcp-anomaly [action {alarm | drop}]
TCP Split Handshake defense   ad tcp-split-handshake [action {alarm | drop}]
IP Option defense             ad ip-option [action {alarm | drop}]
DNS Query Flood defense       ad dns-query-flood [recursion] [source-threshold number] [destination-threshold number | action {alarm | drop}]
DNS Reply Flood defense       ad dns-reply-flood [source-threshold number] [destination-threshold number | action {alarm | drop}]
Land attack defense           ad land-attack [action {alarm | drop}]

Configuring an IPv6 6to4 Tunnel


At the time of writing, IPv4 networks are still the mainstream, while IPv6 networks are comparatively isolated. Tunnel techniques are designed for communication between isolated IPv6 networks across IPv4 networks. StoneOS supports processing of IPv6 packets and inter-communication between IPv4 and IPv6 via tunnels. The current version supports manual and automatic 6to4 tunnels.

• Manual 6to4 tunnel: Provides a one-to-one connection. The end point of the tunnel is configured manually.

• Automatic 6to4 tunnel: An automatic one-to-many tunnel used to connect multiple isolated IPv6 networks across IPv4 networks. Hillstone devices can be used either as 6to4 routers or as 6to4 relay routers, depending on the network environment.

The configuration of a 6to4 tunnel includes:

• Creating a tunnel

• Specifying an egress interface

• Specifying a destination address for the manual tunnel

• Specifying the IPv6 6to4 subtunnel limit

• Binding a tunnel to the tunnel interface

Creating a Tunnel
To create an IPv6 6to4 tunnel, in the global configuration mode, use the following command:
tunnel ip6in4 tunnel-name {manual | 6to4}

• tunnel-name – Specifies the name of the IPv6 6to4 tunnel.

• manual | 6to4 – Specifies the tunnel type, which can be a manual 6to4 tunnel (manual) or an automatic 6to4 tunnel (6to4).

After executing the above command, the system creates an IPv6 6to4 tunnel with the specified name and enters the tunnel configuration mode; if the specified name already exists, the system directly enters the tunnel configuration mode.
To delete the specified IPv6 6to4 tunnel, in the global configuration mode, use the following command:
no tunnel ip6in4 tunnel-name {manual | 6to4}

Specifying an Egress Interface


To specify an egress interface for the tunnel, in the tunnel configuration mode, use the following
command:
interface interface-name

• interface-name – Specifies the name of the egress interface, which can be a physical interface or a logical interface (except a tunnel interface).

To cancel the specified egress interface, in the tunnel configuration mode, use the following command:
no interface



Specifying a Destination Address for the Manual Tunnel
The destination address of an automatic 6to4 tunnel is obtained automatically from the IPv4 address embedded in the compatible IPv6 address, so you do not need to specify a destination for an automatic 6to4 tunnel. To specify a destination address for a manual IPv6 6to4 tunnel, in the tunnel configuration mode, use the following command:
destination ipv4-address

• ipv4-address – Specifies the destination address (must be an IPv4 address) of the manual tunnel.

To cancel the specified destination address, in the tunnel configuration mode, use the following
command:
no destination

Specifying IPv6 6to4 Subtunnel Limit


The maximum numbers of manual 6to4 tunnels and automatic 6to4 tunnels, and the maximum number of 6to4 tunnels per interface, depend on the device model. Each tunnel can have a maximum of 1200 sub-tunnels. To specify the subtunnel limit of a 6to4 tunnel, in the tunnel configuration mode, use the following command:
subtunnel-limit maximum

• maximum – Specifies the maximum number of subtunnels of the 6to4 tunnel. The range is 1 to 1200, and the default value is 200.

In the tunnel configuration mode, use the following command to restore the default value:
no subtunnel-limit

Binding a Tunnel to the Tunnel Interface


To bind an IPv6 6to4 tunnel to the tunnel interface, in the tunnel interface configuration mode (to enter it, in the global configuration mode, use the command interface tunnelX), use the following command:
tunnel ip6in4 ipv6-tunnel-name

• ipv6-tunnel-name – Specifies the name of the IPv6 6to4 tunnel.

To cancel the binding between the IPv6 6to4 tunnel and the tunnel interface, in the tunnel interface configuration mode, use the following command:
no tunnel ip6in4 ipv6-tunnel-name

Viewing IPv6 6to4 Tunnel Configuration


To view IPv6 6to4 tunnel configuration, in any mode, use the following command:
show ip6in4 {manual-tunnel | 6to4-tunnel}

Configuring an IPv6 4to6 Tunnel


At the time of writing, IPv4 networks are still the mainstream, while the deployment of IPv6 networks keeps growing. To address the problems caused by wide deployment of IPv6 networks, StoneOS supports the IPv6 4to6 tunnel technique, which enables communication between isolated IPv4 networks across IPv6 networks.
The current version only supports manual 4to6 tunnels. A manual 4to6 tunnel provides a one-to-one connection; its end point is configured manually.
The configuration of a manual 4to6 tunnel includes:

• Creating a tunnel

• Specifying a source address/interface for the tunnel

• Specifying a destination address for the tunnel

• Binding a tunnel to the tunnel interface

Creating a Tunnel
To create an IPv6 4to6 tunnel, in the global configuration mode, use the following command:
tunnel ip4in6 tunnel-name manual

• tunnel-name – Specifies the name of the IPv6 4to6 tunnel.



After executing the above command, the system creates an IPv6 4to6 tunnel with the specified name and enters the tunnel configuration mode; if the specified name already exists, the system directly enters the tunnel configuration mode.
To delete the specified IPv6 4to6 tunnel, in the global configuration mode, use the following command:
no tunnel ip4in6 tunnel-name manual

Specifying the Source Address/Interface


To specify the egress interface and source address of an IPv6 4to6 tunnel, in the tunnel configuration mode, use the following command:
interface interface-name source ipv6-address

• interface-name – Specifies the egress interface of the tunnel.

• ipv6-address – Specifies the source address of the IPv6 4to6 tunnel. This address must be an IPv6 address.

In the tunnel configuration mode, use the following command to delete the egress interface and source address:
no interface

Specifying a Destination Address for the Tunnel


To specify a destination address for the IPv6 4to6 tunnel, in the tunnel configuration mode, use the following command:
destination ipv6-address

• ipv6-address – Specifies the destination address (must be an IPv6 address) of the IPv6 4to6 tunnel.

To cancel the specified destination address, in the tunnel configuration mode, use the following command:
no destination



Binding a Tunnel to the Tunnel Interface
To bind an IPv6 4to6 tunnel to the tunnel interface, in the tunnel interface configuration mode (to enter it, in the global configuration mode, use the command interface tunnelX), use the following command:
tunnel ip4in6 tunnel-name

• tunnel-name – Specifies the name of the IPv6 4to6 tunnel.

To cancel the binding between the IPv6 4to6 tunnel and the tunnel interface, in the tunnel interface configuration mode, use the following command:
no tunnel ip4in6 tunnel-name

Viewing IPv6 4to6 Tunnel Configuration


To view IPv6 4to6 tunnel configuration, in any mode, use the following command:
show ip4in6 manual-tunnel



Configuring an ISATAP Tunnel
ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an automatic point-to-multipoint IPv6 tunnel technology. It is mainly used by dual-stack hosts in IPv4 networks to access IPv6 networks. With this technology, a dual-stack host obtains the tunnel endpoint automatically from the IPv4 address embedded in the destination address of the IPv6 packets.
When an ISATAP tunnel is built, both the destination address of the IPv6 packets and the IPv6 address of the tunnel interface must be special ISATAP addresses. An ISATAP address consists of an IPv6 prefix and an ISATAP interface identifier. The format of the ISATAP address is as follows:

• If the IPv4 address is globally unique, the u bit is 1; otherwise, it is 0.

• The g bit indicates an IEEE (Institute of Electrical and Electronics Engineers) group or individual ID, and is always 0.

For example, if the IPv6 prefix is 2001:DB8:1234:5678::/64 and the IPv4 address to be embedded is 10.173.129.8, which is 0AAD:8108 in hexadecimal, the ISATAP address is 2001:DB8:1234:5678:0000:5EFE:0AAD:8108.
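The ISATAP address construction above, together with the derivation of an automatic 6to4 tunnel's endpoint from the IPv4 address embedded in a 2002::/16 address (see Configuring an IPv6 6to4 Tunnel), as an added Python example that is not StoneOS code; the prefix/IPv4 pair is the page's own and the other addresses are constructed.

```python
"""ISATAP address construction and 6to4 endpoint extraction (added example;
not StoneOS code). The u bit rule and the 5EFE identifier follow the text
above; the sample prefix and 10.173.129.8 are the page's own example, the
remaining addresses are constructed.
"""
from ipaddress import IPv4Address, IPv6Address, IPv6Network


def isatap_address(prefix: str, ipv4: str) -> IPv6Address:
    """Build <prefix>:<u>000:5EFE:<ipv4> for a /64 prefix.

    The interface identifier is 0000:5EFE:wwxx:yyzz; the u bit (0x02 in its
    first byte) is set only when the embedded IPv4 address is globally unique.
    """
    net = IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a /64 prefix")
    v4 = IPv4Address(ipv4)
    u_byte = 0x02 if v4.is_global else 0x00   # 10/8 is private, so u = 0
    iid = (u_byte << 56) | (0x5EFE << 32) | int(v4)
    return IPv6Address(int(net.network_address) | iid)


def sixto4_endpoint(ipv6: str) -> IPv4Address:
    """IPv4 tunnel endpoint embedded in a 2002::/16 (automatic 6to4) address."""
    packed = IPv6Address(ipv6).packed
    if packed[:2] != b"\x20\x02":
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return IPv4Address(packed[2:6])


if __name__ == "__main__":
    print(isatap_address("2001:DB8:1234:5678::/64", "10.173.129.8").exploded)
    print(sixto4_endpoint("2002:c000:0204::1"))
```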
The configuration of ISATAP tunnel includes:

• Creating an ISATAP tunnel

• Specifying the ISATAP subtunnel limit

• Specifying an egress interface of the ISATAP tunnel

• Binding an ISATAP tunnel to the tunnel interface



Creating an ISATAP Tunnel
To create an ISATAP tunnel, in the global configuration mode, use the following command. After the command is executed, the system creates an ISATAP tunnel with the specified name and enters the ISATAP tunnel configuration mode; if the specified name already exists, the system directly enters the ISATAP tunnel configuration mode.
tunnel ip6in4 tunnel-name isatap

• tunnel-name – Specifies the name of the ISATAP tunnel.

• isatap – Specifies the tunnel type as ISATAP tunnel.

To delete the specified ISATAP tunnel, in the global configuration mode, use the following command:
no tunnel ip6in4 tunnel-name isatap

Specifying ISATAP Subtunnel Limit


At most 10 ISATAP tunnels can be built in the system, and each interface can have only one ISATAP tunnel. Each tunnel can have a maximum of 1200 sub-tunnels. To specify the number of subtunnels of an ISATAP tunnel, in the ISATAP tunnel configuration mode, use the following command:
subtunnel-limit maximum

• maximum – Specifies the maximum number of subtunnels of the ISATAP tunnel. The range is 1 to 1200, and the default value is 200.

In the ISATAP tunnel configuration mode, use the following command to restore the default number of subtunnels:
no subtunnel-limit

Specifying an Egress Interface of ISATAP Tunnel


To specify an egress interface for the ISATAP tunnel, in the ISATAP tunnel configuration mode, use the following command:
interface interface-name

• interface-name – Specifies the name of the egress interface, which can be a physical interface or a logical interface (except a tunnel interface).

To cancel the specified egress interface, in the ISATAP tunnel configuration mode, use the following command:
no interface

Binding an ISATAP Tunnel to the Tunnel Interface


To bind an ISATAP tunnel to the tunnel interface, in the tunnel interface configuration mode (use the command interface tunnelX in the global configuration mode to enter it), use the following command:
tunnel ip6in4 ipv6-tunnel-name

• ipv6-tunnel-name – Specifies the name of the ISATAP tunnel.

To cancel the binding between the ISATAP tunnel and the tunnel interface, in the tunnel interface configuration mode, use the following command:
no tunnel ip6in4 ipv6-tunnel-name

Viewing ISATAP Tunnel Configuration


To view the ISATAP tunnel configuration, in any mode, use the following command:
show ip6in4 isatap-tunnel

Configuring DS-lite
StoneOS supports DS-lite technology. DS-lite combines an IPv4-in-IPv6 tunnel with NAT. The IPv4 client uses the B4 (Basic Bridging BroadBand) device and the AFTR (Address Family Transition Router) device to create a tunnel across the IPv6 network, and then uses this tunnel to communicate with resources in the IPv4 network. At the end of this tunnel, the AFTR device uses NAT to translate the private IPv4 address.



A Hillstone device can act as the AFTR device to support DS-lite and NAT. Configuring DS-lite includes the following sections:

• Creating a DS-lite tunnel

• Specifying an interface and IP address for the DS-lite tunnel

• Specifying the maximum number of sub tunnels

When using DS-lite, you must also configure the corresponding NAT settings.

Creating a DS-lite Tunnel


Each device can have at most 10 DS-lite tunnels. To create a DS-lite tunnel, use the following
command in the global configuration mode. After executing this command, StoneOS creates the
DS-lite tunnel and enters the DS-lite tunnel configuration mode. If the name already exists,
StoneOS will enter the DS-lite tunnel configuration mode directly.
tunnel ip4in6 tunnel-name ds-lite

l tunnel-name – Enter the name of the DS-lite tunnel.

To delete a tunnel, use the following command in the global configuration mode:
no tunnel ip4in6 tunnel-name ds-lite

Specifying an Interface and IP Address for the DS-lite Tunnel


To specify an interface and IP address for the DS-lite tunnel, use the following command in the
DS-lite tunnel configuration mode:
interface interface-name src-ip X:X:X:X::X

l interface-name - Specify the egress interface for the DS-lite.

l X:X:X:X::X – Specify the IPv6 address owned by this egress interface.

To cancel the above settings, use the no interface command in the DS-lite tunnel configuration
mode.

Specifying the Maximum Number of Sub Tunnels
When a B4 device accesses the DS-lite tunnel, AFTR will dynamically create a sub tunnel. To spe-
cify the maximum number of sub tunnels, use the following command in the DS-lite tunnel con-
figuration mode:
subtunnel-limit value

l value – Specify the maximum number of sub tunnels that AFTR can create. The default
value is 200. The value ranges from 1 to 1200.

Use the no form to restore the value to the default one.

Viewing DS-lite Tunnel Information


To view the configuration information of the DS-lite tunnel, use the following command in any
mode:
show ip4in6 ds-lite-tunnel

Configuring NAT-PT
IPv6 can solve the problem of increasingly exhausted IP addresses, and will replace IPv4 to
become the core of next generation Internet. However, it’s not possible to upgrade the existing
IPv4 networks to IPv6 networks overnight; for quite a long time, IPv6 and IPv4 networks will
co-exist and communicate with each other.
NAT-PT (Network Address Translation - Protocol Translation) is a transitional mechanism that is
designed for the inter-communication between pure IPv6 and IPv4 networks. NAT-PT adopts
NAT for the translation between IPv4 and IPv6 addresses, and adopts PT for the translation of
protocols (including network layer protocols, transport layer protocols and application layer pro-
tocols) on the basis of semantically equivalent rules. Powered by NAT-PT, you can implement
the inter-communication between IPv6 and IPv4 networks without any change to the existing
IPv4 networks. Figure below shows an illustration of intercommunication between a pure IPv6
and IPv4 network via a Hillstone device with NAT-PT enabled.

Notes: NAT-PT on the current firmware version supports translation of IP, TCP,
UDP and ICMP protocols, and supports FTP-ALG, TFTP-ALG and HTTP-ALG
controls.

Configuring a NAT-PT Rule


NAT-PT rules are created based on VRouters. You can create, move and delete SNAT/DNAT
rules in the VRouter configuration mode.
To enter the VRouter configuration mode, in the global configuration mode, use the following
command:
ip vrouter vrouter-name

l vrouter-name – Specifies the name of VRouter.

Creating an SNAT Rule

SNAT rules are used to specify whether to implement NAT-PT on the source IPv6/IPv4 address
of the matched traffic. If NAT-PT is implemented, you also need to specify the translated IP
address and translation mode. To configure an SNAT rule for NAT-PT, in the VRouter con-
figuration mode, use the following command:
snatrule [id id] [before id | after id | top] from src-address to dst-address [eif egress-interface |
evr vrouter-name] trans-to {addressbook trans-to-address | eif-ip | eif-ipv6} mode {static |
dynamicip | dynamicport [sticky] [fixed-block start start-port end end-port size port-block-size]}
[log] [group group-id] [description description]

l id id – Specifies the ID of the SNAT rule. Each SNAT rule has a unique ID. If the ID is not
specified, the system will automatically assign one. If the specified SNAT ID exists, the ori-
ginal rule will be overwritten.

l before id | after id | top – Specifies the position of the rule. The position can be before id,
after id, top. If the position is not specified, the rule would be located at the end of all the
SNAT rules. By default, the newly-created SNAT rule is located at the end of all the rules.

l from src-address to dst-address [eif egress-interface | evr vrouter-name] – Specifies the
conditions that the traffic should match. The conditions include:

l from src-address - Specifies the source IP address of the traffic. src-address should be
an IPv4 address, IPv6 address or an address entry in the address book.

l to dst-address - Specifies the destination IP address of the traffic. dst-address should be
an IPv4 address, IPv6 address or an address entry in the address book.

l eif egress-interface | evr vrouter-name - Specifies the egress interface (eif egress-inter-
face) or the next-hop VRouter (evr vrouter-name) of the traffic.

l addressbook trans-to-address | eif-ip | eif-ipv6 – Specifies the translated IP address. It can
be an IPv4 or IPv6 address, an address entry in the address book, the IP address of the egress
interface (eif-ip), or the IPv6 address of the egress interface (eif-ipv6). When you configure
NAT46, eif-ip is not supported; when you configure NAT64, eif-ipv6 is not supported.

l mode {static | dynamicip | dynamicport [sticky] [fixed-block start start-port end end-port
size port-block-size] } – Specifies the translation mode. StoneOS supports three modes for
the translation between IPv4 and IPv6 addresses: static, dynamicip and dynamicport. For
more details, see the table below:

l static - Static mode means one-to-one translation. This mode requires that the translated
address entry (trans-to-address) contains the same number of IP addresses as the source
address entry (src-address).

l dynamicip - Dynamic IP mode means many-to-many translation. This mode translates
the source address to a specific IP address. Each source address is mapped to a unique
IP address, until all specified addresses are occupied.

l dynamicport - Namely NAPT-PT (Network Address Port Translation - Protocol Translation).
Multiple source addresses are translated to one specified IP address in an address entry. If
sticky is not enabled, the system selects an IP address in the address entry; when the port
resources of the first address are exhausted, the second address is used. If sticky is enabled,
all sessions from one IP address are mapped to the same fixed IP address. When configuring
the SNAT rule of NAT64, you can specify the static port block mapping mode with [fixed-block
start start-port end end-port size port-block-size]. In static port block mapping mode, each
source IP address corresponds to a fixed port block of the mapped IP address. start start-port
end end-port specifies the start port and end port of the available port range; the value range
is 1024 to 65535. size port-block-size specifies the size of the port block; the value range is
64 to 64512, and the value must be an integer multiple of 64.

l log – Enables the log function for this SNAT rule (Generating a log when the traffic is
matched to this NAT rule).

l group group-id - Specifies the HA group the SNAT rule belongs to. If the parameter is not
specified, the SNAT rule being created will belong to HA group0.

For example, the following command configures interface-based NAT for ethernet0/0 in the
untrust zone:

hostname(config-vrouter)# snatrule from ipv6-any to ipv6-any eif ethernet0/0 trans-to eif-ip mode dynamicport
rule id=1
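
The static port block mapping described under dynamicport above can be checked offline before a rule goes live. The following Python model is an added example written for this guide's reader; it is not StoneOS code, and the order in which blocks are handed out (filling the first mapped address before moving to the next) is an assumption, since the guide does not state how the device picks blocks. The mapped IPv4 addresses and IPv6 sources are constructed sample values. The model validates a fixed-block configuration against the limits stated above, computes how many sources one rule can serve, and answers the question a log reviewer asks of a translated address and port: which IPv6 source produced it.

```python
import ipaddress

# Limits stated in the guide for the fixed-block option of dynamicport.
PORT_MIN, PORT_MAX = 1024, 65535
BLOCK_MIN, BLOCK_MAX, BLOCK_STEP = 64, 64512, 64


def validate_fixed_block(start_port: int, end_port: int, block_size: int) -> int:
    """Check a fixed-block configuration against the documented limits and return
    the number of complete port blocks one mapped IPv4 address provides."""
    if not (PORT_MIN <= start_port <= end_port <= PORT_MAX):
        raise ValueError(f"port range must lie within {PORT_MIN}-{PORT_MAX}")
    if not (BLOCK_MIN <= block_size <= BLOCK_MAX) or block_size % BLOCK_STEP:
        raise ValueError(f"block size must be {BLOCK_MIN}-{BLOCK_MAX} and a multiple of {BLOCK_STEP}")
    blocks = (end_port - start_port + 1) // block_size
    if blocks == 0:
        raise ValueError("port range is smaller than a single block")
    return blocks


def is_valid_fixed_block(start_port: int, end_port: int, block_size: int) -> bool:
    """Boolean form of validate_fixed_block for quick checks."""
    try:
        validate_fixed_block(start_port, end_port, block_size)
        return True
    except ValueError:
        return False


class FixedBlockMapper:
    """Model of 'each source IP address corresponds to a fixed port block of the
    mapped IP'. Assumption for illustration: blocks are handed out in order,
    exhausting the first mapped address before moving to the next; the guide does
    not state how StoneOS selects blocks."""

    def __init__(self, mapped_ips, start_port: int, end_port: int, block_size: int):
        self.blocks_per_ip = validate_fixed_block(start_port, end_port, block_size)
        self.mapped_ips = [str(ipaddress.IPv4Address(ip)) for ip in mapped_ips]
        self.start_port = start_port
        self.block_size = block_size
        self.by_source = {}   # IPv6 source -> (mapped IPv4, first port, last port)
        self.by_block = {}    # (mapped IPv4, block index) -> IPv6 source

    def capacity(self) -> int:
        """Number of IPv6 sources the rule can translate at the same time."""
        return self.blocks_per_ip * len(self.mapped_ips)

    def assign(self, source_ip: str) -> tuple:
        """Return the (mapped IPv4, first port, last port) block owned by source_ip,
        allocating the next free block when the source is first seen."""
        source_ip = str(ipaddress.IPv6Address(source_ip))
        if source_ip in self.by_source:
            return self.by_source[source_ip]
        index = len(self.by_source)
        if index >= self.capacity():
            raise RuntimeError("all port blocks in use; further sources cannot be translated")
        mapped = self.mapped_ips[index // self.blocks_per_ip]
        block = index % self.blocks_per_ip
        first = self.start_port + block * self.block_size
        entry = (mapped, first, first + self.block_size - 1)
        self.by_source[source_ip] = entry
        self.by_block[(mapped, block)] = source_ip
        return entry

    def attribute(self, mapped_ip: str, port: int):
        """Reverse lookup for log review: which IPv6 source owns this translated
        (IPv4, port) pair? None if the port is outside the range or unassigned."""
        mapped_ip = str(ipaddress.IPv4Address(mapped_ip))
        offset = port - self.start_port
        if offset < 0:
            return None
        block = offset // self.block_size
        if block >= self.blocks_per_ip:
            return None
        return self.by_block.get((mapped_ip, block))


if __name__ == "__main__":
    # Constructed sample values: two mapped IPv4 addresses, 1024-port blocks.
    mapper = FixedBlockMapper(["203.0.113.10", "203.0.113.11"], 1024, 65535, 1024)
    print("sources per rule:", mapper.capacity())
    for src in ("2001:db8::1", "2001:db8::2"):
        print(src, "->", mapper.assign(src))
    print("203.0.113.10:2100 belongs to", mapper.attribute("203.0.113.10", 2100))
```

Because each source owns one block, a log entry that records only the translated IPv4 address and port is enough to attribute a session to its IPv6 source; that is the practical reason to prefer fixed-block over a plain dynamicport pool. The cost is that capacity is fixed at (port range / block size) sources per mapped address, so size the address pool before enabling it.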

To configure an SNAT rule that disables NAT-PT, in the VRouter configuration mode, use the
following command:
snatrule [id id] [before id | after id | top] from src-address to dst-address [eif egress-interface |
evr vrouter-name] no-trans [group group-id]

Moving an SNAT Rule

Each SNAT rule is labeled with a unique ID. When traffic flows into the Hillstone device, the
device will query for SNAT rules in the list by turns, and then implement NAT-PT on the source
IP of the traffic according to the first matched rule. However, the rule ID is not related to the
matching sequence during the query. The sequence displayed by the command show snat is the
query sequence for the matching. You can move an SNAT rule to modify the matching sequence.
To move an SNAT rule, in the VRouter configuration mode, use the following command:
snatrule move id {before id | after id| top | bottom}

l id – Specifies the ID of the SNAT rule that will be moved.

l before id – Moves the SNAT rule before the specified ID.

l after id – Moves the SNAT rule after the specified ID.

l top – Moves the SNAT rule to the top of the SNAT rule list.

l bottom – Moves the SNAT rule to the bottom of the SNAT rule list.

Deleting an SNAT Rule

To delete the SNAT rule with the specified ID, in the VRouter configuration mode, use the fol-
lowing command:
no snatrule id id

Viewing SNAT Configuration Information

To view the SNAT configuration information, in any mode, use the following command:
show snat [id id] [vrouter vrouter-name]

l id id – Shows the SNAT rule information of the specified ID.

l vrouter vrouter-name – Shows the SNAT configuration information of the specified
VRouter.

When the SNAT translation mode is set to dynamicport, to view the usage of port resources in
the source address pool, in any mode, use the following command:
show snat resource [vrouter vrouter-name]

l vrouter vrouter-name – Shows the port usage of SNAT source address pool of the specified
VRouter.

Creating a DNAT Rule

DNAT rules are used to specify whether to implement NAT-PT on the destination IPv6/IPv4
address of the matched traffic. To configure a DNAT rule for NAT-PT, in the VRouter con-
figuration mode, use the following command:
dnatrule [id id] [before id | after id | top] from src-address to dst-address [service service-name]
trans-to trans-to-address [port port] [load-balance] [track-tcp port] [track-ping] [log] [group group-
id] [description description]

l id id – Specifies the ID of the DNAT rule. Each DNAT rule has a unique ID. If the ID is
not specified, the system will automatically assign one. If the specified DNAT ID exists, the
original rule will be overwritten.

l before id | after id | top – Specifies the position of the rule. The position can be top, before
id or after id. If the position is not specified, the rule would be located at the end of all the
DNAT rules. By default, the newly-created DNAT rule is located at the end of all the rules.
When traffic flows into the Hillstone device, the device will query for DNAT rules in the list
by turns, and then implement NAT on the destination IP of the traffic according to the first
matched rule.

l from src-address to dst-address [service service-name] – Specifies conditions of the rule that
the traffic should be matched. The conditions are:

l from src-address – Specifies the source IP address of the traffic. src-address should be
an IPv4 or IPv6 address, or an address entry in the address book.

l to dst-address – Specifies the destination IP address of the traffic. dst-address should
be an IPv4 or IPv6 address, or an address entry in the address book.

l service service-name – Specifies the service type of the traffic. If the port number
needs to be translated together (specified by port port), the specified service can only
be configured with one protocol and one port. For example, the TCP port number can
be 80, but cannot be 80 to 100.

l trans-to trans-to-address – Specifies the translated IP address. trans-to-address should be an
IPv4 or IPv6 address, or an address entry in the address book. The number of translated
IP addresses must be the same as that of the destination IP addresses of the traffic (specified by to
dst-address).

l port port – Specifies port number of the internal network server.

l load-balance – Enables load balancing for this DNAT rule, i.e., balances the traffic to dif-
ferent servers in the internal network.

l track-tcp port – If this parameter is configured and the port number of the internal network
server is specified, the system will send TCP packets to the internal network server to mon-
itor if the specified TCP port is reachable.

l track-ping – If this parameter is configured, the system will send ping packets to the internal
network server to monitor if the server is reachable.

l log – Enables the log function for this DNAT rule (Generating a log when the traffic is
matched to this DNAT rule).

l group group-id - Specifies the HA group that the DNAT rule belongs to. If the parameter is
not specified, the DNAT rule being created will belong to HA group0.

For example, the following command will translate the IP address of the request from addr1 to
the IP address of addr2, but will not translate the port number:

hostname(config-vrouter)# dnatrule from ipv6-any to addr1 service any trans-to addr2
rule id=1

To configure a DNAT rule that disables NAT-PT, in the VRouter configuration mode, use the fol-
lowing command:
dnatrule [id id] [before id | after id | top] from src-address to dst-address [service service-name]
no-trans [group group-id]

Moving a DNAT Rule

Each DNAT rule is labeled with a unique ID. When traffic flows into the Hillstone device, the
device will query the DNAT rules in turn, and then implement NAT on the destination IP of the
traffic according to the first matched rule. However, the rule ID is not related to the matching
sequence during the query. The sequence displayed by the command show dnat is the query
sequence for the matching. You can move a DNAT rule to modify the matching sequence. To
move a DNAT rule, in the VRouter configuration mode, use the following command:
dnatrule move id {before id | after id| top | bottom}

l id – Specifies the ID of the DNAT rule that will be moved.

l before id – Moves the DNAT rule before the specified ID.

l after id – Moves the DNAT rule after the specified ID.

l top – Moves the DNAT rule to the top of the DNAT rule list.

l bottom – Moves the DNAT rule to the bottom of the DNAT rule list.

Deleting a DNAT Rule

To delete the DNAT rule with the specified ID, in the VRouter configuration mode, use the fol-
lowing command:
no dnatrule id id

Viewing DNAT Configuration Information

To view the DNAT configuration information, in any mode, use the following command:
show dnat [id id] [vrouter vrouter-name]

l id id – Shows the DNAT rule information of the specified ID.

l vrouter vrouter-name – Shows the DNAT configuration information of the specified
VRouter.

To show the information of the DNAT rule with load balancing configured, in any mode, use the
following command:
show dnat server [ip-address] [vrouter vrouter-name] [tcp-port port] [ping]

l ip-address – Shows status of the internal network server of the specified IP address.

l vrouter vrouter-name – Shows status of the internal network server of the specified
VRouter.

l tcp-port port – Shows status of the internal network server of the specified port number.

l ping – Shows ping monitor status of the internal network server.

Configuring DNS64 and NAT64


DNS64 and NAT64 are transitional mechanisms for the intercommunication between IPv6-only
and IPv4-only networks. These mechanisms are designed to support IPv6 clients’ request for
network resources on IPv4 servers, and addresses most of the deficiencies of NAT-PT in the
intercommunication between IPv6 and IPv4 networks.
When the device receives a DNS query from an IPv6 client, DNS64 first resolves the AAAA
record (IPv6 address) for the queried name. If the resolution succeeds, the IPv6 address is
returned directly to the client. If it fails, DNS64 resolves the A record (IPv4 address) instead,
synthesizes an AAAA record (IPv6 address) from that A record, and returns it to the client.
NAT64 works together with DNS64 and is mainly used for address translation from IPv6 to IPv4.
During source address translation, NAT64 translates source IPv6 addresses to source IPv4
addresses taken from the IPv4 address pool; during destination address translation, NAT64 directly
extracts the destination IPv4 address from the IPv6 address returned by DNS64.
DNS64 and NAT64 on Hillstone devices are implemented by combining IPv6 DNS proxy rules
with the DNS64 function and NAT64 rules. NAT64 rules include SNAT and DNAT rules. The
configuration of SNAT rules is the same as that of SNAT rules in NAT-PT. For more
information, see “Creating an SNAT Rule” of “Firewall”.

Enabling/Disabling DNS64
After configuring the IPv6 DNS proxy rules, you can enable or disable the DNS64. By default,
the DNS64 function is disabled. In DNS proxy rule configuration mode, use the following com-
mand:

l Enable: dns64 enable (After executing this command, system will enter the DNS64 con-
figuration mode.)

l Disable: no dns64 enable

Notes: The DNS64 function is only supported in IPv6 DNS proxy rules and is not
supported in IPv4 DNS proxy rules.

Configuring DNS64 Server


The DNS64 server is used to resolve the A record (IPv4 address) in the DNS query information.
Each IPv6 DNS proxy rule can specify up to 6 DNS64 servers. To configure the DNS64 server,
in the DNS64 configuration mode, use the following command:
server server-ip [vrouter vrouter-name]

l server-ip – Specifies the IP address of the DNS64 server. This IP address can only be an IPv4
address.

l vrouter vrouter-name – Specifies a VRouter for the DNS64 server.

To delete the DNS64 server, in the DNS64 configuration mode, use the command no
server server-ip [vrouter vrouter-name].

Configuring DNS64 Prefix


You need to specify the DNS64 prefix to synthesize the A record (IPv4 address) into an AAAA
record (IPv6 address). The synthesized IPv6 address is in the form of "DNS64 prefix + IPv4
address". By default, the DNS64 prefix is "64:ff9b::/96". To specify the DNS64 prefix and prefix
length, in the DNS64 configuration mode, use the following command:
prefix ipv6-address/Mask

l ipv6-address – Specifies the DNS64 prefix address.

l Mask – Specifies the prefix length. The range is 1 to 96.

To delete the DNS64 prefix configuration, in the DNS64 configuration mode, use the
command no prefix ipv6-address/Mask.

Creating a DNS64 Rule


This command is available only on some firmware versions. To create a DNS64 rule, in the global
configuration mode, use the following command:
ipv6 dns64-proxy id id prefix ipv6-address/Mask [source {ipv6-address/Mask | address-entry-v6} |
trans-mapped-ip {ipv4-address/Mask | address-entry-v4}]

l id id – Specifies the ID of the DNS64 rule. The value range is 1 to 16. Each DNS64 rule has
a unique ID. If the specified DNS64 ID exists, the original rule will be overwritten.

l prefix ipv6-address/Mask – Specifies the IPv6 prefix and length of the prefix. DNS64 uses
the prefix to translate IPv4 addresses to IPv6 addresses. The value range of prefix length is 0
to 96.

l source {ipv6-address/Mask | address-entry-v6 } – Specifies the source IP address of traffic
which can be an IPv6 address or an IPv6 address entry in the address book.

l trans-mapped-ip {ipv4-address/Mask | address-entry-v4} – Specifies the response address
of the IPv4 DNS server, which can be an IPv4 address or an IPv4 address entry in the address
book.

To delete the specified DNS64 rule, in the global configuration mode, use the following com-
mand:
no ipv6 dns64-proxy id id

Creating a DNAT Rule


To create a DNAT rule, in the VRouter configuration mode, use the following command:
dnatrule [id id] [before id | after id | top] from src-address to dst-address [service service-name]
v4-mapped [log] [group group-id]

l id id – Specifies the ID of the DNAT rule. Each DNAT rule has a unique ID. If the ID is
not specified, the system will automatically assign one. If the specified DNAT ID exists, the
original rule will be overwritten.

l before id | after id | top – Specifies the position of the rule. The position can be top, before
id or after id. If the position is not specified, the rule would be located at the end of all the
DNAT rules. By default, the newly-created DNAT rule is located at the end of all the rules.
When traffic flows into the Hillstone device, the device will query for DNAT rules in the list
by turns, and then implement NAT on the destination IP of the traffic according to the first
matched rule.

l from src-address to dst-address [service service-name] – Specifies conditions of the rule that
the traffic should be matched. The conditions are:

l from src-address – Specifies the source IP address of the traffic. src-address should be
an IPv6 address, or an IPv6 address entry in the address book.

l to dst-address – Specifies the destination IP address of the traffic. dst-address should
be an IPv6 address, or an IPv6 address entry in the address book.

l service service-name – Specifies the service type of the traffic. The specified service can only
be configured with one protocol and one port. For example, the TCP port number can
be 80, but cannot be 80 to 100.

l v4-mapped – Extracts the destination IPv4 address from the destination IPv6 address of the
packet directly.

l log – Enables the log function for this DNAT rule (Generating a log when the traffic is
matched to this DNAT rule).

l group group-id - Specifies the HA group that the DNAT rule belongs to. If the parameter is
not specified, the DNAT rule being created will belong to HA group0.

To delete the specified DNAT rule, in the VRouter configuration mode, use the following com-
mand:
no dnatrule id id
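
The DNS64 prefix section above describes the synthesized address as "DNS64 prefix + IPv4 address", and the v4-mapped option of this DNAT rule performs the reverse step. The following Python block is an added example, not code from the guide or from Hillstone: it implements the embedding for all six prefix lengths that RFC 6052 defines (/32 through /96, so it goes beyond the /96 default shown above), the extraction that NAT64 needs, and a small resolver that answers AAAA queries the way the DNS64 description states. The zone records are constructed sample input.

```python
import ipaddress

# Prefix lengths for which RFC 6052 defines where the IPv4 octets are embedded.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = "64:ff9b::/96"   # the default DNS64 prefix named in the guide


def _octet_positions(prefix_len: int) -> list:
    """Byte offsets (0-15) of the four embedded IPv4 octets. Byte 8 (bits 64-71)
    is the reserved 'u' octet of RFC 6052, so it is skipped for /40 to /64."""
    if prefix_len not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"prefix length must be one of {RFC6052_PREFIX_LENGTHS}")
    positions, pos = [], prefix_len // 8
    while len(positions) < 4:
        if pos == 8:
            pos += 1
        positions.append(pos)
        pos += 1
    return positions


def synthesize_aaaa(ipv4: str, prefix: str = WELL_KNOWN_PREFIX) -> str:
    """DNS64 step: embed an A record in the DNS64 prefix to form an AAAA record."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    out = bytearray(net.network_address.packed)
    octets = ipaddress.IPv4Address(ipv4).packed
    for pos, octet in zip(_octet_positions(net.prefixlen), octets):
        out[pos] = octet
    return str(ipaddress.IPv6Address(bytes(out)))


def extract_ipv4(ipv6: str, prefix: str = WELL_KNOWN_PREFIX) -> str:
    """NAT64 v4-mapped step: recover the IPv4 destination from a synthesized
    IPv6 address. Raises ValueError if the address is outside the prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not inside the DNS64 prefix {net}")
    raw = addr.packed
    return str(ipaddress.IPv4Address(bytes(raw[p] for p in _octet_positions(net.prefixlen))))


def is_synthesized(ipv6: str, prefix: str = WELL_KNOWN_PREFIX) -> bool:
    """True if the address lies inside the DNS64 prefix, i.e. a NAT64 DNAT rule
    with v4-mapped could extract an IPv4 destination from it."""
    return ipaddress.IPv6Address(ipv6) in ipaddress.IPv6Network(prefix, strict=False)


# Constructed sample records standing in for what the DNS64 server would learn
# from the upstream resolvers; not a real zone.
SAMPLE_ZONE = {
    "dual.example.":    {"AAAA": ["2001:db8::10"], "A": ["192.0.2.10"]},
    "v4only.example.":  {"AAAA": [],               "A": ["192.0.2.33"]},
    "missing.example.": {"AAAA": [],               "A": []},
}


def dns64_answer(name: str, zone=SAMPLE_ZONE, prefix: str = WELL_KNOWN_PREFIX) -> list:
    """Answer an AAAA query as the guide describes: return native AAAA records
    when they exist, otherwise synthesize them from the A records (an empty
    list means neither record type exists)."""
    records = zone.get(name, {"AAAA": [], "A": []})
    if records["AAAA"]:
        return list(records["AAAA"])
    return [synthesize_aaaa(a, prefix) for a in records["A"]]


if __name__ == "__main__":
    for qname in SAMPLE_ZONE:
        print(qname, dns64_answer(qname))
    aaaa = synthesize_aaaa("192.0.2.33")
    print(aaaa, "->", extract_ipv4(aaaa))
```

The prefix check in extract_ipv4 is the part worth keeping in mind when writing the DNAT rule: v4-mapped only makes sense for destinations inside the configured DNS64 prefix, so the to dst-address condition of the rule should be that prefix rather than ipv6-any.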

Configuring an IPv6 Track Object


To configure a track object, in the global configuration mode, use the following command:
track track-object-name [local]

l track-object-name – Specifies a name for the track object. The length of it can be 1 to 31
characters.

l local – If you enter this parameter, the system will not synchronize the configuration of this
track object with the backup device. Without this parameter, the configuration will be
synchronized with the backup device.

This command creates the track object and leads you into the track object configuration mode; if
the object exists, you will enter its configuration mode directly.
To delete the specified track object, use the following command:
no track track-object-name
An object can be tracked using any of five protocols: ICMP, HTTP, DNS, NDP and TCP. It can
also be tracked by counting the traffic on a specified interface.

Track by IPv6 ICMP Packets


To track an object using Ping packets, in the object configuration mode, use the following com-
mand:
icmp6 {ipv6-address | host host-name} interface interface-name [interval value]
[threshold value] [src-interface interface-name [prior-used-srcip ipv6-address]] [weight value]

l ipv6-address | host host-name – Specifies the IPv6 address or host name of the tracked
object. The length of the host name can be 1 to 63 characters.

l interface interface-name – Specifies the egress interface for sending Ping packets.

l interval value – Specifies the interval of sending Ping packets. The value range is 1 to 255
seconds. The default value is 3.

l threshold value – Specifies the number of missed responses that determines tracking failure.
If the system does not receive the number of response packets specified here, it determines that
the tracking has failed, namely, the destination is unreachable. The value range is 1 to 255. The
default value is 3.

l src-interface interface-name – Specifies the source interface of Ping packets.

l prior-used-srcip ipv6-address – If a secondary IP address is configured on the source interface
and specified here, the system will use that IP address in preference to send track packets. If
the parameter is not specified, the system will use the default IP address of the source interface
to send track packets.

l weight value – Specifies how important this entry's failure is to the judgment of tracking failure.
The value range is 1 to 255. The default value is 255.

Repeat the command to configure more Ping tracking entries.
To delete the specified tracking entry, use the following command:
no icmp6 {ipv6-address | host host-name} interface interface-name [delay]

Track by IPv6 HTTP Packets


To track an object using HTTP packets, in the track object configuration mode, use the following
command:
http ipv6 {ipv6-address | host host-name} interface interface-name [interval value]
[threshold value] [src-interface interface-name] [weight value]

l ipv6-address | host host-name – Specifies the IPv6 address or host name of the track object.
The length of the host name can be 1 to 63 characters.

l interface interface-name – Specifies the egress interface of sending HTTP test packets.

l interval value – Specifies the interval of sending HTTP packets. The value range is 1 to 255
seconds. The default value is 3.

l threshold value – Specifies the number which concludes the tracking fails. If the system
does not receive response packets of the number specified here, it concludes that the tracking
has failed. The value range is 1 to 255. The default value is 1.

l src-interface interface-name – Specifies the source interface of the HTTP packets.

l weight value – Specifies how important this entry failure is to the judgment of tracking fail-
ure. The value range is 1 to 255. The default value is 255.

Repeat the command to configure more HTTP tracking entries.


To delete the specified tracking entry, use the following command:
no http ipv6 {ipv6-address | host host-name} interface interface-name

Track by IPv6 DNS Packets
To track an object using DNS packets, in the track object configuration mode, use the following
command:
dns ipv6 ipv6-address interface interface-name [interval value] [threshold value] [weight value]
[src-interface interface-name]

l ipv6-address – Specifies the IPv6 address of the track object.

l interface interface-name – Specifies the egress interface for sending DNS test packets.

l interval value – Specifies the interval of sending DNS packets. The value range is 1 to 255
seconds. The default value is 3.

l threshold value – Specifies the threshold number which concludes the tracking fails. If the
system does not receive response packets of the number specified here, it concludes that the
tracking has failed. The value range is 1 to 255. The default value is 3.

l weight value – Specifies how important this entry's failure is to the judgment of tracking
failure. The value range is 1 to 255. The default value is 255.

l src-interface interface-name – Specifies the source interface of DNS test packets.

Repeat the command to configure more DNS tracking entries.


To delete the specified tracking entry, use the following command:
no dns ipv6 ipv6-address interface interface-name

Track by NDP Packets


To track an object using NDP packets, in the track object configuration mode, use the following
command:
ndp ipv6-address interface interface-name [interval value] [threshold value] [weight value]

l ipv6-address – Specifies the IPv6 address of track object.

l interface interface-name – Specifies the egress interface of sending NDP test packets.

l interval value – Specifies the interval of sending NDP packets. The value range is 1 to 255
seconds. The default value is 3.

l threshold value – Specifies the threshold number which concludes the tracking fails. If the
system does not receive response packets of the number specified here, it concludes that the
tracking has failed. The value range is 1 to 255. The default value is 3.

l weight value – Specifies how important this entry's failure is to the judgment of tracking
failure. The value range is 1 to 255. The default value is 255.

To delete the specified tracking entry, use the following command:


no ndp ipv6-address interface interface-name

Track by IPv6 TCP Packets


To track an object using TCP packets, in the track object configuration mode, use the following
command:
tcp ipv6 {ipv6-address | host host-name} port port-number interface interface-name
[interval value] [threshold value] [src-interface interface-name] [weight value]

l ipv6-address | host host-name – Specifies the IPv6 address or host name of the track object. The
length of the host name can be 1 to 63 characters.

l port port-number – Specifies the destination port of the track object. The value range is 0 to
65535.

l interface interface-name – Specifies the egress interface for sending TCP test packets.

l interval value – Specifies the interval of sending TCP packets. The value range is 1 to 255
seconds. The default value is 3.

l threshold value – Specifies the threshold number which concludes the tracking fails. If the
system does not receive response packets of the number specified here, it concludes that the
tracking has failed. The value range is 1 to 255. The default value is 3.

l src-interface interface-name – Specifies the source interface of TCP test packets.

l weight value – Specifies how important this entry's failure is to the judgment of tracking
failure. The value range is 1 to 255. The default value is 255.

Repeat the command to configure more TCP tracking entries. For a single track object, you
cannot configure both the HTTP track on the host and the TCP track on port 80 simultaneously.
To delete the specified tracking entry, use the following command:
no tcp ipv6 {ipv6-address | host host-name} port port-number interface interface-name

IPv6 Configuration Examples


This section describes several configuration examples of IPv6, including:

l Example 1: IPv6 transparent mode configuration

l Example 2: IPv6 routing mode configuration

l Example 3: Manual IPv6 tunnel configuration

l Example 4: IPv6 6to4 tunnel configuration

l Example 5: IPv6 SNMP configuration example

l Example 6: IPv6 NAT-PT configuration example

Example 1: IPv6 Transparent Mode Configuration


Hillstone device is deployed in the transparent mode. Ethernet0/0 belongs to the l2-trust zone,
and is connected to the Intranet; ethernet0/1 belongs to the l2-untrust zone; both l2-trust and l2-
untrust belong to VSwitch1. The goal is to allow the hosts in the Intranet to visit Internet, and
allow hosts in the Internet to visit the HTTP server in the Intranet. The network topology is
shown below.

Take the following steps:
Step 1: Configure interfaces:

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone l2-trust
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone l2-untrust
hostname(config-if-eth0/1)# exit
hostname(config)# interface vswitchif1
hostname(config-if-vsw1)# zone trust
hostname(config-if-vsw1)# ipv6 enable
hostname(config-if-vsw1)# ipv6 address 2005::2/64
hostname(config-if-vsw1)# exit
hostname(config)#

Step 2: Configure an address entry:

hostname(config)# address http-server ipv6
hostname(config-addr)# ip 2005::1/64
hostname(config-addr)# exit
hostname(config)#

Step 3: Configure policy rules:

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone l2-trust
hostname(config-policy-rule)# dst-zone l2-untrust
hostname(config-policy-rule)# src-addr ipv6-any
hostname(config-policy-rule)# dst-addr ipv6-any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone l2-untrust
hostname(config-policy-rule)# dst-zone l2-trust
hostname(config-policy-rule)# src-addr ipv6-any
hostname(config-policy-rule)# dst-addr http-server
hostname(config-policy-rule)# service http
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config)#



Example 2: IPv6 Routing Mode Configuration
The Hillstone device is deployed in routing mode. Ethernet0/0 belongs to the trust zone and is connected to the Intranet; ethernet0/1 belongs to the untrust zone and is connected to the Internet. The public address provided by the ISP is 2006::1/64. The goal is to allow the PC in the Intranet to access the Internet. The network topology is shown below.

Take the following steps:


Step 1: Configure interfaces:

hostname(config)# interface ethernet0/0


hostname(config-if-eth0/0)# zone trust
hostname(config-if-eth0/0)# ipv6 enable
hostname(config-if-eth0/0)# ipv6 address 2005::1/64
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust



hostname(config-if-eth0/1)# ipv6 enable
hostname(config-if-eth0/1)# ipv6 address 2006::2/64
hostname(config-if-eth0/1)# exit
hostname(config)#

Step 2: Configure a default route:

hostname(config)# ip vrouter trust-vr


hostname(config-vrouter)# ipv6 route ::/0 2006::1
hostname(config-vrouter)# exit
hostname(config)#

Step 3: Configure a policy rule:

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr 2005::2/64


hostname(config-policy-rule)# dst-addr ipv6-any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit
hostname(config)#



Example 3: Manual IPv6 Tunnel Configuration
PC1 and PC2 use IPv6 addresses and belong to different subnets. The goal is to allow intercommunication between PC1 and PC2 via a manual IPv6 tunnel. The network topology is shown below.

Take the following steps:


Step 1: Configure interfaces:

Device A
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone trust
hostname(config-if-eth0/0)# ipv6 enable
hostname(config-if-eth0/0)# ipv6 address 27a6::210:ea1:71ff:fe00/64
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 100.100.10.1/24
hostname(config-if-eth0/1)# exit
hostname(config)#

Device B
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone trust
hostname(config-if-eth0/0)# ipv6 enable
hostname(config-if-eth0/0)# ipv6 address 32f1::250:af:34ff:fe00/64
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 100.100.10.2/24


hostname(config-if-eth0/1)# exit
hostname(config)#

Step 2: Configure tunnels:

Device A
hostname(config)# tunnel ip6in4 test-tunnelA manual
hostname(config-ip6in4-manual)# interface ethernet0/1
hostname(config-ip6in4-manual)# destination 100.100.10.2

hostname(config-ip6in4-manual)# exit
hostname(config)#

Device B



hostname(config)# tunnel ip6in4 test-tunnelB manual
hostname(config-ip6in4-manual)# interface ethernet0/1
hostname(config-ip6in4-manual)# destination 100.100.10.1

hostname(config-ip6in4-manual)# exit
hostname(config)#

Step 3: Bind the manual IPv6 tunnel to tunnel interfaces:

Device A
hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone untrust
hostname(config-if-tun1)# ipv6 enable
hostname(config-if-tun1)# tunnel ip6in4 test-tunnelA
hostname(config-if-tun1)# exit
hostname(config)#

Device B
hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone untrust
hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# tunnel ip6in4 test-tunnelB


hostname(config-if-tun1)# exit
hostname(config)#

Step 4: Configure policy rules:

Device A
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust



hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr ipv6-any
hostname(config-policy-rule)# dst-addr ipv6-any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config)#

Device B
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr ipv6-any
hostname(config-policy-rule)# dst-addr ipv6-any

hostname(config-policy-rule)# service any


hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config)#

Step 5: Configure routes:

Device A
hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ipv6 route 32f1::/64 tunnel1
hostname(config-vrouter)# exit
hostname(config)#

Device B
hostname(config)# ip vrouter trust-vr



hostname(config-vrouter)# ipv6 route 27a6::/64 tunnel1
hostname(config-vrouter)# exit
hostname(config)#
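On the wire, the manual ip6in4 tunnel configured above carries every IPv6 packet inside an IPv4 packet whose protocol number is 41, sent between the two tunnel endpoints. The following Python is an added example, not code from the StoneOS guide, that builds and parses that encapsulation with Example 3's addresses and shows the checks a receiving endpoint should apply before accepting a tunnelled packet; the packet contents are constructed here.

```python
"""Added example (not from the StoneOS guide): the IPv4 protocol-41
encapsulation a manual ip6in4 tunnel such as Example 3's performs (RFC 4213).
Outer addresses are the tunnel endpoints from the example
(100.100.10.1 and 100.100.10.2); the inner packet travels between the two
IPv6 LANs (27a6::/64 and 32f1::/64). Packet contents are constructed here."""
import ipaddress
import struct

IPPROTO_IPV6 = 41  # protocol number for IPv6 carried inside IPv4


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 for an intact header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src: str, dst: str, next_header: int, payload: bytes,
                      hop_limit: int = 64) -> bytes:
    """Minimal fixed IPv6 header (version 6, zero traffic class and flow label) plus payload."""
    header = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def encapsulate(outer_src: str, outer_dst: str, inner: bytes, ttl: int = 64) -> bytes:
    """Prepend the outer IPv4 header (IHL 5, protocol 41) that the sending tunnel endpoint emits."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, ttl, IPPROTO_IPV6, 0,
                         ipaddress.IPv4Address(outer_src).packed,
                         ipaddress.IPv4Address(outer_dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + inner


def decapsulate(packet: bytes, expected_peer: str = None) -> dict:
    """Check the outer header the way the receiving endpoint should, then return the
    inner IPv6 addresses and payload. Raises ValueError for anything that should be dropped:
    a damaged header, a protocol other than 41, an inner packet that is not IPv6 or whose
    length disagrees with the outer one, or an outer source that is not the configured peer."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    if packet[9] != IPPROTO_IPV6:
        raise ValueError(f"protocol {packet[9]} is not IPv6-in-IPv4")
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    if expected_peer is not None and outer_src != expected_peer:
        raise ValueError(f"outer source {outer_src} is not the configured peer {expected_peer}")
    total_len = struct.unpack("!H", packet[2:4])[0]
    inner = packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    if len(inner) != 40 + struct.unpack("!H", inner[4:6])[0]:
        raise ValueError("inner IPv6 length disagrees with outer IPv4 length")
    return {
        "outer_src": outer_src,
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "next_header": inner[6],
        "payload": inner[40:],
    }
```

Device B would call decapsulate with expected_peer set to 100.100.10.1, the destination configured in test-tunnelB, so protocol-41 packets from any other source are rejected rather than injected into the trust zone.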

Example 4: IPv6 6to4 Tunnel Configuration


PC1, PC2 and PC3 are IPv6 hosts, among which PC1 and PC2 use 6to4 addresses, while PC3
uses a general IPv6 address. The goal is to configure 6to4 tunnels on Device A, Device B and
Device C for the intercommunication among PC1, PC2 and PC3. The network topology is shown
below.

Take the following steps:



Step 1: Configure interfaces:

Device A
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone trust
hostname(config-if-eth0/0)# ipv6 enable
hostname(config-if-eth0/0)# ipv6 address 2002:202:201::1/48
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 2.2.2.1/24
hostname(config-if-eth0/1)# exit
hostname(config)#
Device B
hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust


hostname(config-if-eth0/0)# ipv6 enable
hostname(config-if-eth0/0)# ipv6 address 2002:202:202::1/48

hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 2.2.2.2/24
hostname(config-if-eth0/1)# exit
hostname(config)#
Device C
hostname(config)# interface ethernet0/0



hostname(config-if-eth0/0)# zone trust
hostname(config-if-eth0/0)# ipv6 enable
hostname(config-if-eth0/0)# ipv6 address 310a::1/16
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 2.2.2.3/24
hostname(config-if-eth0/1)# exit
hostname(config)#

Step 2: Configure tunnels:

Device A
hostname(config)# tunnel ip6in4 test-tunnelA 6to4
hostname(config-ip6in4-6to4)# interface ethernet0/1
hostname(config-ip6in4-6to4)# exit

hostname(config)#
Device B
hostname(config)# tunnel ip6in4 test-tunnelB 6to4
hostname(config-ip6in4-6to4)# interface ethernet0/1

hostname(config-ip6in4-6to4)# exit
hostname(config)#
Device C
hostname(config)# tunnel ip6in4 test-tunnelC 6to4
hostname(config-ip6in4-6to4)# interface ethernet0/1
hostname(config-ip6in4-6to4)# exit
hostname(config)#

Step 3: Bind the 6to4 tunnels to tunnel interfaces:



Device A
hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone untrust
hostname(config-if-tun1)# ipv6 enable
hostname(config-if-tun1)# tunnel ip6in4 test-tunnelA
hostname(config-if-tun1)# exit
hostname(config)#

Device B
hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone untrust
hostname(config-if-tun1)# ipv6 enable
hostname(config-if-tun1)# tunnel ip6in4 test-tunnelB
hostname(config-if-tun1)# exit
hostname(config)#

Device C
hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone untrust
hostname(config-if-tun1)# ipv6 enable
hostname(config-if-tun1)# tunnel ip6in4 test-tunnelC
hostname(config-if-tun1)# exit
hostname(config)#

Step 4: Configure a policy rule (on all the three devices):

Device A, Device B, Device C
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr ipv6-any
hostname(config-policy-rule)# dst-addr ipv6-any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config)#

Step 5: Configure routes:

Device A
hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ipv6 route 2002:202:202::/48 tunnel1
hostname(config-vrouter)# ipv6 route 310a::/16 tunnel1 2002:202:203::1
hostname(config-vrouter)# exit
hostname(config)#
Device B
hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ipv6 route 2002:202:201::/48 tunnel1
hostname(config-vrouter)# ipv6 route 310a::/16 tunnel1 2002:202:203::1
hostname(config-vrouter)# exit
hostname(config)#
Device C
hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ipv6 route 2002::/16 tunnel1
hostname(config-vrouter)# exit
hostname(config)#
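The 6to4 addresses in Example 4 are not arbitrary: each device's prefix is 2002: followed by its own public IPv4 tunnel endpoint in hexadecimal, and the next hop 2002:202:203::1 used for 310a::/16 only works because it decodes to Device C's address 2.2.2.3. The following Python is an added example, not code from the StoneOS guide, that derives the prefix from an IPv4 endpoint, recovers the endpoint from a 6to4 address, and audits the example's configured addresses for consistency; the device table is built from the addresses above.

```python
"""Added example (not from the StoneOS guide): derive and check the 6to4
prefixes used in Example 4. A 6to4 prefix is 2002:WWXX:YYZZ::/48, where
WWXX:YYZZ is the hexadecimal form of the tunnel endpoint's public IPv4
address (RFC 3056), so Device A at 2.2.2.1 owns 2002:202:201::/48 and the
next hop 2002:202:203::1 used for 310a::/16 must belong to Device C (2.2.2.3).
The device table below is built from the example's addresses."""
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the /48 6to4 prefix implied by a public IPv4 endpoint address."""
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        # Peers derive the IPv4 endpoint from the prefix, so it must be routable on the Internet.
        raise ValueError(f"{ipv4} is not a public IPv4 address; 6to4 needs one")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_ipv4(ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 tunnel endpoint from a 6to4 address (the inverse mapping)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTO4:
        raise ValueError(f"{ipv6} is not inside {SIXTO4}")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def nexthop_matches_endpoint(next_hop: str, endpoint_ipv4: str) -> bool:
    """True when a 6to4 next hop decodes to the expected IPv4 tunnel endpoint."""
    return embedded_ipv4(next_hop) == ipaddress.IPv4Address(endpoint_ipv4)


# (ethernet0/1 IPv4 address, ethernet0/0 IPv6 address) per device, taken from Example 4.
EXAMPLE4_DEVICES = {
    "Device A": ("2.2.2.1", "2002:202:201::1/48"),
    "Device B": ("2.2.2.2", "2002:202:202::1/48"),
}


def audit_6to4_prefixes(devices: dict) -> list:
    """Names of devices whose configured 6to4 prefix does not match their IPv4 endpoint."""
    mismatched = []
    for name, (v4, v6) in devices.items():
        if ipaddress.IPv6Interface(v6).network != sixto4_prefix(v4):
            mismatched.append(name)
    return mismatched
```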

Example 5: IPv6 SNMP Configuration


This section describes the following two IPv6 SNMP configuration examples:

• Viewing IPv6 MIB information via an IPv4 network

• Viewing IPv6 MIB information via an IPv6 network

Viewing IPv6 MIB Information via an IPv4 Network

The host address is 1.1.1.2/24; the host is connected to ethernet0/0, which belongs to the untrust zone and has the address 1.1.1.1/24. Take the following steps:
Step 1: Configure an interface:

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone untrust
hostname(config-if-eth0/0)# ip address 1.1.1.1/24
hostname(config-if-eth0/0)# manage snmp
hostname(config-if-eth0/0)# exit
hostname(config)#

Step 2: Configure SNMP (only required configuration is listed):

hostname(config)# snmp-server manager


hostname(config)# snmp-server host 1.1.1.2 community public ro

After finishing the above configuration, you can view IPv6-related MIB information via a MIB browser on the management host.



Viewing IPv6 MIB Information via an IPv6 Network

The host address is 2008::2/64; the host is connected to ethernet0/0, which belongs to the untrust zone and has the address 2008::1/64. Take the following steps:
Step 1: Configure an interface:

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone untrust
hostname(config-if-eth0/0)# ipv6 enable
hostname(config-if-eth0/0)# ipv6 address 2008::1/64
hostname(config-if-eth0/0)# manage snmp
hostname(config-if-eth0/0)# exit
hostname(config)#

Step 2: Configure SNMP (only required configuration is listed):

hostname(config)# snmp-server manager


hostname(config)# snmp-server ipv6-host 2008::2 community public ro

After finishing the above configuration, you can view IPv6-related MIB information via a MIB browser on the management host.

Example 6: IPv6 NAT-PT Configuration


IPv6 and IPv4 networks are connected via a Hillstone device. The goals of the NAT-PT configuration are:

• Requirement 1: The host in the IPv6 network can initiate access to the host in the IPv4 network, while the host in the IPv4 network cannot initiate access to the host in the IPv6 network;

• Requirement 2: The host in the IPv4 network can initiate access to the host in the IPv6 network, while the host in the IPv6 network cannot initiate access to the host in the IPv4 network.

The network topology is shown below:



Requirement 1

The host in the IPv6 network can initiate access to the host in the IPv4 network, while the host in the IPv4 network cannot initiate access to the host in the IPv6 network. Assume the situation below: for the host in the IPv6 network, the mapped IPv6 address of the host in the IPv4 network is 2003::2.
Take the following steps:
Step 1: Configure interfaces:

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone trust
hostname(config-if-eth0/1)# ipv6 enable
hostname(config-if-eth0/1)# ipv6 address 2001::1/64
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/13
hostname(config-if-eth0/13)# zone trust
hostname(config-if-eth0/13)# ip address 192.168.1.1/24
hostname(config-if-eth0/13)# exit
hostname(config)#

Step 2: Configure NAT-PT rules:

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# snatrule from ipv6-any to 2003::2 service any trans-to eif-ip mode dynamicport
rule ID=1
hostname(config-vrouter)# dnatrule from ipv6-any to 2003::2 service any trans-to 192.168.1.2
rule ID=1
hostname(config-vrouter)# exit
hostname(config)#

Step 3: Configure a policy rule:

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr 2001::2/64
hostname(config-policy-rule)# dst-addr 2003::2/128

hostname(config-policy-rule)# service any


hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config)#

Requirement 2

The host in the IPv4 network can initiate access to the host in the IPv6 network, while the host in the IPv6 network cannot initiate access to the host in the IPv4 network. Assume the situation below: for the host in the IPv4 network, the mapped IPv4 address of the host in the IPv6 network is 192.168.2.2.
Take the following steps:
Step 1: Configure interfaces:



hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone trust
hostname(config-if-eth0/1)# ipv6 enable
hostname(config-if-eth0/1)# ipv6 address 2001::1/64
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/13
hostname(config-if-eth0/13)# zone trust
hostname(config-if-eth0/13)# ip address 192.168.1.1/24
hostname(config-if-eth0/13)# exit
hostname(config)#

Step 2: Configure NAT-PT rules:

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# snatrule from any to 192.168.2.2 service any trans-to 2001::2 mode dynamicport
rule ID=2
hostname(config-vrouter)# dnatrule from any to 192.168.2.2 service any trans-to 2001::3
rule ID=2
hostname(config-vrouter)# exit
hostname(config)#

Step 3: Configure a policy rule:

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr 192.168.1.2/24
hostname(config-policy-rule)# dst-addr 192.168.2.2/32
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config)#

Example 7: IPv6 DNS64 and NAT64 Configuration


IPv6 and IPv4 networks are connected via a Hillstone device. The goal is to allow the host in the
IPv6 network to initiate access to the host in the IPv4 network by configuring DNS64 and
NAT64 on the device. The network topology is shown below:

Take the following steps:


Step 1: Configure DNS rule and enable the DNS64 function:

hostname(config)# dns-proxy rule


hostname(config-dns-proxy-rule)# ingress-interface ethernet0/1
hostname(config-dns-proxy-rule)# src-addr 2005::2006/64
hostname(config-dns-proxy-rule)# dst-addr IPv6-any
hostname(config-dns-proxy-rule)# domain any
hostname(config-dns-proxy-rule)# action proxy



hostname(config-dns-proxy-rule)# name-server 192.168.1.1
hostname(config-dns-proxy-rule)# dns64 enable
hostname(config-dns-proxy-dns64)# prefix 64:ff9b::/96
hostname(config-dns-proxy-dns64)# server 192.168.1.1
hostname(config-dns-proxy-dns64)# exit
hostname(config-dns-proxy-rule)# exit
hostname(config)#

Step 2: Configure NAT64:

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# snatrule from 2005::2009 to 64:ff9b::/96 trans-to eif-ip mode dynamicport
rule ID=1
hostname(config-vrouter)# dnatrule from 2005::2009 to 64:ff9b::/96 v4-mapped
rule ID=1
hostname(config-vrouter)# exit
hostname(config)#
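The two halves of Example 7 share one address mapping: DNS64 answers an AAAA query for an IPv4-only name by embedding the A record in the low 32 bits of the 64:ff9b::/96 prefix, and the v4-mapped dnatrule recovers that IPv4 address when the IPv6 host's traffic reaches the device. The following Python is an added example, not code from the StoneOS guide, that implements the synthesis, the reverse extraction and the DNS64 decision; the DNS records are constructed for illustration.

```python
"""Added example (not from the StoneOS guide): the address synthesis behind
Example 7. DNS64 answers an AAAA query for an IPv4-only name by embedding the
A record in the low 32 bits of the NAT64 prefix (RFC 6052); NAT64 later
recovers the IPv4 destination from that synthesized address. The prefix is
the one configured above; the DNS records below are constructed."""
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")   # prefix 64:ff9b::/96 from Example 7


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a /96 NAT64 prefix (what DNS64 returns in the AAAA answer)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only, as in Example 7")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv4Address:
    """Recover the IPv4 destination from a synthesized address (what the v4-mapped rule does)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        # Traffic outside the prefix is native IPv6 and must not be handed to NAT64.
        raise ValueError(f"{ipv6} is outside {prefix}; it is a native IPv6 destination")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


# Constructed zone data standing in for the answers of the name server 192.168.1.1.
A_RECORDS = {"v4only.example": ["192.0.2.10"], "dual.example": ["192.0.2.20"]}
AAAA_RECORDS = {"dual.example": ["2001:db8::20"]}


def dns64_answer(name: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> list:
    """DNS64 decision for an AAAA query: pass a native AAAA answer through untouched,
    synthesize from A records only when no AAAA exists, and return [] when neither exists."""
    if name in AAAA_RECORDS:
        return AAAA_RECORDS[name]
    return [str(synthesize_aaaa(a, prefix)) for a in A_RECORDS.get(name, [])]
```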



Appendix 1: ICMPv6 Type and Code

| ICMPv6 Type | Name | ICMPv6 Code | Reference |
| 1 | Destination Unreachable | 0 - no route to destination | [RFC4443] |
| | | 1 - communication with destination administratively prohibited | [RFC4443] |
| | | 2 - beyond scope of source address | [RFC4443] |
| | | 3 - address unreachable | [RFC4443] |
| | | 4 - port unreachable | [RFC4443] |
| | | 5 - source address failed ingress/egress policy | [RFC4443] |
| | | 6 - reject route to destination | [RFC4443] |
| 2 | Packet Too Big | 0 | [RFC4443] |
| 3 | Time Exceeded | 0 - hop limit exceeded in transit | [RFC4443] |
| | | 1 - fragment reassembly time exceeded | [RFC4443] |
| 4 | Parameter Problem | 0 - erroneous header field encountered | [RFC4443] |
| | | 1 - unrecognized Next Header type encountered | [RFC4443] |
| | | 2 - unrecognized IPv6 option encountered | [RFC4443] |
| 5-99 | Unallocated Error message | 0 | [RFC4443] |
| 100 | Private experimentation | - | [RFC4443] |
| 101 | Private experimentation | - | [RFC4443] |
| 102-126 | Unallocated Error message | 0 | [RFC4443] |
| 127 | Reserved for expansion of ICMPv6 error messages | - | [RFC4443] |
| 128 | Echo Request | 0 | [RFC4443] |
| 129 | Echo Reply | 0 | [RFC4443] |
| 130 | Multicast Listener Query | 0 | [RFC2710] |
| 131 | Multicast Listener Report | 0 | [RFC2710] |
| 132 | Multicast Listener Done | 0 | [RFC2710] |
| 133 | Router Solicitation | 0 | [RFC4861] |
| 134 | Router Advertisement | 0 | [RFC4861] |
| 135 | Neighbor Solicitation | 0 | [RFC4861] |
| 136 | Neighbor Advertisement | 0 | [RFC4861] |
| 137 | Redirect Message | 0 | [RFC4861] |
| 138 | Router Renumbering | 0 - Router Renumbering Command | [Crawford] [RFC2894] |
| | | 1 - Router Renumbering Result | [Crawford] [RFC2894] |
| | | 255 - Sequence Number Reset | [Crawford] [RFC2894] |
| 139 | ICMP Node Information Query | 0 - The Data field contains an IPv6 address which is the Subject of this Query | [RFC4620] |
| | | 1 - The Data field contains a name which is the Subject of this Query, or is empty, as in the case of a NOOP. | [RFC4620] |
| | | 2 - The Data field contains an IPv4 address which is the Subject of this Query. | [RFC4620] |
| 140 | ICMP Node Information Response | 0 - A successful reply. The Reply Data field may or may not be empty. | [RFC4620] |
| | | 1 - The Responder refuses to supply the answer. The Reply Data field will be empty. | [RFC4620] |
| | | 2 - The Qtype of the Query is unknown to the Responder. The Reply Data field will be empty. | [RFC4620] |
| 141 | Inverse Neighbor Discovery Solicitation Message | 0 | [RFC3122] |
| 142 | Inverse Neighbor Discovery Advertisement Message | 0 | [RFC3122] |
| 143 | Version 2 Multicast Listener Report | - | [RFC3810] |
| 144 | Home Agent Address Discovery Request Message | 0 | [RFC3775] |
| 145 | Home Agent Address Discovery Reply Message | 0 | [RFC3775] |
| 146 | Mobile Prefix Solicitation | 0 | [RFC3775] |
| 147 | Mobile Prefix Advertisement | 0 | [RFC3775] |
| 148 | Certification Path Solicitation Message | - | [RFC3971] |
| 149 | Certification Path Advertisement Message | - | [RFC3971] |
| 150 | ICMP messages utilized by experimental mobility protocols such as Seamoby | - | [RFC4065] |
| 151 | Multicast Router Advertisement | - | [RFC4286] |
| 152 | Multicast Router Solicitation | - | [RFC4286] |
| 153 | Multicast Router Termination | - | [RFC4286] |
| 154 | FMIPv6 Messages | - | [RFC5268] |
| 200 | Private experimentation | - | [RFC4443] |
| 201 | Private experimentation | - | [RFC4443] |
| 255 | Reserved for expansion of ICMPv6 informational messages | - | [RFC4443] |



Chapter 8 User Authentication
This chapter introduces the following topics:

• Authentication, Authorization and Accounting describes the AAA function: Authentication, Authorization and Accounting.

• User Identification describes various methods of user identification, which are used to authenticate users who access the Internet via the device.

• 802.1X Authentication describes the function of 802.1X authentication. 802.1X is a standard defined by IEEE for Port-based Network Access Control.

• PKI describes the function of Public Key Infrastructure, which provides public key encryption and digital signature services.



Authentication, Authorization and Accounting

Overview
AAA is the abbreviation for Authentication, Authorization and Accounting. Details are as follows:

• Authentication: Authenticates users' identities.

• Authorization: Grants certain privileges according to the configuration.

• Accounting: Records the fees users should pay for their network resource usage.

Hillstone devices support the following authentication methods:

• Local authentication: Configures user information (including username, password and properties) on Hillstone devices. Local authentication is fast and can reduce operation cost, but the amount of information that can be stored is limited by the hardware of the device. By default, Hillstone devices use local authentication.

• External authentication: Hillstone devices also support external authentication over the RADIUS, AD, LDAP and TACACS+ protocols. User information is stored on an external RADIUS, AD, LDAP or TACACS+ server, and Hillstone devices authenticate users through the external server.

Hillstone devices support the following authorization methods:

• Local authorization: Authorizes user privileges according to the configuration of Hillstone devices.

• Authorization after external authentication: RADIUS/LDAP/AD/TACACS+ authentication is mapped to an authorization.

Hillstone devices support the following accounting methods:

• No accounting: No accounting is required.

• External accounting: Performs accounting for authenticated users via a RADIUS server.

External Authentication Procedure


When a user has established a connection from a terminal to a Hillstone device and gained access or management privilege, the Hillstone device can authenticate the user via the configured RADIUS or LDAP server. The figure below shows the external authentication procedure:

As shown above, the procedure is:

1. The user sends the username and password to the Hillstone device.

2. The Hillstone device receives the username and password, and sends an authentication request to the RADIUS/LDAP/AD/TACACS+ server.

3. If the request is legal, the RADIUS/LDAP/AD/TACACS+ server performs authentication. If it passes, the RADIUS/LDAP/AD/TACACS+ server returns the user information to the Hillstone device; otherwise it returns denial information. The security between the Hillstone device and the RADIUS/TACACS+ server is guaranteed by the shared secret (secret key or cipher text).

Configuring an AAA Server


The configurations of an AAA server include:

• Creating an AAA server

• Configuring a local authentication server

• Configuring a RADIUS authentication server

• Configuring an Active-Directory authentication server

• Configuring a TACACS+ authentication server

• Configuring an LDAP authentication server

• Configuring a RADIUS accounting server

• Specifying an authentication server for the system administrator

• Configuring the Brute-force Cracking Defense

Creating an AAA Server

AAA configurations need to be done in the AAA server configuration mode. To create an AAA server, in the global configuration mode, use the following command:
aaa-server aaa-server-name [type] {local | radius | active-directory | ldap | tacacs+}

• aaa-server-name – Specifies the name of the AAA server. The length is 1 to 31 characters and is case sensitive.

• type {local | radius | active-directory | ldap | tacacs+} – Specifies the type of the AAA server to be created. It can be a local server (local), RADIUS server (radius), Active-Directory server (active-directory), LDAP server (ldap) or TACACS+ server (tacacs+).

After executing this command, the system will create an AAA server with the specified name and enter the AAA server configuration mode. If the specified name already exists, the system will directly enter the AAA server configuration mode.
To delete the specified AAA server, in the global configuration mode, use the following command:
no aaa-server aaa-server-name



Configuring a Local Authentication Server

To enter the local server configuration mode, in the global configuration mode, use the command aaa-server aaa-server-name type local. The local authentication server configuration includes:

• Configuring the password control

• Specifying user name format

• Configuring a role mapping rule

• Configuring a user blacklist

• Configuring a backup authentication server

Configuring the Password Control

To prevent account security problems, you can configure the password control function. The configuration of the password control function must be performed in the password control configuration mode. To enter the password control configuration mode, in the local server configuration mode, use the following command:
password-control
The password control function includes:

• Allowing Password Change by Local Users

• Configuring the Password Validity and Password Expiry Warning

• Configuring the History Password Check

• Configuring the Password Complexity

• Enabling/disabling Forced Password Change for First Login



Allowing Password Change by Local Users

Local users can change their password on the login page after successful authentication. For configuration, refer to "User Authentication > User Identification > Web Authentication > Allowing Password Change by Local Users".
By default, a local user is not allowed to change its password, but you can configure the device to grant local users the right to change their password after they pass SSL VPN authentication. For configuration, refer to "VPN > SSL VPN > Configuring SSL VPN Server > Allowing Password Change by Local Users".

Configuring Change Password after First Login

By default, the function is disabled. To configure the Change Password after First Login function, in the password control mode, use the following command:
first-login-check [mode {compatibility | enforcement}]

• compatibility – Specifies the compatible mode for the Change Password after First Login function: ① if this function does not apply to the SSL VPN client, users can log in to the SSL VPN client for the first time without changing the password; ② if this function applies to the SSL VPN client, users need to change the login password immediately after logging in to the SSL VPN client for the first time.

• enforcement – Specifies the enforce mode for the Change Password after First Login function. Users need to change the login password immediately after logging in to the SSL VPN client for the first time.

Notes:
• In case the Enforce Mode is configured, the SSL VPN client cannot be used if this function does not apply to the SSL VPN client. You are advised to upgrade the SSL VPN client or switch to the compatible mode.

• The SSL VPN client versions that allow you to change the password upon the first login are as follows: SSL VPN Windows client 1.4.9.1274 or later version, Linux 1.4.0 or later version, Android 4.5 or later version, and iOS 2.0.6 or later version.

• The Change Password after First Login function does not apply to SSL VPN Windows client (non-administrator) version 1.5.x.

Configuring the Password Validity and Password Expiry Warning

You can configure the password validity period and the number of days before expiry on which users will be reminded that their password is about to expire.
To configure the password validity and password expiry warning, in the password control mode, use the following command:
aging aging-day [alert-before-expire alert-day]

• aging-day – Specifies the valid period of the password. The value range is 1 to 365 days. The default value is 90.

• alert-day – Specifies how many days before the password expires the user is reminded to change it. The value range is 1 to 30 days. The default value is 7.

To cancel the settings of password validity and password expiry warning, use the no aging command.

Configuring the History Password Check

When the history password check function is enabled, the system compares a newly changed password against the historical passwords, ensuring that the new password is different from the history passwords.

To configure the history password check function, in the password control mode, use the following command:
history-check count

• count – The newly changed password must differ from the passwords set in the most recent count changes. The value range is 1 to 5. The default value is 3.

To cancel the history password check configuration, use the no history-check command.

Configuring the Password Complexity

The lower the complexity of a password, the more likely it is to be cracked, for example when it includes the username or is short. For security reasons, you can enable password complexity configuration and configure the complexity requirements to ensure that users' passwords have high complexity.
To enable password complexity configuration, in the password control mode, use the following command:
complexity enable

To disable this function, use the no complexity enable command.

To configure the password complexity, in the password control mode, use the following command:
complexity {capital-letters letters | small-letters length | min-length length | no-include-username | non-alphanumeric-letters length | numeric-characters length}

• capital-letters letters – Specifies the minimum number of uppercase letters the password must contain. The range is 0-16. The default value is 0.

• small-letters length – Specifies the minimum number of lowercase letters the password must contain. The range is 0-16. The default value is 0.

• min-length length – Specifies the minimum password length. The range is 1-16. The default value is 1.

• no-include-username – Specifies that the password cannot contain the username.

• non-alphanumeric-letters length – Specifies the minimum number of special characters (that is, non-alphanumeric characters) the password must contain. The range is 0-16. The default value is 0.

• numeric-characters length – Specifies the minimum number of digits the password must contain. The range is 0-16. The default value is 0.

To restore the default values, use the no complexity {capital-letters | small-letters | min-length | no-include-username | non-alphanumeric-letters | numeric-characters} command.
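The password control settings above (aging and alert-before-expire, history-check count, and the complexity thresholds) together decide whether a password change is accepted and when a user is warned. The following Python is an added example, not code from the StoneOS guide, that evaluates a candidate password against such a policy and reports every requirement it fails; the policy values, usernames and sample passwords are constructed for illustration.

```python
"""Added example (not from the StoneOS guide): evaluate a candidate password
against the password-control settings described above. The PasswordPolicy
fields mirror the complexity keywords and history-check count, and
password_status mirrors aging / alert-before-expire. Policy values and
sample passwords are constructed for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass
class PasswordPolicy:
    capital_letters: int = 0            # complexity capital-letters (default 0)
    small_letters: int = 0              # complexity small-letters (default 0)
    min_length: int = 1                 # complexity min-length (default 1)
    no_include_username: bool = False   # complexity no-include-username
    non_alphanumeric_letters: int = 0   # complexity non-alphanumeric-letters (default 0)
    numeric_characters: int = 0         # complexity numeric-characters (default 0)
    history_check: int = 3              # history-check count (default 3)

    def violations(self, password: str, username: str, history=()) -> list:
        """Return the requirements the password fails, in check order; empty means accepted.
        history holds previous passwords, oldest first; only the most recent history_check
        entries are compared, which is what the count parameter means."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"min-length {self.min_length}")
        if sum(c.isupper() for c in password) < self.capital_letters:
            problems.append(f"capital-letters {self.capital_letters}")
        if sum(c.islower() for c in password) < self.small_letters:
            problems.append(f"small-letters {self.small_letters}")
        if sum(c.isdigit() for c in password) < self.numeric_characters:
            problems.append(f"numeric-characters {self.numeric_characters}")
        if sum(not c.isalnum() for c in password) < self.non_alphanumeric_letters:
            problems.append(f"non-alphanumeric-letters {self.non_alphanumeric_letters}")
        # Case-insensitive, so "Alice" inside "alice123" is still caught.
        if self.no_include_username and username and username.lower() in password.lower():
            problems.append("no-include-username")
        # A device compares stored password hashes; a plaintext list keeps this self-contained.
        recent = list(history)[-self.history_check:] if self.history_check else []
        if password in recent:
            problems.append(f"history-check {self.history_check}")
        return problems


def password_status(set_on: str, today: str, aging_day: int = 90, alert_day: int = 7) -> str:
    """Classify a password by age (ISO dates): 'valid', 'expiring' once it is within
    alert_day days of the end of the aging_day validity period, or 'expired'."""
    age = (date.fromisoformat(today) - date.fromisoformat(set_on)).days
    if age >= aging_day:
        return "expired"
    if aging_day - age <= alert_day:
        return "expiring"
    return "valid"
```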

Specifying User Name Format

During user authentication, the system will extract the user name based on the configured authen-
tication user name format. If the desired format is not available, the system will directly use the
original user name for authentication.
To specify the authentication user name format, in the local server configuration mode, use the following command:
extract-username-format authenticate {[domain\username] [username@domain]}
To delete the configuration of the authentication user name format, in the local server configuration mode, use the following command:
no extract-username-format authenticate {[domain\username] [username@domain]}
When implementing policy control based on user name or user group, the system looks up the group to which a user name belongs in the locally stored organization units.
To specify the user name formats supported when searching for the user group, in the local server configuration mode, use the following command:
extract-username-format search-usergroup {[domain\username] [username@domain]}
To delete the configuration of the user name format for searching groups, in the local server configuration mode, use the following command:
no extract-username-format search-usergroup {[domain\username] [username@domain]}



Configuring a Role Mapping Rule

After a role mapping rule is specified, the system assigns a role to users authenticated by the server according to that rule. To configure a role mapping rule for the server, in the local server configuration mode, use the following command:
role-mapping-rule rule-name

• rule-name – Specifies the name of an existing role mapping rule.

To cancel the role mapping rule configuration, in the local server configuration mode, use the following command:
no role-mapping-rule

Configuring a User Blacklist

After a user blacklist is configured for the local server, users on the blacklist who are authenticated by the server are not allowed to access any network resource. To add a user to the blacklist, in the local server configuration mode, use the following command:
user-black-list username user-name

• user-name – Specifies the user name of the blacklisted user. The value range is 1 to 63 characters.

To delete a user from the blacklist, in the local server configuration mode, use the following command:
no user-black-list username user-name

Configuring a Backup Authentication Server

After a backup authentication server is configured for the local server, the backup authentication server takes over authentication when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active-Directory, RADIUS or LDAP server defined in the system. To configure a backup authentication server, in the local server configuration mode, use the following command:
backup-aaa-server aaa-server-name

• aaa-server-name – Specifies an AAA server defined in the system.



To cancel the specified backup authentication server, in the local server configuration mode, use the following command:
no backup-aaa-server

Notes:
• The backup authentication server and the primary server must belong to the same VSYS. For more information about VSYS, see Virtual System.

• The backup authentication server must not itself have a backup authentication server (no nesting).

• Before deleting an AAA server, make sure the server is not specified as a backup authentication server.

Configuring the Brute-force Cracking Defense

To prevent unauthorized users from obtaining a user name and password by brute-force cracking, you can configure the brute-force cracking defense, which locks out a user or an IP address: if the number of failed attempts within the specified period reaches the specified limit, the user or IP address is locked for a while.
The brute-force cracking defense configuration includes:

• Enabling/Disabling the brute-force cracking defense

• Configuring the number of attempts

• Configuring the lockout time

Enabling/Disabling the Brute-force Cracking Defense

By default, the brute-force cracking defense is disabled. To enable or disable it, in the local server configuration mode, use the following commands:

• Enable: lockout {ip | user} enable

• Disable: lockout {ip | user} disable



Configuring the Number of Attempts

The number of attempts is the number of login failures allowed within the specified interval. To configure it, in the local server configuration mode, use the following command:
lockout {ip | user} failed-attempts number interval interval

• failed-attempts number – Specifies the number of login failures allowed. For lockout user, the range is 1 to 32 and the default value is 5. For lockout ip, the range is 1 to 2048 and the default value is 64.

• interval interval – Specifies the period, in seconds, within which failed attempts are counted. The range is 1 to 180 and the default value is 60 seconds.

Configuring the Lockout Time

If the number of failed attempts within the interval reaches the limit, the user or IP address is locked out for the lockout time. To configure the lockout time, in the local server configuration mode, use the following command:
lockout {ip | user} lockout-time time

• lockout-time time – Specifies the lockout time in seconds. The range is 30 to 180. The default value is 600 seconds for lockout user, and 60 seconds for lockout ip.

Viewing the Lockout Information

To view the locked users or IP addresses, in any mode, use the following command:
show aaa-server aaa-server-name lockout {user [username] | ip [ip-address vr_id number]}

• aaa-server-name - Specifies the name of the AAA server.

• user [username] - Shows the lockout information of the user with the specified name.

• ip [ip-address vr_id number] - Shows the lockout information of the IP address with the specified address and VRouter ID.



Unlocking the User / IP

To unlock a user or IP address and delete its lockout entry, in any mode, use the following command:
exec aaa aaa-server aaa-server-name lockout delete {user [username] | ip [ip-address vr_id number]}

• aaa-server-name - Specifies the name of the AAA server.

• user [username] - Unlocks the user with the specified name.

• ip [ip-address vr_id number] - Unlocks the IP address with the specified address and VRouter ID.

Configuring a RADIUS Authentication Server

To enter the RADIUS server configuration mode, in the global configuration mode, use the command aaa-server aaa-server-name type radius.
The RADIUS authentication server configuration includes:

• Configuring LOCAL NAS IP for RADIUS authentication

• Configuring the IP address or domain name of the primary server

• Configuring the IP address or domain name of the backup server 1

• Configuring the IP address or domain name of the backup server 2

• Configuring the port number

• Configuring the secret

• Configuring the retry times

• Configuring the timeout

• Specifying user name format

• Specifying a role mapping rule

• Configuring a user blacklist

• Configuring the brute-force cracking defense

• Configuring a backup authentication server

• Enabling/Disabling the authorization policy

• Adding the authorization policy to an aggregate policy

Configuring LOCAL NAS IP for RADIUS Authentication

When a RADIUS server is used to authenticate users, you can specify the LOCAL NAS (Network Access Server) IP address as needed. To specify the LOCAL NAS IP address, in the RADIUS server configuration mode, use the following command:
local-nas-ip ip-address

• ip-address – Specifies the LOCAL NAS IP address (at present, only IPv4 addresses are supported). The source IP address of RADIUS authentication and accounting packets, as well as the NAS-IP-Address attribute of the authentication packets, is changed to this address, which ensures that packets returned by the RADIUS server reach the current device in a complex network environment. The LOCAL NAS IP must be an interface IP address of the device; otherwise RADIUS authentication or accounting packets may not be sent properly.

To delete the LOCAL NAS IP address, in the RADIUS server configuration mode, use the following command:
no local-nas-ip ip-address

Notes:
• In an HA environment, the LOCAL NAS IP address configuration is not synchronized to the backup device. You need to configure it on both the primary and the backup device.

• Make sure there are reachable routes between the current device and the RADIUS server.



Configuring the IP Address, Domain Name, or VRouter of the Primary Server

To configure the IP address, domain name, or VRouter of the primary authentication server, in the RADIUS server configuration mode, use the following command:
host {ip-address | host-name} [vrouter vrouter-name]

• ip-address | host-name – Specifies the IP address (IPv4 or IPv6) or domain name of the primary authentication server.

• vrouter vrouter-name – Specifies the VRouter that the primary server belongs to. The default VRouter is trust-vr.

To delete the above configuration of the primary authentication server, in the RADIUS server configuration mode, use the command:
no host

Configuring the IP Address, Domain Name, or VRouter of the Backup Server 1

This configuration is optional. The backup server must be of the same type as the primary server. When the primary server cannot complete the authentication, backup server 1 and then backup server 2 are consulted consecutively (see the notes under Configuring a Backup Authentication Server for the exact fail-over order). To configure the IP address, domain name, or VRouter of the backup authentication server 1, in the RADIUS server configuration mode, use the following command:
backup1 {ip-address | host-name} [vrouter vrouter-name]

• ip-address | host-name – Specifies the IP address (IPv4 or IPv6) or domain name of backup server 1.

• vrouter vrouter-name – Specifies the VRouter that backup server 1 belongs to. The default VRouter is trust-vr.

To delete the configuration of the backup authentication server 1, in the RADIUS server configuration mode, use the command:
no backup1



Configuring the IP Address, Domain Name, or VRouter of the Backup Server 2

This configuration is optional. The backup server must be of the same type as the primary server. When the primary server cannot complete the authentication, backup server 1 and then backup server 2 are consulted consecutively. To configure the IP address, domain name, or VRouter of the backup authentication server 2, in the RADIUS server configuration mode, use the following command:
backup2 {ip-address | host-name} [vrouter vrouter-name]

• ip-address | host-name – Specifies the IP address (IPv4 or IPv6) or domain name of backup server 2.

• vrouter vrouter-name – Specifies the VRouter that backup server 2 belongs to. The default VRouter is trust-vr.

To delete the configuration of the backup authentication server 2, in the RADIUS server configuration mode, use the command:
no backup2

Configuring the Port Number

To configure the port number of the RADIUS server, in the RADIUS server configuration mode, use the following command:
port port-number

• port-number – Specifies the port number of the RADIUS server. The value ranges from 1024 to 65535. The default value is 1812.

To restore the default port number, in the RADIUS server configuration mode, use the command:
no port

Configuring the Secret

To configure the shared secret of the RADIUS server, in the RADIUS server configuration mode, use the following command:
secret secret

• secret – Specifies the shared secret string of the RADIUS server. The length is 1 to 31 characters. It must match the secret configured on the RADIUS server for this device; use a long, random value, because RADIUS relies on the shared secret to hide user passwords in transit and to authenticate the server's responses.

To cancel the secret configuration of the RADIUS server, in the RADIUS server configuration mode, use the command:
no secret

Configuring the Retry Times

If the security device does not receive a response from the AAA server, it resends the authentication packets. The retry times is the number of times the authentication packets are resent to the AAA server. To configure the retry times, in the RADIUS server configuration mode, use the following command:
retries times

• times – Specifies the number of retries for the authentication packets sent to the AAA server. The value range is 1 to 10. The default value is 3.

To restore the default value, in the RADIUS server configuration mode, use the command:
no retries

Configuring the Timeout

If the security device does not receive a response from the AAA server before the response timeout expires, it resends the authentication packets. To configure the timeout, in the RADIUS server configuration mode, use the following command:
timeout time-value

• time-value – Specifies the response timeout for the server. The value range is 1 to 30 seconds. The default value is 3 seconds.

To restore the default timeout, in the RADIUS server configuration mode, use the command:
no timeout



Specifying User Name Format

During user authentication, the system will extract the user name based on the configured authen-
tication user name format. If the desired format is not available, the system will directly use the
original user name for authentication.
To specify the authentication user name format, in the RADIUS server configuration mode, use the following command:
extract-username-format authenticate {[domain\username] [username@domain]}
To delete the configuration of the authentication user name format, in the RADIUS server configuration mode, use the following command:
no extract-username-format authenticate {[domain\username] [username@domain]}
When implementing policy control based on user name or user group, the system looks up the group to which a user name belongs in the locally stored organization units.
To specify the user name formats supported when searching for the user group, in the RADIUS server configuration mode, use the following command:
extract-username-format search-usergroup {[domain\username] [username@domain]}
To delete the configuration of the user name format for searching groups, in the RADIUS server configuration mode, use the following command:
no extract-username-format search-usergroup {[domain\username] [username@domain]}

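The user name extraction described here (and in the identical section for the local server) can be modelled in a few lines. This is an added example, not StoneOS code: the two format keywords and the fall-back to the original string follow the text above, while the function names, the constructed organization-unit table and the sample logins are this example's own assumptions. It also shows why the authenticate and search-usergroup settings are separate: the group lookup only succeeds when the search format strips the domain the way the local organization units expect.

```python
"""Model of `extract-username-format authenticate` and `... search-usergroup`.

Added illustration, not StoneOS code. The two format keywords and the fall-back
to the original string follow the page; names and the constructed OU table are
assumptions of this example.
"""
from typing import FrozenSet, Optional, Tuple

DOMAIN_BACKSLASH_USER = "domain\\username"   # keyword [domain\username]
USER_AT_DOMAIN = "username@domain"           # keyword [username@domain]


def extract_username(raw: str, formats: FrozenSet[str]) -> Tuple[str, Optional[str]]:
    """Split `raw` into (user, domain) using only the enabled formats.

    If no enabled format matches, the original string is used unchanged as the
    user name and no domain is extracted, which is the behaviour the page describes.
    """
    if DOMAIN_BACKSLASH_USER in formats and "\\" in raw:
        domain, _, user = raw.partition("\\")
        return user, domain
    if USER_AT_DOMAIN in formats and "@" in raw:
        user, _, domain = raw.rpartition("@")   # split at the last '@'
        return user, domain
    return raw, None


# Constructed stand-in for the locally stored organization units: user -> group
LOCAL_OU_GROUPS = {"alice": "engineering", "bob": "sales"}


def find_user_group(raw_login: str, search_formats: FrozenSet[str]) -> Optional[str]:
    """Look up the user group the way policy control does, honouring the search-usergroup formats."""
    user, _ = extract_username(raw_login, search_formats)
    return LOCAL_OU_GROUPS.get(user)


if __name__ == "__main__":
    both = frozenset({DOMAIN_BACKSLASH_USER, USER_AT_DOMAIN})
    for login in ("CORP\\alice", "alice@corp.example", "alice"):
        print(login, "->", extract_username(login, both), find_user_group(login, both))
```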
Specifying a Role Mapping Rule

After a role mapping rule is specified, the system assigns a role to users authenticated by the server according to that rule. To configure a role mapping rule, in the RADIUS server configuration mode, use the following command:
role-mapping-rule rule-name

• rule-name – Specifies the name of an existing role mapping rule.

To cancel the role mapping rule configuration, in the RADIUS server configuration mode, use the command:
no role-mapping-rule



Configuring the Brute-force Cracking Defense

To prevent unauthorized users from obtaining a user name and password by brute-force cracking, you can configure the brute-force cracking defense, which locks out a user or an IP address: if the number of failed attempts within the specified period reaches the specified limit, the user or IP address is locked for a while.
The brute-force cracking defense configuration includes:

• Enabling/Disabling the brute-force cracking defense

• Configuring the number of attempts

• Configuring the lockout time

Enabling/Disabling the Brute-force Cracking Defense

By default, the brute-force cracking defense is disabled. To enable or disable it, in the RADIUS server configuration mode, use the following commands:

• Enable: lockout {ip | user} enable

• Disable: lockout {ip | user} disable

Configuring the Number of Attempts

The number of attempts is the number of login failures allowed within the specified interval. To configure it, in the RADIUS server configuration mode, use the following command:
lockout {ip | user} failed-attempts number interval interval

• failed-attempts number – Specifies the number of login failures allowed. For lockout user, the range is 1 to 32 and the default value is 5. For lockout ip, the range is 1 to 2048 and the default value is 64.

• interval interval – Specifies the period, in seconds, within which failed attempts are counted. The range is 1 to 180 and the default value is 60 seconds.



Configuring the Lockout Time

If the number of failed attempts within the interval reaches the limit, the user or IP address is locked out for the lockout time. To configure the lockout time, in the RADIUS server configuration mode, use the following command:
lockout {ip | user} lockout-time time

• lockout-time time – Specifies the lockout time in seconds. The range is 30 to 180. The default value is 600 seconds for lockout user, and 60 seconds for lockout ip.

Viewing the Lockout Information

To view the locked users or IP addresses, in any mode, use the following command:
show aaa-server aaa-server-name lockout {user [username] | ip [ip-address vr_id number]}

• aaa-server-name - Specifies the name of the AAA server.

• user [username] - Shows the lockout information of the user with the specified name.

• ip [ip-address vr_id number] - Shows the lockout information of the IP address with the specified address and VRouter ID.

Unlocking the User / IP

To unlock a user or IP address and delete its lockout entry, in any mode, use the following command:
exec aaa aaa-server aaa-server-name lockout delete {user [username] | ip [ip-address vr_id number]}

• aaa-server-name - Specifies the name of the AAA server.

• user [username] - Unlocks the user with the specified name.

• ip [ip-address vr_id number] - Unlocks the IP address with the specified address and VRouter ID.

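The lockout semantics above (failed-attempts counted inside a sliding interval, a lock that lasts lockout-time, and the show/delete operations) apply identically to the local server and the RADIUS server sections. The following Python model makes the timing behaviour concrete. It is an added example, not StoneOS code: the parameter names and defaults follow the lockout command reference, while the class names, the deterministic fake clock and the sample user and IP keys are this example's own assumptions.

```python
"""Model of the brute-force cracking defense configured with `lockout ...`.

Added illustration, not StoneOS code. Parameter names and defaults follow the
page; the classes, the fake clock and the sample keys are assumptions of this
example.
"""
import time
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Hashable


@dataclass(frozen=True)
class LockoutPolicy:
    """One `lockout {ip | user}` rule set."""
    failed_attempts: int   # failures allowed within `interval`
    interval: int          # counting window in seconds (1-180)
    lockout_time: int      # lock duration in seconds once the limit is reached


# Defaults quoted on the page for `lockout user` and `lockout ip`
USER_DEFAULTS = LockoutPolicy(failed_attempts=5, interval=60, lockout_time=600)
IP_DEFAULTS = LockoutPolicy(failed_attempts=64, interval=60, lockout_time=60)


class FakeClock:
    """Deterministic clock so the timing can be exercised offline."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LockoutTracker:
    """Sliding-window failure counter keyed by user name or by (ip-address, vr_id)."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.monotonic) -> None:
        self.policy = policy
        self._now = clock
        self._failures: Dict[Hashable, Deque[float]] = {}
        self._locked_until: Dict[Hashable, float] = {}

    def is_locked(self, key: Hashable) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self._now() >= until:
            self.unlock(key)   # lock expired: automatic release
            return False
        return True

    def record_failure(self, key: Hashable) -> bool:
        """Record one failed login; return True if this failure locks the key."""
        now = self._now()
        window = self._failures.setdefault(key, deque())
        window.append(now)
        # Drop failures that fell out of the counting interval
        while window and now - window[0] >= self.policy.interval:
            window.popleft()
        if len(window) >= self.policy.failed_attempts:
            self._locked_until[key] = now + self.policy.lockout_time
            window.clear()
            return True
        return False

    def unlock(self, key: Hashable) -> None:
        """Counterpart of `exec aaa aaa-server ... lockout delete`."""
        self._locked_until.pop(key, None)
        self._failures.pop(key, None)

    def locked_entries(self) -> Dict[Hashable, float]:
        """Counterpart of `show aaa-server ... lockout`: key -> seconds remaining."""
        now = self._now()
        return {k: until - now for k, until in self._locked_until.items() if until > now}


if __name__ == "__main__":
    clock = FakeClock()
    tracker = LockoutTracker(USER_DEFAULTS, clock.now)
    for _ in range(USER_DEFAULTS.failed_attempts):
        tracker.record_failure("alice")
    print(tracker.locked_entries())   # alice locked for 600 s
```

Note the asymmetry the defaults create: a single IP is allowed 64 failures per minute before a 60-second lock, so a slow password spray from one address across many user names is limited mainly by the per-user limit, not the per-IP one.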


Configuring a User Blacklist

After a user blacklist is configured for the RADIUS server, users on the blacklist who are authenticated by the server are not allowed to access any network resource. To add a user to the blacklist, in the RADIUS server configuration mode, use the following command:
user-black-list username user-name

• user-name – Specifies the user name of the blacklisted user. The value range is 1 to 63 characters.

To delete a user from the blacklist, in the RADIUS server configuration mode, use the following command:
no user-black-list username user-name

Configuring a Backup Authentication Server

After a backup authentication server is configured for the RADIUS server, the backup authentication server takes over authentication when the primary server malfunctions or authentication fails on the primary server. The backup authentication server may be of a different type from the primary server: it can be any existing local, Active-Directory, RADIUS or LDAP server defined in the system. To configure a backup authentication server, in the RADIUS server configuration mode, use the following command:
backup-aaa-server aaa-server-name

• aaa-server-name – Specifies an AAA server defined in the system.

To cancel the specified backup authentication server, in the RADIUS server configuration mode, use the following command:
no backup-aaa-server

Notes:
• The backup authentication server and the primary server must belong to the same VSYS. For more information about VSYS, see Virtual System.

• The backup authentication server must not itself have a backup authentication server (no nesting).

• Before deleting an AAA server, make sure the server is not specified as a backup authentication server.

• If a RADIUS server is configured with backup server 1 (backup1), backup server 2 (backup2) and a backup authentication server (backup-aaa-server), the fail-over order is as follows. When the primary server does not respond to the user's authentication request, the system re-authenticates the user on backup server 1 or backup server 2; if backup server 1 or backup server 2 does not respond either, the system re-authenticates the user on the backup authentication server. When the user's authentication fails (is rejected) on the primary server, backup server 1 or backup server 2, the system re-authenticates the user on the backup authentication server.

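The fail-over order in the last note is easy to get wrong in an incident write-up, because "no response" and "rejected" take different paths. The following Python model traces which server is consulted for each combination. It is an added example, not StoneOS code: the Outcome names, the callable server interface, the constant-time stand-in for a local user table and the sample outcomes are this example's own assumptions; only the order of fall-back is taken from the note.

```python
"""Model of the fail-over order: host, then backup1/backup2 of the same type
when there is no response, and backup-aaa-server after a rejection or after
every same-type server has stopped responding.

Added illustration, not StoneOS code. The fall-back order follows the note on
this page; the Outcome enum, the callable "server" interface and the sample
user table are assumptions of this example.
"""
import hmac
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Outcome(Enum):
    ACCEPT = "accept"              # server checked the credentials and accepted
    REJECT = "reject"              # server checked the credentials and refused
    NO_RESPONSE = "no-response"    # no reply after all retries


Server = Callable[[str, str], Outcome]


def local_server(users: Dict[str, str]) -> Server:
    """Constructed stand-in for an AAA server holding a user -> password table."""
    def check(user: str, password: str) -> Outcome:
        expected = users.get(user)
        if expected is not None and hmac.compare_digest(expected, password):
            return Outcome.ACCEPT
        return Outcome.REJECT
    return check


def unreachable(user: str, password: str) -> Outcome:
    """Constructed stand-in for a server that never answers."""
    return Outcome.NO_RESPONSE


def authenticate(user: str, password: str, host: Server,
                 backup1: Optional[Server] = None, backup2: Optional[Server] = None,
                 backup_aaa: Optional[Server] = None) -> Tuple[Outcome, List[Tuple[str, Outcome]]]:
    """Return (final outcome, trace of (server, outcome) in the order consulted)."""
    trace: List[Tuple[str, Outcome]] = []
    for name, server in (("host", host), ("backup1", backup1), ("backup2", backup2)):
        if server is None:
            continue
        result = server(user, password)
        trace.append((name, result))
        if result is Outcome.ACCEPT:
            return result, trace
        if result is Outcome.REJECT:
            break   # a definite rejection skips the remaining same-type backups
    # Reached after a rejection, or after no same-type server responded
    if backup_aaa is not None:
        result = backup_aaa(user, password)   # never consults its own backup-aaa-server
        trace.append(("backup-aaa-server", result))
        return result, trace
    return trace[-1][1], trace


if __name__ == "__main__":
    users = {"alice": "correct horse"}
    print(authenticate("alice", "correct horse", unreachable, unreachable,
                       local_server(users), local_server({})))
```

A practical consequence worth checking in a design review: a user rejected by the RADIUS server is re-tried against the backup-aaa-server, so a weaker local server configured there becomes the effective password policy for every RADIUS user.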
Enabling / Disabling the Authorization Policy

When a user is successfully authenticated by the RADIUS server, the RADIUS server can return a security policy for that user consisting of a destination network segment, destination port, protocol and action. This policy is called an authorization policy. The system supports two kinds: the "Authorization Policy During Authentication" and the "Dynamic Authorization Policy". When the authorization policy function is enabled, the system obtains the authorization policy from the RADIUS server and adds it to the system policy list, where it takes effect. When the authenticated user disconnects, the authorization policy is deleted automatically.
By default, the authorization policy function is disabled. To enable or disable it, in the RADIUS server configuration mode, use the following commands:

• Enable: authorization-policy enable

• Disable: authorization-policy disable



Notes: To obtain the dynamic authorization policy, configure the RADIUS dynamic authorization function first. For its configuration, refer to "Radius Dynamic Authorization" on Page 1056.

Adding the Authorization Policy to an Aggregate Policy

After the authorization policy of the RADIUS server is enabled, you can add the obtained authorization policy to an existing aggregate policy, where it is placed as the last member of that aggregate policy; this lets you manage authorization policies in one place. If it is not added to an aggregate policy, the authorization policy is appended to the end of the system policy list by default.
To add the authorization policy to an aggregate policy, in the RADIUS server configuration mode, use the following command:
authorization-policy associated-aggregate-rule rule-name

• rule-name - Specifies the aggregate policy name.

To cancel the configuration, in the RADIUS server configuration mode, use the following command:
no authorization-policy associated-aggregate-rule

Importing Dictionary

When a third party needs to carry vendor-specific attributes, it can use a dictionary file that declares the custom fields. The dictionary file of Hillstone Networks is "dictionary.hillstone". The RADIUS server administrator adds the dictionary.hillstone file to the server by editing the master RADIUS dictionary.
dictionary.hillstone contains the following attributes:

Attribute: Hillstone-user-type
Description: User type. admin type=16, PnPVPN=4, all=31. Users of types other than those listed here do not need this check.

Attribute: Hillstone-user-vsys-id
Description: VSYS ID value. For admin type users, this attribute is mandatory. Currently, the ID can only be 0.

Attribute: Hillstone-user-login-type
Description: Admin login type. CONSOLE=1, telnet=2, SSH=4, HTTP=8, HTTPS=16, all=31. For combinations of two or more protocols, the value is the sum of the individual values (e.g. telnet+SSH=6).

Attribute: Hillstone-user-role-name
Description: Admin role type. admin=Administrator, operator=Operator, auditor=Auditor, admin-read-only=Administrator-read-only, role-name=custom administrator role.

Attribute: Hillstone-user-policy-dst-ip-begin
Description: The start IP address of the access scope. Only IPv4 addresses are supported.

Attribute: Hillstone-user-policy-dst-ip-end
Description: The end IP address of the access scope. Only IPv4 addresses are supported.

Attribute: Hillstone-User-Data-Filter
Description: The RADIUS server sends policy rules for authenticated users through this attribute. The attribute format is:

rule number {permit | deny} [dst ip-address ...] [protocol [dst-port port ...]]

• number: Number of the policy on the RADIUS server.

• permit | deny: Policy rule action. permit allows access; deny denies access.

• dst ip-address: Destination address. Multiple addresses can be configured, separated by spaces.

• protocol: Protocol type, which can be TCP or UDP.

• dst-port port: Destination port number. Multiple ports can be configured, separated by spaces.

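Two of the dictionary attributes above have structured values that are easy to encode wrongly: the Hillstone-user-login-type bitmask and the Hillstone-User-Data-Filter rule string. The following Python helpers encode and decode the bitmask, parse a data-filter string into a rule, and evaluate a flow against a set of rules. This is an added example, not Hillstone code: the bit values and the rule grammar are taken from the table above, while the function names, the IPv4-only validation of dst addresses, the first-match evaluation with an implicit deny and the sample rules are this example's own assumptions.

```python
"""Helpers for dictionary.hillstone: the Hillstone-user-login-type bitmask and
the Hillstone-User-Data-Filter rule grammar.

Added illustration, not Hillstone code. Bit values and grammar follow the
table on this page; names, IPv4-only dst validation, first-match evaluation
and implicit deny are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Hillstone-user-login-type bit values from the dictionary table
LOGIN_TYPE_BITS = {"console": 1, "telnet": 2, "ssh": 4, "http": 8, "https": 16}
LOGIN_TYPE_ALL = 31


def login_type_value(*protocols: str) -> int:
    """Encode admin login protocols, e.g. ("telnet", "ssh") -> 6."""
    return sum(LOGIN_TYPE_BITS[p.lower()] for p in protocols)


def decode_login_type(value: int) -> set:
    """Decode a bitmask back into protocol names; 31 decodes to all five."""
    if not 0 <= value <= LOGIN_TYPE_ALL:
        raise ValueError(f"login type {value} is out of range 0-{LOGIN_TYPE_ALL}")
    return {name for name, bit in LOGIN_TYPE_BITS.items() if value & bit}


@dataclass(frozen=True)
class DataFilterRule:
    number: int
    action: str                                   # "permit" or "deny"
    dst: Tuple[ipaddress.IPv4Address, ...]        # empty means any destination
    protocol: Optional[str]                       # "tcp", "udp" or None for any
    dst_ports: Tuple[int, ...]                    # empty means any port


def parse_data_filter(attr: str) -> DataFilterRule:
    """Parse 'rule N {permit|deny} [dst A B ...] [tcp|udp [dst-port P Q ...]]'."""
    tokens = attr.split()
    if len(tokens) < 3 or tokens[0] != "rule":
        raise ValueError(f"malformed data filter: {attr!r}")
    number, action = int(tokens[1]), tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    rest: List[str] = tokens[3:]
    dst: List[ipaddress.IPv4Address] = []
    ports: List[int] = []
    protocol: Optional[str] = None
    i = 0
    if i < len(rest) and rest[i] == "dst":
        i += 1
        while i < len(rest) and rest[i].lower() not in ("tcp", "udp"):
            dst.append(ipaddress.IPv4Address(rest[i]))   # assumption: IPv4 only
            i += 1
    if i < len(rest) and rest[i].lower() in ("tcp", "udp"):
        protocol = rest[i].lower()
        i += 1
        if i < len(rest) and rest[i] == "dst-port":
            for tok in rest[i + 1:]:
                port = int(tok)
                if not 1 <= port <= 65535:
                    raise ValueError(f"port {port} out of range")
                ports.append(port)
            i = len(rest)
    if i != len(rest):
        raise ValueError(f"unexpected token {rest[i]!r}")
    return DataFilterRule(number, action, tuple(dst), protocol, tuple(ports))


def rule_matches(rule: DataFilterRule, dst_ip: str, protocol: str, dst_port: int) -> bool:
    if rule.dst and ipaddress.IPv4Address(dst_ip) not in rule.dst:
        return False
    if rule.protocol and rule.protocol != protocol.lower():
        return False
    if rule.dst_ports and dst_port not in rule.dst_ports:
        return False
    return True


def evaluate(rules: Iterable[DataFilterRule], dst_ip: str, protocol: str, dst_port: int) -> str:
    """First matching rule in rule-number order decides; no match means deny (assumption)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, dst_ip, protocol, dst_port):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample: allow HTTPS to two hosts, deny everything else
    rules = [parse_data_filter("rule 10 permit dst 10.1.1.5 10.1.1.6 tcp dst-port 443 8443"),
             parse_data_filter("rule 20 deny")]
    print(evaluate(rules, "10.1.1.5", "tcp", 443), evaluate(rules, "10.1.1.9", "tcp", 443))
    print(login_type_value("telnet", "ssh"), decode_login_type(LOGIN_TYPE_ALL))
```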
Configuring an Active-Directory Authentication Server

To enter the Active-Directory server configuration mode, in the global configuration mode, use the command aaa-server aaa-server-name type active-directory.
The Active-Directory authentication server configuration includes:

• Configuring the IP address or domain name of the primary server

• Configuring the IP address or domain name of the backup server 1

• Configuring the IP address or domain name of the backup server 2

• Configuring the port number

• Configuring the authentication or synchronization method

• Refreshing the connection with the server

• Specifying the Base-DN

• Specifying the Synchronization Base-DN

• Specifying the Synchronization Object

• Specifying the Authentication Base-DN

• Specifying the login DN

• Specifying sAMAccountName

• Specifying the login password

• Enabling/Disabling the SSL encrypted connection

• Specifying user name format

• Specifying a role mapping rule

• Configuring a user blacklist

• Configuring the brute-force cracking defense

• Configuring automatic user information synchronization

• Configuring user filter

• Configuring synchronization mode of user information

• Configuring a backup authentication server

• Configuring the User-Groups under Base-DN synchronization

Configuring the IP Address, Domain Name, and VRouter of the Primary Server

To configure the IP address, domain name, or VRouter of the primary authentication server, in the Active-Directory server configuration mode, use the following command:
host {ip-address | host-name} [vrouter vrouter-name]

• ip-address | host-name – Specifies the IP address (IPv4 or IPv6) or domain name of the primary authentication server.

• vrouter vrouter-name – Specifies the VRouter that the primary server belongs to. The default VRouter is trust-vr.

To delete the IP address or domain name configuration of the primary authentication server, in the Active-Directory server configuration mode, use the command:
no host

Configuring the IP Address, Domain Name, or VRouter of the Backup Server 1

This configuration is optional. The backup server must be of the same type as the primary server. When the authentication does not pass the primary server's check, backup server 1 and then backup server 2 are consulted consecutively. To configure the IP address, domain name, or VRouter of the backup authentication server 1, in the Active-Directory server configuration mode, use the following command:
backup1 {ip-address | host-name} [vrouter vrouter-name]

• ip-address | host-name – Specifies the IP address (IPv4 or IPv6) or domain name of the backup authentication server 1.

• vrouter vrouter-name – Specifies the VRouter that backup server 1 belongs to. The default VRouter is trust-vr.

To delete the IP address or domain name configuration of the backup authentication server 1, in the Active-Directory server configuration mode, use the command:
no backup1

Configuring the IP Address, Domain Name, or VRouter of the Backup Server 2

This configuration is optional. The backup server must be of the same type as the primary server. When the authentication does not pass the primary server's check, backup server 1 and then backup server 2 are consulted consecutively. To configure the IP address, domain name, or VRouter of the backup authentication server 2, in the Active-Directory server configuration mode, use the following command:
backup2 {ip-address | host-name} [vrouter vrouter-name]

• ip-address | host-name – Specifies the IP address (IPv4 or IPv6) or domain name of the backup authentication server 2.

• vrouter vrouter-name – Specifies the VRouter that backup server 2 belongs to. The default VRouter is trust-vr.

To delete the IP address or domain name configuration of the backup authentication server 2, in the Active-Directory server configuration mode, use the command:
no backup2

Configuring the Port Number

To configure the port number of the Active-Directory server, in the Active-Directory server configuration mode, use the following command:
port port-number

• port-number – Specifies the port number of the Active-Directory server. The value range is 1 to 65535. The default value is 389.

To restore the default port number, in the Active-Directory server configuration mode, use the command:
no port

Configuring the Authentication or Synchronization Method

Plain text (simple bind) or DIGEST-MD5 can be configured as the method used to authenticate users against, or synchronize users from, the Active-Directory server. To configure the authentication or synchronization method, in the Active-Directory server configuration mode, use the following command:
auth-method {plain | digest-md5}

• plain – Uses plain text. With this method the login DN and the login password are sent to the server in clear text unless the SSL encrypted connection is enabled.

• digest-md5 – Uses DIGEST-MD5, a challenge-response method that does not send the password itself over the wire. This is the default.

To restore the default authentication or synchronization method, in the Active-Directory server configuration mode, use the command:
no auth-method

Notes: If the sAMAccountName is not configured after you specify the MD5 method, the plain method is used when synchronizing users from the server, and the MD5 method is used when authenticating users.

Specifying the Base-DN

The Base-DN is the starting point of the search when the AD server receives an authentication request. To specify the Base-DN, in the Active-Directory server configuration mode, use the following command:
base-dn string

• string – Specifies the Base-DN for the Active-Directory server, such as dc=hillstonenet.

To cancel the Base-DN configuration, in the Active-Directory server configuration mode, use the command:
no base-dn

Specifying the Synchronization Base-DN

The Synchronization Base-DN is the starting point from which the system synchronizes users and user groups from the Active-Directory server. When a Synchronization Base-DN is specified, all users and user groups under it are synchronized to the local device. To specify the Synchronization Base-DN, in the Active-Directory server configuration mode, use the following command:
sync-base-dn string

• string - Specifies the starting point from which the system synchronizes users and user groups from the Active-Directory server, such as OU=test,dc=com.

You can execute the command repeatedly to configure multiple paths to be synchronized.

To delete a Synchronization Base-DN configuration, in the Active-Directory server configuration mode, use the following command:
no sync-base-dn string

Specifying the Synchronization Object

When a Synchronization Base-DN is specified, all users and groups under it are synchronized to the local device. If no Synchronization Base-DN is specified, all users and groups under the Base-DN are synchronized. After you specify the Synchronization Object as users or groups, the system filters the synchronized information and retains only the specified object type. To specify the Synchronization Object, in the Active-Directory server configuration mode, use the following command:
sync-object {user | group}

• user – Specifies users as the Synchronization Object. The system retains user information only.

• group – Specifies groups as the Synchronization Object. The system retains group information only.

To cancel the Synchronization Object configuration, in the Active-Directory server configuration mode, use the command no sync-object {user | group}.

Specifying the Authentication Base-DN

Base-DN is the starting point at which your search will begin when the AD server receives an
authentication request. All users in the Base-DN (including those directly under the user group)
will be allowed to pass the authentication when you specify the Authentication Base-DN. To spe-
cify the Authentication Base-DN, in the Active-Directory server configuration mode, use the fol-
lowing command:
auth-base-dn string

l string - Specifies the Authentication Base-DN for the Active-Directory server, such as
OU=A, dc = hillstonenet.

To cancel the Authentication Base-DN configuration, in the Active-Directory server con-
figuration mode, use the command no auth-base-dn.



Specifying the Login DN

If plain text method is configured to authenticate or synchronize user, the system will send the
login DN and the login password to the server to be authenticated, in order to connect to the
server for user authentication or synchronization. The login DN is typically a user account with
query privilege predefined by the Active-Directory server. To specify the login DN, in the Act-
ive-Directory server configuration mode, use the following command:
login-dn string

l string – Specify the login DN for the Active-Directory server, which is a string of 1 to 255
characters and is not case sensitive.

To cancel the login DN configuration, in the Active-Directory server configuration mode, use the
command:
no login-dn

Specifying sAMAccountName

If MD5 method is configured to authenticate or synchronize user, the system will send the
sAMAccountName and the login password to the server to be authenticated, in order to connect
to the server for user authentication or synchronization. To specify the sAMAccountName, in the
Active-Directory server configuration mode, use the following command:
login-dn sAMAccountName string

l string – Specifies the sAMAccountName, which is a string of 1 to 63 characters and is case
sensitive.

To cancel the sAMAccountName configuration, in the Active-Directory server configuration
mode, use the command:
no login-dn sAMAccountName

Specifying the Login Password

The login password here should correspond to the password for Login DN. To configure the
login password, in the Active-Directory server configuration mode, use the following command:
login-password string



l string – Specifies the login password for the Active-Directory server.

To cancel the password configuration, in the Active-Directory server configuration mode, use the
command:
no login-password

Enabling/Disabling the SSL Encrypted Connection

With the SSL encrypted connection function enabled, the system connects to the Active Dir-
ectory authentication server through SSL, thus ensuring the security of data transmission between
the system and the Active Directory authentication server. To enable/disable the SSL encrypted
connection, in the Active-Directory server configuration mode, use the following command:
connect-through-SSL {enable | disable}

l enable | disable - Enables (enable) or disables (disable) the SSL encrypted connection function.

Specifying User Name Format

During user authentication, the system will extract the user name based on the configured authen-
tication user name format. If the desired format is not available, the system will directly use the
original user name for authentication.
To specify the authentication user name format, in the Active-Directory server configuration
mode, use the following command:
extract-username-format authenticate { [domain\username ] [username@domain] }
To delete configuration of the authentication user name format, in the Active-Directory server
configuration mode, use the following command:
no extract-username-format authenticate { [domain\username ] [username@domain] }
While implementing policy control based on user name or user group, the system will search the
group to which a user name belongs from the organization units locally stored.
To specify the user name format supported when searching for the user group, in the Active-Dir-
ectory server configuration mode, use the following command:
extract-username-format search-usergroup { [domain\username ] [username@domain] }



To delete configuration of the user name format for searching groups, in the Active-Directory
server configuration mode, use the following command:
no extract-username-format search-usergroup { [domain\username ] [username@domain] }

Specifying a Role Mapping Rule

After specifying the role mapping rule, the system will assign a role for users who have been
authenticated by the server according to the specified role mapping rule. To configure role map-
ping rules, in the Active-Directory server configuration mode, use the following command:
role-mapping-rule rule-name

l rule-name – Specifies the name of the existing mapping rule.

To cancel the role mapping rule configuration, in the Active-Directory server configuration mode,
use the command:
no role-mapping-rule

Configuring a User Blacklist

After configuring a user blacklist for the Active-Directory server, the system will not allow black-
list users who are authenticated by the server to access any network resource. To configure a user
blacklist, in the Active-Directory server configuration mode, use the following command:
user-black-list username user-name

l user-name – Specifies the username of blacklist user. The value range is 1 to 63 characters.

To delete a user from the blacklist, in the Active-Directory server configuration mode, use the fol-
lowing command:
no user-black-list username user-name

Configuring the Brute-force Cracking Defense

To prevent illegal users from obtaining user names and passwords via brute-force cracking, you can
configure the brute-force cracking defense to lock out a user or IP: if the number of failed attempts
within the specified period reaches the specified count, the user or IP is locked out for a while.
The Brute-force Cracking Defense configuration includes:



l Enabling/Disabling the Brute-force Cracking Defense

l Configuring the number of attempts

l Configuring the lock time

l Viewing the Lockout Information

l Unlocking the User / IP

Enabling/Disabling the Brute-force Cracking Defense

By default, the Brute-force Cracking Defense function is disabled. To enable this function, in the
Active-Directory server configuration mode, use the following command:

l Enable: lockout {ip | user} enable

l Disable: lockout {ip | user} disable

Configuring the Number of Attempts

The number of attempts, that is, the allowed times of login failure within the specified time. To
configure the number of attempts, in the Active-Directory server configuration mode, use the fol-
lowing command:
lockout {ip | user} failed-attempts number interval interval

l failed-attempts number – Specifies the allowed times of login failure. For lockout user, the
range is 1 to 32, the default value is 5. For lockout IP, the range is 1 to 2048, the default
value is 64.

l interval interval – Specifies the allowed time of login. The range is 1 to 180 and the default
value is 60 seconds.



Configuring the Lockout Time

If the failed attempts reached the specified times in the specified time, the user or IP will be
locked out for a while. To configure the lockout time, in the Active-Directory server con-
figuration mode, use the following command:
lockout {ip | user} lockout-time time

l lockout-time time – Specifies the lockout time. The range is 30 to 180. The default value is
600 seconds for lockout user, and 60 seconds for lockout IP.

Viewing the Lockout Information

To view the information of locked user or IP, in any mode, use the following command:
show aaa-server aaa-server-name lockout {user [username] | ip [ip-address vr_id number]}

l aaa-server-name - Specifies the name of AAA server.

l user [username] - View the information of the locked user of the specified name.

l ip [ip-address vr_id number] - View the information of the locked IP of the specified IP
address and VRouter ID.

Unlocking the User / IP

To unlock and delete the user or IP, in any mode, use the following command:
exec aaa aaa-server aaa-server-name lockout delete {user [username] | ip [ip-address vr_id number]}

l aaa-server-name - Specify the name of the AAA server.

l user [username] - Unlock the user of the specified name.

l ip [ip-address vr_id number] - Unlock the IP of the specified IP address and VRouter ID.



User Synchronization

User synchronization specifies that the system will synchronize user information on the con-
figured Active-Directory server to the local. By default, the system will synchronize user inform-
ation every 30 minutes.

Enable or Disable User Synchronization

Before synchronizing user information, you need to enable synchronization function. By default,
it is enabled. To enable or disable user synchronization function, in the Active-Directory con-
figuration mode, use the following command:

l Enable user synchronization: sync enable

l Disable user synchronization: sync disable

Configuring User Synchronization

System supports two synchronization modes: manual synchronization and automatic syn-
chronization.

Manual Synchronization

In the Active-Directory configuration mode, use the following command to update the con-
nections with Active-Directory server and manually synchronize user information:
manual-sync

After executing the command, the system synchronizes the information immediately. If you execute
the command again while a synchronization is in progress, the system clears the existing user
information and resynchronizes.

Automatic Synchronization

To configure the automatic synchronization, in the Active-Directory server configuration mode,
use the following command:
auto-sync {periodically interval | daily HH:MM | once}



l interval – Specifies the time interval of automatic synchronization. The value range is 30 to
1440 minutes. The default value is 30.

l HH:MM – Specifies the time at which the user information is synchronized every day. HH and
MM indicate the hour and minute respectively.

l once – If this parameter is specified, the system synchronizes automatically whenever the con-
figuration of the Active-Directory server is modified. After executing this command, the system
synchronizes user information immediately.

By default, the system will synchronize the user information on the authentication server to the
local every 30 minutes. To restore the automatic synchronization mode to default, in the Active-
Directory server configuration mode, use the following command:
no auto-sync

Configuring User Filter

After configuring user filters, the system can only synchronize and authenticate users that
match the filters on the authentication server. You must enter the AAA server configuration mode
before configuring a user filter.
To enter the Active-Directory server configuration mode, in the global configuration mode, use
the command:
aaa-server aaa-server-name type active-directory
To configure user-filter, in the Active-Directory server configuration mode, use the following
command:
user-filter filter-string

l filter-string – Specifies the user filter. The length is 0 to 120 characters. For example, if
the filter-string of an Active-Directory server is configured as “memberOf=CN=Admin, DC=test,
DC=com”, the system can only synchronize or authenticate users that match
“memberOf=CN=Admin,DC=test,DC=com”.

The commonly used operators are as follows:



Operator   Meaning
=          Equals a value.
&          And.
|          Or.
!          Not.
*          Wildcard. It represents zero or more characters.
~=         Fuzzy query (approximate match).
>=         Equal to or greater than a specified value in lexicographical order.
<=         Equal to or less than a specified value in lexicographical order.

Notes:
l The Hillstone system supports all the operators that the Active-Directory server
supports.

l If the entered format does not comply with the rules of the Active-Directory
server, the system may fail to synchronize or authenticate users from the
server.

In the Active-Directory server configuration mode, use no user-filter to cancel the above con-
figuration.
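A checker for user-filter strings, added here as an example (not Hillstone's code): it parses the operators listed in the table above, rejects filters that do not follow the LDAP filter grammar before they are entered on the device, and escapes values taken from untrusted input so they cannot alter the filter's structure. It assumes that the bare attr=value form shown in the memberOf example stands for (attr=value); extensible-match filters are not covered.

```python
import re

class FilterError(ValueError):
    """Raised when a user-filter string does not comply with the filter grammar."""

_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")
# RFC 4515 escapes for characters that would otherwise change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value (e.g. a user name taken from input) for safe use inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

class _Parser:
    def __init__(self, text: str):
        self.s, self.i = text, 0

    def peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def expect(self, ch: str) -> None:
        if self.peek() != ch:
            raise FilterError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def filter(self):
        """filter := '(' ( '&' filter+ | '|' filter+ | '!' filter | item ) ')'"""
        self.expect("(")
        c = self.peek()
        if c and c in "&|":
            self.i += 1
            items = []
            while self.peek() == "(":
                items.append(self.filter())
            if not items:
                raise FilterError(f"{c!r} needs at least one operand")
            node = (c, items)
        elif c == "!":
            self.i += 1
            node = ("!", [self.filter()])
        else:
            node = self.item()
        self.expect(")")
        return node

    def item(self):
        """item := attr ( '=' | '~=' | '>=' | '<=' ) value ; '*' in a value is the wildcard."""
        m = _ATTR.match(self.s, self.i)
        if not m:
            raise FilterError(f"attribute name expected at offset {self.i}")
        attr, self.i = m.group(0), m.end()
        for op in ("~=", ">=", "<=", "="):
            if self.s.startswith(op, self.i):
                self.i += len(op)
                break
        else:
            raise FilterError(f"comparison operator expected at offset {self.i}")
        start = self.i
        while self.peek() not in ("", ")"):
            if self.peek() == "(":
                raise FilterError(f"unescaped '(' in value at offset {self.i}")
            self.i += 1
        value = self.s[start:self.i]
        if not value:
            raise FilterError(f"empty value for attribute {attr}")
        if "*" in value and op != "=":
            raise FilterError("the '*' wildcard is only valid with '='")
        kind = "present" if value == "*" else ("substr" if "*" in value else op)
        return (kind, attr, value)

def parse_user_filter(text: str):
    """Parse a user-filter string into a nested tuple; raise FilterError if invalid."""
    text = text.strip()
    if not text.startswith("("):
        text = f"({text})"   # bare attr=value shorthand (assumption, see lead-in)
    p = _Parser(text)
    node = p.filter()
    if p.i != len(text):
        raise FilterError(f"trailing text at offset {p.i}: {text[p.i:]!r}")
    return node

def is_valid_user_filter(text: str) -> bool:
    """True when the string would be accepted by parse_user_filter."""
    try:
        parse_user_filter(text)
        return True
    except FilterError:
        return False

if __name__ == "__main__":
    # Constructed inputs: the memberOf example from the text, and an input-supplied
    # user name that is escaped before it is placed in the filter.
    print(parse_user_filter("memberOf=CN=Admin, DC=test, DC=com"))
    print(parse_user_filter(f"(&(objectClass=user)(cn={escape_filter_value('x)(cn=*')}))"))
    print(is_valid_user_filter("(&(objectClass=user)"))   # False: missing ')'
```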

Configuring Synchronization Mode of User Information

Two synchronization modes can be selected to synchronize organization structure and user
information to local from Active-Directory server: OU-based and Group-based, so that you can
configure above two types of user group in security policy rules. By default, user information will
be synchronized to the local based on Group.
To configure the synchronization mode of user information, in the Active-Directory server con-
figuration mode, use the following command:



sync-type {ou | group}

l ou – Synchronizes user information to the local based on OU.

l group – Synchronizes user information to the local based on Group.

If the OU mode is selected, you can configure the maximum depth of OU to be synchronized. In
the Active-Directory server configuration mode, use the following command:
sync-ou-depth depth-value

l depth-value – Specifies the maximum depth of OU to be synchronized. The value range is 1
to 12, and the default value is 12. OU structure that exceeds the maximum depth will not be
synchronized, but users that exceed the maximum depth will be synchronized to the deepest
synchronized OU to which they belong. If the total number of characters of the OU name at any
level (including the “OU=” string and punctuation) is more than 128, the OU information that
exceeds the length will not be synchronized to the local.
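An added example (not Hillstone's code) of how a user's DN maps onto the synchronized OU tree under sync-type ou with a given sync-ou-depth, using the depth range and the 128-character per-level limit stated above. The DNs are constructed, and what happens to levels below an over-long OU is an assumption noted in the code.

```python
from typing import List, Optional, Tuple

MAX_OU_LEVEL_CHARS = 128   # per-level limit quoted above, "OU=" and punctuation included
MAX_DEPTH = 12             # sync-ou-depth range is 1 to 12

def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs on unescaped commas, keeping '\\,' inside values."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

def ou_chain(dn: str) -> List[str]:
    """OU RDNs ordered from the top of the tree down (a DN lists them leaf-first)."""
    return [rdn for rdn in reversed(split_dn(dn)) if rdn.lower().startswith("ou=")]

def synced_ou(user_dn: str, depth: int) -> Tuple[Optional[str], List[str]]:
    """Return (OU path the user lands in, OU levels not synchronized) for sync-ou-depth=depth.

    Rules from the text: OU levels beyond `depth` are not synchronized and the user
    is placed in the deepest synchronized OU it belongs to; an OU level whose RDN
    exceeds MAX_OU_LEVEL_CHARS is not synchronized either. Assumption: levels below
    such an over-long OU are dropped too, since their parent path is missing.
    """
    if not 1 <= depth <= MAX_DEPTH:
        raise ValueError(f"sync-ou-depth must be 1..{MAX_DEPTH}, got {depth}")
    chain = ou_chain(user_dn)
    kept: List[str] = []
    for i, rdn in enumerate(chain):
        if i >= depth or len(rdn) > MAX_OU_LEVEL_CHARS:
            return ("/".join(kept) or None), chain[i:]
        kept.append(rdn)
    return ("/".join(kept) or None), []

if __name__ == "__main__":
    dn = "CN=Bob,OU=Dev,OU=Eng,OU=HQ,DC=example,DC=com"   # constructed
    print(synced_ou(dn, 12))   # full path, nothing dropped
    print(synced_ou(dn, 2))    # Bob lands in OU=HQ/OU=Eng; OU=Dev is not synced
```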

Configuring a Backup Authentication Server

After configuring a backup authentication server for the Active-Directory server, the backup
authentication server will take over the authentication task when the primary server malfunctions
or authentication fails on the primary server. The backup authentication server can be any existing
local, Active-Directory, RADIUS or LDAP server defined in the system. To configure a backup
authentication server, in the Active-Directory server configuration mode, use the following com-
mand:
backup-aaa-server aaa-server-name

l aaa-server-name – Specifies an AAA server defined in the system.

To cancel the specified backup authentication server, in the Active-Directory server configuration
mode, use the following command:
no backup-aaa-server



Notes:
l The backup authentication server and primary server should belong to the
same VSYS. For more information about VSYS, see Virtual System.

l The backup authentication server should not nest another backup authen-
tication server.

l Before deleting an AAA server, make sure the server is not specified as a
backup authentication server.

l If an Active-Directory server is configured with backup server 1 (backup1), backup server 2
(backup2) and a backup authentication server (backup-aaa-server): when a user's authen-
tication request gets no response from the primary server, the system re-authenticates the
user on backup server 1 or backup server 2, and if the request also gets no response from
backup server 1 or backup server 2, the system re-authenticates the user on the backup
authentication server. When the user's authentication fails on the primary server, backup
server 1 or backup server 2, the system re-authenticates the user on the backup authen-
tication server.
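The failover order in the note above, as an added model (not Hillstone's code) with constructed in-memory servers standing in for the primary, backup1/backup2 and backup-aaa-server; the behaviour after a rejection on backup server 1 is an assumption noted in the code.

```python
from enum import Enum
from typing import Callable, Optional, Sequence, Tuple

class Outcome(Enum):
    SUCCESS = "success"          # server answered and accepted the credentials
    FAIL = "fail"                # server answered and rejected the credentials
    NO_RESPONSE = "no-response"  # server did not answer (timeout / unreachable)

# A server is any callable that takes (user, password) and returns an Outcome.
Server = Callable[[str, str], Outcome]

def authenticate(primary: Server,
                 backups: Sequence[Server],
                 backup_aaa: Optional[Server],
                 user: str, password: str) -> Tuple[Outcome, str, list]:
    """Return (final outcome, server that produced it, servers tried in order).

    Modelled order, following the note:
      1. primary server
      2. NO_RESPONSE from primary -> backup1, then backup2 (same-type servers)
      3. NO_RESPONSE from backup1/backup2, or FAIL on primary/backup1/backup2
         -> backup authentication server (backup-aaa-server), if configured
    Assumption (not stated in the note): a FAIL on backup1 goes straight to the
    backup-aaa-server rather than on to backup2.
    """
    tried = []

    def ask(name: str, srv: Server) -> Outcome:
        out = srv(user, password)
        tried.append((name, out))
        return out

    result = ask("primary", primary)
    if result is Outcome.SUCCESS:
        return result, "primary", tried
    if result is Outcome.NO_RESPONSE:
        for name, srv in zip(("backup1", "backup2"), backups):
            result = ask(name, srv)
            if result is Outcome.SUCCESS:
                return result, name, tried
            if result is Outcome.FAIL:
                break
    # Reaching here means FAIL or NO_RESPONSE somewhere in the same-type chain.
    if backup_aaa is None:
        return result, tried[-1][0], tried
    result = ask("backup-aaa-server", backup_aaa)
    return result, "backup-aaa-server", tried

# --- constructed servers for demonstration --------------------------------
def static(outcome: Outcome) -> Server:
    """A server that always answers with the given outcome."""
    return lambda user, password: outcome

def local_db(users: dict) -> Server:
    """A 'local' backup AAA server checking credentials against a constructed dict."""
    return lambda user, password: (Outcome.SUCCESS if users.get(user) == password
                                   else Outcome.FAIL)

if __name__ == "__main__":
    local = local_db({"alice": "s3cret"})
    # Primary and backup1 are down, backup2 accepts: answered by backup2.
    print(authenticate(static(Outcome.NO_RESPONSE),
                       [static(Outcome.NO_RESPONSE), static(Outcome.SUCCESS)],
                       local, "alice", "s3cret")[:2])
    # Primary rejects the password: re-authenticated on the backup-aaa-server.
    print(authenticate(static(Outcome.FAIL), [static(Outcome.SUCCESS)], local,
                       "alice", "s3cret")[:2])
```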

Configuring the User-Groups under Base-DN Synchronization

When you synchronize users and user groups from the Active-Directory server, you can enable or
disable the synchronization of user groups under the Base-DN as needed. In the Active-Directory
server configuration mode, use the following command:

l Enable: sync-group-under-basedn enable

l Disable: no sync-group-under-basedn enable



Configuring an LDAP Authentication Server

To enter the LDAP server configuration mode, in the global configuration mode, use the com-
mand aaa-server aaa-server-name type ldap.
The LDAP authentication server configuration includes:

l Configuring the IP address or domain name of the primary server

l Configuring the IP address or domain name of the backup server 1

l Configuring the IP address or domain name of the backup server 2

l Configuring the port number

l Configuring the authentication or synchronization method

l Refreshing the connection with the Server

l Specifying the Base-DN

l Specifying the Synchronization Base-DN

l Specifying the Synchronization Object

l Specifying the login DN

l Specifying Authid

l Specifying the login password

l Enabling/Disabling the SSL Encrypted Connection

l Specifying the name attribute

l Specifying the Group-class

l Specifying the member attribute

l Specifying user name format



l Specifying a role mapping rule

l Configuring a user blacklist

l Configuring the Brute-force Cracking Defense

l Configuring automatic user information synchronization

l Configuring user filter

l Configuring synchronization mode of user information

l Configuring a backup authentication server

Configuring the IP Address, Domain Name, or VRouter of the Primary Server

To configure the IP address or domain name of the primary authentication server, in the LDAP
server configuration mode, use the following command:
host {ip-address | host-name} [vrouter vrouter-name]

l ip-address | host-name – Specifies the IP address (IPv4 or IPv6) or domain name of the
primary authentication server.

l vrouter vrouter-name – Specifies the VRouter that the primary server belongs to. The
default VRouter is trust-vr.

To cancel the IP address or domain name configuration of the primary authentication server, in
the LDAP server configuration mode, use the command:
no host

Configuring the IP Address, Domain Name, or VRouter of the Backup Server 1

This configuration is optional. The backup server must be of the same type as the primary server.
When the authentication does not pass the primary server's check, backup server 1 and backup
server 2 check the credentials consecutively. To configure the IP address or domain name of the
backup authentication server 1, in the LDAP server configuration mode, use the following command:
backup1 {ip-address | host-name} [vrouter vrouter-name]



l ip-address | host-name – Specifies the IP address ( IPv4 or IPv6 ) or domain name of the
backup authentication server 1.

l vrouter vrouter-name – Specifies the VRouter that the backup server belongs to. The default
VRouter is trust-vr.

To cancel the IP address or domain name configuration of the backup authentication server 1, in
the LDAP server configuration mode, use the command:
no backup1

Configuring the IP Address, Domain Name, VRouter of the Backup Server 2

This configuration is optional. The backup server must be of the same type as the primary server.
When the authentication does not pass the primary server's check, backup server 1 and backup
server 2 check the credentials consecutively. To configure the IP address or domain name of the
backup authentication server 2, in the LDAP server configuration mode, use the following command:
backup2 {ip-address | host-name} [vrouter vrouter-name]

l ip-address | host-name – Specifies the IP address ( IPv4 or IPv6 ) or domain name of the
backup authentication server 2.

l vrouter vrouter-name – Specifies the VRouter that the backup server belongs to. The default
VRouter is trust-vr.

To cancel the IP address or domain name configuration of the backup authentication server 2, in
the LDAP server configuration mode, use the command
no backup2

Configuring the Port Number

To configure the port number of the LDAP server, in the LDAP server configuration mode, use
the following command:
port port-number



l port-number – Specifies the port number of the LDAP server. The value range is 1 to
65535. The default value is 389.

To restore to the default value, in the LDAP server configuration mode, use the command:
no port

Configuring the Authentication or Synchronization Method

Plain text and MD5 method can be configured to authenticate or synchronize user between the
LDAP server and the system. To configure the authentication or synchronization method, in the
LDAP server configuration mode, use the following command:
auth-method {plain | digest-md5}

l plain – Specifies the authentication or synchronization method to be plain text.

l digest-md5 – Specifies the authentication or synchronization method to be MD5. The
default method is MD5.

To restore to the default authentication or synchronization method, in the LDAP server con-
figuration mode, use the command:
no auth-method

Notes: If the Authid is not configured after you specify the MD5 method, the plain
method will be used in the process of synchronizing user from the server, and the
MD5 method will be used in the process of authenticating user.

Specifying the Base-DN

Base-DN is the starting point at which your search will begin when the LDAP server receives an
authentication request. To specify the Base-DN, in the LDAP server configuration mode, use the
following command:
base-dn string

l string – Specifies the Base-DN for the LDAP server, such as dc = hillstonenet.

To cancel the Base-DN configuration, in the LDAP server configuration mode, use the command:



no base-dn

Specifying the Synchronization Base-DN

When the LDAP server receives an authentication request, it begins searching the directory from
the Base-DN. If a Synchronization Base-DN is specified, all users and groups in the Base-DN will
be synchronized to the local. To specify the Synchronization Base-DN, in the LDAP server con-
figuration mode, use the following command:
sync-base-dn string

l string - Specifies the Synchronization Base-DN for the LDAP server, such as OU=A, dc =
hillstonenet, dc=com.

To cancel the Synchronization Base-DN configuration, in the LDAP server configuration mode,
use the command no sync-base-dn.

Specifying the Synchronization Object

If the Synchronization Base-DN is specified, only users and groups in the Synchronization Base-
DN directory will be synchronized to the local. If no Synchronization Base-DN is specified, users
and groups in the Base-DN will be synchronized to the local. After you specify that the Syn-
chronization Object is users or groups, the system filters the information synchronized to the
local and retains the information of the specified object. To specify the Synchronization Object,
in the LDAP server configuration mode, use the following command:
sync-object {user | group}

l user – Specifies the Synchronization Object as users. System will retain user information
only.

l group – Specifies the Synchronization Object as groups. System will retain group inform-
ation only.

Specifying the Authentication Base-DN

When the LDAP server receives an authentication request, it begins searching the directory from
the Base-DN. All users in the Base-DN (including those directly under the user group) will be
allowed to pass the authentication when you specify the Authentication Base-DN. To specify the
Authentication Base-DN, in the LDAP server configuration mode, use the following command:
auth-base-dn string

l string - Specifies the Authentication Base-DN for the LDAP server, such as OU=A, dc = hill-
stonenet, dc=com.

To delete the Authentication Base-DN configuration, in the LDAP server configuration mode,
use the command no auth-base-dn.

Specifying the Login DN

If plain text method is configured to authenticate or synchronize user, the system will send the
login DN and the login password to the server to be authenticated, in order to connect to the
server for user authentication or synchronization. The login DN is typically a user account with
query privilege predefined by the LDAP server. To specify the login DN, in the LDAP server con-
figuration mode, use the following command:
login-dn string

l string – Specify the login DN for the LDAP server, which is a string of 1 to 255 characters
and is not case sensitive.

To cancel the login DN configuration, in the LDAP server configuration mode, use the com-
mand:
no login-dn

Specifying Authid

If MD5 method is configured to authenticate or synchronize user, the system will send the
Authid and the login password to the server to be authenticated, in order to connect to the server
for user authentication or synchronization. To specify the Authid, in the LDAP server con-
figuration mode, use the following command:
login-dn authid string

l string – Specifies the Authid, which is a string of 1 to 63 characters and is case sensitive.

To cancel the Authid configuration, in the LDAP server configuration mode, use the command:
no login-dn authid

Configuring the Login Password

The login password here should correspond to the password for Login DN. To configure the
login password, in the LDAP server configuration mode, use the following command:
login-password string

l string – Specifies the login password for the LDAP server.

To cancel the password configuration, in the LDAP server configuration mode, use the command:
no login-password

Enabling/Disabling the SSL Encrypted Connection

With the SSL encrypted connection function enabled, the system connects to the LDAP authen-
tication server through SSL, thus ensuring the security of data transmission between the system
and the LDAP authentication server. To enable/disable the SSL encrypted connection, in the
LDAP server configuration mode, use the following command:
connect-through-SSL {enable | disable}

l enable | disable - Enables (enable) or disables (disable) the SSL encrypted connection function.

Specifying the Name Attribute

The name attribute is a string that uniquely identifies name in the LDAP server. To specify the
name attribute, in the LDAP server configuration mode, use the following command:
naming-attribute string

l string – Specifies the name attribute. The length is 1 to 63 characters. The string is usually
uid (User ID) or cn (Common Name). The default name attribute is uid.

To restore to the default value, in the LDAP server configuration mode, use the command:
no naming-attribute



Specifying the Group Name Attribute

The name attribute is a string that uniquely identifies group name in the LDAP server. To specify
the group name attribute, in the LDAP server configuration mode, use the following command:
group-naming-attribute string

l string – Specifies the group name attribute. The length is 1 to 63 characters. The string is
usually uid (User ID) or cn (Common Name). The default name attribute is uid.

To restore to the default value, in the LDAP server configuration mode, use the command:
no group-naming-attribute

Specifying the Group-class

To specify the ObjectClass of the Group-class, in the LDAP server configuration mode, use the
following command:
group-class string

l string – Specifies the Group-class. The length is 1 to 63 characters. The default value is
groupOfUniqueNames.

To restore to the default value, in the LDAP server configuration mode, use the command:
no group-class

Specifying the Member Attribute

To specify the member attribute of the Group-class, in the LDAP server configuration mode, use
the following command:
member-attribute string

l string – Specifies the member attribute. The length is 1 to 63 characters. The default value is
uniqueMember.

To restore the default value, in the LDAP server configuration mode, use the command:
no member-attribute



Specifying User Name Format

During user authentication, the system will extract the user name based on the configured authen-
tication user name format. If the desired format is not available, the system will directly use the
original user name for authentication.
To specify the authentication user name format, in the LDAP server configuration mode, use the
following command:
extract-username-format authenticate { [domain\username ] [username@domain] }
To delete configuration of the authentication user name format, in the LDAP server configuration
mode, use the following command:
no extract-username-format authenticate { [domain\username ] [username@domain] }
While implementing policy control based on user name or user group, the system will search the
group to which a user name belongs from the organization units locally stored.
To specify the user name format supported when searching for the user group, in the LDAP
server configuration mode, use the following command:
extract-username-format search-usergroup { [domain\username ] [username@domain] }
To delete configuration of the user name format for searching groups, in the LDAP server con-
figuration mode, use the following command:
no extract-username-format search-usergroup { [domain\username ] [username@domain] }
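The extraction step that extract-username-format describes, as an added example (not Hillstone's code) serving both the Active-Directory and the LDAP Specifying User Name Format sections: it applies the configured formats in order and falls back to the original user name, and the locally stored group information it searches is a constructed dictionary.

```python
from typing import Optional, Sequence, Tuple

# The two CLI format keywords.
DOMAIN_BACKSLASH = "domain\\username"
USER_AT_DOMAIN = "username@domain"

def extract_username(login: str, formats: Sequence[str]) -> Tuple[str, Optional[str]]:
    """Return (user name to use, domain) according to the configured formats.

    Formats are tried in the configured order; a format matches only when the login
    contains exactly one of its separator characters with a non-empty part on each
    side. If no configured format matches, the original login is used unchanged
    (domain None), as the text above states.
    """
    for fmt in formats:
        if fmt == DOMAIN_BACKSLASH and login.count("\\") == 1:
            domain, user = login.split("\\")
            if domain and user:
                return user, domain
        elif fmt == USER_AT_DOMAIN and login.count("@") == 1:
            user, domain = login.split("@")
            if user and domain:
                return user, domain
        elif fmt not in (DOMAIN_BACKSLASH, USER_AT_DOMAIN):
            raise ValueError(f"unknown user name format {fmt!r}")
    return login, None

def find_user_groups(login: str, formats: Sequence[str],
                     local_groups: dict) -> list:
    """search-usergroup side: after applying the search-usergroup formats, return the
    locally stored groups (constructed as {group: [members]}) containing the user."""
    user, _ = extract_username(login, formats)
    return sorted(group for group, members in local_groups.items() if user in members)

if __name__ == "__main__":
    # Constructed inputs.
    print(extract_username("corp\\alice", [DOMAIN_BACKSLASH]))        # ('alice', 'corp')
    print(extract_username("alice", [DOMAIN_BACKSLASH, USER_AT_DOMAIN]))  # ('alice', None)
    synced = {"OU=Eng": ["alice", "bob"], "OU=Admins": ["alice"]}
    print(find_user_groups("alice@corp.example", [USER_AT_DOMAIN], synced))
```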

Specifying a Role Mapping Rule

After specifying the role mapping rule, the system will assign a role for users who have been
authenticated by the server according to the specified role mapping rule. To configure role map-
ping rules, in the LDAP server configuration mode, use the following command:
role-mapping-rule rule-name

l rule-name – Specifies the name of the existing mapping rule.

To cancel the role mapping rule configuration, in the LDAP server configuration mode, use the
command
no role-mapping-rule



Configuring a User Blacklist

After configuring a user blacklist for the LDAP server, the system will not allow blacklist users
who are authenticated by the server to access any network resource. To configure a user blacklist,
in the LDAP server configuration mode, use the following command:
user-black-list username user-name

l user-name – Specifies the username of blacklist user. The value range is 1 to 63 characters.

To delete a user from the blacklist, in the LDAP server configuration mode, use the following
command:
no user-black-list username user-name

Configuring the Brute-force Cracking Defense

To prevent illegal users from obtaining user names and passwords via brute-force cracking, you can
configure the brute-force cracking defense to lock out a user or IP: if the number of failed attempts
within the specified period reaches the specified count, the user or IP is locked out for a while.
The Brute-force Cracking Defense configuration includes:

l Enabling/Disabling the Brute-force Cracking Defense

l Configuring the number of attempts

l Configuring the lock time

Enabling/Disabling the Brute-force Cracking Defense

By default, the Brute-force Cracking Defense function is disabled. To enable this function, in the
LDAP server configuration mode, use the following command:

l Enable: lockout {ip | user} enable

l Disable: lockout {ip | user} disable



Configuring the Number of Attempts

The number of attempts, that is, the allowed times of login failure within the specified time. To
configure the number of attempts, in the LDAP server configuration mode, use the following
command:
lockout {ip | user} failed-attempts number interval interval

l failed-attempts number – Specifies the allowed times of login failure. For lockout user, the
range is 1 to 32, the default value is 5. For lockout IP, the range is 1 to 2048, the default
value is 64.

l interval interval – Specifies the allowed time of login. The range is 1 to 180 and the default
value is 60 seconds.

Configuring the Lockout Time

If the number of failed attempts reaches the specified value within the specified interval, the
user or IP is locked out for a while. To configure the lockout time, in the LDAP server
configuration mode, use the following command:
lockout {ip | user} lockout-time time

l lockout-time time – Specifies the lockout time in seconds. The range is 30 to 180. The default
value is 600 seconds for user lockout and 60 seconds for IP lockout.

Viewing the Lockout Information

To view the information of a locked user or IP, in any mode, use the following command:
show aaa-server aaa-server-name lockout {user [username] | ip [ip-address vr_id number]}

l aaa-server-name - Specifies the name of the AAA server.

l user [username] - Shows the information of the locked user with the specified name.

l ip [ip-address vr_id number] - Shows the information of the locked IP with the specified IP
address and VRouter ID.

Unlocking the User / IP

To unlock and delete the user or IP, in any mode, use the following command:
exec aaa aaa-server aaa-server-name lockout delete {user [username] | ip [ip-address vr_id number]}

l aaa-server-name - Specifies the name of the AAA server.

l user [username] - Unlocks the user with the specified name.

l ip [ip-address vr_id number] - Unlocks the IP with the specified IP address and VRouter ID.

User Synchronization

User synchronization means that the system synchronizes the user information on the configured
LDAP server to the local device. By default, the system synchronizes user information every
30 minutes.

Enable or Disable User Synchronization

Before synchronizing user information, the synchronization function must be enabled. By default,
it is enabled. To enable or disable the user synchronization function, in the LDAP configuration
mode, use the following command:

l Enable user synchronization: sync enable

l Disable user synchronization: sync disable

Configuring User Synchronization

The system supports two synchronization modes: manual synchronization and automatic
synchronization.

Manual Synchronization

In the LDAP configuration mode, use the following command to update the connection with the
LDAP server and manually synchronize user information:
manual-sync

After the command is executed, the system synchronizes the information immediately. If the
command is executed again while synchronization is in progress, the system clears the existing
user information and resynchronizes.

Automatic Synchronization

To configure the automatic synchronization, in the LDAP server configuration mode, use the fol-
lowing command:
auto-sync {periodically interval | daily HH:MM | once}

l interval – Specifies the time interval of automatic synchronization. The value range is 30 to
1440 minutes. The default value is 30.

l HH:MM – Specifies the time of day at which the user information is synchronized every day. HH
and MM indicate the hour and minute respectively.

l once – If this parameter is specified, the system synchronizes automatically when the
configuration of the LDAP server is modified. After this command is executed, the system
synchronizes user information immediately.

By default, the system synchronizes the user information on the authentication server to the
local device every 30 minutes. To restore the automatic synchronization mode to the default, in
the LDAP server configuration mode, use the following command:
no auto-sync

Configuring User Filter

After user filters are configured, the system can only synchronize and authenticate users on the
authentication server that match the filters. You must enter the AAA server configuration mode
before configuring a user filter.
To enter the LDAP server configuration mode, in the global configuration mode, use the command:
aaa-server aaa-server-name type ldap
To configure the user filter, in the LDAP server configuration mode, use the following command:
user-filter filter-string

l filter-string – Specifies the user filter. The length is 0 to 120 characters. For example, when
you configure an LDAP server, if the filter-string is set to
"(|(objectclass=inetOrgperson)(objectclass=person))", the system can only synchronize or
authenticate users that are defined as inetOrgperson or person.

The commonly used operators are as follows:

Operator   Meaning
=          Equals a value.
&          AND.
|          OR.
!          NOT.
*          Wildcard. It represents zero or more characters.
~=         Fuzzy query (approximate match).
>=         Equal to or greater than the specified value in lexicographical order.
<=         Equal to or less than the specified value in lexicographical order.

Notes:
l The Hillstone system supports all the operators that the LDAP server supports.

l If the entered filter does not comply with the rules of the LDAP server, the
system may fail to synchronize or authenticate users from the server.

In the LDAP server configuration mode, use no user-filter to cancel the above configuration.
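The following checker, an added example and not StoneOS code, parses a filter-string with the operators listed above, enforces the documented 0 to 120 character limit, and evaluates the filter against a constructed sample directory so you can see which users would be synchronized; the `~=` handling (ignoring spaces and hyphens) is a simplification, since approximate matching is defined by the LDAP server.

```python
"""Checker for the `user-filter` filter-string: parses the LDAP filter syntax
listed above and evaluates it against sample directory entries.

Added example, not StoneOS code. The directory entries below are constructed
samples; `~=` is modelled as a match after removing spaces and hyphens, which
is a simplification (real servers use their own approximate-match rules).
"""
import re

MAX_FILTER_LEN = 120   # documented length of filter-string (0 to 120 characters)


class FilterError(ValueError):
    """Raised when the filter does not follow the LDAP filter rules."""


def parse_filter(text):
    """Parse `text` into a tree: ('&'|'|'|'!', [children]) or (op, attr, value)."""
    if len(text) > MAX_FILTER_LEN:
        raise FilterError("filter-string longer than %d characters" % MAX_FILTER_LEN)
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError("unexpected characters at offset %d" % pos)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":           # and / or: one or more operands
        op, children = s[i], []
        i += 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise FilterError("'%s' needs at least one operand" % op)
        node = (op, children)
    elif i < len(s) and s[i] == "!":          # not: exactly one operand
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    else:                                     # simple item: attr OP value
        end = s.find(")", i)
        if end < 0:
            raise FilterError("missing ')' for item at offset %d" % i)
        m = re.fullmatch(r"([A-Za-z][\w;.-]*)(~=|>=|<=|=)(.*)", s[i:end])
        if not m:
            raise FilterError("malformed item %r" % s[i:end])
        node = (m.group(2), m.group(1).lower(), m.group(3))
        i = end
    if i >= len(s) or s[i] != ")":
        raise FilterError("expected ')' at offset %d" % i)
    return node, i + 1


def _match(op, pattern, value):
    p, v = pattern.lower(), value.lower()     # values are compared case-insensitively here
    if op == "=":
        if "*" in p:                          # wildcard: zero or more characters
            return re.fullmatch(".*".join(map(re.escape, p.split("*"))), v) is not None
        return v == p
    if op == "~=":                            # simplified fuzzy query (assumption)
        return re.sub(r"[\s-]", "", v) == re.sub(r"[\s-]", "", p)
    if op == ">=":
        return v >= p                         # lexicographical comparison
    return v <= p                             # op == "<="


def evaluate(node, entry):
    """entry: dict of lower-case attribute name -> list of string values."""
    if len(node) == 2:
        op, children = node
        if op == "&":
            return all(evaluate(c, entry) for c in children)
        if op == "|":
            return any(evaluate(c, entry) for c in children)
        return not evaluate(children[0], entry)   # op == "!"
    op, attr, pattern = node
    return any(_match(op, pattern, v) for v in entry.get(attr, []))


SAMPLE_ENTRIES = [   # constructed sample directory, not from a real server
    {"uid": ["alice"], "objectClass": ["top", "inetOrgPerson"]},
    {"uid": ["bob"], "objectClass": ["top", "person"]},
    {"uid": ["svc-backup"], "objectClass": ["top", "applicationProcess"]},
    {"uid": ["carol"], "objectClass": ["top", "inetOrgPerson"], "department": ["Sales"]},
]


def filter_users(filter_text, entries=SAMPLE_ENTRIES):
    """Return the uid of every entry the filter would let the system synchronize."""
    tree = parse_filter(filter_text)
    matched = []
    for entry in entries:
        normalized = {k.lower(): v for k, v in entry.items()}
        if evaluate(tree, normalized):
            matched.append(normalized["uid"][0])
    return matched


if __name__ == "__main__":
    print(filter_users("(|(objectclass=inetOrgperson)(objectclass=person))"))
```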



Configuring Synchronization Mode of User Information

Two synchronization modes are available for synchronizing the organization structure and user
information from the LDAP server to the local device: OU-based and Group-based. Both types of
user group can then be used in security policy rules. By default, user information is
synchronized to the local device based on Group.
To configure the synchronization mode of user information, in the LDAP server configuration
mode, use the following command:
sync-type {ou | group}

l ou – Synchronizes user information to the local based on OU.

l group – Synchronizes user information to the local based on Group.

If the OU mode is selected, you can configure the maximum depth of OU to be synchronized. In
the LDAP server configuration mode, use the following command:
sync-ou-depth depth-value

l depth-value – Specifies the maximum depth of OU to be synchronized. The value range is 1
to 12, and the default value is 12. OU levels that exceed the maximum depth are not
synchronized, but users below the maximum depth are synchronized into the deepest
synchronized OU they belong to. If the total length of the OU name at any level (including the
"OU=" string and punctuation) is more than 128 characters, the OU information that exceeds the
length is not synchronized to the local device.

Configuring a Backup AAA Server

After a backup authentication server is configured for the LDAP server, the backup authentication
server takes over the authentication task when the primary server malfunctions or authentication
fails on the primary server. The backup authentication server can be any existing local,
Active-Directory, RADIUS or LDAP server defined in the system. To configure a backup
authentication server, in the LDAP server configuration mode, use the following command:
backup-aaa-server aaa-server-name

l aaa-server-name – Specifies an AAA server defined in the system.



To cancel the specified backup authentication server, in the LDAP server configuration mode,
use the following command:
no backup-aaa-server

Notes:
l The backup authentication server and the primary server should belong to the
same VSYS. For more information about VSYS, see Virtual System.

l The backup authentication server should not nest another backup
authentication server.

l Before deleting an AAA server, make sure the server is not specified as a
backup authentication server.

l If an LDAP server is configured with backup server 1 (backup1), backup server 2
(backup2) and a backup authentication server (backup-aaa-server), then when a
user's authentication request is not responded to by the primary server, the
system re-authenticates the user in the following order: backup server 1 ->
backup server 2 -> backup authentication server; when a user's authentication
fails on the primary server, the system re-authenticates the user in the same
order: backup server 1 -> backup server 2 -> backup authentication server.

Configuring TACACS+ Authentication Server

In the global configuration mode, use the command aaa-server aaa-server-name type tacacs+ to
enter the TACACS+ server configuration mode.
The configuration of a TACACS+ server includes:

l Configuring IP or Domain Name of Primary Authentication Server

l Configuring IP or Domain Name of Backup Server 1

l Configuring IP or Domain Name of Backup Server 2



l Configuring Port of TACACS+ Server

l Configuring Secret of TACACS+ Server

l Specifying User Name Format

l Configuring Role Mapping Rule

l Configuring the Brute-force Cracking Defense

Configuring IP or Domain Name of Primary Authentication Server

To configure the IP address or domain name of the TACACS+ authentication server, in the
TACACS+ server configuration mode, use the command below:
host {ip-address | host-name} [vrouter vrouter-name]

l ip-address | host-name – Specifies the IP address or domain name of the current primary
TACACS+ server.

l vrouter vrouter-name – Specifies the VRouter to which the current TACACS+ server belongs.
The default VRouter is trust-vr.

In the TACACS+ server configuration mode, use the no command to delete the IP address or
domain name configuration:
no host

Configuring IP Address or Domain Name of Backup Server 1

This configuration is optional. The backup server must be of the same type as the primary
server. When authentication does not pass the primary server's check, backup server 1 and
backup server 2 check the credentials in turn. To configure the IP address or domain name of
the backup authentication server 1, in the TACACS+ server configuration mode, use the following
command:
backup1 {ip-address | host-name} [vrouter vrouter-name]


l ip-address | host-name – Specifies the IP address or domain name of the backup authen-
tication server 1.

l vrouter vrouter-name – Specifies the VRouter that the backup server belongs to. The default
VRouter is trust-vr.

To cancel the IP address or domain name configuration of the backup authentication server 1, in
the TACACS+ server configuration mode, use the command:
no backup1

Configuring IP Address or Domain Name of Backup Server 2

This configuration is optional. The backup server must be of the same type as the primary
server. When authentication does not pass the primary server's check, backup server 1 and
backup server 2 check the credentials in turn. To configure the IP address or domain name of
the backup authentication server 2, in the TACACS+ server configuration mode, use the following
command:
backup2 {ip-address | host-name} [vrouter vrouter-name]

l ip-address | host-name – Specifies the IP address or domain name of the backup authen-
tication server 2.

l vrouter vrouter-name – Specifies the VRouter that the backup server belongs to. The default
VRouter is trust-vr.

To cancel the IP address or domain name configuration of the backup authentication server 2, in
the TACACS+ server configuration mode, use the command:
no backup2

Configuring Port Number of TACACS+ Server

To configure the port number of the TACACS+ server, in the TACACS+ server configuration
mode, use the following command:
port port-number

l port-number – Specifies the port number of the TACACS+ server. The default value is 49.

To restore the default value, in the TACACS+ server configuration mode, use the command:
no port

Configuring Secret of TACACS+ Server

To configure the secret of the TACACS+ server, in the TACACS+ server configuration mode, use
the command below:
secret secret

l secret – Specifies the secret string of the TACACS+ server. The length is 1 to 31 characters.

To delete the secret, in the TACACS+ server configuration mode, use the no command:
no secret

Specifying User Name Format

During user authentication, the system extracts the user name according to the configured
authentication user name format. If the configured format cannot be applied, the system directly
uses the original user name for authentication.
To specify the authentication user name format, in the TACACS+ server configuration mode, use
the following command:
extract-username-format authenticate {[domain\username] [username@domain]}
To delete the configuration of the authentication user name format, in the TACACS+ server
configuration mode, use the following command:
no extract-username-format authenticate {[domain\username] [username@domain]}
When implementing policy control based on user name or user group, the system searches the
locally stored organization units for the group to which a user name belongs.
To specify the user name format supported when searching for the user group, in the TACACS+
server configuration mode, use the following command:
extract-username-format search-usergroup {[domain\username] [username@domain]}
To delete the configuration of the user name format for searching groups, in the TACACS+ server
configuration mode, use the following command:
no extract-username-format search-usergroup {[domain\username] [username@domain]}


Specifying Role Mapping Rule

The role mapping rule assigns a role to the users authenticated by this server.
To assign a role mapping rule to the users of the TACACS+ server, in the TACACS+ server
configuration mode, use the command below:
role-mapping-rule rule-name

l rule-name – Enter the name of an existing role mapping rule.

To cancel this rule, in the TACACS+ server configuration mode, use the command:
no role-mapping-rule

Configuring TACACS+ Server

The TACACS+ server must also be configured so that it can communicate with the StoneOS system.
The configuration consists of adding some user-defined attributes.
Make the following changes on the TACACS+ server:

l For tac_plus on Linux: add the Hillstone attributes listed in the table below.

l For Cisco ACS 4.2 and above: add a new service named "hillstone" and edit the service
attributes to include the Hillstone attributes listed in the table below.

Attribute             Description
user-type             User type. admin type=16; all=31. Other types of user do not need
                      this value.
user-vsys-id          VSYS ID value. An admin user must have this attribute. Currently only
                      ID=0 is supported.
user-admin-privilege  Read and write privilege. Read and write=4294967295; read only=0.
user-admin-role       Administrator role privilege.
                      admin=Permission for reading, executing and writing. This role has
                      authority over all features and can view the current or historical
                      configuration information.
                      operator=Permission for reading, executing and writing. This role has
                      authority over all features except modifying the administrator's
                      configuration; it can view the current or historical configuration
                      information but has no permission to check the log information.
                      auditor=Can only operate on the log information, including viewing,
                      exporting and clearing it.
                      admin-read-only=Permission for reading and executing. This role can
                      view the current or historical configuration information.
                      Note: This attribute takes precedence over user-admin-privilege. If
                      both attributes are configured, user-admin-role takes effect. You are
                      advised to use user-admin-role directly.
user-login-type       Admin login type. CONSOLE=1; telnet=2; SSH=4; HTTP=8; HTTPS=16;
                      all=31. For a combination, the value is the sum of the selected
                      types (e.g. telnet+SSH=6).
user-group            This attribute is optional. It defines the user group of the
                      specified user. User groups are used for user-group-based policy
                      control.
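The helper below is an added example, not StoneOS or tac_plus code: it builds the attribute name/value pairs from the table above, encodes and decodes the user-login-type sum, checks the documented constraints (admin users need user-vsys-id, only ID=0 is supported) and applies the rule that user-admin-role takes precedence over user-admin-privilege; how the pairs are written into tac_plus or Cisco ACS configuration depends on each server's own syntax and is not shown.

```python
"""Builder and checker for the Hillstone TACACS+ attributes described above.

Added example, not StoneOS or tac_plus code. Values come from the attribute
table; the functions only produce and validate name/value pairs.
"""

LOGIN_TYPES = {"CONSOLE": 1, "telnet": 2, "SSH": 4, "HTTP": 8, "HTTPS": 16}
ALL_LOGIN_TYPES = 31                       # "all": sum of every login type
USER_TYPES = {"admin": 16, "all": 31}
PRIVILEGES = {"read-write": 4294967295, "read-only": 0}
ROLES = ("admin", "operator", "auditor", "admin-read-only")


def encode_login_type(names):
    """Combine login types into the user-login-type value, e.g. telnet+SSH -> 6."""
    if "all" in names:
        return ALL_LOGIN_TYPES
    value = 0
    for name in set(names):
        if name not in LOGIN_TYPES:
            raise ValueError("unknown login type %r" % name)
        value |= LOGIN_TYPES[name]
    if value == 0:
        raise ValueError("at least one login type is required")
    return value


def decode_login_type(value):
    """Split a user-login-type value back into the login types it allows."""
    if not 1 <= value <= ALL_LOGIN_TYPES:
        raise ValueError("user-login-type must be between 1 and 31, got %d" % value)
    return [name for name, bit in LOGIN_TYPES.items() if value & bit]


def build_admin_attributes(login_types, role=None, privilege=None, vsys_id=0, group=None):
    """Return the attribute pairs for an administrator account.

    `role` is one of ROLES; `privilege` is 'read-write' or 'read-only'. Both may
    be given, but the guide says user-admin-role then takes effect, so prefer
    `role` alone.
    """
    if vsys_id != 0:
        raise ValueError("only user-vsys-id=0 is supported for admin users")
    if role is None and privilege is None:
        raise ValueError("an admin user needs user-admin-role or user-admin-privilege")
    if role is not None and role not in ROLES:
        raise ValueError("unknown user-admin-role %r" % role)
    if privilege is not None and privilege not in PRIVILEGES:
        raise ValueError("unknown user-admin-privilege %r" % privilege)
    attrs = {
        "user-type": str(USER_TYPES["admin"]),          # admin type=16
        "user-vsys-id": str(vsys_id),                   # mandatory for admin users
        "user-login-type": str(encode_login_type(login_types)),
    }
    if role is not None:
        attrs["user-admin-role"] = role
    if privilege is not None:
        attrs["user-admin-privilege"] = str(PRIVILEGES[privilege])
    if group is not None:
        attrs["user-group"] = group                     # optional, for group-based policy
    return attrs


def effective_access(attrs):
    """Work out what an attribute set grants, applying the role-over-privilege rule."""
    if "user-admin-role" in attrs:
        return attrs["user-admin-role"]
    priv = int(attrs.get("user-admin-privilege", "0"))
    return "read-write" if priv == PRIVILEGES["read-write"] else "read-only"


if __name__ == "__main__":
    example = build_admin_attributes(["SSH", "HTTPS"], role="operator")
    print(example, decode_login_type(int(example["user-login-type"])))
```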

Configuring the Brute-force Cracking Defense

To prevent illegal users from obtaining user names and passwords by brute-force cracking, you can
configure the brute-force cracking defense to lock out a user or an IP address: if the number of
failed login attempts within the specified period reaches the specified value, the user or IP is
locked for a while.
The Brute-force Cracking Defense configuration includes:

l Enabling/Disabling the Brute-force Cracking Defense

l Configuring the Number of Attempts

l Configuring the Lockout Time

Enabling/Disabling the Brute-force Cracking Defense

By default, the Brute-force Cracking Defense function is disabled. To enable this function, in the
TACACS+ server configuration mode, use the following command:

l Enable: lockout {ip | user} enable

l Disable: lockout {ip | user} disable

Configuring the Number of Attempts

The number of attempts is the number of login failures allowed within the specified interval. To
configure the number of attempts, in the TACACS+ server configuration mode, use the following
command:
lockout {ip | user} failed-attempts number interval interval

l failed-attempts number – Specifies the number of login failures allowed. For user lockout, the
range is 1 to 32 and the default value is 5. For IP lockout, the range is 1 to 2048 and the
default value is 64.

l interval interval – Specifies the period (in seconds) within which the login failures are
counted. The range is 1 to 180 and the default value is 60 seconds.

Configuring the Lockout Time

If the number of failed attempts reaches the specified value within the specified interval, the
user or IP is locked out for a while. To configure the lockout time, in the TACACS+ server
configuration mode, use the following command:
lockout {ip | user} lockout-time time

l lockout-time time – Specifies the lockout time in seconds. The range is 30 to 180. The default
value is 600 seconds for user lockout and 60 seconds for IP lockout.

Viewing the Lockout Information

To view the information of a locked user or IP, in any mode, use the following command:
show aaa-server aaa-server-name lockout {user [username] | ip [ip-address vr_id number]}

l aaa-server-name - Specifies the name of the AAA server.

l user [username] - Shows the information of the locked user with the specified name.

l ip [ip-address vr_id number] - Shows the information of the locked IP with the specified IP
address and VRouter ID.

Unlocking the User / IP

To unlock and delete the user or IP, in any mode, use the following command:
exec aaa aaa-server aaa-server-name lockout delete {user [username] | ip [ip-address vr_id number]}

l aaa-server-name - Specifies the name of the AAA server.

l user [username] - Unlocks the user with the specified name.

l ip [ip-address vr_id number] - Unlocks the IP with the specified IP address and VRouter ID.
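The brute-force cracking defense described for both the LDAP and the TACACS+ server (failed-attempts, interval, lockout-time, and the show/delete commands) can be modelled as follows. This is an added example, not StoneOS code: the sliding-window semantics (failures older than the interval are forgotten) and the in-memory bookkeeping are assumptions, while the defaults and the (ip-address, vr_id) keying follow the text above.

```python
"""Sliding-window lockout model for the StoneOS `lockout {ip | user}` settings.

Added example, not StoneOS code. The window semantics (sliding, failures older
than `interval` seconds are forgotten) are an assumption; the guide only says
"within the specified period". Keys for IP lockout are (address, vr_id) pairs,
matching the `ip ip-address vr_id number` form of the show/delete commands.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LockoutPolicy:
    failed_attempts: int   # failures allowed within the interval
    interval: int          # seconds
    lockout_time: int      # seconds the key stays locked
    enabled: bool = True   # `lockout ... enable` / `disable`


# Documented defaults: user 5 failures / 60 s / 600 s, IP 64 failures / 60 s / 60 s.
USER_DEFAULT = LockoutPolicy(failed_attempts=5, interval=60, lockout_time=600)
IP_DEFAULT = LockoutPolicy(failed_attempts=64, interval=60, lockout_time=60)


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    failures: dict = field(default_factory=dict)      # key -> deque of failure times
    locked_until: dict = field(default_factory=dict)  # key -> absolute expiry time

    def is_locked(self, key, now):
        """True while the key is inside its lockout period; expired locks are cleared."""
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[key]      # lock expired: start counting afresh
        self.failures.pop(key, None)
        return False

    def record_failure(self, key, now):
        """Register one failed login at time `now`; returns True if the key is locked."""
        if not self.policy.enabled:
            return False
        if self.is_locked(key, now):
            return True
        window = self.failures.setdefault(key, deque())
        window.append(now)
        while window and now - window[0] >= self.policy.interval:
            window.popleft()             # forget failures outside the interval
        if len(window) >= self.policy.failed_attempts:
            self.locked_until[key] = now + self.policy.lockout_time
            return True
        return False

    def record_success(self, key, now):
        """A successful login clears the failure history unless the key is locked."""
        if self.is_locked(key, now):
            return False
        self.failures.pop(key, None)
        return True

    def unlock(self, key):
        """Equivalent of `exec aaa aaa-server NAME lockout delete ...` for one key."""
        self.locked_until.pop(key, None)
        self.failures.pop(key, None)

    def show_locked(self, now):
        """Equivalent of `show aaa-server NAME lockout`: key -> remaining seconds."""
        return {k: until - now for k, until in self.locked_until.items() if now < until}


def demo():
    """Five failures for one user inside 60 s trigger a 600 s lock; unlock clears it."""
    users = LockoutTracker(USER_DEFAULT)
    ips = LockoutTracker(IP_DEFAULT)
    for t in (0, 10, 20, 30):
        assert not users.record_failure("alice", t)
    locked_at_40 = users.record_failure("alice", 40)
    locked_at_100 = users.is_locked("alice", 100)
    expired_at_640 = users.is_locked("alice", 640)
    # 63 failures from one address in one VRouter do not lock it; the 64th does.
    for _ in range(63):
        ips.record_failure(("198.51.100.7", 0), 5)   # constructed sample address
    ip_locked = ips.record_failure(("198.51.100.7", 0), 5)
    ips.unlock(("198.51.100.7", 0))
    return locked_at_40, locked_at_100, expired_at_640, ip_locked, ips.show_locked(5)


if __name__ == "__main__":
    print(demo())
```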

Configuring a RADIUS Accounting Server

Hillstone devices support accounting for authenticated users via a RADIUS server. To enter the
RADIUS server configuration mode, in the global configuration mode, use the command
aaa-server aaa-server-name type radius.
The RADIUS accounting server configuration includes:

l Enabling/Disabling the accounting function

l Configuring the IP address or domain name of the primary/backup server

l Configuring the port number

l Configuring the Secret

l Enabling/Disabling the Offline Management of Accounting User

l Configuring the Extended Password Encryption Algorithm of SM4

Enabling/Disabling the Accounting Function

To enable/disable the accounting function of the RADIUS server, in the RADIUS server con-
figuration mode, use the following commands:

l Enable: accounting enable

l Disable: no accounting enable

After enabling the accounting function, you can continue to configure other parameters.



Configuring the IP Address or Domain Name of the Primary/Backup Server

To configure the IP address or domain name of the primary or backup accounting server, in the
RADIUS server configuration mode, use the following command:
accounting {host {ip-address | host-name} | backup1 {ip-address | host-name} | backup2 {ip-address | host-name}}

l host {ip-address | host-name} – Specifies the IP address or domain name of the primary
server.

l backup1 {ip-address | host-name} – Specifies the IP address or domain name of the backup
server 1.

l backup2 {ip-address | host-name} – Specifies the IP address or domain name of the backup
server 2.

To cancel the IP address or domain name configuration of the primary or backup server, in the
RADIUS server configuration mode, use the command:
no accounting {host | backup1 | backup2}

Configuring the Port Number

To configure the port number of the accounting server, in the RADIUS server configuration
mode, use the following command:
accounting port port-number

l port-number – Specifies the port number of the accounting server. The value range is 1024
to 65535. The default value is 1813.

To restore to the default value of the port number, in the RADIUS server configuration mode,
use the command:
no accounting port



Configuring the Secret

To configure the secret of the accounting server, in the RADIUS server configuration mode, use
the following command:
accounting secret secret

l secret – Specifies the secret string of the accounting server. The length is 1 to 31 characters.

To cancel the secret configuration of the accounting server, in the RADIUS server configuration
mode, use the command:
no accounting secret

Enabling/Disabling the Offline Management of Accounting User

After the offline management of accounting users is enabled, the system disconnects the
specified offline user and stops accounting according to the offline user information sent by
the RADIUS server (including the name of the offline user, the IP address of the offline user
and the accounting ID). By default, the function is disabled.
To enable the offline management of accounting users, in the RADIUS server configuration mode,
use the following command:
unsolicited-message enable

To disable the offline management of accounting users, in the RADIUS server configuration mode,
use the following command:
no unsolicited-message enable

Configuring the Extended Password Encryption Algorithm of SM4

The Radius server supports encrypted storage and encrypted transmission of passwords using the
extended password encryption algorithm of SM4. To configure the SM4 extended password
encryption algorithm for the Radius server, you need to use the relevant commands in the exten-
ded-option configuration mode.
To enter the extended-option configuration mode, in the RADIUS server configuration mode,
use the following command:
extend-option



To configure the SM4 extended password encryption algorithm for the Radius server, in the exten-
ded-option configuration mode, use the following command:
encryption-algorithm SM4

l SM4 – Specifies the SM4 extended password encryption algorithm. The keyword is not case
sensitive.

To delete the specified SM4 extended password encryption algorithm, use the command no
encryption-algorithm.

Configuring Authentication and Authorization for the Server

After configuring the AAA authentication server, you need to specify one server as the authen-
tication server for the system administrator. By default, the StoneOS system uses the local server
as the authentication server, which cannot be deleted.

Configuring Authentication and Authorization for the Server

To configure authentication and authorization for the server, in the global configuration mode,
use the following command:
admin authorization-mode {local | aaa-server server-name [disable-retry-local]}

l local - Specifies the local server as the authorization server.

l aaa-server server-name [disable-retry-local] - Specifies the external server as the
authorization server.

  l server-name - Specifies the name of the authentication server. It can be a RADIUS server
  (radius) or a TACACS+ server (tacacs+).

  l disable-retry-local - Disables the function of the local password retry. By default, if the
  configured external authentication server is not reachable or the server returns a password
  error notification to StoneOS, the StoneOS system uses the local server as the authentication
  server. You can disable the local password retry function, that is, disable local server
  authentication: if the specified external server returns a password error notification to
  StoneOS, the local server cannot be used for administrator authentication. The server
  unreachable case is not affected by the disable-retry-local configuration.

To restore to the default authentication server, in the global configuration mode, use the com-
mand no admin authorization-mode.
You can, according to your own needs, preferentially use the local server for authentication for
administrators who access through the Console mode. If the local server is unreachable or the
authentication server is unavailable, the StoneOS system uses the default Radius server for admin-
istrator authentication. To specify the local server as the authentication server for administrators
who access through the Console mode, in the global configuration mode, use the following com-
mand:
admin console local-auth-prior

To disable local server authentication, use the command no admin console local-auth-prior.

Viewing the Authorization Information of the Authentication Server

To view the authorization information of the authentication server, in any mode, use the fol-
lowing command:
show admin authorization-mode

Viewing Local Server Authentication Enabled Status

To view the local server authentication enabled status, in any mode, use the following command:
show admin console local-auth-prior

Configuring the Authentication Server for the administrator

If you select the local server authorization, you need to configure the administrator and authen-
tication information. To configure the authentication server, use the following command in the
administrator role configuration mode:
authentication-server {local | aaa-server server-name [retry-local]}



l local - Specifies the local server as the authentication server.

l aaa-server server-name [retry-local] - Specifies the external server as the authentication
server.

  l server-name - Specifies the name of the authentication server. It can be a RADIUS server
  (radius), an Active-Directory server (active-directory), an LDAP server (ldap) or a TACACS+
  server (tacacs+).

  l retry-local - Enables the function of the local password retry. If the external server is
  unreachable and the local password retry is enabled, the StoneOS system uses the local server
  for system administrator authentication. If the local password retry function is disabled, the
  local server cannot be used for administrator authentication. If the external server returns a
  password error notification to StoneOS, authentication fails directly, regardless of whether
  retry-local is configured.
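The local-retry behaviour of the two commands above differs in one important detail: under admin authorization-mode, disable-retry-local blocks the local fallback only on a password error (an unreachable server still falls back), whereas under the admin-role authentication-server command a password error always fails and retry-local only matters when the server is unreachable. The following decision model, an added example and not StoneOS code, encodes just those documented rules; the result strings are this example's own naming.

```python
"""Decision model for the local-retry behaviour of the two administrator
authentication commands described above:

  admin authorization-mode aaa-server NAME [disable-retry-local]   (global mode)
  authentication-server aaa-server NAME [retry-local]              (admin role mode)

Added example, not StoneOS code. It encodes only what the guide states about
"server unreachable" versus "password error"; the result strings are this
example's own naming.
"""
from enum import Enum


class External(Enum):
    """Outcome of the external (RADIUS/TACACS+/AD/LDAP) authentication attempt."""
    ACCEPTED = "accepted"
    PASSWORD_ERROR = "password-error"
    UNREACHABLE = "unreachable"


def authorization_mode(external, disable_retry_local=False):
    """Global `admin authorization-mode aaa-server NAME [disable-retry-local]`.

    Default: both an unreachable server and a password error fall back to the
    local server. disable-retry-local blocks the fallback only for the password
    error case; an unreachable server still falls back.
    """
    if external is External.ACCEPTED:
        return "accept:external"
    if external is External.UNREACHABLE:
        return "retry:local"
    return "reject" if disable_retry_local else "retry:local"


def role_authentication_server(external, retry_local=False):
    """Admin-role `authentication-server aaa-server NAME [retry-local]`.

    A password error from the external server fails outright whether or not
    retry-local is set; retry-local only matters when the server is unreachable.
    """
    if external is External.ACCEPTED:
        return "accept:external"
    if external is External.PASSWORD_ERROR:
        return "reject"
    return "retry:local" if retry_local else "reject"


def login(decide, external, local_password_ok):
    """Run one login through `decide` and, if it says retry, through the local server."""
    verdict = decide(external)
    if verdict == "retry:local":
        return "accept:local" if local_password_ok else "reject"
    return verdict


def compare_flags():
    """Side-by-side table of the two commands for every external outcome."""
    rows = []
    for ext in External:
        rows.append((ext.value,
                     authorization_mode(ext, disable_retry_local=False),
                     authorization_mode(ext, disable_retry_local=True),
                     role_authentication_server(ext, retry_local=False),
                     role_authentication_server(ext, retry_local=True)))
    return rows


if __name__ == "__main__":
    header = ("external", "authz-mode", "authz-mode+disable", "role-auth", "role-auth+retry")
    for row in [header] + compare_flags():
        print("%-15s %-14s %-20s %-14s %-14s" % row)
```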

Viewing and Debugging AAA

To view the configuration information of AAA server, in any mode, use the following command:
show aaa-server [server-name]

To view the user blacklist information, in any mode, use the following command:
show user-black-list

To view the debug information of AAA, in any mode, use the following command:
debug aaa [accounting | authentication | authorization | internal | radius | ldap | user]

l accounting - Shows debug information for accounting.

l authentication - Shows debug information for authentication.

l authorization - Shows debug information for authorization.

l internal - Shows debug information when local users access the device via local
authentication.



l radius - Shows debug information for the RADIUS authentication.

l ldap - Shows debug information for the LDAP (including Active-Directory server and LDAP
server) authentication.

l user – Shows debug information when the local user attributes change.



Radius Dynamic Authorization
The Radius dynamic authorization function includes:

l When a user is authenticated successfully, the Radius server can send a Radius CoA
(Change of Authorization) request message carrying the authority of the authenticated user to
the device. The device automatically generates the security policy rule for the user. When the
user goes offline, the device deletes this user's security policy rule automatically.

l When an SCVPN user is authenticated successfully, the Radius server can send a Radius DM
(Disconnect Message) request message carrying the accounting user information (including
the user name, user IP address, user accounting ID, etc.) to the device, and the device
disconnects the specified SCVPN authenticated user and ends the accounting.

Enabling / Disabling Radius dynamic authorization

By default, the Radius dynamic authorization is disabled. To enable or disable the Radius dynamic
authorization, in the global configuration mode, use the following command:

l Enable: radius-server dynamic-authorization enable

l Disable: no radius-server dynamic-authorization enable

Notes: If you need to use the Radius dynamic authorization function, first enable
and configure the Radius accounting server. For the configuration, refer to "Con-
figuring a RADIUS Accounting Server" on Page 1049.

Configuring a Radius Dynamic Authorization Server

To configure a Radius dynamic authorization server, in the global configuration mode, use the
following command:
radius-server dynamic-authorization {server-ip ip-address [destination-ip destination-ip]} {secret key-string}

l server-ip ip-address - Specifies the IP address (IPv4 or IPv6) of the Radius dynamic
authorization server.

l destination-ip destination-ip - Specifies the destination IP address of the authorization
request. This option is optional.

l secret key-string - Specifies the secret string of the Radius dynamic authorization server. The
length is 1 to 31 characters.

To delete the configuration of the Radius dynamic authorization server, in the global
configuration mode, use the following command:
no radius-server dynamic-authorization server-ip ip-address

Configuring the Port Number

To configure the port number of the Radius dynamic authorization server, in the global
configuration mode, use the following command:
radius-server dynamic-authorization port port-number

l port-number - Specifies the port number of the Radius dynamic authorization server. The
value range is 1024 to 65535. The default value is 3799.

To restore the default value of the port number, in the global configuration mode, use the
following command:
no radius-server dynamic-authorization port

Viewing Radius Dynamic Authorization Server Configurations

To view the Radius dynamic authorization server configuration, in any mode, use the following
command:
show radius-server dynamic-authorization



Radius Snooping
The Remote Authentication Dial-In User Service (RADIUS) is a protocol used for communication
between a NAS and an AAA server. The RADIUS packet monitoring function analyzes the RADIUS
packets that are mirrored to the device, and the device automatically obtains the mappings
between the usernames of authenticated users and their IP addresses. The system then generates
user authentication information and adds it to the authenticated user list in order to control
and audit user traffic.

Entering the Radius Snooping Configuration Mode

To enter the Radius Snooping configuration mode, use the following command in the global con-
figuration mode:
user-sso server radius-snooping default

Enabling the Radius Snooping Function

By default, the Radius Snooping function is disabled. To enable this function, use the following
command in the Radius Snooping configuration mode:

l Enable: enable

l Disable: no enable

Specifying the AAA Server

To specify the AAA server referenced by the system, use the following command in the Radius
Snooping configuration mode:
aaa-server aaa-server-name

l aaa-server-name – Specifies the name of the AAA server. A Local, AD or LDAP server can be
selected as the AAA server. It is recommended to select the configured authentication AD server
directly. After the AAA server is selected, the system can query the corresponding user group
and role of the online user on the referenced AAA server, so as to achieve policy control based
on the user group and role.

To cancel the above configuration, use the following command in the Radius Snooping
configuration mode:
no aaa-server

Configuring the Idle Time

If the device does not receive mirrored RADIUS packets within the specified time period, it deletes the mappings between usernames and IP addresses. To specify the time period, namely the idle time, use the following command in the Radius Snooping configuration mode:
idle-timeout timeout

• timeout – Specifies the idle time (in minutes). The value ranges from 1 to 1440.

By default, the system does not delete the user authentication information when there is no traffic. To restore the idle time to the default value, use the following command in the Radius Snooping configuration mode:
no idle-timeout

Specifying the Force Timeout Time

To specify the forced logout time, in the Radius Snooping configuration mode, use the following command:
force-timeout time

• time – Specifies the forced logout time. When the online time of a user exceeds the configured force timeout time, the system kicks out the user and forces the user to log out. The range is 0 (the function is disabled) to 1440 minutes, and the default value is 600 minutes.

To restore the configured force timeout time to the default, in the Radius Snooping configuration mode, use the following command:
no force-timeout



Configuring the Heartbeat Timeout Value

When authentication is successful, the system automatically reconfirms the login information before the configured timeout value ends in order to maintain the login status. If the idle time is configured at the same time, the user is logged off when the smaller of the two values is reached. To configure the heartbeat timeout value, in the Radius Snooping configuration mode, use the following command:
heartbeat-timeout {interval | disable}

• interval – Specifies the heartbeat timeout value. The value range is 3 to 1440 minutes. The default value is 5 minutes.

• disable – Disables the heartbeat timeout function.

To restore the default heartbeat timeout value, in the Radius Snooping configuration mode, use the following command:
no heartbeat-timeout

Configuring the Username Filter

With the Username Filter function, the system excludes usernames ending with a specific string and generates user authentication information only for usernames that are not excluded by the "not end with" filter condition.

To configure the username filter, in the Radius Snooping configuration mode, use the following command:
username-filter not-end-with filter-string

• not-end-with filter-string – The "not end with" filter condition excludes usernames ending with the specified string. The system generates user authentication information only for usernames not excluded by this condition. The string is 1 to 15 characters long.

To delete the username filter configuration, in the Radius Snooping configuration mode, use the following command:
no username-filter not-end-with

Viewing the Radius Snooping Configuration Information

To view the Radius Snooping configuration information, in any mode, use the following command:
show user-sso server radius-snooping default
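To make the timer and filter rules of this Radius Snooping section concrete, the following added example (written for this guide's reader, not StoneOS code) simulates the username-to-IP table over constructed mirrored RADIUS events. It assumes heartbeat-timeout acts as a second silence timer alongside idle-timeout with the smaller value winning, as the heartbeat paragraph states; the usernames, addresses and the "$" machine-account suffix used for the filter are constructed sample data.

```python
"""Model of the Radius Snooping user table described above (added example).

The device learns username <-> IP mappings from mirrored RADIUS packets and
ages them out with the idle-timeout, force-timeout and heartbeat-timeout
timers. Heartbeat is modelled as a second silence timer (assumption); all
times are in minutes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SnoopConfig:
    idle_timeout: Optional[int] = None     # idle-timeout 1..1440; None = default (no ageing on silence)
    force_timeout: int = 600               # force-timeout 0..1440; 0 disables; default 600
    heartbeat_timeout: Optional[int] = 5   # heartbeat-timeout 3..1440; None = disable; default 5
    not_end_with: Optional[str] = None     # username-filter not-end-with, 1..15 characters

    def __post_init__(self) -> None:
        if self.idle_timeout is not None and not 1 <= self.idle_timeout <= 1440:
            raise ValueError("idle-timeout must be 1..1440 minutes")
        if not 0 <= self.force_timeout <= 1440:
            raise ValueError("force-timeout must be 0..1440 minutes")
        if self.heartbeat_timeout is not None and not 3 <= self.heartbeat_timeout <= 1440:
            raise ValueError("heartbeat-timeout must be 3..1440 minutes")
        if self.not_end_with is not None and not 1 <= len(self.not_end_with) <= 15:
            raise ValueError("not-end-with string must be 1..15 characters")


@dataclass
class Mapping:
    user: str
    login: int       # minute the mapping was learned
    last_seen: int   # minute of the last mirrored packet for this mapping


class SnoopTable:
    def __init__(self, cfg: SnoopConfig) -> None:
        self.cfg = cfg
        self.by_ip: Dict[str, Mapping] = {}

    def accepts(self, user: str) -> bool:
        """username-filter not-end-with: drop names ending with the filter string."""
        return self.cfg.not_end_with is None or not user.endswith(self.cfg.not_end_with)

    def observe(self, now: int, user: str, ip: str) -> bool:
        """Process one mirrored RADIUS packet (User-Name, Framed-IP-Address)."""
        if not self.accepts(user):
            return False
        cur = self.by_ip.get(ip)
        if cur is None or cur.user != user:
            self.by_ip[ip] = Mapping(user, now, now)   # new or re-assigned address
        else:
            cur.last_seen = now
        return True

    def expire(self, now: int) -> List[Tuple[str, str, str]]:
        """Age out mappings; returns (ip, user, reason) for each removal."""
        removed = []
        silence_limits = [t for t in (self.cfg.idle_timeout, self.cfg.heartbeat_timeout) if t]
        for ip, m in list(self.by_ip.items()):
            reason = None
            if self.cfg.force_timeout and now - m.login >= self.cfg.force_timeout:
                reason = "force-timeout"
            elif silence_limits and now - m.last_seen >= min(silence_limits):
                reason = "idle/heartbeat-timeout"   # the smaller configured value wins
            if reason:
                del self.by_ip[ip]
                removed.append((ip, m.user, reason))
        return removed

    def online(self) -> Dict[str, str]:
        return {ip: m.user for ip, m in self.by_ip.items()}


def demo() -> Dict[str, object]:
    """Constructed traffic: two users plus an AD computer account (name ends with '$')."""
    cfg = SnoopConfig(idle_timeout=30, force_timeout=120, heartbeat_timeout=None, not_end_with="$")
    table = SnoopTable(cfg)
    table.observe(0, "alice", "10.1.1.10")
    filtered = not table.observe(0, "PC01$", "10.1.1.11")    # excluded by the username filter
    table.observe(50, "bob", "10.1.1.12")
    table.observe(80, "alice", "10.1.1.10")                   # alice keeps generating packets
    first = table.expire(100)    # bob silent for 50 min >= 30 -> removed
    second = table.expire(125)   # alice online since minute 0, 125 >= 120 -> force-timeout
    return {"filtered": filtered, "first": first, "second": second, "online": table.online()}


if __name__ == "__main__":
    print(demo())
```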

Configuration Example
This example shows how to use an external RADIUS authentication server to authenticate Telnet users. The specific requirements and configurations are described below.

Requirement

The goal is to authenticate Telnet users via a RADIUS server. The IP address of the RADIUS authentication server is 202.10.1.2, and there is no backup server. The retry count is the default value 3. The response timeout is the default value 3. Port 1812 is used for RADIUS authentication. The figure below shows the networking topology.

Configuration Steps

Step 1: Configure the interface

hostname# configure

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# manage telnet

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 10.1.1.1/24

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 202.10.1.1/24

hostname(config-if-eth0/1)# exit

Step 2: Enter the AAA server configuration mode

hostname(config)# aaa-server rad type radius

Step 3: Configure the RADIUS authentication server

hostname(config-aaa-server)# host 202.10.1.2

hostname(config-aaa-server)# port 1645

hostname(config-aaa-server)# secret testing123

hostname(config-aaa-server)# exit

Step 4: Specify the authentication server for the system

hostname(config)# admin auth-server rad

Step 5: Verify the results of the configuration

hostname(config)# show aaa-server rad

==============================================================

aaa-server: radius

type: radius

role-mapping-rule :

backup-aaa-server :

server address: 202.10.1.2(trust-vr)

first backup :



second backup :

radius setting:

port: 1812 secret: a3UfKjOGP80IGeggG9kuvDJ7I8Ye

retries 3 time(s), timeout 3 second(s).

accounting: enable (optional)

accounting setting:

port: 2000 secret: hq8DNiGMUL4Pq2A9tf1422uLRWcF

server address: 202.10.1.2(trust-vr)

first backup :

second backup :

==============================================================


User Identification

Overview
The system supports various methods of user identification, which are used to authenticate users who access the Internet via the device.

Web Authentication
After Web authentication (WebAuth) is configured, opening a browser to access the Internet redirects the page to the WebAuth login page. Depending on the authentication mode, you need to provide the corresponding authentication information. After successful Web authentication, the system allocates a role to the IP address according to the policy configuration, which provides a role-based access control method.
If an HTTPS request triggers WebAuth, only unilateral SSL proxy is supported. The system enables the SSL connection during authentication. After authentication is completed, the SSL proxy is no longer in effect and the client and server communicate directly without SSL encryption.
In addition, the system supports customizing the WebAuth page. For more information, refer to Customizing WebAuth Login Pages.

Entering the WebAuth Configuration Mode

To enter the WebAuth configuration mode, in the global configuration mode, use the following command:
webauth

Enabling/Disabling WebAuth

By default, WebAuth is disabled. To enable the WebAuth function, in the WebAuth configuration mode, use the following command:
enable
To disable the WebAuth function, in the WebAuth configuration mode, use the following command:
disable

Configuring the WebAuth Mode

WebAuth includes the following four modes:

• Password Authentication: Uses a username and password during the Web authentication.

• SMS Authentication: Uses SMS during the Web authentication. On the login page, you need to enter the mobile number and the received SMS verification code. If the SMS verification code is correct, you pass the authentication.

• NTLM Authentication: The system obtains the login user information of the local PC automatically, and then verifies the identity of the user.

Web authentication modes can be divided into the single authentication mode and the combined authentication mode.

Notes: The NTLM authentication mode only supports Active Directory servers deployed on Windows Server 2008 or older versions.

Configuring the Single Authentication Mode

To configure the single authentication mode, in the WebAuth configuration mode, use the following command:
mode {password | sms | ntlm}

• password – Specifies the password authentication mode as the authentication mode.

• sms – Specifies the SMS authentication mode as the authentication mode.

• ntlm – Specifies the NTLM authentication mode as the authentication mode.



Configuring the Combined Authentication Mode

You can specify the combined authentications used on the Web authentication login page, that is, the combined authentication mode.

• The system can combine the password authentication with the SMS authentication, as shown in the figure: Password Authentication or SMS Authentication.

To configure the combined authentication mode, in the WebAuth configuration mode, use the following command:
mode password-sms

• password-sms – Specifies the password authentication or the SMS authentication as the authentication mode on the Web authentication login page.

To restore the default password authentication mode, in the WebAuth configuration mode, use the following command:
no mode


Configuring the Protocol Type of Authentication

The system supports HTTP and HTTPS. HTTP mode is faster, and HTTPS mode is more secure. To configure the protocol type, in the WebAuth configuration mode, use the following command:
protocol {http | https}

• http | https – Specifies the protocol type, HTTP or HTTPS.

To restore the default HTTP protocol type, in the WebAuth configuration mode, use the following command:
no protocol

Specifying the WebAuth Global Default Configuration of Interface

After the WebAuth function is enabled, the WebAuth function of all interfaces is disabled by default. To specify the WebAuth global default configuration of the interfaces, in the WebAuth configuration mode, use the following command:
interface global-default {enable | disable}

• enable – Specifies that the WebAuth function of all interfaces is enabled by default.

• disable – Specifies that the WebAuth function of all interfaces is disabled by default.

Tip: For more information about configuring the WebAuth of an interface, refer to Enabling/Disabling the WebAuth of Interface.

Configuring the Port Number

To configure the HTTP or HTTPS port number for the authentication server, in the WebAuth configuration mode, use the following commands:
http-port port-number

• port-number – Specifies the HTTP port number. The value range is 1 to 65535. The default value is 8181.

https-port port-number

• port-number – Specifies the HTTPS port number. The value range is 1 to 65535. The default value is 44433.

To restore the default value of the HTTP or HTTPS port number, in the WebAuth configuration mode, use the following commands:
no http-port

no https-port

Notes: The HTTP port number and the HTTPS port number must be different.

Specifying HTTP Proxy Server Port

After Web authentication is enabled, the device authenticates HTTP requests whose destination port is 80. When the HTTP traffic for network access passes through an HTTP proxy server, you need to specify the HTTP proxy server port on the device. The device can then authenticate the HTTP requests sent to the proxy server.
To specify the HTTP proxy server port, in the WebAuth configuration mode, use the following command:
proxy-port port-number

• port-number – Specifies the port that the HTTP proxy server uses for proxying HTTP requests. The value ranges from 1 to 65535.

Use the no proxy-port command to cancel the HTTP proxy server port setting. The device then authenticates HTTP requests whose destination port is 80.
After enabling the Web authentication function and specifying the HTTP proxy server port, each user must add the IP address of the device to the Exceptions list in the Proxy Settings of the Web browser so that Web authentication can be performed.


Configuring the HTTPS Trust Domain

To configure the HTTPS trust domain name, in the WebAuth configuration mode, use the following command:
https-trust-domain trust-domain-name

• trust-domain-name – Specifies the name of the HTTPS trust domain. Before executing this command, the PKI trust domain must have been added to the system, and you should make sure that the local certificate purchased from the certificate authority has been imported into it. By default, the HTTPS trust domain is trust_domain_default, which results in an untrusted certificate warning.

To restore the default HTTPS trust domain trust_domain_default, in the WebAuth configuration mode, use the following command:
no https-trust-domain

Specifying the Address Type

By default, the address type of the authentication user is IP address. To specify the address type of the authentication user, in the WebAuth configuration mode, use the following command:
address-type {ip | mac}

• ip – Specifies the IP address as the address type of the authentication user.

• mac – Specifies the MAC address as the address type of the authentication user. The device must be deployed in the same Layer 2 network as the client; otherwise, the system fails to get the MAC address of the client or gets an incorrect MAC address.

To restore the default address type, in the WebAuth configuration mode, use the following command:
no address-type


Configuring Multi-logon Function

By default, the multi-logon function is disabled. If it is enabled, the same username can log in from multiple clients simultaneously. To enable the multi-logon function, in the WebAuth configuration mode, use the following command:
multi-logon

After executing this command, the multi-logon function is enabled, and the number of clients using one username is limited. To specify the number of clients, in the WebAuth configuration mode, use the following command:
multi-logon number

• number – Specifies how many times the same username can be logged in simultaneously. The value range is 2 to 1000 times.

To disable this function, in the WebAuth configuration mode, use the following command:
no multi-logon

Configuring Auto-kickout Function

The auto-kickout function means that only one user is allowed to log in on one client. When the same user logs in again, according to the configuration, the system either kicks out the registered user or prevents the same user from logging in again.
Kicking out the registered user means that the system disconnects the original connection and replaces the original logon information with the new logon information. To kick out the registered user, in the WebAuth configuration mode, use the following command:
auto-kickout

To prevent the same user from logging in again, in the WebAuth configuration mode, use the following command:
no auto-kickout


Enabling/Disabling Proactive WebAuth

You can enable proactive WebAuth on an L3 interface of the device. After it is enabled, you can access the Web authentication address to initiate an authentication request, and then fill in the correct username and password on the authentication login page. The Web authentication address consists of the IP address of the interface and the HTTP/HTTPS port number of the authentication server. For example, if the IP address of the interface is 192.168.3.1 and the HTTP/HTTPS port numbers of the authentication server are configured as 8182/44434 respectively, the Web authentication address is http://192.168.3.1:8182 when the authentication server is configured for HTTP, and https://192.168.3.1:44434 when it is configured for HTTPS.
To enable proactive WebAuth, in the interface configuration mode, use the following command:
webauth aaa-server aaa-server-name

• aaa-server-name – Specifies the name of the configured AAA server.

To disable the proactive WebAuth function, in the interface configuration mode, use the following command:
no webauth aaa-server

Notes:
• When enabling proactive WebAuth on an L3 interface, you need to ensure that the system's WebAuth function is enabled; otherwise it will not work.

• If the HTTP/HTTPS port of the authentication server is configured as the protocol's default port 80/443, the port number in the authentication address can be omitted.

• The proactive WebAuth function only supports the password and SMS authentication modes. If the system is configured with the NTLM authentication mode, the proactive WebAuth function takes effect in the password authentication mode.

Enabling/Disabling the WebAuth of Interface

After the WebAuth function is enabled, the WebAuth function of all interfaces is disabled by default. To enable the WebAuth function of the specified interface, in the interface configuration mode, use the following command:
webauth enable

To disable the WebAuth function of the specified interface, in the interface configuration mode, use the following command:
webauth disable

To specify that the interface uses the global default configuration of WebAuth, in the interface configuration mode, use the following command:
webauth global-default

Tip:
• It is recommended to use the command after WebAuth is enabled; otherwise the configuration is invalid.

• For more information about the WebAuth global default configuration, see Specifying the WebAuth Global Default Configuration of Interface.

Configuring the WebAuth Domain Name

In passive WebAuth, you are prompted to verify your identity on the authentication page when you visit a service. In this case, if the Web authentication address is configured with a domain name (that is, a domain name is configured for the IP address of the interface), the URL of the Web authentication page shows this domain name instead of the IP address of the interface. Enable Web authentication before configuring the WebAuth domain name.
To configure a domain name for the Web authentication address, in the interface configuration mode, use the following command:
webauth domain domain-name

• domain-name – Specifies the domain name of the Web authentication address. The value range is from 1 to 255 characters.

To delete the domain name configuration of the Web authentication address, in the interface con-
figuration mode, use the following command:
no webauth domain

Disconnecting a User

You can disconnect a specific user from the WebAuth system by CLI. To disconnect a user, in any mode, use the following command:
exec user-mapping webauth {ntlm | password | sms} kickout {{ip ip-address | mac mac-address} vrouter vrouter | username username {auth-server auth-server-name}}

• ip-address – Specifies the IP address of the WebAuth user.

• mac-address – Specifies the MAC address of the WebAuth user.

• vrouter – Specifies the VRouter of the WebAuth user.

• username – Specifies the name of the WebAuth user.

• auth-server-name – Specifies the authentication server name of the WebAuth user.

Notes: Specify the VRouter or the authentication server to avoid disconnecting too many users with the same name from the WebAuth system.


Allowing Password Change by Local Users

Local users can change their password on the login page after successful authentication. By default, this function is disabled. To enable or disable password change by local users, in the password control mode of the local server configuration mode, use the following commands:

• Enable: allow-pwd-change

• Disable: no allow-pwd-change

To change the login password, local users can take the following steps:

1. Enter the correct username and password on the WebAuth login page, and then click Login.

2. After successful login, click Modify on the login page. See the figure below:

3. In the password change dialog, type the correct old password into the Old password box, type the new password into the New password box, and then type the new password again into the Confirm New password box to confirm it.

4. Click OK to save your settings.

Configuring a Policy Rule for WebAuth

You should configure corresponding policy rules to make WebAuth take effect. To configure WebAuth parameters for a policy rule, in the policy rule configuration mode, use the following commands:

Specify the role:
role unknown

Specify the action and authentication server for WebAuth:
action webauth aaa-server-name

• aaa-server-name – Specifies the authentication server, which is a configured AAA authentication server in the system.

Tip: For information about how to configure a policy rule, see Policy.

Customizing WebAuth Login Pages

The system supports the customizing WebAuth login page function. After WebAuth is enabled,
the default login page is shown as the figure below:



Customizing the Login Page

You can customize the WebAuth login page by downloading the zip file and modifying its contents. To import the modified zip file into the system, in the execution mode, use the following command:
import customize webauth from {ftp server ip-address [vrouter vrouter-name] [user user-name password password] | tftp server ip-address [vrouter vrouter-name]} file-name

• ftp server ip-address [vrouter vrouter-name] [user user-name password password] – Gets the zip file from the FTP server, with the IP address, VRouter, username and password of the server. If the username and password are not specified, you log in anonymously by default.

• tftp server ip-address [vrouter vrouter-name] – Gets the zip file from the TFTP server, with the IP address and VRouter of the server.

• file-name – Specifies the name of the zip file.

To restore the default WebAuth login page, in any mode, use the following command:
exec customize webauth default

Notes:
• After upgrading a previous version to version 5.5R6, the WebAuth login page you already specified becomes invalid and is restored to the default page. You should re-download the template after the version upgrade and customize the login page again.

• After upgrading the system version, you should re-download the template, modify the source file, and then upload the custom page compression package. If the version of the uploaded package is not consistent with the current system version, the custom login page function will not work normally.

• The zip file should comply with the following requirements: the file format should be zip; the maximum number of files in the zip file is 50; the upper size limit of the zip file is 1M; the zip file should contain "index.html".

• The system can only save one file each for the default template page and the customized page. When you upload a new customized page file, the old file is overwritten. It is suggested to back up the old file.

• When you modify the zip file, see the "readme_cn.md" or "readme_en.md" file.

Exporting the Login Page

To export the default login page zip file, in the execution mode, use the following command:
export webauth default-page to {ftp server ip-address [vrouter vrouter-name] [user user-name password password] | tftp server ip-address [vrouter vrouter-name]} file-name

• ftp server ip-address [vrouter vrouter-name] [user user-name password password] – Exports the zip file to the FTP server, with the IP address, VRouter, username and password of the server. If the username and password are not specified, you log in anonymously by default.

• tftp server ip-address [vrouter vrouter-name] – Exports the zip file to the TFTP server, with the IP address and VRouter of the server.

• file-name – Specifies the name of the zip file.

Password Authentication

To enable password authentication, in the WebAuth configuration mode, use the following command:
mode password


Configuring the Re-auth Interval

The system can re-authenticate a user after a successful authentication. By default, the re-authentication function is inactive. To configure the re-authentication interval, in the WebAuth configuration mode, use the following command:
password reauth-interval {time | disable}

• time – Specifies the interval to re-authenticate a user. The value range is 10 to 60*24 minutes.

• disable – Disables the re-auth function.

To restore the default value, in the global configuration mode, use the following command:
no password reauth-interval

Configuring the Redirect URL Function

The redirect URL function redirects the client to the specified URL after successful authentication. You need to turn off the pop-up blocker of your web browser to ensure this function works properly. To configure the redirect URL function, in the WebAuth configuration mode, use the following command:
password popup-url url

• url – Specifies the redirect URL. The length is 1 to 127 characters. The format of the URL should be "http://www.abc.com" or "https://www.abc.com".

To delete the redirect URL configuration, in the WebAuth configuration mode, use the following command:
no password popup-url

Notes:
• You can specify the username and password in the URL address. When the specified redirect URL is an intranet application system page that requires authentication, you do not need to authenticate again and can access the application system directly.

• The corresponding keywords are $USER, $PWD, and $HASHPWD. Generally, you select one keyword between $PWD and $HASHPWD. The format of the URL is "URL" + "username=$USER&password=$PWD".

• When entering the redirect URL in the CLI, add double quotation marks around the URL address if it contains a question mark. For example: "http://192.10.5.201/oa/login.do?username=$USER&password=$HASHPWD"
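The following added example (not StoneOS code) checks the WebAuth settings from the preceding sections against the constraints the text gives (port ranges, distinct HTTP/HTTPS ports, multi-logon range, redirect URL format and the quoting rule for "?"), and builds the proactive WebAuth address described above, omitting the port when it is the protocol default. The $PWD plaintext warning in check_popup_url is an added defender-side check; the sample IP 192.168.3.1 and ports 8182/44434 are taken from the text.

```python
"""Checks for the WebAuth settings described in this section (added example).

Validates the value ranges and the http/https port rule from the text, builds
the proactive WebAuth address for an L3 interface, and shows how the redirect
URL must be typed at the CLI. All constraints come from the section; the
plaintext-password warning for $PWD is an added defender-side check.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WebAuthConfig:
    protocol: str = "http"              # protocol {http | https}, default http
    http_port: int = 8181               # http-port, 1..65535, default 8181
    https_port: int = 44433             # https-port, 1..65535, default 44433
    proxy_port: Optional[int] = None    # proxy-port, 1..65535; None = authenticate port 80 only
    multi_logon: Optional[int] = None   # multi-logon number, 2..1000; None = disabled
    popup_url: Optional[str] = None     # password popup-url, 1..127 characters


def _port_ok(port: int) -> bool:
    return 1 <= port <= 65535


def check_popup_url(url: str) -> List[str]:
    """Rules for 'password popup-url' plus the keyword notes."""
    problems = []
    if not 1 <= len(url) <= 127:
        problems.append("popup-url must be 1..127 characters")
    if not re.match(r"^https?://", url):
        problems.append('popup-url must start with "http://" or "https://"')
    if "$PWD" in url and "$HASHPWD" in url:
        problems.append("use either $PWD or $HASHPWD, not both")
    if "$PWD" in url and url.startswith("http://"):
        # added check: $PWD puts the plaintext password into a cleartext URL
        problems.append("$PWD sends the plaintext password in a cleartext URL; prefer $HASHPWD or https")
    return problems


def lint(cfg: WebAuthConfig) -> List[str]:
    """Return every violated constraint; an empty list means the config is consistent."""
    problems = []
    if cfg.protocol not in ("http", "https"):
        problems.append("protocol must be http or https")
    if not _port_ok(cfg.http_port):
        problems.append("http-port out of range 1..65535")
    if not _port_ok(cfg.https_port):
        problems.append("https-port out of range 1..65535")
    if cfg.http_port == cfg.https_port:
        problems.append("http-port and https-port must be different")
    if cfg.proxy_port is not None and not _port_ok(cfg.proxy_port):
        problems.append("proxy-port out of range 1..65535")
    if cfg.multi_logon is not None and not 2 <= cfg.multi_logon <= 1000:
        problems.append("multi-logon number must be 2..1000")
    if cfg.popup_url is not None:
        problems.extend(check_popup_url(cfg.popup_url))
    return problems


def cli_popup_url_argument(url: str) -> str:
    """The URL as typed after 'password popup-url': quoted when it contains '?'."""
    return f'"{url}"' if "?" in url else url


def proactive_webauth_address(cfg: WebAuthConfig, interface_ip: str) -> str:
    """Address a user opens to trigger proactive WebAuth on an L3 interface.

    The port is omitted when it equals the protocol default (80 for HTTP,
    443 for HTTPS), as the notes state.
    """
    if cfg.protocol == "https":
        port, default = cfg.https_port, 443
    else:
        port, default = cfg.http_port, 80
    host = interface_ip if port == default else f"{interface_ip}:{port}"
    return f"{cfg.protocol}://{host}"


if __name__ == "__main__":
    cfg = WebAuthConfig(protocol="https", http_port=8182, https_port=44434)
    print(lint(cfg), proactive_webauth_address(cfg, "192.168.3.1"))
```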

Configuring the Forced Timeout Value

If the forced timeout function is enabled, users must log in again after the configured interval ends. By default, the forced re-login function is disabled. To configure the forced timeout value, in the WebAuth configuration mode, use the following command:
password force-timeout {timeout-value | disable}

• timeout-value – Specifies the forced timeout value. The value range is 10 to 60*24*100 minutes.

• disable – Disables the forced timeout function, that is, the system does not force the user to log in again.

To restore the default value, in the WebAuth configuration mode, use the following command:
no password force-timeout

Configuring the Idle Timeout Value

If there is no traffic during a specified time period after successful authentication, the system disconnects the connection. By default, the system does not disconnect the connection if there is no traffic after successful authentication. To specify the idle timeout value, namely the idle time, use the following command in the WebAuth configuration mode:
password idle-timeout {timeout | disable}

• timeout – Specifies the idle timeout value (in minutes). The value range is 1 to 60*24 minutes.

• disable – Disables the idle timeout function, which means the system does not disconnect the connection if there is no traffic after successful authentication.

To restore the default value, in the WebAuth configuration mode, use the following command:
no password idle-timeout

Notes:
• If you pass Web authentication using mobile phones running iOS or Android, enable this function and specify the idle time. The mobile phones then stay online as long as they generate traffic.

• Some Hillstone devices (SG-6000-X6150, SG-6000-X6180, SG-6000-X7180 and SG-6000-X10800) do not support the configuration of the idle time.

Configuring the Heartbeat Timeout Value

When authentication is successful, the system automatically refreshes the login page before the configured timeout value ends in order to maintain the login status. If the idle time is configured at the same time, the user is logged off when the smaller of the two values is reached. To configure the heartbeat timeout value, in the WebAuth configuration mode, use the following command:
password heartbeat-timeout {interval | disable}

• interval – Specifies the heartbeat timeout value. The value range is 1 to 60*24*100 minutes. The default value is 10 minutes.

• disable – Disables the heartbeat timeout function.

To restore the default heartbeat timeout value, in the global configuration mode, use the following command:
no password heartbeat-timeout

SMS Authentication

Besides using a username and password during Web authentication, the system supports the SMS authentication method. After the SMS authentication function is enabled, the HTTP request is redirected to the Web authentication login page. On the login page, the user needs to enter the mobile phone number and the received SMS code. If the SMS code is correct, the user passes the authentication.
To enable SMS authentication, in the WebAuth configuration mode, use the following command:
mode sms

Configuring the Forced Timeout Value

After passing SMS authentication successfully, the user is re-authenticated when the timeout value is reached. To configure the timeout value, in the WebAuth configuration mode, use the following command:
sms force-timeout {timeout-value | disable}

• timeout-value – Specifies the forced timeout value. The value range is 10 to 60*24*100 minutes. The default value is 60 minutes.

• disable – Disables the forced timeout function, that is, the system does not force the user to authenticate again.

To restore the default value, in the WebAuth configuration mode, use the following command:
no sms force-timeout


Configuring the Idle Timeout Value

If there is no traffic during a specified time period after successful authentication, the system disconnects the connection. By default, the system does not disconnect the connection if there is no traffic after successful authentication. To specify the idle timeout value, in the WebAuth configuration mode, use the following command:
sms idle-timeout {timeout | disable}

• timeout – Specifies the idle timeout value (in minutes). The value range is 1 to 60*24 minutes.

• disable – Disables the idle timeout function, which means the system does not disconnect the connection if there is no traffic after successful authentication.

To restore the default value, in the WebAuth configuration mode, use the following command:
no sms idle-timeout

Configuring the Verification Code Interval

When using SMS authentication, users need to enter the SMS verification code received on the mobile phone, and the verification code becomes invalid when the timeout value is reached. If the verification code has not been used by then, the user needs to request a new SMS verification code. To configure the timeout value, in the global configuration mode, use the following command:
webauth sms-verify-code-timeout timeout-value

• timeout-value – Specifies the verification code interval. The range is 1 to 10 minutes. The default value is 1 minute.

In the global configuration mode, use the following command to restore the timeout value to the default:
no webauth sms-verify-code-timeout

Specifying the Sender Name or Sign Name

If the protocol type of the SMS Gateway is SGIP or USM, users can specify a message sender
name to display in the message content. If the protocol type of the SMS Gateway is ALIYUNSMS,
the sign name must be entered in this field: users must specify the sign name applied for in
Alibaba Cloud SMS, and it will be displayed in the message content. To specify the sender name or
sign name, in the WebAuth configuration mode, use the following command:
webauth sms-sender-name sender-name

l sender-name – Specifies the sender name or sign name. The length is 1 to 63 characters.

In the WebAuth configuration mode, use the following command to delete the sender name or
sign name:
no webauth sms-sender-name

Notes: Due to a limitation of the UMS enterprise information platform, when SMS gateway
authentication is enabled, the sender name displayed in the message is the name of the UMS
enterprise information platform.

Configuring the Verification Code Length

To specify the length of the SMS verification code, in the WebAuth configuration mode, use the
following command:
sms verification-code-length length

l length - Specifies the length of the SMS verification code. The range is 4 to 8 characters. The
default value is 6.

In the WebAuth configuration mode, use the no sms verification-code-length command to restore
the default value.
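The following Python class is an added illustration of the two settings above (the verification code interval and the verification code length); it is not part of StoneOS or of the Hillstone documentation, and it does not show how StoneOS itself implements SMS authentication. It generates a numeric code of the configured length from a cryptographically secure source, keeps the code valid only for the configured interval, compares the submitted code in constant time, and discards the code once it has been used. The phone numbers, the class and method names, and the decision that a wrong guess does not invalidate the outstanding code are assumptions made for the example.

```python
import hmac
import secrets
import time


class SmsVerificationCodes:
    """Issue and check one-time SMS verification codes. code_length plays the
    role of 'sms verification-code-length' (4 to 8 digits) and validity_min the
    role of 'webauth sms-verify-code-timeout' (1 to 10 minutes)."""

    DIGITS = "0123456789"

    def __init__(self, code_length=6, validity_min=1):
        if not 4 <= code_length <= 8:
            raise ValueError("code length must be 4 to 8 digits")
        if not 1 <= validity_min <= 10:
            raise ValueError("validity must be 1 to 10 minutes")
        self.code_length = code_length
        self.validity = validity_min * 60
        self.pending = {}  # phone number -> (code, expiry as epoch seconds)

    def issue(self, phone, now=None):
        """Generate a fresh code for this phone; any earlier code is superseded."""
        now = time.time() if now is None else now
        # secrets (CSPRNG), not random: the code is the only credential presented
        code = "".join(secrets.choice(self.DIGITS) for _ in range(self.code_length))
        self.pending[phone] = (code, now + self.validity)
        return code

    def verify(self, phone, submitted, now=None):
        """Return 'ok', 'mismatch', 'expired' or 'no-code'; a code is consumed on success."""
        now = time.time() if now is None else now
        entry = self.pending.get(phone)
        if entry is None:
            return "no-code"
        code, expires_at = entry
        if now >= expires_at:
            del self.pending[phone]  # timed out: the user must request a new code
            return "expired"
        # constant-time comparison so response timing does not leak matching digits
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return "mismatch"  # assumption: a wrong guess leaves the code outstanding
        del self.pending[phone]  # single use: the same code cannot be replayed
        return "ok"
```

The `now` parameter exists so the expiry behaviour can be exercised deterministically; in production it is left at the default and the wall clock is used.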

Specifying the Template Code

If the protocol type of the SMS Gateway is ALIYUNSMS, users must specify the code of the
SMS template applied in the SMS of Alibaba Cloud. To specify the template code, in the
WebAuth configuration mode, use the following command:
sms templatecode word

l word – Specifies the template code. The range is 1 to 30 characters. This parameter must
match the template code applied for in Alibaba Cloud SMS.

In the WebAuth configuration mode, use the following command to cancel the specified template
code:
no sms templatecode

Specifying SMS Modem to Send SMS

To specify SMS modem to send SMS, in the WebAuth configuration mode, use the following
command:
sms agent modem

Specifying SMS Gateway to Send SMS

To specify SMS gateway to send SMS, in the WebAuth configuration mode, use the following
command:
sms agent gateway sp-name

l sp-name – Specifies the SP instance name, which must be an existing SP. The length is 1 to 31
characters.

NTLM Authentication

To enable NTLM, in the WebAuth configuration mode, use the following command:
mode ntlm

Notes:
l For IE, you need to enable automatic logon with current username and pass-
word in order to complete the WebAuth automatically.

l For non-IE browsers, you need to type the username and password in the
prompt each time you try to access network resources.

Configuring Forced Timeout Value

Authentication only remains valid for a limited time after you have been authenticated by the
Active Directory server; after the timeout, you must type a valid username and password in the
WebAuth page again to continue accessing network resources. To configure the timeout, in the
WebAuth configuration mode, use the following command:
ntlm force-timeout {timeout-value | disable}

l timeout-value - Specifies the forced timeout value. The value range is 10 to 60*24*100
minutes.

l disable – Disables the forced timeout function, that is, the system does not force the user to
log in again.

To restore to the default value, in the WebAuth configuration mode, use the command:
no ntlm force-timeout

Using the Compatibility Mode

Since the NTLM function only supports users running Windows, you can use the compatibility
mode to ensure that users on other operating systems can still authenticate. In the compatibility
mode, the system falls back to password WebAuth when NTLM is enabled and the user fails NTLM
authentication. By default, the system takes no action when the user fails the authentication. To
use the compatibility mode, use the following command in the WebAuth configuration mode:
ntlm fallback-to-webform

To restore to the default value, in the WebAuth configuration mode, use the following command:
no ntlm fallback-to-webform

Configuring the Idle Timeout Value

If there is no traffic during a specified time period after the successful authentication, the system
will disconnect the connection. By default, system will not disconnect the connection if there is
no traffic after the successful authentication. To specify the idle timeout value, use the following
command in the WebAuth configuration mode:
ntlm idle-timeout {timeout | disable}

l timeout – Specifies the idle timeout value (in minutes). The value ranges from 1 to 60*24
minutes.

l disable – Disables the idle timeout function, which indicates that the system will not disconnect
the connection if there is no traffic after the successful authentication.

To restore to the default value, in the WebAuth configuration mode, use the following command:
no ntlm idle-timeout

Viewing the WebAuth Configuration Information

To view the current WebAuth configuration information, in any mode, use the following com-
mand:
show webauth

To view all the WebAuth configuration information, in any mode, use the following command:
show webauth detail

Viewing the Online User Information

To view the online WebAuth user information, in any mode, use the following commands:
show auth-user {webauth-ntlm | webauth-password | webauth-sms} [interface interface-name |
vrouter vrouter-name]

show user-mapping webauth {ntlm | password | sms} [ip ip-address | mac mac-address]
[vrouter vrouter-name]

Single Sign-On

Once a user has authenticated successfully, the system obtains the user's authentication
information, and the user can then access the Internet without authenticating again. SSO can be
realized through several independent methods, all of which achieve "no-sign-on" authentication
(the user does not need to enter a username and password).

Configuring AD Scripting for SSO

With the Single Sign-On (SSO) agent function enabled, users automatically pass authentication
on the device after they pass Active Directory authentication.
To use the AD Scripting function, you must first add the script program named Loginscript.exe,
which is provided by Hillstone, to the logon/logout script of the Active Directory server.

Notes: For information on how to add the script program "Loginscript.exe" to the
Active Directory server, refer to Example of Configuring AD Agent for SSO.

Entering the AD Scripting Configuration Mode

To enter the AD-Scripting configuration mode, use the following command in the global con-
figuration mode:
user-sso server ad-scripting default

Enabling the AD Scripting Function

By default, the AD Scripting function is disabled. To enable this function, use the following com-
mand in the AD-Scripting configuration mode:
enable
To disable the function, use the following command:
no enable

Specifying the AAA Server

To specify the AAA server referenced by the system, use the following command in the
AD-Scripting configuration mode:
aaa-server aaa-server-name

l aaa-server-name – Specifies the name of the AAA server. A Local, AD or LDAP server can be
selected. It is recommended to select the AD server that performs the authentication. After the
AAA server is selected, the system can query the user group and role of the online user on the
referenced AAA server, so as to apply policy control based on user group and role.

To cancel the above configuration, use the following command in the AD-Scripting configuration
mode:
no aaa-server

Configuring the Idle Time

If there is no traffic during a specified time period after the successful authentication, system will
delete the user authentication information. To specify the time period, namely the idle time, use
the following command in the AD Scripting configuration mode:
idle-timeout timeout

l timeout – Specifies the idle time (in minutes). The value ranges from 1 to 1440.

By default, the system will not delete the user authentication information if there is no traffic.
To restore the idle time to the default value, use the following command in the AD-Scripting
configuration mode:
no idle-timeout

Notes: Some Hillstone devices (SG-6000-X6150, SG-6000-X6180, SG-6000-X7180 and
SG-6000-X10800) do not support the configuration of idle time.


Configuring Simultaneously Online Settings

By default, if a user logs on again after his or her successful logon, the system disconnects the
original connection and replaces the original logon information with the new one. Thus, users with
the same credentials cannot be online simultaneously. If you want users with the same credentials
to be online simultaneously, use the following command in the AD-Scripting configuration mode:
no auto-kickout
To restore the settings to the default, use the following command in the AD-Scripting con-
figuration mode:
auto-kickout

Viewing Configuration Information

To view the configuration information of the AD Scripting function, use the following command
in any mode:
show user-sso server ad-scripting default

Viewing the User Mapping Information

To view the mapping information between user name and IP of AD Scripting, in any mode, use
the following command:
show user-mapping user-sso ad-scripting default

Viewing the Authenticated User Table

The user authentication information are stored in the authenticated user table. To view the user
authentication information, use the following command in any mode:
show auth-user ad-scripting

Deleting the User Mapping Information

To delete the user mapping information of the specified IP, in any mode, use the following com-
mand:
exec user-mapping user-sso ad-scripting kickout ip ip-address vrouter vrouter-name

Configuring SSO Radius for SSO

Receiving Radius Accounting Packets

The device can receive accounting packets that follow the standard Radius protocol, and then
perform the following actions according to the content of the packets:

l Generate user authentication information and add it to the authenticated user table.

l Reset the timeout value of the authenticated user.

l Delete the authenticated user from the table.

To enable the function above, take the following steps:

To enter the SSO-Radius configuration mode, in the global configuration mode, use the following
command:
user-sso server sso-radius default

In the SSO-Radius configuration mode, use the following command:
enable

To disable the function, in the SSO-Radius configuration mode, use the following command:
no enable
Note: After enabling SSO Radius, you should wait at least 20 seconds before disabling it, and vice
versa.

Specifying the AAA Server

Specify the AAA server that user belongs to. To specify the AAA server, in the SSO-Radius con-
figuration mode, use the following command:
aaa-server aaa-server-name

l aaa-server-name – Specifies the name of the AAA server. You can select a Local, AD or
LDAP server. After the AAA server is selected, the system can query the user group and role
information of the online user on the referenced AAA server, so as to apply policy control based
on user group and role.

To delete the AAA server, in the SSO-Radius configuration mode, use the following command:
no aaa-server

Specifying the Port Number for Receiving Radius Packets

To specify the port number for receiving Radius packets (the port cannot be configured in a
non-root VSYS), in the SSO-Radius configuration mode, use the following command:
port port

l port – Specifies the port number. The range is 1 to 65535. The default port is 1813.

Use the no port command to restore the port number to default.

Configuring the Radius Client

Specify the IP address of the Radius client. You can specify up to 8 clients. To specify the IP
address of the Radius clients and enter the Radius client configuration mode, in the SSO-Radius
configuration mode, use the following command:
client {any | A.B.C.D | X:X:X:X::X}

l any – Receive the packets sent from any Radius client.

l A.B.C.D – Receive the packets sent from the Radius client with the specified IPv4 address.

l X:X:X:X::X – Receive the packets sent from the Radius client with the specified IPv6 address.
This option is valid only when the system version is the IPv6 version.

To delete a configured Radius client, in the SSO-Radius configuration mode, use the no client {any |
A.B.C.D | X:X:X:X::X} command.

Configuring the Shared Secret

The system verifies each packet with the shared secret key and parses it only after the
verification succeeds; a packet that fails verification is dropped. Verification succeeds only when
the SSO Radius client is configured with the same shared secret key as the system, or when
neither side has a shared secret key configured. In the latter case any host that can reach the
configured port can inject accounting packets and create or delete authenticated users, so a
shared secret should always be configured. To configure the shared secret key, in the Radius
client configuration mode, use the following command:
shared-secret key-value

l key-value – Specifies the shared secret key. The length range is from 1 to 31 characters.

To delete the shared secret key, use the no shared-secret command.

Configuring the Heartbeat Timeout

Heartbeat timeout is used to configure the effective time for user authentication information of
Radius packets in the device. If there’s no update or delete packet of the user during the heart-
beat timeout, the device will delete the user authentication information.
To configure the heartbeat timeout, in the Radius client configuration mode, use the following
command:
heartbeat-timeout timeout

l timeout – Specifies the timeout value in minutes. The range is 0 to 1440. The default value
is 30. 0 means the entry never times out.

To restore the heartbeat timeout to default, in the Radius client configuration mode, use the no
heartbeat-timeout command.
To disable the heartbeat timeout, in the Radius client configuration mode, use the heartbeat-
timeout disable command.
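The following Python script is an added illustration of the receive side described in the sections above (Receiving Radius Accounting Packets, Configuring the Shared Secret and Configuring the Heartbeat Timeout); it is not part of StoneOS or of the Hillstone documentation, and it does not show how StoneOS itself processes these packets. It builds RFC 2866 Accounting-Request packets the way a Radius client would, verifies the Request Authenticator with the shared secret and drops packets that fail (which is what a mismatched or missing secret on one side produces), and then adds, refreshes or deletes entries in a user table keyed by Framed-IP-Address according to Acct-Status-Type, expiring entries that receive no update within the heartbeat timeout. The usernames, IP addresses, secrets, class and function names, and the decision to treat an Interim-Update for an unknown IP as a new login are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS code and attribute numbers from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3


def build_accounting_request(ident, attrs, secret):
    """Build an Accounting-Request the way a RADIUS client (NAS) does.
    Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets
    + Attributes + Secret), so only a holder of the secret can produce it."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """Recompute the authenticator with our copy of the secret. A mismatch
    means the client used a different (or no) secret, so the packet is dropped."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the TLV attribute list, rejecting truncated or zero-length entries."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def sample_packet(ident, status, user, ip, secret):
    """Constructed sample Accounting-Request for the example (not captured traffic)."""
    return build_accounting_request(ident, [
        (ATTR_USER_NAME, user.encode()),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status)),
    ], secret)


class SsoRadiusTable:
    """Authenticated-user table driven by accounting packets. heartbeat_timeout_min
    plays the role of the heartbeat-timeout setting: 0 means entries never expire."""

    def __init__(self, secret, heartbeat_timeout_min=30):
        self.secret = secret
        self.heartbeat = heartbeat_timeout_min * 60
        self.users = {}  # ip -> [username, expiry as epoch seconds or None]

    def handle(self, packet, now):
        """Process one packet received at time 'now'; return what was done."""
        if not verify_accounting_request(packet, self.secret):
            return "dropped"
        attrs = parse_attributes(packet)
        try:
            ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS]))
            status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
        except (KeyError, ValueError, struct.error):
            return "ignored"  # authentic, but carries nothing we can map to a user
        expiry = None if self.heartbeat == 0 else now + self.heartbeat
        if status == ACCT_STOP:
            return "deleted" if self.users.pop(ip, None) else "ignored"
        if status == ACCT_INTERIM_UPDATE and ip in self.users:
            self.users[ip][1] = expiry  # reset the timeout, keep the user
            return "refreshed"
        if status in (ACCT_START, ACCT_INTERIM_UPDATE):
            # assumption: an Interim-Update for an unknown IP is treated as a login
            name = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
            self.users[ip] = [name, expiry]
            return "added"
        return "ignored"

    def expire(self, now):
        """Remove users with no update or delete packet within the heartbeat timeout."""
        stale = [ip for ip, (_, exp) in self.users.items()
                 if exp is not None and exp <= now]
        for ip in stale:
            del self.users[ip]
        return stale

    def online(self):
        return {ip: name for ip, (name, _) in self.users.items()}
```

The authenticator is the only integrity check RFC 2866 provides for accounting packets, which is why the shared secret matters: without one, anybody who can send UDP to the configured port can add or remove users from the table by sending a Start or Stop packet.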

Configuring Idle Timeout

Idle timeout refers to the longest time during which the authenticated user keeps his/her authen-
ticated state in non-traffic state. When the configured idle timeout is exceeded, system will delete
the authentication information of the user.
To specify the idle timeout, in the SSO Radius client mode, use the following command:
idle-timeout time

l time – Specifies the idle timeout in minutes. The range is 0 to 1440. The default value is 0.
If it is set to 0, this function is disabled, which means the authenticated user will not be kicked
out when there is no traffic.

To restore the idle timeout to the default value, in the SSO Radius client mode, use the no
idle-timeout command.
To disable the idle timeout, in the SSO Radius client mode, use the idle-timeout disable
command.

Configuring Forced Timeout

When the online time of a user exceeds the configured force timeout time, system will force the
user to log out.
To specify the forced timeout, in the SSO Radius client mode, use the following command:
force-timeout time

l time - Specifies the forced timeout in minutes. The range is 0 to 144000 minutes, and the
default value is 600 minutes. If it is set to 0, this function is disabled.

To restore the forced timeout to the default value, in the SSO Radius client mode, use the no
force-timeout command.
To disable the forced timeout, in the SSO Radius client mode, use the force-timeout disable
command.

Viewing the SSO Radius Configuration Information

To view the SSO Radius configuration information, in any mode, use the following command:
show user-sso server sso-radius default

Viewing the User Mapping Information

To view the mapping information between the user name and IP of SSO Radius, in any mode, use
the following command:
show user-mapping user-sso sso-radius default

Viewing the Authentication User Table

The user authentication information generated by the device is saved in the authentication user
table. In any mode, use the following command:
show auth-user sso-radius

Deleting the User Mapping Information

To delete the user mapping information of the specified IP, in any mode, use the following com-
mand:
exec user-mapping user-sso sso-radius kickout ip ip-address vrouter vrouter-name

SSO via Agile Controller

When Agile Controller is enabled, the system can receive packets sent by the Agile Controller
server. The packets are sent when users log in to or log out of the server or when users update
their information. To realize SSO, the system obtains user authentication information, updates
online user information, and manages the user's login and logout according to the packets.

Entering the Agile Controller Configuration Mode

To enter the Agile Controller configuration mode, in the global configuration mode, use the fol-
lowing command:
user-sso server agile-controller default

Enabling/Disabling Agile Controller

By default, Agile Controller is disabled. To enable or disable Agile Controller, in the Agile Con-
troller configuration mode, use the following command:

l To enable: enable

l To disable: no enable

Specifying the Port for StoneOS to Receive Agile Controller Packets

To specify the port for StoneOS to receive packets from the Agile Controller server (Port cannot
be configured in non-root VSYS), in the Agile Controller configuration mode, use the following
command:
local-port port

l port - Specifies the port number. The range is 1024 to 65535. The default port number is
8001.

In the Agile Controller configuration mode, use no local-port command to restore to the default
port.

Specifying the AAA Server

Specify the AAA Server that the user belongs to. To specify the AAA server, in the Agile Con-
troller configuration mode, use the following command:
aaa-server aaa-server-name

l aaa-server-name - Specifies the name of the AAA server. You can select the configured Local,
AD, or LDAP server. After selecting the AAA server, the system can query the user group
and role information associated with the username of the online user on the referenced AAA
server, to realize the policy control based on the user group and role.

In the Agile Controller configuration mode, use no aaa-server command to cancel the specified
AAA server.

Specifying Query Address Range

To specify the address range of the source IP to be queried when the system actively queries the
information of the online user associated with the source IP from the Agile Controller server, in
the Agile Controller configuration mode, use the following command:
sync-address address-entry

l address-entry - Specifies the address range of the source IP (the configured address entry) to
be queried.

In the Agile Controller configuration mode, use the no sync-address command to cancel the spe-
cified query address range of the source IP.

Specifying the Query Rate

To specify the query rate when the system actively queries the information of the online user asso-
ciated with the source IP from the Agile Controller server, in the Agile Controller configuration
mode, use the following command:
sync-rate number

l number - Specifies the rate at which query packets are sent. The range is 5-40 times/second.

In the Agile Controller configuration mode, use no sync-rate command to restore to the default
query rate.

Specifying the Query Interval

To specify the query interval when the system actively queries the information of the online user
associated with the source IP from the Agile Controller server, in the Agile Controller con-
figuration mode, use the following command:
ip-sync-interval time

l time - Specifies the query interval between each source IP. The range is 1-100 seconds. The
default value is 20 seconds.

In the Agile Controller configuration mode, use no ip-sync-interval command to restore to the
default query interval.

Specifying the Maximum IPs Queried Each Time

To specify the maximum source IPs contained in a query packet when the system actively queries
the information of the online user associated with the source IP from the Agile Controller server,
in the Agile Controller configuration mode, use the following command:
max-ip-per-packet number

l number - Specifies the maximum source IPs contained in a query packet. The range is 1-50.
The default value is 50.

In the Agile Controller configuration mode, use no max-ip-per-packet command to restore to the
default value.

Specifying Forced Timeout

To specify the timeout after which access for the authenticated user is forcibly terminated, in the
Agile Controller configuration mode, use the following command:
force-timeout time

l time - Specifies the timeout. The range is 5 to 1440 minutes. The default timeout is 600
minutes.

In the Agile Controller configuration mode, use no force-timeout command to restore to the
default timeout.

Configuring an Agile Controller Client

To configure an Agile Controller client, you need to enter the configuration mode of the Agile
Controller client. In the Agile Controller configuration mode, use the following command:
access-agile-controller name

l name - Specifies the name of the Agile Controller server.

In the Agile Controller configuration mode, use the no access-agile-controller name command to
cancel the specified Agile Controller client.

Specifying the IP Address of the Agile Controller Server

To specify the IP address of the Agile Controller server, in the configuration mode of the Agile
Controller client, use the following command:
host ip-address [vrouter vr-name]

l ip-address - Specifies the IP address of the Agile Controller server.

l vrouter vr-name - Specifies the virtual router that the specified Agile Controller server
belongs to. If the VRouter is not specified, the system uses trust-vr by default.

In the configuration mode of the Agile Controller client, use the no host command to cancel the
specified IP address of the Agile Controller server.

Configuring the Shared Key

The system verifies the encrypted communication packets sent by the Agile Controller server by
using the shared key. The system parses the packets only when the verification is successful.
Otherwise, the system drops the packets. The Agile Controller client should be configured with
the same shared key as the Agile Controller server. Otherwise, the packets cannot be successfully
verified. To configure the shared key, in the configuration mode of the Agile Controller client,
use the following command:
shared-secret key-value

l key-value - Specifies the shared key. The range is 1-31 characters.

To clear the shared key, in the configuration mode of the Agile Controller client, use the no
shared-secret command.

Configuring the Encryption Algorithm

To specify the encryption algorithm applied in the communication between the system and the
Agile Controller server, in the configuration mode of the Agile Controller client, use the fol-
lowing command:
encryption [3des | aes128 ]

l 3des | aes128 - Specifies the encryption algorithm applied in the communication between the
system and the Agile Controller server. If this option is not specified, the system uses the
AES128 algorithm by default.

In the configuration mode of the Agile Controller client, use the no encryption command to
restore to the default encryption algorithm.

Enabling/Disabling Active Query

When Active Query is enabled, the system will actively query the information of the online users
from the Agile Controller server. By default, Active Query is disabled. To enable or disable Act-
ive Query, in the configuration mode of the Agile Controller client, use the following command:

l To enable: sync enable

l To disable: no sync enable

Displaying Configuration Information of the Agile Controller

To display configuration information of the Agile Controller, in any mode, use the following com-
mand:
show user-sso server agile-controller default

Configuring AD Polling for SSO

Creating an AD Polling Profile

To create an AD Polling profile and enter the AD-Polling configuration mode, in the global con-
figuration mode, use the following command:
user-sso client ad-polling profile-name

l profile-name - Specifies the name of the AD Polling profile to be created. After executing the
command, the system creates an AD Polling profile with the specified name and enters the AD
Polling configuration mode; if a profile with the specified name already exists, the system enters
the AD Polling configuration mode directly.

To delete the specified AD Polling profile, in the global configuration mode, use the following
command:
no user-sso client ad-polling profile-name

Enabling / Disabling the AD Polling Function

After enabling the AD Polling function, the system will regularly query the AD server to obtain
the online user information and probe the terminal PCs to verify whether the users are still online.
To enable the AD Polling function, in the AD-Polling configuration mode, use the following com-
mand:
enable

To disable the AD Polling function, in the AD-Polling configuration mode, use the following
command:
no enable

Specifying the Authentication Server

To specify the authentication AD server in the domain, in the AD-Polling configuration mode,
use the following command:
host ip-address

l ip-address - Specifies the IP address of the authentication AD server in the domain. Only an
AD server can be specified. After the authentication AD server is specified, each domain user
logon to that AD server is recorded on the server, which is what AD Polling queries. The length is
1 to 31 characters.

To delete the authentication servers in the domain, in the AD-Polling configuration mode, use
the following command:
no host

Specifying the AAA Server

To specify the AAA server referenced by system, in the AD-Polling configuration mode, use the
following command:
aaa-server server-name

l server-name - Specifies the name of the referenced AAA server. A Local, AD or LDAP server
can be selected. It is recommended to select the AD server that performs the authentication.
After the AAA server is selected, the system can query the user group and role of the online user
on the referenced AAA server, so as to apply policy control based on user group and role.

To delete the AAA server, in the AD-Polling configuration mode, use the following command:
no aaa-server

Specifying the Account

To specify the name of the domain user used to log in to the AD server, in the AD-Polling
configuration mode, use the following command:
account username

l username – Specifies the name of the domain user used to log in to the AD server. The format
is domain\username, and the length is 1 to 63 characters. The user must have permission to
read the security log on the AD server, for example the Administrator user, which belongs to
Domain Admins on the AD server.

To delete the account, in the AD-Polling configuration mode, use the following command:
no account

Specifying the Password

To specify the password corresponding to the domain user name, in the AD-Polling configuration
mode, use the following command:
password password

l password - Specifies the password corresponding to the user name. The range is 1 to 31 char-
acters.

To delete the password, in the AD-Polling configuration mode, use the following command:
no password

Specifying the AD Polling Interval

To specify the time interval for regular AD Polling probing, in the AD-Polling configuration
mode, use the following command:
ad-polling-interval interval

l interval - Specifies the time interval for regular AD Polling probing. The system queries the AD
server for the online user information at this interval. The range is 1 to 3600 seconds, and the
default value is 2 seconds. It is recommended to configure 2 to 5 seconds so that the online user
information is obtained in near real time.

To restore the configured time interval for regular AD Polling probing to default, in the AD-
Polling configuration mode, use the following command:
no ad-polling-interval

Specifying the Client Probing Interval

To specify the time interval for the regular client probing, in the AD-Polling configuration mode,
use the following command:
client-probing-interval time

l time – Specifies the time interval for regular client probing. The system probes, through WMI,
whether the online user is still online at this interval, and kicks the user out if the probe fails.
The range is 0 to 1440 minutes, and the default value is 0 minutes (the function is disabled). A
larger probing interval saves system resources; choose one if detecting offline users promptly is
not a requirement.

To restore the configured client probing interval to default, in the AD-Polling configuration
mode, use the following command:
no client-probing-interval

Specifying the Force Timeout Time

To specify the forced logout time, in the AD-Polling configuration mode, use the following com-
mand:

force-timeout time

l time - Specifies the forced logout time. When the online time of a user exceeds the configured
force timeout, the system kicks the user out and forces the user to log out. The range is 0 (the
function is disabled) to 144000 minutes, and the default value is 600 minutes.

To restore the configured force timeout time to default, in the AD-Polling configuration mode,
use the following command:
no force-timeout

Viewing the AD Polling Configuration

To view the AD Polling configuration on the system, or that of a specified profile, including the
name, status, AAA server, client probing interval, etc., in any mode, use the following command:
show user-sso client ad-polling [profile-name]

l profile-name – Specifies the name of the AD Polling profile. Shows the configuration
information of the specified AD Polling profile only.

Viewing the User Mapping Information

To view the mapping information between user name and IP of AD Polling, in any mode, use
the following command:
show user-mapping user-sso ad-polling profile-name

Viewing the Authenticated User Table

The user authentication information are stored in the authenticated user table. To view the user
authentication information, use the following command in any mode:
show auth-user ad-polling

Deleting the User Mapping Information

To delete the user mapping information of the specified IP, in any mode, use the following com-
mand:
exec user-mapping user-sso ad-polling kickout ip ip-address vrouter vrouter-name

Configuring SSO Monitor for SSO

SSO Monitor synchronizes the online status of users stored on external servers to the firewall
based on specified protocol packets, generates authenticated users on the firewall, and updates
the username-IP binding of online users in real time. In addition, SSO Monitor can extract the
user group of users from the packets so that users can avoid a repetitive login process. StoneOS
does not restrict the form and type of the external server: any server that can synchronize user
information to the firewall over a TCP connection using the SSO Monitor protocol can be used as
an external server, such as the AD Agent software.

Notes: To use AD Agent software to obtain user information in versions earlier than
StoneOS 5.5R10, you can connect the AD Agent by using SSO Monitor or configure the
security agent in Active-Directory server configuration mode. In StoneOS 5.5R10 and
later, the system no longer supports the security agent function. When the version is
upgraded to StoneOS 5.5R10 or later, the configured security agent function is
automatically converted to an SSO Monitor configuration that connects to the AD Agent
software. You can run the show user-sso client sso-monitor [profile-name] command to
view the configuration. The name of the converted SSO Monitor profile is the same as
that of the AD server.

Creating SSO Monitor Profile

To create SSO Monitor profile and enter the SSO-Monitor configuration mode, in the global con-
figuration mode, use the following command:
user-sso client sso-monitor profile-name

l profile-name - Specifies the name of the SSO Monitor profile to be created. After the command is
executed, the system creates the SSO Monitor profile with the specified name and enters SSO-
Monitor configuration mode; if a profile with the specified name already exists, the system
enters SSO-Monitor configuration mode directly.

To delete the specified SSO Monitor profile, in the global configuration mode, use the following
command:
no user-sso client sso-monitor name



Enabling/Disabling the SSO Monitor Function

After enabling SSO Monitor, the system establishes a connection with the external server over the
SSO-Monitor protocol and obtains the online status of users and information about the user group
of the users (optional). The system will also update the username-IP mapping information of
online users in real time. To enable SSO Monitor function, in the SSO-Monitor configuration
mode, use the following command:
enable

To disable SSO Monitor function, in the SSO-Monitor configuration mode, use the following
command:
no enable

Specifying the External Server

The external server must be able to send the online status of users to the firewall in
SSO-Monitor protocol packets. You need to configure at least one external server: host1, host2,
or host3. If you configure more than one external server, the servers other than the first one
serve as redundant backups. When a connection to one address fails, the system attempts to
connect to another external server. We recommend that you configure host1, host2, and host3 in
sequence.
To specify the external server, run the following commands in SSO-Monitor configuration mode:
host1 ip-address [vrouter vrouter-name]
host2 ip-address [vrouter vrouter-name]
host3 ip-address [vrouter vrouter-name]

l ip-address - Specifies the domain name or IP address of the external server, which can be 1 to
31 characters in length.

l vrouter-name - Specifies the name of the virtual router to which the communication interface
between the firewall and external server belongs.

In SSO-Monitor configuration mode, run the following command to delete a specified external
server:
no host {1 | 2 | 3}



Notes: In StoneOS 5.5R10 and later, SSO Monitor can connect to multiple external
servers to implement redundant backup. Therefore, a configured "host x.x.x.x" of
SSO Monitor is automatically converted to "host1 x.x.x.x" after the system is
upgraded to StoneOS 5.5R10. You can run the show user-sso client sso-monitor
[profile-name] command to view the converted configuration. The name of the converted
SSO Monitor profile is the same as that of the AD server.

Specifying the AAA Server

In the authenticated user architecture of the firewall, authenticated users and user groups
cannot exist independently; each must be associated with an AAA server. SSO Monitor users are
synchronized from the external server. By specifying an AAA server on the firewall, SSO Monitor
users can be associated with that AAA server.
To specify the AAA server referenced by the system, in the SSO-Monitor configuration mode, use
the following command:
aaa-server server-name

l server-name - Specifies the name of the referenced AAA server, which can be a Local, AD or
LDAP server. After the AAA server is selected, the system can query the user group and role
information of the online user on the referenced AAA server, so as to apply policy control
based on user group and role.

To delete the AAA server, in the SSO-Monitor configuration mode, use the following command:
no aaa-server

Specifying the Port

To specify the port number of the third-party authentication server, in the SSO-Monitor
configuration mode, use the following command:
port number



l number – Specifies the port number of the third-party authentication server. System will
obtain the authenticated user information through the port number. The default number is
6666. The range is 1024 to 65535.

To restore the port number to default, in the SSO-Monitor configuration mode, use the following
command:
no port

Specifying the Organization Source

To specify the organization source, in the SSO-Monitor configuration mode, use the following
command:
org-source [aaa-server | message]

l aaa-server - Specifies the organization source as the AAA server. The system uses the user
organization structure of the AAA server as the group the user belongs to. This is typically
used when the third-party authentication server authenticates against the AAA server and the
user organization structure is stored on the AAA server.

l message - Specifies the organization source as Message. The system uses the user group carried
in the authentication message as the group the user belongs to. This is typically used when the
third-party authentication server stores the user groups itself.

By default, the organization source is Message. To restore the default, in the SSO-Monitor
configuration mode, use the following command:
no org-source

Notes: In the scenario where AD Agent software is used to obtain user information,
if the security agent function is configured, it is automatically converted to an SSO
Monitor configuration that connects to the AD Agent software after the system is
upgraded to StoneOS 5.5R10. The organization source is AAA server after the
conversion. You can run the show user-sso client sso-monitor [profile-name] command
to view the converted configuration. The name of the converted SSO Monitor profile is
the same as that of the AD server.



Specifying the Disconnection Timeout

To specify the disconnection timeout, in the SSO-Monitor configuration mode, use the following
command:
disconn-del-timeout timeout

l timeout - Configures the disconnection timeout. When StoneOS is disconnected from the third-
party authentication server due to a timeout, the system waits for the disconnection timeout.
If it still cannot reconnect within the configured time, it deletes the online users. The range
is 0 to 1800 seconds, and the default value is 300. 0 means the user authentication information
never times out.

To restore the SSO Monitor disconnection timeout to default, in the SSO-Monitor configuration
mode, use the following command:
no disconn-del-timeout

Specifying Forced Timeout of SSO Monitor

To control the length of time that authenticated users are online, you can configure forced
timeout period of SSO Monitor to disconnect the users.
To specify forced timeout period of SSO Monitor, use the following command in SSO-Monitor
configuration mode:
force-timeout timeout

l timeout - Specifies the forced timeout period. Valid values: 0 to 6000 minutes. Default value:
0, which indicates that authenticated users never time out.

In SSO Monitor configuration mode, use the following command to restore the forced timeout
period of SSO Monitor to the default value:
no force-timeout



Tips: In the scenario where SSO Monitor connects to AD Agent, we do not recommend
setting the forced timeout period of SSO Monitor equal to or larger than the user
online duration configured in the AD Agent software.

Viewing the SSO Monitor Configuration

To view the SSO Monitor configuration owned or specified by the system, including name, status,
AAA server and client probing interval, in any mode, use the following command:
show user-sso client sso-monitor [profile-name]

l profile-name - Specifies the name of an SSO Monitor profile. When specified, the command shows
the configuration of that SSO Monitor profile only.

Viewing the User Mapping Information

To view the mapping information between user name and IP of SSO Monitor, in any mode, use
the following command:
show user-mapping user-sso sso-monitor profile-name

Viewing the Authentication User Table

The user authentication information generated by the device is saved in the authentication user
table. To view the authentication user table, in any mode, use the following command:
show auth-user sso-monitor

Deleting the User Mapping Information

To delete the user mapping information of the specified IP, in any mode, use the following com-
mand:
exec user-mapping user-sso sso-monitor kickout ip ip-address vrouter vrouter-name



Configuring TS Agent for SSO

Install and run Hillstone Terminal Service Agent on the Windows server. After TS Agent is
configured, when users log in to the Windows server using remote desktop services, Hillstone
Terminal Service Agent allocates port ranges to the users and sends the port ranges and user
information to the system. The system then creates mappings of traffic IPs, port ranges and
users, and so achieves "no-sign-on" authentication.
The configurations of TS Agent for SSO include:

l Configuring the TS Agent server: Installing and running Hillstone Terminal Service Agent in
Windows server.

l Configuring the TS Agent client: Configuring TS Agent parameters in StoneOS.

Notes: This section mainly describes how to configure TS Agent parameters in
StoneOS and the commands to view information about TS Agent. For installing and
running Hillstone Terminal Service Agent in Windows server, refer to "Example of
Configuring TS Agent for SSO" on Page 1132.

Creating TS Agent Profile

To create a TS Agent profile and enter the TS-Agent configuration mode, in the global
configuration mode, use the following command:
user-sso client ts-agent profile-name

l profile-name - Specifies the name of the TS Agent profile to be created. After the command is
executed, the system creates the TS Agent profile with the specified name and enters TS-Agent
configuration mode; if a profile with the specified name already exists, the system enters
TS-Agent configuration mode directly.

To delete the specified TS Agent profile, in the global configuration mode, use the following
command:
no user-sso client ts-agent profile-name



Enabling / Disabling the TS Agent Function

After TS Agent is enabled, StoneOS establishes an SSL connection with Hillstone Terminal Service
Agent and obtains user and port range information. The system also updates the mapping
information of traffic IPs, port ranges and user names for online users in real time.
To enable the TS Agent function, in the TS-Agent configuration mode, use the following command:
enable

To disable TS Agent function, in the TS-Agent configuration mode, use the following command:
no enable

Specifying the TS Agent Server

To specify the TS Agent server, in the TS-Agent configuration mode, use the following
command:
host {domain-name | ip-address} [vrouter vrouter-name]

l domain-name | ip-address - Specifies the management address of the TS Agent server. It can
be a domain name, or an IPv4 or IPv6 address.

l vrouter vrouter-name - Specifies the VRouter of the TS Agent server.

To delete the TS Agent server, in the TS-Agent configuration mode, use the following command:
no host

Specifying the TS Agent Port

To specify the port number of the TS Agent server, in the TS-Agent configuration mode, use the
following command:
port port-number

l port-number - Specifies the port number of the TS Agent server. The default number is
5019. The range is 1025 to 65534. This port number must be the same as the listening port
number of Hillstone Terminal Service Agent; otherwise, the TS Agent client and the TS
Agent server cannot communicate with each other.



To restore the port number to default, in the TS-Agent configuration mode, use the following
command:
no port

Specifying the AAA Server

To specify the AAA server referenced by the system, in the TS-Agent configuration mode, use the
following command:
aaa-server server-name

l server-name - Specifies the name of the referenced AAA server, which can be a Local, AD or
LDAP server. After the AAA server is selected, the system can query the user group and role
information of the online user on the referenced AAA server, so as to apply policy control
based on user group and role.

To delete the AAA server, in the TS-Agent configuration mode, use the following command:
no aaa-server

Specifying the Disconnection Timeout

To specify the disconnection timeout, in the TS-Agent configuration mode, use the following
command:
disconnection-timeout timeout

l timeout - Configures the disconnection timeout. When StoneOS is disconnected from Hillstone
Terminal Service Agent, the system waits for the disconnection timeout. If it still cannot
reconnect within the configured time, it deletes the online users. The range is 0 to 1800
seconds, and the default value is 300. 0 means the online users are deleted immediately.

To restore the TS Agent disconnection timeout to default, in the TS-Agent configuration mode,
use the following command:
no disconnection-timeout

Specifying the Traffic IP

To specify the traffic IP, in the TS-Agent configuration mode, use the following command:
traffic-ip ip-address

l ip-address - Specifies the traffic IP address, that is, the network interface IP address of the
TS Agent server. It can be an IPv4 or IPv6 address. You can specify up to 4 IP addresses.

To delete the specified traffic IP, in the TS-Agent configuration mode, use the following com-
mand:
no traffic-ip ip-address

Viewing the TS Agent Configuration

To view the TS Agent configuration owned or specified by the system, including name, enabling or
disabling status, TS Agent server, AAA server, disconnection timeout and traffic IP, in any mode,
use the following command:
show user-sso client ts-agent [profile-name]

l profile-name - Specifies the name of a TS Agent profile. When specified, the command shows the
configuration of that TS Agent profile only.

Viewing the TS Agent Status

To view the TS Agent status, including connection status, port range allocated to users, number
of ports per block, maximum number of block per user, keepalive interval and keepalive timeout,
in any mode, use the following command:
show user-sso client ts-agent profile-name status

Viewing the User Mapping Information

To view the user mapping information of TS Agent, in any mode, use the following command:
show user-mapping user-sso ts-agent profile-name

Viewing the Authentication User Table

The user authentication information generated by the device is saved in the authentication user
table. To view the authentication user table, in any mode, use the following command:
show auth-user ts-agent [port-range range | vrouter vrouter-name]



Deleting the User Mapping Information

To delete the user mapping information of the specified IP address and port range, or of the
specified user name, in any mode, use the following command:
exec user-mapping user-sso ts-agent kickout {ip ip-address vrouter vrouter-name port-range
range | username user-name auth-server server-name}
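The TS Agent mapping described in this section, as an added illustration that is not Hillstone's code: a TS-Agent-style allocator hands each terminal-server session blocks of source ports, and the firewall resolves a flow's (traffic IP, source port) to a user through those port ranges, deletes entries the way the kickout command does, and applies the disconnection timeout. The port range, block size and maximum blocks per user are constructed assumptions; only the 300-second timeout default comes from this page.

```python
"""Constructed model of the TS Agent user mapping; not Hillstone's implementation.

Several users share one terminal-server traffic IP, so the firewall cannot derive
a username from the IP alone. The agent hands each user blocks of source ports and
the firewall keys its mapping on (traffic IP, port range). Range, block size and
maximum blocks per user below are assumed values, not StoneOS defaults.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PortBlock:
    start: int
    end: int  # inclusive


@dataclass
class TsAgentAllocator:
    """Agent side: allocates fixed-size port blocks to users (assumed parameters)."""
    range_start: int = 20000
    range_end: int = 39999
    ports_per_block: int = 200
    max_blocks_per_user: int = 4
    allocations: Dict[str, List[PortBlock]] = field(default_factory=dict)
    _next: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self._next = self.range_start

    def allocate(self, user: str) -> PortBlock:
        """Give `user` one more block, enforcing the per-user cap and the range."""
        blocks = self.allocations.setdefault(user, [])
        if len(blocks) >= self.max_blocks_per_user:
            raise RuntimeError(f"{user}: maximum number of blocks reached")
        end = self._next + self.ports_per_block - 1
        if end > self.range_end:
            raise RuntimeError("port range exhausted")
        block = PortBlock(self._next, end)
        self._next = end + 1
        blocks.append(block)
        return block


@dataclass
class FirewallMapping:
    """Firewall side: (traffic IP, port range) -> user name."""
    disconnection_timeout: int = 300  # seconds; page default, 0 = delete at once
    entries: Dict[Tuple[str, int, int], str] = field(default_factory=dict)

    @staticmethod
    def _norm(ip: str) -> str:
        return str(ip_address(ip))  # canonical form so IPv6 spellings compare equal

    def learn(self, traffic_ip: str, block: PortBlock, user: str) -> None:
        """Record a mapping pushed by the agent (the user-mapping table above)."""
        self.entries[(self._norm(traffic_ip), block.start, block.end)] = user

    def resolve(self, src_ip: str, src_port: int) -> Optional[str]:
        """Identify the user behind a flow; None means the flow is not mapped."""
        ip = self._norm(src_ip)
        for (tip, start, end), user in self.entries.items():
            if tip == ip and start <= src_port <= end:
                return user
        return None

    def kickout_ip_range(self, traffic_ip: str, start: int, end: int) -> int:
        """Counterpart of kicking out by IP and port range; returns entries removed."""
        key = (self._norm(traffic_ip), start, end)
        return 1 if self.entries.pop(key, None) is not None else 0

    def kickout_user(self, user: str) -> int:
        """Counterpart of kicking out by user name; returns entries removed."""
        doomed = [k for k, u in self.entries.items() if u == user]
        for k in doomed:
            del self.entries[k]
        return len(doomed)

    def on_agent_disconnect(self, seconds_down: int) -> int:
        """Apply the disconnection timeout: once the agent has been unreachable for
        at least the timeout, every online user learned from it is deleted."""
        if seconds_down >= self.disconnection_timeout:
            removed = len(self.entries)
            self.entries.clear()
            return removed
        return 0
```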

Portal Authentication
The portal authentication function identifies and authenticates users when they want to access
the Internet via the device. After the portal authentication function is configured, HTTP
requests are redirected to the specified authentication page of the portal server. On this page,
you can visit free resources. To access other resources on the Internet, provide your username
and password on this page. After passing portal authentication successfully, the system assigns a
role to the user's IP address according to the policy configuration, and the assigned role
controls the resources that the IP address can access.
The portal server is configured by a third party; it receives portal authentication requests,
identifies and authenticates users, and exchanges authentication information with the device.
Configuring portal authentication involves the configurations in the following modules:

l Configure interfaces, zones, and role mapping rules.

l Configure the security agent function and the authentication information exchange with the
portal server.

l Create policy rules to define the traffic that will be authenticated, and trigger the portal authen-
tication function.

This section introduces how to define the traffic that will be authenticated, and how the policy
rule triggers the function.



Notes:
l For more information on the security agent function, see Configuring the Security
Agent.

l For more information on the third-party portal authentication server, see the
third-party user guide.

Configuring a Policy Rule that Triggers the Portal Authentication

To trigger the portal authentication function, you must configure the corresponding policy rule.
In the global configuration mode, use the following command:
rule [role {UNKNOWN | role-name} | user aaa-server-name user-name | user-group aaa-server-name
user-group-name] from src-addr to dst-addr service service-name application app-name {permit |
deny | tunnel tunnel-name | fromtunnel tunnel-name | webauth | portal-server portal-server-url}

action portal-server portal-server-url

l portal-server-url - Applies portal authentication to the traffic that matches the policy rule
and specifies the URL of the portal server. The URL can contain up to 63 characters and has the
format http://www.acertainurl.com or https://www.acertainurl.com.

Besides, you must specify the other required information in this command to define the traffic
that will be authenticated. For more information, see Configuring a Policy Rule in Policy.

Example of Configuring WebAuth

Example of Configuring HTTP WebAuth

In this example, WebAuth user access control is demonstrated. It allows only user1 who is authen-
ticated using WebAuth to access the Internet. All other accesses are denied. The WebAuth server
is the local AAA server named local.
Step 1: Configure the user, role and role mapping rule



hostname(config)# aaa-server local
hostname(config-aaa-server)# user-group usergroup1
hostname(config-user-group)# exit
hostname(config-aaa-server)# user user1
hostname(config-user)# password hillstone1
hostname(config-user)# group usergroup1
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)# role role1
hostname(config)# role-mapping-rule role-mapping1
hostname(config-role-mapping)# match user-group usergroup1 role role1
hostname(config-role-mapping)# exit
hostname(config)#

Step 2: Specify the role mapping rule for the local authentication server

hostname(config)# aaa-server local
hostname(config-aaa-server)# role-mapping-rule role-mapping1
hostname(config-aaa-server)# exit
hostname(config)#

Step 3: Configure interfaces and security zones

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone trust
hostname(config-if-eth0/0)# ip address 192.168.1.1/16
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/10
hostname(config-if-eth0/10)# zone untrust
hostname(config-if-eth0/10)# ip address 66.1.200.1/16
hostname(config-if-eth0/10)# exit
hostname(config)#

Step 4: Enable WebAuth function

hostname(config)# webauth
hostname(config-webauth)# enable
hostname(config-webauth)# protocol http
hostname(config-webauth)# exit
hostname(config)# policy-global
hostname(config-policy)# rule from any to any from-zone trust to-zone untrust service dns permit
hostname(config-policy)# rule role UNKNOWN from 192.168.1.1/16 to any service any webauth local
Rule id 4 is created
hostname(config-policy)# exit
hostname(config)#

Step 5: Configure policy rules

hostname(config)# policy-global
hostname(config-policy)# rule role role1 from 192.168.1.1/16 to any from-zone trust to-zone untrust service any permit
hostname(config-policy)# exit
hostname(config)#

After the above configuration, the system authenticates all HTTP requests (to external IP
addresses with a reachable route) from 192.168.1.1/16. Users can access the Internet after
providing the username user1 and password hillstone1 on the login page.



Example of Configuring NTLM Authentication

This section describes an NTLM authentication example. After the configuration, you can gain
access to network resources only if you have been authenticated by the Active Directory server.
To configure NTLM authentication, take the following steps:
Step 1: Configure an AAA server of Active-Directory type

hostname(config)# aaa-server ad type active-directory
hostname(config-aaa-server)# host 1.1.1.1
hostname(config-aaa-server)# base-dn dc=hillstonenet
hostname(config-aaa-server)# login-dn cn=user,dc=hillstonenet
hostname(config-aaa-server)# login-password admin
hostname(config-aaa-server)# exit
hostname(config)#

Step 2: Configure the WebAuth Server

hostname(config)# policy-global
hostname(config-policy)# rule from any to any service any webauth ad
hostname(config-policy)# exit
hostname(config)#

Step 3: Enable NTLM

hostname(config)# webauth
hostname(config-webauth)# mode ntlm

Step 4: Enable automatic logon with the current username and password in your web browser (IE
is used as an example)

1. In the toolbar of IE, click Tools > Internet Options. In the Internet Options dialog, click
Security > Custom level:

2. In the Security Settings - Internet Zone dialog, scroll to User Authentication, and click
Automatic Logon with current user name and password:

3. Click OK to save the settings. Log off from the system and log on again, and you can gain
access to network resources without WebAuth in IE.

Example of Configuring SSO

Example of Configuring AD Scripting for SSO

This section describes a typical AD Scripting example. After the configuration, you can be
authenticated by the device only if you have been authenticated by the Active Directory server.
The following steps only describe the configurations related to the AAA server and AD Scripting,
and omit other configurations.



Step 1: Configure an AAA server of Active-Directory type

hostname(config)# aaa-server ad type active-directory
hostname(config-aaa-server)# host 1.1.1.1
hostname(config-aaa-server)# base-dn dc=hillstonenet
hostname(config-aaa-server)# login-dn cn=user,dc=hillstonenet
hostname(config-aaa-server)# login-password admin
hostname(config-aaa-server)# exit
hostname(config)#

Step 2: Configure the AD Scripting

hostname(config)# user-sso server ad-scripting default
hostname(config-ad-scripting)# enable
hostname(config-ad-scripting)# aaa-server ad
hostname(config-ad-scripting)# exit
hostname(config)#

Step 3: In the Active-Directory server, import the logon/logout script

1. On the <AD Scripting> tab of the AD Agent software, click Get AD Scripting to get the
script "Logonscript.exe", and save it in a directory that all AD server users can access.

2. In the AD server, go to the Start menu and select Management Tools > Active Directory Users
and Computers.



3. In the prompt, right click the domain of SSO, and select Properties, then click <Group
Properties> tab.



4. Double click the group policy of SSO, and in the prompt, select User Configuration >
Windows > Script (Logon/Logout).



5. Double click Logon on the right, and click Add in the prompt.

6. In the prompt, click Browse and select the logon script (logonscript.exe), and then enter the
IP address of StoneOS for authentication, followed by a space and the text "logon".

7. Click OK.

8. Similarly, import the script into the logout setting: repeat steps 5-7 and use "logoff" in
step 6.

Notes: The directory in which the script is saved must be accessible to all domain users;
otherwise, a user who does not have access will not trigger the script when logging in or
out.



Example of configuring AD Polling for SSO

This section describes a typical example of configuring the AD Polling for SSO. After the con-
figuration, when the domain user logs in via the AD server, the AD server will generate the login
user information. After enabling the AD Polling function, system will query the AD server reg-
ularly to obtain the user login information and probe the terminal PC to verify whether the online
users are still online, thus getting correct authentication user information to achieve SSO.
To configure the AD Polling for SSO, take the following steps:
Step 1: Configure the AAA server referenced by AD Polling. You can select a Local, AD or LDAP
server; see Specifying the AAA Server. The AD server is used as an example:

hostname(config)# aaa-server ad type active-directory
hostname(config-aaa-server)# host 192.168.2.2
hostname(config-aaa-server)# base-dn dc=hillstonenet
hostname(config-aaa-server)# login-dn cn=user,dc=hillstonenet
hostname(config-aaa-server)# login-password admin
hostname(config-aaa-server)# exit
hostname(config)#

Step 2: Enable the AD Polling function and configure the authentication server, AAA server,
account, password, etc.

hostname(config)# user-sso client ad-polling test
hostname(config-ad-polling)# enable
hostname(config-ad-polling)# host 10.180.201.8
hostname(config-ad-polling)# account adpoll\administrator
hostname(config-ad-polling)# password hillstone
hostname(config-ad-polling)# aaa-server ad
hostname(config-ad-polling)# exit
hostname(config)#



Configuration Examples of Using SSO Monitor for SSO

AD Agent software can send user online status within the AD domain to the firewall by using
packets of SSO-Monitor protocol. Therefore, AD Agent software can be used as an external
server that connects SSO Monitor for SSO. In this example, AD Agent software is used to show
you how to implement SSO by connecting SSO Monitor with AD Agent.
Install the AD Agent software on the AD server or on a PC within the domain. When a user in the
domain logs in to the Active-Directory server, AD Agent records the username, IP address, and the
time when the user was most recently online, and sends the mappings between usernames and IP
addresses to StoneOS. This saves users from repeated logins and generates authenticated users on
the firewall. Using the obtained mappings between usernames and IP addresses, the system can also
implement user-based security statistics, log records, and online behavior auditing.
To use SSO Monitor for SSO, take the following steps:
Step 1: Install AD Agent and configure the corresponding parameters. AD Agent can be installed
on an AD server or a PC within the domain. It can run in the Windows and Windows Server envir-
onment. We recommend that you install AD Agent on Windows Server 2008 /2012/2016/2019
or Windows 7/10.
To install the AD Agent to an AD server or a PC in the domain, take the following steps:

1. Click http://swupdate.hillstonenet.com:1337/sslvpn/download?os=windows-adagent to
download the AD Agent software and copy it to a PC or a server within the domain.

2. Double-click ADAgentSetup.exe to open it and follow the installation wizard to install it.

3. Start AD Agent by using one of the following methods:

a. Double-click the AD Agent Configuration Tool shortcut on the desktop.

b. Click Start menu and select All apps > Hillstone AD Agent >AD Agent Con-
figuration Tool.



4. Click the <General> tab.

On the <General> tab, configure the following basic options.

l Agent Port - Enter the agent port number. AD Agent uses this port to communicate with
StoneOS. The range is 1025 to 65535. The default value is 6666. This port must be the same as
the monitoring port configured in StoneOS; otherwise, AD Agent and StoneOS cannot communicate
with each other.

l AD User Name - Enter the user name used to log in to the AD server. If AD Agent is running on
another PC in the domain, this user must have sufficient privilege to query event logs on the
AD server, such as the Administrator user whose privilege is Domain Admins on the AD server.

l Password - Enter the password that matches the user name. If the AD Security Agent is running
on the device where the AD server is located, the user name and password can be empty.

Server Monitor:

l Enable Security Log Monitor - Select to enable the function of monitoring event logs on the
AD Security Agent. The default query interval is 5 seconds. This function must be enabled if
the AD Security Agent is required to query user information.

l Monitor Frequency - Specifies the polling interval for querying the event logs on the different
AD servers. The default value is 5 seconds. When the query of an AD server finishes, AD Agent
sends the updated user information to the system.

l User online time - Specifies the online duration of a user after successful SSO. After the
user expires, it is forced to log out. The range is 1 to 99 hours and the default value is 8
hours.

Client Probing:

l Enable WMI probing - Select the check box to enable WMI probing.

  l To enable WMI to probe the terminal PCs, the terminal PCs must have the RPC service and
  remote management enabled. To enable the RPC service, go to Control Panel > Administrative
  Tools > Services and start Remote Procedure Call and Remote Procedure Call Locator; to enable
  remote management, run the command prompt (cmd) as administrator and enter the command
  netsh firewall set service RemoteAdmin.

  l WMI probing is an auxiliary method for security log monitoring, which probes all IPs in the
  Discovered Users list. When the probed domain name does not match the stored name, the
  stored name is replaced by the probed name.

l Probing Frequency - Specifies the interval of active probing. The range is 1 to 99 minutes and
the default value is 20 minutes.

5. On the <Discovered Server> tab, click Auto Discover to start automatically scanning for the
AD servers in the domain. Alternatively, click Add and enter the IP address of a server to add
it manually.

6. On the <Filtered User> tab, type the user name that needs to be filtered into the Filtered
user text box. Click Add, and the user is displayed in the Filtered User list. You can
configure up to 100 filtered users, which are not case sensitive.

7. Click the <Discovered User> tab to view the detected mappings between user names and user
addresses. Users added to the Filtered User list are not displayed in the Discovered User
list.

8. Click Commit to submit all settings and start the AD Agent service at the same time.



Notes: After you have committed, AD Agent service will be running in the back-
ground all the time. If you want to modify settings, you can edit in the AD Agent
Configuration Tool and click Commit. The new settings can take effect imme-
diately.

Step 2: Configure the AAA server referenced by SSO Monitor.

hostname(config)# aaa-server ad type active-directory

hostname(config-aaa-server)# host 192.168.2.2

hostname(config-aaa-server)# base-dn dc=hillstonenet

hostname(config-aaa-server)# login-dn cn=user,dc=hillstonenet

hostname(config-aaa-server)# login-password admin

hostname(config-aaa-server)# exit

hostname(config)#

Step 3: Enable and configure SSO Monitor function. Specify the authentication server, the ref-
erenced AAA server, organization source and so on.

hostname(config)# user-sso client sso-monitor test

hostname(config-ad-polling)# enable

hostname(config-ad-polling)# host 10.180.201.8 vrouter trust-vr

hostname(config-ad-polling)# aaa-server ad

hostname(config-ad-polling)# org-source aaa-server

hostname(config-ad-polling)# port 6666

hostname(config-ad-polling)# exit

hostname(config)#

Configuration Examples of SSO Radius Login

The following is a configuration example for the SSO Radius function. After configuring the SSO
Radius function, the system can receive accounting packets based on the Radius standard
protocol. From these packets the system obtains user authentication information, updates the
online user information and manages the user's login and logout.
To use SSO Radius for SSO, take the following steps:
Step 1: Configure the AAA server referenced by SSO Radius. You can select a configured
Local, AD or LDAP server. For the configuration method, see Configuring an AAA Server. Here
an AD server is taken as the example.

hostname(config)# aaa-server ad type active-directory

hostname(config-aaa-server)# host 1.1.1.1

hostname(config-aaa-server)# base-dn dc=hillstonenet

hostname(config-aaa-server)# login-dn cn=user,dc=hillstonenet

hostname(config-aaa-server)# login-password admin

hostname(config-aaa-server)# exit

hostname(config)#

Step 2: Enable SSO Radius function, as well as specify the referenced AAA server, IP address of
the client and so on.

hostname(config)# user-sso server sso-radius default

hostname(config-sso-radius)# enable

hostname(config-sso-radius)# aaa-server ad

hostname(config-sso-radius)# client 2.2.2.2

hostname(config-sso-radius-client)# exit

hostname(config-sso-radius)# exit

hostname(config)#
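The SSO Radius function above relies on the device accepting Accounting-Request packets only from the configured client and only when their Request Authenticator checks out against the shared secret. The following added example (not StoneOS code, and not Hillstone's implementation) shows what that receiving side does in Python with the standard library only: it verifies the RFC 2866 Request Authenticator, decodes User-Name, Framed-IP-Address and Acct-Status-Type, and keeps an online-user table keyed by IP that Start and Interim-Update packets populate and Stop packets clear. The packets, the user name, the IP address and the shared secret in `demo()` are all constructed for the example; `build_acct_request` exists only to produce that test input.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Tuple

# RADIUS code and attribute numbers used by accounting (RFC 2865 / RFC 2866)
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3


def build_acct_request(secret: bytes, ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Builds a constructed Accounting-Request (test input only). The Request
    Authenticator is MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", atype, len(value) + 2) + value for atype, value in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_acct_request(pkt: bytes, secret: bytes) -> Dict[str, object]:
    """Checks the Request Authenticator with the shared secret, then decodes the
    attributes an SSO client needs. Raises ValueError for anything it must not trust."""
    if len(pkt) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    body = pkt[20:length]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(pkt[4:20], expected):
        raise ValueError("Request Authenticator mismatch (wrong secret or altered packet)")
    attrs: Dict[int, bytes] = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[pos]] = body[pos + 2:pos + body[pos + 1]]
        pos += body[pos + 1]
    ip = attrs.get(ATTR_FRAMED_IP_ADDRESS)
    status = attrs.get(ATTR_ACCT_STATUS_TYPE)
    return {
        "user": attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace"),
        "ip": str(ipaddress.IPv4Address(ip)) if ip is not None and len(ip) == 4 else None,
        "status": struct.unpack("!I", status)[0] if status is not None and len(status) == 4 else None,
    }


class OnlineUsers:
    """Online-user table keyed by IP, driven by Start / Interim-Update / Stop."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.by_ip: Dict[str, str] = {}

    def handle(self, pkt: bytes) -> str:
        try:
            rec = parse_acct_request(pkt, self.secret)
        except ValueError as exc:
            return f"dropped: {exc}"
        user, ip, status = rec["user"], rec["ip"], rec["status"]
        if not user or ip is None:
            return "dropped: missing User-Name or Framed-IP-Address"
        if status in (ACCT_START, ACCT_INTERIM_UPDATE):
            self.by_ip[ip] = user          # login, or refresh of an existing session
            return f"online {user} @ {ip}"
        if status == ACCT_STOP:
            if self.by_ip.get(ip) == user:
                del self.by_ip[ip]
                return f"offline {user} @ {ip}"
            return f"ignored: Stop for unknown session {user} @ {ip}"
        return "ignored: unsupported Acct-Status-Type"


def demo() -> Tuple[List[str], Dict[str, str], Dict[str, str]]:
    """Feeds three constructed packets to the table. The second one was built with
    a different secret, which is what a misconfigured or untrusted sender produces."""
    secret = b"constructed-shared-secret"      # assumption: the secret set on both sides
    ip = ipaddress.IPv4Address("192.168.1.50").packed   # constructed client address

    def attrs(status: int) -> List[Tuple[int, bytes]]:
        return [(ATTR_USER_NAME, b"user1"), (ATTR_FRAMED_IP_ADDRESS, ip),
                (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))]

    table = OnlineUsers(secret)
    results = [table.handle(build_acct_request(secret, 1, attrs(ACCT_START)))]
    after_start = dict(table.by_ip)
    results.append(table.handle(build_acct_request(b"other-secret", 2, attrs(ACCT_STOP))))
    results.append(table.handle(build_acct_request(secret, 3, attrs(ACCT_STOP))))
    return results, after_start, dict(table.by_ip)
```

The authenticator check is the whole point: a Stop packet that passes it logs the user out, so the shared secret and the `client` address configured above are what stop a third party on the network from forcing logouts or planting bogus logins. Note that the authenticator is keyed MD5, so the shared secret should be long and random; the comparison uses `hmac.compare_digest` to avoid leaking timing information.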

Example of Configuring TS Agent for SSO

This section describes a typical TS Agent for SSO example, in which the Hillstone Terminal
Service Agent is installed and run on the Windows server. After the TS Agent is configured, when
users log in to the Windows server using remote desktop services, the Hillstone Terminal Service
Agent allocates port ranges to the users and sends the port ranges and user information to the
system. At the same time, the system creates the mappings between traffic IPs, port ranges and
users, and achieves "no-sign-on" authentication.
The configurations of TS Agent for SSO include:

l Configuring the TS Agent server: Installing and running Hillstone Terminal Service Agent in
Windows server.

l Configuring the TS Agent client: Configuring TS Agent parameters in StoneOS.

Step 1: Installing and running Hillstone Terminal Service Agent in Windows server

1. Click http://swupdate.hillstonenet.com:1337/sslvpn/download?os=windows-tsagent to
download a Hillstone Terminal Service Agent installation program, and copy it to the Win-
dows server.

Notes:
l Windows Server 2008 R2, Windows Server 2016, and Windows
Server 2019 are currently supported. Windows Server 2008 R2 Ser-
vice Pack 1 and KB3033929 must be installed if Windows Server
2008 R2 is used.

l It's recommended to close the anti-virus software before installing
Hillstone Terminal Service Agent in Windows server.

2. Double-click HSTSAgent.exe to open it and follow the installation wizard to install it.

3. Double-click the Hillstone Terminal Service Agent shortcut, and the Hill-
stone Terminal Service Agent dialog pops up.



4. Click the Agent config tab and configure as below:

l Listening Address IPv4: 0.0.0.0

l Listening Port (1025-65534):5019

l Heartbeat Interval (1-30s): 5

l Heartbeat Timeout (10-300s): 60

Click Save to save the configurations.

5. Click the Port config tab and configure as below:

l User Allocable Port Range (1025-65534): 20000-39999

l User Port Block Size (20-2000): 200

l User Port Block Max (1-256): 1

l Passthrough when user port exhausted: Select the check box

Click Save to save the configurations.

Step 2: Configuring TS Agent parameters in StoneOS

hostname(config)# user-sso client ts-agent tsagent1

hostname(config-ts-agent)# host 10.1.1.1

hostname(config-ts-agent)# aaa-server local

hostname(config-ts-agent)# traffic-ip 10.1.1.1

hostname(config-ts-agent)# enable

hostname(config-ts-agent)# exit

hostname(config)#
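The Port config values in Step 1 (allocable range 20000-39999, block size 200, at most one block per user, passthrough when exhausted) determine how a source port on the traffic IP is attributed to a user. The following added example is a Python model of that mapping written for this page; it is not the TS Agent's or StoneOS's code, and the way it hands out ports in order within a block, the user names and the `10.1.1.1` traffic IP are assumptions made for the illustration. It shows the agent side (a user's next source port, a new block when the current one is used up, passthrough once the per-user quota is reached) and the firewall side (`user_for`, the lookup from traffic IP and source port to user).

```python
from typing import Dict, List, Optional


class TsAgentPortMap:
    """Model of the TS Agent user-to-port-block mapping. The defaults are the Port
    config values from the walkthrough (20000-39999, block size 200, one block per user)."""

    def __init__(self, traffic_ip: str = "10.1.1.1", range_start: int = 20000, range_end: int = 39999,
                 block_size: int = 200, max_blocks: int = 1, passthrough: bool = True) -> None:
        if not (1025 <= range_start < range_end <= 65534) or not (20 <= block_size <= 2000):
            raise ValueError("values outside the ranges the agent accepts")
        self.traffic_ip, self.range_start, self.range_end = traffic_ip, range_start, range_end
        self.block_size, self.max_blocks, self.passthrough = block_size, max_blocks, passthrough
        # Cut the allocable range into whole blocks; a trailing partial block is never handed out.
        self.free_blocks: List[int] = list(range(range_start, range_end - block_size + 2, block_size))
        self.user_blocks: Dict[str, List[int]] = {}     # user -> start ports of the blocks it holds
        self.ports_used: Dict[str, int] = {}            # user -> source ports already handed out

    def _grant_block(self, user: str) -> Optional[int]:
        if len(self.user_blocks.get(user, [])) >= self.max_blocks or not self.free_blocks:
            return None
        start = self.free_blocks.pop(0)
        self.user_blocks.setdefault(user, []).append(start)
        return start

    def next_source_port(self, user: str) -> Optional[int]:
        """A logged-in user opens a new connection. Returns None when the user's blocks
        are used up and passthrough is on: the connection then leaves with an unmanaged
        port and the firewall cannot attribute it to the user."""
        used = self.ports_used.get(user, 0)
        if used >= len(self.user_blocks.get(user, [])) * self.block_size:
            if self._grant_block(user) is None:
                if self.passthrough:
                    return None
                raise RuntimeError(f"{user}: port blocks exhausted and passthrough disabled")
        block_index, offset = divmod(used, self.block_size)
        self.ports_used[user] = used + 1
        return self.user_blocks[user][block_index] + offset

    def user_for(self, src_ip: str, src_port: int) -> Optional[str]:
        """The firewall-side lookup: (traffic IP, source port) -> user, or None."""
        if src_ip != self.traffic_ip or not (self.range_start <= src_port <= self.range_end):
            return None
        start = self.range_start + (src_port - self.range_start) // self.block_size * self.block_size
        return next((u for u, blocks in self.user_blocks.items() if start in blocks), None)

    def logout(self, user: str) -> int:
        """Returns the user's blocks to the pool so they can be reused; returns how many."""
        blocks = self.user_blocks.pop(user, [])
        self.ports_used.pop(user, None)
        self.free_blocks = sorted(self.free_blocks + blocks)
        return len(blocks)


def demo() -> Dict[str, object]:
    """Two constructed users on one terminal server with the walkthrough's settings."""
    pm = TsAgentPortMap()
    alice_ports = [pm.next_source_port("alice") for _ in range(200)]
    out: Dict[str, object] = {
        "alice_first": alice_ports[0],
        "alice_last": alice_ports[-1],
        "alice_201st": pm.next_source_port("alice"),   # quota used up, passthrough -> None
        "bob_first": pm.next_source_port("bob"),
        "who_20150": pm.user_for("10.1.1.1", 20150),
        "who_20250": pm.user_for("10.1.1.1", 20250),
        "who_45000": pm.user_for("10.1.1.1", 45000),   # outside the managed range
        "who_other_ip": pm.user_for("10.1.1.2", 20150),
        "alice_blocks_freed": pm.logout("alice"),
    }
    out["who_20150_after_logout"] = pm.user_for("10.1.1.1", 20150)
    return out


def second_block_demo() -> Optional[int]:
    """With User Port Block Max raised to 2, the 201st connection gets a new block."""
    pm = TsAgentPortMap(max_blocks=2)
    for _ in range(200):
        pm.next_source_port("alice")
    return pm.next_source_port("alice")
```

The passthrough case is the one to keep in mind when reading policy logs: once a user has exhausted their blocks, their further connections still pass the Windows server but arrive at the firewall without a user identity, so role-based rules treat them as unauthenticated traffic. Raising User Port Block Max, or lowering the block size for many small sessions, changes how soon that happens.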

Example of Configuring Agile Controller for SSO

This section describes a typical example of configuring the Agile Controller for SSO. After the
configuration, the system can get correct authentication user information in the following two ways to
achieve SSO:

l Receiving packets sent by the Agile Controller server. The packets are sent when users log in
to or log out of the server or when users update their information.

l When the traffic flowing through the device matches the configured query address range and
there is no corresponding authenticated user locally, the system will actively query the user
information from the Agile Controller server and update the local user information.

To configure the Agile Controller for SSO, take the following steps:
Step 1: Configure the AAA server referenced by the Agile Controller. You can select a Local, AD or
LDAP server; see Specifying the AAA Server. Take the AD server as an example:

hostname(config)# aaa-server ad type active-directory

hostname(config-aaa-server)# host 192.168.2.2

hostname(config-aaa-server)# base-dn dc=hillstonenet

hostname(config-aaa-server)# login-dn cn=user,dc=hillstonenet

hostname(config-aaa-server)# login-password admin

hostname(config-aaa-server)# exit

hostname(config)#

Step 2: Enable the Agile Controller function and configure the AAA server, the address range of
the source IP to be queried, the IP address of the Agile Controller server and the shared key.

hostname(config)# user-sso server agile-controller default

hostname(config-agile-controller)# enable

hostname(config-agile-controller)# aaa-server ad

hostname(config-agile-controller)# sync-address address_book1

hostname(config-agile-controller)# access-agile-controller test

hostname(config-agile-controller-client)# host 1.1.1.1 vrouter trust-vr

hostname(config-agile-controller-client)# shared-secret Agilecon@123

hostname(config-agile-controller-client)# sync enable

hostname(config-agile-controller-client)# exit

hostname(config-agile-controller)# exit

hostname(config)#

Example of Configuring Portal Authentication


This section describes a typical portal authentication configuration example.
This example allows only user1 who is authenticated using portal authentication to access the
Internet. All other accesses are denied. The authentication server is the portal authentication
server and the URL of the portal server is 192.168.1.2.
Step 1: Configure the role and role mapping rule

hostname(config)# role role1

hostname(config)# role-mapping-rule role-mapping1

hostname(config-role-mapping)# match user-group usergroup1 role role1

hostname(config-role-mapping)# exit

hostname(config)#

Step 2: Configure interfaces and security zones

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 192.168.1.1/16

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 66.1.200.1/16

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone dmz

hostname(config-if-eth0/2)# ip address 192.168.2.1/16

hostname(config-if-eth0/2)# exit

hostname(config)#

Step 3: Configure the role mapping rule of the portal authentication server and enable the security
agent function

hostname(config)# aaa-server AD type active-directory

hostname(config-aaa-server)# role-mapping-rule role-mapping1

hostname(config-aaa-server)# host 192.168.2.2

hostname(config-aaa-server)# base-dn “dc=hillstone”

hostname(config-aaa-server)# login-dn “user=administrators”

hostname(config-aaa-server)# login-password password1

hostname(config-aaa-server)# agent

hostname(config-aaa-server)# exit

hostname(config)#

Step 4: Trigger the portal authentication function via the policy rule

hostname(config)# rule id 1

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-ip 192.168.2.2/16

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

hostname(config)# rule id 2

hostname(config-policy-rule)# role UNKNOWN

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# action portal-server http://192.168.2.2/

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

hostname(config)# rule id 3 from any to any service any permit

Step 5: Configure a policy rule that allows the access

hostname(config)# policy-global

hostname(config-policy)# rule role role1 from 192.168.1.1/16 to any service any permit

hostname(config-policy)# exit

hostname(config)#

After the above configurations, the system will require authentication for all HTTP access. Users
can access the Internet after providing the username user1 and password hillstone1 on the login
page.


802.1X Authentication

Overview
802.1X is a standard defined by IEEE for Port-based Network Access Control. It uses Layer 2-
based authentication to verify the legitimacy of users accessing the network through the LAN.
Before authentication, the security device only allows 802.1X messages to pass through the port;
after authentication, all normal traffic can pass through.

802.1X Architecture

The 802.1X authentication architecture includes three components: client, authenticator and
authentication server. The figure below shows the diagram of the 802.1X authentication architecture.

Only when all three components are present can 802.1X authentication be completed.

l Client: After you start the client program and enter your username and password, the client
program sends requests for 802.1X authentication to the authenticator. Clients need to support
the EAP protocol and should be running 802.1X client software.

l Authentication Server: The server stores users’ information, verifies whether users have the
right to use network resources, and returns the authentication results to the authenticator.
StoneOS supports a local authentication server or a RADIUS server to implement authentication
and authorization.

l Authenticator (Hillstone device): The authenticator provides a physical interface for clients to
access the LAN. It transmits users’ information to the authentication server or returns it to
the client, and then enables or disables the interface according to the server’s authentication
results. The authenticator acts as an agent between the client and the authentication server.



802.1X Authentication Process

Authentication methods of 802.1X include EAP-MD5, EAP-TLS and EAP-PEAP. Different
methods have different authentication processes.

Authenticating by EAP-MD5 Method

Here, take the EAP-MD5 authentication method as the example to introduce the basic 802.1X
authentication process:

1. When you need to access the network, start the 802.1X client program and enter your
username and password to send a connection request. The authentication process starts.

2. After the authenticator receives the connection request from the client, it asks the client
to send its username.

3. The client responds and sends its username to the authenticator.

4. The authenticator encapsulates the data received from the client and delivers it to the
authentication server.

5. The authentication server checks the received username against the user information in
its own database and looks up the password of the user. After that, the server generates
random characters (a challenge) used to encrypt the password, and sends them to the
authenticator.

6. The authenticator sends the random characters to the client, and the client uses them to
encrypt its password and transmits the result back to the authentication server.

7. The authentication server compares the encrypted password information it received with
its own encrypted password information. If they match, the authenticator considers the
user a legitimate user and allows the user to access the network through the interface. If
they do not match, the authenticator refuses the user access to the network and keeps the
interface in the non-authenticated state.
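The seven steps above are the EAP-MD5 exchange of RFC 3748 section 5.4, where the "encrypted" value is MD5(Identifier || password || challenge). The following added example (written for this page, not StoneOS's, the client's or any RADIUS server's code) carries that exchange through in Python: an `AuthServer` holding a user database, a `Supplicant` answering the Identity and MD5-Challenge requests, and `run_exchange` standing in for the authenticator that relays the messages. The `user1` / `hillstone1` credentials are constructed for the example. `replay_is_rejected` shows why the challenge in step 5 must be fresh each time: a captured response is useless against a new challenge.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def eap_packet(code: int, ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """EAP header (Code, Identifier, Length) followed by Type and type data (RFC 3748)."""
    return struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([eap_type]) + data


def md5_challenge_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """The value both sides compute (step 6 above): MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class Supplicant:
    """The 802.1X client. It never sends the password, only the hashed challenge."""

    def __init__(self, username: bytes, password: bytes) -> None:
        self.username, self.password = username, password

    def answer(self, request: bytes) -> bytes:
        code, ident, length = struct.unpack("!BBH", request[:4])
        if code != EAP_REQUEST or length != len(request):
            raise ValueError("not an EAP request")
        eap_type = request[4]
        if eap_type == EAP_TYPE_IDENTITY:                 # steps 2-3: send the user name
            return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.username)
        if eap_type == EAP_TYPE_MD5_CHALLENGE:            # step 6: hash and return
            value_size = request[5]
            challenge = request[6:6 + value_size]
            value = md5_challenge_value(ident, self.password, challenge)
            return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5_CHALLENGE,
                              bytes([len(value)]) + value + self.username)
        raise ValueError(f"unsupported EAP type {eap_type}")


class AuthServer:
    """The local or RADIUS server side. EAP-MD5 needs the cleartext password on
    file (step 5), one reason the guide prefers EAP-TLS where a PKI exists."""

    def __init__(self, users: Dict[bytes, bytes]) -> None:
        self.users = users                                # constructed user database

    def identity_request(self, ident: int) -> bytes:
        return eap_packet(EAP_REQUEST, ident, EAP_TYPE_IDENTITY)

    def challenge(self, ident: int) -> Tuple[bytes, bytes]:
        """Step 5: a fresh 16-byte random challenge, kept to check the response."""
        challenge = os.urandom(16)
        return challenge, eap_packet(EAP_REQUEST, ident, EAP_TYPE_MD5_CHALLENGE,
                                     bytes([16]) + challenge)

    def verify(self, response: bytes, ident: int, challenge: bytes) -> bool:
        """Step 7: recompute the value for the stored password and compare."""
        code, rid, length = struct.unpack("!BBH", response[:4])
        if (code != EAP_RESPONSE or rid != ident or length != len(response)
                or response[4] != EAP_TYPE_MD5_CHALLENGE):
            return False
        value_size = response[5]
        value, name = response[6:6 + value_size], response[6 + value_size:length]
        password = self.users.get(name)
        if password is None:
            return False                                  # unknown user: same answer as a bad password
        return hmac.compare_digest(value, md5_challenge_value(ident, password, challenge))


def run_exchange(server: AuthServer, client: Supplicant) -> Tuple[bytes, bool]:
    """The authenticator relays the four EAP messages and reports the result it
    would use to authorize the port or leave it unauthenticated."""
    id_resp = client.answer(server.identity_request(1))
    username = id_resp[5:]
    challenge, req = server.challenge(2)
    ok = server.verify(client.answer(req), 2, challenge)
    return username, ok


def replay_is_rejected(server: AuthServer, client: Supplicant) -> bool:
    """A response captured from one exchange fails against a new challenge."""
    challenge1, req1 = server.challenge(7)
    captured = client.answer(req1)
    challenge2, _ = server.challenge(7)
    return server.verify(captured, 7, challenge1) and not server.verify(captured, 7, challenge2)
```

Two properties of the method follow directly from the code: the server cannot store a salted password hash because it must feed the cleartext password into MD5, and nothing authenticates the server to the client, which is what EAP-TLS adds in the next section.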



Authenticating by EAP-TLS Method

EAP-TLS is an 802.1X authentication method in which the client and the server authenticate each
other. First, the server sends its own digital certificate to the client. When the certificate is
verified to be valid, the client sends the user’s digital certificate to the server. If that certificate
is valid, the server considers the user a legitimate user and allows the user to access the
network. If you have deployed a PKI system in your network environment, Hillstone recommends
that you configure the EAP-TLS authentication method.
To use the EAP-TLS method for 802.1X authentication, install 802.1X client software that
supports certificate authentication on the client side and import the user’s and CA’s digital
certificates; on the server side, set the authentication method to EAP-TLS and import the
server’s and CA’s digital certificates.

Tip:
l Currently, the system does not support EAP-TLS authentication with the local
authentication server.

l The 802.1X client software needs to be compatible with the 802.1X standard
protocol.

Configuring 802.1X Authentication


802.1X authentication configurations include:

l Configuring an 802.1X profile.

l Specifying the 802.1X authentication server. StoneOS supports a local authentication server
and an external authentication server (RADIUS).

l Configuring 802.1X attributes on a port.

l Configuring 802.1X authentication global parameters, such as the maximum number of
clients that can connect.



Configuring an 802.1X Profile

To create an 802.1X profile, in the global configuration mode, use the following command:
dot1x profile profile-name

l profile-name - Specifies the name of the 802.1X profile. After executing this command, the
system creates the 802.1X profile with the specified name and enters the dot1x configuration
mode. If the profile name you specified already exists, the system directly enters the dot1x
configuration mode.

To delete the specified 802.1X profile, in the global configuration mode, use the command:
no dot1x profile profile-name

Configuring the Maximum Retry Times

After sending an authentication request to the client and receiving a response containing the
expected data, the authenticator transmits the client's response data to the authentication server
and waits for a response. If the authentication server does not answer, the authenticator resends
the authentication request to the client until it receives a response from the authentication server
or exceeds the allowed maximum retry times. To configure the maximum number of times the
authentication request is resent, in the dot1x configuration mode, use the following command:
retransmission-count value

l value – Specifies the maximum number of times the authentication request frame is resent.
The value range is 1 to 10 times. The default value is 2.

To restore the default value, in the dot1x configuration mode, use the command no retrans-
mission-count.

Configuring the Re-auth Period

When the client is authorized to access the network, the authenticator can re-authenticate the client.
To configure the re-auth period, in the dot1x configuration mode, use the following command:
reauth-period value

l value – Specifies the re-auth period. The value range is 0 to 65535 seconds. The default value
is 3600. If the value is set to 0, the re-authentication function is disabled.

To restore the default value, in the dot1x configuration mode, use the command no reauth-
period.

Configuring the Quiet Period

If the authentication fails, the authenticator remains idle for a period of time before it continues to
process the same request from the same client. To configure the authenticator’s quiet period, in
the dot1x configuration mode, use the following command:
quiet-period value

l value – Specifies the quiet time. The value range is 0 to 65535 seconds. The default value is
60. The value 0 indicates that the system always processes the request from the same client
without waiting.

To restore the default value, in the dot1x configuration mode, use the command no quiet-
period.

Configuring the Client Timeout

When the authenticator sends a request asking the client to submit its username, the client needs
to respond within a specified period. If the client does not respond before the timeout, the system
resends the authentication request message. To specify the client timeout value, in the dot1x
configuration mode, use the following command:
tx-period value

l value – Specifies the timeout value. The value range is 1 to 65535 seconds. The default
value is 30.

To restore the default value, in the dot1x configuration mode, use the command no tx-period.



Configuring the Server Timeout

After sending an authentication request to the client and receiving a response containing the
expected data, the authenticator transmits the client's response data to the authentication server
and waits for a response. If the server does not answer the authenticator within a specified time,
the authenticator resends the authentication request to the client. To specify the authentication
server timeout value, in the dot1x configuration mode, use the following command:
server-timeout value

l value – Specifies the response timeout value. The value range is 1 to 65535 seconds. The
default value is 30.

To restore the default value, in the dot1x configuration mode, use the command no server-
timeout.

Specifying the 802.1X Authentication Server

You can specify an AAA server as the 802.1X authentication server. To specify the 802.1X
authentication server, in the dot1x configuration mode, use the following command:
aaa-server server-name

l server-name - Specifies the AAA authentication server name. StoneOS supports the local
authentication server and RADIUS servers.

To delete the specified 802.1X authentication server, in the dot1x configuration mode, use the
command:
no aaa-server server-name

Notes: For information about how to configure the local authentication server and
RADIUS server, see Authentication, Authorization and Accounting.



Configuring 802.1X Attributes on Port

The authenticator provides a port for the client to access the LAN, and the port needs to be bound
to a Layer 2 security zone or VLAN. You can enable the 802.1X authentication function on the
port and configure attributes according to your needs.

Enabling/Disabling 802.1X Authentication

To enable or disable 802.1X authentication, in interface configuration mode, use the following
command:

l Enable the 802.1X authentication: dot1x enable

l Disable the 802.1X authentication: no dot1x enable

After enabling the 802.1X authentication, you can configure 802.1X attributes on the port.

Binding 802.1X Profile to a Port

To bind the created 802.1X profile to a port, in the interface configuration mode, use the
following command:
dot1x profile profile-name

l profile-name – Specifies the 802.1X profile name.

To cancel the binding, in the interface configuration mode, use the command:
no dot1x profile profile-name

Configuring the Port Access Control Mode

To configure the access control mode on the specified port, in the interface configuration mode,
use the following command:
dot1x port-control {auto | force-unauthorized}

l auto - Automatic mode. This is the default setting. In this mode, the authenticator decides
whether the client can access the network according to the results of 802.1X authentication.

l force-unauthorized - Force-unauthorized mode. In this mode, the port is always in the
unauthorized state, and any client attempting to connect will fail.

To restore the default settings, in the interface configuration mode, use the command:
no dot1x port-control

Configuring the Port Access Control Method

To configure the method of 802.1X port access control, in the interface configuration mode, use
the following command:
dot1x control-mode {mac | port}

l mac - MAC address-based authentication. All the clients under the port must be authenticated
before they can access network resources.

l port - Port-based authentication, which is the default setting. For all the clients under a port,
as long as one client is authenticated, the other clients can access the network without authentication.

To restore the default settings, in the interface configuration mode, use the command:
no dot1x control-mode

Configuring 802.1X Global Parameters

The following section describes global parameter configuration for the 802.1X.

Configuring the Maximum User Number

To configure the maximum number of clients that are allowed to connect to the port
simultaneously, in the global configuration mode, use the following command:
dot1x max-user user-number

l user-number – Specifies the maximum user number. The value range is 1 to 1000. The
default value varies by platform.

To restore the default value, in the global configuration mode, use the command no dot1x
max-user.



Configuring the Timeout of Authenticated Clients

You can configure the authentication timeout value for authenticated clients. If the client does
not respond within the specified time, it needs to apply for authentication again. To configure the
timeout value, in the global configuration mode, use the following command:
dot1x timeout timeout-value

l timeout-value – Specifies the client authentication timeout value. The value range is 180 to
3600*24 seconds. The default value is 300.

To restore the default value, in the global configuration mode, use the command no dot1x
timeout.

Configuring Multi-logon Function

By default, the multi-logon function is disabled. If it is enabled, you can log in from multiple clients
using the same username simultaneously. To enable the multi-logon function, in the global
configuration mode, use the following command:
dot1x allow-multi-logon

After executing this command, the multi-logon function is enabled, and the number of clients
using one username is limited. To specify the number of clients, in the global configuration mode,
use the following command:
dot1x allow-multi-logon number

l number – Specifies how many times the same username can be logged in simultaneously. The
value range is 2 to 1000 times.

To disable this function, in the global configuration mode, use the command:
no dot1x allow-multi-logon

Configuring Auto-kickout Function

When the multi-logon function is disabled, if you enable the auto-kickout function, the user who
already logged in will be kicked out by the same user who logs in later. The system will auto-
matically cut the connection to the user who already logged in. If the auto-kickout function is
disabled, the system will prohibit the same user to log in again. To enable or disable the auto-kick-
out function, in the global configuration mode, use the following commands:

l Enable the auto-kickout function: dot1x auto-kickout

l Disable the auto-kickout function: no dot1x auto-kickout

Configuring Manual Kick-out Client

To kick out any client manually, in any mode, use the following command:
exec dot1x kickout port-name authenticated-user-mac

l port-name – Specifies the port name the client connects to.

l authenticated-user-mac – Specifies the MAC address of the authenticated client that is
kicked out manually.

Viewing 802.1X Configurations

To view the 802.1X configurations, in any mode, use the following command:
show dot1x [profile profile-name | port port-name | statistics [port-name]]

l show dot1x - Shows the 802.1X global parameters.

l profile profile-name – Shows the configurations of the specified 802.1X profile.

l port port-name – Shows the configurations of the specified port and the information of its
bound profile.

l statistics [port-name] – Shows the statistics of the specified port.



PKI

Overview
PKI (Public Key Infrastructure) is a system that provides public key encryption and digital
signature services. PKI is designed to automate secret key and certificate management, and to
assure the confidentiality, integrity and non-repudiation of data transmitted over the Internet. A
PKI certificate binds a public key to the identity of its owner through a trusted third party, so that
the user can be authenticated over the Internet. A PKI system consists of Public Key
Cryptography, CA, RA, Digital Certificate and the related PKI storage library.
The following section describes PKI terminology:

l Public Key Cryptography: A technology used to generate a key pair that consists of a public
key and a private key. The public key is widely distributed, while the private key is known
only to the recipient. The two keys in the key pair complement each other, and the data
encrypted by one key can only be decrypted by another key of the key pair.

l CA: A trusted entity that issues digital certificates to individuals, computers or any other entit-
ies. CA accepts requests for certificates and verifies the information provided by the applic-
ants based on certificate management policy. If the information is legal, CA will sign the
certificates with its private key and issue them to the applicants.

l RA: The extension to CA. RA forwards requests for a certificate to CA, and also forwards the
digital certificate and CRL issued by CA to directory servers in order to provide directory
browsing and query services.

l CRL: Each certificate is issued with an expiration date. However, a CA might revoke a certificate
before the date of expiration due to key leakage, business termination or other reasons. Once a
certificate is revoked, the CA issues a CRL to announce that the certificate is invalid, listing the
serial number of the invalid certificate.



PKI Function of Hillstone Devices
PKI is used in the following three situations:

l IKE VPN: PKI can be used by IKE VPN tunnel.

l HTTPS/SSH: PKI applies to the situation when a user accesses a Hillstone device over
HTTPS or SSH.

l Sandbox: Supports verifying the trust certificates of PE files. Refer to Importing a
Trust Certificate for details.

Configuring PKI
The PKI configuration on Hillstone devices includes:

l Generating and deleting a PKI key pair

l Configuring a PKI trust domain

l Importing a CA certificate

l Generating a certificate request

l Importing a local certificate

l Downloading a CRL

l Importing and exporting a PKI trust domain

l Importing and exporting a local certificate

l Configuring a certificate chain

l Configuring certificate validity check



Generating/Deleting a PKI Key Pair

StoneOS provides a default PKI key pair named Default-Key. To generate a PKI key pair, in the
global configuration mode, use the following command:
pki key generate {rsa | dsa | sm2 | ecc} [label key-name] [ec-group {prime256 | prime384 |
prime521}] [modulus size] [noconfirm]

l rsa | dsa | sm2 | ecc – Specifies the type of key pair: RSA, DSA, SM2 or ECC.

l label key-name – Specifies the name of the PKI key. The name must be unique in StoneOS.

l modulus size – Specifies the modulus of the key pair. The options are 1024 (the default
value), 2048, 512 and 768 bits.

l ec-group {prime256 | prime384 | prime521} – Specifies the elliptic curve group: the
Prime256, Prime384 or Prime521 elliptic curve. The default elliptic curve group is Prime256.

l noconfirm – Disables the prompt message on the key pair. For example, if the name of the key
pair already exists in the system, without this parameter the system prompts whether to
overwrite the key pair with the same name; with this parameter the system does not allow
creating a key pair with the same name. In addition, you can use the command pki key
zeroize noconfirm to disable all the prompt information on key pairs.

To delete an existing PKI key, in the global configuration mode, use the following command:
pki key zeroize {default | label key-name} [noconfirm]

l default | label key-name – Specifies the key that will be deleted. default indicates the
Default-Key. label key-name indicates the key of the specified name.

l noconfirm – Disables the prompt message on the key pair.



Configuring a PKI Trust Domain

A PKI trust domain contains all the configuration information needed to apply for a PKI local
certificate, such as the key pair, enrollment type, subject, etc. To configure a PKI trust domain,
you need to enter the PKI trust domain configuration mode. In the global configuration mode, use
the following command:
pki trust-domain trust-domain-name

l trust-domain-name – Specifies the name of the PKI trust domain. This command creates a
PKI trust domain with the specified name and leads you into the PKI trust domain
configuration mode; if the specified name already exists, you directly enter the PKI trust domain
configuration mode.

To delete the specified PKI trust domain, in the global configuration mode, use the command no
pki trust-domain trust-domain-name.
You can perform the following configurations in the PKI trust domain configuration mode:

l Specifying an enrollment type

l Specifying a key pair

l Configuring subject content

l Adding the Subject Alternative Name

l Configuring a CRL

Specifying an Enrollment Type

To specify an enrollment type, in the PKI trust domain configuration mode, use the following
command:
enrollment {self | terminal}



• self – Generates a self-signed certificate.

• terminal – Enrolls a certificate from a terminal (by cutting and pasting).

To cancel the enrollment type, in the PKI trust domain configuration mode, use the command no
enrollment.

Notes: There is no default value for this command; therefore, you must use the com-
mand to specify an enrollment type.

Specifying a Key Pair

To specify a key pair, in the PKI trust domain configuration mode, use the following command:
keypair key-name

• key-name – Specifies the name of the key pair.

To cancel the specified key pair, in the PKI trust domain configuration mode, use the command
no keypair.

Configuring Subject Content

To specify subject content for the PKI trust domain, in the PKI trust domain configuration
mode, use the following commands:

• Configure a common name: subject commonName string

• Configure a country (optional): subject country string

Notes: The name of the country can only contain two characters.

• Configure a locality (optional): subject localityName string

• Configure a state or province (optional): subject stateOrProvinceName string

• Configure an organization (optional): subject organization string

• Configure an organization unit (optional): subject organizationUnit string

To cancel the above configurations, in the PKI trust domain configuration mode, use the fol-
lowing commands:

• no subject commonName

• no subject country

• no subject localityName

• no subject stateOrProvinceName

• no subject organization

• no subject organizationUnit

Adding the Subject Alternative Name

You can add both the IP address and domain name to the Subject Alternative Name list.
To add the specified IP address to the Subject Alternative Name list, in the PKI trust domain con-
figuration mode, use the following command:
subject-alt-name ip ip-address

• ip-address - Specifies the IP address to be added to the Subject Alternative Name list. Both
IPv4 and IPv6 addresses are supported.

To remove the specified IP address from the Subject Alternative Name list, in the PKI trust
domain configuration mode, use the following command:
no subject-alt-name ip ip-address
To add the specified domain name to the Subject Alternative Name list, in the PKI trust domain
configuration mode, use the following command:
subject-alt-name dns domain-name

• domain-name - Specifies the domain name to be added to the Subject Alternative Name list.
The value range is from 1 to 255 characters.

To remove the specified domain name from the Subject Alternative Name list, in the PKI trust
domain configuration mode, use the following command:
no subject-alt-name dns domain-name

Configuring a CRL

CRL is used to help you check whether a certificate within its validity period has been revoked by
the CA. To configure a CRL check, in the PKI trust domain configuration mode, use the fol-
lowing command:
crl {nocheck | optional | required}

• nocheck – StoneOS will not check the CRL. This is the default option.

• optional – StoneOS will still accept the peer's authentication even if the CRL is not
available.

• required – StoneOS will not accept the peer's authentication unless the CRL is available.

In addition, you can configure the URL that is used to retrieve the CRL information. The con-
figuration needs to be performed in the CRL configuration mode. To enter the CRL configuration
mode, in the PKI trust domain configuration mode, use the following command:
crl configure

To configure the URL that is used to retrieve CRL information, in the CRL configuration mode,
use the following command:
url index {url-http | url-ldap [username user-name password password auth-method auth-method]} [vrouter vrouter-name]

• index – Specifies the URL index. StoneOS supports up to three URLs, and uses them in
turn: URL1, URL2 and URL3.

• url-http – Specifies the HTTP URL that is used to retrieve CRL information. The URL
entered should begin with http:// and the length is 1 to 255 characters.

• url-ldap – Specifies the LDAP URL that is used to retrieve CRL information. The URL
entered should begin with ldap:// and the length is 1 to 255 characters.

• username user-name password password auth-method auth-method – Specifies the username
(username user-name), password (password password) and authentication mode (auth-method
auth-method) when the system is configured to retrieve CRL information via LDAP. If this
parameter is not configured, the system will retrieve CRL information anonymously by
default.

  • username user-name - Specifies the login DN of the LDAP server. The login DN is
  typically a user account with query privilege predefined in the LDAP server.

  • password password – Specifies the password for the login DN.

  • auth-method auth-method - Specifies the authentication mode for the LDAP server.
  Plain text authentication (plain) is supported.

• vrouter vrouter-name – Specifies the VRouter from which the CRL information is retrieved.
The default value is the default VRouter (trust-vr).

Configuring Online Certificate Status Protocol

The Online Certificate Status Protocol (OCSP) serves the same purpose as a CRL: obtaining the
revocation status of certificates. Compared with a CRL, OCSP checks the status of certificates
online, thus providing a more accurate result. You can configure CRL and OCSP simultaneously.
If the certificate fails validation by either CRL or OCSP, the system concludes that the
certificate cannot be used.

In the PKI trust domain configuration mode, use the following command to check the
certificate status using OCSP:
ocsp required
To disable this function, use the following command in the PKI trust domain configuration
mode:
ocsp nocheck
To enter the OCSP configuration mode, use the following command in the PKI trust domain con-
figuration mode:
ocsp configure
In the OCSP configuration mode, you can configure the following settings:

• Specifying the OCSP responder

• Configuring the random number for OCSP requests

• Specifying the invalidity time for OCSP response information

Specifying the OCSP Responder

To specify the OCSP responder, use the following command in the OCSP configuration mode:
url url

• url – Specifies the URL of the OCSP responder. The URL must begin with "http://".

To cancel the configuration, use the following command:
no url

Configuring the Random Number for OCSP Requests

When the device sends OCSP requests, you can choose to add a random number (nonce) to the
requests, which improves the security between the device and the OCSP responder. By default,
the device adds the random number to the requests. To add the random number, use the following
command in the OCSP configuration mode:
nonce enable
To cancel the configurations, use the following command:

nonce disable

Specifying the Invalidity Time for OCSP Response Information

StoneOS can cache OCSP response information, which improves the efficiency of certificate
verification. You can specify the invalidity time for the OCSP response information stored in
the cache of the device; the cached information is deleted once the invalidity time is reached.
To specify the invalidity time, use the following command in the OCSP configuration mode:
response-cache-refresh-interval time

• time - Specifies the invalidity time (in minutes) for the OCSP response information stored
in the cache. The value ranges from 0 to 1440. 0 means the device will not store OCSP
response information at all: whenever it receives a certificate verification request, it sends
a request to the OCSP responder to check the certificate status. When the value is between 1
and 1440, the invalidity time of the stored OCSP response information is the earlier of
"current system time + time" and the time when the OCSP response information will be
updated.

In the OCSP configuration mode, use the following command to cancel the configuration:
no response-cache-refresh-interval
After you cancel the configuration, the invalidity time for OCSP response information is the time
when the OCSP response information will be updated. This is also the default setting.

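The revocation settings above (crl nocheck | optional | required, ocsp required, and the OCSP response cache) can be modelled outside the device. The following Python is an added example, not StoneOS code or part of this guide: it shows which combinations still let a certificate be used and when a cached OCSP response becomes invalid. The function names and the GOOD/REVOKED lookup values are this example's own.

```python
"""Reference model of a trust domain's revocation checks: the crl mode
(nocheck | optional | required), the ocsp mode (nocheck | required) and
the cache controlled by response-cache-refresh-interval.
Added example, not StoneOS code; names are this example's own."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Outcome of one CRL or OCSP lookup. None models "source not available"
# (the CRL could not be retrieved, the responder did not answer).
GOOD = "good"
REVOKED = "revoked"


def crl_verdict(mode: str, lookup: Optional[str]) -> bool:
    """Apply the crl mode to one CRL lookup; True = still acceptable."""
    if mode == "nocheck":              # default: the CRL is never consulted
        return True
    if mode not in ("optional", "required"):
        raise ValueError(f"unknown crl mode {mode!r}")
    if lookup is None:                 # CRL not available
        return mode == "optional"      # optional accepts, required rejects
    return lookup == GOOD              # CRL available: revoked means reject


def ocsp_verdict(mode: str, lookup: Optional[str]) -> bool:
    """Apply the ocsp mode; ocsp required rejects unless the answer is good."""
    if mode == "nocheck":
        return True
    if mode != "required":
        raise ValueError(f"unknown ocsp mode {mode!r}")
    return lookup == GOOD


def certificate_usable(crl_mode: str, crl_lookup: Optional[str],
                       ocsp_mode: str, ocsp_lookup: Optional[str]) -> bool:
    """CRL and OCSP may both be configured; failing either check means
    the certificate cannot be used."""
    return crl_verdict(crl_mode, crl_lookup) and ocsp_verdict(ocsp_mode, ocsp_lookup)


@dataclass
class OcspResponse:
    status: str              # GOOD or REVOKED
    next_update: datetime    # when the responder will refresh this answer


def cache_expiry(resp: OcspResponse, now: datetime,
                 refresh_minutes: Optional[int] = None) -> Optional[datetime]:
    """Invalidity time of a cached OCSP response.

    None (command not configured) keeps the entry until nextUpdate.
    0 stores nothing, so None is returned and every verification asks the
    responder again. 1..1440 expires at the earlier of now + refresh_minutes
    and nextUpdate."""
    if refresh_minutes is None:
        return resp.next_update
    if not 0 <= refresh_minutes <= 1440:
        raise ValueError("response-cache-refresh-interval must be 0..1440 minutes")
    if refresh_minutes == 0:
        return None
    return min(now + timedelta(minutes=refresh_minutes), resp.next_update)


# Constructed fixture: a "good" answer whose nextUpdate is two hours away.
SAMPLE_NOW = datetime(2023, 1, 25, 12, 0)
SAMPLE_RESPONSE = OcspResponse(GOOD, next_update=SAMPLE_NOW + timedelta(hours=2))

if __name__ == "__main__":
    # Walk-through: the CRL is unreachable, OCSP answers "good".
    for crl_mode in ("nocheck", "optional", "required"):
        usable = certificate_usable(crl_mode, None, "required", SAMPLE_RESPONSE.status)
        print(f"crl {crl_mode:<8} CRL unavailable, OCSP good -> usable={usable}")
    for minutes in (None, 0, 60, 180):
        print("refresh", minutes, "-> cache expires", cache_expiry(SAMPLE_RESPONSE, SAMPLE_NOW, minutes))
```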
Importing a CA Certificate

To import a CA certificate, in the global configuration mode, use the following command:
pki authenticate trust-domain-name

• trust-domain-name – Specifies the name of the PKI trust domain.

After executing this command, the system will prompt the user to copy the content of the
certificate to the specified location. Press Enter, type a period (.), and then press Enter again.
The system will begin to import the CA certificate.
If the enrollment type is to enroll a certificate from the registration server, the CA certificate
will be obtained via SCEP.

Importing a Key

To import a key to the PKI trust domain, in the global configuration mode, use the following com-
mand:
pki key import {rsa | dsa | sm2} [label label-name]

• rsa – Specifies that the key imported to PKI is an RSA key.

• dsa – Specifies that the key imported to PKI is a DSA key.

• sm2 – Specifies that the key imported to PKI is an SM2 key.

• label-name – Specifies the name of the key pair. The name must be unique in the system. If
the parameter is not specified, the default key Default-Key will be selected.

Importing a Key Pair

To import the key pair to the PKI trust domain, in the execution mode, use the following com-
mands:
import pki key key-name enc-key sig-key-name from {ftp server ip-address [vrouter VR-name] [user user-name password password] file-name | tftp server ip-address [vrouter VR-name] file-name}

• key-name – Specifies the name of the imported key pair.

• enc-key – Specifies the key type as encryption key.

• sig-key-name – Specifies the signature key pair.

• ftp | tftp – Specifies the upload method as FTP or TFTP.

• server ip-address – Specifies the IP address of the FTP or TFTP server.

• vrouter VR-name - Specifies the name of the VRouter.

• user user-name password password – Specifies the user name and password of the specified
server.

• file-name – Specifies the name of the local encryption key pair file.

Generating a Certificate Request

After completing the PKI trust domain configuration, you need to generate a certificate request
based on the content of the PKI trust domain, and then send the request to the CA server to
enroll the corresponding local certificate. To generate a certificate request, in the global con-
figuration mode, use the following command:
pki enroll trust-domain-name

• trust-domain-name – Specifies the name of the PKI trust domain for which the corresponding
certificate request is generated.
responding certificate request.

Importing a Local Certificate

After obtaining a local certificate from the CA server, you need to import the local certificate to
the device. To import a local certificate, in the global configuration mode, use the following com-
mand:
pki import trust-domain-name certificate

• trust-domain-name – Specifies the name of the PKI trust domain into which the local certificate
will be imported.

After executing this command, the system will prompt the user to copy the content of the cer-
tificate to the specified location. Press Enter, type a period (.), and then press Enter again. The sys-
tem will begin to import the local certificate.

Obtaining a CRL

To obtain the CRL of the PKI trust domain, in the global configuration mode, use the following
command:
pki crl request trust-domain-name

• trust-domain-name – Specifies the name of the PKI trust domain. The system will obtain the
rent CRL based on CRL configuration in the specified PKI trust domain.

Importing/Exporting a PKI Trust Domain

To facilitate configuration, you can export a PKI trust domain's certificates (CA and local
certificate) and the private key for the local certificate in PKCS12 format, and import them on
another Hillstone device.

Exporting the PKI Trust Domain Information

To export the PKI trust domain information, in the global configuration mode, use the following
command:
pki export trust-domain-name pkcs12 pass-phrase

• trust-domain-name – Specifies the name of the PKI trust domain.

• pass-phrase – Specifies the passphrase that is used to decrypt PKCS12 data.

You can also export the PKI trust domain information in form of a file to an FTP server, TFTP
server or USB disk via CLI.
To export the PKI trust domain information to an FTP server, in the execution mode, use the fol-
lowing command:
export pki trust-domain-name pkcs12 password to ftp server ip-address [user user-name password password [file-name] | file-name]

• trust-domain-name – Specifies the name of the PKI trust domain.

• pkcs12 password – Specifies the password used to decrypt the private key.

• ip-address – Specifies the IP address of the FTP server.

• user user-name password password – Specifies the username and password of the FTP
server.

• file-name – Specifies the name for the exported file.

To export the PKI trust domain information to a TFTP server, in the execution mode, use the fol-
lowing command:
export pki trust-domain-name pkcs12 password to tftp server ip-address [file-name]

To export the PKI trust domain information to a USB disk, in the execution mode, use the fol-
lowing command:
export pki trust-domain-name pkcs12 password to {usb0 | usb1} [file-name]

Importing the PKI Trust Domain Information

To import the PKI trust domain information, in the global configuration mode, use the following
command:
pki import trust-domain-name pkcs12 pass-phrase

• trust-domain-name – Specifies the name of the PKI trust domain.

• pass-phrase – Specifies the passphrase that is used to decrypt PKCS12 data.

After executing this command, the system will prompt the user to copy the content of the PKI
trust domain to the specified location. Press Enter, type a period (.), and then press Enter again.
The system will begin to import the PKI trust domain.
You can also import the PKI trust domain information in form of a file from an FTP server, TFTP
server or USB disk via CLI.
To import the PKI trust domain information from an FTP server, in the execution mode, use the
following command:
import pki trust-domain trust-domain-name pkcs12 password from ftp server ip-address {user user-name password password file-name | file-name}

• trust-domain-name – Specifies the name of the PKI trust domain.

• pkcs12 password – Specifies the password used to decrypt the private key.

• ip-address – Specifies the IP address of the FTP server.

• user user-name password password file-name – Specifies the username and password of the
FTP server.

• file-name – Specifies the name of the imported file.

To import the PKI trust domain information from a TFTP server, in the execution mode, use the
following command:
import pki trust-domain trust-domain-name pkcs12 password from tftp server ip-address file-name

To import the PKI trust domain information from a USB disk, in the execution mode, use the fol-
lowing command:
import pki trust-domain trust-domain-name pkcs12 password from {usb0 | usb1} file-name

Importing a Trust Certificate

If the Sandbox function is enabled, PE files signed with an imported trusted certificate will not
be detected by the Sandbox. In the global configuration mode, use the following command to
import a trusted certificate:
import pki trusted-ca {package | single} from {ftp server ip-address [vrouter VR-name] [user user-name password password] file-name | tftp server ip-address [vrouter VR-name] file-name}

• package – Specifies the certificate package that you need to import.

• single – Specifies the single certificate that you need to import.

• ftp | tftp – Specifies the upload method as FTP or TFTP.

• server ip-address – Specifies the FTP server IP or the TFTP server IP.

• vrouter VR-name - Specifies the VRouter name.

• user user-name password password – Specifies the username and password of the FTP
server.

• file-name – Specifies the name of the file to be imported.

Exporting/Importing a Local Certificate

To facilitate configuration, you can export a PKI trust domain's local certificate, and import it
on another Hillstone device.

Exporting a Local Certificate

To export a local certificate, in the global configuration mode, use the following command:
pki export trust-domain-name certificate

• trust-domain-name – Specifies the name of the PKI trust domain.

After executing this command, the system will prompt the user to copy the content of the cer-
tificate to the specified location. Press Enter, type a period (.), and then press Enter again. The sys-
tem will begin to export the local certificate.
You can also export the local certificate in form of a file to an FTP server, TFTP server, or USB
disk via CLI.
To export the local certificate to an FTP server, in the execution mode, use the following com-
mand:
export pki trust-domain-name cert to ftp server ip-address [user user-name password password [file-name] | file-name]

• trust-domain-name – Specifies the name of the PKI trust domain.

• ip-address – Specifies the IP address of the FTP server.

• user user-name password password – Specifies the username and password of the FTP
server.

• file-name – Specifies the name of the exported file.

To export the local certificate to a TFTP server, in the execution mode, use the following com-
mand:
export pki trust-domain-name cert to tftp server ip-address [file-name]

To export the local certificate to a USB disk, in the execution mode, use the following command:
export pki trust-domain-name cert to {usb0 | usb1} [file-name]

Importing a Local Certificate

To import a local certificate, in the global configuration mode, use the following command:
pki import trust-domain-name certificate

• trust-domain-name – Specifies the name of the PKI trust domain.

After executing this command, the system will prompt the user to copy the content of the cer-
tificate to the specified location. Press Enter, type a period (.), and then press Enter again. The sys-
tem will begin to import the local certificate.
You can also import the local certificate in the form of a file from an FTP server, TFTP server
or USB disk via CLI.
To import the local certificate from an FTP server, in the execution mode, use the following
command:
import pki trust-domain trust-domain-name cert from ftp server ip-address {user user-name password password file-name | file-name}

• trust-domain-name – Specifies the name of the PKI trust domain.

• ip-address – Specifies the IP address of the FTP server.

• user user-name password password file-name – Specifies the username and password of the
FTP server, and the name of the imported file.

• file-name – Specifies the name of the imported file.

To import the local certificate from a TFTP server, in the execution mode, use the following
command:
import pki trust-domain trust-domain-name cert from tftp server ip-address file-name

To import the local certificate from a USB disk, in the execution mode, use the following
command:
import pki trust-domain trust-domain-name cert from {usb0 | usb1} file-name

Importing Customized Certificate for HTTPS WebAuth

Importing Customized Certificate

When HTTPS mode is selected in Web authentication (WebAuth), the security certificate is
usually not trusted by the browser, and you need to click the Continue button to start Web
authentication. To avoid this situation, you can purchase a local certificate signed by a certificate
authority and import this certificate into a new PKI trust domain. Then you can import the
trusted certificate by configuring this feature. The public key of the CA certificate in the browser
will authenticate the imported certificate signed by the private key of the CA, so the situation
where the security certificate is not trusted by the client's browser will no longer occur.
To configure importing a customized certificate for HTTPS WebAuth, in the WebAuth
configuration mode, use the following command:
https-trust-domain trust-domain-name

• trust-domain-name – Specifies the name of the HTTPS trust domain. Before executing this
command, this new PKI trust domain must have been added into StoneOS, and you should
make sure that the local certificate purchased from the certificate authority has been imported
into it. By default, the HTTPS trust domain is trust_domain_default, which will result in the
untrusted certificate warning.

Notes: Make sure that the trusted CA certificate has been imported into the PC's
browser, otherwise the browser will still prompt that the security certificate is not
trusted.

In the WebAuth configuration mode, use no https-trust-domain to cancel the above con-
figuration.

Viewing Importing Customized Certificate Information

To view information on imported customized certificate, in any mode, use the following com-
mand:
show webauth

Certificate Expiry Configurations

In order to ensure the validity of the user certificate and to avoid the problems caused by cer-
tificate expiry, the system provides the following solutions:

• For a certificate or CA certificate that will expire soon, the system will generate a log of the
Warning level one week before the date of expiry;

• For a certificate or CA certificate that has already expired, the system will generate a
log of the Critical level every day;

• For a self-signed certificate, the system provides a refresh option that allows you to re-sign
the certificate.

The system defines the validity period of a self-signed certificate as 10 years. To refresh the
self-signed certificate and re-sign it, in the global configuration mode, use the following
command:
pki refresh trust-domain-name

• trust-domain-name – Specifies the name of the PKI trust domain.

Viewing the PKI Configuration Information

To view the configuration information of key pair, in any mode, use the following command:
show pki key [label key-name]

• label key-name – Shows the configuration information of the specified key pair. If the
parameter is not specified, the command will show the configuration information of all the key
pairs in the system.

To view the configuration information of a PKI trust domain, in any mode, use the following
command:
show pki trust-domain [trust-domain-name]

• trust-domain-name – Shows the configuration information of the specified PKI trust
domain. If the parameter is not specified, the command will show the configuration
information of all the PKI trust domains in the system.

Configuring a Certificate Chain

A certificate chain consists of a root CA certificate, any intermediate CA certificates, and a CA-
signed user certificate. Browsers consider that the certificate of the current user is valid and trus-
ted only if each certificate in the certificate chain is valid. A root CA certificate lies in the top
most position of the chain of trust hierarchy. Intermediate certificates branch off root certificates
like branches of trees. They act as middle-men between the protected root certificates and the
server certificates issued out to the public. There will always be at least one intermediate cer-
tificate in a chain, but there can be more than one.

Creating a Certificate Chain

To create a certificate chain, use the following command in global configuration mode:
pki cert-chain cert-chain-name

• cert-chain-name - Specifies the name of the certificate chain, which can be 1 to 31 characters.
After the command is executed, the system generates a certificate chain with the specified
name and enters the certificate chain configuration mode. If the specified name already exists,
the system directly enters the certificate chain configuration mode.

To delete a specified certificate chain, use the following command in global configuration mode:
no pki cert-chain cert-chain-name

Importing a Certificate Chain

The system allows you to import certificate chain files from servers or by copying the certificate
chain content. A certificate chain can contain at most 6 certificates. These certificates need to be
able to complete a chain but there is no limitation on the order of these certificates.
To import a certificate chain file from the FTP, FTPS, or SFTP server, use the following com-
mand in execution mode:
import pki cert-chain cert-chain-name {pkcs7 | pkcs12-der password | cert-bundle} from {ftp |
ftps | sftp server} ip-address vrouter vrouter-name user user-name password password file-name

• cert-chain-name - Specifies the name of the certificate chain.

• pkcs7 | pkcs12-der password | cert-bundle - Specifies the format of the certificate chain file,
which can be PKCS#7, PKCS#12, or CERT-BUNDLE. The certificate chain file in the
CERT-BUNDLE format is PEM-encoded. For certificate chain files in the PKCS#12 format,
you need to specify the password of the files.

• ip-address - Specifies the address of the FTP, FTPS, or SFTP server.

• vrouter vrouter-name - Specifies the name of the virtual router.

• user user-name password password - Specifies the username and password used to access the
server.

• file-name - Specifies the name of the certificate chain file.

To import a certificate chain file from the TFTP server, use the following command in execution
mode:
import pki cert-chain cert-chain-name {pkcs7 | pkcs12-der password | cert-bundle} from tftp
server ip-address vrouter vrouter-name file-name
To import a certificate chain file by copying the certificate chain content, use the following com-
mand in global configuration mode:
pki import cert-chain cert-chain-name {pkcs7 | cert-bundle}

After the command is executed, copy the certificate chain file content as prompted and enter "."
on a new line to end the input.
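The import rules above (at most 6 certificates, in any order, as long as they complete a chain) can be checked before the file is pushed to the device. The following Python is an added example and not StoneOS code: it models certificates as subject/issuer pairs, because the standard library cannot parse X.509, and it assumes that a "complete" chain ends at a self-signed root. The PEM splitter and the sample bundle are this example's own.

```python
"""Added example (not StoneOS code): order an unordered certificate
bundle into one complete chain of at most 6 certificates, and split a
PEM cert-bundle into its blocks. Certificates are subject/issuer pairs;
"complete" is assumed to mean the chain ends at a self-signed root."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_CHAIN_CERTS = 6   # limit stated for a StoneOS certificate chain
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


class ChainError(ValueError):
    """The bundle cannot be imported as a certificate chain."""


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def order_chain(bundle: List[Cert]) -> List[Cert]:
    """Order a bundle as leaf -> intermediates -> root, whatever the input order.

    Raises ChainError if the bundle is empty or too large, has duplicate
    subjects, has no single leaf, contains a cycle, lacks an issuer, or
    carries certificates that do not belong to the chain."""
    if not bundle:
        raise ChainError("empty bundle")
    if len(bundle) > MAX_CHAIN_CERTS:
        raise ChainError(f"{len(bundle)} certificates exceed the limit of {MAX_CHAIN_CERTS}")
    by_subject: Dict[str, Cert] = {}
    for cert in bundle:
        if cert.subject in by_subject:
            raise ChainError(f"duplicate subject {cert.subject!r}")
        by_subject[cert.subject] = cert
    # The leaf is the only certificate that issued nothing else in the bundle.
    issuers = {c.issuer for c in bundle if not c.self_signed}
    leaves = [c for c in bundle if c.subject not in issuers]
    if len(leaves) != 1:
        raise ChainError(f"expected exactly one leaf certificate, found {len(leaves)}")
    chain: List[Cert] = []
    current: Optional[Cert] = leaves[0]
    while current is not None:
        if current in chain:
            raise ChainError(f"issuer cycle at {current.subject!r}")
        chain.append(current)
        if current.self_signed:
            break                                   # reached the root CA
        current = by_subject.get(current.issuer)
        if current is None:
            raise ChainError(f"chain broken: issuer {chain[-1].issuer!r} is not in the bundle")
    if len(chain) != len(bundle):
        raise ChainError("bundle contains certificates that are not part of the chain")
    return chain


def is_importable(bundle: List[Cert]) -> bool:
    """True when order_chain accepts the bundle."""
    try:
        order_chain(bundle)
        return True
    except ChainError:
        return False


def split_pem_bundle(text: str) -> List[str]:
    """Split a PEM-encoded cert-bundle into certificate blocks, rejecting
    unbalanced BEGIN/END markers and more than MAX_CHAIN_CERTS blocks."""
    blocks: List[str] = []
    current: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == PEM_BEGIN:
            if current is not None:
                raise ChainError("BEGIN CERTIFICATE inside an open block")
            current = [line]
        elif line == PEM_END:
            if current is None:
                raise ChainError("END CERTIFICATE without BEGIN")
            current.append(line)
            blocks.append("\n".join(current))
            current = None
        elif current is not None:
            current.append(line)
    if current is not None:
        raise ChainError("unterminated certificate block")
    if len(blocks) > MAX_CHAIN_CERTS:
        raise ChainError(f"{len(blocks)} certificates exceed the limit of {MAX_CHAIN_CERTS}")
    return blocks


# Constructed samples: placeholder PEM bodies (not real certificates) and a
# three-certificate chain listed out of order to show order does not matter.
SAMPLE_BUNDLE_PEM = "\n".join([PEM_BEGIN, "ROOT-CA-PLACEHOLDER", PEM_END,
                               PEM_BEGIN, "LEAF-PLACEHOLDER", PEM_END])
SAMPLE_CERTS = [
    Cert("CN=Intermediate CA", "CN=Root CA"),
    Cert("CN=Root CA", "CN=Root CA"),
    Cert("CN=fw.example.test", "CN=Intermediate CA"),
]

if __name__ == "__main__":
    print("PEM blocks in bundle:", len(split_pem_bundle(SAMPLE_BUNDLE_PEM)))
    for cert in order_chain(SAMPLE_CERTS):
        print(f"{cert.subject} <- issued by {cert.issuer}")
```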

Exporting a Certificate Chain

The system allows you to export a certificate chain file to a specified server or display the cer-
tificate chain content on the endpoint.
To export a certificate chain file to a server, use the following command in execution mode:
export pki cert-chain cert-chain-name {pkcs7 | pkcs12-der password } to {ftp | ftps | sftp
server} ip-address vrouter vrouter-name user user-name password password file-name
To export a certificate chain file and display the file content on the endpoint, use the following
command in global configuration mode:
pki export cert-chain cert-chain-name

Viewing Certificate Chain Information

To view configuration information about a specified certificate chain, use the following command
in any mode:
show pki cert-chain cert-chain-name
To view configuration information about all certificate chains, use the following command in any
mode:
show pki cert-chain
To view information about certificates in a specified certificate chain, use the following command
in any mode:
show pki cert-chain cert-chain-name cert subject-name

• cert-chain-name - Specifies the name of the certificate chain.

• subject-name - Specifies the subject name of the certificate.

Configuring Certificate Validity Check

Enabling/Disabling Certificate Validity Check

Certificate validity check is effective for all certificates in the certificate chain and certificates in
the trusted domain. By default, certificate validity check is enabled. To disable certificate validity
check, use the following command in global configuration mode:
pki cert-validity-check disable
To enable certificate validity check, use the following command in global configuration mode:
pki cert-validity-check enable

Configuring Certificate Validity Check

By default, the system sends an alarm per day a week before the certificate expires. When the cer-
tificate expires, the system records an event log at critical level.
To configure check interval of certificate validity and warning days before certificate expiration,
use the following command in global configuration mode:
pki cert-validity-check {interval value | pre-warning-time time}

• interval value - Specifies the check interval of certificate validity. Valid values: 1 to 100, in
hours. Default value: 24.

• pre-warning-time time - Specifies how far ahead of certificate expiration warnings begin.
Valid values: 1 to 1000, in hours. Default value: 168.

Viewing Check Configuration and Check Result of Certificate Validity

To view the configuration of certificate validity check, use the following command in any mode:
show pki cert-validity-check
The last check result is displayed in the command output:

• not checked yet: The check has not started.

• valid: The certificate is valid.

• expired: The certificate has expired.

• null cert: No certificate is imported in the trusted domain or certificate chain.

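Added example, not StoneOS code: a Python model of the interval and pre-warning-time semantics above, which simulates the periodic check to show which Warning and Critical logs are generated and which result show pki cert-validity-check reports. The fixed-step schedule, the trust domain names and the expiry dates are assumptions of the example.

```python
"""Added example (not StoneOS code): model of pki cert-validity-check with
interval (hours) and pre-warning-time (hours), showing the Warning and
Critical logs and the result shown by show pki cert-validity-check."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

NOT_CHECKED = "not checked yet"
VALID = "valid"
EXPIRED = "expired"
NULL_CERT = "null cert"


@dataclass
class ValidityCheckConfig:
    enabled: bool = True
    interval_hours: int = 24        # cert-validity-check interval, 1..100
    pre_warning_hours: int = 168    # cert-validity-check pre-warning-time, 1..1000

    def __post_init__(self) -> None:
        if not 1 <= self.interval_hours <= 100:
            raise ValueError("interval must be 1..100 hours")
        if not 1 <= self.pre_warning_hours <= 1000:
            raise ValueError("pre-warning-time must be 1..1000 hours")


def check_certificate(not_after: Optional[datetime], now: datetime,
                      cfg: ValidityCheckConfig) -> Tuple[str, Optional[str]]:
    """Classify one trust domain or chain entry at time now.

    Returns (result, log level): NULL_CERT when nothing is imported, EXPIRED
    with a Critical log once notAfter has passed, VALID with a Warning log
    inside the pre-warning window, otherwise VALID and no log."""
    if not_after is None:
        return NULL_CERT, None
    if now >= not_after:
        return EXPIRED, "Critical"
    if not_after - now <= timedelta(hours=cfg.pre_warning_hours):
        return VALID, "Warning"
    return VALID, None


@dataclass
class LogEntry:
    when: datetime
    name: str
    level: str
    result: str


def run_checks(certs: Dict[str, Optional[datetime]], start: datetime, end: datetime,
               cfg: ValidityCheckConfig) -> Tuple[List[LogEntry], Dict[str, str]]:
    """Run the check every interval_hours from start to end (inclusive).

    Returns the logs that would be generated and the last result per entry;
    results stay "not checked yet" while the check is disabled."""
    results = {name: NOT_CHECKED for name in certs}
    logs: List[LogEntry] = []
    if not cfg.enabled:
        return logs, results
    when = start
    while when <= end:
        for name, not_after in certs.items():
            result, level = check_certificate(not_after, when, cfg)
            results[name] = result
            if level is not None:
                logs.append(LogEntry(when, name, level, result))
        when += timedelta(hours=cfg.interval_hours)
    return logs, results


def count_levels(logs: List[LogEntry]) -> Dict[str, int]:
    """Number of logs per level, e.g. {"Warning": 7, "Critical": 3}."""
    counts: Dict[str, int] = {}
    for entry in logs:
        counts[entry.level] = counts.get(entry.level, 0) + 1
    return counts


# Constructed sample: one certificate expiring 1 Feb 2023 and one trust domain
# with nothing imported, checked from 20 Jan to 3 Feb 2023.
SAMPLE_CERTS: Dict[str, Optional[datetime]] = {
    "td-vpn": datetime(2023, 2, 1, 0, 0),
    "td-empty": None,
}
SAMPLE_START = datetime(2023, 1, 20, 0, 0)
SAMPLE_END = datetime(2023, 2, 3, 0, 0)

if __name__ == "__main__":
    logs, results = run_checks(SAMPLE_CERTS, SAMPLE_START, SAMPLE_END, ValidityCheckConfig())
    for entry in logs:
        print(entry.when.date(), entry.name, entry.level, entry.result)
    print(results, count_levels(logs))
```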
Example for Configuring IKE

This section describes an example of creating a security association by IKE. The authentication
policy of IKE adopts the PKI certificate system.

Requirement

The goal is to create a secure tunnel between Hillstone Device A and Hillstone Device B. PC1 is
used as the host of Hillstone Device A, whose IP address is 10.1.1.1, and the gateway address is
10.1.1.2; Server1 is used as the server of Hillstone Device B, whose IP address is 192.168.1.1,
and the gateway address is 192.168.1.2. The requirement is: protecting the traffic between the
subnet represented by PC1 (10.1.1.0/24) and the subnet represented by server1
(192.168.1.0/24). The authentication policy adopts PKI certificate system, using security pro-
tocol ESP and encryption algorithm 3DES, and the Hash algorithm is SHA1. The networking
topology is shown in the figure below:

Configuration Steps

Step 1: Configure Hillstone devices' interfaces

Hillstone Device A
hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 10.1.1.2/24

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 1.1.1.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# exit

Hillstone Device B

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 192.168.1.2/24

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 1.1.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# exit

Step 2: Configure policy rules

Hillstone Device A
hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

Chapter 8 User Authentication 1174


hostname(config-policy-rule)# dst-addr an y

hostname(config-policy-rule)# service an y

hostname(config-policy-rule)# actio n p ermit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

Hillstone Device B
hostname(config)# p o licy-glo b al

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zo n e trust

hostname(config-policy-rule)# dst-zo n e trust

hostname(config-policy-rule)# src-addr an y

hostname(config-policy-rule)# dst-addr an y

hostname(config-policy-rule)# service an y

hostname(config-policy-rule)# actio n p ermit

hostname(config-policy-rule)# exit

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zo n e un trust

hostname(config-policy-rule)# dst-zo n e trust

hostname(config-policy-rule)# src-addr an y

hostname(config-policy-rule)# dst-addr an y

hostname(config-policy-rule)# service an y

hostname(config-policy-rule)# actio n p ermit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

1175 Chapter 8 User Authentication


Step 3: Configure Phase1 proposal

Hillstone Device A
hostname(config)# isakmp proposal p1
hostname(config-isakmp-proposal)# authentication rsa-sig
hostname(config-isakmp-proposal)# group 2
hostname(config-isakmp-proposal)# hash sha
hostname(config-isakmp-proposal)# encryption 3des
hostname(config-isakmp-proposal)# exit

Hillstone Device B
hostname(config)# isakmp proposal p1
hostname(config-isakmp-proposal)# authentication rsa-sig
hostname(config-isakmp-proposal)# group 2
hostname(config-isakmp-proposal)# hash sha
hostname(config-isakmp-proposal)# encryption 3des
hostname(config-isakmp-proposal)# exit

Step 4: Configure PKI

Hillstone Device A
Generate a key pair
hostname(config)# pki key generate rsa label 111 modulus 1024

Configure a PKI trust domain
hostname(config)# pki trust-domain td1
hostname(config-trust-domain)# keypair 111
hostname(config-trust-domain)# enrollment terminal
hostname(config-trust-domain)# subject commonName aa
hostname(config-trust-domain)# subject country cn
hostname(config-trust-domain)# subject stateOrProvinceName bj
hostname(config-trust-domain)# subject localityName hd
hostname(config-trust-domain)# subject organization hillstone
hostname(config-trust-domain)# subject organizationunit rd
hostname(config-trust-domain)# exit

Generate a certificate request and send it to the CA server to enroll the local certificate
hostname(config)# pki enroll td1

Authenticate the CA certificate
hostname(config)# pki authenticate td1

Import a local certificate
hostname(config)# pki import td1 certificate

Hillstone Device B
Generate a key pair
hostname(config)# pki key generate rsa label 222 modulus 1024

Configure a PKI trust domain
hostname(config)# pki trust-domain td2
hostname(config-trust-domain)# keypair 222
hostname(config-trust-domain)# enrollment terminal
hostname(config-trust-domain)# subject commonName bb
hostname(config-trust-domain)# subject country cn
hostname(config-trust-domain)# subject stateOrProvinceName bj
hostname(config-trust-domain)# subject localityName hd
hostname(config-trust-domain)# subject organization hillstone
hostname(config-trust-domain)# subject organizationunit rd
hostname(config-trust-domain)# exit

Generate a certificate request and send it to the CA server to enroll the local certificate
hostname(config)# pki enroll td2

Authenticate the CA certificate
hostname(config)# pki authenticate td2

Import a local certificate
hostname(config)# pki import td2 certificate

Step 5: Configure ISAKMP gateways

Hillstone Device A
hostname(config)# isakmp peer east
hostname(config-isakmp-peer)# interface ethernet0/1
hostname(config-isakmp-peer)# isakmp-proposal p1
hostname(config-isakmp-peer)# peer 1.1.1.2
hostname(config-isakmp-peer)# local-id asn1dn
hostname(config-isakmp-peer)# peer-id asn1dn CN=bb,OU=rd,O=hillstone,L=hd,ST=bj,C=cn
hostname(config-isakmp-peer)# trust-domain td1
hostname(config-isakmp-peer)# exit

Hillstone Device B
hostname(config)# isakmp peer east
hostname(config-isakmp-peer)# interface ethernet0/1
hostname(config-isakmp-peer)# isakmp-proposal p1
hostname(config-isakmp-peer)# peer 1.1.1.1
hostname(config-isakmp-peer)# local-id asn1dn
hostname(config-isakmp-peer)# peer-id asn1dn CN=aa,OU=rd,O=hillstone,L=hd,ST=bj,C=cn
hostname(config-isakmp-peer)# trust-domain td2
hostname(config-isakmp-peer)# exit

Step 6: Configure Phase2 proposal

Hillstone Device A
hostname(config)# ipsec proposal p2
hostname(config-ipsec-proposal)# protocol esp
hostname(config-ipsec-proposal)# hash sha
hostname(config-ipsec-proposal)# encryption 3des
hostname(config-ipsec-proposal)# exit

Hillstone Device B
hostname(config)# ipsec proposal p2
hostname(config-ipsec-proposal)# protocol esp
hostname(config-ipsec-proposal)# hash sha
hostname(config-ipsec-proposal)# encryption 3des
hostname(config-ipsec-proposal)# exit

Step 7: Configure a tunnel named VPN

Hillstone Device A
hostname(config)# tunnel ipsec vpn auto
hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2
hostname(config-tunnel-ipsec-auto)# isakmp-peer east
hostname(config-tunnel-ipsec-auto)# id local 10.1.1.0/24 remote 192.168.1.0/24 service any
hostname(config-tunnel-ipsec-auto)# exit
hostname(config)# interface tunnel1
hostname(config-if-tun1)# tunnel ipsec vpn
hostname(config-if-tun1)# exit

Hillstone Device B
hostname(config)# tunnel ipsec vpn auto
hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2
hostname(config-tunnel-ipsec-auto)# isakmp-peer east
hostname(config-tunnel-ipsec-auto)# id local 192.168.1.0/24 remote 10.1.1.0/24 service any
hostname(config-tunnel-ipsec-auto)# exit
hostname(config)# interface tunnel1
hostname(config-if-tun1)# tunnel ipsec vpn
hostname(config-if-tun1)# exit

Step 8: Configure routes

Hillstone Device A
hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ip route 192.168.1.0/24 tunnel1
hostname(config-vrouter)# exit

Hillstone Device B
hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ip route 10.1.1.0/24 tunnel1
hostname(config-vrouter)# exit
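With rsa-sig authentication, Phase 1 only succeeds when the identity a gateway presents from its certificate equals the peer-id asn1dn configured on the other side, so the subject entered under the trust domain in Step 4 and the peer-id entered in Step 5 must agree attribute for attribute. The following check is an added example and is not code from the StoneOS guide; it takes the subject attributes and peer-id strings of the example above (with Device B's commonName taken as bb so that it matches Device A's peer-id), renders each trust-domain subject in the DN string form of the peer-id command using the attribute order CN,OU,O,L,ST,C of Step 5, and reports any gateway whose peer-id does not match the other gateway's subject. The subject-keyword-to-RDN mapping and the order-sensitive comparison are assumptions of this example.

```python
"""Added example (not code from the StoneOS guide): a check that the peer-id
asn1dn each ISAKMP gateway configures in Step 5 matches the certificate subject
the other gateway enrolled in its trust domain in Step 4. Subject attributes
follow the trust-domain commands of the example above, with Device B's
commonName set to bb so that it matches Device A's peer-id; the attribute order
CN,OU,O,L,ST,C follows the peer-id strings in Step 5."""
from typing import Dict, List, Tuple

# trust-domain subject keyword -> RDN type in the peer-id asn1dn string (assumed mapping)
ATTR_TO_RDN = {"commonName": "CN", "organizationunit": "OU", "organization": "O",
               "localityName": "L", "stateOrProvinceName": "ST", "country": "C"}
RDN_ORDER = ["CN", "OU", "O", "L", "ST", "C"]


def subject_to_dn(subject: Dict[str, str]) -> str:
    """Render trust-domain subject attributes in the peer-id asn1dn string form."""
    rdn = {ATTR_TO_RDN[attr]: value for attr, value in subject.items()}
    return ",".join(f"{key}={rdn[key]}" for key in RDN_ORDER if key in rdn)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (type, value) pairs; types compare case-insensitively."""
    pairs = []
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def peer_id_matches(peer_id_dn: str, peer_subject: Dict[str, str]) -> bool:
    """Order-sensitive comparison, as for a DER-encoded DN identity payload."""
    return parse_dn(peer_id_dn) == parse_dn(subject_to_dn(peer_subject))


def check_pair(gw_a: Dict, gw_b: Dict) -> List[str]:
    """Check each gateway's peer-id against the other's subject; [] means consistent."""
    problems = []
    for local, remote, name in ((gw_a, gw_b, "A"), (gw_b, gw_a, "B")):
        if not peer_id_matches(local["peer_id"], remote["subject"]):
            problems.append(f"{name}: peer-id {local['peer_id']} does not match the peer "
                            f"subject {subject_to_dn(remote['subject'])}")
    return problems


# Values taken from the configuration example (trust domains td1/td2, peer "east").
DEVICE_A = {
    "subject": {"commonName": "aa", "country": "cn", "stateOrProvinceName": "bj",
                "localityName": "hd", "organization": "hillstone", "organizationunit": "rd"},
    "peer_id": "CN=bb,OU=rd,O=hillstone,L=hd,ST=bj,C=cn",
}
DEVICE_B = {
    "subject": {"commonName": "bb", "country": "cn", "stateOrProvinceName": "bj",
                "localityName": "hd", "organization": "hillstone", "organizationunit": "rd"},
    "peer_id": "CN=aa,OU=rd,O=hillstone,L=hd,ST=bj,C=cn",
}


def demo() -> Dict[str, List[str]]:
    """The consistent pair, then a constructed typo in Device B's commonName."""
    typo = dict(DEVICE_B, subject=dict(DEVICE_B["subject"], commonName="b"))
    return {"ok": check_pair(DEVICE_A, DEVICE_B), "cn_typo": check_pair(DEVICE_A, typo)}


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or "consistent")
```

Run it as a script to see both scenarios; a non-empty result names the gateway whose peer-id would reject the peer's certificate during Phase 1.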


Chapter 9 VPN
This chapter introduces the following topics:

l IPSec Protocol

l SSL VPN

l Dial-up VPN

l PnPVPN

l GRE Protocol

l L2TP Protocol

Chapter 9 VPN 1181


IPsec Protocol

Overview
IPsec is a widely used protocol suite for establishing VPN tunnels. IPsec is not a single protocol,
but a suite of protocols for securing IP communications. It includes Authentication Header
(AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE) and a number of
authentication methods and encryption algorithms. IPsec defines how to choose the security
protocols and algorithms, as well as how to exchange security keys among communication
peers, offering the upper-layer protocols network security services such as access control, data
source authentication and data encryption.

l Authentication Header (AH): AH is a member of the IPsec protocol suite. AH guarantees
connectionless integrity and data source verification of IP packets, and furthermore, it protects
against replay attacks. AH can provide sufficient authentication for IP headers and upper-layer
protocols.

l Encapsulating Security Payload (ESP): ESP is a member of the IPsec protocol suite. ESP
provides encryption for confidential data and implements the data integrity check of IPsec ESP
data in order to guarantee confidentiality and integrity. Both ESP and AH can provide service
of confidentiality (encryption), and the key difference between them is the coverage.

l Internet Key Exchange (IKE): IKE is used to negotiate the cryptographic algorithms used by
AH and ESP and to deliver the keys those algorithms need to the right place.

Notes: The Russian version does not support the IPsec protocol and the related
IPsec VPN function.

Security Association

IPsec provides encrypted communication between two peers, which are known as IPsec ISAKMP
gateways. Security Association (SA) is the basis and essence of IPsec. SA defines some factors of
communication peers like the protocols, operational modes, encryption algorithms (DES, 3DES,
AES-128, AES-192 and AES-256), shared keys of data protection in particular flows and the
lifetime of the SA, etc.
An SA is used to process data flow in one direction. Therefore, in a bi-directional communication
between two peers, you need at least two security associations to protect the data flow in both
directions.

Establishing a SA

You can establish an SA in two ways: manually or by IKE auto negotiation (ISAKMP).
Manually configuring an SA is complicated, as all the information is configured by yourself and
some advanced features of IPsec are not supported (e.g. timed refreshing); the advantage is that a
manually configured SA can fulfill IPsec features independently, without relying on IKE. This
method applies to environments with a small number of devices or with static IP addresses.
The IKE auto negotiation method is comparatively simple. You only need to configure the
information for IKE negotiation and leave the remaining work of creating and maintaining the
SA to the IKE auto negotiation function. This method is for medium and large dynamic networks.
Establishing an SA by IKE auto negotiation consists of two phases. Phase 1 negotiates and creates
a communication channel (the ISAKMP SA) and authenticates the channel to provide
confidentiality, data integrity and data source authentication services for further IKE
communication; Phase 2 creates an IPsec SA using the established ISAKMP SA. Establishing an
SA in two phases speeds up key exchange.

Phase 1 SA

The Phase 1 SA refers to the Security Association for establishing the channel. The negotiation
procedure is:

1. Parameter configuration, including:

l Authentication method: Pre-shared key or digital signature

l Diffie-Hellman group selection

2. Policy negotiation, including:

l Encryption algorithm: DES, 3DES, AES-128, AES-192 or AES-256

l Hash algorithm: MD5, SHA-1 or SHA-2

3. DH exchange. Although it is known as key exchange, the two hosts never actually exchange
any real key at any time during the communication; instead they only exchange the basic
element information that the DH algorithm uses to generate the shared key. The DH exchange
can be either open to the public or protected. After exchanging the elements for generating the
key, the hosts at both ends can each generate the identical shared master key, which protects
the authentication process that follows.

4. Authentication. The DH exchange needs to be further authenticated. If the authentication
fails, the communication will not continue. The master key, along with the negotiation
algorithm specified in Phase 1, is used to authenticate the communication entities and the
communication channel. During this procedure, the entire payload to be authenticated,
including the entity type, port number and protocol, is protected by the previously generated
master key to assure confidentiality and integrity.
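The DH step above is easiest to see in working code. What follows is an added example, not code from the StoneOS guide: two constructed peers first settle on a common DH group (with no common group, Phase 1 stops right there, as the DH group section later in this chapter states), then each draws a private exponent, sends only its public value g^x mod p across the wire, and derives the same master key from the other side's public value. The modulus is the 1024-bit MODP group of IKE DH group 2 (RFC 2409), the group the configuration example on this page selects; hashing the shared secret with SHA-1 to obtain the master key is a simplification of the IKE key derivation and is an assumption of this example, as is the rejection of degenerate public values.

```python
"""Added example, not code from the StoneOS guide: the Phase 1 DH exchange
described above, run between two constructed peers over IKE DH group 2
(1024-bit MODP, RFC 2409). Only the public values cross the wire; both sides
still arrive at the same master key. select_group() shows the group-matching
step that precedes the exchange."""
import hashlib
import secrets
from typing import Optional, Sequence, Tuple

# 1024-bit MODP prime of IKE DH group 2 (RFC 2409); generator g = 2.
MODP_1024_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
DH_GROUPS = {2: (int(MODP_1024_HEX, 16), 2)}   # group number -> (p, g)


def select_group(local: Sequence[int], remote: Sequence[int]) -> Optional[int]:
    """First group in the local proposal that the remote side also supports,
    or None: with no common group the Phase 1 negotiation fails here."""
    for group in local:
        if group in remote:
            return group
    return None


class Peer:
    """One ISAKMP gateway's share of the exchange."""

    def __init__(self, name: str, group: int) -> None:
        self.name = name
        self.p, self.g = DH_GROUPS[group]
        # Private exponent: drawn from a CSPRNG, kept local, never transmitted.
        self.x = secrets.randbelow(self.p - 2) + 1
        # Public value: the only DH material that crosses the wire.
        self.public = pow(self.g, self.x, self.p)

    def master_key(self, peer_public: int) -> bytes:
        """Combine the peer's public value with the local private exponent.
        Degenerate values (0, 1, p-1) would force a trivially known secret and
        are rejected before any key is derived (assumed check)."""
        if peer_public <= 1 or peer_public >= self.p - 1:
            raise ValueError(f"{self.name}: invalid DH public value from peer")
        shared = pow(peer_public, self.x, self.p)
        shared_bytes = shared.to_bytes((self.p.bit_length() + 7) // 8, "big")
        # Simplified derivation: hash the shared secret with the negotiated
        # hash (SHA-1, as in the page's proposal). The raw DH result is never
        # used directly as a key.
        return hashlib.sha1(shared_bytes).digest()


def phase1_exchange(local_groups: Sequence[int],
                    remote_groups: Sequence[int]) -> Optional[Tuple[bytes, bytes]]:
    """Group selection followed by the exchange. Returns the master key each
    side computed, or None when the proposals share no DH group."""
    group = select_group(local_groups, remote_groups)
    if group is None:
        return None
    a, b = Peer("A", group), Peer("B", group)
    # Only a.public and b.public are exchanged; a.x and b.x stay local.
    return a.master_key(b.public), b.master_key(a.public)


if __name__ == "__main__":
    keys = phase1_exchange([2], [2])
    print("master keys match:", keys is not None and keys[0] == keys[1])
    print("mismatched groups:", phase1_exchange([5], [14]))
```

Run as a script it prints that both master keys match and that a proposal pair with no common group yields no key at all; the private exponents are regenerated on every run, so the key value itself differs each time while the equality always holds.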

Phase 2 SA

The Phase 2 SA, a fast SA, refers to the Security Association established for data transmission.
This phase negotiates to establish an IPsec SA and provides the IPsec service for data exchange.
The negotiation messages in Phase 2 are protected by the Phase 1 SA, and any message that is not
protected by the Phase 1 SA will be rejected. The Phase 2 negotiation (fast negotiation mode)
procedure is:

1. Policy negotiation. The peers exchange protection requirements:

l IPsec protocol: AH or ESP

l Hash algorithm: MD5, SHA-1, SHA-2 or NULL

l Encryption: DES, 3DES, AES-128, AES-192, AES-256 or NULL

l Compression algorithm: DEFLATE

After the above four requirements reach an agreement, two SAs will be established and used for
inbound and outbound communications respectively.

2. Refreshing or exchanging session key elements. In this step, the session key for IP packet
encryption is generated through a DH exchange.

3. Submitting the SA to the IPsec driver.

During the Phase 2 negotiation process, if the response times out, the system automatically
retries the Phase 2 SA negotiation.

Hash Algorithm

Both AH and ESP can verify the integrity of IP packets and determine whether the packets have
been tampered with during transmission. The verification algorithm is implemented mainly by a
hash function. A hash function accepts a message input of arbitrary length and produces an
output of fixed length, known as the message digest. The IPsec peers compute the message
digest; if the two digests are identical, the message proves to be complete and not tampered
with. In general IPsec adopts the following hash algorithms:

l MD5: Uses a message input of arbitrary length to produce a 128-bit message digest.

l SHA-1: Uses a message with a length less than 2^64 bits to produce a 160-bit message digest.
The digest of SHA-1 is longer than that of MD5, so it is more secure.

l SHA-2: Consists of SHA-256, SHA-384 and SHA-512. This algorithm can produce a longer
message digest. For SHA-256, a message input with a length less than 2^64 bits produces a
256-bit message digest; for SHA-384, a message input with a length less than 2^128 bits
produces a 384-bit message digest; for SHA-512, a message input with a length less than 2^128
bits produces a 512-bit message digest.
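In AH and ESP the hash is not applied bare: both peers share a key and compute a keyed hash (HMAC) over the protected bytes, truncated to the ICV length the relevant RFC fixes, and the receiver recomputes and compares it. The block below is an added example and not code from the StoneOS guide; it implements that check for the hash keywords used in this chapter, with the truncation lengths of RFC 2403 (HMAC-MD5-96), RFC 2404 (HMAC-SHA-1-96) and RFC 4868 (SHA-2 digests truncated to half length), and shows that one flipped bit, or the wrong key, makes verification fail. The key and the ESP-like packet bytes are constructed for the example, and the framing (protected bytes followed by the ICV) is a simplification of the real ESP trailer layout.

```python
"""Added example, not code from the StoneOS guide: the keyed integrity check
AH and ESP perform, for the hash keywords used in this chapter. The sender
appends a truncated HMAC (the ICV) to the protected bytes; the receiver
recomputes it under the same key and compares in constant time, so a packet
altered in transit or authenticated under the wrong key is rejected. Key and
packet bytes below are constructed; the framing is simplified."""
import hashlib
import hmac
from typing import Optional

# StoneOS hash keyword -> (hashlib name, ICV length in bytes after truncation)
# per RFC 2403 (MD5-96), RFC 2404 (SHA-1-96) and RFC 4868 (SHA-2 half length).
HASH_TABLE = {
    "md5": ("md5", 12),
    "sha": ("sha1", 12),
    "sha256": ("sha256", 16),
    "sha384": ("sha384", 24),
    "sha512": ("sha512", 32),
}


def digest_bits(alg: str) -> int:
    """Full digest length in bits of the underlying hash (128/160/256/384/512)."""
    return hashlib.new(HASH_TABLE[alg][0]).digest_size * 8


def compute_icv(key: bytes, data: bytes, alg: str = "sha") -> bytes:
    """HMAC over the protected bytes, truncated to the ICV length for alg."""
    name, icv_len = HASH_TABLE[alg]
    return hmac.new(key, data, name).digest()[:icv_len]


def protect(key: bytes, data: bytes, alg: str = "sha") -> bytes:
    """Sender side: protected bytes followed by the ICV."""
    return data + compute_icv(key, data, alg)


def verify(key: bytes, packet: bytes, alg: str = "sha") -> Optional[bytes]:
    """Receiver side: the protected bytes if the ICV checks out, else None."""
    icv_len = HASH_TABLE[alg][1]
    if len(packet) <= icv_len:
        return None                       # too short to carry an ICV
    data, icv = packet[:-icv_len], packet[-icv_len:]
    if hmac.compare_digest(icv, compute_icv(key, data, alg)):
        return data
    return None


# Constructed sample: a 160-bit HMAC-SHA-1 key and an ESP-like payload
# (an SPI and sequence number field followed by application bytes).
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
SAMPLE_DATA = bytes.fromhex("0000100100000007") + b"payload from 10.1.1.1 to 192.168.1.1"


def demo() -> dict:
    """Intact packet verifies; a one-bit change or a wrong key does not."""
    pkt = protect(SAMPLE_KEY, SAMPLE_DATA)
    tampered = bytearray(pkt)
    tampered[8] ^= 0x01                  # flip one bit inside the protected bytes
    wrong_key = bytes(20)
    return {
        "intact": verify(SAMPLE_KEY, pkt) == SAMPLE_DATA,
        "tampered": verify(SAMPLE_KEY, bytes(tampered)) is None,
        "wrong_key": verify(wrong_key, pkt) is None,
    }


if __name__ == "__main__":
    print(demo())
    print({alg: digest_bits(alg) for alg in HASH_TABLE})
```

The constant-time comparison matters on the receiver: comparing ICVs byte by byte with early exit would leak, through timing, how many leading bytes of a forged ICV were correct.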


Encryption Algorithm

ESP can provide encryption protection for the content of IP packets and protect against sniffing
during transmission. The encryption algorithm is implemented mainly through a symmetric key
system, which uses the same key to encrypt and decrypt data. StoneOS supports 3 encryption
algorithms:

l DES (Data Encryption Standard): Uses a 56-bit key to encrypt each 64-bit plaintext block.

l 3DES (Triple DES): Uses three 56-bit DES keys (168 bits in total) to encrypt plaintext.

l AES (Advanced Encryption Standard): StoneOS supports AES algorithms with 128-bit, 192-bit
and 256-bit keys.

Compression Algorithm

IPComp (IP Payload Compression) is a protocol designed to reduce the length of IP datagrams.
This protocol compresses the IP datagram payload with different compression algorithms, and
so makes it possible to transmit data with a heavy payload under low-bandwidth conditions.
The prerequisite for a successful IPComp communication is to establish an IPComp Association
(IPCA) between the two ends of the communication. The association includes all the information
needed for IPComp operation, such as the compression algorithm and the parameters for the
compression algorithm. When compressing the IPsec network data stream with IPComp, you can
create an IPCA manually or by dynamic negotiation. For the dynamic negotiation approach, the
ISAKMP gateway offers all the mechanisms necessary for establishing the IPCA. The IPsec
function of Hillstone devices provides the following IPComp compression algorithm:

l DEFLATE: A free lossless compression algorithm that can be implemented in IPComp; it
combines the LZ77 algorithm with Huffman coding.

References
The IPsec function of Hillstone devices follows the IPsec protocol specifications defined in
RFCs. For more detailed information about the IPsec protocol, see the relevant sections of the
RFC documents below:

l Security Architecture for the Internet Protocol: RFC2401/RFC4301

l ESP: RFC2406/RFC4303

l AH: RFC2402/RFC4302

l Encryption algorithm: RFC2410 (Null Encryption), RFC2405 (DES-CBC), RFC2451 (3DES-CBC)
and RFC3602 (AES-CBC)

l Hash algorithm: FIPS180-2 (SHA), RFC2404 (SHA-1), RFC4868 (SHA-2) and RFC2403 (MD5)

l Compression algorithm: RFC2393 (IPComp) and RFC2394 (DEFLATE)

Applying an IPsec VPN

You can apply the configured VPN tunnels on Hillstone devices through policy-based VPN or
route-based VPN to assure that the traffic is encrypted and decrypted.

l Policy-based VPN: Applies a configured VPN tunnel in a policy rule, and only permits the
matched traffic to pass through the VPN tunnel.

l Route-based VPN: Binds the configured VPN tunnel to a tunnel interface; when configuring
the static route, you specify the tunnel interface as the next hop.

Configuring an IPsec VPN

You can configure IPsec VPN in two ways:

l Manual key VPN

l IKE VPN. The system supports both IKEv1 and IKEv2.


Improving the Decrypting Performance of IPSec VPN

This feature is only supported on CloudEdge. When more than 2 vCPUs are used, you can enable
the function to improve the decrypting performance of IPSec VPN as needed. After it is enabled,
the system decrypts packets with multi-core decryption technology, which also increases the
throughput of the device. To improve the decrypting performance of IPSec VPN, in the global
configuration mode, use the following command:
tunnel-core-unbind
In the global configuration mode, use the command no tunnel-core-unbind to restore the default
configuration.

Improving the New Session Processing Performance of IPSec VPN

You can configure the function to improve the new session processing performance of IPSec
VPN as needed. After this function is configured, the system adopts multi-core and
multi-processor technology for VPN negotiation.

Configuring the Number of CPU Cores Used By the System Data Plane

To improve the new session processing performance of IPSec VPN, you need to configure the
number of CPU cores used by the system data plane first. After the configuration, the number of
VPN processors is the total number of system CPU cores minus the number of CPU cores used by
the system data plane. To configure the number of CPU cores used by the system data plane, in
the global configuration mode, use the following command:
flow-core-num number

l number - Specifies the number of CPU cores used by the system data plane. The range is
max_core_number/2 to max_core_number, where max_core_number is the total number of
system CPU cores. After configuration, the formula is: number of VPN processors =
max_core_number (the total number of system CPU cores) - flow-core-number (the number of
CPU cores used by the system data plane).

In the global configuration mode, use the command no flow-core-num to cancel the
configuration.

Enabling/Disabling the VPN Multi-Process Function

By default, the VPN multi-process function is disabled. To enable or disable this function, in the
global configuration mode, use the following command:

l Enable: cp-multi-cores vpnd

l Disable: no cp-multi-cores vpnd

Notes:
l After configuring the number of CPU cores used by the system data plane or
canceling the number already configured, you must reboot the device to make
the configuration take effect.

l After enabling/disabling the VPN multi-process function, you must reboot
the device to make the configuration take effect.

l You need to configure both "Configuring the Number of CPU Cores Used By
the System Data Plane" and "Enabling/Disabling the VPN Multi-Process Function";
after restarting the device, the VPN multi-process function is fully enabled.

l This function supports IKEv1 VPN, Dial-up VPN, PnPVPN and XAUTH.

l SG-6000-X8180 and devices with two or fewer CPU cores do not support this
function.

The asynchronous mode of IPSec

The IPSec asynchronous mode applies to platforms (X8180 and A-series) that integrate hardware
accelerators. IPSec encryption and decryption support asynchronous mode, where data encryption
and decryption are accelerated, and IPSec throughput performance is improved through hardware
accelerators.



Enabling/Disabling the asynchronous mode of IPSec

The asynchronous mode of IPSec is enabled by default. In the global configuration mode, use the
following commands to enable or disable this function:

l Enabling IPSec asynchronous mode: no ipsec-async-crypto-disable

l Disabling IPSec asynchronous mode: ipsec-async-crypto-disable

Viewing the Information of the Hardware Accelerator

To view the information and algorithms of the hardware accelerator supported by the system, use
the following command in any mode:
show dp-dpdk-crypto-device

Notes: If the hardware accelerator is occupied by other functions (such as SSL
Proxy), the content of "device Status" changes to "device Status: disable(crypto is
used by other Module)".

View Statistics on Encryption and Decryption Queues

To view statistics for encryption and decryption queues, use the following command in any
mode:
show ipsec-async-crypto statistic [tunnel_id] [clear]

l show ipsec-async-crypto statistic: Displays the statistics of the IPSec encryption and
decryption queues of the device in asynchronous mode.

l tunnel_id: Specifies the tunnel ID number. The system displays the statistics of the IPSec
encryption and decryption queue of the specified tunnel.

l clear: Displays the statistics of the IPSec encryption and decryption queues of the device
or the specified tunnel, and then clears the statistics.


Manual Key VPN

The configuration options of manual key VPN include the operation mode of IPsec protocol,
SPI, protocol type, encryption algorithm, hash algorithm and compression algorithm.

Creating a Manual Key VPN

To create a manual key VPN, in the global configuration mode, use the following command:
tunnel ipsec name manual

l name – Specifies the name of the manual key VPN tunnel that will be created.

After executing the above command, the CLI is in the manual key VPN configuration mode. You
need to configure all the parameters of the manual key VPN in this mode.
To delete the specified manual key VPN, in the global configuration mode, use the following com-
mand:
no tunnel ipsec name manual

Specifying the Encapsulation Mode of IPsec Protocol

To specify the encapsulation mode of IPsec protocol (either transport mode or tunnel mode), in
the manual key VPN configuration mode, use the following command:
mode {transport | tunnel}

l transport – Specifies the encapsulation mode of IPsec protocol as transport.

l tunnel – Specifies the encapsulation mode of IPsec protocol as tunnel. This is the default
mode.

To restore to the default mode, in the manual key VPN configuration mode, use the command no
mode.

Specifying a SPI

SPI (Security Parameter Index) is a unique 32-bit identifier generated for the SA and transmitted
in the AH and ESP header. The SPI is used to find the corresponding VPN tunnel for decryption.
To specify a SPI, in the manual key VPN configuration mode, use the following command:
spi spi-number out-spi-number

l spi-number – Specifies the local SPI.

l out-spi-number – Specifies the remote SPI.

To cancel the SPI, in the manual key VPN configuration mode, use the command no spi.
When configuring an SA, you should configure the parameters of both the inbound and outbound
directions. Furthermore, the SA parameters of the two ends of the tunnel must match exactly.
The local inbound SPI should be the same as the outbound SPI of the other end; the local
outbound SPI should be the same as the inbound SPI of the other end.

Specifying a Protocol Type

The IPsec protocol types include ESP and AH. To specify the protocol type for the manual key
VPN tunnel, in the manual key VPN configuration mode, use the following command:
protocol {esp | ah}

l esp – Uses ESP. This is the default protocol type.

l ah – Uses AH.

To restore to the default protocol type, in the manual key VPN configuration mode, use the
command no protocol.

Specifying an Encryption Algorithm

To specify an encryption algorithm for the manual key VPN tunnel, in the manual key VPN
configuration mode, use the following command:
encryption {3des | des | aes | aes-192 | aes-256 | null}

l 3des – Uses the 3DES encryption. The key length is 192 bits. This is the default algorithm.

l des – Uses the DES encryption. The key length is 64 bits.

l aes – Uses the AES encryption. The key length is 128 bits.

l aes-192 – Uses the 192-bit AES encryption. The key length is 192 bits.

l aes-256 – Uses the 256-bit AES encryption. The key length is 256 bits.

l null – No encryption.

To restore to the default encryption algorithm, in the manual key VPN configuration mode, use
the command no encryption.

Specifying a Hash Algorithm

To specify a hash algorithm for the manual key VPN tunnel, in the manual key VPN configuration
mode, use the following command:
hash {md5 | sha | sha256 | sha384 | sha512 | null}

l md5 – Uses the MD5 hash algorithm. The digest length is 128 bits.

l sha – Uses the SHA-1 hash algorithm. The digest length is 160 bits. This is the default hash
algorithm.

l sha256 – Uses the SHA-256 hash algorithm. The digest length is 256 bits.

l sha384 – Uses the SHA-384 hash algorithm. The digest length is 384 bits.

l sha512 – Uses the SHA-512 hash algorithm. The digest length is 512 bits.

l null – No hash algorithm.

To restore to the default hash algorithm, in the manual key VPN configuration mode, use the
command no hash.

Specifying a Compression Algorithm

By default, the manual key VPN does not use any compression algorithm. To specify a
compression algorithm (DEFLATE) for the manual key VPN tunnel, in the manual key VPN
configuration mode, use the following command:
compression deflate
To cancel the specified compression algorithm, in the manual key VPN configuration mode, use
the command no compression.


Specifying a Peer IP Address

To specify a peer IP address, in the manual key VPN configuration mode, use the following
command:
peer ip-address

l ip-address – Specifies the IP address of the peer.

To cancel the specified peer IP address, in the manual key VPN configuration mode, use the
command no peer.

Configuring a Hash Key for the Protocol

You should configure the keys of both ends of the tunnel. The local inbound hash key should be
the same as the peer's outbound hash key, and the local outbound hash key should be the same
as the peer's inbound hash key. To configure a hash key, in the manual key VPN configuration
mode, use the following command:
hash-key inbound hex-number-string outbound hex-number-string

l inbound hex-number-string – Configures the local inbound hash key.

l outbound hex-number-string – Configures the local outbound hash key.

To cancel the specified hash key, in the manual key VPN configuration mode, use the command
no hash-key.

Configuring an Encryption Key for the Protocol

You should configure the keys of both ends of the tunnel. The local inbound encryption key
should be the same as the peer's outbound encryption key, and the local outbound encryption
key should be the same as the peer's inbound encryption key. To configure an encryption key
for the protocol, in the manual key VPN configuration mode, use the following command:
encryption-key inbound hex-number-string outbound hex-number-string

l inbound hex-number-string – Configures the local inbound encryption key.

l outbound hex-number-string – Configures the local outbound encryption key.

To cancel the specified encryption key, in the manual key VPN configuration mode, use the
command no encryption-key.

Specifying an Egress Interface

To specify an egress interface, in the manual key VPN configuration mode, use the following
command:
interface interface-name

l interface-name – Specifies the name of the egress interface.

To cancel the specified egress interface, in the manual key VPN configuration mode, use the
command no interface.

Notes: The egress interface in the non-root VSYS cannot be the VSYS shared
interface.
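A manual key tunnel has no negotiation to catch mistakes: if any parameter above differs between the two ends, or the SPIs and keys are not crossed correctly, packets are simply discarded. The block below is an added example and is not code from the StoneOS guide; it models the two ends as plain dictionaries and applies the rules of this section: mode, protocol, encryption, hash and compression must be identical; the local inbound SPI, hash key and encryption key must equal the peer's outbound ones and vice versa; and each end's peer address must be the other's egress address. Keys are assumed to be hex strings whose length must match the bit lengths this section lists (4 bits per hex digit), with HMAC keys taken as digest-length as in RFC 2403/2404; the field names, addresses, SPIs and keys are constructed for the example.

```python
"""Added example, not code from the StoneOS guide: a pre-flight cross-check of
the two ends of a manual key VPN tunnel against the rules in this section.
Keys are assumed to be hex strings sized to the bit lengths the section lists;
all addresses, SPIs and key material below are constructed."""
from typing import Dict, List

ENCRYPTION_KEY_BITS = {"3des": 192, "des": 64, "aes": 128,
                       "aes-192": 192, "aes-256": 256, "null": 0}
HASH_KEY_BITS = {"md5": 128, "sha": 160, "sha256": 256,
                 "sha384": 384, "sha512": 512, "null": 0}


def hex_key_bits(key: str) -> int:
    """Length of a hex key in bits; a malformed key raises instead of passing."""
    if key == "":
        return 0
    int(key, 16)            # ValueError on non-hex input
    return len(key) * 4


def check_end(cfg: Dict, label: str) -> List[str]:
    """Checks confined to one end: key lengths fit the chosen algorithms."""
    problems = []
    for key_field, table, alg_field in (("encryption_key", ENCRYPTION_KEY_BITS, "encryption"),
                                        ("hash_key", HASH_KEY_BITS, "hash")):
        want = table[cfg[alg_field]]
        for direction in ("inbound", "outbound"):
            got = hex_key_bits(cfg[key_field][direction])
            if got != want:
                problems.append(f"{label}: {direction} {key_field} is {got} bits, "
                                f"{cfg[alg_field]} needs {want}")
    return problems


def check_tunnel(a: Dict, b: Dict) -> List[str]:
    """Cross-check both ends; an empty list means the two SAs can match."""
    problems = check_end(a, "A") + check_end(b, "B")
    for field in ("mode", "protocol", "encryption", "hash", "compression"):
        if a[field] != b[field]:
            problems.append(f"{field} differs: A={a[field]} B={b[field]}")
    # Inbound on one end must equal outbound on the other, for SPIs and both keys.
    for field in ("spi", "hash_key", "encryption_key"):
        if a[field]["inbound"] != b[field]["outbound"]:
            problems.append(f"A inbound {field} != B outbound {field}")
        if a[field]["outbound"] != b[field]["inbound"]:
            problems.append(f"A outbound {field} != B inbound {field}")
    if a["peer"] != b["egress_ip"] or b["peer"] != a["egress_ip"]:
        problems.append("peer addresses do not point at each other's egress interface")
    return problems


# Constructed pair: A-to-B keys are A's outbound and B's inbound, and vice versa.
K_ENC_A2B, K_ENC_B2A = "0123456789abcdef" * 3, "fedcba9876543210" * 3   # 192-bit 3DES keys
K_HASH_A2B = "00112233445566778899aabbccddeeff00112233"                 # 160-bit SHA-1 keys
K_HASH_B2A = "ffeeddccbbaa99887766554433221100ffeeddcc"

END_A = {"mode": "tunnel", "protocol": "esp", "encryption": "3des", "hash": "sha",
         "compression": None, "egress_ip": "1.1.1.1", "peer": "1.1.1.2",
         "spi": {"inbound": 0x1001, "outbound": 0x2002},
         "hash_key": {"inbound": K_HASH_B2A, "outbound": K_HASH_A2B},
         "encryption_key": {"inbound": K_ENC_B2A, "outbound": K_ENC_A2B}}
END_B = {"mode": "tunnel", "protocol": "esp", "encryption": "3des", "hash": "sha",
         "compression": None, "egress_ip": "1.1.1.2", "peer": "1.1.1.1",
         "spi": {"inbound": 0x2002, "outbound": 0x1001},
         "hash_key": {"inbound": K_HASH_A2B, "outbound": K_HASH_B2A},
         "encryption_key": {"inbound": K_ENC_A2B, "outbound": K_ENC_B2A}}


def demo() -> Dict[str, List[str]]:
    """The consistent pair, then two typical mistakes: B's inbound SPI not
    matching A's outbound SPI, and an AES-128-length key configured under 3DES."""
    spi_mismatch = dict(END_B, spi={"inbound": 0x3003, "outbound": 0x1001})
    short_key = dict(END_A, encryption_key={"inbound": K_ENC_B2A,
                                            "outbound": "0123456789abcdef" * 2})
    return {"ok": check_tunnel(END_A, END_B),
            "spi_mismatch": check_tunnel(END_A, spi_mismatch),
            "short_key": check_tunnel(short_key, END_B)}


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or "consistent")
```

The short-key scenario is reported twice on purpose: once because the key does not fit the algorithm on end A, and once because, being different from B's inbound key, it also breaks the cross-match; both would need fixing before the tunnel passes traffic.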

IKEv1 VPN

The configurations of IKEv1 VPN include:

l Configuring a P1 proposal

l Configuring an ISAKMP gateway

l Configuring a P2 proposal

l Configuring the smart link

l Configuring a tunnel

Configuring a P1 Proposal

P1 proposal is the IKE security proposal that can be applied to the ISAKMP gateway, and is used
in the Phase 1 SA. The configurations of IKE security proposal include specifying an
authentication method, encryption algorithm, hash algorithm, lifetime of SA and DH group.


Creating a P1 Proposal

To create a P1 proposal, i.e., an IKE security proposal, in the global configuration mode, use the
following command:
isakmp proposal p1-name

l p1-name – Specifies the name of the P1 proposal that will be created. After executing the
command, the CLI will enter the P1 proposal configuration mode. You can configure
parameters for the P1 proposal in this mode.

To delete the specified P1 proposal, in the global configuration mode, use the command no
isakmp proposal p1-name.

Specifying an Authentication Method

Specify the method of IKE identity authentication. Identity authentication is used to confirm the
identities of both ends during the communication. There are two methods: pre-shared key
authentication and digital signature authentication. For the pre-shared key authentication, the
authentication string is used as an input to generate a key, and different authentication strings will
definitely generate different keys. In the non-root VSYS, only the pre-shared key authentication
mode is supported. To specify the authentication method of the IKE security proposal, in the P1
proposal configuration mode, use the following command:
authentication {pre-share | rsa-sig | dsa-sig | gm-de}

l pre-share – Uses the pre-shared key authentication. This is the default method.

l rsa-sig – Uses the RSA digital signature authentication.

l dsa-sig – Uses the DSA digital signature authentication. The corresponding hash algorithm
can only be SHA-1.

l gm-de – Uses the envelope authentication mode. When this authentication mode is selected,
only the encryption algorithms SM1 and SM4 and the verification algorithms SHA and SM3
are supported.

To restore to the default authentication method, in the P1 proposal configuration mode, use the
command no authentication.

Specifying an Encryption Algorithm

StoneOS provides the following five encryption algorithms: 3DES, DES, 128-bit AES, 192-bit
AES and 256-bit AES. To specify the encryption algorithm of the IKE security proposal, in the P1
proposal configuration mode, use the following command:
encryption {3des | des | aes | aes-192 | aes-256 | sm1 | sm4}

l 3des – Uses the 3DES encryption. The key length is 192 bits. This is the default algorithm
for StoneOS.

l des – Uses the DES encryption. The key length is 64 bits.

l aes – Uses the AES encryption. The key length is 128 bits.

l aes-192 – Uses the 192-bit AES encryption. The key length is 192 bits.

l aes-256 – Uses the 256-bit AES encryption. The key length is 256 bits.

l sm1 – Uses the SM1 block cipher algorithm. The key length is 128 bits.

l sm4 – Uses the SM4 block cipher algorithm. The key length is 128 bits.

To restore to the default encryption algorithm, in the P1 proposal configuration mode, use the
command no encryption.

Specifying a Hash Algorithm

StoneOS supports the following hash algorithms: MD5, SHA-1 and SHA-2 (including SHA-256,
SHA-384 and SHA-512). To specify the hash algorithm of the IKE security proposal, in the P1
proposal configuration mode, use the following command:
hash {md5 | sha | sha256 | sha384 | sha512 | sm3}

l md5 – Uses the MD5 hash algorithm. The digest length is 128 bits.

l sha – Uses the SHA-1 hash algorithm. The digest length is 160 bits. This is the default hash
algorithm.

l sha256 – Uses the SHA-256 hash algorithm. The digest length is 256 bits.

l sha384 – Uses the SHA-384 hash algorithm. The digest length is 384 bits.

l sha512 – Uses the SHA-512 hash algorithm. The digest length is 512 bits.

l sm3 – Uses the SM3 hash algorithm. The digest length is 256 bits. The algorithm can be
used for digital signature and verification, generating message authentication codes and other
application scenarios.

To restore to the default hash algorithm, in the P1 proposal configuration mode, use the
command no hash.

Selecting a DH Group

Diffie-Hellman (DH) is designed to establish a shared secret key. DH group determines the
length of the element generating keys for DH exchange. The strength of keys is partially decided
by the robustness of the DH group. The longer the key element is, the more secure the generated
key will be, and the more difficult it will be to decrypt it. The selection of DH group is important,
because the DH Group is only determined in the Phase 1 SA negotiation, and the Phase 2 nego-
tiation will not re-select a DH group. The two phases use the same DH group; therefore the selec-
tion of DH group will have an impact on the keys generated for all sessions. During negotiation,
the two ISAKMP gateways should select the same DH group, i.e., the length of key element
should be equal. If the DH groups do not match, the negotiation will fail.
To select a DH group, in the P1 proposal configuration mode, use the following command:
group {1 | 2 | 5 | 14 | 15 | 16 | 18 | 19 | 20 | 21 | 24}

• 1 – Selects DH Group 1. The key length is 768 bits (MODP Group).

• 2 – Selects DH Group 2. The key length is 1024 bits (MODP Group). This is the default
value.

• 5 – Selects DH Group 5. The key length is 1536 bits (MODP Group).

• 14 – Selects DH Group 14. The key length is 2048 bits (MODP Group).

• 15 – Selects DH Group 15. The key length is 3072 bits (MODP Group).

• 16 – Selects DH Group 16. The key length is 4096 bits (MODP Group).

• 18 – Selects DH Group 18. The key length is 8192 bits (MODP Group).

• 19 – Selects DH Group 19. The key length is 256 bits (ECP Group).

• 20 – Selects DH Group 20. The key length is 384 bits (ECP Group).

• 21 – Selects DH Group 21. The key length is 521 bits (ECP Group).

• 24 – Selects DH Group 24. The key length is 2048 bits (MODP Group with 256-bit Prime
Order Subgroup).

To restore the DH group to the default, in the P1 proposal configuration mode, use the command
no group.
When configuring PFS in the P2 proposal, you can also select the DH group.

Specifying the Lifetime of SA

The Phase 1 SA is configured with a default lifetime. When the SA lifetime expires, the device
sends a P1 SA delete message to its peer, notifying it that the P1 SA has expired and a new SA
negotiation is required. To specify the lifetime of the SA, in the P1 proposal configuration
mode, use the following command:
lifetime time-value

• time-value – Specifies the lifetime of the Phase 1 SA. The value range is 300 to 86400 seconds.
The default value is 86400.

To restore to the default lifetime, in the P1 proposal configuration mode, use the command no
lifetime.
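The Python script below is an added example, not StoneOS code and not part of this guide. It checks a set of P1 proposals against the constraints described above (the valid keywords, the 300 to 86400 second lifetime range, the SHA-1 requirement for dsa-sig and the SM1/SM4 with SHA/SM3 restriction for gm-de) and then works out which proposal two ISAKMP gateways, each carrying up to four proposals, would agree on in Phase 1. The P1Proposal and select_p1 names are the example's own, and the list of weak choices it flags is general cryptographic guidance rather than a StoneOS rule.

```python
"""Validate IKE Phase 1 proposals and find the one two ISAKMP peers can agree on.

Added example, not StoneOS code. Keyword sets, value ranges and defaults come from the
P1 proposal commands above; the weak-algorithm notes are general cryptographic
guidance and are not a StoneOS setting.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AUTH = {"pre-share", "rsa-sig", "dsa-sig", "gm-de"}
ENCRYPTION = {"3des", "des", "aes", "aes-192", "aes-256", "sm1", "sm4"}
HASH = {"md5", "sha", "sha256", "sha384", "sha512", "sm3"}
DH_GROUPS = {1, 2, 5, 14, 15, 16, 18, 19, 20, 21, 24}
LIFETIME_RANGE = (300, 86400)

# Choices a reviewer should flag (an assessment, not a StoneOS rule): single DES and MD5
# are broken, 3DES has a 64-bit block, and MODP groups below 2048 bits give little margin.
WEAK = {
    "des": "56-bit effective key",
    "3des": "64-bit block size",
    "md5": "collision-broken hash",
    1: "768-bit MODP group",
    2: "1024-bit MODP group",
    5: "1536-bit MODP group",
}


@dataclass(frozen=True)
class P1Proposal:
    """One 'isakmp proposal', with the defaults the guide states for each attribute."""
    name: str
    authentication: str = "pre-share"
    encryption: str = "3des"
    hash: str = "sha"
    group: int = 2
    lifetime: int = 86400

    def validate(self) -> List[str]:
        """Return the constraint violations the guide describes; an empty list means valid."""
        errors = []
        for label, value, allowed in (("authentication", self.authentication, AUTH),
                                      ("encryption", self.encryption, ENCRYPTION),
                                      ("hash", self.hash, HASH),
                                      ("group", self.group, DH_GROUPS)):
            if value not in allowed:
                errors.append(f"{label} {value!r} is not a valid keyword")
        lo, hi = LIFETIME_RANGE
        if not lo <= self.lifetime <= hi:
            errors.append(f"lifetime {self.lifetime} outside {lo}..{hi} seconds")
        if self.authentication == "dsa-sig" and self.hash != "sha":
            errors.append("dsa-sig can only be paired with hash sha (SHA-1)")
        if self.authentication == "gm-de":
            if self.encryption not in {"sm1", "sm4"}:
                errors.append("gm-de supports only sm1 or sm4 encryption")
            if self.hash not in {"sha", "sm3"}:
                errors.append("gm-de supports only sha or sm3 hash")
        return errors

    def weaknesses(self) -> List[str]:
        """Attributes a security review would ask to be upgraded."""
        return [f"{self.name}: {item} ({WEAK[item]})"
                for item in (self.encryption, self.hash, self.group) if item in WEAK]

    def matches(self, other: "P1Proposal") -> bool:
        """IKEv1 peers must agree on all four transform attributes; the guide spells this
        out for the DH group. Lifetime is not part of the comparison."""
        mine = (self.authentication, self.encryption, self.hash, self.group)
        theirs = (other.authentication, other.encryption, other.hash, other.group)
        return mine == theirs


def select_p1(initiator: List[P1Proposal],
              responder: List[P1Proposal]) -> Optional[Tuple[P1Proposal, P1Proposal]]:
    """First proposal in the initiator's order that the responder also carries, or None
    when Phase 1 negotiation would fail. Each gateway carries one to four proposals."""
    for side in (initiator, responder):
        if not 1 <= len(side) <= 4:
            raise ValueError("an ISAKMP gateway carries one to four P1 proposals")
        for prop in side:
            if prop.validate():
                raise ValueError(f"invalid proposal {prop.name}: {prop.validate()}")
    for offered in initiator:
        for local in responder:
            if offered.matches(local):
                return offered, local
    return None


if __name__ == "__main__":
    # Constructed sample: a branch offers a strong proposal first and the default as fallback.
    branch = [P1Proposal("strong", encryption="aes-256", hash="sha256", group=14),
              P1Proposal("fallback")]
    center = [P1Proposal("hq", encryption="aes-256", hash="sha256", group=14)]
    print(select_p1(branch, center))
    print(P1Proposal("fallback").weaknesses())
```

Because the initiator's list order is its preference order, placing the strongest proposal first and keeping the StoneOS default (3DES, SHA-1, DH group 2) only as a fallback means a peer that supports the stronger set will never negotiate down to it.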

Configuring an ISAKMP Gateway

After creating an ISAKMP gateway, you can configure the IKE negotiation mode, IP address and
type of the ISAKMP gateway, IKE security proposal, pre-shared key, PKI trust zone, local ID,
ISAKMP gateway ID, ISAKMP connection type, NAT traversal, etc.

Creating an ISAKMP Gateway

To create an ISAKMP gateway, in the global configuration mode, use the following command:
isakmp peer peer-name

• peer-name – Specifies the name of the ISAKMP gateway.

After executing the command, the CLI will enter the ISAKMP gateway configuration mode. You
can configure parameters for the ISAKMP gateway in this mode.
To delete the specified ISAKMP gateway, in the global configuration mode, use the command no
isakmp peer peer-name.

Binding an Interface to the ISAKMP Gateway

To bind an interface to the ISAKMP gateway, in the ISAKMP gateway configuration mode, use
the following command:
interface interface-name

• interface-name – Specifies the name of the binding interface.

To cancel the binding, in the ISAKMP gateway configuration mode, use the command no inter-
face interface-name.

Configuring an IKE Negotiation Mode

The IKE negotiation consists of two modes: the main mode and the aggressive mode. The aggressive
mode does not protect the identities of the peers. However, you have no choice but to use the
aggressive mode when the IP address of the center device is static and the IP address of the client
device is dynamic. To configure the IKE negotiation mode, in the ISAKMP gateway configuration
mode, use the following command:
mode {main | aggressive}

• main – Uses the main mode, and provides ID protection. This is the default mode.

• aggressive – Uses the aggressive mode.

To restore to the default negotiation mode, in the ISAKMP gateway configuration mode, use the
command no mode.

Configuring the Custom IKE Negotiation Port

You can configure a custom UDP port for IKE negotiation, and establish the IPSec connection.
To configure a custom IKE negotiation port, in the ISAKMP gateway configuration mode, use
the following command:
ipsec-over-udp port port-number

• port-number – Specifies the UDP port number. The range is 1 to 65535. To avoid port num-
ber conflicts, you are advised to use port numbers ranging from 1024 to 65535.

To cancel the configuration, in the ISAKMP gateway configuration mode, use the command no
ipsec-over-udp.

Configuring the Custom IKE Negotiation Port Pool

You can configure a custom port pool for IKE negotiation. When the first packet negotiation over
port 500 or 4500 fails, the system can use a port in the custom port pool for IKE negotiation
and establish an IPSec connection.
To configure a custom IKE negotiation port pool, you need to enter the IKE port pool con-
figuration mode. To enter the IKE port pool configuration mode, in the global configuration
mode, use the following command:
ike-port-pool
To delete the custom IKE negotiation port pool, in the global configuration mode, use the com-
mand no ike-port-pool.
To configure a port range for the custom IKE negotiation port pool, in the IKE port pool con-
figuration mode, use the following command:
port-range min min_port max max_port

• min min_port max max_port – Specifies the minimum port number and maximum port num-
ber of the port range. The value range is 1024 to 65535.

Repeat the above commands to configure multiple port ranges. You can configure up to 120 port
ranges.
To delete the specified port range, in the IKE port pool configuration mode, use the command no
port-range min min_port max max_port.

Notes:
    • VPN can use the ports in the custom IKE negotiation port pool for IKE
    negotiation after the port pool is bound to the ISAKMP gateway. For how to
    bind the custom IKE negotiation port pool, see Binding the Custom IKE
    Negotiation Port Pool.

    • After configuring the custom IKE negotiation port pool function, it is recom-
    mended to configure the DPD (Dead Peer Detection) function or the VPN
    Track function at the same time. If port 500 or 4500 is disabled, the system
    will disconnect the old VPN connection and continue to use port 500 or
    4500 to initiate the IKE negotiation. If the first packet negotiation fails, the
    system will use the port in the custom port pool for IKE negotiation.

    • If the successfully negotiated VPN port is disabled, the VPN connection will
    be disconnected for at least 1 minute between disconnecting the old VPN
    connection and renegotiating using the port in the custom port pool.

    • It is recommended that you configure the custom IKE negotiation port func-
    tion and the custom IKE negotiation port pool function separately.

Binding the Custom IKE Negotiation Port Pool

VPN can use the ports in the custom IKE negotiation port pool for IKE negotiation after the
port pool is bound to the ISAKMP gateway.
To bind the custom IKE negotiation port pool, in the ISAKMP gateway configuration mode, use
the following command:
bind ike-port-pool
To cancel the binding, in the ISAKMP gateway configuration mode, use the command no bind
ike-port-pool.

Specifying the IP Address and Peer Type

You can specify the IP address and address type (static or dynamic) for the peer of the created
ISAKMP gateway. To specify the IP address and the type of the peer, in the ISAKMP gateway
configuration mode, use the following command:
type {dynamic | static}

• dynamic – Specifies the dynamic IP address.

• static – Specifies the static IP address. This is the default option.

To restore to the default type, in the ISAKMP gateway configuration mode, use the command no
type.
peer ip-address

• ip-address – Specifies the IP address or the host name of the peer. This parameter is only valid
when the IP address of the peer is static.

To cancel the IP address or the host name, in the ISAKMP gateway configuration mode, use the
command no peer.

Accepting the Peer ID

To make the ISAKMP gateway accept any peer ID without check, in the ISAKMP gateway con-
figuration mode, use the following command:
accept-all-peer-id
To disable the function, use the command no accept-all-peer-id.

Specifying a P1 Proposal

To specify the P1 proposal for the ISAKMP gateway, in the ISAKMP gateway configuration
mode, use the following command:
isakmp-proposal p1-proposal1 [p1-proposal2] [p1-proposal3] [p1-proposal4]

• p1-proposal1 – Specifies the name of the P1 proposal. You can specify up to four P1 pro-
posals for the ISAKMP gateway.

To cancel the specified P1 proposal, in the ISAKMP gateway configuration mode, use the com-
mand no isakmp-proposal.

Configuring a Pre-shared Key

If the pre-shared key authentication method is used, you need to specify a pre-shared key. To spe-
cify the pre-shared key for the ISAKMP gateway, in the ISAKMP gateway configuration mode,
use the following command:
pre-share string

• string – Specifies the content of the pre-shared key.

To cancel the specified pre-shared key, in the ISAKMP gateway configuration mode, use the com-
mand no pre-share.

Configuring a PKI Trust Domain

If the digital signature authentication mode is used, you need to specify a PKI trust domain for
the digital signature. To specify the PKI trust domain for the ISAKMP gateway, in the ISAKMP
gateway configuration mode, use the following command:
trust-domain string

• string – Specifies the PKI trust domain.

To cancel the specified PKI trust domain, in the ISAKMP gateway configuration mode, use the
command no trust-domain.

Tip: For more information about how to configure a PKI trust domain, see
“PKI” in the “User Authentication”.

Configuring the Trust Domain of Peer Certificate

The peer certificate is used for encrypting and authenticating data in the negotiation. The initiator
of VPN connection should import the peer certificate first. The command is supported only in
the GM 1.0 version. To configure the trust domain of the peer certificate, in the ISAKMP gateway
configuration mode, use the following command:
remote-trust-domain string

• string – Specifies the trust domain for the peer certificate.

To cancel the configuration, use the command no remote-trust-domain.

Configuring the Trust Domain of Encryption Certificate

The encryption certificate is used for encrypting data in the negotiation. The command is sup-
ported only in the GM 1.1 version. To configure the trust domain for the encryption certificate,
in the ISAKMP gateway configuration mode, use the following command:
trust-domain-enc string

• string – Specifies the trust domain for the encryption certificate.

To cancel the configuration, use the command no trust-domain-enc.

Configuring the Negotiation Protocol Standard

There are two negotiation protocol standards: IKEv1 and the GM standard. By default, the
system uses IKEv1. To configure the negotiation protocol standard, in the ISAKMP gateway con-
figuration mode, use the following command:
protocol-standard {ikev1 | guomi [v1.0 | v1.1]}

• ikev1 – Specifies IKEv1 as the negotiation protocol standard.

• guomi [v1.0 | v1.1] – Specifies the GM standard as the negotiation protocol standard. If the
version is specified as v1.0 or v1.1, the devices in the negotiation must use the same version.

To cancel the configuration, use the command no protocol-standard.

Configuring a Local ID

To configure the local ID, in the ISAKMP gateway configuration mode, use the following com-
mand:
local-id {fqdn string | asn1dn [string] | u-fqdn string | key-id string | ip ip-address}

• fqdn string – Specifies the ID type of FQDN. string is the specific content of the ID.

• asn1dn [string] – Specifies the ID type of Asn1dn. This type is only applicable to the case of
using a certificate. string is the specific content of the ID, but this parameter is optional. If
string is not specified, the system will obtain the ID from the certificate.

• u-fqdn string – Specifies the ID type of U-FQDN, i.e., the email address type, such as user-
[email protected].

• key-id string – Specifies the ID that uses the Key ID type. This type is applicable to the
XAUTH function.

• ip ip-address – Specifies the ID type of IP address. ip-address is the specific content of the ID.

To cancel the specified local ID, in the ISAKMP gateway configuration mode, use the command
no local-id.

Configuring a Peer ID

StoneOS supports the peer ID types of FQDN, Asn1dn, U-FQDN, Key ID and IP address. To
configure the peer ID, in the ISAKMP gateway configuration mode, use the following command:
peer-id {fqdn | asn1dn | u-fqdn | key-id | ip} string

• fqdn – Specifies the ID type of FQDN. string is the specific content of the ID.

• asn1dn – Specifies the ID type of Asn1dn. This type is only applicable to the case of using a
certificate. string is the specific content of the ID.

• u-fqdn – Specifies the ID type of U-FQDN, i.e., the email address type, such as user-
[email protected].

• key-id – Specifies the ID type of Key ID. This type is only supported for the XAUTH function.

• ip – Specifies the ID type of IP address.

To cancel the specified peer ID, in the ISAKMP gateway configuration mode, use the command
no peer-id.

Specifying a Connection Type

The created ISAKMP gateway can be an initiator, responder, or both the initiator and responder.
To specify the connection type, in the ISAKMP gateway configuration mode, use the following
command:
connection-type {bidirectional | initiator-only | responder-only}

• bidirectional – Specifies the ISAKMP gateway as both the initiator and responder. This is
the default option.

• initiator-only – Specifies the ISAKMP gateway as the initiator only.

• responder-only – Specifies the ISAKMP gateway as the responder only.

To restore to the default connection type, in the ISAKMP gateway configuration mode, use the
command no connection-type.

Enabling NAT Traversal

The NAT traversal function must be enabled when there is a NAT device in the path of the IPsec
or IKE tunnel and that device performs NAT on the tunnel traffic. By default, NAT traversal is
disabled. To enable NAT traversal, in the ISAKMP gateway configuration mode, use the following
command:
nat-traversal

To disable NAT traversal, in the ISAKMP gateway configuration mode, use the command no nat-
traversal.

Configuring Auto Routing

For IKEv1 VPN, whether the address type of the peer of the created ISAKMP gateway is static
or dynamic, once the auto routing function is configured and an IPSec SA is created, a route
entry whose destination IP address is the local ID of the peer and whose next hop is the tunnel
interface is added to the routing table automatically. The auto routing function allows the device
to add the routes from center to branch automatically, avoiding the complexity of manual
routing. When an IPSec SA is deleted, the corresponding route entry is deleted from the routing
table.
By default the auto routing is disabled. To enable it, in the ISAKMP gateway configuration mode,
use the following command:
generate-route
To disable auto routing, use the command no generate-route.

Configuring DPD

DPD (Dead Peer Detection) is used to detect the state of the security tunnel peer. After the
DPD function is enabled, the system periodically sends DPD requests to the peer at a specified
interval to detect whether the ISAKMP gateway still exists. By default, this function is disabled.
To enable DPD, in the ISAKMP gateway configuration mode, use the following command:
dpd
To configure DPD, in the ISAKMP gateway configuration mode, use the following command:
dpd [interval seconds] [retry times] {on-demand | periodic}

• interval seconds – Specifies the interval of sending DPD requests to the peer. The value
range is 1 to 10 seconds. The default value is 10.

• retry times – Specifies the number of DPD requests sent to the peer. The device keeps
sending DPD requests to the peer until the specified number of retries is reached. If the
device does not receive a response from the peer after the retry times, it determines that the
peer ISAKMP gateway is down. The value range is 1 to 20 times. The default value is 3.

• periodic – Specifies the periodic mode for DPD detection. In this mode, the system con-
tinuously sends DPD requests to the peer at the specified interval. If no response packet is
received from the peer within a DPD detection period, the system determines that the peer
does not exist. DPD detection period = DPD interval * DPD retries.

• on-demand – Specifies the on-demand mode for DPD detection. In this mode, the device does
not send DPD requests if it receives no IPSec traffic. If the device receives IPSec traffic and
needs to forward it, the system checks when the last IPSec traffic from the peer was received.
If that interval is shorter than the DPD detection period, the peer ISAKMP gateway is
considered alive and the device does not send DPD requests. If the interval exceeds the DPD
detection period, the device sends DPD requests to detect whether the peer ISAKMP gateway
still exists. If the device does not receive a response packet during the DPD detection period,
the system ages the SA information of phase 1 and phase 2 and initiates a new IPSec
negotiation.

To restore the default DPD settings, use the command no dpd.
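The following Python model of the two DPD modes is an added example, not StoneOS code. It takes the interval and retry ranges, their defaults and the rule DPD detection period = DPD interval * DPD retries from this section; the DpdConfig and DpdMonitor names, and the convention that the caller invokes tick() once per DPD interval, are the example's own assumptions. It shows why on-demand mode sends nothing while the peer has been heard from within one detection period, and when either mode declares the peer dead.

```python
"""Dead Peer Detection timing for an ISAKMP gateway: periodic versus on-demand mode.

Added example, not StoneOS code. Interval/retry ranges, defaults and the rule
'DPD detection period = interval * retries' come from the dpd command above; the
DpdMonitor is a simplified model of the described behaviour, driven by the caller
once per DPD interval.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DpdConfig:
    interval: int = 10          # seconds between DPD requests, 1..10
    retry: int = 3              # requests sent before the peer is declared down, 1..20
    mode: str = "periodic"      # "periodic" or "on-demand"

    def validate(self) -> None:
        if not 1 <= self.interval <= 10:
            raise ValueError("dpd interval must be 1..10 seconds")
        if not 1 <= self.retry <= 20:
            raise ValueError("dpd retry must be 1..20")
        if self.mode not in ("periodic", "on-demand"):
            raise ValueError("dpd mode must be periodic or on-demand")

    @property
    def detection_period(self) -> int:
        """Seconds of peer silence after which the peer is considered dead."""
        return self.interval * self.retry


class DpdMonitor:
    """Tracks one peer; tick() is called by the DPD timer every `interval` seconds."""

    def __init__(self, cfg: DpdConfig, now: float) -> None:
        cfg.validate()
        self.cfg = cfg
        self.last_rx = now                 # last IPsec packet (or DPD reply) from the peer
        self.probe_started: Optional[float] = None
        self.requests_sent = 0

    def on_peer_packet(self, now: float) -> None:
        """Any traffic from the peer proves it is alive and cancels a running probe sequence."""
        self.last_rx = now
        self.probe_started = None
        self.requests_sent = 0

    def tick(self, now: float, outbound_pending: bool = False) -> str:
        """Returns 'idle' (no request sent), 'probe' (request sent) or 'dead'.

        'dead' is where the gateway ages its Phase 1 and Phase 2 SAs and renegotiates.
        """
        period = self.cfg.detection_period
        if self.cfg.mode == "on-demand":
            # On-demand: only when there is IPsec traffic to forward, and only if the peer
            # has been silent for a whole detection period; otherwise it is assumed alive.
            if not outbound_pending or now - self.last_rx < period:
                return "idle"
        if self.probe_started is None:
            self.probe_started = now
        if now - self.probe_started >= period:
            return "dead"                  # all `retry` requests went unanswered
        self.requests_sent += 1
        return "probe"


if __name__ == "__main__":
    # Constructed timeline: defaults (10 s x 3 retries) with a peer that never answers.
    mon = DpdMonitor(DpdConfig(), now=0)
    print([mon.tick(t) for t in (10, 20, 30, 40)])   # three probes, then dead
```

In periodic mode the monitor declares the peer dead after `retry` unanswered requests, which is exactly one detection period of silence; in on-demand mode the same clock only starts once there is traffic to forward and the peer has already been quiet for a detection period, so an idle tunnel never generates DPD traffic.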

Specifying Description

To specify description for the ISAKMP Gateway, in the ISAKMP gateway configuration mode,
use the following command:
description string

• string – Specifies the description for the ISAKMP gateway.

To delete the description, in the ISAKMP gateway configuration mode, use the command no
description.

Enabling/Disabling ISAKMP SA and IPSec SA Negotiation Separation Mode

The ISAKMP SA and IPSec SA negotiation separation mode is disabled by default. That means
that when the ISAKMP SA times out, if only the ISAKMP SA is renegotiated and the IPSec SA is
not, the ISAKMP SA times out and is disconnected after a certain period of time, resulting in
IPSec VPN disconnection. When the ISAKMP SA and IPSec SA negotiation separation mode is
enabled, the system allows only the ISAKMP SA to be negotiated when it times out. The original
IPSec SA continues to work, and the ISAKMP SA does not time out because a new IPSec SA is
not negotiated.
To enable the ISAKMP SA and IPSec SA negotiation separation mode, in the ISAKMP gateway
configuration mode, use the following command:
phase1-phase2-sa unbind
To disable the ISAKMP SA and IPSec SA negotiation separation mode, in the ISAKMP gateway
configuration mode, use the following command:
phase1-phase2-sa bind

Configuring a P2 Proposal

P2 proposal is used in the Phase 2 SA. The configurations of P2 proposal include encryption
algorithm, hash algorithm, compression algorithm and lifetime.

Creating a P2 Proposal

To create a P2 proposal, i.e., an IPsec security proposal, in the global configuration mode, use the
following command:
ipsec proposal p2-name

• p2-name – Specifies the name of the P2 proposal that will be created. After executing the
command, the CLI is in the P2 proposal configuration mode. You can configure parameters
for P2 proposal in this mode.

To delete the specified P2 proposal, in the global configuration mode, use the command no ipsec
proposal p2-name.

Specifying a Protocol Type

The protocol types available to P2 proposal include ESP and AH. To specify a protocol type for
P2 proposal, in the P2 proposal configuration mode, use the following command:
protocol {esp | ah}

• esp – Uses ESP. This is the default protocol type.

• ah – Uses AH.

To restore to the default protocol type, in the P2 proposal configuration mode, use the command
no protocol.

Specifying an Encryption Algorithm

You can specify 1 to 4 encryption algorithms for P2 proposal. To specify the encryption algorithm
for P2 proposal, in the P2 proposal configuration mode, use the following command:
encryption {3des | des | aes | aes-192 | aes-256 | aes-gcm-128 | aes-gcm-192 | aes-gcm-256
| sm1 | sm4 | null} [3des | des | aes | aes-192 | aes-256 | aes-gcm-128 | aes-gcm-192 |
aes-gcm-256 | sm1 | sm4 | null] [3des | des | aes | aes-192 | aes-256 | aes-gcm-128 |
aes-gcm-192 | aes-gcm-256 | sm1 | sm4 | null] …

• 3des – Uses the 3DES encryption. The key length is 192 bits. This is the default method for
StoneOS.

• des – Uses the DES encryption. The key length is 64 bits.

• aes – Uses the AES encryption. The key length is 128 bits.

• aes-192 – Uses the 192-bit AES encryption. The key length is 192 bits.

• aes-256 – Uses the 256-bit AES encryption. The key length is 256 bits.

• aes-gcm-128 – Uses the 128-bit AES-GCM encryption. The key length is 128 bits.

• aes-gcm-192 – Uses the 192-bit AES-GCM encryption. The key length is 192 bits.

• aes-gcm-256 – Uses the 256-bit AES-GCM encryption. The key length is 256 bits.

• sm1 – Uses the SM1 block encryption algorithm. The key length is 128 bits.

• sm4 – Uses the SM4 block encryption algorithm. The key length is 128 bits.

• null – No encryption.

To restore to the default encryption algorithm, in the P2 proposal configuration mode, use the
command no encryption.

Specifying a Hash Algorithm

You can specify 1 to 3 hash algorithms for P2 proposal. To specify the hash algorithm for P2 pro-
posal, in the P2 proposal configuration mode, use the following command:
hash {md5 | sha | sha256 | sha384 | sha512 | sm3 | null} [md5 | sha | sha256 | sha384 |
sha512 | sm3 | null] [md5 | sha | sha256 | sha384 | sha512 | sm3 | null]

• md5 – Uses the MD5 hash algorithm. The digest length is 128 bits.

• sha – Uses the SHA-1 hash algorithm. The digest length is 160 bits. This is the default hash
algorithm.

• sha256 – Uses the SHA-256 hash algorithm. The digest length is 256 bits.

• sha384 – Uses the SHA-384 hash algorithm. The digest length is 384 bits.

• sha512 – Uses the SHA-512 hash algorithm. The digest length is 512 bits.

• sm3 – Uses the SM3 hash algorithm. The digest length is 256 bits.

• null – No hash algorithm.

To restore to the default hash algorithm, in the P2 proposal configuration mode, use the com-
mand no hash.

Specifying a Compression Algorithm

By default, the P2 proposal does not use any compression algorithm. To specify a compression
algorithm (DEFLATE) for the P2 proposal, in the P2 proposal configuration mode, use the fol-
lowing command:
compression deflate
To cancel the specified compression algorithm, in the P2 proposal configuration mode, use the
command no compression.

Configuring PFS

The PFS (Perfect Forward Secrecy) function determines how a new key is generated, not when
it is generated. PFS ensures that, whichever phase it is in, a key is used only once and the
element used to generate the key is used only once. The element is discarded after generating a
key and is never re-used to generate any other key. This ensures that even if a single key is
disclosed, the disclosure only affects the data encrypted by that key and does not threaten the
entire communication. PFS is based on the DH algorithm. To configure PFS, in the P2 proposal
configuration mode, use the following command:
group {nopfs | 1 | 2 | 5 | 14 | 15 | 16 | 18 | 19 | 20 | 21 | 24}

• nopfs – Disables PFS. This is the default option.

• 1 – Selects DH Group 1. The key length is 768 bits (MODP Group).

• 2 – Selects DH Group 2. The key length is 1024 bits (MODP Group).

• 5 – Selects DH Group 5. The key length is 1536 bits (MODP Group).

• 14 – Selects DH Group 14. The key length is 2048 bits (MODP Group).

• 15 – Selects DH Group 15. The key length is 3072 bits (MODP Group).

• 16 – Selects DH Group 16. The key length is 4096 bits (MODP Group).

• 18 – Selects DH Group 18. The key length is 8192 bits (MODP Group).

• 19 – Selects DH Group 19. The key length is 256 bits (ECP Group).

• 20 – Selects DH Group 20. The key length is 384 bits (ECP Group).

• 21 – Selects DH Group 21. The key length is 521 bits (ECP Group).

• 24 – Selects DH Group 24. The key length is 2048 bits (MODP Group with 256-bit Prime
Order Subgroup).

To restore to the default PFS configuration, in the P2 proposal configuration mode, use the com-
mand no group.

Specifying a Lifetime

The lifetime can be measured in two ways: by time length and by traffic volume. When the SA
lifetime runs out, the SA expires and a new SA negotiation is required. To specify the lifetime for
the P2 proposal, in the P2 proposal configuration mode, use the following commands:
lifetime seconds

• seconds – Specifies the lifetime of the time length type. The value range is 180 to 86400
seconds. The default value is 28800.

lifesize kilobytes

• kilobytes – Specifies the lifetime of the traffic volume type, in kilobytes. The default value is 0.

To cancel the specified lifetime, in the P2 proposal configuration mode, use the following com-
mands:
no lifetime
no lifesize
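The Python script below is an added example, not StoneOS code. It covers the P2 proposal sections above as a whole: it validates a proposal against the keyword lists, the one-to-four encryption and one-to-three hash limits, the PFS groups and the lifetime range, raises the review points a defender would want (AH and null encryption give no confidentiality, null hash without a GCM cipher gives no integrity, nopfs derives Phase 2 keys from the Phase 1 secret), and tracks when an SA expires by time or by kilobytes. The P2Proposal, IpsecSa and select_p2 names are the example's own, and the selection rule in select_p2 (first cipher and hash in the initiator's order that the responder also lists, with matching protocol and PFS group) is the usual IKE behaviour assumed here, not a statement from this guide.

```python
"""IPsec (Phase 2) proposal selection and SA lifetime accounting.

Added example, not StoneOS code. Keyword lists, list-length limits, ranges and defaults
come from the P2 proposal commands above. The selection rule in select_p2 is the usual
IKE behaviour and an assumption here, not a StoneOS statement.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

P2_ENCRYPTION = {"3des", "des", "aes", "aes-192", "aes-256", "aes-gcm-128",
                 "aes-gcm-192", "aes-gcm-256", "sm1", "sm4", "null"}
P2_HASH = {"md5", "sha", "sha256", "sha384", "sha512", "sm3", "null"}
PFS_GROUPS = {"nopfs", 1, 2, 5, 14, 15, 16, 18, 19, 20, 21, 24}
AEAD = {"aes-gcm-128", "aes-gcm-192", "aes-gcm-256"}   # GCM authenticates on its own


@dataclass
class P2Proposal:
    """One 'ipsec proposal' with the guide's defaults."""
    name: str
    protocol: str = "esp"
    encryption: List[str] = field(default_factory=lambda: ["3des"])
    hash: List[str] = field(default_factory=lambda: ["sha"])
    group: Union[str, int] = "nopfs"
    lifetime: int = 28800      # seconds, 180..86400
    lifesize: int = 0          # kilobytes, 0 = no traffic-based expiry

    def validate(self) -> List[str]:
        errors = []
        if self.protocol not in ("esp", "ah"):
            errors.append(f"protocol {self.protocol!r} must be esp or ah")
        if not 1 <= len(self.encryption) <= 4:
            errors.append("1 to 4 encryption algorithms allowed")
        if not 1 <= len(self.hash) <= 3:
            errors.append("1 to 3 hash algorithms allowed")
        errors += [f"unknown encryption {e!r}" for e in self.encryption if e not in P2_ENCRYPTION]
        errors += [f"unknown hash {h!r}" for h in self.hash if h not in P2_HASH]
        if self.group not in PFS_GROUPS:
            errors.append(f"unknown PFS group {self.group!r}")
        if not 180 <= self.lifetime <= 86400:
            errors.append(f"lifetime {self.lifetime} outside 180..86400 seconds")
        if self.lifesize < 0:
            errors.append("lifesize must be 0 or a positive number of kilobytes")
        return errors

    def review_notes(self) -> List[str]:
        """Valid configurations that give less protection than they appear to."""
        notes = []
        if self.protocol == "ah":
            notes.append("AH authenticates only: no confidentiality for tunnelled traffic")
        if "null" in self.encryption:
            notes.append("'null' in the cipher list lets the peer choose unencrypted ESP")
        if "null" in self.hash and not set(self.encryption) <= AEAD:
            notes.append("'null' hash with a non-GCM cipher leaves packets unauthenticated")
        if self.group == "nopfs":
            notes.append("no PFS: Phase 2 keys derive from the Phase 1 secret, not a fresh DH")
        return notes


def select_p2(initiator: P2Proposal, responder: P2Proposal) -> Optional[Tuple[str, str, str]]:
    """(protocol, encryption, hash) both sides accept, or None if Phase 2 would fail."""
    for p in (initiator, responder):
        if p.validate():
            raise ValueError(f"invalid proposal {p.name}: {p.validate()}")
    if initiator.protocol != responder.protocol or initiator.group != responder.group:
        return None
    enc = next((e for e in initiator.encryption if e in responder.encryption), None)
    mac = next((h for h in initiator.hash if h in responder.hash), None)
    if enc is None or mac is None:
        return None
    return initiator.protocol, enc, mac


@dataclass
class IpsecSa:
    """A negotiated Phase 2 SA; it expires by time or by kilobytes, whichever comes first."""
    proposal: P2Proposal
    created_at: float
    kilobytes: float = 0.0

    def account(self, nbytes: int) -> None:
        """Add protected traffic to the SA's byte counter."""
        self.kilobytes += nbytes / 1024

    def expiry_reason(self, now: float) -> Optional[str]:
        if now - self.created_at >= self.proposal.lifetime:
            return "lifetime"
        if self.proposal.lifesize and self.kilobytes >= self.proposal.lifesize:
            return "lifesize"
        return None


if __name__ == "__main__":
    # Constructed sample: a branch offering AES-256 first against a center that lists AES first.
    branch = P2Proposal("branch", encryption=["aes-256", "aes"], hash=["sha256", "sha"], group=14)
    center = P2Proposal("center", encryption=["aes", "aes-256"], hash=["sha"], group=14)
    print(select_p2(branch, center))          # the initiator's order wins: aes-256 with sha
    print(P2Proposal("default").review_notes())
```

A traffic-volume lifetime (lifesize) puts a bound on how much data any single key protects regardless of how long the SA lives, which is the reason to set it on high-throughput tunnels even though the guide's default of 0 disables it.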

Configuring the Smart Link

When there are multiple communication links (ethernet0/1, ethernet0/2, ethernet0/3)
between branches and the headquarters data center, you can configure Smart Link on branch fire-
walls to switch dynamically between IPSec links.
Each link has a unique ID. With the Smart Link function, the system selects links in order to
negotiate the IPSec tunnel. All links are arranged from top to bottom. To view the link order, use
the show ipsec smart-link command. In the initial state, the system selects the top link to nego-
tiate an IPSec tunnel. When the IPSec tunnel is established, the system sends detection packets
to detect link quality. If the packet loss rate or latency exceeds the specified threshold, the system
switches from the current link to the next one to establish a new IPSec tunnel.
This section introduces the following smart link configuration:

• Configuring the Smart Link Profile

• Creating a Link

• Configuring the Link Detection Parameters

• Configuring the Threshold of Link Quality Parameters

• Configuring the Threshold of Cycle Switching Times

• Enabling/Disabling Link Detection and Switch

• Activating a Link for Negotiation

• Adjusting Link Order

• Configuring Silence Period

Configuring the Smart Link Profile

To configure the smart link profile and go to the smart link profile configuration mode, use the fol-
lowing command in the global configuration mode:
ipsec smart-link profile profile-name

• profile-name – Specifies the name of the smart link profile. The value is from 1 to 31 char-
acters. If the specified name already exists, you will go to the configuration mode of this smart
link profile.

In the global configuration mode, use the following command to delete the specified smart link
profile:
no ipsec smart-link profile profile-name

Creating a Link

You can configure either an IPv4 or an IPv6 address for the link to negotiate an IPSec tunnel, but
one smart link profile supports only one IP type (either IPv4 or IPv6). A newly created link is
added to the end of the link list. Use the move link command to adjust the link sequence.
To create a link, in the smart link profile configuration mode, use the following command:
link id interface interface-name peer ip-address

• id – Specifies the ID of the link. The value range is from 1 to 30.

• interface-name – Specifies the name of the local interface of the link. This interface should be
configured with an IP address.

• ip-address – Specifies the peer IP address of the link.

To delete the specified link, in the smart link profile configuration mode, use the following com-
mand:
no link id

Configuring the Link Detection Parameters

When an IPSec tunnel is built, the system will send detection packets based on the configured
link detection parameters.
To configure the link detection parameters, in the smart link profile configuration mode, use the
following command:
link-track [source source-ip-address destination destination-ip-address] [interval interval-
value] [count count-value]

• source source-ip-address – Specifies the source IP address of the detection packets. Both
IPv4 and IPv6 addresses are supported. If this parameter is not specified, the IP address of
the IPSec tunnel's local interface is used as the source IP address of the detection packets.

• destination destination-ip-address – Specifies the destination IP address of the detection pack-
ets. Both IPv4 and IPv6 addresses are supported. If this parameter is not specified, the IP
address of the IPSec tunnel's peer interface is used as the destination IP address of the detec-
tion packets.

• interval interval-value – Specifies the interval to send detection packets. The value range is
from 1 to 5 seconds. The default value is 3 seconds.

• count count-value – Specifies the total number of detection packets sent in a detection
period. The value range is from 1 to 30. The default value is 10.

To restore to the default link detection parameters, in the smart link profile configuration mode,
use the no link-track command.

Configuring the Threshold of Link Quality Parameters

After a detection period, the system calculates the link's latency and packet loss rate, and com-
pares the value to the threshold. The system will switch the current link to the next one if either
parameter exceeds its threshold.
To configure the threshold of link quality parameters, in the smart link profile configuration
mode, use the following command:
link-track-threshold {[delay delay-value] [loss-rate loss-rate]}

• delay delay-value – Specifies the latency threshold of the link. The value range is from 100 to
3000 milliseconds. The default value is 500.

• loss-rate loss-rate – Specifies the threshold of the loss rate of the link. The value range is from
1 to 100 percent. The default value is 30.

To delete configured threshold of the link quality parameters, in the smart link profile con-
figuration mode, use the no link-track-threshold command.

Configuring the Threshold of Cycle Switching Times

When all links have been switched to in turn, this is called a switch cycle. If the number of switch
cycles exceeds the threshold, the system stops detecting and switching links and switches the
current link to the one with the best quality.
To configure the threshold of cycle switching times, in the smart link profile configuration mode,
use the following command:
link-switch-cycles cycle-value

l cycle-value - Specifies the threshold for the cycle switching times. The value range is from 0
to 5. The default value is 5. The value 0 indicates that there is no limit to the cycle switching
times.

In the smart link profile configuration mode, use the no link-switch-cycles command to restore to
the default cycle switching times.



Enabling/Disabling Link Detection and Switch

Link detection and switch is enabled by default.

To enable link detection and switch, in smart link profile configuration mode, use the following
command:
smart-link enable
To disable link detection and switch, in smart link profile configuration mode, use the following
command:
smart-link disable

Activating a Link for Negotiation

To activate the specified link for immediate IPSec tunnel negotiation, in smart link profile con-
figuration mode, use the following command:
active link id

l id - Specifies the ID of the existing link.

Adjusting Link Order

A newly created link is added to the end of the link list. To adjust the sequence of the links, in
smart link profile configuration mode, use the following command:
move link id {after | before id}

l id - Specifies the ID of the link whose sequence needs to be adjusted.

l after | before id - Specifies the ID of the link after or before which the specified link is
placed after the sequence adjustment.

Configuring Silence Period

If the number of switch cycles exceeds the threshold, the system stops detecting and switching
links for the silence period. The default silence period is 600 seconds. When the silence period
expires, the system starts to detect the quality of the active links again.



To set the silence period, in smart link profile configuration mode, use the following command:
link-switch-back-time value

l value - Specifies the silence period. The value range is from 600 to 1800 seconds. The default
value is 600.

To restore to the default silence period, use the no link-switch-back-time command.
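
The following Python script is an added example; it is not StoneOS code or part of this guide. It
simulates the smart link behaviour described above (link-track interval and count, the latency and
loss-rate thresholds, the cycle switching threshold, and the silence period) so that the interaction
of these parameters can be checked offline before a profile is deployed. The rule used to pick the
"best quality" link (lowest loss rate, then lowest latency) and the probe results are assumptions
and constructed sample data, since the guide does not define them.

```python
"""Simulation of smart link detection and switching (added example, not StoneOS code)."""
from dataclasses import dataclass
from math import inf
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass
class SmartLinkProfile:
    """Parameters with the ranges and defaults given in the guide."""
    interval: int = 3        # seconds between detection packets, 1..5
    count: int = 10          # detection packets per period, 1..30
    delay_ms: int = 500      # latency threshold in milliseconds, 100..3000
    loss_rate: int = 30      # packet-loss threshold in percent, 1..100
    switch_cycles: int = 5   # cycle switching threshold, 0..5 (0 = no limit)
    silence_sec: int = 600   # silence period in seconds, 600..1800

    def __post_init__(self) -> None:
        limits = {"interval": (1, 5), "count": (1, 30), "delay_ms": (100, 3000),
                  "loss_rate": (1, 100), "switch_cycles": (0, 5),
                  "silence_sec": (600, 1800)}
        for name, (lo, hi) in limits.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} outside {lo}..{hi}")


def measure_period(rtts_ms: List[Optional[float]]) -> Tuple[float, float]:
    """Latency (mean RTT of answered probes) and loss rate in percent for one
    detection period. None marks a probe that got no reply."""
    answered = [r for r in rtts_ms if r is not None]
    loss = 100.0 * (len(rtts_ms) - len(answered)) / len(rtts_ms)
    latency = mean(answered) if answered else inf
    return latency, loss


class SmartLink:
    """Ordered links (as arranged with 'move link') plus the switching state."""

    def __init__(self, profile: SmartLinkProfile, link_ids: List[int]) -> None:
        self.profile = profile
        self.links = list(link_ids)
        self.current = 0                          # index of the active link
        self.cycles = 0                           # completed switch cycles
        self.silent_until: Optional[float] = None # simulated clock, seconds
        # Last (latency, loss) seen per link; unmeasured links count as worst.
        self.quality: Dict[int, Tuple[float, float]] = {l: (inf, 100.0) for l in self.links}

    def active_link(self) -> int:
        return self.links[self.current]

    def end_of_period(self, now: float, rtts_ms: List[Optional[float]]) -> int:
        """Evaluate one detection period of the active link at simulated time
        `now` (seconds) and return the link that is active afterwards."""
        if self.silent_until is not None:
            if now < self.silent_until:
                return self.active_link()         # detection suspended
            self.silent_until = None              # silence over: detect again
            self.cycles = 0
        latency, loss = measure_period(rtts_ms)
        self.quality[self.active_link()] = (latency, loss)
        if latency <= self.profile.delay_ms and loss <= self.profile.loss_rate:
            return self.active_link()             # both within threshold
        # Either parameter exceeded its threshold: switch to the next link.
        self.current = (self.current + 1) % len(self.links)
        if self.current == 0:
            # Wrapped around: every link has been switched to once.
            self.cycles += 1
            if self.profile.switch_cycles and self.cycles > self.profile.switch_cycles:
                # Assumption: "best quality" = lowest loss rate, then lowest latency.
                best = min(self.links, key=lambda l: (self.quality[l][1], self.quality[l][0]))
                self.current = self.links.index(best)
                self.silent_until = now + self.profile.silence_sec
        return self.active_link()
```

With a cycle threshold of 1 and two links that both keep failing (one with 50 % loss, one with 800 ms
latency), the simulation switches twice, then settles on the low-loss link and stays there for the
600-second silence period even though its latency is still over threshold; detection resumes
only after the silence period has passed.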

Configuring a Tunnel

When configuring an IPSec tunnel through IKE, you need to configure the following options: the
protocol type, ISAKMP gateway, IKE security proposal, ID, DF-bit and anti-replay.

Creating an IKE Tunnel

To create an IKE tunnel, in the global configuration mode, use the following command:
tunnel ipsec tunnel-name auto

l tunnel-name - Specifies the name of the IKE tunnel that will be created.

After executing the above command, the CLI will enter the IKE tunnel configuration mode. All
the parameters of the IKE tunnel need to be configured in the IKE tunnel configuration mode.
To delete the specified IKE tunnel, in the global configuration mode, use the command no tunnel
ipsec tunnel-name auto.

Enabling/Disabling an IKE Tunnel

The function is enabled by default. To enable or disable an IKE tunnel, in the IKE tunnel con-
figuration mode, use the following command:

l Enable an IKE tunnel: enable

l Disable an IKE tunnel: disable



Specifying the Encapsulation Mode of IPsec Protocol

To specify the encapsulation mode of IPsec protocol for the IKE tunnel (either transport mode
or tunnel mode), in the IKE tunnel configuration mode, use the following command:
mode { transport | tunnel }

l transport – Specifies the encapsulation mode of IPsec as transport.

l tunnel – Specifies the encapsulation mode of IPsec as tunnel. This is the default mode.

To restore to the default mode, in the IKE tunnel configuration mode, use the command no
mode.

Specifying an ISAKMP Gateway

To specify an ISAKMP gateway for the IKE tunnel, in the IKE tunnel configuration mode, use
the following command:
isakmp-peer peer-name

l peer-name – Specifies the name of the ISAKMP gateway.

To cancel the specified ISAKMP gateway, in the IKE tunnel configuration mode, use the com-
mand no isakmp-peer.

Specifying a Smart Link Profile

To specify a smart link profile for the IKE tunnel, in the IKE tunnel configuration mode, use the
following command:
smart-link-profile profile-name

l profile-name - Specifies the name of the smart link profile.

To cancel the specified smart link profile, use the no smart-link-profile command.



Specifying a P2 Proposal

To specify a P2 proposal for the IKE tunnel, in the IKE tunnel configuration mode, use the fol-
lowing command:
ipsec-proposal p2-name

l p2-name – Specifies the name of the P2 proposal.

To cancel the specified P2 proposal for the IKE tunnel, in the IKE tunnel configuration mode,
use the command no ipsec-proposal.

Specifying a Phase 2 ID

Users need to specify the IKE phase 2 ID to distribute and limit IPSec VPN traffic. A phase 2 ID
consists of a local network segment, a remote network segment, and the service. During the
configuration, you need to configure phase 2 IDs on the local and remote devices. Then, the local
and remote devices negotiate to create an IKE IPSec tunnel. You can specify one or more phase 2
IDs to create one or more IKE IPSec tunnels. The system distributes and limits tunnel traffic
according to the phase 2 ID of each tunnel.
If you do not need to distribute or limit IPSec VPN traffic, you do not need to configure this
parameter. For details about how to enable the IPSec VPN traffic distribution and limitation
function, see Configuring IPsec VPN Traffic Distribution and Limitation.
To specify a Phase 2 ID for the IKE tunnel, in the IKE tunnel configuration mode, use the fol-
lowing command:
id {auto | local ip-address/mask remote ip-address/mask service service-name}

l auto – Automatically assigns the Phase 2 ID. This is the default option.

l local ip-address/mask – Specifies the IP address/mask of the local network segment in phase 2.

l remote ip-address/mask – Specifies the IP address/mask of the remote network segment (peer
device) in phase 2.

l service service-name – Specifies the service or protocol name of the traffic that can be trans-
mitted by IKE IPSec tunnels in phase 2.



You can configure up to 256 phase 2 IDs and use them to establish multiple IKE tunnels.
To restore the settings to the default ones, in the IKE tunnel configuration mode, use the com-
mand no id {auto | local ip-address/mask remote ip-address/mask service service-name}

Notes: By default, the Phase 2 IDs of the local and peer devices need to be con-
figured to match each other. If the IDs configured on the two devices do not match,
the negotiation will fail. In this case, if you enable the Accepting All Proxy ID
function on the responder's device, the negotiation succeeds. For details about how
to enable the Accepting All Proxy ID function, see Accepting All Proxy ID.

Configuring IPsec VPN Traffic Distribution and Limitation

This function is disabled by default. Before configuring it, ensure that the phase 2 ID has been
configured and the phase 2 negotiation has succeeded. After this function is enabled, the device
filters the inbound and outbound traffic of the IKE tunnel according to the phase 2 IDs and then
distributes and limits the inbound and outbound traffic. Traffic that does not match any phase 2
ID is discarded. Details are as follows:

l Distribution: Based on the configuration of Phase 2 IDs, the traffic distribution function
distributes the traffic at the IKE tunnel ingress interface when the traffic flows into the
IKE tunnel. If the source IP address, destination IP address, and type of the traffic match
the configuration of a certain Phase 2 ID, this traffic flows into the corresponding IKE
tunnel for encapsulation and sending. If the traffic does not match any Phase 2 ID, it is
dropped.

l Limitation: Based on the configuration of Phase 2 IDs, the traffic limitation function limits
the traffic at the IKE tunnel egress interface when the traffic flows out of the IKE tunnel.
After the traffic has been de-encapsulated, StoneOS checks the source IP address, destination
IP address, and type of the traffic to see whether it matches a certain Phase 2 ID. If it
matches, the traffic is processed; if not, the traffic is dropped.

To enable the traffic distribution and limitation, use the following command in the IKE tunnel
configuration mode:
check-id



Use the no form of the command to cancel this function.
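
The following Python script is an added example, not StoneOS code or part of this guide. It
models the two checks that check-id performs with the phase 2 IDs of a set of IKE tunnels:
distribution at the ingress (pick the tunnel whose local segment, remote segment and service
match the flow, otherwise drop) and limitation at the egress (after de-encapsulation, accept only
traffic that matches the tunnel's own phase 2 ID with the local and remote roles reversed). The
tunnel names, network segments and service names are constructed sample values, and the
first-match order of the IDs is an assumption.

```python
"""Phase 2 ID matching for traffic distribution and limitation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Phase2Id:
    tunnel: str          # IKE tunnel this ID was configured on
    local: IPNetwork     # id local ip-address/mask
    remote: IPNetwork    # id remote ip-address/mask
    service: str         # id service service-name ("any" = every service)


@dataclass(frozen=True)
class Flow:
    src: IPAddress
    dst: IPAddress
    service: str


def phase2_id(tunnel: str, local: str, remote: str, service: str = "any") -> Phase2Id:
    return Phase2Id(tunnel, ipaddress.ip_network(local, strict=False),
                    ipaddress.ip_network(remote, strict=False), service)


def flow(src: str, dst: str, service: str) -> Flow:
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), service)


def _service_ok(pid: Phase2Id, f: Flow) -> bool:
    return pid.service == "any" or pid.service == f.service


def distribute(ids: List[Phase2Id], f: Flow) -> Optional[str]:
    """Ingress (distribution): return the tunnel whose phase 2 ID matches the
    flow's source, destination and service, or None when the flow is dropped.
    Assumption: IDs are tried in configuration order and the first match wins."""
    for pid in ids:
        if f.src in pid.local and f.dst in pid.remote and _service_ok(pid, f):
            return pid.tunnel
    return None


def limit(ids: List[Phase2Id], tunnel: str, f: Flow) -> bool:
    """Egress (limitation): after de-encapsulation, traffic that arrived through
    `tunnel` is accepted only if it matches one of that tunnel's phase 2 IDs with
    the roles reversed (source on the remote segment, destination on the local one)."""
    for pid in ids:
        if pid.tunnel != tunnel:
            continue
        if f.src in pid.remote and f.dst in pid.local and _service_ok(pid, f):
            return True
    return False


# Constructed sample configuration: two IKE tunnels with one phase 2 ID each.
SAMPLE_IDS = [
    phase2_id("vpn1", "10.1.0.0/24", "10.2.0.0/24"),
    phase2_id("vpn2", "10.1.0.0/24", "10.3.0.0/24", service="http"),
]
```

Running the sample shows why the note above matters: a flow whose service does not match the
ID (SSH towards the segment that only carries HTTP) or whose source lies outside every local
segment is dropped rather than sent through some tunnel, and on the return path a packet that
was decapsulated from vpn1 but carries a source address from vpn2's remote segment is dropped
as well.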

Accepting All Proxy ID

This function needs to be configured on the responder device of IKE tunnel negotiation. After it
is enabled, the responder device accepts the Phase 2 ID configured by the peer (the negotiation
initiator) and sets its own phase 2 ID according to the peer. In this way, the two ends of the IKE
tunnel can negotiate successfully. This function is often used in scenarios where the responder
device cannot know or is not interested in the initiator's Phase 2 ID. To enable the accepting
all proxy ID function, in the IKE tunnel configuration mode, use the following command:
accept-all-proxy-id
To disable the function, in the IKE tunnel configuration mode, use the following command:
no accept-all-proxy-id

Notes: When multiple Phase 2 IDs are configured on the responder device (that is,
multiple IKE tunnels are configured), you need to disable this function. Otherwise,
only one tunnel can be negotiated.

Configuring Auto-connection

The device can be triggered to establish an SA in two modes: auto and traffic-triggered.

l In the auto mode, the device detects the SA status every 60 seconds and initiates a negotiation
request when the SA is not established;

l In the traffic-triggered mode, the tunnel sends negotiation requests only when there is traffic
passing through the tunnel.

By default, the traffic-triggered mode is used. To use the auto mode, in the IKE tunnel
configuration mode, use the following command:
auto-connect
To restore to the default mode, in the IKE tunnel configuration mode, use the command
no auto-connect.



Notes: Auto connection works only when the peer IP is static and the local device
is acting as the initiator.

Configuring DF-bit

You can specify whether to allow the forwarding device to fragment the packets. To configure
DF-bit for the IKE tunnel, in the IKE tunnel configuration mode, use the following command:
df-bit {copy | clear | set}

l copy – Copies the IP packet DF options from the sender directly. This is the default value.

l clear – Allows the device to fragment packets.

l set – Does not allow the device to fragment packets.

To restore to the default value, in the IKE tunnel configuration mode, use the command no df-
bit.

Configuring Anti-replay

Anti-replay prevents an attacker from attacking the device by re-sending captured packets: the
receiver rejects obsolete or repeated packets. By default, this function is disabled. To
configure anti-replay for the IKE IPsec tunnel, in the IKE IPsec tunnel configuration mode, use
the following command:
anti-replay {32 | 64 | 128 | 256 | 512}

l 32 – Specifies the anti-replay window as 32.

l 64 – Specifies the anti-replay window as 64.

l 128 – Specifies the anti-replay window as 128.

l 256 – Specifies the anti-replay window as 256.

l 512 – Specifies the anti-replay window as 512.



When the network condition is poor, for example, under the condition of serious packet disorder,
choose a larger window.
To disable the function, in the IKE IPsec tunnel configuration mode, use the command no anti-
replay.
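
The following Python script is an added example, not StoneOS code or part of this guide. It
implements the sliding-window check that an anti-replay setting enables (the RFC 4303 style
window used by ESP receivers) with the window sizes accepted by the command, so that the
advice above can be checked concretely: the same packet arrival order is accepted or rejected
differently depending on the window size. The arrival order is constructed sample data.

```python
"""ESP-style anti-replay sliding window (added example, not StoneOS code)."""
from typing import List

WINDOW_SIZES = (32, 64, 128, 256, 512)   # values accepted by the anti-replay command


class AntiReplayWindow:
    def __init__(self, size: int = 64) -> None:
        if size not in WINDOW_SIZES:
            raise ValueError(f"window size must be one of {WINDOW_SIZES}")
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) was seen

    def accept(self, seq: int) -> bool:
        """Return True and record `seq` if the packet is new and inside the
        window; False if it is a replay or older than the window can track."""
        if seq <= 0:
            return False                    # ESP sequence numbers start at 1
        if seq > self.top:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq             # distance below the right edge
        if offset >= self.size:
            return False                    # left of the window: too old
        if (self.bitmap >> offset) & 1:
            return False                    # already seen: replay
        self.bitmap |= 1 << offset
        return True


def replay_outcomes(size: int, seqs: List[int]) -> List[bool]:
    """Run a sequence of ESP sequence numbers through one window of `size`."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]


# Constructed arrival order: in-order start, a duplicate of 2, a jump to 40,
# then the late packets 5, 8 and 9 with a duplicate of 40 in between.
SAMPLE_SEQS = [1, 2, 3, 2, 40, 5, 8, 40, 9]
```

With a 32-packet window the late packets 5 and 8 fall left of the window after packet 40 has
been accepted and are discarded as too old, while a 64-packet window still accepts them; the
duplicates of 2 and 40 are rejected as replays by both sizes. This is the trade-off behind the
advice to choose a larger window when packets arrive badly out of order.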

Configuring VPN Track and Redundant Backup

Hillstone devices can monitor the connectivity status of the specified VPN tunnel, and also allow
backup or load sharing between two or more VPN tunnels. This function is applicable to both the
route-based VPN and policy-based VPN. The practical implementation environments include:

l Configuring a backup VPN tunnel for the remote peer. At any time only one tunnel is active.
Initially, the main VPN tunnel is active; if disconnection of the main tunnel is detected, the
device re-transmits the traffic through the backup tunnel.

l Configuring two or more VPN tunnels for the remote peer. All tunnels are active
simultaneously and load-balance the traffic via equal-cost multi-path routing (ECMP). If
disconnection of any tunnel is detected, the device re-transmits the traffic through the
other tunnels.

The VPN track function tracks the status of the target tunnel by Ping packets. By default, the
function is disabled. To configure the VPN track function, in IKE IPsec tunnel configuration
mode, use the following command:
vpn-track [A.B.C.D] [src-ip A.B.C.D] [interval time-value] [threshold value]

l A.B.C.D – Specifies the IP address of the tracked object. When the peer is a Hillstone
device and the parameter is not specified, the system uses the IP address of the peer by
default. This IP address cannot be 0.0.0.0 or 255.255.255.255.

l src-ip A.B.C.D – Specifies the source IP address that sends Ping packets. When the peer
device is a Hillstone device and the parameter is not specified, the system will use the IP
address of egress interface by default. This IP address cannot be 0.0.0.0 or 255.255.255.255.

l interval time-value – Specifies the interval of sending Ping packets. The value range is 1 to
255 seconds. The default value is 10.



l threshold value – Specifies the threshold for determining the track failure. If the system did
not receive the specified number of continuous response packets, it will identify a track fail-
ure, i.e., the target tunnel is disconnected. The value range is 1 to 255. The default value is
10.

To disable the VPN track function, in IKE IPsec tunnel configuration mode, use the command
no vpn-track.
The VPN track function can be in active or dead status. To view the VPN track status and con-
figuration information via CLI, use the following commands:

l Show the status of VPN track: show ipsec sa {id}

l Show the configuration of VPN track: show tunnel ipsec {manual | auto} {tunnel-name}

For example:



Show the status of VPN track
hostname(config)# show ipsec sa 5

ID: 1
scpu: 0
VPN Name: vpn1

L2tp port: 1

Duration(S): 1375459
Last setup time: 2022-03-08 22:09:53
Last teardown time: 2022-03-09 06:09:54
Tear down reason: a lifetime timeout occurred
Teardowns today: 0
Outbound

Gateway: 1.1.1.2

......

Sending rate(KB/s): 0
Status: Active

Inbound

Gateway: 1.1.1.2

......

Receiving rate(KB/s): 0
Status: Active
VPN track status: alive

Show the configuration of VPN track


hostname(config)# show tunnel ipsec auto vpn1

Name: vpn1

mode: tunnel

......

vpn-track: enable

tracknotify: enable
vpntrack destination 1.1.1.1

vpntrack source ip: 2.2.2.2


Tip: For more examples of VPN track and redundant backup, see Example of
Configuring Route-based VPN Track and Redundant Backup.
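
The following Python script is an added example, not StoneOS code or part of this guide. It
models the VPN track parameters described above (the Ping interval and the failure threshold),
the alive/dead track status, and the tunnel-state notification hook, so that the time a tunnel
outage takes to be detected can be reasoned about. It assumes that the threshold counts
consecutive unanswered Ping packets and that the next answered Ping returns the track to the
alive status; the guide does not spell out either, and the probe results are constructed sample
data.

```python
"""VPN track failure detection with state notification (added example)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class VpnTrack:
    interval: int = 10         # seconds between Ping packets, 1..255
    threshold: int = 10        # consecutive unanswered Pings that mean failure, 1..255
    notify: bool = False       # tunnel-state-notify (disabled by default)
    status: str = "alive"
    missed: int = 0
    notifications: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name in ("interval", "threshold"):
            if not 1 <= getattr(self, name) <= 255:
                raise ValueError(f"{name} must be 1..255")

    def worst_case_detection_seconds(self) -> int:
        """Time from the last reply until a track failure is declared."""
        return self.interval * self.threshold

    def observe(self, replied: bool) -> str:
        """Record one Ping result and return the track status afterwards."""
        if replied:
            self.missed = 0
            new_status = "alive"   # assumption: a reply restores the tunnel
        else:
            self.missed += 1
            new_status = "dead" if self.missed >= self.threshold else self.status
        if new_status != self.status:
            self.status = new_status
            if self.notify:
                # With tunnel-state-notify enabled, the routing module (route-based
                # VPN) or the policy module (policy-based VPN) would update the
                # tunnel route or tunnel policy here.
                self.notifications.append(new_status)
        return self.status


def run_probes(track: VpnTrack, results: List[bool]) -> List[str]:
    """Feed a constructed list of Ping outcomes (True = reply received)."""
    return [track.observe(r) for r in results]
```

With interval 10 and threshold 3, two missed Pings followed by a reply leave the track alive,
three consecutive misses mark it dead 30 seconds after the last reply, and the routing or policy
module is notified only when the status actually changes (and only if tunnel-state-notify is on).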

Enabling/Disabling Notification of VPN Tunnel Status

By default, the notification of VPN tunnel status is disabled. When the notification is enabled, for
a route-based VPN, when the system detects disconnection of a VPN tunnel, it informs the routing
module about the disconnected VPN tunnel and updates the tunnel route information; for a
policy-based VPN, when the system detects disconnection of a VPN tunnel, it informs the policy
module about the disconnected VPN tunnel and updates the tunnel policy information. When the
function is disabled, the system does not send any tunnel track failure notification. To enable or
disable the tunnel state notification function, in the IKE IPsec tunnel configuration mode, use the
following command:

l Enable: tunnel-state-notify

l Disable: no tunnel-state-notify

Setting a Commit Bit

You can set a commit bit to avoid packet loss and time difference. However, the commit bit may
slow down the responding speed. To set a commit bit, in the IKE IPsec tunnel configuration
mode, use the following command:
l Responder sets a commit bit: responder-set-commit

l Responder does not set a commit bit: no responder-set-commit

Specifying Description

To specify the description of IKE tunnel, in the IKE IPsec tunnel configuration mode, use the
following command:
description string



l string – Specifies the description of the IKE tunnel.

To delete the description, in the IKE IPsec tunnel configuration mode, use the command no
description.

IKEv2 VPN

The configurations of IKEv2 VPN include:

l Configuring a P1 proposal

l Configuring an IKEv2 peer

l Configuring a P2 proposal

l Configuring a tunnel

Configuring a P1 Proposal

P1 proposal is the IKEv2 security proposal that stores the security parameters used during the
IKE_SA_INIT exchange, including the encryption algorithm, hash algorithm, PRF (pseudo-random
function) algorithm, and DH algorithm. A complete IKEv2 security proposal includes at least one
set of parameters: an encryption algorithm, an authentication method, a PRF algorithm, and a
DH group.

Creating a P1 Proposal

To create a P1 proposal, i.e., an IKEv2 security proposal, in the global configuration mode, use
the following command:
ikev2 proposal p1-name

l p1-name – Specifies the name of the P1 proposal that will be created. After executing the
command, the CLI will enter the P1 proposal configuration mode. You can configure para-
meters for P1 proposal in this mode.



To delete the specified P1 proposal, in the global configuration mode, use the command no ikev2
proposal p1-name.

Specifying a Hash Algorithm

StoneOS supports the following hash algorithms: MD5, SHA-1, and SHA-2. SHA-2 includes
SHA-256, SHA-384, and SHA-512. You can specify up to four hash algorithms. To specify the
hash algorithm, in the P1 proposal configuration mode, use the following command:
hash {md5 | sha | sha256 | sha384 | sha512}

l md5 – Uses the MD5 hash algorithm. The digest length is 128 bits.

l sha – Uses the SHA-1 hash algorithm. The digest length is 160 bits. This is the default hash
algorithm.

l sha256 – Uses the SHA-256 hash algorithm. The digest length is 256 bits.

l sha384 – Uses the SHA-384 hash algorithm. The digest length is 384 bits.

l sha512 – Uses the SHA-512 hash algorithm. The digest length is 512 bits.

To restore to the default hash algorithm, in the P1 proposal configuration mode, use the com-
mand no hash.

Specifying a PRF Algorithm

StoneOS supports the following PRF algorithms: MD5, SHA-1, and SHA-2. SHA-2 includes
SHA-256, SHA-384, and SHA-512. You can specify up to four PRF algorithms. To specify the
PRF algorithm, in the P1 proposal configuration mode, use the following command:
prf {md5 | sha | sha256 | sha384 | sha512}

l md5 – Uses the MD5 algorithm. The digest length is 128 bits.

l sha – Uses the SHA-1 algorithm. The digest length is 160 bits. This is the default PRF
algorithm.

l sha256 – Uses the SHA-256 algorithm. The digest length is 256 bits.



l sha384 – Uses the SHA-384 algorithm. The digest length is 384 bits.

l sha512 – Uses the SHA-512 algorithm. The digest length is 512 bits.

To restore to the default algorithm, in the P1 proposal configuration mode, use the command no
prf.

Specifying an Encryption Algorithm

StoneOS provides the following five encryption algorithms: 3DES, DES, 128-bit AES, 192-bit
AES and 256-bit AES. You can specify up to four algorithms. To specify the encryption algorithm
of IKEv2 security proposal, in the P1 proposal configuration mode, use the following command:
encryption {3des | des | aes | aes-192 | aes-256}

l 3des – Uses the 3DES encryption. The key length is 192 bits. This is the default algorithm
for StoneOS.

l des – Uses the DES encryption. The key length is 64 bits.

l aes – Uses the AES encryption. The key length is 128 bits.

l aes-192 – Uses the 192-bit AES encryption. The key length is 192 bits.

l aes-256 – Uses the 256-bit AES encryption. The key length is 256 bits.

To restore to the default encryption algorithm, in the P1 proposal configuration mode, use the
command no encryption.

Selecting a DH Group

Diffie-Hellman (DH) is designed to establish a shared secret key. DH group determines the
length of the element generating keys for DH exchange. The strength of keys is partially decided
by the robustness of the DH group. To select a DH group, in the P1 proposal configuration
mode, use the following command:
group {1 | 2 | 5 | 14 | 15 | 16}



l 1 – Selects DH Group1. The key length is 768 bits.

l 2 – Selects DH Group2. The key length is 1024 bits. This is the default value.

l 5 – Selects DH Group5. The key length is 1536 bits.

l 14 – Selects DH Group14. The key length is 2048 bits.

l 15 – Selects DH Group15. The key length is 3072 bits.

l 16 – Selects DH Group16. The key length is 4096 bits.

To restore the DH group to the default, in the P1 proposal configuration mode, use the command
no group.

Specifying the Lifetime of SA

The lifetime of the IKEv2 SA does not need negotiation; it is determined by each side's own
setting. The side with the shorter lifetime re-negotiates first, which avoids both sides starting the
negotiation at the same time. To specify the lifetime of the IKEv2 SA for the local side, in the P1
proposal configuration mode, use the following command:
lifetime time-value

l time-value – Specifies the lifetime of IKEv2 SA. The value range is 180 to 86400 seconds.
The default value is 28800.

To restore to the default lifetime, in the P1 proposal configuration mode, use the command no
lifetime.

Configuring an IKEv2 Peer

After creating an IKEv2 peer, you can configure the IKE negotiation mode, IP address of the
IKEv2 peer, IKE security proposal, local ID, etc.

Creating an IKEv2 Peer

To create an IKEv2 peer, in the global configuration mode, use the following command:
ikev2 peer peer-name



l peer-name – Specifies the name of the IKE peer.

After executing the command, the CLI will enter the IKEv2 peer configuration mode. You can
configure parameters for the IKEv2 peer in this mode.
To delete the specified IKEv2 peer, in the global configuration mode, use the command no ikev2
peer peer-name.

Binding an Interface to the IKE Peer

To bind an interface to the IKEv2 peer, in the IKEv2 peer configuration mode, use the following
command:
interface interface-name

l interface-name – Specifies the name of the binding interface.

To cancel the binding, in the IKEv2 peer configuration mode, use the command no interface.

Specifying the Remote IP Address

You can specify the remote IP address for the IKEv2 peer. To specify the remote IP address, in
the IKEv2 peer configuration mode, use the following command:
match-peer ip-address

l ip-address - Specifies the remote IP address.

To cancel the IP address setting, in the IKEv2 peer configuration mode, use the command no
match-peer.

Specifying an Authentication Method

StoneOS supports the pre-shared key authentication and this is the default authentication method.
To specify the authentication method as pre-shared key, use the following command:
auth psk



Specifying a P1 Proposal

To specify the P1 proposal for the IKEv2 peer, in IKEv2 peer configuration mode, use the fol-
lowing command:
ikev2-proposal p1-name

l p1-name – Specifies the name of the P1 proposal.

To cancel the specified P1 proposal, in IKEv2 peer configuration mode, use the command no
ikev2-proposal p1-name.

Configuring a Local ID

To configure the local ID, in the IKEv2 peer configuration mode, use the following command:
local-id {fqdn string | key-id string | ip ip-address}

l fqdn string – Specifies the ID type of FQDN. string is the specific content of the ID.

l key-id string - Specifies the ID type of Key ID. string is the specific content of the ID.

l ip ip-address - Specifies the ID type of IP address. ip-address is the specific content of the
ID.

To cancel the specified local ID, in the IKEv2 peer configuration mode, use the command no
local-id.

Specifying a Connection Type

The created IKEv2 peer can be an initiator, responder, or both the initiator and responder. To spe-
cify the connection type, in the IKEv2 peer configuration mode, use the following command:
connection-type {bidirectional | initiator-only | responder-only}

l bidirectional – Specifies the IKEv2 peer as both the initiator and responder. This is the
default option.



l initiator-only – Specifies the IKEv2 peer as the initiator only.

l responder-only – Specifies the IKEv2 peer as the responder only.

To restore to the default connection type, in the IKEv2 peer configuration mode, use the com-
mand no connection-type.

Configuring Auto Routing

For IKEv2 VPN, when auto routing is enabled, once an IPSec SA is created, a route entry whose
destination is the destination segment of the secured data traffic and whose next hop is the
tunnel interface is added to the routing table automatically. When an IPSec SA is deleted, the
corresponding route entry is deleted from the routing table.
By default, the auto routing function is disabled. To enable the function, in the IKEv2 peer con-
figuration mode, use the following command:
generate-route

Use the command no generate-route to disable the auto routing function.

Creating a IKEv2 Profile

An IKEv2 profile stores the IKEv2 SA parameters that do not require negotiation, for
example, the peer identity, the pre-shared key, and the information of the secured data traffic. You
need to configure an IKEv2 profile at both the responder side and the initiator side. To create an
IKEv2 profile, in the IKEv2 peer configuration mode, use the following command:
ikev2-profile profile-name

l profile-name – Specifies the name of the IKEv2 profile.

After executing this command, the CLI will enter the IKEv2 profile configuration mode. You can
configure the IKEv2 SA parameters that do not require negotiation in this mode.
In the IKEv2 peer configuration mode, use the no ikev2-profile profile-name command to delete
the specified profile.



Configuring a Remote ID

To configure the remote ID, in the IKEv2 profile configuration mode, use the following com-
mand:
remote id {fqdn string | key-id string | ip ip-address}

l fqdn string – Specifies the ID type of FQDN. string is the specific content of the ID.

l key-id string - Specifies the ID type of Key ID. string is the specific content of the ID.

l ip ip-address - Specifies the ID type of IP address. ip-address is the specific content of the
ID.

To cancel the specified remote ID, in the IKEv2 profile configuration mode, use the command
no remote id.

Configuring a Pre-shared Key

If the pre-shared key authentication method is used, you need to specify a pre-shared key. To spe-
cify the pre-shared key, in the IKEv2 profile configuration mode, use the following command:
remote key key-value

l key-value – Specifies the content of the pre-shared key.

To cancel the specified pre-shared key, in the IKEv2 profile configuration mode, use the com-
mand no remote key.

Configuring the Secured Data Traffic

One or more traffic flows carried in the IPSec tunnel can be secured by IKEv2. In some
situations, the source and destination addresses of the data traffic encrypted by the IPSec tunnel
may be in different segments. Therefore, you can use the following command to configure one or
more secured data traffic entries in the IKEv2 profile. At present, at most 16 secured data traffic
entries can be configured in an IKEv2 profile.
To create the secured data traffic, in the IKEv2 profile configuration mode, use the following
command:



traffic-selector traffic-selector-name

l traffic-selector-name – Specifies the name of the secured data traffic.

When the command is executed, the CLI enters the secured data traffic configuration mode, in
which you can configure the parameters of the secured data traffic, such as the local address and
the remote address.
Use the command no traffic-selector traffic-selector-name to delete the configured secured data
traffic.

Configuring the Local Address

To configure the local address of the secured data traffic, in the secured data traffic configuration
mode, use the following command:
local A.B.C.D/Mask

l A.B.C.D/Mask – Specifies the local address and mask of the secured data traffic.

Use the command no local A.B.C.D/Mask to cancel the configuration.

Configuring the Remote Address

To configure the remote address of the secured data traffic, in the secured data traffic
configuration mode, use the following command:
remote A.B.C.D/Mask

l A.B.C.D/Mask – Specifies the remote address and mask of the secured data traffic.

Use the command no remote A.B.C.D/Mask to cancel the configuration.

Configuring a P2 Proposal

P2 proposal is the IPSec security proposal that stores the security parameters used by IPSec,
including the security protocol, encryption algorithm, and hash algorithm. The configurations
of P2 proposal include the protocol type, encryption algorithm, hash algorithm, and lifetime.
To create a P2 proposal, i.e., an IPSec security proposal, in the global configuration mode, use the
following command:
ikev2 ipsec-proposal p2-name



l p2-name – Specifies the name of the P2 proposal that will be created. After executing the
command, the CLI will enter the P2 proposal configuration mode. You can configure para-
meters for P2 proposal in this mode.

To delete the specified P2 proposal, in the global configuration mode, use the command no ikev2
ipsec-proposal p2-name.

Specifying a Protocol Type

The protocol type available to P2 proposal is ESP. To specify a protocol type for P2 proposal, in
the P2 proposal configuration mode, use the following command:
protocol esp

l esp – Uses ESP. This is the default protocol type.

Specifying a Hash Algorithm

You can specify 1 to 4 hash algorithms for P2 proposal. To specify the hash algorithm for P2 pro-
posal, in the P2 proposal configuration mode, use the following command:
hash {md5 | sha | sha256 | sha384 | sha512}

l md5 – Uses the MD5 hash algorithm. The digest length is 128 bits.

l sha – Uses the SHA-1 hash algorithm. The digest length is 160 bits. This is the default hash
algorithm.

l sha256 – Uses the SHA-256 hash algorithm. The digest length is 256 bits.

l sha384 – Uses the SHA-384 hash algorithm. The digest length is 384 bits.

l sha512 – Uses the SHA-512 hash algorithm. The digest length is 512 bits.

To restore to the default hash algorithm, in the P2 proposal configuration mode, use the com-
mand no hash.



Specifying an Encryption Algorithm

You can specify 1 to 4 encryption algorithms for P2 proposal. To specify the encryption algorithm
for P2 proposal, in the P2 proposal configuration mode, use the following command:
encryption {3des | des | aes | aes-192 | aes-256}

l 3des – Uses the 3DES encryption. The key length is 192 bits. This is the default algorithm for
StoneOS.

l des – Uses the DES encryption. The key length is 64 bits.

l aes – Uses the AES encryption. The key length is 128 bits.

l aes-192 – Uses the 192-bit AES encryption. The key length is 192 bits.

l aes-256 – Uses the 256-bit AES encryption. The key length is 256 bits.

To restore to the default encryption algorithm, in the P2 proposal configuration mode, use the
command no encryption.

Configuring PFS

The PFS (Perfect Forward Secrecy) function determines how a new key is generated rather than
when it is generated. PFS ensures that, whatever phase the negotiation is in, a key is used only
once and the element used to generate the key is used only once. The element is discarded after a
key has been generated from it and is never re-used to generate any other key. This assures that
even if a single key is disclosed, the disclosure affects only the data encrypted by that key and
does not threaten the entire communication. PFS is based on the DH algorithm. To configure PFS,
in the P2 proposal configuration mode, use the following command:
group {nopfs | 1 | 2 | 5 | 14 | 15 | 16}

l nopfs – Disables PFS. This is the default option.

l 1 – Selects DH Group1. The key length is 768 bits.

l 2 – Selects DH Group2. The key length is 1024 bits.This is the default value.

1240 Chapter 9 VPN


l 5 – Selects DH Group5. The key length is 1536 bits.

l 14 – Selects DH Group14. The key length is 2048 bits.

l 15 – Selects DH Group15. The key length is 3072 bits.

l 16 – Selects DH Group16. The key length is 4096 bits.

To restore to the default PFS configuration, in the P2 proposal configuration mode, use the com-
mand no group.

Specifying a Lifetime

The lifetime of an IPsec SA can be limited by elapsed time or by the volume of traffic it protects.
When the lifetime runs out, the SA expires and a new SA negotiation is required. When both limits
are configured, the SA expires when either limit is reached first. To specify the lifetime for the
P2 proposal, in the P2 proposal configuration mode, use the following commands:
lifetime seconds

l seconds – Specifies the lifetime by time length. The value range is 180 to 86400 seconds.
The default value is 28800.

lifesize kilobytes

l kilobytes – Specifies the lifetime by traffic volume. The value range is 1800 to 4194303
KB. The default value is 1800.

To cancel the specified lifetime, in the P2 proposal configuration mode, use the command
no lifetime.
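The four parameters above (hash, encryption, PFS group and lifetime) are what a reviewer checks first in a P2 proposal. The following Python script is an added example, not part of this guide or of StoneOS: it parses proposal blocks in the `ipsec proposal ... exit` layout used by the examples later in this chapter, applies the defaults stated above when a line is missing, and flags the weak choices. The sample configuration inside it is constructed, and the function and constant names are the example's own.

```python
"""Audit StoneOS-style P2 (ipsec) proposal blocks for weak settings.

Added example for this guide, not Hillstone code. It reads text in the
'ipsec proposal ... exit' layout used by the examples in this chapter,
applies the defaults stated above (hash sha, encryption 3des, PFS off) when
a line is absent, and flags algorithm choices a reviewer would reject. The
sample configuration is constructed for illustration.
"""
import re

WEAK_HASH = {"md5", "sha"}        # 'sha' is SHA-1 on this platform
WEAK_ENC = {"des", "3des"}
WEAK_GROUP = {"1", "2", "5"}      # 768/1024/1536-bit MODP groups

# Defaults from the option descriptions above, applied when a line is absent.
DEFAULTS = {"hash": ["sha"], "encryption": ["3des"], "group": "nopfs"}

# Constructed sample: one legacy proposal, one hardened one, one relying on defaults.
SAMPLE_CONFIG = """\
ipsec proposal p2-legacy
 protocol esp
 hash sha
 encryption 3des
 compression deflate
exit
ipsec proposal p2-strong
 protocol esp
 hash sha256 sha384
 encryption aes-256
 group 14
 lifetime 3600
exit
ipsec proposal p2-defaults
 protocol esp
exit
"""


def parse_proposals(text):
    """Return {proposal_name: {"hash": [...], "encryption": [...], "group": str}}.

    Keys that were not configured stay None so audit() can apply the defaults.
    """
    proposals, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"ipsec proposal (\S+)$", line)
        if m:
            current = {"hash": None, "encryption": None, "group": None}
            proposals[m.group(1)] = current
            continue
        if line == "exit":
            current = None
            continue
        if current is None:
            continue
        key, _, rest = line.partition(" ")
        if key in ("hash", "encryption"):
            current[key] = rest.split()      # up to four algorithms may be listed
        elif key == "group":
            current[key] = rest.strip()
    return proposals


def audit(settings):
    """Return the findings for one proposal (an empty list means nothing flagged)."""
    findings = []
    # A weak algorithm listed beside a strong one can still be negotiated by the
    # peer, so every listed algorithm is checked, not just the first.
    for h in settings["hash"] or DEFAULTS["hash"]:
        if h in WEAK_HASH:
            findings.append(f"weak hash {h}")
    for e in settings["encryption"] or DEFAULTS["encryption"]:
        if e in WEAK_ENC:
            findings.append(f"weak encryption {e}")
    group = settings["group"] or DEFAULTS["group"]
    if group == "nopfs":
        findings.append("PFS disabled")
    elif group in WEAK_GROUP:
        findings.append(f"weak DH group {group}")
    return findings


def audit_config(text):
    """Audit every proposal in a configuration dump."""
    return {name: audit(s) for name, s in parse_proposals(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Feed it the output of show ipsec proposal (or the relevant part of a saved configuration) to get one line of findings per proposal; a proposal that configures none of the three settings is reported exactly like the legacy one, because the platform defaults are SHA-1, 3DES and no PFS.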

Configuring a Tunnel

When configuring an IPSec tunnel through IKEv2, you need to configure the following options:
the operation mode, IKEv2 peer, IKEv2 security proposal, and auto-connection.

Creating an IKEv2 Tunnel

To create an IKEv2 tunnel, in the global configuration mode, use the following command:
tunnel ipsec tunnel-name ikev2

l tunnel-name - Specifies the name of the IKEv2 tunnel that will be created.

After executing the above command, the CLI enters the IKEv2 tunnel configuration mode.
All the parameters of the IKEv2 tunnel need to be configured in the IKEv2 tunnel configuration
mode.
To delete the specified IKEv2 tunnel, in the global configuration mode, use the command
no tunnel ipsec tunnel-name ikev2.

Specifying the Operation Mode

The system supports the transport operation mode for the IPsec protocol. This is the default mode.

Specifying an IKEv2 Peer

To specify an IKEv2 peer for the IKEv2 tunnel, in the IKEv2 tunnel configuration mode, use
the following command:
ikev2-peer peer-name

l peer-name – Specifies the name of the IKEv2 peer.

To cancel the specified IKEv2 peer, in the IKEv2 tunnel configuration mode, use the command
no ikev2-peer.

Specifying a P2 Proposal

To specify a P2 proposal for the IKEv2 tunnel, in the IKEv2 tunnel configuration mode, use the
following command:
ipsec-proposal p2-name1 [ p2-name2 ] [ p2-name3 ]

l p2-name – Specifies the name of the P2 proposal. You can specify up to 3 P2 proposals.

To cancel the specified P2 proposal for the IKEv2 tunnel, in the IKEv2 tunnel configuration
mode, use the command no ipsec-proposal.



Configuring Auto-connection

The device supports SA establishment in auto-connection mode. In auto mode, the device checks
the SA status every 60 seconds and initiates a negotiation request when the SA is not established.
To use auto mode, in the IKEv2 tunnel configuration mode, use the following command:
auto-connect
To restore the default mode, in the IKEv2 tunnel configuration mode, use the command no
auto-connect.

Notes: Auto connection works only when the local device is acting as the initiator.

XAUTH

XAUTH, an extension to IKE, allows the device to authenticate users who are trying to access the
IPsec VPN network against an authentication server (a RADIUS server or the local AAA server) con-
figured on the device. XAUTH is widely used on mobile devices. It applies to IKEv1 (ISAKMP)
peers; the XAUTH server is enabled in the ISAKMP configuration mode, as described below.
When a remote user initiates a VPN connection request, the XAUTH server on the device interrupts
the VPN negotiation and prompts the user for a valid username and password. If authentication
succeeds, the XAUTH server continues the VPN negotiation and assigns an IP address to the
authenticated client; otherwise it drops the VPN connection.
If an XAUTH address pool is configured, when a client authenticates successfully the server con-
tinues the VPN negotiation, takes an IP address from the address pool and assigns it to the client.
If no XAUTH address pool is configured, the device can, once the auto routing function is enabled,
generate VPN route entries automatically from the Phase 2 ID configured on the IKE IPsec tunnel.
For more information about auto routing, see "VPN > IPsec Protocol > Configuring an IPsec VPN >
IKEv1 VPN > Configuring a Tunnel > Configuring Auto Routing". For more information about the
Phase 2 ID, see "VPN > IPsec Protocol > Configuring an IPsec VPN > IKEv1 VPN > Configuring a
Tunnel > Specifying a Phase 2 ID".



Tip: For more information about how to configure an authentication server, see
"Authentication".

The configuration of XAUTH includes:

l Enabling an XAUTH server

l Configuring an XAUTH address pool

l Binding an address pool to the XAUTH server

l Configuring an IP binding rule

l Configuring a WINS/DNS server

Enabling an XAUTH Server

XAUTH server is disabled by default. To enable the XAUTH server, in the ISAKMP con-
figuration mode, use the following command:
xauth server

To disable the XAUTH server, in the ISAKMP configuration mode, use the following command:
no xauth server

Configuring an XAUTH Address Pool

This parameter is optional. The XAUTH address pool stores the IP addresses that can be allocated
to clients. When a client connects to the server, the server takes an IP address from the address
pool and assigns it to the client, together with the client attributes configured on the pool
(such as the DNS server and WINS server addresses).
To configure an XAUTH address pool, in the global configuration mode, use the following com-
mand:
xauth pool pool-name



l pool-name - Specifies a name for the address pool and enters the XAUTH address pool
configuration mode; if a pool with this name already exists, you enter its configuration mode
directly.

To delete the specified XAUTH address pool, in the global configuration mode, use the following
command:
no xauth pool pool-name
This parameter is optional. To configure the allocatable IP range of an XAUTH address pool, in
the XAUTH address pool configuration mode, use the following command:
address start-ip end-ip netmask mask

l start-ip - Specifies the start IP address.

l end-ip - Specifies the end IP address.

l mask - Specifies the network mask for this IP address range.

To delete the specified IP range of an address pool, in the XAUTH address pool configuration
mode, use the following command:
no address
This parameter is optional. Some addresses in the address pool may need to be reserved for other
devices; reserved IP addresses are never allocated to XAUTH clients.
To configure the start IP and end IP of reserved IP range, in the XAUTH address pool con-
figuration mode, use the following command:
exclude-address start-ip end-ip

l start-ip - Specifies the start IP for reserved IP range.

l end-ip - Specifies the end IP for reserved IP range.

To delete the reserved address range, in the XAUTH address pool configuration mode, use the fol-
lowing command:
no exclude-address



Binding an Address Pool to the XAUTH Server

This parameter is optional. The XAUTH address pool will not take effect until being bound to an
XAUTH server. To bind the specified XAUTH address pool to the XAUTH server, in the
ISAKMP configuration mode, use the following command:
xauth pool-name pool-name

l pool-name - Specifies the name of the address pool to bind.

To cancel the binding, in the ISAKMP configuration mode, use the following command:
no xauth pool-name

Configuring IP Binding Rules

This parameter is optional. If an XAUTH client needs a static IP address, an IP-user binding rule
can meet this requirement: binding the user of the XAUTH client to an IP address in the address
pool guarantees that this address is allocated to that client whenever it connects to the server.
In addition, the address for an XAUTH client can be restricted to an address range by an IP-role
binding, which defines an IP range for a role; when a client with that role connects to the server,
it gets one address from the range bound to the role.
When the XAUTH server allocates IP addresses, it follows the rules below:

1. If the client has an IP-user binding configured, the server allocates the bound IP address to
it. Note that if the bound IP address is already in use, the client applying for the address
is not allowed to log in to the server.

2. Otherwise, if the client's user matches an IP-role binding rule, the server takes an IP address
from the range bound to that role and allocates it to the client. If no rule matches, the server
takes an IP address from the unbound part of the pool. If no address in the applicable range is
available, the user cannot log in to the server.

Notes: IP addresses in IP-user binding rules and those in IP-role binding rules should not
conflict with each other.



To bind an IP address to a user, in the XAUTH address pool configuration mode, use the fol-
lowing command:
ip-binding user user-name ip ip-address

l user user-name - Specifies the username.

l ip ip-address - Specifies an available IP address in the address pool which will be bound to the
user.

To cancel an IP-user binding, in the XAUTH address pool configuration mode, use the following
command:
no ip-binding user user-name
To bind an IP address to a role, in the XAUTH address pool configuration mode, use the fol-
lowing command:
ip-binding role role-name ip-range start-ip end-ip

l role role-name - Specifies the role name.

l ip-range start-ip end-ip - Specifies the available IP range (start IP address and end IP address)
in the address pool.

To cancel a binding between an IP range and a role, in the XAUTH address pool configuration
mode, use the following command:
no ip-binding role role-name

Changing the Sequence of IP-Role Binding

This parameter is optional. If a user belongs to multiple roles that are bound to different IP
ranges, the system searches the rule list for the first rule that matches the user and allocates
an address from that rule's range. By default, a new rule is added at the bottom of the rule list.
To move an IP-role binding rule within the rule list, in the XAUTH address pool configuration
mode, use the following command:
move role-name1 {before role-name2 | after role-name2 | top | bottom}

l role-name1 – Specifies the role whose binding you want to move.

l before role-name2 – Moves the binding rule before the IP-role binding specified here.

l after role-name2 – Moves the binding rule after the IP-role binding specified here.

l top – Moves the binding rule to the top of the IP-role binding rule list.

l bottom – Moves the binding rule to the bottom of the IP-role binding rule list.
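The allocation precedence described in the rules above (IP-user binding, then the first matching IP-role binding in list order, then the unbound remainder of the pool), together with exclude-address ranges and the reordering done by the move command, is easier to reason about as code. The following Python model is an added example, not StoneOS code; the pool contents it uses are constructed and the class and method names are the example's own.

```python
"""Model of the XAUTH address-pool allocation rules described above.

Added example, not StoneOS code: it reproduces the precedence the text gives
(IP-user binding first, then the first matching IP-role binding in list
order, then the unbound remainder of the pool), honours exclude-address
ranges and the 'move' command's reordering, and refuses a login when the
applicable range has no free address. The pool below is constructed.
"""
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _text(ip):
    return str(ipaddress.IPv4Address(ip))


class XauthPool:
    def __init__(self, start, end, exclude=()):
        self.start, self.end = _ip(start), _ip(end)     # address start-ip end-ip
        self.excluded = set()
        for s, e in exclude:                            # exclude-address start-ip end-ip
            self.excluded.update(range(_ip(s), _ip(e) + 1))
        self.user_bindings = {}                         # ip-binding user ... ip ...
        self.role_bindings = []                         # ordered ip-binding role ... ip-range ...
        self.in_use = {}                                # int ip -> user holding it

    def bind_user(self, user, ip):
        self.user_bindings[user] = _ip(ip)

    def bind_role(self, role, start, end):
        self.role_bindings.append((role, _ip(start), _ip(end)))   # new rule goes to the bottom

    def move_role(self, role, where, other=None):
        """Reorder a role rule: where is 'top', 'bottom', 'before' or 'after'."""
        rule = next(r for r in self.role_bindings if r[0] == role)
        self.role_bindings.remove(rule)
        if where == "top":
            idx = 0
        elif where == "bottom":
            idx = len(self.role_bindings)
        else:
            idx = next(i for i, r in enumerate(self.role_bindings) if r[0] == other)
            idx += 1 if where == "after" else 0
        self.role_bindings.insert(idx, rule)

    def _take(self, candidates, user):
        for ip in candidates:
            if ip not in self.in_use and ip not in self.excluded:
                self.in_use[ip] = user
                return _text(ip)
        return None                                     # range exhausted: login refused

    def allocate(self, user, roles=()):
        """Return the address assigned to user, or None if the login is refused."""
        if user in self.user_bindings:                  # rule 1: static IP-user binding
            ip = self.user_bindings[user]
            if ip in self.in_use:
                return None                             # bound address busy: no login
            self.in_use[ip] = user
            return _text(ip)
        for role, s, e in self.role_bindings:           # rule 2: first matching role rule only
            if role in roles:
                return self._take(range(s, e + 1), user)
        reserved = set(self.user_bindings.values())     # keep bound addresses for their owners
        for _, s, e in self.role_bindings:
            reserved.update(range(s, e + 1))
        unbound = (ip for ip in range(self.start, self.end + 1) if ip not in reserved)
        return self._take(unbound, user)

    def release(self, ip):
        self.in_use.pop(_ip(ip), None)


def demo():
    """Walk through the allocation rules on a constructed pool; returns the results."""
    pool = XauthPool("10.0.0.1", "10.0.0.20", exclude=[("10.0.0.1", "10.0.0.2")])
    pool.bind_user("alice", "10.0.0.5")
    pool.bind_role("admin", "10.0.0.10", "10.0.0.11")
    pool.bind_role("staff", "10.0.0.12", "10.0.0.15")
    r = {}
    r["alice"] = pool.allocate("alice")                        # static binding
    r["alice_again"] = pool.allocate("alice")                  # bound address already in use
    r["bob"] = pool.allocate("bob", roles=("staff", "admin"))  # admin rule is listed first
    pool.move_role("staff", "top")                             # move staff before admin
    r["carol"] = pool.allocate("carol", roles=("staff", "admin"))
    r["dave"] = pool.allocate("dave")                          # no binding: unbound range
    r["eve"] = pool.allocate("eve", roles=("admin",))          # last free admin address
    r["frank"] = pool.allocate("frank", roles=("admin",))      # admin range exhausted
    return r
```

Two behaviours worth noticing in demo(): a second login for a user with a static binding is refused while the first session holds the address, and a user matching a role whose range is full is refused rather than falling through to the unbound range, which is what rule 2 above specifies.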

Configuring a WINS/DNS Server

This parameter is optional. To specify a DNS server, in the XAUTH address pool configuration
mode, use the following command:
dns address1 [ address2 ]

l address1 - Specifies the IP address of DNS servers. You can specify up to two addresses.

To cancel the DNS setting, in the XAUTH address pool configuration mode, use the following
command:
no dns
This parameter is optional. To specify a WINS server, in the XAUTH address pool configuration
mode, use the following command:
wins address1 [ address2 ]

l address1 - Specifies the IP address of the WINS server. You can specify up to two addresses.

To cancel the WINS setting, in the XAUTH address pool configuration mode, use the following
command:
no wins

Kicking out an XAUTH Client

The XAUTH server can forcibly disconnect a client. To kick out an XAUTH client, in the
execution mode, use the following command:
exec xauth isakmp-peer-name kickout user-name



l isakmp-peer-name - Specifies the ISAKMP peer name.

l user-name - Specifies the name of client to be kicked out of the server.

Configuring Tunnel Quota for Non-root VSYS

To configure the tunnel resource quota for a non-root VSYS, use the following command in the
VSYS profile configuration mode:
tunnel-ipsec max max-num reserve reserve-num

l max max-num reserve reserve-num – Specifies the maximum quota (max max-num) and the
reserved quota (reserve reserve-num) for the number of IPsec tunnels of the VSYS. The maximum
quota and the reserved quota differ according to platform. The reserved quota cannot exceed the
maximum quota. The maximum quota ranges from 1 to max, and the default value is max. The
minimum reserved quota is 0.

Notes: "max" indicates the maximum number of IPsec VPN tunnels supported by the device. To
view the maximum quota, use the following command in the global configuration mode:
show capacity all

To delete the quota, use the following command in the VSYS profile configuration mode:
no tunnel-ipsec max max-num reserve reserve-num

Viewing IPsec Configuration

To view the configuration information of IPsec, in any mode, use the following commands:
Show the configuration information of an IKEv1 P1 proposal: show isakmp proposal [p1-name]
Show the configuration information of an IKEv2 P1 proposal: show ikev2 proposal [p1-name]
Show the configuration information of an IKEv1 ISAKMP gateway: show isakmp peer [peer-name]
Show the configuration information of an IKEv2 peer: show ikev2 peer [peer-name]
Show the configuration information of an IKEv2 profile: show ikev2 peer [peer-name] profile
[profile-name]
Show the configuration information of an IKEv1 P2 proposal: show ipsec proposal [proposal-name]
Show the configuration information of an IKEv2 P2 proposal: show ikev2 proposal [proposal-name]
Show the configuration information of a manual key VPN tunnel: show tunnel ipsec manual
[tunnel-name]
Show the configuration and switch information of smart link: show ipsec smart-link-profile
[profile-name]
Show the configuration information of an IKEv1 tunnel: show tunnel ipsec auto [tunnel-name]
Show the configuration information of an IKEv2 tunnel: show tunnel ipsec ikev2 [tunnel-name]
Show the information of IKEv1 P1 SAs: show isakmp sa [peer_ip] [worker worker-id]

l peer_ip - Shows the IKEv1 P1 SA with the specified peer IP address.

l worker worker-id - Shows the IKEv1 P1 SAs handled by the specified VPN processor.

Show the information of IKEv2 P1 SAs: show ikev2 ike-sa
Show the information of IKEv1 P2 SAs: show ipsec sa [id | active | inactive] [worker worker-id]

l id | active | inactive - Shows the IKEv1 P2 SA with the specified Phase 2 ID (id), only the
active IKEv1 P2 SAs (active), or only the inactive IKEv1 P2 SAs (inactive).

l worker worker-id - Shows the IKEv1 P2 SAs handled by the specified VPN processor.

Show the information of IKEv2 P2 SAs: show ikev2 ipsec-sa [sa-id]
Show the XAUTH address pool information: show xauth pool [pool-name]
Show the XAUTH client information: show xauth client isakmp-peer-name [user user-name]
Show the statistics of the VPN processor: show vpnd [isakmp-peer-name] statistics [clear]

l isakmp-peer-name - Shows the statistics of the VPN processor for the specified ISAKMP
gateway.

l clear - Clears the statistics of the VPN processor.

Show the port range of the custom IKE negotiation port pool: show ike-port-pool

Examples of Configuring IPsec VPN


This section describes examples of establishing SAs with a manual key VPN and with an IKE VPN,
examples of route-based and policy-based VPN track with redundant backup, an example of XAUTH
configuration and an example of using IPsec VPN in HA peer mode.

l "Example of Configuring Manual Key VPN" on Page 1252

l "Example of Configuring IKE VPN" on Page 1257

l "Example of Configuring Route-based VPN Track and Redundant Backup" on Page 1264

l "Example of Configuring Policy-based VPN Track and Redundant Backup" on Page 1272

l "Example of Configuring XAUTH" on Page 1280

l "Example of Using IPsec VPN in HA Peer Mode" on Page 1284



Example of Configuring Manual Key VPN

With a manual key VPN tunnel, all the SA parameters (keys, SPIs and algorithms) are configured by
hand on both devices and must match in mirrored form. See the example below:

Requirement

There is a tunnel between Hillstone Device A and Device B. PC1 is a host behind Device A, with the
IP address 188.1.1.2 and gateway 188.1.1.1; Server1 is a server behind Device B, with the IP address
10.110.88.210 and gateway 10.110.88.220. The goal of this configuration example is to protect the
communication between the subnet of PC1 (188.1.1.0/24) and the subnet of Server1
(10.110.88.0/24) using a policy-based VPN, in which the policy rules of Step 4 direct traffic into
and out of the tunnel. Use ESP as the security protocol, 3DES as the encryption algorithm, SHA-1
as the hash algorithm and DEFLATE as the compression algorithm. The network topology is shown in
the following figure.

Configuration Steps

Step 1: Configure interfaces

Device A

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 188.1.1.1/24

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 192.168.1.2/24

hostname(config-if-eth0/1)# exit

Device B

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 10.110.88.220/24

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 192.168.1.3/24

hostname(config-if-eth0/1)# exit

Step 2: Configure routes

Device A

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 10.110.88.0/24 192.168.1.3

hostname(config-vrouter)# exit

Device B

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 188.1.1.0/24 192.168.1.2

hostname(config-vrouter)# exit

Step 3: Configure a tunnel name VPN1

Device A

hostname(config)# tunnel ipsec vpn1 manual

hostname(config-tunnel-ipsec-manual)# interface ethernet0/1

hostname(config-tunnel-ipsec-manual)# protocol esp

hostname(config-tunnel-ipsec-manual)# peer 192.168.1.3

hostname(config-tunnel-ipsec-manual)# hash sha

hostname(config-tunnel-ipsec-manual)# hash-key inbound 1234 outbound 5678

hostname(config-tunnel-ipsec-manual)# encryption 3des

hostname(config-tunnel-ipsec-manual)# encryption-key inbound 00ff outbound 123a

hostname(config-tunnel-ipsec-manual)# compression deflate

hostname(config-tunnel-ipsec-manual)# spi 6001 6002

hostname(config-tunnel-ipsec-manual)# exit

Device B

hostname(config)# tunnel ipsec vpn1 manual

hostname(config-tunnel-ipsec-manual)# interface ethernet0/1

hostname(config-tunnel-ipsec-manual)# protocol esp

hostname(config-tunnel-ipsec-manual)# peer 192.168.1.2

hostname(config-tunnel-ipsec-manual)# hash sha

hostname(config-tunnel-ipsec-manual)# hash-key inbound 5678 outbound 1234

hostname(config-tunnel-ipsec-manual)# encryption 3des

hostname(config-tunnel-ipsec-manual)# encryption-key inbound 123a outbound 00ff

hostname(config-tunnel-ipsec-manual)# compression deflate

hostname(config-tunnel-ipsec-manual)# spi 6002 6001

hostname(config-tunnel-ipsec-manual)# exit

Step 4: Configure policy rules

Each device needs two rules: traffic from trust to untrust is sent into the tunnel (action tunnel
vpn1), and traffic that arrives from the tunnel is admitted (action fromtunnel vpn1).

Device A

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action tunnel vpn1

hostname(config-policy-rule)# exit

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action fromtunnel vpn1

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

Device B

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action tunnel vpn1

hostname(config-policy-rule)# exit

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action fromtunnel vpn1

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#



When the settings above are completed, the security tunnel between Device A and Device B is
established, and traffic between the subnet 188.1.1.0/24 and the subnet 10.110.88.0/24 is
encrypted. Note that the keys (1234, 5678, 00ff, 123a) and SPIs in this example are placeholders:
in a real deployment use random keys of the full length for the chosen algorithms, different in
each direction, and keep them out of shared configuration dumps, since anyone holding a manual
key can decrypt or forge traffic on that SA until the key is changed by hand.
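To make the mirroring requirement concrete, the following Python helper is an added example, not Hillstone code: it generates full-length random keys for a manual-key tunnel and renders both devices' tunnel blocks with inbound and outbound parameters swapped, and a check function confirms the two sides are mirrors of each other. The key sizes it assumes, the function names and the device addresses are the example's own, and the compression line from the example above is omitted.

```python
"""Generate mirrored manual-key tunnel configurations for two devices.

Added example, not Hillstone code. The example above uses placeholder keys
such as 1234 and 5678; this helper draws full-length random keys and emits
both devices' 'tunnel ipsec ... manual' blocks so that Device A's outbound
key and SPI are exactly Device B's inbound ones. Key sizes follow the ESP
and HMAC RFCs (3DES 24 bytes, AES 16/24/32 bytes, HMAC key equal to the
digest size); that a given StoneOS release accepts these lengths verbatim
is an assumption to confirm against the manual-key command reference.
"""
import secrets

ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes": 16, "aes-192": 24, "aes-256": 32}
HASH_KEY_BYTES = {"md5": 16, "sha": 20, "sha256": 32, "sha384": 48, "sha512": 64}


def direction_keys(encryption, hash_alg):
    """Fresh random keys for one direction of the SA, as lower-case hex."""
    return {"enc": secrets.token_hex(ENC_KEY_BYTES[encryption]),
            "hash": secrets.token_hex(HASH_KEY_BYTES[hash_alg])}


def render_side(name, interface, peer, encryption, hash_alg,
                inbound, outbound, spi_in, spi_out):
    """CLI lines for one device; its inbound keys/SPI are the peer's outbound ones."""
    return [
        f"tunnel ipsec {name} manual",
        f" interface {interface}",
        " protocol esp",
        f" peer {peer}",
        f" hash {hash_alg}",
        f" hash-key inbound {inbound['hash']} outbound {outbound['hash']}",
        f" encryption {encryption}",
        f" encryption-key inbound {inbound['enc']} outbound {outbound['enc']}",
        f" spi {spi_in} {spi_out}",
        "exit",
    ]


def make_pair(name, addr_a, addr_b, encryption="3des", hash_alg="sha",
              spi_in_a=6001, spi_in_b=6002, interface="ethernet0/1"):
    """Return {"A": lines, "B": lines} with keys and SPIs mirrored between the sides."""
    a_to_b = direction_keys(encryption, hash_alg)   # A encrypts, B decrypts
    b_to_a = direction_keys(encryption, hash_alg)   # B encrypts, A decrypts
    side_a = render_side(name, interface, addr_b, encryption, hash_alg,
                         inbound=b_to_a, outbound=a_to_b,
                         spi_in=spi_in_a, spi_out=spi_in_b)
    side_b = render_side(name, interface, addr_a, encryption, hash_alg,
                         inbound=a_to_b, outbound=b_to_a,
                         spi_in=spi_in_b, spi_out=spi_in_a)
    return {"A": side_a, "B": side_b}


def directional(lines, command):
    """Return the (inbound, outbound) pair from a 'hash-key', 'encryption-key' or 'spi' line."""
    for line in lines:
        parts = line.split()
        if parts and parts[0] == command:
            return (parts[1], parts[2]) if command == "spi" else (parts[2], parts[4])
    raise ValueError(f"no {command} line")


def mirrored(pair):
    """True if every directional parameter on A is the reverse of the one on B."""
    return all(directional(pair["A"], cmd) == directional(pair["B"], cmd)[::-1]
               for cmd in ("hash-key", "encryption-key", "spi"))


if __name__ == "__main__":
    pair = make_pair("vpn1", "192.168.1.2", "192.168.1.3")
    for side, lines in pair.items():
        print(f"# Device {side}")
        print("\n".join(lines))
```

Running the block prints the two blocks to paste into Step 3 on each device; because the keys are drawn with the secrets module rather than typed, the only manual step left is the transfer itself, which should happen over an already-authenticated channel.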



Example of Configuring IKE VPN

This section describes an example of IKE VPN configuration.

Requirement

There is a tunnel between Hillstone Device A and B. PC1 is a host behind Device A, with the IP
address 10.1.1.1 and gateway 10.1.1.2; Server1 is the server behind Device B, with IP address
192.168.1.1 and gateway 192.168.1.2. The goal of this configuration example is to protect the
communication between the subnet of PC1 (10.1.1.0/24) and the subnet of Server1
(192.168.1.0/24), using the method of route-based VPN. Use ESP as the security protocol,
3DES as the encryption algorithm, SHA1 as the hash algorithm and DEFLATE as compression
algorithm.

Configuration Steps

Step 1: Configure the interfaces

Device A

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 10.1.1.2/24

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 1.1.1.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# exit

Device B

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 192.168.1.2/24

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 1.1.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# exit

Step 2: Configure policy rules

Device A

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

Device B

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

Step 3: Configure routes

Device A

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 192.168.1.0/24 tunnel1

hostname(config-vrouter)# exit

Device B

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 10.1.1.0/24 tunnel1

hostname(config-vrouter)# exit

Step 4: Configure a P1 proposal

Device A

hostname(config)# isakmp proposal p1

hostname(config-isakmp-proposal)# authentication pre-share

hostname(config-isakmp-proposal)# group 2

hostname(config-isakmp-proposal)# hash sha

hostname(config-isakmp-proposal)# encryption 3des

hostname(config-isakmp-proposal)# exit

Device B

hostname(config)# isakmp proposal p1

hostname(config-isakmp-proposal)# authentication pre-share

hostname(config-isakmp-proposal)# group 2

hostname(config-isakmp-proposal)# hash sha

hostname(config-isakmp-proposal)# encryption 3des

hostname(config-isakmp-proposal)# exit

Step 5: Configure an ISAKMP gateway

Device A

hostname(config)# isakmp peer east

hostname(config-isakmp-peer)# interface ethernet0/1

hostname(config-isakmp-peer)# isakmp-proposal p1

hostname(config-isakmp-peer)# peer 1.1.1.2

hostname(config-isakmp-peer)# pre-share hello1

hostname(config-isakmp-peer)# exit

Device B

hostname(config)# isakmp peer west

hostname(config-isakmp-peer)# interface ethernet0/1

hostname(config-isakmp-peer)# isakmp-proposal p1

hostname(config-isakmp-peer)# peer 1.1.1.1

hostname(config-isakmp-peer)# pre-share hello1

hostname(config-isakmp-peer)# exit

Step 6: Configure a P2 proposal

Device A

hostname(config)# ipsec proposal p2

hostname(config-ipsec-proposal)# protocol esp

hostname(config-ipsec-proposal)# hash sha

hostname(config-ipsec-proposal)# encryption 3des

hostname(config-ipsec-proposal)# compression deflate

hostname(config-ipsec-proposal)# exit

Device B

hostname(config)# ipsec proposal p2

hostname(config-ipsec-proposal)# protocol esp

hostname(config-ipsec-proposal)# hash sha

hostname(config-ipsec-proposal)# encryption 3des

hostname(config-ipsec-proposal)# compression deflate

hostname(config-ipsec-proposal)# exit

Step 7: Configure a tunnel named VPN

Each tunnel references the ISAKMP gateway created on the same device in Step 5 (east on Device A,
west on Device B).

Device A

hostname(config)# tunnel ipsec vpn auto

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# isakmp-peer east

hostname(config-tunnel-ipsec-auto)# id local 10.1.1.0/24 remote 192.168.1.0/24 service any

hostname(config-tunnel-ipsec-auto)# exit

hostname(config)# interface tunnel1

hostname(config-if-tun1)# tunnel ipsec vpn

hostname(config-if-tun1)# exit

Device B

hostname(config)# tunnel ipsec vpn auto

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# isakmp-peer west

hostname(config-tunnel-ipsec-auto)# id local 192.168.1.0/24 remote 10.1.1.0/24 service any

hostname(config-tunnel-ipsec-auto)# exit

hostname(config)# interface tunnel1

hostname(config-if-tun1)# tunnel ipsec vpn

hostname(config-if-tun1)# exit

When the settings are completed, the security tunnel between Device A and Device B is
established, and traffic between the subnet 10.1.1.0/24 and the subnet 192.168.1.0/24 is
encrypted.



Example of Configuring Route-based VPN Track and Redundant Backup

This section describes a route-based VPN track and redundant backup example.

Requirement

There are two IKE VPN tunnels, VPN1 tunnel and VPN2 tunnel, between Hillstone Device A and
Device B. The server is behind Device A, with the IP address 192.168.100.8 and gateway address
192.168.100.1; the PC is behind Device B, with the IP address 172.16.10.8 and gateway address
172.16.10.1. The requirement is to track the status of both tunnels: when the main tunnel (VPN1
tunnel) fails, traffic is diverted to the backup tunnel (VPN2 tunnel); when the main tunnel
recovers, traffic switches back to it. The P1 and P2 proposals below use DES and MD5 only to keep
the example short; in production use AES and SHA-256 or stronger. The network topology is shown
in the following figure:



Configuration Steps

Step 1: Configure Device A

Co n figure in terfaces:

hostname(config)# in terface eth ern et0/0

hostname(config-if-eth0/0)# zo n e trust

hostname(config-if-eth0/0)# ip address 192.168.100.1/24

hostname(config-if-eth0/0)# exit

hostname(config)# in terface eth ern et0/1

hostname(config-if-eth0/1)# zo n e un trust

hostname(config-if-eth0/1)# ip address 10.10.10.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# in terface eth ern et0/4

hostname(config-if-eth0/4)# zo n e un trust

hostname(config-if-eth0/4)# ip address 20.20.20.1/24

hostname(config-if-eth0/4)# exit

Co n figure a P1 p ro p o sal:

hostname(config)# isakmp p ro p o sal p 1

hostname(config-isakmp-proposal)# auth en ticatio n p re-sh are

hostname(config-isakmp-proposal)# gro up 2

hostname(config-isakmp-proposal)# h ash md5

hostname(config-isakmp-proposal)# encryption des

hostname(config-isakmp-proposal)# exit

Co n figure an ISAKMP gateway:

hostname(config)# isakmp peer gwa-peer-1

hostname(config-isakmp-peer)# in terface eth ern et0/1

hostname(config-isakmp-peer)# isakmp -p ro p o sal p 1

Chapter 9 VPN 1265


hostname(config-isakmp-peer)# peer 10.10.10.2

hostname(config-isakmp-peer)# pre-share U8FdHNEEBz6sNn5Mvqx3yWuLRWce

hostname(config-isakmp-peer)# exit

hostname(config)# isakmp peer gwa-peer-2

hostname(config-isakmp-peer)# interface ethernet0/4

hostname(config-isakmp-peer)# isakmp-proposal p1

hostname(config-isakmp-peer)# peer 20.20.20.2

hostname(config-isakmp-peer)# pre-share i39jnnNiCSh9rXb77oGA7Fg7BNQy

hostname(config-isakmp-peer)# exit

Configure a P2 proposal:

hostname(config)# ipsec proposal p2

hostname(config-ipsec-proposal)# protocol esp

hostname(config-ipsec-proposal)# hash md5

hostname(config-ipsec-proposal)# encryption des

hostname(config-ipsec-proposal)# exit

Configure VPN tunnels:

hostname(config)# tunnel ipsec vpn1-tunnel auto

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# isakmp-peer gwa-peer-1

hostname(config-tunnel-ipsec-auto)# vpn-track interval 3 threshold 9

hostname(config-tunnel-ipsec-auto)# track-event-notify enable

hostname(config-tunnel-ipsec-auto)# exit

hostname(config)# tunnel ipsec vpn2-tunnel auto

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# isakmp-peer gwa-peer-2

hostname(config-tunnel-ipsec-auto)# vpn-track interval 3 threshold 9

hostname(config-tunnel-ipsec-auto)# track-event-notify enable

hostname(config-tunnel-ipsec-auto)# auto-connect

hostname(config-tunnel-ipsec-auto)# exit

Create tunnel interfaces and bind to the VPN tunnels:

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone untrust

hostname(config-if-tun1)#

hostname(config-if-tun1)# tunnel ipsec vpn1-tunnel

hostname(config-if-tun1)# exit

hostname(config)# interface tunnel2

hostname(config-if-tun2)# zone untrust

hostname(config-if-tun2)# ip address 10.2.2.1/24

hostname(config-if-tun2)# tunnel ipsec vpn2-tunnel

hostname(config-if-tun2)# exit

Configure routes:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)#

hostname(config-vrouter)# ip route 172.16.10.0/24 tunnel2 20

hostname(config-vrouter)# exit

Configure policy rules:

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

Step 2: Configure Device B

Configure interfaces:

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 172.16.10.1/24

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 10.10.10.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/4

hostname(config-if-eth0/4)# zone untrust

hostname(config-if-eth0/4)# ip address 20.20.20.2/24

hostname(config-if-eth0/4)# exit

Configure a P1 proposal:

hostname(config)# isakmp proposal p1

hostname(config-isakmp-proposal)# authentication pre-share

hostname(config-isakmp-proposal)# group 2

hostname(config-isakmp-proposal)# hash md5

hostname(config-isakmp-proposal)# encryption des

hostname(config-isakmp-proposal)# exit

Configure an ISAKMP gateway:

hostname(config)# isakmp peer gwb-peer-1

hostname(config-isakmp-peer)# interface ethernet0/1

hostname(config-isakmp-peer)# isakmp-proposal p1

hostname(config-isakmp-peer)# peer 10.10.10.1

hostname(config-isakmp-peer)# pre-share U8FdHNEEBz6sNn5Mvqx3yWuLRWce

hostname(config-isakmp-peer)# exit

hostname(config)# isakmp peer gwb-peer-2

hostname(config-isakmp-peer)# interface ethernet0/4

hostname(config-isakmp-peer)# isakmp-proposal p1

hostname(config-isakmp-peer)# peer 20.20.20.1

hostname(config-isakmp-peer)# pre-share i39jnnNiCSh9rXb77oGA7Fg7BNQy

hostname(config-isakmp-peer)# exit

Configure a P2 proposal:

hostname(config)# ipsec proposal p2

hostname(config-ipsec-proposal)# protocol esp

hostname(config-ipsec-proposal)# hash md5

hostname(config-ipsec-proposal)# encryption des

hostname(config-ipsec-proposal)# exit

Configure VPN tunnels:

hostname(config)# tunnel ipsec vpn1-tunnel auto

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# isakmp-peer gwb-peer-1

hostname(config-tunnel-ipsec-auto)# vpn-track interval 3 threshold 9

hostname(config-tunnel-ipsec-auto)# track-event-notify enable

hostname(config-tunnel-ipsec-auto)# auto-connect

hostname(config-tunnel-ipsec-auto)# exit

hostname(config)# tunnel ipsec vpn2-tunnel auto

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# isakmp-peer gwb-peer-2

hostname(config-tunnel-ipsec-auto)# vpn-track interval 3 threshold 9

hostname(config-tunnel-ipsec-auto)# track-event-notify enable

hostname(config-tunnel-ipsec-auto)# auto-connect

hostname(config-tunnel-ipsec-auto)# exit

Create tunnel interfaces and bind to the VPN tunnels:

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone untrust

hostname(config-if-tun1)# ip address 10.1.1.2/24

hostname(config-if-tun1)# tunnel ipsec vpn1-tunnel

hostname(config-if-tun1)# exit

hostname(config)# interface tunnel2

hostname(config-if-tun2)# zone untrust

hostname(config-if-tun2)# ip address 10.2.2.2/24

hostname(config-if-tun2)# tunnel ipsec vpn2-tunnel

hostname(config-if-tun2)# exit

Configure routes:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 192.168.100.0/24 tunnel1 1

hostname(config-vrouter)# ip route 192.168.100.0/24 tunnel2 2

hostname(config-vrouter)# exit

Configure policy rules:

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

In this example, both VPN devices are Hillstone devices, so you can use the default source
and destination addresses for VPN track.

Example of Configuring Policy-based VPN Track and Redundant Backup

This section describes a policy-based VPN track and redundant backup example.

Requirement

There are two IKE VPN tunnels, named VPN1 tunnel and VPN2 tunnel, between Hillstone
Device A and Device B. The server is behind Device A, with the IP address 192.168.100.8 and
gateway address 192.168.100.1; the PC is behind Device B, with the IP address 172.16.10.8 and
gateway address 172.16.10.1. The requirement is to track the VPN status of VPN1 tunnel and
VPN2 tunnel: when the main tunnel (VPN1 tunnel) link fails, traffic is diverted to the backup
tunnel (VPN2 tunnel); when the main tunnel recovers, traffic is switched back to the main tunnel.
The network topology is shown in the following figure:

Configuration Steps

Step 1: Configure Device A

Configure interfaces:

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 192.168.100.1/24

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 10.10.10.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/4

hostname(config-if-eth0/4)# zone untrust

hostname(config-if-eth0/4)# ip address 20.20.20.1/24

hostname(config-if-eth0/4)# exit

Configure the route:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 172.16.10.0/24 20.20.20.2

hostname(config-vrouter)# exit

Configure a P1 proposal:

hostname(config)# isakmp proposal p1

hostname(config-isakmp-proposal)# authentication pre-share

hostname(config-isakmp-proposal)# group 2

hostname(config-isakmp-proposal)# hash md5

hostname(config-isakmp-proposal)# encryption des

hostname(config-isakmp-proposal)# exit

Configure an ISAKMP gateway:

hostname(config)# isakmp peer gwa-peer-1

hostname(config-isakmp-peer)# interface ethernet0/1

hostname(config-isakmp-peer)# isakmp-proposal p1

hostname(config-isakmp-peer)# peer 10.10.10.2

hostname(config-isakmp-peer)# pre-share U8FdHNEEBz6sNn5Mvqx3yWuLRWce

hostname(config-isakmp-peer)# exit

hostname(config)# isakmp peer gwa-peer-2

hostname(config-isakmp-peer)# interface ethernet0/4

hostname(config-isakmp-peer)# isakmp-proposal p1

hostname(config-isakmp-peer)# peer 20.20.20.2

hostname(config-isakmp-peer)# pre-share i39jnnNiCSh9rXb77oGA7Fg7BNQy

hostname(config-isakmp-peer)# exit

Configure a P2 proposal:

hostname(config)# ipsec proposal p2

hostname(config-ipsec-proposal)# protocol esp

hostname(config-ipsec-proposal)# hash md5

hostname(config-ipsec-proposal)# encryption des

hostname(config-ipsec-proposal)# exit

Configure VPN tunnels:

hostname(config)# tunnel ipsec vpn1-tunnel auto

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# isakmp-peer gwa-peer-1

hostname(config-tunnel-ipsec-auto)# vpn-track interval 1 threshold 5

hostname(config-tunnel-ipsec-auto)# track-event-notify enable

hostname(config-tunnel-ipsec-auto)# exit

hostname(config)# tunnel ipsec vpn2-tunnel auto

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# isakmp-peer gwa-peer-2

hostname(config-tunnel-ipsec-auto)# vpn-track interval 1 threshold 5

hostname(config-tunnel-ipsec-auto)# track-event-notify enable

hostname(config-tunnel-ipsec-auto)# auto-connect

hostname(config-tunnel-ipsec-auto)# exit

Configure policy rules:

hostname(config)# policy-global

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-ip 192.168.100.8/24

hostname(config-policy-rule)# dst-ip 172.16.10.8/24

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action tunnel vpn1-tunnel

hostname(config-policy-rule)# exit

hostname(config-policy)# rule id 2

hostname(config-policy-rule)# src-ip 172.16.10.8/24

hostname(config-policy-rule)# dst-ip 192.168.100.8/24

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action fromtunnel vpn1-tunnel

hostname(config-policy-rule)# exit

hostname(config-policy)# rule id 3

hostname(config-policy-rule)# src-ip 192.168.100.8/24

hostname(config-policy-rule)# dst-ip 172.16.10.8/24

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action tunnel vpn2-tunnel

hostname(config-policy-rule)# exit

hostname(config-policy)# rule id 4

hostname(config-policy-rule)# src-ip 172.16.10.8/24

hostname(config-policy-rule)# dst-ip 192.168.100.8/24

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action fromtunnel vpn2-tunnel

hostname(config-policy-rule)# exit

hostname(config-policy)# rule id 5

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

Step 2: Configure Device B

Configure interfaces:

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 172.16.10.1/24

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 10.10.10.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/4

hostname(config-if-eth0/4)# zone untrust

hostname(config-if-eth0/4)# ip address 20.20.20.2/24

hostname(config-if-eth0/4)# exit

Configure the route:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 192.168.100.0/24 20.20.20.1

hostname(config-vrouter)# exit

Configure a P1 proposal:

hostname(config)# isakmp proposal p1

hostname(config-isakmp-proposal)# authentication pre-share

hostname(config-isakmp-proposal)# group 2

hostname(config-isakmp-proposal)# hash md5

hostname(config-isakmp-proposal)# encryption des

hostname(config-isakmp-proposal)# exit

Configure an ISAKMP gateway:

hostname(config)# isakmp peer gwb-peer-1

hostname(config-isakmp-peer)# interface ethernet0/1

hostname(config-isakmp-peer)# isakmp-proposal p1

hostname(config-isakmp-peer)# peer 10.10.10.1

hostname(config-isakmp-peer)# pre-share U8FdHNEEBz6sNn5Mvqx3yWuLRWce

hostname(config-isakmp-peer)# exit

hostname(config)# isakmp peer gwb-peer-2

hostname(config-isakmp-peer)# interface ethernet0/4

hostname(config-isakmp-peer)# isakmp-proposal p1

hostname(config-isakmp-peer)# peer 20.20.20.1

hostname(config-isakmp-peer)# pre-share i39jnnNiCSh9rXb77oGA7Fg7BNQy

hostname(config-isakmp-peer)# exit

Configure a P2 proposal:

hostname(config)# ipsec proposal p2

hostname(config-ipsec-proposal)# protocol esp

hostname(config-ipsec-proposal)# hash md5

hostname(config-ipsec-proposal)# encryption des

hostname(config-ipsec-proposal)# exit

Configure VPN tunnels:

hostname(config)# tunnel ipsec vpn1-tunnel auto

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# isakmp-peer gwb-peer-1

hostname(config-tunnel-ipsec-auto)# vpn-track interval 1 threshold 5

hostname(config-tunnel-ipsec-auto)# auto-connect

hostname(config-tunnel-ipsec-auto)# exit

hostname(config)# tunnel ipsec vpn2-tunnel auto

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# isakmp-peer gwb-peer-2

hostname(config-tunnel-ipsec-auto)# vpn-track interval 1 threshold 5

hostname(config-tunnel-ipsec-auto)# track-event-notify enable

hostname(config-tunnel-ipsec-auto)# auto-connect

hostname(config-tunnel-ipsec-auto)# exit

Configure policy rules:

hostname(config)# policy-global

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-ip 172.16.10.8/24

hostname(config-policy-rule)# dst-ip 192.168.100.8/24

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action fromtunnel vpn1-tunnel

hostname(config-policy-rule)# exit

hostname(config-policy)# rule id 2

hostname(config-policy-rule)# src-ip 192.168.100.8/24

hostname(config-policy-rule)# dst-ip 172.16.10.8/24

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action tunnel vpn1-tunnel

hostname(config-policy-rule)# exit

hostname(config-policy)# rule id 3

hostname(config-policy-rule)# src-ip 172.16.10.8/24

hostname(config-policy-rule)# dst-ip 192.168.100.8/24

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action fromtunnel vpn2-tunnel

hostname(config-policy-rule)# exit

hostname(config-policy)# rule id 4

hostname(config-policy-rule)# src-ip 192.168.100.8/24

hostname(config-policy-rule)# dst-ip 172.16.10.8/24

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action tunnel vpn2-tunnel

hostname(config-policy-rule)# exit

hostname(config-policy)# rule id 5

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

In this example, both VPN devices are Hillstone devices, so you can use the default source
and destination addresses for VPN track.
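Both the route-based and the policy-based example rely on the same tracking behaviour: a probe that fails increments a counter, the tunnel is declared down after the configured threshold of consecutive failures, traffic moves to the next preferred tunnel (the lower route priority in the route-based example, the lower policy rule id in the policy-based one), and it moves back once the main tunnel is tracked up again. The Python model below is an added example and not part of the StoneOS guide; it replays both examples with constructed probe results and assumes that a single successful probe restores a tunnel, which the guide does not state.

```python
"""Model of StoneOS 'vpn-track interval I threshold T' failover between a main
and a backup IPsec tunnel (added example, not StoneOS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class TrackedTunnel:
    """Per-tunnel tracker state: 'interval' seconds between probes, 'threshold'
    consecutive failed probes before the tunnel is declared down."""
    name: str
    interval: int
    threshold: int
    up: bool = True
    failures: int = 0   # consecutive failed probes so far

    def probe(self, ok: bool) -> Optional[str]:
        """Record one probe result; return an event string when the tracked state
        flips (what 'track-event-notify enable' would report), else None."""
        if ok:
            self.failures = 0
            if not self.up:   # assumption: one successful probe restores the tunnel
                self.up = True
                return f"{self.name}: up"
            return None
        self.failures += 1
        if self.up and self.failures >= self.threshold:
            self.up = False
            return f"{self.name}: down"
        return None

    def detection_time(self) -> int:
        """Worst-case seconds from link failure to 'down': all 'threshold' probes,
        sent 'interval' seconds apart, must fail first."""
        return self.interval * self.threshold


def select_path(candidates: Sequence[Tuple[int, str]],
                tunnels: Dict[str, TrackedTunnel]) -> Optional[str]:
    """Most preferred tunnel whose tracked state is up. 'candidates' are
    (preference, tunnel) pairs, lower preferred: the route priority in the
    route-based example ('ip route ... tunnel1 1' beats '... tunnel2 2'), the
    policy rule id in the policy-based one (rule 1 beats rule 3)."""
    for _, name in sorted(candidates):
        if tunnels[name].up:
            return name
    return None   # every tunnel is down: no VPN path available


def simulate(tunnels: Dict[str, TrackedTunnel], candidates: Sequence[Tuple[int, str]],
             probe_results: Sequence[Dict[str, bool]]) -> Tuple[List[Optional[str]], List[str]]:
    """Feed one {tunnel: probe_ok} dict per probe interval; return the path chosen
    after each interval and every track event raised on the way."""
    history, events = [], []
    for tick in probe_results:
        for name, ok in tick.items():
            event = tunnels[name].probe(ok)
            if event:
                events.append(event)
        history.append(select_path(candidates, tunnels))
    return history, events


def _scenario(main, backup, main_pref, backup_pref, interval, threshold, failing_ticks):
    """Constructed probe sequence: the main tunnel fails for 'failing_ticks'
    probes and then answers again; the backup stays healthy throughout."""
    tunnels = {main: TrackedTunnel(main, interval, threshold),
               backup: TrackedTunnel(backup, interval, threshold)}
    candidates = [(main_pref, main), (backup_pref, backup)]
    probes = [{main: False, backup: True}] * failing_ticks + [{main: True, backup: True}]
    history, events = simulate(tunnels, candidates, probes)
    return history, events, tunnels[main].detection_time()


def route_based_scenario():
    """Device B of the route-based example: tunnel1 (route priority 1) is main,
    tunnel2 (priority 2) backup, both 'vpn-track interval 3 threshold 9', so a
    dead main link is detected after 27 s and traffic moves to tunnel2."""
    return _scenario("tunnel1", "tunnel2", 1, 2, interval=3, threshold=9, failing_ticks=9)


def policy_based_scenario():
    """Device A of the policy-based example: rule 1 tunnels traffic into vpn1-tunnel,
    rule 3 into vpn2-tunnel, both 'vpn-track interval 1 threshold 5' (5 s)."""
    return _scenario("vpn1-tunnel", "vpn2-tunnel", 1, 3, interval=1, threshold=5, failing_ticks=6)


if __name__ == "__main__":
    for label, fn in (("route-based", route_based_scenario), ("policy-based", policy_based_scenario)):
        history, events, detect = fn()
        print(f"{label}: detection {detect}s, events {events}, path per probe {history}")
```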

Example of Configuring XAUTH

This section describes a typical XAUTH configuration example.

Requirement

The Hillstone device is enabled as an XAUTH server and uses the local AAA server for user
authentication. When a user tries to launch a VPN connection from a mobile phone to gain access
to internal resources, the XAUTH server authenticates the user by a pre-shared key and permits
the authenticated user to access internal resources. The network topology is shown in the
following figure:

Configuration Steps

Step 1: Configure interfaces, zones and policies

hostname(config)# interface ethernet0/6

hostname(config-if-eth0/6)# zone trust

hostname(config-if-eth0/6)# ip address 6.6.6.6 255.255.255.0

hostname(config-if-eth0/6)# manage ping

hostname(config-if-eth0/6)# manage ssh

hostname(config-if-eth0/6)# manage http

hostname(config-if-eth0/6)# exit

hostname(config)# interface ethernet0/7

hostname(config-if-eth0/7)# zone untrust

hostname(config-if-eth0/7)# ip address 7.7.7.7 255.255.255.0

hostname(config-if-eth0/7)# exit

hostname(config)# rule top

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

Step 2: Configure an AAA server

hostname(config)# aaa-server local type local

hostname(config-aaa-server)# user xauth

hostname(config-user)# password test

hostname(config-user)# ike-id key-id xauth

hostname(config-user)# end

hostname(config)#

Step 3: Configure an XAUTH address pool

hostname(config)# xauth pool pool

hostname(config-xauth-pool)# address 9.9.9.9 9.9.9.99 netmask 255.255.255.0

hostname(config-xauth-pool)# exit

hostname(config)#

Step 4: Configure an ISAKMP peer

hostname(config)# isakmp peer xauth

hostname(config-isakmp-peer)# mode aggressive

hostname(config-isakmp-peer)# type usergroup

hostname(config-isakmp-peer)# isakmp-proposal psk-sha-aes128-g2

hostname(config-isakmp-peer)# pre-share XhF44BilJO3b/2HFl5lVqXniqeMByq

hostname(config-isakmp-peer)# aaa-server local

hostname(config-isakmp-peer)# local-id key-id xauth

hostname(config-isakmp-peer)# xauth pool-name pool

hostname(config-isakmp-peer)# xauth server

hostname(config-isakmp-peer)# interface ethernet0/7

hostname(config-isakmp-peer)# exit

hostname(config)#

Step 5: Configure an IKE tunnel and tunnel interface

hostname(config)# tunnel ipsec xauth auto

hostname(config-tunnel-ipsec-auto)# isakmp-peer xauth

hostname(config-tunnel-ipsec-auto)# ipsec-proposal esp-sha-aes128-g0

hostname(config-tunnel-ipsec-auto)# accept-all-proxy-id

hostname(config-tunnel-ipsec-auto)# exit

hostname(config)# interface tunnel22

hostname(config-if-tun22)# zone trust

hostname(config-if-tun22)# ip address 9.9.9.1 255.255.255.0

hostname(config-if-tun22)# manage telnet

hostname(config-if-tun22)# manage ssh

hostname(config-if-tun22)# manage ping

hostname(config-if-tun22)# manage http

hostname(config-if-tun22)# manage https

hostname(config-if-tun22)# manage snmp

hostname(config-if-tun22)# tunnel ipsec xauth

hostname(config-if-tun22)# exit

hostname(config)#

After the above steps, the mobile phone user can complete the authentication procedure via the
VPN client bundled with Android or iOS (username xauth, password test, IPsec identifier/group
name xauth) and gain access to internal resources.

Example of Using IPsec VPN in HA Peer Mode

The HA peer mode supports IPsec VPN. This section uses an example to show how to integrate
HA peer mode with IPsec VPN in an asymmetric routing environment. Before configuring these
functions, ensure that both Hillstone devices have the same hardware platform, firmware version,
and license.
After the configuration is complete, both devices work in HA peer mode with the IPsec VPN
function enabled. Traffic from the PC to the server passes through Device A and is secured by
the IPsec VPN configured on Device A; the return traffic from the server to the PC passes through
Device B and is secured by the IPsec VPN configured on Device B. If one device or its relevant
links go down, the other device forwards and secures the traffic. The topology is shown below:

Configuration Steps

Step 1: Configure HA peer mode

Device A

hostname(config)# ha link interface eth0/4

hostname(config)# ha link ip 1.1.1.1/24

hostname(config)# ha group 0

hostname(config-ha-group)# priority 50

hostname(config-ha-group)# exit

hostname(config)# ha group 1

hostname(config-ha-group)# priority 100

hostname(config-ha-group)# exit

Device B

hostname(config)# ha link interface eth0/4

hostname(config)# ha link ip 1.1.1.2/24

hostname(config)# ha group 0

hostname(config-ha-group)# priority 100

hostname(config-ha-group)# exit

hostname(config)# ha group 1

hostname(config-ha-group)# priority 50

hostname(config-ha-group)# exit

Step 2: Configure VFI interfaces, and add routes and NAT rules

Device A

hostname(config)# interface eth0/1:1

hostname(config-if-eth0/1:1)# zone untrust

hostname(config-if-eth0/1:1)# ip address 192.168.10.1/24

hostname(config-if-eth0/1:1)# exit

hostname(config)# interface eth0/2:1

hostname(config-if-eth0/2:1)# zone trust

hostname(config-if-eth0/2:1)# ip address 192.168.20.1/24

hostname(config-if-eth0/2:1)# exit

Step 3: Configure IPsec VPN

Device A

hostname(M0D1)(config)# isakmp peer peer1

hostname(M0D1)(config-isakmp-peer)# interface ethernet0/1

hostname(M0D1)(config-isakmp-peer)# peer 192.168.1.2

hostname(M0D1)(config-isakmp-peer)# isakmp-proposal psk-md5-des-g2

hostname(M0D1)(config-isakmp-peer)# pre-share hillstone

hostname(M0D1)(config-isakmp-peer)# exit

hostname(M0D1)(config)# isakmp peer peer2

hostname(M0D1)(config-isakmp-peer)# interface ethernet0/1:1

hostname(M0D1)(config-isakmp-peer)# peer 192.168.10.2

hostname(M0D1)(config-isakmp-peer)# isakmp-proposal psk-md5-des-g2

hostname(M0D1)(config-isakmp-peer)# pre-share hillstone

hostname(M0D1)(config-isakmp-peer)# exit

hostname(M0D1)(config)# tunnel ipsec vpn1 auto

hostname(M0D1)(config-tunnel-ipsec-auto)# isakmp-peer peer1

hostname(M0D1)(config-tunnel-ipsec-auto)# ipsec-proposal esp-md5-des-g2

hostname(M0D1)(config-tunnel-ipsec-auto)# exit

hostname(M0D1)(config)# tunnel ipsec vpn2 auto

hostname(M0D1)(config-tunnel-ipsec-auto)# isakmp-peer peer2

hostname(M0D1)(config-tunnel-ipsec-auto)# ipsec-proposal esp-md5-des-g2

hostname(M0D1)(config-tunnel-ipsec-auto)# exit

hostname(M0D1)(config)# int tunnel1

hostname(M0D1)(config-if-tun1)# zone vpn

hostname(M0D1)(config-if-tun1)# tunnel ipsec vpn1

hostname(M0D1)(config-if-tun1)# exit

hostname(M0D1)(config)# int tunnel1:1

hostname(M0D1)(config-if-tun1)# zone vpn

hostname(M0D1)(config-if-tun1)# tunnel ipsec vpn2

hostname(M0D1)(config-if-tun1)# exit

Device C

hostname(config)# isakmp peer peer1

hostname(config-isakmp-peer)# interface ethernet0/1

hostname(config-isakmp-peer)# peer 192.168.1.1

hostname(config-isakmp-peer)# isakmp-proposal psk-md5-des-g2

hostname(config-isakmp-peer)# pre-share hillstone

hostname(config-isakmp-peer)# exit

hostname(config)# isakmp peer peer2

hostname(config-isakmp-peer)# interface ethernet0/2

hostname(config-isakmp-peer)# peer 192.168.10.1

hostname(config-isakmp-peer)# isakmp-proposal psk-md5-des-g2

hostname(config-isakmp-peer)# pre-share hillstone

hostname(config-isakmp-peer)# exit

hostname(config)# tunnel ipsec vpn1 auto

hostname(config-tunnel-ipsec-auto)# isakmp-peer peer1

hostname(config-tunnel-ipsec-auto)# ipsec-proposal esp-md5-des-g2

hostname(config-tunnel-ipsec-auto)# exit

hostname(config)# tunnel ipsec vpn2 auto

hostname(config-tunnel-ipsec-auto)# isakmp-peer peer2

hostname(config-tunnel-ipsec-auto)# ipsec-proposal esp-md5-des-g2

hostname(config-tunnel-ipsec-auto)# exit

hostname(config)# int tunnel1

hostname(config-if-tun1)# zone vpn

hostname(config-if-tun1)# tunnel ipsec vpn1

hostname(config-if-tun1)# exit

hostname(config)# int tunnel2

hostname(config-if-tun2)# zone vpn

hostname(config-if-tun2)# tunnel ipsec vpn2

hostname(config-if-tun2)# exit

Step 4: Configure policy and route for VPN

Device A

hostname(M0D1)(config)# ip vrouter trust-vr

hostname(M0D1)(config-vrouter)# ip route 192.168.1.2/24 tunnel1

hostname(M0D1)(config-vrouter)# ip route 192.168.10.2/24 tunnel1:1

hostname(M0D1)(config-vrouter)# ip route 172.16.20.0/24 192.168.2.2

hostname(M0D1)(config-vrouter)# ip route 172.16.20.0/24 192.168.20.2

hostname(M0D1)(config-vrouter)# exit

hostname(M0D1)(config)# rule id 1 from any to any service any permit

Device C

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 172.16.20.0/24 tunnel1 20

hostname(config-vrouter)# ip route 172.16.20.0/24 tunnel2 10

hostname(config-vrouter)# exit

hostname(config)# rule id 1 from any to any service any permit

SSL VPN

Overview
The device provides an SSL-based remote access solution. Remote users can securely access
intranet resources through SSL VPN.
SSL VPN requires an SSL VPN server and an SSL VPN client. The SSL VPN server provides the
following functions:

• Accepting connections from the client;

• Assigning IP addresses, DNS server addresses, and WINS server addresses to SSL VPN
clients;

• Authenticating and authorizing SSL VPN clients;

• Security check of SSL VPN client hosts;

• Decrypting and forwarding encrypted packets from the client.

The SSL VPN client for Hillstone devices is called Hillstone Security Connect. You can
download and install it on your PC. When your client has successfully connected to the SSL VPN
server, your communication with the server is encrypted and secured.
The default number of concurrent online clients varies by hardware platform. If you need a
larger client number, consult your local agent to purchase a new SSL VPN license.

Configuring SSL VPN Server


This section describes the following configurations for the SSL VPN server:

• Configuring an IPv4 Access Address Pool

• Configuring an IPv6 Access Address Pool

• Configuring Resources List

• Configuring a UDP Port

• Configuring an SSL VPN Instance

• Binding the SSL VPN Instance to a Tunnel Interface

• Authentication Using UKey Certificate

• Two-Step Verification

• Host Binding

• Host Check

• Optimal Path Detection

• Force Disconnecting an SSL VPN Client

• Allowing Password Change by Local Users

• Configuring Change Password URL of the Client

• Configuring Forgot Password URL of the Client

• Configuring SSL Cipher Suite

• Exporting and Importing a User-list File

• Control the Access by Using the Radius Server

• General Configuration

Configuring an IPv4 Access Address Pool

An address pool stores the IPv4 addresses allocated to clients. When a client connects to the
server, the server takes an IPv4 address from the address pool and assigns it to the client, together
with the pool's client settings (such as the DNS server and WINS server addresses). To create an
address pool, in the global configuration mode, use the following command:
access-address-pool pool-name

• pool-name – Specifies a name for the address pool.

This command creates a new address pool and leads you into the address pool configuration
mode; if the pool with this name exists, you will enter its configuration mode directly.
To delete an address pool, in the global configuration mode, use the following command:
no access-address-pool pool-name
The following sections explain how to configure address pools, including:

• Configuring an address range and network mask of a pool

• Configuring excluded addresses

• Configuring an IP binding rule

• Configuring a DNS server

• Configuring a WINS server

Configuring an IP Range of the Address Pool

To configure the start IP, end IP and network mask of an address pool, in the IPv4 address pool
configuration mode, use the following command:
address start-ip end-ip netmask A.B.C.D

• start-ip – Specifies the start IPv4 address.

• end-ip – Specifies the end IPv4 address.

• netmask A.B.C.D – Specifies the network mask for this IPv4 address range.

To delete the IP range setting of an address pool, in the IPv4 address pool configuration mode,
use the following command:
no address

Configuring Reserved Addresses

Some addresses in the address pool need to be reserved for other devices, such as gateways and
FTP servers. These reserved IPv4 addresses are never allocated to clients.
To configure the start IP and end IP of the reserved IP range, in the IPv4 address pool configuration
mode, use the following command:
exclude address start-ip end-ip

• start-ip – Specifies the start IP of the reserved IP range.

• end-ip – Specifies the end IP of the reserved IP range.

To delete the reserved address range, in the IPv4 address pool configuration mode, use the fol-
lowing command:
no exclude

Configuring IP Binding Rules

If an IPv4 client needs a static IPv4 address, an IP-user binding rule can meet this requirement:
binding the client's user to an IPv4 address in the address pool guarantees that this address is
allocated to the client whenever it connects to the server. In addition, the IPv4 address for a client
can be confined to an address range by an IP-role binding, which defines an IP range for a role;
when a client with that role connects to the server, it gets one address from the IPv4 range bound
to the role.
When the server allocates IPv4 addresses, it follows the rules below:

1. Check whether an IP-user binding rule is configured for the client. If yes, allocate the
bound IP to the client; if no, the server selects an IP that is neither bound nor in use from
the address pool and allocates it to the client.

2. Check whether an IP-role binding rule is configured for the client. If yes, get an IP from
the bound IP range and allocate it to the client; if no, the server selects an IP that is neither
bound nor in use from the address pool and allocates it to the client.

Notes: IPv4 addresses in the IP-user binding rules and those in the IP-role binding
rules should not conflict with each other.

Binding an IP to a User

To bind an IP address to a user, in the IPv4 address pool configuration mode, use the following
command:
ip-binding user user-name ip ip-address

• user user-name – Specifies the username.

• ip ip-address – Specifies an available IPv4 address in the address pool which will be bound
to the user.

To cancel an IP-user binding, in the IPv4 address pool configuration mode, use the following
command:
no ip-binding user user-name

Binding an IP to a Role

To bind an IP address to a role, in the IPv4 address pool configuration mode, use the following
command:
ip-binding role role-name ip_range start-ip end-ip

l role role -name – Specifies the role name.

l ip_range start-ip end-ip – Specifies the available IP range (start IPv4 address and end IPv4
address) in the address pool.

To cancel a binding between an IP range and a role, in the IPv4 address pool configuration mode,
use the following command:
no ip-binding role role-name

Changing the Sequence of IP-Role Binding

Normally, if a user belongs to multiple roles which bind to different IPv4 addresses, the system
searches for the first rule which matches the user and applies the IPv4 address under this rule to
the user. By default, new rule is at the bottom of the rule list.
To move the position of an IP-role binding rule in the rule list, in the IPv4 address pool con-
figuration mode, use the following command:
move role-name1 {before role-name2 | after role-name2 | top | bottom}

l role-name1 – Specifies the role whose binding you want to move.

l before role-name2 – Moves the binding rule before the IP-role binding specified here.

l after role-name2 – Moves the binding rule after the IP-role binding specified here.

l top – Moves the binding rule to the top of the IP-role binding rule list.

l bottom – Moves the binding rule to the bottom of the IP-role binding rule list.

Configuring a DNS Server

To specify a DNS server, in the IPv4 address pool configuration mode, use the following com-
mand:
dns address1 [ address2 ] [ address3 ] [ address4 ]

l address1 – Specifies the IPv4 address of a DNS server. You can specify up to four addresses.

To cancel the DNS setting, in the IPv4 address pool configuration mode, use the following com-
mand:
no dns

Configuring a WINS Server

To specify a WINS server, in the IPv4 address pool configuration mode, use the following com-
mand:
wins address1 [address2 ]



l address1 – Specifies the IPv4 address of a WINS server. You can specify up to two WINS
servers.

To cancel the WINS server setting, in the IPv4 address pool configuration mode, use the fol-
lowing command:
no wins

Viewing IPv4 Address Pool

To view information about an IPv4 address pool, in any mode, use the following command:
show access-address-pool [ pool-name ]

l pool-name – Specifies the name of IPv4 address pool to be shown. If this parameter is not
specified, you can view all IPv4 address pools.

Here is an example of viewing IPv4 address pool:

hostname(config)# show access-address-pool pool_test1

Name: pool_test1

Address range: 3.3.3.1 - 3.3.3.10 (start IP and end IP)


Exclude range: 3.3.3.1 - 3.3.3.2 (reserved IP addresses)
Netmask: 255.255.255.0 (network mask of the address pool)
Wins server: (WINS server setting)
wins1: 10.1.1.1
Dns server: (DNS server setting)
dns1: 10.10.209.1
IP Binding User: (IP-user binding)
test 3.3.3.8
IP Binding Role: (IP-role binding)
role1 3.3.3.3 3.3.3.7



To view statistical information about an IPv4 address pool, in any mode, use the following com-
mand:
show access-address-pool pool-name statistics

l pool-name – Specifies the name of IPv4 address pool whose statistics you want to view.

Here is an example of viewing statistics of an IPv4 address pool:

hostname(config)# show access-address-pool pool_test1 statistics

Total Ip Num 10 (total IP count in the address pool)


Exclude Ip Num 2 (reserved IP count)
Fixed Ip Num 6 (bound IP count)
Used Ip Num 2 (assigned IP count)
Fixed Used Ip Num 0 (assigned IP among the bound IP addresses)
Free Ip Num 6 (available IP count in the address pool)

Configuring an IPv6 Access Address Pool

An IPv6 address pool is used to store IPv6 addresses allocated to clients. When a client connects to
its server, the server takes an IPv6 address from the address pool according to the client
properties (such as the DNS server address or WINS server address) and gives it to the client.
To create an IPv6 address pool, in the global configuration mode, use the following command:
access-address-pool-ipv6 pool-name

l pool-name – Specifies a name for the address pool.

This command creates a new address pool and leads you into the IPv6 address pool configuration
mode; if the pool with this name exists, you will enter its configuration mode directly.
To delete an IPv6 address pool, in the global configuration mode, use the following command:
no access-address-pool-ipv6 pool-name
The following sections explain how to configure IPv6 address pool, including:



l Configuring an address range and prefix of a pool

l Configuring excluded addresses

l Configuring an IP binding rule

l Configuring a DNS server

Configuring an IP Range of the Address Pool

To configure the start IP, end IP and prefix length of an IPv6 address pool, in the IPv6 address
pool configuration mode, use the following command:
address start-ipv6-address end-ipv6-address prefix prefix-length

l start-ipv6-address – Specifies the start IPv6 address.

l end-ipv6-address – Specifies the end IPv6 address.

l prefix prefix-length – Specifies the prefix for this IPv6 address range. The range is 111 to
128.

To delete the IP range setting of an address pool, in the IPv6 address pool configuration mode,
use the following command:
no address

Configuring Reserved Addresses

Some addresses in the address pool need to be reserved for other devices, such as gateways, FTP
servers, etc. These reserved IPv6 addresses are not allocated to clients.
To configure the start IP and end IP of reserved IP range, in the IPv6 address pool configuration
mode, use the following command:
exclude address start-ipv6-address end-ipv6-address

l start-ipv6-address – Specifies the start IP for reserved IP range.

l end-ipv6-address – Specifies the end IP for reserved IP range.



To delete the reserved address range, in the IPv6 address pool configuration mode, use the fol-
lowing command:
no exclude

Configuring IP Binding Rules

If an IPv6 client needs a static IPv6 address, an IP-user binding rule can be applied to meet this
requirement. Binding the user of the IPv6 client to an IPv6 address in the address pool guarantees
that this IPv6 address is allocated to the client when it reaches the server. In addition, the IPv6
address for a client can be confined to an address range by using an IP-role binding, which defines
an IP range for the role. When a client with the role connects to the server, it gets one address
from the IPv6 addresses bound to this role.
When an IPv6 server allocates IPv6 addresses, it follows the rules below:

1. Check whether the IP-user binding rule is configured for the client. If yes, allocate the
bound IP to the client; if no, the server will select an IP which is not bound or used from
the address pool, then allocate it to the client.

2. Check whether the IP-role binding rule is configured for the client. If yes, get an IP from
the IP range and allocate it to the client; if no, the server will select an IP which is not bound
or used from the address pool, then allocate it to the client.

Notes: IPv6 addresses in the IP-user binding rules and those in the IP-role binding
rules should not conflict with each other.

Binding an IP to a User

To bind an IP address to a user, in the IPv6 address pool configuration mode, use the following
command:
ip-binding user user-name ip ipv6-address



l user user-name – Specifies the username.

l ip ipv6-address – Specifies an available IPv6 address in the address pool which will be bound
to the user.

To cancel an IP-user binding, in the IPv6 address pool configuration mode, use the following
command:
no ip-binding user user-name

Binding an IP to a Role

To bind an IP address to a role, in the IPv6 address pool configuration mode, use the following
command:
ip-binding role role-name ip-range start-ipv6-address end-ipv6-address

l role role-name – Specifies the role name.

l ip-range start-ipv6-address end-ipv6-address – Specifies the available IP range (start IPv6
address and end IPv6 address) in the address pool.

To cancel a binding between an IP range and a role, in the IPv6 address pool configuration mode,
use the following command:
no ip-binding role role-name

Changing the Sequence of IP-Role Binding

Normally, if a user belongs to multiple roles which bind to different IPv6 addresses, the system
searches for the first rule which matches the user and applies the IPv6 address under this rule to
the user. By default, a new rule is placed at the bottom of the rule list.
To move the position of an IP-role binding rule in the rule list, in the IPv6 address pool con-
figuration mode, use the following command:
move role-name1 {before role-name2 | after role-name2 | top | bottom}



l role-name1 – Specifies the role whose binding you want to move.

l before role-name2 – Moves the binding rule before the IP-role binding specified here.

l after role-name2 – Moves the binding rule after the IP-role binding specified here.

l top – Moves the binding rule to the top of the IP-role binding rule list.

l bottom – Moves the binding rule to the bottom of the IP-role binding rule list.

Configuring a DNS Server

To specify a DNS server, in the IPv6 address pool configuration mode, use the following com-
mand:
dns ipv6-address1 [ ipv6-address2 ] [ ipv6-address3 ] [ ipv6-address4 ]

l ipv6-address1 – Specifies the IPv6 address of a DNS server. You can specify up to four
addresses.

To cancel the DNS setting, in the IPv6 address pool configuration mode, use the following com-
mand:
no dns

Viewing IPv6 Address Pool

To view information about an IPv6 address pool, in any mode, use the following command:
show access-address-pool-ipv6 [ pool-name ]

l pool-name – Specifies the name of IPv6 address pool to be shown. If this parameter is not
specified, you can view all IPv6 address pools.

Here is an example of viewing IPv6 address pool:

hostname(config)# show access-address-pool-ipv6

===================================================
Name Address range Prefix length
--------------------------------------------------------
1-ipv6-pool 1000:5678:2222~ - 1000:5678:2222~112

2-ipv6-pool 1001:5678:2222~ - 1001:5678:2222~112

3-ipv6-pool 1002:5678:2222~ - 1002:5678:2222~112

4-ipv6-pool 1003:5678:2222~ - 1003:5678:2222~112

5-ipv6-pool 1004:5678:2222~ - 1004:5678:2222~112

6-ipv6-pool 1005:5678:2222~ - 1005:5678:2222~112

========================================================
hostname(config)# show access-address-pool-ipv6 2-ipv6-pool

Name: 2-ipv6-pool

Address range: 1001:5678:2222:3333:5555:ABCD:EFAB:1000 - 1001:5678:2222:3333:5555:ABCD:EFAB:3000 (start IP and end IP)
Exclude range: 1001:5678:2222:3333:5555:ABCD:EFAB:1000 - 1001:5678:2222:3333:5555:ABCD:EFAB:2000 (reserved IPv6 addresses)
prefix length: 112 (prefix length of the address pool)
Dns server: (DNS server setting)
dns1: AAAA:BBBB::1
dns2: 3333:2222::1

To view statistical information about an IPv6 address pool, in any mode, use the following com-
mand:
show access-address-pool-ipv6 pool-name statistics

l pool-name – Specifies the name of IPv6 address pool whose statistics you want to view.

Here is an example of viewing statistics of an IPv6 address pool:



hostname(config)# show access-address-pool-ipv6 2-ipv6-pool statistics

Total Ip Num 10 (total IP count in the address pool)


Exclude Ip Num 2 (reserved IP count)
Fixed Ip Num 6 (bound IP count)
Used Ip Num 2 (assigned IP count)
Fixed Used Ip Num 0 (assigned IP among the bound IPv6 addresses)
Free Ip Num 6 (available IP count in the address pool)
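The allocation precedence above (the same two rules apply to the IPv4 pool described earlier and to this IPv6 pool) and the counters of the statistics output, worked through as an added Python model; this is not StoneOS code. The pool_test1 values come from the show output above; the client names, and the choice that an exhausted bound address or range fails rather than falling back to the free pool, are assumptions.

```python
import ipaddress


class AccessAddressPool:
    """Model of one access-address-pool (IPv4) or access-address-pool-ipv6 (IPv6)."""

    def __init__(self, name, start, end):
        self.name = name
        self.start, self.end = ipaddress.ip_address(start), ipaddress.ip_address(end)
        self.exclude = None       # (lo, hi) reserved by 'exclude address', never handed out
        self.user_bindings = {}   # 'ip-binding user': user -> address
        self.role_bindings = []   # 'ip-binding role': ordered list of (role, lo, hi)
        self.leases = {}          # connected client -> assigned address

    def _check(self, *addrs):
        for a in addrs:
            if a.version != self.start.version or not self.start <= a <= self.end:
                raise ValueError(f"{a} is outside the pool range")

    def set_exclude(self, lo, hi):
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        self._check(lo, hi)
        self.exclude = (lo, hi)

    def bind_user(self, user, ip):
        addr = ipaddress.ip_address(ip)
        self._check(addr)
        # The Notes above: user-bound addresses and role-bound ranges must not overlap.
        for role, lo, hi in self.role_bindings:
            if lo <= addr <= hi:
                raise ValueError(f"{addr} conflicts with the range bound to role {role}")
        self.user_bindings[user] = addr

    def bind_role(self, role, lo, hi):
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        self._check(lo, hi)
        for user, addr in self.user_bindings.items():
            if lo <= addr <= hi:
                raise ValueError(f"range conflicts with the address bound to user {user}")
        self.role_bindings.append((role, lo, hi))   # a new rule goes to the bottom of the list

    def _is_bound(self, addr):
        return addr in self.user_bindings.values() or any(
            lo <= addr <= hi for _, lo, hi in self.role_bindings)

    def _first_free(self, lo, hi, allow_bound):
        in_use = set(self.leases.values())
        cur = lo
        while cur <= hi:
            excluded = self.exclude is not None and self.exclude[0] <= cur <= self.exclude[1]
            if not excluded and cur not in in_use and (allow_bound or not self._is_bound(cur)):
                return cur
            cur += 1
        return None

    def allocate(self, client, roles=frozenset()):
        """Documented precedence: user binding, first matching role binding, then any free address."""
        if client in self.leases:
            return self.leases[client]
        if client in self.user_bindings:                 # rule 1: IP-user binding
            addr = self.user_bindings[client]
            addr = None if addr in self.leases.values() else addr
        else:
            for role, lo, hi in self.role_bindings:      # rule 2: first matching IP-role binding
                if role in roles:
                    addr = self._first_free(lo, hi, allow_bound=True)
                    break
            else:                                        # no binding: any unbound, unused address
                addr = self._first_free(self.start, self.end, allow_bound=False)
        if addr is not None:   # assumption: an exhausted bound address/range fails, no fallback
            self.leases[client] = addr
        return addr

    def statistics(self):
        """The counters printed by 'show access-address-pool[-ipv6] <name> statistics'."""
        total = int(self.end) - int(self.start) + 1
        excluded = int(self.exclude[1]) - int(self.exclude[0]) + 1 if self.exclude else 0
        fixed = len(self.user_bindings) + sum(int(hi) - int(lo) + 1 for _, lo, hi in self.role_bindings)
        used = len(self.leases)
        fixed_used = sum(1 for a in self.leases.values() if self._is_bound(a))
        return {"total": total, "exclude": excluded, "fixed": fixed, "used": used,
                "fixed_used": fixed_used, "free": total - excluded - used}


def demo_pool_test1():
    """Rebuilds pool_test1 from the show output above, then two unbound clients connect."""
    pool = AccessAddressPool("pool_test1", "3.3.3.1", "3.3.3.10")
    pool.set_exclude("3.3.3.1", "3.3.3.2")
    pool.bind_user("test", "3.3.3.8")
    pool.bind_role("role1", "3.3.3.3", "3.3.3.7")
    pool.allocate("alice")   # constructed clients without bindings: get 3.3.3.9 and 3.3.3.10
    pool.allocate("bob")
    return pool
```

After `demo_pool_test1()` the statistics match the pool_test1 output above (total 10, exclude 2, fixed 6, used 2, fixed used 0, free 6); note that bound but unused addresses still count as free.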

Configuring Resources List

A resource list refers to resources configured in the system that users can access conveniently.
Each resource contains multiple resource items. A resource item is presented in the form of the
resource name followed by the resource item name on the page shown in your default browser. After
the SSL VPN user is authenticated successfully, the authentication server sends the user's user
group information to the SSL VPN server. Then, according to the binding relationship between the
user group and resources in the SSL VPN instance, the server sends the list of resources that the
user can access to the client. The client then parses it and makes the IE browser that comes with
your system pop up a page displaying the received resource list, so that the user can access the
private network resource directly by clicking the resource item name. The resource list page is
popped up only once after authentication is passed. If a user does not belong to any user group,
the browser will not pop up the resource list page after authentication is passed.
To configure a SSL VPN resource, in the global configuration mode, use the following command:
scvpn resource-list list-name

l list-name – Specifies the resource name. The value range is 1 to 63.

After this command is executed, you will enter SSL VPN resource list configuration mode and
you can continue to configure resource items for the new resource. To delete a resource, in the
global configuration mode, use the following command:
no resource-list list-name



Notes:
l Fewer than 256 resource lists can be configured.

l The SSL VPN client versions that support configuring the resource list are as
follows: SSL VPN Windows client 1.4.6.1238 or later, iOS 2.0.6 or later, and
Android 4.6 or later.

Adding Resource Items

To add a resource item to a resource, in SSL VPN resource list configuration mode, use the fol-
lowing command:
name name url url-string

l name – Specifies the name for resource item. The value range is 1 to 95.

l url-string – Specifies the URL for resource item. The value range is 1 to 255.

To delete a resource item, in SSL VPN resource list configuration mode, use the following com-
mand:
no name name

Notes: The maximum number of configurable resource entries varies by platform, in
three levels: 200 entries, 500 entries, and 1000 entries.

Viewing Resource List

To view the configuration information of resource list, in any mode, use the following command:
show scvpn resource-list [list-name]

l list-name – Specifies the resource name you want to view. The value range is 1 to 63. Inform-
ation about all resources will be displayed if you keep this parameter unconfigured.



Configuring a UDP Port

To specify the UDP port number of the SSL VPN connection, in the global configuration mode, use
the following command:
scvpn-udp-port port-number

l port-number – Specifies the UDP port number. The value range is 1 to 65535. The default
value is 4433.

When UDP port number is specified, all SSL VPN connections will communicate on this port.
To restore to the default value, in the global configuration mode, use the following command:
no scvpn-udp-port

Configuring an SSL VPN Instance

To create an SSL VPN instance, in the global configuration mode, use the following command:
tunnel scvpn instance-name

l instance-name – Specifies a name for the SSL VPN instance.

This command creates an SSL VPN instance and leads you into the SSL VPN instance con-
figuration mode; if the instance exists, you will enter the SSL VPN instance configuration mode
directly.
To delete an SSL VPN instance, in the SSL VPN instance configuration mode, use the following
command:
no tunnel scvpn instance-name
This section describes how to configure an SSL VPN instance, including:

l Specifying the service type

l Specifying an access address pool

l Specifying a server interface



l Specifying an SSL protocol version

l Specifying a PKI trust domain

l Specifying an Encryption Trust Domain

l Specifying tunnel cipher suite

l Specifying an AAA server

l Specifying an HTTPS port number

l Configuring the transport protocol

l Configuring an SSL VPN tunnel route

l Configuring anti-replay

l Configuring packet fragmentation

l Configuring idle time

l Configuring multi-logon

l Configuring URL redirection

l Clearing cache data of the host that uses the SSL VPN client

l Using SSL VPN in HA peer mode

l Binding L2TP VPN instance

l Binding Resources

l Enabling/Disabling the Browser Login Function

Specifying the Service Type

By default, the service type of an SSL VPN instance is IPv4. This command can only be configured
when the version is IPv6. To specify the service type of the SSL VPN instance (IPv4 or IPv6), in
the SSL VPN instance configuration mode, use the following command:
service-type {ipv4 | ipv6}

l ipv4 | ipv6 – Specifies the service type of the SSL VPN instance, including IPv4 or IPv6.

Specifying an Access Address Pool

To specify an IPv4 address pool for the IPv4 SSL VPN instance, in the SSL VPN instance con-
figuration mode, use the following command:
access-address-pool pool-name

l pool-name – Specifies the name of IPv4 address pool.

To cancel the IPv4 address pool, in the SSL VPN instance configuration mode, use the following
command:
no access-address-pool
To specify an IPv6 address pool for the IPv6 SSL VPN instance, in the SSL VPN instance con-
figuration mode, use the following command:
access-address-pool-ipv6 pool-name

l pool-name – Specifies the name of IPv6 address pool.

To cancel the IPv6 address pool, in the SSL VPN instance configuration mode, use the following
command:
no access-address-pool-ipv6

Specifying a Server Interface

The client uses HTTPS to access the device. To specify the SSL VPN interface of the device, in
the SSL VPN instance configuration mode, use the following command:
interface interface-name

l interface-name – Specifies the name of the interface for the SSL VPN client to connect.

To cancel the SSL VPN interface, in the SSL VPN instance configuration mode, use the following
command:
no interface interface-name

Specifying an SSL Protocol Version

To specify the SSL protocol version of an SSL VPN instance, in the SSL VPN instance con-
figuration mode, use the following command:
ssl-protocol { tlsv1 | tlsv1.2 | gmssl | any }

l tlsv1 – Uses TLSv1 protocol.

l tlsv1.2 – Uses TLSv1.2 protocol. This is the default option.

l gmssl – Uses the GMSSLv1.0 protocol. After selecting this option, it is recommended that you
select a trust domain that contains an SM2 key for both the PKI trust domain and the encryption
trust domain. SM4 is preferred as the encryption algorithm and SM3 as the hash algorithm.

l any – Uses any of the following protocols: TLSv1, TLSv1.1 and TLSv1.2.

To restore to the default value, in the SSL VPN instance configuration mode, use the following
command:
no ssl-protocol
If tlsv1.2 or any is specified as the SSL protocol on the SSL VPN server, you need to convert the
certificate that you are going to import into the browser, or the certificate in the USB Key, so
that it supports the tlsv1.2 protocol before digital certificate authentication via the SSL VPN
client; otherwise the SSL VPN server cannot be connected when the Username/Password + Digital
Certificate or Digital Certificate Only authentication method is selected. Prepare a PC running
Windows or Linux with OpenSSL 1.0.1 or later installed before processing the certificate.
Taking the certificate file named oldcert.pfx as an example, the procedure is as follows:

1. In the OpenSSL software interface, enter the following command to convert the certificate in
.pfx format to a certificate in .pem format: openssl pkcs12 -in oldcert.pfx -out cert.pem

2. Enter the following command to convert the certificate in .pem format to a .pfx format
certificate that supports the tlsv1.2 protocol: openssl pkcs12 -export -in cert.pem -out
newcert.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

3. Import the newly generated .pfx format certificate into your browser or USB Key.

After the above operation, you have to log into the SSL VPN server with an SSL VPN client whose
version is 1.4.6.1239 or later. When configuring an SSL VPN function that uses the GM standard,
you need to install an SSL VPN client that supports the GM standard on the PC (the current
Windows client version that supports the GM standard is 1.4.7.1252), and log in with the GM
username/password.

Specifying a PKI Trust Domain

PKI trust domain in SSL VPN is used in HTTPS authentication.


To specify a PKI trust domain for SSL VPN instance, in the SSL VPN instance configuration
mode, use the following command:
trust-domain trust-domain-name

l trust-domain-name – Specifies the name of PKI trust domain. The default domain is trust_
domain_default.

To restore to the default value, in the SSL VPN instance configuration mode, use the following
command:
no trust-domain

Tip: For information on how to create a PKI trust domain, see “PKI” in the
“User Authentication”

Specifying an Encryption Trust Domain

To specify the encryption trust domain, which is used for the GMSSL negotiation of the SSL VPN,
in the SSL VPN configuration mode, use the following command:
trust-domain-enc enc-cert



l enc-cert – Specifies the system-predefined encryption trust domain used for the GMSSL
negotiation.

To delete the configured encryption trust domain, in the SSL VPN configuration mode, use the
following command:
no trust-domain-enc

Specifying Tunnel Cipher Suite

Tunnel cipher suite includes encryption algorithm, authentication algorithm and compression
algorithm.
To specify cipher suite for the tunnel, in the SSL VPN instance configuration mode, use the fol-
lowing command:
tunnel-cipher encryption {null | des | 3des | aes | aes192 | aes256 | sm4} hash {null | md5
| sha | sha256 | sha384 | sha512 | sm3} [compression defl]

l null | des | 3des | aes | aes192 | aes256 | sm4 – Specifies an encryption algorithm. The
default value is AES. Null means no encryption is specified. For more information about
encryption algorithms, see Encryption Algorithm.

l null | md5 | sha | sha256 | sha384 | sha512| sm3 – Specifies an authentication algorithm.
The default value is MD5. Null means no authentication is specified. For more information
about authentication algorithms, see Hash Algorithm.

l compression defl – Specifies the compression algorithm DEFLATE. The default setting is
no compression. For more information on compression algorithms, see Compression
Algorithm.

To restore to the default algorithm settings, in the SSL VPN instance configuration mode, use the
following command:
no tunnel-cipher

Specifying an AAA Server

AAA server in SSL VPN is used for client user authentication.



To specify an AAA server, in the SSL VPN instance configuration mode, use the following com-
mand:
aaa-server aaa-server-name [domain domain-name ] [ keep-domain-name ]

l aaa-server-name – Specifies the name of AAA server you want to use for authentication.

l domain domain-name – Specifies the domain for the AAA server so that it can be dis-
tinguished from other servers.

l keep-domain-name – After specifying this parameter, the AAA server uses the full name of
the user, including the username and the domain name, to perform the authentication.

To cancel the AAA server in an SSL VPN, in the SSL VPN instance configuration mode, use the
following command:
no aaa-server aaa-server-name [domain domain-name]

Specifying an HTTPS Port Number

HTTPS port is used for the clients to access the device.


To specify an HTTPS port number, in the SSL VPN instance configuration mode, use the fol-
lowing command:
https-port port-number

l port-number – Specifies a port number of HTTPS protocol in SSL VPN instance. The range
is 1 to 65535. The default value is 4433. As Web browser uses port 443 for HTTPS, do not
choose 443 as the SSL VPN HTTPS port number. If multiple SSL VPN instances use the
same interface, their HTTPS ports should have different port numbers.

To restore to the default value, in the SSL VPN instance configuration mode, use the following
command:
no https-port



Configuring the Transport Protocol

The system supports ZTNA data transmission over TCP or UDP. The default protocol is UDP,
and the default port is 4433. To configure the transport protocol and port number, in the ZTNA
instance configuration mode, use the following command:
transport-service {tcp | udp} port-number

l tcp | udp - Specifies TCP or UDP for data transmission.

l port-number – Specifies the port number for data transmission. The range is 1 to 65535.

To delete the transport protocol and port number, in the ZTNA instance configuration mode, use
the following command:
no transport-service {tcp | udp}

Configuring an SCVPN Tunnel Route

To reach the destination network segment or destination domain name through SCVPN tunnel,
you need to specify them by configuring the SCVPN tunnel route.

l The specified destination network segment will be distributed to the VPN client, then the cli-
ent uses it to generate the route to the specified destination.

l The specified destination domain name will be distributed to the VPN client, and the client
will generate the route to the specified destination according to the resolving results from
DNS.

Configuring an IPv4 Tunnel Route to the Specified Network Segment

You can only specify the IPv4 SCVPN tunnel route for the IPv4 SSL VPN instance. To reach the
destination network segment through SCVPN tunnel, in the SCVPN instance configuration
mode, use the following command:
split-tunnel-route ip-address/netmask [ metric metric-number ]



l ip-address/netmask – Specifies the IP address and network mask of the destination network
segment.

l metric metric-number – Specifies a metric value for the route. The value range is 1 to 9999.
The default value is 35.

To delete a route, in the SCVPN instance configuration mode, use the following command:
no split-tunnel-route ip-address/netmask [ metric metric-number ]

Configuring an IPv6 Tunnel Route to the Specified Network Segment

You can only specify the IPv6 SCVPN tunnel route for the IPv6 SSL VPN instance. To reach the
destination network segment through SCVPN tunnel, in the SCVPN instance configuration
mode, use the following command:
split-tunnel-route-ipv6 ipv6-address/prefix [ metric metric-number ]

l ipv6-address/prefix – Specifies the IPv6 address and prefix length of the destination network
segment.

l metric metric-number – Specifies a metric value for the route. The value range is 1 to 9999.
The default value is 35.

To delete a route, in the SCVPN instance configuration mode, use the following command:
no split-tunnel-route-ipv6 ipv6-address/prefix [ metric metric-number ]

Configuring a Tunnel Route to the Specified Domain Name

After specifying the domain name, the system will distribute it to the client. The client will gen-
erate the route to the specified destination according to the resolving results from DNS. To spe-
cify the domain name, in the SCVPN instance configuration mode, use the following command:
domain-route {disable | enable | max-entries value | url}



l disable – Does not distribute the specified domain name to the client. This is the default
option.

l enable – Distributes the specified domain name to the client.

l max-entries value – The maximum number of routes that can be generated after obtaining
the resolved IP addresses of the domain name. The default value is 1000. The value ranges
from 1 to 10000.

l url – Specifies the URL of the domain name. You can add one each time, and you can add up
to 64 domain names. The URL cannot exceed 63 characters and cannot end with a dot (.).
Neither wildcards nor a single top-level domain (e.g., com or .com) are supported.

To delete the specified domain name, use the following command in the SCVPN instance con-
figuration mode:
no domain-route url

Configuring Anti-replay

Anti-replay prevents an attacker from re-injecting captured packets by rejecting packets that
have already been received.
To enable anti-replay, in the SSL VPN instance configuration mode, use the following command:
anti-replay {32 | 64 | 128 | 256 | 512}

l 32 – Specifies that the anti-replay window size is 32. This is the default value.

l 64 – Specifies that the anti-replay window size is 64.

l 128 – Specifies that the anti-replay window size is 128.

l 256 – Specifies that the anti-replay window size is 256.

l 512 – Specifies that the anti-replay window size is 512.

A larger window size is better suited to poor network conditions, such as severe packet reordering.
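What the window size buys under packet reordering, and what a replayed packet looks like to the receiver, as an added Python simulation that is not StoneOS code. The page does not describe the server's bookkeeping, so this uses the standard sliding-window check over per-packet sequence numbers (assumed to start at 1); the delivery orders are constructed.

```python
class AntiReplayWindow:
    """Sliding anti-replay window of the size set by 'anti-replay {32|64|128|256|512}'.

    Assumption (not from the page): bit i of the bitmap records whether sequence
    number (highest - i) has already been accepted, as in the usual IPsec-style check.
    """

    SIZES = (32, 64, 128, 256, 512)

    def __init__(self, size=32):
        if size not in self.SIZES:
            raise ValueError(f"window size must be one of {self.SIZES}")
        self.size = size
        self.highest = 0          # highest sequence number accepted so far (numbering starts at 1)
        self.bitmap = 0
        self.accepted = self.replayed = self.too_old = 0

    def check(self, seq):
        """Return True if the packet is accepted, False if it is a replay or fell behind the window."""
        if seq < 1:
            raise ValueError("sequence numbers start at 1")
        if seq > self.highest:                       # newer than anything seen: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            self.accepted += 1
            return True
        offset = self.highest - seq
        if offset >= self.size:                      # too far behind: indistinguishable from a replay
            self.too_old += 1
            return False
        if (self.bitmap >> offset) & 1:              # already accepted once: a replayed packet
            self.replayed += 1
            return False
        self.bitmap |= 1 << offset                   # late but legitimate: accept and remember it
        self.accepted += 1
        return True


def reordered_stream(count, delayed_seq, delay):
    """Constructed delivery order: packet delayed_seq arrives after `delay` later packets."""
    order = [s for s in range(1, count + 1) if s != delayed_seq]
    order.insert(delayed_seq - 1 + delay, delayed_seq)
    return order


def run_stream(size, order):
    """Feed a delivery order through a window of the given size and return the window."""
    window = AntiReplayWindow(size)
    for seq in order:
        window.check(seq)
    return window


if __name__ == "__main__":
    order = reordered_stream(100, 50, 40)            # packet 50 arrives 40 packets late
    for size in (32, 64):
        w = run_stream(size, order)
        print(f"window {size}: accepted={w.accepted} too_old={w.too_old} replayed={w.replayed}")
    w = run_stream(64, order + [100, 95])            # two captured packets injected again
    print(f"replayed packets rejected: {w.replayed}")
```

With a 32-packet window the legitimate packet delayed by 40 positions is dropped as too old, while the 64-packet window accepts it; the re-injected packets are rejected at either size.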



To restore the anti-replay window size to the default value, in the SSL VPN instance con-
figuration mode, use the following command:
no anti-replay

Configuring Packet Fragmentation

You can specify if packet fragmentation is permitted in the device.


To configure packet fragmentation, in the SSL VPN instance configuration mode, use the fol-
lowing command:
df-bit {copy | clear | set}

l copy - Copies the DF value from the destination of the packet. This is the default value.

l clear - Permits packet fragmentation.

l set - Forbids packet fragmentation.

To restore to the default value, in the SSL VPN configuration mode, use the following command:
no df-bit

Configuring Idle Time

Idle time defines how long a client may stay connected to the device without any operation.
When a client takes no action for the idle time specified here, it is forced to log out of the
device.
To specify the idle time, in the SSL VPN instance configuration mode, use the following com-
mand:
idle-time time-value

l time-value – Specifies the idle time value. The value range is 15 to 1500 minutes. The
default value is 30.

To restore to the default value, in the SSL VPN instance configuration mode, use the following
command:
no idle-time



Configuring Multi-logon

To allow multiple users to log in at multiple places with the same username simultaneously, in the
SSL VPN configuration mode, use the following command:
allow-multi-logon
This command enables the function and does not limit the login number. If you want to specify
the number of users logging in with the same username simultaneously, in the SSL VPN con-
figuration mode, use the following command:
allow-multi-logon number number

l number – Specifies the number of users who are allowed to log in with one username. The
value range is 1 to 99999999.

To disable multi-login, in the SSL VPN instance configuration mode, use the following command:
no allow-multi-logon

Configuring URL Redirection

URL redirection function in SSL VPN server displays a specified URL page to the authenticated
client user. By default, this function is disabled.
To enable URL redirection, in the SSL VPN instance configuration mode, use the following com-
mand:
redirect-url url title name

l url – Specifies the url address of the page shown for the new authenticated client. The value
range is 1 to 255 bytes. It can be an HTTP (http://) or an HTTPS (https://) address.

l title name – Specifies a description for the redirect page. The value range is 1 to 31 bytes.

To cancel URL redirection, in the SSL VPN instance configuration mode, use the following com-
mand:
no redirect-url



URL Format

You should follow the format of redirected URL pages defined by StoneOS. The format may vary
from URL types. Here are some format requirements for HTTP URL:

l For pages of UTF-8 encoding, type URL + username=$USER&password=$PWD, for example, type the
address http://www.abc.com/oa/login.do?username=$USER&password=$PWD.

l For pages of GB2312 encoding, type URL + username=$GBUSER&password=$PWD, for example, type the
address http://www.abc.com/oa/login.do?username=$GBUSER&password=$PWD.

l For other pages, type http://www.abc.com.

Notes: For configuration example of URL redirection feature, see Example of Con-
figuring URL Redirect.

Clearing Cache Data of the Host that Uses the SSL VPN Client

To protect the private data on the host that uses the SSL VPN client, you can clear the cache
data, including the cache in Web temporary files and other temporary files. To enable this
function, use the following command in the SSL VPN instance configuration mode:
host-cache-clear enable
To disable this function, use the following command in the SSL VPN instance configuration
mode:
host-cache-clear disable

Using SSL VPN in HA Peer Mode

In a network that uses HA peer mode, configure SSL VPN on both Hillstone devices. When one
device or its relevant links go down, the SSL VPN client can reconnect to the other device.
For this you configure the reconnection address table. The SSL VPN client reconnects to the
SSL VPN server according to the priority of the reconnection addresses: if it fails to
reconnect to one server, it tries every address in the table, in order, until it connects.
You can specify at most four reconnection addresses. Priority follows the order in which you
specify them: the first address has the highest priority and the last one the lowest. To
configure the reconnection address table, use the following command in the SSL VPN instance
configuration mode:
cluster {ip A.B.C.D | domain url} [port port-number] [{ip A.B.C.D | domain url}
[port port-number]] [{ip A.B.C.D | domain url} [port port-number]] [{ip A.B.C.D |
domain url} [port port-number]]

l ip A.B.C.D | domain url – Specifies the IP address or the domain name of the SSL VPN server.

l port port-number – Specifies the port number the SSL VPN server uses. The default port
is 4433.

Use the no cluster command to clear the above settings.


When using this function, note the following:

l If you select the Auto Reconnect option in the SSL VPN client and use the client-auto-connect
count command to set the number of reconnection attempts to unlimited, the SSL VPN client
only reconnects to the originally configured server and never to a server in the reconnection
address table. If you set the number of attempts to X, the SSL VPN client reconnects to the
servers in the table after X failed attempts to the originally configured server.

l If you do not select the Auto Reconnect option in the SSL VPN client, the SSL VPN client
directly reconnects to the servers you specified in the reconnection address table.

l With firmware that supports SSL VPN in HA peer mode, an SSL VPN client whose version is lower
than 1.4.4.1207 can still connect to the SSL VPN server if the server has no reconnection
address table configured; StoneOS prompts the user to update the SSL VPN client. If the server
has a reconnection address table configured, an SSL VPN client whose version is lower than
1.4.4.1207 cannot connect to the SSL VPN server. Uninstall the client, log in to the SSL VPN
Web Login page, download the new version of the SSL VPN client and install it. The new version
is also compatible with firmware that does not support this function.

Binding L2TP VPN Instance

When using the old version of the SSL VPN client (Hillstone byod client (HBC)) for iOS to
connect to the SSL VPN server, you need to bind an L2TP VPN instance to the SSL VPN instance,
and the bound L2TP VPN instance must reference an IPSec tunnel. To configure the binding, use
the following command in the SSL VPN instance configuration mode:
client-bind-lns tunnel-name

l tunnel-name – Specifies the name of the L2TP VPN instance to bind. This L2TP VPN instance
must reference an IPSec tunnel.

To cancel the binding, use the following command: no client-bind-lns

The L2TP VPN instance and the IPSec tunnel mentioned above must meet the following require-
ments:

l The authentication method of the IPSec tunnel must be pre-shared key authentication.

l The secret string of the L2TP instance (specified by the secret secret-string command) must
be the same as pre-shared key of the IPSec tunnel.

l The AAA servers used by the L2TP instance and the SSL VPN instance must be the same.

l The address pool of the L2TP instance must be configured correctly. The device will allocate
the corresponding IP addresses using the address pool of the L2TP instance.

Binding Resources

Only after binding rules between resources and user groups/roles have been configured can the
SSL VPN client make the IE browser pop up a page that displays the received resource list
after authentication succeeds. A user group/role can be bound to multiple resources, and a
resource can be bound to multiple user groups/roles. At most 256 binding entries can be
configured in an SSL VPN instance.
To configure a binding rule, use the following command in the SSL VPN instance configuration
mode:
bind resource-list list-name {user-group aaa-server-name group-name | role role-name}

l list-name – Specifies the resource name. The value range is 1 to 63.

l aaa-server-name – Specifies the AAA server name which the user group belongs to. Cur-
rently, only the local authentication server and the RADIUS server are available.

l group-name – Specifies the user group name.

l role role-name - Specifies the role name.

To cancel the binding settings, in the SSL VPN instance configuration mode, use the following
command:
no bind resource-list list-name {user-group aaa-server-name group-name | role role-name}

Enabling/Disabling the Browser Download Function

With the browser download function, you can download the SSL VPN client from the WebUI in the
browser. The function is enabled by default. When it is disabled, you can only download the
SSL VPN client from www.hillstonenet.com.cn.
To enable the function , in the SSL VPN instance configuration mode, use the following com-
mand:
client-download-page enable
To disable the function , in the SSL VPN instance configuration mode, use the following com-
mand:
client-download-page disable

Binding SSL VPN Instance to a Tunnel Interface

Only when an SSL VPN instance binds to a tunnel interface can it take effect.



To bind an SSL VPN instance to a tunnel interface, in the tunnel interface configuration mode,
use the following command:
tunnel scvpn instance-name

l instance-name – Specifies the name of the SSL VPN instance you want to bind.

To cancel the binding of an SSL VPN instance, in the tunnel interface configuration mode, use
the following command:
no tunnel scvpn instance-name

Authentication with USB Key Certificate

The client can authenticate with a certificate stored on a USB key. A USB key that supports the
Windows SDK Certificate Store Functions and holds a valid UKey certificate can pass the
authentication and connect to the server.
The USB Key certificate authentication supports the following authentication methods:

l Username/Password + USB Key Certificate: SSL VPN users should have a USB Key that
stores the correct digital certificate, and enter the correct user name, password and PIN code
when logging in before they can pass the authentication.

l USB Key Certificate Only: SSL VPN users should have a USB Key that stores the correct
digital certificate, and enter the correct PIN code when logging in to pass the authentication.

Notes: When using the authentication method of USB Key Certificate Only:

l The function of Allowing Password Change by Local User is not supported.

l The function of SMS Authentication is not supported.

l The SSL VPN client will not reconnect to the SSL VPN server automatically
if the USB Key is removed.

The following sections describe how to configure USB Key certificate authentication, including:

l Enabling USB Key certificate authentication

l Importing a CA certificate to a trust domain

l Configuring a trust domain

Enabling USB Key Certificate Authentication

By default, this function is disabled. To enable the USB Key certificate authentication, in the SSL
VPN instance configuration mode, use the following command:
client-cert-authentication [usbkey-only]

l usbkey-only – Specifies the USB Key authentication as USB Key only. If this parameter is
not specified, the authentication of Username/Password + USB Key will be used.

To disable the function, in the SSL VPN instance configuration mode, use the following com-
mand:
no client-cert-authentication [usbkey-only]

Importing a CA Certificate to a Trust Domain

CA certificates can be imported in several ways, including downloading from an FTP or TFTP
server and reading from a USB disk. To import a certificate, in the execution mode, use the
following command:
import pki trust-domain-name cacert from {ftp server ip-address [user user-name password
password] | tftp server ip-address | usb0 | usb1} file-name

l trust-domain-name – Specifies the name of the PKI trust domain.

l ftp server ip-address [user user-name password password] – Specifies the IP address of the
FTP server and the username and password to log in. If the server supports anonymous login,
skip the username and password.

l tftp server ip-address – Specifies the IP address of the TFTP server.

l usb0 | usb1 – Specifies the port to which the USB disk is plugged.

l file-name – Specifies the file name of the CA certificate; on a USB disk, the file must be in
the root directory.

Because every client certificate issued under this CA will pass USB Key authentication, verify
the fingerprint of the imported CA certificate against an out-of-band copy; FTP and TFTP give
the download no integrity protection.

Specifying a Trust Domain for the CA Certificate

USB Key certificate authentication requires a trust domain for the CA certificate. When the
certificate presented by the client is issued by (chains to) the CA certificate of one of the
configured trust domains, the client passes certificate authentication.
To specify a trust domain, in the SSL VPN instance configuration mode, use the following com-
mand:
client-auth-trust-domain trust-domain

l trust-domain – Specifies a configured PKI trust domain for the CA certificate. Repeat this
command to add more trust domains. The system supports up to 10 domains.

To cancel a PKI trust domain for a certificate, in the SSL VPN instance configuration mode, use
the following command:
no client-auth-trust-domain trust-domain

Tip: For information on how to create PKI trust domain, see “PKI” in the
“User Authentication”

Two-Step Verification

Two-Step Verification means that when an SSL VPN user logs in by providing a "user-
name/password" or a "username/password+Digital Certificate", the Hillstone device will imple-
ment the two-step verification by means of SMS Authentication, Token Authentication or Email
Authentication after the username and password is entered. The user must enter the random veri-
fication code received in order to log into SSL VPN and access intranet resources.

Enabling/Disabling Two-Step Verification

The two-step verification function is disabled by default. To enable or disable it, in the SSL
VPN instance configuration mode, use the following command:

l Enable: two-step verification enable

l Disable: two-step verification disable

Specifying the Type of Two-Step Verification

To specify the type of the two-step verification, in the SSL VPN instance configuration mode,
use the following command:
two-step verification type {token | sms modem | sms service-provider | email}

l token – Specifies to use token authentication for two-step verification.

l sms modem – Specifies to send a short message through an SMS modem for two-step
verification.

l sms service-provider – Specifies to send a short message through an SMS gateway for two-step
verification.

l email – Specifies to use Email authentication for two-step verification.

Token Authentication

The system supports authentication with a token password at login, and a user-defined prompt
message for token authentication.

Configuring Prompt Message

To configure the prompt message of the token authentication, in the SSL VPN instance con-
figuration mode, use the following command:
token-auth prompt-message message

l prompt-message message – Specifies the prompt message. The range is 1 to 255 characters.

SMS Authentication

SMS authentication means that when an SSL VPN user logs in by providing a username and
password, the Hillstone device, through an SMS modem or an SMS gateway, sends a dynamically
generated random password to the user's mobile phone number by SMS after the username and
password have been entered. The user must enter the random password received on the mobile
phone in order to log into SSL VPN and access intranet resources. This section describes how to
configure the global parameters for the SMS authentication function.

Notes: Not all platforms support SMS authentication.

Modem Authentication

The Hillstone device uses an external GSM modem. Before configuring the SMS authentication
function, prepare a SIM card and a GSM modem and connect the modem to the device properly:
first insert the SIM card into the GSM modem, then connect the modem to the USB port of the
device with a USB cable.
The following models of SMS modem are recommended:

Model                 Type                                        Interface
4G MODEM M1806-NC5    LTE(FDD), LTE(TDD), WCDMA, TD-SCDMA,        USB interface
                      GSM/GPRS/EDGE, CDMA2000
GSM MODEM M1206B      GSM                                         USB interface

The following sections introduce how to configure SMS authentication, including:

l Configuring a mobile phone number for SMS authentication

l Configuring expiration time of SMS auth-code

l Configuring the SMS Verification Code Length

l Configuring the SMS Verification Content

l Configuring a maximum SMS number

l Sending a test message

Configuring a Mobile Phone Number for SMS Authentication

SSL VPN local users and AD users to whom the administrator has assigned a mobile phone number
can authenticate with the SMS password sent by the system.
To configure the phone number for a local user, in the user configuration mode, use the
following command:
phone phone-number

l phone-number – Specifies the mobile phone number.

To cancel the number, in the user configuration mode, use the following command:
no phone
For an AD user, configure the mobile phone number in the mobile property of the user on the AD
server.

Configuring Expiration Time of SMS Auth-code

Each SMS authentication code has a validity period. If the user neither enters the auth-code
within that period nor requests a new code, the SSL VPN server disconnects the connection.
To configure the SMS auth-code validity period, in the SSL VPN instance configuration mode,
use the following command:
sms-auth expiration expiration

l expiration – Specifies the validity period. The range is 1 to 10 minutes. The default value is
10.

To restore the validity period to the default value, in the SSL VPN instance configuration mode,
use the following command:
no sms-auth expiration



Configuring the SMS Verification Code Length

To specify the length of the SMS verification code, in the SSL VPN instance configuration mode,
use the following command:
sms-auth verification-code-length length

l length – Specifies the length of the SMS verification code. The range is 4 to 8 characters.
The default value is 8.

In the SSL VPN instance configuration mode, use the following command to restore the default
value.
no sms-auth verification-code-length

Configuring the SMS Verification Content

To specify the SMS verification content, in the SSL VPN instance configuration mode, use the
following command:
sms-auth message-content content

l content – Specifies the SMS verification content. The input must contain "$VRFYCODE"
(this placeholder is replaced with the verification code). "$USERNAME" and "EXPIRATION"
are optional. The value range is 9 to 500 characters.

In the SSL VPN instance configuration mode, use the following command to restore the default
content.
no sms-auth message-content
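The three settings above (verification code length, expiration time and message content) working together, as an added example that is not StoneOS code: a Python class that issues a code under those constraints and verifies it as a single-use, time-limited second factor. The class and method names, the in-memory store of pending codes, the injectable clock and the sample message template are this example's assumptions; the page does not describe how StoneOS generates or stores its codes.

```python
"""Added example (not StoneOS code): the life cycle of an SMS verification
code under the settings described above: a code length of 4 to 8 digits
(sms-auth verification-code-length), a validity period of 1 to 10 minutes
(sms-auth expiration) and a message template that must contain $VRFYCODE and
may contain $USERNAME (sms-auth message-content). Names and the pending-code
store are this example's own."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class PendingCode:
    code: str
    expires_at: float
    used: bool = False


@dataclass
class SmsAuth:
    code_length: int = 8                      # 4..8, default 8
    expiration_min: int = 10                  # 1..10 minutes, default 10
    message_content: str = "Your SSL VPN verification code is $VRFYCODE"
    clock: Callable[[], float] = time.time    # injectable so expiry is testable
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def __post_init__(self):
        if not 4 <= self.code_length <= 8:
            raise ValueError("verification-code-length must be 4..8")
        if not 1 <= self.expiration_min <= 10:
            raise ValueError("expiration must be 1..10 minutes")
        if "$VRFYCODE" not in self.message_content:
            raise ValueError("message-content must contain $VRFYCODE")

    def issue(self, username: str) -> str:
        """Generate a fresh code with a CSPRNG (never the random module: the
        code is the second factor) and return the SMS text to send."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.code_length))
        self.pending[username] = PendingCode(code, self.clock() + 60 * self.expiration_min)
        return (self.message_content
                .replace("$VRFYCODE", code)
                .replace("$USERNAME", username))

    def verify(self, username: str, submitted: str) -> bool:
        """Single use, time-limited, compared in constant time."""
        entry = self.pending.get(username)
        if entry is None or entry.used or self.clock() > entry.expires_at:
            self.pending.pop(username, None)   # expired or consumed: drop it
            return False
        ok = hmac.compare_digest(entry.code.encode(), submitted.encode())
        if ok:
            entry.used = True   # a replayed code must not work a second time
        return ok
```

The choices that matter: secrets rather than random, because a predictable code defeats the second factor; compare_digest, so response timing does not leak how many leading digits were right; and marking the entry used, so a code captured from the phone cannot be replayed within its validity window.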

Configuring a Maximum SMS Number

You can specify the maximum number of SMS messages the SMS modem sends per hour or per day.
If the modem is asked to send more messages than the maximum, it rejects them and records a
log. Set this limit: without it, a client that repeatedly triggers authentication can drain
the SIM card's credit and flood users with messages.
To configure the maximum SMS number, in the global configuration mode, use the following
command:
sms modem {num-per-hour | num-per-day} number

l {num-per-hour | num-per-day} number – Specifies the maximum number of SMS messages
per hour or per day. The value range is 1 to 1000.

To remove the limit on the number of SMS messages sent by the SMS modem per hour or per day,
in the global configuration mode, use the following command:
no sms modem {num-per-hour | num-per-day}

Sending a Test Message

To test if the device works properly, you can send a test message to a phone number.
To send a test message, in any mode, use the following command:
exec sms send test-message to phone-number

l phone-number – Specifies the phone number which receives the test message.

If the phone of the test number does not receive the test message, the system will record a log
with description about failure reason.

Viewing SMS Modem Settings

To view the configuration information of an SMS modem, in any mode, use the following com-
mand:
show sms modem

SMS Gateway Authentication

The Hillstone device, through an SMS gateway or another proxy server, can send a short message
to users after the username and password have been entered. Before configuring the function,
ask the supplier for the necessary information, such as the gateway address and the device ID
that sends the short messages.
SMS gateway authentication configuration includes:

1. Create a Service Provider (SP) instance.

2. Bind the SP instance to a configured SSL VPN tunnel, and enable the SMS gateway
authentication function.

Specifying the Default Protocol Type of SMS gateway

The SMS gateway protocol types supported by the device are SGIP, UMS, ACC, ALIYUNSMS, XUANWU,
CAS, BEIKE and HTTP(S). SGIP is the SGIP protocol of China Unicom. UMS is the enterprise
information platform of China Unicom. ACC is the ACC protocol of China Telecom. ALIYUNSMS is
the SMS service platform of Alibaba Cloud. XUANWU is the Xuanwu Technology SMS service
platform. CAS is the 12302 SMS service platform. BEIKE is the BEIKE SMS gateway. HTTP(S) is
the HTTP/HTTPS protocol. To specify the default protocol type of the SMS gateway, in the
global configuration mode, use the following command:
sms service-provider default-protocol {sgip | ums | acc | aliyunsms | xuanwu | cas | beike |
http(s)}

l sgip | ums | acc | aliyunsms | xuanwu | cas | beike | http(s) – Specifies the default
protocol type of the SMS gateway that an SP instance runs, as listed above.

In the global configuration mode, use the command no sms service-provider default-protocol to
cancel the specified default protocol type.

Creating an SP Instance

To create an SP instance, use the following command in the global configuration mode:
sms service-provider sp-name [protocol {sgip | ums | acc | aliyunsms | xuanwu | cas |
beike | http(s)}]

l sp-name – Specifies the SP instance name. The value range is 1 to 31.

l protocol {sgip | ums | acc | aliyunsms | xuanwu | cas | beike | http(s)} – Specifies the
protocol of the SMS gateway that the SP instance runs. SGIP is the SGIP protocol of China
Unicom. UMS is the enterprise information platform of China Unicom. ACC is the ACC protocol of
China Telecom. ALIYUNSMS is the SMS service platform of Alibaba Cloud. XUANWU is the Xuanwu
Technology SMS service platform. CAS is the 12302 SMS service platform. BEIKE is the BEIKE
SMS gateway. HTTP(S) is the HTTP/HTTPS protocol.

This command creates an SP instance and leads you into the SP instance configuration mode; if
the instance exists, you will enter the SP instance configuration mode directly. The system sup-
ports at most eight SP instances now.
In the global configuration mode, use the following command to delete the specified SP instance:
no sms service-provider sp-name
In the SP instance configuration mode, you can configure as follows:

l Specifying the VRouter

l Specifying the Request Method

l Specifying the Charset

l Specifying the UMS/ACC/ALIYUNSMS/CAS/BEIKE Protocol

l Specifying the URL

l Specifying the Success Code

l Specifying the Attributes

l Specifying the Gateway Address and Port Number



l Specifying the Number to Send Auth-message

l Specifying the Device ID

l Specifying the Username and Password

l Specifying the Template Parameter

l Specifying a Maximum SMS Number

l Enabling/Disabling the Sending Sign Code Function

l Sending a test message

l Specifying the Company Code

l Specifying the AccessKeyId

l Specifying the AccessKeySecret

l Specifying Instance of SMS Gateway

l Enabling/Disabling SMS Gateway Authentication

l Specifying the Sender Name or Sign Name

l Specifying the Template Code

l Specifying the Request Type

l Specifying the Organization Code

l Specifying the SMS Service Type

l Specifying the Trading Code

l Specifying the Channel



Specifying the VRouter

The system supports multiple VRouters (multi-VR); the default VR is trust-vr. To specify the
VRouter to which the SP instance belongs, use the following command:
vrouter {trust-vr | vr-name}

l trust-vr – Specifies the VR as trust-vr.

l vr-name – Specifies a created VR.

In the SP instance configuration mode, use the following command to restore the default VR:
no vrouter {trust-vr | vr-name}

Specifying the Request Method

When the HTTP (S) protocol type is specified for the SP instance, you can specify the request
method of HTTP(S). The default request method is POST. To specify the request method, in the
SP instance configuration mode, use the following command:
request-type [get | post]

l get–Specifies the request method of HTTP(S) as GET.

l post– Specifies the request method of HTTP(S) as POST.

To restore the default request type, use the command no request-type.

Specifying the Charset

When the HTTP (S) protocol type is specified for the SP instance, you can specify the charset of
HTTP(S). The default charset is UTF-8. To specify the charset, in the SP instance configuration
mode, use the following command:
charset [utf-8 | gbk]

l utf-8–Specifies to use UTF-8 to encode the content of the authentication message.

l gbk–Specifies to use GBK to encode the content of the authentication message.

To restore the default charset, use the command no charset.



Specifying the UMS/ACC/ALIYUNSMS/CAS/BEIKE Protocol

To specify the protocol of UMS, ACC , ALIYUNSMS, CAS or BEIKE, in the SP instance con-
figuration mode, use the following command:
protocol {http | https}

l http | https – Specifies the protocol type as HTTP or HTTPS. The default protocol of UMS,
CAS and BEIKE is HTTPS. The default protocol of ACC and ALIYUNSMS is HTTP. With HTTP, the
credentials the SP instance sends to the gateway (username/password, AccessKeyId and
AccessKeySecret) and the verification codes themselves cross the network in cleartext; use
HTTPS wherever the gateway supports it.

In the SP instance configuration mode, use the following command to restore the default protocol
type:
no protocol

Specifying the URL

When the HTTP (S) protocol type is specified for the SP instance, you can specify the URL of
HTTP(S). You need to enter a complete access path. The system requests to communicate with
the SMS gateway based on the specified URL address. To specify the URL address, in the SP
instance configuration mode, use the following command:
url url-string

l url-string – Specifies the URL address of the SMS gateway, such as "http(s)://1.1.1.1". The
range is 1 to 255 characters.

To delete the specified URL address, use the command no url.

Specifying the Success Code

When the HTTP(S) protocol type is specified for the SP instance, you can specify the success
code of HTTP(S). The success code is used to determine whether the SMS gateway sent an
authentication message successfully. After the SMS gateway sends an authentication message to
the mobile phone, it returns a reply containing a status code to the system. If the reply
contains the specified success code, the system judges that the authentication message was
sent successfully. For example, if an SMS gateway returns "OK: 325689" on success and
"ERROR: eUser" on failure, you can specify the success code as "OK": when the system receives
the gateway's reply, it checks whether the reply contains "OK", and if so treats the message as
sent. Because this is a substring match, choose a code that cannot occur inside the gateway's
failure replies. To specify the success code, in the SP instance configuration mode, use the
following command:
success-code string

l string – Specifies the success code. The range is 1 to 50 characters. Different SMS gateways
return different status codes; refer to the SMS gateway manual.

To delete the specified success code, use the command no success-code.

Specifying the Attributes

When the HTTP(S) protocol type is specified for the SP instance, you can configure attributes
used to communicate with the SMS gateway: the parameter name of the mobile number field, the
parameter name of the message content field, the password field, the username field, and so
on. You can configure up to 32 attributes. The parameter name of the mobile number field and
the parameter name of the message content field are default attributes and must be specified.
To specify the parameter name of the mobile number field and the parameter name of the message
content field, in the SP instance configuration mode, use the following command:
default-attribute {phone-attr-name phone-attr-name | msg-content-attr-name msg-content-name}

l phone-attr-name phone-attr-name – Specifies the parameter name of the mobile number
field, such as phone. This is a default attribute; the range is 1 to 400 characters.

l msg-content-attr-name msg-content-name – Specifies the parameter name of the message
content field, such as msg. This is a default attribute; the range is 1 to 400 characters.

When the SMS gateway and the system communicate, the system sends the mobile number and the
message content under these parameter names, and the SMS gateway reads their values from the
request. To delete the parameter name of the mobile number field or of the message content
field, use the command no default-attribute {phone-attr-name | msg-content-attr-name}.
To specify the password parameter used to log in to the SMS gateway, which is an optional
attribute, in the SP instance configuration mode, use the following command:
password-attribute password-name password-value

l password-name – Specifies the parameter name of the password, such as password. The range
is 1 to 20 characters.

l password-value – Specifies the parameter value of the password, such as 123456. The range
is 2 to 255 characters.

The password value is sent to the gateway in every request; if the SP instance uses a plain
http:// URL it travels in cleartext, so pair this attribute with an https:// URL.
To delete the password parameter, use the command no password-attribute.


To specify the username parameter used to log in to the SMS gateway, which is an optional
attribute, in the SP instance configuration mode, use the following command:
user-attribute user-name user-value

l user-name – Specifies the parameter name of the username, such as username. The range is
1 to 20 characters.

l user-value – Specifies the parameter value of the username, such as user1. The range is 2 to
255 characters.

To delete the username parameter, use the command no user-attribute.
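How the HTTP(S) settings of an SP instance (request method, charset, URL, success code and the default, username and password attributes from the sections above) combine into one gateway request and one reply check, as an added example that is not StoneOS code: Python that builds the request an SP instance would send, flags credential exposure, and applies both the substring success-code check the page describes and a stricter anchored variant. The SpInstance field names, the request layout, the sample gateway host sms.example.test and the constructed replies are this example's assumptions; the page does not document StoneOS' actual wire format.

```python
"""Added example (not StoneOS code): builds the HTTP(S) request that an SP
instance of protocol type http(s) would send to an SMS gateway from the
settings described above (request-type, charset, url, success-code,
default-attribute, user-attribute, password-attribute) and evaluates the
gateway's reply. Field names, request layout and sample values are this
example's assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


@dataclass
class SpInstance:
    url: str                              # url command, e.g. https://sms.example.test/send
    phone_attr: str = "phone"             # default-attribute phone-attr-name
    msg_attr: str = "msg"                 # default-attribute msg-content-attr-name
    request_type: str = "post"            # request-type {get | post}, default post
    charset: str = "utf-8"                # charset {utf-8 | gbk}, default utf-8
    success_code: str = "OK"              # success-code string
    extra_attrs: Dict[str, str] = field(default_factory=dict)  # user-/password-attribute


def build_request(sp: SpInstance, phone: str, message: str) -> Tuple[str, str, Dict[str, str], bytes]:
    """Return (method, url, headers, body) for one authentication message."""
    if sp.request_type not in ("get", "post"):
        raise ValueError("request-type must be get or post")
    if sp.charset not in ("utf-8", "gbk"):
        raise ValueError("charset must be utf-8 or gbk")
    params = {sp.phone_attr: phone, sp.msg_attr: message, **sp.extra_attrs}
    # urlencode percent-encodes non-ASCII text in the chosen charset, which is
    # what a GBK-only gateway needs in order to decode the message correctly.
    encoded = urlencode(params, encoding=sp.charset)
    if sp.request_type == "get":
        parts = urlsplit(sp.url)
        query = f"{parts.query}&{encoded}" if parts.query else encoded
        return "GET", urlunsplit(parts._replace(query=query)), {}, b""
    headers = {"Content-Type": f"application/x-www-form-urlencoded; charset={sp.charset}"}
    return "POST", sp.url, headers, encoded.encode("ascii")


def decode_form(data: str, charset: str) -> Dict[str, str]:
    """Decode a form body or query string the way the gateway would."""
    return {k: v[0] for k, v in parse_qs(data, encoding=charset).items()}


def exposure_warnings(sp: SpInstance) -> list:
    """Credentials configured as attributes travel in every request."""
    warnings = []
    if urlsplit(sp.url).scheme.lower() != "https" and sp.extra_attrs:
        warnings.append("gateway credentials sent over plain HTTP")
    if sp.request_type == "get" and sp.extra_attrs:
        warnings.append("credentials in the URL will be logged by proxies and the gateway")
    return warnings


def sent_ok(sp: SpInstance, reply: str) -> bool:
    """The check as the page describes it: the reply contains the success code."""
    return sp.success_code in reply


def sent_ok_strict(sp: SpInstance, reply: str) -> bool:
    """Safer variant: the reply must start with the success code, so a
    failure text that happens to contain it (for example 'NOT OK') is rejected."""
    return reply.lstrip().startswith(sp.success_code)
```

The strict variant is not what the page says StoneOS does; it is shown to make the point that a short success code such as "OK" matched anywhere in the reply is only safe when you have checked the gateway's failure replies for that substring.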

Specifying the Gateway Address and Port Number

To specify the gateway address and port number, in the SP instance configuration mode, use the
following command:
gateway {host hostname | ip ip-address} [port port-number]

l host hostname – Specifies the hostname of the gateway; the range is 1 to 31.

l ip ip-address – Specifies the IP address of the gateway.

l port port-number – Specifies the port number of the gateway. If this parameter is not
specified, the system uses 8801 by default: when the protocol type is "SGIP", the default
port number is 8801; when it is "UMS", 9600; when it is "XUANWU" or "CAS", 8080.

If you run this command more than once, the latest configuration takes effect.
In the SP instance configuration mode, use the following command to delete the gateway address
and port number:
no gateway {host hostname | ip ip-address}

Specifying the Number to Send Auth-message

After the SMS authentication function is enabled, the system sends an auth-message from a
source number to the user's mobile phone. In the SP instance configuration mode, use the
following command to set the source number:
source-number phone-number

l phone-number – Specifies the source phone number from which the auth-message is sent; the
range is 1 to 21.

In the SP instance configuration mode, use the following command to cancel the source number:
no source-number

Specifying the Device ID

Before configuring the SMS gateway, ask your supplier for the device ID of the SP that sends
the SMS messages. In the SP instance configuration mode, use the following command to specify
the device ID:
device-code code-number

l code-number - Specifies the device ID. The range is 1 to 4294967295.

In the SP instance configuration mode, use the following command to cancel the device ID spe-
cification:
no device-code



Specifying the Username and Password

To specify the username and password, in the SP instance configuration mode, use the following
command:
user username password password

l username – Specifies the username to log in to the SMS gateway. The range is 1 to 64. When
the protocol type is "UMS", "SGIP" or "CAS", the range is 1 to 31. When the protocol type is
"XUANWU", the range is 1 to 6.

l password – Specifies the password for the user. The range is 1 to 64. When the protocol
type is "UMS", "SGIP" or "CAS", the range is 1 to 31. When the protocol type is "XUANWU", the
range is 1 to 6.

In the SP instance configuration mode, use the following command to cancel the username and
password:
no user username password password

Specifying the Template Parameter

To specify the template parameter of BEIKE SMS gateway, in the SP instance configuration
mode, use the following command:
template value

l value – Specifies the template parameter of BEIKE SMS gateway. The length is 1 to 64 char-
acters.

In SP instance configuration mode, use the following command to delete the template parameter
of BEIKE SMS gateway:
no template

Specifying a Maximum SMS Number

You can specify the maximum number of SMS messages sent by the SMS gateway per hour or per
day. To configure the maximum SMS number, in the SP instance configuration mode, use the
following command:
{num-per-hour | num-per-day} number

l number – Specifies the maximum number of SMS messages per hour or per day. The value
range is 0 to 65535.

In the SP instance configuration mode, use the following command to cancel the maximum
number:
no {num-per-hour | num-per-day}

Enabling/Disabling the Sending Sign Code Function

When this function is enabled, the ACC SMS gateway will add a sign code field when sending a
request to the ACC server, which will prevent the content of the SMS from being tampered with.
In the SP instance configuration mode, use the following command to enable the sending sign
code function:
sign enable
In the SP instance configuration mode, use the following command to disable the sending sign
code function:
no sign enable

Sending a Test Message

To test whether the device works properly, you can send a test message to a phone number. To send a
test message, in any mode, use the following command:
exec sms sp sp-name tunnel-name send test-message to phone-number [test-msg-content content]

l sp-name – Specifies the SP instance name.

l tunnel-name – Specifies the name of the SSL VPN tunnel to which the SP instance is bound.

l phone-number – Specifies the phone number.

l content – Specifies the content of the test message. The default value is "This is a test message,
please don't feedback!". The range is 1 to 64 characters.

If the phone with the test number does not receive the test message, the system records a log
describing the reason for the failure.

Specifying the Company Code

When the SP instance uses the UMS protocol type, you can specify the enterprise (company) code
registered on the UMS platform. In the SP instance configuration mode, use the following command:
spcode spcode-number

l spcode-number - Specifies the company code. The range is 1 to 31 digits.

In the SP instance configuration mode, use the following command to cancel the company code:
no spcode

Specifying the AccessKeyId

If the protocol of the SMS gateway that the SP instance runs is ALIYUNSMS, you must specify the
AccessKeyId, which is used as the username for authentication between the device and the Alibaba
Cloud SMS gateway. To specify the AccessKeyId, in the SP instance configuration mode, use the
following command:
accesskeyid word

l word - Specifies the AccessKeyId. The range is 1 to 64 characters. This value must be the
AccessKeyId issued for the Alibaba Cloud SMS service.

In the SP instance configuration mode, use the no accesskeyid command to cancel the specified
AccessKeyId.

Specifying the AccessKeySecret

If the protocol of the SMS gateway that the SP instance runs is ALIYUNSMS, you must specify the
AccessKeySecret, which is used as the password for authentication between the device and the
Alibaba Cloud SMS gateway. To specify the AccessKeySecret, in the SP instance configuration
mode, use the following command:
accesskeysecret word

l word - Specifies the AccessKeySecret. The range is 1 to 63 characters. This value must be the
AccessKeySecret that belongs to the configured AccessKeyId. Treat it as a credential: anyone who
holds it can authenticate to the SMS service as your account.

In the SP instance configuration mode, use the no accesskeysecret command to cancel the specified
AccessKeySecret.

Specifying Instance of SMS Gateway

The SP instance needs to be bound to the SSL VPN tunnel to take effect. To specify the SMS
gateway instance, in the SSL VPN instance configuration mode, use the following command:
sms-auth enable servicer-provider sp-name

l sp-name – Specifies the name of the SP instance, which must be an existing SP instance. The
value range is 1 to 31 characters.

Enabling/Disabling SMS Gateway Authentication

The SP instance must be bound to an SSL VPN tunnel to take effect. By default, SMS gateway
authentication is disabled. In the SSL VPN instance configuration mode, use the following
command to enable the SMS gateway authentication function:
sms-auth enable sp-name

l sp-name – Specifies the SP instance name, which must be an existing SP instance. The range is
1 to 31 characters.

In the SSL VPN instance configuration mode, use the following command to disable the function:
sms-auth disable sp-name

Specifying the Sender Name or Sign Name

If the protocol of the SP instance bound to the SSL VPN tunnel is SGIP, UMS or ACC, you can
specify a message sender name to display in the message content. If the protocol of the SP
instance bound to the SSL VPN tunnel is ALIYUNSMS, you must specify the sign name applied for
in the Alibaba Cloud SMS service to display in the message content. To specify the sender name
or sign name, in the SSL VPN instance configuration mode, use the following command:

sms-auth sms-sender-name sender-name

l sender-name – Specifies the sender name or sign name. The range is 1 to 63 characters. For
ALIYUNSMS, the sign name must be the same as the sign name applied for in the Alibaba Cloud SMS
service.

In the SSL VPN instance configuration mode, use the following command to cancel the specified
sender name or sign name:
no sms-auth sms-sender-name

Notes: Due to a limitation of the UMS enterprise information platform, when SMS gateway
authentication is enabled, the name displayed as the sender is the one registered on the UMS
enterprise information platform.

Specifying the Template Code

If the protocol of the SP instance bound to SSL VPN tunnel is ALIYUNSMS, users must specify
the code of the SMS template applied in the SMS of Alibaba Cloud. To specify the template code,
in the SSL VPN instance configuration mode, use the following command:
sms-auth sms-msg-templatecode word

l word – Specifies the template code. The range is 1 to 30 characters. This value must be the same
as the template code applied for in the Alibaba Cloud SMS service.

In the SSL VPN instance configuration mode, use the following command to cancel the specified
template code:
no sms-auth sms-msg-templatecode

Sending a Test Message

To test if the device works properly, you can send a test message to a phone number. To send a
test message, in any mode, use the following command:
exec sms sp sp-name tunnel-name send test-message to phone-number

l sp-name – Specifies the SP name.

l phone-number – Specifies the phone number.

l tunnel-name – Specifies the tunnel name which bound the SP instance.

If the phone with the test number does not receive the test message, the system records a log
describing the reason for the failure.

Specifying the Request Type

If the protocol of the SMS gateway that the SP instance runs is CAS, you can ask the 12302 SMS
service platform for the request type. To specify the request type, in the SP instance
configuration mode, use the following command:
post_type post_type

l post_type – Specifies the request type. The range is 1-6.

In the SP instance configuration mode, use the following command to cancel the request type:
no post_type

Specifying the Organization Code

If the protocol of the SMS gateway that the SP instance runs is CAS, you can ask the 12302 SMS
service platform for the organization code. To specify the organization code, in the SP instance
configuration mode, use the following command:
orgcode orgcode

l orgcode – Specifies the organization code. The range is 1-31.

In the SP instance configuration mode, use the following command to cancel the organization
code:
no orgcode

Specifying the SMS Service Type

If the protocol of the SMS gateway that the SP instance runs is CAS, you can ask the 12302 SMS
service platform for the SMS service type. To specify the SMS service type, in the SP instance
configuration mode, use the following command:
smstype smstype

l smstype – Specifies the SMS service type. The range is 1-31.

In the SP instance configuration mode, use the following command to cancel the SMS service
type:
no smstype

Specifying the Trading Code

If the protocol of the SMS gateway that the SP instance runs is XUANWU, you must ask the Xuanwu
Technology SMS service platform for the trading code. To specify the trading code, in the SP
instance configuration mode, use the following command:
trading_code trading-code

l trading-code – Specifies the trading code. The range is 1-7.

In the SP instance configuration mode, use the following command to cancel the trading code:
no trading_code

Specifying the Channel

If the protocol of the SMS gateway that the SP instance runs is XUANWU, you must ask the Xuanwu
Technology SMS service platform for the channel. To specify the channel, in the SP instance
configuration mode, use the following command:
channel channel-value

l channel-value – Specifies the channel. The range is a-z.

In the SP instance configuration mode, use the following command to cancel the channel:
no channel

Viewing SMS Gateway Settings

To view the SMS gateway configurations, use the following command in any mode:
show sms service-provider [sp-name]

l sp-name – Specifies the SP instance name. If not specified, the system shows the configurations
of all SP instances that have been created.

Viewing SMS Statistic Information

To view statistics on successful and failed SMS messages, use the following command in any mode:
show tunnel scvpn scvpn-name smsp-statistice [clear]

l scvpn-name – Specifies the SSL VPN instance name that exists.

l clear – Clear all the statistic information.

Email Authentication

Email Authentication means that when an SSL VPN user logs in with "username/password" or
"username/password + digital certificate", the Hillstone device, through a mail server,
automatically sends an email containing a random verification code to the user after the username
and password are entered. The user must enter the received verification code to log into the SSL
VPN and access intranet resources.
Configurations of Email authentication on SSL VPN server include:

l Configuring the Email Address

l Specifying the Email Server

l Configuring the Verification Code Length

l Configuring the Lifetime of Email Verification Code

l Configuring the Sender Name

l Configuring the Email Verification Content

Configuring the Email Address

Users can receive the verification code via an email address configured on the local server or on a
RADIUS server.
To receive the verification code via an email address configured on the local server, in the user
configuration mode, use the following command:
email email-address

l email-address - Specifies the email address used to receive the verification code. The range is
1 to 127 characters.

In the user configuration mode, use the no email command to cancel the specified email address.
To receive the verification code via an email address configured on a RADIUS server, configure the
email address on the RADIUS server. Take FreeRADIUS as an example, where the Hillstone-user-email
attribute is added to the user's entry in etc/freeradius/users:

"test1" Cleartext-Password := "123456"
        Login-LAT-Group = "radiusgroup1",
        Hillstone-user-type = 16,
        Hillstone-user-vsys-id = 0,
        Hillstone-user-login-type = 63,
        Hillstone-user-admin-privilege = 4294967295,
        Hillstone-user-email = [email protected]

The Hillstone-user-* attributes are vendor-specific attributes; FreeRADIUS accepts them in the users
file only if the Hillstone vendor dictionary that defines them is loaded.

Specifying the Email Server

To specify the existing email server on which the email address used to send the verification code
is configured, in the SSL VPN instance configuration mode, use the following command:

email-auth smtp-server smtp-server-name

l smtp-server-name - Specifies the existing email server on which the email address used to send
the verification code is configured. The range is 1 to 31 characters.

In the SSL VPN instance configuration mode, use the no email-auth smtp-server command to cancel
the specified email server.

Configuring the Verification Code Length

To specify the length of the Email verification code, in the SSL VPN instance configuration
mode, use the following command:
email-auth verification-code-length length

l length - Specifies the length of the Email verification code. The range is 4 to 8 characters. The
default value is 8.

In the SSL VPN instance configuration mode, use the no email-auth verification-code-length
command to restore the default value.

Configuring the Lifetime of Email Verification Code

Each email verification code has a period of validity. If the user neither enters the code within the
period nor requests a new code, the SSL VPN server disconnects the connection.
To specify the lifetime of the email verification code, in the SSL VPN instance configuration mode,
use the following command:
email-auth expiration value

l value– Specifies the lifetime of the Email verification code. The range is 1 to 10 minutes.
The default value is 10.

In the SSL VPN instance configuration mode, use the no email-auth expiration command to restore
the default value.

Configuring the Sender Name

To specify a verification code sender name to display in the Email content, in the SSL VPN
instance configuration mode, use the following command:
email-auth sender-name name

l name - Specifies the verification code sender name displayed in the email content. The range is
1 to 63 characters. The default value is "hillstone". To prevent the mail from being classified as
spam, it is recommended that you configure the sender name.

In the SSL VPN instance configuration mode, use the no email-auth sender-name command to
restore the default value.

Configuring the Email Verification Content

To specify the Email verification content, in the SSL VPN instance configuration mode, use the
following command:
email-auth message-content content

l content - Specifies the email verification content. The input must contain "$USERNAME" (replaced
with the username) and "$VRFYCODE" (replaced with the verification code). The default content is
"SCVPN user <$USERNAME> email verification code: $VRFYCODE. Do not reveal to anyone! If you did
not request this, please ignore it.".

In the SSL VPN instance configuration mode, use the no email-auth message-content command
to restore the default content.
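The following Python example is added here to model the server-side handling that the email-auth commands above describe; it is not StoneOS code. It validates that a message template carries both placeholders before it can be used, generates the code from a cryptographically secure source at the configured length, and enforces the configured lifetime with a constant-time comparison. Digit-only codes and single-use acceptance are assumptions of the example, not statements about the device.

```python
import hmac
import secrets
import string

# Value ranges taken from the email-auth commands described above.
CODE_LEN_MIN, CODE_LEN_MAX = 4, 8          # email-auth verification-code-length
EXPIRE_MIN, EXPIRE_MAX = 1, 10             # email-auth expiration (minutes)
DEFAULT_CONTENT = ("SCVPN user <$USERNAME> email verification code: $VRFYCODE. "
                   "Do not reveal to anyone! If you did not request this, please ignore it.")


def validate_content(content: str) -> bool:
    """A template without both placeholders can neither carry the code nor tell the
    recipient which account it is for, so it is rejected before it is ever sent."""
    return "$USERNAME" in content and "$VRFYCODE" in content


def generate_code(length: int = 8) -> str:
    """Digits drawn from the OS CSPRNG via secrets; random.random() is not suitable
    for authentication codes. Digit-only codes are an assumption of this example."""
    if not CODE_LEN_MIN <= length <= CODE_LEN_MAX:
        raise ValueError("verification code length must be 4..8")
    return "".join(secrets.choice(string.digits) for _ in range(length))


def render(content: str, username: str, code: str) -> str:
    """Substitutes the two placeholders into the configured message content."""
    if not validate_content(content):
        raise ValueError("content must contain $USERNAME and $VRFYCODE")
    return content.replace("$USERNAME", username).replace("$VRFYCODE", code)


class PendingVerification:
    """Server-side state for one login attempt: the issued code, its expiry computed
    from the configured lifetime, and whether it has already been consumed."""

    def __init__(self, code: str, issued_at: float, lifetime_min: int = 10):
        if not EXPIRE_MIN <= lifetime_min <= EXPIRE_MAX:
            raise ValueError("lifetime must be 1..10 minutes")
        self.code = code
        self.expires_at = issued_at + lifetime_min * 60
        self.used = False

    def check(self, submitted: str, now: float) -> str:
        """Returns 'ok', 'expired', 'used' or 'mismatch'. Comparison is constant
        time, and a code is accepted at most once (single use is an assumption)."""
        if self.used:
            return "used"
        if now > self.expires_at:
            return "expired"
        if not hmac.compare_digest(self.code.encode(), submitted.encode()):
            return "mismatch"
        self.used = True
        return "ok"
```

The check order matters: an expired or already consumed code is refused before the value is even compared, which mirrors the point at which the SSL VPN server drops the connection rather than letting the user keep guessing against a stale code.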

Host Binding

Host binding is used to authenticate the hosts of SSL VPN clients. When you use the SSL VPN
client to log into the server, the client collects information about the PC running it, including
the mainboard SN, hardware SN, CPU ID and BIOS SN, and uses the MD5 algorithm to generate a
32-character (128-bit, hex-encoded) string, which is the host ID. The client then sends the host ID
together with the username and password to the SSL VPN server for authentication. The SSL VPN
server authenticates the user by looking up the candidate list and binding list. Because the host
ID is computed and reported by the client, host binding supplements user authentication; it does
not replace it.
The candidate list and binding list are described as below:

l Candidate list: A table recording username and host ID as well as their mapping relationship.

l Binding list: A table of authorized host IDs and their usernames. You can add a pair of host
ID and its username to the table or allow login user to be added automatically. When a client
logs in, the SSL VPN server checks if the binding list has the host ID and matched username,
if so, the user passes authentication; if not, the SSL VPN communication will be dis-
connected.

Note: For hosts deployed on virtual platforms, the host ID might not be unique. Therefore, the
host binding function might not work properly.

Enabling Host Binding

By default, host binding is disabled. To enable host binding, in the SSL VPN instance
configuration mode, use the following command:
user-host-verify [allow-multi-host] [allow-shared-host] [auto-approved-first-bind]

l user-host-verify – Enables host binding. By default, a user is allowed to log into the server
using one single computer.

l allow-multi-host – Allows one user to log in using multiple hosts.

l allow-shared-host – Allows multiple users to log in using one host.

l auto-approved-first-bind – Specifies that the server automatically adds the username and
host ID to the binding list when the user logs in for the first time.

To disable host binding, in the SSL VPN instance configuration mode, use the following command:
no user-host-verify

Approving a Candidate

Approving a pair of host ID and user in the candidate list means to add it to the binding list. To
approve a candidate, in any mode, use the following command:
exec scvpn instance-name approve-binding user user-name host host-id

l scvpn instance-name – Specifies the name of SSL VPN instance.

l user user-name – Specifies the username in the candidate list.

l host host-id – Specifies the host ID of the user.

Configuring a Super User

A super user can log into the server using any host. To change a user in candidate or binding list
to a super user, in any mode, use the following command:
exec scvpn instance-name no-host-binding-check user user-name

l scvpn instance-name – Specifies the name of SSL VPN instance.

l user user-name – Specifies the name of user who will be changed to a super user. The length
is 1 to 95 characters.

To cancel a super user, in any mode, use the following command:
exec scvpn instance-name host-binding-check user user-name

Configuring a Shared Host

If a host is considered as a shared host, users logging into the server from this host are not limited
by host binding authentication. To configure a host in candidate or binding list as a shared host, in
any mode, use the following command:
exec scvpn instance-name no-user-binding-check host host-id

l scvpn instance-name – Specifies the name of SSL VPN instance.

l host host-id – Specifies the ID of the host which will be changed to a shared host. The host
must be in the candidate list or binding list.

To cancel a shared host, in any mode, use the following command:
exec scvpn instance-name user-binding-check host host-id

Increasing/Decreasing Pre-approved Hosts

Even when multi-host login is allowed for a user, by default the system records only the first
login host-user pair in its binding list; other login pairs go to the candidate list. However, the
number of pre-approved host-user binding pairs in the binding list can be changed.
To increase the pre-approved host-user binding pair number, in any mode, use the following
command:
exec scvpn instance-name increase-host-binding user user-name number

l scvpn instance-name – Specifies the name of SSL VPN instance.

l user user-name – Specifies the name of user.

l number – Specifies the number of pre-approved host-user binding pairs to be added to the
binding list for the user. The number ranges from 1 to 32. The total number of pre-approved
host-user binding pairs in a binding list ranges from 0 to 100.

exec scvpn instance-name decrease-host-binding user user-name number

l scvpn instance-name – Specifies the name of SSL VPN instance.

l user user-name – Specifies the name of user.

l number – Specifies the number of pre-approved host-user binding pairs to be removed from
the binding list for the user. The number ranges from 1 to 32. The total number of pre-approved
host-user binding pairs in a binding list ranges from 0 to 100.
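The following Python example is added to show, in runnable form, how the host ID and the candidate list, binding list, super user, shared host and pre-approved pair count described in the host binding sections above fit together; it is not StoneOS code. The four identifiers and the MD5 digest are from the page, but the concatenation order and separator used for the host ID, and the way auto-approval interacts with the pre-approved count, are assumptions of the example.

```python
import hashlib


def host_id(mainboard_sn: str, hardware_sn: str, cpu_id: str, bios_sn: str) -> str:
    """32-character host ID: the hex MD5 digest over the four identifiers the page
    names. Their concatenation order and the '|' separator are assumptions."""
    material = "|".join((mainboard_sn, hardware_sn, cpu_id, bios_sn)).encode()
    return hashlib.md5(material).hexdigest()


class HostBindingServer:
    """Server-side candidate list / binding list logic for one SSL VPN instance."""

    def __init__(self, allow_multi_host=False, allow_shared_host=False,
                 auto_approved_first_bind=False):
        self.allow_multi_host = allow_multi_host
        self.allow_shared_host = allow_shared_host
        self.auto_first_bind = auto_approved_first_bind
        self.binding = set()        # authorized (username, host_id) pairs
        self.candidate = set()      # seen but not yet approved pairs
        self.super_users = set()    # exec scvpn ... no-host-binding-check user
        self.shared_hosts = set()   # exec scvpn ... no-user-binding-check host
        self.preapproved = {}       # username -> auto-approved pairs allowed (default 1)

    def approve_binding(self, user: str, hid: str) -> None:
        """exec scvpn ... approve-binding: move a candidate pair to the binding list."""
        self.candidate.discard((user, hid))
        self.binding.add((user, hid))

    def increase_host_binding(self, user: str, number: int) -> int:
        """Raise the pre-approved pair count (1..32 per call, 100 in total)."""
        if not 1 <= number <= 32:
            raise ValueError("number must be 1..32")
        self.preapproved[user] = min(100, self.preapproved.get(user, 1) + number)
        return self.preapproved[user]

    def clear_binding(self, user=None, hid=None) -> None:
        """exec scvpn ... clear-binding: user only clears all of that user's hosts,
        host only clears that host, both clear one pair, neither clears everything."""
        def keep(pair):
            u, h = pair
            if user is None and hid is None:
                return False
            if user is not None and hid is not None:
                return (u, h) != (user, hid)
            return u != user if user is not None else h != hid
        self.binding = {p for p in self.binding if keep(p)}

    def login(self, user: str, hid: str) -> bool:
        """True if the session is allowed. Any pair that is not authorized is
        recorded in the candidate list for an administrator to approve later."""
        pair = (user, hid)
        if pair in self.binding or user in self.super_users or hid in self.shared_hosts:
            return True
        users_hosts = {h for u, h in self.binding if u == user}
        hosts_users = {u for u, h in self.binding if h == hid}
        allowed = True
        if users_hosts and not self.allow_multi_host:
            allowed = False                      # user is already tied to another host
        if hosts_users and not self.allow_shared_host:
            allowed = False                      # host is already tied to another user
        # Assumption: auto-approval fills the user's pre-approved quota (default 1).
        if allowed and self.auto_first_bind and len(users_hosts) < self.preapproved.get(user, 1):
            self.binding.add(pair)
            return True
        self.candidate.add(pair)
        return False
```

Without auto-approved-first-bind every new pair lands in the candidate list and the login is refused until an administrator approves it, which is the strict mode; with it, only as many pairs as the pre-approved count are bound automatically, and everything else still needs the explicit approve-binding step.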

Clearing a Binding List

To clear a binding list or an entry in the table, in any mode, use the following command:
exec scvpn instance-name clear-binding [{user user-name [host host-id] | host host-id }]

l scvpn instance-name – Specifies the name of SSL VPN instance.

l user user-name – Specifies the name of the user. If host host-id is not specified, all hosts
bound to this user are cleared.

l host host-id – Specifies the host ID of the host which will be cleared.

Exporting/Importing a Binding List

The binding list can be exported to (and imported from) an FTP server, TFTP server or USB
disk.
To export a binding list, in the execution mode, use the following command:
export scvpn user-host-binding to {ftp server ip-address [user user-name password password] | tftp server ip-address | usb0 | usb1} [file-name]

l ftp server ip-address [user user-name password password] – Exports the table to an FTP
server. Type the IP address of the FTP server, and the username and password if needed; if the
server supports anonymous login, omit the username and password.

l tftp server ip-address – Specifies that binding list is exported to a TFTP server. Type the IP
address of the TFTP server.

l usb0 | usb1 – Exports the binding list to the root directory of the USB disk.

l file-name – Specifies a name for the file of exported binding list.

To import a binding list, in the execution mode, use the following command:
import scvpn user-host-binding from {ftp server ip-address [user user-name password password] | tftp server ip-address | usb0 | usb1} [file-name]

l ftp server ip-address [user user-name password password] – Imports the table from an FTP
server. Type the IP address of the FTP server, and the username and password if needed; if the
server supports anonymous login, omit the username and password.

l tftp server ip-address – Specifies that binding list is imported from a TFTP server. Type the
IP address of the TFTP server.

l usb0 | usb1 – Imports the binding list from the root directory of the USB disk.

l file-name – Specifies the file name of imported binding list.

Host Check

The host check function checks the security status of the hosts running SSL VPN clients. Based on
the result, the SSL VPN server determines the security level of each host and assigns resource
access permissions accordingly. The checked factors are the operating system, the IE version, and
the installation of specific software.

Checked Factors

The factors checked by the SSL VPN server are listed below:

Operating system:

l Operating system, e.g., Windows 2000, Windows 2003, Windows XP, Windows Vista, etc.

l Service pack version, e.g., Service Pack 1

l Windows patch, e.g., KB958215, etc.

l Whether the Windows Security Center and Automatic Update are enabled

l Whether the installation of AV software is compulsory, and whether its real-time monitor and the
automatic update of its signature database are enabled

l Whether the installation of anti-spyware is compulsory, and whether its real-time monitor and the
online update of its signature database are enabled

l Whether a personal firewall is installed, and whether its real-time protection is enabled

Other configurations:

l Whether the IE version and security level meet the specified requirements

l Whether the specified processes are running

l Whether the specified services are installed

l Whether the specified services are running

l Whether the specified registry key values exist

l Whether the specified files exist in the system

Role Based Access Control and Host Check Procedure

Role Based Access Control (RBAC) means that a user's permissions are determined not by the
username but by the user's role: the resources a user can access after login are those granted to
the corresponding role, so the role is the bridge between the user and the permissions.
The SSL VPN host check function supports RBAC, and the host check procedure introduces the
concepts of primary role and guest role. The primary role determines which host check profile
(which contains the host check contents and the security level, and can be configured via the
WebUI) is applied to the user and what access permissions the user has after passing the host
check. The guest role determines the access permissions of users who fail the host check.
For more information about roles and host check, see Table 7: Relationship between Host Check
Rule and Check Results.
The host check procedure is:

1. The SSL VPN client sends request for connection and passes the authentication.

2. The SSL VPN server sends host check profile to the client.

3. The client checks the host security status according to the host check profile. If the host
fails the check, the system notifies the user of the check result.

4. The client sends the check result back to the server.

5. If the host check succeeds, the server will assign access permissions based on the primary
role defined in the host check profiles; if the host check fails, the server will disconnect the
client and issue a prompt, or assign access permissions based on the guest role defined in
the host check profile.

The host check function also supports dynamic access permission control. On one side, when the
client's security status changes, the server sends a new host check profile to the client so that it
re-checks; on the other side, the client can perform the security check periodically. For example,
if the AV software is disabled and the host check detects it, the role assigned to the client may
change, and so does the access permission.

Configuring a Host Check Profile

A host check profile defines the checking contents and the security level. You can use the WebUI
or the CLI to create a host check profile, but the detailed settings of the profile can only be made
in the WebUI.
To create a host check profile, in the global configuration mode, use the following command:
scvpn host-check-profile hostcheck-profile-name

l hostcheck-profile-name – Specifies a name for the host check profile.

To delete a host check profile, in the global configuration mode, use the following command:
no scvpn host-check-profile hostcheck-profile-name

Configuring a Host Check Profile via WebUI

To create a host check profile via WebUI, take the following steps:

1. On the Navigation pane, click Configure > Network > SSL VPN to visit the SSL VPN
page.

2. On the Task tab in the right auxiliary pane, click Host Check to visit the Host Check page.

3. Click New.

4. On the Basic and Advanced tabs, configure the following options.

Options on the Basic tab:

l Name: Specifies the name of the host check profile.

l OS version: Specifies whether to check the OS version on the client host. Click one
of the following options:

l No check - Do not check the OS version.

l Must match - The OS version running on the client host must be the same as
the version specified here. Select the OS version and service pack version from
the drop-down lists respectively.

l At least - The OS version running on the client host should not be lower than
the version specified here. Select the OS version and service pack version from
the drop-down lists respectively.

l Patch X: Specifies the patch that must be installed on the client host. Type the patch
name into the box. Up to five patches can be specified.

l Lowest IE version: Specifies the lowest IE version in the Internet zone on the client
host. The IE version running on the client host should not be lower than the version
specified here.

l Lowest IE security level: Specifies the lowest IE security level on the client host. The
IE security level on the host should not be lower than the level specified here.

Options on the Advanced tab:

l Security center: Checks whether the security center is enabled on the client host.

l Auto update: Checks whether the Windows auto update function is enabled.

l Anti-Virus software: Checks whether the client host has anti-virus software installed, and
optionally the following:

l Installed - The client host must have the AV software installed.

l Monitor - The client host must enable the real-time monitor of the AV soft-
ware.

l Virus signature DB update - The client host must enable the signature database
online update function.

l Anti-Spyware software: Checks whether the client host has anti-spyware installed, and
optionally the following:

l Installed - The client host must have the anti-spyware installed.

l Monitor - The client host must enable the real-time monitor of the anti-spy-
ware.

l Signature DB update - The client host must enable the signature database
online update function.

l Firewall: Checks whether the client host has a personal firewall installed, and optionally the following:

l Installed - The client host must have the personal firewall installed.

l Monitor - The client host must enable the real-time monitor function of the per-
sonal firewall.

l Registry key value: Key X: Checks whether the key value exists. Up to five key values
can be configured. The check types are:

l No check - Do not check the key value.

l Exist - The client host must have the key value. Type the value into the box.

l No exist - The client does not have the key value. Type the value into the box.

l File path name: File X: Checks whether the file exists. Up to five files can be con-
figured. The check types are:

l No check - Do not check the file.

l Exist - The client host must have the file. Type the file name into the box.

l No exist - The client host must not have the file. Type the file name into the box.

l Running process name: Process X: Checks whether the process is running. Up to five
processes can be configured. The check types are:

l No check - Do not check the process.

l Exist - The client host must have the process running. Type the process name
into the box.

l No exist - The client cannot have the process running. Type the process name
into the box.

l Installed service name: Checks whether the service is installed. Up to five services
can be configured. The check types are:

l No check - Do not check the service.

l Exist - The client host must have the service installed. Type the service name
into the box.

l No exist - The client host cannot have the service installed. Type the service
name into the box.

l Running service name: Checks whether the service is running. Up to five services can
be configured. The check types are:

l No check - Do not check the service.

l Exist - The client host must have the service running. Type the service name
into the box.

l No exist - The client host cannot have the service running. Type the service
name into the box.

5. Click OK to save the settings.

Referencing a Host Check Profile to a Rule

To make a configured host check profile take effect, you must bind the profile to a host check
rule; only profiles bound to rules are used by the host check function.
To configure a host check rule, in the SSL VPN instance configuration mode, use the following
command:
host-check [role role-name] profile profile-name [guest-role guestrole-name | redirect-url url] [periodic-check period-time]

l role role-name – Specifies a role configured on the AAA server as the primary role for the user.
If this parameter is defined, the host check profile applies to this role; if not, the profile is the
default profile and serves all users.

l profile profile-name – Specifies the name of the bound host check profile.

l guest-role guestrole-name | redirect-url url – Specifies the exception handling method.

l guest-role guestrole-name – Specifies the guest role. If the client host fails the host
check, the user is granted the privileges of this guest role; if this parameter is not defined,
the client is disconnected.

l redirect-url url – Specifies the redirect URL. If the client host fails the host check, the
browser is redirected to the specified URL, which guides the user to download the software
required for host security detection, and the client is disconnected; if this parameter is not
defined, the client is disconnected.

l periodic-check period-time – Specifies the auto-check period of the user. The value range is
5 to 1440 minutes. The default value is 30.

Repeat this command to add more host check rules. If a user matches multiple host check rules,
the server uses the first matched rule; in addition, if a user binds to multiple roles with matched
host check rules, the server uses the first matched rule.
To cancel the host check rule setting, in the SSL VPN instance configuration mode, use the
following command:
no host-check [role role-name] profile profile-name [guest-role guestrole-name | redirect-url url] [periodic-check period-time]
The table below lists the relationship between the host check rule setting and the host check result.

Rule Setting                    Check Successful              Check Failed
------------------------------  ----------------------------  ------------------------------------
Primary role: configured        Obtain privileges of the      Obtain privileges of the guest role
Profile: configured             primary role
Guest role: configured
Redirect URL: not configured

Primary role: configured        Obtain privileges of the      The browser jumps to the specified
Profile: configured             primary role                  URL to guide the user to download
Guest role: not configured                                    the software required for host
Redirect URL: configured                                      security detection, and the client
                                                              is disconnected

Primary role: configured        Obtain privileges of the      Be disconnected
Profile: configured             primary role
Guest role: not configured
Redirect URL: not configured

Primary role: not configured    Remain connected              Obtain privileges of the guest role
Profile: configured
Guest role: configured
Redirect URL: not configured

Primary role: not configured    Remain connected              The browser jumps to the specified
Profile: configured                                           URL to guide the user to download
Guest role: not configured                                    the software required for host
Redirect URL: configured                                      security detection, and the client
                                                              is disconnected

Primary role: not configured    Remain connected              Be disconnected
Profile: configured
Guest role: not configured
Redirect URL: not configured

Selecting an Optimal Path

VPN networks with multiple ISPs (Internet Service Providers) suffer from the narrow bandwidth and
long delay of communication between different ISPs. To solve this issue, the Hillstone device
provides the optimal path check feature, which enables the device to automatically select the
fastest path for the client to connect to the SSL VPN server.
Two network designs are available for using the optimal path selection feature.

In the first design, shown in the figure above, the SSL VPN client connects directly to the egress
interfaces of the server. The SSL VPN server first subscribes to services from different ISPs and
enables one interface per ISP service as a tunnel egress interface. When SSL VPN clients on
different ISPs try to reach headquarters, the optimal path selection feature determines the ISP of
the requesting client, orders the SSL VPN egress interfaces by relevance to that ISP, and provides
the ordered list of egress interfaces to the client to choose from; if optimal path detection is
enabled on the client, the client selects the preferred link by sending UDP probe packets.

In the second design, shown in the figure above, the SSL VPN client reaches the SSL VPN server
through a DNAT device, which translates the address the client connects to into the SSL VPN
server egress interface address. The DNAT device accesses the Internet over multiple ISP links.
You need to add the DNAT device's egress interface addresses to an address entry in the SSL
VPN server address pool. If optimal path detection is enabled on the SSL VPN server, the server
determines the ISP of the client's access address and assigns the DNAT egress interface addresses
to the client in priority order so that the client can select its optimal path; if optimal path
detection is enabled on the client, the client sends UDP probe packets to choose an optimal path.
To specify an interface as SSL VPN tunnel egress interface, in the SSL VPN instance con-
figuration mode, use the following command:
interface interface-name

l interface-name – Specifies the name of server interface.

Repeat this command to specify more interfaces (up to two) as the tunnel egress interface.
To cancel the specified tunnel interface, in the SSL VPN instance configuration mode, use the fol-
lowing command:
no interface interface-name

To configure the optimal path selection, in the SSL VPN instance configuration mode, use the
following command:
link-select [server-detect] [A.B.C.D [https-port port-number]] [A.B.C.D [https-port port-number]] [A.B.C.D [https-port port-number]] [A.B.C.D [https-port port-number]]

l server-detect – Enables optimal link detection on the device. By default this parameter is not
configured and the client selects the link by itself.

l A.B.C.D – Specifies the Internet interface IP address of DNAT device. The system allows
up to four IP addresses.

l https-port port-number – Specifies the HTTPS port number of the DNAT Internet interface. The
value range is 1 to 65535. The default value is 4433. To avoid a collision with the WebUI HTTPS
port number, port 443 is not recommended.

To cancel optimal link selection, in the SSL VPN instance configuration mode, use the command
no link-select.
SSL VPN optimal link selection also provides multi-link redundancy, which enables the server to
switch links when one link disconnects so as to guarantee the connection stability between server
and client (traffic flow may be interrupted during switching).

Kicking out an SSL VPN Client

The SSL VPN server can forcibly disconnect a client.

To kick out an SSL VPN client, in the configuration mode, use the following command:
exec scvpn instance-name kickout user-name

l instance-name – Specifies the name of SSL VPN instance.

l user-name – Specifies the name of client to be kicked out of the server.

Configuring Change Password URL of the Client

The system can redirect the client user to a specified page for changing the password, through the
configured URL.
To configure the change password URL, in the SSL VPN instance configuration mode, use the
following command:
change-password-url url

l url – Specifies the URL of the page to which the user is redirected to change the password. The
range is 1 to 255 characters.

To cancel the configuration, use the following command:
no change-password-url

Configuring Forgot Password URL of the Client

The system can redirect the client user to a specified page for resetting the password, through the
configured URL.
To configure the forgot password URL, in the SSL VPN instance configuration mode, use the
following command:
forgot-password-url url

l url – Specifies the URL of the page to which the user is redirected to reset the password. The
range is 1 to 255 characters.

To cancel the configuration, use the following command:
no forgot-password-url

Exporting and Importing a User-list File

To avoid mistakes when configuring user information, you can export the user-list file from the SSL
VPN server and import it back. The system supports the import of user-list files in UTF-8 with BOM
.txt format and in UTF-8 with BOM .csv format. When a user-list file is imported, the system checks
the validity and complexity of each user password. If the checks pass, the import succeeds; if they
fail, the import fails.
The system exports the user-list file in .csv format; its content is the real-time information of the
user list in the system.
The user-list in .csv file is illustrated in the figure below.

The user-list in text file is illustrated in the figure below.

Notes: Before importing the user-list file, please read carefully the annotations in
the above figures and fill in the user information according to the format.

Exporting a User-list File

To export a user-list file, in the execution configuration mode, use the following command:
export aaa user to {tftp server ip-address | ftp server ip-address [user user-name ]} file-name

l ip-address – Specifies the IP address of the FTP or TFTP server.

l user user-name – Specifies the username of the FTP server.

l file-name – Specifies the file name of the exported user-list file.

Importing a User-list File

To import a user-list file, in the execution configuration mode, use the following command:
import aaa user from {tftp server ip-address | ftp server ip-address [user user-name ]} file-name

l ip-address – Specifies the IP address of the FTP or TFTP server.

l user user-name – Specifies the username of the FTP server.

l file-name – Specifies the file name of the imported user-list file.

The principles of importing user-list files are:

l If a user in the imported user-list file already exists in the system, the user information in the
imported file overwrites the original information in the system.

l If a user in the imported user-list file is new to the system, it and its user information will be
added to the system automatically.

Notes:

l When password file is imported, it takes effect immediately.

l The command line will show the number of imported users.

l In the imported user-list file, the "username" field must not contain a slash, comma,
double quotation mark, question mark or @; the "group" field must not contain a comma,
double quotation mark or question mark.

l In the imported user-list file, the date in the "expire" field must be in the format
DD/MM/YYYY HH:SS.

l If the user-list is imported as a text file, pay special attention to the following points:

l Every parameter in the file must be separated by half-width commas.

l If a parameter does not exist, leave its field empty between the half-width commas, e.g.
"123123,,local".

l The sequence of the parameters in the first row is fixed and case-insensitive, e.g.
"Servername,userName,pAssWord".

l The file must not contain blank lines or gibberish lines, or it cannot be imported
successfully.

l If the length of a parameter is outside its length range, the file cannot be imported
successfully. The length ranges are:
The length range of "username": 1-63 characters
The length range of "password": 1-31 characters
The length range of "phone": 6-15 characters
The length range of "email": 1-127 characters
The length range of "description": 0-127 characters
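Added here as an example (not Hillstone's code and not part of the guide), the following checker applies the text-file rules above to a user-list file before it is uploaded for import aaa user: UTF-8 with BOM, half-width commas, an empty field for a missing parameter, the forbidden characters, the DD/MM/YYYY HH:SS expire format and the length ranges. Header names other than the guide's own "Servername,userName,pAssWord", and treating only username and password as mandatory, are assumptions.

```python
"""Pre-import checker for a StoneOS SSL VPN user-list text file.

Added example, not Hillstone code. Assumptions: header names beyond the
guide's "Servername,userName,pAssWord" are taken from the field names the
guide mentions, and only username and password are treated as mandatory.
"""
import codecs
import re
from typing import List

# Field names the guide refers to, lower-cased (the header is case-insensitive).
KNOWN_FIELDS = {"servername", "username", "password", "group", "expire",
                "phone", "email", "description"}
# Assumption: only these must be non-empty; the guide's "123123,,local"
# example shows other parameters may be left as an empty field.
REQUIRED_FIELDS = {"username", "password"}
# Inclusive length ranges from the guide.
LENGTH_RANGES = {"username": (1, 63), "password": (1, 31), "phone": (6, 15),
                 "email": (1, 127), "description": (0, 127)}
# Characters the guide forbids in each field.
FORBIDDEN_CHARS = {"username": set('/,"?@'), "group": set(',"?')}
# Expire format exactly as the guide states it: DD/MM/YYYY HH:SS.
EXPIRE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}$")
FULL_WIDTH_COMMA = "\uff0c"  # common slip when the file is edited with a CJK IME


def validate_user_list(data: bytes) -> List[str]:
    """Return the problems found in the file; an empty list means it passes."""
    problems: List[str] = []
    if not data.startswith(codecs.BOM_UTF8):
        problems.append("file must be saved as UTF-8 with BOM")
    try:
        text = data.decode("utf-8-sig")
    except UnicodeDecodeError as exc:
        return problems + [f"file is not valid UTF-8: {exc}"]

    lines = text.splitlines()
    if not lines:
        return problems + ["file is empty"]

    # Header row: the guide fixes the order but does not list it in full, so
    # only the field names (case-insensitively) are checked here.
    header = [h.strip().lower() for h in lines[0].split(",")]
    unknown = sorted(set(header) - KNOWN_FIELDS)
    if unknown:
        problems.append(f"line 1: unknown header field(s): {', '.join(unknown)}")
    missing = sorted(REQUIRED_FIELDS - set(header))
    if missing:
        problems.append(f"line 1: header lacks required field(s): {', '.join(missing)}")

    for lineno, line in enumerate(lines[1:], start=2):
        if line.strip() == "":
            problems.append(f"line {lineno}: blank lines are not allowed")
            continue
        if FULL_WIDTH_COMMA in line:
            problems.append(f"line {lineno}: full-width comma found; use half-width commas")
            continue
        if not line.isprintable():
            problems.append(f"line {lineno}: line contains non-printable characters")
            continue
        fields = line.split(",")
        if len(fields) != len(header):
            problems.append(f"line {lineno}: expected {len(header)} fields, found "
                            f"{len(fields)} (keep an empty field for a missing value)")
            continue
        for name, value in zip(header, fields):
            bad = sorted(FORBIDDEN_CHARS.get(name, set()) & set(value))
            if bad:
                problems.append(f"line {lineno}: {name} must not contain {''.join(bad)!r}")
            if value == "" and name not in REQUIRED_FIELDS:
                continue  # optional parameter left empty: nothing more to check
            if name in LENGTH_RANGES:
                lo, hi = LENGTH_RANGES[name]
                if not lo <= len(value) <= hi:
                    problems.append(f"line {lineno}: {name} length {len(value)} is "
                                    f"outside {lo}-{hi} characters")
            if name == "expire" and not EXPIRE_RE.match(value):
                problems.append(f"line {lineno}: expire must be DD/MM/YYYY HH:SS")
    return problems


# Constructed sample files; the users and values are not from the guide.
GOOD_FILE = codecs.BOM_UTF8 + (
    "Servername,userName,pAssWord,group,expire,phone,email,description\n"
    "local,alice,S3cure!pw,,31/12/2025 23:59,,alice@example.com,VPN user\n"
    "local,bob,An0ther!pw,vpn-users,,13800000000,,\n"
).encode("utf-8")

BAD_FILE = codecs.BOM_UTF8 + (
    "Servername,userName,pAssWord,group,expire\n"
    'local,carol@corp,Pw1,"ops",2025-12-31 23:59\n'  # '@' in username, '"' in group, bad date
    "\n"                                             # blank line
    "local,dave," + "x" * 32 + ",,\n"                # password longer than 31 characters
    "local\uff0ceve,pw,,\n"                          # full-width comma
).encode("utf-8")
```

Run validate_user_list on the file bytes before uploading them to the FTP/TFTP server used by import aaa user; an empty result means none of the documented format rules is violated.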

Control the Access by Using the Radius Server

When you use the Radius authentication mode, you can set the access scope for the authenticated
users. For each authenticated user, the system obtains the information that defines the user's access
scope from the Radius server. Based on this information, the system dynamically creates a policy
from the user's source address to the permitted access scope. Users who fail authentication are
denied access to the network. When a user logs off, is kicked out by an administrator, or reaches
the login timeout, the corresponding policy is deleted automatically.
To view the regulated access scope, use the following command in any mode:
show auth-user username user-name

l user-name – Specifies the username of the user that you want to view.

Configuring Radius Server

To control the access by using the Radius server, you must define the following attributes in the
dictionary file:

Attribute Name                       Type    Value
Hillstone-user-policy-dst-ip-begin   ipaddr  The start IP address of the access scope. Only IPv4 address is supported.
Hillstone-user-policy-dst-ip-end     ipaddr  The end IP address of the access scope. Only IPv4 address is supported.

After you add the attributes, specify their values for the desired users and restart the Radius
server, the system sets the access scope for the users that are successfully authenticated through
the SSL VPN client. If you do not set an access scope for a user, that user is not limited.

General Configuration

The following configurations are shared by ZTNA and SSL VPN. The configurations take effect
on both ZTNA and SSL VPN.

l Configuring SSL Cipher Suite

l Allowing Password Change by Local Users

l Customizing Client Download Source

l Customizing the Background Picture of Client Download Page

l Configuring Upgrade URL for Windows Type Client

l Customizing the Page Title

Configuring SSL Cipher Suite

To configure the SSL cipher suite, in the global configuration mode, use the following command:
secure-connect ssl-cipher-list string

l string – Specifies the SSL cipher suite list. The default is
"ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4".

To restore to the default SSL cipher suite list, in the global configuration mode, use the following
command:
no secure-connect ssl-cipher-list

Allowing Password Change by Local Users

By default, a local user is not allowed to change its password, but you can configure the device to
grant local users the right to change their password after they pass SSL VPN or ZTNA authentication.
To enable/disable the right for local users to change the login password, in the password control
mode, use the following command:

l Enable: allow-pwd-change

l Disable: no allow-pwd-change

Tip: Secure Connect client of version 1.2.0.1106 and later allows the local users
to change password. Therefore, it's advised to use the latest Secure Connect cli-
ent.

When the server allows the client user to change password, the user can change login password
after passing SSL VPN or ZTNA authentication by the following steps:

1. Right-click the client icon in the notification area at the bottom-right corner of the task bar; a
menu appears.

2. Click Changing Password and type current password and new password into the cor-
responding boxes.

3. Click OK to save the changes.

Customizing Client Download Source

End users can download Secure Connect clients at the following addresses:

l Client download address on the device: https://IP-Address:Port-Number. The "IP-Address"
and "Port-Number" refer to the IP address of the egress interface and the HTTPS port number
specified in the configuration of the SSL VPN or ZTNA instance.

l Client download address provided by the Hillstone Networks Official Website:
https://www.hillstonenet.com/more/services/product-downloads/.

By default, the client download source on the device is the same as that on the Hillstone Networks
Official Website. In a scenario where you want end users to download and use a specific Secure
Connect client, such as a client of a specified version or a customized client, you can import the
client into the system to overwrite the default download source on the device. You can import
Windows, macOS and Linux type clients.
To import the client file from a server, in the execution configuration mode, use the following
command:
import secure-connect client {windows | linux | macos} from { {ftp | ftps | sftp} server ip-
address [vrouter vrouter-name] [user user-name password password] | tftp server ip-address |
usb0 | usb1} file-name

l {ftp | ftps | sftp} server ip-address [vrouter vrouter-name] [user user-name password pass-
word] – Specifies that the client file is imported from an FTP/FTPS/SFTP server. Type the
IP address of the FTP/FTPS/SFTP server, virtual router name, username and password (skip
if the server can be logged in anonymously).

l tftp server ip-address - Specifies that the client file is imported from a TFTP server and spe-
cifies the TFTP server address.

l usb0 | usb1 - Specifies that the client file is imported from the USB disk plugged to USB0 or
USB1 port.

l file-name – Specifies the client file. The system will check the imported file. It is recom-
mended to import a client file downloaded from Hillstone Networks Official Website and
keep the file name unchanged. Otherwise, the import might fail.

You can delete the imported client file. After deletion, the download source will be restored to
the default source. In the execution configuration mode, use the following command to delete the
imported client file:
exec secure-connect client {windows | linux | macos} delete

Viewing Secure Connect Client Information

In any mode, use the following command to view the information of Secure Connect clients
saved in the system:
show secure-connect client-info [windows | linux | macos]

Customizing the Background Picture of Client Download Page

You can customize the title and background picture of the client download page on the device. The
default download page is shown below:

To import the background picture from a server, in the execution configuration mode, use the fol-
lowing command:
import customize secure-connect download-webpage-background-picture from { {ftp | ftps |
sftp} server ip-address [vrouter vrouter-name] [user user-name password password] | tftp server
ip-address | usb0 | usb1} file-name

l {ftp | ftps | sftp} server ip-address [vrouter vrouter-name] [user user-name password pass-
word] – Specifies that the background picture is imported from an FTP/FTPS/SFTP server.
Type the IP address of the FTP/FTPS/SFTP server, virtual router name, username and pass-
word (skip if the server can be logged in anonymously).

l tftp server ip-address - Specifies that background picture is imported from a TFTP server and
specifies the TFTP server address.

l usb0 | usb1 - Specifies that the background picture is imported from the USB disk plugged to
USB0 or USB1 port.

l file-name – Specifies the picture name and format. The picture must be in PNG format, a
resolution of 1920 x 1080 is recommended, and the picture size must be less than 2 MB.

To restore to the default background picture, in any mode, use the following command:
exec customize secure-connect download-webpage-background-picture default

Configuring Upgrade URL for Windows Type Client

The Windows type client checks for and downloads new versions from the configured upgrade
URL. The system has a default URL that links to the official upgrade server, and this URL cannot
be deleted. To configure the upgrade URL, use the following command in the global configuration
mode:
secure-connect update-url ip-address

l ip-address – To use an intranet server to check for and download new versions, enter the URL
of the intranet server. You need to deploy the new version on this intranet server.

To use the default URL that links to the official upgrade server, use the following command in
the global configuration mode:
no secure-connect update-url
To view the default URL that links to the official upgrade server, use the following command in
any mode:
show secure-connect update-url

Notes:

l When the client version is 1.4.4.1199 or below and the StoneOS version is
5.5R1 or above, it is recommended to uninstall the previous client and log in to
the Web page to re-install it.

l If you want the end users to download the Windows type client carried in the
system image, configure this command secure-connect update-url localhost.

l After you import a Windows type client file using the import secure-connect
client command, the secure-connect update-url configuration will not take
effect.

Customizing the Page Title

By default, the title of the client download page is "Hillstone Secure Connect". To customize the
title of the client download page, in the global configuration mode, use the following command:
secure-connect download-web-page-title title

l title - Specifies the title of client download page. The length is 1 to 63 characters.

To delete the customized title of client download page, use the following command in the global
configuration mode. After the customized title is deleted, no title will be displayed on the client
download page.
no secure-connect download-web-page-title
To view the customized title of client download page, use the following command in any mode:
show secure-connect download-web-page-title

Viewing SSL VPN Settings

Use the following commands to view information about SSL VPN.

l Show SSL VPN instance:
show tunnel scvpn [scvpn-instance-name]

l View HTTP sessions of the SSL VPN server being visited:
show scvpn session scvpn-instance-name [user user-name]

l Show online users of the specified SSL VPN instance:
show scvpn client scvpn-instance-name [user user-name]

l Show online users of all SSL VPN instances:
show auth-user scvpn [interface interface-name | vrouter vrouter-name | slot slot-no]

l Show user-host binding list:
show scvpn user-host-binding scvpn-instance-name {host [host-id] | user [user-name]}

l Show the license capacity of SSL VPN authorized users:
show secure-connect user capacity

l Show client upgrade URL:
show secure-connect update-url

l Show client information:
show secure-connect client-info

l Show the customized client download page title:
show secure-connect download-web-page-title

Hillstone Secure Connect Client for Windows


The SSL VPN/ZTNA client for Windows is Hillstone Secure Connect. It can run in the fol-
lowing operating systems:

l Windows7/Windows8.1/Windows10/Windows11

l Windows server 2008 R2/Windows server 2012/Windows server 2012 R2/Windows server
2016/Windows server 2019/Windows server 2022

The encrypted data can be transmitted between the client and the device after a connection has
been established successfully. The functions of the client are:

l Get interface and route information from the PC on which the client is running.

l Show the connecting status, statistics, interface information, and route information.

l Show log messages.

l Upgrade the client software.

l Resolve the resource list information received from the server.

l Collect and report endpoint device status information.

The system supports IPv4 and IPv6 Secure Connect Windows clients.

This section mainly describes how to download, install, start and uninstall the Secure Connect
Windows client, and gives instructions on how to use its GUI and menu. The device side supports
the following authentication methods:

l Username/Password

l Username/Password + Digital Certificate (including USB Key certificate and file certificate)

l Digital Certificate (including USB Key certificate and file certificate) only

Downloading and Installing the Client

Take either of the following methods to download and install the Secure Connect Windows cli-
ent:

l Visit the Hillstone Networks Official Website
https://www.hillstonenet.com/more/services/product-downloads/.

l Visit https://IP-Address:Port-Number on the device side. In the URL, IP-Address and Port-
Number refer to the IP address and HTTPS port number of the egress interface specified in
the SSL VPN/ZTNA instance.

A virtual network adapter will be installed on your PC together with the Secure Connect Win-
dows client. It is used to transmit encrypted data between the device and the client.

Starting Up and Connecting

After the Secure Connect Windows client is installed successfully, take the following steps to
start the client and log in:

1. Double-click the shortcut of Hillstone Secure Connect on your desktop, or from the Start
menu, choose All Programs > Hillstone Secure Connect > Hillstone Secure Connect. The
client main page is displayed.

2. Click Add. The following dialog box is displayed.

Enter the connection information.

Option – Description

TLS/SSL – Select this tab to use the TLS/SSL protocol.

SMSSL – Select this tab to use the SMSSL protocol.

Connection Name – Enter the connection name.

Server – Enter the IP address of the SSL VPN or ZTNA server.

Port – Enter the HTTPS port number of the SSL VPN or ZTNA server.

Auth type – Select the authentication type. "User name/Password", "User name/Password + Digital
certificate" and "Only Digital certificate" are supported. For digital certificate authentication,
software certificates and USB-Key certificates are supported.

User name – Enter the name of the login user. When Auth type is specified as "User name/Password"
or "User name/Password + Digital certificate", the client user name and password should be entered.

Password – Enter the password of the login user. If a local authentication server is configured on
the device, the user name and password should be configured in advance on the device.

Remember Password – After this option is enabled, you do not need to enter the user's password at
the next connection.

Digital certificate – When the authentication type is "User name/Password + Digital certificate" or
"Only Digital certificate", click this option to open the dialog box for selecting a certificate. The
selected certificate will be sent to the device for authentication.

TLS certificate – Options in the "TLS certificate" dialog box are described as follows:

l Use system default certificates: Click this radio button to allow the device to use the Hillstone
UKey certificate as the system default certificate. This is the default setting.

l Use USB-Key certificates: Click this radio button and select a USB-Key certificate from the
current certificate list. The USB Key should be inserted into the USB interface of the PC in
advance. You can use the USB Key deployment tool named SelectUSBKey to set a third-party
certificate as the default certificate. For more information, refer to Third-Party USB Key.

l Use software certificates: Click this radio button and select a software certificate from the
current certificate list. The software certificate should be imported into the PC in advance.

l Current certificate list: Displays the existing certificates in the system. Click the Refresh icon
to update the list.

SMSSL certificate – Options in the "SMSSL certificate" dialog box are described as follows:

l Device: Select the current USB Token device name in the drop-down list. The USB Token device
should be inserted into the USB interface of the PC in advance.

l Application: The application is a structure that contains a container, a device authentication
key, and a file. Select the specified application name in the drop-down list.

l Container: The container is the unique storage space in the USB Token device for saving keys.
It is used to store the encryption key pair, the encryption certificate corresponding to the
encryption key pair, the signature key pair, and the signature certificate corresponding to the
signature key pair. Select the name of the specified container in the drop-down list.

l Signature certificate: Displays the name of the SM2 signature certificate in the specified
container.

l Encryption certificate: Displays the name of the SM2 encryption certificate in the specified
container.

PIN – Enter the PIN code of the USB Key when the authentication type is "User name/Password +
Digital certificate" or "Only Digital certificate".

Remember PIN – After this option is enabled, you do not need to enter the PIN at the next
connection.

Optimal channel – Set whether to enable the optimal path detection function. For more information
about optimal path detection, see Selecting an Optimal Path. It is disabled by default.

Gateway detection – Set whether to enable the gateway detection function, which applies in the
ZTNA access scenario. If the ZTNA device has a backup gateway configured, ZTNA users can enable
gateway detection on ZTNA clients. When a user logs in, the ZTNA client obtains the backup gateway
list, detects the link quality of each gateway and establishes a connection to the one with the best
link quality. After the connection is established, the ZTNA client detects and updates the link
quality of all gateways every 30 minutes. If a connection or login failure occurs, the ZTNA client
switches to the gateway with the best link quality. It is enabled by default.

Preferred gateway – After gateway detection is enabled, the ZTNA client obtains the backup gateway
list during user login. At this time, users can manually select a preferred gateway. By default, the
preferred gateway is not set. If it is set, the ZTNA client preferentially connects to it when the
user logs in via this client again. If the connection fails, the ZTNA client switches to the gateway
with the best link quality.

SPA – Set whether to enable the SPA function, which applies in the ZTNA access scenario. If the ZTNA
device has SPA enabled and is configured with a hidden IP address and port number, ZTNA users also
need to enable SPA on ZTNA clients. When a user logs in via the ZTNA client, the user needs to pass
single packet authorization before establishing a connection to the ZTNA device. When SPA is
disabled, or is enabled but not configured with a hidden IP address and port number on the ZTNA
device, the ZTNA device will not perform single packet authorization on the clients, no matter
whether SPA is enabled on the clients.

l Enable: When SPA is enabled, the knock port should be manually specified.

l Disable: When SPA is disabled, ZTNA clients will not knock when logging in.

l Auto: No matter whether SPA is enabled on the ZTNA device, the client assumes that the ZTNA
device requires single packet authorization and knocks on the default knock port number. This is
the default option.

Stability Optimization – Set whether to use TCP for data transmission. This function applies in the
SSL VPN access scenario. It is disabled by default. To use it, make sure the device side has the TCP
port configured.

Tips: If the password control function and the change password function are enabled on the
device, the system will, for example, remind the user to change the password before and after
the password expires, and check the password history to ensure that the new password differs
from previous passwords. For more information about the password control function, refer to
Configuring a Local AAA Server.

3. After the connection information configuration is completed, click OK. The system will
save a login entry. If needed, you can repeat the previous steps to add more login entries.

4. On the client main page, the configured connection information has been saved as a login
entry. Click Connect. The client will attempt to establish a connection to the device.

5. If SMS authentication is enabled, type the authentication code into the box in the SMS
Auth dialog (as shown below) and click Verify. If you have not received the authentication
code within one minute, you can re-apply by clicking Resend.

6. If token authentication is enabled on the device side, the token Authentication dialog will
appear. You need to pass the token authentication.

l After passing the authentication, you have three chances to type the authentication
code. If you give an incorrect authentication code three times in succession, the
connection will be disconnected automatically.

l You have three chances to apply the authentication code, and the sending interval is
one minute. Re-applying authentication code will void the old code, thus you must
provide the latest code to pass the authentication.

7. If Email authentication is enabled on the device side, the Email Authentication dialog will
appear. You need to pass the Email authentication.

l After passing the authentication, you have three chances to type the authentication
code. If you give incorrect authentication code three times in succession, the con-
nection will be disconnected automatically.

l You have three chances to apply the authentication code, and the sending interval is
one minute. Re-applying authentication code will void the old code, thus you must
provide the latest code to pass the authentication.

After the above steps, the client connects to the server automatically. Once the connection has
been established successfully, the icon ( ) is displayed in the notification area, and encrypted
communication between the client and server can begin.

Editing and Deleting Login Entry

To edit or delete a login entry, place the cursor on the login entry. Click the icon to edit the
entry, or the icon to delete the entry.

Viewing Connection and Statistics Information

On the client main page, click the Statistics tab to view connection and statistics information.

Address information: Shows the IP addresses.
Server – The IP address of the connected SSL VPN/ZTNA server.
Client – The IP address of the client.

Encryption information: Shows the encryption information.
Cipher suite – The encryption algorithm and authentication algorithm used by SSL VPN/ZTNA.
Cipher version – The SSL version used by SSL VPN/ZTNA.

Connection Status
Status – The current connection state between the client and server.

IP Compress
Algorithm – Shows the compression algorithm used by SSL VPN/ZTNA.

Tunnel Packets
Send – The number of packets sent through the encryption tunnel.
Receive – The number of packets received through the encryption tunnel.

Tunnel Bytes
Send – Bytes sent through the SSL VPN/ZTNA tunnel.
Receive – Bytes received through the SSL VPN/ZTNA tunnel.

During
During – Time period during which the client has been online.

Compress rate
Send – Length ratio of sent data after compression.
Receive – Length ratio of received data after compression.

Viewing Interface and Routing Information

On the client main page, click the Interface tab to view interface information; click the Route tab
to view routing information.

Option Description

Interface name: The name of the interface used to send encrypted data.

Interface type: The type of the interface used to send encrypted data.

Interface status: The status of the interface used to send encrypted data.

IP address type: The IP address type of the interface used to send encrypted data.

IP address: The IP address (allocated by the device) of the interface used to send encrypted data.

Subnet mask: The subnet mask of the interface used to send encrypted data.

Default Gateway: The default gateway address of the interface used to send encrypted data.

DNS Server address: The address of the DNS server used by the client.

WINS address: The address of the WINS server used by the client.

Viewing Log Information

On the client main page, click the Log tab to view log information.

Click the icon and select "Log Level" to set the level of logs to be displayed.

Third-party USB Key

The Hillstone UKey certificate is the default certificate for USB Key authentication. When
authenticating with the Hillstone UKey certificate, the client selects the Hillstone UKey certificate
automatically and sends it to the server, and the server performs the authentication with the default
certificate. This authentication process is transparent to the authenticated clients, i.e., the client
need not choose the certificate. If a third-party USB Key is used, you can set the third-party
certificate as the default certificate to simplify the authentication process by using the tool named
SelectUSBKey.
To set the third-party certificate as the default certificate, first export the CSP Name of the USB
Key in the form of a registry file, and then add the exported file content to the registry of the
client PC.
To export the CSP Name of the USB Key, take the following steps:

1. Install the driver of the third-party USB Key.

2. Insert the third-party USB Key.

3. Double click SelectUSBKey.exe, and the Select Default Certificate dialog is shown as
below:

Export: Exports the CSP Name of the USB Key in form of a registry file.
Update: Refreshes the certificate list.
Close: Closes the dialog.

4. Select the certificate you want from the certificate list, and then click Export.

After exporting the CSP Name of the USB Key, double-click the exported file, and then add the
content to the registry of the client PC. When authenticating with the third-party certificate, the
client will automatically select the third-party USB Key certificate and send it to the server.

Client Menu

Right-click the green icon of the client to open the client menu. The menu items are described
below:

• Change Password: Displays the dialog for changing the password.

• Redirect URL: When the device end has a redirect URL configured, users can click this menu
item to jump to this URL address.

• Resource List: When accessing the SCVPN service, the user can click this menu item to open
the browser page displaying internal resources.

• Application Resource List: When a user successfully connects to a ZTNA service using the
Secure Connect client, this menu item is displayed. After the user logs in, a ZTNA portal page
is displayed. After it is closed, the user can click this menu item to display the latest ZTNA
portal page and view the application resource access privileges. The portal page displays the
application resources to which the user is and is not granted access. For those to which the
user is not granted access, the user can attempt to acquire the access privilege by adjusting the
access terminal configurations. The application resources that the user is denied from accessing
are not displayed on the portal page. If a user is denied from accessing any application
resources, the portal page displays a message indicating that no Web resources are available to
the user.

• Show Window: When the Secure Connect client window is minimized, click this menu item
to display the client main page.

• Quit: Click Quit to close the client.



General Configuration

Click Settings on the client main page.

• Startup and automatic run: Enable this option to automatically run the client when the PC is
starting.

• Automatic reconnect: Enable this option to automatically reconnect to the SSL VPN/ZTNA
server when the connection is hung up.

• Automatic login: Enable this option to allow the specified user to log in automatically when
the client is starting. Select the auto login user from the drop-down list.

• Minimize window: Enable this option to allow the client window to be minimized.

Uninstalling the Client

To uninstall the client on your PC, from the Start menu, click All Programs > Hillstone Secure
Connect > Uninstall.

Hillstone Secure Connect Client for Linux


The SSL VPN/ZTNA client for Linux is Hillstone Secure Connect. It can run on the following
operating systems:

• CentOS 7.6/7.7/7.8/7.9/8.0/8.1/8.2/8.3/8.4/8.5

• Ubuntu 18.04/18.10/19.04/19.10/20.04/20.10/21.04

• Ubuntu Kylin 18.04/20.04



The encrypted data can be transmitted between the client and the SSL VPN/ZTNA server after a
connection has been established successfully. The functions of the client are:

• Get interface and route information from the PC on which the client is running.

• Show the connection status, traffic statistics, and route information.

• Show log messages.

• Collect and report endpoint status information.

CentOS 7.6 is used as an example to describe downloading and installing the client, starting the
client and establishing a connection, upgrading and uninstalling the client, and the client GUI and
menu. For the client configuration on the other three Linux systems, refer to the 64-bit Ubuntu
Kylin 16.04 desktop.

Downloading and Installing the Client

To download and install the Secure Connect Linux client, take the following steps:

1. Visit the Hillstone Networks official website
https://www.hillstonenet.com/more/services/product-downloads/, or
https://IP-Address:Port-Number on the device side. In the URL, IP-Address and
Port-Number refer to the IP address and HTTPS port number of the egress interface specified
in the SSL VPN/ZTNA instance.

2. After downloading the installation file, right-click the client icon and select Properties to go
to the properties page. In the properties page, click Permissions tab and check Allow execut-
ing files as program, then close it.

3. Double-click the client icon and follow the setup wizard to complete the installation.

Starting Up and Connecting

After the Secure Connect Linux client is installed successfully, take the following steps to start
and log in the client:



1. Double-click the Hillstone Secure Connect icon on your desktop. The client main page is
displayed.

2. Click Add. The following dialog box is displayed.

Enter the connection information.

Option Description

TLS/SSL: Select this tab to use the TLS/SSL protocol.

SMSSL: Select this tab to use the SMSSL protocol.

Connection Name: Enter the connection name.

Server: Enter the IP address of the SSL VPN or ZTNA server.

Port: Enter the HTTPS port number of the SSL VPN or ZTNA server.

User name: Enter the name of the login user.

Password: Enter the password of the login user. If a local authentication server is configured on
the device, the user name and password must be configured in advance on the device.

Remember Password: After this option is enabled, you do not need to enter the user's password
at the next connection.

Optimal channel: Set whether to enable the optimal path detection function. For more
information about optimal path detection, see Selecting an Optimal Path. It is disabled by default.

Gateway detection: Set whether to enable the gateway detection function, which applies in the
ZTNA access scenario. If the ZTNA device has a backup gateway configured, ZTNA users can
enable gateway detection on ZTNA clients. When a user logs in, the ZTNA client obtains the
backup gateway list, detects the link quality of each gateway and establishes a connection to the
one with the best link quality. After the connection is established, the ZTNA client detects and
updates the link quality of all gateways every 30 minutes. If a connection or login failure occurs,
the ZTNA client switches to the gateway with the best link quality. It is enabled by default.

Preferred gateway: After gateway detection is enabled, the ZTNA client obtains the backup
gateway list during user login. At this time, users can manually select a preferred gateway. By
default, the preferred gateway is not set. If it is set, the ZTNA client preferentially connects to it
when the user logs in via this client again. If the connection fails, the ZTNA client switches to the
gateway with the best link quality.

SPA: Set whether to enable the SPA function, which applies in the ZTNA access scenario. If the
ZTNA device has SPA enabled and is configured with a hidden IP address and port number,
ZTNA users also need to enable SPA on ZTNA clients. When a user logs in via the ZTNA client,
the user needs to pass single packet authorization before establishing a connection to the ZTNA
device. When SPA is disabled, or is enabled but not configured with a hidden IP address and port
number on the ZTNA device, the ZTNA device does not perform single packet authorization on
the clients, no matter whether SPA is enabled on the clients.

• Enable: When SPA is enabled, the knock port must be manually specified.

• Disable: When SPA is disabled, ZTNA clients do not knock when logging in.

• Auto: No matter whether SPA is enabled on the ZTNA device, clients assume that the ZTNA
device requires single packet authorization and knock on the default knock port number. This is
the default option.

Stability Optimization: Set whether to use TCP for data transmission. This function applies in
the SSL VPN access scenario. It is disabled by default. To use it, make sure the device side has the
TCP port configured.

Tips: If the password control function and the change password function are enabled on the
device, the system will, for example, remind the user to change the password before and after the
password expires, and check the password history to ensure that the new password differs from
the previous password. For more information about the password control function, refer to
Configuring a Local AAA Server.

3. After the connection information configuration is completed, click OK. The system will
save a login entry. If needed, you can repeat the previous steps to add more login entries.

4. On the client main page, the configured connection information has been saved as a login
entry. Click Connect. The client will attempt to establish a connection to the device.

5. If SMS authentication, email authentication or token authentication is enabled, enter the cor-
responding authentication code to complete the authentication.



After the client connects to the SSL VPN/ZTNA server, encrypted data can be transmitted
between the client and the server.

Editing and Deleting Login Entry

To edit or delete a login entry, place the cursor on the login entry. Click the edit icon to edit the
entry, or the delete icon to delete the entry.

Viewing Connection and Statistics Information

On the client main page, click the Statistics tab to view connection and statistics information.

Address information: Shows the IP addresses.

Server: The IP address of the connected SSL VPN/ZTNA server.

Client: The IP address of the client.

Encryption information: Shows the encryption information.

Cipher suite: The encryption algorithm and authentication algorithm used by SSL VPN/ZTNA.

Cipher version: The SSL version used by SSL VPN/ZTNA.

Connection Status

Status: The current connection state between the client and server.

IP Compress

Algorithm: The compression algorithm used by SSL VPN/ZTNA.

Tunnel Packets

Send: The number of packets sent through the encryption tunnel.

Receive: The number of packets received through the encryption tunnel.

Tunnel Bytes

Send: Bytes sent through the SSL VPN/ZTNA tunnel.

Receive: Bytes received through the SSL VPN/ZTNA tunnel.

During

During: Time period during which the client is online.

Compress rate

Send: Length ratio of sent data after compression.

Receive: Length ratio of received data after compression.

Viewing Interface and Routing Information

On the client main page, click the Interface tab to view interface information; click the Route tab
to view routing information.

Option Description

Interface name: The name of the interface used to send encrypted data.

Interface type: The type of the interface used to send encrypted data.

Interface status: The status of the interface used to send encrypted data.

IP address type: The IP address type of the interface used to send encrypted data.

IP address: The IP address (allocated by the device) of the interface used to send encrypted data.

Subnet mask: The subnet mask of the interface used to send encrypted data.

Default Gateway: The default gateway address of the interface used to send encrypted data.

DNS Server address: The address of the DNS server used by the client.

WINS address: The address of the WINS server used by the client.

Viewing Log Information

On the client main page, click the Log tab to view log information.

Click the icon and select "Log Level" to set the level of logs to be displayed.

Client Menu

Right-click the green icon of the client to open the client menu. The menu items are described
below:

• Change Password: Displays the dialog for changing the password.

• Redirect URL: When the device end has a redirect URL configured, users can click this menu
item to jump to this URL address.

• Resource List: When accessing the SCVPN service, the user can click this menu item to open
the browser page displaying internal resources.

• Application Resource List: When a user successfully connects to a ZTNA service using the
Secure Connect client, this menu item is displayed. After the user logs in, a ZTNA portal page
is displayed. After it is closed, the user can click this menu item to display the latest ZTNA
portal page and view the application resource access privileges. The portal page displays the
application resources to which the user is and is not granted access. For those to which the
user is not granted access, the user can attempt to acquire the access privilege by adjusting the
access terminal configurations. The application resources that the user is denied from accessing
are not displayed on the portal page. If a user is denied from accessing any application
resources, the portal page displays a message indicating that no Web resources are available to
the user.

• Show Window: When the Secure Connect client window is minimized, click this menu item
to display the client main page.

• Quit: Click Quit to close the client.

General Configuration

Click Settings on the client main page.

• Automatic reconnect: Enable this option to automatically reconnect to the SSL VPN/ZTNA
server when the connection is hung up.

• Automatic login: Enable this option to allow the specified user to log in automatically when
the client is starting. Select the auto login user from the drop-down list.

• Minimize window: Enable this option to allow the client window to be minimized.

Hillstone Secure Connect Client for Android


The SSL VPN/ZTNA client for Android is Hillstone Secure Connect. It can run on Android
8.x/Android 9.x/Android 10.x/Android 11.x/Android 12.x/Android 13.x/HongmengOS 2.0. The
functions of the Secure Connect Android client include the following:

• Obtain the interface information of the Android OS.

• Display the connection status with the device, traffic statistics, interface information, and
routing information.

• Display the log information of the application.

• Collect and report endpoint status information.

Downloading and Installing the Client

To download and install the Secure Connect Android client, take the following steps:



1. Visit https://www.hillstonenet.com/more/services/product-downloads/ to download the
installation file of the client, or https://IP-Address:Port-Number on the device side. In the
URL, IP-Address and Port-Number refer to the IP address and HTTPS port number of the
egress interface specified in the SSL VPN/ZTNA instance.

2. Use the Android device to scan the QR code of the Secure Connect Android client.

3. Open the URL and download the Hillstone-Secure-Connect-Version_Number.apk file.

4. After downloading successfully, find this file in the Android device.

5. Click it and the installation starts.

6. Read the permission requirement.

7. Click Install.

After installing the client successfully, the icon of the Secure Connect Android client appears in
the desktop as shown below.

Starting Up and Connecting

After the Secure Connect Android client is installed successfully, take the following steps to start
and log in the client:

1. Double-click the Hillstone Secure Connect icon on the desktop and enter the client main
page.

2. In the "Home" tab, click "+" and enter the "Add Connection" page.

Enter the connection information.



Option Description

Authentication Method: Select the authentication method. "User name/password", "User
name/password + Digital Certificate" and "Digital Certificate" are supported.

Connection Name: Enter the connection name.

Server Address: Enter the IP address of the SSL VPN or ZTNA server.

Port: Enter the HTTPS port number of the SSL VPN or ZTNA server.

User name: Enter the name of the login user. When the authentication method is "User
name/password" or "User name/password + Digital Certificate", the client user name and
password must be entered.

Password: Enter the password of the login user. If a local authentication server is configured on
the device, the user name and password must be configured in advance on the device.

PIN: Enter the PIN code of the USB Key when the authentication type is "User name/password +
Digital certificate" or "Digital certificate".

Password Standard: Select the SSL protocol type:

• TLS/SSL: indicates the TLS/SSL protocol.

• GMSSL: indicates the GUOMI SSL protocol.

Select Certificate: Select the digital certificate that has been imported into the Android device in
advance.

Gateway Detection: Set whether to enable the gateway detection function, which applies in the
ZTNA access scenario. If the ZTNA device has a backup gateway configured, ZTNA users can
enable gateway detection on ZTNA clients. When a user logs in, the ZTNA client obtains the
backup gateway list, detects the link quality of each gateway and establishes a connection to the
one with the best link quality. After the connection is established, the ZTNA client detects and
updates the link quality of all gateways every 30 minutes. If a connection or login failure occurs,
the ZTNA client switches to the gateway with the best link quality.

Optimal Gateway: After gateway detection is enabled, the ZTNA client obtains the backup
gateway list during user login. At this time, users can manually select a preferred gateway. By
default, the preferred gateway is not set. If it is set, the ZTNA client preferentially connects to it
when the user logs in via this client again. If the connection fails, the ZTNA client switches to the
gateway with the best link quality.

SPA: Set whether to enable the SPA function, which applies in the ZTNA access scenario. If the
ZTNA device has SPA enabled and is configured with a hidden IP address and port number,
ZTNA users also need to enable SPA on ZTNA clients. When a user logs in via the ZTNA client,
the user needs to pass single packet authorization before establishing a connection to the ZTNA
device. When SPA is disabled, or is enabled but not configured with a hidden IP address and port
number on the ZTNA device, the ZTNA device does not perform single packet authorization on
the clients, no matter whether SPA is enabled on the clients.

• On: When SPA is enabled, the knock port must be manually specified. By default, SPA is
enabled.

• Off: When SPA is disabled, ZTNA clients do not knock when logging in.

• Auto: No matter whether SPA is enabled on the ZTNA device, clients assume that the ZTNA
device requires single packet authorization and knock on the default knock port number.

Tips: If the password control function and the change password function are enabled on the
device, the system will, for example, remind the user to change the password before and after the
password expires, and check the password history to ensure that the new password differs from
the previous password. For more information about the password control function, refer to
Configuring a Local AAA Server.

3. After the connection information configuration is completed, click OK. The system will
save a login entry. If needed, you can repeat the previous steps to add more login entries.

4. On the client main page, the configured connection information has been saved as a login
entry. Select it and click Connection Status to start the connection.

5. If SMS authentication, token authentication or email authentication is enabled, you need to
enter the corresponding authentication code to complete the authentication.

After the client connects to the SSL VPN/ZTNA server, encrypted communication between the
client and server is available.

Editing and Deleting Login Entry

To edit a login entry, click the edit icon;

To delete a login entry, press it and drag it to the right.

Viewing Connection Information

Click "Information" tab on the client main page to view connection statistics, interface and rout-
ing information.

Option Description

Server Address: IP address of the connected SSL VPN/ZTNA server.

Port: Port number of the connected SSL VPN/ZTNA server.

User Name: Login user name of the connected SSL VPN/ZTNA server.

Connection Duration: Time period during which the client is online.

Receive Bytes: Received bytes through the encryption tunnel.

Send Bytes: Sent bytes through the encryption tunnel.

Receive Packets: Number of received packets through the encryption tunnel.

Send Packets: Number of sent packets through the encryption tunnel.

Receive Compression Rate: Length ratio of received data after compression.

Send Compression Rate: Length ratio of sent data after compression.

Interface statistics:

Option Description

Interface Name: The name of the interface used to send encrypted data.

Interface Type: The type of the interface used to send encrypted data.

Interface State: The status of the interface used to send encrypted data.

Physical Address: The MAC address of the interface used to send encrypted data.

IP Address Type: The IP address type of the interface used to send encrypted data.

Network Address: The IP address (allocated by the device) of the interface used to send
encrypted data.

Subnet Mask: The subnet mask of the interface used to send encrypted data.

Default Gateway: The default gateway address of the interface used to send encrypted data.

DNS Address: The address of the DNS server used by the client.



Hillstone Secure Connect Client for iOS
The SSL VPN/ZTNA client for iOS is Hillstone Secure Client. It supports iOS 12.x/iOS
13.x/iOS 14.x/iOS 15.x/iOS 16.x. The Secure Connect iOS client mainly has the following
functions:

• Simplify the tunnel creation process between the iOS device and the Hillstone device.

• Display the connection status between the iOS device and the Hillstone device.

• Display the log information.

• Collect and report endpoint device status information.

Downloading and Installing the Client

You can use any of the following methods to download and install the Secure Connect iOS
client:

• Search for Hillstone Secure Client(beta) in the App Store.

• Visit https://www.hillstonenet.com/more/services/product-downloads/, locate the QR
code for the iOS client, scan the code with the iOS device and then jump to the App Store for
downloading and installation.

• Visit https://IP-Address:Port-Number on the device side. In the URL, IP-Address and
Port-Number refer to the IP address and HTTPS port number of the egress interface specified
in the SSL VPN/ZTNA instance.

Starting Up and Connecting

After the client is installed successfully, for the first time login, take the following steps to start
and log in the client:



1. Double-click the Hillstone Secure Connect icon on the desktop and enter the client main
page.

2. In the "Home" tab, click "+" and enter the "Add Connection" page.
Enter the connection information.

Option Description

Connection Name: Enter the connection name.

Server Address: Enter the IP address of the SSL VPN or ZTNA server.

Port: Enter the HTTPS port number of the SSL VPN or ZTNA server.

User name: Enter the name of the login user.

Password: Enter the password of the login user. If a local authentication server is configured on
the device, the user name and password must be configured in advance on the device.

Password Standard: Select the SSL protocol type:

• TLS/SSL: indicates the TLS/SSL protocol.

• GMSSL: indicates the GUOMI SSL protocol.

Gateway Detection: Set whether to enable the gateway detection function, which applies in the
ZTNA access scenario. If the ZTNA device has a backup gateway configured, ZTNA users can
enable gateway detection on ZTNA clients. When a user logs in, the ZTNA client obtains the
backup gateway list, detects the link quality of each gateway and establishes a connection to the
one with the best link quality. After the connection is established, the ZTNA client detects and
updates the link quality of all gateways every 30 minutes. If a connection or login failure occurs,
the ZTNA client switches to the gateway with the best link quality.

Optimal Gateway: After gateway detection is enabled, the ZTNA client obtains the backup
gateway list during user login. At this time, users can manually select a preferred gateway. By
default, the preferred gateway is not set. If it is set, the ZTNA client preferentially connects to it
when the user logs in via this client again. If the connection fails, the ZTNA client switches to the
gateway with the best link quality.

SPA: Set whether to enable the SPA function, which applies in the ZTNA access scenario. If the
ZTNA device has SPA enabled and is configured with a hidden IP address and port number,
ZTNA users also need to enable SPA on ZTNA clients. When a user logs in via the ZTNA client,
the user needs to pass single packet authorization before establishing a connection to the ZTNA
device. When SPA is disabled, or is enabled but not configured with a hidden IP address and port
number on the ZTNA device, the ZTNA device does not perform single packet authorization on
the clients, no matter whether SPA is enabled on the clients.

• On: When SPA is enabled, the knock port must be manually specified. By default, SPA is
enabled.

• Off: When SPA is disabled, ZTNA clients do not knock when logging in.

• Auto: No matter whether SPA is enabled on the ZTNA device, clients assume that the ZTNA
device requires single packet authorization and knock on the default knock port number.

Tips: If the password control function and the change password function are enabled on the
device, the system will, for example, remind the user to change the password before and after the
password expires, and check the password history to ensure that the new password differs from
the previous password. For more information about the password control function, refer to
Configuring a Local AAA Server.

3. After the connection information configuration is completed, click OK. The system will
save a login entry. If needed, you can repeat the previous steps to add more login entries.

4. On the client main page, the configured connection information has been saved as a login
entry. Select it and click Connection Status to start the connection.

5. If SMS, token or email authentication is enabled, type the corresponding code to complete
the authentication.

6. After login, the iOS device will start the VPN configuration deployment automatically. In
the Would Like to Add VPN Configurations page, click Allow.

7. Enter your passcode. The passcode is the one for unlocking your iOS screen. With the correct
passcode entered, the iOS device starts to install the profile.

8. After the installation is complete, start Settings of the iOS device and navigate to VPN.

9. Select the configured connection name and click the Connect button.

10. After the client connects to the SSL VPN/ZTNA server, encrypted communication between
the client and server is available.

Notes: For subsequent logins, you do not need to perform the VPN configuration
deployment steps. You can log in the client and start the connection directly.
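The Gateway Detection and Optimal/Preferred Gateway rows in the connection tables for the Linux, Android and iOS clients all describe the same selection behaviour: probe every gateway in the backup list, connect to the one with the best link quality, try a user-chosen preferred gateway first when it is set, fall back to the best remaining gateway on failure, and re-measure every 30 minutes. The following is an added example that expresses that behaviour as a selection routine; it is written for this guide and is not Hillstone's client code. The guide does not name the link-quality metric, so round-trip time in milliseconds is assumed here, and the probe/connect callbacks, the function names and the constructed sample gateways are assumptions.

```python
# Added example (not Hillstone's code): gateway selection modelled on the
# gateway detection and preferred gateway behaviour the guide describes for
# the Linux, Android and iOS clients. "Link quality" is assumed to be a
# round-trip time in milliseconds (the guide does not name the metric);
# the probe/connect callables and function names are assumptions.
from typing import Callable, Dict, List, Optional, Set, Tuple

RECHECK_INTERVAL_S = 30 * 60   # the guide: re-measure all gateways every 30 minutes

Probe = Callable[[str], Optional[float]]   # gateway -> RTT in ms, None if unreachable
Connect = Callable[[str], bool]            # gateway -> True when the login succeeds


def measure_all(gateways: List[str], probe: Probe) -> Dict[str, Optional[float]]:
    """Detect the link quality of every gateway in the backup gateway list."""
    return {gw: probe(gw) for gw in gateways}


def best_gateway(quality: Dict[str, Optional[float]],
                 exclude: Optional[Set[str]] = None) -> Optional[str]:
    """Lowest RTT among reachable gateways not in exclude; ties broken by name."""
    skip = exclude or set()
    candidates = {gw: q for gw, q in quality.items()
                  if q is not None and gw not in skip}
    if not candidates:
        return None
    return min(candidates, key=lambda gw: (candidates[gw], gw))


def login(gateways: List[str], probe: Probe, connect: Connect,
          preferred: Optional[str] = None) -> Tuple[Optional[str], List[str]]:
    """Connect as the guide describes: the preferred gateway first when it is
    set and reachable, otherwise the best link quality; on a connection
    failure switch to the best remaining gateway. Returns the connected
    gateway (or None) and the order in which gateways were tried."""
    quality = measure_all(gateways, probe)
    tried: List[str] = []
    failed: Set[str] = set()
    if preferred is not None and quality.get(preferred) is not None:
        chosen: Optional[str] = preferred
    else:
        chosen = best_gateway(quality)
    while chosen is not None:
        tried.append(chosen)
        if connect(chosen):
            return chosen, tried
        failed.add(chosen)
        chosen = best_gateway(quality, exclude=failed)
    return None, tried


def needs_recheck(last_check: float, now: float) -> bool:
    """True once the 30-minute detection interval has elapsed."""
    return now - last_check >= RECHECK_INTERVAL_S


# Constructed sample data: three gateways, one unreachable and one that
# refuses the login on this attempt even though it has the best RTT.
SAMPLE_RTT: Dict[str, Optional[float]] = {"gw-a": 20.0, "gw-b": 5.0, "gw-c": None}


def sample_probe(gw: str) -> Optional[float]:
    return SAMPLE_RTT[gw]


def sample_connect(gw: str) -> bool:
    return gw != "gw-b"


if __name__ == "__main__":
    print(login(list(SAMPLE_RTT), sample_probe, sample_connect))
    print(login(list(SAMPLE_RTT), sample_probe, sample_connect, preferred="gw-a"))
```

With the sample data, a login without a preferred gateway tries gw-b first (best RTT), fails there, and ends up on gw-a; with gw-a preferred it connects directly. An unreachable preferred gateway is ignored and the best-quality path is used instead, which matches the fallback the tables describe.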

Editing and Deleting Login Entry

To edit a login entry, click the edit icon;

To delete a login entry, press it and drag it to the right.

Viewing Connection Information

Click "Information" tab on the client main page to view connection statistics, interface and rout-
ing information.

Option Description

Server Address: IP address of the connected SSL VPN/ZTNA server.

Port: Port number of the connected SSL VPN/ZTNA server.

User Name: Login user name of the connected SSL VPN/ZTNA server.

Connection Duration: Time period during which the client is online.

Receive Bytes: Received bytes through the encryption tunnel.

Send Bytes: Sent bytes through the encryption tunnel.

Receive Packets: Number of received packets through the encryption tunnel.

Send Packets: Number of sent packets through the encryption tunnel.

Receive Compression Rate: Length ratio of received data after compression.

Send Compression Rate: Length ratio of sent data after compression.

Interface statistics:

Option Description

Interface Name: The name of the interface used to send encrypted data.

Interface Type: The type of the interface used to send encrypted data.

Interface State: The status of the interface used to send encrypted data.

Physical Address: The MAC address of the interface used to send encrypted data.

IP Address Type: The IP address type of the interface used to send encrypted data.

Network Address: The IP address (allocated by the device) of the interface used to send
encrypted data.

Subnet Mask: The subnet mask of the interface used to send encrypted data.

Default Gateway: The default gateway address of the interface used to send encrypted data.

DNS Address: The address of the DNS server used by the client.

Hillstone Secure Connect Client for macOS


The SSL VPN/ZTNA client for macOS is Hillstone Secure Connect. It runs on macOS 10.13, 10.14, 10.15, 11.0, 12.0 and 13.0. Encrypted data can be transmitted between the client and the SSL VPN/ZTNA server after a connection has been established successfully. The functions of the client are:

l Establish the encrypted connection with the SSL VPN/ZTNA server.

l Show the connection status, traffic statistics, and route information.

l Show log messages.

l Collect and report endpoint device status information.

Downloading and Installing the Client

To download and install the Secure Connect macOS client, take the following steps:

1. Visit the Hillstone Networks official website https://www.hillstonenet.com/more/services/product-downloads/, or https://IP-Address:Port-Number on the device side. In the URL, IP-Address and Port-Number refer to the IP address and HTTPS port number of the egress interface specified in the SSL VPN/ZTNA instance.

2. After downloading the installation file, double-click it. In the pop-up, drag the Secure Connect macOS client to the Applications folder to perform the installation.

Notes: To open the installation file, you must have administrator permissions and select Anywhere in System Preferences > Security & Privacy > General > Allow apps downloaded from.



Starting Up and Connecting

After the Secure Connect macOS client is installed successfully, take the following steps to start the client and log in:

1. Select Launchpad > Hillstone Secure Connect. The client starts.

2. Click Add. The following dialog box is displayed.

Enter the connection information.



Option Description

TLS/SSL: Select this tab to use the TLS/SSL protocol.

SMSSL: Select this tab to use the SMSSL protocol.

Connection Name: Enter the connection name.

Server: Enter the IP address of the SSL VPN or ZTNA server.

Port: Enter the HTTPS port number of the SSL VPN or ZTNA server.

Auth type: The authentication type is username/password.

User name: Enter the name of the login user.

Password: Enter the password of the login user. If a local authentication server is configured on the device, the user name and password should be configured in advance on the device.

Remember Password: After this option is selected, you do not need to enter the user's password at the next connection.

Optimal channel: Set whether to enable the optimal path detection function. It is disabled by default.

Gateway detection: Set whether to enable the gateway detection function, which applies in the ZTNA access scenario. If the ZTNA device has a backup gateway configured, ZTNA users can enable gateway detection on ZTNA clients. When a user logs in, the ZTNA client obtains the backup gateway list, detects the link quality of each gateway and establishes a connection to the one with the best link quality. After the connection is established, the ZTNA client detects and updates the link quality of all gateways every 30 minutes. If a connection or login failure occurs, the ZTNA client switches to the gateway with the best link quality. It is enabled by default.

Preferred gateway: After gateway detection is enabled, the ZTNA client obtains the backup gateway list during user login. At this time, users can manually select a preferred gateway. By default, the preferred gateway is not set. If it is set, the ZTNA client preferentially connects to it when the user logs in via this client again. If the connection fails, the ZTNA client switches to the gateway with the best link quality.

SPA: Set whether to enable the SPA function, which applies in the ZTNA access scenario. If the ZTNA device has SPA enabled and is configured with a hidden IP address and port number, ZTNA users also need to enable SPA on ZTNA clients. When a user logs in via the ZTNA client, the user needs to pass single packet authorization before establishing a connection to the ZTNA device. When SPA is disabled, or is enabled but not configured with a hidden IP address and port number on the ZTNA device, the ZTNA device does not perform single packet authorization on the clients no matter whether SPA is enabled on the clients.

l Enable: When SPA is enabled, the knock port should be manually specified.

l Disable: When SPA is disabled, ZTNA clients will not knock when logging in.

l Auto: No matter whether SPA is enabled on the ZTNA device, the client assumes that the ZTNA device requires single packet authorization and knocks on the default knock port number. This is the default option.

Stability Optimization: Set whether to use TCP for data transmission. This function applies in the SSL VPN access scenario. It is disabled by default. To use it, make sure the device side has the TCP port configured.

Tips: If the password control function and the change password function are enabled on the device, the system reminds the user to change the password before and after the password expires, and checks the historical passwords to ensure that the new password is different from the previous passwords. For more information about the password control function, refer to Configuring a Local AAA Server.

3. After the connection information configuration is completed, click OK. The system will
save a login entry. If needed, you can repeat the previous step to add more login entries.

4. On the client main page, the configured connection information has been saved as a login
entry. Click Connect. The client will attempt to establish a connection to the device.



5. If SMS authentication, email authentication or token authentication is enabled, enter the corresponding authentication code to complete the authentication.

After finishing the above steps, the client connects to the server automatically.

Editing and Deleting Login Entry

To edit or delete a login entry, place the cursor on the login entry. Click the icon to edit the entry, and the icon to delete the entry.

Viewing Connection and Statistics Information

On the client main page, click the Statistics tab to view connection and statistics information.

Address information: Shows the IP addresses.

Server: The IP address of the connected SSL VPN/ZTNA server.

Client: The IP address of the client.

Encryption information: Shows the encryption information.

Cipher suite: The encryption algorithm and authentication algorithm used by SSL VPN/ZTNA.

Cipher version: The SSL version used by SSL VPN/ZTNA.

Connection Status

Status: The current connecting state between the client and server.

IP Compress

Algorithm: Shows the compression algorithm used by SSL VPN/ZTNA.

Tunnel Packets

Send: The number of sent packets through the encryption tunnel.

Receive: The number of received packets through the encryption tunnel.

Tunnel Bytes

Send: Bytes sent through the SSL VPN/ZTNA tunnel.

Receive: Bytes received through the SSL VPN/ZTNA tunnel.

During

During: Time period during which the client is online.

Compress rate

Send: Length ratio of sent data after compression.

Receive: Length ratio of received data after compression.

Viewing Interface and Routing Information

On the client main page, click the Interface tab to view interface information; click the Route tab
to view routing information.



Option Description

Interface name: The name of the interface used to send encrypted data.

Interface type: The type of the interface used to send encrypted data.

Interface status: The status of the interface used to send encrypted data.

IP address type: The IP address type of the interface used to send encrypted data.

IP address: The IP address (allocated by the device) of the interface used to send encrypted data.

Subnet mask: The subnet mask of the interface used to send encrypted data.

Default Gateway: The default gateway address of the interface used to send encrypted data.

DNS Server address: The address of the DNS server used by the client.

WINS address: The address of the WINS server used by the client.

Viewing Log Information

On the client main page, click the Log tab to view log information.



Click and select "Log Level" to set the level of logs to be displayed.

Client Menu

Right-click the green client icon to open the client menu. Descriptions of the menu items:

l Change Password: Displays the dialog for changing password.

l Redirect URL: When the device end has a redirect URL configured, users can click this menu
to quickly jump to this URL address.

l Resource List: When accessing the SCVPN service, users can click this menu to open the browser page displaying internal resources.

l Application Resource List: When a user successfully connects to a ZTNA service using the Secure Connect client, this menu is displayed. After the user logs in, a ZTNA portal page is displayed. If the portal page has been closed, the user can click this menu to display the latest ZTNA portal page and view the application resource access privileges. The portal page displays the application resources that the user is and is not granted access to. For those the user is not granted access to, the user can attempt to acquire the access privilege by adjusting the access terminal configurations. Application resources that the user is denied from accessing are not displayed on the portal page. If a user is denied from accessing any application resources, the portal page displays a message indicating that no Web resources are available to the user.



l Show Window: When Secure Connect client window is minimized, click this menu item to
display the client main page.

l Quit: Click Quit to close the client.

General Configuration

Click Settings on the client main page.

l Automatic reconnect: Enable this option to automatically reconnect to the SSL VPN/ZTNA server when the connection drops.

l Automatic login: Enable this option to allow the specified user to log in automatically when the client starts. Select the auto login user from the drop-down list.

l Minimize window: Enable this option to allow the client window to be minimized.

Uninstalling the Client

To uninstall the client, right-click the client icon and select Move to Trash from the drop-down list.

Example of Configuring URL Redirect


This section describes a URL redirect configuration example.
An enterprise uses a Hillstone device as the SSL VPN server for its OA system. The goal is to log in to both the SSL VPN and the OA system at one time.
This requirement can be met by the URL redirect function. The topology is shown below:



Configuration Steps

Step 1: Create a local user

hostname(config)# aaa-server local

hostname(config-aaa-server)# user test

hostname(config-user)# password test

hostname(config-user)# exit

hostname(config-aaa-server)# exit

hostname(config)#

Step 2: Configure an address pool

hostname(config)# access-address-pool pool1

hostname(config-address-pool)# address 20.1.1.1 20.1.1.255 netmask 255.255.255.0

hostname(config-address-pool)# dns 20.1.1.1

hostname(config-address-pool)# wins 20.1.1.2

hostname(config-address-pool)# exit

hostname(config)#

Step 3: Configure URL redirect in an SSL VPN instance. To limit the access range of the remote user, use the no split-tunnel-route 0.0.0.0/0 command.

hostname(config)# tunnel scvpn ssl1

hostname(config-tunnel-scvpn)# access-address-pool pool1

hostname(config-tunnel-scvpn)# aaa-server local

hostname(config-tunnel-scvpn)# interface ethernet0/5

hostname(config-tunnel-scvpn)# https-port 4433

hostname(config-tunnel-scvpn)# redirect-url http://192.10.5.201/oa/login.do?username=$USER&password=$PWD title-en OA title-zh

hostname(config-tunnel-scvpn)# split-tunnel-route 10.160.64.0/21

hostname(config-tunnel-scvpn)# split-tunnel-route 192.10.5.0/24

hostname(config-tunnel-scvpn)# exit

hostname(config)#

Step 4: Create a tunnel interface and bind the SSL VPN instance to it (the tunnel interface and the SSL VPN address pool must be in the same network segment).

hostname(config)# zone VPN

hostname(config-zone-VPN)# exit

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone VPN

hostname(config-if-tun1)# ip address 20.1.1.1/24

hostname(config-if-tun1)# tunnel scvpn ssl1

hostname(config-if-tun1)# exit

hostname(config)#

Step 5: Configure a policy from VPN zone to trust zone

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone VPN

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

Step 6: In the web browser of PC1, visit https://6.6.6.1:4433, and in the login page, type test and test into the Username and Password boxes respectively. After the authentication, download and install Secure Connect.
Step 7: After logging in with Secure Connect, the page is redirected to the OA system authentication page.

Examples of Configuring SSL VPN


This section describes several SSL VPN examples with the username/password authentication
method.

Requirement

Server1 (10.160.65.52/21) in the Intranet is protected by a Hillstone device. PC1 (6.6.6.5/24) in the Internet wants to visit the resources on Server1 (10.160.65.52/21).



l Requirement 1: The goal is to control the access by encrypting the data by SSL VPN with the
username/password authentication method.

l Requirement 2: The goal is to control the access by encrypting the data by SSL VPN with the USB Key authentication method. As long as the UKey of the client supports the standard Windows SDK (Certificate Store Functions) and the stored certificate is valid, the client can log in. Hillstone UKey is used as the example.

Example 1

Step 1: Create a local user

hostname(config)# aaa-server local

hostname(config-aaa-server)# user user1

hostname(config-user)# password 123456

hostname(config-user)# exit

hostname(config-aaa-server)# exit

hostname(config)# exit

Step 2: Configure an address pool

hostname(config)# access-address-pool pool1

hostname(config-address-pool)# address 20.1.1.1 20.1.1.100 netmask 255.255.255.0

hostname(config-address-pool)# dns 20.1.1.1

hostname(config-address-pool)# wins 20.1.1.2

hostname(config-address-pool)# exit

hostname(config)#

Step 3: Configure an SSL VPN instance. By default, the system adds the split-tunnel-route 0.0.0.0/0 route entry. To limit the access range of the remote user, use the no split-tunnel-route 0.0.0.0/0 command.

hostname(config)# tunnel scvpn ssl1

hostname(config-tunnel-scvpn)# access-address-pool pool1

hostname(config-tunnel-scvpn)# aaa-server local

hostname(config-tunnel-scvpn)# interface ethernet0/5

hostname(config-tunnel-scvpn)# https-port 4433

hostname(config-tunnel-scvpn)# split-tunnel-route 10.160.64.0/21

hostname(config-tunnel-scvpn)# exit

hostname(config)#

Step 4: Create a tunnel interface and bind the SSL VPN instance to it (the tunnel interface and the SSL VPN address pool should be in the same IP address segment).

hostname(config)# zone VPN

hostname(config-zone-VPN)#

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone VPN

hostname(config-if-tun1)# ip address 20.1.1.101/24

hostname(config-if-tun1)# tunnel scvpn ssl1

hostname(config-if-tun1)# exit

hostname(config)#

Step 5: Configure a policy from VPN zone to trust zone

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone VPN

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

Step 6: Type https://6.6.6.1:4433 in the web browser to visit the login page. Enter the username user1 and password 123456. When you log in successfully, download the SSL VPN client Hillstone Secure Connect.
Step 7: After logging in, PC1 can access resources in the trust zone through SSL VPN.

Example 2

On the basis of Example 1, add USB Key authentication feature. This feature requires that
user’s UKey should support standard Windows SDK (Certificate Store Functions) with a legal
certificate in it. This example uses the Hillstone UKey.

Preparations

Before using the USB Key, make the following preparations:

l Prepare the certificate and the corresponding CA certificate;

l Prepare the Hillstone UKey and the CD provided by Hillstone;

l Import the certificate to the UKey using Hillstone UKey manager.

Configuration Steps

Step 1: Configure an SSL VPN server



#Create a PKI trust domain named stone and specify that the certificate is obtained by the method of terminal
hostname(config)# pki trust-domain stone

hostname(config-trust-domain)# enrollment terminal

hostname(config-trust-domain)# exit

hostname(config)#

#Enable USB Key certificate authentication of SSL VPN instance SSL1 and specify a CA trust domain
hostname(config)# tunnel scvpn ssl1

hostname(config-tunnel-scvpn)# client-cert-auth

hostname(config-tunnel-scvpn)# client-auth-trust-domain stone

hostname(config-tunnel-scvpn)# exit

hostname(config)#

#Import the CA certificate file to the CA trust domain
hostname(config)# exit

hostname# import pki stone cacert from tftp server 192.168.1.2 certnew.cer

Step 2: Operations on the clients

1. Install Hillstone UKey driver on the client PC.

2. Insert the UKey.

3. In the SSL VPN client Login dialog, fill each option as below and click Login:

l Server: 6.6.6.1

l Port: 4433

l Username: user1



l Password: hillstone

l PIN: 1111 (the default value)

Example of Configuring Host Check


This section describes an SSL VPN host check configuration example.

Requirements

The Hillstone device works as the SSL VPN server for an enterprise. The goal is to meet the following requirements:

l The client can access headquarters resources with SSL VPN.

l Resources in the software network segment (10.1.1.0/24) can be accessed by role sw only;
resources in the downloading network segment (10.1.2.0/24) can be accessed by role dl; and
resources in public network segment (10.1.3.0/24) can be accessed by all users.

l Perform host security check to the clients and control the resources access based on the
check results.

The topology is shown as below:



Configuration Steps

Step 1: Create a local user

hostname(config)# aaa-server local type local

hostname(config-aaa-server)# user pc1

hostname(config-user)# password xxxfcvg236

hostname(config-user)# exit

hostname(config-aaa-server)# user pc2

hostname(config-user)# password xcabuv112

hostname(config-user)# exit

hostname(config-aaa-server)# user pc3

hostname(config-user)# password xacfomg763

hostname(config-user)# exit

hostname(config-aaa-server)# exit

hostname(config)#

Step 2: Configure a role mapping rule

hostname(config)# role sw

hostname(config)# role dl

hostname(config)# role-mapping-rule rule1

hostname(config-role-mapping)# match user pc1 role sw

hostname(config-role-mapping)# match user pc1 role dl

hostname(config-role-mapping)# match user pc2 role dl

hostname(config-role-mapping)# exit

hostname(config)# aaa-server local type local

hostname(config-aaa-server)# role-mapping-rule rule1

hostname(config)#

Step 3: Configure an interface on the SSL VPN server

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 1.1.1.1/24

hostname(config-if-eth0/1)# exit

hostname(config)#

Step 4: Configure the host check profiles

hostname(config)# scvpn host-check-profile dl-security-check

hostname(config-profile_scvpn)# exit

hostname(config)# scvpn host-check-profile sw-security-check

hostname(config-profile_scvpn)# exit

hostname(config)#

To configure a host check profile on WebUI interface, take the following steps:

1. On the Navigation pane, click Configure > Network > SSL VPN to visit the SSL VPN
page.

2. On the Task tab in the right auxiliary pane, click Host Check to visit the Host Check page.

3. Click New. In the Host Checking Configuration dialog, configure the options as below:

Basic

l Name: dl-security-check

l OS version: At least, Win2003, None

l Patch 1: KB958215

l Lowest IE version: IE6.0

l Lowest IE security level: High

Advanced

l Security center: Must

l Anti-Virus software: Installed, Monitor, Virus signature DB update

l Anti-Spyware software: Installed, Monitor, Signature DB update

l Firewall: Installed, Monitor

4. Click OK to save the settings and return to the SSL VPN page.



5. Repeat Steps 3 to 4 to create the profile named sw-security-check. The profile contents are:

Basic

l Name: sw-security-check

l OS version: Must match, WinXP, SP3

l Patch 1: KB921883

l Lowest IE version: IE7.0

l Lowest IE security level: High

Advanced

l Security center: Must

l Auto update: Must

l Anti-Virus software: Installed, Monitor, Virus signature DB update

l Anti-Spyware software: Installed, Monitor, Signature DB update

l Firewall: Installed, Monitor

l File path name: File 1: Exist, C:\Program Files\McAfee\VirusScan\Enterprise.exe

6. Click OK to save settings.

Step 5: Configure an address pool

hostname(config)# access-address-pool pool1

hostname(config-address-pool)# address 11.1.1.10 11.1.1.100 netmask 255.255.255.0

hostname(config-address-pool)# dns 10.1.1.1

hostname(config-address-pool)# wins wins

hostname(config-address-pool)# exit

hostname(config)#



Step 6: Configure an SSL VPN instance. To limit the access range of the remote user, use the no split-tunnel-route 0.0.0.0/0 command.

hostname(config)# tunnel scvpn ssl1

hostname(config-tunnel-scvpn)# access-address-pool pool1

hostname(config-tunnel-scvpn)# aaa-server local

hostname(config-tunnel-scvpn)# interface ethernet0/1

hostname(config-tunnel-scvpn)# https-port 4433

hostname(config-tunnel-scvpn)# split-tunnel-route 10.1.1.0/24 metric 10

hostname(config-tunnel-scvpn)# split-tunnel-route 10.1.2.0/24 metric 5

hostname(config-tunnel-scvpn)# split-tunnel-route 10.1.3.0/24 metric 3

hostname(config-tunnel-scvpn)# host-check role sw profile sw-security-check guest-role dl

hostname(config-tunnel-scvpn)# host-check profile dl-security-check periodic-check 50

hostname(config-tunnel-scvpn)# exit

hostname(config)#

Step 7: Create a tunnel interface and bind the SSL VPN instance to it (the tunnel interface and the SSL VPN address pool should be in the same IP address segment).

hostname(config)# zone VPN

hostname(config-zone-VPN)# exit

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone VPN

hostname(config-if-tun1)# ip address 11.1.1.1/24

hostname(config-if-tun1)# tunnel scvpn ssl1

hostname(config-if-tun1)# exit

hostname(config)#

Step 8: Configure a policy rule



hostname(config)# address sw

hostname(config-addr)# ip 10.1.1.0/24

hostname(config-addr)# exit

hostname(config)# address dl

hostname(config-addr)# ip 10.1.2.0/24

hostname(config-addr)# exit

hostname(config)# address public

hostname(config-addr)# ip 10.1.3.0/24

hostname(config-addr)# exit

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone VPN

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr sw

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# role sw

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone VPN

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr dl

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# role dl

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone VPN

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr public

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

After finishing the above configurations, when the client connects to the server, the server checks the host based on the configured host check profile and assigns the corresponding access right according to the check result. The following list shows the relationship between the host check rule and the access right.

Check result and access right

User: PC1
Host check rule: Role: sw; Profile: sw-security-check; Guest role: dl; Periodic: 30 minutes; CLI: host-check role sw profile sw-security-check guest-role dl
Successful: Permit to access resources in the software network segment, and the host check will be performed every 30 minutes automatically.
Failed: Permit to access resources in the download network segment, and the host check will be performed every 30 minutes automatically.

User: PC2
Host check rule: Role: Null (the access right of the default role dl will be assigned); Profile: dl-security-check; Guest role: Null; Periodic: 50 minutes; CLI: host-check profile dl-security-check periodic-check 50
Successful: Permit to access resources in the software network segment, and the host check will be performed every 30 minutes automatically.
Failed: Disconnect.

User: PC3
Host check rule: Role: Null; Profile: dl-security-check; Guest role: Null; Periodic: 50 minutes; CLI: host-check profile dl-security-check periodic-check 50
Successful: Permit to access resources in the public network segment, and the host check will be performed every 50 minutes automatically.
Failed: Disconnect.
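The decision the list above describes, written as an added Python model for this guide (it is not StoneOS code): the role mapping of Step 2, the two host-check commands of Step 6 and the role conditions of the Step 8 policy rules are encoded as constructed data, and evaluate() returns which segments a user may reach and how often the check repeats, with a failed check either falling back to the guest role or disconnecting. The segments and intervals are derived from those commands rather than from the list wording, and the rule selection order (a role-specific rule before the rule without a role) is an assumption.

```python
"""Model of the SSL VPN host-check decision (added illustration, not StoneOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Step 2 role mapping (constructed): pc1 -> sw and dl, pc2 -> dl, pc3 -> no role.
ROLE_MAPPING: Dict[str, List[str]] = {"pc1": ["sw", "dl"], "pc2": ["dl"], "pc3": []}

# Step 8 policy rules: role sw reaches the software segment, role dl the
# download segment, and the public segment carries no role condition.
ROLE_SEGMENTS: Dict[str, str] = {"sw": "software", "dl": "download"}
PUBLIC_SEGMENT = "public"


@dataclass
class HostCheckRule:
    """One host-check line of the tunnel scvpn instance."""
    profile: str
    role: Optional[str] = None        # rule applies only to users holding this role
    guest_role: Optional[str] = None  # role granted instead when the check fails
    periodic_minutes: int = 30        # periodic-check value; 30 when not given


# Step 6:
#   host-check role sw profile sw-security-check guest-role dl
#   host-check profile dl-security-check periodic-check 50
RULES: List[HostCheckRule] = [
    HostCheckRule(profile="sw-security-check", role="sw", guest_role="dl"),
    HostCheckRule(profile="dl-security-check", periodic_minutes=50),
]


@dataclass
class Outcome:
    connected: bool
    profile: Optional[str] = None
    segments: List[str] = field(default_factory=list)
    periodic_minutes: Optional[int] = None


def select_rule(user: str) -> Optional[HostCheckRule]:
    """Prefer a rule bound to one of the user's roles, else the rule with no role (assumed order)."""
    roles = ROLE_MAPPING.get(user, [])
    for rule in RULES:
        if rule.role is not None and rule.role in roles:
            return rule
    for rule in RULES:
        if rule.role is None:
            return rule
    return None


def reachable_segments(roles: List[str]) -> List[str]:
    """Segments the Step 8 policy permits for the given roles; public is always included."""
    segments = [ROLE_SEGMENTS[r] for r in roles if r in ROLE_SEGMENTS]
    return segments + [PUBLIC_SEGMENT]


def evaluate(user: str, check_passed: bool) -> Outcome:
    """Apply the selected host-check rule to one login attempt."""
    rule = select_rule(user)
    if rule is None:  # no host-check configured: plain role-based access
        return Outcome(True, None, reachable_segments(ROLE_MAPPING.get(user, [])))
    if check_passed:
        roles = ROLE_MAPPING.get(user, [])
    elif rule.guest_role is not None:
        roles = [rule.guest_role]            # degraded access through the guest role
    else:
        return Outcome(False, rule.profile)  # failed check and no guest role: disconnect
    return Outcome(True, rule.profile, reachable_segments(roles), rule.periodic_minutes)


if __name__ == "__main__":
    for name in ("pc1", "pc2", "pc3"):
        for passed in (True, False):
            print(name, "passed" if passed else "failed", evaluate(name, passed))
```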

Example of Configuring Optimal Path


This section provides an example of configuring SSL VPN optimal path.

Requirement 1

A company uses a Hillstone device as the SSL VPN server which has two accesses to the Internet, ISP1 (ethernet0/1, IP: 202.2.3.1/24) and ISP2 (ethernet0/3, IP: 196.1.2.3/24). The goal is that the PC (IP: 64.2.3.1) can access the headquarters server (IP: 10.1.1.2) using the optimal path detection feature.



You have two configuration methods to meet this requirement, which are:

l Using the server to choose an optimal path

l Using the client to choose an optimal path

Using SSL VPN Server to Choose an Optimal Path

Step 1: Create a local user

hostname(config)# aaa-server local type local

hostname(config-aaa-server)# user user1

hostname(config-user)# password drgrhrgerg231

hostname(config-user)# exit

hostname(config-aaa-server)# exit

hostname(config)#



Step 2: Configure the server interface

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 10.1.1.0/24

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 202.2.3.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/3

hostname(config-if-eth0/3)# zone untrust

hostname(config-if-eth0/3)# ip address 196.1.2.3/24

hostname(config-if-eth0/3)# exit

hostname(config)#

Step 3: Configure an address pool

hostname(config)# access-address-pool pool1

hostname(config-address-pool)# address 11.1.1.10 11.1.1.100 netmask 255.255.255.0

hostname(config-address-pool)# dns 10.1.1.1

hostname(config-address-pool)# wins 10.1.1.2

hostname(config-address-pool)# exit

hostname(config)#

Step 4: Configure an SSL VPN instance (with optimal path detection). To limit the access range of the remote user, use the no split-tunnel-route 0.0.0.0/0 command.

hostname(config)# tunnel scvpn ssl1

hostname(config-tunnel-scvpn)# access-address-pool pool1

hostname(config-tunnel-scvpn)# aaa-server local

hostname(config-tunnel-scvpn)# interface ethernet0/1

hostname(config-tunnel-scvpn)# interface ethernet0/3

hostname(config-tunnel-scvpn)# https-port 4433

hostname(config-tunnel-scvpn)# split-tunnel-route 10.1.1.0/24 metric 10

hostname(config-tunnel-scvpn)# link-select server-detect

hostname(config-tunnel-scvpn)# exit

hostname(config)#

Step 5: Create a tunnel interface and bind the SSL VPN instance to it (the tunnel interface and the SSL VPN address pool should be in the same IP address segment).

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone untrust

hostname(config-if-tun1)# ip address 11.1.1.1/24

hostname(config-if-tun1)# tunnel scvpn ssl1

hostname(config-if-tun1)# exit

hostname(config)#
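A check for the requirement this step repeats from the earlier examples (the tunnel interface and the SSL VPN address pool must be in the same network segment), as an added Python snippet written for this guide, not StoneOS code. The extra check that the tunnel interface address must not fall inside the pool range is an assumption rather than a rule the guide states; the sample values are those of Steps 3 and 5 above.

```python
"""Consistency check for an access-address-pool and its tunnel interface
(added illustration, not StoneOS code)."""
import ipaddress
from typing import List


def check_pool_against_tunnel(pool_start: str, pool_end: str,
                              pool_netmask: str, tunnel_cidr: str) -> List[str]:
    """Return the problems found; an empty list means the pool range given as
    'address <start> <end> netmask <mask>' and the tunnel interface address agree."""
    problems: List[str] = []
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    # The pool's segment is derived from the start address and the netmask.
    pool_net = ipaddress.ip_network(f"{pool_start}/{pool_netmask}", strict=False)
    tunnel_if = ipaddress.ip_interface(tunnel_cidr)

    if end < start:
        problems.append("pool end address precedes pool start address")
    if end not in pool_net:
        problems.append(f"pool end {end} is outside the pool segment {pool_net}")
    # Requirement stated in the guide: same network segment.
    if tunnel_if.network != pool_net:
        problems.append(f"tunnel interface {tunnel_if} is not in pool segment {pool_net}")
    # Assumed extra check: the interface's own address should not be leased to clients.
    if start <= tunnel_if.ip <= end:
        problems.append(f"tunnel interface address {tunnel_if.ip} lies inside the pool range")
    return problems


if __name__ == "__main__":
    # Values from Steps 3 and 5 of this example; an empty list means consistent.
    print(check_pool_against_tunnel("11.1.1.10", "11.1.1.100", "255.255.255.0", "11.1.1.1/24"))
```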

Step 6: Configure a policy rule

hostname(config)# address dst

hostname(config-addr)# ip 10.1.1.0/24

hostname(config-addr)# exit

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr dst

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

Step 7: Configure an ISP

hostname(config)# isp-network isp1

hostname(config-isp)# subnet 202.2.3.0/24

hostname(config-isp)# subnet 64.2.3.0/24

hostname(config-isp)# exit

hostname(config)#

When the client PC initiates a connection request to the SSL VPN server using ISP2, the server identifies that the IP addresses of the SSL VPN egress interface ethernet0/1 and the client PC both belong to ISP1, so it assigns the IP address of that egress interface to the client with higher priority, and the PC can access the headquarters server using ISP1.
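The server-side selection just described, as an added Python model written for this example (not StoneOS code): isp_of() matches an address against the configured isp-network subnets, and rank_egress() places the egress interface that shares the client's ISP first. The isp1 subnets and the two egress addresses come from Steps 2 and 7; that an interface with no ISP match keeps its configured order is an assumption.

```python
"""Model of server-side optimal path selection (link-select server-detect).
Added illustration for this example, not StoneOS code."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Step 7: isp-network isp1 with subnets 202.2.3.0/24 and 64.2.3.0/24.
ISP_NETWORKS: Dict[str, List[str]] = {"isp1": ["202.2.3.0/24", "64.2.3.0/24"]}

# Steps 2 and 4: egress interfaces bound to the instance, in configured order.
EGRESS_INTERFACES: List[Tuple[str, str]] = [
    ("ethernet0/1", "202.2.3.1"),
    ("ethernet0/3", "196.1.2.3"),
]


def isp_of(ip: str, isp_networks: Dict[str, List[str]] = ISP_NETWORKS) -> Optional[str]:
    """Return the isp-network whose subnets contain ip, or None when no entry matches."""
    addr = ipaddress.ip_address(ip)
    for name, subnets in isp_networks.items():
        if any(addr in ipaddress.ip_network(s) for s in subnets):
            return name
    return None


def rank_egress(client_ip: str,
                egress: List[Tuple[str, str]] = EGRESS_INTERFACES,
                isp_networks: Dict[str, List[str]] = ISP_NETWORKS) -> List[Tuple[str, str]]:
    """Order the egress interfaces for one client: interfaces in the client's ISP
    first, then the others in configured order (assumed). The first entry is the
    address the server hands to the client with the highest priority."""
    client_isp = isp_of(client_ip, isp_networks)
    same_isp = [e for e in egress
                if client_isp is not None and isp_of(e[1], isp_networks) == client_isp]
    others = [e for e in egress if e not in same_isp]
    return same_isp + others


def preferred_egress(client_ip: str,
                     egress: List[Tuple[str, str]] = EGRESS_INTERFACES,
                     isp_networks: Dict[str, List[str]] = ISP_NETWORKS) -> str:
    """Name of the interface the client is steered to."""
    return rank_egress(client_ip, egress, isp_networks)[0][0]


if __name__ == "__main__":
    # The PC of Requirement 1 (64.2.3.1) arrives via ISP2 but belongs to isp1,
    # so ethernet0/1 is handed out with the higher priority.
    print(rank_egress("64.2.3.1"))
```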

Using SSL VPN Client to Choose an Optimal Path

The configuration steps for using the client to choose the optimal path differ slightly from those for using the server; the steps that differ are:
Step 4: Configure an SSL VPN instance (with the optimal path detection feature)

hostname(config)# tunnel scvpn ssl1

……

hostname(config-tunnel-scvpn)# link-select

……

Step 7: Skip this step


When the PC initiates connection requests to the headquarters over the ISP2 link, the server
assigns the IP addresses of both ethernet0/1 and ethernet0/3 to the client, and the client determines
the optimal path by sending UDP probe packets.



Requirement 2

A company uses a Hillstone device as the SSL VPN server in its headquarters and a DNAT device
with two Internet accesses (ISP1: 202.2.3.1/24 and ISP2: 196.1.2.3/24). The goal is for the client
PC (64.2.3.1) to access the headquarters server (IP: 10.1.1.2) using the optimal path detection
feature.

You have two configuration methods to meet this requirement, which are:

l Using SSL VPN server to choose an optimal path

l Using SSL VPN client to choose an optimal path



Using SSL VPN Server to Choose an Optimal Path

Step 1: Create a local user

hostname(config)# aaa-server local type local

hostname(config-aaa-server)# user user1

hostname(config-user)# password drgrhrgerg231

hostname(config-user)# exit

hostname(config-aaa-server)# exit

hostname(config)#

Step 2: Configure the server interface

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 10.1.1.0/24

hostname(config-if-eth0/0)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone dmz

hostname(config-if-eth0/1)# ip address 192.168.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)#

Step 3: Configure an address pool

hostname(config)# access-address-pool pool1

hostname(config-address-pool)# address 11.1.1.10 11.1.1.100 netmask 255.255.255.0

hostname(config-address-pool)# dns 10.1.1.1

hostname(config-address-pool)# wins 10.1.1.2

hostname(config-address-pool)# exit

hostname(config)#



Step 4: Configure an SSL VPN instance (with optimal path detection). To limit the access range
of the remote user, use the no split-tunnel-route 0.0.0.0/0 command.

hostname(config)# tunnel scvpn ssl1

hostname(config-tunnel-scvpn)# pool pool1

hostname(config-tunnel-scvpn)# aaa-server local

hostname(config-tunnel-scvpn)# interface ethernet0/1

hostname(config-tunnel-scvpn)# https-port 4433

hostname(config-tunnel-scvpn)# split-tunnel-route 10.1.1.0/24 metric 10

hostname(config-tunnel-scvpn)# link-select server-detect 202.2.3.1 https-port 2234 196.1.2.3 https-port 3367

hostname(config-tunnel-scvpn)# exit

hostname(config)#

Step 5: Create a tunnel interface and bind the SSL VPN instance to it (the tunnel interface and
SSL VPN address pool should be in the same IP address segment)

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone untrust

hostname(config-if-tun1)# ip address 11.1.1.1/24

hostname(config-if-tun1)# tunnel scvpn ssl1

hostname(config-if-tun1)# exit

hostname(config)#

Step 6: Configure a policy rule (a rule from dmz zone to trust zone)

hostname(config)# address dst

hostname(config-addr)# ip 10.1.1.0/24

hostname(config-addr)# exit

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone dmz



hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr dst

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

Step 7: Configure an ISP

hostname(config)# isp-network isp1

hostname(config-isp)# subnet 202.2.3.0/24

hostname(config-isp)# subnet 64.2.3.0/24

hostname(config-isp)# exit

hostname(config)#

When the client PC initiates a connection request to the SSL VPN server using ISP2, the DNAT
device translates the address the client connected to (196.1.2.3:3367) to the SSL VPN server’s
egress interface address (192.168.1.2:4433). The server then identifies that the IP addresses of the
client PC and of the DNAT device’s Internet interface (202.2.3.1/24) both belong to ISP1, so it
assigns the IP of the DNAT Internet interface, which has the higher priority, to the client, and the
PC accesses the headquarters server using ISP1.

Using SSL VPN Client to Choose an Optimal Path

The configuration steps for letting the client choose the optimal path differ only slightly from
those for letting the server choose it. The steps that differ are:
Step 4: Configure an SSL VPN instance (with optimal path detection feature)

hostname(config)# tunnel scvpn ssl1

……

hostname(config-tunnel-scvpn)# link-select 202.2.3.1 https-port 2234 196.1.2.3 https-port 3367

……

Step 7: Skip this step


When the PC initiates connection requests to the headquarters over the ISP2 link, the DNAT device
translates the address the client connected to (196.1.2.3:3367) to the SSL VPN server’s egress
interface address (192.168.1.2:4433). The SSL VPN server assigns the IP address of the DNAT
device’s Internet interface to the client, and the client determines the optimal path by sending UDP
probe packets.



Dial-up VPN

Overview
In a dial-up VPN the center device establishes a single VPN tunnel through which multiple remote
clients access it. The remote clients must be configured with the same IKE VPN settings as the
center device so that the data is protected. The center device authenticates the clients with a
pre-shared key or a certificate and establishes the VPN tunnel to communicate with them.

Applying Dial-up VPN


There are two methods of applying a configured VPN tunnel to the security device to achieve
secure traffic transmissions: one is to use policy-based VPN, the other is to use route-based VPN.

l Policy-based VPN: When you use policy-based VPN, the VPN tunnel is referenced in a policy
rule so that traffic which matches the rule is transferred through the VPN tunnel. Policy-based
VPN supports access from branch to center, but does not support access from center to branch
or hub-and-spoke.

l Route-based VPN: When you use route-based VPN, the VPN tunnel is bound to a tunnel
interface and the next hop of the static route is that tunnel interface.

Configuring the Center Device


This section introduces the following configurations of dial-up VPN center device:

l Configuring P1 proposal

l Configuring an ISAKMP gateway

l Configuring P2 proposal

l Configuring a tunnel

l Configuring a dial-up user



Configuring P1 Proposal

A P1 proposal is an IKE security proposal applied to the ISAKMP gateway in SA Phase 1.
Configuring an IKE proposal includes settings for authentication, encryption algorithm, DH group
and SA lifetime.

Creating a P1 Proposal

To create a P1 proposal (IKE security proposal), in the global configuration mode, use the
following command:
isakmp proposal p1-name

l p1-name – Type a name for the new P1 proposal. This command leads you into the P1
proposal configuration mode, in which you can configure the proposal.

To delete the specified P1 proposal, use the command no isakmp proposal p1-name.

Specifying an Authentication Method

Authentication defined here refers to IKE identity authentication, which is used to confirm the
identities of the two communicating peers. Authentication can be performed in two ways:
pre-shared key authentication and digital certificate authentication. For pre-shared key
authentication, a community is used as the input to generate a private key.
To specify the authentication method of IKE security proposal, in the P1 proposal configuration
mode, use the following command:
authentication {pre-share | rsa-sig | dsa-sig | gm-de}

l pre-share – Specifies that the pre-shared key is used for authentication. This is the default
method.

l rsa-sig – Specifies that RSA digital certificate is used for authentication.

l dsa-sig – Specifies that a DSA digital certificate is used for authentication.



l gm-de – Uses the envelope authentication mode. When this mode is selected, only the SM1
and SM4 encryption algorithms and the SHA and SM3 verification algorithms are supported.

To restore to the default authentication method, use the command no authentication.

Specifying an Encryption Algorithm

The following five encryption algorithms are supported: 3DES, DES, 128-bit AES, 192-bit AES
and 256-bit AES.
To specify the encryption algorithm of IKE security proposal, in the P1 proposal configuration
mode, use the following command:
encryption {3des | des | aes | aes-192 | aes-256}

l 3des – Specifies to use 3DES encryption algorithm. The private key length is 192 bits. This
is the default encryption method.

l des – Specifies to use DES encryption algorithm. The private key length is 64 bits.

l aes – Specifies to use AES encryption algorithm. The private key length is 128 bits.

l aes-192 – Specifies to use 192-bit AES encryption algorithm. The private key length is 192
bits.

l aes-256 – Specifies to use 256-bit AES encryption algorithm. The private key length is 256
bits.

To restore to the default encryption algorithm, use the command no encryption.

Specifying a Hash Algorithm

The following authentication algorithms are supported: MD5, SHA-1 and SHA-2 (including SHA-
256, SHA-384 and SHA-512).
To specify a Hash algorithm for IKE security proposal, in the P1 proposal configuration mode,
use the following command:
hash {md5 | sha | sha256 | sha384 | sha512}



l md5 – Specifies to use MD5 for authentication. The hash value length is 128 bits.

l sha – Specifies to use SHA-1 for authentication. The hash value length is 160 bits. This is
the default value.

l sha256 – Specifies to use SHA-256 for authentication. The hash value length is 256 bits.

l sha384 – Specifies to use SHA-384 for authentication. The hash value length is 384 bits.

l sha512 – Specifies to use SHA-512 for authentication. The hash value length is 512 bits.

To restore the default hash algorithm, use the command no hash.

Selecting a DH Group

Diffie-Hellman (DH) is designed to establish a shared secret key. DH group determines the
length of the element generating keys for DH exchange. The strength of keys is partially decided
by the robustness of the DH group. The longer the key element is, the more secure the generated
key will be, and the more difficult it will be to decrypt it. The selection of DH group is important,
because the DH Group is only determined in the Phase 1 SA negotiation, and the Phase 2 nego-
tiation will not re-select a DH group. The two phases use the same DH group; therefore the selec-
tion of DH group will have an impact on the keys generated for all sessions. During negotiation,
the two ISAKMP gateways should select the same DH group, i.e., the length of key element
should be equal. If the DH groups do not match, the negotiation will fail.
To select a DH group, in the P1 proposal configuration mode, use the following command:
group {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20 | 21 | 24}

l 1 - Selects DH Group1. The key length is 768 bits (MODP Group).

l 2 - Selects DH Group2. The key length is 1024 bits (MODP Group). This is the default
value.

l 5 - Selects DH Group5. The key length is 1536 bits (MODP Group).

l 14 - Selects DH Group14. The key length is 2048 bits (MODP Group).



l 15 - Selects DH Group15. The key length is 3072 bits (MODP Group).

l 16 - Selects DH Group16. The key length is 4096 bits (MODP Group).

l 19 - Selects DH Group19. The key length is 256 bits (ECP Group).

l 20 - Selects DH Group20. The key length is 384 bits (ECP Group).

l 21 - Selects DH Group21. The key length is 521 bits (ECP Group).

l 24 - Selects DH Group24. The key length is 2048 bits (MODP Group with 256-bit Prime
Order Subgroup).

To restore the DH group to the default, in the P1 proposal configuration mode, use the command
no group.

Specifying an SA Lifetime

A Phase 1 SA has a default lifetime. When the ISAKMP SA lifetime expires, the device sends a
Phase 1 SA delete message to the peer and then initiates a new SA negotiation.
To specify an SA lifetime, in the P1 proposal configuration mode, use the following command:
lifetime time-value

l time-value – Specifies the lifetime of SA Phase 1. The value range is 300 to 86400 seconds.
The default value is 86400.

To restore to the default lifetime, use the command no lifetime.

Configuring an ISAKMP Gateway

This section introduces configurations about ISAKMP gateway.

Creating an ISAKMP Gateway

To create an ISAKMP gateway, in the global configuration mode, use the following command:
isakmp peer peer-name



l peer-name – Specifies a name for the ISAKMP gateway.

This command leads you into ISAKMP gateway configuration mode in which you can configure
the parameters of the gateway.
To delete the specified ISAKMP gateway, in the global configuration mode, use the command no
isakmp peer peer-name.

Specifying an AAA Server for ISAKMP Gateway

AAA server defined here is used to authenticate the peer device.


To specify an AAA server for the ISAKMP gateway, in the ISAKMP gateway configuration
mode, use the following command:
aaa-server server-name

l server-name – Specifies the name of the AAA server. All types of AAA server can be used for
the ISAKMP gateway, including local, RADIUS, AD, LDAP and TACACS+ servers.

To delete the specified AAA server, in the ISAKMP gateway configuration mode, use the
following command:
no aaa-server

Binding an Interface to the ISAKMP Gateway

To bind an interface to the ISAKMP gateway, in the ISAKMP gateway configuration mode, use
the following command:
interface interface-name

l interface-name – Specifies the name of the bound interface.

To cancel the binding of interface, use the command no interface.

Configuring an IKE Negotiation Mode

There are two IKE negotiation modes: Main and Aggressive. The main mode is the default mode.
The aggressive mode cannot protect the identity of the peers. You have no choice but to use the
aggressive mode when the IP address of the center device is static while the IP address of the
client device is dynamic.
To configure an IKE negotiation mode, in the ISAKMP gateway configuration mode, use the
following command:
mode {main | aggressive}

l main – The main mode can provide ID protection and it is the default mode.

l aggressive – Specifies to use the aggressive mode.

To cancel the IKE negotiation mode, use the command no mode.

Specifying a Peer Type

To specify a type for the peer device, in the ISAKMP gateway configuration mode, use the
following command:
type usergroup
To cancel the specified type of a peer device, in the ISAKMP gateway configuration mode, use
the following command:
no type

Specifying P1 Proposal

To specify P1 proposal for the ISAKMP gateway, in the ISAKMP gateway configuration mode,
use the following command:
isakmp-proposal p1-proposal1 [p1-proposal2] [p1-proposal3] [p1-proposal4]

l p1-proposal1 – Specifies the name of P1 proposal. You are allowed to specify up to four P1
proposals for an ISAKMP gateway’s peer.

To cancel the specified P1 proposal, use the command no isakmp-proposal.

Configuring a Pre-shared Key

If you decide to use a pre-shared key for authentication, specify the pre-shared key for the
ISAKMP gateway in the ISAKMP gateway configuration mode with the following command:
pre-share string

l string – Specifies the content of pre-shared key.

To cancel the specified pre-shared key, use the command no pre-share.

Configuring a PKI Trust Domain

If a digital certificate is used for authentication, you need to specify a PKI trust domain for the
certificate. To specify a PKI trust domain, in the ISAKMP gateway configuration mode, use the
following command:
trust-domain string

l string – Specifies the PKI trust domain.

To cancel the specified PKI trust domain, use the command no trust-domain.

Tip: For more information about PKI trust domain, see “PKI” in the “User
Authentication”

Configuring a Local ID

To specify the type of the local identifier (FQDN and Asn1dn are supported), in the ISAKMP
gateway configuration mode, use the following command:
local-id {fqdn string | asn1dn [string] | u-fqdn string}

l fqdn string – Specifies to use FQDN type ID. string is the identifier.

l asn1dn [string] – Specifies to use an Asn1dn type ID, which can only be used in certificate
authentication. string is the identifier; it can be omitted because the system can get the
identifier from the certificate.

l u-fqdn string – Specifies to use a U-FQDN type ID (email address type, like user-[email protected]).

To cancel the local ID setting, use the command no local-id.



Specifying a Connection Type

To specify the connection type of the ISAKMP gateway, in the ISAKMP gateway configuration
mode, use the following command:
connection-type {bidirectional | initiator-only | responder-only}

l bidirectional – Specifies that the ISAKMP gateway serves as both initiator and responder.
This is the default value.

l initiator-only – Specifies that the ISAKMP gateway serves only as the initiator.

l responder-only – Specifies that the ISAKMP gateway serves only as the responder.

As the dial-up VPN center device cannot be the initiator, this parameter can only be set to
bidirectional or responder-only.
To restore to the default value, use the command no connection-type.

Enabling NAT Traversal

If a NAT device exists in the path of an IPsec or IKE VPN tunnel and translates the VPN data, the
NAT traversal function must be enabled. This function is disabled by default.
To enable NAT traversal, in the ISAKMP configuration mode, use the following command:
nat-traversal
To disable NAT traversal, use the command no nat-traversal.

Configuring DPD

DPD (Dead Peer Detection) is used to detect the status of the peer device. When this function is
enabled, the responder sends a DPD request if it has not received packets from the peer for a
long time. This function is disabled by default.
To enable DPD, in the ISAKMP gateway configuration mode, use the following command:
dpd
To configure DPD, in the ISAKMP gateway configuration mode, use the following command:
dpd [interval seconds] [retry times]



l interval seconds – Specifies the interval of sending DPD requests. The value range is 1 to 10
seconds. The default value is 10.

l retry times – Specifies how many times the DPD request is sent to the peer. The device
keeps sending detection requests until it reaches the specified number of retries. If it receives
no response from the peer after that many retries, it determines that the peer ISAKMP gateway
is down. The value range is 1 to 10 times. The default value is 3.

Specifying Description

To add description for an ISAKMP gateway, in the ISAKMP gateway configuration mode, use the
following command:
description string

l string – Specifies description content for the ISAKMP gateway.

To delete the description, use the command no description.

Configuring P2 Proposal

Phase 2 proposal is used during SA Phase 2 negotiation. This section describes how to configure
P2 proposal, including protocol type, encryption algorithm, hash algorithm and lifetime.

Creating P2 Proposal

To create a P2 proposal (IPsec proposal), in the global configuration mode, use the following
command:
ipsec proposal p2-name

l p2-name – Specifies a name for the P2 proposal. This command leads you into the P2 proposal
configuration mode, where you make all related configurations.

To delete the specified IPsec proposal, use the command no ipsec proposal p2-name.



Specifying a Protocol Type

P2 proposal can use AH or ESP protocol type.


To specify a P2 proposal type, in the P2 proposal configuration mode, use the following
command:
protocol {esp | ah}

l esp – Specifies to use ESP protocol, which is the default value.

l ah – Specifies to use AH protocol.

To restore to the default setting, use the command no protocol.

Specifying an Encryption Algorithm

P2 proposal can use one to four encryption algorithms.


To specify an encryption algorithm for P2 proposal, in the P2 proposal configuration mode, use
the following command:
encryption {3des | des | aes | aes-192 | aes-256 | null} [3des | des | aes | aes-192 | aes-256
| null] [3des | des | aes | aes-192 | aes-256 | null]……

l 3des - Specifies to use 3DES encryption algorithm. The key size is 192 bits and it is the
default algorithm in the system.

l des - Specifies to use DES. The key size is 64 bits.

l aes - Specifies to use AES. The key size is 128 bits.

l aes-192 - Specifies to use 192-bit AES. The key size is 192 bits.

l aes-256 - Specifies to use 256-bit AES. The key size is 256 bits.

l null - No encryption.

To restore to the default setting, use the command no encryption.



Specifying a Hash Algorithm

P2 proposal can use one to three hash algorithms.


To specify a hash for P2, in the P2 proposal configuration mode, use the following command:
hash {md5 | sha | sha256 | sha384 | sha512 | sm3 | null} [md5 | sha | sha256 | sha384 |
sha512 | null] [md5 | sha | sha256 | sha384 | sha512 | null]

l md5 - Specifies to use MD5 for authentication. The hash value is 128 bits.

l sha - Specifies to use SHA-1 for authentication. The hash value is 160 bits. This is the default
value.

l sha256 - Specifies to use SHA-256 for authentication. The hash value is 256 bits.

l sha384 - Specifies to use SHA-384 for authentication. The hash value is 384 bits.

l sha512 - Specifies to use SHA-512 for authentication. The hash value is 512 bits.

l null - No hash algorithm.

To restore to the default setting, use the command no hash.

Configuring PFS

PFS (Perfect Forward Secrecy) is used to ensure that the compromise of one private key in the
private key set will not result in the decryption of the entire set of private keys. When PFS is
enabled, a private key can be used once and the reference for generating it can only be used once.
In this way, when one private key is compromised and revealed, it will not affect the whole
encrypted communication.
To enable PFS, in the P2 proposal configuration mode, use the following command:
group {nopfs | 1 | 2 | 5 | 14 | 15 | 16 | 19 | 20 | 21 | 24}

l nopfs - Disables PFS. This is the default setting.

l 1 - Selects DH Group1. The key length is 768 bits (MODP Group).



l 2 - Selects DH Group2. The key length is 1024 bits (MODP Group). This is the default
value.

l 5 - Selects DH Group5. The key length is 1536 bits (MODP Group).

l 14 - Selects DH Group14. The key length is 2048 bits (MODP Group).

l 15 - Selects DH Group15. The key length is 3072 bits (MODP Group).

l 16 - Selects DH Group16. The key length is 4096 bits (MODP Group).

l 19 - Selects DH Group19. The key length is 256 bits (ECP Group).

l 20 - Selects DH Group20. The key length is 384 bits (ECP Group).

l 21 - Selects DH Group21. The key length is 521 bits (ECP Group).

l 24 - Selects DH Group24. The key length is 2048 bits (MODP Group with 256-bit Prime
Order Subgroup).

To restore to the default setting, use the command no group.

Specifying a Lifetime/Lifesize

The lifetime of a P2 proposal can be measured by time or by traffic volume. When the SA
reaches the specified traffic volume or runs out of time, it expires and a new negotiation must be
initiated.
To specify a lifetime of P2 proposal, in the P2 proposal configuration mode, use the following
commands:
lifetime seconds

l seconds – Specifies to use time period to measure lifetime. The default value is 28800
seconds.

lifesize kilobytes



l kilobytes – Specifies to use traffic volume to measure lifetime. The default value is 0, which
means no limit on lifesize.

To restore to the default settings, use the following commands:


no lifetime

no lifesize

Configuring a Tunnel

This section describes how to configure an IPsec tunnel, including specifying a protocol type,
ISAKMP gateway, IKE proposal, ID, fragmentation and anti-replay.

Creating an IKE Tunnel

To create an IKE tunnel, in the global configuration mode, use the following command:
tunnel ipsec tunnel-name auto

l tunnel-name - Type a name for the new IKE tunnel.

This command leads you into the IKE tunnel configuration mode where you configure all IKE
tunnel related configurations.
To delete the specified IKE tunnel, in the global configuration mode, use the command no tunnel
ipsec tunnel-name auto.

Specifying an IPsec Mode

To specify the operation mode (tunnel mode) for the IKE tunnel, in the IKE tunnel
configuration mode, use the following command:
mode tunnel
To restore to the default mode, use the command no mode.

Specifying an ISAKMP Gateway

To specify an ISAKMP gateway, in the IKE tunnel configuration mode, use the following
command:
isakmp-peer peer-name

l peer-name – Specifies the name of ISAKMP gateway.

To cancel the specified ISAKMP gateway, use the command no isakmp-peer.

Specifying P2 Proposal

To specify a P2 proposal for the IKE tunnel, in the IKE tunnel configuration mode, use the
following command:
ipsec-proposal p2-name

l p2-name – Specifies a name for the P2 proposal.

To cancel the specified P2 proposal, use the command no ipsec-proposal.

Specify a Phase 2 ID

To specify a Phase 2 ID of the IKE IPsec tunnel, in the IKE tunnel configuration mode, use the
following command:
id {auto | local ip-address/mask remote ip-address/mask service service-name}

l auto – Specifies the Phase 2 ID automatically.

l local ip-address/mask – Specifies the local ID of Phase 2.

l remote ip-address/mask – Specifies the Phase 2 ID of the peer device. As the dial-up VPN
initiator has no stable ID, the Phase 2 ID should be 0.0.0.0/0.

l service service-name – Specifies the service name.

You can configure up to 256 Phase 2 IDs and use them to establish multiple IKE tunnels. If the
center device has been configured with multiple Phase 2 IDs, it can negotiate with a remote client
to create multiple IPSec SAs. After auto routing is enabled, once an IPSec SA has been created, a
route entry is added to the routing table automatically whose destination IP address is the local ID
of the peer and whose next hop (gateway) is the egress IP address of the remote client. When the
IPSec SA is deleted, the corresponding route entry is deleted from the routing table.



To restore the default configurations, use the command no id {auto | local ip-address/mask
remote ip-address/mask service service-name}.

Creating an IPSec SA When There is Inclusion Relation for ID

When the remote ID of phase 2 ID configured in the center device contains the local ID of phase
2 ID configured in the remote client, an IPSec SA can still be successfully created between the
center device and the remote client after this feature is configured. To enable this feature, in the
IKE tunnel configuration mode, use the following command:
dialup-control-id
To restore to the default setting, use the command no dialup-control-id.

Configuring IPSec Balancing and Filtering

A central device can negotiate with a remote client to create multiple IPSec SAs. Encapsulated
packets are then filtered when they leave through the IKE tunnel interface and balanced when
they enter through it. If a packet's source IP address, destination IP address and service type
match a Phase 2 ID, the packet is processed by the central device; otherwise, the packet is
discarded.
To configure IPSec balancing and filtering, in the IKE tunnel configuration mode, use the
following command:
check-id
To restore to the default setting, use the command no check-id.

Enabling Auto Connection

The device has two methods of establishing an SA: auto and traffic-triggered.

l When it is auto, the device checks the SA status every 60 seconds and initiates a negotiation
request when the SA is not established.

l When it is traffic-triggered, the tunnel sends negotiation requests only when there is traffic
passing through the tunnel.

By default, the traffic-triggered mode is used.



To enable auto connection, in the IKE tunnel configuration mode, use the following command:
auto-connect
To restore to the default setting, use the command no auto-connect.

Notes: Auto connection works only when the peer IP is static and the local device
is the initiator.

Configuring Packet Fragmentation

To allow IP packet fragmentation on the forwarding device, in the IKE tunnel configuration
mode, use the following command:
df-bit {copy | clear | set}

l copy – Copies the IP packet DF options from the sender directly. This is the default value.

l clear – Allows packet fragmentation.

l set – Disallows packet fragmentation.

To restore to the default value, use the command no df-bit.

Configuring Anti-replay

Anti-replay is used to prevent attackers from replaying captured packets against the device, i.e.,
the receiver rejects obsolete or duplicate packets. By default, this function is disabled.
To configure anti-replay for IKE IPsec tunnel, in the IKE IPsec tunnel configuration mode, use
the following command:
anti-replay {32 | 64 | 128 | 256 | 512}

l 32 - Specifies the anti-replay window as 32.

l 64 - Specifies the anti-replay window as 64.

l 128 - Specifies the anti-replay window as 128.



l 256 - Specifies the anti-replay window as 256.

l 512 - Specifies the anti-replay window as 512.

When the network condition is poor, choose a larger window.


To disable anti-replay, use the command no anti-replay.
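Added example (Python written for this page, not StoneOS code): a model of the receiver-side sliding window that the anti-replay setting of 32 to 512 refers to, following the sequence-number check of RFC 4303 section 3.4.3. The arrival orders are constructed; they show a duplicate being dropped at any window size, and a late packet that a 32-entry window discards while a 64-entry window still accepts, which is why the text recommends a larger window when the network condition is poor.

```python
from typing import List

# Window sizes accepted by "anti-replay {32 | 64 | 128 | 256 | 512}".
VALID_WINDOWS = (32, 64, 128, 256, 512)


class AntiReplayWindow:
    """Receiver-side sliding window over ESP/AH sequence numbers.

    The window covers the highest sequence number accepted so far and the
    (size - 1) numbers below it. A packet is dropped when it duplicates one
    already seen, or when it falls below the window ("too old"); both cases
    are how a replayed packet is rejected. Sequence numbers are treated as
    plain integers (no extended sequence numbers), a simplification.
    """

    def __init__(self, size: int = 64) -> None:
        if size not in VALID_WINDOWS:
            raise ValueError(f"window size must be one of {VALID_WINDOWS}")
        self.size = size
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set  <=>  (highest - i) has been accepted

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it must be dropped."""
        if seq <= 0:
            return False                      # sequence number 0 is never sent
        if seq > self.highest:
            # Slide the window up; bits that fall off the bottom are forgotten.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # below the window: treated as replay
        if self.bitmap & (1 << offset):
            return False                      # duplicate inside the window
        self.bitmap |= 1 << offset            # late but new: accept exactly once
        return True


def run(size: int, arrivals: List[int]) -> List[bool]:
    """Feed an arrival order through a fresh window and return the per-packet verdicts."""
    window = AntiReplayWindow(size)
    return [window.accept(seq) for seq in arrivals]


def dropped(size: int, arrivals: List[int]) -> List[int]:
    """Sequence numbers that a window of this size would discard for these arrivals."""
    return [seq for seq, ok in zip(arrivals, run(size, arrivals)) if not ok]


# Constructed arrival orders: a replayed packet, and a heavily reordered stream
# such as a lossy path with several parallel links might deliver.
REPLAYED = [1, 2, 3, 2, 4]              # sequence number 2 arrives twice
REORDERED = [40, 41, 42, 5, 43]         # 5 arrives 37 behind the window top

if __name__ == "__main__":
    print("replay dropped  :", dropped(64, REPLAYED))      # [2]
    print("window 32 drops :", dropped(32, REORDERED))     # [5]
    print("window 64 drops :", dropped(64, REORDERED))     # []
```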

Configuring Commit Bit

The commit bit function is used to avoid packet loss and timing differences in the tunnel.
Configuring this function on this end makes the corresponding peer use it. However, the commit
bit may slow down the response speed.
To configure the commit bit, in the IKE IPsec tunnel configuration mode, use the command
responder-set-commit.
To disallow the responder to set the commit bit, use the command no responder-set-commit.

Configuring Idle Time

The idle time is the longest time the tunnel can exist without traffic passing through it. When
this time is over, the SA is cleared.
To configure the idle time, in the IKE IPsec tunnel configuration mode, use the following
command:
idle-time time-value

l time-value – Specifies a time value. The value range is 120 to 3000 seconds.

To disable idle time, in the IKE IPsec tunnel configuration mode, use the following command:
no idle-time

Specifying Description

To give a description to an IKE tunnel, in the IKE tunnel configuration mode, use the
following command:
description string



l string – Type the description you want.

To delete IKE tunnel description, use the command no description.

Configuring Auto Routing

For route-based dial-up VPN or PnPVPN, the IP addresses of the branches are always changing,
which causes operational inconvenience for the administrator if manual routing is used. The auto
routing function allows the device to add routing entries from center to branch automatically,
avoiding the complexity of manual routing.
By default, auto routing is disabled. To enable it, in the ISAKMP gateway configuration mode,
use the following command:
generate-route

For dial-up VPN, the destination address of the auto-generated route is the Phase 2 local ID and
its next hop is the peer IP address. For information about how to configure a Phase 2 ID, see
Specify a Phase 2 ID.
For PnPVPN, the destination address of auto generated route is the AND operation result of the
start IP and netmask of client DHCP address pool (dhcp-pool-addr-start & dhcp-pool-netmask),
and the next hop address is the peer IP address. For information about client DHCP address pool
and netmask, see Configuring a PnPVPN Server Using CLI.
To disable auto routing, use the command no generate-route.

Notes:

l If the Phase 2 local ID of the initiator in a dial-up VPN is 0.0.0.0/0, you are strongly suggested not to enable auto routing on the center device.

l When the branch office accesses the center, you can use the command no reverse-route to disable reverse routing and return all the reverse data from the original paths on the center device. The command line will show the number of imported users.

Configuring a Dial-up User

This section describes how to create a dial-up user, including user account and pre-shared key.

Creating a Dial-up User Account

To create a dial-up user account, in the global configuration mode, use the following command:
user user-name aaa-server local

l user-name – Type the user name.

This command leads you into the user configuration mode, where you can specify the user IKE
ID with the following command:
ike-id {fqdn string | asn1dn string}

l fqdn string – Specifies to use IKE ID of FQDN type. string is the ID content.

l asn1dn string – Specifies to use ID of Asn1dn type, which only applies to authentication
with certificate.

To cancel the IKE ID setting, in the user configuration mode, use the following command:
no ike-id

Generating a Pre-shared Key for Dial-up User

The center device generates a pre-shared key using dial-up user’s username and IKE ID.
To generate a pre-shared key, in any mode, use the following command:
exec generate-user-key rootkey pre-share-key userid string

l pre-share-key – Specifies the pre-shared key of the device.

l string – Specifies the IKE ID of the user.

Configuring the Dial-up Client

The remote client should configure parameters corresponding to the center device, including P1 proposal, P2 proposal, ISAKMP gateway and tunnel. The configuration commands are similar to those of the center device, but if the initiator's ISAKMP gateway uses pre-shared key authentication, its key must be the pre-shared key that the center device generated for the local ID (IKE ID) of that gateway.

Example of Configuring Dial-up VPN


This section provides a configuration example of dial-up VPN.

Requirement

Two dial-up clients (user1 and user2) and the center device (2.2.2.1/24) form a dial-up VPN. The goal is to allow two computers (PC1 and PC2) to access the server (Server1) protected by the center device through a secured VPN tunnel.

Configuring the Center Device

Step 1: Configure interfaces

hostname(config)# zone vpnzone
hostname(config-zone-vpnzone)# exit
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone vpnzone
hostname(config-if-eth0/0)# ip address 2.2.2.1/24
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/5
hostname(config-if-eth0/5)# zone trust
hostname(config-if-eth0/5)# ip address 192.168.1.1/24
hostname(config-if-eth0/5)# exit

Step 2: Configure a dial-up user account and pre-shared key

hostname(config)# aaa-server local
hostname(config-aaa-server)# user user1
hostname(config-user)# ike-id fqdn hillstone1
hostname(config-user)# exit
hostname(config-aaa-server)# user user2
hostname(config-user)# ike-id fqdn hillstone2
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)# exit
hostname# exec generate-user-key rootkey 123456 userid hillstone1
userkey: 3zPNDY6MmI8Wejk5fa3jhPU39p8=
hostname# exec generate-user-key rootkey 123456 userid hillstone2
userkey: tAFW+48HcAr15+NcISm6TZJZzGU=
hostname# configure
hostname(config)#

Step 3: Configure IKE VPN

hostname(config)# isakmp proposal p1
hostname(config-isakmp-proposal)# exit
hostname(config)# ipsec proposal p2
hostname(config-ipsec-proposal)# exit
hostname(config)# isakmp peer test
hostname(config-isakmp-peer)# aaa-server local
hostname(config-isakmp-peer)# interface ethernet0/0
hostname(config-isakmp-peer)# isakmp-proposal p1
hostname(config-isakmp-peer)# mode aggressive
hostname(config-isakmp-peer)# pre-share 123456
hostname(config-isakmp-peer)# type usergroup
hostname(config-isakmp-peer)# exit
hostname(config)# tunnel ipsec vpn auto
hostname(config-tunnel-ipsec-auto)# isakmp-peer test
hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2
hostname(config-tunnel-ipsec-auto)# id local 192.168.1.2/24 remote 0.0.0.0/0 service any
hostname(config-tunnel-ipsec-auto)# exit
hostname(config)#

Step 4: Configure policy rules

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone vpnzone
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action tunnel vpn
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone vpnzone
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action fromtunnel vpn
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Configuring Dial-up Client 1

Step 1: Configure interfaces

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 3.3.3.2/24
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/4
hostname(config-if-eth0/4)# zone trust
hostname(config-if-eth0/4)# ip address 192.168.2.1/24
hostname(config-if-eth0/4)# exit
hostname(config)#

Step 2: Configure IKE VPN

hostname(config)# isakmp proposal p1
hostname(config-isakmp-proposal)# exit
hostname(config)# ipsec proposal p2
hostname(config-ipsec-proposal)# exit
hostname(config)# isakmp peer test
hostname(config-isakmp-peer)# interface ethernet0/1
hostname(config-isakmp-peer)# isakmp-proposal p1
hostname(config-isakmp-peer)# mode aggressive
hostname(config-isakmp-peer)# peer 2.2.2.1
hostname(config-isakmp-peer)# pre-share 3zPNDY6MmI8Wejk5fa3jhPU39p8=
hostname(config-isakmp-peer)# local-id fqdn hillstone1
hostname(config-isakmp-peer)# exit
hostname(config)# tunnel ipsec vpn auto
hostname(config-tunnel-ipsec-auto)# isakmp-peer test
hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2
hostname(config-tunnel-ipsec-auto)# id local 192.168.2.2/24 remote 192.168.1.2/24 service any
hostname(config-tunnel-ipsec-auto)# exit
hostname(config)#

Step 3: Configure policy rules

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action tunnel vpn
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action fromtunnel vpn
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Configuring Dial-up Client 2

Step 1: Configure interfaces

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 4.4.4.2/24
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/4
hostname(config-if-eth0/4)# zone trust
hostname(config-if-eth0/4)# ip address 192.168.3.1/24
hostname(config-if-eth0/4)# exit
hostname(config)#

Step 2: Configure IKE VPN

hostname(config)# isakmp proposal p1
hostname(config-isakmp-proposal)# exit
hostname(config)# ipsec proposal p2
hostname(config-ipsec-proposal)# exit
hostname(config)# isakmp peer test
hostname(config-isakmp-peer)# interface ethernet0/1
hostname(config-isakmp-peer)# isakmp-proposal p1
hostname(config-isakmp-peer)# mode aggressive
hostname(config-isakmp-peer)# peer 2.2.2.1
hostname(config-isakmp-peer)# pre-share tAFW+48HcAr15+NcISm6TZJZzGU=
hostname(config-isakmp-peer)# local-id fqdn hillstone2
hostname(config-isakmp-peer)# exit
hostname(config)# tunnel ipsec vpn auto
hostname(config-tunnel-ipsec-auto)# isakmp-peer test
hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2
hostname(config-tunnel-ipsec-auto)# id local 192.168.3.2/24 remote 192.168.1.2/24 service any
hostname(config-tunnel-ipsec-auto)# exit
hostname(config)#

Step 3: Configure policy rules

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action tunnel vpn
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action fromtunnel vpn
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#
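The dial-up example above depends on the Phase 2 IDs of the center and of each client corresponding to one another, and on the auto-routing caveat from Configuring Auto Routing (an initiator local ID of 0.0.0.0/0 with generate-route on the center). The following checker is an added example, not code from the StoneOS guide or from Hillstone; it parses the id lines of the example and assumes the general IPsec proxy-ID rule (each side's local selector must fall inside the other side's remote selector), since the guide does not spell out the device's own matching behaviour.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Phase2Id:
    """One 'id local <A/m> remote <B/n> service <svc>' tunnel setting."""
    local: IPv4Network
    remote: IPv4Network
    service: str = "any"


def parse_phase2_id(cli_line: str) -> Phase2Id:
    """Parse the arguments of the StoneOS 'id' tunnel command from one CLI line.
    A leading prompt such as 'hostname(config-tunnel-ipsec-auto)#' is ignored."""
    tokens = cli_line.split()
    if tokens and tokens[0].endswith("#"):
        tokens = tokens[1:]
    if not tokens or tokens[0] != "id":
        raise ValueError(f"not an 'id' command: {cli_line!r}")
    args = dict(zip(tokens[1::2], tokens[2::2]))  # keyword -> value pairs
    # strict=False: the guide writes host addresses with a prefix (192.168.1.2/24);
    # the selector is the covering subnet, so host bits are masked off.
    return Phase2Id(
        local=ip_network(args["local"], strict=False),
        remote=ip_network(args["remote"], strict=False),
        service=args.get("service", "any"),
    )


def check_pair(center: Phase2Id, client: Phase2Id) -> List[str]:
    """Findings for one center/client pair; an empty list means the IDs correspond.
    Rule applied (assumed, general IPsec proxy-ID matching): each side's local
    selector must lie inside the other side's remote selector."""
    findings = []
    if not client.local.subnet_of(center.remote):
        findings.append(f"client local {client.local} is outside center remote {center.remote}")
    if not client.remote.subnet_of(center.local):
        findings.append(f"client remote {client.remote} is outside center local {center.local}")
    if "any" not in (center.service, client.service) and center.service != client.service:
        findings.append(f"service mismatch: center {center.service}, client {client.service}")
    return findings


def auto_route_warning(client: Phase2Id, center_generate_route: bool) -> Optional[str]:
    """The guide advises against generate-route on the center device when the
    initiator's Phase 2 local ID is 0.0.0.0/0: the auto-added route's destination
    is that local ID, so it would become a default route towards one branch."""
    if center_generate_route and client.local == IPv4Network("0.0.0.0/0"):
        return "initiator local ID 0.0.0.0/0 with generate-route enabled on the center"
    return None


# Constructed sample: the 'id' lines from the dial-up example above.
CENTER_ID = "hostname(config-tunnel-ipsec-auto)# id local 192.168.1.2/24 remote 0.0.0.0/0 service any"
CLIENT1_ID = "hostname(config-tunnel-ipsec-auto)# id local 192.168.2.2/24 remote 192.168.1.2/24 service any"
CLIENT2_ID = "hostname(config-tunnel-ipsec-auto)# id local 192.168.3.2/24 remote 192.168.1.2/24 service any"


def check_dialup(center_line: str, client_lines: List[str],
                 center_generate_route: bool = False) -> dict:
    """Map each client's local selector to its findings (auto-routing warning included)."""
    center = parse_phase2_id(center_line)
    report = {}
    for line in client_lines:
        client = parse_phase2_id(line)
        findings = check_pair(center, client)
        warning = auto_route_warning(client, center_generate_route)
        if warning:
            findings.append(warning)
        report[str(client.local)] = findings
    return report


if __name__ == "__main__":
    for local, findings in check_dialup(CENTER_ID, [CLIENT1_ID, CLIENT2_ID]).items():
        print(local, "OK" if not findings else findings)
```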

PnPVPN

Overview
IPsec VPN requires sophisticated operation skills and has a high maintenance cost. To relieve network administrators from this heavy work, Hillstone provides an easy-to-use VPN technology: PnPVPN (Plug-and-Play VPN). PnPVPN consists of two parts: PnPVPN Server and PnPVPN Client.

l PnPVPN Server: Normally deployed in the headquarters and maintained by an IT engineer. The PnPVPN Server issues most of the configuration commands to clients. The Hillstone device usually works as a PnPVPN Server, and one Hillstone device can serve as multiple servers.

l PnPVPN Client: Normally deployed in the branch offices and controlled remotely by the headquarters engineer. With simple configuration, such as client ID, password and server IP settings, the PnPVPN Client can receive configuration commands (e.g. DNS, WINS, DHCP address pool, etc.) from the PnPVPN Server.

Notes: The Hillstone device can serve as both a PnPVPN Server and a PnPVPN Client. When working as a PnPVPN Server, the maximum number of VPN instances and the supported number of clients per device vary by hardware platform.

PnPVPN Workflow
The workflow for PnPVPN is as follows:

1. The client initiates a connection request and sends its own ID and password to the server.

2. The server validates the ID and password when it receives the client request. If the client passes the authentication, the server issues configuration information including DHCP address pool, DHCP mask, DHCP gateway, WINS, DNS and tunnel routes, etc. to the client.

3. The client distributes the received information to the corresponding functional modules.

4. The client PC automatically gains an IP address, IP mask, gateway address and other network parameters and connects itself to the VPN.

PnPVPN Link Redundancy


The PnPVPN server supports dual VPN link dials for a PnPVPN client, and automatically generates the routing to the client. It can also configure the VPN monitor for the client. Two ISAKMP gateways and two tunnel interfaces need to be configured on the server. The two VPN tunnels need to refer to different ISAKMP gateways and be bound to different tunnel interfaces.
The client supports dual VPN dials and redundant routing. When the two VPN tunnels negotiate with the server, the client generates routes with different priorities according to the tunnel routing configuration at the server side. The high priority tunnel acts as the master link and the low priority tunnel as the backup link, so as to realize redundant routing. The master VPN tunnel is in the active state first. When the master tunnel is interrupted, the client uses the backup tunnel to transfer the data. When the master tunnel is restored, it transfers the data again.

Configuring a PnPVPN Server


This section describes the configurations on the server, both in the command line interface and
on the WebUI.

Configuring a PnPVPN Server Using CLI

Some IPsec VPN commands also apply to PnPVPN configuration; in addition, PnPVPN has its own unique configuration commands. The commands in this section do not form a complete PnPVPN command set on their own; for complete PnPVPN settings, see Example of Configuring PnPVPN.

Configuring User’s Network

After the client successfully negotiates with the server, the server distributes some network setting parameters, including DNS server address, WINS server address, tunnel route, DHCP address pool address/netmask and gateway address, to the client. These parameters are configured in the corresponding user configuration modes, but some of them (settings of DNS, WINS and tunnel route) can also be set in IKE tunnel configuration. When there is a conflict between the two settings, the configuration in the user configuration mode takes priority over the settings in the IKE tunnel configuration mode.
To enter the local user configuration mode, use the following commands:
aaa-server aaa-server-name type local (this command leads you to the local AAA server configuration mode)
user user-name

l user-name – Specifies the user name.

The commands below complete a user’s network settings. Among these parameters, settings of
DHCP address pool, DHCP netmask and gateway are required while others are optional.
dns A.B.C.D [ A.B.C.D ] [ A.B.C.D ] [ A.B.C.D ]

l A.B.C.D – Specifies the IP address of DNS server. You can define one primary DNS
server and up to three alternative servers. To cancel the DNS server setting, use the command
no dns.

wins A.B.C.D [ A.B.C.D ]

l A.B.C.D – Specifies the IP address of the WINS server. You can define one primary WINS server and one alternative WINS server. To cancel the WINS server setting, use the command no wins.

split-tunnel-route A.B.C.D/Mask

l A.B.C.D/Mask – Specifies the tunnel route. A.B.C.D is the IP address prefix and Mask is the digit of subnet mask. To clear the settings, use the command no split-tunnel-route A.B.C.D/Mask.

dhcp-pool-address start-ipaddr end-ipaddr

l start-ipaddr end-ipaddr – Specifies the start IP address and end IP address of DHCP address
pool. To cancel the setting, use the command no dhcp-pool-address.

dhcp-pool-netmask A.B.C.D

l A.B.C.D – Specifies the network mask of DHCP address pool. To cancel the setting, use the
command no dhcp-pool-netmask.

dhcp-pool-gateway A.B.C.D

l A.B.C.D – Specifies the gateway address of DHCP address pool. This address is the Intranet
interface’s IP address of PnPVPN client and serves as the PC gateway address. As the IP
address of PC is defined by the DHCP address pool and subnet mask, the gateway address and
DHCP address pool should be in the same network segment. To cancel the setting, use the
command no dhcp-pool-gateway.

Configuring Tunnel Network

If all or most of the clients use unified DNS, WINS or tunnel route settings, you can configure these parameters in the IKE tunnel mode to reduce the workload of making settings in the user configuration mode.
To enter the IKE tunnel configuration mode, use the following command:
tunnel ipsec tunnel-name auto

l tunnel-name – Specifies the name of IKE tunnel.

To configure the DNS, WINS and tunnel route, use the following commands:
dns A.B.C.D [ A.B.C.D ] [ A.B.C.D ] [ A.B.C.D ]

l A.B.C.D – Specifies the IP address of DNS server. You can define one primary server
and up to three alternative servers. To cancel the setting, use the command no dns.

wins A.B.C.D [ A.B.C.D ]

l A.B.C.D – Specifies the IP address of WINS server. You can define one primary WINS
server and one alternative server. To cancel the setting, use the command no wins.

split-tunnel-route A.B.C.D/Mask

l A.B.C.D/Mask – Specifies the tunnel route. A.B.C.D is the IP address prefix and Mask is the digit of subnet mask. To clear the settings, use the command no split-tunnel-route.
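The two preceding sections (Configuring User's Network and Configuring Tunnel Network) describe settings that can be made at two levels with user-level priority, a required pool/netmask/gateway trio that must be consistent, and, under Configuring Auto Routing, the route the server derives from the pool. The model below is an added example, not StoneOS code or Hillstone's implementation; it merges the two levels, validates the pool, and derives the auto-generated route, using the Shanghai user values from the PnPVPN example later in this chapter as constructed sample input.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import List, Tuple


@dataclass
class NetSettings:
    """DNS, WINS and tunnel-route parameters; settable in IKE tunnel mode
    (tunnel-wide defaults) and in user mode (per-user override)."""
    dns: List[str] = field(default_factory=list)                  # 1 primary + up to 3 alternatives
    wins: List[str] = field(default_factory=list)                 # 1 primary + 1 alternative
    split_tunnel_routes: List[str] = field(default_factory=list)  # A.B.C.D/Mask entries


@dataclass
class PnpUser:
    """Required per-user parameters plus the optional network settings."""
    name: str
    dhcp_pool_start: str
    dhcp_pool_end: str
    dhcp_pool_netmask: str
    dhcp_pool_gateway: str
    settings: NetSettings = field(default_factory=NetSettings)


def effective_settings(tunnel: NetSettings, user: NetSettings) -> NetSettings:
    """Merge per parameter: a parameter set for the user takes priority over the
    same parameter set on the tunnel; unset user parameters fall back to the tunnel."""
    return NetSettings(
        dns=user.dns or tunnel.dns,
        wins=user.wins or tunnel.wins,
        split_tunnel_routes=user.split_tunnel_routes or tunnel.split_tunnel_routes,
    )


def validate_settings(s: NetSettings) -> List[str]:
    """Enforce the server counts given in the guide and the route syntax."""
    problems = []
    if len(s.dns) > 4:
        problems.append(f"dns: {len(s.dns)} servers, maximum is 4")
    if len(s.wins) > 2:
        problems.append(f"wins: {len(s.wins)} servers, maximum is 2")
    for route in s.split_tunnel_routes:
        try:
            IPv4Network(route, strict=False)
        except ValueError:
            problems.append(f"split-tunnel-route: {route!r} is not A.B.C.D/Mask")
    return problems


def validate_user(user: PnpUser) -> List[str]:
    """Check the required DHCP pool/netmask/gateway trio for consistency."""
    problems = []
    start, end = ip_address(user.dhcp_pool_start), ip_address(user.dhcp_pool_end)
    gateway = ip_address(user.dhcp_pool_gateway)
    segment = IPv4Network(f"{start}/{user.dhcp_pool_netmask}", strict=False)
    if start > end:
        problems.append("dhcp-pool-address: start address is after end address")
    if end not in segment:
        problems.append(f"dhcp-pool-address: end {end} is outside {segment}")
    # Guide: the PC address comes from pool + netmask, so the gateway must be
    # in the same network segment as the pool.
    if gateway not in segment:
        problems.append(f"dhcp-pool-gateway: {gateway} is outside {segment}")
    return problems


def auto_route(user: PnpUser, peer_ip: str) -> Tuple[str, str]:
    """Route the server adds with generate-route for a PnPVPN client:
    destination = dhcp-pool-addr-start & dhcp-pool-netmask, next hop = peer IP."""
    start = int(IPv4Address(user.dhcp_pool_start))
    mask = int(IPv4Address(user.dhcp_pool_netmask))
    destination = IPv4Network(f"{IPv4Address(start & mask)}/{user.dhcp_pool_netmask}")
    return str(destination), peer_ip


# Constructed sample (values from the PnPVPN example later in this chapter):
# tunnel-wide DNS/WINS and the Shanghai user's pool and tunnel routes.
TUNNEL_SETTINGS = NetSettings(dns=["192.168.200.1", "192.168.200.11"],
                              wins=["192.168.200.2", "192.168.200.12"])
SHANGHAI = PnpUser(
    name="shanghai",
    dhcp_pool_start="192.168.2.1", dhcp_pool_end="192.168.2.100",
    dhcp_pool_netmask="255.255.255.0", dhcp_pool_gateway="192.168.2.101",
    settings=NetSettings(split_tunnel_routes=["192.168.200.0/24", "192.168.1.0/24", "192.168.3.0/24"]),
)

if __name__ == "__main__":
    merged = effective_settings(TUNNEL_SETTINGS, SHANGHAI.settings)
    print("effective settings:", merged)
    print("problems:", validate_user(SHANGHAI) + validate_settings(merged))
    print("auto route:", auto_route(SHANGHAI, "61.170.6.208"))
```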

Configuring Wildcard of ISAKMP Gateway’s Peer

When the PnPVPN Server uses a Radius server for authentication, you are required to configure the wildcard of the ISAKMP gateway's peer. The wildcard is used to match the username and determine the PnPVPN Server of the accessing client (a Hillstone device can serve as multiple PnPVPN servers), so that the Radius server for the user's authentication can be identified.
To configure the wildcard of the ISAKMP gateway's peer, in the ISAKMP gateway configuration mode, use the following command:
peer-id fqdn wildcard string

l fqdn – Uses wildcard of FQDN type.

l wildcard string – Specifies the wildcard ID which is usually the client’s domain name, like
abc.com.

To cancel wildcard settings, use command no peer-id.

Configuring Tunnel Interface of PnPVPN Client

To allow the sub-networks in the branch office to access the server, you can configure an IP address and enable the SNAT rule for the client tunnel interface on the PnPVPN server end. If an SR Series platform is used as the PnPVPN client, make sure that the version on the platform supports this function.

Notes: When this function is working, the PnPVPN server cannot access its clients.

To enter the local user configuration mode, use the following commands:
aaa-server aaa-server-name type local (This command leads you to the local AAA server configuration mode.)
user user-name

l user-name – Specifies the user name.

To configure the tunnel interface of the PnPVPN client, in the local user configuration mode, use the following command:
tunnel-ip-address A.B.C.D [ snat ]

l A.B.C.D – Specifies the IP address of client tunnel interface, but it should not conflict
with the existing IP addresses in the client.

l snat – Enables the SNAT rule. By default, the SNAT rule on the tunnel interface is disabled.

To cancel the tunnel interface of the PnPVPN client, in the local user configuration mode, use the following command:
no tunnel-ip-address

Configuring a PnPVPN Server Using WebUI

This section describes how to configure PnPVPN server in the WebUI, including:

l Configuring a User

l Configuring IKE VPN

l Configuring a Tunnel Interface

l Configuring a Route

l Configuring a Policy

Notes: PnPVPN supports two types of authentication server: Local and Radius.

Configuring a User

To configure a user, take the following steps:

1. Select Objects > Local User from the menu bar.

2. In the Local User dialog, select a local server from the Local server drop-down list. Click
New, and select User from the drop-down list.

3. On the Basic tab in the User Configuration dialog, type a name for the user into the Name
box.

4. Specify a password for the user in the Password box and confirm it in the Confirm password
box.

5. Click FQDN in the IKE ID section, and type the ID's content into the text box below. The
ID is used in authentication.

6. Click the PnPVPN tab and fill out options in the tab. If the user does not use configured
DNS, WINS or tunnel route of the tunnel, these options must be configured.

7. Configure other options as needed.

8. Click OK to save the settings.

Configuring IKE VPN

This section introduces how to configure IKE VPN, including how to configure P1 proposal, P2
proposal, VPN peer and tunnel.
To configure P1 proposal, take the following steps:

1. On the Navigation pane, click Configure > Network > IPsec VPN to visit the IPsec VPN
page and click the Phase1 Proposal tab.

2. Click New. In the Phase1 Proposal Configuration dialog, finish the options as described
below:

l Proposal name: Type the name of the Phase1 proposal.

l Authentication: Select pre-share.

l HASH: Select Group2.

3. You can fill out other options or leave them blank as needed.

4. Click OK to save the settings.

To configure P2 proposal, use the following steps:

1. On the Navigation pane, click Configure > Network > IPsec VPN to visit the IPsec VPN
page and click the Phase2 Proposal tab.

2. Click New.

3. In the Phase2 Proposal Configuration dialog, type the name of the P2 proposal into the Proposal name box.

4. Select a protocol, HASH algorithm, encryption algorithm and PFS group as needed.

5. You can fill out other options or use the default value as needed.

6. Click OK to save the settings.

To configure the peer, take the following steps:

1. On the Navigation pane, click Configure > Network > IPsec VPN to visit the IPsec VPN
page. Click the VPN Peer List tab.

2. In the Peer Configuration dialog, click New.

3. On the Basic tab, configure the options below:

l Peer name: Type the name of the ISAKMP gateway.

l Interface: Select an interface bound to the ISAKMP gateway.

l Mode: Select Aggressive.

l Type: Select user group, and select the AAA server you need from the AAA server
drop-down list.

l Proposal 1: Select a P1 proposal you want from the list.

l Pre-shared key: Type the pre-shared key into the box.

4. Configure other options as needed or use the default values.

5. Click Generate. In the Generate user key dialog, type the IKE ID into the IKE ID box, and
then click Generate. The generated user key will be displayed in the Generate result box.
PnPVPN client uses this key as the password to authenticate the login users. Then, close
the dialog.

6. Click OK to save the settings.

Notes: If a Radius server works as the authentication server, the wildcard must be configured.

To configure a tunnel, take the following steps:

1. On the Navigation pane, click Configure > Network > IPsec VPN to visit the IPsec VPN
page.

2. On the upper-left of the IKE VPN List, Click New.

3. Under Step 1: Peer, click Import in the Peer name section, and select a peer you want from
the drop down list; type the IP address of the peer into the Peer address box. Or, you can
create a new peer (ISAKMP gateway) on this tab.

4. Click Step 2: Tunnel and configure the options:

l Name: Type a name for the tunnel.

l Mode: Select tunnel.

l P2 proposal: Select a proposal you need from the drop down list.

5. Click the Advanced tab. In this tab, configure DNS, WINS and tunnel route (tunnel users
will use the DNS and WINS defined here).

6. Configure other options as needed or use the default values.

7. Click OK to save the settings.

Notes: If a Radius server works as the authentication server, the wildcard must be configured.

Configuring a Tunnel Interface

To configure tunnel interface, take the following steps:

1. On the Navigation pane, click Configure > Network > Network to visit the Network page.

2. Click New on the upper-left of the interface list, and select Tunnel Interface from the drop-down list. Configure the following options:

l Name: Type the number of the tunnel.

l Binding zone: Select Layer 3 zone.

l Zone: Select a zone for the interface from the drop-down list.

3. Under Tunnel binding, select IPsec VPN and select VPN tunnel from the VPN name drop
down list. Gateway address is not needed here.

4. Click OK to save settings.

Configuring a Route

To allow hosts in the server network to access the client network, you need to add static routes.
To add a route, take the following steps:

1. On the Navigation pane, click Configure > Network > Routing to visit the Routing page.

2. On the Destination Route tab, click New.

3. In the Destination Route Configuration dialog, type the IP address for the route into the
Destination box.

4. Type the corresponding subnet mask into the Subnet mask box.

5. To specify the type of next hop, click Interface, and select the VPN tunnel interface from
the Interface drop-down list below, then type the gateway address for the tunnel's peer into
the optional box below.

6. Configure other options as needed or use the default values.

7. Click OK to save the settings.

Configuring a Policy

Policies are configured according to the network deployment (on the Navigation pane, click Configure > Security > Policy to visit the Policy page).

Configuring a PnPVPN Client

This section describes how to configure a PnPVPN Client. To configure a PnPVPN Client, take the following steps:

1. On the Navigation pane, click Configure > Network > IPsec VPN to visit the IPsec VPN
page.

2. On the Task tab in the right auxiliary pane, click PnPVPN Client.

3. In the PnPVPN Configuration dialog, finish the options.

l Server address 1: Type the IP address of PnPVPN Server into the box. This option is
required.

l Server address 2: Type the IP address of PnPVPN Server into the box. The server
address 1 and the server address 2 can be the same or different. It is optional.

l ID: Specifies the IKE ID assigned to the client by the server.

l Password: Specifies the password assigned to the client by the server.

l Confirm password: Enter the password again to make confirmation.

l Auto save: Select Enable to auto save the DHCP and WINS information released by
PnPVPN Server.

l Outgoing IF 1: Specifies the interface connecting to the Internet. This option is required.

l Outgoing IF 2: Specifies the interface connecting to the Internet. The IF1 and the
IF2 can be the same or different. It is optional.

l Incoming IF: Specifies the interface on the PnPVPN Server accessed by Intranet PCs or application servers. Click the interface you want. If Incoming IF is selected, also select an interface from the Interface drop-down list; if multiple Intranet interfaces connect to PnPVPN, you should click BGroup IF, and add interface members of that bgroup. To add interface members, select the interface(s) you want from the Available list, and add them to the Selected list. To delete an interface member, select it and remove it from the Selected list.

4. Click OK to save the settings.

Example of Configuring PnPVPN


This section describes an example of PnPVPN configuration.

Requirement

A company has its headquarters in Beijing and two branch offices in Shanghai and Guangzhou, all three of which have Internet access. Its business demands that a VPN network should be established. The goals of the network are:

l Employees in Guangzhou Branch and Shanghai Branch can access the headquarters database
via VPN;

l All the employees (including the Beijing headquarters and two branches) can share resources
via VPN.

PnPVPN is a practical and easy-to-use method to meet the requirements above. Take the following steps:

l The headquarters uses a next-generation firewall as the PnPVPN Server and chooses local authentication.

l Each of the two branches has a next-generation firewall, working as the PnPVPN Client and
accessing the headquarters VPN network.

l To share resource among all employees in the three places, you should configure policies and
routes.

According to the topology, the network environment can be described as follows:

l The headquarters LAN network segment is 192.168.1.0/24 and it uses ethernet0/0 of trust
zone to access the network.

l The headquarters server group network segment is 192.168.200.0/24 and it uses ethernet0/2
of trust zone to access the network.

l The headquarters security device uses ethernet0/1 (IP: 202.106.6.208) of the untrust zone to access the network.

l Shanghai Branch uses an interface with IP 61.170.6.208 to access the Internet, and Guangzhou Branch uses an interface with IP 59.42.6.208 to access the Internet.

l The PnPVPN Server will allocate the network segment 192.168.2.0/24 to Shanghai Branch and 192.168.3.0/24 to Guangzhou Branch.

Configuration Steps

Take the steps below to configure the server end and client ends:

Configuring the Server

Step 1: Configure the local AAA server

hostname(config)# aaa-server test type local

hostname(config-aaa-server)# exit

hostname(config)#

Step 2: Configure the network in Shanghai Branch

hostname(config)# aaa-server test type local
hostname(config-aaa-server)# user shanghai
hostname(config-user)# ike-id fqdn shanghai
hostname(config-user)# dhcp-pool-address 192.168.2.1 192.168.2.100
hostname(config-user)# dhcp-pool-netmask 255.255.255.0
hostname(config-user)# dhcp-pool-gateway 192.168.2.101
hostname(config-user)# split-tunnel-route 192.168.200.0/24
hostname(config-user)# split-tunnel-route 192.168.1.0/24
hostname(config-user)# split-tunnel-route 192.168.3.0/24
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)#

Step 3: Configure the network in Guangzhou Branch

hostname(config)# aaa-server test type local
hostname(config-aaa-server)# user guangzhou
hostname(config-user)# ike-id fqdn guangzhou
hostname(config-user)# dhcp-pool-address 192.168.3.1 192.168.3.100
hostname(config-user)# dhcp-pool-netmask 255.255.255.0
hostname(config-user)# dhcp-pool-gateway 192.168.3.101
hostname(config-user)# split-tunnel-route 192.168.200.0/24
hostname(config-user)# split-tunnel-route 192.168.1.0/24
hostname(config-user)# split-tunnel-route 192.168.2.0/24
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)#

Step 4: Configure a PnPVPN Server

hostname(config)# isakmp proposal test1
hostname(config-isakmp-proposal)# group 2
hostname(config-isakmp-proposal)# exit
hostname(config)# ipsec proposal test2
hostname(config-ipsec-proposal)# group 2
hostname(config-ipsec-proposal)# exit
hostname(config)# isakmp peer test1
hostname(config-isakmp-peer)# type usergroup
hostname(config-isakmp-peer)# mode aggressive
hostname(config-isakmp-peer)# interface ethernet0/1
hostname(config-isakmp-peer)# aaa-server test
hostname(config-isakmp-peer)# isakmp-proposal test1
hostname(config-isakmp-peer)# pre-share 123456
hostname(config-isakmp-peer)# generate-route
hostname(config-isakmp-peer)# exit
hostname(config)# tunnel ipsec test auto
hostname(config-tunnel-ipsec-auto)# ipsec-proposal test2
hostname(config-tunnel-ipsec-auto)# isakmp-peer test1
hostname(config-tunnel-ipsec-auto)# mode tunnel
hostname(config-tunnel-ipsec-auto)# id auto
hostname(config-tunnel-ipsec-auto)# dns 192.168.200.1 192.168.200.11
hostname(config-tunnel-ipsec-auto)# wins 192.168.200.2 192.168.200.12
hostname(config-tunnel-ipsec-auto)# exit
hostname(config)#

Step 5: Generate client private keys

hostname(config)# exec generate-user-key rootkey 123456 userid shanghai
userkey: kyZAKmLWCc5Nz75fseDiM2r+4Vg=
hostname(config)# exec generate-user-key rootkey 123456 userid guangzhou
userkey: SdqhY4+dPThTtpipW2hs2OMB5Ps=

Step 6: Configure policies

hostname(config)# zone VPN
hostname(config-zone-VPN)# exit
hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone VPN
hostname(config-if-tun1)# tunnel ipsec test
hostname(config-if-tun1)# exit
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone VPN
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone VPN
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone VPN
hostname(config-policy-rule)# dst-zone VPN
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#


Configuring the Clients

In the Shanghai Branch:

1. On the Navigation pane, click Configure > Network > IPsec VPN to visit the IPsec VPN
page.

2. On the Task tab in the right auxiliary pane, click PnPVPN Client. In the PnPVPN Configuration
dialog, configure the options as below:

• Server address: 202.106.6.208

• ID: shanghai

• Password: kyZAKmLWCc5Nz75fseDiM2r+4Vg=

• Confirm password: kyZAKmLWCc5Nz75fseDiM2r+4Vg=

• Auto save: Select the Enable checkbox

• Outgoing IF: ethernet0/0

• Incoming IF: ethernet0/3

3. Click OK to save your settings.

In the Guangzhou Branch:

1. On the Navigation pane, click Configure > Network > IPsec VPN to visit the IPsec VPN
page.

2. On the Task tab in the right auxiliary pane, click PnPVPN Client. In the PnPVPN Configuration
dialog, configure the options as below:

• Server address: 202.106.6.208

• ID: guangzhou

• Password: SdqhY4+dPThTtpipW2hs2OMB5Ps=

• Confirm password: SdqhY4+dPThTtpipW2hs2OMB5Ps=

• Auto save: Select the Enable checkbox

• Outgoing IF: ethernet0/0

• Incoming IF: ethernet0/3

3. Click OK to save your settings.


GRE

Overview
Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety
of network layer protocols inside virtual point-to-point links over an Internet Protocol
internetwork. StoneOS uses the GRE over IPsec feature to protect the routing information
passing between networks.

Configuring GRE
This section introduces how to configure GRE, including:

• Configuring a GRE tunnel

• Binding the GRE tunnel to a tunnel interface

Configuring a GRE Tunnel

Configurations for GRE tunnel should be performed in the GRE tunnel configuration mode.
To enter the GRE tunnel configuration mode, in the global configuration mode, use the following
command:
tunnel gre gre-tunnel-name

• gre-tunnel-name – Specifies the name of the new GRE tunnel. This command creates a new
GRE tunnel; if a tunnel with this name exists, you will enter its configuration mode directly.

To delete the specified GRE tunnel, use the following command:
no tunnel gre gre-tunnel-name

In the GRE tunnel configuration mode, you need to configure the following parameters for the
tunnel:


• Source interface/address

• Destination address

• Egress interface

• IPsec VPN tunnel (optional)

• Verification key

Specifying a Source Interface/Address

To define a source interface for the GRE tunnel, in the GRE tunnel configuration mode, use the
following command:
source { interface interface-name [ ipv6 ] |{ ipv4-address | ipv6-address } }

• interface interface-name [ ipv6 ] – Specifies the name of the interface to use as the source
interface of the GRE tunnel.

• ipv4-address | ipv6-address – Specifies the source IP address (IPv4 or IPv6).

To cancel the source address setting, in the GRE tunnel configuration mode, use the following
command:
no source

Specifying a Destination Address

To specify a destination address for the GRE tunnel, in the GRE tunnel configuration mode, use
the following command:
destination { ipv4-address | ipv6-address }

• ipv4-address | ipv6-address – Specifies the destination address for the GRE tunnel.

To cancel the specified destination address, in the GRE tunnel configuration mode, use the
following command:
no destination


Specifying an Egress Interface

To specify the egress interface for the GRE tunnel, in the GRE tunnel configuration mode, use
the following command:
interface interface-name

• interface-name – Specifies the name of the egress interface.

To cancel the egress interface setting, in the GRE tunnel configuration mode, use the following
command:
no interface

Specifying an IPsec VPN Tunnel

When using the GRE over IPsec function, you need to specify an IPsec VPN tunnel to encapsulate
the tunnel data.
To specify an IPsec VPN tunnel, in the GRE tunnel configuration mode, use the following
command:
next-tunnel ipsec tunnel-name

• tunnel-name – Specifies the name of the IPsec VPN tunnel.

To cancel the specified IPsec VPN tunnel, in the GRE tunnel configuration mode, use the
following command:
no next-tunnel

Specifying a Verification Key

When a verification key is specified, the system inserts the key into the packets it encapsulates
and checks the key in the packets it receives. When the key carried by a packet is the same as
the key configured on the receiver, the packet will be decrypted; if the keys differ, the packet
will be dropped. To specify the verification key, in the GRE tunnel configuration mode, use the
following command:
key key-value

• key-value – Specifies the verification key. The value ranges from 0 to 4294967295.


To cancel the configurations, use the following command in the GRE tunnel configuration mode:
no key
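The key check described above, as an added example rather than StoneOS code: it builds and parses RFC 2784/2890 GRE headers in Python and models the receiving endpoint's accept-or-drop decision. Assumed: a frame that carries no Key field is dropped when a key is configured, and the inner payload is a constructed sample.

```python
"""GRE Key field check, as an added example (not StoneOS code).

It builds and parses the GRE header of RFC 2784/2890 so the behaviour
documented under "Specifying a Verification Key" can be seen on bytes: a
frame whose Key field equals the receiver's configured key is decapsulated,
a mismatching or missing key is dropped. The key is a cleartext 32-bit
identifier rather than a cryptographic check; confidentiality comes from
the IPsec tunnel referenced with next-tunnel.
"""
import struct

GRE_FLAG_C = 0x8000       # Checksum Present
GRE_FLAG_K = 0x2000       # Key Present
GRE_FLAG_S = 0x1000       # Sequence Number Present
GRE_VERSION_MASK = 0x0007
ETHERTYPE_IPV4 = 0x0800
KEY_MAX = 4294967295      # `key key-value` range given on this page


def gre_encapsulate(payload, key=None, seq=None, protocol=ETHERTYPE_IPV4):
    """Return header + payload with the optional Key and Sequence fields set."""
    if key is not None and not 0 <= key <= KEY_MAX:
        raise ValueError("key-value must be in 0..4294967295")
    flags = 0
    optional = b""
    if key is not None:
        flags |= GRE_FLAG_K
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        optional += struct.pack("!I", seq)
    return struct.pack("!HH", flags, protocol) + optional + payload


def _field(frame, offset):
    """Read one 32-bit big-endian optional field, refusing truncated frames."""
    if len(frame) < offset + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack("!I", frame[offset:offset + 4])[0], offset + 4


def gre_parse(frame):
    """Return a dict with flags, protocol, checksum, key, seq and payload."""
    if len(frame) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", frame[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("only GRE version 0 is handled")
    offset = 4
    checksum = key = seq = None
    if flags & GRE_FLAG_C:
        checksum, offset = _field(frame, offset)  # Checksum (16) + Reserved1 (16)
    if flags & GRE_FLAG_K:
        key, offset = _field(frame, offset)
    if flags & GRE_FLAG_S:
        seq, offset = _field(frame, offset)
    return {"flags": flags, "protocol": protocol, "checksum": checksum,
            "key": key, "seq": seq, "payload": frame[offset:]}


def gre_receive(frame, configured_key):
    """Model the receiving tunnel endpoint that has `key configured_key` set.

    Returns the inner payload when the carried key matches, or None when the
    frame is dropped. Assumption (not stated on the page): a frame without a
    Key field is treated like a mismatch and dropped too.
    """
    try:
        parsed = gre_parse(frame)
    except ValueError:
        return None
    if parsed["key"] is None or parsed["key"] != configured_key:
        return None
    return parsed["payload"]


# Constructed sample: a minimal inner IPv4 header, not a real capture.
INNER = bytes.fromhex("4500001400010000401100000a0101010a010102")

if __name__ == "__main__":
    frame = gre_encapsulate(INNER, key=12345, seq=1)
    print("key visible on the wire:", gre_parse(frame)["key"])
    print("matching key accepted:", gre_receive(frame, 12345) == INNER)
    print("other key dropped:", gre_receive(frame, 12346) is None)
```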

Binding the GRE Tunnel to a Tunnel Interface

A well configured GRE tunnel needs to be bound to the tunnel interface so that it can work.
To bind the GRE tunnel to a tunnel interface, in the tunnel interface configuration mode, use the
following command:
tunnel gre gre-tunnel-name [ gw ip-address ]

• gre-tunnel-name – Specifies the name of the configured GRE tunnel to bind to the
interface.

• gw ip-address – This parameter is required when multiple tunnels are bound to this interface.
It defines the next-hop (peer tunnel interface) IP address of the GRE tunnel. The default value
is 0.0.0.0.

To cancel the binding of GRE tunnel to the tunnel interface, in the tunnel interface configuration
mode, use the following command:
no tunnel gre gre-tunnel-name

Viewing GRE Tunnel Information

To view GRE tunnel setting information, in any mode, use the following command:
show tunnel gre [ gre-tunnel-name ]

• gre-tunnel-name – Specifies the name of the GRE tunnel you want to view.

Example of Configuring GRE Tunnel


This section provides a configuration example of GRE over IPsec with OSPF in a Hillstone
device.


Requirement

The headquarters (Center) and the branch office (Branch1) are connected over the Internet and
exchange routes using the OSPF protocol. The connection uses the GRE over IPsec technique to
ensure secure data transmission between the center and the branch. The figure below is the
topology of the network layout.

Configuration Steps

Configurations for this requirement include settings on the headquarters device (Center) and on
the branch office device (Branch1).

Configuring the Center

The following commands are the necessary settings of IPsec VPN and OSPF.
Step 1: Configure the interface

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone untrust

hostname(config-if-eth0/0)# ip address 202.106.1.1/24

hostname(config-if-eth0/0)# exit

hostname(config)#

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 192.168.1.1/24

hostname(config-if-eth0/1)# exit

hostname(config)#

Step 2: Configure the IPsec VPN

hostname(config)# isakmp proposal branch1

hostname(config-isakmp-proposal)# exit

hostname(config)# ipsec proposal branch1

hostname(config-ipsec-proposal)# exit

hostname(config)# isakmp peer branch1

hostname(config-isakmp-peer)# interface ethernet0/0

hostname(config-isakmp-peer)# peer 202.106.2.1

hostname(config-isakmp-peer)# pre-share 111111

hostname(config-isakmp-peer)# isakmp branch1

hostname(config-isakmp-peer)# exit

hostname(config)# tunnel ipsec branch1 auto

hostname(config-tunnel-ipsec-auto)# isakmp-peer branch1

hostname(config-tunnel-ipsec-auto)# ipsec-proposal branch1

hostname(config-tunnel-ipsec-auto)# exit

hostname(config)#

Step 3: Configure the GRE tunnel

hostname(config)# tunnel gre center-branch1

hostname(config-tunnel-gre)# source 202.106.1.1

hostname(config-tunnel-gre)# destination 202.106.2.1

hostname(config-tunnel-gre)# interface ethernet0/0

hostname(config-tunnel-gre)# next-tunnel ipsec branch1

hostname(config-tunnel-gre)# exit

hostname(config)#

Step 4: Bind the GRE tunnel to the tunnel interface

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# ip address 172.16.1.1/24

hostname(config-if-tun1)# tunnel gre center-branch1 gw 172.16.1.2

hostname(config-if-tun1)# exit

hostname(config)#

Step 5: Configure OSPF

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router ospf

hostname(config-router)# router-id 172.16.1.1

hostname(config-router)# network 172.16.1.1/24 area 0

hostname(config-router)# network 192.168.1.1/24 area 0

hostname(config-router)# exit

hostname(config-vrouter)# exit

hostname(config)#

Step 6: Configure a policy

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

Configuring the Branch

Step 1: Configure the interface

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 202.106.2.1/24

hostname(config-if-eth0/1)# exit

hostname(config)#

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 192.168.2.1/24

hostname(config-if-eth0/0)# exit

hostname(config)#

Step 2: Configure the IPsec VPN

hostname(config)# isakmp proposal center

hostname(config-isakmp-proposal)# exit

hostname(config)# ipsec proposal center

hostname(config-ipsec-proposal)# exit

hostname(config)# isakmp peer center

hostname(config-isakmp-peer)# interface ethernet0/0

hostname(config-isakmp-peer)# peer 202.106.1.1

hostname(config-isakmp-peer)# pre-share 111111

hostname(config-isakmp-peer)# isakmp center

hostname(config-isakmp-peer)# exit

hostname(config)# tunnel ipsec center auto

hostname(config-tunnel-ipsec-auto)# isakmp-peer center

hostname(config-tunnel-ipsec-auto)# ipsec-proposal center

hostname(config-tunnel-ipsec-auto)# exit

hostname(config)#

Step 3: Configure the GRE tunnel

hostname(config)# tunnel gre branch1

hostname(config-tunnel-gre)# source 202.106.2.1

hostname(config-tunnel-gre)# destination 202.106.1.1

hostname(config-tunnel-gre)# interface ethernet0/0

hostname(config-tunnel-gre)# next-tunnel ipsec center

hostname(config-tunnel-gre)# exit

hostname(config)#

Step 4: Bind the GRE tunnel to the tunnel interface

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# ip address 172.16.1.2/24

hostname(config-if-tun1)# tunnel gre branch1 gw 172.16.1.1

hostname(config-if-tun1)# exit

hostname(config)#

Step 5: Configure OSPF

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router ospf

hostname(config-router)# router-id 172.16.1.2

hostname(config-router)# network 172.16.1.2/24 area 0

hostname(config-router)# network 192.168.2.1/24 area 0

hostname(config-router)# exit

hostname(config-vrouter)# exit

hostname(config)#

Step 6: Configure a policy

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

L2TP

Overview
L2TP (Layer Two Tunneling Protocol) is a VPDN technique that allows dial-up users to launch a
VPN connection from L2TP clients or L2TP access concentrators (LAC), and connect to an L2TP
network server (LNS) via PPP. After the connection has been established successfully, the LNS
will assign IP addresses to legal users and permit them to access the private network.
The device acts as an LNS or an LAC client in the L2TP tunnel network. When the device acts as
an LNS, it accepts connections from L2TP clients or LACs, performs authentication and
authorization, and assigns IP addresses, DNS server addresses and WINS server addresses to legal
users. When the device acts as an LAC client, it actively initiates PPP negotiation and
authentication. After the tunnel is established, the traffic is transmitted to the opposite end
through the L2TP VPN tunnel.
Note: For more information about L2TP, see RFC2661.

Typical L2TP Tunnel Network


There are two kinds of typical L2TP tunnel network modes:

The figure above shows the network topology where the L2TP client directly sends requests for
connection to the LNS, and attempts to establish a tunnel. Any PC installed with Windows
2000/2003/XP/Vista or Linux system can serve as the L2TP client.

The figure above shows the network topology where the remote user dials up to the LAC via
PSTN/ISDN, and the LAC launches a VPN connection and attempts to establish a tunnel. The LAC
is the device that provides access service for remote dial-up users. It lies between the remote
dial-up user and the LNS, and is responsible for data forwarding between them. The connection
between the LAC and remote dial-up users adopts PPP or a local connection, while the connection
between the LAC and the LNS requires a tunnel established over L2TP.

L2TP over IPSec


L2TP does not encrypt the data transmitted through the tunnel, so it cannot assure security
during the transmission. You can use L2TP in combination with IPsec and encrypt the data with
IPsec, thus assuring the security of the data transmitted through the L2TP tunnel.
To configure L2TP over IPsec, take the following steps:

1. Configure an L2TP client, and make sure IPsec encryption is enabled. For more information
about how to configure IPsec encryption on a client, see the user manual of your OS; for
the configuration on Windows XP, see Example of Configuring L2TP over IPsec.

2. Configure IPsec VPN. For more information, see IPsec Protocol.

3. Configure an L2TP instance, and reference the configured IPsec tunnel.

4. Configure a policy rule.

When using the L2TP client on Windows systems, keep in mind that:

• The L2TP client on Windows systems only supports the IKE negotiation of the main mode;
therefore, you need to configure the IKE negotiation mode to main mode on LNS. For the
supported mode of the L2TP client on other systems, see related user manual.

• IPsec on Windows systems only supports the transport mode; therefore, you need to configure
IPsec to transport mode on LNS.

Configuring LNS
The configurations of LNS include:

• Configuring an address pool

• Configuring an L2TP instance

• Binding the L2TP instance to a tunnel interface

• Kicking out a user

• Restarting a tunnel

Configuring an Address Pool

LNS assigns the IP addresses in the address pool to users. After the client has established a
connection to LNS successfully, LNS will choose an IP address along with other related parameters
(such as the DNS server address, WINS server address, etc.) from the address pool, and assign them
to the client. To create an L2TP address pool, in the global configuration mode, use the following
command:
l2tp pool pool-name

• pool-name – Specifies the name of the address pool.

The above command creates the address pool with the specified name, and leads you to the L2TP
address pool configuration mode; if the specified name exists, the system will directly enter the
L2TP address pool configuration mode.
To delete the specified L2TP address pool, in the global configuration mode, use the following
command:
no l2tp pool pool-name

You can configure the following options in the L2TP address pool configuration mode:

• IP range of the address pool

• Reserved IP address

• IP binding rules

Configuring the IP Range of the Address Pool

To configure an IP range of the address pool, in the L2TP address pool configuration mode, use
the following command:
address start-ip end-ip

• start-ip – Specifies the start IP of the IP range.

• end-ip – Specifies the end IP of the IP range.

You can specify up to 60000 IP addresses for an address pool.


To delete the specified IP range, in the L2TP address pool configuration mode, use the following
command:
no address

Configuring the Reserved IP Address

Some IP addresses can be reserved in the reserved address pool, and they will not be allocated.
When allocating IP addresses in the address pool, LNS will reserve the addresses that are
occupied by other services (such as gateway, FTP server, etc.). To configure the reserved IP
address, in the L2TP address pool configuration mode, use the following command:
exclude-address start-ip end-ip

• start-ip – Specifies the start IP of the reserved IP address.

• end-ip – Specifies the end IP of the reserved IP address.

To delete the specified reserved IP address, in the L2TP address pool configuration mode, use
the following command:
no exclude-address

Configuring IP Binding Rules

L2TP provides fixed IP addresses by creating and implementing IP binding rules, which consist of
static IP binding rules and role-IP binding rules. A static IP binding rule binds the client user
to a fixed IP address in the address pool. Once the client has established a connection
successfully, the system will assign the bound IP to the client. A role-IP binding rule binds the
role to a specific IP range in the address pool. Once the client has established a connection
successfully, the system will assign an IP address within the IP range to the client.
When LNS is allocating IP addresses in the address pool, the system will check the IP binding
rules and determine how to assign IP addresses for the client in the following order:

1. Check if the client is configured with any static IP binding rule. If so, assign the bound IP
address to the client; otherwise, further check other configurations. Note that if the bound IP
address is already in use, the user will be unable to log in.

2. Check if the client is configured with any role-IP binding rule. If so, assign an IP address
within the binding IP range to the client; otherwise, the user will be unable to log in.

Notes: The IP addresses defined in the static IP binding rule and role-IP binding
rule should not be overlapped.

Configuring a Static IP Binding Rule

To configure a static IP binding rule, in the L2TP address pool configuration mode, use the
following command:
ip-binding user user-name ip-address

• user user-name – Specifies the username of the client.

• ip-address – Specifies the binding IP address which must be an available address in the
address pool.

To cancel the specified static IP binding rule, in the L2TP address pool configuration mode, use
the following command:
no ip-binding user user-name

Configuring a Role-IP Binding Rule

To configure a role-IP binding rule, in the L2TP address pool configuration mode, use the
following command:
ip-binding role role-name ip_range start-ip end-ip

• role role-name – Specifies the name of the role.

• ip_range start-ip end-ip – Specifies the start IP and end IP of the binding IP range which
must be an available IP range in the address pool.

To cancel the specified role-IP binding rule, in the L2TP address pool configuration mode, use
the following command:
no ip-binding role role-name

Moving a role-IP Binding Rule

One user can be bound to one or multiple roles, and different roles can be configured with
different role-IP binding rules. For a user that is bound to multiple roles that are also
configured with their corresponding role-IP binding rules, the system will query the role-IP
binding rules in turn, and assign an IP address based on the first matched rule. By default the
system will put the new rule at the bottom of all rules. You can move a role-IP binding rule to
change its matching sequence. To move a role-IP binding rule, in the L2TP address pool
configuration mode, use the following command:
move role-name1 { before role-name2 | after role-name2 | top | bottom }

• role-name1 – Specifies the name of the role-IP binding rule that will be moved.

• before role-name2 – Moves the role-IP binding rule before the rule named role-name2.

• after role-name2 – Moves the role-IP binding rule after the rule named role-name2.

• top – Moves the role-IP binding rule to the top of all the rules.

• bottom – Moves the role-IP binding rule to the bottom of all the rules.

Configuring an L2TP Instance

To create an L2TP instance, in the global configuration mode, use the following command:
tunnel l2tp tunnel-name

• tunnel-name – Specifies the name of the L2TP instance.

After executing the above command, the system will create the L2TP instance with the specified
name, and enter the L2TP instance configuration mode; if the specified name exists, the system
will directly enter the L2TP instance configuration mode.
To delete the specified L2TP instance, in the global configuration mode, use the following
command:
no tunnel l2tp tunnel-name

You can configure the following options in the L2TP instance configuration mode:

• IP address assignment

• Address pool

• DNS server

• WINS server

• Egress interface of the tunnel

• AAA server

• PPP authentication protocol

• Hello interval

• Tunnel authentication

• Tunnel password

• Local name of LNS

• AVP hidden

• Window size of the tunnel data

• Multi-Logon

• Enabling/disabling user-specified client IP

• Retry times of control packets

• Enabling/Disabling Calculating the Checksum of UDP Packet

Specifying the IP Address Assignment Method

LNS assigns IP addresses and DNS server address to users using the address pool or the local
AAA server. By default, LNS assigns IP addresses by address pool.
To specify the IP address assignment method for the L2TP instance, use the following command
in the L2TP instance configuration mode:
assign-client-ip from { pool | aaa-server }

• pool – Uses the address pool to assign IP addresses and the DNS server address.

• aaa-server – Uses the AAA server to assign IP addresses and the DNS server address.

Notes: The type of the local AAA server must be RADIUS.

Specifying an Address Pool

To specify an L2TP address pool for the L2TP instance, in the L2TP instance configuration mode,
use the following command:
pool pool-name

• pool-name – Specifies the name of the L2TP address pool defined in the system.

To cancel the specified L2TP address pool, in the L2TP instance configuration mode, use the
following command:
no pool

Configuring a DNS Server

To configure a DNS server, in the L2TP instance configuration mode, use the following
command:
dns address1 [ address2 ]

• address1 – Specifies the IP address of the DNS server. You can configure up to two DNS
servers.

To cancel the specified DNS server, in the L2TP instance configuration mode, use the following
command:
no dns

Configuring a WINS Server

To configure a WINS server, in the L2TP instance configuration mode, use the following
command:
wins address1 [ address2 ]

• address1 – Specifies the IP address of the WINS server. You can configure up to two WINS
servers.

To cancel the specified WINS server, in the L2TP instance configuration mode, use the following
command:
no wins

Specifying the Egress Interface of the Tunnel

To specify the egress interface of the tunnel, in the L2TP instance configuration mode, use the
following command:
interface interface-name

• interface-name – Specifies the name of the interface.

To cancel the specified egress interface, in the L2TP instance configuration mode, use the
following command:
no interface

Specifying an AAA Server

The AAA server specified here is used by LNS for L2TP authentication. To specify an AAA
server, in the L2TP instance configuration mode, use the following command:
aaa-server aaa-server-name [ domain domain-name [ keep-domain-name ]]

• aaa-server-name – Specifies the name of the AAA server.

• domain domain-name – Specifies the domain name of the AAA server to distinguish
different AAA servers.

• keep-domain-name – After specifying this parameter, the AAA server uses the full name of
the user, including the username and the domain name, to perform the authentication.

To cancel the specified AAA server, in the L2TP instance configuration mode, use the following
command:
no aaa-server aaa-server-name [ domain domain-name ]

Specifying a PPP Authentication Protocol

When establishing a connection with the client or LAC, the LNS can adopt either PAP or CHAP
for authentication during the PPP negotiation. To specify a PPP authentication protocol, in the
L2TP instance configuration mode, use the following command:
ppp-auth { pap | chap | any }

• pap – Uses PAP for PPP authentication.

• chap – Uses CHAP for PPP authentication. This is the default option.

• any – Uses CHAP for PPP authentication by default; if the peer does not support CHAP, PAP is
used instead.

To restore to the default authentication configuration, in the L2TP instance configuration mode,
use the following command:
no ppp-auth

Specifying the Hello Interval

L2TP uses Hello packets to detect if the tunnel is connected. LNS sends Hello packets to the
L2TP client or LAC regularly, and will drop the connection to the tunnel if no response is
returned after the specified period. To specify the Hello interval, in the L2TP instance
configuration mode, use the following command:
keepalive time

• time – Specifies the Hello interval. The value range is 60 to 1800 seconds. The default value
is 60.

To restore to the default Hello interval, in the L2TP instance configuration mode, use the
following command:
no keepalive

Enabling Tunnel Authentication

Before establishing a tunnel, you can enable tunnel authentication to assure the security of the
connection. The tunnel authentication can be launched by either LNS or LAC. The tunnel cannot
be established unless both ends are authenticated, i.e., the secret strings of the two ends are
consistent. By default tunnel authentication is disabled. To enable the function, in the L2TP
instance configuration mode, use the following command:
tunnel-authentication

To disable tunnel authentication, in the L2TP instance configuration mode, use the following
command:
no tunnel-authentication

Specifying the Secret String

To specify the secret string that is used for LNS tunnel authentication, in the L2TP instance
configuration mode, use the following command:
secret secret-string [ peer-name name ]

• secret-string – Specifies the secret string for the tunnel. The value range is 30 to 60
characters.

• peer-name name – Specifies the host name of LAC. If multiple LACs are connected to LNS,
you can specify different secret strings for different LACs by this parameter. If this parameter
is not specified, the system will use the same secret string for all the LACs.

To cancel the specified secret string, in the L2TP instance configuration mode, use the following
command:
no secret secret-string [ peer-name name ]

Specifying the Local Name of LNS

To specify the local name of LNS, in the L2TP instance configuration mode, use the following
command:
local-name name

• name – Specifies the name of the LNS tunnel. The value range is 6 to 30 characters. The
default name is LNS.

To restore to the default value, in the L2TP instance configuration mode, use the following
command:
no local-name

Enabling AVP Hidden

L2TP uses AVP (attribute value pair) to transfer and negotiate some L2TP parameters and
attributes. By default AVP is transferred in plain text. For data security consideration, you can
encrypt the data by the secret string to hide the AVP during the transmission. To enable or
disable AVP hidden, in the L2TP instance configuration mode, use the following commands:

• Enable: avp-hidden

• Disable (default): no avp-hidden

Notes: To enable AVP hidden, you must configure the secret string for the tunnel.
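How the secret string feeds both tunnel authentication and AVP hidden, as an added example (not StoneOS code): the RFC 2661 CHAP-style challenge response (section 5.1.1) and the AVP hiding scheme (section 4.3), which is why a secret must exist before avp-hidden can be enabled. The secret, challenge, random vector and AVP value are constructed, and the on-wire AVP framing (H bit, Random Vector AVP) is not reproduced.

```python
"""Tunnel authentication and AVP hiding driven by the L2TP secret string.

Added example, not StoneOS code. It walks through the two RFC 2661
mechanisms that the `secret` command feeds: the CHAP-style challenge
response used for tunnel authentication (section 5.1.1) and the AVP
hiding scheme (section 4.3) behind the avp-hidden option. The secret,
challenge and random vector below are constructed values.
"""
import hashlib
import hmac
import struct

# Message Type values whose one-octet ID is hashed into the Challenge Response:
# the LNS answers in an SCCRP, the LAC answers in an SCCCN.
SCCRP = 2
SCCCN = 3


def tunnel_auth_response(message_type, secret, challenge):
    """Challenge Response AVP value: MD5(ID octet | secret | challenge)."""
    return hashlib.md5(bytes([message_type]) + secret + challenge).digest()


def tunnel_auth_verify(message_type, secret, challenge, response):
    """Receiver side: recompute with the local secret and compare in constant time.

    Both ends must hold the same secret string, otherwise the tunnel is not set up.
    """
    expected = tunnel_auth_response(message_type, secret, challenge)
    return hmac.compare_digest(expected, response)


def _first_block(attribute, secret, random_vector):
    # b(1) = MD5(Attribute Type (2 octets) | secret | Random Vector AVP value)
    return hashlib.md5(struct.pack("!H", attribute) + secret + random_vector).digest()


def avp_hide(attribute, value, secret, random_vector):
    """Hide an AVP value: prepend its 2-octet length, pad to 16-octet blocks, then
    XOR each block with a chained MD5 keystream (RFC 2661 section 4.3)."""
    plain = struct.pack("!H", len(value)) + value
    plain += b"\x00" * (-len(plain) % 16)
    hidden = b""
    block = _first_block(attribute, secret, random_vector)
    for i in range(0, len(plain), 16):
        cipher = bytes(p ^ b for p, b in zip(plain[i:i + 16], block))
        hidden += cipher
        block = hashlib.md5(secret + cipher).digest()  # b(n+1) = MD5(secret | c(n))
    return hidden


def avp_unhide(attribute, hidden, secret, random_vector):
    """Reverse avp_hide; raises ValueError when the length octets are implausible,
    which is the usual symptom of a secret mismatch between LAC and LNS."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden AVP value must be a non-empty multiple of 16 octets")
    plain = b""
    block = _first_block(attribute, secret, random_vector)
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(chunk, block))
        block = hashlib.md5(secret + chunk).digest()
    length = struct.unpack("!H", plain[:2])[0]
    if length > len(plain) - 2:
        raise ValueError("implausible length after unhiding (secret mismatch?)")
    return plain[2:2 + length]


# Constructed values: a secret in the 30..60 character range the page requires,
# plus fixed challenge / random vector bytes instead of live random ones.
SECRET = b"constructed-tunnel-secret-of-thirty-two"
OTHER_SECRET = b"some-other-constructed-secret-string!!"
CHALLENGE = bytes(range(16))
RANDOM_VECTOR = bytes.fromhex("00112233445566778899aabbccddeeff")
ATTR_CALLING_NUMBER = 22  # AVP attribute type "Calling Number", may be hidden
CALLING_NUMBER = b"+1-555-0100"  # constructed sample value


def demo():
    """Return (auth ok, auth ok with a different secret, unhidden AVP value)."""
    resp = tunnel_auth_response(SCCRP, SECRET, CHALLENGE)
    ok = tunnel_auth_verify(SCCRP, SECRET, CHALLENGE, resp)
    bad = tunnel_auth_verify(SCCRP, OTHER_SECRET, CHALLENGE, resp)
    hidden = avp_hide(ATTR_CALLING_NUMBER, CALLING_NUMBER, SECRET, RANDOM_VECTOR)
    return ok, bad, avp_unhide(ATTR_CALLING_NUMBER, hidden, SECRET, RANDOM_VECTOR)
```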

Specifying the Window Size of the Tunnel Data

To configure the window size for the data transmitted through the tunnel, in the L2TP instance
configuration mode, use the following command:
tunnel-receive-window window-size

• window-size – Specifies the window size. The value range is 4 to 800 packets. The default
value is 8.

To restore to the default value, in the L2TP instance configuration mode, use the following
command:
no tunnel-receive-window

Configuring Multi-Logon

Multi-logon function allows a user to log on and be authenticated on different hosts
simultaneously. This function is enabled by default. To enable or disable multi-logon, in the L2TP
instance configuration mode, use the following commands:

• Enable: allow-multi-logon

• Disable: no allow-multi-logon

Enabling/Disabling User-Specified Client IP

By default the client IP is selected from the address pool, and allocated by LNS automatically. If
this function is enabled, you can specify an IP address. However, this IP address must belong to
the specified address pool, and be consistent with the username and role. If the specified IP is
already in use, the system will not allow the user to log on. To enable or disable user-specified
client IP, in the L2TP instance configuration mode, use the following commands:

• Enable (default): accept-client-ip

• Disable: no accept-client-ip
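The allocation order from "Configuring IP Binding Rules" combined with the user-specified client IP check above, as an added example (not StoneOS code): a small Python model of an L2TP address pool with address, exclude-address, ip-binding and move. Refusing the login when the first matching role range is exhausted is an assumption, and the pool ranges, usernames and roles are constructed.

```python
"""LNS address-pool allocation, as an added example (not StoneOS code).

It models the checking order documented under "Configuring IP Binding Rules"
(static ip-binding first, then role-IP binding rules in their move order,
otherwise the login is refused) together with the accept-client-ip rule
(a requested address must lie in the pool, agree with the user's binding and
be free). Pool ranges, usernames and roles below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


def _ip_range(start, end):
    """Expand an inclusive start-ip/end-ip pair into a set of IPv4Address."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if b < a:
        raise ValueError(f"end-ip {end} precedes start-ip {start}")
    return {ipaddress.IPv4Address(int(a) + i) for i in range(int(b) - int(a) + 1)}


@dataclass
class L2tpPool:
    name: str
    addresses: set = field(default_factory=set)     # `address start-ip end-ip`
    excluded: set = field(default_factory=set)      # `exclude-address start-ip end-ip`
    static: dict = field(default_factory=dict)      # `ip-binding user`: user -> address
    role_rules: list = field(default_factory=list)  # `ip-binding role`: ordered (role, set)
    in_use: dict = field(default_factory=dict)      # address -> user currently holding it

    def address(self, start, end):
        self.addresses |= _ip_range(start, end)

    def exclude_address(self, start, end):
        self.excluded |= _ip_range(start, end)

    def ip_binding_user(self, user, ip):
        ip = ipaddress.IPv4Address(ip)
        if ip not in self.addresses:
            raise ValueError(f"{ip} is not an address of pool {self.name}")
        self.static[user] = ip

    def ip_binding_role(self, role, start, end):
        rng = _ip_range(start, end)
        if not rng <= self.addresses:
            raise ValueError(f"{start}-{end} is not inside pool {self.name}")
        others = [r for r in self.role_rules if r[0] != role]
        # The Notes above: static and role-IP binding addresses must not overlap.
        if rng & set(self.static.values()) or any(rng & r for _, r in others):
            raise ValueError("binding IP ranges must not overlap")
        self.role_rules = others + [(role, rng)]  # a new rule goes to the bottom

    def move(self, role, where, ref=None):
        """move role-name1 { before role-name2 | after role-name2 | top | bottom }"""
        rule = next(r for r in self.role_rules if r[0] == role)
        rest = [r for r in self.role_rules if r[0] != role]
        if where == "top":
            index = 0
        elif where == "bottom":
            index = len(rest)
        else:
            index = next(i for i, r in enumerate(rest) if r[0] == ref)
            index += 1 if where == "after" else 0
        rest.insert(index, rule)
        self.role_rules = rest

    def _available(self, ip):
        return ip in self.addresses and ip not in self.excluded and ip not in self.in_use

    def allocate(self, user, roles, requested_ip=None, accept_client_ip=True):
        """Return the address assigned to `user` as a string, or None when the LNS
        refu the login."""
        if user in self.static:
            # Step 1: a static binding decides; a busy bound address blocks the login.
            chosen = self.static[user]
            if chosen in self.in_use:
                return None
            consistent = {chosen}
        else:
            # Step 2: role-IP rules are queried in order and the first rule for one
            # of the user's roles decides. Behaviour on an exhausted range is not
            # documented on the page; this model refuses the login (assumption).
            match = next((rng for role, rng in self.role_rules if role in roles), None)
            if match is None:
                return None
            consistent = match
            free = sorted(ip for ip in match if self._available(ip))
            if not free:
                return None
            chosen = free[0]
        if requested_ip is not None and accept_client_ip:
            wanted = ipaddress.IPv4Address(requested_ip)
            # Must be in the pool, agree with the user's binding, and not be in use.
            if wanted not in consistent or not self._available(wanted):
                return None
            chosen = wanted
        self.in_use[chosen] = user
        return str(chosen)

    def release(self, user):
        """Free the addresses held by `user`, e.g. after the tunnel is torn down."""
        self.in_use = {ip: u for ip, u in self.in_use.items() if u != user}
```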

Specifying the Retry Times of Control Packets

L2TP uses two types of packets: control packets and data packets. The control packets are
responsible for establishing, maintaining and clearing the L2TP tunnel, while the data packets are
responsible for transmitting data. The transmission of data packets is not reliable: lost data is
not retransmitted. The transmission of control packets is reliable: a control packet is
retransmitted until a response arrives, and if no response is received from the peer after the
specified retry times, the system determines that the tunnel connection is disconnected. The
interval between retransmissions of a control packet starts at 1 second and doubles each time,
i.e., 1 second, 2 seconds, 4 seconds, 8 seconds, 16 seconds…
To specify the retry times of control packets, in the L2TP instance configuration mode, use the
following command:
transmit-retry times

• times – Specifies the retry times of control packets. The value range is 1 to 10 times. The
default value is 5.

To restore to the default value, in the L2TP instance configuration mode, use the following com-
mand:
no transmit-retry

Referencing an IPsec Tunnel

When configuring L2TP over IPsec, you need to combine an IPsec tunnel to the L2TP tunnel in
order to encrypt data. To reference an IPsec tunnel in the L2TP instance, in the L2TP instance
configuration mode, use the following command:
next-tunnel ipsec tunnel-name

l tunnel-name – Specifies the name of the IPsec VPN tunnel defined in the system.

1520 Chapter 9 VPN


To cancel the specified IPsec tunnel, in the L2TP instance configuration mode, use the following
command:
no next-tunnel ipsec

Configuring Mandatory LCP Phase

After a remote dial-up user connects to the LAC, the LAC starts the L2TP VPN to the LNS and
establishes the tunnel. When the LNS authenticates the users, it can execute the LCP (Link Con-
trol Protocol) phase or not.
By default, the LNS does not execute the LCP phase with the L2TP client. Instead, it authen-
ticates the L2TP client based on the authentication type specified by the Proxy Authen Type
AVP in the ICCN (Incoming-Call-Connected) packets.
To configure the mandatory LCP phase between the LNS and the L2TP client, use the following
command in the L2TP instance configuration mode:
ppp-lcp-force
To disable the mandatory LCP phase, use the no ppp-lcp-force command.
When a remote dial-up user connects to the LNS directly, the ICCN packets will not carry the
Proxy Authen Type AVP. The LNS will always execute the LCP phase with the L2TP client.

Enabling/Disabling Calculating the Checksum of UDP Packet

The system can calculate the checksum of the UDP packets that carry L2TP. If you need to improve
the performance of the device, you can disable this function. To enable/disable calculating the
checksum of UDP packets, in the L2TP instance configuration mode, use the following commands:

l Enable: l2tp-udp-checksum enable

l Disable: l2tp-udp-checksum disable

Binding the L2TP Instance to a Tunnel Interface

The configured L2TP instance will not take effect until it is bound to a tunnel interface. When an
L2TP instance is bound to only one tunnel interface and you do not specify a domain name for the
L2TP tunnel (the tunnel with the L2TP instance bound), all clients that connect to a given LNS
are placed into the VR to which that LNS belongs.
You can also bind multiple tunnel interfaces to one L2TP instance and specify a domain name for
each L2TP tunnel. When clients connect to the LNS and pass authentication, the system places
each user into the L2TP tunnel whose domain name matches the user's. If the tunnel interfaces
belong to different VRs, the LNS can, through the authentication server, reuse the same internal
resource addresses for the clients of each L2TP tunnel.
Each tunnel interface can be bound to only one L2TP instance. To bind the L2TP instance to a
tunnel interface, in the tunnel interface configuration mode, use the following command:
tunnel l2tp tunnel-name [bind-to-domain domain-name]

l tunnel-name – Specifies the name of the L2TP instance defined in the system.

l bind-to-domain domain-name – Binds the domain name to the L2TP tunnel. If you bind the
domain name, usernames without the domain name cannot dial up successfully. If you do not
bind the domain name, LNS will omit the domain name of usernames when authenticating
users.

To cancel the binding and the specified domain name, in the tunnel interface configuration mode,
use the following command:
no tunnel l2tp tunnel-name
To cancel only the specified domain name, in the tunnel interface configuration mode, use the
following command:
no tunnel l2tp tunnel-name bind-to-domain domain-name
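The tunnel-selection rules above (domain-bound versus unbound tunnel interfaces, and how the domain part of a username is treated before authentication) modelled as a small function. This is an added illustration, not StoneOS code: the L2tpTunnel class, the select_tunnel function and the refusal of a username whose domain matches no bound tunnel are assumptions made here for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class L2tpTunnel:
    """A tunnel interface bound to the L2TP instance (constructed model, not StoneOS data)."""
    interface: str
    vrouter: str
    domain: Optional[str] = None   # value given with bind-to-domain, if any


def split_username(username: str) -> Tuple[str, Optional[str]]:
    """Split 'user@domain' into (user, domain); domain is None when absent."""
    user, sep, domain = username.partition("@")
    return user, (domain if sep else None)


def select_tunnel(username: str,
                  tunnels: Sequence[L2tpTunnel]) -> Tuple[Optional[L2tpTunnel], Optional[str]]:
    """Return (tunnel, name sent to the authentication server), or (None, None) if dial-up is refused."""
    user, domain = split_username(username)
    bound = [t for t in tunnels if t.domain is not None]
    if bound:
        # Domain-bound tunnels: a username without a domain cannot dial up (as the text
        # states); a username whose domain matches no tunnel is assumed to be refused too.
        if domain is None:
            return None, None
        for t in bound:
            if t.domain.lower() == domain.lower():
                return t, username
        return None, None
    # No domain binding: the single tunnel is used and the domain part is omitted
    # before authentication, so 'bob@anything' is authenticated as 'bob'.
    if not tunnels:
        return None, None
    return tunnels[0], user
```

With two tunnels bound to different domains in different VRs, a user who dials with the matching domain lands in that tunnel's VR; a user without a domain suffix is refused. With a single unbound tunnel the suffix is ignored.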

Specifying the ACF Information Carried by PPP Data

When establishing a connection with the client or LAC, you can specify whether the PPP data
messages sent by the LNS carry the ACF (Address and Control Field) information, that is, the
address and control fields of the PPP frame, when the PPP data is encapsulated. To make the PPP
data carry the ACF information, in the global configuration mode, use the following command:
l2tp-include-ppp-acf



In the global configuration mode, use the following command to cancel PPP data carrying the ACF
information:
no l2tp-include-ppp-acf

Kicking out a User

To kick out a user from the LNS connection, in the execution mode, use the following command:
exec l2tp tunnel-name kickout user user-name

l tunnel-name – Specifies the name of the L2TP instance.

l user-name – Specifies the name of the user who will be kicked out.

Restarting a Tunnel

After the tunnel is restarted, all the connections to the tunnel will be cleared. To restart a tunnel,
in any mode, use the following command:
clear l2tp tunnel-name

l tunnel-name – Specifies the name of the L2TP instance.

Viewing L2TP Information

To view the L2TP information, use the following commands:

l Show the L2TP instance information:


show tunnel l2tp [l2tp-tunnel-name]

l Show the L2TP tunnel status:


show l2tp tunnel l2tp-tunnel-name

l Show the specified client information of the L2TP instance:


show l2tp client {tunnel-name l2tp-tunnel-name [user user-name]| tunnel-id ID}



l Show the L2TP address pool configuration:
show l2tp pool [pool-name]

l Show the L2TP address pool statistics:


show l2tp pool pool-name statistics

l Show all the clients of the L2TP instance:


show auth-user l2tp [interface interface-name | vrouter vrouter-name | slot slot-no]

Configuring L2TP Client

To establish an L2TP tunnel between the L2TP client and the LNS, you need to configure an L2TP
client. For more information about L2TP on Windows 2000/2003/XP/Vista, see the corresponding
Windows 2000/2003/XP/Vista documents.

Notes: When establishing a dial-up connection to the LNS from the L2TP client on a
Windows system, make sure Hillstone Secure Defender is not installed on the system.

Configuring Device as L2TP Client


The configurations of L2TP Client include:

l Configuring a L2TP Client Instance

l Clear L2TP Client Connection

l View L2TP Client Instance Information

Configuring a L2TP Client Instance

To create an L2TP client instance, in the global configuration mode, use the following command:
tunnel l2tp-client tunnel-name



l tunnel-name – Specifies the name of the L2TP client instance.

After executing the above command, the system will create the L2TP client instance with the spe-
cified name, and enter the L2TP client instance configuration mode; if the specified name exists,
the system will directly enter the L2TP client instance configuration mode.
To delete the specified L2TP client instance, in the global configuration mode, use the following
command:
no tunnel l2tp-client tunnel-name
You can configure the following options in the L2TP client instance configuration mode:

l Specifying the Tunnel Interface

l Specifying IP Address of LNS

l Specifying Keepalive of Tunnel

l Configuring Auto Connect

l Specifying a PPP Authentication Protocol

l Specifying the LCP-echo Interval and Transmit Retries

l Specifying the User Name and Password of L2TP Client

l Specifying the Retry Times of Control Packets

Specifying the Tunnel Interface

To specify the tunnel interface bound to the L2TP VPN tunnel (the tunnel interface carries the
traffic to and from the L2TP VPN tunnel), in the L2TP client instance configuration mode, use the
following command:
interface interface-name

l interface-name – Specifies the name of tunnel interface.

To cancel the specified tunnel interface in the L2TP client instance configuration mode, use the
following command:



no interface

Specifying IP Address of LNS

To specify the IP address of the LNS server, in the L2TP client instance configuration mode, use
the following command:
lns ip ip-address

l ip-address – Specifies the IP address of the LNS server.

To cancel the specified LNS server, in the L2TP client instance configuration mode, use the fol-
lowing command:
no lns ip ip-address

Specifying Keepalive of Tunnel

To ensure normal communication between the LNS and the L2TP client, the L2TP client periodically
sends Hello packets to check whether the LNS is still reachable. Keepalive is the interval
between two consecutive Hello packets sent by the L2TP client. The smaller the value, the faster
a fault is detected; the larger the value, the less bandwidth is consumed. To specify the Hello
interval, in the L2TP client instance configuration mode, use the following command:
keepalive time

l time – Specifies the Hello interval. The value range is 60 to 1800 seconds. The default value is
60.
To restore to the default Hello interval, in the L2TP client instance configuration mode, use the
following command:
no keepalive

Configuring Auto Connect

After the auto connect function is enabled, the L2TP client and the LNS establish the tunnel
automatically, and users can access the intranet behind the LNS without performing a PPP dial-up.
To enable auto connect, in the L2TP client instance configuration mode, use the following command:
l2tp-auto-client



To disable the auto connect function, in the L2TP client instance configuration mode, use the fol-
lowing command:
no l2tp-auto-client

Specifying a PPP Authentication Protocol

When establishing a connection with the LNS, the L2TP client can adopt either PAP or CHAP
for authentication during the PPP negotiation. To specify a PPP authentication protocol, in the
L2TP client instance configuration mode, use the following command:
ppp-auth {pap | chap | any}

l pap – Uses PAP for PPP authentication.

l chap – Uses CHAP for PPP authentication. This is the default option.

l any – Uses CHAP for PPP authentication by default. If CHAP is not supported, then uses
PAP.

To restore to the default authentication configuration, in the L2TP client instance configuration
mode, use the following command:
no ppp-auth

Specifying the LCP-echo Interval and Transmit Retries

To specify the interval and retry times for sending LCP Echo packets, in the L2TP client instance
configuration mode, use the following command:
ppp-lcp-echo interval time retry times

l interval time – Specifies the interval at which LCP Echo packets are sent. The value range is
0 to 1000 seconds. The default value is 30.

l retry times – Specifies the retry times for sending LCP Echo packets. If the L2TP client has not
received any response after the specified retry times, it determines that the connection is dis-
connected. The default value is 4.

To restore to the default value, in the L2TP client instance configuration mode, use the following
command:
no ppp-lcp-echo interval time retry times

Specifying the User Name and Password of L2TP Client

The L2TP client uses the user name and password to initiate a request to the LNS for establishing
an L2TP VPN tunnel.
To specify the user name and password of the L2TP client, in the L2TP client instance configuration
mode, use the following command:
user user-name password password

l user-name – Specifies the name of the L2TP client. The value range is 1 to 31 characters.

l password – Specifies the password of the L2TP client. The value range is 4 to 63 characters.

Specifying the Retry Times of Control Packets

To specify the retry times of control packets, in the L2TP client instance configuration mode, use
the following command:
transmit-retry times

l times – Specifies the retry times of control packets. The value range is 1 to 10 times. The
default value is 5.
To restore to the default value, in the L2TP client instance configuration mode, use the following
command:
no transmit-retry

Clear L2TP Client Connection

To clear the connection of L2TP client, in any mode, use the following command:
clear l2tp-client [tunnel-name]

l tunnel-name - Specifies the name of L2TP client connection.



View L2TP Client Instance Information

To view the L2TP client information, use the following commands:

l Show the L2TP client instance information:
show tunnel l2tp-client [tunnel-name]

l Show the dialing information of the L2TP client:
show l2tp-client [tunnel-name]

Configuring L2TPv3 Tunnel


L2TPv3 (Layer Two Tunneling Protocol - Version 3) is an IP-based, high-performance tunneling
technology used to transparently transmit Layer 2 traffic.
To configure the L2TPv3 tunnel, in the global configuration mode, use the following command:
tunnel l2tpv3 tunnel-name

l tunnel-name - Specifies the name of the L2TPv3 tunnel.

To delete the specified L2TPv3 tunnel, use the following command:


no tunnel l2tpv3 tunnel-name
To configure the egress interface for the L2TPv3 tunnel, in the L2TPv3 tunnel configuration mode,
use the following command:
interface interface-name

l interface-name - Specifies the name of the egress interface for the L2TPv3 tunnel.

To delete the egress interface for the specified L2TPv3 tunnel, use the following command:
no interface
To configure the local session-id and remote session-id for interoperation between the local and
remote devices of an L2TPv3 tunnel, in the L2TPv3 tunnel configuration mode, use the following
command:
id local-session-id remote-session-id



l local-session-id - Specifies the local session-id for L2TPv3 tunnel.

l remote-session-id - Specifies the remote session-id for L2TPv3 tunnel.

All packets must match the configured cookie value or they are discarded. Cookies are used in
security checks performed at the endpoints of a tunnel to prevent network spoofing and attacks.
The local and remote cookie values must be the same.
To configure the local cookie, in the L2TPv3 tunnel configuration mode, use the following com-
mand:
cookie local {4 lower-value | 8 lower-value high-value}

l 4 lower-value - Specifies a 4-byte local cookie value in simple text.

l 8 lower-value high-value - Specifies an 8-byte local cookie value in simple text: lower-value is
the four low-order bytes and high-value the four high-order bytes.

To delete the specified local cookie, use the following command:


no cookie local
To configure the remote cookie, in the L2TPv3 tunnel configuration mode, use the following
command:
cookie remote {4 lower-value | 8 lower-value high-value}

l 4 lower-value - Specifies a 4-byte remote cookie value in simple text.

l 8 lower-value high-value - Specifies an 8-byte remote cookie value in simple text: lower-value
is the four low-order bytes and high-value the four high-order bytes.

To delete the specified remote cookie, use the following command:


no cookie remote
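How an endpoint applies the session-id and cookie check described above to an incoming data packet, as an added example that is not StoneOS or Hillstone code. It assumes the L2TPv3-over-IP data header layout of RFC 3931 (32-bit session ID, then the 4- or 8-byte cookie, then the tunnelled Layer 2 frame), assumes that an 8-byte cookie given as lower-value high-value is sent as the high-order 32 bits followed by the low-order 32 bits, and mirrors each device's local values as the peer's remote values; the L2tpv3Endpoint class, the cookie_bytes helper and all packets are constructed for the example.

```python
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple


def cookie_bytes(lower: int, high: Optional[int] = None) -> bytes:
    """Encode 'cookie ... 4 lower-value' or 'cookie ... 8 lower-value high-value' as wire bytes."""
    if high is None:
        return struct.pack("!I", lower)            # 4-byte cookie
    # 8-byte cookie: assumed to be sent as the high-order 32 bits, then the low-order 32 bits.
    return struct.pack("!II", high, lower)


@dataclass(frozen=True)
class L2tpv3Endpoint:
    """One tunnel endpoint: 'id local remote' plus 'cookie local' and 'cookie remote'."""
    local_session_id: int    # session ID we expect in packets addressed to us
    remote_session_id: int   # session ID we place in packets sent to the peer
    local_cookie: bytes      # cookie we expect in packets addressed to us
    remote_cookie: bytes     # cookie we place in packets sent to the peer

    def encapsulate(self, frame: bytes) -> bytes:
        """Build an L2TPv3-over-IP data packet for the peer (RFC 3931 layout assumed)."""
        return struct.pack("!I", self.remote_session_id) + self.remote_cookie + frame

    def decapsulate(self, packet: bytes) -> Optional[bytes]:
        """Return the tunnelled Layer 2 frame, or None when the packet must be discarded."""
        header_len = 4 + len(self.local_cookie)
        if len(packet) < header_len:
            return None                                    # truncated: cannot be validated
        (session_id,) = struct.unpack("!I", packet[:4])
        if session_id != self.local_session_id:
            return None                                    # wrong session: not ours
        # Constant-time comparison so a sender probing cookie values gets no timing signal.
        if not hmac.compare_digest(packet[4:header_len], self.local_cookie):
            return None                                    # cookie mismatch: discard
        return packet[header_len:]


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Two endpoints whose local/remote settings mirror each other, plus one forged packet."""
    # Device A: id 1001 2002, cookie local 8 0x11111111 0xAAAAAAAA,
    #           cookie remote 8 0x22222222 0xBBBBBBBB (constructed values)
    dev_a = L2tpv3Endpoint(1001, 2002,
                           cookie_bytes(0x11111111, 0xAAAAAAAA),
                           cookie_bytes(0x22222222, 0xBBBBBBBB))
    # Device B: id 2002 1001, with A's remote values as its local values and vice versa
    dev_b = L2tpv3Endpoint(2002, 1001,
                           cookie_bytes(0x22222222, 0xBBBBBBBB),
                           cookie_bytes(0x11111111, 0xAAAAAAAA))
    # Constructed Ethernet frame: dst MAC, src MAC, EtherType 0x0800, payload
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + b"payload"
    accepted = dev_b.decapsulate(dev_a.encapsulate(frame))
    # Forged packet: correct session ID for B but a cookie the forger does not know
    forged = struct.pack("!I", 2002) + cookie_bytes(0, 0) + frame
    rejected = dev_b.decapsulate(forged)
    return accepted, rejected
```

The session ID alone is guessable (it is small and sequential on many implementations), which is why the cookie check is what actually defends the endpoint against injected frames; a packet that fails either check yields nothing to the Layer 2 side.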
To configure the destination IP address of the L2TPv3 tunnel, in the L2TPv3 tunnel configuration
mode, use the following command:
destination ip-address

l ip-address - Specifies the destination IP address of the L2TPv3 tunnel.

To delete the specified destination IP address, use the following command:
no destination
To configure the zone of the L2TPv3 tunnel, in the L2TPv3 tunnel configuration mode, use the
following command:
zone zone

l zone - Specifies the name of the zone of the L2TPv3 tunnel.

To delete the specified zone, use the following command:


no zone
To bind tunnel interface for L2TPv3 tunnel, in the tunnel interface configuration mode, use the
following command:
tunnel l2tpv3 tunnel-name [filter ipv6]

l tunnel-name - Specifies the name of L2TPv3 tunnel.

l filter ipv6 - Configure IPv6 packet filtering for the L2TPv3 tunnel.

To cancel the configuration of binding tunnel interface for L2TPv3 tunnel, use the following com-
mand:
no tunnel l2tpv3 tunnel-name
To view L2TPv3 tunnel information, in the tunnel interface configuration mode, use the fol-
lowing command:
show tunnel l2tpv3 tunnel-name

Example of Configuring L2TP


This section describes a typical L2TP configuration example.

Requirement

A remote employee needs to visit the Intranet of the headquarters via L2TP VPN. The network
topology is shown as below:



Configuration Steps

Configure LNS and L2TP client respectively.

Configurations on LNS

Step 1 : Configure interfaces

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 58.31.46.207/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone trust

hostname(config-if-eth0/2)# ip address 10.110.0.190/24

hostname(config-if-eth0/2)# exit

hostname(config)#

Step 2 : Configure a local AAA server

hostname(config)# aaa-server local

hostname(config-aaa-server)# user shanghai

hostname(config-user)# password 123456

hostname(config-user)# exit

hostname(config-aaa-server)# exit

hostname(config)#

Step 3 : Configure the LNS address pool and specify the IP range

hostname(config)# l2tp pool pool1

hostname(config-l2tp-pool)# address 10.232.241.2 10.232.244.254

hostname(config-l2tp-pool)# dns 202.106.0.20 10.188.7.10

hostname(config-l2tp-pool)# exit

hostname(config)#

Step 4 : Configure a L2TP instance

hostname(config)# tunnel l2tp test

hostname(config-tunnel-l2tp)# pool pool1

hostname(config-tunnel-l2tp)# interface ethernet0/1

hostname(config-tunnel-l2tp)# ppp-auth any

hostname(config-tunnel-l2tp)# keepalive 1800

hostname(config-tunnel-l2tp)# aaa-server local

hostname(config-tunnel-l2tp)# exit

hostname(config)#

Step 5 : Create a tunnel interface and bind the L2TP instance named test to the interface

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone untrust

hostname(config-if-tun1)# ip address 10.232.241.1 255.255.248.0

hostname(config-if-tun1)# manage ping

hostname(config-if-tun1)# tunnel l2tp test

hostname(config-if-tun1)# exit

hostname(config)#

Step 6 : Configure a policy rule

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

Configurations on the Client

The following sections describe how to configure the client in a Windows XP system. The con-
figuration steps are:

1. Create a L2TP dial-up connection.

2. Configure the dial-up connection and modify the properties.

3. Modify the registry to disable IPsec encryption.



Creating a L2TP Dial-up Connection

To create a L2TP connection on Windows XP, take the following steps:

1. Click Start > Control Panel > Network Connections.

2. Click Create a new connection > Connect to the network at my workplace, and click Next.

3. In the New Connection Wizard dialog, click Virtual Private Network Connection, and click
Next.

4. Type L2TP into the Company Name box, and click Next.

5. Select Do not dial the initial connection, and click Next.

6. Type the LNS IP address 58.31.46.207 into the Host name or IP address box, and click
Next.

7. Complete other L2TP client configurations as prompted.

Configuring L2TP Dial-up Connection

To modify the properties of the dial-up connection, take the following steps:



1. In My Network Places, double click the connection named L2TP.

2. In the Connect L2TP dialog shown below, click Properties.

3. In the L2TP Properties dialog, click the Security tab, and click Advanced (custom settings).
Click Settings behind.

4. In the Advanced Security Settings dialog, select Optional encryption (connect even if no
encryption) from the Data encryption drop-down list, click Allow these protocols in the
Logon security box, and select Unencrypted password (PAP) and Challenge Handshake
Authentication Protocol (CHAP), as shown below:



5. In the L2TP Properties dialog, click the Network tab. Select L2TP IPsec VPN from the
Type of VPN drop-down list, and select Internet Protocol (TCP/IP) in the This connection
uses the following items box, as shown below:

6. Click OK to save the changes.

Modifying the Registry

By default Windows XP enables IPsec encryption on the L2TP connection. You can disable the
default action by modifying the Windows XP registry. If IPsec encryption is not disabled, the
L2TP client will be disconnected automatically during dialing up.
To modify the registry, take the following steps:

1. Click Start > Run, and type Regedt32 into the Open box.

2. In the Registry Editor dialog, navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters.



3. Add a DWORD value for Parameters. Click Parameters, and right-click any blank place in
the right pane. From the menu, click New > DWORD value, as shown below. Specify the
name as ProhibitIPsec, type as REG_DWORD, and value as 1. Click OK to save the set-
tings.

4. Exit the registry editor and restart the system to make the modification take effect.

Connecting to LNS from the Client

After the above LNS and client configuration, you can initiate a VPN connection to LNS and
establish a tunnel from the client.
In My Network Places, double click the dial-up connection named L2TP. In the Connect L2TP
dialog, type shanghai and 123456 into the User name and Password boxes respectively, and click
Connect, as shown below.



After the dial-up connection has been established, the employee in Shanghai can gain access to
the Web server and FTP server in the Intranet securely over L2TP.
In MS-DOS, the command ipconfig will return the address 10.232.241.215 from the LNS address
pool, i.e., the IP address allocated to the PC by the LNS.

Example of Configuring L2TP over IPsec


This section describes a typical L2TP over IPsec configuration example.

Requirement

An employee needs to visit the Web server in the Intranet via L2TP VPN. Data transmission
between the PC and LNS is encrypted by IPsec. The network topology is shown below.



Configuration Steps

Configure LNS and L2TP client respectively.

Configurations on LNS

Step 1: Configure interfaces

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone trust

hostname(config-if-eth0/2)# ip address 10.110.0.190/24

hostname(config-if-eth0/2)# exit

hostname(config)# interface ethernet0/3

hostname(config-if-eth0/3)# zone untrust

hostname(config-if-eth0/3)# ip address 192.168.1.1/24

hostname(config-if-eth0/3)# exit

hostname(config)#

Step 2: Configure IPsec VPN

hostname(config)# isakmp proposal p1

hostname(config-isakmp-proposal)# authentication pre-share

hostname(config-isakmp-proposal)# hash sha

hostname(config-isakmp-proposal)# exit

hostname(config)# ipsec proposal p2

hostname(config-ipsec-proposal)# protocol esp

hostname(config-ipsec-proposal)# hash sha

hostname(config-ipsec-proposal)# encryption 3des

hostname(config-ipsec-proposal)# exit

hostname(config)# isakmp peer east

hostname(config-isakmp-peer)# interface ethernet0/3

hostname(config-isakmp-peer)# type usergroup

hostname(config-isakmp-peer)# accept-all-peer-id

hostname(config-isakmp-peer)# mode main

hostname(config-isakmp-peer)# isakmp-proposal p1

hostname(config-isakmp-peer)# pre-share hello1

hostname(config-isakmp-peer)# aaa-server local

hostname(config-isakmp-peer)# exit

hostname(config)# tunnel ipsec vpn1 auto

hostname(config-tunnel-ipsec-auto)# mode transport

hostname(config-tunnel-ipsec-auto)# isakmp-peer east

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# accept-all-proxy-id

hostname(config-tunnel-ipsec-auto)# exit

hostname(config)#

Step 3: Configure a local AAA server

hostname(config)# aaa-server test type local

hostname(config-aaa-server)# user shanghai

hostname(config-user)# password 123456

hostname(config-user)# exit

hostname(config-aaa-server)# exit

hostname(config)#

Step 4: Configure the LNS address pool and specify the IP range

hostname(config)# l2tp pool pool2

hostname(config-l2tp-pool)# address 10.10.10.2 10.10.10.100

hostname(config-l2tp-pool)# dns 202.106.0.20

hostname(config-l2tp-pool)# exit

hostname(config)#

Step 5: Configure a L2TP instance and reference an IPsec tunnel

hostname(config)# tunnel l2tp l2tp1

hostname(config-tunnel-l2tp)# pool pool2

hostname(config-tunnel-l2tp)# interface ethernet0/3

hostname(config-tunnel-l2tp)# next-tunnel ipsec vpn1

hostname(config-tunnel-l2tp)# ppp-auth chap

hostname(config-tunnel-l2tp)# keepalive 1800

hostname(config-tunnel-l2tp)# aaa-server test

hostname(config-tunnel-l2tp)# exit

hostname(config)#

Step 6: Create a tunnel interface and bind the L2TP instance named l2tp1 to the interface

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone dmz

hostname(config-if-tun1)# ip address 10.10.10.1/24

hostname(config-if-tun1)# manage ping

hostname(config-if-tun1)# tunnel l2tp l2tp1

hostname(config-if-tun1)# exit

hostname(config)#



Step 7: Configure a policy rule

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone dmz

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config-policy)# exit

hostname(config)#

Configurations on the Client

The following sections describe how to configure the client in a Windows XP system. The con-
figuration steps are:

1. Create a L2TP dial-up connection.

2. Configure the dial-up connection and modify the properties.

3. Modify the registry to enable IPsec encryption.

Creating L2TP Dial-up Connection

To create a L2TP connection on Windows XP, take the following steps:

1. Click Start > Control Panel > Network Connections.

2. Click Create a new connection > Connect to the network at my workplace, and click Next.



3. In the New Connection Wizard dialog, click Virtual Private Network Connection, and click
Next.

4. Type L2TP over IPsec into the Company Name box, and click Next.

5. Select Do not dial the initial connection, and click Next.

6. Type the LNS IP address 192.168.1.1 into the Host name or IP address box, and click
Next.

7. Complete other L2TP client configurations as prompted.

Configuring the L2TP Dial-up Connection

To modify the properties of the dial-up connection, take the following steps:

1. In My Network Places, double click the connection named L2TP over IPsec.

2. In the Connect L2TP over IPsec dialog, click Properties.

3. Click tabs to configure properties, as described below:

• Security:

l Click Advanced (custom settings), and then click Settings behind. In the Advanced
Security Settings dialog, select Optional encryption (connect even if no encryption)
from the Data encryption drop-down list, click Allow these protocols in the Logon
security box, and select Unencrypted password (PAP) and Challenge Handshake
Authentication Protocol (CHAP). Click OK to save the settings.

l Click IPsec settings. In the IPsec Settings dialog, select Use pre-shared key for
authentication, and type hello1 into the Key box. Click OK to save the changes.

• Network:

l Select L2TP IPsec VPN from the Type of VPN drop-down list, and select Internet
Protocol (TCP/IP) in the This connection uses the following items box.



4. Click OK to save the changes and close the dialog.

Enabling IPsec Encryption

By default Windows XP enables IPsec encryption on the L2TP connection. If disabled, you can
re-enable the default action by modifying the Windows XP registry.
To modify the registry, take the following steps:

1. Click Start > Run, and type Regedt32 into the Open box.

2. In the Registry Editor dialog, navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters.

3. Add a DWORD value for Parameters. Click Parameters, and right click any blank place in
the right pane. From the menu, click New > DWORD value. Specify the name as Pro-
hibitIPsec, type as REG_DWORD, and value as 0. Click OK to save the settings.

4. Exit the registry editor and restart the system to make the modification take effect.

Connecting LNS from the Client

After the above LNS and client configuration, you can initiate a VPN connection to LNS and
establish a tunnel from the client.
In My Network Places, double click the dial-up connection named L2TP over IPsec. In the Con-
nect L2TP over IPsec dialog, type shanghai and 123456 into the User name and Password boxes
respectively, and click Connect. After the dial-up connection has been established, the employee
in Shanghai can gain access to the Web server in the Intranet securely over L2TP.

VXLAN

Overview
Virtual extensible local area network (VXLAN) is a tunnel encapsulation technology for large Layer
2 network expansion over NVO3 that uses MAC-in-UDP encapsulation. VXLAN uses a 24-bit
network segment ID, called the VXLAN network identifier (VNI), to identify users. The VNI is
similar to a VLAN ID and supports a maximum of 16M [(2^24 - 1)/1024^2] VXLAN segments.
VXLAN uses MAC-in-UDP encapsulation to extend Layer 2 networks so that services are not
interrupted during VM migration, where the IP address of the VM must remain unchanged.
VXLAN uses VTEP (VXLAN Tunnel Endpoint) equipment to encapsulate and decapsulate
VXLAN packets, including ARP request packets and normal VXLAN data packets. The VTEP encap-
sulates the original Ethernet frame in VXLAN and sends it to the peer VTEP device. The
peer VTEP device decapsulates the VXLAN packet after receiving it, and then forwards it accord-
ing to the original MAC address. The VTEP can be a physical switch, a physical server, or other
VXLAN-enabled hardware or software.
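The encapsulation and decapsulation steps performed by a VTEP, as an added example that is not Hillstone code. It assumes the 8-byte VXLAN header of RFC 7348 (a flags byte whose I bit marks the VNI as valid, 24 reserved bits, the 24-bit VNI and 8 reserved bits) carried in a UDP payload, and a toy forwarding table keyed by (VNI, destination MAC); build_vxlan_header, parse_vxlan, forward and the traffic in demo are constructed here.

```python
import struct
from typing import Dict, Optional, Tuple

VXLAN_FLAG_I = 0x08                 # "I" bit: the VNI field is valid
MAX_VNI = (1 << 24) - 1             # 16777215, the 24-bit limit quoted above


def build_vxlan_header(vni: int) -> bytes:
    """Encapsulation side of a VTEP: flags, three reserved bytes, then VNI in the top 24 bits."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!BBBBI", VXLAN_FLAG_I, 0, 0, 0, vni << 8)


def encapsulate(vni: int, frame: bytes) -> bytes:
    """MAC-in-UDP: the original Ethernet frame becomes the payload after the VXLAN header."""
    return build_vxlan_header(vni) + frame


def parse_vxlan(udp_payload: bytes) -> Optional[Tuple[int, bytes]]:
    """Decapsulation side: return (vni, inner_frame) or None if the packet must be dropped."""
    if len(udp_payload) < 8 + 14:
        return None                          # need the header and at least an Ethernet header
    flags, _r1, _r2, _r3, vni_field = struct.unpack("!BBBBI", udp_payload[:8])
    if not flags & VXLAN_FLAG_I:
        return None                          # I bit clear: no valid VNI, drop
    # Reserved bits are ignored on receipt (RFC 7348); the VNI is the top 24 bits of the last word.
    return vni_field >> 8, udp_payload[8:]


def forward(udp_payload: bytes, fdb: Dict[Tuple[int, bytes], str]) -> str:
    """Choose the egress for a received VXLAN packet from a (VNI, destination MAC) table.

    The decision is made on the ORIGINAL inner MAC, scoped by VNI, so identical MACs in
    different segments never collide; unknown destinations are flooded inside their VNI only.
    """
    parsed = parse_vxlan(udp_payload)
    if parsed is None:
        return "drop"
    vni, frame = parsed
    dst_mac = frame[0:6]
    return fdb.get((vni, dst_mac), f"flood:vni{vni}")


def mac(text: str) -> bytes:
    """Helper: 'aa:bb:cc:dd:ee:ff' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))


def demo() -> Tuple[str, str, str]:
    """Constructed traffic: known host, unknown host in another VNI, malformed header."""
    fdb = {(100, mac("00:11:22:33:44:55")): "ethernet0/2"}   # toy forwarding table
    frame = mac("00:11:22:33:44:55") + mac("66:77:88:99:aa:bb") + b"\x08\x00" + b"data"
    known = forward(encapsulate(100, frame), fdb)
    unknown = forward(encapsulate(200, frame), fdb)
    bad = forward(b"\x00" + encapsulate(100, frame)[1:], fdb)   # I bit cleared
    return known, unknown, bad
```

Because the VNI is part of the forwarding key, a frame received in VNI 200 never reaches a port learned in VNI 100 even when the inner MAC addresses are identical, which is the segment isolation the VNI provides.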

Creating VXLAN Static Tunnel


To create a VXLAN static tunnel and enter the VXLAN tunnel configuration mode, in the global
configuration mode, use the following command:
tunnel vxlan name

l name - Specifies the name of the VXLAN static tunnel that will be created.

To delete the specified VXLAN static tunnel, in the global configuration mode, use the
command no tunnel vxlan name.
To configure the destination VTEP IP address of the VXLAN static tunnel, in the VXLAN tun-
nel configuration mode, use the following command:
destination ipv4-address

l ipv4-address - Specifies the destination VTEP IP address of the VXLAN static tunnel.

To delete the destination VTEP IP address of the VXLAN static tunnel, in the VXLAN tunnel
configuration mode, use the command no destination.
To configure the ID (global network identity) of the VXLAN static tunnel, in the VXLAN tun-
nel configuration mode, use the following command:
vni id

l id - Specifies the ID (global network identity) of the VXLAN static tunnel. The value range
is 1 to 16777215.

To delete the ID of the VXLAN static tunnel, in the VXLAN tunnel configuration mode, use the
command no vni.
To configure the egress interface of the VXLAN static tunnel, in the VXLAN tunnel con-
figuration mode, use the following command:
interface interface-name

l interface-name - Specifies the egress interface of the VXLAN static tunnel.

To delete the egress interface of the VXLAN static tunnel, in the VXLAN tunnel configuration
mode, use the command no interface.
To bind the Layer 2 zone for the VXLAN static tunnel, in the tunnel interface configuration mode,
use the following command:
zone l2-zone

l l2-zone - Specifies the name of the Layer 2 zone for the VXLAN tunnel.

To delete the Layer 2 zone for the VXLAN static tunnel, in the tunnel interface configuration
mode, use the command no zone l2-zone.

Viewing VXLAN Configuration

l To view the configuration of the VXLAN static tunnel:


show tunnel vxlan name
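The following is an added worked example, not taken from the original guide, that strings the commands above together to build a static tunnel to one remote VTEP and then verify it. The tunnel name, VTEP address, VNI and interface name are illustrative assumptions, as is the use of configure and exit to enter and leave configuration modes; lines beginning with # are annotations, not CLI input.

```stoneos
# Added example, not from the original guide. Lines starting with "#" are
# annotations. Assumed: "configure" enters global configuration mode and
# "exit" returns to the parent mode; name, address, VNI and interface are
# illustrative (203.0.113.20 is a documentation address).
configure
tunnel vxlan dc2-tenant-a
  # Remote VTEP that terminates this static tunnel.
  destination 203.0.113.20
  # 24-bit VNI (1-16777215); both VTEPs must use the same value.
  vni 10100
  # Local egress interface the encapsulated traffic leaves through.
  interface ethernet0/1
exit
exit
# Back in execution mode: confirm destination, VNI and egress interface.
show tunnel vxlan dc2-tenant-a
```

VXLAN encapsulation itself (RFC 7348) carries no authentication or encryption, so the VNI is a segmentation label rather than a security boundary: restrict which peers may deliver VXLAN traffic to the egress interface, or run the tunnel inside IPsec when the underlay between the VTEPs is not trusted. Zone binding (the zone l2-zone command) is done separately in the tunnel interface configuration mode and is not shown here.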



Chapter 10 Zero Trust Network Access (ZTNA)

Introduction
Compared with the traditional VPN access mode, which allows an authorized user to access any
resources on the internal network, ZTNA (Zero Trust Network Access) starts with a default deny
posture of zero trust on any entities, whether outside or inside the enterprise network perimeter.
It grants controlled and least-privilege access to resources after assessment of user identity, device
identity and other context-aware attributes, such as access time. It allows users to securely access
private applications across clouds and data centers from any location and device.
The Hillstone ZTNA solution controls user access based on user identity, device identity and
access time, and grants access only to specific applications according to adaptive, granular
policies. By continuously monitoring state changes on access endpoints, it adjusts the granted
access range. The ZTNA login process is as follows:

1. The ZTNA user enters the server address, port number, user name and password on the client to
request authentication, followed by two-step verification if it is configured.

2. The ZTNA server allocates a private IP address to the authenticated user and delivers the
endpoint information collection script.

3. The ZTNA client executes the script to collect endpoint information, such as OS version,
firewall and anti-virus software status, IE security level and running processes, and reports it
to the ZTNA server.

4. The ZTNA server parses the endpoint information to obtain the endpoint tag and sends the user
name, with the endpoint tag appended, to the authentication module.

5. The authentication module creates the authenticated user, attaches the endpoint tag and acquires
the user group information.



6. The ZTNA server matches the user name, user group, endpoint tag and other conditions against
ZTNA policies to determine which application resources the user can access.

7. The ZTNA client displays the ZTNA portal, which shows icons for the application resources the
user is and is not granted access to. Each icon shows the application resource name and URL
address.

ZTNA requires a license. By default the firewall is authorized for 8 concurrent users (128 on the X
series and K9180). The upper limit on the number of concurrent online ZTNA users depends on the
hardware platform. To support more users, consult your local agent to purchase a ZTNA license.
For more information about the license, refer to System Management > License Management.
ZTNA shares the Hillstone Secure Connect client with SSL VPN. To access ZTNA, download and
install the latest Hillstone Secure Connect client; the upgraded client supports both ZTNA and
SSL VPN access. The firewall supports ZTNA access from Windows, macOS, Linux, iOS and
Android endpoints via the corresponding clients. For information about client installation and
usage on these endpoints, refer to:

l Hillstone Secure Connect Client for Windows

l Hillstone Secure Connect Client for macOS

l Hillstone Secure Connect Client for Linux

l Hillstone Secure Connect Client for iOS

l Hillstone Secure Connect Client for Android



Configuring ZTNA Service
This section describes the following configurations about ZTNA service:

l Configuring Endpoint Tag

l Managing Endpoint Item

l Configuring Application Resource/Application Resource Group

l Configuring ZTNA Policy

l Configuring Access Address Pool

l Configuring ZTNA Instance

l Configuring Two-Step Verification

l Configuring Single Packet Authorization (SPA)

l Managing Endpoint Tag Logs

l Other Configurations

Configuring Endpoint Tag


An endpoint tag identifies user endpoint information. The system attaches an endpoint tag to a
user based on the endpoint information reported by the client. A user carrying a particular
endpoint tag is granted access only to specific resources; in this way ZTNA checks and controls
user access privileges.
An endpoint tag is composed of one or more criteria sets, and a criteria set is composed of one or
more conditions. Each endpoint tag contains at most 16 criteria sets, and each criteria set contains
at most 16 conditions. The system supports a maximum of 1024 endpoint tags, and up to 128
endpoint tags per VSYS.

l The logical relationship between criteria sets is OR: the endpoint tag is matched when the user's
endpoint information matches any criteria set contained in it.



l The logical relationship between the conditions in a criteria set is AND: the criteria set is
matched only when the user's endpoint information matches every condition it contains.

This section describes the following endpoint tag configurations:

l Creating an Endpoint Tag

l Configuring a Criteria Set

l Configuring a Condition

l Configuring a Tip

Creating an Endpoint Tag

To configure an endpoint tag and enter the endpoint tag configuration mode, in the global con-
figuration mode, use the following command:
endpoint-tag tag-name [id]

l tag-name - Specifies the endpoint tag name. The length is 1 to 95 characters. If the specified
name already exists, you enter the configuration mode of that endpoint tag directly. Each
endpoint tag name must be unique within its VSYS; endpoint tags in different VSYSs can share
the same name.

l id - Specifies the endpoint tag ID. The value ranges from 1 to 128. If the ID is not specified,
the system assigns one automatically. Each endpoint tag ID must be unique within its VSYS;
endpoint tags in different VSYSs can share the same ID.

To delete the specified endpoint tag, in the global configuration mode, use the following com-
mand:
no endpoint-tag tag-name
To change the name of an endpoint tag, in the endpoint tag configuration mode, use the following
command:



name tag-name

l tag-name - Specifies the endpoint tag's new name. The length is 1 to 95 characters.

To add description to an endpoint tag, in the endpoint tag configuration mode, use the following
command:
description description

l description - Specifies the description of the endpoint tag. The length is 1 to 255 characters.

To delete the description of an endpoint tag, in the endpoint tag configuration mode, use the fol-
lowing command:
no description

Configuring a Criteria Set

To configure a criteria set for the endpoint tag and enter the criteria set configuration mode, in the
endpoint tag configuration mode, use the following command:
criteria-set [id]

l id - Specifies the criteria set ID. The value ranges from 1 to 16. If the ID is not specified, the
system will automatically assign one. If the specified ID exists, you will enter the con-
figuration mode of this criteria set directly.

To delete the specified criteria set, in the endpoint tag configuration mode, use the following com-
mand:
no criteria-set id

Configuring a Condition

The condition of an endpoint tag is composed of the following parts:

l OS type: Windows, macOS, Linux, iOS or Android.

l Endpoint state: a string of the form "key-name operator value".



To configure a condition for the endpoint tag, in the criteria set configuration mode, use the fol-
lowing command:
criteria [id] os-type {windows | macOS | Linux | iOS | Android} key key-name operator key-value

l id - Specifies the condition ID. The value ranges from 1 to 16. If the ID is not specified, the
system will automatically assign one.

l os-type {windows | macOS | Linux | iOS | Android} - Specifies the OS type of the user
endpoint.

l key key-name operator key-value - Specifies the endpoint item to match and its expected value.
key-name is the name of the endpoint item, operator is the relational operator, and key-value is
the value of the endpoint item. For the supported items, operators and values, refer to Managing
Endpoint Items.

To delete the specified condition of an endpoint tag, in the criteria set configuration mode, use
the following command:
no criteria id

Configuring a Tip

For application resources that an end user is not allowed to access because the endpoint device
does not match an endpoint tag, configure a tip that tells the end user the reason and how to
update the endpoint device to obtain access. By default, the tip for each endpoint tag is
"Access Failed Contact your administrator".
When a ZTNA policy binds multiple endpoint tags:

l If the end user matches any of the endpoint tags and is granted access to the application
resource, no tip is displayed for that application resource on the ZTNA portal.



l If the end user is not granted access to the application resource because no endpoint tag is
matched, the tips of all bound endpoint tags are displayed for that application resource on the
ZTNA portal. If none of the bound endpoint tags has a tip configured, the default tip is
displayed.

To configure a tip to be displayed when an end user is not granted access because an endpoint tag
is not matched, in the endpoint tag configuration mode, use the following command:
tips message

l message - Specifies the tip to be displayed. The length is 1 to 511 characters. URL addresses
are supported and will be displayed as hyperlinks on the ZTNA portal.

To delete the tip, in the endpoint tag configuration mode, use the following command:
no tips

Viewing Endpoint Tag Configuration Information

To view the configuration information of the specified endpoint tag and the ZTNA policy ref-
erence count, in any mode, use the following command:
show endpoint-tag name tag-name

l tag-name - Specifies the endpoint tag name.

To view the endpoint tag configuration information that matches the specified filter conditions
and the ZTNA policy reference count and hit count of the endpoint tag, in any mode, use the fol-
lowing command.
show endpoint-tag filter {name tag-name | description description}

l name tag-name - Shows the endpoint tag configuration information that matches the specified
endpoint tag name and the ZTNA policy reference count and hit count of the endpoint tag.

l description description - Shows the endpoint tag configuration information that matches the
specified description and the ZTNA policy reference count and hit count of the endpoint tag.



To view the configuration information, the ZTNA policy reference count and hit count and
descriptions of all endpoint tags, in any mode, use the following command:
show endpoint-tag



Managing Endpoint Items
Endpoint item management covers endpoint information collection configuration, script gen-
eration and delivery, and continuous endpoint state monitoring. After a client logs in, the system
continuously monitors the endpoint state and updates the attached endpoint tag and the granted
resource access range, whether or not the client is accessing resources. The monitoring process
is as follows:

1. The client periodically collects endpoint information according to the collection script and
reports it to the ZTNA server. By default, the client collects and reports endpoint information
every 60 minutes. The interval can be changed with the ztna-endpoint-information-monitor
command.

2. The ZTNA server parses the received endpoint information and re-evaluates the endpoint tag if
the endpoint state has changed. The endpoint tag attached to the authorized user is then
updated, ZTNA policies are re-matched and the resource access range granted to the user is
updated accordingly. Existing sessions of this user are handled according to the configuration
of the session-rematch command.

Endpoint items include predefined and custom ones. Configuring custom endpoint items enables
the ZTNA server to acquire more endpoint information for granular application access control.
The system supports endpoint item management of the following operating systems:

l Windows endpoint item management

l macOS endpoint item management

l Linux endpoint item management

l iOS endpoint item management

l Android endpoint item management



Windows Endpoint Item Management

The following tables list the predefined and custom Windows endpoint items supported by the sys-
tem, with the endpoint item name (key-name), the supported operators and the accepted values.

Predefined Windows Endpoint Items

l os-version - Checks the OS version of the Windows endpoint. Operators: is, is-not. Values:
windows-7, windows-8.1, windows-10, windows-11, windows-server-2008-R2, windows-server-2012,
windows-server-2012-R2, windows-server-2016, windows-server-2019, windows-server-2022.

l anti-virus - Checks whether anti-virus software is installed, enabled and updated on the
Windows endpoint. Operators: is, is-not. Values: installed, enabled, updated.

l firewall - Checks whether a firewall is installed and enabled on the Windows endpoint.
Operators: is, is-not. Values: installed, enabled.

l anti-spyware - Checks whether anti-spyware software is installed, enabled and updated on the
Windows endpoint. Operators: is, is-not. Values: installed, enabled, updated.

l windows-update - Checks whether Windows Update is enabled on the Windows endpoint.
Operators: is, is-not. Value: enabled.

l ie-version - Checks the IE version of the Windows endpoint. Operators: =, !=, >, <, >=, <=.
Values: IE7 to IE11.

l ie-security-level - Checks the IE security level of the Windows endpoint. Operators: =, !=, >, <,
>=, <=. Values: custom-define, low, medium-low, medium, medium-high, high.

Custom Windows Endpoint Items

l process - Checks whether the specified process is running on the Windows endpoint. Operators:
exist, not-exist. Value: alias of the specified process.

l service-installed - Checks whether the specified service is installed on the Windows endpoint.
Operators: exist, not-exist. Value: alias of the specified service.

l service-running - Checks whether the specified service is running on the Windows endpoint.
Operators: exist, not-exist. Value: alias of the specified service.

l registry-key - Checks whether the specified registry key exists on the Windows endpoint.
Operators: exist, not-exist. Value: alias of the specified registry key.

l file - Checks whether the specified file exists on the Windows endpoint. Operators: exist,
not-exist. Value: alias of the specified file.

l hotfix - Checks whether the specified Windows hot fix is installed on the Windows endpoint.
Operators: exist, not-exist. Value: alias of the specified hot fix.

Configuring a Custom Windows Endpoint Item

To configure custom Windows endpoint items, you need to enter the ztna-endpoint-information-
windows-profile configuration mode by using the following command in the global configuration
mode:
ztna-endpoint-information-windows-profile

Defining Registry Key as Endpoint Item

You can configure the firewall to check whether the specified registry key exists in the Windows
endpoint.
To define the registry key item that needs to be checked, in the ztna-endpoint-information-win-
dows-profile configuration mode, use the following command:
registry-key alias alias-name value registry-key-name



l alias alias-name - Specifies the registry key's alias. The length is 1 to 31 characters.

l value registry-key-name - Specifies the actual name of registry key. The length is 1 to 255
characters.

Repeat this command to add up to 5 registry keys as endpoint items.


To delete the endpoint item configuration of the specified registry key, in the ztna-endpoint-
information-windows-profile configuration mode, use the following command:
no registry-key alias alias-name

Defining Running Process as Endpoint Item

You can configure the firewall to check whether the specified process is running in the Windows
endpoint.
To define the process item that needs to be checked, in the ztna-endpoint-information-windows-
profile configuration mode, use the following command:
process alias alias-name value process-name

l alias alias-name - Specifies the process's alias. The length is 1 to 31 characters.

l value process-name - Specifies the actual name of the process. The length is 1 to 255 char-
acters.

Repeat this command to add up to 5 running processes as endpoint items.


To delete the endpoint item configuration of the specified process, in the ztna-endpoint-inform-
ation-windows-profile configuration mode, use the following command:
no process alias alias-name

Defining Running Service as Endpoint Item

You can configure the firewall to check whether the specified service is running in the Windows
endpoint.



To define the service item that needs to be checked, in the ztna-endpoint-information-windows-
profile configuration mode, use the following command:
service-running alias alias-name value service-name

l alias alias-name - Specifies the service's alias. The length is 1 to 31 characters.

l value service-name - Specifies the actual name of the service. The length is 1 to 255 char-
acters.

Repeat this command to add up to 5 running services as endpoint items.


To delete the endpoint item configuration of the specified service, in the ztna-endpoint-inform-
ation-windows-profile configuration mode, use the following command:
no service-running alias alias-name

Defining Installed Service as Endpoint Item

You can configure the firewall to check whether the specified service is installed in the Windows
endpoint.
To define the service item that needs to be checked, in the ztna-endpoint-information-windows-
profile configuration mode, use the following command:
service-installed alias alias-name value service-name

l alias alias-name - Specifies the service's alias. The length is 1 to 31 characters.

l value service-name - Specifies the actual name of the service. The length is 1 to 255 char-
acters.

Repeat this command to add up to 5 installed services as endpoint items.


To delete the endpoint item configuration of the specified service, in the ztna-endpoint-inform-
ation-windows-profile configuration mode, use the following command:
no service-installed alias alias-name



Defining File as Endpoint Item

You can configure the firewall to check whether the specified file exists in the Windows end-
point.
To define the file item that needs to be checked, in the ztna-endpoint-information-windows-pro-
file configuration mode, use the following command:
file alias alias-name value file-name

l alias alias-name - Specifies the file's alias. The length is 1 to 31 characters.

l value file-name - Specifies the file's absolute path. The length is 1 to 255 characters.

Repeat this command to add up to 5 files as endpoint items.


To delete the endpoint item configuration of the specified file, in the ztna-endpoint-information-
windows-profile configuration mode, use the following command:
no file alias alias-name

Defining Hot Fix as Endpoint Item

You can configure the firewall to check whether the specified hot fix is installed in the Windows
endpoint.
To define the hot fix item that needs to be checked, in the ztna-endpoint-information-win-
dows-profile configuration mode, use the following command:
hotfix alias alias-name value hotfix-name

l alias alias-name - Specifies the hot fix's alias. The length is 1 to 31 characters.

l value hotfix-name - Specifies the actual name of the hot fix. The length is 1 to 255 characters.

Repeat this command to add up to 5 hot fixes as endpoint items.


To delete the endpoint item configuration of the specified hot fix, in the ztna-endpoint-inform-
ation-windows-profile configuration mode, use the following command:
no hotfix alias alias-name



Viewing Windows Endpoint Item Configuration Information

To view all predefined and custom Windows endpoint items the system supports, in any mode,
use the following command:
show ztna-endpoint-information-windows-profile
To view the configuration information of the specified Windows endpoint item, in any mode, use
the following command:
show ztna-endpoint-information-windows-profile key-name

l key-name - Specifies the Windows endpoint item name. Both the predefined and the custom
ones are supported.
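The following is an added worked example, not taken from the original guide, that ties together the commands in Creating an Endpoint Tag, Configuring a Criteria Set, Configuring a Condition and Configuring a Tip with the custom Windows endpoint items above. The custom items are defined first, because a condition references an item by its alias rather than by the raw process, service, registry key or hot fix name. The tag then uses two criteria sets so that either a compliant Windows 11 host or a compliant Windows 10 host receives it, while every condition inside a set must hold. Lines beginning with # are annotations, not CLI input; the tag name, aliases, process and service names, hot fix ID, registry path, URL, the use of configure and exit to enter and leave modes, and the quoting of multi-word strings are assumptions for illustration.

```stoneos
# Added example, not from the original guide. Lines starting with "#" are
# annotations. Assumed: "configure" enters global configuration mode, "exit"
# returns to the parent mode, multi-word strings are double-quoted, and all
# names, aliases, the hot fix ID and the registry path are illustrative.
configure
# 1. Custom Windows items: each alias is what a condition will reference.
ztna-endpoint-information-windows-profile
  process alias edr-agent value SentinelAgent.exe
  service-running alias edr-service value SentinelAgent
  hotfix alias patch-2023-01 value KB5022282
  registry-key alias disk-encryption value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
exit
# 2. The endpoint tag (ID 1) with a description and a user-facing tip.
endpoint-tag managed-windows 1
  description "Managed Windows endpoint: patched, AV and firewall on, EDR running"
  tips "Access denied: this device is not a compliant managed Windows endpoint. Install the EDR agent and run Windows Update, then reconnect. Help: https://intranet.example.com/endpoint-compliance"
  # Criteria set 1: Windows 11 hosts. Conditions are AND-ed.
  criteria-set 1
    criteria 1 os-type windows key os-version is windows-11
    criteria 2 os-type windows key anti-virus is enabled
    criteria 3 os-type windows key anti-virus is updated
    criteria 4 os-type windows key firewall is enabled
    criteria 5 os-type windows key process exist edr-agent
    criteria 6 os-type windows key service-running exist edr-service
    criteria 7 os-type windows key registry-key exist disk-encryption
  exit
  # Criteria set 2: Windows 10 hosts, same checks plus a required hot fix.
  # Criteria sets are OR-ed, so a host matching either set gets the tag.
  criteria-set 2
    criteria 1 os-type windows key os-version is windows-10
    criteria 2 os-type windows key anti-virus is enabled
    criteria 3 os-type windows key anti-virus is updated
    criteria 4 os-type windows key firewall is enabled
    criteria 5 os-type windows key process exist edr-agent
    criteria 6 os-type windows key service-running exist edr-service
    criteria 7 os-type windows key registry-key exist disk-encryption
    criteria 8 os-type windows key hotfix exist patch-2023-01
  exit
exit
exit
# 3. Verify the tag, its criteria and how many ZTNA policies reference it.
show endpoint-tag name managed-windows
```

Two points follow from the matching rules. First, os-version takes a single value with is/is-not and conditions in a set are AND-ed, so "Windows 10 or Windows 11" can only be expressed as separate criteria sets; each set must repeat the posture checks, otherwise the weaker set becomes the effective requirement for the whole tag. Second, every value a condition tests is collected and reported by the script running on the client, so an endpoint tag is a posture signal from the endpoint rather than independent proof; bind it in ZTNA policies together with user identity and two-step verification rather than as the sole gate.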

macOS Endpoint Item Management

The following tables list the predefined and custom macOS endpoint items supported by the sys-
tem, with the endpoint item name (key-name), the supported operators and the accepted values.

Predefined macOS Endpoint Items

l os-version - Checks the OS version of the macOS endpoint. Operators: is, is-not. Values:
10.13, 10.14, 10.15, 11, 12, 13.

l fileVault - Checks whether FileVault is enabled on the macOS endpoint. Operators: is, is-not.
Value: enabled.

Custom macOS Endpoint Items

l ad-domain - Checks the AD domain name of the macOS endpoint. Operators: is, is-not. Value:
alias of the specified AD domain name.

l process - Checks whether the specified process is running on the macOS endpoint. Operators:
exist, not-exist. Value: alias of the specified process.

l service-installed - Checks whether the specified service is installed on the macOS endpoint.
Operators: exist, not-exist. Value: alias of the specified service.

l service-running - Checks whether the specified service is running on the macOS endpoint.
Operators: exist, not-exist. Value: alias of the specified service.

l file - Checks whether the specified file exists on the macOS endpoint. Operators: exist,
not-exist. Value: alias of the specified file.

Configuring a Custom macOS Endpoint Item

To configure custom macOS endpoint items, you need to enter the ztna-endpoint-information-
macos-profile configuration mode by using the following command in the global configuration
mode:
ztna-endpoint-information-macos-profile

Defining AD Domain Name as Endpoint Item

You can configure the firewall to check whether the macOS endpoint is using the specified AD
domain name.
To define the AD domain name item that needs to be checked, in the ztna-endpoint-information-
macos-profile configuration mode, use the following command:
ad-domain alias alias-name value domain-name



l alias alias-name - Specifies the AD domain name's alias. The length is 1 to 31 characters.

l value domain-name - Specifies the actual name of the AD domain name. The length is 1 to
255 characters.

Only one AD domain name can be defined as the endpoint item.


To delete the endpoint item configuration of the specified AD domain name, in the ztna-end-
point-information-macos-profile configuration mode, use the following command:
no ad-domain alias alias-name

Defining Running Process as Endpoint Item

You can configure the firewall to check whether the specified process is running in the macOS
endpoint.
To define the process item that needs to be checked, in the ztna-endpoint-information-macos-pro-
file configuration mode, use the following command:
process alias alias-name value process-name

l alias alias-name - Specifies the process's alias. The length is 1 to 31 characters.

l value process-name - Specifies the actual name of the process. The length is 1 to 255 char-
acters.

Repeat this command to add up to 5 running processes as endpoint items.


To delete the endpoint item configuration of the specified process, in the ztna-endpoint-inform-
ation-macos-profile configuration mode, use the following command:
no process alias alias-name

Defining Running Service as Endpoint Item

You can configure the firewall to check whether the specified service is running in the macOS
endpoint.



To define the service item that needs to be checked, in the ztna-endpoint-information-macos-pro-
file configuration mode, use the following command:
service-running alias alias-name value service-name

l alias alias-name - Specifies the service's alias. The length is 1 to 31 characters.

l value service-name - Specifies the actual name of the service. The length is 1 to 255 char-
acters.

Repeat this command to add up to 5 running services as endpoint items.


To delete the endpoint item configuration of the specified service, in the ztna-endpoint-inform-
ation-macos-profile configuration mode, use the following command:
no service-running alias alias-name

Defining Installed Service as Endpoint Item

You can configure the firewall to check whether the specified service is installed in the macOS
endpoint.
To define the service item that needs to be checked, in the ztna-endpoint-information-macos-pro-
file configuration mode, use the following command:
service-installed alias alias-name value service-name

l alias alias-name - Specifies the service's alias. The length is 1 to 31 characters.

l value service-name - Specifies the actual name of the service. The length is 1 to 255 char-
acters.

Repeat this command to add up to 5 installed services as endpoint items.


To delete the endpoint item configuration of the specified service, in the ztna-endpoint-inform-
ation-macos-profile configuration mode, use the following command:
no service-installed alias alias-name



Defining File as Endpoint Item

You can configure the firewall to check whether the specified file exists in the macOS endpoint.
To define the file item that needs to be checked, in the ztna-endpoint-information-macos-profile
configuration mode, use the following command:
file alias alias-name value file-name

l alias alias-name - Specifies the file's alias. The length is 1 to 31 characters.

l value file-name - Specifies the file's absolute path. The length is 1 to 255 characters.

Repeat this command to add up to 5 files as endpoint items.


To delete the endpoint item configuration of the specified file, in the ztna-endpoint-information-
macos-profile configuration mode, use the following command:
no file alias alias-name

Viewing macOS Endpoint Item Configuration Information

To view all predefined and custom macOS endpoint items the system supports, in any mode, use
the following command:
show ztna-endpoint-information-macos-profile
To view the configuration information of the specified macOS endpoint item, in any mode, use
the following command:
show ztna-endpoint-information-macos-profile key-name

l key-name - Specifies the macOS endpoint item name. Both the predefined and the custom
ones are supported.

Linux Endpoint Item Management

The following tables list the predefined and custom Linux endpoint items supported by the system,
with the endpoint item name (key-name), the supported operators and the accepted values.

Predefined Linux Endpoint Items

l os-version - Checks the OS version of the Linux endpoint. Operators: is, is-not. Values:
CentOS 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5; Ubuntu 18.04, 18.10, 19.04, 19.10, 20.04,
20.10, 21.04; Ubuntu Kylin 18.04, 20.04.

Custom Linux Endpoint Items

l process - Checks whether the specified process is running on the Linux endpoint. Operators:
exist, not-exist. Value: alias of the specified process.

l service-installed - Checks whether the specified service is installed on the Linux endpoint.
Operators: exist, not-exist. Value: alias of the specified service.

l service-running - Checks whether the specified service is running on the Linux endpoint.
Operators: exist, not-exist. Value: alias of the specified service.

l file - Checks whether the specified file exists on the Linux endpoint. Operators: exist,
not-exist. Value: alias of the specified file.

Configuring a Custom Linux Endpoint Item

To configure custom Linux endpoint items, you need to enter the ztna-endpoint-information-
linux-profile configuration mode by using the following command in the global configuration
mode:
ztna-endpoint-information-linux-profile

Defining Running Process as Endpoint Item

You can configure the firewall to check whether the specified process is running in the Linux end-
point.
To define the process item that needs to be checked, in the ztna-endpoint-information-linux-pro-
file configuration mode, use the following command:
process alias alias-name value process-name



l alias alias-name - Specifies the process's alias. The length is 1 to 31 characters.

l value process-name - Specifies the actual name of the process. The length is 1 to 255 char-
acters.

Repeat this command to add up to 5 running processes as endpoint items.


To delete the endpoint item configuration of the specified process, in the ztna-endpoint-inform-
ation-linux-profile configuration mode, use the following command:
no process alias alias-name

Defining Running Service as Endpoint Item

You can configure the firewall to check whether the specified service is running in the Linux end-
point.
To define the service item that needs to be checked, in the ztna-endpoint-information-linux-pro-
file configuration mode, use the following command:
service-running alias alias-name value service-name

l alias alias-name - Specifies the service's alias. The length is 1 to 31 characters.

l value service-name - Specifies the actual name of the service. The length is 1 to 255 char-
acters.

Repeat this command to add up to 5 running services as endpoint items.


To delete the endpoint item configuration of the specified service, in the ztna-endpoint-inform-
ation-linux-profile configuration mode, use the following command:
no service-running alias alias-name

Defining Installed Service as Endpoint Item

You can configure the firewall to check whether the specified service is installed in the Linux end-
point.



To define the service item that needs to be checked, in the ztna-endpoint-information-linux-pro-
file configuration mode, use the following command:
service-installed alias alias-name value service-name

l alias alias-name - Specifies the service's alias. The length is 1 to 31 characters.

l value service-name - Specifies the actual name of the service. The length is 1 to 255 char-
acters.

Repeat this command to add up to 5 installed services as endpoint items.


To delete the endpoint item configuration of the specified service, in the ztna-endpoint-inform-
ation-linux-profile configuration mode, use the following command:
no service-installed alias alias-name

Defining File as Endpoint Item

You can configure the firewall to check whether the specified file exists in the Linux endpoint.
To define the file item that needs to be checked, in the ztna-endpoint-information-linux-profile
configuration mode, use the following command:
file alias alias-name value file-name

l alias alias-name - Specifies the file's alias. The length is 1 to 31 characters.

l value file-name - Specifies the file's absolute path. The length is 1 to 255 characters.

Repeat this command to add up to 5 files as endpoint items.


To delete the endpoint item configuration of the specified file, in the ztna-endpoint-information-
linux-profile configuration mode, use the following command:
no file alias alias-name

Viewing Linux Endpoint Item Configuration Information

To view all predefined and custom Linux endpoint items the system supports, in any mode, use
the following command:



show ztna-endpoint-information-linux-profile
To view the configuration information of the specified Linux endpoint item, in any mode, use the
following command:
show ztna-endpoint-information-linux-profile key-name

l key-name - Specifies the Linux endpoint item name. Both the predefined and the custom ones
are supported.

iOS Endpoint Item Management

The following table shows the types of predefined iOS endpoint items supported by the system.

Predefined iOS Endpoint Items

Endpoint Item Name (key-name)   Description                                   Operator      Value
os-version                      Checks the OS version of the iOS endpoint.    is, is-not    iOS 12/13/14/15/16

The following table shows the types of custom iOS endpoint items supported by the system.

Custom iOS Endpoint Items

Endpoint Item Name (key-name)   Description                                            Operator      Value
device-model                    Checks the device model of the iOS endpoint.           is, is-not    Alias of the specified device model
wifi-ssid                       Checks the connected WiFi SSID of the iOS endpoint.    is, is-not    Alias of the specified WiFi SSID
client-version                  Checks the ZTNA client version of the iOS endpoint.    is, is-not    Alias of the specified ZTNA client version

Configuring a Custom iOS Endpoint Item

To configure custom iOS endpoint items, you need to enter the ztna-endpoint-information-ios-
profile configuration mode by using the following command in the global configuration mode:
ztna-endpoint-information-ios-profile

Defining Device Model as Endpoint Item

You can configure the firewall to check the device model of the iOS endpoint.
To define the device model that needs to be checked, in the ztna-endpoint-information-ios-pro-
file configuration mode, use the following command:
device-model alias alias-name value device-model-number

l alias alias-name - Specifies the iOS device model number's alias. The length is 1 to 31 char-
acters.

l value device-model-number - Specifies the iOS device model number. The length is 1 to 255
characters.

Repeat this command to add up to 5 iOS device model numbers as endpoint items.
To delete the endpoint item configuration of the specified device model number, in the ztna-end-
point-information-ios-profile configuration mode, use the following command:



no device-model alias alias-name

Defining WiFi SSID as Endpoint Item

You can configure the firewall to check the WiFi SSID that the iOS endpoint connects.
To define the WiFi SSID item that needs to be checked, in the ztna-endpoint-information-ios-pro-
file configuration mode, use the following command:
wifi-ssid alias alias-name value wifi-ssid

l alias alias-name - Specifies the WiFi SSID's alias. The length is 1 to 31 characters.

l value wifi-ssid - Specifies the WiFi SSID. The length is 1 to 255 characters.

Repeat this command to add up to 5 WiFi SSIDs as endpoint items.


To delete the endpoint item configuration of the specified WiFi SSID, in the ztna-endpoint-
information-ios-profile configuration mode, use the following command:
no wifi-ssid alias alias-name

Defining ZTNA Client Version as Endpoint Item

You can configure the firewall to check the ZTNA client version of the iOS endpoint.
To define the ZTNA client version item that needs to be checked, in the ztna-endpoint-inform-
ation-ios-profile configuration mode, use the following command:
client-version alias-name value client-version

l client-version alias-name - Specifies the ZTNA client version's alias. The length is 1 to 31
characters.

l value client-version - Specifies the ZTNA client version. The length is 1 to 255 characters.

Repeat this command to add up to 5 ZTNA client versions as endpoint items.


To delete the endpoint item configuration of the specified ZTNA client version, in the ztna-end-
point-information-ios-profile configuration mode, use the following command:
no client-version alias-name



Viewing iOS Endpoint Item Configuration Information

To view all predefined and custom iOS endpoint items the system supports, in any mode, use the
following command:
show ztna-endpoint-information-ios-profile
To view the configuration information of the specified iOS endpoint item, in any mode, use the
following command:
show ztna-endpoint-information-ios-profile key-name

l key-name - Specifies the iOS endpoint item name. Both the predefined and the custom ones
are supported.

Android Endpoint Item Management

The following table shows the types of predefined Android endpoint items supported by the sys-
tem.

Predefined Android Endpoint Items

Endpoint Item Name (key-name)   Description                                        Operator      Value
os-version                      Checks the OS version of the Android endpoint.     is, is-not    Android 8/9/10/11/12/13

The following table shows the types of custom Android endpoint items supported by the system.



Custom Android Endpoint Items

Endpoint Item Name (key-name)   Description                                                Operator      Value
device-model                    Checks the device model of the Android endpoint.           is, is-not    Alias of the specified device model
wifi-ssid                       Checks the connected WiFi SSID of the Android endpoint.    is, is-not    Alias of the specified WiFi SSID
client-version                  Checks the ZTNA client version of the Android endpoint.    is, is-not    Alias of the specified ZTNA client version

Configuring a Custom Android Endpoint Item

To configure custom Android endpoint items, you need to enter the ztna-endpoint-information-
android-profile configuration mode by using the following command in the global configuration
mode:
ztna-endpoint-information-android-profile

Defining Device Model as Endpoint Item

You can configure the firewall to check the device model of the Android endpoint.
To define the device model that needs to be checked, in the ztna-endpoint-information-android-
profile configuration mode, use the following command:
device-model alias alias-name value device-model-number



l alias alias-name - Specifies the Android device model number's alias. The length is 1 to 31
characters.

l value device-model-number - Specifies the Android device model number. The length is 1 to
255 characters.

Repeat this command to add up to 5 Android device model numbers as endpoint items.
To delete the endpoint item configuration of the specified device model number, in the ztna-end-
point-information-android-profile configuration mode, use the following command:
no device-model alias alias-name

Defining WiFi SSID as Endpoint Item

You can configure the firewall to check the WiFi SSID that the Android endpoint connects.
To define the WiFi SSID item that needs to be checked, in the ztna-endpoint-information-
android-profile configuration mode, use the following command:
wifi-ssid alias alias-name value wifi-ssid

l alias alias-name - Specifies the WiFi SSID's alias. The length is 1 to 31 characters.

l value wifi-ssid - Specifies the WiFi SSID. The length is 1 to 255 characters.

Repeat this command to add up to 5 WiFi SSIDs as endpoint items.


To delete the endpoint item configuration of the specified WiFi SSID, in the ztna-endpoint-
information-android-profile configuration mode, use the following command:
no wifi-ssid alias alias-name

Defining ZTNA Client Version as Endpoint Item

You can configure the firewall to check the ZTNA client version of the Android endpoint.
To define the ZTNA client version item that needs to be checked, in the ztna-endpoint-inform-
ation-android-profile configuration mode, use the following command:
client-version alias-name value client-version



l client-version alias-name - Specifies the ZTNA client version's alias. The length is 1 to 31
characters.

l value client-version - Specifies the ZTNA client version. The length is 1 to 255 characters.

Repeat this command to add up to 5 ZTNA client versions as endpoint items.


To delete the endpoint item configuration of the specified ZTNA client version, in the ztna-end-
point-information-android-profile configuration mode, use the following command:
no client-version alias-name

Viewing Android Endpoint Item Configuration Information

To view all predefined and custom Android endpoint items the system supports, in any mode, use
the following command:
show ztna-endpoint-information-android-profile
To view the configuration information of the specified Android endpoint item, in any mode, use
the following command:
show ztna-endpoint-information-android-profile key-name

l key-name - Specifies the Android endpoint item name. Both the predefined and the custom
ones are supported.

Configuring the Endpoint Monitoring Period

After a user logs in successfully, the system will continuously monitor the endpoint state and
adaptively adjust the resource access range granted to the user. The system supports configuration
of the endpoint monitoring period. If endpoint information collection fails within the specified
monitoring period and the number of consecutive failures reaches the specified threshold, the sys-
tem will clear the user's endpoint tag and rematch ZTNA policies.
To configure the endpoint monitoring period, in the global configuration mode, use the following
command:
ztna-endpoint-information-monitor { [interval interval-value] [threshold threshold-value] }



l interval interval-value - Specifies the report period. The value ranges from 60 to 65535
minutes. The default value is 60.

l threshold threshold-value - Specifies the threshold for the number of consecutive failures of
endpoint information report. The value ranges from 2 to 65535. The default value is 2.

Viewing Endpoint Monitoring Configuration Information

To view endpoint monitoring configuration information, in any mode, use the following com-
mand:
show ztna-endpoint-information-monitor

Viewing Endpoint Information Database

To view endpoint information database, in any mode, use the following command:
show ztna-endpoint-information-database
Execution of this command will display the database version, supported endpoint OS and oper-
ators.
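The following is an added worked configuration, not configuration taken from this guide, that ties the Linux, iOS and Android endpoint-item commands above together with the monitoring period. It assumes the Linux profile mode is entered with ztna-endpoint-information-linux-profile (by analogy with the iOS and Android commands; the Linux entry command is documented earlier in this chapter and not repeated here), that exit returns from a sub-module configuration mode to the global configuration mode, and that the aliases, service names, file path, model identifiers, SSID and version string are placeholders chosen for illustration, not values the firewall requires. The client-version command is written as documented above, without an alias keyword. Lines beginning with # are annotations for the reader and are not CLI input.

```text
# Linux profile: a running EDR service, an installed disk-encryption package,
# and an MDM enrollment marker file (absolute path required)
ztna-endpoint-information-linux-profile
  service-running alias edr-agent value falcon-sensor
  service-installed alias disk-encryption value cryptsetup
  file alias mdm-enrolled value /etc/corp/mdm-enrolled
exit

# iOS profile: two approved device models, the corporate SSID and the
# current ZTNA client build; each alias is what a policy's endpoint tag refers to
ztna-endpoint-information-ios-profile
  device-model alias corp-iphone value iPhone14,2
  device-model alias corp-ipad value iPad13,4
  wifi-ssid alias corp-wifi value CORP-SECURE
  client-version sc-ios-current value 5.5.10
exit

# Android profile: same pattern with an Android model identifier
ztna-endpoint-information-android-profile
  device-model alias corp-android value SM-S908B
  wifi-ssid alias corp-wifi value CORP-SECURE
  client-version sc-android-current value 5.5.10
exit

# Re-collect endpoint information every 120 minutes; after 3 consecutive
# failed reports the user's endpoint tag is cleared and ZTNA policies are rematched
ztna-endpoint-information-monitor interval 120 threshold 3

# Verify: one custom item by key-name, the whole Linux profile, and the monitor
show ztna-endpoint-information-ios-profile device-model
show ztna-endpoint-information-linux-profile
show ztna-endpoint-information-monitor

# Remove a single item without touching the rest of the profile
ztna-endpoint-information-android-profile
  no wifi-ssid alias corp-wifi
exit
```

Each profile accepts at most 5 items of a given kind, so choose the checks that actually change the access decision (for example the EDR service and the MDM marker) rather than enumerating every device model in the fleet. Raising the threshold above the default of 2 tolerates one transient collection failure before access is withdrawn; the interval cannot be set below 60 minutes.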



Configuring Application Resource/Application Resource Group
Application resource refers to the applications, contents, services, etc. that users want to access.
You need to configure the address, protocol, port number and others to define an application
resource entry. Each application resource can contain up to 16 application resource entries.
Application resource group is a group of up to 16 application resources. The system supports a
maximum of 256 application resources and 64 application resource groups.
The system supports the following ways to define an application resource entry:

l Based on IP address, protocol and port number

l Based on IP range, protocol and port number

l Based on domain name, protocol and port number

Creating an Application Resource

To create an application resource and enter the application resource configuration mode, in the
global configuration mode, use the following command:
application-resource application-resource-name [id id]

l application-resource-name - Specifies the application resource's name, which is case-insensitive. The length is 1 to 95 characters. If the name already exists, you will enter the configuration mode of this application resource directly.

l id id - Specifies the application resource ID. The value ranges from 1 to 256. If the ID is not
specified, the system will automatically assign one.

To delete the specified application resource, in the global configuration mode, use the following
command:
no application-resource application-resource-name



Configuring an IP-Based Application Resource Entry

To configure an application resource entry based on the IP address, in the application resource
configuration mode, use the following command:
ip ip-address protocol {tcp | udp} port port-number [timeout timeout-value | timeoutday
timeout-value]

l ip ip-address - Specifies the application resource's IP address. IPv4/IPv6 address, IPv4
address/netmask and IPv6 address/prefix length are supported. The value range for the prefix
length of an IPv6 address is 0 to 128.

l protocol {tcp | udp} - Specifies the transmission-layer protocol type of the application
resource, TCP or UDP.

l port port-number - Specifies the port number of the application resource. The value ranges
from 1 to 65535.

l timeout timeout-value | timeoutday timeout-value - Specifies the timeout value of ZTNA ses-
sions created when an application resource is accessed. When the ZTNA session times out, it
is terminated. timeout timeout-value specifies the timeout value in seconds, which ranges
from 1 to 65535. timeoutday timeout-value specifies the timeout value in days, which ranges
from 1 to 1000. If the timeout/timeoutday parameter is not specified, the default lifetime of
TCP type ZTNA sessions is 1800s; the default lifetime of UDP type ZTNA sessions is 60s.

Notes: When only the timeout/timeoutday parameter configuration of a new IP-based
application resource entry differs from an existing one, the existing one will be
overwritten.

To delete an IP-based application resource entry, in the application resource configuration mode,
use the following command:
no ip ip-address protocol {tcp | udp} port port-number



Configuring an IP Range-Based Application Resource Entry

To configure an application resource entry based on the IP range, in the application resource con-
figuration mode, use the following command:
range min-ip max-ip protocol {tcp | udp} port port-number [timeout timeout-value | timeoutday
timeout-value]

l range min-ip max-ip - Specifies the application resource's IP range. min-ip and max-ip specify
the start IP address and end IP address respectively. A maximum of 65535 IP addresses are
allowed in an IP range.

l protocol {tcp | udp} - Specifies the transmission-layer protocol type of the application
resource, TCP or UDP.

l port port-number - Specifies the port number of the application resource. The value ranges
from 1 to 65535.

l timeout timeout-value | timeoutday timeout-value - Specifies the timeout value of ZTNA ses-
sions created when an application resource is accessed. When the ZTNA session times out, it
will be ended. timeout timeout-value specifies the timeout value in seconds, which ranges
from 1 to 65535. timeoutday timeout-value specifies the timeout value in days, which ranges
from 1 to 1000. If the timeout/timeoutday parameter is not specified, the default lifetime of
TCP type ZTNA sessions is 1800s; the default lifetime of UDP type ZTNA sessions is 60s.

Notes: When only the timeout/timeoutday parameter configuration of a new IP range-based
application resource entry differs from an existing one, the existing one will be
overwritten.

To delete an IP range-based application resource entry, in the application resource configuration
mode, use the following command:
no range min-ip max-ip protocol {tcp | udp} port port-number



Configuring a Domain Name-Based Application Resource Entry

To configure an application resource entry based on the domain name, in the application resource
configuration mode, use the following command:
domain string protocol {http | https} port port-number [timeout timeout-value | timeoutday
timeout-value]

l domain string - Specifies the domain name of the application resource. The length is 1 to 255
characters, and no label between two periods (.) may exceed 63 characters. You can set
an exact domain name or a wildcard domain name beginning with "*".

l protocol {http | https} - Specifies the application-layer protocol type of the application
resource, HTTP or HTTPS.

l port port-number - Specifies the port number of the application resource. The value ranges
from 1 to 65535.

l timeout timeout-value | timeoutday timeout-value - Specifies the timeout value of ZTNA ses-
sions created when an application resource is accessed. When the ZTNA session times out, it
is terminated. timeout timeout-value specifies the timeout value in seconds, which ranges
from 1 to 65535. timeoutday timeout-value specifies the timeout value in days, which ranges
from 1 to 1000. If the timeout/timeoutday parameter is not specified, the default lifetime of
TCP type ZTNA sessions is 1800s; the default lifetime of UDP type ZTNA sessions is 60s.

Notes: When only the timeout/timeoutday parameter configuration of a new domain
name-based application resource entry differs from an existing one, the existing one
will be overwritten.

To delete a domain name-based application resource entry, in the application resource con-
figuration mode, use the following command:
no domain string protocol {http | https} port port-number



Configuring Hyperlink for an Application Resource

On the ZTNA portal displayed after a user logs in, the user can copy the hyperlink to access an
application resource in a browser if the application resource is configured with a hyperlink; or,
the user can directly click the application resource icon to access it (make sure the link works). An
application resource without a hyperlink configured will not be displayed on the ZTNA portal.
The portal page displays the application resources that the user is granted access to and those the
user is not yet granted access to. For the latter, the user can attempt to acquire the access
privilege by adjusting the access terminal configurations. The application resources that the user is
denied from accessing will not be displayed on the portal page. If a user is denied from accessing
any application resources, the portal page displays a message indicating that no Web resources are
available to the user. After the portal page is closed, the user can click the "Application Resource
List" option in the Secure Connect client menu to display the latest ZTNA portal page.
To configure a hyperlink, in the application resource configuration mode, use the following com-
mand:
hyperlink hyperlink

l hyperlink - Specifies the hyperlink. The length is 1 to 2047 characters. If the specified hyper-
link does not contain a protocol type, the default HTTP protocol will be used.

To delete the hyperlink, in the application resource configuration mode, use the following com-
mand:
no hyperlink

Configuring Description for an Application Resource

To add description to an application resource, in the application resource configuration mode, use
the following command:
description description



l description - Specifies the application resource description. The length is 1 to 255 characters.
When the application resource is already configured with description, it will be overwritten by
the new description.

To delete the application resource description, in the application resource configuration mode,
use the following command:
no description

Renaming an Application Resource

To change the application resource name, in the application resource configuration mode, use the
following command:
rename application-resource-name

l application-resource-name - Specifies the new name of the application resource, which is case-
insensitive. The length is 1 to 95 characters.

Or, you can use the following command in the global configuration mode to rename an application
resource:
rename application-resource original-application-resource-name new-application-resource-name

l original-application-resource-name - Specifies the original name of the application resource.

l new-application-resource-name - Specifies the new name of the application resource, which is


case-insensitive. The length is 1 to 95 characters.

Viewing Application Resource Configuration Information

To view the configuration information of the specified application resource, in any mode, use the
following command:
show application-resource {name application-resource-name | id id}

l name application-resource-name | id id - Specifies the application resource name or ID.



To view the configuration information of all application resources, in any mode, use the following
command:
show application-resource

Viewing Application Resource Configuration Information According to Filter Conditions

To view application resource configuration information that matches the specified filter con-
ditions, in any mode, use the following command:
show application-resource filter { [name application-resource-name] [ip ip-address] [domain
string] [protocol {udp | tcp | http | https} ] [port port-number] [description description] [hyper-
link hyperlink ] }

l name application-resource-name - Shows the application resource configuration information
matching the specified application resource name. Partial match and full match are supported.

l ip ip-address - Shows the application resource configuration information matching the spe-
cified IP address. IPv4/IPv6 address, IPv4 address/netmask and IPv6 address/prefix length
are supported.

l domain string - Shows application resource configuration information matching the specified
domain name. Partial match and full match are supported.

l protocol {udp | tcp | http | https} - Shows the application resource configuration inform-
ation matching the specified protocol. When you filter for application resources defined based
on IP address, the supported protocol types are UDP and TCP; when you filter for applic-
ation resources defined based on domain name, the supported protocol types are HTTP and
HTTPS.

l port port-number - Shows the application resource configuration information matching the
specified port number.



l description description - Shows the application resource configuration information matching
the specified description. Partial match and full match are supported.

l hyperlink hyperlink - Shows the application resource configuration information matching the
specified hyperlink. Partial match and full match are supported.

Viewing Reference Information of an Application Resource

Whether user traffic hitting a ZTNA policy is granted or denied access to the application resource
referenced by the policy is decided by the policy's action.
To view the reference information of the specified application resource, in any mode, use the fol-
lowing command:
show reference application-resource application-resource-name

l application-resource-name - Specifies the application resource name.

Creating an Application Resource Group

An application resource group is composed of one or multiple application resource members. To
create an application resource group and enter the application resource group configuration mode,
in the global configuration mode, use the following command:
application-resource-group application-resource-group-name [id id]

l application-resource-group-name - Specifies the application resource group name, which is
case-insensitive. The length is 1 to 95 characters. If the specified name exists, you will enter
the configuration mode of this application resource group.

l id id - Specifies the application resource group ID. The value ranges from 1 to 64. If the ID is
not specified, the system will automatically assign one.

To delete the specified application resource group, in the global configuration mode, use the fol-
lowing command:
no application-resource-group group-name



Adding Members to an Application Resource Group

A maximum of 16 application resources can be added to a group.


To configure a member for the specified application resource group, in the application resource
group configuration mode, use the following command:
application-resource application-resource-name

l application-resource-name - Specifies the name of an existing application resource.

To delete the specified member from the application resource group, in the application resource
group configuration mode, use the following command:
no application-resource application-resource-name

Configuring Description for an Application Resource Group

To configure description for an application resource group, in the application resource group con-
figuration mode, use the following command:
description description

l description - Specifies the application resource group description. The length is 1 to 255 char-
acters. When the application resource group is already configured with description, it will be
overwritten by the new description.

To delete the application resource group description, in the application resource group con-
figuration mode, use the following command:
no description

Renaming an Application Resource Group

To change the application resource group name, in the application resource group configuration
mode, use the following command:
rename application-resource-group-name



l application-resource-group-name - Specifies the new name of the application resource group,
which is case-insensitive. The length is 1 to 95 characters.

Or, you can use the following command in the global configuration mode to rename an application
resource group:
rename application-resource-group original-application-resource-group-name new-application-
resource-group-name

l original-application-resource-group-name - Specifies the original name of the application
resource group.

l new-application-resource-group-name - Specifies the new name of the application resource
group, which is case-insensitive. The length is 1 to 95 characters.

Viewing Application Resource Group Configuration Information

To view the configuration information of the specified application resource group, in any mode,
use the following command:
show application-resource-group {name application-resource-group-name | id id}

l name application-resource-group-name | id id - Specifies the application resource group name or ID.

To view the configuration information of all application resource groups, in the global con-
figuration mode, use the following command:
show application-resource-group

Viewing Reference Information of an Application Resource Group

Whether user traffic hitting a ZTNA policy is granted or denied access to the application resource
group referenced by the policy is decided by the policy's action.
To view the reference information of the specified application resource group, in any mode, use
the following command:
show reference application-resource-group group-name



l group-name - Specifies the application resource group name.
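The following is an added worked configuration, not configuration taken from this guide, that builds three application resources using each of the entry types described above (domain name, IP range and IP address), attaches a hyperlink and description, collects them into a group, and then inspects the result. The names, addresses, domains and timeouts are placeholders chosen for illustration; exit is assumed to return from a sub-module configuration mode to the global configuration mode. Lines beginning with # are annotations for the reader and are not CLI input.

```text
# Internal web portal reachable by name on HTTPS; an exact name plus a wildcard
# for its sub-hosts. Sessions are kept for 8 hours (28800 s) instead of the
# 1800 s TCP default. The hyperlink makes it appear on the ZTNA portal page.
application-resource intranet-portal id 10
  domain portal.corp.example protocol https port 443 timeout 28800
  domain *.portal.corp.example protocol https port 443 timeout 28800
  hyperlink https://portal.corp.example/
  description employee-intranet-portal
exit

# SSH bastions defined as an IP range. No hyperlink, so the resource is not
# shown on the portal page even though a policy may grant access to it.
application-resource bastion-ssh
  range 10.10.20.1 10.10.20.16 protocol tcp port 22 timeout 1800
  description ssh-bastions-engineering
exit

# DNS resolver by single address. The UDP entry keeps the 60 s default;
# the TCP fallback is given a lifetime in days rather than seconds.
application-resource corp-dns
  ip 10.10.0.53 protocol udp port 53
  ip 10.10.0.53 protocol tcp port 53 timeoutday 2
exit

# Group the resources (at most 16 per group, IDs 1 to 64)
application-resource-group engineering-core id 5
  application-resource intranet-portal
  application-resource bastion-ssh
  application-resource corp-dns
  description core-services-for-engineering
exit

# Inspect by name, by filter, by group ID, and see which policies reference the group
show application-resource name intranet-portal
show application-resource filter protocol https port 443
show application-resource-group id 5
show reference application-resource-group engineering-core

# Re-entering an existing entry with only a different timeout overwrites it in place;
# here the bastion idle lifetime is cut to 15 minutes without deleting the entry first
application-resource bastion-ssh
  range 10.10.20.1 10.10.20.16 protocol tcp port 22 timeout 900
exit
```

The overwrite behaviour in the last step is worth checking with show application-resource name bastion-ssh after the change: the entry should appear once, with the new timeout, not twice. Keep the session lifetimes as short as the application tolerates; a long-lived ZTNA session outlives the endpoint checks that granted it, up to the monitoring interval at which the endpoint tag is re-evaluated.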



Configuring ZTNA Policy
Each ZTNA policy is labeled with a unique ID. When traffic flows into the ZTNA server, the
device queries the ZTNA policies in turn and processes the traffic according to the first
matched policy. However, the ZTNA policy ID is not related to the matching sequence during
the query. The policy sequence displayed by the command show ztna-policy is the actual
sequence for the policy matching (the system matches the policies from the top to the bottom).
You can specify the location of a ZTNA policy when creating the policy or moving its position in
the global ZTNA policy configuration mode. The positions of a ZTNA policy can be either an
absolute position, i.e., at the top or bottom, or a relative position, i.e., before or after a specific
policy ID or name.
ZTNA grants access to users based on ZTNA policies. The system supports up to 2000 ZTNA
policies. A ZTNA policy functions based on the matching condition and action. It supports the
following dimensions as matching conditions:

l User/User group: When a user/user group matches the one configured in the ZTNA policy,
this user/user group is considered to meet the matching condition.

l Application resource/Application resource group: When a requested application resource/application resource group matches the one configured in the ZTNA policy, this application
resource/application resource group is considered to meet the matching condition.

l Endpoint tag: When the endpoint tag carried with an authenticated user matches the one con-
figured in the ZTNA policy, this endpoint tag is considered to meet the matching condition.

l Schedule: When the user access time matches the one configured in the ZTNA policy, the
access time is considered to meet the matching condition.

Each ZTNA policy can be configured with one or multiple matching conditions. For a ZTNA
policy configured with multiple matching conditions, the policy is considered to be hit and the
traffic will be processed based on the action specified in the policy only when all matching con-
ditions are met. When a matching condition is not configured in a ZTNA policy, all objects are
considered to meet this matching condition. The policy action includes two types (at least one
must be configured):



l permit: User traffic hitting a specified ZTNA policy will be granted access to resources con-
figured in the policy.

l deny: User traffic hitting a specified ZTNA policy will be denied access to resources con-
figured in the policy.

User traffic that does not hit any ZTNA policies will hit the ZTNA default policy and be pro-
cessed based on the default action.
This section describes the following ZTNA policy configurations:

l Creating a ZTNA Policy

l Configuring the ZTNA Policy Name

l Binding an Application Resource/Application Resource Group

l Binding an Endpoint Tag

l Binding a User/User Group

l Configuring a Schedule

l Specifying the Action

l Enabling/Disabling a ZTNA Policy

l Configuring Description for a ZTNA Policy

l Log Management of ZTNA Policies

l Entering Global ZTNA Policy Configuration Mode

l Binding Anti-Virus Profile

l Binding Sandbox Profile

l Binding IPS Profile



l Binding File Filter Profile

l Binding File Content Filter Profile

l Clearing ZTNA Policy Statistics Information

Creating a ZTNA Policy

To create a ZTNA policy and enter the ZTNA policy configuration mode, in the global con-
figuration mode, use the following command:
ztna-rule [name rule-name | id id] [top | before {name rule-name | id} | after {name rule-name
| id} ]

l name rule-name - Specifies the ZTNA policy name. The length is 1 to 95 characters.

l id id - Specifies the ZTNA policy ID. The value ranges from 1 to 2000. If the specified ID
exists, you will enter the configuration mode of this ZTNA policy directly. If the ID is not
specified for a new ZTNA policy, the system will automatically assign one.

l top | before {name rule-name | id} | after {name rule-name | id} - Specifies the position of
the ZTNA policy. By default, the newly-created ZTNA policy is located at the end of all the
ZTNA policies.

l top - Specifies the location of the policy to the top of all policies.

l before {name rule-name | id} - Specifies the location of the policy before the specified policy
ID or name.

l after {name rule-name | id} - Specifies the location of the policy after the specified policy ID
or name.

To delete the specified ZTNA policy, in the global configuration mode, use the following command:
no ztna-rule {name rule-name | id id}

Configuring the ZTNA Policy Name

For an existing ZTNA policy, to specify or modify its name, in the ZTNA policy configuration
mode, use the following command:
name name

l name - Specifies the ZTNA policy name. The length is 1 to 95 characters.

To delete the ZTNA policy name, in the ZTNA policy configuration mode, use the following
command:
no name

Binding an Application Resource/Application Resource Group

Each ZTNA policy can be bound with up to 10 application resources and 10 application resource groups. The logical relationship among multiple application resources/application resource groups is "Or". When a user accesses any of these application resources, the application resource dimension of the policy is considered to be hit. If a policy does not bind any application resources, all application resources can be matched.
To bind the specified application resource with the ZTNA policy, in the ZTNA policy configuration mode, use the following command:
application-resource application-resource-name

l application-resource-name - Specifies the name of an existing application resource.

To cancel the binding, in the ZTNA policy configuration mode, use the following command:
no application-resource application-resource-name
To bind the specified application resource group with the ZTNA policy, in the ZTNA policy configuration mode, use the following command:
application-resource-group group-name

l group-name - Specifies the name of an existing application resource group.

To cancel the binding, in the ZTNA policy configuration mode, use the following command:

no application-resource-group group-name

Binding an Endpoint Tag

Each ZTNA policy can be bound with up to 10 endpoint tags. The logical relationship among multiple endpoint tags is "Or". When a user matches any of these endpoint tags, the endpoint tag dimension of the policy is considered to be hit. If a policy does not bind any endpoint tags, all endpoint tags can be matched.
To bind the specified endpoint tag with the ZTNA policy, in the ZTNA policy configuration
mode, use the following command:
endpoint-tag tag-name
To cancel the binding, in the ZTNA policy configuration mode, use the following command:
no endpoint-tag tag-name

Binding a User/User Group

Each ZTNA policy can be bound with up to 8 users and 8 user groups. The logical relationship
among multiple user/user groups is "Or". When any of the users attempts to access, the user
dimension of the policy is considered to be hit. If a policy does not bind any users, all users can
be matched.
To bind the specified user with the ZTNA policy, in the ZTNA policy configuration mode, use
the following command:
user aaa-server-name user-name

l aaa-server-name - Specifies the name of the AAA server that the user belongs to.

l user-name - Specifies the user name.

To cancel the binding, in the ZTNA policy configuration mode, use the following command:
no user aaa-server-name user-name
To bind the specified user group with the ZTNA policy, in the ZTNA policy configuration mode,
use the following command:
user-group aaa-server-name user-group-name

l aaa-server-name - Specifies the name of the AAA server that the user group belongs to.

l user-group-name - Specifies the user group name.

To cancel the binding, in the ZTNA policy configuration mode, use the following command:
no user-group aaa-server-name user-group-name

Configuring a Schedule

By default, the configured ZTNA policy will take effect immediately. If you apply a schedule to
the ZTNA policy, it will only take effect in the specified time defined in the schedule. You can
configure up to 10 schedules for a ZTNA policy, and the effective time of the policy is the sum
of all time configured in the schedules. The logical relationship among multiple schedules is "Or".
When any of these schedules is matched, the schedule dimension of the policy is considered to be
hit. If a policy does not bind any schedules, all time can be matched. For information about how
to configure a schedule, refer to System Management > Configuring Schedule.
To configure the specified schedule for the ZTNA policy, in the ZTNA policy configuration
mode, use the following command:
schedule schedule-name

l schedule-name - Specifies the schedule name. To avoid unexpected behavior, do not use schedules whose time ranges overlap.

To delete the specified schedule, in the ZTNA policy configuration mode, use the following command:
no schedule schedule-name

Specifying the Action

To specify the action to be performed on user traffic that hits the ZTNA policy, in the ZTNA
policy configuration mode, use the following command:
action {permit | deny}

l permit | deny - Specifies the action that will be performed on user traffic that hits the ZTNA
policy, i.e. permitting or denying access to the bound application resources/application
resource groups.

Enabling/Disabling a ZTNA Policy

By default, the configured ZTNA policy will take effect immediately. You can disable a ZTNA
policy to terminate its control over traffic. To enable or disable a ZTNA policy, in the ZTNA
policy configuration mode, use the following command:

l Disable: disable

l Enable: enable

Configuring Description for a ZTNA Policy

To configure a description for a ZTNA policy, in the ZTNA policy configuration mode, use the following command:
description description

l description - Specifies the description of the ZTNA policy. The length is 1 to 255 characters.
When the policy is already configured with description, it will be overwritten by the new
description.

To delete the policy description, in the ZTNA policy configuration mode, use the following command:
no description

Log Management of ZTNA Policies

The system supports log management of ZTNA policies. By default, it is disabled.

l For the ZTNA policies of action Permit, logs will be generated when the matched traffic session starts and ends.

l For the ZTNA policies of action Deny, logs will be generated when the matched traffic is denied.

Before using this function, make sure the log function for the traffic is enabled. In the global configuration mode, use the command logging traffic session on. To configure the log management of ZTNA policies, in the ZTNA policy configuration mode, use the following command:
log {policy-deny | session-start | session-end}

l policy-deny – Generates logs when the matched traffic is denied. This parameter is applicable to the ZTNA policies of action Deny.

l session-start – Generates logs when the matched traffic starts its session. This parameter is
applicable to the ZTNA policies of action Permit.

l session-end – Generates logs when the matched traffic ends its session. This parameter is
applicable to the ZTNA policies of action Permit.

To cancel the log management configuration, in the ZTNA policy configuration mode, use the following command:
no log {policy-deny | session-start | session-end}

Binding Anti-Virus Profile

When the system is installed with the anti-virus license, you can bind an anti-virus profile to a
ZTNA policy to achieve virus detection on traffic matching the ZTNA policy and process the
detected viruses based on the Anti-Virus Profile. For information about anti-virus, please refer to
Anti-Virus.
To bind an anti-virus profile, in the ZTNA policy configuration mode, use the following command:
av profile-name

l profile-name - Specifies the anti-virus profile name.

To cancel the binding, in the ZTNA policy configuration mode, use the following command:
no av

Binding Sandbox Profile

When the system is installed with the sandbox license, you can bind a sandbox profile to a ZTNA policy to perform sandbox detection on traffic matching the ZTNA policy. Using cloud sandbox and local sandbox technology, the system analyzes a suspicious file, collects the actions of the file, verifies its legitimacy, returns the analysis result to the system and handles a malicious file based on the actions set by the system. For information about sandbox, please refer to Sandbox.
To bind a sandbox profile, in the ZTNA policy configuration mode, use the following command:
sandbox profile-name

l profile-name - Specifies the sandbox profile name.

To cancel the binding, in the ZTNA policy configuration mode, use the following command:
no sandbox

Binding IPS Profile

When the system is installed with the IPS license, you can bind an IPS profile to a ZTNA policy to detect network attacks in traffic matching the ZTNA policy and perform actions such as blocking on the attacks based on the IPS Profile. For information about IPS, please refer to IPS.
To bind an IPS profile, in the ZTNA policy configuration mode, use the following command:
ips profile-name

l profile-name - Specifies the IPS profile name.

To cancel the binding, in the ZTNA policy configuration mode, use the following command:
no ips

Binding File Filter Profile

After the ZTNA policy is bound with a file filter profile, the system will perform file detection on traffic matching the ZTNA policy and perform control actions on the file matching the filter conditions based on the file filter profile. For information about file filter, please refer to File Filter.
To bind a file filter profile, in the ZTNA policy configuration mode, use the following command:
dlp profile-name

l profile-name - Specifies the file filter profile name.

To cancel the binding, in the ZTNA policy configuration mode, use the following command:
no dlp

Binding File Content Filter Profile

After the ZTNA policy is bound with a file content filter profile, the system will perform file content detection on traffic matching the ZTNA policy and perform control actions such as blocking or logging based on the file content filter profile. For information about file content filter, please refer to File Content Filter.
To bind a file content filter profile, in the ZTNA policy configuration mode, use the following command:
file-contentfilter profile-name

l profile-name - Specifies the file content filter profile name.

To cancel the binding, in the ZTNA policy configuration mode, use the following command:
no file-contentfilter

Entering Global ZTNA Policy Configuration Mode

Some global configurations for the ZTNA policy should be completed in the global ZTNA policy
configuration mode. To enter the global ZTNA policy configuration mode, in the system global
configuration mode, use the following command:
ztna-policy-global
This section describes the following global ZTNA configurations:

l Specifying the Default Action

l Enabling/Disabling ZTNA Session Rematch

l Log Management of ZTNA Default Policy

l Moving a ZTNA Policy

Specifying the Default Action

You can specify the default action for the traffic that is not matched to any configured ZTNA
policy. The system will process the traffic according to the specified default action. By default,
the system will deny such traffic.
To configure the default action, in the global ZTNA policy configuration mode, use the following
command:
default-action {permit | deny}

l permit | deny - Specifies the default action, i.e. permitting or denying access to resources.

Enabling/Disabling ZTNA Session Rematch

By default, ZTNA session rematch is enabled. When you add, modify or delete a ZTNA policy, the matched ZTNA policies for existing ZTNA sessions might change. The system handles existing sessions as follows:

l If ZTNA session rematch is enabled, the system will rematch ZTNA policies for existing sessions and delete the sessions for which the matched policy has changed.

l If ZTNA session rematch is disabled, the system will not rematch ZTNA policies for existing
sessions. Related sessions will be kept until they time out.

Use the following command in the global ZTNA policy configuration mode to disable and enable
ZTNA session rematch:

l Disable: session-rematch off

l Enable: no session-rematch off
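The matching behavior described in the sections above (an unbound dimension matches everything, members of one dimension are combined with "Or", the first hit in policy order wins, the default action applies when nothing hits, and session rematch deletes sessions whose matched policy changed) can be written down as a small runnable model. This is an added example, not code from the guide or from Hillstone; the policy names, the AAA server name ldap1, the user, group, resource, tag and schedule names are all constructed for illustration.

```python
"""Toy model of ZTNA policy lookup as described in this chapter (added example).

All names (finance-erp, ldap1/finance, work-hours, ...) are constructed and
are not from the guide or from StoneOS.
"""
from dataclasses import dataclass, field


@dataclass
class ZtnaRule:
    """One ztna-rule. An empty binding set means that dimension matches everything."""
    name: str
    app_resources: set = field(default_factory=set)   # application-resource(-group) names
    endpoint_tags: set = field(default_factory=set)   # endpoint-tag names
    users: set = field(default_factory=set)           # "aaa-server/user" or "aaa-server/group"
    schedules: set = field(default_factory=set)       # schedule names
    action: str = "deny"                              # action {permit | deny}
    enabled: bool = True                              # enable / disable


@dataclass
class Request:
    """What the device knows about one access attempt (constructed fields)."""
    user: str                 # "aaa-server/user-name"
    groups: set               # "aaa-server/group-name" memberships
    endpoint_tags: set        # tags currently attached to the endpoint
    resource: str             # application resource being accessed
    resource_groups: set      # application resource groups containing it
    active_schedules: set     # schedules whose time range covers "now"


def dimension_hit(bound: set, present: set) -> bool:
    """Unbound dimension matches all; a bound one is an "Or" over its members."""
    return not bound or bool(bound & present)


def rule_hits(rule: ZtnaRule, req: Request) -> bool:
    """All four dimensions must hit; a disabled rule never hits."""
    return rule.enabled and (
        dimension_hit(rule.app_resources, {req.resource} | req.resource_groups)
        and dimension_hit(rule.endpoint_tags, req.endpoint_tags)
        and dimension_hit(rule.users, {req.user} | req.groups)
        and dimension_hit(rule.schedules, req.active_schedules)
    )


def match(rules, req, default_action="deny"):
    """First hit in list order wins; no hit falls through to the default policy."""
    for rule in rules:
        if rule_hits(rule, req):
            return rule.name, rule.action
    return None, default_action


def rematch_sessions(sessions, rules, default_action="deny", rematch_on=True):
    """Session rematch after a policy edit: sessions maps id -> (Request, old name).

    Returns (kept, deleted). With `session-rematch off` nothing is touched.
    """
    if not rematch_on:
        return dict(sessions), []
    kept, deleted = {}, []
    for sid, (req, old_name) in sessions.items():
        new_name, _ = match(rules, req, default_action)
        if new_name == old_name:
            kept[sid] = (req, old_name)
        else:
            deleted.append(sid)
    return kept, deleted


def demo():
    """Constructed scenario: three policies, two users, then one policy is disabled."""
    rules = [
        ZtnaRule("finance-deny-untrusted", app_resources={"finance-erp"},
                 endpoint_tags={"untrusted"}, action="deny"),
        ZtnaRule("finance-allow", app_resources={"finance-erp"},
                 users={"ldap1/finance"}, action="permit"),
        ZtnaRule("staff-intranet", app_resources={"intranet-apps"},
                 users={"ldap1/staff"}, schedules={"work-hours"}, action="permit"),
    ]
    groups = {"ldap1/finance", "ldap1/staff"}
    alice = Request("ldap1/alice", groups, {"compliant"}, "erp-web", {"finance-erp"}, {"work-hours"})
    alice_bad = Request("ldap1/alice", groups, {"untrusted"}, "erp-web", {"finance-erp"}, {"work-hours"})
    bob = Request("ldap1/bob", {"ldap1/staff"}, {"compliant"}, "wiki", {"intranet-apps"}, {"work-hours"})
    bob_night = Request("ldap1/bob", {"ldap1/staff"}, {"compliant"}, "wiki", {"intranet-apps"}, set())
    out = {
        "alice_compliant": match(rules, alice),
        "alice_untrusted": match(rules, alice_bad),   # deny rule sits first and hits
        "bob_work_hours": match(rules, bob),
        "bob_off_hours": match(rules, bob_night),     # schedule dimension misses -> default
    }
    sessions = {1: (alice, "finance-allow"), 2: (bob, "staff-intranet")}
    rules[1].enabled = False                          # `disable` on finance-allow
    out["deleted_rematch_off"] = rematch_sessions(sessions, rules, rematch_on=False)[1]
    out["deleted_after_disable"] = rematch_sessions(sessions, rules)[1]
    return out
```

Note that the deny policy is placed before the permit policy on purpose: because evaluation stops at the first hit, a deny rule for untrusted endpoints only protects the resource if it is ordered above the broader permit rule, which is why the position arguments of `ztna-rule` and `move` matter.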

Log Management of ZTNA Default Policy

For traffic hitting the ZTNA default policy, you can specify whether to generate logs. By default, the system does not generate logs for such traffic. To generate logs for such traffic, in the global ZTNA policy configuration mode, use the following command:
log ztna-policy-default
To restore to the default value, in the global ZTNA policy configuration mode, use the following
command:
no log ztna-policy-default

Moving a ZTNA Policy

To move a ZTNA policy, in the global ZTNA policy configuration mode, use the following command:
move {name rule-name | id} {top | bottom | before {name rule-name | id} | after {name rule-name | id} }

l name rule-name | id id – Specifies the ZTNA policy ID or name that you want to move.

l top – Moves the ZTNA policy to the top of all policies.

l bottom - Moves the ZTNA policy to the end of all policies.

l before {name rule-name | id id} – Moves the ZTNA policy before the specified policy ID
or name.

l after {name rule-name | id id} – Moves the ZTNA policy after the specified policy ID or
name.

Viewing ZTNA Policy Configuration Information

To view the configuration information of the specified ZTNA policy, in any mode, use the fol-
lowing command:
show ztna-policy {name rule-name | id id}

l name rule-name - Specifies the ZTNA policy name.

l id id - Specifies the ZTNA policy ID.

To view the ZTNA policy configuration information that matches the specified filter conditions,
in any mode, use the following command:
show ztna-policy filter { [application-resource application-resource-name] [application-resource-group application-resource-group-name] [description description] [endpoint-tag tag-name] [name rule-name] [user user-name] [user-group user-group-name] }

l application-resource application-resource-name - Shows ZTNA policy configuration information that matches the specified application resource name.

l application-resource-group application-resource-group-name - Shows ZTNA policy configuration information that matches the specified application resource group name.

l description description - Shows ZTNA policy configuration information that matches the specified description.

l endpoint-tag tag-name - Shows ZTNA policy configuration information that matches the specified endpoint tag.

l name rule-name - Shows ZTNA policy configuration information that matches the specified ZTNA policy name.

l user user-name - Shows ZTNA policy configuration information that matches the specified
user name.

l user-group user-group-name - Shows ZTNA policy configuration information that matches the specified user group name.

To view the configuration information of all ZTNA policies, in any mode, use the following command:
show ztna-policy

Viewing ZTNA Policy Statistics Information

To view the statistics information of ZTNA policies ranked in the top 10, top 20 and top 50 hit
counts, in any mode, use the following command:
show ztna-policy statistics-information top {10 | 20 | 50 | all}

l top {10 | 20 | 50 | all} - Shows the statistics information of ZTNA policies ranked in the
top 10, top 20 and top 50 hit counts. all means the statistics information of all ZTNA policies
will be shown in descending order of hit counts.

To view all ZTNA policy statistics, use the following command:
show ztna-policy statistics-information

Clearing ZTNA Policy Statistics Information

To clear the statistics information of the specified ZTNA policy, in any mode, use the following
command:
clear ztna-policy statistics-information {name rule-name | id id}

l name rule-name - Specifies the ZTNA policy name.

l id id - Specifies the ZTNA policy ID.

To clear the statistics information of all ZTNA policies, use the following command:
clear ztna-policy statistics-information all
To clear the statistics information of the ZTNA default policy, use the following command:
clear ztna-policy statistics-information default-action

Configuring Access Address Pool
ZTNA supports IPv4 and IPv6 type address pools. For information about address pool configuration.

Configuring an IPv4 Access Address Pool

An address pool is used to store IPv4 addresses allocated to clients. When a client connects to its server, the server takes an IPv4 address from the address pool, along with the client properties (such as the DNS server address or WINS server address), and gives them to the client.
To create an IPv4 address pool, in the global configuration mode, use the following command:
access-address-pool pool-name

l pool-name – Specifies a name for the address pool. The length is 1 to 31 characters.

This command creates a new address pool and leads you into the address pool configuration
mode; if the pool with this name exists, you will enter its configuration mode directly.
To delete an address pool, in the global configuration mode, use the following command:
no access-address-pool pool-name
The following sections explain how to configure address pools, including:

l Configuring an address range and network mask of a pool

l Configuring excluded addresses

l Configuring an IP binding rule

l Configuring a DNS server

l Configuring a WINS server

Configuring an IP Range of the Address Pool

To configure the start IP, end IP and network mask of an address pool, in the IPv4 address pool configuration mode, use the following command:
address start-ip end-ip netmask A.B.C.D

l start-ip – Specifies the start IPv4 address.

l end-ip – Specifies the end IPv4 address.

l netmask A.B.C.D – Specifies the network mask for this IPv4 address range.

To delete the IP range setting of an address pool, in the IPv4 address pool configuration mode,
use the following command:
no address

Configuring Reserved Addresses

Some addresses in the address pool need to be reserved for other devices, like gateways, FTP servers, etc. These reserved IPv4 addresses are not allocated to clients.
To configure the start IP and end IP of reserved IP range, in the IPv4 address pool configuration
mode, use the following command:
exclude address start-ip end-ip

l start-ip – Specifies the start IP for reserved IP range.

l end-ip – Specifies the end IP for reserved IP range.

To delete the reserved address range, in the IPv4 address pool configuration mode, use the following command:
no exclude

Configuring IP Binding Rules

If an IPv4 client needs a static IPv4 address, an IP-user binding rule can be applied to meet this requirement. Binding the user of an IPv4 client to an IPv4 address in the address pool guarantees that this IPv4 address is allocated to the client when it reaches the server. In addition, the IPv4 address for a client can be limited to an address range by using an IP-role binding, which defines an IP range for this role. When a client with the role connects to the server, it gets one address from the IPv4 addresses bound to this role.
When an IPv4 server allocates IPv4 addresses, it follows the rules below:

1. Check whether the IP-user binding rule is configured for the client. If yes, allocate the
bound IP to the client; if no, the server will select an IP which is not bound or used from
the address pool, then allocate it to the client.

2. Check whether the IP-role binding rule is configured for the client. If yes, get an IP from
the IP range and allocate to the client; if no, the server will select an IP which is not bound
or used from the address pool, then allocate it to the client.

Notes: IPv4 addresses in the IP-user binding rules and those in the IP-role binding
rules should not conflict with each other.

Binding an IP to a User

To bind an IP address to a user, in the IPv4 address pool configuration mode, use the following
command:
ip-binding user user-name ip ip-address

l user user-name – Specifies the username.

l ip ip-address – Specifies an available IPv4 address in the address pool which will be bound
to the user.

To cancel an IP-user binding, in the IPv4 address pool configuration mode, use the following
command:
no ip-binding user user-name

Binding an IP to a Role

To bind an IP address to a role, in the IPv4 address pool configuration mode, use the following
command:
ip-binding role role-name ip_range start-ip end-ip

l role role-name – Specifies the role name.

l ip_range start-ip end-ip – Specifies the available IP range (start IPv4 address and end IPv4
address) in the address pool.

To cancel a binding between an IP range and a role, in the IPv4 address pool configuration mode,
use the following command:
no ip-binding role role-name

Changing the Sequence of IP-Role Binding

Normally, if a user belongs to multiple roles that are bound to different IPv4 addresses, the system searches for the first rule that matches the user and applies the IPv4 address under this rule to the user. By default, a new rule is placed at the bottom of the rule list.
To move the position of an IP-role binding rule in the rule list, in the IPv4 address pool configuration mode, use the following command:
move role-name1 {before role-name2 | after role-name2 | top | bottom}

l role-name1 – Specifies the role whose binding you want to move.

l before role-name2 – Moves the binding rule before the IP-role binding specified here.

l after role-name2 – Moves the binding rule after the IP-role binding specified here.

l top – Moves the binding rule to the top of the IP-role binding rule list.

l bottom – Moves the binding rule to the bottom of the IP-role binding rule list.

Configuring a DNS Server

To specify a DNS server, in the IPv4 address pool configuration mode, use the following command:
dns address1 [ address2 ] [ address3 ] [ address4 ]

l address1 – Specifies the IPv4 address of DNS servers. You can specify up to four addresses.

To cancel the DNS setting, in the IPv4 address pool configuration mode, use the following command:
no dns

Configuring a WINS Server

To specify a WINS server, in the IPv4 address pool configuration mode, use the following command:
wins address1 [ address2 ]

l address1 – Specifies the IPv4 address of WINS server. You can specify up to two WINS
servers.

To cancel the WINS server setting, in the IPv4 address pool configuration mode, use the following command:
no wins

Viewing IPv4 Address Pool

To view information about an IPv4 address pool, in any mode, use the following command:
show access-address-pool [ pool-name ]

l pool-name – Specifies the name of IPv4 address pool to be shown. If this parameter is not
specified, you can view all IPv4 address pools.

Here is an example of viewing IPv4 address pool:

hostname(config)# show access-address-pool pool_test1
Name: pool_test1
Address range: 3.3.3.1 - 3.3.3.10 (start IP and end IP)
Exclude range: 3.3.3.1 - 3.3.3.2 (reserved IP addresses)
Netmask: 255.255.255.0 (network mask of the address pool)
Wins server: (WINS server setting)
wins1: 10.1.1.1
Dns server: (DNS server setting)
dns1: 10.10.209.1
IP Binding User: (IP-user binding)
test 3.3.3.8
IP Binding Role: (IP-role binding)
role1 3.3.3.3 3.3.3.7

To view statistical information about an IPv4 address pool, in any mode, use the following command:
show access-address-pool pool-name statistics

l pool-name – Specifies the name of IPv4 address pool whose statistics you want to view.

Here is an example of viewing statistics of an IPv4 address pool:

hostname(config)# show access-address-pool pool_test1 statistics
Total Ip Num 10 (total IP count in the address pool)
Exclude Ip Num 2 (reserved IP count)
Fixed Ip Num 6 (bound IP count)
Used Ip Num 2 (assigned IP count)
Fixed Used Ip Num 0 (assigned IP among the bound IP addresses)
Free Ip Num 6 (available IP count in the address pool)

Configuring an IPv6 Access Address Pool

An IPv6 address pool is used to store IPv6 addresses allocated to clients. When a client connects to its server, the server takes an IPv6 address from the address pool, along with the client properties (such as the DNS server address or WINS server address), and gives them to the client.
To create an IPv6 address pool, in the global configuration mode, use the following command:
access-address-pool-ipv6 pool-name

l pool-name – Specifies a name for the address pool. The length is 1 to 31 characters.

This command creates a new address pool and leads you into the IPv6 address pool configuration
mode; if the pool with this name exists, you will enter its configuration mode directly.
To delete an IPv6 address pool, in the global configuration mode, use the following command:
no access-address-pool-ipv6 pool-name
The following sections explain how to configure IPv6 address pool, including:

l Configuring an address range and prefix of a pool

l Configuring excluded addresses

l Configuring an IP binding rule

l Configuring a DNS server

Configuring an IP Range of the Address Pool

To configure the start IP, end IP and prefix length of an IPv6 address pool, in the IPv6 address pool configuration mode, use the following command:
address start-ipv6-address end-ipv6-address prefix-len prefix-length

l start-ipv6-address – Specifies the start IPv6 address.

l end-ipv6-address – Specifies the end IPv6 address.

l prefix-len prefix-length – Specifies the prefix for this IPv6 address range. The range is 111 to
128.

To delete the IP range setting of an address pool, in the IPv6 address pool configuration mode,
use the following command:
no address

Configuring Reserved Addresses

Some addresses in the address pool need to be reserved for other devices, like gateways, FTP servers, etc. These reserved IPv6 addresses are not allocated to clients.

To configure the start IP and end IP of reserved IP range, in the IPv6 address pool configuration
mode, use the following command:
exclude address start-ipv6-address end-ipv6-address

l start-ipv6-address – Specifies the start IP for reserved IP range.

l end-ipv6-address – Specifies the end IP for reserved IP range.

To delete the reserved address range, in the IPv6 address pool configuration mode, use the following command:
no exclude

Configuring IP Binding Rules

If an IPv6 client needs a static IPv6 address, an IP-user binding rule can be applied to meet this requirement. Binding the user of an IPv6 client to an IPv6 address in the address pool guarantees that this IPv6 address is allocated to the client when it reaches the server. In addition, the IPv6 address for a client can be limited to an address range by using an IP-role binding, which defines an IP range for this role. When a client with the role connects to the server, it gets one address from the IPv6 addresses bound to this role.
When an IPv6 server allocates IPv6 addresses, it follows the rules below:

1. Check whether the IP-user binding rule is configured for the client. If yes, allocate the
bound IP to the client; if no, the server will select an IP which is not bound or used from
the address pool, then allocate it to the client.

2. Check whether the IP-role binding rule is configured for the client. If yes, get an IP from
the IP range and allocate to the client; if no, the server will select an IP which is not bound
or used from the address pool, then allocate it to the client.

Notes: IPv6 addresses in the IP-user binding rules and those in the IP-role binding
rules should not conflict with each other.

Binding an IP to a User

To bind an IP address to a user, in the IPv6 address pool configuration mode, use the following
command:
ip-binding user user-name ip ipv6-address

l user user-name – Specifies the username.

l ip ipv6-address – Specifies an available IPv6 address in the address pool which will be bound
to the user.

To cancel an IP-user binding, in the IPv6 address pool configuration mode, use the following
command:
no ip-binding user user-name

Binding an IP to a Role

To bind an IP address to a role, in the IPv6 address pool configuration mode, use the following
command:
ip-binding role role-name ip-range start-ipv6-address end-ipv6-address

l role role-name – Specifies the role name.

l ip-range start-ipv6-address end-ipv6-address – Specifies the available IP range (start IPv6 address and end IPv6 address) in the address pool.

To cancel a binding between an IP range and a role, in the IPv6 address pool configuration mode,
use the following command:
no ip-binding role role-name

Changing the Sequence of IP-Role Binding

Normally, if a user belongs to multiple roles that are bound to different IPv6 addresses, the system searches for the first rule that matches the user and applies the IPv6 address under this rule to the user. By default, a new rule is placed at the bottom of the rule list.

To move the position of an IP-role binding rule in the rule list, in the IPv6 address pool configuration mode, use the following command:
move role-name1 {before role-name2 | after role-name2 | top | bottom}

l role-name1 – Specifies the role whose binding you want to move.

l before role-name2 – Moves the binding rule before the IP-role binding specified here.

l after role-name2 – Moves the binding rule after the IP-role binding specified here.

l top – Moves the binding rule to the top of the IP-role binding rule list.

l bottom – Moves the binding rule to the bottom of the IP-role binding rule list.
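The allocation order (IP-user binding first, then the first matching IP-role binding in list order, then any address that is neither bound, reserved nor in use) and the `move` reordering are described identically for the IPv4 pool above and the IPv6 pool here, so one model serves both sections. This is an added example, not code from the guide or from StoneOS; it rebuilds pool_test1 from the `show access-address-pool` example in this chapter, reproduces the statistics counters shown there, and adds constructed client names (guest1, guest2, carol, dave) and a constructed IPv6 pool. It generalizes over both address families with Python's ipaddress module.

```python
"""Toy model of a ZTNA access address pool (added example, not StoneOS code).

One class serves IPv4 and IPv6 pools because the guide describes the same
allocation rules for both. pool_test1 / test / role1 come from the guide's
example; every other name is constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AccessAddressPool:
    name: str
    start: str
    end: str
    exclude: tuple = None                                # (start, end) from `exclude address`
    user_bindings: dict = field(default_factory=dict)    # user -> address (`ip-binding user`)
    role_bindings: list = field(default_factory=list)    # [(role, start, end)] in list order
    used: dict = field(default_factory=dict)             # address -> user holding it

    @staticmethod
    def _range(start, end):
        # Enumerates the range; fine for the small pools used in this example.
        addr, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        while addr <= last:
            yield addr
            addr += 1

    def _reserved(self, addr):
        if not self.exclude:
            return False
        lo, hi = map(ipaddress.ip_address, self.exclude)
        return lo <= addr <= hi

    def _bound(self):
        """Addresses pinned by any IP-user or IP-role binding ("Fixed Ip Num")."""
        bound = {ipaddress.ip_address(a) for a in self.user_bindings.values()}
        for _, s, e in self.role_bindings:
            bound.update(self._range(s, e))
        return bound

    def _take(self, addr, user):
        self.used[addr] = user
        return str(addr)

    def allocate(self, user, roles=()):
        """Apply the guide's allocation order for one connecting client."""
        # 1. IP-user binding: the bound address is always the one handed out.
        if user in self.user_bindings:
            addr = ipaddress.ip_address(self.user_bindings[user])
            if self.used.get(addr, user) != user:
                raise RuntimeError(f"{addr} is bound to {user} but held by {self.used[addr]}")
            return self._take(addr, user)
        # 2. IP-role binding: first rule in list order that matches one of the roles.
        for role, s, e in self.role_bindings:
            if role in roles:
                for addr in self._range(s, e):
                    if addr not in self.used and not self._reserved(addr):
                        return self._take(addr, user)
                raise RuntimeError(f"range bound to role {role} is exhausted")
        # Fallback: an address that is not bound, not reserved and not in use.
        bound = self._bound()
        for addr in self._range(self.start, self.end):
            if addr not in bound and addr not in self.used and not self._reserved(addr):
                return self._take(addr, user)
        raise RuntimeError(f"pool {self.name} exhausted")

    def move_role(self, role, position, ref=None):
        """Reorder role bindings like `move role-name1 {before | after | top | bottom}`."""
        entry = next(b for b in self.role_bindings if b[0] == role)
        rest = [b for b in self.role_bindings if b[0] != role]
        if position in ("top", "bottom"):
            self.role_bindings = [entry] + rest if position == "top" else rest + [entry]
        else:
            idx = next(i for i, b in enumerate(rest) if b[0] == ref)
            rest.insert(idx if position == "before" else idx + 1, entry)
            self.role_bindings = rest

    def statistics(self):
        """Same counters as `show access-address-pool <name> statistics`."""
        total = list(self._range(self.start, self.end))
        bound = self._bound()
        excluded = sum(1 for a in total if self._reserved(a))
        return {
            "total": len(total), "exclude": excluded, "fixed": len(bound),
            "used": len(self.used),
            "fixed_used": sum(1 for a in self.used if a in bound),
            "free": len(total) - excluded - len(self.used),
        }


def demo_ipv4():
    """Rebuild pool_test1 from the guide's example and reproduce its statistics."""
    pool = AccessAddressPool("pool_test1", "3.3.3.1", "3.3.3.10",
                             exclude=("3.3.3.1", "3.3.3.2"),
                             user_bindings={"test": "3.3.3.8"},
                             role_bindings=[("role1", "3.3.3.3", "3.3.3.7")])
    first = pool.allocate("guest1")      # unbound client: 3.3.3.9 (.1-.2 reserved, .3-.8 bound)
    second = pool.allocate("guest2")     # 3.3.3.10
    stats = pool.statistics()            # matches the "Used Ip Num 2 / Free Ip Num 6" output
    bound_user = pool.allocate("test")   # rule 1 -> 3.3.3.8
    role_user = pool.allocate("carol", roles=("role1",))  # rule 2 -> 3.3.3.3
    return first, second, stats, bound_user, role_user


def demo_ipv6():
    """Same logic on a constructed IPv6 pool whose first address is reserved."""
    pool = AccessAddressPool("v6-pool", "2001:db8::1000", "2001:db8::1004",
                             exclude=("2001:db8::1000", "2001:db8::1000"))
    return pool.allocate("dave")         # 2001:db8::1001
```

The `statistics()` counters come out as Total 10, Exclude 2, Fixed 6, Used 2, Fixed Used 0 and Free 6 for the rebuilt pool_test1, the same figures the guide's `show access-address-pool pool_test1 statistics` example shows, which is a useful sanity check when reading those counters on a real device: Free should equal Total minus Exclude minus Used.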

Configuring a DNS Server

To specify a DNS server, in the IPv6 address pool configuration mode, use the following command:
dns ipv6-address1 [ ipv6-address2 ] [ ipv6-address3 ] [ ipv6-address4 ]

l ipv6-address1 – Specifies the IPv6 address of DNS servers. You can specify up to four
addresses.

To cancel the DNS setting, in the IPv6 address pool configuration mode, use the following command:
no dns

Viewing IPv6 Address Pool

To view information about an IPv6 address pool, in any mode, use the following command:
show access-address-pool-ipv6 [ pool-name ]

l pool-name – Specifies the name of IPv6 address pool to be shown. If this parameter is not
specified, you can view all IPv6 address pools.

Here is an example of viewing IPv6 address pool:

hostname(config)# show access-address-pool-ipv6
===================================================
Name Address range Prefix length
--------------------------------------------------------
1-ipv6-pool 1000:5678:2222~ - 1000:5678:2222~112
2-ipv6-pool 1001:5678:2222~ - 1001:5678:2222~112
3-ipv6-pool 1002:5678:2222~ - 1002:5678:2222~112
4-ipv6-pool 1003:5678:2222~ - 1003:5678:2222~112
5-ipv6-pool 1004:5678:2222~ - 1004:5678:2222~112
6-ipv6-pool 1005:5678:2222~ - 1005:5678:2222~112
===============================================================
hostname(config)# show access-address-pool-ipv6 2-ipv6-pool
Name: 2-ipv6-pool
Address range: 1001:5678:2222:3333:5555:ABCD:EFAB:1000 - 1001:5678:2222:3333:5555:ABCD:EFAB:3000 (start IP and end IP)
Exclude range: 1001:5678:2222:3333:5555:ABCD:EFAB:1000 - 1001:5678:2222:3333:5555:ABCD:EFAB:2000 (reserved IPv6 addresses)
prefix length: 112 (prefix length of the address pool)
Dns server: (DNS server setting)
dns1: AAAA:BBBB::1
dns2: 3333:2222::1

To view statistical information about an IPv6 address pool, in any mode, use the following command:
show access-address-pool-ipv6 pool-name statistics

l pool-name – Specifies the name of IPv6 address pool whose statistics you want to view.

Here is an example of viewing statistics of an IPv6 address pool:

hostname(config)# show access-address-pool-ipv6 2-ipv6-pool statistics
Total Ip Num 10 (total IP count in the address pool)
Exclude Ip Num 2 (reserved IP count)
Fixed Ip Num 6 (bound IP count)
Used Ip Num 2 (assigned IP count)
Fixed Used Ip Num 0 (assigned IP count among the bound IPv6 addresses)
Free Ip Num 6 (available IP count in the address pool)

Configuring ZTNA Instance
To create a ZTNA instance, in the global configuration mode, use the following command:
tunnel ztna instance-name

l instance-name – Specifies a name for the ZTNA instance. The length is 1 to 31 characters.

This command creates a ZTNA instance and leads you into the ZTNA instance configuration mode; if the instance already exists, you enter the ZTNA instance configuration mode directly.
To delete a ZTNA instance, in the global configuration mode, use the following command:
no tunnel ztna instance-name
This section describes how to configure a ZTNA instance, including:

l Specifying the Service Type

l Specifying an Access Address Pool

l Specifying a Server Interface

l Specifying an SSL Protocol Version

l Specifying a PKI Trust Domain

l Specifying an Encryption Trust Domain

l Specifying the Tunnel Cipher Suite

l Specifying an AAA Server

l Specifying an SSL Port Number

l Specifying the Transport Protocol

l Configuring a ZTNA Tunnel Route

l Configuring Anti-Replay

l Configuring Packet Fragmentation

l Configuring Idle Time

l Configuring Multi-logon

l Configuring Multi-Gateway Address

l Configuring URL Redirection

l Enabling/Disabling the Browser Download Function

l Authentication with USB Key Certificate

Specifying the Service Type

By default, the service type of a ZTNA instance is IPv4; this command only needs to be configured for an IPv6 instance. To specify the service type of the ZTNA instance (IPv4 or IPv6), in the ZTNA instance configuration mode, use the following command:
service-type {ipv4 | ipv6}

l ipv4 | ipv6 – Specifies the service type of the ZTNA instance, IPv4 or IPv6.

Specifying an Access Address Pool

To specify an IPv4 address pool for an IPv4 ZTNA instance, in the ZTNA instance configuration mode, use the following command:
access-address-pool pool-name

l pool-name – Specifies the name of the IPv4 address pool.

To cancel the IPv4 address pool, in the ZTNA instance configuration mode, use the following command:
no access-address-pool
To specify an IPv6 address pool for an IPv6 ZTNA instance, in the ZTNA instance configuration mode, use the following command:
access-address-pool-ipv6 pool-name

l pool-name – Specifies the name of the IPv6 address pool.

To cancel the IPv6 address pool, in the ZTNA instance configuration mode, use the following command:
no access-address-pool-ipv6

Specifying a Server Interface

The client uses HTTPS to access the device. Each ZTNA instance can be configured with up to 8 interfaces. To specify the ZTNA interface of the device, in the ZTNA instance configuration mode, use the following command:
interface interface-name

l interface-name – Specifies the name of the interface that the ZTNA client connects to.

To cancel the ZTNA interface, in the ZTNA instance configuration mode, use the following command:
no interface interface-name

Specifying an SSL Protocol Version

To specify the SSL protocol version of the ZTNA instance, in the ZTNA instance configuration mode, use the following command:
ssl-protocol {tlsv1 | tlsv1.2 | gmssl | any}

l tlsv1 – Uses the TLSv1 protocol.

l tlsv1.2 – Uses the TLSv1.2 protocol. This is the default option.

l gmssl – Uses the GMSSLv1.0 protocol. When this option is selected, you are recommended to select a trust domain that contains an SM2 key for both the PKI trust domain and the encryption trust domain. SM4 is the preferred encryption algorithm and SM3 the preferred hash algorithm.

l any – Accepts any of the following protocols: TLSv1, TLSv1.1 and TLSv1.2.

TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep the default tlsv1.2 unless a legacy client that cannot negotiate TLSv1.2 must be supported.
To restore to the default value, in the ZTNA instance configuration mode, use the following command:
no ssl-protocol
If tlsv1.2 or any is specified as the SSL protocol on the ZTNA server, the certificate that you are going to import into the browser, or the certificate stored on the USB Key, must be converted so that it supports TLSv1.2 before digital certificate authentication via the ZTNA client; otherwise the connection to the ZTNA server fails when the Username/Password + Digital Certificate or Digital Certificate Only authentication method is selected. Prepare a Windows or Linux PC with OpenSSL 1.0.1 or later installed before processing the certificate.
Taking a certificate file named oldcert.pfx as an example, the procedure is as follows:

1. On the OpenSSL command line, convert the .pfx certificate to .pem format:
openssl pkcs12 -in oldcert.pfx -out cert.pem

2. Convert the .pem certificate back to a .pfx certificate that supports TLSv1.2 by specifying the Microsoft CSP that supports the SHA-2 signatures TLSv1.2 requires:
openssl pkcs12 -export -in cert.pem -out newcert.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

3. Import the newly generated .pfx certificate into your browser or USB Key.

Specifying a PKI Trust Domain

The PKI trust domain in ZTNA is used for HTTPS authentication: it supplies the certificate that the device presents to connecting clients.

To specify a PKI trust domain for the ZTNA instance, in the ZTNA instance configuration mode, use the following command:
trust-domain trust-domain-name

l trust-domain-name – Specifies the name of the PKI trust domain. The default domain is trust_domain_default.

To restore to the default value, in the ZTNA instance configuration mode, use the following command:
no trust-domain

Tips: For information on how to create a PKI trust domain, see PKI in User Authentication.

Specifying an Encryption Trust Domain

To specify the encryption trust domain that is used for GMSSL negotiation in ZTNA, in the ZTNA instance configuration mode, use the following command:
trust-domain-enc trust-domain-name

l trust-domain-name – Specifies the name of the predefined encryption trust domain used for GMSSL negotiation.

To delete the configured encryption trust domain, in the ZTNA instance configuration mode, use the following command:
no trust-domain-enc

Specifying a Tunnel Cipher Suite

The tunnel cipher suite consists of an encryption algorithm, an authentication (hash) algorithm and an optional compression algorithm.
To specify a cipher suite for the tunnel, in the ZTNA instance configuration mode, use the following command:
tunnel-cipher encryption {null | des | 3des | aes | aes192 | aes256 | sm4} hash {null | md5 | sha | sha256 | sha384 | sha512 | sm3} [compression defl]

l null | des | 3des | aes | aes192 | aes256 | sm4 – Specifies an encryption algorithm. The default value is AES. null means that no encryption is applied, so tunnel traffic is sent in clear text. For more information about encryption algorithms, see Encryption Algorithm in VPN.

l null | md5 | sha | sha256 | sha384 | sha512 | sm3 – Specifies an authentication algorithm. The default value is MD5. null means that no integrity protection is applied. For more information about authentication algorithms, see Hash Algorithm in VPN.

l compression defl – Specifies the DEFLATE compression algorithm. The default setting is no compression. For more information on compression algorithms, see Compression Algorithm in VPN.

null, des, 3des, md5 and sha are legacy choices; for new deployments prefer aes256 with sha256 or stronger.
To restore to the default cipher suite setting, in the ZTNA instance configuration mode, use the following command:
no tunnel-cipher

Specifying an AAA Server

The AAA server in ZTNA is used for user authentication. To specify an AAA server, in the ZTNA instance configuration mode, use the following command:
aaa-server aaa-server-name [domain domain-name] [keep-domain-name]

l aaa-server-name – Specifies the name of the AAA server you want to use for authentication.

l domain domain-name – Specifies a domain for the AAA server so that it can be distinguished from other servers. The length is 1 to 31 characters.

l keep-domain-name – With this parameter, the AAA server uses the full name of the user, including the user name and the domain name, to perform authentication.

To cancel the AAA server of a ZTNA instance, in the ZTNA instance configuration mode, use the following command:
no aaa-server aaa-server-name [domain domain-name]

Specifying an SSL Port Number

The SSL port is used by clients to access the device.

To specify an SSL port number, in the ZTNA instance configuration mode, use the following command:
ssl-port port-number

l port-number – Specifies the SSL port number. The range is 1 to 65535. If multiple ZTNA instances use the same interface, their SSL port numbers must differ from each other and from the SSL port numbers of other services on that interface.

To restore to the default value, in the ZTNA instance configuration mode, use the following command:
no ssl-port

Configuring the Transport Protocol

The system supports ZTNA data transmission over TCP or UDP. The default protocol is UDP, and the default port is 4433. To configure the transport protocol and port number, in the ZTNA instance configuration mode, use the following command:
transport-service {tcp | udp} port-number

l tcp | udp – Specifies TCP or UDP for data transmission.

l port-number – Specifies the port number for data transmission. The range is 1 to 65535.

To delete the transport protocol and port number, in the ZTNA instance configuration mode, use the following command:
no transport-service {tcp | udp}

Configuring a ZTNA Tunnel Route

To reach a destination IPv4/IPv6 network segment or a destination domain name through the ZTNA tunnel, you need to specify it by configuring an IPv4/IPv6 ZTNA tunnel route.

l A specified destination network segment is distributed to the ZTNA client, which uses it to generate the route to that destination.

l A specified destination domain name is distributed to the ZTNA client, which generates the route to that destination according to the addresses it resolves from DNS.

Configuring a ZTNA Tunnel Route to the Specified IPv4 Network Segment

You can only specify IPv4 ZTNA tunnel routes for an IPv4 ZTNA instance. To reach a destination IPv4 network segment through a ZTNA tunnel, in the ZTNA instance configuration mode, use the following command:
split-tunnel-route ip-address/netmask [metric metric-number]

l ip-address/netmask – Specifies the IP address and network mask of the destination network segment.

l metric metric-number – Specifies a metric value for the route. The value range is 1 to 9999. The default value is 35.

You can add multiple IPv4 tunnel routes as required.

To delete an IPv4 tunnel route, in the ZTNA instance configuration mode, use the following command:
no split-tunnel-route ip-address/netmask [metric metric-number]

Configuring a ZTNA Tunnel Route to the Specified IPv6 Network Segment

You can only specify IPv6 ZTNA tunnel routes for an IPv6 ZTNA instance. To reach a destination IPv6 network segment through a ZTNA tunnel, in the ZTNA instance configuration mode, use the following command:
split-tunnel-route-ipv6 ipv6-address/prefix [metric metric-number]

l ipv6-address/prefix – Specifies the IPv6 address and prefix length of the destination network segment.

l metric metric-number – Specifies a metric value for the route. The value range is 1 to 9999. The default value is 35.

You can add multiple IPv6 tunnel routes as required.

To delete an IPv6 tunnel route, in the ZTNA instance configuration mode, use the following command:
no split-tunnel-route-ipv6 ipv6-address/prefix [metric metric-number]

Configuring a ZTNA Tunnel Route to the Specified Domain Name

After a ZTNA tunnel route to a domain name is specified, the system distributes the domain name to the client, and the client generates the route to that destination according to the addresses it resolves from DNS. To configure a ZTNA tunnel route to a domain name, in the ZTNA instance configuration mode, use the following command:
domain-route {disable | enable | max-entries value | url}

l disable – Does not distribute the specified domain names to the client. This is the default option.

l enable – Distributes the specified domain names to the client.

l max-entries value – Specifies the maximum number of routes that can be generated from the resolved IP addresses of the domain names. The default value is 1000. The value ranges from 1 to 10000.

l url – Specifies a domain name. You can add one per command, up to 64 domain names in total. A domain name cannot exceed 63 characters and cannot end with a dot (.). Wildcards and a bare top-level domain (for example, com or .com) are not supported.

To delete a specified domain name, in the ZTNA instance configuration mode, use the following command:
no domain-route url
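To make the route-distribution rules of the split-tunnel-route, split-tunnel-route-ipv6 and domain-route commands concrete, here is an added Python example; it is not StoneOS or ZTNA client code. It models what a client would do with the prefixes and domain names it receives: routes must match the instance service type, domain names are limited to 63 characters, may not end with a dot, and may not be wildcards or a bare top-level domain, at most 64 names are accepted, and host routes generated from DNS answers stop at max-entries. The function names, the lower-casing of domain names and the DNS answers passed in are assumptions; the answers are constructed for the example rather than resolved.

```python
"""Added example (not StoneOS code): build a ZTNA client's route list from the
split-tunnel-route prefixes and domain-route names described above.
Function names and the sample DNS answers are assumptions for illustration."""
import ipaddress

MAX_DOMAIN_ROUTE_NAMES = 64   # at most 64 domain-route url entries
DEFAULT_METRIC = 35           # default split-tunnel-route metric


def validate_domain_route_url(url):
    """Apply the documented domain-route url rules; return the normalised name.

    Rejects names longer than 63 characters, names ending with a dot,
    wildcards, and a bare top-level domain such as "com" or ".com".
    """
    if not 1 <= len(url) <= 63:
        raise ValueError("url must be 1 to 63 characters: %r" % url)
    if url.endswith("."):
        raise ValueError("url cannot end with a dot: %r" % url)
    if "*" in url:
        raise ValueError("wildcards are not supported: %r" % url)
    if "." not in url.strip("."):
        raise ValueError("a single top-level domain is not supported: %r" % url)
    return url.lower()   # DNS names are case-insensitive (assumed normalisation)


def build_client_routes(service_type, prefixes, domain_routes, dns_answers,
                        max_entries=1000, metric=DEFAULT_METRIC):
    """Return an ordered list of (network, metric) the client would install.

    service_type: "ipv4" or "ipv6"; prefixes of the other family are rejected,
    mirroring the rule that an IPv4 instance only takes IPv4 tunnel routes.
    prefixes: split-tunnel-route(-ipv6) entries such as "10.0.0.0/8".
    domain_routes: domain-route url names; dns_answers: {name: [ip, ...]}
    holding what the client resolved (answers of the wrong family are skipped).
    Host routes derived from DNS answers stop once max_entries is reached.
    """
    if service_type not in ("ipv4", "ipv6"):
        raise ValueError("service type must be ipv4 or ipv6")
    if not 1 <= max_entries <= 10000:
        raise ValueError("max-entries must be 1 to 10000")
    if len(domain_routes) > MAX_DOMAIN_ROUTE_NAMES:
        raise ValueError("at most %d domain-route names" % MAX_DOMAIN_ROUTE_NAMES)
    if not 1 <= metric <= 9999:
        raise ValueError("metric must be 1 to 9999")
    version = 4 if service_type == "ipv4" else 6
    routes, seen = [], set()

    def add(network):
        if network in seen:                # deduplicate repeated routes
            return False
        seen.add(network)
        routes.append((network, metric))
        return True

    for prefix in prefixes:
        # strict=False turns a host-style entry such as 192.168.1.5/24 into 192.168.1.0/24
        network = ipaddress.ip_network(prefix, strict=False)
        if network.version != version:
            raise ValueError("%s does not match service type %s" % (prefix, service_type))
        add(network)

    dns_routes = 0
    for name in (validate_domain_route_url(u) for u in domain_routes):
        for ip in dns_answers.get(name, []):
            if ipaddress.ip_address(ip).version != version:
                continue                    # resolved address of the other family
            if dns_routes >= max_entries:
                return routes               # max-entries cap reached
            if add(ipaddress.ip_network(ip)):   # /32 or /128 host route
                dns_routes += 1
    return routes
```

With service type ipv4, the prefixes 10.0.0.0/8 and 192.168.1.5/24, and a constructed answer set in which intranet.example.com resolves to 10.1.2.3 and 2001:db8::1, the function returns 10.0.0.0/8, 192.168.1.0/24 and the host route 10.1.2.3/32; the IPv6 answer is skipped because the instance is IPv4.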

Configuring Anti-Replay

Anti-Replay rejects packets that an attacker has captured and re-injected into the tunnel: a packet whose sequence number has already been accepted, or that falls behind the current receive window, is dropped.
To enable Anti-Replay, in the ZTNA instance configuration mode, use the following command:
anti-replay {32 | 64 | 128 | 256 | 512}

l 32 – Specifies an Anti-Replay window size of 32. This is the default value.

l 64 – Specifies an Anti-Replay window size of 64.

l 128 – Specifies an Anti-Replay window size of 128.

l 256 – Specifies an Anti-Replay window size of 256.

l 512 – Specifies an Anti-Replay window size of 512.

A larger window tolerates worse network conditions, such as heavy packet reordering, because a late packet is still accepted as long as it falls inside the window.
To restore the Anti-Replay window size to the default value, in the ZTNA instance configuration mode, use the following command:
no anti-replay
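The following added Python example shows how a sliding anti-replay window of the sizes selectable above behaves; it is illustrative code, not StoneOS code, and uses the bitmask scheme of RFC 4303 Appendix A. The class and function names are assumptions, and the arrival orders it is fed are constructed. It demonstrates both failure modes the window guards against (a replayed sequence number and a packet older than the window) and why a larger window copes with heavier reordering.

```python
"""Added example (not StoneOS code): a sliding anti-replay window of the size
the anti-replay command selects (32 to 512 packets), implemented with the
bitmask scheme of RFC 4303 Appendix A. Class and method names are assumptions."""

WINDOW_SIZES = (32, 64, 128, 256, 512)


class AntiReplayWindow:
    """Tracks the highest sequence number accepted and a bitmap of the `size`
    most recent sequence numbers; anything older than the window or already
    marked in the bitmap is rejected."""

    def __init__(self, size=32):
        if size not in WINDOW_SIZES:
            raise ValueError("window size must be one of %s" % (WINDOW_SIZES,))
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was received
        self.dropped = []     # (seq, reason) for every rejected packet

    def check(self, seq):
        """Return True and record seq if it is new and inside the window."""
        mask = (1 << self.size) - 1
        if seq > self.top:                      # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
            return True
        diff = self.top - seq                   # how far behind the window edge
        if diff >= self.size:
            self.dropped.append((seq, "outside window"))
            return False
        if self.bitmap & (1 << diff):
            self.dropped.append((seq, "replay"))
            return False
        self.bitmap |= 1 << diff                # late but unseen: accept it
        return True


def accepted_count(size, arrivals):
    """Feed an arrival order of sequence numbers through a window of `size`
    and return how many packets it accepts."""
    window = AntiReplayWindow(size)
    return sum(1 for seq in arrivals if window.check(seq))


def delayed_arrivals(total, late_seq, deliver_after):
    """Constructed arrival order: packets 1..total in order, except that
    packet `late_seq` is held back and delivered just after `deliver_after`."""
    order = [s for s in range(1, total + 1) if s != late_seq]
    order.insert(order.index(deliver_after) + 1, late_seq)
    return order
```

Feeding the constructed order in which packet 5 arrives right after packet 50 (45 positions late) to a 32-packet window drops it as outside the window, while a 64-packet window accepts all 100 packets; a second copy of an already accepted sequence number is dropped as a replay at any size.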

Configuring Packet Fragmentation

You can specify whether packet fragmentation is permitted by controlling the DF (Don't Fragment) bit of the tunnel packet.

To configure packet fragmentation, in the ZTNA instance configuration mode, use the following command:
df-bit {copy | clear | set}

l copy – Copies the DF bit from the original packet. This is the default value.

l clear – Clears the DF bit, permitting packet fragmentation.

l set – Sets the DF bit, forbidding packet fragmentation.

To restore to the default value, in the ZTNA instance configuration mode, use the following command:
no df-bit

Configuring Idle Time

Idle time defines how long a client may remain connected to the device without any activity. When a client takes no action for the idle time specified here, it is forced to log out of the device.
To specify the idle time, in the ZTNA instance configuration mode, use the following command:
idle-time time-value

l time-value – Specifies the idle time. The value range is 1 to 1500 minutes. The default value is 30.

To restore to the default value, in the ZTNA instance configuration mode, use the following command:
no idle-time

Configuring Multi-Logon

To allow multiple users to log in from multiple places with the same user name simultaneously, in the ZTNA instance configuration mode, use the following command:
allow-multi-logon
This command enables the function without limiting the number of logins. To limit the number of users logging in with the same user name simultaneously, in the ZTNA instance configuration mode, use the following command:
allow-multi-logon number number

l number – Specifies the number of users who are allowed to log in with one user name. The value range is 1 to 99999999.

To disable multi-logon, in the ZTNA instance configuration mode, use the following command:
no allow-multi-logon

Configuring Multi-Gateway Address

ZTNA supports configuring multiple backup gateways from which clients select the one to connect to. When the ZTNA device is configured with backup gateways, ZTNA users can enable gateway detection on their clients to select the ZTNA gateway to connect to.
After gateway detection is enabled, the ZTNA client attempts to obtain the backup gateway list from the gateway the user is logging in to, measures the link quality of all backup gateways and then establishes the ZTNA connection with the one that has the best link quality. After the connection is established, the ZTNA client re-measures and updates the link quality every 30 minutes. When a connection or login failure occurs, the ZTNA client switches to the backup gateway that has the best link quality.
To configure a backup gateway, in the ZTNA instance configuration mode, use the following command:
gateway gateway-name {ipv4 ip-address | domain string}

l gateway-name – Specifies the backup gateway name. The length is 1 to 31 characters.

l ip-address – Specifies the IPv4 address of the backup gateway.

l string – Specifies the domain name of the backup gateway. The length is 1 to 255 characters, and no label between two dots (.) can exceed 63 characters.

Repeat this command to configure multiple backup gateways.

To delete a specified backup gateway, in the ZTNA instance configuration mode, use the following command:
no gateway gateway-name

Notes: The ZTNA configuration on the backup gateways must be consistent with that on the master gateway.
Configuring URL Redirection

The URL redirection function of the ZTNA server displays a specified URL page to the authenticated client user. By default, this function is disabled.
To enable URL redirection, in the ZTNA instance configuration mode, use the following command:
redirect-url url title name

l url – Specifies the URL of the page shown to the newly authenticated client. The length is 1 to 255 characters. It can be an HTTP (http://) or an HTTPS (https://) address.

l title name – Specifies a description for the redirect page. The length is 1 to 31 characters.

To cancel URL redirection, in the ZTNA instance configuration mode, use the following command:
no redirect-url

URL Format

l For pages with UTF-8 encoding, type URL + username=$USER&password=$PWD, for example, http://www.abc.com/oa/login.do?username=$USER&password=$PWD.

l For pages with GB2312 encoding, type URL + username=$GBUSER&password=$PWD, for example, http://www.abc.com/oa/login.do?username=$GBUSER&password=$PWD.

l For other pages, type the URL only, for example, http://www.abc.com.

Note that with the $USER/$GBUSER and $PWD placeholders the user's credentials travel in the query string of a redirect, where they are exposed to browser history, proxies and the target server's access logs; use an HTTPS URL and restrict this form to target systems that cannot consume the ZTNA login any other way.
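The encoding distinction between $USER and $GBUSER is easiest to see in code. The following added Python example (not StoneOS code) renders a redirect-url template the way the placeholders above describe: the user name is percent-encoded in UTF-8 for $USER and in GB2312 for $GBUSER, and the password is percent-encoded so that characters such as & or = cannot break the query string. It also enforces the documented limits on the template (1 to 255 characters, http:// or https:// only). The function names are assumptions, and the user name and password used in the usage note are constructed.

```python
"""Added example (not StoneOS code): render the redirect-url template with the
$USER / $GBUSER / $PWD placeholders, percent-encoding the user name in UTF-8 or
GB2312 as the placeholder dictates and escaping the password.
Function names are assumptions."""
from urllib.parse import parse_qs, quote, urlsplit


def render_redirect_url(template, username, password):
    """Substitute the placeholders and return the URL the client is sent to.

    Raises ValueError if the template breaks the documented limits (1 to 255
    characters, http:// or https:// only) and UnicodeEncodeError if the
    user name cannot be represented in GB2312 when $GBUSER is used.
    """
    if not 1 <= len(template) <= 255:
        raise ValueError("redirect-url must be 1 to 255 characters")
    if urlsplit(template).scheme not in ("http", "https"):
        raise ValueError("redirect-url must start with http:// or https://")
    # safe="" makes quote() escape "/", "&", "=" and the rest as well
    url = template.replace("$GBUSER", quote(username, safe="", encoding="gb2312"))
    url = url.replace("$USER", quote(username, safe="", encoding="utf-8"))
    return url.replace("$PWD", quote(password, safe=""))


def query_value(url, key, encoding="utf-8"):
    """Decode one query parameter the way the target page would, given the
    page's character encoding; used to confirm the round trip."""
    return parse_qs(urlsplit(url).query, encoding=encoding)[key][0]
```

Rendering the UTF-8 template with the constructed user name 张三 and password p&w=1 gives username=%E5%BC%A0%E4%B8%89&password=p%26w%3D1; the GB2312 template yields a shorter, different encoding of the same name that only decodes correctly when the target page reads it as GB2312.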

Enabling/Disabling the Browser Download Function

With the browser download function, users can download the ZTNA client from the WebUI in a browser. By default, the function is enabled. When this function is disabled, the ZTNA client can only be downloaded from www.hillstonenet.com.cn.
To enable the function, in the ZTNA instance configuration mode, use the following command:
client-download-page enable
To disable the function, in the ZTNA instance configuration mode, use the following command:
client-download-page disable

Binding ZTNA Instance to a Tunnel Interface


A ZTNA instance takes effect only after it is bound to a tunnel interface.
To bind a ZTNA instance to a tunnel interface, in the tunnel interface configuration mode, use the following command:
tunnel ztna instance-name

l instance-name – Specifies the name of the ZTNA instance you want to bind.

To cancel the binding of a ZTNA instance, in the tunnel interface configuration mode, use the following command:
no tunnel ztna instance-name

Authentication with USB Key Certificate


The client can authenticate with a certificate stored on a USB Key. A USB Key that supports the Windows SDK (Certificate Store Functions) and holds a valid UKey certificate can pass authentication and connect to the server.
The following sections describe how to configure USB Key certificate authentication, including:

l Enabling USB Key certificate authentication

l Importing a CA certificate to a trust domain

l Configuring a trust domain

Enabling USB Key Certificate Authentication

By default, this function is disabled. To enable USB Key certificate authentication, in the ZTNA instance configuration mode, use the following command:
client-cert-authentication [usbkey-only]

l usbkey-only – Uses USB Key authentication only. If this parameter is not specified, Username/Password + USB Key authentication is used.

To disable the function, in the ZTNA instance configuration mode, use the following command:
no client-cert-authentication [usbkey-only]

Importing a CA Certificate to a Trust Domain

CA certificates can be imported in several ways, including downloading from an FTP or TFTP server or reading from a USB disk. To import a CA certificate, in the execution mode, use the following command:
import pki trust-domain trust-domain-name cacert from {ftp server ip-address [user user-name password password] | tftp server ip-address | usb0 | usb1} file-name

l trust-domain-name – Specifies the name of the PKI trust domain.

l ftp server ip-address [user user-name password password] – Specifies the IP address of the FTP server and the user name and password to log in with. If the server supports anonymous login, omit the user name and password.

l tftp server ip-address – Specifies the IP address of the TFTP server.

l usb0 | usb1 – Specifies the port into which the USB disk is plugged.

l file-name – Specifies the file name of the CA certificate.

Because FTP and TFTP do not protect the transfer, verify the imported CA certificate (for example, its fingerprint) against the value published by the CA before relying on it for client authentication.

Specifying a Trust Domain for the CA Certificate

USB Key certificate authentication requires a trust domain for the CA certificate. When the certificate presented by the client is issued by a CA in one of the configured trust domains, it passes authentication.
To specify a trust domain, in the ZTNA instance configuration mode, use the following command:
client-auth-trust-domain trust-domain

l trust-domain – Specifies a configured PKI trust domain for the CA certificate.

Repeat this command to add more trust domains. The system supports up to 10 trust domains.
To cancel a PKI trust domain for certificate authentication, in the ZTNA instance configuration mode, use the following command:
no client-auth-trust-domain trust-domain

Tips: For information on how to create a PKI trust domain, see PKI in User Authentication.

Configuring Two-Step Verification
Two-Step Verification means that when a ZTNA user logs in with a user name/password or a user name/password + digital certificate, the Hillstone device performs a second verification step by SMS authentication, token authentication or Email authentication after the user name and password have been entered. The user must enter the random verification code received in order to log in to the ZTNA server and access intranet resources.

Enabling/Disabling Two-Step Verification

The two-step verification function is disabled by default. To enable or disable two-step verification, in the ZTNA instance configuration mode, use the following commands:

l Enable: two-step verification enable

l Disable: two-step verification disable

Specifying the Type of Two-Step Verification

To specify the type of two-step verification, in the ZTNA instance configuration mode, use the following command:
two-step verification type {token | sms modem | sms service-provider | email}

l token – Uses token authentication for two-step verification.

l sms modem – Sends a short message through an SMS modem for two-step verification.

l sms service-provider – Sends a short message through an SMS gateway for two-step verification.

l email – Uses Email authentication for two-step verification.

Token Authentication

The system supports authentication with a token password at login and a user-defined prompt message for token authentication.

Configuring Prompt Message

To configure the prompt message for token authentication, in the ZTNA instance configuration mode, use the following command:
token-auth prompt-message message

l prompt-message message – Specifies the prompt message. The length is 1 to 255 characters.

SMS Authentication

SMS authentication means that when a ZTNA user logs in with a user name and password, the Hillstone device, through an SMS modem or an SMS gateway, sends a dynamically generated random password by SMS to the user's mobile phone number after the user name and password have been entered. The user must enter the random password received on the mobile phone in order to log in to the ZTNA server and access intranet resources. This section describes how to configure the global parameters of the SMS authentication function.

Notes: Not all platforms support SMS authentication.

Modem Authentication

The Hillstone device uses an external GSM modem. Before configuring the SMS authentication function, prepare a SIM card and a GSM modem, and connect the modem to the device properly: first insert the SIM card into the GSM modem, then connect the modem to the USB port of the device with a USB cable.
The following models of SMS modem are recommended:

Model                                         Type   Chip      Interface
GSM MODEM (M1206B, M1206B-FT and M1806-NC5)   GSM    WAVECOM   USB interface

The following sections introduce how to configure SMS authentication, including:

l Configuring a mobile phone number for SMS authentication

l Configuring expiration time of SMS authentication code

l Configuring the SMS authentication code length

l Configuring the SMS authentication code content

l Configuring a maximum SMS number

l Sending a test message

Configuring a Mobile Phone Number for SMS Authentication

ZTNA local users and AD users can authenticate with the SMS password sent by the system once the administrator has assigned them a mobile phone number.
To configure the phone number of a local user, in the user configuration mode, use the following command:
phone phone-number

l phone-number – Specifies the mobile phone number.

To cancel the number, in the user configuration mode, use the following command:
no phone
For an AD user, configure the mobile phone number in the mobile property of the user on the AD server.

Configuring Expiration Time of SMS Authentication Code

Each SMS authentication code has a validity period. If the user neither enters the authentication code within that period nor requests a new code, the ZTNA server disconnects the connection.
To configure the validity period of the SMS authentication code, in the ZTNA instance configuration mode, use the following command:
sms-auth expiration expiration

l expiration – Specifies the validity period. The range is 1 to 10 minutes. The default value is 10.

To restore the validity period to the default value, in the ZTNA instance configuration mode, use the following command:
no sms-auth expiration

Configuring the SMS Authentication Code Length

To specify the length of the SMS authentication code, in the ZTNA instance configuration mode, use the following command:
sms-auth verification-code-length length

l length – Specifies the length of the SMS authentication code. The range is 4 to 8 characters. The default value is 8.

To restore the code length to the default value, in the ZTNA instance configuration mode, use the following command:
no sms-auth verification-code-length

Configuring the SMS Authentication Code Content

To specify the content of the SMS authentication message, in the ZTNA instance configuration mode, use the following command:
sms-auth message-content content

l content – Specifies the SMS authentication message content. The input must contain "$USERNAME" (replaced with the user name) and "$VRFYCODE" (replaced with the verification code). The length is 9 to 500 characters.

To restore the message content to the default value, in the ZTNA instance configuration mode, use the following command:
no sms-auth message-content

Configuring a Maximum SMS Number

You can specify the maximum number of SMS messages the SMS modem sends per hour or per day. If the modem is asked to send more messages than the maximum, it rejects them and records a log.
To configure the maximum SMS number, in the global configuration mode, use the following command:
sms modem {num-per-hour | num-per-day} number

l {num-per-hour | num-per-day} number – Specifies the maximum number of SMS messages per hour or per day. The value range is 1 to 1000.

To remove the limit on the number of SMS messages sent by the SMS modem per hour or per day, in the global configuration mode, use the following command:
no sms modem {num-per-hour | num-per-day}
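The sms-auth expiration, sms-auth verification-code-length, sms-auth message-content and sms modem num-per-hour settings above interact at the moment a code is issued and checked. The following added Python example (not StoneOS code) ties them together: it validates the settings against the documented ranges, generates a code of the configured length from a cryptographic random source, renders the $USERNAME/$VRFYCODE template, enforces the hourly cap with a log entry on rejection, expires codes after the validity period, compares submitted codes in constant time and accepts each code only once. The class and method names, the injected clock, the default template and the log wording are assumptions.

```python
"""Added example (not StoneOS code): issue and check SMS verification codes
under the sms-auth settings (code length 4 to 8, validity 1 to 10 minutes,
a template that must carry $USERNAME and $VRFYCODE) and the hourly cap from
sms modem num-per-hour. Names, the injected clock and the log format are assumptions."""
import secrets
import time


class SmsAuthConfig:
    def __init__(self, code_length=8, expiration_minutes=10,
                 message_content="$USERNAME, your verification code is $VRFYCODE",
                 num_per_hour=None):
        if not 4 <= code_length <= 8:
            raise ValueError("verification-code-length must be 4 to 8")
        if not 1 <= expiration_minutes <= 10:
            raise ValueError("expiration must be 1 to 10 minutes")
        if "$USERNAME" not in message_content or "$VRFYCODE" not in message_content:
            raise ValueError("message-content must contain $USERNAME and $VRFYCODE")
        if not 9 <= len(message_content) <= 500:
            raise ValueError("message-content must be 9 to 500 characters")
        if num_per_hour is not None and not 1 <= num_per_hour <= 1000:
            raise ValueError("num-per-hour must be 1 to 1000")
        self.code_length = code_length
        self.expiration_seconds = expiration_minutes * 60
        self.message_content = message_content
        self.num_per_hour = num_per_hour


class SmsAuthenticator:
    def __init__(self, config, clock=time.time):
        self.config = config
        self.clock = clock                 # injectable so expiry can be tested deterministically
        self.pending = {}                  # username -> (code, expires_at)
        self.sent_at = []                  # send timestamps inside the last hour
        self.log = []                      # rejected sends, as the modem would log them

    def issue(self, username):
        """Generate a fresh code for username and return the message to send,
        or None when the hourly modem limit has been reached."""
        now = self.clock()
        self.sent_at = [t for t in self.sent_at if now - t < 3600]
        cap = self.config.num_per_hour
        if cap is not None and len(self.sent_at) >= cap:
            self.log.append("sms modem: hourly limit %d reached, message to %s rejected" % (cap, username))
            return None
        # secrets, not random: the code must be unpredictable
        code = "".join(secrets.choice("0123456789") for _ in range(self.config.code_length))
        self.pending[username] = (code, now + self.config.expiration_seconds)  # replaces any older code
        self.sent_at.append(now)
        return self.config.message_content.replace("$USERNAME", username).replace("$VRFYCODE", code)

    def verify(self, username, code):
        """Return True once for the right code inside its validity period."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        expected, expires_at = entry
        if self.clock() > expires_at:
            del self.pending[username]     # expired: the user must request a new code
            return False
        if not secrets.compare_digest(expected.encode(), code.encode()):
            return False                   # constant-time comparison of the codes
        del self.pending[username]         # single use
        return True
```

With a 6-digit code, a 2-minute validity and a cap of two messages per hour, the third issue() within the hour returns None and leaves a log entry, a code verifies exactly once, and a code checked 121 seconds after issue is refused as expired.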

Sending a Test Message

To test whether the device works properly, you can send a test message to a phone number.
To send a test message, in any mode, use the following command:
exec sms send test-message to phone-number

l phone-number – Specifies the phone number that receives the test message. The length is 6 to 16 characters.

If the phone with the test number does not receive the test message, the system records a log describing the reason for the failure.

Viewing SMS Modem Settings

To view the configuration of an SMS modem, in any mode, use the following command:
show sms modem

SMS Gateway Authentication

The Hillstone device can send a short message to users through an SMS gateway or another proxy server after the user name and password have been entered. Before configuring the function, ask the supplier for the necessary information, such as the gateway address and the device ID that sends the short messages.
SMS gateway authentication configuration includes:

1. Create a Service Provider (SP) instance.

2. Bind the SP instance to a configured ZTNA instance, and enable the SMS gateway authentication function.

Specifying the Default Protocol Type of SMS Gateway

The SMS gateway protocol types supported by the device are SGIP, UMS, ACC, ALIYUNSMS, XUANWU, CAS, BEIKE and HTTP(S). SGIP indicates the SGIP protocol of China Unicom. UMS indicates the enterprise information platform of China Unicom. ACC indicates the ACC protocol of China Telecom. ALIYUNSMS indicates the SMS service platform of Alibaba Cloud. XUANWU indicates the Xuanwu Technology SMS service platform. CAS indicates the 12302 SMS service platform. BEIKE indicates the BEIKE SMS gateway. HTTP(S) indicates the HTTP/HTTPS protocol. To specify the default protocol type of the SMS gateway, in the global configuration mode, use the following command:
sms service-provider default-protocol {sgip | ums | acc | aliyunsms | xuanwu | cas | beike | http(s)}

l sgip | ums | acc | aliyunsms | xuanwu | cas | beike | http(s) - Specifies the default protocol
type of the SMS gateway that the SP instance is running. SGIP indicates the SGIP protocol of
China Unicom. UMS indicates the enterprise information platform of China Unicom. ACC indicates
the ACC protocol of China Telecom. ALIYUNSMS indicates the SMS service platform of
Alibaba Cloud. XUANWU indicates the Xuanwu Technology SMS service platform. CAS
indicates the 12302 SMS service platform. BEIKE indicates the BEIKE SMS gateway. http(s)
indicates the HTTP/HTTPS protocol.

In the global configuration mode, use the command no sms service-provider default-protocol to
cancel the specified default protocol type.

Creating an SP Instance

To create an SP instance, use the following command in the global configuration mode:
sms service-provider sp-name [protocol {sgip | ums | acc | aliyunsms | xuanwu | cas | beike | http(s)}]

l sp-name - Specifies the SP instance name. The value range is 1 to 31.

l protocol {sgip | ums | acc | aliyunsms | xuanwu | cas | beike | http(s)} - Specifies the protocol
of the SMS gateway that the SP instance is running. SGIP indicates the SGIP protocol of China
Unicom. UMS indicates the enterprise information platform of China Unicom. ACC indicates
the ACC protocol of China Telecom. ALIYUNSMS indicates the SMS service platform of Alibaba
Cloud. XUANWU indicates the Xuanwu Technology SMS service platform. CAS indicates
the 12302 SMS service platform. BEIKE indicates the BEIKE SMS gateway. http(s) indicates the
HTTP/HTTPS protocol.

This command creates an SP instance and leads you into the SP instance configuration mode; if
the instance exists, you will enter the SP instance configuration mode directly. The system supports
at most eight SP instances now.
In the global configuration mode, use the following command to delete the specified SP instance:
no sms service-provider sp-name

You can perform the following configurations in the SP instance configuration mode:

l Specifying the VRouter

l Specifying the Request Method

l Specifying the Charset

l Specifying the UMS/ACC/ALIYUNSMS/CAS/BEIKE Protocol

l Specifying the URL

l Specifying the Success Code

l Specifying the Attributes

l Specifying the Gateway Address and Port Number

l Specifying the Number to Send Auth-message

l Specifying the Device ID

l Specifying the User Name and Password

l Specifying the Template Parameter

l Specifying a Maximum SMS Number

l Specifying the Company Code

l Specifying the AccessKeyId

l Specifying the AccessKeySecret

l Specifying Instance of SMS Gateway

l Specifying the Sender Name or Sign Name

l Specifying the Template Code

l Specifying the Request Type

l Specifying the Organization Code

l Specifying the SMS Service Type

l Specifying the Trading Code

l Specifying the Channel

l Sending a Test Message

l Enabling/Disabling the Sending Sign Code Function

Specifying the VRouter

The system supports multiple VRouters, and the default VRouter is trust-vr. To specify the VRouter
which the SP belongs to, use the following command in the SP instance configuration mode:
vrouter {trust-vr | vr-name}

l trust-vr - Specifies the VRouter as trust-vr.

l vr-name – Specifies a created VRouter.

In the SP instance configuration mode, use the following command to restore the default
VRouter:
no vrouter

Specifying the Request Method

When the HTTP(S) protocol type is specified for the SP instance, you can specify the request
method of HTTP(S). The default request method is POST. To specify the request method, in the
SP instance configuration mode, use the following command:
request-type [get | post]

l get – Specifies the request method of HTTP(S) as GET.

l post – Specifies the request method of HTTP(S) as POST.

To restore the default request type, use the command no request-type.

Specifying the Charset

When the HTTP(S) protocol type is specified for the SP instance, you can specify the charset of
HTTP(S). The default charset is UTF-8. To specify the charset, in the SP instance configuration
mode, use the following command:
charset [utf-8 | gbk]

l utf-8 – Specifies to use UTF-8 to encode the content of the authentication message.

l gbk – Specifies to use GBK to encode the content of the authentication message.

To restore the default charset, use the command no charset.

Specifying the UMS/ACC/ALIYUNSMS/CAS/BEIKE Protocol

To specify the protocol of UMS, ACC, ALIYUNSMS, BEIKE or CAS, in the SP instance configuration
mode, use the following command:
protocol {http | https}

l http | https – Specifies the protocol type as HTTP or HTTPS. The default protocol of UMS,
BEIKE and CAS is HTTPS. The default protocol of ACC and ALIYUNSMS is HTTP.

In the SP instance configuration mode, use the following command to restore the default protocol
type:
no protocol

Specifying the URL

When the HTTP(S) protocol type is specified for the SP instance, you can specify the URL of
HTTP(S). You need to enter a complete access path. The system communicates with the SMS
gateway based on the specified URL address. To specify the URL address, in the SP instance
configuration mode, use the following command:
url url-string

l url-string – Specifies the URL address of the SMS gateway, such as "http(s)://1.1.1.1". The
range is 1 to 255 characters.

To delete the specified URL address, use the command no url.

Specifying the Success Code

When the HTTP(S) protocol type is specified for the SP instance, you can specify the success
code of HTTP(S). The success code is used to determine whether the SMS gateway successfully sent
an authentication message. The SMS gateway sends an authentication message to the mobile
phone and, when completed, sends a message containing the status code to the system. If
the message contains the specified success code, the system judges that the authentication
message has been sent successfully. For example, if an SMS gateway sent an authentication message
successfully, the status code returned is "OK: 325689", and if it failed, the status code
returned is "ERROR: eUser". In this instance, you can specify the success code as "OK". When
the system receives a message sent by the SMS gateway, it determines whether the message contains
"OK". If the message contains the specified success code, it means that the SMS gateway
has sent the message successfully. To specify the success code, in the SP instance configuration
mode, use the following command:
success-code string

l string – Specifies the success code. The range is 1 to 50 characters. Different SMS gateways
return different status codes. Refer to the status codes in the SMS gateway manual.

To delete the specified success code, use the command no success-code.

Specifying the Attributes

When the HTTP(S) protocol type is specified for the SP instance, you can configure attributes
to communicate with the SMS gateway. Attributes include the parameter name of the mobile
number field, the parameter name of the message content field, the password field, the username
field, etc. You can configure up to 32 attributes. The parameter name of the mobile number
field and the parameter name of the message content field are default attributes and must be
specified.
To specify the parameter name of the mobile number field and the parameter name of the message
content field, in SP instance configuration mode, use the following command:
default-attribute {phone-attr-name phone-attr-name | msg-content-attr-name msg-content-name}

l phone-attr-name phone-attr-name – Specifies the parameter name of the mobile number
field, such as phone. This is a default attribute and the range is 1 to 400 characters.

l msg-content-attr-name msg-content-name – Specifies the parameter name of the message
content field, such as msg. This is a default attribute and the range is 1 to 400 characters.

When the SMS gateway and the system communicate, the SMS gateway obtains the parameter
values of the mobile number field and the message content field from the system under these
parameter names. To delete the parameter name of the specified mobile number field and the
parameter name of the message content field, use the command no default-attribute {phone-attr-name |
msg-content-attr-name}.
To specify the password parameter used to log in to the SMS gateway, which is an optional attribute,
in SP instance configuration mode, use the following command:
password-attribute password-name password-value

l password-name – Specifies the parameter name of the password, such as password. The
range is 1 to 20 characters.

l password-value – Specifies the parameter value of the password, such as 123456. The
range is 2 to 255 characters.

To delete the specified password parameters, use the command no password-attribute.

To specify the username parameter used to log in to the SMS gateway, which is an optional attribute,
in SP instance configuration mode, use the following command:
user-attribute user-name user-value

l user-name – Specifies the parameter name of the username, such as username. The range is
1 to 20 characters.

l user-value – Specifies the parameter value of the username, such as user1. The range is 2 to
255 characters.

To delete the specified username parameters, use the command no user-attribute.
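The following is an added example, not StoneOS code, modelling how an HTTP(S)-type SP instance built from the request-type, charset, url, default-attribute, user-attribute, password-attribute and success-code settings above could assemble its gateway request and judge the reply. The gateway hostname and the placement of the optional attributes as extra form fields are assumptions; the success-code check is the containment test the text describes.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode


@dataclass
class HttpSpInstance:
    """Settings of one SP instance whose protocol is http(s); names follow the CLI."""
    url: str                                          # url <url-string>, 1 to 255 chars
    phone_attr_name: str                              # default-attribute phone-attr-name
    msg_content_attr_name: str                        # default-attribute msg-content-attr-name
    success_code: str                                 # success-code <string>, 1 to 50 chars
    request_type: str = "post"                        # request-type [get | post], default post
    charset: str = "utf-8"                            # charset [utf-8 | gbk], default utf-8
    user_attr: Optional[Tuple[str, str]] = None       # user-attribute user-name user-value
    password_attr: Optional[Tuple[str, str]] = None   # password-attribute password-name password-value

    def validate(self) -> None:
        """Apply the ranges the CLI reference gives for each setting."""
        if not 1 <= len(self.url) <= 255:
            raise ValueError("url must be 1 to 255 characters")
        for name in (self.phone_attr_name, self.msg_content_attr_name):
            if not 1 <= len(name) <= 400:
                raise ValueError("default attribute names must be 1 to 400 characters")
        if not 1 <= len(self.success_code) <= 50:
            raise ValueError("success code must be 1 to 50 characters")
        if self.request_type not in ("get", "post"):
            raise ValueError("request-type must be get or post")
        if self.charset not in ("utf-8", "gbk"):
            raise ValueError("charset must be utf-8 or gbk")
        for attr in (self.user_attr, self.password_attr):
            if attr is not None and not (1 <= len(attr[0]) <= 20 and 2 <= len(attr[1]) <= 255):
                raise ValueError("attribute name must be 1 to 20 and value 2 to 255 characters")

    def build_request(self, phone: str, message: str) -> Tuple[str, str, Dict[str, str], bytes]:
        """Return (method, url, headers, body) for one authentication message.

        The phone number and message text are sent under the configured parameter
        names; the optional username/password attributes are appended as further
        form fields (an assumption: the real field layout is defined by the gateway).
        """
        self.validate()
        params = {self.phone_attr_name: phone, self.msg_content_attr_name: message}
        for attr in (self.user_attr, self.password_attr):
            if attr is not None:
                params[attr[0]] = attr[1]
        # urlencode percent-encodes values in the selected charset, so a GBK
        # instance emits GBK bytes and a UTF-8 instance emits UTF-8 bytes.
        encoded = urlencode(params, encoding=self.charset)
        if self.request_type == "get":
            return "GET", f"{self.url}?{encoded}", {}, b""
        headers = {"Content-Type": f"application/x-www-form-urlencoded; charset={self.charset}"}
        return "POST", self.url, headers, encoded.encode("ascii")

    def message_sent(self, gateway_reply: str) -> bool:
        """The documented check: the reply counts as success if it contains the code."""
        return self.success_code in gateway_reply


def is_valid(sp: HttpSpInstance) -> bool:
    """True when every setting is inside its documented range."""
    try:
        sp.validate()
    except ValueError:
        return False
    return True


def decode_body(body: bytes, charset: str) -> Dict[str, str]:
    """Decode a form body back into {name: value} using the instance charset."""
    return {k: v[0] for k, v in parse_qs(body.decode("ascii"), encoding=charset).items()}


if __name__ == "__main__":
    # Constructed sample configuration; the gateway hostname is a placeholder.
    sp = HttpSpInstance(
        url="https://sms-gateway.example.invalid/send",
        phone_attr_name="phone", msg_content_attr_name="msg", success_code="OK",
        request_type="get", user_attr=("username", "user1"), password_attr=("password", "123456"),
    )
    print(sp.build_request("13800000000", "code 4711")[1])
    # Constructed replies: the first two are the page's examples; the third shows that
    # a containment check also matches "OK" inside an unrelated word such as TOKEN.
    for reply in ("OK: 325689", "ERROR: eUser", "ERROR: TOKEN_EXPIRED"):
        print(reply, "->", sp.message_sent(reply))
```

Because the check is a containment test, choose a success code that cannot occur inside any failure reply of your gateway (the third constructed reply above would be counted as success with "OK").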

Specifying the Gateway Address and Port Number

To specify the gateway address and port number, in the SP instance configuration mode, use the
following command:
gateway {host hostname | ip ip-address} [port port-number]

l host hostname - Specifies the host name of the gateway. The range is 1 to 31 characters.

l ip ip-address - Specifies the IP address of the gateway.

l port port-number - Specifies the port number of the gateway. When the protocol type is specified
as "SGIP", the default port number is 8801. When the protocol type is specified as
"ACC", the default port number is 80. When the protocol type is specified as "UMS", the
default port number is 9600. When the protocol type is specified as "XUANWU" or "CAS",
the default port number is 8080.

If you execute this command multiple times, the latest configuration takes effect.
In the SP instance configuration mode, use the following command to delete the gateway address
and restore the default port number:
no gateway {host | ip}

Specifying the Template Parameter

To specify the template parameter of BEIKE SMS gateway, in the SP instance configuration
mode, use the following command:
template value

l value – Specifies the template parameter of the BEIKE SMS gateway. The length is 1 to 64 characters.

In SP instance configuration mode, use the following command to delete the template parameter
of BEIKE SMS gateway:
no template

Enabling/Disabling the Sending Sign Code Function

When this function is enabled, the ACC SMS gateway will add a sign code field when sending a
request to the ACC server, which will prevent the content of the SMS from being tampered with.
In the SP instance configuration mode, use the following command to enable the sending sign
code function:
sign enable
In the SP instance configuration mode, use the following command to disable the sending sign
code function:
no sign enable

Specifying the Number to Send Auth-message

When the SP instance uses the SGIP type SMS gateway, after enabling the SMS Authentication
function, the system will send an Auth-message to the mobile phone number. In the SP instance
configuration mode, use the following command to set the number:
source-number phone-number

l phone-number – Specifies the user's phone number. The range is 1 to 21 characters.

In the SP instance configuration mode, use the following command to cancel the specification of
user's phone number:
no source-number

Specifying the Device ID

When the SP instance uses the SGIP type SMS gateway, you have to ask your supplier to provide
the device ID of SP, which sends the SMS messages. In the SP instance configuration mode, use
the following command to specify the device ID:
device-code code-number

l code-number - Specifies the device ID. The range is 1 to 4294967295.

In the SP instance configuration mode, use the following command to cancel the device ID spe-
cification:
no device-code

Specifying the User Name/User ID and Password

To specify the user name/user ID and password, in the SP instance configuration mode, use the
following command:
user {username | userid} password password

l username | userid – Specifies the user name or user ID to log in to the SMS gateway. When the
protocol type is specified as "UMS", "SGIP" or "CAS", the range is 1 to 64 characters. When the
protocol type is specified as "XUANWU", the range is 1 to 6 characters.

l password – Specifies the password for the user. When the protocol type is specified as
"UMS", "SGIP" or "CAS", the range is 1 to 64 characters. When the protocol type is specified
as "XUANWU", the range is 1 to 6 characters.

In SP instance configuration mode, use the following command to cancel the specification of user
name/user ID and password:
no user

Specifying a Maximum SMS Number

When the SP instance uses the SGIP or UMS type SMS gateway, you can specify the maximum
number of SMS messages sent by the SMS gateway per hour or per day. To configure the maximum
SMS number, in the SP instance configuration mode, use the following command:
{num-per-hour | num-per-day} number

l number – Specifies the maximum number of SMS messages per hour or per day. The value
range is 0 to 65535.

In the SP instance configuration mode, use the following command to cancel the maximum number:
no {num-per-hour | num-per-day}

Specifying the Company Code

When the SP instance uses the UMS protocol type, users can specify the enterprise code
registered on the UMS platform. In the SP instance configuration mode, use the following command:
spcode spcode-number

l spcode-number - Specifies the company code. The range is 1 to 31 digits.

In the SP instance configuration mode, use the following command to cancel the company code:
no spcode

Specifying the AccessKeyId

If the protocol of the SMS gateway that the SP instance is running is ALIYUNSMS, users must specify
the AccessKeyId, which will be used as the user name for authentication between the device
and the SMS gateway of Alibaba Cloud. To specify the AccessKeyId, in the SP instance configuration
mode, use the following command:
accesskeyid word

l word - Specifies the AccessKeyId. The range is 1 to 63 characters. This parameter should be
the same as the AccessKeyId applied in the SMS service of Alibaba Cloud.

In the SP instance configuration mode, use the no accesskeyid command to cancel the specified
AccessKeyId.

Specifying the AccessKeySecret

If the protocol of the SMS gateway that the SP instance is running is ALIYUNSMS, users must specify
the AccessKeySecret, which will be used as the password for authentication between the
device and the SMS gateway of Alibaba Cloud. To specify the AccessKeySecret, in the SP
instance configuration mode, use the following command:
accesskeysecret word

l word - Specifies the AccessKeySecret. The range is 1 to 31 characters. This parameter should
be the same as the AccessKeySecret applied in the SMS service of Alibaba Cloud.

In the SP instance configuration mode, use the no accesskeysecret command to cancel the specified
AccessKeySecret.

Specifying Instance of SMS Gateway

The SP instance needs to be bound to the ZTNA tunnel to take effect. To specify the SMS gateway
instance, in the ZTNA instance configuration mode, use the following command:
sms-auth service-provider sp-name

l sp-name – Specifies the name of the SP instance, which must be the created SP instance.
The value range is 1 to 31 characters.

Specifying the Sender Name or Sign Name

If the protocol of the SP instance bound to the ZTNA tunnel is SGIP, UMS or ACC, users can specify
a message sender name to display in the message content. If the protocol of the SP instance
bound to the ZTNA tunnel is ALIYUNSMS, users must specify the sign name applied in the SMS service
of Alibaba Cloud to display in the message content. To specify the sender name or sign name, in the
ZTNA instance configuration mode, use the following command:
sms-auth sms-sender-name sender-name

l sender-name – Specifies the sender name. The range is 1 to 63 characters. The sign name
should be the same as the sign name applied in the SMS service of Alibaba Cloud.

In the ZTNA instance configuration mode, use the following command to cancel the specified
sender name or sign name:
no sms-auth sms-sender-name

Notes: Due to the limitation of the UMS enterprise information platform, when the
SMS gateway authentication is enabled, the sender name will be displayed as the
name of the UMS enterprise information platform.

Specifying the Template Code

If the protocol of the SP instance bound to ZTNA tunnel is ALIYUNSMS, users must specify
the code of the SMS template applied in the SMS of Alibaba Cloud. To specify the template code,
in the ZTNA instance configuration mode, use the following command:
sms-auth sms-msg-templatecode word

l word – Specifies the template code. The range is 1 to 30 characters. This parameter should
be the same as the template code applied in the SMS service of Alibaba Cloud.

In the ZTNA instance configuration mode, use the following command to cancel the specified
template code:
no sms-auth sms-msg-templatecode

Specifying the Request Type

If the protocol of the SMS gateway that the SP instance is running is CAS, you can ask the 12302
SMS service platform for the request type. To specify the request type, in the SP instance
configuration mode, use the following command:
post-type post_type

l post_type –Specifies the request type. The range is 1 to 6 characters.

In the SP instance configuration mode, use the following command to cancel the request type:
no post-type

Specifying the Organization Code

If the protocol of the SMS gateway that the SP instance is running is CAS, you can ask the 12302
SMS service platform for the organization code. To specify the organization code, in the SP
instance configuration mode, use the following command:
orgcode orgcode

l orgcode – Specifies the organization code. The range is 1 to 31 characters.

In the SP instance configuration mode, use the following command to cancel the organization
code:
no orgcode

Specifying the SMS Service Type

If the protocol of the SMS gateway that the SP instance is running is CAS, you can ask the 12302
SMS service platform for the SMS service type. To specify the SMS service type, in the SP
instance configuration mode, use the following command:
smstype smstype

l smstype – Specifies the SMS service type. The range is 1 to 31 characters.

In the SP instance configuration mode, use the following command to cancel the SMS service
type:
no smstype

Specifying the Trading Code

If the protocol of the SMS gateway that the SP instance is running is XUANWU, you must ask the
Xuanwu Technology SMS service platform for the trading code. To specify the trading code, in
the SP instance configuration mode, use the following command:
trading-code trading-code

l trading-code – Specifies the trading code. The range is 1-7.

In the SP instance configuration mode, use the following command to cancel the trading code:
no trading-code

Specifying the Channel

If the protocol of the SMS gateway that the SP instance is running is XUANWU, you must ask the
Xuanwu Technology SMS service platform for the channel. To specify the channel, in the SP
instance configuration mode, use the following command:
channel channel-value

l channel-value – Specifies the channel. The range is a-z.

In the SP instance configuration mode, use the following command to cancel the channel:
no channel

Sending a Test Message

To test if the device works properly, you can send a test message to a phone number. To send a
test message, in any mode, use the following command:
exec sms sp sp-name send test-message to phone-number [test-msg-content content]

l sp-name – Specifies the SP name.

l phone-number – Specifies the phone number. The range is 6 to 16 characters.

l content – Specifies the content of the test message. The default value is "This is a test message,
please don't feedback!". The range is 1 to 64 characters.

If the phone with the test number does not receive the test message, the system records a log
with a description of the failure reason.

Viewing SMS Gateway Settings

To view the SMS gateway configurations, use the following command in any mode:
show sms service-provider [sp-name]

l sp-name – Specifies the SP instance name. If not specified, the system will show the configurations
of all SP instances that have already been created.

Viewing SMS Statistic Information

To view the statistics that indicate whether SMS messages failed or succeeded, use the following
command in any mode:
show tunnel ztna ztna-name smsp-statistice [clear]

l ztna-name – Specifies an existing ZTNA instance name.

l clear – Clear all the statistic information.

Email Authentication

Email Authentication means that when a ZTNA user logs in by providing a "username/password"
or a "username/password+Digital Certificate", the Hillstone device, through a mail server, can
automatically send an Email containing a random verification code to the user after the user name
and password are entered. The user must enter the random verification code received in order to
log in to the ZTNA server and access intranet resources.
Configurations of Email authentication on the ZTNA server include:

l Configuring the Email Address

l Specifying the Email Server

l Configuring the Verification Code Length

l Configuring the Lifetime of Email Verification Code

l Configuring the Sender Name

l Configuring the Email Verification Content

Configuring the Email Address

Users can receive the verification code via an Email address configured on a local server or a
RADIUS server.
When receiving the verification code via Email address configured on a local server, to configure
the Email address, in the user configuration mode, use the following command:
email email-address

l email-address - Specifies the Email address used to receive the verification code. The range is
1 to 127 characters.

In the user configuration mode, use the no email command to cancel the specified Email address.
When receiving the verification code via an Email address configured on a RADIUS server, users need
to configure the Email address on the RADIUS server. Take FreeRADIUS as an example (add the
attribute value of Hillstone-user-email in "etc/freeradius/users"):

"test1" Cleartext-Password := "123456"
        Login-LAT-Group = "radiusgroup1",
        Hillstone-user-type = 16,
        Hillstone-user-vsys-id = 0,
        Hillstone-user-login-type = 63,
        Hillstone-user-admin-privilege = 4294967295,
        Hillstone-user-email = "[email protected]"

Specifying the Email Server

To specify the existing Email server on which the Email address used to send the verification
code is configured, in the ZTNA instance configuration mode, use the following command:
email-auth smtp-server smtp-server-name

l smtp-server-name - Specifies the existing Email server. The range is 1 to 31 characters.

In the ZTNA instance configuration mode, use the no email-auth smtp-server command to cancel
the specified Email server.

Configuring the Verification Code Length

To specify the length of the Email verification code, in the ZTNA instance configuration mode,
use the following command:
email-auth verification-code-length length

l length - Specifies the length of the Email verification code. The range is 4 to 8 characters. The
default value is 8.

In the ZTNA instance configuration mode, use the no email-auth verification-code-length command
to restore the default value.

Configuring the Lifetime of Email Verification Code

Each Email verification code has a period of validity. If the user neither types the code within the
period nor applies for a new code, the ZTNA server will disconnect the connection.
To configure the lifetime of the Email verification code, in the ZTNA instance configuration
mode, use the following command:
email-auth expiration value

l value – Specifies the lifetime of the Email verification code. The range is 1 to 10 minutes.
The default value is 10.

In the ZTNA instance configuration mode, use the no sms-auth expiration command to restore
the default value.

Configuring the Sender Name

To specify a verification code sender name to display in the Email content, in the ZTNA instance
configuration mode, use the following command:
email-auth sender-name name

l name - Specifies a verification code sender name to display in the Email content. The range is
1 to 63 characters. In order to prevent the mail from being identified as spam, it is recommended
to configure the sender name.

In the ZTNA instance configuration mode, use the no email-auth sender-name command to
restore the default value.

Configuring the Email Verification Content

To specify the Email verification content, in the ZTNA instance configuration mode, use the fol-
lowing command:
email-auth message-content content

l content - Specifies the Email verification content. The input must contain "$USERNAME"
(This parameter is used to get the user name) and "$VRFYCODE" (This parameter is used to
get the verification code). The range is 18 to 128 characters. The default content is "ZTNA
user <$USERNAME> email verification code: $VRFYCODE. Do not reveal to anyone! If
you did not request this, please ignore it.".

In the ZTNA instance configuration mode, use the no email-auth message-content command to
restore the default content.

Configuring Single Packet Authorization (SPA)
Single Packet Authorization (SPA) is a universal access technology concept. Its main purpose is
to hide a host's port number, and therefore the service running on it. The system opens the
port only for packets carrying the expected information.
The ZTNA device supports enabling the SPA function to hide the ZTNA service IP address
and port number. The ZTNA client also needs to enable the SPA function and pass the authorization
before establishing a connection to the ZTNA device. After SPA is configured, the SPA process
for ZTNA users logging in through the ZTNA client is as follows:

1. The ZTNA client sends knock packets to the ZTNA device with the knock port number as the
destination port number.

2. The ZTNA device checks the destination IP address of the knock packets. If the destination IP
address is not a configured hidden IP address, the packet is discarded. If it is a configured hidden
IP address, the ZTNA device verifies the packet and generates a permit entry with the destination
IP address, destination port number and source IP address.

3. ZTNA client sends ZTNA connection requests.

4. ZTNA device checks the requested IP address and port number. If they are hidden IP
address and port number, ZTNA device will search for the matched permit entry. If a
matched permit entry is found, the connection request is accepted. Otherwise, the request
will be discarded.

Enabling/Disabling SPA

By default, the SPA function is disabled.
To enable or disable the SPA function, in the global configuration mode, use the following command:

l Enabling: spa enable

l Disabling: no spa enable

Configuring Local Knock Port

The local knock port is where the ZTNA device listens for knock packets. The default knock port is
60001.
To configure the local knock port number, in the global configuration mode, use the following
command:
spa knock-port port-number

l port-number - Specifies the local knock port number. The value range is 1025 to 65535. The
default value is 60001.

In the global configuration mode, use the following command to restore the default local knock
port number:
no spa knock-port

Configuring the Hidden IP and Port Number

The SPA function takes effect when it is enabled and configured with a hidden IP address and
port number. When SPA is disabled, or enabled but not configured with a hidden IP and port
number, the ZTNA device will not perform single packet authorization on clients, no matter
whether the clients have SPA enabled.
To configure the hidden IP address and port number, in the global configuration mode, use the
following command:
spa hide service-ip ip-address port port-number vrouter vrouter-name [description description]

l ip-address - Specifies the IPv4 address to be hidden.

l port-number - Specifies the port number to be hidden. The range is 1 to 65535.

l vrouter-name - Specifies the virtual router that the interface of the hidden IP address belongs
to.

l description - Specifies the description. The range is 1 to 63 characters.

Repeat this command to add more hidden IP address and port number pairs.
To delete the specified hidden IP address and port number, in the global configuration mode, use
the following command:
no spa hide service-ip ip-address port port-number vrouter vrouter-name

Viewing SPA Configuration Information

To view SPA configuration information, in any mode, use the following command:
show spa

Viewing SPA Permit Entries

To view SPA permit entries, in any mode, use the following command:
show spa-entry
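As an added example (not StoneOS code), the following models the four-step SPA flow and the spa enable, spa knock-port and spa hide service-ip settings described above, so that the effect of each setting on a knock and on a later connection request can be checked. How a knock packet is verified, and how it names the hidden port it opens, are not specified on the page and are assumptions here (an injected verifier callable and a service_port argument); the addresses are constructed TEST-NET values.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Callable, Dict, Set, Tuple

# A permit entry records (destination IP, destination port, source IP), as in step 2.
PermitEntry = Tuple[str, int, str]
# Assumed verifier signature: (source IP, destination IP, requested service port) -> accepted.
# The page only says the device "verifies" a knock; the actual check is not specified.
KnockVerifier = Callable[[str, str, int], bool]


@dataclass
class SpaGate:
    enabled: bool = False                  # spa enable / no spa enable; disabled by default
    knock_port: int = 60001                # spa knock-port; default 60001
    hidden: Dict[Tuple[str, int], str] = field(default_factory=dict)   # (ip, port) -> vrouter
    permits: Set[PermitEntry] = field(default_factory=set)

    def set_knock_port(self, port: int) -> None:
        """spa knock-port port-number (1025 to 65535)."""
        if not 1025 <= port <= 65535:
            raise ValueError("knock port must be 1025 to 65535")
        self.knock_port = port

    def hide(self, ip: str, port: int, vrouter: str) -> None:
        """spa hide service-ip ip-address port port-number vrouter vrouter-name."""
        IPv4Address(ip)                    # raises ValueError unless it is an IPv4 address
        if not 1 <= port <= 65535:
            raise ValueError("port must be 1 to 65535")
        self.hidden[(ip, port)] = vrouter

    def unhide(self, ip: str, port: int) -> None:
        """no spa hide service-ip ip-address port port-number vrouter vrouter-name."""
        self.hidden.pop((ip, port), None)

    def active(self) -> bool:
        """SPA is performed only when enabled AND at least one hidden IP/port is configured."""
        return self.enabled and bool(self.hidden)

    def on_knock(self, src_ip: str, dst_ip: str, dst_port: int,
                 service_port: int, verify: KnockVerifier) -> bool:
        """Steps 1 and 2: a knock to the knock port on a hidden IP that verifies
        creates a permit entry; anything else is discarded (returns False)."""
        if not self.active() or dst_port != self.knock_port:
            return False
        if not any(ip == dst_ip for ip, _ in self.hidden):
            return False                   # destination is not a hidden IP: discarded
        if not verify(src_ip, dst_ip, service_port):
            return False                   # knock failed verification
        self.permits.add((dst_ip, service_port, src_ip))
        return True

    def on_connect(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Steps 3 and 4: decide whether a ZTNA connection request is accepted."""
        if not self.active():
            return True                    # no SPA is performed, whatever the client does
        if (dst_ip, dst_port) not in self.hidden:
            return True                    # not a hidden IP/port: SPA does not apply
        return (dst_ip, dst_port, src_ip) in self.permits


def simulate() -> Dict[str, bool]:
    """Walk the documented flow with constructed addresses (TEST-NET ranges)."""
    gate = SpaGate(enabled=True)
    gate.hide("203.0.113.10", 443, "trust-vr")
    # Assumed verifier: the knock is accepted when it names a configured hidden service.
    verifier: KnockVerifier = lambda src, dst, port: (dst, port) in gate.hidden
    return {
        "knock_hidden_ip": gate.on_knock("198.51.100.5", "203.0.113.10", 60001, 443, verifier),
        "knock_other_ip": gate.on_knock("198.51.100.5", "203.0.113.99", 60001, 443, verifier),
        "knock_wrong_port": gate.on_knock("198.51.100.5", "203.0.113.10", 60002, 443, verifier),
        "knock_unhidden_service": gate.on_knock("198.51.100.7", "203.0.113.10", 60001, 8443, verifier),
        "connect_after_knock": gate.on_connect("198.51.100.5", "203.0.113.10", 443),
        "connect_without_knock": gate.on_connect("198.51.100.6", "203.0.113.10", 443),
        "connect_unhidden_port": gate.on_connect("198.51.100.6", "203.0.113.10", 8443),
    }


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name}: {'accepted' if accepted else 'discarded'}")
```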

Managing Endpoint Tag Logs
The system supports management of endpoint tag logs by using the endpoint tag log function.

Enabling/Disabling Endpoint Tag Log

By default, the endpoint tag log function is enabled.
To enable or disable the endpoint tag log function, in the global configuration mode, use the
following command:

l Enable: logging endpoint-tag on

l Disable: no logging endpoint-tag on

Clearing Endpoint Tag Logs

To clear endpoint tag logs, in the global configuration mode, use the following command:
clear logging endpoint-tag

Sending Endpoint Tag Logs

After the endpoint tag logging function is enabled, the system will send the endpoint tag logs to
the memory buffer by default. You can configure the system to send them to other destinations as
required. You can configure multiple destinations.
To configure the system to send endpoint tag logs to the specified destination, in the global con-
figuration mode, use the following command:
logging endpoint-tag to {console | syslog | localdb | buffer [size buffer-size] }

l console - Sends the endpoint tag logs to the console.

l syslog - Sends the endpoint tag logs to the syslog server. For configuration information about
the syslog server, refer to Configuring a Syslog Server.

• localdb - Sends the endpoint tag logs to the local database (on A and K series with hard-disk
card installed). Only platforms installed with hard disks support this parameter.

• buffer - Sends the endpoint tag logs to the memory buffer.

• size buffer-size - Specifies the memory buffer size for storing the endpoint tag logs, in bytes.
The range is 4096 to 2097152. The default value is 2097152.

To disable the system from sending endpoint tag logs to the specified destination, in the global
configuration mode, use the following command:
no logging endpoint-tag to {console | syslog | localdb | buffer}

Configuring Disk Storage Space Threshold

When configuring the system to send endpoint tag logs to the hard disk, you can configure a
threshold for the space size occupied by the sent logs. In the global configuration mode, use the
following command:
storage threshold log endpoint-tag percent

• percent - Specifies the threshold for the disk space size occupied by the sent logs. The range
is 0.01 to 90, in percent. The default value is 1. When the disk space occupied by endpoint
tag logs exceeds the specified threshold, the system will either overwrite the earliest logs or stop
sending new logs to the disk, depending on the configuration of the storage threshold percent
command.

Configuring the Quota of Endpoint Tag Log Buffer

After configuring the system to send endpoint tag logs to the memory buffer, you can specify the reserved
buffer quota and maximum buffer quota for endpoint tag logs in a VSYS by creating a VSYS profile.
The reserved quota is the memory buffer size reserved for the endpoint tag logs; the maximum
quota is the maximum memory buffer size available to the endpoint tag logs. The root
administrator has the permission to create VSYS profiles. If the logs' capacity in a VSYS exceeds
its maximum quota, the new logs will overwrite the earliest logs in the buffer.

To configure the quota of buffer for endpoint tag logs, in the VSYS profile configuration mode,
use the following command:
log endpoint-tag buffer-size max max-num reserve reserve-num

• max max-num reserve reserve-num – Specifies the maximum quota (max max-num) and
reserved quota (reserve reserve-num) of endpoint tag logs in a VSYS. The range of the reserved
quota or maximum quota varies by platform. The reserved quota should not
exceed the maximum quota.

For information about VSYS profile configuration, refer to Creating a VSYS Profile.

Viewing Endpoint Tag Logs

To view endpoint tag logs, in any mode, use the following command:
show logging endpoint-tag

ZTNA Portal
After a ZTNA user logs in, the user terminal opens the ZTNA portal page in the
default browser, displaying the application resources to which the user is granted access and those
to which access is not granted.

• When the user's authentication information and endpoint tag match a ZTNA policy whose
action is Permit, the user is granted access to the application resources bound to this policy.

• When the user's authentication information matches the ZTNA policy but the endpoint tag
does not match the ZTNA policy, the user is not granted access to the application resources
bound to this policy.

For an application resource to which a user is granted access, the user can click the application
resource icon on the ZTNA Portal page to switch to the desired URL address. Or, the user can
copy the URL address to a browser to access the application resource. For an application resource
to which a user is not granted access, the user can view the reason.
The ZTNA portal page does not display the following application resources:

• Application resources that the user is not allowed to access

• Application resources that the user is allowed to access, but no hyperlink is specified when
the application resource is defined

After the ZTNA Portal page is closed, the user can select "Application Resource List" from the
ZTNA client menu to obtain the ZTNA Portal page again.

Other Configurations

Force Disconnecting a ZTNA User

The ZTNA server can forcibly disconnect a user.

To kick out a ZTNA user, in any mode, use the following command:
exec ztna instance-name kickout user-name

• instance-name – Specifies the name of the ZTNA instance.

• user-name – Specifies the name of the user to be kicked out of the server.

To kick out all ZTNA users, in any mode, use the following command:
exec ztna instance-name kickout-all-user

• instance-name - Specifies the name of the ZTNA instance.

Configuring Change Password URL of the Client

The system can redirect the client user to a specified page for changing the password, through a
URL configured for the client.
To configure the change password URL, in the ZTNA instance configuration mode, use the fol-
lowing command:
change-password-url url

• url – Specifies the URL address to which the user is redirected to change the password. The
range is 1 to 255 characters.

To cancel the configuration, use the following command:
no change-password-url

Configuring Forgot Password URL of the Client

The system can redirect the client user to a specified page for resetting the password, through a
configured URL.
To configure the forgot password URL, in the ZTNA instance configuration mode, use the fol-
lowing command:
forgot-password-url url

• url – Specifies the URL address to which the user is redirected to reset the password. The
range is 1 to 255 characters.

To cancel the configuration, use the following command:
no forgot-password-url

Configuring Client Auto-Connection

The client can be configured to automatically reconnect when the connection terminates.
To configure client auto-connection, in the ZTNA instance configuration mode, use the fol-
lowing command:
client-auto-connect count {number | unlimited}

• number | unlimited - Specifies the number of reconnection attempts. number specifies a value in
the range 0 to 1024. unlimited means the client does not automatically reconnect. The default
value is "unlimited".

To restore to the default value, in the ZTNA instance configuration mode, use the following com-
mand:
no client-auto-connect

General Configuration

The following configurations are shared by ZTNA and SSL VPN. The configurations take effect
on both ZTNA and SSL VPN.

• Configuring SSL Cipher Suite

• Allowing Password Change by Local Users

• Customizing Client Download Source

• Customizing the Background Picture of Client Download Page

• Configuring Upgrade URL for Windows Type Client

• Customizing the Page Title

Configuring SSL Cipher Suite

To configure the SSL cipher suite, in the global configuration mode, use the following command:
secure-connect ssl-cipher-list string

• string - Specifies the SSL cipher suite list. The default is
"ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4".

To restore to the default SSL cipher suite list, in the global configuration mode, use the following
command:
no secure-connect ssl-cipher-list

Allowing Password Change by Local Users

By default, a local user is not allowed to change its password, but you can configure the device
to grant local users the right to change their password after they pass SSL VPN or ZTNA authentication.
To enable/disable the right for local users to change the login password, in the password control
mode, use the following command:

• Enable: allow-pwd-change

• Disable: no allow-pwd-change

Tip: Secure Connect client of version 1.2.0.1106 and later allows the local users
to change password. Therefore, it's advised to use the latest Secure Connect cli-
ent.

When the server allows the client user to change password, the user can change login password
after passing SSL VPN or ZTNA authentication by the following steps:

1. Right-click the client icon in the notification area of the task bar at the bottom-right corner, and
a menu appears.

2. Click Changing Password and type current password and new password into the cor-
responding boxes.

3. Click OK to save the changes.

Customizing Client Download Source

End users can download Secure Connect clients at the following addresses:

• Client download address on the device: https://IP-Address:Port-Number. The "IP-Address"
and "Port-Number" refer to the IP address of the egress interface and HTTPS port number
specified in the configuration of the SSL VPN or ZTNA instance.

• Client download address provided by Hillstone Networks Official Website:
https://www.hillstonenet.com/more/services/product-downloads/.

By default, the client download source on the device is the same as that on the Hillstone Networks
Official Website. In the application scenario where you want end users to download and use spe-
cific Secure Connect clients, such as a client of a specified version or a customized client, you
can import the client into the system to overwrite the default download source on the device.
You can import Windows, macOS and Linux type clients.
To import the client file from a server, in the execution configuration mode, use the following
command:
import secure-connect client {windows | linux | macos} from { {ftp | ftps | sftp} server ip-
address [vrouter vrouter-name] [user user-name password password] | tftp server ip-address |
usb0 | usb1} file-name

• {ftp | ftps | sftp} server ip-address [vrouter vrouter-name] [user user-name password password]
– Specifies that the client file is imported from an FTP/FTPS/SFTP server. Type the
IP address of the FTP/FTPS/SFTP server, virtual router name, username and password (skip
if the server can be logged in to anonymously).

• tftp server ip-address - Specifies that the client file is imported from a TFTP server and spe-
cifies the TFTP server address.

• usb0 | usb1 - Specifies that the client file is imported from the USB disk plugged into the USB0 or
USB1 port.

• file-name – Specifies the client file. The system will check the imported file. It is recom-
mended to import a client file downloaded from Hillstone Networks Official Website and
keep the file name unchanged. Otherwise, the import might fail.

You can delete the imported client file. After deletion, the download source will be restored to
the default source. In the execution configuration mode, use the following command to delete the
imported client file:
exec secure-connect client {windows | linux | macos} delete

Viewing Secure Connect Client Information

In any mode, use the following command to view the information of Secure Connect clients
saved in the system:
show secure-connect client-info [windows | linux | macos]

Customizing the Background Picture of Client Download Page

You can customize the title and background of the client download page on the device. The default
download page is shown as below:

To import the background picture from a server, in the execution configuration mode, use the fol-
lowing command:
import customize secure-connect download-webpage-background-picture from { {ftp | ftps |
sftp} server ip-address [vrouter vrouter-name] [user user-name password password] | tftp server
ip-address | usb0 | usb1} file-name

• {ftp | ftps | sftp} server ip-address [vrouter vrouter-name] [user user-name password password]
– Specifies that the background picture is imported from an FTP/FTPS/SFTP server.
Type the IP address of the FTP/FTPS/SFTP server, virtual router name, username and pass-
word (skip if the server can be logged in to anonymously).

• tftp server ip-address - Specifies that the background picture is imported from a TFTP server and
specifies the TFTP server address.

• usb0 | usb1 - Specifies that the background picture is imported from the USB disk plugged into the
USB0 or USB1 port.

• file-name – Specifies the picture name and picture format. The picture must be in PNG
format, the recommended resolution is 1920 x 1080, and the picture size must be less
than 2 MB.

To restore to the default background picture, in any mode, use the following command:
exec customize secure-connect download-webpage-background-picture default

Configuring Upgrade URL for Windows Type Client

The Windows type client checks for and downloads the new version by using the configured upgrade
URL. The system has a default URL that links to the official upgrade server, and this URL cannot
be deleted. To configure the upgrade URL, use the following command in the global con-
figuration mode:
secure-connect update-url ip-address

• ip-address – To use an intranet server to check for and download the new version, enter the
URL of the intranet server. You need to deploy the new version on this intranet server.

To use the default URL that links to the official upgrade server, use the following command in
the global configuration mode:
no secure-connect update-url
To view the default URL that links to the official upgrade server, use the following command in
any mode:
show secure-connect update-url

Notes:

• When the client version is 1.4.4.1199 or below and the StoneOS version is
5.5R1 or above, it is recommended to uninstall the previous client and log in to
the Web page to re-install it.

• If you want the end users to download the Windows type client carried in the
system image, configure the command secure-connect update-url localhost.

• After you import a Windows type client file using the import secure-connect
client command, the secure-connect update-url configuration will not take
effect.

Customizing the Page Title

By default, the title of the client download page is "Hillstone Secure Connect". To customize the
title of the client download page, in the global configuration mode, use the following command:
secure-connect download-web-page-title title

• title - Specifies the title of the client download page. The length is 1 to 63 characters.

To delete the customized title of client download page, use the following command in the global
configuration mode. After the customized title is deleted, no title will be displayed on the client
download page.
no secure-connect download-web-page-title
To view the customized title of client download page, use the following command in any mode:
show secure-connect download-web-page-title

Viewing ZTNA Information

You can use the following commands to view ZTNA information:

• Show ZTNA instance information:
show tunnel ztna [ztna-instance-name]

• Show ZTNA authenticated user information:
show auth-user ztna [interface interface-name | groupname group-name | vrouter vrouter-
name | endpoint-tag endpoint-tag-name]

• Show client information:
show secure-connect client-info

• Show ZTNA user information:
show ztna-user instance-name [user user-name]

• Show the license capacity of ZTNA authorized users:
show secure-connect user capacity

• Show client upgrade URL:
show secure-connect update-url

• Show the customized client download page title:
show secure-connect download-web-page-title

Example of Configuring ZTNA
User user1 on the external network requests to access the server on the internal network through
Hillstone ZTNA.

• Endpoint state of PC1: Windows 10 OS with firewall and anti-virus software installed

• Endpoint state of PC2: Windows XP OS without firewall and anti-virus software installed

• Application resources on Server: Application1 and Application2

Networking and Requirement

The following figure shows the networking:

Requirements:

• User user1 is allowed to access Application1 and Application2 via PC1.

• User user1 is not granted access to Application1 and Application2 via PC2 because the ter-
minal device state does not meet requirements.

Configuration Steps
Step 1: Create a local user

hostname(config)# aaa-server local

hostname(config-aaa-server)# user user1

hostname(config-user)# password 123456

hostname(config-user)# exit

hostname(config)# exit

Step 2: Configure an access address pool

hostname(config)# access-address-pool pool1

hostname(config-address-pool)# address 172.18.100.10 172.18.100.200 netmask 255.255.255.0

hostname(config-address-pool)# exit

hostname(config)#

Step 3: Configure a ZTNA instance

hostname(config)# tunnel ztna ztna-access

hostname(config-tunnel-ztna)# access-address-pool pool1

hostname(config-tunnel-ztna)# aaa-server local

hostname(config-tunnel-ztna)# interface ethernet0/5

hostname(config-tunnel-ztna)# ssl-port 5588

hostname(config-tunnel-ztna)# split-tunnel-route 192.168.6.0/24

hostname(config-tunnel-ztna)# exit

hostname(config)#

Step 4: Create a tunnel interface and bind the ZTNA instance to it (the tunnel interface and
address pool should be in the same IP address segment)

hostname(config)# interface tunnel1

hostname(config-if-tun1)# ip address 172.18.100.1/24

hostname(config-if-tun1)# tunnel ztna ztna-access

hostname(config-if-tun1)# exit

hostname(config)#

Step 5: Configure endpoint tags

hostname(config)# endpoint-tag tag1

hostname(config-endpoint-tag)# criteria-set 1

hostname(config-endpoint-tag-criteria-set)# criteria os-type windows key os-version is windows-10

hostname(config-endpoint-tag-criteria-set)# criteria os-type windows key anti-virus is installed

hostname(config-endpoint-tag-criteria-set)# criteria os-type windows key firewall is installed

hostname(config-endpoint-tag-criteria-set)# exit

hostname(config-endpoint-tag)# exit

hostname(config)#

Step 6: Configure application resources

hostname(config)# application-resource application1

hostname(config-app-res)# ip 192.168.6.9 protocol udp port 8800

hostname(config-app-res)# hyperlink http://a1a1.com

hostname(config-app-res)# exit

hostname(config)# application-resource application2

hostname(config-app-res)# ip 192.168.6.10 protocol tcp port 9900

hostname(config-app-res)# hyperlink http://a2a2.com

hostname(config-app-res)# exit

Step 7: Configure ZTNA policy

hostname(config)# ztna-rule rule1

hostname(config-ztna-policy-rule)# application-resource application1

hostname(config-ztna-policy-rule)# application-resource application2

hostname(config-ztna-policy-rule)# endpoint-tag tag1

hostname(config-ztna-policy-rule)# user local user1

hostname(config-ztna-policy-rule)# action permit

hostname(config-ztna-policy-rule)# enable

hostname(config-ztna-policy-rule)# exit

hostname(config)#

Step 8: User user1 accesses https://172.16.16.5:5588 in the browser of PC1 and PC2 and then
downloads and installs the client for Windows on the displayed page.

Step 9: User user1 logs in to the ZTNA server through the client installed on PC1 and PC2. The
server address is "172.16.16.5", the port number is 5588, and the user name and password are "user1"
and "123456".
Step 10: On the ZTNA portal page displayed after the user logs in on PC1, Application1 and
Application2 are in the accessible state. The user can click the icon to directly access the
resource. On the ZTNA portal page displayed after the user logs in on PC2, Application1 and
Application2 are grayed out. Clicking an icon displays a message indicating that the
user is not granted access to them.
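How the portal page decides what user1 sees on PC1 and PC2 in this example, as an added Python illustration (not StoneOS code). The tag criteria, application resources, rule and endpoint states come from the steps above; what is assumed rather than stated in the guide is that all criteria inside one criteria-set must match, that any satisfied criteria-set satisfies the tag, and that a user is identified as "aaa-server/user-name".

```python
"""Portal decision for the ZTNA example: endpoint tag tag1, rule rule1, user user1.

Added illustration, not StoneOS code. Assumptions (ours, not stated in the guide):
criteria inside a criteria-set are ANDed, criteria-sets of a tag are ORed, and a
user is identified as "<aaa-server>/<user-name>".
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Criterion:
    os_type: str   # "os-type" of the criteria command
    key: str       # e.g. "os-version", "anti-virus", "firewall"
    value: str     # e.g. "windows-10", "installed"


@dataclass
class EndpointTag:
    name: str
    criteria_sets: dict[int, list[Criterion]] = field(default_factory=dict)

    def matches(self, endpoint: dict[str, str]) -> bool:
        """True if at least one criteria-set is satisfied completely by the endpoint state."""
        for criteria in self.criteria_sets.values():
            if criteria and all(
                endpoint.get("os-type") == c.os_type and endpoint.get(c.key) == c.value
                for c in criteria
            ):
                return True
        return False


@dataclass
class ApplicationResource:
    name: str
    hyperlink: Optional[str]   # None when no hyperlink was defined for the resource


@dataclass
class ZtnaRule:
    name: str
    resources: list[ApplicationResource]
    endpoint_tag: EndpointTag
    users: set[str]
    action: str = "permit"
    enabled: bool = True


def portal_view(rules: list[ZtnaRule], user: str, endpoint: dict[str, str]) -> dict[str, str]:
    """Return {resource name: state} as the portal page shows it.

    "accessible": user and endpoint tag both match a permit rule.
    "denied":     user matches the rule but the endpoint tag does not (grayed out, reason shown).
    Resources that no permit rule grants the user, and resources without a hyperlink, are omitted.
    """
    view: dict[str, str] = {}
    for rule in rules:
        if not rule.enabled or rule.action != "permit" or user not in rule.users:
            continue
        tag_ok = rule.endpoint_tag.matches(endpoint)
        for res in rule.resources:
            if res.hyperlink is None:
                continue
            view[res.name] = "accessible" if tag_ok else "denied"
    return view


# Step 5 of the example: tag1 with criteria-set 1
TAG1 = EndpointTag("tag1", {1: [
    Criterion("windows", "os-version", "windows-10"),
    Criterion("windows", "anti-virus", "installed"),
    Criterion("windows", "firewall", "installed"),
]})

# Steps 6 and 7 of the example: application resources and rule1
RULE1 = ZtnaRule(
    "rule1",
    [ApplicationResource("application1", "http://a1a1.com"),
     ApplicationResource("application2", "http://a2a2.com")],
    TAG1,
    {"local/user1"},
)

# Endpoint states as the client would report them (constructed from the scenario;
# "windows-xp" and "not-installed" are constructed values for PC2).
PC1 = {"os-type": "windows", "os-version": "windows-10",
       "anti-virus": "installed", "firewall": "installed"}
PC2 = {"os-type": "windows", "os-version": "windows-xp",
       "anti-virus": "not-installed", "firewall": "not-installed"}

if __name__ == "__main__":
    for pc, state in (("PC1", PC1), ("PC2", PC2)):
        print(pc, portal_view([RULE1], "local/user1", state))
```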

Chapter 11 Traffic Management
This chapter introduces the following topics:

• iQoS

• QoS

• Load Balancing

• Session Limit

QoS/iQoS
This chapter covers iQoS (intelligent quality of service) and QoS (quality of service). The behavior of
iQoS/QoS after upgrading from different versions is described in the table below.

Product version                                                       | Description
Before version 5.5, and the QoS function is not configured            | After upgrading, the system uses the iQoS function by default.
Before version 5.5, and the QoS function has already been configured  | After upgrading, the QoS function is still enabled, but iQoS is recommended. For switching to iQoS, see Switching iQoS/QoS.
Version 5.5 and above                                                 | Uses the iQoS function by default.

Switching iQoS/QoS
If you have not configured the QoS function before upgrading to version 5.5, the system will
enable the iQoS function by default. You can configure the iQoS function via WebUI or CLI, and the
QoS function will not take effect.
If you have configured QoS before upgrading the system to version 5.5, the QoS function will still
take effect. You can configure the QoS function only via CLI. We recommend using the iQoS function
to control bandwidth. To switch from QoS to iQoS, in any mode, use the following command:
exec iqos enable

To switch from iQoS to QoS, in any mode, use the following command:
exec iqos disable

iQoS
The system provides intelligent quality of service (iQoS) which guarantees the customer's net-
work performance, manages and optimizes the key bandwidth for critical business traffic, and
helps the customer greatly in fully utilizing their bandwidth resources.

iQoS is used to provide different priorities to different traffic, in order to control the delay and
flapping, and decrease the packet loss rate. iQoS can assure the normal transmission of critical
business traffic when the network is overloaded or congested.
iQoS is controlled by license. To use iQoS, apply and install the iQoS license.

iQoS Implementation

The packets are classified and marked after entering the system from the ingress interface. For the
classified and marked traffic, the system will smoothly forward the traffic through the shaping
mechanism, or drop the traffic through the policing mechanism. If the shaping mechanism is selected to
forward the traffic, the congestion management and congestion avoidance mechanisms give different
priorities to different types of packets so that the packets of higher priority can pass the gateway
earlier to avoid network congestion.
In general, implementing iQoS includes:

• Classification and marking mechanism: Classification and marking is the process of identifying
the priority of each packet. This is the first step of iQoS.

• Policing and shaping mechanisms: Policing and shaping mechanisms are used to identify traffic
violations and respond to them. The policing mechanism checks traffic in real time and takes
immediate action according to the settings when it discovers a violation. The shaping mechanism
works together with the queuing mechanism. It makes sure that the traffic never
exceeds the defined flow rate so that the traffic can go through the interface smoothly.

• Congestion management mechanism: Congestion management uses queuing theory to solve
problems on congested interfaces. As the data rate can differ between networks, congestion may
happen on both the wide area network (WAN) and the local area network (LAN). Only when an
interface is congested does queuing begin to work.

• Congestion avoidance mechanism: Congestion avoidance is a supplement to the queuing
algorithm, and it also relies on the queuing algorithm. The congestion avoidance mechanism is
designed to process TCP-based traffic.

Function Overview

By configuring pipes, the devices implement iQoS. A pipe, which is a virtual concept, represents the
bandwidth of a transmission path. The system classifies the traffic using the pipe as the unit, and
controls the traffic crossing the pipes according to the actions defined for the pipes. All traffic
crossing the device flows into virtual pipes according to the traffic matching conditions
it matches. If the traffic does not match any condition, it flows into the default pipe pre-
defined by the system.
Pipes, except the default pipe, include two parts of configurations: traffic matching conditions and
traffic management actions:

• Traffic matching conditions: Define the traffic matching conditions to classify the traffic
crossing the device into matched pipes. The system will limit the bandwidth of the traffic that
matches the traffic matching conditions. You can define multiple traffic matching conditions
for a pipe. The logical relation between the conditions is OR: when the traffic matches any
traffic matching condition of a pipe, it enters this pipe.

• Traffic management actions: Define the actions applied to the traffic that has been classified
into a pipe. The data stream control includes forward control and backward control. Forward
control controls the traffic that flows from the source to the destination; backward control
controls the traffic that flows from the destination to the source.

Multiple-level Pipes

To provide flexible configurations, the system supports multiple-level pipes. Configuring multiple-
level pipes can limit the bandwidth of different applications of different users. This can
ensure the bandwidth for the key services and users. Pipes can be nested to at most four levels.
Sub pipes cannot be nested under the default pipe. The logical relation between pipes is shown as
below:

• You can create multiple root pipes that are independent of each other. At most three levels of
sub pipes can be nested under a root pipe.

• For the sub pipes at the same level, the total of their minimum bandwidth cannot exceed the
minimum bandwidth of their upper-level parent pipe, and the total of their maximum bandwidth
cannot exceed the maximum bandwidth of their upper-level parent pipe.

• If you have configured the forward or backward traffic management actions for the root pipe,
all sub pipes that belong to this root pipe will inherit the configurations of the traffic
direction set on the root pipe.

• A root pipe that is configured with only backward traffic management actions cannot work.

The following chart illustrates the application of multiple-level pipes in a company. The admin-
istrator can create the following pipes to limit the traffic:

1. Create a root pipe to limit the traffic of the office located in Beijing.

2. Create a sub pipe to limit the traffic of its R&D department.

3. Create a sub pipe to limit the traffic of the specified applications so that each application has
its own bandwidth.

4. Create a sub pipe to limit the traffic of the specified users so that each user owns the
defined bandwidth when using the specified application.

Process of iQoS

The system supports two-level traffic control: level-1 control and level-2 control. In each level,
the traffic control is implemented by pipes. Traffic that has been dealt with by level-1 control flows into
the level-2 control, and then the system performs further management and control according
to the pipe configurations of level-2 control. After the traffic flows into the device, the process of
iQoS is shown as below:

According to the chart above, the process of traffic control is described below:

1. The traffic first flows into the level-1 control, and then the system classifies the traffic into
different pipes according to the traffic matching conditions of the pipe of level-1 control.
The traffic that cannot match any pipe will be classified into the default pipe. If the same
conditions are configured in different root pipes, the traffic will first match the root pipe lis-
ted at the top of the Level-1 Control list. After the traffic flows into the root pipe, the sys-
tem classifies the traffic into different sub pipes according to the traffic matching conditions
of each sub pipe.

2. According to the traffic management actions configured for the pipes, the system manages
and controls the traffic that matches the traffic matching conditions.

3. The traffic dealt with by level-1 control flows into the level-2 control. The system manages
and controls the traffic in level-2 control. The principles of traffic matching, management and
control are the same as those of the level-1 control.

4. Complete the process of iQoS.
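The nesting and bandwidth constraints of multiple-level pipes and the level-1 classification order described above, as an added Python illustration (not StoneOS code). Pipe names, bandwidth figures and the key/value form of the matching conditions are constructed for the example; how a flow that matches a root pipe but none of its sub pipes is treated is not stated in the guide, so here it simply stays in the last matched pipe.

```python
"""Pipe hierarchy constraints and level-1 classification from the iQoS description.

Added illustration, not StoneOS code. Taken from the text: at most four nesting
levels (root plus three sub-pipe levels), sub pipes' summed minimum/maximum
bandwidth bounded by the parent's, no sub pipes under the default pipe, root
pipes tried in list order, default pipe as fallback. Constructed for the
example: pipe names, bandwidth figures (kbps) and the key/value form of the
matching conditions. A flow matching a root pipe but none of its sub pipes
stays in the last matched pipe (assumption; the guide does not say).
"""
from __future__ import annotations
from dataclasses import dataclass, field

MAX_DEPTH = 4  # root pipe + at most three levels of sub pipes


@dataclass
class Pipe:
    name: str
    min_bw: int = 0                                       # guaranteed bandwidth, kbps
    max_bw: int = 0                                       # ceiling bandwidth, kbps
    conditions: list[dict] = field(default_factory=list)  # ORed traffic matching conditions
    children: list[Pipe] = field(default_factory=list)    # sub pipes
    is_default: bool = False


def validate(pipe: Pipe, depth: int = 1) -> list[str]:
    """Return constraint violations for a root pipe and everything nested under it."""
    errors: list[str] = []
    if depth > MAX_DEPTH:
        errors.append(f"{pipe.name}: nested deeper than {MAX_DEPTH} levels")
    if pipe.is_default and pipe.children:
        errors.append(f"{pipe.name}: the default pipe cannot have sub pipes")
    if pipe.children:
        if sum(c.min_bw for c in pipe.children) > pipe.min_bw:
            errors.append(f"{pipe.name}: sub pipes' minimum bandwidth exceeds the parent's")
        if sum(c.max_bw for c in pipe.children) > pipe.max_bw:
            errors.append(f"{pipe.name}: sub pipes' maximum bandwidth exceeds the parent's")
    for child in pipe.children:
        errors.extend(validate(child, depth + 1))
    return errors


def pipe_matches(pipe: Pipe, flow: dict) -> bool:
    """Conditions of one pipe are ORed; within a condition every field must match."""
    if pipe.is_default:
        return True
    return any(all(flow.get(k) == v for k, v in cond.items()) for cond in pipe.conditions)


def classify(root_pipes: list[Pipe], default_pipe: Pipe, flow: dict) -> list[str]:
    """Level-1 classification: the first matching root pipe in list order wins,
    then the flow descends into the first matching sub pipe at each level."""
    for root in root_pipes:
        if not pipe_matches(root, flow):
            continue
        path, node = [root.name], root
        while node.children:
            nxt = next((c for c in node.children if pipe_matches(c, flow)), None)
            if nxt is None:
                break
            path.append(nxt.name)
            node = nxt
        return path
    return [default_pipe.name]


def example_topology() -> tuple[list[Pipe], Pipe]:
    """Company layout from the text: office -> department -> application -> user."""
    alice = Pipe("alice", 1000, 5000, [{"user": "alice"}])
    video = Pipe("video", 4000, 20000, [{"app": "video"}], [alice])
    mail = Pipe("mail", 2000, 10000, [{"app": "mail"}])
    rd = Pipe("rd", 10000, 50000, [{"dept": "rd"}], [video, mail])
    beijing = Pipe("beijing", 20000, 100000, [{"src_zone": "beijing"}], [rd])
    return [beijing], Pipe("default", is_default=True)


def overbooked_root() -> Pipe:
    """Constructed violation: two sub pipes reserve more than the parent guarantees."""
    return Pipe("overbooked", 1000, 2000, [{"src_zone": "lab"}],
                [Pipe("a", 800, 1000), Pipe("b", 500, 1000)])


if __name__ == "__main__":
    roots, default = example_topology()
    print(validate(roots[0]))
    print(classify(roots, default, {"src_zone": "beijing", "dept": "rd", "app": "video", "user": "alice"}))
    print(validate(overbooked_root()))
```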

Notes:

• For some Hillstone devices (SG-6000-X6150 and SG-6000-X6180), QSM
modules must be installed before using iQoS functions.

• For SG-6000-X7180, when there is no QSM module installed, you can install
the IOM module to get the iQoS function (make sure that the device has
installed the iQoS license). In this case, iQoS doesn't support the shaping
mode.

• For SG-6000-X8180, when there is no QSM installed, you can install the
SIOM to process QoS (make sure that the device has installed the iQoS license).
In this case, the QoS is the same as the QoS function provided by installing the QSM
module.

• For SG-6000-X9180 and SG-6000-X10800, when there is no QSM installed,
you can install the IOM/SIOM to process QoS (make sure that the device
has installed the iQoS license). If you install the IOM to process QoS, the QoS
doesn't support the shaping mode. If you install the SIOM to process QoS,
the QoS is the same as the QoS function provided by installing the QSM module.

• For SG-6000-X7180, SG-6000-X8180, SG-6000-X9180 and SG-6000-X10800,
when the device is installed with both QSM and IOM, QSM will
take effect first for QoS.

Configuring iQoS

Devices implement iQoS by using pipes. Using pipes includes the following steps:

1. Create the traffic matching conditions, which are used to control the traffic that matches
these conditions. If configuring multiple traffic matching conditions for a pipe, the logical
relation between each condition is OR.

2. Create a white list according to your requirements. The system will not control the traffic in
the white list. Only root pipe and the default pipe support the white list.

3. Specify the traffic management actions, which are used to deal with the traffic that is clas-
sified into a pipe.

Specifying Traffic Control Level

Specify which traffic control level you want to enter, first-level traffic control or second-level
traffic control, and enter the traffic control mode. You can create pipes to manage the traffic. In
the global configuration mode, use the following command:
qos-engine {first | second}

• first – Enter the traffic control mode of the first-level traffic control.

• second – Enter the traffic control mode of the second-level traffic control.

Enabling/Disabling Traffic Control Level/Root Pipe/Sub Pipe

To enable/disable the traffic control level, in the traffic control mode of the specified level, use
the following command:

• Disable the traffic control level: disable

• Enable the traffic control level: no disable

To enable/disable the root pipe, in the root pipe configuration mode of the specified root pipe,
use the following command:

• Disable the root pipe: disable

• Enable the root pipe: no disable

To enable/disable the sub pipe, in the sub pipe configuration mode of the specified sub pipe, use
the following command:

• Disable the sub pipe: disable

• Enable the sub pipe: no disable

Notes: The disabled levels or pipes will not take effect during the iQoS process.
The unavailable pipes will not take effect as well.

Enabling/Disabling NAT IP Matching

You can enable the NAT IP matching function in the traffic control mode of the specified level as
needed. After it is enabled, the system will use the IP addresses between the source NAT and the
destination NAT as the matching items. If the matching is successful, the system will limit the speed of
these IP addresses. To enable the NAT IP matching, in the traffic control mode of the specified
level, use the following command:
match-nat-ip enable



To disable the NAT IP matching, in the traffic control mode of the specified level, use the com-
mand no match-nat-ip enable.

Notes: Before enabling NAT IP matching, you must configure the NAT rules. Other-
wise, the configuration will not take effect.

Creating a Root Pipe

In the traffic control mode, use the following command to create a root pipe and enter the root
pipe configuration mode. If the name of the root pipe already exists, the system will enter the root
pipe configuration mode directly.
root-pipe {pipe-name | default}

l pipe-name – Enter the name of the newly created root pipe.

l default – Enter the default pipe.

In the traffic control mode, use the following command to delete a root pipe:
no root-pipe pipe-name

Notes:

l The name of the root pipe cannot exceed 63 characters.

l A root pipe can nest up to 3 levels of sub pipes.

l The default pipe cannot be deleted.

After entering the root pipe configuration mode, you can configure the following configurations:

l Enable/Disable the root pipe

l Configure the traffic matching conditions of the root pipe

l Create a traffic white list of the root pipe



l Configure the traffic management action of the root pipe

l Configure the traffic control mode of the root pipe

l Specify a schedule for the root pipe

l Create a sub pipe

Creating a Sub Pipe

To create a sub pipe and enter the sub pipe configuration mode, use the following command in
the pipe configuration mode. If the sub pipe name already exists, the system will enter the sub
pipe configuration mode directly.
pipe pipe-name

l pipe-name – Enter the name of the newly created sub pipe.

In the pipe configuration mode, use the following command to delete the created sub pipe:
no pipe pipe-name

Notes:

l The name of the pipe cannot exceed 63 characters.

l To delete the sub pipe, you need to execute the command no pipe pipe-name
in the pipe configuration mode of its parent pipe.

In the sub pipe configuration mode, you can configure the following options:

l Enable/Disable the sub pipe

l Configure the traffic matching conditions of the sub pipe

l Create a sub pipe



Configuring a Traffic Matching Condition

Before configuring a traffic matching condition, you need to first create a traffic matching con-
dition and then enter the traffic matching condition configuration mode. If the ID already exists,
the system will enter the traffic matching condition configuration mode directly. Without the ID
specified, the system will create a traffic matching condition and enter its configuration mode. To
create a traffic matching condition and enter its configuration mode, use the following command
in the pipe configuration mode:
pipe-map [id]

l id – Enter the ID of the traffic matching condition.

Use the no pipe-map [id] command to delete the specified traffic matching condition.
After entering the traffic matching condition configuration mode, use the following command to
configure the traffic matching condition:

l Specify the source zone name of the traffic: src-zone src-zone

l Delete the source zone name of the traffic: no src-zone

l Specify the destination zone name of the traffic: dst-zone dst-zone

l Delete the destination zone name of the traffic: no dst-zone

l Specify the source host name of the traffic: src-host host-name

l Delete the source host name of the traffic: no src-host host-name

l Specify the destination host name of the traffic: dst-host host-name

l Delete the destination host name of the traffic: no dst-host host-name

l Specify the source IP address (IPv4 or IPv6) of the traffic: src-ip {ip/netmask | ip-address
netmask | ipv6-address/prefix}

l Delete the source IP address (IPv4 or IPv6) of the traffic: no src-ip {ip/netmask | ip-address
netmask | ipv6-address/prefix}



l Specify the destination IP address (IPv4 or IPv6) of the traffic: dst-ip {ip/netmask | ip-
address netmask | ipv6-address/prefix}

l Delete the destination IP address (IPv4 or IPv6) of the traffic: no dst-ip {ip/netmask | ip-
address netmask | ipv6-address/prefix}

l Specify the source IP address range (IPv4 or IPv6) of the traffic: src-range min-ip [max-ip]

l Delete the source IP address range (IPv4 or IPv6) of the traffic: no src-range min-ip [max-ip]

l Specify the destination IP address range (IPv4 or IPv6) of the traffic: dst-range min-ip [max-ip]

l Delete the destination IP address range (IPv4 or IPv6) of the traffic: no dst-range min-ip [max-
ip]

l Specify the ingress interface name of the traffic: ingress-if interface-name

l Delete the ingress interface name of the traffic: no ingress-if interface-name

l Specify the egress interface name of the traffic: egress-if interface-name

l Delete the egress interface name of the traffic: no egress-if interface-name

l Specify the source address entry (IPv4 or IPv6) of the traffic: src-addr address-book

l Delete the source address entry (IPv4 or IPv6) of the traffic: no src-addr address-book

l Specify the destination address entry (IPv4 or IPv6) of the traffic: dst-addr address-book

l Delete the destination address entry (IPv4 or IPv6) of the traffic: no dst-addr address-book

l Specify the user and its AAA server: user AAA-server user-name

l Delete the user and its AAA server: no user AAA-server user-name

l Specify the user group and its AAA server: user-group AAA-server usergroup-name

l Delete the user group and its AAA server: no user-group AAA-server usergroup-name



l Specify the application or application group, including pre-defined applications and user-
defined applications: application app-name

l Delete the application or application group, including pre-defined applications and user-defined
applications: no application app-name

l Specify the name of the service or service group: service service-name

l Delete the name of the service or service group: no service service-name

l Specify the ToS field: tos tos-value

l Delete the ToS field: no tos tos-value

l Specify the VLAN information: vlan vlan-id

l Delete the VLAN information: no vlan vlan-id

l Specify the URL category: url-category category-name

l Delete the URL category: no url-category category-name

l Specify the TrafficClass field: traffic-class traffic-class-value

l Delete the TrafficClass field: no traffic-class traffic-class-value

Notes: When configuring traffic matching conditions on some device models,
including SG-6000-X6150, SG-6000-X6180, and SG-6000-X7180, the system
does not support specifying the name of a service or service group.

Configuring a Traffic White List

After configuring a traffic white list, the system will not manage the traffic in the white list. You
can specify a white list for the root pipe or the default pipe.
Before configuring a white list, you need to first create a white list and then enter the white list
configuration mode. If the specified ID already exists, the system will directly enter the white list
configuration mode. If you do not specify an ID, the system will create a white list and enter its
configuration mode. To create a white list and enter the white list configuration mode, in the pipe
configuration mode, use the following command:
exception-map [id]

l id – Enter the ID of the white list.

Use the no exception-map [id] command to delete the specified white list.
After entering the white list configuration mode, use the following command to configure the
white list:

l Specify the source zone name of the traffic: src-zonesrc-zone

l Delete the source zone name of the traffic: no src-zone

l Specify the destination zone name of the traffic: dst-zonedst-zone

l Delete the destination zone name of the traffic: no dst-zone

l Specify the ingress interface name of the traffic: ingress-if interface-name

l Delete the ingress interface name of the traffic: no ingress-if interface-name

l Specify the egress interface name of the traffic: egress-if interface-name

l Delete the egress interface name of the traffic: no egress-if interface-name

l Specify the source IP address of the traffic: src-ip {ip/netmask | ip-address netmask }

l Delete the source IP address of the traffic: no src-ip {ip/netmask | ip-address netmask }

l Specify the destination IP address of the traffic: dst-ip {ip/netmask | ip-address netmask }

l Delete the destination IP address of the traffic: no dst-ip {ip/netmask | ip-address netmask }

l Specify the user and its AAA server: user AAA-server user-name

l Delete the users and its AAA server: no user AAA-server user-name



l Specify the user group and its AAA server: user-group AAA-server usergroup-name

l Delete the users group and its AAA server: no user-group AAA-server usergroup-name

l Specify the application or application group, including pre-defined application and user-
defined application: application app-name

l Delete the application or application group, including pre-defined application and user-defined
application: no application app-name

l Specify the name of the service or service group: service service-name

l Delete the name of the service or service group: no service service-name

l Specify the ToS field: tos tos-value

l Delete the ToS field: no tos tos-value

l Specify the VLAN information: vlan vlan-id

l Delete the VLAN information: no vlan vlan-id

l Specify the URL category: url-category category-name

l Delete the URL category: no url-category category-name

Notes: When configuring a white list on some device models, including SG-6000-
X6150, SG-6000-X6180, SG-6000-X7180 and SG-6000-X10800, the system does
not support specifying the name of a service or service group.
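The following Python script is an added illustration of how the pipe-map conditions and the exception-map white list described in the two sections above combine; it is not StoneOS code and not part of this guide. It accepts the three address forms the pipe-map takes (ip/netmask, "ip-address netmask", ipv6-address/prefix) and the min-ip [max-ip] range form, and treats white-listed traffic as exempt from management. Two points are assumptions rather than documented behaviour: the configured conditions of one entry are ANDed while several values of one condition are ORed, and the white list is checked before the pipe-maps. The pipe, interface and flow data are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Flow:
    """One traffic flow as the classifier sees it (constructed sample data)."""
    src_ip: str
    dst_ip: str
    ingress_if: str
    egress_if: str
    service: str


def _prefix(spec: str):
    """Accept the address forms pipe-map takes: ip/netmask,
    'ip-address netmask' and ipv6-address/prefix."""
    if " " in spec:                        # "192.0.2.10 255.255.255.255" form
        ip, mask = spec.split()
        spec = f"{ip}/{mask}"
    return ipaddress.ip_network(spec, strict=False)


def _in_prefixes(addr: str, prefixes: List[str]) -> bool:
    a = ipaddress.ip_address(addr)
    # an IPv4 address is never inside an IPv6 network and vice versa
    return any(a in _prefix(p) for p in prefixes)


def _in_ranges(addr: str, ranges: List[Tuple[str, str]]) -> bool:
    a = ipaddress.ip_address(addr)
    for lo, hi in ranges:                  # hi is None when only min-ip was given
        lo_a = ipaddress.ip_address(lo)
        hi_a = ipaddress.ip_address(hi) if hi else lo_a
        if a.version == lo_a.version and lo_a <= a <= hi_a:
            return True
    return False


@dataclass
class MatchMap:
    """A pipe-map or exception-map entry. An empty list means the condition is
    not configured and does not restrict the match. Assumption: configured
    conditions of one entry are ANDed, values within one condition are ORed."""
    src_ip: List[str] = field(default_factory=list)
    dst_ip: List[str] = field(default_factory=list)
    src_range: List[Tuple[str, str]] = field(default_factory=list)
    dst_range: List[Tuple[str, str]] = field(default_factory=list)
    ingress_if: List[str] = field(default_factory=list)
    egress_if: List[str] = field(default_factory=list)
    service: List[str] = field(default_factory=list)

    def matches(self, f: Flow) -> bool:
        if self.src_ip and not _in_prefixes(f.src_ip, self.src_ip):
            return False
        if self.dst_ip and not _in_prefixes(f.dst_ip, self.dst_ip):
            return False
        if self.src_range and not _in_ranges(f.src_ip, self.src_range):
            return False
        if self.dst_range and not _in_ranges(f.dst_ip, self.dst_range):
            return False
        if self.ingress_if and f.ingress_if not in self.ingress_if:
            return False
        if self.egress_if and f.egress_if not in self.egress_if:
            return False
        if self.service and f.service not in self.service:
            return False
        return True


@dataclass
class RootPipe:
    name: str
    pipe_maps: List[MatchMap]                                  # any match puts the flow in the pipe
    white_list: List[MatchMap] = field(default_factory=list)   # exception-maps (root/default pipe only)


def classify(pipe: RootPipe, f: Flow) -> str:
    """'exempt' for white-listed traffic (not managed), 'managed' for traffic
    the pipe controls, 'unmatched' when no pipe-map applies. Assumption: the
    white list is evaluated before the pipe-maps."""
    if any(m.matches(f) for m in pipe.white_list):
        return "exempt"
    if any(m.matches(f) for m in pipe.pipe_maps):
        return "managed"
    return "unmatched"


# Constructed sample: the "guest" root pipe manages guest traffic leaving on
# ethernet0/1, except HTTPS to the update server and a monitoring host range.
GUEST = RootPipe(
    name="guest",
    pipe_maps=[MatchMap(src_ip=["10.10.0.0/16", "2001:db8:1::/48"],
                        egress_if=["ethernet0/1"])],
    white_list=[MatchMap(dst_ip=["192.0.2.10 255.255.255.255"], service=["HTTPS"]),
                MatchMap(src_range=[("10.10.250.1", "10.10.250.20")])],
)

SAMPLE_FLOWS = {
    "guest_web":    Flow("10.10.4.7", "203.0.113.5", "ethernet0/2", "ethernet0/1", "HTTP"),
    "guest_update": Flow("10.10.4.7", "192.0.2.10", "ethernet0/2", "ethernet0/1", "HTTPS"),
    "guest_v6":     Flow("2001:db8:1::5", "2001:db8:2::9", "ethernet0/2", "ethernet0/1", "HTTP"),
    "monitor":      Flow("10.10.250.5", "203.0.113.5", "ethernet0/2", "ethernet0/1", "SSH"),
    "staff_web":    Flow("10.20.1.1", "203.0.113.5", "ethernet0/3", "ethernet0/1", "HTTP"),
}


def classify_all(pipe: RootPipe = GUEST, flows=SAMPLE_FLOWS) -> dict:
    """Classify every sample flow against the pipe."""
    return {name: classify(pipe, f) for name, f in flows.items()}
```

Running classify_all() shows the effect of the white list: the guest host's HTTPS session to the update server and the monitoring range are reported as exempt even though they would otherwise fall into the guest pipe, while staff traffic from 10.20.1.1 matches no pipe-map at all. The IPv6 flow is only managed because the pipe-map carries an ipv6-address/prefix entry alongside the IPv4 one; the version check in the helpers keeps a v4 prefix from ever matching a v6 address.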

Configuring the Trigger Threshold for the Maximum Floating Bandwidth

Configure the upper and lower thresholds of the bandwidth utilization for a root pipe. When a
root pipe’s bandwidth utilization is lower than the lower threshold, the maximum bandwidth of
sub pipes is the configured maximum floating bandwidth. If a root pipe’s bandwidth utilization
is higher than the upper threshold, sub pipes apply the configured maximum bandwidth of each
IP/user. To configure the trigger threshold for the maximum floating bandwidth, in the root pipe
configuration mode, use the following command:
flex-qos low-water-mark value high-water-mark value

l low-water-mark value – Specifies the lower threshold of the bandwidth utilization for a
root pipe. The range is 20%-75%. The default lower threshold is 40%.

l high-water-mark value – Specifies the upper threshold of the bandwidth utilization for a
root pipe. The range is 76%-90%. The default upper threshold is 80%.

In the root pipe configuration mode, use the no flex-qos command to restore the default values.
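As an added illustration (not StoneOS code), the Python below models the switch between the floating maximum and the configured per-IP maximum that the section above describes, together with the checks a practitioner would run before committing the settings: the low-water-mark and high-water-mark ranges and defaults quoted above, and the rule from the pipe-rule reference that flex-per-max must be larger than the per-IP/user maximum. The text does not say what happens while utilization sits between the two marks; the model keeps the previous decision (ordinary hysteresis), and it starts with the configured maximum in force. Both are assumptions. Class and function names are this example's own.

```python
# Ranges and defaults from the flex-qos command reference above.
LOW_WATER_RANGE = (20, 75)      # default 40
HIGH_WATER_RANGE = (76, 90)     # default 80


def flex_config_errors(per_ip_max_kbps: int, flex_per_max_kbps: int,
                       low_water_mark: int = 40, high_water_mark: int = 80) -> list:
    """Return the configuration problems to catch before committing
    flex-qos and flex-per-max (empty list means the settings are consistent)."""
    e = []
    if not LOW_WATER_RANGE[0] <= low_water_mark <= LOW_WATER_RANGE[1]:
        e.append(f"low-water-mark {low_water_mark} outside 20-75")
    if not HIGH_WATER_RANGE[0] <= high_water_mark <= HIGH_WATER_RANGE[1]:
        e.append(f"high-water-mark {high_water_mark} outside 76-90")
    if flex_per_max_kbps <= per_ip_max_kbps:
        e.append("flex-per-max must be larger than the per-IP/user maximum")
    return e


class FloatingCap:
    """Tracks which per-IP cap is in force as root-pipe utilization moves."""

    def __init__(self, per_ip_max_kbps: int, flex_per_max_kbps: int,
                 low_water_mark: int = 40, high_water_mark: int = 80):
        problems = flex_config_errors(per_ip_max_kbps, flex_per_max_kbps,
                                      low_water_mark, high_water_mark)
        if problems:
            raise ValueError("; ".join(problems))
        self.per_ip_max, self.flex_per_max = per_ip_max_kbps, flex_per_max_kbps
        self.low, self.high = low_water_mark, high_water_mark
        # assumption: the configured per-ip-max applies until utilization
        # first drops below the lower threshold
        self.floating = False

    def effective_cap(self, utilization_pct: float) -> int:
        """Per-IP cap in Kbps for the current root-pipe utilization (%)."""
        if utilization_pct < self.low:        # below the lower threshold: floating maximum
            self.floating = True
        elif utilization_pct > self.high:     # above the upper threshold: configured maximum
            self.floating = False
        # between the marks nothing is stated; keep the previous decision (assumption)
        return self.flex_per_max if self.floating else self.per_ip_max


def trace(cap: FloatingCap, samples) -> list:
    """Feed a sequence of utilization readings (%) and return the cap chosen for each."""
    return [cap.effective_cap(u) for u in samples]
```

With per-ip-max 2000 Kbps and flex-per-max 5 Mbps, the readings 10, 50, 85, 50, 30 give caps of 5000, 5000, 2000, 2000 and 5000 Kbps: the 50% readings do not change the cap, only crossing a threshold does.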

Configuring Traffic Management Actions for a Root Pipe

To configure traffic management actions for a root pipe, in the root pipe configuration mode, use
one of the following commands:
pipe-rule {forward | backward} bandwidth {Kbps | Mbps | Gbps} bandwidth-value [per-ip-min min-value] [per-ip-max max-value [delay delay-time] [flex-per-max {Kbps | Mbps} value]] [per-ip-using {src-ip | dst-ip}] [tos-marking tos-value] [traffic-marking traffic-class-value] [mode aggressive [strength-level level-value]] [priority value]

pipe-rule {forward | backward} bandwidth {Kbps | Mbps | Gbps} bandwidth-value [per-user-min min-value] [per-user-max max-value [delay delay-time] [flex-per-max {Kbps | Mbps} value]] [tos-marking tos-value] [traffic-marking traffic-class-value] [mode aggressive [strength-level level-value]] [priority value]

pipe-rule {forward | backward} bandwidth {Kbps | Mbps | Gbps} bandwidth-value average-using {src-ip | dst-ip | user} [tos-marking tos-value] [traffic-marking traffic-class-value] [mode aggressive [strength-level level-value]] [priority value]

l forward – Specify the traffic control actions to the traffic that matches the traffic matching
conditions and whose direction is from the source to the destination.

l backward - Specify the traffic control actions to the traffic that matches the traffic matching
conditions and whose direction is from the destination to the source.



l bandwidth {Kbps | Mbps | Gbps} - Specify the minimum bandwidth of the pipe. When
selecting Kbps, the bandwidth ranges from 32 to 100,000,000. When selecting Mbps, the
bandwidth ranges from 1 to 100,000. When selecting Gbps, the bandwidth ranges from 1 to
100.

l per-ip-min min-value - Specify the minimum bandwidth of each IP. The value ranges from
32Kbps to 1,000,000Kbps.

l per-ip-max max-value - Specify the maximum bandwidth of each IP. The value ranges from
32Kbps to 1,000,000Kbps.

l per-ip-using {src-ip|dst-ip} - Limit the bandwidth to each source IP address or destination IP
address. This configuration can take effect after you have configured the per-ip-min min-value
and per-ip-max max-value parameters.

l per-user-min min-value - Specify the minimum bandwidth of each user. When selecting Kbps,
the value ranges from 32Kbps to 10,000,000Kbps. When selecting Mbps, the value ranges
from 1Mbps to 10,000Mbps.

l per-user-max max-value - Specify the maximum bandwidth of each user. When selecting
Kbps, the value ranges from 32Kbps to 10,000,000Kbps. When selecting Mbps, the value
ranges from 1Mbps to 10,000Mbps.

l delay delay-time – Specify the delay time, whose value ranges from 1 second to 3600
seconds. The maximum bandwidth limit of each IP/ user is not effective within the delay
time range.

l flex-per-max {Kbps | Mbps} – Specifies the maximum floating bandwidth, which should be
larger than the maximum bandwidth of each IP/user. The maximum floating bandwidth is
triggered when a root pipe's bandwidth utilization is lower than the lower threshold. If Kbps
is selected, the value range is from 32Kbps to 1,000,000Kbps. If Mbps is selected, the value
range is from 1Mbps to 1000Mbps.



l tos-marking tos-value - Specify the ToS field.

l traffic-marking traffic-class-value - Specifies the value of the TrafficClass field for IPv6
traffic, ranging from 0-255. The TrafficClass field value of matched IPv6 traffic is set to the
specified value.

l mode aggressive [strength-level level-value] - Enable the peer quench function. By default,
this function is disabled. Based on the bandwidth allocated to the user, the peer quench
function makes the traffic arriving at the device match the allocated bandwidth as closely as
possible, which reduces the packets dropped by the device. When the peer quench function is
enabled, the default strength-level is 1; the value ranges from 1 to 8. A larger value represents
a higher strength level and fewer dropped packets.

l priority value - Specify the priority of the pipe. The value ranges from 0 to 7. The default
value is 7. A smaller value represents a higher priority: the system will first schedule the
traffic in a pipe with a higher priority and will first borrow the idle bandwidth from other
pipes with a lower priority.

l average-using {src-ip | dst-ip | user} - Allocate the bandwidth equally to each source IP
address, each destination IP address, or each user in the pipe.

Use the no form of the above command to delete the traffic management actions of a specified dir-
ection.

Notes:

l You cannot limit the bandwidth to each user and each IP address at the same
time.

l You cannot enable the peer quench function in the forward and backward
traffic management directions at the same time. The peer quench function
is only supported in an end pipe.



Configuring Traffic Management Actions for a Sub Pipe

To configure traffic management actions for a sub pipe, in the root pipe configuration mode, use
one of the following commands:
pipe-rule {forward | backward} {min | reserve-bandwidth} {percent | Kbps | Mbps | Gbps} value max {percent | Kbps | Mbps | Gbps} max-value [per-ip-min min-value] [per-ip-max max-value [delay delay-time]] [flex-per-max {Kbps | Mbps} value] [per-ip-using {src-ip | dst-ip}] [tos-marking tos-value] [traffic-marking traffic-class-value] [mode aggressive [strength-level level-value]] [priority value]

pipe-rule {forward | backward} {min | reserve-bandwidth} {percent | Kbps | Mbps | Gbps} min-value max {percent | Kbps | Mbps | Gbps} max-value [per-user-min min-value] [per-user-max max-value [delay delay-time]] [flex-per-max {Kbps | Mbps} value] [tos-marking tos-value] [traffic-marking traffic-class-value] [mode aggressive [strength-level level-value]] [priority value]

l forward – Specify the traffic control actions to the traffic that matches the traffic matching
conditions and whose direction is from the source to the destination.

l backward - Specify the traffic control actions to the traffic that matches the traffic matching
conditions and whose direction is from the destination to the source.

l {min | reserve-bandwidth} {percent | Kbps | Mbps | Gbps} value - Specify the min-
imum bandwidth of the pipe, or set the reserved bandwidth of the pipe. min represents
the minimum bandwidth and reserve-bandwidth represents the reserved bandwidth. When
configuring the minimum bandwidth or the reserved bandwidth, percent represents the
minimum percentage of the parent pipe bandwidth; the value ranges from 1 to 100. When
selecting Kbps, the value ranges from 32Kbps to 100,000,000Kbps. When selecting Mbps,
the value ranges from 1Mbps to 100,000Mbps. When selecting Gbps, the value ranges from
1Gbps to 100Gbps.

l max {percent | Kbps | Mbps | Gbps} max-value - Specify the maximum bandwidth of the
pipe or the maximum percentage of its parent pipe. percent represents the maximum
percentage of the parent pipe bandwidth; the value ranges from 1 to 100. When selecting
Kbps, the value ranges from 32Kbps to 100,000,000Kbps. When selecting Mbps, the value
ranges from 1Mbps to 100,000Mbps. When selecting Gbps, the value ranges from 1Gbps
to 100Gbps.

l per-ip-min min-value - Specify the minimum bandwidth of each IP address. When selecting
Kbps, the value ranges from 32Kbps to 10,000,000Kbps. When selecting Mbps, the value
ranges from 1Mbps to 10,000Mbps.

l per-ip-max max-value - Specify the maximum bandwidth of each IP address. When selecting
Kbps, the value ranges from 32Kbps to 10,000,000Kbps. When selecting Mbps, the value
ranges from 1Mbps to 10,000Mbps.

l per-ip-using {src-ip|dst-ip} - Specify which kind of IP addresses will be controlled by the
bandwidth limit you configured by the per-ip-max max-value and per-ip-min min-value com-
mands. src-ip represents the source IP address, and dst-ip represents the destination IP
address.

l per-user-min min-value - Specify the minimum bandwidth of each user. The value ranges
from 32Kbps to 1,000,000Kbps.

l per-user-max max-value - Specify the maximum bandwidth of each user. The value ranges
from 32Kbps to 1,000,000Kbps.

l delay delay-time – Specify the delay time, whose value ranges from 1 second to 3600
seconds. The maximum bandwidth limit of each IP/ user is not effective within the delay
time range.

l flex-per-max {Kbps | Mbps} – Specifies the maximum floating bandwidth, which should be
larger than the maximum bandwidth of each IP/user. The maximum floating bandwidth is
triggered when a root pipe’s bandwidth utilization is lower than the lower threshold. If
Kbps is selected, the value range is from 32Kbps to 1,000,000Kbps. If Mbps is selected, the
value range is from 1Mbps to 1000Mbps.

l tos-marking tos-value - Specify the ToS field.



l traffic-marking traffic-class-value - Specifies the value of the TrafficClass field for IPv6
traffic, ranging from 0-255. The TrafficClass field value of matched IPv6 traffic is set to the
specified value.

l mode aggressive [strength-level level-value] - Enable the peer quench function. By default,
this function is disabled. Based on the bandwidth allocated to the user, the peer quench
function makes the traffic arriving at the device match the allocated bandwidth as closely as
possible, which reduces the packets dropped by the device. When the peer quench function is
enabled, the default strength-level is 1; the value ranges from 1 to 8. A larger value represents
a higher strength level and fewer dropped packets.

l priority value - Specify the priority of the pipe. The value ranges from 0 to 7. The default
value is 7. A smaller value represents a higher priority: the system will first schedule the
traffic in a pipe with a higher priority and will first borrow the idle bandwidth from other
pipes with a lower priority.

Notes:

l You cannot limit the bandwidth to each user and each IP address at the same
time.

l You cannot enable the peer quench function in the forward and backward
traffic management directions at the same time. The peer quench function
is only supported in an end pipe.
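The Python below is an added example for the two pipe-rule sections above (root pipe and sub pipe); it is not StoneOS code and not part of this guide. It builds one direction of a root pipe pipe-rule, checks it against the value ranges quoted in the root pipe reference and against the two notes that apply to both root and sub pipes (per-IP and per-user limits are mutually exclusive; peer quench cannot be enabled in both directions), and renders the command line in the keyword order the syntax above gives. The sub pipe's {min | reserve-bandwidth} ... max ... form and the per-user-min keyword are not modelled. The class and function names and the sample rules are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Value ranges quoted in the root pipe pipe-rule reference above.
BANDWIDTH_RANGE = {"Kbps": (32, 100_000_000), "Mbps": (1, 100_000), "Gbps": (1, 100)}
PER_IP_RANGE_KBPS = (32, 1_000_000)        # per-ip-min / per-ip-max
PER_USER_RANGE_KBPS = (32, 10_000_000)     # per-user-max, Kbps form
FLEX_RANGE = {"Kbps": (32, 1_000_000), "Mbps": (1, 1_000)}
DELAY_RANGE, PRIORITY_RANGE, STRENGTH_RANGE = (1, 3600), (0, 7), (1, 8)
TO_KBPS = {"Kbps": 1, "Mbps": 1_000, "Gbps": 1_000_000}


def _in(v: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= v <= rng[1]


@dataclass
class PipeRule:
    """One direction of a root pipe's pipe-rule (per-IP or per-user form)."""
    direction: str                                  # forward | backward
    bandwidth: Tuple[int, str]                      # (value, Kbps|Mbps|Gbps)
    per_ip_min: Optional[int] = None                # Kbps
    per_ip_max: Optional[int] = None                # Kbps
    per_user_max: Optional[int] = None              # Kbps
    delay: Optional[int] = None                     # seconds
    flex_per_max: Optional[Tuple[int, str]] = None  # (value, Kbps|Mbps)
    per_ip_using: Optional[str] = None              # src-ip | dst-ip
    aggressive: bool = False                        # mode aggressive (peer quench)
    strength_level: Optional[int] = None
    priority: Optional[int] = None

    def errors(self) -> List[str]:
        e = []
        val, unit = self.bandwidth
        if self.direction not in ("forward", "backward"):
            e.append(f"direction must be forward or backward, not {self.direction}")
        if unit not in BANDWIDTH_RANGE or not _in(val, BANDWIDTH_RANGE[unit]):
            e.append(f"bandwidth {val} {unit} outside the allowed range")
        for name, v, rng in (("per-ip-min", self.per_ip_min, PER_IP_RANGE_KBPS),
                             ("per-ip-max", self.per_ip_max, PER_IP_RANGE_KBPS),
                             ("per-user-max", self.per_user_max, PER_USER_RANGE_KBPS)):
            if v is not None and not _in(v, rng):
                e.append(f"{name} {v} Kbps outside {rng[0]}-{rng[1]}")
        cap = self.per_ip_max if self.per_ip_max is not None else self.per_user_max
        if self.per_ip_max is not None and self.per_user_max is not None:
            e.append("per-IP and per-user limits cannot be used at the same time")
        if self.per_ip_using and (self.per_ip_min is None or self.per_ip_max is None):
            e.append("per-ip-using only takes effect with per-ip-min and per-ip-max")
        if self.delay is not None and (cap is None or not _in(self.delay, DELAY_RANGE)):
            e.append("delay needs a per-IP/user maximum and must be 1-3600 seconds")
        if self.flex_per_max is not None:
            fv, fu = self.flex_per_max
            if fu not in FLEX_RANGE or not _in(fv, FLEX_RANGE[fu]):
                e.append(f"flex-per-max {fv} {fu} outside the allowed range")
            elif cap is None or fv * TO_KBPS[fu] <= cap:
                e.append("flex-per-max must be larger than the per-IP/user maximum")
        if self.strength_level is not None and (
                not self.aggressive or not _in(self.strength_level, STRENGTH_RANGE)):
            e.append("strength-level needs mode aggressive and must be 1-8")
        if self.priority is not None and not _in(self.priority, PRIORITY_RANGE):
            e.append(f"priority {self.priority} outside 0-7")
        return e

    def render(self) -> str:
        """CLI line in the keyword order the reference above gives."""
        p = ["pipe-rule", self.direction, "bandwidth", self.bandwidth[1], str(self.bandwidth[0])]
        for kw, v in (("per-ip-min", self.per_ip_min), ("per-ip-max", self.per_ip_max),
                      ("per-user-max", self.per_user_max), ("delay", self.delay)):
            if v is not None:
                p += [kw, str(v)]
        if self.flex_per_max is not None:
            p += ["flex-per-max", self.flex_per_max[1], str(self.flex_per_max[0])]
        if self.per_ip_using:
            p += ["per-ip-using", self.per_ip_using]
        if self.aggressive:
            p += ["mode", "aggressive"]
            if self.strength_level is not None:
                p += ["strength-level", str(self.strength_level)]
        if self.priority is not None:
            p += ["priority", str(self.priority)]
        return " ".join(p)


def rule_set_errors(rules: List[PipeRule]) -> List[str]:
    """Per-rule checks plus the cross-direction note: peer quench may not be
    enabled forward and backward at the same time."""
    e = [f"{r.direction}: {m}" for r in rules for m in r.errors()]
    if {r.direction for r in rules if r.aggressive} >= {"forward", "backward"}:
        e.append("mode aggressive is enabled in both directions")
    return e


# Constructed sample rules: one consistent, one with three documented violations
GOOD = PipeRule("forward", (200, "Mbps"), per_ip_min=512, per_ip_max=2000, delay=30,
                flex_per_max=(5, "Mbps"), per_ip_using="src-ip", priority=3)
BAD = PipeRule("backward", (200, "Mbps"), per_ip_max=2000, per_user_max=4000,
               flex_per_max=(1, "Mbps"), priority=9)
```

GOOD renders as "pipe-rule forward bandwidth Mbps 200 per-ip-min 512 per-ip-max 2000 delay 30 flex-per-max Mbps 5 per-ip-using src-ip priority 3" with no errors; BAD reports the per-IP/per-user conflict, a flex-per-max (1 Mbps) that is not larger than per-ip-max (2000 Kbps), and a priority outside 0-7. Checking a generated line this way before it is typed into the root pipe configuration mode catches the combinations the CLI notes forbid.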

Configuring a Traffic Control Mode for a Root Pipe

A root pipe has the following three traffic control modes:

l Shaping mode: After configuring this mode, the system can limit the data transmission rate
and smoothly forward the traffic. This mode supports the bandwidth borrowing and priority
schedule for the traffic within the root pipe.

l Policing mode: After configuring this mode, the system will drop the traffic that exceeds the
bandwidth limit. This mode does not support the bandwidth borrowing and priority schedule,
and cannot guarantee the minimum bandwidth.

l Monitoring mode: After configuring this mode, the system will monitor the matched traffic,
generate the statistics, and will not control the traffic.

Bandwidth borrowing: All sub pipes in a root pipe can lend their idle bandwidth to the pipes that
lack bandwidth, provided that their own bandwidth is sufficient to forward their own traffic.
Priority schedule: When there is traffic congestion, the system will place the traffic in a waiting
queue. You can give traffic a higher priority, and the system will process the traffic in order of
precedence.
By default, a root pipe uses the policing mode. To configure the traffic control mode of a root
pipe, use the following command in the root pipe configuration mode:
qos-mode {police | shape | stat}

l police – Use the policing mode.

l shape – Use the shaping mode.

l stat – Use the monitoring mode.

Configuring a Schedule for a Root Pipe

You can specify a schedule entry for a root pipe and this root pipe will take effect within the spe-
cified time. To specify a schedule for a root pipe, in the root pipe configuration mode, use the fol-
lowing command:
schedule schedule-name

l schedule-name – Specify the name of the schedule entry.

Use the no schedule schedule-name command to cancel the schedule configuration.



Tip: For more information on creating a schedule, see “Configuring Schedule”
in “System Management”.

Configuring a Schedule for a Sub Pipe

You can specify a schedule entry for a sub pipe and this sub pipe will take effect within the spe-
cified time. To specify a schedule for a sub pipe, in the sub pipe configuration mode, use the fol-
lowing command:
schedule schedule-name

l schedule-name – Specify the name of the schedule entry.

Use the no schedule schedule-name command to cancel the schedule configuration.

Tip: For more information on creating a schedule, see “Configuring Schedule”
in “System Management”.

Binding a Root Pipe to the QSM Module

When configuring iQoS for SG-6000-X6150, SG-6000-X6180, SG-6000-X7180 and SG-6000-
X10800, you can bind the root pipe to the specified QSM module, which can improve the accuracy
of traffic limiting. To bind a root pipe to the QSM module, use the following command in the root
pipe configuration mode:
bind slot {number}

l number – Specify the slot number where the QSM module locates.

Viewing Configurations of Traffic Control Levels and Pipes

To view the configurations of traffic control levels and pipes, use the following command in any
mode:
show qos-engine {first | second} [root-pipe pipe-name]



l first – View the configurations of the first-level traffic control.

l second - View the configurations of the second-level traffic control.

l root-pipe pipe-name - View the configurations of the specified root pipe.

Configuring Threshold Alarm

The system supports configuring a threshold alarm for pipe utilization. After the function is
enabled and the alarm threshold is specified, when the pipe utilization reaches or exceeds the spe-
cified alarm threshold, the system will record a warning-level event log. For the same pipe, the
system records the event log at an interval of 10 seconds.

Enabling/Disabling Threshold Alarm

By default, threshold alarm is enabled. To enable or disable threshold alarm, in the global con-
figuration mode, use the following command:
qos-threshold-switch {on | off}

l on - Enable threshold alarm.

l off - Disable threshold alarm.

Specifying the Alarm Threshold

To specify the alarm threshold, in the global configuration mode, use the following command:
qos-threshold threshold

l threshold - Specify the alarm threshold. The unit is percent. The range is from 50 to 100. The
default value is 80.

Showing the Status of Threshold Alarm

To show the status of threshold alarm, in any mode, use the following command:
show qos-threshold
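As an added example for the threshold alarm described above (not StoneOS code, and not the format of the device's own event log), the Python below replays a series of pipe-utilization readings through the documented rule: a warning-level event when utilization reaches or exceeds the qos-threshold value (50-100, default 80), and for the same pipe at most one event every 10 seconds. The readings, pipe names and the event-line format are constructed; the class and function names are this example's own.

```python
from typing import Dict, List, Optional, Tuple

LOG_INTERVAL_S = 10           # per-pipe spacing between event logs, from the text above


class ThresholdAlarm:
    """Threshold alarm state for all pipes: threshold in percent (50-100,
    default 80) and the time each pipe last produced an event log."""

    def __init__(self, threshold: int = 80, enabled: bool = True):
        if not 50 <= threshold <= 100:
            raise ValueError(f"qos-threshold {threshold} outside 50-100")
        self.threshold = threshold
        self.enabled = enabled
        self._last_logged: Dict[str, float] = {}

    def observe(self, t: float, pipe: str, utilization_pct: float) -> Optional[str]:
        """Return the warning-level event line for one sample, or None."""
        if not self.enabled or utilization_pct < self.threshold:
            return None
        last = self._last_logged.get(pipe)
        if last is not None and t - last < LOG_INTERVAL_S:
            return None               # same pipe already logged within the last 10 s
        self._last_logged[pipe] = t
        return (f"t={t:.0f}s WARNING pipe {pipe} utilization "
                f"{utilization_pct:.0f}% >= threshold {self.threshold}%")


# Constructed sample readings: (time in seconds, pipe name, utilization %)
SAMPLE_READINGS: List[Tuple[float, str, float]] = [
    (0, "wan-out", 65), (5, "wan-out", 82), (8, "wan-out", 91), (12, "wan-out", 85),
    (15, "wan-out", 88), (15, "guest", 80), (16, "guest", 99), (26, "guest", 50),
]


def replay(readings=SAMPLE_READINGS, threshold: int = 80, enabled: bool = True) -> List[str]:
    """Run the readings through the alarm and collect the event lines."""
    alarm = ThresholdAlarm(threshold, enabled)
    events = []
    for t, pipe, util in readings:
        line = alarm.observe(t, pipe, util)
        if line is not None:
            events.append(line)
    return events
```

With the default threshold the sample produces three events: wan-out at t=5 s, wan-out again at t=15 s (the readings at 8 s and 12 s are within the 10-second interval and are suppressed), and guest at t=15 s, whose 80% reading counts because the rule is "reaches or exceeds". A threshold of 90 leaves only the 91% and 99% readings, and switching the alarm off yields nothing.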



QoS

Overview

QoS (Quality of Service) is used to provide different priorities to different traffic, in order to con-
trol the delay and flapping, and decrease the packet loss rate. QoS can assure the normal trans-
mission of critical business traffic when the network is overloaded or congested.
QoS is an assembly of techniques for controlling bandwidth, delay, flapping, and packet loss in a
network. All QoS mechanisms are designed to affect at least one or even all the above features.

QoS Implementation

In general, QoS includes:

l Classification and marking mechanisms

l Policing and shaping mechanisms

l Congestion management mechanism

l Congestion avoidance mechanism

The QoS system structure is shown in the figure below.



As shown in the figure above, the packets are classified and marked after entering the system from
the ingress interface. During the process, the policing mechanism will drop some of the packets.
Then, the packets will be categorized again according to their marks. The congestion management
and congestion avoidance mechanisms give different priorities to different types of packets so
that the packets of higher priority can pass the gateway earlier to avoid network congestion. Fin-
ally, the system will send packets which have been processed by QoS mechanisms out from the
egress interfaces.

Classification and Marking

Classification and marking is the process of identifying the priority of each packet. This is the first
step of QoS control, and should be done near the source hosts.

Classification

The packets are generally classified by their packet headers. The packet headers are examined
closely according to the rules specified in the figure below. The figure below shows the classification fields,
and the table below lists the criteria of classification:

Layer      Description
Layer 1    Physical interface and sub-interface
Layer 2    MAC address, 802.1Q/p class of service (CoS) bit string and VLAN mark
Layer 3    IP precedence, DiffServ code point (DSCP) and source/destination IP address group
Layer 4    Port number (TCP or UDP)
Layer 7    Application type or application signature



Marking

The fields that can carry marks include:

l Layer 2 marking field: 802.1Q/p

l Layer 3 marking field: IP precedence and DSCP

802.1Q/p

Ethernet frames are marked with 802.1p user priority (CoS) of 802.1Q header. The Layer 2 Eth-
ernet frame has only 8 types of services (from 0 to 7), as shown in the table below:

CoS value/IP precedence    Application
7                          Reserved
6                          Reserved
5                          Voice
4                          Video Conference
3                          Call Signaling
2                          High-priority Data
1                          Medium-priority Data
0                          Best-effort Data

IP Precedence and DSCP

Similar to CoS, IP precedence can be marked with 8 types of services (0 to 7). See the table
above.
DSCP (DiffServ Code Point) provides a 6-bit field for QoS marking, among which 3 bits are the
same as IP precedence, and the other 3 bits are ToS fields. Thus, the DSCP value range is 0 to 63.
The figure below shows the DSCP and IP precedence bits:



A DSCP value can be represented in two forms: digital and keyword. The keyword form of DSCP
value is also known as Per-Hop Behavior (PHB). At the time of writing there are 3 types of
defined PHBs: Best-Effort (BE or DSCP 0), Assured Forwarding (AF) and Expedited Forwarding
(EF). For more information, see RFC2547, 2597 and 3246. The DSCP value plays a significant
role in the subsequent QoS processing.

Policing and Shaping

QoS policing and shaping mechanisms are used to identify traffic violations and respond to them.
Policing and shaping use the same algorithms to identify traffic violations, but they respond dif-
ferently.
The policing mechanism checks traffic in real time and takes immediate action according to the
settings when it discovers a violation. For example, the policing mechanism can identify whether the
traffic exceeds the defined flow rate and then decide to re-mark or drop the excess. It can
control traffic in both the inbound and outbound directions.
The shaping mechanism works together with the queuing mechanism. It sends all traffic to one inter-
face and makes sure that the traffic never exceeds the defined flow rate, so that the traffic can go
through that interface smoothly. The shaping mechanism is typically applied to the outbound dir-
ection.
The differences between policing and shaping are listed in the table below.

Policing                                          Shaping
TCP re-connection due to packets being dropped    Typically traffic delay, but seldom TCP re-connection
Inflexible and unadaptable                        The queuing mechanism can reduce network congestion
Ingress interface and egress interface control    Egress interface control
No cache or rate limit                            Cache and rate limit

Token Bucket Algorithm

Hillstone devices use the token bucket algorithm to determine whether network traffic has violated
the rules. A token bucket is an abstract container that holds tokens. The system puts tokens into the
bucket at a defined rate. When the bucket is full, additional tokens overflow and the number of
tokens in the bucket does not change. The token bucket spends its tokens to transmit packets. When
the bucket has enough tokens to transmit a packet, the traffic is said to conform to the
rule; otherwise it exceeds the rule. The parameters in traffic evaluation include:

l CIR (Committed Information Rate): The rate of placing tokens, i.e. the average rate of data
transmission.

l CBS (Committed Burst Size): The size of the first token bucket, i.e. the maximum traffic
volume allowed in each burst. This value must be larger than the length of the largest packet.
This token bucket is abbreviated as C-bucket.

l EBS (Excess Burst Size): The size of the second token bucket, i.e. the maximum value of
exceeded traffic allowed. This token bucket is abbreviated as E-bucket.

When evaluating traffic, the control operations may vary from different situations which include:
1) C-bucket has enough tokens; 2) C-bucket tokens are insufficient but E-bucket is sufficient; 3)
both C-bucket and E-bucket do not have enough tokens. The figure below illustrates the double
token buckets algorithm:

As shown above, B is the size of the packet; Tc is the number of tokens in the C-bucket (CBS); Te is the number of tokens in the E-bucket (EBS).
When Tc is larger than the packet size, the packet conforms and is processed according to the conform action; when Tc is smaller than the packet size, the system checks Te; if Te is larger than the packet size, the packet exceeds and is processed according to the exceed action; but if Te is also smaller than the packet size, the packet violates the rule and is processed according to the violate action.

Congestion Management

The congestion management mechanism is one of the most important tools in QoS control. It uses queuing theory to solve the problems of congested interfaces. As data rates differ among networks, congestion may occur in both a wide area network (WAN) and a local area network (LAN). Queuing only begins to work when an interface is congested. Hillstone devices support class-based weighted fair queuing (CBWFQ) and low latency queuing (LLQ).

• CBWFQ: Allows users to configure the minimum bandwidth of a certain type of traffic.

• LLQ: A combination of the PQ, CQ and WFQ algorithms. LLQ is usually used for voice and interactive video. During configuration, all the applications of the LLQ type can occupy no more than 33% of the total bandwidth.

Congestion Avoidance

The congestion avoidance mechanism is a supplement to the queuing algorithm and also relies on it. The congestion avoidance mechanism is designed to process TCP-based traffic. On Hillstone devices, congestion avoidance is implemented by the WRED algorithm.

Configuring QoS

To implement QoS on the Hillstone device, first configure a QoS profile, and then apply the QoS profile to an interface. You can apply multiple QoS profiles to a single interface. To configure QoS, take the following steps:

1. Configure a class. This is the process of identifying and classifying traffic. The class defines the traffic that will be matched on the device, so that the device can classify the traffic.

2. Configure a QoS profile. The QoS profile defines the actions for the matched traffic, including policing, shaping, congestion management, and congestion avoidance.

3. Bind the QoS profile to an interface. Only after the configured QoS profile is bound to an interface can QoS function on the device.

Configuring a Class

Hillstone devices support the following types of matching conditions:

• Application

• DSCP

• CoS

• IP range

• Address entry

• QoS tag

• IP precedence

• Ingress interface

• Role

The traffic matching conditions can only be configured in the class configuration mode. To enter the class configuration mode, in the global configuration mode, use the following command:
class-map class-name

• class-name – Specifies the name of the class. After executing the command, the system will create a class and enter the class configuration mode; if the specified name already exists, the system will directly enter the class configuration mode.

The system provides a default class named class-default. During QoS, all the unmatched traffic will be diverted to class-default. The minimum bandwidth of class-default is the interface bandwidth minus all the reserved bandwidth. It is recommended to reserve 25% of the bandwidth for class-default. This proportion has proven to be the best reservation. You can configure up to 10 matching conditions for each class.
To cancel the specified class, in the global configuration mode, use the command no class-map class-name.

Configuring an Application Matching Condition

Hillstone devices support over 100 applications, such as FTP, SMTP, OSPF, etc. To configure an application matching condition, in the class configuration mode, use the following command:
match application app-name

• app-name – Specifies the name of the application. It can be the name of a predefined application or application group, or the name of a user-defined application or application group.

Repeat the command to configure more application matching conditions.
To delete the specified application matching condition, in the class configuration mode, use the command no match application app-name.
If multiple classes in a QoS profile contain the same application ID, the system will process the packets based on the first matched rule. You can use the show application list command to view application IDs.

Tip: For detailed information about services, see “Service and Application” in the “Firewall”.

Configuring a DSCP Matching Condition

To configure a DSCP matching condition, in the class configuration mode, use the following command:
match dscp dscp-value1 [dscp-value2] [dscp-value3] [dscp-value4]

• dscp-value – Specifies the DSCP as the matching condition. The DSCP can be either an integer (0 to 63) or a keyword (such as af11, cs2). You can specify up to 4 DSCP values in one command, and the logical relationship among them is OR.

Repeat the command to configure more DSCP matching conditions. To delete the specified DSCP matching condition, in the class configuration mode, use the command:
no match dscp dscp-value1 [dscp-value2] [dscp-value3] [dscp-value4]

Configuring a CoS Matching Condition

To configure a CoS matching condition, in the class configuration mode, use the following command:
match cos cos-value1 [cos-value2] [cos-value3] [cos-value4]

• cos-value – Specifies the CoS value of 802.1Q as the matching condition. The value range is 0 to 7. You can specify up to 4 CoS values in one command, and the logical relationship among them is OR.

Repeat the command to configure more CoS matching conditions.
To delete the specified CoS matching condition, in the class configuration mode, use the command no match cos cos-value1 [cos-value2] [cos-value3] [cos-value4].

Configuring an IP Range Matching Condition

The IP range matching condition is used to configure IP QoS. To configure an IP range matching condition, in the class configuration mode, use the following command:
match ip-range start-ip end-ip

• start-ip – Specifies the start IP of the IP range.

• end-ip – Specifies the end IP of the IP range.

The IP range should not exceed the range of a Class B address block.

Repeat the command to configure more IP range matching conditions.
To delete the specified IP range matching condition, in the class configuration mode, use the command no match ip-range start-ip end-ip.

Configuring an Address Entry Matching Condition

To configure an address entry matching condition, in the class configuration mode, use the following command:
match address address-entry

• address-entry – Specifies an address entry defined in the address book.

Repeat the command to configure more address entry matching conditions.
To delete the specified address entry matching condition, in the class configuration mode, use the command no match address address-entry.

Configuring a QoS Tag Matching Condition

To configure a QoS tag matching condition, in the class configuration mode, use the following command:
match policy-qos-tag tag-value

• tag-value – Specifies the value of the QoS tag. The value range is 1 to 1024. You can configure a QoS tag when creating a policy rule or P2P profile.

Repeat the command to configure more QoS tag matching conditions.
To delete the specified QoS tag matching condition, in the class configuration mode, use the command no match policy-qos-tag tag-value.

Tip: For more information about how to create a policy rule and how to configure a QoS tag, see the “Policy”.

Configuring an IP Precedence Matching Condition

To configure an IP precedence matching condition, in the class configuration mode, use the following command:
match precedence precedence-value1 [precedence-value2] [precedence-value3] [precedence-value4]

• precedence-value – Specifies the value of IP precedence. The value range is 0 to 7. You can specify up to 4 IP precedence values in one command, and the logical relationship among them is OR.

Repeat the command to configure more IP precedence matching conditions.
To delete the specified IP precedence matching condition, in the class configuration mode, use the command no match precedence precedence-value1 [precedence-value2] [precedence-value3] [precedence-value4].

Configuring an Ingress Interface Matching Condition

To configure an ingress interface matching condition, in the class configuration mode, use the following command:
match input-interface interface-name

• interface-name – Specifies the ingress interface.

Repeat the command to configure more ingress interface matching conditions.
To delete the specified ingress interface matching condition, in the class configuration mode, use the command no match input-interface interface-name.

Configuring a Role/User/User Group Matching Condition

To configure a role/user/user group matching condition, in the class configuration mode, use the following command:
match {role role-name | user aaa-server-name user-name | user-group aaa-server-name user-group-name}

• role-name – Specifies the name of the role.

• aaa-server-name – Specifies the name of the AAA server.

• user-name – Specifies the username.

• user-group-name – Specifies the name of the user group.

Repeat the command to configure more role matching conditions.
To delete the specified role matching condition, in the class configuration mode, use the command no match {role role-name | user aaa-server-name user-name | user-group aaa-server-name user-group-name}.

Viewing the Class Information

To view the class information, in any mode, use the following command:
show class-map [class-name]

• class-name – Shows the information of the specified class. If this parameter is not specified, the system will show the information of all the classes.

Configuring a QoS Profile

A QoS profile is used to implement QoS on the matched traffic. You can also control the valid time of a QoS profile via a schedule. Hillstone devices support application QoS, IP QoS and role QoS. Configure the profile for them as needed.
The QoS profile needs to be configured in the QoS profile configuration mode. To enter the QoS profile configuration mode, in the global configuration mode, use the following command:
qos-profile qos-profile-name

• qos-profile-name – Specifies the name of the QoS profile. After executing the command, the system will create a QoS profile with the specified name and enter the QoS profile configuration mode; if the specified name already exists, the system will directly enter the QoS profile configuration mode.

To delete the specified QoS profile, in the global configuration mode, use the command no qos-profile qos-profile-name.
To specify a schedule for the QoS profile, in the QoS profile configuration mode, use the following command:
schedule schedule-name

• schedule-name – Specifies the name of a schedule defined in the system.

Repeat the command to specify more schedules for the QoS profile. You can specify up to 10 schedules for each QoS profile. To avoid possible unknown problems, it is not recommended to use schedules whose time periods overlap.
To cancel the specified schedule, in the QoS profile configuration mode, use the following command:
no schedule schedule-name

Tip: For more information on creating a schedule, see “Configuring Schedule” in the “System Management”.

To implement QoS on the matched traffic, you need to specify a class for the QoS profile in the QoS profile configuration mode, and then specify an action for the traffic that matches the class. You can specify up to 64 classes (including the default class class-default) for each QoS profile. Application QoS supports all the matching conditions, while IP QoS only supports the IP range (start IP, end IP and address entry) matching condition, and role QoS only supports the role matching condition.
To specify a class for the QoS profile, in the QoS profile configuration mode, use the following command:
class class-name

• class-name – Specifies the name of the class. After executing the command, the system will enter the QoS profile class configuration mode.

To delete the specified class, in the QoS profile configuration mode, use the command no class class-name.
You can specify the QoS options for the matched traffic in the QoS profile class configuration mode, including:

• Specifying the minimum bandwidth

• Configuring policing

• Configuring shaping

• Configuring IP-based QoS (IP QoS)

• Configuring an IP QoS priority

• Configuring LLQ

• Configuring congestion avoidance

• Configuring DSCP

• Configuring CoS

• Configuring IP precedence

• Configuring a matching priority

• Configuring role-based QoS (role QoS)

Specifying the Minimum Bandwidth

To specify the minimum bandwidth for the class of a QoS profile, in the QoS profile class configuration mode, use the following command:
bandwidth {bandwidth-value | percent percentage} [schedule schedule-name]

• bandwidth-value – Specifies the minimum bandwidth for the class. This value is also the weight for the CBWFQ calculation. The value range is 32 to 1000000 kbps.

• percent percentage – Specifies the minimum bandwidth of the class as a percentage of the interface's total bandwidth. The value range is 1 to 100.

• schedule-name – Specifies the name of a schedule defined in the system. The configuration will only take effect during the specified period. Repeat the command to specify more schedules (up to 8). To avoid possible unknown problems, it is not recommended to use schedules whose time periods overlap.

To cancel the specified minimum bandwidth, in the QoS profile class configuration mode, use the command no bandwidth.

Configuring Policing

Traffic policing is used to control the traffic and apply the specified actions to conforming and exceeding traffic. To configure policing for a class, in the QoS profile class configuration mode, use the following command:
police cir-value [cbs-value] [ebs-value] conform-action {drop | set-dscp-transmit dscp-value | set-prec-transmit precedence-value | transmit} exceed-action {drop | set-dscp-transmit dscp-value | set-prec-transmit precedence-value | transmit} [violate-action {drop | set-dscp-transmit dscp-value | set-prec-transmit precedence-value | transmit}] [schedule schedule-name]

• cir-value – Specifies the committed information rate (the rate of putting tokens into the token bucket), i.e., the average rate of the permitted traffic, and also the maximum bandwidth of the class. The value must be smaller than the actual bandwidth value of the interface. The value range is 32 to 1000000 Kbps.

• cbs-value – Specifies the committed burst size (the size of the first token bucket), i.e., the maximum traffic for each burst. The value must be larger than the size of the longest packet, and smaller than the actual bandwidth value of the interface. The value range is 2048 to 51200000 bytes.

• ebs-value – Specifies the excess burst size (the size of the second token bucket), i.e., the maximum traffic for the excess burst. The value must be smaller than the actual bandwidth value of the interface. The value range is 2048 to 51200000 bytes.

• conform-action – Specifies the action for the packets that conform to the specifications. Select one of the actions below:

  • drop: Drops the packets.

  • set-dscp-transmit dscp-value: Sets a DSCP for the packets and transmits them.

  • set-prec-transmit precedence-value: Sets an IP precedence for the packets and transmits them.

  • transmit: Keeps the packets intact and transmits them.

• exceed-action – Specifies the action for the packets that exceed the excess burst size. The options are the same as those of conform-action above.

• violate-action – Specifies the action for the packets that violate the specification. The only available option is drop, i.e., dropping the packet.

• schedule-name – Specifies the name of a schedule defined in the system. The configuration will only take effect during the specified period. Repeat the command to specify more schedules (up to 8). To avoid possible unknown problems, it is not recommended to use schedules whose time periods overlap.

To cancel the specified policing, in the QoS profile class configuration mode, use the command no police.
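
The dual-bucket evaluation described in the token bucket section, together with the conform/exceed/violate actions of the police command, carried through in code. This is an added Python model, not StoneOS code; the refill order (tokens fill the C-bucket first and overflow into the E-bucket, as in RFC 2697 srTCM) and the integer-millisecond clock are assumptions, since the guide does not specify them.

```python
"""Dual token bucket (C-bucket / E-bucket) policer.

Added example, not StoneOS code. The guide does not state how the E-bucket is
refilled; this model follows RFC 2697 (srTCM): tokens arrive at CIR into the
C-bucket and overflow into the E-bucket. Time is integer milliseconds so the
arithmetic is exact.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Value ranges quoted from the police command reference above.
CIR_MIN_KBPS, CIR_MAX_KBPS = 32, 1_000_000
BURST_MIN_BYTES, BURST_MAX_BYTES = 2048, 51_200_000


@dataclass
class DualTokenBucket:
    cir_kbps: int                 # CIR: token arrival rate = average permitted rate
    cbs_bytes: int                # CBS: capacity of the C-bucket
    ebs_bytes: int                # EBS: capacity of the E-bucket
    # conform/exceed/violate -> action keyword, like the CLI's *-action options
    actions: Dict[str, str] = field(default_factory=lambda: {
        "conform": "transmit", "exceed": "transmit", "violate": "drop"})
    tc: int = field(init=False)   # tokens currently in the C-bucket
    te: int = field(init=False)   # tokens currently in the E-bucket
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        if not CIR_MIN_KBPS <= self.cir_kbps <= CIR_MAX_KBPS:
            raise ValueError("cir-value must be 32 to 1000000 Kbps")
        for name, size in (("cbs", self.cbs_bytes), ("ebs", self.ebs_bytes)):
            if not BURST_MIN_BYTES <= size <= BURST_MAX_BYTES:
                raise ValueError(f"{name}-value must be 2048 to 51200000 bytes")
        # Both buckets start full, so an initial burst of up to CBS bytes conforms.
        self.tc, self.te = self.cbs_bytes, self.ebs_bytes

    def _refill(self, now_ms: int) -> None:
        """Add CIR * elapsed tokens: fill the C-bucket first, overflow to the E-bucket."""
        elapsed = now_ms - self.last_ms
        if elapsed <= 0:
            return
        self.last_ms = now_ms
        # Kbps -> bytes per ms: cir * 1000 bit/s / 8 bit/byte / 1000 ms/s = cir / 8
        new_tokens = elapsed * self.cir_kbps // 8
        room_c = self.cbs_bytes - self.tc
        if new_tokens <= room_c:
            self.tc += new_tokens
            return
        self.tc = self.cbs_bytes
        self.te = min(self.ebs_bytes, self.te + new_tokens - room_c)

    def evaluate(self, packet_bytes: int, now_ms: int) -> str:
        """Classify one packet of size B as conform, exceed or violate.

        Same decision as the text: Tc >= B -> conform (C-bucket pays);
        else Te >= B -> exceed (E-bucket pays); else violate (nothing consumed).
        """
        if packet_bytes > self.cbs_bytes:
            raise ValueError("CBS must be larger than the longest packet")
        self._refill(now_ms)
        if self.tc >= packet_bytes:
            self.tc -= packet_bytes
            return "conform"
        if self.te >= packet_bytes:
            self.te -= packet_bytes
            return "exceed"
        return "violate"

    def police(self, packet_bytes: int, now_ms: int) -> str:
        """Return the configured action keyword for one packet."""
        return self.actions[self.evaluate(packet_bytes, now_ms)]


def demo() -> List[str]:
    """Five 1500-byte packets arrive at t=0 and a sixth 30 ms later, under
    police 800 4000 4000 conform-action transmit
           exceed-action set-dscp-transmit 0 violate-action drop
    """
    policer = DualTokenBucket(800, 4000, 4000, actions={
        "conform": "transmit", "exceed": "set-dscp-transmit 0", "violate": "drop"})
    results = [policer.police(1500, 0) for _ in range(5)]
    # 800 Kbps = 100 bytes/ms, so 30 ms puts back the 3000 bytes the burst took from the C-bucket
    results.append(policer.police(1500, 30))
    return results
```

The first two packets drain the C-bucket to 1000 bytes, the next two are paid for by the E-bucket and re-marked, the fifth finds neither bucket sufficient and is dropped, and after 30 ms of refill the sixth conforms again.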

Configuring Shaping

Traffic shaping works on egress interfaces and is used to smooth the egress traffic according to the rate configuration. To configure shaping for a class, in the QoS profile class configuration mode, use the following command:
shape cir-value [cbs-value] [ebs-value] [schedule schedule-name]

• cir-value – Specifies the committed information rate (the rate of putting tokens into the token bucket), i.e., the average rate of the permitted traffic, and also the maximum bandwidth of the class. The value must be smaller than the actual bandwidth value of the interface. The value range is 32 to 1000000 Kbps.

• cbs-value – Specifies the committed burst size (the size of the first token bucket), i.e., the maximum traffic for each burst. The value must be larger than the size of the longest packet, and smaller than the actual bandwidth value of the interface. The value range is 2048 to 51200000 bytes.

• ebs-value – Specifies the excess burst size (the size of the second token bucket), i.e., the maximum traffic for the excess burst. The value must be smaller than the actual bandwidth value of the interface. The value range is 2048 to 51200000 bytes.

• schedule-name – Specifies the name of a schedule defined in the system. The configuration will only take effect during the specified period. Repeat the command to specify more schedules (up to 8). To avoid possible unknown problems, it is not recommended to use schedules whose time periods overlap.

To cancel the specified shaping, in the QoS profile class configuration mode, use the command no shape.

Configuring IP-based QoS (IP QoS)

IP-based QoS, i.e., IP QoS, is used to control the maximum or reserved bandwidth for each IP within the LAN. The prerequisite for implementing IP QoS is that the class in the QoS profile must contain the IP range (start IP, end IP or address entry) matching condition. IP QoS should not be used together with other types of QoS, i.e., if one class in the QoS profile is configured with IP QoS, all the other classes in the QoS profile must also be configured with IP QoS.
To configure IP QoS, in the QoS profile class configuration mode, use the following command:
ip-qos {shared-bandwidth | per-ip} {max-bandwidth bandwidth | reserve-bandwidth bandwidth [max-bandwidth bandwidth]} [schedule schedule-name]

• shared-bandwidth – Specifies that the maximum bandwidth (max-bandwidth bandwidth) or reserved bandwidth (reserve-bandwidth bandwidth) is shared by all the IPs within the IP range. The IP range is specified by the ip-range of the class.

• per-ip – Specifies that the maximum bandwidth (max-bandwidth bandwidth) or reserved bandwidth (reserve-bandwidth bandwidth) is available to each IP within the IP range. The IP range is specified by the ip-range of the class.

• max-bandwidth bandwidth – Specifies the maximum bandwidth, i.e., the maximum bandwidth shared by all the IPs (shared-bandwidth) or available to each IP (per-ip) within the IP range. The value range is 32 to 1000000 kbps. When configuring reserve-bandwidth, the default value of max-bandwidth is 100000.

• reserve-bandwidth bandwidth – Specifies the reserved bandwidth, i.e., the reserved bandwidth shared by all the IPs (shared-bandwidth) or available to each IP (per-ip) within the IP range. The value range is 32 to 1000000 kbps. This value must be smaller than the actual bandwidth value of the interface.

• schedule-name – Specifies the name of a schedule defined in the system. The configuration will only take effect during the specified period. Repeat the command to specify more schedules (up to 8). To avoid possible unknown problems, it is not recommended to use schedules whose time periods overlap.

To cancel the specified IP QoS, in the QoS profile class configuration mode, use the command no ip-qos {shared-bandwidth | per-ip} {max-bandwidth bandwidth | reserve-bandwidth bandwidth [max-bandwidth bandwidth]} [schedule schedule-name].
Allocation Principle of Reserved Bandwidth
The allocation of reserved bandwidth to IP addresses follows the principles below:

• Only when traffic is passing through the matched IP addresses will the system reserve the specified bandwidth; when the traffic terminates, the reserved bandwidth will be freed.

• If the sum of the reserved bandwidth is larger than the interface bandwidth, and the interface bandwidth is already occupied by IP addresses, then the traffic passing through newly matched IP addresses will be diverted to class-default; if the bandwidth of class-default is 0, the traffic will be dropped.

Here is an example of configuring IP QoS. The reserved bandwidth per IP for IP1 - IP20 is 1M, and the maximum bandwidth per IP for IP21 - IP40 is 1M. The interface bandwidth is 10M. When traffic is passing through IP1 - IP9 and IP21 - IP40, IP1 - IP9 will each be allocated the reserved bandwidth of 1M; the traffic that exceeds the 1M reserved bandwidth of IP1 - IP9 and the traffic passing through IP21 - IP40 will compete for the remaining 1M of bandwidth. In such a case, if any traffic passes through IP10, the remaining 1M of bandwidth will be reserved for IP10. Thus, IP1 - IP10 are each allocated 1M of reserved bandwidth, while all the excess traffic of IP1 - IP10 and all the traffic passing through IP21 - IP40 will be diverted to class-default. However, the bandwidth of class-default is 0 (all the interface bandwidth is reserved), so the above traffic will be dropped.
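
The allocation principle and the IP1 - IP40 walk-through above, as an added Python model (not StoneOS code). It assumes that reservations are taken in the order in which traffic starts on each IP and freed when that traffic stops, and that class-default keeps the interface bandwidth minus all active reservations, as the class-default description states.

```python
"""Reserved-bandwidth allocation for IP QoS (ip-qos per-ip reserve-bandwidth /
max-bandwidth). Added model, not StoneOS code: reservations are taken in the
order traffic starts and freed when it stops; class-default keeps whatever the
interface has left, and traffic sent to a class-default with 0 bandwidth is dropped.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Decision = Tuple[str, int]   # (handled by, bandwidth in kbps)


@dataclass
class IpQosInterface:
    interface_kbps: int
    # class name -> ("reserve", kbps) for reserve-bandwidth or ("max", kbps) for max-bandwidth
    classes: Dict[str, Tuple[str, int]]
    membership: Dict[str, str]                                   # ip -> class whose ip-range covers it
    reservations: Dict[str, int] = field(default_factory=dict)   # ip -> kbps currently reserved

    def reserved_total(self) -> int:
        return sum(self.reservations.values())

    def class_default_kbps(self) -> int:
        """class-default gets the interface bandwidth minus all reserved bandwidth."""
        return self.interface_kbps - self.reserved_total()

    def traffic_starts(self, ip: str) -> Decision:
        """Decide where traffic from ip is handled when it begins to flow."""
        kind, kbps = self.classes.get(self.membership.get(ip, ""), ("none", 0))
        if kind == "reserve":
            if ip in self.reservations:                     # already holding its reservation
                return ("reserved", self.reservations[ip])
            if self.reserved_total() + kbps <= self.interface_kbps:
                self.reservations[ip] = kbps                # reserved only while traffic flows
                return ("reserved", kbps)
            return self._class_default(None)                # sum of reservations would exceed the interface
        return self._class_default(kbps if kind == "max" else None)

    def traffic_stops(self, ip: str) -> None:
        """Traffic ends: the reserved bandwidth is freed."""
        self.reservations.pop(ip, None)

    def _class_default(self, cap: Optional[int]) -> Decision:
        left = self.class_default_kbps()
        if left == 0:
            return ("dropped", 0)
        return ("class-default", left if cap is None else min(cap, left))


def demo() -> Dict[str, Decision]:
    """The guide's example: IP1-IP20 reserve 1M each, IP21-IP40 max 1M each, 10M interface."""
    classes = {"reserve-1m": ("reserve", 1000), "max-1m": ("max", 1000)}
    membership = {f"IP{i}": "reserve-1m" for i in range(1, 21)}
    membership.update({f"IP{i}": "max-1m" for i in range(21, 41)})
    ifc = IpQosInterface(10_000, classes, membership)
    out: Dict[str, Decision] = {}
    for i in range(1, 10):                                  # IP1-IP9 each take 1M reserved
        out[f"IP{i}"] = ifc.traffic_starts(f"IP{i}")
    out["IP21, 9 reserved"] = ifc.traffic_starts("IP21")   # competes for the 1M left
    out["IP10"] = ifc.traffic_starts("IP10")               # the last 1M is reserved for IP10
    out["IP21, 10 reserved"] = ifc.traffic_starts("IP21")  # class-default is 0 -> dropped
    out["IP11"] = ifc.traffic_starts("IP11")               # reservations would exceed 10M -> dropped
    ifc.traffic_stops("IP3")                                # IP3's traffic ends, 1M freed
    out["IP11 after IP3 stops"] = ifc.traffic_starts("IP11")
    return out
```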

Configuring an IP QoS Priority

Sometimes the maximum bandwidth available to a user is restricted. In such a case, if the user is downloading large files via Thunder or other P2P software, the user will find it rather slow to open web pages or receive responses from game servers. To solve the problem, Hillstone devices introduce an IP QoS priority mechanism. The traffic of each IP is assigned a priority depending on the type of the application, and traffic with a higher priority is processed first. The IP QoS priority should be used in combination with IP QoS to realize the following effect: the bandwidth is restricted, and at the same time important traffic is allocated bandwidth with higher priority. A QoS profile with IP QoS priority configured can only be applied to ingress interfaces.
StoneOS supports 5 IP QoS priorities (1 to 5), among which 1 is the highest priority and 3 is the default priority. The IP QoS priority is only valid within the device. Once the packets leave the Hillstone device, the marked IP QoS priority is void.
To make the IP QoS priority take effect, take the following steps on the device:

1. Configure an IP QoS priority for the ingress interface, depending on the type of the application.

2. Configure an IP-based QoS profile on the egress interface, and apply the configured IP QoS priority to the profile.

To configure an IP QoS priority, in the QoS profile class configuration mode, use the following command:
set ip-qos-priority number

• number – Specifies the IP QoS priority. The value range is 1 to 5. The default value is 3.

To restore the default IP QoS priority, in the QoS profile class configuration mode, use the command no set ip-qos-priority.

Configuring LLQ

Low Latency Queuing (LLQ) is a comprehensive algorithm combining Priority Queuing (PQ), Custom Queuing (CQ) and Weighted Fair Queuing (WFQ). LLQ is usually used for voice and interactive video streams. The total bandwidth configured for LLQ should not be more than 33% of the total application bandwidth. To configure LLQ for the class, in the QoS profile class configuration mode, use the following command:
priority {bandwidth-value | percent percentage} [burst-size] [schedule schedule-name]

• bandwidth-value – Specifies the reserved bandwidth. The value range is 32 to 1000000 Kbps.

• percent percentage – Specifies the reserved bandwidth as a percentage of the interface's total bandwidth. The value range is 1 to 100.

• burst-size – Specifies the burst size. The value range is 2048 to 51200000 bytes.

• schedule-name – Specifies the name of a schedule defined in the system. The configuration will only take effect during the specified period. Repeat the command to specify more schedules (up to 8). To avoid possible unknown problems, it is not recommended to use schedules whose time periods overlap.

To cancel the specified LLQ, in the QoS profile class configuration mode, use the command no priority.

Configuring Congestion Avoidance

Congestion avoidance on Hillstone devices is implemented by the Weighted Random Early Detection (WRED) mechanism. With WRED enabled, the system drops packets at random in case of congestion, in order to avoid TCP global synchronization and improve line utilization. WRED is disabled by default. To configure WRED, in the QoS profile class configuration mode, use the following command:
random-detect [dscp-based | prec-based]

• dscp-based – WRED calculates the probability of dropping the packets based on DSCP.

• prec-based – WRED calculates the probability of dropping the packets based on IP precedence. This is the default option.

To cancel the specified WRED, in the QoS profile class configuration mode, use the command no random-detect.

Configuring CoS

You can configure a Layer 2 CoS value for the outbound packets and, in combination with the command match cos, enable the device to implement QoS on packets based on the marked CoS value. A QoS profile with CoS configured can only be bound to ingress interfaces. To configure CoS for the class, in the QoS profile class configuration mode, use the following command:
set cos cos-value

• cos-value – Specifies the CoS value. The value range is 0 to 7.

To cancel the specified CoS, in the QoS profile class configuration mode, use the command no set cos.

Configuring DSCP

You can mark DSCP values for different packets, so that all the other QoS functions can operate on the packets based on the configured DSCP values. A QoS profile with DSCP configured can only be bound to the ingress interface. A single packet should not be configured with both DSCP and IP precedence; you can only select one of them. To configure DSCP for the class, in the QoS profile class configuration mode, use the following command:
set dscp dscp-value

• dscp-value – Specifies a DSCP value, either in the form of an integer (0 to 63) or a keyword (such as af11, cs2).

To cancel the specified DSCP, in the QoS profile class configuration mode, use the command no set dscp.

Configuring IP Precedence

You can mark IP precedence values for different packets, so that all the other QoS functions can operate on the packets based on the configured IP precedence values. A QoS profile with IP precedence configured can only be bound to the ingress interface. A single packet should not be configured with both DSCP and IP precedence; you can only select one of them. To configure IP precedence for the class, in the QoS profile class configuration mode, use the following command:
set precedence precedence-value

• precedence-value – Specifies an IP precedence value. The value range is 0 to 7.

To cancel the specified IP precedence, in the QoS profile class configuration mode, use the command no set precedence.

Configuring a Matching Priority

Sometimes the traffic might match multiple classes in the QoS profile. In such a case the system will select a class based on the matching priority of the classes. To configure a matching priority, in the QoS profile class configuration mode, use the following command:
match-priority priority-number

• priority-number – Specifies the priority for the class. The value range is 1 to 256, and 1 is the highest priority. Except for class-default, the default priority of all the other classes is 255. The classes without any priority configured will be matched based on their creation sequence in the QoS profile. The priority of class-default is 256, i.e., the lowest priority, by default.

To cancel the specified matching priority, in the QoS profile class configuration mode, use the command no match-priority.

Configuring an Exception Policy

Hillstone devices support exception policies. With this function configured, the system will not implement QoS on the specified traffic. To configure an exception policy, in the QoS profile configuration mode, use the following command:
exception-list {ip-range A.B.C.D A.B.C.D | address address-entry}

• A.B.C.D A.B.C.D – Specifies the IP range. The traffic in this range will not be controlled by QoS.

• address-entry – Specifies the address entry. The traffic in this range will not be controlled by QoS.

To delete the specified exception policy, in the QoS profile configuration mode, use the command no exception-list.
Example: The maximum bandwidth available to each user for Internet access is restricted to 1000 K, but access to the DMZ segment should not be restricted. The IP range for the Intranet users is 10.101.1.0 to 10.101.1.150; the internal servers (such as Web servers, FTP servers, etc.) are located in the DMZ segment with the IP range of 10.100.6.10 to 10.100.6.20. Use the following commands:

hostname(config)# class-map internet
hostname(config-class-map)# match ip-range 10.101.1.0 10.101.1.150
hostname(config-class-map)# exit
hostname(config)# qos-profile ipqos
hostname(config-qos-profile)# exception-list ip-range 10.100.6.10 10.100.6.20
hostname(config-qos-profile)# class internet
hostname(config-qos-prof-cmap)# ip-qos per-ip max-bandwidth 1000
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# qos-profile input ipqos
hostname(config-if-eth0/2)# qos-profile output ipqos
hostname(config-if-eth0/2)# exit
hostname(config)#

Configuring Role-based QoS (Role QoS)

Role-based QoS, i.e., role QoS, is used to control the maximum or reserved bandwidth for each
user within the role. The perquisite for implementing role QoS is that the class in the QoS profile
must contain the role matching condition. Role QoS should not be used with other types of QoS
simultaneously, i.e., if only one class in the QoS profile is configured with role QoS, all the other
classes in the QoS profile must also be configured with role QoS.
To configure role QoS, in the QoS profile class configuration mode, use the following command:
ro le-qo s {sh are | p er-user} {max-b an dwidth bandwidth | reserve-b an dwidth bandwidth
[max-b an dwidth bandwidth ]} [sch edule schedule-name ]

l share – Specifies that the maximum bandwidth (max-bandwidth bandwidth) or reserved bandwidth
(reserve-bandwidth bandwidth) is shared by all the users within the role. The IP range is
specified by ip-range of the class.

l per-user – Specifies that the maximum bandwidth (max-bandwidth bandwidth) or reserved bandwidth
(reserve-bandwidth bandwidth) is available to each user within the role. The IP range is
specified by ip-range of the class.

l max-bandwidth bandwidth – Specifies the maximum bandwidth, i.e., the maximum bandwidth
shared by all the users (share) or available to each user (per-user) within the role. The
value range is 32 to 1000000 kbps. When configuring reserve-bandwidth, the default value of
max-bandwidth is 100000.

l reserve-bandwidth bandwidth – Specifies the reserved bandwidth, i.e., the reserved bandwidth
shared by all the users (share) or available to each user (per-user) within the role. The
value range is 32 to 1000000 kbps. This value must be smaller than the actual bandwidth
value of the interface.

l schedule-name – Specifies the name of the schedule defined in the system. The configuration
will only take effect during the specified period. Repeat the command to specify more
schedules (up to 8). To avoid possible unknown problems, it is not recommended to use
schedules with overlapping time ranges.

If one user matches multiple roles, and all the roles are configured with role QoS in the QoS profile,
then only the first matched role QoS takes effect for that user. Therefore, when one user
matches multiple roles, you should pay special attention to the order of role QoS rules.
To cancel the specified role QoS, in the QoS profile class configuration mode, use the command
no role-qos {share | per-user} {max-bandwidth bandwidth | reserve-bandwidth bandwidth [max-bandwidth bandwidth]} [schedule schedule-name].
The traffic without any role configured will be diverted to the default class class-default. By
default the system will not control the bandwidth of class-default.
Allocation Principle of Reserved Bandwidth
The allocation of reserved bandwidth for roles follows the principles below:

l Only when traffic is available to the matched users will the system reserve the specified band-
width; when the traffic terminates, the reserved bandwidth will be freed.

l If the sum of the reserved bandwidth is larger than the interface bandwidth, and the interface
bandwidth is occupied by the users, then the traffic available to the newly matched users will
be diverted to class-default; if the bandwidth of class-default is 0, the traffic will be dropped.

Here is a role-based QoS example. The reserved bandwidth per user for role1 - role20 is 1M,
and the maximum bandwidth per user for role21 - role40 is 1M. The interface bandwidth is 10M.
role1 - role40 correspond to user1 - user40 respectively.
When there is traffic available to user1 - user9 and user21 - user40, user1 - user9 will each be
allocated the reserved bandwidth of 1M; the traffic of user1 - user9 that exceeds their 1M reserved
bandwidth and the traffic available to user21 - user40 will compete for the remaining 1M bandwidth.
In such a case, if there is any traffic available to user10, the remaining 1M bandwidth will be
reserved for user10. Thus, user1 - user10 are allocated 1M reserved bandwidth per user, while all
the exceeded traffic of user1 - user10 and all the traffic passing through user21 - user40 will be
diverted to class-default. However, the bandwidth of class-default is 0 (all the interface bandwidth
is reserved), so the above traffic will be dropped.
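The allocation sequence described above, as an added example (this is not StoneOS code and not Hillstone's scheduler): a simplified Python model of the reserved-bandwidth principle. It assumes one user per role, users starting to send in the order stated, bandwidth in kbps, and that class-default holds exactly whatever bandwidth the interface has not reserved.

```python
# Added example: a simplified model of the reserved-bandwidth allocation
# principle for role QoS. Not StoneOS code; it assumes one user per role,
# kbps units, and that class-default holds whatever bandwidth is unreserved.
from dataclasses import dataclass, field


@dataclass
class RoleRule:
    role: str
    reserve_kbps: int = 0   # reserve-bandwidth (0 = no reservation)
    max_kbps: int = 0       # max-bandwidth (0 = no cap in this model)


@dataclass
class Interface:
    bandwidth_kbps: int
    rules: dict                                   # role -> RoleRule
    reserved: dict = field(default_factory=dict)  # user -> reserved kbps

    def free_kbps(self):
        # Bandwidth not currently reserved; this is also all that class-default
        # (and every user's excess traffic) can compete for.
        return self.bandwidth_kbps - sum(self.reserved.values())

    def class_default_kbps(self):
        return self.free_kbps()

    def user_starts(self, user, role):
        """Where the user's traffic lands when it starts: 'reserved',
        'class-default', or 'dropped' (class-default bandwidth is 0)."""
        rule = self.rules[role]
        if rule.reserve_kbps and self.free_kbps() >= rule.reserve_kbps:
            self.reserved[user] = rule.reserve_kbps
            return "reserved"
        return "class-default" if self.class_default_kbps() > 0 else "dropped"

    def user_stops(self, user):
        # When the traffic terminates, the reservation is freed.
        self.reserved.pop(user, None)

    def excess_traffic_fate(self):
        """What happens right now to traffic that exceeds its reservation or
        has no reservation at all."""
        return "class-default" if self.class_default_kbps() > 0 else "dropped"


def run_scenario():
    """Replays the role1-role40 / user1-user40 example: 1M reserved per user
    for role1-role20, 1M maximum per user for role21-role40, 10M interface."""
    rules = {f"role{i}": RoleRule(f"role{i}", reserve_kbps=1000) for i in range(1, 21)}
    rules.update({f"role{i}": RoleRule(f"role{i}", max_kbps=1000) for i in range(21, 41)})
    iface = Interface(bandwidth_kbps=10000, rules=rules)
    outcome = {}
    # user1-user9 and user21-user40 start sending
    for i in list(range(1, 10)) + list(range(21, 41)):
        outcome[f"user{i}"] = iface.user_starts(f"user{i}", f"role{i}")
    outcome["remaining_after_user9"] = iface.free_kbps()   # 1000, shared by all excess traffic
    # user10 starts: the last 1M is reserved for it
    outcome["user10"] = iface.user_starts("user10", "role10")
    outcome["class_default_after_user10"] = iface.class_default_kbps()   # 0
    outcome["excess_fate"] = iface.excess_traffic_fate()                 # dropped
    # user11 (role11, also 1M reserved) finds nothing left to reserve
    outcome["user11"] = iface.user_starts("user11", "role11")
    # user3 stops: its reservation is freed and can be reused
    iface.user_stops("user3")
    outcome["free_after_user3_stops"] = iface.free_kbps()   # 1000
    return outcome


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model makes the two principles visible: a reservation is only taken while the user is sending (user3 stopping frees its 1M), and once reservations consume the whole interface, class-default is 0 and everything that is not reserved is dropped rather than queued.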



Nesting a QoS Profile

Nesting a QoS profile is the process of binding the class of a QoS profile to another QoS profile,
so that you can reasonably allocate application bandwidth to different IPs/roles/users. To configure
a nested QoS profile, in the QoS profile class configuration mode, use the following command:
qos-profile qos-profile-name

l qos-profile-name – Specifies the name of the QoS profile, which must be an existing QoS profile
name in the system.

To cancel the specified nested QoS profile, in the QoS profile class configuration mode, use the
command no qos-profile.

Notes: When using the nest QoS profile, you should keep in mind:

l The application QoS can nest an IP QoS profile or role QoS profile, but can-
not nest an application QoS profile.

l The bandwidth of the nested IP QoS profile and role QoS profile must be
shared, and these profiles can only contain up to sixteen classes (including the
default class).

l IP QoS profile and role QoS profile cannot be mutually nested.

l The nested application QoS profile can only contain up to sixteen classes
(including the default class); the bandwidth and priority parameters of the nes-
ted application QoS profile must be configured in form of percentage.

Specifying a QoS Operation for the Egress Interface

You can specify a QoS operation for the egress interface, including policing and shaping. This
function only applies to IP QoS and role QoS. By default the system will perform policing on the
egress interfaces with QoS enabled. To perform shaping on the egress interface, in the QoS profile
configuration mode, use the following command:
shaping-for-egress
To restore to the default operation, in the QoS profile configuration mode, use the command no
shaping-for-egress.

Disabling a Class

By default all the classes in the QoS profile are enabled. To disable a specific class in the QoS pro-
file, in the QoS profile class configuration mode, use the following command:
disable
To restore to the default status, in the QoS profile class configuration mode, use the command
no disable.

Notes: The disabled classes still exist in the QoS profile. To delete the specified
class from the QoS profile, use the command no class class-name.

Binding to an Interface

The configured QoS profiles will not take effect until being bound to an interface. To bind a QoS
profile to an interface, in the interface configuration mode, use the following command:
qos-profile [1st-level | 2nd-level] {input | output} qos-profile-name

l 1st-level | 2nd-level – Applicable to multi-level QoS. 1st-level indicates the first level, and
2nd-level indicates the second level. If this parameter is not specified, the profile will be
bound to the second level.

l input | output – Specifies the interface direction (either input or output) the QoS profile
will be bound to.

l qos-profile-name – Specifies the name of the QoS profile that will be bound.



To cancel the binding, in the interface configuration mode, use the command no qos-profile
[1st-level | 2nd-level] {input | output}.

Notes: IP QoS profile and role QoS profile should not be bound to the different
levels of one single interface.

Viewing QoS Information of an Interface

After configuring QoS for the interface, to view the QoS configuration and statistics, use the fol-
lowing command:
show qos interface interface-name [1st-level-input | 1st-level-output | 2nd-level-input | 2nd-level-output] [detail]

l interface-name – Specifies the interface.

l 1st-level-input – Only shows the QoS statistics of the first level of the input interface.

l 1st-level-output – Only shows the QoS statistics of the first level of the output interface.

l 2nd-level-input – Only shows the QoS statistics of the second level of the input interface.

l 2nd-level-output – Only shows the QoS statistics of the second level of the output interface.

l detail – Shows the statistics and the corresponding QoS configuration information.

Viewing QoS Profile Information

To view the QoS profile configuration, in any mode, use the following command:
show qos-profile [qos-profile-name]

l qos-profile-name – Shows the configuration of the specified QoS profile. If this parameter is
not specified, the command will show the configurations of all the QoS profiles.



FlexQoS

FlexQoS is applicable to IP-based QoS and role-based QoS. If the system is configured with QoS,
the maximum bandwidth available to different IP addresses is typically restricted to a specified
range. In such a case, even if the interface has some free bandwidth available, the restricted IP
cannot make use of it, leading to resource waste. To solve this problem, StoneOS provides FlexQoS
to make full use of bandwidth resources. The configuration of FlexQoS includes global FlexQoS
and Class FlexQoS, which implements specific FlexQoS control over different IP queues and
roles. The global FlexQoS is disabled by default; in that case, no matter whether the Class
FlexQoS is enabled, both the global and Class FlexQoS are disabled. The Class FlexQoS is only
valid when both the global and Class FlexQoS are enabled.
You can set a lower threshold and upper threshold for the global FlexQoS. The default lower
threshold is 75, and the default upper threshold is 85. If FlexQoS is enabled with the default val-
ues, when the utilization of output bandwidth is less than 75%, the available bandwidth will
increase linearly (you can specify the flex factor); when the utilization reaches 85%, the available
bandwidth will decrease exponentially to the specified lower threshold; when the utilization is
between the upper and lower threshold, the FlexQoS is stable, i.e., the available bandwidth will
neither increase nor decrease.

Configuring Global FlexQoS

To configure global FlexQoS, in the global configuration mode, use the following command:
flex-qos low-water-mark value high-water-mark value

l low-water-mark value – Specifies the lower threshold. The value range is 50 to 80. The
default value is 75.

l high-water-mark value – Specifies the upper threshold. The value range is 81 to 90. The
default value is 85.

To disable global FlexQoS, in the global configuration mode, use the command no flex-qos.
When global FlexQoS is enabled, if the bandwidth utilization of the egress interface is lower than
the upper threshold, the available bandwidth will increase. To configure the flex factor, in the
global configuration mode, use the following command:
flex-qos-up-rate rate



l rate – Specifies the flex factor. The value range is 1 to 16 times/min. The default value is 1.
The available bandwidth is calculated as the flex factor multiplied by the IP bandwidth.

To restore to the default flex factor, in the global configuration mode, use the following com-
mand:
no flex-qos-up-rate

Notes: A large flex factor might lead to tremendous bandwidth changes.

Configuring FlexQoS for a Class

By default the FlexQoS for class is enabled. To enable or disable this function for a class, in the
QoS profile class configuration mode, use the following commands:

l Enable: flex-qos

l Disable: no flex-qos

After enabling FlexQoS for a class, to specify the maximum FlexQoS bandwidth for each IP of
the class, in the QoS profile class configuration mode, use the following command:
flex-qos max-bandwidth bandwidth

l bandwidth – Specifies the maximum FlexQoS bandwidth. The value range is 64 to 1000000
kbps. The default value is 100 times the IP bandwidth.

To cancel the specified maximum FlexQoS bandwidth, in the QoS profile class configuration
mode, use the following command:
no flex-qos max-bandwidth bandwidth
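The water-mark behaviour and the value ranges of the FlexQoS commands above, as an added example (not StoneOS code; the adjustment rule is a simplified model, not Hillstone's implementation). It assumes one adjustment per minute, that below the lower threshold the available bandwidth grows by the flex factor multiplied by the IP bandwidth per step, that at or above the upper threshold it halves per step (our reading of "decreases exponentially") but never below the configured IP bandwidth, and that between the thresholds it is held stable. The utilization samples are constructed.

```python
# Added example: a simplified model of FlexQoS behaviour, not StoneOS code.
# Assumptions: one step per minute; below the low water mark the available
# bandwidth grows by up_rate x ip_kbps per step (the documented formula); at or
# above the high water mark it halves per step (assumed reading of "decreases
# exponentially") but never goes below the configured IP bandwidth; in between
# it is stable.

def flex_config_errors(low_water_mark=75, high_water_mark=85, up_rate=1,
                       max_bandwidth_kbps=None):
    """Check FlexQoS values against the ranges documented above.
    Returns a list of problems (an empty list means the values are acceptable)."""
    errors = []
    if not 50 <= low_water_mark <= 80:
        errors.append(f"low-water-mark {low_water_mark} outside 50..80")
    if not 81 <= high_water_mark <= 90:
        errors.append(f"high-water-mark {high_water_mark} outside 81..90")
    if not 1 <= up_rate <= 16:
        errors.append(f"flex-qos-up-rate {up_rate} outside 1..16")
    if max_bandwidth_kbps is not None and not 64 <= max_bandwidth_kbps <= 1000000:
        errors.append(f"flex-qos max-bandwidth {max_bandwidth_kbps} outside 64..1000000")
    return errors


def flex_step(available_kbps, ip_kbps, utilization_pct, low_water_mark=75,
              high_water_mark=85, up_rate=1, max_bandwidth_kbps=None):
    """One FlexQoS adjustment for a single IP queue; returns the new available bandwidth."""
    if max_bandwidth_kbps is None:
        max_bandwidth_kbps = 100 * ip_kbps   # documented default: 100 times the IP bandwidth
    if utilization_pct < low_water_mark:
        # linear growth: flex factor x IP bandwidth per step, capped by max-bandwidth
        return min(available_kbps + up_rate * ip_kbps, max_bandwidth_kbps)
    if utilization_pct >= high_water_mark:
        # exponential back-off (assumed halving), never below the configured IP bandwidth
        return max(available_kbps // 2, ip_kbps)
    return available_kbps   # between the marks FlexQoS is stable


def simulate(utilizations, ip_kbps, **settings):
    """Run flex_step over a sequence of per-minute egress utilizations (percent),
    starting from the configured IP bandwidth; returns the bandwidth after each step."""
    trace = []
    available = ip_kbps
    for utilization in utilizations:
        available = flex_step(available, ip_kbps, utilization, **settings)
        trace.append(available)
    return trace


if __name__ == "__main__":
    # constructed samples: three idle minutes, one congested minute, one steady minute
    print(simulate([50, 50, 50, 90, 80], ip_kbps=2000))
    print(flex_config_errors(low_water_mark=85, high_water_mark=80, up_rate=20))
```

The trace shows why the note about a large flex factor matters: with up_rate=1 a 2M queue reaches 8M after three idle minutes and is cut back to 4M after a single congested minute, so a factor of 16 would swing the available bandwidth by 32M per minute.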

Multi-level QoS

The application QoS and IP QoS are two independent data stream control mechanisms. The
application QoS is a global control that is used to re-organize the data stream passing through the
device, and provides faster and better service for the data with higher priority; the IP QoS
focuses on each individual IP, and controls the bandwidth available to each IP. The combination
of the two QoS mechanisms is known as multi-level QoS. With multi-level QoS configured, the
traffic passing through the device will be controlled by the two QoS mechanisms in turn.
The recommendation for multi-level QoS is: the application QoS is applied to the first level
and the IP QoS is applied to the second level. After the traffic is processed by the 1st-level QoS,
important data such as game or VoIP will be accelerated, while the non-important data like P2P
will be dropped or delayed. Thus, the traffic passing through the device will be marked with
priorities after the 1st-level QoS, and then the bandwidth will be further controlled by the 2nd-level
QoS.

Examples of Configuring QoS

This section describes some QoS configuration examples, including:

l Example 1: Matching priority

l Example 2: Classification and marking

l Example 3: Policing and shaping

l Example 4: Application QoS

l Example 5: CBWFQ

l Example 6: LLQ

l Example 7: IP QoS (1)

l Example 8: IP QoS (2)

l Example 9: Multi-VR Application in IP QoS

l Example 10: IP QoS Priority

l Example 11: Role QoS

l Example 12: Nest QoS profile

l Example 13: Multi-level QoS



Example 1: Configuring a Matching Priority

The QoS profile of Profile1 contains two classes: class1 and class2. The matching condition for
class1 is HTTP service, and the matching condition for class2 is QoS tag 2. Take the following
steps:
Step 1: Configure class1 and class2

hostname(config)# class-map class1
hostname(config-class-map)# match application http
hostname(config-class-map)# exit
hostname(config)# class-map class2
hostname(config-class-map)# match policy-qos-tag 2
hostname(config-class-map)# exit
hostname(config)#

Step 2: Configure Profile1

hostname(config)# qos-profile profile1
hostname(config-qos-profile)# class class1
hostname(config-qos-prof-cmap)# set dscp 20
hostname(config-qos-prof-cmap)# match-priority 1
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class class2
hostname(config-qos-prof-cmap)# set dscp 35
hostname(config-qos-prof-cmap)# match-priority 15
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

Step 3: Bind Profile1 to ethernet0/3

hostname(config)# interface ethernet0/3
hostname(config-if-eth0/3)# qos-profile input profile1
hostname(config-if-eth0/3)# exit
hostname(config)#

After the above configurations, for the traffic that is destined to the device on ethernet0/3, the
DSCP of the traffic whose application type is HTTP and Policy QoS tag is 2 will be marked 20
instead of 35. Since the priority of class1 is higher than that of class2, the traffic is matched to
class1.

Example 2: Classification and Marking

The ingress interface is bound with a QoS profile. Mark the DSCP of af11 to the HTTP traffic,
mark the DSCP of cs7 to the packets with QoS tag 1 (the QoS tag is configured during the
creation of policy rules and P2P profile), and mark the DSCP of ef to the FTP packets. The system
and Internet will process the DSCP values of af11, cs7 and ef according to the RFC standards.
Step 1: Configure classes named http, ftp and trash to classify the traffic

hostname(config)# class-map http
hostname(config-class-map)# match application http
hostname(config-class-map)# exit
hostname(config)# class-map ftp
hostname(config-class-map)# match application ftp
hostname(config-class-map)# exit
hostname(config)# class-map trash
hostname(config-class-map)# match policy-qos-tag 1
hostname(config-class-map)# exit
hostname(config)#

Step 2: Configure a QoS profile to mark applications of different types

hostname(config)# qos-profile classification
hostname(config-qos-profile)# class http
hostname(config-qos-prof-cmap)# set dscp af11
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class ftp
hostname(config-qos-prof-cmap)# set dscp ef
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class trash
hostname(config-qos-prof-cmap)# set dscp cs7
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

Step 3: Bind the QoS profile to ethernet0/0 to classify the traffic on ethernet0/0 according to the
QoS profile

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# qos-profile input classification
hostname(config-if-eth0/0)# exit
hostname(config)#

Example 3: Policing and Shaping

This example shapes the HTTP traffic to 12.8M, and regulates the P2P traffic to 6.4M. In
Example 2, the HTTP traffic is marked af11, and the P2P traffic is marked cs7. This example is
based on the classification and marking in Example 2.
Step 1: Configure classes named af11 and cs7

hostname(config)# class-map af11
hostname(config-class-map)# match dscp af11
hostname(config-class-map)# exit
hostname(config)# class-map cs7
hostname(config-class-map)# match dscp cs7
hostname(config-class-map)# exit
hostname(config)#

Step 2: Configure a QoS profile to police and shape the HTTP and P2P traffic

hostname(config)# qos-profile control
hostname(config-qos-profile)# class af11
hostname(config-qos-prof-cmap)# shape 12800
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class cs7
hostname(config-qos-prof-cmap)# police 6400 8000 8000 conform-action transmit exceed-action drop
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

Step 3: Bind the QoS profile to ethernet0/1 to control the outbound HTTP and P2P traffic on
ethernet0/1 according to the QoS profile

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# qos-profile output control
hostname(config-if-eth0/1)# exit
hostname(config)#

Example 4: Application QoS

This section describes an application QoS configuration example. The requirement is: restricting
the P2P traffic transmitting on ethernet0/0 to 1M/sec. In Example 2, the P2P traffic is marked
cs7. This example is based on the classification and marking in Example 2.
Step 1: Configure a class named cs7

hostname(config)# class-map cs7
hostname(config-class-map)# match dscp cs7
hostname(config-class-map)# exit
hostname(config)#

Step 2: Configure a profile named p2p, and control the traffic that is matched to cs7 (P2P). The
maximum bandwidth is restricted to 1000 kbps, and the Exceed action is Drop

hostname(config)# qos-profile p2p
hostname(config-qos-profile)# class cs7
hostname(config-qos-prof-cmap)# police 1000 conform-action transmit exceed-action drop
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit

Step 3: Bind the QoS profile to ethernet0/0 to control the outbound P2P traffic on ethernet0/0

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# qos-profile output p2p
hostname(config-if-eth0/0)# exit
hostname(config)#

Example 5: CBWFQ

This example illustrates how to assure the bandwidth available to different classes in the QoS pro-
file based on CBWFQ. In Example 2, the HTTP traffic is marked af11, and the P2P traffic is
marked cs7. This example is based on the classification and marking in Example 2.
Step 1: Configure classes named af11 and cs7

hostname(config)# class-map af11
hostname(config-class-map)# match dscp af11
hostname(config-class-map)# exit
hostname(config)# class-map cs7
hostname(config-class-map)# match dscp cs7
hostname(config-class-map)# exit
hostname(config)#



Step 2: Create a QoS profile named qos-profile1, and configure the minimum bandwidth for af11
and cs7

hostname(config)# qos-profile qos-profile1
hostname(config-qos-profile)# class af11
hostname(config-qos-prof-cmap)# bandwidth 5000
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class cs7
hostname(config-qos-prof-cmap)# bandwidth 2500
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

Step 3: Configure the upstream bandwidth for ethernet0/2, and bind qos-profile1 to ethernet0/2

hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# bandwidth upstream 10000000
hostname(config-if-eth0/2)# qos-profile output qos-profile1
hostname(config-if-eth0/2)# exit
hostname(config)#

After the configuration, if the upstream bandwidth of ethernet0/2 is 10M, the available band-
width to class-default will be 2.5M (10-5-2.5), and the default queue is CBWFQ.
When processing traffic based on the above configuration, if the available bandwidth for class1 is
20M, the available bandwidth for class2 is 15M, and the available bandwidth for class-default is 0,
the device will allocate the 2.5M bandwidth of class-default to class1 and class2 proportionally.

Example 6: LLQ & Congestion Avoidance

The goal for this example is to reserve 3M bandwidth for VoIP traffic, set the minimum bandwidth
for HTTP traffic to 4M, police the bandwidth for P2P traffic to 6.4M, and drop the
exceeded P2P traffic. In Example 2, the VoIP traffic is marked ef, the HTTP traffic is marked
af11, and the P2P traffic is marked cs7. This example is based on the classification and marking in
Example 2.
Step 1: Configure classes named af11, cs7 and ef

hostname(config)# class-map ef
hostname(config-class-map)# match dscp ef
hostname(config-class-map)# exit
hostname(config)# class-map af11
hostname(config-class-map)# match dscp af11
hostname(config-class-map)# exit
hostname(config)# class-map cs7
hostname(config-class-map)# match dscp cs7
hostname(config-class-map)# exit
hostname(config)#

Step 2: Create a QoS profile named llq and configure the bandwidth for ef, af11 and cs7

hostname(config)# qos-profile llq
hostname(config-qos-profile)# class ef
hostname(config-qos-prof-cmap)# priority 3000
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class af11
hostname(config-qos-prof-cmap)# bandwidth 4000
hostname(config-qos-prof-cmap)# random-detect
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class cs7
hostname(config-qos-prof-cmap)# police 6400 8000 8000 conform-action transmit exceed-action drop
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class class-default
hostname(config-qos-prof-cmap)# random-detect
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

Step 3: Configure the upstream bandwidth of ethernet0/3, and bind the QoS profile to ethernet0/3
to control the outbound bandwidth on ethernet0/3

hostname(config)# interface ethernet0/3
hostname(config-if-eth0/3)# bandwidth upstream 10000000
hostname(config-if-eth0/3)# qos-profile output llq
hostname(config-if-eth0/3)# exit
hostname(config)#

In the example, the bandwidth of ethernet0/3 is 10M. Class cs7 is policed, so its bandwidth is
not counted. Therefore, the bandwidth available to class-default is 3M (10-3-4). When there
is no traffic for class-default, the bandwidth available to class af11 will be 7M (5+2). The
bandwidth available to class ef will always be 3M.
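The bandwidth arithmetic of Example 5 and Example 6, as an added example (not StoneOS code and not Hillstone's scheduler): a Python model that computes the class-default bandwidth and hands idle guaranteed bandwidth to the classes that still have unmet demand, in proportion to their guarantees. It assumes kbps units, that a policed class takes no part in the queue accounting (as the text above states), that an LLQ (priority) class keeps exactly its reserved bandwidth, and that the offered-traffic figures are constructed for illustration.

```python
# Added example, not StoneOS code: a model of the bandwidth arithmetic in
# Examples 5 and 6. Units are kbps; offered-traffic ("demand") figures are
# constructed for illustration.
from dataclasses import dataclass


@dataclass
class QosClass:
    name: str
    bandwidth_kbps: int = 0   # CBWFQ minimum guarantee (bandwidth)
    priority_kbps: int = 0    # LLQ reservation (priority)
    police_kbps: int = 0      # policer rate; a policed class is outside the queue accounting
    demand_kbps: int = 0      # traffic offered to the class


def class_default_bandwidth(interface_kbps, classes):
    """Interface bandwidth minus the CBWFQ and LLQ guarantees; policed classes
    are not counted (Example 6: 10M - 3M - 4M = 3M)."""
    committed = sum(c.bandwidth_kbps + c.priority_kbps for c in classes if not c.police_kbps)
    if committed > interface_kbps:
        raise ValueError("guaranteed bandwidth exceeds the interface bandwidth")
    return interface_kbps - committed


def allocate(interface_kbps, classes, default_demand_kbps=0):
    """Return {class: allocated kbps}. CBWFQ classes and class-default first get
    min(demand, guarantee); guaranteed bandwidth left idle is then shared among
    the classes that still want more, in proportion to their guarantees.
    An LLQ class gets exactly its priority bandwidth (nobody borrows it), and a
    policed class is simply capped at its policer rate."""
    alloc, guarantee, demand = {}, {}, {}
    for c in classes:
        if c.police_kbps:
            alloc[c.name] = min(c.demand_kbps, c.police_kbps)
        elif c.priority_kbps:
            alloc[c.name] = min(c.demand_kbps, c.priority_kbps)
        else:
            guarantee[c.name], demand[c.name] = c.bandwidth_kbps, c.demand_kbps
    guarantee["class-default"] = class_default_bandwidth(interface_kbps, classes)
    demand["class-default"] = default_demand_kbps
    for n in guarantee:
        alloc[n] = float(min(demand[n], guarantee[n]))
    spare = sum(guarantee.values()) - sum(alloc[n] for n in guarantee)
    # water-filling: hand the idle guarantee out proportionally until it is used
    # up or nobody wants more
    while spare > 1e-9:
        hungry = [n for n in guarantee if alloc[n] < demand[n]]
        weight = sum(guarantee[n] for n in hungry)
        if not hungry or weight == 0:
            break
        handed_out = 0.0
        for n in hungry:
            take = min(spare * guarantee[n] / weight, demand[n] - alloc[n])
            alloc[n] += take
            handed_out += take
        spare -= handed_out
        if handed_out <= 1e-9:
            break
    return alloc


def example5():
    # Example 5: af11 guaranteed 5M, cs7 guaranteed 2.5M, 10M interface, class-default idle
    classes = [QosClass("af11", bandwidth_kbps=5000, demand_kbps=20000),
               QosClass("cs7", bandwidth_kbps=2500, demand_kbps=15000)]
    return allocate(10000, classes, default_demand_kbps=0)


def example6():
    # Example 6: ef reserved 3M (LLQ), af11 guaranteed 4M, cs7 policed at 6.4M, class-default idle
    classes = [QosClass("ef", priority_kbps=3000, demand_kbps=5000),
               QosClass("af11", bandwidth_kbps=4000, demand_kbps=20000),
               QosClass("cs7", police_kbps=6400, demand_kbps=9000)]
    return allocate(10000, classes, default_demand_kbps=0)


if __name__ == "__main__":
    print("Example 5:", {k: round(v) for k, v in example5().items()})
    print("Example 6:", {k: round(v) for k, v in example6().items()})
```

For Example 5 the idle 2.5M of class-default is split 5000:2500 between af11 and cs7, giving roughly 6.67M and 3.33M; for Example 6 the idle 3M of class-default goes entirely to af11 (7M) while ef stays at 3M, matching the two explanations above.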

Example 7: IP QoS (1)

The goal is to set maximum bandwidth available for each IP in Class ip-range1 to 2M and set the
maximum bandwidth shared by all the IPs in class ip-range2 to 10M.
Step 1: Configure a class

hostname(config)# class-map ip-range1
hostname(config-class-map)# match ip-range 2.2.0.0 2.2.10.255
hostname(config-class-map)# exit
hostname(config)# class-map ip-range2
hostname(config-class-map)# match ip-range 192.168.100.200 192.168.100.200
hostname(config-class-map)# exit
hostname(config)#



Step 2: Configure a QoS profile

hostname(config)# qos-profile profile1
hostname(config-qos-profile)# class ip-range1
hostname(config-qos-prof-cmap)# ip-qos per-ip max-bandwidth 2000
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class ip-range2
hostname(config-qos-prof-cmap)# match-priority 3
hostname(config-qos-prof-cmap)# ip-qos shared-bandwidth max-bandwidth 10000
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

Step 3: Bind the QoS profile to an interface

hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# qos-profile input profile1
hostname(config-if-eth0/2)# qos-profile output profile1
hostname(config-if-eth0/2)# exit
hostname(config)#

Example 8: IP QoS (2)

The available bandwidth shared by all the IPs in class ip-range1 is 2M, while the bandwidth avail-
able to each IP should not exceed 800 KB.
The device is connected to the Internet on ethernet0/1, and ethernet0/0 is connected to the
Intranet. The requirement is: the IP segment of 1.1.1.1 to 1.1.1.255 in the Intranet share 2M
bandwidth, while the bandwidth available to each IP should not exceed 800 KB. You can imple-
ment the requirement by two approaches:

Solution 1

This solution reaches the goal by configuring two IP QoS profiles. Take the following steps:



Step 1: Create a class named ip-range

hostname(config)# class-map ip-range
hostname(config-class-map)# match ip-range 1.1.1.1 1.1.1.255
hostname(config-class-map)# exit
hostname(config)#

Step 2: Create a QoS profile named ipq-share and allow all the IPs within the range to share 2M
bandwidth

hostname(config)# qos-profile ipq-share
hostname(config-qos-profile)# class ip-range
hostname(config-qos-prof-cmap)# ip-qos share max-bandwidth 2000
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

hostname(config)# qos-profile ipq-per
hostname(config-qos-profile)# class ip-range
hostname(config-qos-prof-cmap)# ip-qos per-ip max-bandwidth 800
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

Step 3: Bind the QoS profiles to an interface (first restrict the individual bandwidth, and then
restrict the total bandwidth)

Output bandwidth:
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# qos-profile input ipq-per
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# qos-profile output ipq-share
hostname(config-if-eth0/1)# exit
hostname(config)#

Input bandwidth:
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# qos-profile output ipq-share
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# qos-profile input ipq-per
hostname(config-if-eth0/1)# exit
hostname(config)#

Solution 2

Configure an application QoS profile and an IP QoS profile. Take the following steps:
Step 1: Create a class named ip-range

hostname(config)# class-map ip-range
hostname(config-class-map)# match ip-range 1.1.1.1 1.1.1.255
hostname(config-class-map)# exit
hostname(config)#

Step 2: Create a QoS profile named appq, and allow all the IPs within the range to share 2M
bandwidth

hostname(config)# qos-profile appq
hostname(config-qos-profile)# class ip-range
hostname(config-qos-prof-cmap)# police 2000 conform-action transmit exceed-action drop
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

Step 3: Create a QoS profile named ipq-per, and restrict the bandwidth available to each IP within
the range to 800 KB

hostname(config)# qos-profile ipq-per
hostname(config-qos-profile)# class ip-range
hostname(config-qos-prof-cmap)# ip-qos per-ip max-bandwidth 800
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

Step 4: Bind the QoS profiles to an interface (first restrict the individual bandwidth, and then
restrict the total bandwidth)

Output bandwidth:
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# qos-profile input ipq-per
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# qos-profile output appq
hostname(config-if-eth0/1)# exit
hostname(config)#

Input bandwidth:
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# qos-profile output appq
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# qos-profile input ipq-per
hostname(config-if-eth0/1)# exit
hostname(config)#

Example 9: Multi-VR Application in IP QoS

There are 200 IP segments: ip-range1 (1.1.1.1 to 1.1.1.10), ip-range2 (2.1.1.1 to 2.1.1.10) … ip-
range200 (200.1.1.1 to 200.1.1.10). The requirement is: restricting the maximum bandwidth avail-
able to each IP segment to a specified value (such as 1M, 4M, 10M…) by IP QoS.
One QoS profile can only support up to 64 classes, so in order to restrict bandwidth for 200 IP
segments, you need to combine multi-VR with the IP QoS, as shown in the figure below:

As shown above, there are two VRs: trust-vr and VR1. SNAT is implemented in VR1, so the 200
IP segments can be translated to individual IPs, i.e., translating ip-range1, ip-range2 … ip-range200
to IP1, IP2 … IP200 respectively; then classify the 200 IPs according to the bandwidth, and in
trust-vr restrict the bandwidth available to the IPs, specifically depending on the IP QoS
configuration.
Step 1: Enable multi-VR on the device

hostname# exec vrouter enable
Warning: please reboot the device to make the change validation!
hostname# reboot
System reboot, are you sure? y/[n]: y

Step 2: After rebooting, create VR1

hostname(config)# ip vrouter VR1
hostname(config-vrouter)# exit
hostname(config)#

Step 3: Configure a security zone

hostname(config)# zone trust
hostname(config-zone-trust)# vrouter VR1
hostname(config-zone-trust)# exit
hostname(config)#

Step 4: Create 200 address ranges that contain the above 200 segments respectively

hostname(config)# address ip-range1
hostname(config-addr)# range 1.1.1.1 1.1.1.10
hostname(config-addr)# exit
hostname(config)# address ip-range2
hostname(config-addr)# range 2.1.1.1 2.1.1.10
hostname(config-addr)# exit
……
hostname(config)# address ip-range200
hostname(config-addr)# range 200.1.1.1 200.1.1.10
hostname(config-addr)# exit
hostname(config)#

Step 5: Create 200 address entries that contain the above 200 IPs respectively

hostname(config)# address ip1
hostname(config-addr)# ip 1.1.1.100/32
hostname(config-addr)# exit
hostname(config)# address ip2
hostname(config-addr)# ip 2.1.1.100/32
hostname(config-addr)# exit
……
hostname(config)# address ip200
hostname(config-addr)# ip 200.1.1.100/32
hostname(config-addr)# exit
hostname(config)#

Step 6: Create 200 SNAT rules in VR1 to translate the 200 segments to 200 IPs respectively

hostname(config)# ip vrouter VR1
hostname(config-vrouter)# snatrule id 1 from ip-range1 to any evr trust-vr trans-to ip1
hostname(config-vrouter)# snatrule id 2 from ip-range2 to any evr trust-vr trans-to ip2
……
hostname(config-vrouter)# snatrule id 200 from ip-range200 to any evr trust-vr trans-to ip200
hostname(config-vrouter)# exit
hostname(config)#

Step 7: After SNAT, classify the 200 translated IPs by bandwidth and create one address entry per bandwidth tier, each containing the IPs that share that bandwidth

hostname(config)# address 1m
hostname(config-addr)# member ip1
hostname(config-addr)# member ip5
hostname(config-addr)# member ip6
……
hostname(config-addr)# exit
hostname(config)# address 4m
hostname(config-addr)# member ip101
hostname(config-addr)# member ip15
……
hostname(config-addr)# exit
……
hostname(config)#

Step 8: Create classes, each matching one of the address entries

hostname(config)# class-map 1m
hostname(config-class-map)# match address 1m
hostname(config-class-map)# exit
hostname(config)# class-map 4m
hostname(config-class-map)# match address 4m
hostname(config-class-map)# exit
……
hostname(config)#

Step 9: Create a QoS profile named ipq, setting a per-IP maximum bandwidth (in Kbps) for each class

hostname(config)# qos-profile ipq
hostname(config-qos-profile)# class 1m
hostname(config-qos-prof-cmap)# ip-qos per-ip max-bandwidth 1000
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class 4m
hostname(config-qos-prof-cmap)# ip-qos per-ip max-bandwidth 4000
hostname(config-qos-prof-cmap)# exit
……
hostname(config)#

Step 10: Bind the QoS profile to an interface in both directions

hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# qos-profile input ipq
hostname(config-if-eth0/2)# qos-profile output ipq
hostname(config-if-eth0/2)# exit
hostname(config)#
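The ten steps above repeat the same few-line pattern 200 times, which is where copy-paste mistakes creep in: an address object whose range does not match its SNAT rule, or a translated IP that was never added to any bandwidth tier and therefore gets no per-IP limit at all. The following Python script is an added example, not part of this guide or of StoneOS, that generates the whole sequence from the segment numbering used above and refuses to emit a configuration in which a translated IP has no tier. The tier layout (every fifth segment 4 Mbps, the rest 1 Mbps), the tier naming for non-round rates and the indentation of sub-mode commands are assumptions for the illustration; check the generated text against the command reference before pasting it into a device.

```python
"""Generate the 200-segment SNAT + per-IP QoS configuration shown above.

Added illustration, not Hillstone code.  Names follow the walkthrough:
ip-rangeN (pre-NAT segment), ipN (post-NAT /32), 1m / 4m (bandwidth tiers).
"""
from collections import defaultdict


def segment_range(i):
    """Pre-NAT range of segment i, as in the walkthrough: i.1.1.1 - i.1.1.10."""
    return f"{i}.1.1.1", f"{i}.1.1.10"


def translated_ip(i):
    """Post-NAT address of segment i, as in the walkthrough: i.1.1.100/32."""
    return f"{i}.1.1.100/32"


def tier_name(kbps):
    """Address/class name for a tier: 1000 -> '1m', 4000 -> '4m', 1500 -> '1500k' (assumed)."""
    return f"{kbps // 1000}m" if kbps % 1000 == 0 else f"{kbps}k"


def tier_groups(n_segments, tier_of_segment):
    """Map tier (Kbps) -> list of post-NAT address names belonging to it.

    tier_of_segment(i) returns the tier in Kbps for segment i.  A segment
    without a tier would be SNATed but never rate-limited, so that is an error.
    """
    groups = defaultdict(list)
    for i in range(1, n_segments + 1):
        kbps = tier_of_segment(i)
        if not kbps or kbps <= 0:
            raise ValueError(f"segment {i} has no bandwidth tier; it would be unlimited")
        groups[kbps].append(f"ip{i}")
    return dict(groups)


def generate(n_segments, tier_of_segment, vrouter="VR1", profile="ipq"):
    """Return the CLI lines for steps 4-9 of the walkthrough as a list of strings."""
    groups = tier_groups(n_segments, tier_of_segment)
    lines = []
    # Steps 4 and 5: one pre-NAT range object and one post-NAT /32 object per segment
    for i in range(1, n_segments + 1):
        lo, hi = segment_range(i)
        lines += [f"address ip-range{i}", f" range {lo} {hi}", " exit"]
        lines += [f"address ip{i}", f" ip {translated_ip(i)}", " exit"]
    # Step 6: one SNAT rule per segment inside the virtual router
    lines.append(f"ip vrouter {vrouter}")
    for i in range(1, n_segments + 1):
        lines.append(f" snatrule id {i} from ip-range{i} to any evr trust-vr trans-to ip{i}")
    lines.append(" exit")
    # Steps 7 and 8: group post-NAT addresses by tier, one class-map per group
    for kbps, members in sorted(groups.items()):
        name = tier_name(kbps)
        lines.append(f"address {name}")
        lines += [f" member {m}" for m in members]
        lines.append(" exit")
        lines += [f"class-map {name}", f" match address {name}", " exit"]
    # Step 9: the QoS profile, one class per tier with its per-IP limit in Kbps
    lines.append(f"qos-profile {profile}")
    for kbps in sorted(groups):
        lines += [f" class {tier_name(kbps)}", f"  ip-qos per-ip max-bandwidth {kbps}", "  exit"]
    lines.append(" exit")
    return lines


def example_tier(i):
    """Assumed tier layout for the illustration: every fifth segment gets 4 Mbps."""
    return 4000 if i % 5 == 0 else 1000


if __name__ == "__main__":
    print("\n".join(generate(200, example_tier)))
```

Running the script prints the full configuration; the `ValueError` path is the check worth keeping even if you generate the text another way, because a translated IP that is in no class is simply not limited by the profile.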

Example 10: IP QoS Priority

The goal of this example is to ensure that webpage browsing and web games get the highest priority. The device is connected to the Internet on ethernet0/0 (176.133.13.8); PC1 (10.200.2.2) and PC2 (10.200.1.2) are connected to ethernet0/1 (10.200.2.1) and ethernet0/2 (10.200.1.1) respectively.

Step 1: Configure classes

hostname(config)# class-map http
hostname(config-class-map)# match application http
hostname(config-class-map)# exit
hostname(config)# class-map game
hostname(config-class-map)# match application game_kart
hostname(config-class-map)# match application game_dance
hostname(config-class-map)# exit
hostname(config)# class-map ip-range1
hostname(config-class-map)# match ip-range 10.200.2.2 10.200.2.255
hostname(config-class-map)# exit
hostname(config)# class-map ip-range2
hostname(config-class-map)# match ip-range 10.200.1.2 10.200.1.255
hostname(config-class-map)# exit
hostname(config)#

Step 2: Configure QoS profiles: one that marks the priority of game and HTTP traffic, and one that limits the per-IP bandwidth of each PC range

hostname(config)# qos-profile ip-priority-mark
hostname(config-qos-profile)# class game
hostname(config-qos-prof-cmap)# set ip-qos-priority 1
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class http
hostname(config-qos-prof-cmap)# set ip-qos-priority 2
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)# qos-profile ip-qos
hostname(config-qos-profile)# class ip-range1
hostname(config-qos-prof-cmap)# ip-qos per-ip max-bandwidth 3000
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class ip-range2
hostname(config-qos-prof-cmap)# ip-qos per-ip max-bandwidth 2000
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit

Step 3: Bind the QoS profiles to interfaces: the marking profile on the inbound side of the LAN interfaces, the per-IP limit on the outbound side of the Internet interface

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# qos-profile input ip-priority-mark
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# qos-profile input ip-priority-mark
hostname(config-if-eth0/2)# exit
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# qos-profile output ip-qos
hostname(config-if-eth0/0)# exit
hostname(config)#

Example 11: Role QoS

The requirement is: the maximum bandwidth available to each user (user11 and user12) belonging to role1 is 1 Mbps, the maximum bandwidth shared by all users (user21, user22 and user23) belonging to role2 is 4 Mbps, and the maximum bandwidth available to each user in class-default is 200 Kbps. (The max-bandwidth values in the commands below are given in Kbps.)

Step 1: Configure roles and users

hostname(config)# role role1
hostname(config)# role role2
hostname(config)# aaa-server local type local
hostname(config-aaa-server)# user user11
hostname(config-user)# exit
hostname(config-aaa-server)# user user12
hostname(config-user)# exit
hostname(config-aaa-server)# user user21
hostname(config-user)# exit
hostname(config-aaa-server)# user user22
hostname(config-user)# exit
hostname(config-aaa-server)# user user23
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)# role-mapping-rule rule1
hostname(config-role-mapping)# match user user11 role role1
hostname(config-role-mapping)# match user user12 role role1
hostname(config-role-mapping)# match user user21 role role2
hostname(config-role-mapping)# match user user22 role role2
hostname(config-role-mapping)# match user user23 role role2
hostname(config-role-mapping)# exit
hostname(config)# aaa-server local type local
hostname(config-aaa-server)# role-mapping-rule rule1
hostname(config-aaa-server)# exit
hostname(config)#

Step 2: Configure an authentication method (WebAuth, SCVPN or 802.1X) so that the device can identify users and map them to roles; without it, no traffic matches the role-based classes below.

Step 3: Configure classes

hostname(config)# class-map class1
hostname(config-class-map)# match role role1
hostname(config-class-map)# exit
hostname(config)# class-map class2
hostname(config-class-map)# match role role2
hostname(config-class-map)# exit
hostname(config)#

Step 4: Configure a QoS profile

hostname(config)# qos-profile role-profile
hostname(config-qos-profile)# class class1
hostname(config-qos-prof-cmap)# role-qos per-user max-bandwidth 1000
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class class2
hostname(config-qos-prof-cmap)# role-qos share max-bandwidth 4000
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class class-default
hostname(config-qos-prof-cmap)# role-qos per-user max-bandwidth 200
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

Step 5: Bind the QoS profile to an interface

hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# qos-profile input role-profile
hostname(config-if-eth0/2)# qos-profile output role-profile
hostname(config-if-eth0/2)# exit
hostname(config)#

Example 12: Nest QoS Profile

Configure a nested QoS profile based on Example 11 to implement the following QoS controls:

l For the users that can be matched to a role, guarantee bandwidth for the HTTP and FTP applications, but restrict the bandwidth of P2P applications;

l For the users that cannot be matched to any role, apply no QoS control.

For more information about how to configure roles, users and role-based classes, and how to bind the QoS profile to an interface, see Example 11: Role QoS.

Step 1: Configure application classes and role classes

hostname(config)# application-group p2p
hostname(config-svc-group)# application bt
hostname(config-svc-group)# application emule
hostname(config-svc-group)# application xunlei
hostname(config-svc-group)# application vagaa
hostname(config-svc-group)# application pplive
hostname(config-svc-group)# application kugoo
hostname(config-svc-group)# exit
hostname(config)# class-map http
hostname(config-class-map)# match application http
hostname(config-class-map)# exit
hostname(config)# class-map ftp
hostname(config-class-map)# match application ftp
hostname(config-class-map)# exit
hostname(config)# class-map p2p
hostname(config-class-map)# match application p2p
hostname(config-class-map)# exit
hostname(config)# role role1
hostname(config)# role role2
hostname(config)# role role3
hostname(config)# aaa-server local type local
hostname(config-aaa-server)# user user1
hostname(config-user)# exit
hostname(config-aaa-server)# user user2
hostname(config-user)# exit
hostname(config-aaa-server)# user user21
hostname(config-user)# exit
hostname(config-aaa-server)# user user22
hostname(config-user)# exit
hostname(config-aaa-server)# user user23
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)# role-mapping-rule rule1
hostname(config-role-mapping)# match user user1 role role1
hostname(config-role-mapping)# match user user2 role role1
hostname(config-role-mapping)# match user user21 role role2
hostname(config-role-mapping)# match user user22 role role2
hostname(config-role-mapping)# match user user23 role role3
hostname(config-role-mapping)# exit
hostname(config)# aaa-server local type local
hostname(config-aaa-server)# role-mapping-rule rule1
hostname(config-aaa-server)# exit
hostname(config)# class-map class1
hostname(config-class-map)# match role role1
hostname(config-class-map)# exit
hostname(config)# class-map class2
hostname(config-class-map)# match role role2
hostname(config-class-map)# exit
hostname(config)# class-map class3
hostname(config-class-map)# match role role3
hostname(config-class-map)# exit
hostname(config)#

Step 2: Configure QoS profiles. The application profile app-qos is nested under the role classes of role-profile, so its percentages and its policer apply within the bandwidth of each role

hostname(config)# qos-profile app-qos
hostname(config-qos-profile)# class http
hostname(config-qos-prof-cmap)# bandwidth percent 40
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class ftp
hostname(config-qos-prof-cmap)# bandwidth percent 20
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class p2p
hostname(config-qos-prof-cmap)# police 32 conform-action transmit exceed-action drop
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)# qos-profile role-profile
hostname(config-qos-profile)# class class1
hostname(config-qos-prof-cmap)# role-qos per-user max-bandwidth 1000
hostname(config-qos-prof-cmap)# qos-profile app-qos
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class class2
hostname(config-qos-prof-cmap)# role-qos share max-bandwidth 4000
hostname(config-qos-prof-cmap)# qos-profile app-qos
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class class3
hostname(config-qos-prof-cmap)# role-qos per-user max-bandwidth 200
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

Example 13: Multi-level QoS

This section describes a multi-level QoS example.

Requirement

The total bandwidth available to users is 600 Mbps. During peak hours, the number of active PCs in the Intranet can reach 5000. The requirements for QoS are:

l When bandwidth utilization reaches 85%, restrict the maximum bandwidth available to each user to 100 Kbps; when the link is free again, cancel the restriction. In addition, the bandwidth occupied by P2P traffic must not exceed 200 Mbps.

l Intelligent bandwidth allocation: when users are only downloading files with P2P software, all the bandwidth should be allocated to P2P, such as BT; if users later start browsing webpages, the priority is to guarantee the HTTP bandwidth. The P2P download still continues, but its available bandwidth decreases.

The network topology is shown in the figure below:

Configuring First-level Application QoS

The first-level application QoS restricts the bandwidth for P2P traffic to 200 Mbps.

Step 1: In the policy rule, mark the P2P traffic with QoS tag 16

hostname(config)# servgroup p2p
hostname(config-svc-group)# service bt*
hostname(config-svc-group)# service emule*
hostname(config-svc-group)# service xunlei*
hostname(config-svc-group)# service vagaa*
hostname(config-svc-group)# service pplive*
hostname(config-svc-group)# service kugoo*
hostname(config-svc-group)# exit
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# policy-qos-tag 16
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service p2p
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Keep the tagging rule above the catch-all permit rule: policy rules are evaluated top-down, so a P2P flow that matched the service-any rule first would never be tagged and the first-level limit would not apply to it.

Step 2: Configure a QoS profile to restrict the P2P traffic (the police rate is in Kbps, so 200000 is 200 Mbps)

hostname(config)# class-map match-p2p
hostname(config-class-map)# match policy-qos-tag 16
hostname(config-class-map)# exit
hostname(config)# qos-profile p2p-limit
hostname(config-qos-profile)# class match-p2p
hostname(config-qos-prof-cmap)# police 200000 conform-action transmit exceed-action drop
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit

Step 3: Bind the P2P QoS profile to the inbound direction of the WAN interface

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# qos-profile 1st-level input p2p-limit
hostname(config-if-eth0/0)# exit
hostname(config)#

Configuring Second-level IP QoS

Step 1: Configure IP QoS priorities; HTTP must have a higher priority than P2P

hostname(config)# class-map http
hostname(config-class-map)# match application http
hostname(config-class-map)# exit
hostname(config)# qos-profile ip-priority
hostname(config-qos-profile)# class http
hostname(config-qos-prof-cmap)# set ip-qos-priority 1
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class match-p2p
hostname(config-qos-prof-cmap)# set ip-qos-priority 5
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

Step 2: Bind the priority QoS profile to the LAN interfaces

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# qos-profile 2nd-level input ip-priority
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# qos-profile 2nd-level input ip-priority
hostname(config-if-eth0/2)# exit
hostname(config)# interface ethernet0/3
hostname(config-if-eth0/3)# qos-profile 2nd-level input ip-priority
hostname(config-if-eth0/3)# exit
hostname(config)#

Step 3: Configure IP QoS: a per-IP limit of 100 Kbps for the whole Intranet range, bound in both directions on the WAN interface

hostname(config)# class-map ip-range
hostname(config-class-map)# match ip-range 10.200.1.0 10.200.3.255
hostname(config-class-map)# exit
hostname(config)# qos-profile ip-qos-limit
hostname(config-qos-profile)# class ip-range
hostname(config-qos-prof-cmap)# ip-qos per-ip max-bandwidth 100
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# qos-profile 2nd-level output ip-qos-limit
hostname(config-if-eth0/0)# qos-profile 2nd-level input ip-qos-limit
hostname(config-if-eth0/0)# exit
hostname(config)#

Step 4: Configure FlexQoS, so that the per-IP limit is enforced only when link utilization rises above the high-water mark (85%) and is lifted again once it falls below the low-water mark (75%)

hostname(config)# flex-qos low-water-mark 75 high-water-mark 85


Example 14: Comprehensive QoS Application

This section describes a comprehensive QoS application example. The goal is to control all the applications in the system, and to restrict the total bandwidth and the per-application bandwidth available to different users and applications.

Requirement

The total bandwidth available to users is 600 Mbps. The requirements for QoS are:

l Control the application bandwidth: VoIP bandwidth ≥ 15%, key business bandwidth ≥ 30%, webpage browsing bandwidth ≥ 20%; P2P bandwidth between 20 Mbps and 300 Mbps, depending on the schedule.

l Control the bandwidth available to each user in the Intranet: the maximum bandwidth available to each user in Group1 is 1 Mbps, in Group2 1.5 Mbps, and in Group3 2 Mbps.

l Implement fine-grained control of the bandwidth available to each user in the Intranet: VoIP bandwidth = 15%, key business bandwidth = 30%, webpage browsing bandwidth = 20%, P2P bandwidth = 10%.

The network topology is shown in the figure below:

The requirement is implemented by configuring multi-level QoS: the first-level QoS controls the applications, and the second-level QoS controls each user.

Configuration Steps

Step 1: Configure interfaces and security zones

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone untrust
hostname(config-if-eth0/0)# ip address 176.133.13.8/32
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone trust
hostname(config-if-eth0/1)# ip address 10.200.1.1/24
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# zone trust
hostname(config-if-eth0/2)# ip address 10.200.2.1/24
hostname(config-if-eth0/2)# exit
hostname(config)# interface ethernet0/3
hostname(config-if-eth0/3)# zone trust
hostname(config-if-eth0/3)# ip address 10.200.3.1/24
hostname(config-if-eth0/3)# exit
hostname(config)# zone trust
hostname(config-zone-trust)# application-identify
hostname(config-zone-trust)# exit
hostname(config)#

Application identification is enabled on the trust zone because the application classes configured in Step 6 depend on it.

Step 2: Configure users, user groups and roles (the passwords below are placeholders; use strong credentials on a real device)

hostname(config)# aaa-server local
hostname(config-aaa-server)# user user1
hostname(config-user)# password 111111
hostname(config-user)# exit
hostname(config-aaa-server)# user user2
hostname(config-user)# password 222222
hostname(config-user)# exit
hostname(config-aaa-server)# user user3
hostname(config-user)# password 333333
hostname(config-user)# exit
hostname(config-aaa-server)# user-group group1
hostname(config-user-group)# member user user1
hostname(config-user-group)# exit
hostname(config-aaa-server)# user-group group2
hostname(config-user-group)# member user user2
hostname(config-user-group)# exit
hostname(config-aaa-server)# user-group group3
hostname(config-user-group)# member user user3
hostname(config-user-group)# exit
hostname(config-aaa-server)# exit
hostname(config)# role role1
hostname(config)# role role2
hostname(config)# role role3
hostname(config)# role-mapping-rule rule1
hostname(config-role-mapping)# match user-group group1 role role1
hostname(config-role-mapping)# match user-group group2 role role2
hostname(config-role-mapping)# match user-group group3 role role3
hostname(config-role-mapping)# exit
hostname(config)# aaa-server local
hostname(config-aaa-server)# role-mapping-rule rule1
hostname(config-aaa-server)# exit
hostname(config)#

Step 3: Configure a default route and a source NAT rule

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ip route 0.0.0.0 0.0.0.0 176.133.13.1
hostname(config-vrouter)# snatrule from any to 176.133.13.8 trans-to eif-ip mode dynamicport
hostname(config-vrouter)# exit
hostname(config)#

Step 4: Configure WebAuth and policy rules. The first rule sends still-unauthenticated traffic (role unknown) from the Intranet to the local WebAuth; the following rules permit traffic only once its source has been mapped to a role

hostname(config)# address authaddr
hostname(config-addr)# ip 10.200.0.0/16
hostname(config-addr)# exit
hostname(config)# address group1
hostname(config-addr)# ip 10.200.1.0/24
hostname(config-addr)# exit
hostname(config)# address group2
hostname(config-addr)# ip 10.200.2.0/24
hostname(config-addr)# exit
hostname(config)# address group3
hostname(config-addr)# ip 10.200.3.0/24
hostname(config-addr)# exit
hostname(config)# webauth
hostname(config-webauth)# enable
hostname(config-webauth)# protocol http
hostname(config-webauth)# exit
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr authaddr
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# role unknown
hostname(config-policy-rule)# action webauth local
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr group1
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# role role1
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr group2
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# role role2
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr group3
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# role role3
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

WebAuth over plain HTTP sends user credentials unencrypted across the LAN; prefer HTTPS for the WebAuth protocol where the device supports it.

Step 5: Configure schedules

hostname(config)# schedule working
hostname(config-schedule)# periodic daily 06:00 to 18:00
hostname(config-schedule)# exit
hostname(config)# schedule evening
hostname(config-schedule)# periodic daily 18:00 to 21:00
hostname(config-schedule)# exit
hostname(config)# schedule night
hostname(config-schedule)# periodic daily 21:00 to 06:00
hostname(config-schedule)# exit
hostname(config)#

Step 6: Configure QoS classes (the key business application varies between environments; this section uses POP3 as the example)

hostname(config)# class-map voip
hostname(config-class-map)# match application SIP*
hostname(config-class-map)# match application SIP
hostname(config-class-map)# exit
hostname(config)# class-map critical
hostname(config-class-map)# match application POP3
hostname(config-class-map)# exit
hostname(config)# class-map websurf
hostname(config-class-map)# match application HTTP
hostname(config-class-map)# exit
hostname(config)# class-map p2p
hostname(config-class-map)# match application APP_P2P
hostname(config-class-map)# match application APP_P2P_STREAM
hostname(config-class-map)# exit
hostname(config)# class-map group1
hostname(config-class-map)# match role role1
hostname(config-class-map)# exit
hostname(config)# class-map group2
hostname(config-class-map)# match role role2
hostname(config-class-map)# exit
hostname(config)# class-map group3
hostname(config-class-map)# match role role3
hostname(config-class-map)# exit
hostname(config)#

Step 7: Configure the application QoS profiles. p2p-fine-control shares the P2P bandwidth among the users of each group according to the schedule (values in Kbps); it is nested under the p2p class of the application profile, whose shape rate also follows the schedule

hostname(config)# qos-profile p2p-fine-control
hostname(config-qos-profile)# class group1
hostname(config-qos-prof-cmap)# role-qos share max-bandwidth 8000 schedule working
hostname(config-qos-prof-cmap)# role-qos share max-bandwidth 80000 schedule evening
hostname(config-qos-prof-cmap)# role-qos share max-bandwidth 150000 schedule night
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class group2
hostname(config-qos-prof-cmap)# role-qos share max-bandwidth 8000 schedule working
hostname(config-qos-prof-cmap)# role-qos share max-bandwidth 80000 schedule evening
hostname(config-qos-prof-cmap)# role-qos share max-bandwidth 150000 schedule night
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class group3
hostname(config-qos-prof-cmap)# role-qos share max-bandwidth 8000 schedule working
hostname(config-qos-prof-cmap)# role-qos share max-bandwidth 80000 schedule evening
hostname(config-qos-prof-cmap)# role-qos share max-bandwidth 150000 schedule night
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)# qos-profile application
hostname(config-qos-profile)# class voip
hostname(config-qos-prof-cmap)# bandwidth percent 15
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class critical
hostname(config-qos-prof-cmap)# bandwidth percent 30
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class websurf
hostname(config-qos-prof-cmap)# bandwidth percent 20
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class p2p
hostname(config-qos-prof-cmap)# shape 20000 schedule working
hostname(config-qos-prof-cmap)# shape 150000 schedule evening
hostname(config-qos-prof-cmap)# shape 300000 schedule night
hostname(config-qos-prof-cmap)# qos-profile p2p-fine-control
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

Step 8: Configure the user QoS profiles. user-app-fine-control splits each user's bandwidth by application and is nested under each group class of user-qos, which sets the per-user maximum (in Kbps)

hostname(config)# qos-profile user-app-fine-control
hostname(config-qos-profile)# class voip
hostname(config-qos-prof-cmap)# bandwidth percent 15
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class critical
hostname(config-qos-prof-cmap)# bandwidth percent 30
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class websurf
hostname(config-qos-prof-cmap)# bandwidth percent 20
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class p2p
hostname(config-qos-prof-cmap)# bandwidth percent 10
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)# qos-profile user-qos
hostname(config-qos-profile)# class group1
hostname(config-qos-prof-cmap)# role-qos per-user max-bandwidth 1000
hostname(config-qos-prof-cmap)# qos-profile user-app-fine-control
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class group2
hostname(config-qos-prof-cmap)# role-qos per-user max-bandwidth 1500
hostname(config-qos-prof-cmap)# qos-profile user-app-fine-control
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# class group3
hostname(config-qos-prof-cmap)# role-qos per-user max-bandwidth 2000
hostname(config-qos-prof-cmap)# qos-profile user-app-fine-control
hostname(config-qos-prof-cmap)# exit
hostname(config-qos-profile)# exit
hostname(config)#

Step 9: Bind the QoS profiles to the zones: the first-level application profile on the outbound side of both zones, the second-level user profile in both directions on the untrust zone

hostname(config)# zone untrust
hostname(config-zone-untrust)# qos 1st-level output application
hostname(config-zone-untrust)# qos 2nd-level input user-qos
hostname(config-zone-untrust)# qos 2nd-level output user-qos
hostname(config-zone-untrust)# exit
hostname(config)# zone trust
hostname(config-zone-trust)# qos 1st-level output application
hostname(config-zone-trust)# exit
hostname(config)#

Configuration Recommendations

The table below recommends QoS configurations for different types of applications, to help you make better use of the QoS function.

Application characteristics: Important real-time applications that occupy some bandwidth
Example: VoIP, interactive video
Recommendation: Reserve sufficient bandwidth with the command priority, so that the reserved bandwidth cannot be taken by other applications.

Application characteristics: Important real-time applications that occupy little bandwidth
Example: SNMP, Telnet
Recommendation: Guarantee the minimum bandwidth with the command bandwidth.

Application characteristics: Non-important real-time applications that occupy most of the bandwidth
Example: Email, file transfer
Recommendation: Guarantee the minimum bandwidth with the command bandwidth, and also allow them to use free bandwidth.

Application characteristics: Non-important applications that occupy most of the bandwidth
Example: P2P
Recommendation: Restrict the maximum bandwidth with the command police.

Application characteristics: Applications that occupy some bandwidth, whose importance varies with the situation
Example: Web games
Recommendation: When important, guarantee the minimum bandwidth with the command bandwidth; when not important, restrict the maximum bandwidth with the command police.
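The table pairs police with traffic to be capped and bandwidth (and, in Example 14, shape) with traffic to be guaranteed or smoothed. The operational difference is what happens to the excess: a policer with exceed-action drop discards it, while a shaper queues it and releases it at the configured rate, trading loss for delay. The Python model below is an added example, not part of this guide or of StoneOS, that runs the same constructed packet burst through a token-bucket policer and a token-bucket shaper. The rate, bucket depth and packet trace are assumed values, and the guarantee semantics of bandwidth percent (a scheduler that lets a class borrow unused capacity) are not modelled here.

```python
"""Policing versus shaping on one constructed packet burst.

Added illustration, not Hillstone code.  Both functions use the same token
bucket; the policer drops what does not fit (conform-action transmit /
exceed-action drop), the shaper delays it until tokens have refilled.
"""


class TokenBucket:
    """Token bucket with rate in bit/s and burst (bucket depth) in bits."""

    def __init__(self, rate_bps, burst_bits):
        self.rate = rate_bps
        self.burst = burst_bits
        self.tokens = burst_bits   # starts full
        self.last = 0.0            # time of the last refill, in seconds

    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def take(self, bits, now):
        """Consume `bits` at time `now` if available; return True on success."""
        self.refill(now)
        if self.tokens >= bits:
            self.tokens -= bits
            return True
        return False


def police(packets, rate_bps, burst_bits):
    """Policer: packets that exceed the bucket are dropped, never queued.

    packets: list of (arrival_time_s, size_bytes).  Returns (sent, dropped),
    each a list of arrival times.
    """
    bucket = TokenBucket(rate_bps, burst_bits)
    sent, dropped = [], []
    for arrival, size in packets:
        (sent if bucket.take(size * 8, arrival) else dropped).append(arrival)
    return sent, dropped


def shape(packets, rate_bps, burst_bits):
    """Shaper: excess packets wait in a FIFO until enough tokens exist.

    Returns a list of (arrival_time_s, departure_time_s); nothing is dropped.
    """
    bucket = TokenBucket(rate_bps, burst_bits)
    out = []
    clock = 0.0
    for arrival, size in packets:
        clock = max(clock, arrival)          # FIFO: cannot leave before the previous packet
        bits = size * 8
        bucket.refill(clock)
        if bucket.tokens < bits:             # wait exactly until the missing tokens arrive
            clock += (bits - bucket.tokens) / bucket.rate
            bucket.refill(clock)
        bucket.tokens -= bits
        out.append((arrival, clock))
    return out


def compare(packets, rate_bps, burst_bits):
    """Summarise both treatments of the same trace."""
    sent, dropped = police(packets, rate_bps, burst_bits)
    shaped = shape(packets, rate_bps, burst_bits)
    return {
        "policed_sent": len(sent),
        "policed_dropped": len(dropped),
        "shaped_dropped": 0,
        "shaped_max_delay_s": max(dep - arr for arr, dep in shaped),
    }


# Constructed trace: ten 1500-byte packets 1 ms apart (about 12 Mbit/s) offered
# to a 1 Mbit/s bucket that can absorb a burst of two packets.
BURST = [(i * 0.001, 1500) for i in range(10)]
RATE_BPS = 1_000_000
BURST_BITS = 2 * 1500 * 8

if __name__ == "__main__":
    print(compare(BURST, RATE_BPS, BURST_BITS))
```

With these values the policer forwards the first two packets and drops the other eight, whereas the shaper forwards all ten but holds the last one for 87 ms. That is why police suits P2P (loss is acceptable and the sender backs off) while a queued or guaranteed treatment suits traffic you want delivered; note that for VoIP the shaper's delay is itself a quality problem, which is why the table reserves bandwidth with priority for it instead.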

Load Balancing

This chapter introduces the following topics:

l server load balancing

l link load balancing

Server Load Balancing

The SLB function distributes incoming traffic across intranet servers using a load balancing algorithm, so that the servers' resources are used evenly. You can perform server load balancing in the following ways:

l Distribute the traffic to the specified port of each intranet server. This applies when several intranet servers each provide the same service on the same port at the same time.

l Distribute the traffic to different ports of one intranet server. This applies when one intranet server provides the same service by running the same process on several ports.

l Combine the above two methods.

Adding/Deleting SLB Server Pool

The global SLB server pool is a database that stores internal server IP ranges and server names. The mapping between a server IP and a server name is called an SLB server pool entry; the global SLB server pool consists of such entries. To add an entry to the global SLB server pool, in global configuration mode, use the following command:
slb-server-pool pool-name [ipv6]

l pool-name - Specify a name for the SLB server pool entry.

l ipv6 - Specify that the SLB server pool entry is of type IPv6.

To delete an entry, use the command:

no slb-server-pool pool-name

Notes: Before deleting an entry, make sure it is not referenced by any other configuration item.


Configuring Parameters for SLB Server Pool Entry

The parameters of an SLB server pool entry include the IP range, port, weight, and maximum number of connections. An SLB server pool supports the following kinds of IP range:

l IP address/netmask, e.g. 10.100.2.0/24

l IP address range, e.g. 10.100.2.3 – 10.100.2.100

l IPv6 address/prefix length, e.g. 2000::2/127

l IPv6 address range, e.g. 2000::2 - 2000::5

To add members and configure detailed parameters for an IPv4 SLB server pool entry, in SLB server pool configuration mode, use the following command. You can add up to 256 members.
server {ip ip/netmask | ip-range min-ip [max-ip]} [port port-num] {weight-per-server weight-num} [max-connection-per-server max-num]

l ip ip/netmask – Specify the IPv4 address and netmask.

l ip-range min-ip [max-ip] – Specify an IPv4 address range; min-ip is the start address and max-ip is the end address.

l port port-num – Specify the port number.

l weight-per-server weight-num – Specify the weight used in load balancing. The range is 1 to 255.

l max-connection-per-server max-num – Specify the maximum number of connections for a server. The range is 1 to 1,000,000,000; the default value is 0, which means no limit on the number of connections.

To delete a member from an IPv4 SLB server pool entry, use the following command:
no server {ip ip/netmask | ip-range min-ip [max-ip]} [port port-num] {weight-per-server weight-num} [max-connection-per-server max-num]

To add members and configure detailed parameters for an IPv6 SLB server pool entry, in SLB server pool configuration mode, use the following command. You can add up to 256 members.
server {ipv6 ipv6-address/Mask | ipv6-range min-ipv6-address [max-ipv6-address]} [port port-num] {weight-per-server weight-num} [max-connection-per-server max-num]

l ipv6 ipv6-address/Mask – Specify the IPv6 address and prefix length.

l ipv6-range min-ipv6-address [max-ipv6-address] – Specify an IPv6 address range; min-ipv6-address is the start address and max-ipv6-address is the end address.

l port port-num – Specify the port number.

l weight-per-server weight-num – Specify the weight used in load balancing. The range is 1 to 255.

l max-connection-per-server max-num – Specify the maximum number of connections for a server. The range is 1 to 1,000,000,000; the default value is 0, which means no limit on the number of connections.

To delete a member from an IPv6 SLB server pool entry, use the following command:
no server {ipv6 ipv6-address/Mask | ipv6-range min-ipv6-address [max-ipv6-address]} [port port-num]

Assigning an Algorithm for SLB

The system supports three SLB algorithms: weighted hash, weighted round robin, and weighted least connection. By default, the weighted hash algorithm is used.
To apply an algorithm, in the SLB server pool configuration mode, use the following command:
load-balance-algorithm {weighted-hash | weighted-round-robin [sticky] | weighted-least-connection [sticky]}

l weighted-hash - Specify weighted hash as the SLB algorithm.

l weighted-round-robin - Specify weighted round robin as the SLB algorithm.

l weighted-least-connection - Specify weighted least connection as the SLB algorithm.

l sticky – If you use sticky, all sessions from the same source IP will be mapped to the same server.

l timeout value – Specify the keepalive time of the session mapping, that is, the period during which the sticky mapping stays effective.

Adding/Deleting Track Rule for SLB

To add a track rule for SLB, under SLB server pool configuration mode, use the following command:
monitor {track-ping | {track-tcp | track-udp} [port port-num]} [src-interface interface_name] interval interval-value threshold number weight weight-num

l track-ping - Specify the track protocol type as PING.

l track-tcp - Specify the track protocol type as TCP.

l track-udp - Specify the track protocol type as UDP.

l port port-num - Specify the track port number. The range is from 0 to 65535.

l When the members in the SLB server pool have the same IP address and different ports, you do not need to specify the port when configuring the track rule. The system will track each IP address and its port in the SLB server pool.

l When the SLB server pool contains a member whose port is not configured, you must specify the port when configuring the track rule. The system will track the specified port of the IP addresses in the SLB server pool.

l When the members in the SLB server pool are all configured with IP addresses and ports and these IP addresses differ from each other, you can choose whether to specify the port when configuring the track rule. If specified, the system will track the specified port of these IP addresses. If not, the system will track the configured port of each member's IP address.

l src-interface interface_name - Specify the source interface of the track rule. The system will use the IP address of the specified interface as the source IP address of the Ping/TCP/UDP probes. To cancel the source interface of the track rule, run the command for adding the track rule again without the src-interface interface_name parameters.

l interval interval-value - Specify the interval between track packets. The range is 1 to 255.

l threshold number - Specify the threshold that determines whether the track object has failed. If the system receives no response within the threshold number of packets, the track object is deemed failed, i.e. the object cannot be reached. The range of the threshold is 1 to 255. The default value is 3.

l weight weight-num - Specify the weight of the current track object. The weight determines whether the whole track is deemed failed when this object fails. The weight range is 1 to 255.

To delete an SLB track rule, use the no command below:
no monitor {track-ping | {track-tcp | track-udp} [port port-num]}

Configuring Threshold Value

When the weight sum of all failed track objects exceeds the threshold, the server is deemed failed. To specify the threshold, under SLB server pool configuration mode, use the following command:
monitor threshold number

l number - Specify the threshold value. The range is from 1 to 255.

Binding SLB Server Pool Entry to DNAT Rule

An SLB server pool entry can be bound to a DNAT rule to achieve server load balancing.
To bind an SLB server pool entry to a DNAT rule, under VRouter configuration mode, use the following command:
dnatrule [id id] [before id | after id | top] from src-address to dst-address [service service-name] trans-to trans-to-address [slb-server-pool pool-name] [port port] [load-balance] [track-tcp port] [track-ping] [log] [group group-id] [description description]

l slb-server-pool pool-name – Specify the name of the SLB server pool entry. You can refer to an IPv4 or IPv6 SLB server pool entry.

Tip: For information about how to set up DNAT rules, see “Creating a DNAT
Rule” in the “Firewall”

Viewing SLB Status

To view an SLB server pool entry and its track rules, under any mode, use the following command:
show slb-server-pool pool-name

l pool-name – Specify the SLB server pool entry name.

To view SLB servers, under any mode, use the following command:
show load-balance server
To view the SLB DNAT binding of a server pool, under any mode, use the following command:
show load-balance slb-server-pool pool-name
To view SLB DNAT rules, under any mode, use the following command:
show load-balance rule
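The subsections above can be combined into one working configuration. The following session is an added example for this guide, not configuration taken from the original page: it creates a pool of three web servers, applies weighted least connection with sticky sessions, health-checks the members with a TCP probe and a ping probe whose weights are chosen against the monitor threshold, binds the pool to a DNAT rule and verifies the result. The pool name web-pool, the server addresses, the probe source interface ethernet0/1, the address-book entries web-vip and web-servers, the predefined address entry Any, the VRouter name trust-vr, and the prompts of the SLB server pool, address and VRouter configuration modes are assumptions. The commands that create the pool (slb-server-pool), create the address entries (address, ip) and enter the VRouter (ip vrouter) are documented outside this section and are also assumed here. Lines beginning with ! are comments for the reader, not CLI input.

```text
! Assumed: create the SLB server pool and enter its configuration mode
hostname(config)# slb-server-pool web-pool
! Two servers on 8080 in an address range, plus one larger server given weight 2
hostname(config-slb-server-pool)# server ip-range 10.100.2.3 10.100.2.4 port 8080 weight-per-server 1 max-connection-per-server 5000
hostname(config-slb-server-pool)# server ip 10.100.2.10/32 port 8080 weight-per-server 2 max-connection-per-server 10000
! Least-connection balancing; a client's later sessions stay on the server it first hit
hostname(config-slb-server-pool)# load-balance-algorithm weighted-least-connection sticky
! TCP probe on the service port: weight 200 exceeds the threshold of 100 below,
! so this probe failing by itself marks the server as failed
hostname(config-slb-server-pool)# monitor track-tcp port 8080 src-interface ethernet0/1 interval 5 threshold 3 weight 200
! Ping probe: weight 50 does not exceed the threshold, so filtered ICMP alone
! never takes a server out; TCP and ping both failing sums to 250
hostname(config-slb-server-pool)# monitor track-ping src-interface ethernet0/1 interval 5 threshold 3 weight 50
hostname(config-slb-server-pool)# monitor threshold 100
hostname(config-slb-server-pool)# exit
! Assumed: address-book entries for the public VIP and the server subnet
hostname(config)# address web-vip
hostname(config-addr)# ip 203.0.113.10/32
hostname(config-addr)# exit
hostname(config)# address web-servers
hostname(config-addr)# ip 10.100.2.0/24
hostname(config-addr)# exit
! Assumed: enter the VRouter; the DNAT rule hands HTTP for the VIP to the pool on 8080
hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# dnatrule from Any to web-vip service HTTP trans-to web-servers slb-server-pool web-pool port 8080 log
hostname(config-vrouter)# exit
! Verify members and track state, the pool's DNAT binding, and the rule list
hostname(config)# show slb-server-pool web-pool
hostname(config)# show load-balance slb-server-pool web-pool
hostname(config)# show load-balance rule
```

The weights are the security-relevant choice here: a server that answers ping but no longer accepts TCP on the service port is dead from the client's point of view, so the TCP probe must be able to fail the server on its own, while a ping probe that fails because ICMP is filtered somewhere in the path must not.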

Load Balancing
This chapter introduces the following topics:

l server load balancing

l link load balancing

Inbound LLB

After enabling LLB for inbound traffic, the system will resolve domains to different IPs based on
the sources of DNS requests, and return IPs for different ISPs to the corresponding users who ini-
tiate the requests, thus reducing accesses across ISPs. Such a resolution method is known as
SmartDNS.
You can enable inbound LLB by the following steps:

1. Enable SmartDNS. This is the prerequisite for the implementation of inbound LLB.

2. Configure a SmartDNS rule table. The smart domain-to-IP resolution is implemented based
on the rule table.

Enabling SmartDNS

SmartDNS is enabled by default. To disable or enable the function, in the global configuration mode, use the following command:
llb inbound smartdns {disable | enable}

l disable – Disables SmartDNS.

l enable – Enables SmartDNS.

Configuring a SmartDNS Rule Table

The configuration of a SmartDNS rule table includes creating the rule table and specifying the domain name, the return IP and the matching rule. The system resolves domain names into the IPs of different ISP links based on the matching rule.

Creating a SmartDNS Rule Table

To create a SmartDNS rule table, in the global configuration mode, use the following command:
llb inbound smartdns name

l name – Creates a SmartDNS rule table and enters SmartDNS rule table configuration mode. If the specified name already exists, the system enters the SmartDNS rule table configuration mode directly. The system supports up to 2500 SmartDNS rule tables.

To delete the specified SmartDNS rule table, in the global configuration mode, use the following
command:
no llb inbound smartdns name

Specifying the Domain Name

To specify the domain name that will be resolved smartly, in the SmartDNS rule table con-
figuration mode, use the following command:
domain domain-name

l domain-name – Specifies the domain name that will be resolved smartly. The length is 1 to
255 characters.

Repeat the above command to add multiple domain names to the SmartDNS rule table. Each rule
table supports up to 64 domain names (case insensitive).
To delete the specified domain name, in the SmartDNS rule table configuration mode, use the fol-
lowing command:
no domain domain-name

Specifying the Return IP

You can specify different return IPs for requests originating from different ISP links. The system determines the request source based on the addresses in the ISP route (ISP static address). If the address of the request source matches any entry of those addresses, the system returns the specified IP. In the SmartDNS rule table configuration mode, use the following command:
ip ip-address isp isp-name [interface interface-name] [weight value]

l ip-address – Specifies the return IP. You can configure up to 64 IPs for a domain name.

l isp isp-name – Specifies the ISP to which the request source address will be matched. If the
source address matches any address entry of the ISP, the system will return the specified IP
(ip ip-address). isp-name should be a predefined or user-defined ISP profile in the sys-
tem. Each ISP can correspond to up to 16 IPs.

l interface interface-name – Specifies the inbound interface for the return IP address. The system judges whether the return IP address is valid according to the track result or the protocol status of the inbound interface, and only a valid IP address is returned to the request source. When a track object is configured on the inbound interface, the return IP address is valid if the track status is successful and invalid otherwise. When no track object is configured on the inbound interface, the return IP address is valid if the protocol state of the interface is UP and invalid otherwise. If you do not specify an inbound interface for the return IP address, the return IP address is always valid.

l weight value – Specifies the weight of the return IP. The value range is 1 to 100. The default
value is 1. In the SmartDNS rule table, one domain name might correspond to multiple IPs.
The system will sort the IPs based on the weight and then return to the users.

To delete the specified return IP address, in the SmartDNS rule table configuration mode, use the
following command:
no ip ip-address

Notes:

l The ISP route being referenced by the SmartDNS rule table cannot be
deleted. For more information about ISP route, see “ISP Route” in the
“Route”.

l A new SmartDNS rule table stays disabled until its domain name, return IP, etc. have been configured.

Outbound LLB

By monitoring the delay, jitter, packet loss rate and bandwidth utilization of each link in real time, the system can route intelligently and dynamically adjust the traffic load of each link. You can configure a flexible LLB profile and bind it to a route (the current system only supports DBR and PBR), forming an LLB rule that implements outbound dynamic link load balancing and thus makes efficient use of network bandwidth.

Configuring LLB Profile

The LLB profile contains the parameters of the load balancing algorithm, such as bandwidth util-
ization threshold, probe switch, probe mode, and equalization direction.
To create or configure an LLB profile, use the following command in the global configuration
mode:
llb profile llb-profile-name [ipv6]

l llb-profile-name – Specifies the name of the LLB profile. After you execute this command, the system creates an LLB profile with the specified name and enters the LLB profile configuration mode. If the specified name already exists, the system enters the LLB profile configuration mode directly.

l ipv6 – Specifies the type of the LLB profile as IPv6. If not specified, the type of the LLB profile is IPv4.

To delete the specified LLB profile, in the global configuration mode, use the command: no llb profile llb-profile-name.

Notes: The LLB profile name in IPv4 should be different from that in IPv6.

In LLB profile configuration mode, the detect function is enabled by default. To enable or disable
it, use the following command:
detect {disable | enable}

l disable – Disables the detect function. The system adjusts the routing link according to the bandwidth occupancy of each egress link, and the link with the lowest bandwidth occupation rate is preferred.

l enable – Enables the detect function. When the detect function is enabled, the system detects the network link status according to the parameters configured by the user and then selects the optimal route. The priority is as follows:

1. When the link bandwidth occupancy rate is lower than the specified bandwidth threshold, the system calculates the link quality based on delay, packet loss and jitter only, and selects the link with the highest quality first.

2. When the link bandwidth occupancy rate is higher than the specified bandwidth threshold, the system combines delay, packet loss, jitter and bandwidth occupation rate to calculate the link quality, and selects the link with the highest quality first.

When the type of the LLB profile is IPv4, you can configure the related parameters as required. In LLB profile configuration mode, use the following command:
detect {netmask {A.B.C.D | num} | threshold value | max-entry-number num | weight-update-interval interval | weight-factors delay-factor jitter-factor loss-rate-factor bw-rate-factor}

l netmask {A.B.C.D | num} - Specifies the detection subnet. The system monitors the traffic in real time based on this subnet, and traffic to the same subnet chooses the same link. Two formats are supported, A.B.C.D or num. The value of A.B.C.D ranges from 255.0.0.0 to 255.255.255.255, and the default value is 255.255.255.240; num ranges from 8 to 32 and defaults to 28.

l threshold value – Specifies the bandwidth utilization threshold of the interface. When the utilization of the interface bandwidth does not exceed the threshold, the system analyzes only delay, jitter and packet loss rate to dynamically adjust the routing link; when it exceeds the threshold, the system also takes the bandwidth utilization rate of each link into account when adjusting the routing. The value ranges from 0 to 100 (0% to 100%) and defaults to 60.

l max-entry-number num - Specifies the maximum number of subnet entries. The lower limit is 2000, and the upper limit depends on the platform. A subnet entry holds the detection results and weight values for all links to one destination subnet. When the specified maximum is exceeded, saved subnet entries are deleted dynamically.

l weight-update-interval interval - Specifies the update cycle of the subnet entry weight, which ranges from 1 to 300 seconds, with a default of 10 seconds.

l weight-factors delay-factor jitter-factor loss-rate-factor bw-rate-factor - Specifies the proportion of delay, jitter, packet loss rate and bandwidth utilization of each link in the quality calculation. Each factor ranges from 0 to 15; the default values are delay-factor 1, jitter-factor 2, loss-rate-factor 4, bw-rate-factor 1.

To restore the default values of the related parameters, use the command no detect {netmask | threshold | max-entry-number | weight-update-interval | weight-factors}.
When the type of the LLB profile is IPv6, you can configure the related parameters as required. In LLB profile configuration mode, use the following command:
detect {prefix prefix-len | threshold value | max-entry-number num | weight-update-interval interval | weight-factors delay-factor jitter-factor loss-rate-factor bw-rate-factor}

l prefix prefix-len – Specifies the prefix length. The system monitors the traffic in real time based on this prefix length, and traffic to destinations sharing the same prefix chooses the same link. The value range of prefix-len is 64 to 96, and the default value is 64.

l threshold value – Specifies the bandwidth utilization threshold of the interface. When the utilization of the interface bandwidth does not exceed the threshold, the system analyzes only delay, jitter and packet loss rate to dynamically adjust the routing link; when it exceeds the threshold, the system also takes the bandwidth utilization rate of each link into account when adjusting the routing. The value ranges from 0 to 100 (0% to 100%) and defaults to 60.

l max-entry-number num - Specifies the maximum number of subnet entries. The lower limit is 2000, and the upper limit depends on the platform. A subnet entry holds the detection results and weight values for all links to one destination subnet. When the specified maximum is reached, saved subnet entries are deleted dynamically.

l weight-update-interval interval - Specifies the update cycle of the subnet entry weight, which ranges from 1 to 300 seconds, with a default of 10 seconds.

l weight-factors delay-factor jitter-factor loss-rate-factor bw-rate-factor - Specifies the proportion of delay, jitter, packet loss rate and bandwidth utilization of each link in the quality calculation. Each factor ranges from 0 to 15; the default values are delay-factor 1, jitter-factor 2, loss-rate-factor 4, bw-rate-factor 1.

To restore the default values of the related parameters, use the command no detect {prefix | threshold | max-entry-number | weight-update-interval | weight-factors}.
When the bandwidth utilization of a link exceeds the specified limit, the system can record a log. To enable logging, use the following command:
log enable [utilization-limit utilization-limit]

l utilization-limit utilization-limit - Specifies the limit value of link bandwidth utilization. The range is 1 to 100. The default value is 90.

Use the command no log enable to stop recording logs.


To configure the load balancing direction, use the following command:
bandwidth-balance-direction {bidirection | downstream | upstream}

l bidirection – The system compares the larger of the two bandwidth utilization ratios, for traffic flowing in and for traffic flowing out, with the bandwidth utilization threshold, and then adjusts the routing.

l downstream – The system compares the bandwidth utilization of traffic flowing in with the bandwidth utilization threshold, and then adjusts the routing.

l upstream - The system compares the bandwidth utilization of traffic flowing out with the bandwidth utilization threshold, and then adjusts the routing.

To restore the default load balancing direction, use the command no bandwidth-balance-direction.
To configure the load balancing mode, use the following command:
mode {compatibility [upper-limit upper-limit-value lower-limit lower-limit-value] | performance}

l compatibility – Configures the load balancing mode to work in high compatibility mode. When the link load changes, the system does not switch links frequently but keeps a service on its previous link as far as possible, which suits services such as online banking.

l upper-limit upper-limit-value lower-limit lower-limit-value - In high compatibility mode, the system records the source, destination, output interface and other information into a cache. If the bandwidth utilization of a link exceeds upper-limit-value and the other links are below lower-limit-value, the system deletes all cache entries of that link. The default value of upper-limit is 95, and the default value of lower-limit is 90.

l performance – Configures the load balancing mode for high performance. In this mode, the system adjusts links to restore link balance as quickly as possible.

To restore the default load balancing mode, use the command no mode.
To add a description to the LLB profile, use the following command:
description description

l description – Configures additional details of the LLB profile.

To cancel the description, use the command no description.


The active link detection interval is the interval at which the system sends detection packets to
the specified host. To configure the link detection interval, use the following command:
host-detect interval interval

l interval- Specifies the link detection interval. The range is 60 to 86400s. The default value is
600s.

To restore the default value of the link detection interval, use the following command:
no host-detect interval

Viewing the Link Detection Result for a Specified Domain Name

To view the link detection result for a specified domain name, in any mode, use the following command:
show llb rule [rule-name] spec-host task {all | host-name} [slot slot-number]

l rule [rule-name] – Specifies the LLB rule name.

l spec-host task {all | host-name} - Views the link detection result for a specified domain name.

l all - Views the link detection results of all domain names in the LLB rule.

l host-name - Specifies a domain name and views the link detection result of that domain name.

l slot slot-number - Specifies the slot number of the module card, and views the link detection result of all domain names (all) or the specified domain name (host-name) on that module card. This parameter is only supported on X-Series devices.

Configuring LLB Rule

An LLB profile takes effect only after it is bound to a route; the binding forms an LLB rule. Currently, destination routing (DBR) and policy-based routing (PBR) can be bound. To configure an LLB rule, use the following command in global configuration mode:
llb rule rule-name [ipv6] {pbr pbr-name id match-id | dbr [vrouter vr-name] {X:X:X:X::X/M | A.B.C.D/M | A.B.C.D A.B.C.D}} profile profile-name [host host-book-name]

l rule-name – Specifies the name of the LLB rule.

l ipv6 – Specifies the type of the LLB rule as IPv6. If not specified, the type of the LLB rule is IPv4.

l pbr pbr-name – Specifies the name of the PBR.

l id match-id – Specifies the match ID of the PBR rule. The IP type of the PBR rule should be the same as that of the LLB rule. If the IP type of the LLB rule is IPv6, the IP type of the PBR rule should be IPv6 as well.

l dbr vrouter vr-name – Specifies the name of the VRouter of the DBR.

l {X:X:X:X::X/M | A.B.C.D/M | A.B.C.D A.B.C.D} – Specifies the destination address in the VRouter. When the type of the LLB rule is IPv6, use X:X:X:X::X/M to configure the destination address. When the type of the LLB rule is IPv4, the device supports two formats, A.B.C.D/M or A.B.C.D A.B.C.D, for example, 1.1.1.0/24 or 1.1.1.0 255.255.255.0.

l profile profile-name – Specifies the bound LLB profile. The IP type of the LLB profile should be the same as that of the LLB rule.

l host host-book-name - Specifies the bound host book.

To delete the specified LLB rule, in the global configuration mode, use the command: no llb rule llb-rule-name.

Notes: The LLB rule name in IPv4 should be different from that in IPv6.
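As an added example for this guide, not configuration taken from the original page, the following session builds an IPv4 LLB profile with the parameters described above and binds it to the default route of a VRouter, forming the LLB rule. The profile name isp-balance, the rule name default-out, the VRouter name trust-vr, and the LLB profile configuration mode prompt are assumptions; so is the existence of a 0.0.0.0/0 destination route in trust-vr with more than one next hop, which the rule needs in order to balance across links. Lines beginning with ! are comments for the reader, not CLI input.

```text
hostname(config)# llb profile isp-balance
! Active probing on; with detect disabled the profile only compares egress bandwidth occupancy
hostname(config-llb-profile)# detect enable
! Group destinations per /24 so one remote site keeps one link
hostname(config-llb-profile)# detect netmask 24
! Below 70% utilization links are ranked on delay, jitter and loss alone; above it, utilization joins the score
hostname(config-llb-profile)# detect threshold 70
! Loss counts 6x, jitter and utilization 2x, delay 1x (the defaults are 1 2 4 1)
hostname(config-llb-profile)# detect weight-factors 1 2 6 2
! Recompute subnet-entry weights every 30 s instead of the default 10 s
hostname(config-llb-profile)# detect weight-update-interval 30
! Judge congestion on outbound (upstream) utilization only
hostname(config-llb-profile)# bandwidth-balance-direction upstream
! Keep flows on their current link unless it passes 90% while another link is under 80%
hostname(config-llb-profile)# mode compatibility upper-limit 90 lower-limit 80
! Log whenever a link passes 85% utilization
hostname(config-llb-profile)# log enable utilization-limit 85
hostname(config-llb-profile)# description branch-uplinks
hostname(config-llb-profile)# exit
! Bind the profile to the default route of trust-vr; this forms the LLB rule
hostname(config)# llb rule default-out dbr vrouter trust-vr 0.0.0.0/0 profile isp-balance
! Verify the profile parameters and the rule binding
hostname(config)# show llb profile isp-balance
hostname(config)# show llb rule default-out
```

The compatibility mode with a wide gap between upper-limit and lower-limit is the conservative choice for a site with long-lived sessions: the device only moves flows off a link when that link is clearly saturated and a clearly idle alternative exists, rather than re-pinning sessions on every small change in link quality.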

Viewing LLB Configuration

To view the outbound LLB configuration, in any mode, use the following command:
show llb {profile [profile-name] | rule [rule-name]}

l profile [profile-name] – Shows the outbound LLB profile.

l rule [rule-name] – Shows the outbound LLB rule.

To view the inbound LLB configuration or the specified SmartDNS rule table, in any mode, use the following command:
show llb inbound [smartdns name]

l inbound – Shows the configuration of inbound LLB.

l smartdns name – Specifies the name of the SmartDNS rule table.

For example, to view the configuration of the SmartDNS rule table named test, use the command show llb inbound smartdns test. Below is a return example:

hostname# show llb inbound smartdns test
domain:domain name; IP: ip address; ISP: isp name; IF: interface;
PROXY: proximity address book status; E: enable; D:disable
TRACK: track object name; W: ip weight; S:ip status;A:active; I: inactive
=========================================================================
-------------------------------------------------------------------------
table name: test
table status: enable
domain count: 1
rule count: 1
domains: www.test.com;
ip addresses:
-------------------------------------------------------------------------
IP        ISP            IF           PROX  TRACK  W  S
1.1.1.1   China-telecom  ethernet0/1  E            1  I
=========================================================================

l For more information about the track object shown under TRACK, see “Configuring a Track Object” in the “System Management”.

l The rule status shown under S can be active or inactive, depending on the configured interface and the track object on that interface:

l If only the ISP (isp isp-name) is configured and no interface (interface interface-name) is configured, the rule status is always active;

l If an interface (interface interface-name) is configured without a track object, the rule status is active when the protocol status of the interface is UP, and inactive when the protocol status is DOWN;

l If an interface (interface interface-name) is configured with a track object, the rule status is active when the track succeeds, and inactive when the track fails.

Example of Configuring LLB

This section describes an inbound LLB configuration example.

Requirement

Ethernet0/6 and ethernet0/7 are connected to the telecom and netcom links respectively. With inbound LLB enabled, the device will return the IP address defined in the ISP static address named netcom after receiving a DNS request from netcom users, and will return the IP address defined in the ISP static address named telecom after receiving a DNS request from telecom users. The network topology is shown below:

Configuration Steps

Configurations of interfaces are omitted. Only the configurations of ISP information and inbound LLB are provided.
Step 1: Configure ISP information

hostname(config)# isp-network telecom
hostname(config-isp)# 101.1.1.0/24
hostname(config-isp)# exit
hostname(config)# isp-network netcom
hostname(config-isp)# 201.1.1.0/24
hostname(config-isp)# exit

Step 2: Enable SmartDNS and configure SmartDNS rules

hostname(config)# llb inbound smartdns enable
hostname(config)# llb inbound smartdns test
hostname(config-llb-smartdns)# domain www.test.com
hostname(config-llb-smartdns)# ip 100.1.1.2 isp telecom interface ethernet0/0 weight 10
hostname(config-llb-smartdns)# ip 200.1.1.2 isp netcom interface ethernet0/1 weight 10
hostname(config-llb-smartdns)# exit

Step 3: Confirm that the above configurations have taken effect with the show commands

hostname(config)# show isp-network all
ISP telecom status: Active
Binding to nexthop: 0
Subnet(IP/Netmask): 1
101.1.1.0/24
ISP netcom status: Active
Binding to nexthop: 0
Subnet(IP/Netmask): 1
201.1.1.0/24

hostname(config)# show llb inbound smartdns test
domain:domain name; IP: ip address; ISP: isp name; IF: interface;
PROXY: proximity address book status; E: enable; D:disable
TRACK: track object name; W: ip weight; S:ip status;A:active; I: inactive
=========================================================================
-------------------------------------------------------------------------
name: test
domain count: 1
rule count: 2
status: enable
domains: www.test.com;
ip addresses:
-------------------------------------------------------------------------
ID  IP         ISP      IF           PROX  TRACK  W   S
1   100.1.1.2  telecom  ethernet0/0  D            10  A
3   200.1.1.2  netcom   ethernet0/1  D            10  A
=========================================================================

When PC1 requests www.test.com, the device will return the IP address for the telecom link (100.1.1.2); when PC2 requests www.test.com, the device will return the IP address for the netcom link (200.1.1.2).

Session Limit
Hillstone devices support the zone-based session limit function. You can limit the number of sessions and control the new-session ramp-up rate for a source IP address, destination IP address, specified IP address, protocol, application, role or user in a security zone, thereby protecting against DoS attacks and controlling the bandwidth of applications such as IM or P2P.

Creating a Session Limit Rule

To create a session limit rule, in the security zone configuration mode, use the following command:
ad session-limit [id id] {{src-ip address-entry dst-ip address-entry | ip address-entry} [protocol protocol-id] [application application-name] [role role-name | user aaa-server-name user-name | user-group aaa-server-name user-group-name]} {session {unlimit | max number [per-srcip | per-dstip | per-ip | per-user]} | ramp-rate max number} [schedule schedule-name] [log]

l id id – Specifies the ID of the session limit rule.

l src-ip address-entry – Limits the session number of the source IP address in the security
zone. address-entry is the IP range of src-ip. This parameter should be an address entry
defined in the address book.

l dst-ip address-entry – Limits the session number of the destination IP address in the security
zone. address-entry is the IP range of dst-ip. This parameter should be an address entry
defined in the address book.

l ip address-entry – Limits the session number of the specified IP address in the security zone.
address-entry is the IP range of ip. This parameter should be an address entry defined in the
address book.

l protocol protocol-id – Limits the session numbers of the specified protocol in the security
zone.

l application application-name – Limits the session numbers of the specified application in the
security zone.

l role role-name – Limits the session number of the specified role in the security zone.

l user aaa-server-name user-name – Limits the session number of the specified user in the
security zone. aaa-server-name is the AAA server the user belongs to.

l user-group aaa-server-name user-group-name – Limits the session number of the specified


user group in the security zone. aaa-server-name is the AAA server the user group belongs to.

l session {unlimit | max number [per-srcip | per-dstip | per-ip | per-user]} – Specifies the maximum number of sessions for the IP address or role. unlimit indicates no session limit. session max number specifies the maximum number of sessions for all the IP addresses defined in the address entry or all the users defined in the role; if per-srcip, per-dstip, per-ip or per-user is used, session max number specifies the maximum number of sessions for each IP address or each user defined in the role. per-srcip, per-dstip, per-ip and per-user correspond to src-ip, dst-ip, ip and role respectively. For example, only when src-ip is specified can you choose per-srcip.

l ramp-rate max number – Specifies the maximum number of new sessions that can be established every 5 seconds for the IP address or role.

l schedule schedule-name – Specifies an schedule during which the session limit rule will take
effect.

l log - Record the session limit log.

Notes: The session limit function supports IPv4 and IPv6 addresses. If the IPv6 function is enabled on the interface, you can configure addresses of IPv6 type. The source address entry and the destination address entry must be of the same type.

To delete the session limit rule, in the security zone configuration mode, use the following com-
mand:
no ad session-limit id id

l id id – The session limit rule ID of the security zone. To view the rule ID, use the command
show session-limit.

With a session limit configured, StoneOS drops the sessions that exceed the maximum session number. To view the statistics on the dropped sessions, use the command show session-limit. To clear the statistics on the dropped sessions of the specified session limit rule, in any mode, use the following command:
clear session-limit id id statistics

l id id – Specifies the rule ID. The statistics on the dropped sessions of the specified session limit rule will be cleared.

Notes: After Full-cone NAT is enabled on the device, the destination IP address in
the session limit refers to the IP address before DNAT translation. For more inform-
ation about Full-cone NAT, see “Full-cone NAT” in the “Firewall”

Viewing Session Limit


To view the configuration information of the session limit after configuring session limit, in any
mode, use the following command:
show session-limit

Pre-discarding Packets of Receiving Queue


When data packets enter the system, they may wait in the receiving queue for a long time if system
resources are insufficient, which delays networking and degrades the user experience. In that
case, you can enable the Pre-discarding Packets of Receiving Queue function to drop some of the
packets waiting in the receiving queue in advance, which releases system resources and lets
applications retransmit their messages.

Configuring Pre-discarding Packets of Receiving Queue


To pre-discard packets of the receiving queue, under the global configuration mode, use the fol-
lowing command:
flow head-drop-packet low-water-mask value interval time

l low-water-mask value - Specifies the low water level threshold for pre-discarding packets.
When the number of packets processed by the system within the interval is larger than the
specified value, the system pre-discards some packets to reduce networking delay; when it is
smaller than the specified value, the system does not discard packets, which prevents packets
from being discarded by mistake when the traffic is very low. The range of value is 0 to
500000, and the default value is 8192.

l interval time - Specifies the interval for calculating the number of packets processed by the
system. The unit of time is milliseconds, ranging from 100 to 1000 milliseconds. The default
value is 100 ms.

To disable the pre-discarding of packets in the receiving queue, under global configuration mode,
use the following command: no head-drop-packet.

Viewing the Information of Pre-discarding Packets of Receiving Queue


To view the information of pre-discarding packets of receiving queue, in any mode, use the com-
mand:
show flow head-drop-packet

Traffic Quota
System supports the traffic quota function, which can limit and control the allowable flow quota
of users/user groups per day or per month. When the user traffic reaches the daily or monthly
quota defined by the traffic quota profile, the system will block the user traffic.



Configuring Traffic Quota
To configure the traffic quota via CLI, take the following steps:

l Configure the traffic quota profile and specify the daily quota and monthly quota of user
traffic in the traffic quota profile.

l Create a user/user group traffic quota rule, specify the restricted user/user group in the user-
/user group traffic quota rule, and bind the specified traffic quota profile to the traffic quota
rule.

l Enable the traffic quota function in the specified zone.

Creating a Traffic Quota Profile

To create a traffic quota profile, in the global configuration mode, use the following command:
user-quota profile profile-name

l profile-name - Specifies the traffic quota profile name and enters the traffic quota profile con-
figuration mode. If the specified name exists, then the system will directly enter the traffic
quota profile configuration mode.

To delete the specified traffic quota profile, in the global configuration mode, use the command
no user-quota profile profile-name.

Specifying the Daily Quota/ Monthly Quota

To specify the daily quota, in the traffic quota profile configuration mode, use the following com-
mand:
daily daily-value unit {KB | MB | GB | TB}

l daily-value – Specifies the daily quota, the range is 1 to 65535.

l unit {KB | MB | GB | TB} – Specifies the unit of the daily quota.



To delete the specified daily quota, in the traffic quota profile configuration mode, use the com-
mand no daily.
To specify the monthly quota, in the traffic quota profile configuration mode, use the following
command:
monthly monthly-value unit {KB | MB | GB | TB}

l monthly-value – Specifies the monthly quota, the range is 1 to 65535.

l unit {KB | MB | GB | TB} – Specifies the unit of the monthly quota.

To delete the specified monthly quota, in the traffic quota profile configuration mode, use the
command no monthly.

Creating a User Traffic Quota Rule

To create a user traffic quota rule, in the global configuration mode, use the following command:
user-quota user-rule rule-name

l rule-name - Specifies the user traffic quota rule name and enters the user traffic quota rule con-
figuration mode. If the specified name exists, then the system will directly enter the user
traffic quota rule configuration mode.

To delete the specified user traffic quota rule, in the global configuration mode, use the command
no user-quota user-rule rule-name.

Specifying the User of User Traffic Quota Rule

To specify the user of the user traffic quota rule, in the user traffic quota rule configuration mode,
use the following command:
user aaa-server-name user-name

l aaa-server-name – Specifies the name of the AAA server already configured in the system.

l user-name - Specifies the name of user.

To delete the specified user, in the user traffic quota rule configuration mode, use the following
command:



no user aaa-server-name user-name

Binding a Traffic Quota Profile to a User Traffic Quota Rule

To bind the specified traffic quota profile to a user traffic quota rule, in the user traffic quota rule
configuration mode, use the following command:
profile profile-name

l profile-name - Specifies the name of the traffic quota profile that will be bound to the user
traffic quota rule.

To cancel the binding, in the user traffic quota rule configuration mode, use the following com-
mand:
no profile

Creating a User Group Traffic Quota Rule

To create a user group traffic quota rule, in the global configuration mode, use the following com-
mand:
user-quota group-rule group-name

l group-name - Specifies the name of the user group traffic quota rule and enters the user group
traffic quota rule configuration mode. If the specified name exists, then the system will dir-
ectly enter the user group traffic quota rule configuration mode.

To delete the specified user group traffic quota rule, in the global configuration mode, use the
command no user-quota group-rule group-name.

Specifying the User Group of User Group Traffic Quota Rule

To specify the user group of the user group traffic quota rule, in the user group traffic quota rule
configuration mode, use the following command:
user-group aaa-server-name group-name



l aaa-server-name – Specifies the name of the AAA server already configured in the system.

l group-name - Specifies the name of user group.

To delete the specified user group, in the user group traffic quota rule configuration mode, use
the following command:
no user-group aaa-server-name group-name

Binding a Traffic Quota Profile to a User Group Traffic Quota Rule

To bind the specified traffic quota profile to a user group traffic quota rule, in the user group
traffic quota rule configuration mode, use the following command:
profile profile-name

l profile-name - Specifies the name of the traffic quota profile that will be bound to the user
group traffic quota rule.

To cancel the binding, in the user group traffic quota rule configuration mode, use the following
command:
no profile

Adjusting Traffic Quota Rule Priority

To adjust the user traffic quota rule priority, in the global configuration mode, use the following
command:
user-quota user-rule rule-name [move] {before name rule-name | after name rule-name | top
| bottom}

l rule-name – Specifies the name of the user traffic quota rule that you want to adjust.

l before name rule-name – Adjusts the priority of the user traffic quota rule to before the
specified rule.

l after name rule-name – Adjusts the priority of the user traffic quota rule to after the
specified rule.



l top – Adjust the priority of the user traffic quota rule to the top of all rules.

l bottom – Adjust the priority of the user traffic quota rule to the bottom of all rules.

To adjust the user group traffic quota rule priority, in the global configuration mode, use the fol-
lowing command:
user-quota group-rule group-name [move] {before name group-name | after name group-
name | top | bottom}

l group-name – Specifies the name of user group traffic quota rule that you want to adjust.

l before name group-name – Adjusts the priority of the user group traffic quota rule to before
the specified rule.

l after name group-name – Adjusts the priority of the user group traffic quota rule to after
the specified rule.

l top – Adjust the priority of user group traffic quota rule to the top of all rules.

l bottom – Adjust the priority of user group traffic quota rule to the bottom of all rules.

Enabling/Disabling the Traffic Quota Function in the Zone

To enable or disable the traffic quota function in the specified zone, in the zone configuration
mode, use the following command:

l Enable the traffic quota function: user-quota enable

l Disable the traffic quota function: no user-quota enable

Resetting the User Used Traffic

You can reset the user used traffic as needed, in the global configuration mode, use the following
command:
user-quota reset [user-name] {daily | monthly | all}



l user-name - Specifies the name of user who needs to reset the used traffic.

l daily - Reset the daily used traffic.

l monthly - Reset the monthly used traffic.

l all - Resets all the used traffic.
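To show how the profile (daily and monthly quota with a unit), the per-user counters and the reset command interact, here is an added Python model; it is not StoneOS code. The profile values, dates and traffic volumes are constructed for the example, and two behaviours the guide does not spell out are assumptions marked in the code: counters roll over on the first traffic of a new day or month, and the quota is checked before the traffic is counted, so the flow that crosses the threshold still passes and only later traffic is blocked.

```python
from datetime import date

# Unit multipliers for 'daily value unit' / 'monthly value unit'
UNITS = {"KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30, "TB": 1 << 40}


class QuotaProfile:
    """'daily value unit' and 'monthly value unit' converted to bytes; None = not set."""

    def __init__(self, daily=None, monthly=None):
        self.daily = daily[0] * UNITS[daily[1]] if daily else None
        self.monthly = monthly[0] * UNITS[monthly[1]] if monthly else None


class UserQuota:
    """Per-user counters bound to a profile (added model, not device code).
    Assumption: day and month counters roll over automatically on the first
    traffic seen in a new day or month."""

    def __init__(self, profile):
        self.profile = profile
        self.day = self.month = None
        self.used_day = self.used_month = 0

    def _roll(self, today):
        if self.day != today:
            self.day, self.used_day = today, 0
        if self.month != (today.year, today.month):
            self.month, self.used_month = (today.year, today.month), 0

    def blocked(self):
        p = self.profile
        return ((p.daily is not None and self.used_day >= p.daily) or
                (p.monthly is not None and self.used_month >= p.monthly))

    def account(self, today, nbytes):
        """Return True and count the traffic, or False once a quota has been reached.
        Assumption: the check happens before counting, so the flow that crosses the
        threshold is still passed and only later traffic is blocked."""
        self._roll(today)
        if self.blocked():
            return False
        self.used_day += nbytes
        self.used_month += nbytes
        return True

    def reset(self, which):
        """Model of 'user-quota reset': which is 'daily', 'monthly' or 'all'."""
        if which in ("daily", "all"):
            self.used_day = 0
        if which in ("monthly", "all"):
            self.used_month = 0


def demo():
    """Constructed walk-through: daily 100 MB, monthly 1 GB, two consecutive days."""
    mb = UNITS["MB"]
    q = UserQuota(QuotaProfile(daily=(100, "MB"), monthly=(1, "GB")))
    d1, d2 = date(2023, 1, 25), date(2023, 1, 26)
    results = [q.account(d1, 60 * mb), q.account(d1, 60 * mb), q.account(d1, 1 * mb)]
    results += [q.account(d2, 1 * mb), q.account(d2, 900 * mb), q.account(d2, 1 * mb)]
    q.reset("daily")            # clears the day counter only; month usage stays
    results += [q.account(d2, 1 * mb), q.account(d2, 5 * mb), q.account(d2, 1 * mb)]
    q.reset("monthly")          # the monthly block lifts
    results.append(q.account(d2, 1 * mb))
    return results, q.used_month // mb
```

The walk-through shows the third flow on day one blocked by the daily quota, the new day unblocking it, a daily reset lifting a daily block without touching the monthly counter, and the monthly quota then biting on its own.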

Viewing the Traffic Quota Profile Information


To view the traffic quota profile information, in any mode, use the following command:
show user-quota profile

Viewing the User Traffic Quota Rule Information


To view the user traffic quota rule information, in any mode, use the following command:
show user-quota user-rule

Viewing the User Group Traffic Quota Rule Information


To view the user group traffic quota rule information, in any mode, use the following command:
show user-quota group-rule

Viewing the Zone with Traffic Quota Function Enabled


To view the zone with traffic quota function enabled, in any mode, use the following command:
show user-quota zone

Viewing the Traffic Quota Statistics


To view the traffic quota statistics, in any mode, use the following command:
show user-quota {user | user-group} [aaa-server-name user-name]



Chapter 12 Threat Prevention
The chapter introduces the following topics:

l "Host Defense" on Page 1812 explains how to configure the host defense function to protect
the proxy host from ARP attacks.

l "Attack Defense" on Page 1827 describes the common network attack concepts, how to con-
figure Attack Defense, and examples of Attack Defense.

l "Sandbox" on Page 1881 describes sandbox protection function and how to configure sandbox
protection rules and how to update the domain name whitelist used by the sandbox.

l "IPS" on Page 1896 explains how to detect and protect mainstream application layer protocols
(DNS, FTP, POP3, SMTP, TELNET, MYSQL, MSSQL, ORACLE, NETBIOS), against
web-based attacks and common Trojan attacks.

l "Abnormal Behavior Detection" on Page 2000 describes how to configure the zone-based
abnormal behavior detection function to determine the abnormal behavior of the detection
object and how to update the abnormal behavior model database.

l "Advanced Threat Detection" on Page 2005 describes how to intelligently analyze host-based
suspicious traffic to determine whether it is malware and how to update the malware behavior
model database.

l "Perimeter Traffic Filtering" on Page 2009 describes how to filter the perimeter traffic based
on known IP of black/white list, take block action on the malicious traffic that hits the black-
list, and how to update the IP reputation database.

l "Mitigation" on Page 2026 describes how to configure the mitigation rules to identify the
potential risks and network attacks dynamically, and take action on the risk , and how to
update the mitigation rule database.

Chapter 12 Threat Prevention 1810


l "Correlation Analysis" on Page 2030 describes how to use the correlation analysis engine and
makes the correlation analysis of the threat events generated by each modules of threat pre-
vention.

l "Critical Assets" on Page 2031 describes how to configure the critical assets.

l "Geolocation Information Database" on Page 2035 describes how to update the geolocation
information database.

l "Botnet Prevention" on Page 2040describes how to configure the botnet prevention function
based on security zones or policies.

l Encrypted Traffic Detection describes how to configure the encrypted traffic detection func-
tion to detect encrypted attack traffic.

l "Antispam" on Page 2056 describes how to filter the mails transmitted by SMTP and POP3
protocol through the cloud server, and discover the mail threats.

l "End Point Protection" on Page 2062: Obtain the endpoint data monitored by the endpoint
security control center by interacting with it, and then specify the corresponding processing
action according to the security status of endpoint, so as to control the endpoint network
behavior.

l "IoT" on Page 2070: Identify the network video monitoring devices, like IPC (IP Camera)
and NVR (Network Video Recorder) via the flowing traffic, then monitor the identified
devices and block illegal behaviors according to the configurations.



Host Defense
With this function enabled, StoneOS can send gratuitous ARP packets for different hosts to pro-
tect them against ARP attacks. To configure the host defense function, in the global configuration
mode, use the following command:
gratuitous-arp-send ip ip-address mac mac-address switch-interface interface-name except-
interface interface-name rate rate-value

l ip ip-address – Specifies the IP address of the host that uses the device as a proxy.

l mac mac-address – Specifies the MAC address of the host that uses the device as a proxy.

l switch-interface interface-name – Specifies the interface that sends gratuitous ARP packets.
It can be either a VSwitch or BGroup interface.

l except-interface interface-name – Specifies the excluded port, i.e., the port that does not
send gratuitous ARP packets. Typically it is the port connected to the host that uses the
device as a proxy.

l rate rate-value - Specifies a gratuitous ARP packet send rate. The value range is 1 to 10
packets/sec. The default value is 1.

Repeat the command to configure the gratuitous ARP packets for more hosts. You can configure
the Hillstone device to send gratuitous ARP packets for up to 16 hosts.
To disable the function, in the global configuration mode, use the following command:
no gratuitous-arp-send ip ip-address switch-interface interface-name

Host Blacklist
The host blacklist function of the Hillstone devices is designed to prevent users from accessing
the network during the specified period. To enable the function, you need to add the MAC or IP
address of the host to the blacklist, and then bind a schedule.



If the host IP address is added to the blacklist, while its IP is configured as an unrestricted IP and
the unrestricted IP function is also enabled, the system will still block that host from accessing
the network.

Adding a Blacklist Entry

To add the host to the blacklist, in the global configuration mode, use the following command:
host-blacklist {mac mac-address | ip from ip-address to ip-address vrouter vrouter-name}
[schedule schedule-name] [enable | disable]

l mac-address - Specifies the MAC address of the host that will be added to the blacklist.

l ip-address - Specifies the IP address of the host to be added to the blacklist. Overlapped IP
address range is not allowed.

l vrouter-name - Specifies the name of VRouter the IP address belongs to.

l schedule-name - Specifies the schedule that has been configured in the system. If this para-
meter is specified, the system will block the host from accessing the network during the spe-
cified period; if this parameter is not specified, the system will permanently block the host
from accessing the network. For more information about how to create a schedule, see Creat-
ing a Schedule.

l enable | disable – Enables or disables the host blacklist entry. By default, all the entries in
the host blacklist are enabled.

For example, to add the host with the MAC address of 001c.f096.f1ea to the blacklist and bind
the schedule named night to the blacklist so that the host cannot access the network during night,
use the following commands:

hostname(config)# schedule night

hostname(config-schedule)# periodic daily 22:00 to 06:00

hostname(config-schedule)# exit

hostname(config)# host-blacklist mac 001c.f096.f1ea schedule night
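A schedule such as 22:00 to 06:00 spans midnight, which is the case that is easy to get wrong when you reason about, or audit, when a blacklist entry is actually in force. The following Python is an added example, not StoneOS code: it models a periodic daily window, an absolute window and a blacklist entry with the enable flag, and evaluates the entry from the example above at a few constructed points in time. Treating the end time of a window as exclusive is an assumption.

```python
from datetime import datetime, time


class PeriodicDaily:
    """Model of 'periodic daily HH:MM to HH:MM'.  When the end time is earlier
    than the start time the window wraps past midnight, so 22:00 to 06:00 covers
    22:00-24:00 and 00:00-06:00.  An exclusive end boundary is an assumption."""

    def __init__(self, start, end):
        self.start, self.end = start, end

    def active(self, now):
        t = now.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end      # wraps midnight


class Absolute:
    """Model of 'absolute start ... end ...': one fixed interval."""

    def __init__(self, start, end):
        self.start, self.end = start, end

    def active(self, now):
        return self.start <= now < self.end


class HostBlacklistEntry:
    """A MAC- or IP-keyed entry with an optional schedule and an enable flag."""

    def __init__(self, key, schedule=None, enabled=True):
        self.key, self.schedule, self.enabled = key, schedule, enabled

    def blocks(self, now):
        if not self.enabled:          # 'disable' keeps the entry but stops blocking
            return False
        if self.schedule is None:     # no schedule: the host is blocked permanently
            return True
        return self.schedule.active(now)


def parse_hhmm(text):
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


def demo():
    """Evaluate the 'night' entry from the example at constructed timestamps."""
    night = PeriodicDaily(parse_hhmm("22:00"), parse_hhmm("06:00"))
    entry = HostBlacklistEntry("001c.f096.f1ea", schedule=night)
    probes = ["2023-01-25 23:30", "2023-01-26 03:00", "2023-01-26 06:00", "2023-01-26 12:00"]
    return [entry.blocks(datetime.strptime(p, "%Y-%m-%d %H:%M")) for p in probes]
```

The host is blocked at 23:30 and at 03:00 the next morning, and allowed from 06:00 on; a naive start <= t < end comparison would block nothing at all for this window.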



Modifying a Schedule

To modify the schedule for the specified host blacklist entry, in the global configuration mode,
use the following command:
host-blacklist {mac mac-address | ip from ip-address to ip-address vrouter vrouter-name}
schedule new-schedule-name

l schedule new-schedule-name – Specifies the name of the new schedule.

For example, to modify the schedule for the host blacklist entry with MAC address
001c.f096.f1ea, and replace its existing schedule named schedule1 with the new schedule named
schedule2, use the following commands:

hostname(config)# schedule schedule1

hostname(config-schedule)# periodic monday 9:00 to 18:00

hostname(config-schedule)# exit

hostname(config)# schedule schedule2

hostname(config-schedule)# absolute start 01/01/2009 9:00 end 05/01/2009 9:00

hostname(config-schedule)# exit

hostname(config)# host-blacklist mac 001c.f096.f1ea schedule schedule1

hostname(config)# host-blacklist mac 001c.f096.f1ea schedule schedule2

Enabling or Disabling a Blacklist Entry

The created host blacklist entries can be identified by the MAC addresses or IDs. To enable or dis-
able the specified host blacklist entry, in the global configuration mode, use the following com-
mand:
host-blacklist mac {mac-address | id id-number} {enable | disable}

The created host blacklist entries can be identified by the IP addresses or IDs. To enable or dis-
able the specified host blacklist entry, in the global configuration mode, use the following com-
mand:



host-blacklist ip {from ip-address to ip-address vrouter vrouter-name | id id-number}
{enable | disable}

For example, to disable the host blacklist entry identified by MAC address with the ID of 1, use
the following command:

hostname(config)# host-blacklist mac id 1 disable

After disabling the entry, the entry is not deleted, and still exists in the blacklist. To enable the
entry again, use the following command:

hostname(config)# host-blacklist mac id 1 enable

Enabling or Disabling Blacklist Logs

The system can log traffic that hits the blacklist. By default, the system does not record
blacklist logs. To enable or disable blacklist logs, in the global configuration mode, use the fol-
lowing command:
blacklist log {enable | disable}

l enable - Enables blacklist logs. The system records a log when traffic hits the blacklist.

l disable - Disables blacklist logs. The system does not record blacklist logs.

Viewing the Host Blacklist Content

To view the host blacklist content, in any mode, use the following commands:

l Show all the host blacklist entries identified by MAC address: show host-blacklist mac

l Show all the host blacklist entries identified by IP address: show host-blacklist ip

Deleting a Host Blacklist Entry

To delete the host blacklist entry identified by MAC address, in global configuration mode, use
the following command:
no host-blacklist mac {mac-address | id id-number | all}



l mac-address – Deletes the host blacklist entry identified by the specified MAC address.

l id id-number – Deletes the host blacklist entry identified by the specified ID number.

l all – Deletes all the host blacklist entries identified by all the MAC addresses.

To delete the host blacklist entry identified by IP address, in the global configuration mode, use
the following command:
no host-blacklist ip {from ip-address to ip-address vrouter vrouter-name | id id-number |
vrouter vrouter-name}

l from ip-address to ip-address vrouter vrouter-name – Deletes the host blacklist entry identified
by the IP address range of the specified VRouter.

l id id-number - Deletes the host blacklist entry identified by the ID number.

l vrouter vrouter-name – Deletes all the host blacklist entries identified by IP addresses in the
specified VRouter.

Notes: When you delete the VRouter by the command no ip vrouter vrouter-name ,
you'll also delete all the records related to this VRouter from the IP blacklist.

IP-MAC Binding
Hillstone devices support IP-MAC binding, MAC-port binding and IP-MAC-port binding to rein-
force network security control. The bindings obtained from ARP/MAC learning and ARP scan
are known as dynamic bindings, and those manually configured are known as static bindings.
Besides, the Hillstone devices are also designed with the ARP inspection function.

Static Binding

You can add static IP-MAC bindings and MAC-port bindings; you can also prevent the hosts that
are enabled with dynamic ARP learning from accessing the Internet, and only allow the hosts with
static IP-MAC bindings to access the Internet.



Adding a Static IP-MAC Binding

To add a static IP-MAC binding, in the global configuration mode, use the following command:
arp ip-address mac-address [incompatible-auth-arp] [vrouter vrouter-name]

l ip-address – Specifies the IP address for static binding.

l mac-address – Specifies the MAC address for static binding.

l incompatible-auth-arp – If this parameter is configured, ARP authentication will not be
implemented on the IP address.

l vrouter vrouter-name – Adds the static IP-MAC binding to the specified VR. Parameter
vrouter-name is used to specify the name of the VR. If the parameter is not specified, the
static IP-MAC binding configured will belong to the default VR trust-vr.

To delete a static IP-MAC binding, in the global configuration mode, use the following command:
no arp {all | ip-address} [vrouter vrouter-name]

l all – Deletes all the static IP-MAC bindings in the system.

l ip-address – Deletes the static IP-MAC binding for the specified IP address in the system.

l vrouter vrouter-name – Deletes the static IP-MAC binding for the specified VR. Parameter
vrouter-name is used to specify the name of the VR. If the parameter is not specified, the sys-
tem will delete all the static IP-MAC bindings configured in the default VR or for the spe-
cified IP address.

Adding a Static MAC-Port Binding

To add a static MAC-port binding, in the global configuration mode, use the following command:
mac-address-static mac-address interface interface-name

l mac-address – Specifies the MAC address for static binding.

l interface interface-name – Specifies the interface for static binding.



To delete a static MAC-port binding, in the global configuration mode, use the following commands:

l Delete all the static MAC-port bindings in the system:
no mac-address-static all

l Delete all the static MAC-port bindings for the specified interface:
no mac-address-static interface interface-name

l Delete the specified static MAC-port binding:
no mac-address-static mac-address {interface interface-name | vid vlan-id}

Only Allowing Hosts with Static IP-MAC Binding Accessing the Internet

By default, the system allows hosts with dynamic ARP learning enabled to access the Internet. To
only allow the hosts with IP-MAC binding enabled to access the Internet, in the interface con-
figuration mode, use the following command:
arp-disable-dynamic-entry

To disable the function, in the interface configuration mode, use the following command:
no arp-disable-dynamic-entry

Dynamic IP-MAC-Port Binding

Devices can obtain dynamic IP-MAC-port binding information from:

l ARP learning

l MAC learning

ARP Learning

Devices can obtain IP-MAC bindings in an Intranet from ARP learning, and add them to the ARP
list. By default this function is enabled. Hillstone devices will always keep ARP learning on, and
add the learned IP-MAC bindings to the ARP list. If any IP or MAC address changes during the
learning process, Hillstone devices will add the updated IP-MAC binding to the ARP list. If this
function is disabled, only IP addresses in the ARP list can access Internet.



To configure the ARP learning function, in the VSwitch or BGroup interface configuration mode,
use the following commands:

l Enable ARP learning: arp-learning

l Disable ARP learning: no arp-learning

ARP Learning Limit

After the ARP learning function is enabled, when a user host that connects to the interface ini-
tiates ARP attacks, ARP entry resources may be exhausted, making other interfaces unable to per-
form ARP learning. To avoid this issue, the system allows you to enable ARP learning limit and
specify the maximum number of ARP entries that can be learned on the interface. After a limit is
specified, the interface can no longer perform ARP learning when the maximum number of ARP
entries is reached.
To enable the ARP learning limit function and specify the limit, in interface configuration mode,
use the following command:
arp-learning-limit number

l number - Specifies the maximum number of IP-MAC bindings that can be learned on the inter-
face. Valid values: 1 to capacity. The capacity varies based on device platforms.

In interface configuration mode, use the no arp-learning-limit command to disable the ARP learn-
ing limit function.

MAC Learning

Devices can obtain MAC-port bindings in an Intranet from MAC learning, and add them to the
MAC list. By default this function is enabled. Devices will always keep MAC learning on, and add
the learned MAC-port bindings to the MAC list. If any MAC address or port changes during the
learning process, devices will add the updated MAC-port binding to the MAC list.
To configure the MAC learning function, in the VSwitch or BGroup interface configuration
mode, use the following commands:



l Enable MAC learning: mac-learning

l Disable MAC learning: no mac-learning

Viewing IP-MAC-Port Binding Information

To view the IP-MAC binding information (static and dynamic) and the MAC-port binding inform-
ation (static and dynamic) in the system, use the following commands:

l IP-MAC binding information:show arp [vrouter vrouter-name]

l MAC-port binding information: show mac

Clearing ARP Binding Information

To clear the ARP binding information (dynamic), use the following command:
clear arp [interface interface-name [A.B.C.D] | vrouter vrouter-name]

l interface interface-name – Clears the ARP binding information of the specified interface.
Parameter interface-name is used to specify the interface name.

l A.B.C.D - Clears the ARP binding information of the specified IP address of the interface.

l vrouter vrouter-name – Clears the ARP binding information of the specified VRouter. Para-
meter vrouter-name is used to specify the VRouter name. If this parameter is not specified, the
system will clear the ARP binding information of the default VRouter trust-vr.

Forcing Dynamic MAC-Port Binding

You can force to bind the dynamic MAC-Port binding information learned from the MAC learning
function. To force to bind dynamic MAC-port binding, in any mode, use the following command:
exec mac-address dynamic-to-static



DHCP Snooping
DHCP (Dynamic Host Configuration Protocol) is designed to allocate appropriate IP addresses
and related network parameters to subnets automatically. DHCP snooping creates a binding
between the MAC address of the DHCP client and the allocated IP address by analyzing the
packets exchanged between the DHCP client and server. When ARP inspection is also enabled,
StoneOS checks whether an ARP packet passing through matches a binding in the list; if not, the
ARP packet is dropped. In a network that allocates addresses via DHCP, you can protect against
ARP spoofing attacks by enabling ARP inspection and DHCP snooping.
DHCP clients look for a server by broadcasting, and only accept the network configuration para-
meters provided by the first server that answers. Therefore, an unauthorized DHCP server in the
network can mount DHCP server spoofing attacks. Hillstone devices protect against DHCP server
spoofing attacks by dropping DHCP response packets on the related ports.
Besides, some attackers send DHCP requests to a DHCP server in succession while forging
different MAC addresses, exhausting the IP address pool so that no addresses remain for legitimate
users. This kind of attack is commonly known as DHCP starvation. Hillstone devices protect
against such attacks by dropping request packets on the related ports, setting a rate limit or
enabling the validity check.

Enabling/Disabling DHCP Snooping

The BGroup interface, VSwitch interface and VLAN interface of StoneOS all support DHCP
snooping. By default, this function is disabled. To enable DHCP snooping for the BGroup inter-
face or VSwitch interface, in the VSwitch interface or BGroup interface configuration mode, use
the following command:
dhcp-snooping

To disable the function, in the VSwitch interface or BGroup interface configuration mode, use
the following command:
no dhcp-snooping

To enable DHCP snooping for the VLAN interface, in the global configuration mode, use the fol-
lowing command:
dhcp-snooping vlan vlan-list



l vlan-list – Specifies the VLAN ID that will be enabled with DHCP snooping. The value
range is 1 to 4094, such as 1, 2-4, or 1, 2, 5. StoneOS reserves 32 VLAN IDs (from
VLAN224 to VLAN255) for BGroup.

To disable the function, in the global configuration mode, use the following command:
no dhcp-snooping vlan vlan-list

Configuring DHCP Snooping

You can configure how DHCP snooping processes DHCP request and response packets, and
whether the validity check is performed. By default, all the DHCP request and response packets
are permitted, and the validity check is disabled. To configure these options, in the Ethernet
interface (physical interface of the BGroup, VSwitch or VLAN interface) configuration mode, use
the following command:
dhcp-snooping {deny-request | deny-response | validity-check}

l deny-request – Drops all the request packets sent by the client to the server.

l deny-response – Drops all the response packets returned by the server to the client.

l validity-check – Checks whether the client hardware address carried in the DHCP packet is
the same as the source MAC address of the Ethernet frame. If not, the packet is dropped.

To disable the function, in the Ethernet interface configuration mode, use the following com-
mand:
no dhcp-snooping {deny-request | deny-response | validity-check}
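The three mechanisms introduced at the start of this section (the binding table learned from DHCP, ARP inspection against that table, and the validity check on the client hardware address) operate on fixed byte offsets of the Ethernet, DHCP and ARP headers, so they are compact to reproduce. The following Python is an added example and not StoneOS code: it builds constructed frames (the MAC and IP addresses are made up for the example), parses the DHCP chaddr and yiaddr fields and option 53, learns a binding from a DHCPACK, rejects a request whose chaddr does not match the Ethernet source (the starvation pattern the validity check targets) and rejects an ARP packet whose sender IP/MAC pair is not in the table. Learning only from DHCPACK and keying the table by IP are simplifications chosen for this model.

```python
import struct
from ipaddress import IPv4Address

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_dhcp_frame(eth_src, chaddr, op, msg_type, yiaddr="0.0.0.0"):
    """Constructed Ethernet/IPv4/UDP/DHCP frame (sample input, not captured traffic).
    op=1 is a client request, op=2 a server reply; msg_type is DHCP option 53."""
    dhcp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                       b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                       mac_bytes(chaddr), b"", b"")
    dhcp += b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])   # magic cookie, options
    sport, dport = (68, 67) if op == 1 else (67, 68)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4) + udp
    return mac_bytes(BROADCAST) + mac_bytes(eth_src) + b"\x08\x00" + ip


def build_arp_frame(eth_src, sender_mac, sender_ip):
    """Constructed ARP request claiming that sender_ip is at sender_mac."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, mac_bytes(sender_mac),
                      IPv4Address(sender_ip).packed, b"\0" * 6, IPv4Address("192.168.1.1").packed)
    return mac_bytes(BROADCAST) + mac_bytes(eth_src) + b"\x08\x06" + arp


def parse_dhcp(frame):
    """Return (eth_src, op, chaddr, yiaddr, msg_type), or None if not DHCP over IPv4/UDP."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 17:                               # IP protocol must be UDP
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if {sport, dport} != {67, 68}:
        return None
    d = udp[8:]
    op, hlen = d[0], d[2]
    chaddr = mac_text(d[28:28 + hlen])            # client hardware address field
    yiaddr = str(IPv4Address(d[16:20]))           # address the server is assigning
    msg_type, i = None, 240                       # options follow the magic cookie
    while i < len(d) and d[i] != 255:
        if d[i] == 0:
            i += 1
            continue
        if d[i] == 53:
            msg_type = d[i + 2]
        i += 2 + d[i + 1]
    return mac_text(frame[6:12]), op, chaddr, yiaddr, msg_type


class DhcpSnooping:
    """Binding table plus the two checks described in this section (model only)."""

    def __init__(self):
        self.bindings = {}                        # ip -> mac learned from DHCPACK

    def inspect_dhcp(self, frame):
        parsed = parse_dhcp(frame)
        if parsed is None:
            return "not-dhcp"
        eth_src, op, chaddr, yiaddr, msg_type = parsed
        if op == 1 and chaddr != eth_src:         # validity-check on client requests
            return "drop:validity-check"
        if op == 2 and msg_type == 5:             # DHCPACK: record the lease as a binding
            self.bindings[yiaddr] = chaddr
            return "bind"
        return "permit"

    def inspect_arp(self, frame):
        """ARP inspection: the sender IP/MAC pair must match a snooped binding."""
        if frame[12:14] != b"\x08\x06":
            return "not-arp"
        arp = frame[14:]
        sender_mac, sender_ip = mac_text(arp[8:14]), str(IPv4Address(arp[14:18]))
        return "permit" if self.bindings.get(sender_ip) == sender_mac else "drop:arp-inspection"


def demo():
    snoop = DhcpSnooping()
    client, server, attacker = "00:1c:f0:96:f1:ea", "00:50:56:aa:bb:cc", "de:ad:be:ef:00:02"
    return [
        snoop.inspect_dhcp(build_dhcp_frame(client, client, 1, 3)),                 # honest DHCPREQUEST
        snoop.inspect_dhcp(build_dhcp_frame(client, attacker, 1, 3)),               # forged chaddr
        snoop.inspect_dhcp(build_dhcp_frame(server, client, 2, 5, "192.168.1.50")), # DHCPACK
        snoop.inspect_arp(build_arp_frame(client, client, "192.168.1.50")),         # matches binding
        snoop.inspect_arp(build_arp_frame(attacker, attacker, "192.168.1.50")),     # ARP spoof
    ]
```

The forged request is the interesting case: the attacker keeps its real source MAC on the wire (so MAC-port learning sees nothing unusual) and only varies chaddr to burn through the pool, which is exactly the mismatch the validity check catches. The ARP spoof is caught later by the binding the honest ACK created.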

Configuring DHCP Packet Rate Limit

To configure the DHCP packet rate limit, in the Ethernet interface (physical interface of the
BGroup, VSwitch or VLAN interface) configuration mode, use the following command:
dhcp-snooping rate-limit number

- number – Specifies the maximum number of DHCP packets received per second on the interface. If the number exceeds the specified value, StoneOS drops the excess DHCP packets. The value range is 0 to 10000. The default value is 0, i.e., no rate limit.

To cancel the DHCP packet rate limit, in the Ethernet interface configuration mode, use the fol-
lowing command:
no dhcp-snooping rate-limit

Viewing DHCP Snooping Configuration Information

To view the DHCP snooping configuration information, in any mode, use the following com-
mand:
show dhcp-snooping configuration

DHCP Snooping List

With DHCP Snooping enabled, StoneOS will inspect all the DHCP packets passing through the
interface, and create and maintain a DHCP Snooping list that contains IP-MAC binding inform-
ation during the process of inspection. Besides, if the VSwitch, VLAN interface or any other
Layer 3 physical interface is configured as a DHCP server, StoneOS will create IP-MAC binding
information automatically and add it to the DHCP Snooping list even if DHCP Snooping is not
enabled. The bindings in the list contain information like legal users' MAC addresses, IPs, inter-
faces, ports, lease time, etc. To view the DHCP snooping list, in any mode, use the following
command:
show dhcp-snooping binding

To clear all or the specified DHCP snooping list entry, in any mode, use the following command:
clear dhcp-snooping binding [interface interface-name [A.B.C.D] | vlan vlan-id [A.B.C.D]]

- clear dhcp-snooping binding – Deletes all bindings in the DHCP snooping list.

- interface interface-name – Deletes the bindings of the specified interface.

- interface interface-name [A.B.C.D] – Deletes the binding of the specified IP address under the interface.

- vlan vlan-id – Deletes the bindings of the specified VLAN.

- vlan vlan-id [A.B.C.D] – Deletes the binding of the specified IP address under the VLAN.

ARP Inspection
Devices support ARP inspection on interfaces. With this function enabled, the system inspects all ARP packets passing through the specified interfaces and compares the IP and MAC addresses in each ARP packet with the static IP-MAC bindings in the ARP list and the IP-MAC bindings in the DHCP snooping list:

- If the IP address is in the ARP list and the MAC address matches, the ARP packet is forwarded;

- If the IP address is in the ARP list but the MAC address does not match, the ARP packet is dropped;

- If the IP address is not in the ARP list, the system continues to check whether the IP address is in the DHCP snooping list;

- If the IP address is in the DHCP snooping list and the MAC address matches, the ARP packet is forwarded;

- If the IP address is in the DHCP snooping list but the MAC address does not match, the ARP packet is dropped;

- If the IP address is in neither list, the ARP packet is dropped or forwarded according to the configured action (drop or forward).

Enabling/Disabling ARP Inspection

The BGroup, VSwitch and VLAN interface of StoneOS all support ARP inspection. By default,
the function is disabled. To enable the function for BGroup or VSwitch interface, in the VSwitch
or BGroup interface configuration mode, use the following command:
arp-inspection {drop | forward}

- drop – Drops ARP packets whose IP address is in neither the ARP list nor the DHCP snooping list.

- forward – Forwards ARP packets whose IP address is in neither the ARP list nor the DHCP snooping list.

To disable the function, in the VSwitch or BGroup interface configuration mode, use the fol-
lowing command:
no arp-inspection

To enable ARP Inspection for the VLAN interface, in the global configuration mode, use the fol-
lowing command:
arp-inspection vlan vlan-list {drop | forward}

- vlan-list – Specifies the VLAN IDs on which ARP inspection is enabled. The value range is 1 to 4094, given as a single ID, a range, or a list, such as 1, 2-4, or 1, 2, 5. StoneOS reserves 32 VLAN IDs (VLAN224 to VLAN255) for BGroup.

To disable the function, in the global configuration mode, use the following command:
no arp-inspection vlan vlan-list

Configuring a Trusted Interface

You can configure a device interface (physical interface of the BGroup, VSwitch or VLAN inter-
face) as the trusted interface. The packets passing through the trusted interface will not be
checked by ARP inspection. By default, none of the device interfaces is the trusted interface. To
configure a device interface as the trust interface, in the interface configuration mode, use the fol-
lowing command:
arp-inspection trust

To cancel the trust interface, in the interface configuration mode, use the following command:
no arp-inspection trust

Configuring an ARP Rate

To configure the ARP rate, in the interface configuration mode, use the following command:
arp-inspection rate-limit number

- number – Specifies the maximum number of ARP packets received per second on the interface. If the number exceeds the specified value, the system drops the excess ARP packets. The value range is 0 to 10000. The default value is 0, i.e., no rate limit.

To cancel the ARP rate, in the interface configuration mode, use the following command:
no arp-inspection rate-limit

Notes: You can only configure ARP rate on physical interfaces that are bound to
Layer 2 zones.
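
The ARP inspection decision procedure, the trusted interface and the per-interface rate limit described in this section, as an added example that is not part of this guide or of StoneOS. The ARP list, DHCP snooping list, interface names and timestamps are constructed placeholders; the order in which the rate limit and the trust check are applied is not stated on the page and is an assumption of the example.

```python
from collections import defaultdict

# Constructed sample bindings (placeholder addresses, not from a real device).
ARP_LIST = {"10.0.0.1": "00:00:5e:00:53:01"}          # static IP-MAC bindings (ARP list)
DHCP_SNOOPING = {"10.0.0.50": "00:00:5e:00:53:50"}    # bindings learned by DHCP snooping


class ArpInspector:
    """ARP inspection decision for one interface group.
    unknown_action: 'drop' or 'forward' for IPs in neither list (arp-inspection {drop | forward}).
    trusted: interfaces whose ARP packets bypass the binding checks (arp-inspection trust).
    rate_limit: ARP packets per second per interface, 0 = none (arp-inspection rate-limit).
    The rate limit is applied before the trust check; that ordering is an assumption."""

    def __init__(self, unknown_action="drop", trusted=(), rate_limit=0):
        self.unknown_action = unknown_action
        self.trusted = set(trusted)
        self.rate_limit = rate_limit
        self.counts = defaultdict(int)   # (interface, whole second) -> packets seen

    def inspect(self, iface, sender_ip, sender_mac, now_s):
        """Return (verdict, reason) for an ARP packet seen on iface at time now_s."""
        if self.rate_limit:
            key = (iface, int(now_s))
            self.counts[key] += 1
            if self.counts[key] > self.rate_limit:
                return "drop", "rate-limit"
        if iface in self.trusted:
            return "forward", "trusted interface"
        if sender_ip in ARP_LIST:
            if ARP_LIST[sender_ip] == sender_mac:
                return "forward", "arp list match"
            return "drop", "arp list mismatch"
        if sender_ip in DHCP_SNOOPING:
            if DHCP_SNOOPING[sender_ip] == sender_mac:
                return "forward", "dhcp snooping match"
            return "drop", "dhcp snooping mismatch"
        return self.unknown_action, "ip in neither list"


if __name__ == "__main__":
    # Placeholder interface names; ethernet0/1 plays the uplink and is trusted.
    insp = ArpInspector(unknown_action="drop", trusted={"ethernet0/1"}, rate_limit=3)
    samples = [
        ("ethernet0/2", "10.0.0.1", "00:00:5e:00:53:01", 0.1),   # matches ARP list
        ("ethernet0/2", "10.0.0.1", "00:00:5e:00:53:99", 0.2),   # gateway IP, wrong MAC: spoof
        ("ethernet0/2", "10.0.0.50", "00:00:5e:00:53:50", 0.3),  # matches DHCP snooping
        ("ethernet0/2", "10.0.0.50", "00:00:5e:00:53:50", 0.4),  # 4th packet this second: rate-limit
        ("ethernet0/2", "10.0.0.77", "00:00:5e:00:53:77", 1.5),  # unknown IP: configured action
        ("ethernet0/1", "10.0.0.77", "00:00:5e:00:53:77", 1.6),  # same, but on the trusted uplink
    ]
    for sample in samples:
        print(sample, "->", insp.inspect(*sample))
```

The second sample is the classic gateway-spoofing ARP reply: the IP of the gateway is in the ARP list with a different MAC, so it is dropped regardless of the drop/forward setting, which only governs IPs that appear in neither list.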

ARP Defense
Powered by the ARP learning, MAC learning, authenticated ARP and ARP inspection functions,
system is capable of providing defense against ARP spoofing attacks. Besides, system can also
gather statistics on the ARP spoofing attacks. To view the ARP spoofing attacks statistics, in any
mode, use the following command:
show arp-spoofing-statistics [number]

- number – Shows only the top number records.

To clear the ARP spoofing attack statistics, in the execution mode, use the following command:
clear arp-spoofing-statistics

Attack Defense
Networks are exposed to a variety of attacks, such as compromise or sabotage of servers, theft of sensitive data, disruption of services, or direct sabotage of network devices that causes service anomalies or interruption. Security gateways, as network security devices, must provide attack defense functions that detect the various types of network attacks and take appropriate actions to protect the intranet against them, so that the intranet and its systems keep operating normally. Devices provide attack defense functions based on security zones.

Common Network Attacks


This section describes some common network attacks. Devices can take appropriate actions
against network attacks to assure the security of your network systems.

IP Address Spoofing

IP address spoofing is a technique used to gain unauthorized access to computers. An attacker sends packets with a forged source IP address to a computer, so that the packets appear to come from a trusted host. For applications that authenticate based on IP addresses, such an attack allows unauthorized users to gain access to the attacked system. The attacked system might be compromised even if the response packets never reach the attacker.

ARP Spoofing

A LAN forwards traffic based on MAC addresses. In an ARP spoofing attack, the attacker sends ARP messages that pair a wrong MAC address with an IP address, so that the target host's ARP cache holds an incorrect IP-to-MAC mapping. Subsequent IP packets for that destination are then delivered to the wrong host, which allows the attacker to intercept traffic and steal data.

Land Attack

In a Land attack, the attacker crafts a packet whose source and destination addresses are both set to the address of the server under attack. The victim server then sends a message to its own address, and the same address returns a response, establishing a null connection with itself. Each such connection is maintained until it times out. Many servers crash under Land attacks.

Smurf Attack

Smurf attacks consist of two types: basic attack and advanced attack. A basic Smurf attack is used
to attack a network by setting the destination address of ICMP ECHO packets to the broadcast
address of the attacked network. In such a condition all the hosts within the network will send
their own response to the ICMP request, leading to network congestion. An advanced Smurf
attack is mainly used to attack a target host by setting the source address of ICMP ECHO packets
to the address of the attacked host, eventually leading to host crash. Theoretically, the more hosts
in a network, the better the attacking effect will be.

Fraggle Attack

A fraggle attack is quite similar to a Smurf attack. The only difference is the attacking vector of
fraggle is UDP packets.

Teardrop Attack

A Teardrop attack is a denial of service attack based on malformed IP fragments, typically carrying UDP. The attacker sends the victim multiple IP fragments (each fragment carries the identifier of the packet it belongs to and its offset within that packet) whose offsets overlap. Some operating systems cannot reassemble overlapping fragments correctly and crash or reboot when they receive them.

WinNuke Attack

A WinNuke attack sends OOB (out-of-band) packets to the NetBIOS port (139) of a Windows
system, leading to NetBIOS fragment overlap and host crash. Another attacking vector is ICMP
fragment. Generally an ICMP packet will not be fragmented; therefore many systems cannot prop-
erly process ICMP fragments. If your system receives any ICMP fragment, it's almost certain that
the system is under attack.

SYN Flood

Due to resource limitations, a server will only permit a certain number of TCP connections. A SYN Flood exploits this weakness. During the attack, an attacker crafts a SYN packet, sets its source address to a forged or non-existent address, and initiates a connection to a server. The server replies to the SYN packet with a SYN-ACK, but because the source address is forged, no ACK for the SYN-ACK ever arrives, leaving a half-open connection. The attacker can send a large number of such packets to the attacked host and create an equally large number of half-open connections that persist until they time out. As a result, resources are exhausted and normal access is blocked. Even where the number of connections is not limited, a SYN Flood will exhaust all the available memory and other resources of the system.

ICMP Flood and UDP Flood

An ICMP Flood/UDP Flood attack sends huge amount of ICMP messages (such as ping)/UDP
packets to a target within a short period and requests for response. Due to the heavy load, the
attacked target cannot complete its normal transmission task.

ICMP Redirect Attack

An ICMP redirect message is an out-of-band message that is designed to inform a host of a more
optimal route through a network, but possibly used maliciously for attacks that redirect traffic to a
specific system. In this type of an attack, the hacker, posing as a router, sends an ICMP redirect
message to a host, which indicates that all future traffic must be directed to a specific system as
the more optimal route for the destination.

IP Address Sweep and Port Scan

This kind of attack makes a reconnaissance of the destination address and port via scanners, and
determines the existence from the response. By IP address sweep or port scan, an attacker can
determine which systems are alive and connected to the target network, and which ports are used
by the hosts to provide services.

Ping of Death Attack

Ping of Death attacks systems with over-sized ICMP packets. The total length field of an IP header is 16 bits, so the maximum length of an IP packet is 65535 bytes. For an ICMP echo packet, if the data length is larger than 65507 bytes, the total length of the ICMP data, IP header (20 bytes) and ICMP header (8 bytes) exceeds 65535 bytes. Some routers or systems cannot properly process such a packet, and may crash, hang or reboot.

IP Fragment Attack

An attacker sends the victim an IP fragment with a fragment offset greater than 0 but smaller than 5 (the offset is counted in 8-byte units, so such a fragment claims to start within the first 40 bytes of the original datagram, where the transport-layer header is expected), which causes the victim to malfunction or crash.

IP Option Attack

An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to
probe the network topology. The target system will break down if it is incapable of processing
error packets.

Huge ICMP Packet Attack

An attacker sends large ICMP packets to crash the victim. Large ICMP packets can cause memory
allocation error and crash the protocol stack.

TCP Flag Attack

An attacker sends packets with defective TCP flags to probe the operating system of the target
host. Different operating systems process unconventional TCP flags differently. The target system
will break down if it processes this type of packets incorrectly.

DNS Query Flood Attack

A DNS server processes and replies to every DNS query it receives. A DNS query flood attacker sends a large number of forged DNS queries. This attack consumes the bandwidth and resources of the DNS server, which prevents it from processing and answering legitimate DNS queries.

DNS Reply Flood Attack

When a DNS server receives a reply message, it processes the message regardless of whether it is valid. In a DNS reply flood, the attacker sends a large number of DNS reply messages to a DNS cache server, causing the cache server to run out of resources while processing them.

TCP Split Handshake Attack

When a client establishes a TCP connection with a malicious TCP server, the server responds to the client's SYN with a SYN of its own instead of a SYN-ACK, and uses that SYN to initiate the TCP connection toward the client. Once the connection is established, the malicious server has effectively switched roles and become the client side of the TCP connection. A device that decides the direction of a connection by which side sent the first SYN can thus be tricked into letting malicious traffic into the intranet.

SIP Flood

SIP (Session Initiation Protocol) is an application-layer signaling control protocol. It is used to initiate, modify and terminate interactive multimedia sessions, such as multimedia conferences and Internet telephony. In a SIP flood attack, the attacker sends a large number of INVITE messages to the target SIP server in a short time. As a result, the target SIP server exhausts its resources and fails to respond to call requests from valid users.

Configuring Attack Defense


By default, only some of the attack defense functions are enabled in the untrust zone of the device: IP address spoofing attack defense, IP address sweep attack defense, IP protocol scan attack defense, TCP port scan attack defense, UDP port scan attack defense, ICMP Flood attack defense, SYN Flood attack defense, UDP flood attack defense, WinNuke attack defense, Ping of Death attack defense, Teardrop attack defense, IP Option attack defense, IP Fragment attack defense, IP Directed Broadcast attack defense, Land attack defense and SIP Flood attack defense. To enable all the attack defense functions, in the security zone configuration mode, use the following command:
ad all

To disable all the attack defense functions in the security zone, in the security zone configuration
mode, use the command no ad all.
You can configure the parameters of the above attack defense functions as needed. The attack
defense configurations of Hillstone devices include:

- Configuring IP address sweep attack defense

- Configuring ICMP redirect attack defense

- Configuring IP protocol scan attack defense

- Configuring TCP port scan attack defense

- Configuring UDP port scan attack defense

- Configuring IP address spoofing attack defense

- Configuring SYN Flood attack defense

- Configuring SYN-Proxy

- Configuring SIP Flood attack defense

- Configuring ICMP Flood attack defense

- Configuring UDP Flood attack defense

- Configuring Flood protection threshold learning

- Configuring Large ICMP packet attack defense

- Configuring WinNuke attack defense

- Configuring Ping of Death attack defense

- Configuring Teardrop attack defense

- Configuring IP Option attack defense

- Configuring TCP option anomaly attack defense

- Configuring Land attack defense

- Configuring IP fragment attack defense

- Configuring Smurf and fraggle attack defense

- Configuring ARP spoofing attack defense

- Configuring DNS Query Flood attack defense

- Configuring DNS Reply Flood attack defense

- Configuring AD Whitelist

- Viewing the attack defense configurations of the security zone and statistics

Configuring IP Address Sweep Attack Defense

You can individually enable or disable IP address sweep attack defense for each security zone and
configure the time threshold and action for IP address sweep attacks. To configure the IP sweep
scan attack defense for the specified security zone, in the security zone configuration mode, use
the following command:
ad ip-sweep [ threshold value | action { alarm | drop } | tcp ]

- ad ip-sweep – Enables IP address sweep attack defense for the security zone. To disable the function, in the security zone configuration mode, use the command no ad ip-sweep.

- threshold value – Specifies the time threshold for IP address sweep. If more than 10 ICMP packets from one single source IP address are sent to different hosts within the period specified by the threshold, the system identifies them as an IP address sweep attack. The value range is 1 to 1,800,000 milliseconds. The default value is 1. To restore the default value, use the command no ad ip-sweep threshold.

- action {alarm | drop} – Specifies the action for IP address sweep attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – Only permits 10 ICMP/TCP packets originating from one single source IP address and destined to different hosts to pass through during the specified period (threshold value), and also gives an alarm. All the excess packets of the same type are dropped during this period. The default action is drop. To restore the default action, use the command no ad ip-sweep action.

- tcp – Also detects TCP packets. If more than 10 TCP packets from one single source IP address are sent to different hosts within the period specified by the threshold (threshold value), the system identifies them as an IP address sweep attack. To disable detection of TCP packets, use the command no ad ip-sweep tcp.

Configuring ICMP Redirect Attack Defense

You can individually enable or disable ICMP redirect attack defense for each security zone and
configure the action for ICMP redirect attacks. To configure the ICMP redirect attack defense for
a security zone, in security zone configuration mode, use the following command:
ad icmp-redirect [action {alarm | drop}]

- ad icmp-redirect – Enables ICMP redirect attack defense for the security zone. To disable the function, in security zone configuration mode, use the command no ad icmp-redirect. By default, the function is disabled.

- action {alarm | drop} – Specifies the action for ICMP redirect attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – Gives an alarm and drops the packets. The default action is drop. To restore the default action, use the command no ad icmp-redirect action.

Configuring IP Protocol Scan Attack Defense

You can individually enable or disable IP protocol scan attack defense for each security zone and
configure the time threshold and action for IP protocol scan attacks. To configure the IP protocol
scan attack defense for the specified security zone, in the security zone configuration mode, use
the following command:
ad ip-proto-scan [threshold value | action {alarm | drop}]

- ad ip-proto-scan – Enables IP protocol scan attack defense. To disable this function, use the command no ad ip-proto-scan.

- threshold value – Specifies the time threshold for IP protocol scan. If packets of more than 10 different IP protocols from the same source IP address are sent to the same host within the specified time threshold, StoneOS identifies them as an IP protocol scan attack. The value range is 1 to 1,800,000 milliseconds. The default value is 10. To restore the default threshold, use the command no ad ip-proto-scan threshold.

- action {alarm | drop} – Specifies an action for IP protocol scan attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – During the specified period (threshold value), StoneOS only permits packets of 10 different IP protocols (from the same source IP address) destined to the same host to pass through, drops packets of any further IP protocols, and also generates an alarm. The default action is drop. To restore the default action, use the command no ad ip-proto-scan action.

Configuring TCP Port Scan Attack Defense

You can individually enable or disable TCP port scan attack defense for each security zone and
configure the time threshold and action for the TCP port scan attacks. To configure the TCP port
scan attack defense for the specified security zone, in the security zone configuration mode, use
the following command:
ad port-scan [threshold value | action {alarm | drop}]

- ad port-scan – Enables TCP port scan attack defense for the security zone. To disable the function, in the security zone configuration mode, use the command no ad port-scan.

- threshold value – Specifies the time threshold for TCP port scan. If more than 10 TCP SYN packets are sent to different ports within the period specified by the threshold, the system identifies them as a port scan attack. The value range is 1 to 1,800,000 milliseconds. The default value is 1. To restore the default value, in the security zone configuration mode, use the command no ad port-scan threshold.

- action {alarm | drop} – Specifies the action for TCP port scan attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – Only permits 10 TCP SYN packets destined to different ports to pass through during the specified period (threshold value), drops the other packets of the same type, and also gives an alarm. The default action is drop. To restore the default action, use the command no ad port-scan action.

Configuring UDP Port Scan Attack Defense

You can individually enable or disable UDP port scan attack defense for each security zone and
configure the time threshold and action for UDP port scan attacks. To configure the UDP port
scan attack defense for the specified security zone, in the security zone configuration mode, use
the following command:
ad udp-port-scan [ threshold value | action { alarm | drop }]

- ad udp-port-scan – Enables UDP port scan attack defense. To disable this function, use the command no ad udp-port-scan.

- threshold value – Specifies the time threshold for UDP port scan. If more than 10 UDP packets from the same source IP address are sent to different ports within the specified time threshold, StoneOS identifies them as a UDP port scan attack. The value range is 1 to 1,800,000 milliseconds. The default value is 5. To restore the default threshold, use the command no ad udp-port-scan threshold.

- action {alarm | drop} – Specifies the action for UDP port scan attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – During the specified period (threshold value), StoneOS only permits 10 UDP packets (from the same source IP address) destined to different ports to pass through, drops the other packets of the same type, and also gives an alarm. The default action is drop. To restore the default action, use the command no ad udp-port-scan action.
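
The four scan detectors above (ad ip-sweep, ad ip-proto-scan, ad port-scan, ad udp-port-scan) all apply one rule: more than 10 distinct values of some field from one source within a time threshold. The following is an added example that is not part of this guide or of StoneOS; it implements that sliding-window rule once, with a profile per command using the default thresholds stated above, and runs it over constructed sample traffic. Grouping port scans by (source, destination) pair, and the exact handling of the "drop" action (packets to the first 10 distinct values keep passing, any further new value is dropped), are assumptions of the example.

```python
from collections import defaultdict, deque

LIMIT = 10   # distinct values permitted within the window (fixed on the device)


def _is_icmp(p):
    return p["proto"] == 1


def _is_tcp(p):
    return p["proto"] == 6


def _is_udp(p):
    return p["proto"] == 17


# One profile per zone command: which packets count, what the source group is,
# which field must be distinct, and the default threshold in milliseconds.
PROFILES = {
    "ip-sweep":      dict(match=_is_icmp, group=("src",), key="dst", threshold_ms=1),
    "ip-sweep-tcp":  dict(match=_is_tcp, group=("src",), key="dst", threshold_ms=1),
    "ip-proto-scan": dict(match=lambda p: True, group=("src", "dst"), key="proto", threshold_ms=10),
    "port-scan":     dict(match=lambda p: _is_tcp(p) and p.get("syn", False),
                          group=("src", "dst"), key="dport", threshold_ms=1),
    "udp-port-scan": dict(match=_is_udp, group=("src", "dst"), key="dport", threshold_ms=5),
}


class ScanDetector:
    """Sliding-window detector: more than LIMIT distinct key values per group
    within threshold_ms is a scan. action='alarm' records the alarm but forwards;
    action='drop' drops packets carrying an 11th (or later) distinct value."""

    def __init__(self, profile, action="drop"):
        self.profile, self.cfg, self.action = profile, PROFILES[profile], action
        self.windows = defaultdict(deque)   # group -> deque of (t_ms, key), distinct keys only
        self.alarms = []

    def process(self, pkt):
        cfg = self.cfg
        if not cfg["match"](pkt):
            return "forward"
        group = tuple(pkt[f] for f in cfg["group"])
        key, now = pkt[cfg["key"]], pkt["t_ms"]
        win = self.windows[group]
        while win and now - win[0][0] > cfg["threshold_ms"]:
            win.popleft()                    # expire entries older than the threshold
        if any(k == key for _, k in win):
            return "forward"                 # a value already permitted in this window
        if len(win) >= LIMIT:
            self.alarms.append((self.profile, group, key, now))
            return "drop" if self.action == "drop" else "forward"
        win.append((now, key))
        return "forward"


def run(profile, packets, action="drop"):
    det = ScanDetector(profile, action)
    return [det.process(p) for p in packets], det.alarms


# Constructed sample traffic (placeholder addresses). Timestamps are in milliseconds.
ICMP_SWEEP = [dict(t_ms=i * 0.05, src="198.51.100.7", dst="10.0.0.%d" % (i + 1), proto=1)
              for i in range(12)]                       # 12 hosts pinged within 0.55 ms
PROTO_SCAN = [dict(t_ms=i * 0.5, src="198.51.100.7", dst="10.0.0.1", proto=i + 1)
              for i in range(12)]                       # protocols 1..12 to one host in 5.5 ms
PORT_SCAN = [dict(t_ms=i * 0.05, src="198.51.100.7", dst="10.0.0.1", proto=6, syn=True, dport=20 + i)
             for i in range(15)]                        # SYNs to 15 ports within 0.7 ms
NORMAL_PINGS = [dict(t_ms=i * 0.05, src="10.0.0.9", dst="10.0.0.1", proto=1)
                for i in range(12)]                     # 12 pings to the same host

if __name__ == "__main__":
    for name, traffic in [("ip-sweep", ICMP_SWEEP), ("ip-proto-scan", PROTO_SCAN),
                          ("port-scan", PORT_SCAN), ("ip-sweep", NORMAL_PINGS)]:
        verdicts, alarms = run(name, traffic)
        print(name, "forwarded", verdicts.count("forward"), "dropped", verdicts.count("drop"),
              "alarms", len(alarms))
```

With the default 1 ms threshold a sweep spread over more than a millisecond between hosts is not caught by ip-sweep at all, which is the reason to raise the threshold on zones where slow scans matter; the example makes that trade-off visible by letting you change threshold_ms per profile.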

Configuring IP Address Spoofing Attack Defense

The system can defend against Layer 3 IP address spoofing attacks. With Layer 3 IP address spoofing attack defense enabled, for each packet passing through the device the system looks up the route back to the packet's source IP address and acts on the result:

- If the security zone of the interface that route uses (i.e., the zone through which the device would send a packet to that source IP address) is the same as the security zone the packet arrived from, the system permits the packet to pass through.

- Otherwise, the system identifies the packet as abnormal, gives an alarm and drops the packet.

To enable Layer 3 IP address spoofing attack defense for a security zone, in the Layer 3 security
zone configuration mode, use the following command:
ad ip-spoofing
To disable Layer 3 IP address spoofing attack defense for a security zone, in the Layer 3 security
zone configuration mode, use the command no ad ip-spoofing.
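
The zone-based reverse-path check described above, as an added example that is not part of this guide or of StoneOS. The routing table, interface names and zone names are constructed placeholders; treating a source address with no route back as spoofed is an assumption of the example (with a default route present, as here, that branch is never reached).

```python
import ipaddress

# Constructed routing table: (prefix, egress interface, zone of that interface).
# Interface and zone names are placeholders.
ROUTES = [
    ("0.0.0.0/0",      "ethernet0/0", "untrust"),
    ("10.1.0.0/16",    "ethernet0/1", "trust"),
    ("192.168.5.0/24", "ethernet0/2", "dmz"),
]
# Longest prefix first, so the first hit is the most specific route.
TABLE = sorted(((ipaddress.ip_network(p), i, z) for p, i, z in ROUTES),
               key=lambda r: r[0].prefixlen, reverse=True)


def route_back(ip):
    """Return (zone, interface) the device would use to send a packet to ip."""
    addr = ipaddress.ip_address(ip)
    for net, iface, zone in TABLE:
        if addr in net:
            return zone, iface
    return None, None


def ip_spoofing_check(ingress_zone, src_ip):
    """Zone-based reverse-path check: permit only if the packet arrived from the
    zone that the route back to its source address points into."""
    zone, iface = route_back(src_ip)
    if zone is None:
        return "drop", "no route back to %s" % src_ip   # treated as spoofed (assumption)
    if zone == ingress_zone:
        return "permit", "route to %s via %s (%s)" % (src_ip, iface, zone)
    return "drop", "alarm: %s arrived from %s but routes back via %s" % (src_ip, ingress_zone, zone)


if __name__ == "__main__":
    for ingress, src in [("trust", "10.1.2.3"), ("untrust", "10.1.2.3"),
                         ("untrust", "203.0.113.5"), ("trust", "192.168.5.10")]:
        print(ingress, src, "->", ip_spoofing_check(ingress, src))
```

The second sample is the case the defense exists for: a packet carrying an internal 10.1.x.x source address arriving from the untrust zone. Note the check relies on the routing table being symmetric; on a device with asymmetric routing or a default route in an unexpected zone it will drop legitimate traffic, so review the routes before enabling it on a zone.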

Configuring SYN Flood Attack Defense

You can enable or disable SYN flood attack defense for each security zone individually, and configure the packet number thresholds and actions for SYN flood attacks. To configure SYN flood attack defense for the specified security zone, in the security zone configuration mode, use the following command:
ad syn-flood [source-threshold number | destination-threshold [ip-based | port-based] number | destination [ip-based | port-based [address-book address-entry | A.B.C.D/M]] | action {alarm | drop}]

- ad syn-flood – Enables SYN flood attack defense for the security zone. To disable the function, in the security zone configuration mode, use the command no ad syn-flood.

- source-threshold number – Specifies a threshold for outbound SYN packets (ignoring the destination IP address and port number). If the number of outbound SYN packets originating from one single source IP address per second exceeds the threshold, the system identifies the traffic as a SYN flood. The value range is 0 to 50000. The default value is 1500. The value 0 disables the source threshold. To restore the default value, use the command no ad syn-flood source-threshold.

- destination-threshold [ip-based | port-based] number – Specifies a threshold for inbound SYN packets destined to one single destination IP address (ip-based) or to one single destination port of that IP address (port-based). If not specified, the system uses ip-based by default. If the number of inbound SYN packets destined to one single destination IP address or one single destination port per second exceeds the threshold, the system identifies the traffic as a SYN flood. The value range is 0 to 50000. The default value is 1500. The value 0 disables the destination threshold. To restore the default value, use the command no ad syn-flood destination-threshold [ip-based | port-based].

- destination [ip-based | port-based [address-book address-entry | A.B.C.D/M]] – Enables IP-based or port-based SYN flood attack defense. If not specified, the system uses ip-based by default. To enable port-based SYN flood attack defense for a specific segment only, specify address-book address-entry or A.B.C.D/M; SYN flood attack defense for other segments stays IP-based. The value range of the destination IP mask is 24 to 32. To cancel the configuration, use the command no ad syn-flood destination.

- action {alarm | drop} – Specifies the action for SYN flood attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – Only permits the specified number (source-threshold number | destination-threshold number) of SYN packets to pass through, and also gives an alarm. If both a source threshold and a destination threshold are configured, the system first checks whether the traffic is a destination SYN flood: if so, it drops the packets and gives an alarm; if not, it continues to check whether the traffic is a source SYN flood and, if so, drops the packets and gives an alarm. The default action is drop. To restore the default action, use the command no ad syn-flood action.

Configuring SYN-Proxy

SYN-Proxy is designed to defend against SYN flood attacks in combination with ad syn-flood.
When both ad syn-flood and SYN proxy are enabled, SYN proxy will act on the packets that have
already passed the detections of ad syn-flood.
The Hillstone devices support SYN-Cookie, a stateless SYN-Proxy mechanism.
To configure the SYN-Proxy and the SYN-Cookie functions for the specified security zone, in
the security zone configuration mode, use the following command:
ad syn-proxy [min-proxy-rate number | max-proxy-rate number | proxy-timeout number | cookie]

- ad syn-proxy – Enables SYN-Proxy for a security zone to defend against SYN flood attacks. To disable the function, in the security zone configuration mode, use the command no ad syn-proxy.

- min-proxy-rate number – Specifies the minimum number of SYN packets that triggers SYN proxy or SYN-Cookie (if enabled by cookie). If the number of inbound SYN packets destined to one single port of one single destination IP address per second exceeds the specified value, the system triggers SYN proxy or SYN-Cookie. The value range is 0 to 50000. The default value is 1000. To restore the default value, use the command no ad syn-proxy min-proxy-rate.

- max-proxy-rate number – Specifies the maximum number of SYN packets per second that SYN proxy or SYN-Cookie (if enabled by cookie) permits to pass through. If the number of inbound SYN packets destined to one single port of one single destination IP address per second exceeds the specified value, the system only permits the specified number of SYN packets to pass through during the current and the next second. All the excess packets of the same type are dropped during this period. The value range is 1 to 1500000. The default value is 3000. To restore the default value, use the command no ad syn-proxy max-proxy-rate.

- proxy-timeout number – Specifies the timeout for half-open connections. Half-open connections are dropped after the timeout. The value range is 1 to 180 seconds. The default value is 30. To restore the default value, use the command no ad syn-proxy proxy-timeout.

- cookie – Enables SYN-Cookie (SYN-Proxy must already be enabled). Because SYN-Cookie keeps no per-connection state, it lets the system handle many more SYN packets, so you are advised to widen the range between min-proxy-rate and max-proxy-rate accordingly. To disable SYN-Cookie, use the command no ad syn-proxy cookie.
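
SYN-Cookie is called a stateless SYN-Proxy above; the following added example, which is not part of this guide and not Hillstone's implementation, shows why it needs no half-open table. The proxy answers a SYN with a SYN-ACK whose initial sequence number is an HMAC over the connection 4-tuple plus an epoch counter and an encoded MSS; the client's final ACK carries that number back, so the proxy can verify it without having stored anything. A small SynProxy class then wires the cookie into the min-proxy-rate / max-proxy-rate decision. The secret key, the 30-second epoch (chosen to mirror the default proxy-timeout), the MSS table and the rate figures are placeholders, and the device's "current and next second" carry-over is not modelled.

```python
import hashlib
import hmac
import ipaddress
import struct
from collections import defaultdict

SECRET = b"example-syn-cookie-secret"   # placeholder; a real device rotates this key
MSS_TABLE = [536, 1024, 1440, 1460]    # MSS values the cookie can encode
COUNT_PERIOD_S = 30                    # cookie epoch, mirrors the 30 s proxy-timeout default
MASK24 = 0xFFFFFF
MASK32 = 0xFFFFFFFF


def _keyed_hash(src, dst, sport, dport, count):
    msg = struct.pack("!4s4sHHI", ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def _mss_index(mss):
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_cookie(src, dst, sport, dport, client_isn, mss, now_s):
    """ISN for the proxied SYN-ACK. Relative to the client ISN:
    top 8 bits = epoch counter, low 24 bits = keyed hash + MSS index."""
    count = (int(now_s) // COUNT_PERIOD_S) & 0xFF
    data = (_keyed_hash(src, dst, sport, dport, count) + _mss_index(mss)) & MASK24
    return (client_isn + (count << 24) + data) & MASK32


def check_cookie(src, dst, sport, dport, seq, ack, now_s):
    """Validate the client's final ACK (seq = client ISN + 1, ack = cookie + 1).
    Returns the MSS to use toward the server, or None if the cookie is forged or expired."""
    cookie = (ack - 1) & MASK32
    client_isn = (seq - 1) & MASK32
    diff = (cookie - client_isn) & MASK32
    count = diff >> 24
    now_count = (int(now_s) // COUNT_PERIOD_S) & 0xFF
    if (now_count - count) & 0xFF > 1:
        return None   # older than one epoch: the equivalent of a half-open entry timing out
    data = (diff - (count << 24) - _keyed_hash(src, dst, sport, dport, count)) & MASK24
    if data >= len(MSS_TABLE):
        return None   # hash mismatch: not a cookie we issued for this 4-tuple
    return MSS_TABLE[data]


class SynProxy:
    """Per (destination IP, port, second) SYN gate in the spirit of ad syn-proxy:
    up to min_proxy_rate SYNs/s pass straight to the server, SYNs above that are
    answered with a cookie, and SYNs above max_proxy_rate are dropped."""

    def __init__(self, min_proxy_rate=1000, max_proxy_rate=3000):
        self.min_rate = min_proxy_rate
        self.max_rate = max_proxy_rate
        self.seen = defaultdict(int)

    def on_syn(self, src, dst, sport, dport, client_isn, mss, now_s):
        key = (dst, dport, int(now_s))
        self.seen[key] += 1
        n = self.seen[key]
        if n <= self.min_rate:
            return "forward", None
        if n > self.max_rate:
            return "drop", None
        return "syn-ack", make_cookie(src, dst, sport, dport, client_isn, mss, now_s)


if __name__ == "__main__":
    # Placeholder addresses; a flood of six SYNs to one port in one second.
    proxy = SynProxy(min_proxy_rate=2, max_proxy_rate=4)
    for i in range(6):
        verdict, cookie = proxy.on_syn("198.51.100.%d" % i, "203.0.113.10", 40000 + i, 80, 1000, 1460, 5.0)
        print(i, verdict, cookie)
        if verdict == "syn-ack":
            # A real client completes the handshake: seq = ISN + 1, ack = cookie + 1.
            print("   completes with MSS",
                  check_cookie("198.51.100.%d" % i, "203.0.113.10", 40000 + i, 80, 1001, cookie + 1, 6.0))
```

Spoofed-source SYNs never produce a valid ACK, so with the cookie in use they cost the proxy nothing beyond the hash; that is the capacity gain behind the advice to widen the min-proxy-rate / max-proxy-rate range once cookie is enabled.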

Configuring SIP Flood Attack Defense

You can enable or disable SIP flood attack defense for each security zone individually, and con-
figure the packet number threshold and actions for the SIP flood attacks. To configure SIP Flood
attack defense of the specified security zone, in the security zone configuration mode, use the fol-
lowing command:
ad sip-flood [destination-threshold number | action {alarm | drop}]

- ad sip-flood – Enables SIP flood attack defense for the security zone. To disable the function, in the security zone configuration mode, use the command no ad sip-flood.

- destination-threshold number – Specifies the threshold for the number of SIP INVITE messages with the same destination IP address received by the device. When the device receives more SIP INVITE messages with the same destination IP address than the configured threshold, it determines that a SIP flood attack is under way and takes the configured action. The value range is 0 to 800000000. The default value is 2000. To restore the default value, use the command no ad sip-flood destination-threshold.

- action {alarm | drop} – Specifies the action the system takes when a SIP flood attack is detected. On detection, the system checks whether there is a real SIP client behind each subsequent source IP address. If so, it lets the subsequent SIP INVITE messages from that source IP address through. Otherwise, it applies the configured action to the SIP INVITE messages from that source IP address for three seconds. drop – Drops the INVITE messages; this is the default action. alarm – Gives an alarm but still lets the INVITE messages through. To restore the default action, use the command no ad sip-flood action.

Configuring ICMP Flood Attack Defense

You can enable or disable ICMP flood attack defense for each security zone individually, and configure the packet number threshold and actions for ICMP flood attacks. To configure ICMP Flood attack defense for the specified security zone, in the security zone configuration mode, use the following command:
ad icmp-flood [threshold number | action {alarm | drop}]

• ad icmp-flood – Enables ICMP Flood attack defense for the security zone. To disable the function, in the security zone configuration mode, use the command no ad icmp-flood.

• threshold number – Specifies a threshold for inbound ICMP packets. If the number of inbound ICMP packets destined to one single IP address per second exceeds the threshold, the system will identify the traffic as an ICMP flood and take the specified action. The value range is 1 to 50000. The default value is 1500. To restore to the default value, use the command no ad icmp-flood threshold.

• action {alarm | drop} – Specifies the action for ICMP Flood attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – Only permits the specified number (threshold number) of ICMP packets to pass through during the current and the next second, and also gives an alarm. All the excessive packets of the same type will be dropped during this period. The default action is drop. To restore to the default action, use the command no ad icmp-flood action.

Configuring UDP Flood Attack Defense

You can enable or disable UDP flood attack defense for each security zone individually, and configure the packet number threshold and actions for UDP Flood attacks. To configure UDP Flood attack defense for the specified security zone, in the security zone configuration mode, use the following command:
ad udp-flood [session-state-check] [source-threshold number | destination-threshold number | action {alarm | drop}]

• ad udp-flood – Enables UDP Flood attack defense for the security zone. To disable the function, in the security zone configuration mode, use the command no ad udp-flood.

• session-state-check – Enables the session state check function. After the function is enabled, the system will not check for UDP Flood attacks in the backward traffic of UDP packets belonging to identified sessions. To disable this function, use the command no ad udp-flood session-state-check.

• source-threshold number – Specifies a threshold for outbound UDP packets. If the number of outbound UDP packets originating from one single source IP address per second exceeds the threshold, the system will identify the traffic as a UDP flood and take the specified action. The value range is 0 to 300000. The default value is 1500. To restore to the default value, use the command no ad udp-flood source-threshold.

• destination-threshold number – Specifies a threshold for inbound UDP packets. If the number of inbound UDP packets destined to one single port of one single destination IP address per second exceeds the threshold, the system will identify the traffic as a UDP flood and take the specified action. The value range is 0 to 300000. The default value is 1500. To restore to the default value, use the command no ad udp-flood destination-threshold.

• action {alarm | drop} – Specifies an action for UDP flood attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – Only permits the specified number (source-threshold number | destination-threshold number) of UDP packets to pass through during the current and the next second, and also gives an alarm. All the excessive packets of the same type will be dropped during this period. The default action is drop. To restore to the default action, use the command no ad udp-flood action.

Configuring Flood Protection Threshold Learning

For flood attacks, the system supports the Flood Protection Threshold Learning function. Flood protection threshold learning collects statistics on the maximum rate of traffic that passes through a normal network environment, and then provides a proper reference value for the attack detection threshold. To configure this function, you need to configure the flood protection threshold learning parameters and enable flood protection threshold learning.
To configure flood protection threshold learning parameters, use the following command in security zone mode:
ad threshold-learning {duration {day | hour | minute} number | learn-mode {one-time | periodic {day | hour | minute} number} | apply-mode {manual | auto} | coefficient {predefine {default | loose | strict} | userdefine number}}

• duration {day | hour | minute} number – Specifies the duration of flood protection threshold learning. The unit can be day, hour, or minute. To restore to the default learning duration, use the no ad threshold-learning duration command.

  • day – Sets the time unit to day. Valid values: 1 to 365 days. Default value: 1 day.

  • hour – Sets the time unit to hour. Valid values: 1 to 8760 hours. Default value: 1 hour.

  • minute – Sets the time unit to minute. Valid values: 10 to 525600 minutes. Default value: 1440 minutes.

• learn-mode {one-time | periodic {day | hour | minute} number} – Specifies the type of flood protection threshold learning. The type can be one-time or periodic. By default, one-time is used. To restore to the default learning type, use the no ad threshold-learning learn-mode command.

  • one-time – Runs the learning task only once; the task stops automatically after completion.

  • periodic {day | hour | minute} number – Runs the learning task periodically at the specified interval; you need to stop the learning task manually. If you set the learning type to periodic, you also need to specify the interval, which is the time between the end of one learning task and the start of the next. The unit can be day, hour, or minute.

    • day – If the time unit is day, valid values of the interval are 1 to 365 days and the default value is 7 days.

    • hour – If the time unit is hour, valid values of the interval are 1 to 8760 hours and the default value is 1 hour.

    • minute – If the time unit is minute, valid values of the interval are 10 to 525600 minutes and the default value is 1440 minutes.

• apply-mode {manual | auto} – Specifies the mode of applying the flood protection threshold learning result. The mode can be manual or auto. By default, manual is used. To restore to the default mode, use the no ad threshold-learning apply-mode command.

  • manual – Applies the threshold learning result to the threshold configuration of a flood attack defense item as you require.

  • auto – The threshold configuration of all enabled flood attack defense items is automatically set to the threshold learning result, and these threshold configurations are applied automatically.

• coefficient {predefine {default | loose | strict} | userdefine number} – Specifies the coefficient of flood protection threshold learning (unit: %). The final threshold learning result = maximum traffic rate within the learning duration × coefficient. To restore to the default coefficient, use the no ad threshold-learning coefficient command.

  • default – Sets the coefficient to 200.

  • loose – Sets the coefficient to 4000.

  • strict – Sets the coefficient to 100.

  • userdefine number – Customizes the coefficient, which ranges from 100 to 4000.

To start or stop flood protection threshold learning and to apply the learning result, use the following command in global mode:
exec ad-threshold-learning {apply {syn-flood | dns-query-flood | dns-query-recursion-flood | dns-reply-flood | udp-flood | icmp-flood | sip-flood} | start | stop} zone zone-name

• apply {syn-flood | dns-query-flood | dns-query-recursion-flood | dns-reply-flood | udp-flood | icmp-flood | sip-flood} – Applies the flood protection threshold learning result to the specified flood attack defense item: SYN flood, DNS Query flood, DNS Recursive Query flood, DNS Reply flood, UDP flood, ICMP flood, or SIP flood.

• start – Starts flood protection threshold learning.

• stop – Stops flood protection threshold learning.

• zone zone-name – Specifies the name of the zone that has flood attack defense enabled.
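The following Python model is an added illustration for this section (it is not StoneOS code and does not reproduce the device's implementation): it computes a threshold the way the coefficient formula above describes, then runs constructed traffic through a per-second limiter with the "current and the next second" behaviour that the flood-defense sections describe for the drop action. Packets are modelled as (timestamp, key) pairs, where the key stands for whatever the text counts per (destination IP, destination port, or source IP).

```python
"""Model of the flood-threshold behaviour described in this chapter.

Added illustration written for this section of the guide, not StoneOS code.
It assumes a simple packet model (timestamp in seconds, a key such as
"dst-ip:port") and whole-second buckets, which is how the text describes
the per-second check.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Predefined coefficients of "ad threshold-learning coefficient" (unit: %).
PREDEFINED_COEFFICIENTS = {"default": 200, "loose": 4000, "strict": 100}


def learned_threshold(peak_rate: int, coefficient) -> int:
    """Final learning result = maximum rate within the learning duration
    * coefficient / 100. `coefficient` is a predefined name or a
    user-defined percentage in the documented range 100..4000."""
    if isinstance(coefficient, str):
        pct = PREDEFINED_COEFFICIENTS[coefficient]
    else:
        pct = int(coefficient)
        if not 100 <= pct <= 4000:
            raise ValueError("userdefine coefficient must be 100..4000")
    return peak_rate * pct // 100


def peak_rate_per_second(packets) -> int:
    """Highest number of packets seen for any (key, second) bucket: the
    statistic threshold learning collects on a normal network."""
    counts = defaultdict(int)
    for ts, key in packets:
        counts[(key, int(ts))] += 1
    return max(counts.values(), default=0)


@dataclass
class FloodGuard:
    """Per-key, per-second limiter with the documented behaviour: once the
    threshold is exceeded in second N, only `threshold` packets per second
    pass during N and N+1 and the excess is dropped. With action 'alarm' the
    flood is still reported but every packet passes."""
    threshold: int
    action: str = "drop"
    alarms: list = field(default_factory=list)
    _count: dict = field(default_factory=lambda: defaultdict(int))
    _window_end: dict = field(default_factory=dict)

    def handle(self, ts: float, key: str) -> str:
        sec = int(ts)
        self._count[(key, sec)] += 1
        n = self._count[(key, sec)]
        in_window = sec <= self._window_end.get(key, -1)
        if n > self.threshold and not in_window:
            # Threshold exceeded outside a window: alarm once and open the
            # "current and next second" window for this key.
            self.alarms.append((sec, key))
            self._window_end[key] = sec + 1
            in_window = True
        if in_window and n > self.threshold and self.action == "drop":
            return "drop"
        return "pass"


def demo(action: str = "drop") -> dict:
    """Learn a threshold from constructed baseline traffic, then run a
    constructed burst through the limiter and summarise the verdicts."""
    key = "10.0.0.5:53"
    # Constructed baseline: 5 packets in each of seconds 0..9 (peak rate 5).
    baseline = [(t / 5, key) for t in range(50)]
    threshold = learned_threshold(peak_rate_per_second(baseline), "default")
    guard = FloodGuard(threshold=threshold, action=action)
    # Constructed burst: 25 packets in second 20, 12 in second 21 (the
    # "next second" of the window), then 3 in second 30 (window expired).
    burst = [(20 + i / 25, key) for i in range(25)]
    burst += [(21 + i / 12, key) for i in range(12)]
    burst += [(30 + i / 3, key) for i in range(3)]
    verdicts = [guard.handle(ts, k) for ts, k in burst]
    return {
        "threshold": threshold,
        "passed": verdicts.count("pass"),
        "dropped": verdicts.count("drop"),
        "alarms": len(guard.alarms),
    }
```

With the default coefficient the learned threshold is twice the observed peak (10), so the burst yields one alarm, 17 drops and 23 passed packets; with action "alarm" the same alarm is raised but nothing is dropped.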

Configuring Large ICMP Packet Attack Defense

You can enable or disable large ICMP packet attack defense for each security zone individually, and configure the packet size threshold and actions for large ICMP packet attacks. To configure large ICMP packet attack defense for the specified security zone, in the security zone configuration mode, use the following command:
ad huge-icmp-pak [threshold number | action {alarm | drop}]

• ad huge-icmp-pak – Enables large ICMP packet attack defense for the security zone. To disable the function, in the security zone configuration mode, use the command no ad huge-icmp-pak.

• threshold number – Specifies the size threshold for ICMP packets. If the size of any inbound ICMP packet is larger than the threshold, the system will identify it as a large ICMP packet and take the specified action. The value range is 1 to 50000 bytes. The default value is 1024. To restore to the default value, use the command no ad huge-icmp-pak threshold.

• action {alarm | drop} – Specifies the action for large ICMP packet attacks. alarm – Gives an alarm but still allows the packet to pass through; drop – Gives an alarm and drops the packet. The default action is drop. To restore to the default action, use the command no ad udp-flood action.

Configuring WinNuke Attack Defense

With WinNuke attack defense enabled, the system will drop the packets and give an alarm if any WinNuke attack has been detected. To enable WinNuke attack defense for the specified security zone, in the security zone configuration mode, use the following command:
ad winnuke

To disable the function, in the security zone configuration mode, use the command no ad winnuke.

Configuring Ping of Death Attack Defense

With Ping of Death attack defense enabled, the system will drop the packets and give an alarm if any Ping of Death attack has been detected. To enable Ping of Death attack defense for the specified security zone, in the security zone configuration mode, use the following command:
ad ping-of-death

To disable the function, in the security zone configuration mode, use the command no ad ping-of-death.

Configuring Teardrop Attack Defense

With Teardrop attack defense enabled, the system will drop the packets and give an alarm if any Teardrop attack has been detected. To enable Teardrop attack defense for the specified security zone, in the security zone configuration mode, use the following command:
ad tear-drop

To disable the function, in the security zone configuration mode, use the command no ad tear-drop.

Configuring IP Option Attack Defense

With IP Option attack defense enabled, the system will drop the packets and give an alarm if any IP option attack has been detected. You can change the action for the attacks as needed. The system defends against the following types of IP options: Security, Loose Source Route, Record Route, Stream ID, Strict Source Route and Timestamp. To enable IP Option attack defense for the specified security zone, in the security zone configuration mode, use the following command:
ad ip-option [action {alarm | drop}]

• ad ip-option – Enables IP Option attack defense for the specified security zone. To disable the function, in the security zone configuration mode, use the command no ad ip-option.

• action {alarm | drop} – Specifies the action for IP Option attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – Gives an alarm and drops the packets. The default action is drop. To restore to the default action, use the command no ad ip-option action.

Configuring TCP Option Anomaly Attack Defense

With TCP option anomaly attack defense enabled, the system will drop the packets and give an alarm if any TCP option anomaly attack has been detected. You can change the action for the attacks as needed. The system identifies the following conditions as a TCP option anomaly attack:

• SYN packets are fragmented

• TCP packets have only the FIN flag set

• TCP packets have no flag set

• TCP packets have both the FIN and RST flags set

• TCP packets have both the SYN and URG flags set

• TCP packets have both the SYN and RST flags set

• TCP packets have both the SYN and FIN flags set

To enable TCP option anomaly attack defense for the specified security zone, in the security zone configuration mode, use the following command:
ad tcp-anomaly [action {alarm | drop}]

• ad tcp-anomaly – Enables TCP option anomaly attack defense for the security zone. To disable the function, in the security zone configuration mode, use the command no ad tcp-anomaly.

• action {alarm | drop} – Specifies the action for TCP option anomaly attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – Gives an alarm and drops the packets. The default action is drop. To restore to the default action, use the command no ad tcp-anomaly action.
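As an added illustration of the seven conditions listed above (not StoneOS code, and not the device's detection logic), the following Python parses a raw IPv4/TCP packet, reads the fragment fields and the TCP flag byte, and reports which listed condition the packet matches. The packet builder and sample addresses are constructed for the demo; checksums are left at zero.

```python
"""Classifier for the TCP option anomaly conditions listed in this section.

Added illustration, not StoneOS code. It parses a raw IPv4/TCP packet,
reads the IP fragment fields and the TCP flag byte, and reports which of
the seven listed conditions (if any) the packet matches.
"""
import struct

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flag pairs the text lists as anomalous when both are set.
ANOMALOUS_PAIRS = (("FIN", "RST"), ("SYN", "URG"), ("SYN", "RST"), ("SYN", "FIN"))


def decode_flags(flag_byte: int) -> frozenset:
    """Translate the TCP flags byte (offset 13 of the TCP header) into names."""
    return frozenset(name for name, bit in TCP_FLAG_BITS.items() if flag_byte & bit)


def tcp_anomaly_reason(flags, fragmented: bool):
    """Return the matching listed condition, or None if the flags are normal."""
    f = frozenset(flags)
    if "SYN" in f and fragmented:
        return "fragmented SYN"
    if not f:
        return "no flags set"
    if f == {"FIN"}:
        return "FIN only"
    for a, b in ANOMALOUS_PAIRS:
        if a in f and b in f:
            return f"{a}+{b}"
    return None


def inspect_ipv4_tcp(packet: bytes):
    """Parse an IPv4 packet and classify it; returns None for non-IPv4/TCP."""
    ver_ihl, _tos, _tlen, _ident, frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(frag & 0x2000)
    offset = frag & 0x1FFF
    record = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "fragmented": more_fragments or offset != 0,
        "flags": [],
        "anomaly": None,
    }
    if offset != 0:
        # Non-first fragments carry no TCP header, so the flag rules cannot
        # be evaluated on them (and "no flags set" must not fire spuriously).
        return record
    flags = decode_flags(packet[ihl + 13])
    record["flags"] = sorted(flags)
    record["anomaly"] = tcp_anomaly_reason(flags, record["fragmented"])
    return record


def build_packet(flags: int, more_fragments=False, offset=0) -> bytes:
    """Constructed IPv4/TCP sample (checksums left zero) for the demo."""
    frag_field = (0x2000 if more_fragments else 0) | (offset & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, frag_field, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def classify_samples() -> list:
    """Run the classifier over constructed samples, one per listed condition
    plus two normal cases; returns the anomaly reasons in order."""
    F = TCP_FLAG_BITS
    samples = [
        build_packet(F["SYN"], more_fragments=True),   # fragmented SYN
        build_packet(F["FIN"]),                         # FIN only
        build_packet(0),                                # no flags
        build_packet(F["FIN"] | F["RST"]),
        build_packet(F["SYN"] | F["URG"]),
        build_packet(F["SYN"] | F["RST"]),
        build_packet(F["SYN"] | F["FIN"]),
        build_packet(F["SYN"] | F["ACK"]),              # normal handshake reply
        build_packet(F["PSH"] | F["ACK"], more_fragments=True, offset=185),
    ]
    return [inspect_ipv4_tcp(p)["anomaly"] for p in samples]
```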

Configuring Land Attack Defense

With Land attack defense enabled, the system will drop the packets and give an alarm if any Land attack has been detected. You can change the action for the attacks as needed. To enable Land attack defense for the specified security zone, in the security zone configuration mode, use the following command:
ad land-attack [action {alarm | drop}]

• ad land-attack – Enables Land attack defense for the security zone. To disable the function, in the security zone configuration mode, use the command no ad land-attack.

• action {alarm | drop} – Specifies the action for Land attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – Gives an alarm and drops the packets. The default action is drop. To restore to the default action, use the command no ad land-attack action.

Configuring IP Fragment Attack Defense

When packets are transmitted across different networks, they sometimes need to be fragmented according to the MTU value. Attackers can modify IP fragments and launch attacks by exploiting vulnerabilities in the reassembly process. Modified IP fragments destined to the victims might lead to improper reassembly, or even a complete system crash.
The system will drop the packets and give an alarm if any IP fragment attack has been detected. You can change the action for the attacks as needed. To enable IP fragment attack defense for the specified security zone, in the security zone configuration mode, use the following command:
ad ip-fragment [action {alarm | drop}]

• ad ip-fragment – Enables IP fragment attack defense for the security zone. To disable the function, in the security zone configuration mode, use the command no ad ip-fragment.

• action {alarm | drop} – Specifies the action for IP fragment attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – Gives an alarm and drops the packets. The default action is drop. To restore to the default action, use the command no ad ip-fragment action.

Configuring Smurf and Fraggle Attack Defense

With Smurf and Fraggle attack defense enabled, the system will drop the packets and give an alarm if any Smurf or Fraggle attack has been detected. You can change the action for the attacks as needed. To enable Smurf and Fraggle attack defense for the specified security zone, in the security zone configuration mode, use the following command:
ad ip-directed-broadcast [action {alarm | drop}]

• ad ip-directed-broadcast – Enables Smurf and Fraggle attack defense for the security zone. To disable the function, in the security zone configuration mode, use the command no ad ip-directed-broadcast.

• action {alarm | drop} – Specifies the action for Smurf and Fraggle attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – Gives an alarm and drops all the packets. The default action is drop. To restore to the default action, use the command no ad ip-directed-broadcast action.

Configuring ARP Spoofing Attack Defense

ARP spoofing attack defense protects the intranet against ARP spoofing attacks. To configure ARP spoofing attack defense for the specified security zone, in the security zone configuration mode, use the following command:
ad arp-spoofing {reverse-query | ip-number-per-mac number [action [drop | alarm]] | gratuitous-arp-send-rate number}

• reverse-query – Enables reverse query. When the system receives an ARP request, it logs the IP address and replies with another ARP request; it then checks whether any packet with a different MAC address is returned, or whether the MAC address of the returned packet is the same as that of the ARP request packet. To disable the function, in the security zone configuration mode, use the command no ad arp-spoofing reverse-query.

• ip-number-per-mac number – Specifies whether the system checks the number of IP addresses per MAC address in the ARP table. If the parameter is set to 0 (the default value), the system will not check the IP number; if set to a value other than 0, the system will check the IP number, and if the number of IP addresses per MAC is larger than the parameter value, the system will take the action specified by action [drop | alarm]. The available actions are drop (give an alarm and drop the ARP packets) and alarm (give an alarm but still allow the packets to pass through). The value range is 0 to 1024. To restore to the default value, use the command no ad arp-spoofing ip-number-per-mac.

• gratuitous-arp-send-rate number – Specifies whether the system sends gratuitous ARP packets. If the parameter is set to 0 (the default value), the system will not send any gratuitous ARP packet; if set to a value other than 0, the system will send gratuitous ARP packets, and the number sent per second is the specified parameter value. The value range is 0 to 10. To restore to the default value, use the command no ad arp-spoofing gratuitous-arp-send-rate.

Configuring DNS Query Flood Attack Defense

DNS (Domain Name System) is used to convert a domain name to an IP address, and to resolve an IP address to a domain name. DNS is an application layer protocol, so it can run over TCP or UDP. DNS Query Flood attacks are based on UDP.
DNS Query Flood attacks are launched by sending a large number of domain name resolution requests to the target DNS server. Typically the requested domain name is randomly generated, or does not exist at all. When the DNS server under attack receives the resolution requests, it first looks in its cache. If there is no cache entry and the domain name cannot be resolved directly by the server, the DNS server sends a recursive query request to its upstream DNS server. This domain name resolution process places a heavy load on the DNS server. If the DNS requests per second exceed a certain number, the workload will lead to domain name resolution timeouts on the DNS server.
Hillstone devices support DNS Query Flood attack defense. You can enable or disable DNS Query Flood attack defense for each security zone individually, and configure the packet number threshold and the actions for DNS Query Flood attacks. To enable DNS Query Flood defense, in the security zone configuration mode, use the following command:
ad dns-query-flood [recursion] [source-threshold number] [destination-threshold number | action {alarm | drop}]

• ad dns-query-flood – Enables DNS Query Flood attack defense for the security zone. To disable the function, in the security zone configuration mode, use the command no ad dns-query-flood.

• recursion – Only limits recursive DNS query packets. If this parameter is not specified, the system will limit all DNS query packets.

• source-threshold number – Specifies a threshold for outbound DNS query packets or recursive DNS query packets. If the number of outbound DNS query packets originating from one single IP address per second exceeds the threshold, the system will identify the traffic as a DNS query flood and take the specified action. The value range is 0 to 300000. The default value is 1500. To restore to the default value, use the command no ad dns-query-flood source-threshold.

• destination-threshold number – Specifies a threshold for inbound DNS query packets or recursive DNS query packets. If the number of inbound DNS query packets destined to one single IP address per second exceeds the threshold, the system will identify the traffic as a DNS query flood and take the specified action. The value range is 0 to 300000. The default value is 1500. To restore to the default value, use the command no ad dns-query-flood destination-threshold.

• action {alarm | drop} – Specifies the action for DNS Query Flood attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – Only permits the specified number (threshold number) of recursive DNS query packets to pass through during the current and the next second, and also gives an alarm. All the excessive packets of the same type will be dropped during this period. The default action is drop. To restore to the default action, use the command no ad dns-flood action.

Notes: DNS Query Flood attack defense is only applicable to UDP DNS query packets.

Configuring DNS Reply Flood Attack Defense

Hillstone devices support DNS Reply Flood attack defense. You can enable or disable DNS Reply Flood attack defense for each security zone individually, and configure the packet number threshold and the actions for DNS Reply Flood attacks. To enable DNS Reply Flood defense, in the security zone configuration mode, use the following command:
ad dns-reply-flood [source-threshold number] [destination-threshold number | action {alarm | drop}]

• ad dns-reply-flood – Enables DNS Reply Flood attack defense for the security zone. To disable the function, in the security zone configuration mode, use the command no ad dns-reply-flood.

• source-threshold number – Specifies a threshold for outbound DNS reply packets or recursive DNS reply packets. If the number of outbound DNS reply packets originating from one single IP address per second exceeds the threshold, the system will identify the traffic as a DNS Reply Flood and take the specified action. The value range is 0 to 300000. The default value is 1500. To restore to the default value, use the command no ad dns-reply-flood source-threshold.

• destination-threshold number – Specifies a threshold for inbound DNS reply packets or recursive DNS reply packets. If the number of inbound DNS reply packets destined to one single IP address per second exceeds the threshold, the system will identify the traffic as a DNS Reply Flood and take the specified action. The value range is 0 to 300000. The default value is 1500. To restore to the default value, use the command no ad dns-reply-flood destination-threshold.

• action {alarm | drop} – Specifies the action for DNS Reply Flood attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – Only permits the specified number (threshold number) of recursive DNS reply packets to pass through during the current and the next second, and also gives an alarm. All the excessive packets of the same type will be dropped during this period. The default action is drop. To restore to the default action, use the command no ad dns-flood action.

Notes: DNS Reply Flood attack defense is only applicable to UDP DNS reply packets.

Configuring TCP Split Handshake Attack Defense

With TCP split handshake attack defense enabled, the device drops the packet and gives an alarm by default when this attack is detected. You can change the default action. To configure TCP split handshake attack defense, use the following command in the security zone configuration mode:
ad tcp-split-handshake [action {alarm | drop}]

• ad tcp-split-handshake – Enables TCP split handshake attack defense for the security zone. To disable it, use the command no ad tcp-split-handshake.

• action {alarm | drop} – Specifies the action for TCP split handshake attacks. alarm – Gives an alarm but still allows the packets to pass through; drop – Gives an alarm and drops all the packets. The default action is drop. To restore to the default action, use the command no ad land-attack action.

Configuring an Attack Defense Whitelist

With attack defense enabled, the system checks all the traffic in the zone. In practice, you may not want to check the traffic originating from certain hosts, for example for test purposes. To solve this problem, you can add addresses (source or destination addresses) to an attack defense whitelist, so that these addresses are exempted from the attack defense check.
To configure an attack defense whitelist, in the zone configuration mode, use the following command:
ad whitelist [id id] {source-ip | destination-ip} {IPv4-address/M | IPv6-address/prefix | address-entry}

• id – Specifies an ID for the whitelist rule. The value range differs between models. If not specified, the system assigns an ID to the rule automatically.

• source-ip | destination-ip – Specifies the address type in the whitelist: source address (source-ip) or destination address (destination-ip).

• IPv4-address/M – Specifies the IPv4 address and netmask that will be added to the whitelist rule.

• IPv6-address/prefix – Specifies the IPv6 address and prefix length (value: 120-128) that will be added to the whitelist rule.

• address-entry – Specifies the address entry that will be added to the whitelist rule.

To delete the specified whitelist rule, in the zone configuration mode, use the following command:
no ad whitelist [id id] {source-ip | destination-ip} {IPv4-address/M | IPv6-address/prefix | address-entry}

Viewing the Attack Defense Configuration and Statistics of the Security Zone

To view the attack defense configuration and statistics of the specified security zone, in any mode, use the following command:
show ad zone zone-name {statistics | configuration | whitelist | threshold-clearning {configuration | status | result}}

• zone-name – Specifies the name of the security zone.

• statistics – Shows the attack defense statistics of the specified security zone.

• configuration – Shows the attack defense configuration of the specified security zone.

• whitelist – Shows the attack defense whitelist configuration of the specified security zone.

• threshold-clearning {configuration | status | result} – Shows the flood protection threshold learning configuration, learning status, and learning result of the specified security zone.

Examples of Configuring Attack Defense

This section describes several attack defense configuration examples to help you understand and configure the attack defense function of the devices.

Example of Configuring Land Attack Defense

This section describes a Land attack defense configuration example.

Requirement

The device's ethernet0/0 is bound to the trust zone, ethernet0/2 is bound to the untrust zone, and ethernet0/1 is bound to the DMZ zone. The goal is to protect the server in the DMZ zone against Land attacks. The network topology is shown below.

Configuration Steps

Step 1: Configure ethernet0/0.

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone trust
hostname(config-if-eth0/0)# ip address 192.168.1.1/24
hostname(config-if-eth0/0)# exit
hostname(config)#

Step 2: Configure ethernet0/2.

hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# zone untrust
hostname(config-if-eth0/2)# ip address 202.1.0.1/24
hostname(config-if-eth0/2)# exit
hostname(config)#

Step 3: Configure ethernet0/1.

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone dmz
hostname(config-if-eth0/1)# ip address 10.0.0.1/8
hostname(config-if-eth0/1)# exit
hostname(config)#

Step 4: Configure a policy rule.

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone dmz
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config)#

Step 5: Enable Land attack defense for the untrust zone.

hostname(config)# zone untrust
hostname(config-zone)# ad land-attack
hostname(config-zone)# exit
hostname(config)#

Step 6: Test the Land attack defense configured for the server. Craft a packet with identical source and destination IP addresses, and send it to 10.110.1.1. The Hillstone device will detect a Land attack, give an alarm and drop the packet.

Example of Configuring SYN Flood Attack Defense

This section describes a SYN Flood attack defense configuration example.

Chapter 12 Threat Prevention 1858


Requirement

Device's ethernet 0/0 is bound to the trust zone, ethernet 0/2 is bound to the untrust zone, and
ethernet 0/1 is bound to the DMZ zone. The goal is to protect the server in the DMZ zone
against SYN Flood attacks.

Configuration Steps

Step 1: Configure ethernet0/0:

hostname(config)# in terface eth ern et0/0

hostname(config-if-eth0/0)# zo n e trust

hostname(config-if-eth0/0)# ip address 192.168.1.1/24

hostname(config-if-eth0/0)# exit

hostname(config)#

Step 2: Configure ethernet0/2:

hostname(config)# in terface eth ern et0/2

hostname(config-if-eth0/2)# zo n e un trust

hostname(config-if-eth0/2)# ip address 202.1.0.1/24

hostname(config-if-eth0/2)# exit

hostname(config)#

Step 3: Configure ethernet0/1:

hostname(config)# in terface eth ern et0/1

hostname(config-if-eth0/1)# zo n e dmz

hostname(config-if-eth0/1)# ip address 10.0.0.1/8

hostname(config-if-eth0/1)# exit

hostname(config)#

Step 4: Configure a policy rule:

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone dmz

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

Step 5: Enable SYN Flood attack defense for the untrust zone:

hostname(config)# zone untrust

hostname(config-zone)# ad syn-flood

hostname(config-zone)# exit

hostname(config)#

Step 6: Test the SYN Flood attack defense configured for the server. Send over 1500 packets per
second to 10.110.1.1. The Hillstone device will detect a SYN Flood attack, and then give an
alarm and drop the packets.

Example of Configuring IP Address Sweep Attack Defense

This section describes an IP address sweep attack defense configuration example.

Requirement

Device's ethernet 0/0 is bound to the trust zone, ethernet 0/2 is bound to the untrust zone, and
ethernet 0/1 is bound to the DMZ zone. The goal is to protect the server in the DMZ zone
against IP address sweep attacks.

Configuration Steps

Step 1: Configure ethernet0/0:

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust

hostname(config-if-eth0/0)# ip address 192.168.1.1/24

hostname(config-if-eth0/0)# exit

hostname(config)#

Step 2: Configure ethernet0/2:

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ip address 202.1.0.1/24

hostname(config-if-eth0/2)# exit

hostname(config)#

Step 3: Configure ethernet0/1:

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone dmz

hostname(config-if-eth0/1)# ip address 10.0.0.1/8

hostname(config-if-eth0/1)# exit

hostname(config)#

Step 4: Configure a policy rule:

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone dmz

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

Step 5: Enable IP address sweep attack defense for the untrust zone:

hostname(config)# zone untrust

hostname(config-zone)# ad ip-sweep

hostname(config-zone)# exit

hostname(config)#

Step 6: Test the IP address sweep attack defense configured for the server. Craft packets via
smartbits and launch an IP address sweep attack against ethernet0/2. Send over 10 packets per
millisecond to 202.1.0.1. The device will detect an IP address sweep attack, and then give an
alarm and drop the packets.

Anti-Virus
This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
The system provides a license-controlled Anti-Virus (AV) function that offers high speed, high
performance and low delay. With this function configured, Hillstone devices can detect various
threats including worms, Trojans, malware and malicious websites, and proceed with the con-
figured actions.
The Anti-Virus function detects the common file types and protocol types that are most likely to
carry viruses. Hillstone devices can inspect the FTP, HTTP, SMTP, IMAP4, POP3 and SMB pro-
tocols and the following file types: archives (including GZIP, BZIP2, TAR, ZIP and RAR-
compressed archives), PE, HTML, MAIL, RIFF, ELF, PDF, MS OFFICE, Raw Data and Others.
Others covers the remaining file types, including GIF, BMP, PNG, JPEG, FWS, CWS, RTF,
MPEG, Ogg, MP3, wma, WMV, ASF, RM, etc. For the SMB protocol, the system also supports
detecting and controlling files in break-point resumption (resumed transfer) scenarios.
The virus signature database includes over 10 million signatures, and supports both daily auto-
matic update and real-time local update.
If IPv6 is enabled, the Anti-Virus function also detects files and protocols carried over IPv6. For
how to enable IPv6, see IPv6.

Configuring Anti-Virus
To enable the anti-virus function on system, take the following steps:

1. Define an AV profile, and specify the file types, protocol types, the actions for the viruses,
and the e-mail label function in the profile.

2. Bind the AV profile to an appropriate policy rule or security zone. To perform the Anti-
Virus function on the HTTPS traffic, see Binding an AV Profile to a Policy Rule.

The system also supports binding the anti-virus profile to a ZTNA policy to perform virus detec-
tion and processing on the traffic matching the ZTNA policy. For configuration information, refer
to Configuring ZTNA Policy.

Notes: You need to update the anti-virus signature database before enabling the
function for the first time. For more information about how to update, see Updating
AV Signature Database. To assure a proper connection to the default update server,
you need to configure a DNS server for system before updating.

After installing the anti-virus license and rebooting the device, the anti-virus function will be
enabled on the system. To view the status of anti-virus, use the command show version. To
enable or disable Anti-Virus, in any mode, use the following command:
exec av {enable | disable}

l enable – Enables Anti-Virus.

l disable – Disables Anti-Virus.

After executing the above commands, you need to reboot the system to make the modification
take effect. After rebooting, system's max concurrent sessions might decrease if the function is
enabled, or restore to normal if the function is disabled. For more information about the max-
imum concurrent sessions, see "The Maximum Concurrent Sessions" on Page 698.

Configuring Log Aggregation and Aggregation Time

The system can merge anti-virus logs of the same source and destination IP based on the specified
time granularity. This way, logs are reduced to prevent the log server from receiving redundant
logs. To configure log aggregation and aggregation time granularity, in the global configuration
mode, use the following command:
av agg-log enable [aggregation-time value]

l value - Specifies the time granularity of log aggregation. With this parameter specified, at the
same time granularity, the system stores anti-virus logs of the same merging type in the data-
base only once. Value ranges from 10 to 600 seconds. The default value is 10 seconds.

In the global configuration mode, use the command no av agg-log enable to specify the log aggreg-
ation type as Do Not Merge. This way, the system stores each anti-virus log in the database and
does not merge any logs.
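The following is an added example, not StoneOS code, that models the aggregation behaviour described above: anti-virus logs with the same source and destination IP that fall into the same time-granularity window are stored once, and aggregation off (the no form of the command) stores every log. The fixed-window bucketing, the sample log entries and the EICAR signature name are constructed assumptions for illustration; the page does not state how the device delimits windows.

```python
"""Added example, not StoneOS code: a model of av agg-log aggregation.

Assumptions (not stated on the page): logs fall into fixed windows of
`granularity` seconds, and the merge key is the (source IP, destination IP)
pair described above; the virus name is carried along but not part of the key.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AvLog:
    ts: int     # timestamp in seconds (constructed sample data below)
    src: str    # source IP
    dst: str    # destination IP
    virus: str  # signature name


# Constructed sample: one host triggers repeatedly, a second host once.
SAMPLE_LOGS = [
    AvLog(1000, "10.1.1.5", "192.168.1.10", "EICAR-Test-File"),
    AvLog(1003, "10.1.1.5", "192.168.1.10", "EICAR-Test-File"),
    AvLog(1007, "10.1.1.5", "192.168.1.10", "EICAR-Test-File"),
    AvLog(1005, "10.1.1.9", "192.168.1.10", "EICAR-Test-File"),
    AvLog(1012, "10.1.1.5", "192.168.1.10", "EICAR-Test-File"),
]


def aggregate_logs(logs, granularity):
    """Return [(first_log, merged_count), ...] as a log server would see them.

    granularity=None models `no av agg-log enable` (Do Not Merge): every
    log is stored. Otherwise, within one window of `granularity` seconds,
    only the first log per (src, dst) pair is stored and later duplicates
    are counted against it.
    """
    if granularity is None:
        return [(entry, 1) for entry in logs]
    if not 10 <= granularity <= 600:
        raise ValueError("aggregation-time must be between 10 and 600 seconds")
    stored = {}
    order = []
    for entry in sorted(logs, key=lambda e: e.ts):
        key = (entry.src, entry.dst, entry.ts // granularity)
        if key in stored:
            stored[key][1] += 1
        else:
            stored[key] = [entry, 1]
            order.append(key)
    return [tuple(stored[k]) for k in order]


if __name__ == "__main__":
    for entry, count in aggregate_logs(SAMPLE_LOGS, 10):
        print(f"{entry.src} -> {entry.dst} {entry.virus} (merged {count})")
```

With the default 10-second granularity the five constructed logs collapse to three stored entries; the merged count is what a log server loses when aggregation is on, which is why the trade-off is between log volume and per-event visibility.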

Creating an AV Profile

The AV profile specifies the file types, protocol types and the actions for viruses. To create an
AV Profile, in the global configuration mode, use the following command:
av-profile av-profile-name

l av-profile-name - Specifies the AV profile name and enters the AV profile configuration
mode. If the specified name exists, the system will directly enter the AV profile con-
figuration mode. To delete the specified AV profile, in the global configuration mode, use the
command no av-profile av-profile-name.

To control the scan accurately, in the AV profile configuration mode, specify the protocol types,
actions and file types. Among these options, the protocol types must be specified, while the
file types can be configured as needed. If only the protocol types are configured and no file types
are configured, the system will only scan the text files transferred over the specified protocols. If
the scan object is a specified file type transferred over a specified protocol (for example, an
HTML document transferred over HTTP), you need to specify both the HTTP protocol type and
the HTML file type in the AV profile.

Enabling Malicious Website Detection

The system provides the malicious website detection function to protect against attacks from
malicious websites when a user accidentally clicks a malicious URL. With this function enabled,
the system detects Trojans, phishing and other malicious behaviors when a URL is visited, and
processes malicious URLs according to the actions specified by the system.
Malicious Website Detection is enabled by default. To enable the function, in the global con-
figuration mode, use the following command:
anti-malicious-sites

To disable the function, in the global configuration mode, use the following command:
no anti-malicious-sites

Specifying Malicious Website Detection Action

To specify the action for Malicious Website Detection, in the AV profile configuration mode, use
the following command:
anti-malicious-sites [action {log-only | reset-conn | warning} | pcap]

l action {log-only | reset-conn | warning} – Specifies the action for the Malicious Website
Detection

l log-only – Only generates log.

l reset-conn – If virus has been detected, system will reset connections to the files.

l warning – Pops up a warning page to prompt that a virus has been detected. This
option is only effective to the messages transferred over HTTP.

To view the reason for the block, click Why blocks this website, and you will be redir-
ected to the Google Safe Browsing page. To ignore the page and continue to visit the
website, click Ignore. In the following hour, you will not be prompted anymore if you
visit the website again.

l pcap – Enable the Capture Packet function.

To cancel the action for Malicious Website Detection, in the AV profile configuration mode,
use the following command:
no anti-malicious-sites [action {log-only | reset-conn | warning} | pcap]

Notes: In 5.5R9, only A200, K6280, K2680, K2380, and K3280 support PCAP
function.

Specifying a Protocol Type

To specify a protocol type, in the AV profile configuration mode, use the following command:
protocol-type {{ftp | imap4 | pop3 | smtp} [pcap | action {fill-magic | log-only | reset-conn}] |
http [pcap | action {fill-magic | log-only | reset-conn | warning}] | smb [pcap |
action {log-only | reset-conn}]}

l ftp – Scans the files transferred over FTP.

l http – Scans the files transferred over HTTP.

l imap4 – Scans the files transferred over IMAP4.

l pop3 – Scans the Emails transferred over POP3.

l smtp – Scans the Emails transferred over SMTP.

l pcap – Capture the packet for protocol scanning.

l smb – Scans the files transferred over SMB.

l action {fill-magic | log-only | reset-conn | warning} – Specifies the action for the viruses.

l fill-magic – Processes the virus file by filling magic words, i.e., fills the file with the
magic words (Virus is found, cleaned) from the beginning to the ending part of the infec-
ted section.

l log-only – Generates logs. This is the default action for FTP, IMAP4, POP3, SMTP
and SMB.

l reset-conn – Resets the connection if any virus has been detected.

l warning – Pops up a warning page to prompt that a virus or malicious website down-
load has been detected. There are two kinds of pages: the virus warning page, and the
malicious website warning page (when malicious website detection is enabled), as shown
below. This option is only effective for messages transferred over HTTP, and is also
the default action if any virus or malicious website download has been detected.

To ignore the page and continue to visit the website, click Ignore. In the following
hour, you will not be prompted anymore if you visit the website again.

Repeat the above command to specify more protocol types.


To cancel the specified protocol type, in the AV profile configuration mode, use the following
command:
no protocol-type {ftp | imap4 | pop3 | smtp | http | smb}

SMTP, POP3 and IMAP4 are all mail transfer protocols that are used to send Email files. To scan
Emails, you must configure to scan SMTP, POP3 or IMAP4 protocol, and also configure the file
types that will be scanned; besides, as the body of the message and attachments are embedded in
the mail file, you also need to configure the file types for the attachment.

Specifying a File Type

To specify a file type, in the AV Profile configuration mode, use the following command:
file-type {bzip2 | gzip | html | jpeg | mail | pe | rar | riff | tar | zip | elf | pdf | office |
raw-data | others}

l bzip2 – Scans BZIP2 compressed files.

l gzip – Scans GZIP compressed files.

l html – Scans HTML files.

l jpeg – Scans JPEG files.

l mail – Scans mail files.

l pe – Scans PE files. PE (Portable Executable) is an executable file format supported by the
Win32 environment. This file format can be used across Win32 platforms. Even if Windows
is running on a non-Intel CPU, the PE loader of any Win32 platform can identify and use the
file format. Besides, the system also supports packed PE files. The supported packing types
include ASPack 2.12, UPack 0.399, UPX (all versions), and FSG v1.3, 1.31, 1.33, 2.0.

l rar – Scans RAR compressed files.

l riff – Scans RIFF files. RIFF (Resource Interchange File Format) is a class of multimedia file
formats designed by Microsoft for Windows, mainly consisting of WAV and AVI types.

l tar – Scans TAR compressed files.

l zip – Scans ZIP compressed files.

l elf – Scans the ELF files.

l pdf – Scans the PDF files.

l office – Scans the Office files.

l raw-data – Scans the txt file and unrecognized file.

l others– Scans the other file, including GIF, BMP, PNG, JPEG, FWS, CWS, RTF, MPEG,
Ogg, MP3, wma, WMV, ASF, RM, etc.

Repeat the above command to specify more file types.

To cancel the specified file type, in the AV profile configuration mode, use the following
command:
no file-type {bzip2 | gzip | html | jpeg | mail | pe | rar | riff | tar | zip | elf | pdf | office |
raw-data | others}

Label Email

If an Email transferred over SMTP is scanned, you can enable label Email to scan the Email and
its attachment(s). The scanning results will be included in the mail body, and sent with the Email.
If no virus has been detected, the message of "No virus found" will be labeled, as shown below:

Body

No virus found.

Checked by Hillstone AntiVirus

Otherwise information related to the virus will be displayed in the Email, including the filename,
path, result and action, as shown below:

Body

Here are the AntiVirus scanning results:

Body: Found virus: virusname1, action: log;

Attachment1.zip/virustest1.exe: Found virus: virusname2, action: log;

Attachment2.tar/subfolder/file1.doc: Found virus: virusname3, action: log;

Checked by Hillstone AntiVirus

Notes: The Email will display the scan information of up to 3 virus files (including
the message body and attachments). You can view all the scan information in the
log.

Enabling/Disabling Label Email

By default the label Email function is disabled. To enable the function, in the AV Profile con-
figuration mode, use the following command:
label-mail

To disable the function, in the AV Profile configuration mode, use the following command:
no label-mail

Configuring Email Signature

After enabling the label Email function, you can customize your own Email signature. By default,
the signature of the labeled Email is "Checked by Hillstone AntiVirus". To configure an Email sig-
nature, in the AV profile configuration mode, use the following command:
mail-sig signature-string

l signature-string – Configures the signature of the labeled Email.

To restore to the default value, in the AV profile configuration mode, use the following com-
mand:
no mail-sig

Binding an AV Profile to a Security Zone

If the AV profile is bound to a security zone, the system will perform detection on the traffic that
matches the binding zone specified in the rule, and then take the action you specified.
If a policy rule is bound with an AV profile, and the destination zone of the policy rule is also
bound with an AV profile, then the AV profile bound to the policy rule takes effect, while the
AV profile bound to the security zone is ignored.
To bind the AV profile to a security zone, in the security zone configuration mode, use the fol-
lowing command:
av enable av-profile-name

l av-profile-name – Specifies the name of the AV profile that will be bound to the security
zone. One security zone can only be bound with one AV profile.

To cancel the binding, in the security zone configuration mode, use the following command:
no av enable

To view the binding between the security zones and AV Profiles, use the command show av
zone-binding.

Binding an AV Profile to a Policy Rule

If the AV profile is bound to a policy rule, the system will detect the traffic matched to the spe-
cified policy rule based on the profile configuration. To bind the AV profile to a policy rule, in
the policy rule configuration mode, use the following command:
av {av-profile-name | no-av}

l av-profile-name – Specifies the name of the AV profile that will be bound to the policy rule.

l no-av – Specifies the predefined AV profile named no-av, which means the anti-virus is dis-
abled. If this profile is bound to any policy rule, even if there are other matched AV profiles,
the system still will not detect the traffic.

To cancel the binding, in the policy rule configuration mode, use the following command:
no av

To perform the Anti-Virus function on the HTTPS traffic, you need to enable the SSL proxy func-
tion for the above specified security policy rule. The system will decrypt the HTTPS traffic
according to the SSL proxy profile and then perform the Anti-Virus function on the decrypted
traffic. According to the various configurations of the security policy rule, the system will perform
the following actions:

Policy Rule Configurations             | Actions
---------------------------------------|----------------------------------------------------------
SSL proxy enabled; Anti-Virus disabled | The system decrypts the HTTPS traffic according to the
                                       | SSL proxy profile but does not perform the Anti-Virus
                                       | function on the decrypted traffic.
SSL proxy enabled; Anti-Virus enabled  | The system decrypts the HTTPS traffic according to the
                                       | SSL proxy profile and performs the Anti-Virus function on
                                       | the decrypted traffic.
SSL proxy disabled; Anti-Virus enabled | The system performs the Anti-Virus function on the HTTP
                                       | traffic according to the Anti-Virus profile. The HTTPS
                                       | traffic will not be decrypted and the system will transfer it.

If the destination zone or the source zone specified in the security policy rule are configured with
Anti-Virus as well, the system will perform the following actions:

Policy Rule Configurations             | Zone Configurations | Actions
---------------------------------------|---------------------|------------------------------------
SSL proxy enabled; Anti-Virus disabled | Anti-Virus enabled  | The system decrypts the HTTPS traffic
                                       |                     | according to the SSL proxy profile and
                                       |                     | performs the Anti-Virus function on the
                                       |                     | decrypted traffic according to the
                                       |                     | Anti-Virus rule of the zone.
SSL proxy enabled; Anti-Virus enabled  | Anti-Virus enabled  | The system decrypts the HTTPS traffic
                                       |                     | according to the SSL proxy profile and
                                       |                     | performs the Anti-Virus function on the
                                       |                     | decrypted traffic according to the
                                       |                     | Anti-Virus rule of the policy rule.
SSL proxy disabled; Anti-Virus enabled | Anti-Virus enabled  | The system performs the Anti-Virus
                                       |                     | function on the HTTP traffic according
                                       |                     | to the Anti-Virus rule of the policy
                                       |                     | rule. The HTTPS traffic will not be
                                       |                     | decrypted and the system will transfer it.

Tip: For more information about SSL proxy, see the SSL Proxy chapter.
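The precedence rules above (policy binding over zone binding, the no-av profile switching scanning off, and HTTPS only being scannable after SSL proxy decryption) are easy to misread when both a zone and a rule carry AV settings. The following is an added example, not StoneOS code, that encodes those rules as a decision function so an administrator can check what a given rule/zone combination should do. It assumes that "Anti-Virus disabled" in the tables means the rule has no AV binding at all, and that no-av is modelled separately; the profile names email-scan and zone-av are constructed.

```python
"""Added example, not StoneOS code: a decision function for the AV binding
precedence and the SSL proxy / Anti-Virus combinations described above.

Assumptions (not stated on the page): 'Anti-Virus disabled' in the tables
means the policy rule has no AV binding at all; the predefined `no-av`
profile is modelled separately, since the page says it suppresses scanning
even when a matching zone profile exists.
"""
from dataclasses import dataclass
from typing import Optional

NO_AV = "no-av"  # predefined profile: anti-virus disabled for the rule


@dataclass
class PolicyRule:
    av_profile: Optional[str]  # None = no AV binding on the rule
    ssl_proxy: bool            # SSL proxy enabled on the rule


@dataclass
class Decision:
    decrypted: bool            # HTTPS payload was decrypted by SSL proxy
    scanned: bool              # Anti-Virus ran on the traffic
    profile: Optional[str]     # AV profile that applied, if any
    source: Optional[str]      # "policy" or "zone"


def resolve_av(rule, zone_profile, traffic):
    """zone_profile: AV profile bound to the matched zone, or None.
    traffic: 'http' or 'https'."""
    if traffic not in ("http", "https"):
        raise ValueError("traffic must be 'http' or 'https'")
    # 1. Which profile applies: the policy binding wins over the zone
    #    binding, and no-av switches scanning off outright.
    if rule.av_profile == NO_AV:
        profile, source = None, None
    elif rule.av_profile is not None:
        profile, source = rule.av_profile, "policy"
    elif zone_profile is not None:
        profile, source = zone_profile, "zone"
    else:
        profile, source = None, None
    # 2. HTTPS can only be scanned once the SSL proxy has decrypted it;
    #    without SSL proxy it is forwarded untouched.
    if traffic == "https" and not rule.ssl_proxy:
        return Decision(False, False, None, None)
    decrypted = traffic == "https"
    return Decision(decrypted, profile is not None, profile, source)


if __name__ == "__main__":
    # Constructed rule names; 'email-scan' mirrors the page's example profile.
    print(resolve_av(PolicyRule(None, True), "zone-av", "https"))
    print(resolve_av(PolicyRule("email-scan", True), "zone-av", "https"))
    print(resolve_av(PolicyRule(NO_AV, True), "zone-av", "https"))
```

The case worth checking in a real deployment is the third one: a rule bound to no-av with SSL proxy on still decrypts the HTTPS session but scans nothing, which is the opposite of what a zone-level AV binding alone would suggest.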

Viewing AV Profile Information

To view the AV profile information, in any mode, use the following command:
show av-profile

Configuring Decompression Control Function

After the decompression control function is configured, StoneOS can decompress transmitted
compressed files, and can handle files that exceed the maximum decompression layer as well as
encrypted compressed files according to the specified actions. This function supports decom-
pressing files of the RAR, ZIP, TAR, GZIP and BZIP2 types. For the configuration commands
of the decompression global parameters, refer to Configuring Decompression Control Function.

Updating AV Signature Database

By default the system updates the AV signature database every day automatically. You can change the
update configuration as needed. The configurations of updating AV signature database include:

l Configuring an AV Signature Update Mode

l Configuring an Update Protocol

l Configure an Update Server

l Specifying an HTTP Proxy Server

l Specifying an Update Schedule

l Updating Now

l Importing an AV Signature File

l Viewing AV Signature Information

l Viewing AV Signature Update Information

Configuring an AV Signature Update Mode

System supports both manual and automatic update modes. To configure an AV signature update
mode, in the global configuration mode, use the following command:
av signature update mode {auto | manual}

l auto – Specifies the automatic AV signature update mode. This is the default mode.

l manual – Specifies the manual AV signature update mode.

To restore to the default mode, in the global configuration mode, use the following command:
no av signature update mode

Configuring an Update Protocol

The system supports updating the signature database through HTTP and HTTPS; the default
protocol is HTTPS. To configure the update protocol as HTTP, in the global configuration
mode, use the following command:
av signature update protocol HTTP

In the global configuration mode, use the command no av signature update protocol HTTP to
restore the default value.

Configure an Update Server

The system provides two default update servers: update1.hillstonenet.com and update2.hill-
stonenet.com. You can also configure up to three update servers of your own to download the latest
AV signatures as needed. To configure an update server, in the global configuration mode,
use the following command:
av signature update {server1 | server2 | server3} {ip-address | domain-name}

l server1 | server2 | server3 – Specifies the update server you want to configure. The IPv4
and IPv6 address are supported for configuring the update server address. The default value of
server1 is update1.hillstonenet.com, and the default value of server2 is update2.hill-
stonenet.com.

l ip-address | domain-name – Specifies the address of the update server. It can be an IP
address or a domain name, for example, update1.hillstonenet.com.

To cancel the specified update the server, in the global configuration mode, use the following
command:
no av signature update {server1 | server2 | server3}

Specifying an HTTP Proxy Server

When the device accesses the Internet through an HTTP proxy server, you need to specify the IP
address and the port number of the HTTP proxy server. With the HTTP proxy server specified,
the various signature databases can be updated automatically and normally.
To specify the HTTP proxy server for updating the Anti-Virus signature database, use the fol-
lowing command in the global configuration mode:
av signature update proxy-server {main | backup} ip-address port-number

l main | backup – Use the main parameter to specify the main proxy server and use the
backup parameter to specify the backup proxy server.

l ip-address port-number – Specify the IP address and the port number of the proxy server.

To cancel the proxy server configuration, use the command no av signature update proxy-server
{main | backup}.

Specifying an Update Schedule

By default, system automatically updates the AV signature database every day. To reduce the
update server’s workload, the time of daily update is random. To specify the schedule and spe-
cific time for the update, in the global configuration mode, use the following command:

av signature update schedule {daily | weekly {mon | tue | wed | thu | fri | sat | sun} |
monthly date} [HH:MM]

l daily – Updates the database every day.

l weekly {mon | tue | wed | thu | fri | sat | sun} – Updates the database every week. The para-
meter mon | tue | wed | thu | fri | sat | sun specifies the day of the week.

l monthly date - Updates the database every month. The parameter date specifies the date in
the month; the range is 1 to 31. If a month does not contain the specified date (e.g., there is
no 30th in February), the database will not be automatically updated that month.

l HH:MM – Specifies the time of update, for example, 09:00.
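The monthly schedule has a failure mode worth planning for: a date that a month lacks silently skips that month's update, so a device configured for monthly 30 goes without signatures for up to two months across February. The following is an added example, not StoneOS code, that computes the next run for each schedule form and models that skip rule; it assumes a fixed HH:MM is configured (the page says the default daily time is random), and the sample dates are constructed.

```python
"""Added example, not StoneOS code: computes the next run of an
`av signature update schedule`, modelling the rule that a month lacking
the configured date is skipped. The page says the default daily time is
random; this model assumes a fixed HH:MM is configured.
"""
import calendar
from datetime import datetime, timedelta

WEEKDAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


def _at(day, hhmm):
    """Return `day` with its clock time set to HH:MM."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    return day.replace(hour=hour, minute=minute, second=0, microsecond=0)


def next_update(schedule, now, hhmm="00:00"):
    """schedule is 'daily', 'weekly <mon..sun>' or 'monthly <1..31>'.
    Returns the first datetime strictly after `now` that matches."""
    parts = schedule.split()
    kind = parts[0]
    if kind == "daily":
        cand = _at(now, hhmm)
        return cand if cand > now else cand + timedelta(days=1)
    if kind == "weekly":
        target = WEEKDAYS.index(parts[1])
        ahead = (target - now.weekday()) % 7
        cand = _at(now + timedelta(days=ahead), hhmm)
        return cand if cand > now else cand + timedelta(days=7)
    if kind == "monthly":
        date = int(parts[1])
        if not 1 <= date <= 31:
            raise ValueError("monthly date must be 1..31")
        year, month = now.year, now.month
        for _ in range(24):  # at most a few months ever need checking
            # A month without this date is skipped (e.g. 30 in February).
            if date <= calendar.monthrange(year, month)[1]:
                cand = _at(now.replace(year=year, month=month, day=date), hhmm)
                if cand > now:
                    return cand
            month += 1
            if month > 12:
                month, year = 1, year + 1
    raise ValueError(f"unsupported schedule: {schedule!r}")


def next_update_str(schedule, now_str, hhmm="00:00"):
    """String wrapper: now_str and the result are 'YYYY-MM-DD HH:MM'."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M")
    return next_update(schedule, now, hhmm).strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    # Constructed example: schedule 'monthly 30' seen from 30 Jan 2024 10:00.
    print(next_update_str("monthly 30", "2024-01-30 10:00", "09:00"))
```

Running the constructed case shows the gap: from 30 January the next monthly 30 update lands on 30 March, so a date of 28 or lower (or a weekly schedule) is the safer choice when signature freshness matters.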

Updating Now

For both manual and automatic update modes, you can update the AV signature database imme-
diately as needed. To update the AV signature database now, in any mode, use the following com-
mand:
exec av signature update

l exec av signature update – Only updates the incremental part between the current AV sig-
nature database and the latest AV signature database released by the update server.

Importing an AV Signature File

In some cases, your device may be unable to connect to the update server to update the AV sig-
nature database. To solve this problem, system provides the AV signature file import function,
i.e., importing the AV signature files to the device from an FTP, TFTP server or USB disk, so
that the device can update the AV signature database locally. To import the AV signature file, in
the execution mode, use the following command:
import av signature from {ftp server ip-address [user user-name password password] | tftp
server ip-address} [vrouter vr-name] file-name

l ip-address – Specifies the IP address of the FTP or TFTP server.

l user user-name password password – Specifies the username and password of the FTP
server.

l vrouter vr-name – Specifies the VRouter of the FTP or TFTP server.

l file-name – Specifies the name of the AV signature file to be imported.

Viewing AV Signature Information

You can view the AV signature database information of the device as needed, including the AV
signature database version, release dates, and the number of the AV signatures. To view AV sig-
nature database information, in any mode, use the following command:
show av signature info [slot slot-number]

l slot slot-number - Specifies the slot number. This parameter is only supported on Hillstone SX
series devices.

Viewing AV Signature Update Information

You can view the AV signature update information of the device as needed, including the update
server information, update mode, update frequency and time, as well as the status of the AV sig-
nature database update. To view the AV signature update information, in any mode, use the fol-
lowing command:
show av signature update

Examples of Configuring Anti-Virus


Before enabling anti-virus, make sure your device has already been installed with a corresponding
anti-virus license.
This section describes an anti-virus configuration example. Devices with this example configured
can:

l Scan Emails and their attachments, and display the anti-virus result in the Emails. The Emails are
transferred over SMTP and POP3, and the attachments may contain .exe and .jpeg files.

l Scan compressed files. RAR-compressed files contain .jpeg files, and all the compressed files
are transferred over FTP.

Configuration Steps
Step 1: Configure the AV profile, and specify the protocol types and file types:

hostname(config)# av-profile email-scan

hostname(config-av-profile)# protocol-type smtp action fill-magic

hostname(config-av-profile)# protocol-type pop3 action fill-magic

hostname(config-av-profile)# protocol-type ftp action fill-magic

hostname(config-av-profile)# file-type pe

hostname(config-av-profile)# file-type jpeg

hostname(config-av-profile)# file-type mail

hostname(config-av-profile)# label-mail

hostname(config-av-profile)# mail-sig "Checked by Mail AntiVirus"

hostname(config-av-profile)# exit

hostname(config)#

Step 2: Create a policy rule, and reference the AV Profile to the rule:

hostname(config)# policy-global

hostname(config-policy)# rule

hostname(config-policy-rule)# src-zone untrust

hostname(config-policy-rule)# dst-zone trust

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# av email-scan

hostname(config-policy-rule)# exit

hostname(config)#

Step 3: View the anti-virus status with the command show version. If the function is disabled, use
the following command to enable it, and reboot the system to make it take effect:

hostname(config)# exec av enable

Sandbox
A sandbox executes a suspicious file in a virtual environment, collects the actions of this file, ana-
lyzes the collected data, and verifies the legality of the file.
The Sandbox function of the system uses the cloud sandbox and the local sandbox technology.
The suspicious file will be uploaded to the cloud sandbox or the local sandbox. The cloud sand-
box or the local sandbox will collect the actions of this file, analyze the collected data, verify the
legality of the file, give the analysis result to the system and deal with the malicious file with the
actions set by system.
The Sandbox function contains the following parts:

l Collect and upload the suspicious file: The Sandbox function parses the traffic, and extracts
the suspicious file from the traffic.

l If there is no analysis result for this file in the local database, the system will upload
this file to the local sandbox or to the Hillstone cloud service platform; the local
sandbox will analyze the file, or the cloud service platform will upload the suspicious
file to the cloud sandbox for analysis. For how to connect to the Hillstone cloud ser-
vice platform, refer to Connecting to Hillstone Cloud Service Platform.

l If this file has already been identified as an illegal file in the local database of the
Sandbox function, the system will generate corresponding threat logs and cloud sandbox logs.

Additionally, you can specify the criteria for suspicious files by configuring a sandbox
profile.

l Check the analysis result and take actions: The Sandbox function checks the analysis result
of the suspicious file returned from the cloud sandbox or the local sandbox, verifies the leg-
ality of the file, and saves the result to the local database. If the suspicious file is identified
as an illegal file, the file is dealt with according to the actions (reset the connection or
report logs) set by the system. When the cloud sandbox or the local sandbox identifies a mali-
cious file for the first time, the system records threat logs and cloud sandbox logs but cannot
block that transfer. When a malicious file later matches the threat information cached on the
local device, the threat is blocked only if the action is to reset the connection.

l Maintain the local database of the Sandbox function: Record the information of the
uploaded files, including upload time and analysis result. This part is completed by the
Sandbox function automatically.

Notes: The cloud sandbox function is controlled by license. To use the cloud sand-
box function, install the cloud sandbox license.

Preparation for Configuring Sandbox


Before enabling the Sandbox function, make the following preparations:

1. Make sure your system version supports the Sandbox function.

2. Register the current device to the Hillstone cloud service platform. For how to connect to
the Hillstone cloud service platform, refer to Connecting to Hillstone Cloud Service Platform.

3. Import the cloud sandbox license and reboot. The cloud sandbox function is enabled after
the reboot.

Notes: After the Sandbox function is enabled, system's max concurrent sessions
might decrease. For more information about the maximum concurrent sessions, see
"The Maximum Concurrent Sessions" on Page 698.

Configuring Sandbox
The system supports zone-based and policy-based Sandbox:

l If a security zone is configured with the Sandbox function, the system performs sandbox
detection on the traffic that is sourced from or destined to the zone bound in the rule.

l If a policy rule is configured with the Sandbox filtering function, the system performs
sandbox detection on the traffic that matches the specified policy rule.

l If both are configured, the sandbox configuration in a policy rule takes precedence over that
in a zone rule, and the sandbox configuration in a destination zone takes precedence over
that in a source zone.

The system also supports binding the sandbox profile to a ZTNA policy to perform sandbox
detection and processing on the traffic matching the ZTNA policy. For configuration information,
refer to Configuring ZTNA Policy.
To realize the policy-based or the zone-based Sandbox, take the following steps:

1. Enable the cloud sandbox or the local sandbox.

2. Define a sandbox profile, and configure the white list settings and file filter settings.

3. Bind the sandbox profile to an appropriate zone or policy rule.

A sandbox profile contains the file types that the device scans, the protocol types that the
device scans, and the white list settings.

l File Type: Supports detecting PE, APK, JAR, MS-Office, PDF, SWF, RAR, ZIP, ELF and
Script files.

l Protocol Type: Supports detecting the HTTP, FTP, POP3, SMTP, IMAP4 and SMB protocols.

l White list: A white list includes domain names that are safe. When a file extracted from the
traffic comes from a domain name in the white list, this file is not marked as a suspicious
file and is not uploaded to the cloud sandbox or the local sandbox.

There are five built-in sandbox rules with the file and protocol types configured, the white list
enabled and the file filter configured: predef_low, predef_middle, predef_high, predef_pe and
no_sandbox.

l predef_low -- A loose sandbox detection rule, whose file type is PE and protocol types are
HTTP/FTP/POP3/SMTP/IMAP4/SMB, with white list and file filter enabled.

l predef_middle -- A middle-level sandbox detection rule, whose file types are
PE/APK/JAR/MS-Office/PDF and protocol types are HTTP/FTP/POP3/SMTP/IMAP4/SMB, with
white list and file filter enabled.

l predef_high -- A strict sandbox detection rule, whose file types are
PE/APK/JAR/MS-Office/PDF/SWF/RAR/ZIP/ELF/Script and protocol types are
HTTP/FTP/POP3/SMTP/IMAP4/SMB, with white list and file filter enabled.

l predef_pe -- A sandbox detection rule, whose file type is only PE and protocol types are
HTTP/FTP/POP3/SMTP/IMAP4, with white list and file filter enabled.

l no_sandbox -- With this detection rule, the system does not perform any sandbox detection.

Enabling/Disabling the Cloud Sandbox or the Local Sandbox

To enable the cloud sandbox or the local sandbox, in the global configuration mode, use the
following command:
sandbox {cloud-server-check | local-server-check} enable

l cloud-server-check | local-server-check - Enables the cloud sandbox (cloud-server-check)
or the local sandbox (local-server-check).

To disable the cloud sandbox or the local sandbox, in the global configuration mode, use the
command no sandbox {cloud-server-check | local-server-check} enable.

Configuring the Local Sandbox

To configure the parameters of the local sandbox, in the global configuration mode, use the
following command:
sandbox local-server address ip-address vrouter vr-name [port port]

l address ip-address - Specifies the IP address of the local sandbox.

l vrouter vr-name - Specifies the VRouter of the local sandbox.

l port port - Specifies the port of the local sandbox. The default value is 443.

To delete the specified parameters, in the global configuration mode, use the command no
sandbox local-server address.

Creating a Sandbox Profile

To create a sandbox profile, in the global configuration mode, use the following command:
sandbox-profile sandbox-profile-name

l sandbox-profile-name - Specifies the sandbox profile name and enters the sandbox profile con-
figuration mode. If the specified name exists, then the system will directly enter the sandbox
profile configuration mode.

To delete the specified sandbox profile, in the global configuration mode, use the command no
sandbox-profile sandbox-profile-name.

Enabling White List

The white list includes domain names that are safe. When a file extracted from the HTTP traffic
comes from a domain name in the white list, this file is not marked as a suspicious file and is
not uploaded to the cloud sandbox or the local sandbox. To enable the white list function, in the
sandbox profile configuration mode, use the following command:
whitelist enable
To disable this function, use no whitelist enable.

Configuring Certificate Verification

The system can verify whether a PE file carries a trusted certificate. After this verification is
enabled, the system does not detect PE files whose certificate is trusted.

To enable the certificate verification, in the sandbox profile configuration mode, use the
following command:
certificate-validation enable
To disable this function, use no certificate-validation enable.

Configuring File Filter

The file filter marks a file as a suspicious file if it satisfies the criteria configured in the file
filter settings. The analysis result from the cloud sandbox or from the local sandbox determines
whether this suspicious file is legal or not.
You can set the following criteria:
Mark the file of the specified file type as a suspicious file. The system can currently mark PE,
APK, JAR, MS-Office, PDF, SWF, RAR, ZIP, Script, and Others files as suspicious files. Use the
following command in the sandbox profile configuration mode to specify the file type:
file-type {pe | apk | jar | swf | ms-office | pdf | rar | zip | elf | script | other} [use-server
{cloud-server | local-server}]

l pe - Marks the PE file as a suspicious file.

l apk - Marks the APK file as a suspicious file.

l jar - Marks the JAR file as a suspicious file.

l swf - Marks the SWF file as a suspicious file.

l ms-office - Marks the MS-Office file as a suspicious file.

l pdf - Marks the PDF file as a suspicious file.

l rar | zip - Marks the RAR or ZIP file as a suspicious file.

l elf - Marks the ELF file as a suspicious file.

l script - Marks the Script file as a suspicious file.

l other - Marks files of all types other than the types above as suspicious files.

l use-server {cloud-server | local-server} - Specifies whether to upload the suspicious file to
the cloud sandbox (cloud-server) or to the local sandbox (local-server) for detection. By
default, the suspicious file is uploaded to the cloud sandbox for detection.

To cancel the file type setting, use no file-type {pe | apk | jar | swf | ms-office | pdf | rar |
zip | elf | script | other}. If no file type is specified, the Sandbox function marks no file as
suspicious.
Specify the protocols to scan and the directions of the detection. The system can currently scan
HTTP, FTP, POP3, SMTP, IMAP4 and SMB traffic. If the SMB protocol type is used, the system
supports filtering and blocking files in break-point resumption (resumed transfer) scenarios. Use
the following command in the sandbox profile configuration mode to specify the protocol:
protocol {http | ftp | imap4 | pop3 | smtp | smb} direction {download | upload | both}

l http | ftp | imap4 | pop3 | smtp | smb - Specifies the protocol to scan.

l download | upload | both - Specifies the direction of the detection. Upload means the
direction from client to server; download means the direction from server to client.

If no protocol is specified, the Sandbox function does not scan the network traffic.
In the sandbox profile configuration mode, use no protocol {http | ftp | imap4 | pop3 | smtp |
smb} to delete the protocol specification.

Specifying Actions for a Sandbox Profile

When the system identifies a suspicious file as a malicious file, it deals with the file according
to the configured action. To specify the action, in the sandbox profile configuration mode, use
the following command:
action {reset | log-only}

l reset - Specifies the action as resetting connections. After detecting a malicious file, the
system resets the connection of the malicious link and records threat logs and cloud sandbox
logs.

l log-only - Specifies the action as recording logs. After detecting a malicious file, the system
releases the traffic and only records logs (threat logs and cloud sandbox logs).



Disabling Suspicious File Uploading

By default, a file is uploaded to the cloud sandbox once it is classified as suspicious. You can
disable suspicious file uploading, which prevents the suspicious file from being uploaded to the
cloud sandbox. In the sandbox profile configuration mode, use the following command:
file-upload-disable
In the global configuration mode, use the no file-upload-disable command to restore suspicious
file uploading.

Binding a Sandbox Profile to a Policy Rule

If the sandbox profile is bound to a policy rule, the system detects the traffic matching the
specified policy rule based on the profile configuration. To bind the sandbox profile to a policy
rule, in the policy rule configuration mode, use the following command:
sandbox {sandbox-profile-name | predef_low | predef_middle | predef_high}

l sandbox-profile-name - Specifies the name of the sandbox profile that will be bound to the
policy rule.

l predef_low | predef_middle | predef_high - Binds the predef_low, predef_middle or
predef_high sandbox profile.

To cancel the binding, in the policy rule configuration mode, use the following command: no
sandbox

Enabling Benign File

If you enable the Benign File function, the system records cloud sandbox logs for a file when it
marks the file as benign. By default, the system does not record logs for benign files.
To enable the Benign File function, in the global configuration mode, use the following
command:
sandbox benign-file report enable

In the global configuration mode, use the no sandbox benign-file report enable command to
disable the Benign File function.

Enabling the Greyware File function

If you enable the Greyware File function, the system records cloud sandbox logs for a file when
it marks the file as greyware. A greyware file is one that the system cannot judge to be either a
benign file or a malicious file. By default, the system does not record logs for greyware files.
To enable the Greyware File function, in the global configuration mode, use the following
command:
sandbox greyware report enable
In the global configuration mode, use the no sandbox greyware report enable command to disable
the Greyware File function.

Configuring the File Size Limit

Only a file that is smaller than the specified file size is marked as a suspicious file. To specify
the file size limit, in the global configuration mode, use the following command:
sandbox file-type {pe | apk | jar | swf | ms-office | pdf | rar | zip | elf | script | other}
max-file-size size

l pe - Makes the PE file a detection object.

l apk - Makes the APK file a detection object.

l jar - Makes the JAR file a detection object.

l swf - Makes the SWF file a detection object.

l ms-office - Makes the MS-Office file a detection object.

l pdf - Makes the PDF file a detection object.

l rar | zip - Makes the RAR or ZIP file a detection object.

l elf - Makes the ELF file a detection object.

l script - Makes the Script file a detection object.

l other - Makes files of all types other than the types above detection objects.

l max-file-size size - Specifies the file size limit. Files smaller than the specified size are
marked as detection objects.

To cancel the file size limit setting, use the command no sandbox file-type {pe | apk | jar | swf
| ms-office | pdf | rar | zip | elf | script | other} max-file-size size.

Adding Items to the Trust List

The threat list is the list of threat items on the Hillstone device. Threat items come from three
sources:

l The Hillstone device finds a suspicious file and uploads it to the local sandbox or to the
cloud sandbox. After verifying that the file is malicious, the cloud sandbox or the local
sandbox sends the analysis result and the MD5 to the device, and the threat item is listed in
the threat list.

l The Hillstone device finds a suspicious file and successfully queries the MD5 of the threat in
the cloud sandbox or the local sandbox; the threat item is then listed in the threat list.

l The Hillstone device receives the synchronized threat MD5 from the Hillstone cloud service
platform and matches the threat; the threat item is then listed in the threat list.

You can add sandbox threat items to the trust list. Once an item in the trust list is matched,
the corresponding traffic is released and is not controlled by the actions of the sandbox rule.
To add or remove a sandbox threat item, in any mode, use the following command:
exec sandbox-threat value {trust | untrust}

l value - Specifies the name of the sandbox threat item.

l trust - Adds the sandbox threat item to the trust list.

l untrust - Removes the sandbox threat item from the trust list.
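The sandbox rules spread over the sections above (profile precedence policy > destination zone > source zone, the file filter with its per-type upload target, protocol direction, white list, certificate verification, the global file size limit, cached verdicts and the trust list) combined into one decision model. This is an added illustration in Python and not StoneOS code: the class and function names, the profile fields and every sample profile, domain, hash and verdict are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Profile selection precedence documented in this chapter:
# policy rule > destination zone > source zone.
PROFILE_PRECEDENCE = ("policy", "dst_zone", "src_zone")


@dataclass
class SandboxProfile:
    """Subset of a sandbox profile (field names are this example's, not StoneOS')."""
    name: str
    file_types: Dict[str, str]   # file type -> "cloud-server" or "local-server" (use-server)
    protocols: Dict[str, str]    # protocol -> "upload", "download" or "both" (direction)
    whitelist_enabled: bool = False
    certificate_validation: bool = False
    action: str = "reset"        # "reset" or "log-only"
    file_upload_disable: bool = False


@dataclass
class ExtractedFile:
    """A file the device extracted from a flow (constructed attributes)."""
    file_type: str
    protocol: str
    direction: str               # "upload" = client to server, "download" = server to client
    size: int                    # bytes
    domain: str                  # domain the file was fetched from
    md5: str
    trusted_cert: bool = False   # only meaningful for PE files


def select_profile(bindings: Dict[str, Optional[SandboxProfile]]) -> Optional[SandboxProfile]:
    """Pick the profile that governs a flow when several are bound."""
    for scope in PROFILE_PRECEDENCE:
        if bindings.get(scope) is not None:
            return bindings[scope]
    return None


def is_suspicious(profile: SandboxProfile, f: ExtractedFile,
                  whitelist: Set[str], max_file_size: Dict[str, int]) -> bool:
    """Apply the profile's file filter plus the global size limit and the white list."""
    if f.file_type not in profile.file_types:
        return False
    direction = profile.protocols.get(f.protocol)
    if direction is None or direction not in ("both", f.direction):
        return False
    limit = max_file_size.get(f.file_type)
    if limit is not None and f.size >= limit:   # only files smaller than the limit are objects
        return False
    if profile.whitelist_enabled and f.domain in whitelist:
        return False
    if profile.certificate_validation and f.file_type == "pe" and f.trusted_cert:
        return False
    return True


def handle_file(profile: SandboxProfile, f: ExtractedFile, whitelist: Set[str],
                max_file_size: Dict[str, int], local_db: Dict[str, str],
                trust_list: Set[str]) -> str:
    """Return what the device does: "pass", "upload:<target>", "reset" or "log-only"."""
    if not is_suspicious(profile, f, whitelist, max_file_size):
        return "pass"
    verdict = local_db.get(f.md5)
    if verdict is None:
        # First sighting: the verdict arrives later, so this transfer itself is released.
        target = profile.file_types[f.file_type]
        if profile.file_upload_disable and target == "cloud-server":
            return "pass"
        return "upload:" + target
    if verdict == "malicious" and f.md5 not in trust_list:
        return profile.action
    return "pass"   # benign, greyware, or malicious but on the trust list


# Constructed sample data for a stand-alone run.
ZONE_PROFILE = SandboxProfile("zone-strict",
                              {"pe": "cloud-server", "pdf": "cloud-server", "elf": "local-server"},
                              {"http": "both", "smtp": "upload"},
                              whitelist_enabled=True, certificate_validation=True)
POLICY_PROFILE = SandboxProfile("policy-loose", {"pe": "local-server"}, {"http": "download"},
                                whitelist_enabled=True, action="log-only")
WHITELIST = {"update.example.com"}
MAX_FILE_SIZE = {"pe": 10_000_000}                         # bytes, per file type
LOCAL_DB = {"a1" * 16: "malicious", "b2" * 16: "benign"}   # md5 -> cached verdict

if __name__ == "__main__":
    governing = select_profile({"policy": POLICY_PROFILE, "src_zone": ZONE_PROFILE})
    sample = ExtractedFile("pe", "http", "download", 4096, "files.example.net", "a1" * 16)
    print(governing.name, handle_file(governing, sample, WHITELIST, MAX_FILE_SIZE, LOCAL_DB, set()))
```

The model makes two points of the text concrete: with a policy-bound profile present, the zone profile is ignored entirely (not merged), and a first sighting of a file never blocks anything because the verdict is not yet in the local database; only the cached verdict on a later transfer can trigger reset or log-only.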

Viewing Sandbox Information

To view the sandbox profile information, in any mode, use the following command:
show sandbox-profile [sandbox-profile-name]

To view the sandbox status and statistics, in any mode, use the following command:
show sandbox status
To view the sandbox threat items in the trust list, in any mode, use the following command:
show sandbox threat-entry info
To view the sandbox global configuration information, in any mode, use the following command:
show sandbox configuration

Updating Sandbox Whitelist Database


By default the system updates the sandbox whitelist database every day automatically. You can
change the update configuration as needed. The configurations for updating the sandbox whitelist
database include:

l Configuring a sandbox whitelist update mode

l Configuring an update protocol

l Configuring an update server

l Specifying an HTTP proxy server

l Specifying an update schedule

l Updating now

l Importing a sandbox whitelist file

l Viewing sandbox whitelist information

l Viewing sandbox whitelist update information

Configuring a Sandbox Whitelist Update Mode

System supports both manual and automatic update modes. To configure a sandbox whitelist
update mode, in the global configuration mode, use the following command:
sandbox whitelist update mode {auto | manual}

l auto – Specifies the automatic sandbox whitelist update mode. This is the default mode.

l manual – Specifies the manual sandbox whitelist update mode.

To restore to the default mode, in the global configuration mode, use the following command:
no sandbox whitelist update mode

Configuring an Update Protocol

The system supports updating the sandbox whitelist database through HTTP and HTTPS, and the
default protocol is HTTPS. To configure the update protocol as HTTP, in the global configuration
mode, use the following command:
sandbox whitelist update protocol HTTP
In the global configuration mode, use the command no sandbox whitelist update protocol HTTP
to restore the default value.

Configure an Update Server

The system provides two default update servers: update1.hillstonenet.com and
update2.hillstonenet.com. You can also configure up to three other update servers to download
the latest sandbox whitelist as needed. To configure the update server, in the global
configuration mode, use the following command:
sandbox whitelist update {server1 | server2 | server3} {ip-address | domain-name}

l server1 | server2 | server3 - Specifies the update server you want to configure. IPv4 and
IPv6 addresses are supported for the update server address. The default value of server1 is
update1.hillstonenet.com, and the default value of server2 is update2.hillstonenet.com.

l ip-address | domain-name - Specifies the address of the update server. It can be an IP address
or a domain name, for example, update1.hillstonenet.com.

To cancel the specified update server, in the global configuration mode, use the following
command:
no sandbox whitelist update {server1 | server2 | server3}

Specifying a HTTP Proxy Server

When the device accesses the Internet through an HTTP proxy server, you need to specify the IP
address and the port number of the HTTP proxy server. With the HTTP proxy server specified,
the signature databases can be updated automatically and normally.
To specify the HTTP proxy server for updating the sandbox whitelist signature database, use the
following command in the global configuration mode:
sandbox whitelist update proxy-server {main | backup} ip-address port-number

l main | backup - Use the main parameter to specify the main proxy server and the backup
parameter to specify the backup proxy server.

l ip-address port-number - Specifies the IP address and the port number of the proxy server.

To cancel the proxy server configuration, use the no sandbox whitelist update proxy-server
{main | backup} command.


Specifying an Update Schedule

By default, the system automatically updates the sandbox whitelist database every day. To reduce
the update server's workload, the time of the daily update is random. To specify the schedule and
the specific time of the update, in the global configuration mode, use the following command:
sandbox whitelist update schedule {daily | weekly {mon | tue | wed | thu | fri | sat | sun} |
monthly date} [HH:MM]

l daily - Updates the database every day.

l weekly {mon | tue | wed | thu | fri | sat | sun} - Updates the database every week. The
parameter mon | tue | wed | thu | fri | sat | sun specifies the day of the week.

l monthly date - Updates the database every month. The parameter date specifies the day of the
month; the range is 1 to 31. If a month does not contain the specified date (e.g., there is no
30th in February), the database is not automatically updated in that month.

l HH:MM - Specifies the time of the update, for example, 09:00.

Updating Now

For both manual and automatic update modes, you can update the sandbox whitelist database
immediately as needed. To update the sandbox whitelist database now, in any mode, use the fol-
lowing command:
exec sandbox whitelist update

l exec sandbox whitelist update – Only updates the incremental part between the current
sandbox whitelist database and the latest sandbox whitelist database released by the update
server.



Importing a Sandbox Whitelist File

In some cases, your device may be unable to connect to the update server to update the sandbox
whitelist database. To solve this problem, StoneOS provides the sandbox whitelist file import
function, i.e., importing the sandbox whitelist file to the device from an FTP server, a TFTP
server or a USB disk, so that the device can update the sandbox whitelist database locally. To
import the sandbox whitelist file, in the execution mode, use the following command:
import sandbox whitelist from {ftp server ip-address [user user-name password password] | tftp
server ip-address} [vrouter vr-name] file-name

l ip-address - Specifies the IP address of the FTP or TFTP server.

l user user-name password password - Specifies the username and password of the FTP server.

l vrouter vr-name - Specifies the VRouter of the FTP or TFTP server.

l file-name - Specifies the name of the sandbox whitelist file to be imported.

Viewing Sandbox Whitelist Information

You can view the sandbox whitelist database information of the device as needed, including the
sandbox whitelist database version, and release dates. To view sandbox whitelist database inform-
ation, in any mode, use the following command:
show sandbox whitelist info

Viewing Sandbox Whitelist Update Information

You can view the sandbox whitelist update information of the device as needed, including the
update server information, update mode, update frequency and time, as well as the status of the
sandbox whitelist database update. To view the sandbox whitelist update information, in any
mode, use the following command:
show sandbox whitelist update



IPS
IPS (Intrusion Prevention System) is designed to monitor various network attacks in real time and
take appropriate actions (such as blocking) against the attacks according to your configuration.
StoneOS supports license-controlled IPS, i.e., the IPS function will not work unless an IPS license
or a TP license has been installed on a StoneOS that supports IPS.
The IPS on StoneOS implements complete state-based detection, which significantly reduces the
false positive rate. Even if the device has multiple application layer detections enabled, enabling
IPS will not cause any noticeable performance degradation. Besides, StoneOS updates the signature
database automatically every day to assure its integrity and accuracy.

IPS Detection and Submission Procedure


The protocol detection procedure of IPS consists of two stages: protocol parsing and signature
matching.

l Protocol parsing: IPS analyzes the protocol part of the traffic. If the analysis shows that the
protocol part contains abnormal contents, the system processes the traffic according to the
action configuration, and it can generate logs for the administrator if any anomaly has been
detected. Each Threat log contains a "Threat ID", the signature ID in the signature database.
You can view detailed information in the Threat log details.

l Signature matching: IPS extracts the protocol elements of interest from the traffic for
signature matching. If the elements match items in the signature database, the system
processes the traffic according to the action configuration and it can generate logs for the
administrator. Each Threat log contains a "Threat ID", the signature ID in the signature
database. You can view detailed information about the error according to the ID.

Signatures
The IPS signatures are categorized by protocol and identified by a unique signature ID. The
signature ID consists of two parts: the protocol ID (the 1st digit, or the 1st and 2nd digits)
and the attacking signature ID (the last 5 digits). For example, in ID 605001, "6" identifies the
Telnet protocol, and "00120" is the attacking signature ID. The 1st digit of the signature ID
identifies protocol anomaly signatures; the other digits identify attacking signatures. The
mappings between IDs and protocols are shown in the table below:

ID | Protocol  | ID | Protocol  | ID | Protocol | ID | Protocol
1  | DNS       | 7  | Other-TCP | 13 | TFTP     | 19 | NetBIOS
2  | FTP       | 8  | Other-UDP | 14 | SNMP     | 20 | DHCP
3  | HTTP      | 9  | IMAP      | 15 | MySQL    | 21 | LDAP
4  | POP3      | 10 | Finger    | 16 | MSSQL    | 22 | VoIP
5  | SMTP      | 11 | SUNRPC    | 17 | Oracle   | -  | -
6  | Telnet    | 12 | NNTP      | 18 | MSRPC    | -  | -

In the above table, Other-TCP identifies all TCP protocols other than the standard TCP protocols
listed in the table, and Other-UDP identifies all UDP protocols other than the standard UDP
protocols listed in the table.
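The Threat ID layout above, decoded for both 6-digit and 7-digit IDs: since the attacking signature ID is always the last five digits, whatever precedes them is the protocol ID, which removes the ambiguity between a 1-digit and a 2-digit protocol ID. This is an added Python example, not Hillstone code; the function names and the log line layout are assumptions, and only the protocol table and the "Threat ID" field name come from the guide.

```python
import re
from typing import Dict, Iterable, Tuple

# Protocol IDs from the table in this section.
IPS_PROTOCOLS: Dict[int, str] = {
    1: "DNS", 2: "FTP", 3: "HTTP", 4: "POP3", 5: "SMTP", 6: "Telnet",
    7: "Other-TCP", 8: "Other-UDP", 9: "IMAP", 10: "Finger", 11: "SUNRPC", 12: "NNTP",
    13: "TFTP", 14: "SNMP", 15: "MySQL", 16: "MSSQL", 17: "Oracle", 18: "MSRPC",
    19: "NetBIOS", 20: "DHCP", 21: "LDAP", 22: "VoIP",
}
SIGNATURE_DIGITS = 5   # the attacking signature ID is always the last five digits


def decode_threat_id(threat_id) -> Tuple[str, str]:
    """Split a Threat ID into (protocol name, 5-digit attacking signature ID).

    Because the signature part has a fixed width, a 6-digit ID carries a 1-digit
    protocol ID and a 7-digit ID a 2-digit one; any other length is rejected.
    """
    s = str(threat_id).strip()
    if not s.isdigit() or len(s) not in (SIGNATURE_DIGITS + 1, SIGNATURE_DIGITS + 2):
        raise ValueError("Threat ID must be 6 or 7 decimal digits: %r" % s)
    proto_id = int(s[:-SIGNATURE_DIGITS])
    if proto_id not in IPS_PROTOCOLS:
        raise ValueError("unknown protocol ID %d in Threat ID %s" % (proto_id, s))
    return IPS_PROTOCOLS[proto_id], s[-SIGNATURE_DIGITS:]


# The log line layout matched here is constructed for this example; only the
# "Threat ID" field name comes from the guide.
_THREAT_ID_RE = re.compile(r"Threat ID[:=]\s*(\d+)")


def count_threats_by_protocol(log_lines: Iterable[str]) -> Dict[str, int]:
    """Tally Threat IDs per protocol; undecodable IDs are counted under 'invalid'."""
    counts: Dict[str, int] = {}
    for line in log_lines:
        m = _THREAT_ID_RE.search(line)
        if not m:
            continue
        try:
            protocol, _ = decode_threat_id(m.group(1))
        except ValueError:
            protocol = "invalid"
        counts[protocol] = counts.get(protocol, 0) + 1
    return counts


SAMPLE_LOG = [   # constructed sample lines
    "2023-01-25 10:00:01 ips: Threat ID: 605001 action=reset src=192.0.2.10",
    "2023-01-25 10:00:07 ips: Threat ID: 300042 action=block-ip src=192.0.2.11",
    "2023-01-25 10:00:09 ips: Threat ID: 1305001 action=log-only src=192.0.2.12",
    "2023-01-25 10:00:12 ips: Threat ID: 2305001 action=log-only src=192.0.2.13",
    "2023-01-25 10:00:15 ips: heartbeat",
]

if __name__ == "__main__":
    print(decode_threat_id("605001"))
    print(count_threats_by_protocol(SAMPLE_LOG))
```

A protocol ID outside the table (23 and above) or an ID of the wrong length is reported as invalid rather than silently mapped, which is the behaviour you want when the decoder feeds a dashboard or an alert rule.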

Updating IPS Signature Database


By default StoneOS updates the IPS signature database every day automatically. You can change
the update configuration as needed. Hillstone devices provide two default update servers:
update1.hillstonenet.com and update2.hillstonenet.com. StoneOS supports auto update and local
update. Non-root VSYS does not support this feature. The signature database configurations and
their commands are listed below.

Configuring an update mode (auto by default): in the global configuration mode, use the
following commands:

l Specifying the update mode: ips signature update mode {auto | manual}

l Restoring to the default: no ips signature update mode

Configuring an update protocol (HTTPS by default): in the global configuration mode, use the
following commands:

l Specifying the update protocol: ips signature update protocol HTTP

l Restoring to the default: no ips signature update protocol HTTP

Configuring an update server: in the global configuration mode, use the following commands.
IPv4 and IPv6 addresses are supported for the update server address.

l Specifying the update server: ips signature update {server1 | server2 | server3} {ip-address |
domain-name}

l Canceling the server: no ips signature update {server1 | server2 | server3}

Configuring an update schedule: in the global configuration mode, use the following command to
make the IPS signature database update daily, weekly or monthly:
ips signature update schedule {daily | weekly {mon | tue | wed | thu | fri | sat | sun} | monthly
date} [HH:MM]
In the global configuration mode, use the following command to make the IPS signature database
update hourly:
ips signature update schedule hourly minute

l minute - Specifies the minute at which the update starts.

Updating now: in the execution mode, use the following command:
exec ips signature update

Updating locally: in the execution mode, use the following command:
import ips signature from {ftp server ip-address [user user-name password password | vrouter
vr-name] | tftp server ip-address [vrouter vr-name]} file-name

Viewing signature statistics: show ips signature info

Viewing signature database configurations: show ips signature update

Specifying the HTTP Proxy Server

When the device accesses the Internet through an HTTP proxy server, you need to specify the IP
address and the port number of the HTTP proxy server. With the HTTP proxy server specified,
the signature databases can be updated automatically and normally.
To specify the HTTP proxy server for updating the IPS signature database, use the following
command in the global configuration mode:
ips signature update proxy-server {main | backup} ip-address port-number

l main | backup - Use the main parameter to specify the main proxy server and the backup
parameter to specify the backup proxy server.

l ip-address port-number - Specifies the IP address and the port number of the proxy server.

To cancel the proxy server configuration, use the command no ips signature update proxy-server
{main | backup}.

IPS Working Modes


The system supports two IPS working modes: log only mode and IPS mode. In log only mode, the
system only generates protocol anomaly alarms and attacking behavior logs, but does not block
attackers or reset connections; in IPS mode, the system not only generates protocol anomaly
alarms and attacking behavior logs, but also blocks attackers or resets connections. By default,
the system works in IPS mode.
To switch the working mode, in the global configuration mode, use the command ips mode
{ips-logonly | ips}.


Configuring IPS
Before enabling IPS, make the following preparations:

1. Make sure your StoneOS version supports IPS.

2. Import an IPS license or TP license and reboot. The IPS will be enabled after the rebooting.

The configuration of IPS includes the following contents:

l Signature set configurations: IPS extracts the protocol elements of interest from the traffic
for signature matching. If the elements match items in the signature database, the system
processes the traffic according to the action configuration.

l Protocol configurations: IPS extracts the protocol elements of interest from the traffic for
signature matching. If the elements match items in the signature database, the system
processes the traffic according to the action configuration.

l IPS profile: contains signature set configurations, protocol configurations, and packet
capture configurations. You can bind an IPS profile to different directions of a security zone
(inbound, outbound, bi-direction) to apply the IPS function to the specified direction, or bind
an IPS profile to a policy rule to apply the IPS function to the traffic that matches the
specified policy rule.

If a policy rule is bound with an IPS profile and the source and destination security zones are
also bound with IPS profiles, the priority of the IPS detection is: IPS profile of the policy rule
> IPS profile of the destination zone > IPS profile of the source zone.
The system also supports binding the IPS profile to a ZTNA policy to perform IPS detection and
processing on the traffic matching the ZTNA policy. For configuration information, refer to
Configuring ZTNA Policy.
With IPS configured, StoneOS generates a Threat log if any intrusion has been detected. Each
Threat log contains a signature ID. You can view detailed information about the signature
according to the ID in the IPS online help pages. To view Threat logs, use the command show
logging ips.

Configuration Suggestions

All the IPS rules configured for different attacks and intrusions will eventually affect the final
actions. When determining the final action, the system will follow the principles below:

- The IPS working mode has the highest priority. When the working mode is set to log only, no
  matter what action is specified in other related configurations, the final action will always be
  log only.

- If you create several signature sets, some of which contain a particular signature, and the
  actions of these signature sets differ, then when an attack matches this particular signature
  the system will adopt the following rules:

  - Always perform the stricter action on the attack. The signature set with the stricter action
    will be matched. The strictness order is: Block IP > Block Service > Reset > Log Only. If
    one signature set is Block IP with 15s and the other is Block Service with 30s, the final
    action will be Block IP with 30s.

  - If one signature set is configured with Capture Packet, the system will capture the packets.

  - The action of the signature set created by Search Condition has higher priority than the
    action of the signature set created by Filter.

- For the IPS Profile that is bound to a security zone or policy rule, you can modify the
  signature sets for the IPS Profile, or a specific signature and its corresponding action. If any IPS
  profile has been modified, the system will process the related sessions following the principles
  below:

  - If the IPS profile reference has been changed, the modification will not take effect on
    the existing sessions immediately. For example, if the IPS profile bound to the trust
    zone is IPS-pro1 and then is replaced by IPS-pro2, the existing sessions will continue to
    use IPS-pro1, and only new sessions will use IPS-pro2. To make the IPS profile
    reference take effect on the existing sessions immediately, use the command clear session.

  - If the signature set of the referenced IPS profile has been changed, the modification will
    take effect on the existing sessions immediately.
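The precedence rules above can be checked against a small model. The following is an added example written for this guide, not Hillstone code: it encodes the rules as stated (working mode first, then the stricter action with the longest block time, Capture Packet if any set asks for it, Search Condition sets outranking Filter sets). The guide does not say how the Search-vs-Filter rule combines with the strictness rule, so the model applies the origin rule first and merges strictness within the winning tier; that ordering, the mode string "log-only" and the class names are this example's assumptions.

```python
"""Model of the IPS final-action rules from "Configuration Suggestions".

Added illustration, not StoneOS code. Assumptions: the working mode is passed
as the string "log-only" (anything else means the normal mode); a Search
Condition set outranks a Filter set before strictness is compared.
"""
from dataclasses import dataclass
from typing import List, Optional

# Strictness order from the guide; a higher number is stricter.
STRICTNESS = {"log-only": 0, "reset": 1, "block-service": 2, "block-ip": 3}
PERMANENT = float("inf")  # "permanent" block time sorts above any timeout


@dataclass(frozen=True)
class SigSetAction:
    action: str                      # "block-ip", "block-service", "reset" or "log-only"
    timeout: Optional[float] = None  # block seconds or PERMANENT; None for reset/log-only
    capture: bool = False            # Capture Packet configured on this set
    origin: str = "filter"           # "search" (Search Condition) or "filter" (Filter)


@dataclass(frozen=True)
class FinalAction:
    action: str
    timeout: Optional[float]
    capture: bool


def final_action(working_mode: str, matched: List[SigSetAction]) -> FinalAction:
    """Resolve the action for one attack that hit a signature in every set in `matched`."""
    capture = any(s.capture for s in matched)
    # Rule 1: the working mode has the highest priority.
    if working_mode == "log-only":
        return FinalAction("log-only", None, capture)
    if not matched:
        raise ValueError("no signature set matched")
    # Rule 3 (assumed ordering): Search Condition sets outrank Filter sets.
    tier = [s for s in matched if s.origin == "search"] or matched
    # Rule 2: the stricter action wins and the longest block time of the tier is
    # kept, as in the guide's example (Block IP 15s + Block Service 30s -> Block IP 30s).
    strictest = max(tier, key=lambda s: STRICTNESS[s.action]).action
    if strictest in ("block-ip", "block-service"):
        timeout = max(s.timeout for s in tier if s.timeout is not None)
    else:
        timeout = None
    return FinalAction(strictest, timeout, capture)


if __name__ == "__main__":
    # The guide's own example: Block IP 15s and Block Service 30s -> Block IP 30s.
    print(final_action("normal", [SigSetAction("block-ip", 15), SigSetAction("block-service", 30)]))
```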

Performing IPS Detection on HTTPS Traffic

To perform IPS detection on HTTPS traffic, you need to enable the SSL proxy function
for the security policy rule that the HTTPS traffic matches. The system will decrypt the
HTTPS traffic that matches the security policy rule according to the SSL proxy profile and then
perform the IPS detection on the decrypted traffic.
According to the configuration of the security policy rule, the system will perform the
following actions:

Policy Rule Configurations      | Actions
SSL proxy enabled, IPS disabled | The system decrypts the HTTPS traffic according to the SSL proxy profile but it does not perform the IPS detection on the decrypted traffic.
SSL proxy enabled, IPS enabled  | The system decrypts the HTTPS traffic according to the SSL proxy profile and performs the IPS detection on the decrypted traffic.
SSL proxy disabled, IPS enabled | The system performs the IPS detection on the HTTP traffic according to the IPS profile. The HTTPS traffic will not be decrypted and the system will transfer it.

If the destination zone or the source zone specified in the security policy rule is configured with
IPS as well, the system will perform the following actions:

Policy Rule Configurations      | Zone Configurations | Actions
SSL proxy enabled, IPS disabled | IPS enabled         | The system decrypts the HTTPS traffic according to the SSL proxy profile and performs the IPS detection on the decrypted traffic according to the IPS profile of the zone.
SSL proxy enabled, IPS enabled  | IPS enabled         | The system decrypts the HTTPS traffic according to the SSL proxy profile and performs the IPS detection on the decrypted traffic according to the IPS profile of the policy rule.
SSL proxy disabled, IPS enabled | IPS enabled         | The system performs the IPS detection on the HTTP traffic according to the IPS profile of the policy rule. The HTTPS traffic will not be decrypted and the system will transfer it.

Tip: For more information about SSL proxy, see the SSL Proxy chapter.



IPS Commands

action

Specify the action to take when traffic matches the signatures selected by a filter rule and/or a
search rule.
Command:
action {block-ip {permanent | second timeout | hour timeout | day timeout} | block-service
{permanent | second timeout | hour timeout | day timeout} | log-only | reset | default}
Description:
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that when the
signature is hit, the system blocks the IP address of the attacker, and also specifies the block time.

- permanent - Specifies that the attacker IP is permanently blocked.

- second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day)
  for blocking the attacker IP. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15
  days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that when
the signature is hit, the system blocks the service of the attacker, and also specifies the block time.

- permanent - Specifies that the attacker service is permanently blocked.

- second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day)
  for blocking the attacker service. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to
  15 days.

log-only - Records a log.
reset - Resets the connection (TCP) or sends destination unreachable packets (UDP), and also
generates logs.
default - Executes the action specified in the signature rule.



Default values:
log-only
Mode:
Filter rule configuration mode;
Search rule configuration mode.
Guidance:
None
Example:
hostname(config)# ips profile test

hostname(config-ips-profile)# filter-class 1

hostname(config-ips-filter-class)# action log-only

affected-software

Configure the affected-software parameter to include signatures, related to the specified software,
in the filter rule.
Command:
affected-software {Apache | IE | Firefox | …}

no affected-software {Apache | IE | Firefox | …}

Description:
Apache | IE | Firefox | … - Enter the name of the software. You can press the Tab key after
the affected-software parameter to see the entire software list.
Default values:
None
Mode:
Filter rule configuration mode;
Guidance:
None



Example:
hostname(config)# ips profile test

hostname(config-ips-profile)# filter-class 1

hostname(config-ips-filter-class)# affected-software Apache

attack-type

Configure the attack-type parameter to include signatures, related to the specified attack type, in
the filter rule.
Command:
attack-type {Access-Control | SPAM | Mail | …}

no attack-type {Access-Control | SPAM | Mail | …}

Description:
Access-Control | SPAM | Mail | … - Enter the name of the attack type. You can press the Tab
key after the attack-type parameter to see the entire attack type list.
Default values:
None
Mode:
Filter rule configuration mode;
Guidance:
None
Example:
hostname(config)# ips profile test

hostname(config-ips-profile)# filter-class 1

hostname(config-ips-filter-class)# attack-type WEB-PHP

banner-protect enable

Enable the function that protects the banner information of FTP/Web/POP3/SMTP servers and
set the new banner information to replace the original one. Use the no form of the command to
disable the function.
Command:
banner-protect enable replace-with string
no banner-protect enable
Description:
string - Specifies the banner information.
Default values:
None
Mode:
protocol configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset test template ftp

hostname(config-ftp-sigset)# banner-protect enable replace-with vsftp2.0

brute-force

Enter the brute-force configuration mode, where you can make configurations to block brute-force
attacks on the FTP/MSRPC/POP3/SMTP/SUNRPC/Telnet/IMAP/SSH/LDAP/SMB/VNC/RDP
protocols.
Command:
brute-force
{ftp | imap | ldap | msrpc | pop3 | rdp | smb | smtp | ssh | sunrpc | telnet | vnc} times block
{ip | service} {permanent | second timeout | hour timeout | day timeout}
Description:
ftp | imap | ldap | msrpc | pop3 | rdp | smb | smtp | ssh | sunrpc | telnet | vnc - Specifies
the name of the protocol on which the system blocks brute-force attacks.



times - Specifies the number of authentication/login failures allowed within the default five
minutes. The value range is from 1 to 100000.
ip | service - Specifies whether to block the IP address or the service of the attacker whose
authentication/login attempts fail more than the specified limit.
permanent - Specifies that the IP address or service of the attacker is blocked permanently.
second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for
blocking the IP address or service of the attacker. The value range is 60 to 3600 seconds / 1 to 24
hours / 1 to 15 days.
Default:
None
Mode:
brute-force configuration mode
Guidance:
None
Examples:
hostname(config)# ips profile test

hostname(config-ips-profile)# brute-force

hostname(config-ips-profile-bruteforce)# ftp 100 block ip second 61 (Block the IP address of the
attacker, whose authentication/login attempts over the FTP protocol fail more than 100 times,
for 61 seconds)

brute-force lookup

Enable the brute-force lookup function and configure the corresponding settings. Use the no form
to disable this function.
Command:
brute-force lookup times block {ip | service} timeout

no brute-force lookup
Description:



times - Specifies the allowed number of lookups in one minute. The value ranges from 1 to 100000.
ip | service - Blocks the IP address of the attacker or the service that exceeds the allowed number
of lookups.
timeout - Specifies the period (in seconds) of blocking the IP address of the attacker or the service.
The value ranges from 60 to 3600.
Default values:
None
Mode:
protocol configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset msrpc-cus template msrpc

hostname(config-msrpc-sigset)# brute-force lookup 20 block service 120

bulletin-board

Configure the bulletin-board parameter to include signatures, related to the specified bulletin
board, in the filter rule.
Command:
bulletin-board {CVE | BID | OSVDB | …}

no bulletin-board {CVE | BID | OSVDB | …}

Description:
CVE | BID | OSVDB | … - Enter the name of the bulletin board. You can press the Tab key
after the bulletin-board parameter to see the entire bulletin board list.
Default values:
None
Mode:
Filter rule configuration mode;



Guidance:
None
Example:
hostname(config)# ips profile test

hostname(config-ips-profile)# filter-class 1

hostname(config-ips-filter-class)# bulletin-board CVE

command-injection-check

Enable the function of detecting the HTTP protocol command injection attack. Use the no form
to disable this function.
Command:
command-injection-check enable
no command-injection-check enable
Description:
None
Default values:
None
Mode:
protocol configuration mode
Guidance:
None.
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# command-injection-check enable

confidence

Configure the confidence parameter to include signatures, related to the specified confidence
level, in the filter rule.



Command:
confidence {low | medium | high}

no confidence {low | medium | high}

Description:
low | medium | high - Enter the confidence level.
Default values:
None
Mode:
Filter rule configuration mode;
Guidance:
None
Example:
hostname(config)# ips profile test

hostname(config-ips-profile)# filter-class 1

hostname(config-ips-filter-class)# confidence low

cc-url

Configure the URL path for the CC URL constraint. After the configuration, the system will count
the HTTP requests that access the path. If the request frequency exceeds the threshold, the system
will block the source IP of the request and the IP will not be able to access the Web server. Use the
no form to delete the URL configuration.
Command:
cc-url url_string
no cc-url url_string
Description:
url_string - Specifies the URL path of the CC URL constraint. The system will check the frequency
of the HTTP requests that access the specified paths, including the whole or part of the paths. For
example, if the configuration is /home/ab, the system will check and count the HTTP requests
like /home/ab/login and /home/abc/login. If the frequency of requests exceeds the threshold,
the system will block the source IP of the request and deny its access to the web server. The URL
path does not support a path format which contains the host name or domain name; for example,
the configuration should be /home/login.html instead of www.baidu.com/home/login.html, while
www.baidu.com should be configured in the domain name settings of the Web server. The system
allows up to 32 URL paths to be configured. The length range of each path is 1 to 255 characters.
Default values:
None
Mode:
Web server configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset test_http template http

hostname(config-http-sigset)# web-server web_server1

hostname(config-web-server)# domain www.abc.com

hostname(config-web-server)# cc-url /home/login.php

cc-url-limit

Configure the threshold value of the visiting frequency of the URL path and the time to block the IP
for the CC URL constraint. After the configuration, the system will count the HTTP requests that
access the path. If the frequency exceeds the threshold, the system will block the source IP of the
request and the IP will not be able to access the Web server. The system will release the blocked IP
and the IP can revisit the Web server after the blocking time. Use the no form to delete the
cc-url-limit configuration.
Command:
cc-url-limit threshold value action block-ip {permanent | second timeout | hour timeout |
day timeout}
no cc-url-limit



Description:
value - Specifies the maximum number of times a single source IP accesses the URL path per
minute. When the frequency of a source IP address exceeds this threshold, the system will block
the flow of the IP. The value ranges from 1 to 65535 times per minute.
action block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the IP address of the attacker, and specifies the block time.

- permanent - Specifies that the attacker IP is blocked permanently.

- second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day)
  for blocking the attacker IP. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15
  days.

Default values:
value - 1 time per minute.
block-ip_time – 60 seconds
Mode:
Web server configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset test_http template http

hostname(config-http-sigset)# web-server web_server1

hostname(config-web-server)# domain www.abc.com

hostname(config-web-server)# cc-url /home/login.php

hostname(config-web-server)# cc-url-limit threshold 1500 action block-ip 100
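The brute-force command (failures per protocol within the default five minutes, block IP or service) and the cc-url / cc-url-limit commands (requests per source IP per minute to a URL path prefix, block IP, release after the block time) describe the same counting mechanism. The following is an added example for this guide, not StoneOS code, that models that mechanism with constructed events: a sliding-window counter that blocks a key once the count exceeds the threshold, a brute-force wrapper keyed on the attacker IP or on the (src, dst, port, proto) service tuple used by exec block-service, and a CC URL constraint that applies the whole-or-partial path matching and the 32-path / 1-255-character limits from the text. Class and function names are this example's own.

```python
"""Added model of brute-force and CC URL constraint blocking. Not StoneOS code.
Assumptions: a blocked source IP loses access to the whole Web server (as the
text states) and "exceeds the threshold" means strictly more events than the
configured number inside the window.
"""
from collections import defaultdict, deque
from typing import Hashable, List, Optional


class ThresholdBlocker:
    """Count events per key in a sliding window of `window` seconds; block the
    key when the count exceeds `threshold`, for `block_seconds` (None = permanent)."""

    def __init__(self, threshold: int, window: float, block_seconds: Optional[float]):
        self.threshold = threshold
        self.window = window
        self.block_seconds = block_seconds
        self._events = defaultdict(deque)   # key -> timestamps inside the window
        self._blocked = {}                  # key -> expiry time (None = permanent)

    def is_blocked(self, key: Hashable, now: float) -> bool:
        if key not in self._blocked:
            return False
        expiry = self._blocked[key]
        if expiry is None or now < expiry:
            return True
        del self._blocked[key]              # block time elapsed: release the key
        return False

    def record(self, key: Hashable, now: float) -> bool:
        """Record one event for `key`; return True if the key is blocked afterwards."""
        if self.is_blocked(key, now):
            return True
        q = self._events[key]
        q.append(now)
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) > self.threshold:              # "exceeds the threshold"
            self._blocked[key] = None if self.block_seconds is None else now + self.block_seconds
            q.clear()
            return True
        return False


# --- brute-force: N authentication failures per protocol within the default 5 minutes ---
def brute_force_key(block: str, src_ip: str, dst_ip: str, dst_port: int, proto: int):
    """'block ip' blocks the attacker IP; 'block service' blocks the
    (src, dst, port, proto) service tuple, as exec block-service does."""
    return src_ip if block == "ip" else (src_ip, dst_ip, dst_port, proto)


class BruteForceGuard:
    def __init__(self, times: int, block: str, block_seconds: Optional[float]):
        self.block = block
        self.blocker = ThresholdBlocker(times, 300.0, block_seconds)   # 5-minute window

    def login_failed(self, src_ip: str, dst_ip: str, dst_port: int, proto: int, now: float) -> bool:
        """Return True if this failure (or an earlier block) means the attacker is blocked."""
        key = brute_force_key(self.block, src_ip, dst_ip, dst_port, proto)
        return self.blocker.record(key, now)


# --- cc-url / cc-url-limit: requests per source IP per minute to protected paths ---
class CcUrlConstraint:
    def __init__(self, paths: List[str], threshold: int, block_seconds: Optional[float]):
        if len(paths) > 32:
            raise ValueError("at most 32 URL paths")
        for p in paths:
            if not (1 <= len(p) <= 255) or not p.startswith("/"):
                raise ValueError(f"bad cc-url path {p!r}: 1-255 chars, no host or domain part")
        self.paths = paths
        self.blocker = ThresholdBlocker(threshold, 60.0, block_seconds)   # per minute

    def matches(self, path: str) -> bool:
        # Whole or partial path match: /home/ab covers /home/ab/login and /home/abc/login.
        return any(path.startswith(p) for p in self.paths)

    def request(self, src_ip: str, path: str, now: float) -> str:
        """Return "blocked" or "allowed" for one HTTP request from `src_ip`."""
        if self.blocker.is_blocked(src_ip, now):
            return "blocked"            # a blocked IP cannot reach the Web server at all
        if self.matches(path) and self.blocker.record(src_ip, now):
            return "blocked"
        return "allowed"
```

Timestamps are plain seconds so the sample runs offline; in a real deployment `now` would come from the packet clock. The `q.clear()` after a block means the count restarts when the block expires, which matches the text's "release the blocked IP and the IP can revisit the Web server".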

check-weakpassword

When configuring an IPS rule with the Weak Password Detection function, the system checks
the strength of the plaintext password which is set under the FTP/Telnet/POP3/IMAP/SMTP
protocols in this profile. The password is detected as weak if it meets the conditions configured
in the Weak Password Detection section. In this case, the system issues an alarm log to prevent
potential security risks caused by a weak password. Use this command to enter the Weak
Password Detection configuration mode to configure parameters including Password Length,
Password Character Type, User Name Equals Password, Continuous Character Detection, FTP
Anonymous Login Detection, and Specify Weak Password.
Use the no form of this command to restore the default Weak Password Detection
configurations. Default configurations: password length criterion is 6 characters; two character
types are covered in a password; User Name Equals Password is enabled; Continuous Character
Detection is enabled; FTP Anonymous Login Detection is disabled; Specify Weak Password has no
default value.
Commands:
check-weakpassword
no check-weakpassword
Description:
None
Default values:
None
Mode:
IPS Profile configuration mode
Guidance:
Weak password detection function is enabled by default.
Examples:
hostname(config)# ips profile test

hostname(config-ips-profile)# check-weakpassword

hostname(config-ips-profile-weakpass)#
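The criteria and defaults listed for Weak Password Detection (and the custom-password add/delete, equal-username-check and ftp-anonymous-login-check settings that follow) can be exercised on sample credentials. The following checker is an added example for this guide, not StoneOS code. Two details the text leaves open are assumptions of this example: "continuous characters" is taken to mean three or more identical or consecutive characters in a row (such as "aaa", "abc" or "321"), and the length criterion is taken to mean that a password shorter than 6 characters is weak. The FTP anonymous rule treats the user name "anonymous" as an anonymous login, and all names are this example's own.

```python
"""Added model of the Weak Password Detection criteria. Not StoneOS code.
Assumed definitions: continuous = a run of 3 identical or consecutive characters;
length criterion = shorter than min_length is weak; FTP anonymous = user "anonymous".
"""
from dataclasses import dataclass, field
from typing import List, Set


def _char_types(pw: str) -> int:
    """Number of character classes present: lowercase, uppercase, digit, other."""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(f(c) for c in pw) for f in classes)


def _has_continuous_run(pw: str, run: int = 3) -> bool:
    """True if `run` characters in a row are identical or step by +1/-1 (assumed definition)."""
    for i in range(len(pw) - run + 1):
        window = [ord(c) for c in pw[i:i + run]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


@dataclass
class WeakPasswordPolicy:
    enabled: bool = True                # enable / disable in the weakpass mode
    min_length: int = 6                 # default length criterion
    min_char_types: int = 2             # default: two character types
    equal_username_check: bool = True   # default enabled
    continuous_check: bool = True       # default enabled
    ftp_anonymous_check: bool = False   # default disabled
    custom: Set[str] = field(default_factory=set)   # custom-password add/delete, max 100

    def add_custom(self, pw: str) -> None:
        if len(self.custom) >= 100 and pw not in self.custom:
            raise ValueError("at most 100 custom weak passwords")
        self.custom.add(pw)

    def delete_custom(self, pw: str) -> None:
        self.custom.discard(pw)

    def weaknesses(self, username: str, password: str, protocol: str = "ftp") -> List[str]:
        """Return the criteria the plaintext credential violates ([] means not weak)."""
        if not self.enabled:
            return []
        found = []
        if len(password) < self.min_length:
            found.append("length")
        if _char_types(password) < self.min_char_types:
            found.append("char-types")
        if self.equal_username_check and password == username:
            found.append("equals-username")
        if self.continuous_check and _has_continuous_run(password):
            found.append("continuous")
        if self.ftp_anonymous_check and protocol == "ftp" and username.lower() == "anonymous":
            found.append("ftp-anonymous")
        if password in self.custom:
            found.append("custom-dictionary")
        return found


if __name__ == "__main__":
    # Constructed sample credentials; a non-empty list would raise the alarm log.
    policy = WeakPasswordPolicy()
    for user, pw in (("alice", "alice"), ("carol", "12345678"), ("bob", "Tq7!mZ2x")):
        print(user, policy.weaknesses(user, pw))
```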



custom-password add

Add a specified weak password to the weak password dictionary of the Weak Password Detection
function. If a password matches the specified weak password, the system will consider it as a
weak one. You can specify up to 100 weak passwords.
Command
custom-password add weakpassword
Description
weakpassword - Specifies the weak password to be added into the weak password dictionary.
Default values:
None
Mode:
Weak Password Detection configuration mode
Guidance:
None
Examples:
hostname(config)# ips profile test

hostname(config-ips-profile)# check-weakpassword

hostname(config-ips-profile-weakpass)# enable

hostname(config-ips-profile-weakpass)# custom-password add password123

custom-password delete

Delete a specified weak password from the weak password dictionary of the Weak Password
Detection function.
Command:
custom-password delete weakpassword
Description:
weakpassword - Specifies the weak password to be deleted from the weak password dictionary.



Default values:
None
Mode:
Weak Password Detection configuration mode
Guidance:
None
Examples:
hostname(config)# ips profile test

hostname(config-ips-profile)# check-weakpassword

hostname(config-ips-profile-weakpass)# enable

hostname(config-ips-profile-weakpass)# custom-password delete password123

deny-method

Specify the HTTP method that is refused by the system. Use the no form to allow the specified
HTTP method.
Command:
deny-method {connect | delete | get | head | options | post | put | trace | webdav | others}
no deny-method {connect | delete | get | head | options | post | put | trace | webdav | others}
Description:
connect | delete | get | head | options | post | put | trace | webdav | others - Specifies the
refused/allowed HTTP method.
Default values:
All methods are allowed by default.
Mode:
protocol configuration mode
Guidance:

When the system discovers that the requested method is not allowed, it will disconnect the
connection.
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# deny-method post

disable

Disable the Weak Password Detection function.


Command:
disable
Description:
None
Default values:
By default, the Weak Password Detection function is enabled.
Mode:
Weak Password Detection configuration mode
Guidance:
None
Examples:
hostname(config)# ips profile test

hostname(config-ips-profile)# check-weakpassword

hostname(config-ips-profile-weakpass)# disable

disable protocol-anomaly

Disable a signature rule in a profile. Use the no form to re-enable this signature rule.
Command:
disable protocol-anomaly id
no disable protocol-anomaly id



Description:
id - Specifies the ID of the enabled/disabled signature rule.
Default values:
None
Mode:
Protocol configuration mode
Guidance:
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# disable protocol-anomaly 360002

disable signature

Disable a certain signature in a profile. Use the no form to re-enable this signature.
Command:
disable signature id
no disable signature id
Description:
id - Specifies the ID of the enabled/disabled signature.
Default values:
None
Mode:
IPS profile configuration mode
Guidance:

Example:
hostname(config)# ips profile test

hostname(config-ips-profile)# disable signature 160009



domain

Configure the domain name for the Web server. Use the no form to delete the domain name
configuration.
Command:
domain domain_name
no domain domain_name
Description:
domain_name - Specifies the domain name of the Web server. You can specify up to 255
characters.
Default values:
None
Mode:
Web server configuration mode
Guidance:
The domain name cannot be configured for the default Web server.
You can configure up to 5 domain names for each Web server.
The domain name of the Web server follows the longest match principle as shown below:
hostname(config-http-sigset)# web-server web_server1

hostname(config-web-server)# domain abc.com

hostname(config-web-server)# exit

hostname(config-http-sigset)# web-server web_server2

hostname(config-web-server)# domain email.abc.com

With the above configurations, traffic that accesses news.abc.com will be matched to
web_server1, traffic that accesses www.email.abc.com will be matched to web_server2, and
traffic that accesses www.abc.com.cn will be matched to the default Web server.
Example:



hostname(config)# ips sigset test_http template http

hostname(config-http-sigset)# web-server web_server1

hostname(config-web-server)# domain www.abc.com
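The longest match principle in the Guidance above is easy to get wrong if the domain is compared as a plain string suffix: www.abc.com.cn ends with "abc.com.cn", not "abc.com", and must fall through to the default Web server. The following is an added example for this guide, not StoneOS code; it reuses the guide's web_server1 / web_server2 configuration and picks the server by label-wise longest match. Function names and the "default" server name are this example's own.

```python
"""Added illustration of Web server selection by longest matching domain.
Not StoneOS code. A configured domain matches a host only on label
boundaries, and the longest matching domain wins; no match -> default server.
"""
from typing import Dict, List


def _labels(host: str) -> List[str]:
    return host.lower().rstrip(".").split(".")


def domain_matches(host: str, domain: str) -> bool:
    """True if `host` equals `domain` or is a subdomain of it (label-wise suffix)."""
    h, d = _labels(host), _labels(domain)
    return len(h) >= len(d) and h[-len(d):] == d


def select_web_server(host: str, servers: Dict[str, List[str]], default: str = "default") -> str:
    """Return the name of the Web server whose domain is the longest match for `host`."""
    best, best_len = default, -1
    for name, domains in servers.items():
        if len(domains) > 5:
            raise ValueError(f"{name}: up to 5 domain names per Web server")
        for dom in domains:
            if domain_matches(host, dom) and len(_labels(dom)) > best_len:
                best, best_len = name, len(_labels(dom))
    return best


# The guide's own example configuration.
SERVERS = {"web_server1": ["abc.com"], "web_server2": ["email.abc.com"]}

if __name__ == "__main__":
    for host in ("news.abc.com", "www.email.abc.com", "www.abc.com.cn"):
        print(host, "->", select_web_server(host, SERVERS))
```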

dst-ip

Configure the destination IP address for the IPS white list. Use the no form to delete the IP
address.
Command:
dst-ip A.B.C.D | A.B.C.D/M
no dst-ip
Description:
A.B.C.D | A.B.C.D/M - Specifies the destination IP address for the IPS white list to
match.
Default values:
None
Mode:
IPS white list configuration mode
Guidance:
None
Example:
hostname(config)# ips whitelist white1

hostname(config-ips-whitelist)# dst-ip 10.1.1.2

enable

Enable the Web server. Use the no form to disable the Web server.
Command:
enable
no enable



Description:
None
Default values:
Enable the Web server.
Mode:
Web server configuration mode
Guidance:
The default Web server is enabled by default and cannot be disabled.
Example:
hostname(config)# ips sigset test_http template http

hostname(config-http-sigset)# web-server web_server1

hostname(config-web-server)# enable

enable

Enable the Weak Password Detection function.


Command:
enable
Description:
None
Default values:
By default, the Weak Password Detection function is enabled.
Mode:
Weak Password Detection configuration mode
Guidance:
None
Examples:
hostname(config)# ips profile test

hostname(config-ips-profile)# check-weakpassword

hostname(config-ips-profile-weakpass)# enable

equal-username-check

Enable/disable the weak password detection function of User Name Equals Password. With this
function enabled, the password that equals the user name will be detected as a weak password.
Commands:
Enable: equal-username-check enable
Disable: equal-username-check disable
Description:
None
Default values:
None
Mode:
Weak Password Detection configuration mode
Guidance:
By default, User Name Equals Password function is enabled.
Examples
hostname(config)# ips profile test

hostname(config-ips-profile)# check-weakpassword

hostname(config-ips-profile-weakpass)# enable

hostname(config-ips-profile-weakpass)# equal-username-check enable

exec block-ip add

Add an IP address to the blocked IP list.


Command:
exec block-ip add {ip ipv4-address | ipv6 ipv6-address} [vrouter vr-name] timeout timeout

Description:



ip ipv4-address | ipv6 ipv6-address - Specifies the IP address to add to the blocked IP list.
timeout timeout - Specifies the period (in seconds) of blocking the IP address of the attacker. The
value ranges from 60 to 1,296,000 seconds. Once the time expires, the IP address will automatically
be deleted from the blocked IP list.
vr-name - Specifies the VR where the IP address is located.
Default values:
vr-name – trust-vr
Mode:
execution mode
Guidance:
Non-root VSYS does not support this command.
Example:
hostname# exec block-ip add ipv4 100.10.10.1 timeout 60

exec block-ip remove

Delete a blocked IP address from the blocked IP list.
Command:
exec block-ip remove {all | ipv4 ipv4-address | ipv6 ipv6-address} [vrouter vr-name]

Description:
all - Deletes all blocked IP addresses.
ipv4 ipv4-address|ipv6 ipv6-address - Deletes the specified blocked IP address.
vr-name - Specifies the VR where the IP address is located.
Default values:
vr-name – trust-vr
Mode:
execution mode
Guidance:



Non-root VSYS does not support this command.
Example:
hostname# exec block-ip remove ipv4 100.10.10.1

exec block-service add

Add a service item to the blocked service list.


Command:
exec block-service add {src-ipv4 src-ipv4-address dst-ipv4 dst-ipv4-address | src-ipv6
src-ipv6-address dst-ipv6 dst-ipv6-address} [vrouter vr-name] dst-port port-number proto
protocol

Description:
src-ipv4 src-ipv4-address - Specifies the source IPv4 address of the service.
dst-ipv4 dst-ipv4-address - Specifies the destination IPv4 address of the service.
src-ipv6 src-ipv6-address - Specifies the source IPv6 address of the service.
dst-ipv6 dst-ipv6-address - Specifies the destination IPv6 address of the service.
vrouter vr-name - Specifies the name of the VRouter.
dst-port port-number - Specifies the destination port of the service. The value ranges from 1
to 65535.
proto protocol - Specifies the protocol of the service. The value ranges from 1 to 255.
Default values:
vr-name – trust-vr
Mode:
execution mode
Guidance:
Non-root VSYS does not support this command.
Example:
hostname# exec block-service add src-ipv4 100.10.10.1 dst-ipv4 100.20.10.4 dst-port 1025
proto 23



exec block-service remove

Delete the service items that are blocked.


Command:
exec block-service remove {all | {src-ipv4 src-ipv4-address dst-ipv4 dst-ipv4-address | src-ipv6
src-ipv6-address dst-ipv6 dst-ipv6-address} [vrouter vr-name] dst-port port-number
proto protocol}

Description:
all - Deletes all blocked services.
src-ipv4 src-ipv4-address dst-ipv4 dst-ipv4-address - Specifies the source IPv4 address and
destination IPv4 address of the service.
src-ipv6 src-ipv6-address dst-ipv6 dst-ipv6-address - Specifies the source IPv6 address and
destination IPv6 address of the service.
vrouter vr-name - Specifies the name of the VRouter.
dst-port port-number - Specifies the destination port of the service. The value ranges from 1
to 65535.
proto protocol - Specifies the protocol of the service. The value ranges from 1 to 255.
Default values:
vr-name – trust-vr
Mode:
execution mode
Guidance:
Non-root VSYS does not support this command.
Example:
hostname# exec block-service remove all

exec ips

Enable/disable the IPS function.


Command:



Enable the function: exec ips enable
Disable the function: exec ips disable
Description:
None
Default values:
None
Mode:
execution mode
Guidance:

- This command is valid for the platforms with the IPS license installed.

- After executing the exec ips enable command or the exec ips disable command, you must
  restart the device to enable or disable the IPS function. After restarting, the system's maximum
  concurrent sessions might decrease if the function is enabled, or restore to normal if the function
  is disabled. For more information about the maximum concurrent sessions, see "The Maximum
  Concurrent Sessions" on Page 698.

- Non-root VSYS does not support this command.

Example:
hostname# exec ips enable

external-link

Configure the URL of an external link. The URL must be an absolute path, which means that you
must enter the protocol, i.e. http://, https:// or ftp://. For example, http://www.abc.com/script
indicates that all files located under this path can be referenced by the Web server. Use the no
form to delete the specified URL of the external link.
Command:
external-link url
no external-link url



Description:
url - Specifies the URL of external link.
Default values:
None
Mode:
Web server configuration mode
Guidance:
For each Web server, you can configure up to 32 URLs of external link.
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# web-server www.abc.com

hostname(config-web-server)# external-link http://www.abc.com/script

external-link-check

Enable the function of external link check to control the referenced actions performed by the
Web server. Use the no form to disable this function.
Command:
external-link-check enable action {reset | log}

no external-link-check enable
Description:
reset | log - Specifies the action performed when the behavior of a Web site external link is
discovered.

- reset - On discovering the behavior of a Web site external link, reset the connection (TCP) or
  send destination unreachable packets (UDP), and generate logs.

- log - On discovering the behavior of a Web site external link, only generate logs.

Default values:
None
Mode:



Web server configuration mode
Guidance:
None.
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# web-server www.abc.com

hostname(config-web-server)# external-link-check enable action reset

filter-class

When configuring a signature set, you can create a filter rule in which you select the desired
signatures by using filter conditions. Use the following command to create a filter rule and enter
the filter rule configuration mode. Use the no form to delete this rule.
Command:
filter-class id [name name]

no filter-class id

Description:
id - Specifies the ID of the filter rule.
name name- Specifies the name of the filter rule.
Default values:
None
Mode:
IPS Profile configuration mode.
Guidance:
None
Example:
hostname(config)# ips profile test

hostname(config-ips-profile)# filter-class 1 name test2



ftp-anonymous-login-check

Enable / disable FTP Anonymous Login Detection. When you log in anonymously through FTP,
the system identifies your password as a weak password.
Commands:
Enable: ftp-anonymous-login-check enable
Disable: ftp-anonymous-login-check disable
Description:
None
Default values:
None
Mode:
Weak Password Detection configuration mode
Guidance:
By default, FTP Anonymous Login Detection is disabled.
Examples:
hostname(config)# ips profile test

hostname(config-ips-profile)# check-weakpassword

hostname(config-ips-profile-weakpass)# enable

hostname(config-ips-profile-weakpass)# ftp-anonymous-login-check enable

http-request-flood auth

Configure the authentication method for the HTTP request flood protection. The system judges
whether the source IP address of the HTTP request is valid or not by authentication, thus
identifying the attack traffic and executing the protection. If a certain source IP address fails the
authentication, the system will block the HTTP requests generated by that source IP address. Use
the no form to cancel the configuration.
Command:



http-request-flood auth {auto-js-cookie | auto-redirect | manual-CAPTCHA | manual-confirm}
[crawlers-friendly]

no http-request-flood auth
Description:
auto-js-cookie | auto-redirect | manual-CAPTCHA | manual-confirm - Specifies the
authentication method:

- auto-js-cookie - Automatic (JS Cookie). This authentication method is automatically
  completed by the Web browser.

- auto-redirect - Automatic (Redirect). This authentication method is automatically completed
  by the Web browser.

- manual-CAPTCHA - Manual (Access confirmation). When using this authentication
  method, the user that initiates the HTTP requests must click the OK button to complete the
  authentication.

- manual-confirm - Manual (Verification code). When using this authentication method, the
  user that initiates the requests must enter the verification code to complete the
  authentication.

crawlers-friendly - With this parameter entered, the system will not authenticate the crawlers.
Default values:
None
Mode:
Web server configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# web-server web_server1

hostname(config-web-server)# http-request-flood auth auto-js-cookie

http-request-flood enable

Enable the HTTP request flood protection function and set the request threshold. When the
HTTP request rate reaches the configured threshold, the system concludes that an HTTP
request flood is happening and enables the HTTP request flood protection. Use the no form
to disable the function.
Command:
http-request-flood enable [threshold request value]
no http-request-flood enable
Description:
threshold request value - Specifies the request threshold. The value ranges from 0 to 1000000 per
second.
Default values:
The default value is 1500 per second.
Mode:
Web server configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# web-server web_server1

hostname(config-web-server)# http-request-flood enable

http-request-flood proxy-limit

Configure the proxy rate limit. After the proxy rate limit is configured, the system checks whether each source IP belongs to a proxy server. If it does, the system limits the request rate of that source according to the proxy rate limit. Use the no form to cancel the proxy rate limit.
Command:

http-request-flood proxy-limit threshold value {blockip timeout {permanent | second timeout | hour timeout | day timeout} | reset} [nolog]
no http-request-flood proxy-limit
Description:
threshold value - Specifies the threshold for the request rate. If the received request rate exceeds the configured threshold and HTTP request flood protection is enabled, the system performs the corresponding limitation. The value ranges from 0 to 1000000.
blockip timeout {permanent | second timeout | hour timeout | day timeout} | reset - Specifies the limitation that the system performs when the request rate exceeds the configured threshold.

• permanent - Specifies that the attacker IP is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the attacker IP. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

• reset - Resets the requests that exceed the configured threshold.

nolog - Do not record logs.

Default values:
None
Mode:
Web server configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# web-server web_server1

hostname(config-web-server)# http-request-flood proxy-limit threshold 10000 reset nolog
http-request-flood request-limit

Configure the access rate limit. After configuring the access rate limit, the system limits the access
rate for each source IP address. Use the no form to cancel the access rate limit.
Command:
http-request-flood request-limit threshold value {blockip timeout {permanent | second timeout | hour timeout | day timeout} | reset} [nolog]
no http-request-flood request-limit
Description:
threshold value - Specifies the threshold for the access rate. If the received request rate exceeds the configured threshold and HTTP request flood protection is enabled, the system performs the corresponding limitation. The value ranges from 0 to 1000000.
blockip timeout {permanent | second timeout | hour timeout | day timeout} | reset - Specifies the limitation that the system performs when the request rate exceeds the configured threshold.

• permanent - Specifies that the IP address or service of the attacker is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the IP or service of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

• reset - Resets the requests that exceed the configured threshold.

nolog - Do not record logs.


Default values:
None
Mode:
Web server configuration mode
Guidance:
None
Example:



hostname(config)# ips sigset http1 template http
hostname(config-http-sigset)# web-server web_server1
hostname(config-web-server)# http-request-flood request-limit threshold 10000 blockip timeout 60

http-request-flood statistics

Enable the URL request statistics function. Use the no form to cancel the URL request statistics
function.
Command:
http-request-flood statistics enable
no http-request-flood statistics enable
Description:
None
Default values:
None
Mode:
Web server configuration mode
Guidance:
Only after the http-request-flood statistics enable command has been executed can the show ips sigset sigset-name web-server server-name http-request-flood req-stat top command take effect.
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# web-server web_server1

hostname(config-web-server)# http-request-flood statistics enable

http-request-flood white-list

Configure the white list for the HTTP request flood protection function. The system will not check the source IP addresses that are added to the white list. Use the no form to cancel the white list configurations.
Command:
http-request-flood white-list address_entry
no http-request-flood white-list
Description:
address_entry - Specifies the address entry that will not be checked.
Default values:
None
Mode:
Web server configuration mode
Guidance:

• The address entry cannot be a domain name or an IPv6 address.

• If the traffic from the source IP addresses in the white list exceeds the request threshold, the HTTP request flood protection function will be enabled.

Example:
hostname(config)# ips sigset http1 template http
hostname(config-http-sigset)# web-server web_server1
hostname(config-web-server)# http-request-flood white-list addr1

http-request-flood x-forward-for

Configure which value of the HTTP x-forward-for field is used for HTTP request flood protection. After the configuration, the system collects statistics on the access frequency of the addresses in that field. When the number of HTTP connection requests per second to this URL reaches the threshold and the condition lasts for 20 seconds, the system treats it as an HTTP request flood attack. Use the no form to cancel the x-forward-for configuration.
Command:
http-request-flood x-forward-for {first | last | all}
no http-request-flood x-forward-for
Description:
first | last | all - Specifies which value of the x-forwarded-for field is used for HTTP request flood protection: first is the first value of the x-forwarded-for field, last is the last value of the field, and all means all values of the field.
Default values:
None
Mode:
Web server configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# web-server web_server1

hostname(config-web-server)# http-request-flood x-forward-for first
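The following is an added example, not StoneOS code, showing how the knobs documented in the http-request-flood enable, request-limit, white-list and x-forward-for entries fit together: a per-source request counter that picks the client address from the x-forwarded-for field (first, last or all), skips whitelisted sources, and blocks a source for a timeout once it exceeds the per-second threshold. All function names, IP addresses and access lines are constructed for the illustration.

```python
# Added example (not StoneOS code): per-source HTTP request-rate check with
# x-forward-for first|last|all selection, a white list, and blockip timeout.
# Every input here is constructed sample data.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class FloodConfig:
    threshold: int = 1500            # requests per second per source (page default)
    xff_mode: str = "first"          # "first", "last" or "all", as in the CLI
    whitelist: frozenset = frozenset()
    block_timeout: int = 60          # seconds, like "blockip timeout 60" above


@dataclass
class FloodState:
    counts: dict = field(default_factory=lambda: defaultdict(int))  # (second, ip) -> hits
    blocked_until: dict = field(default_factory=dict)               # ip -> expiry second
    events: list = field(default_factory=list)                      # (second, ip, action)


def client_addresses(src_ip, xff_header, mode):
    """Return the address(es) this request is counted against.
    Without an X-Forwarded-For header the transport source IP is used."""
    if not xff_header:
        return [src_ip]
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if mode == "first":
        return [hops[0]]
    if mode == "last":
        return [hops[-1]]
    if mode == "all":
        return hops
    raise ValueError("mode must be first, last or all")


def process_request(cfg, state, ts, src_ip, xff=""):
    """Count one request at integer second ts.
    Returns 'whitelisted', 'blocked' or 'allow'."""
    verdict = "allow"
    for ip in client_addresses(src_ip, xff, cfg.xff_mode):
        if ip in cfg.whitelist:          # whitelisted sources are not checked at all
            return "whitelisted"
        expiry = state.blocked_until.get(ip)
        if expiry is not None and ts < expiry:
            return "blocked"             # still inside the block timeout
        state.counts[(ts, ip)] += 1
        if state.counts[(ts, ip)] > cfg.threshold:
            state.blocked_until[ip] = ts + cfg.block_timeout
            state.events.append((ts, ip, "blockip"))
            verdict = "blocked"
    return verdict


def replay(cfg, lines):
    """Replay constructed access lines 'ts src_ip [x-forwarded-for]'.
    Returns (per-verdict tally, final state)."""
    state = FloodState()
    tally = defaultdict(int)
    for line in lines:
        parts = line.split(maxsplit=2)
        ts, src = int(parts[0]), parts[1]
        xff = parts[2] if len(parts) == 3 else ""
        tally[process_request(cfg, state, ts, src, xff)] += 1
    return dict(tally), state


def demo():
    # Constructed scenario: a small threshold so the block fires quickly.
    cfg = FloodConfig(threshold=3, xff_mode="first",
                      whitelist=frozenset({"10.0.0.5"}), block_timeout=60)
    lines = []
    # Five requests in second 100 via proxy 203.0.113.9 for client 198.51.100.7
    lines += ["100 203.0.113.9 198.51.100.7, 203.0.113.9"] * 5
    # Five requests from a whitelisted client behind the same proxy
    lines += ["100 203.0.113.9 10.0.0.5, 203.0.113.9"] * 5
    # The blocked client retries at second 130 (inside the 60 s block) ...
    lines += ["130 203.0.113.9 198.51.100.7"]
    # ... and at second 161, after the block has expired
    lines += ["161 203.0.113.9 198.51.100.7"]
    return replay(cfg, lines)


if __name__ == "__main__":
    tally, state = demo()
    print(tally, state.events)
```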

http-request-flood x-real-ip

Enable statistics on the x-real-ip field for HTTP request flood protection. When enabled, the system counts requests by the value of the x-real-ip field. Use the no form to cancel the configuration.
Command:
http-request-flood x-real-ip enable
no http-request-flood x-real-ip
Description:
None
Default values:
None
Mode:
Web server configuration mode



Guidance:
None
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# web-server web_server1

hostname(config-web-server)# http-request-flood x-real-ip enable

iframe-check

Enable the hidden iframe check and configure its action. Through the iframe check, the system recognizes whether an HTML page contains a hidden iframe, and then logs it or resets the connection. Use the no form to disable this function.
Command:
iframe-check enable action {log | reset}
no iframe-check enable
Description:
reset | log - Specifies the action for an HTTP response that contains a hidden iframe.

• reset - When hidden iframe behavior is discovered, reset the connection (TCP) or send destination unreachable packets (UDP), and generate logs.

• log - When hidden iframe behavior is discovered, only generate logs.

Default values:
None
Mode:
Web server configuration mode
Guidance:
None.
Example:
hostname(config)# ips sigset test_http template http
hostname(config-http-sigset)# web-server web_server1
hostname(config-web-server)# iframe-check enable action log

iframe width

Configure the width and height limits for the iframe check function. The system then checks the iframes of an HTML page against the given width and height. When either the width or the height of an iframe in the HTML page is less than or equal to the given value, the system identifies a hidden iframe attack and then logs it or resets the connection. Use the no form to cancel the configuration.
Command:
iframe width width_value height height_value
no iframe
Description:
width width_value - Specifies the width value for the iframe, ranging from 0 to 4096.
height height_value - Specifies the height value for the iframe, ranging from 0 to 4096.
Default values:
None
Mode:
Web server configuration mode
Guidance:
None.
Example:
hostname(config)# ips sigset test_http template http
hostname(config-http-sigset)# web-server web_server1
hostname(config-web-server)# iframe width 0 height 1
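As an added example (not StoneOS code), the following parser applies the rule described for iframe-check and iframe width/height: it flags every iframe whose width or height attribute is at or below the configured limit and returns the configured action (log or reset). The sample HTML, thresholds and function names are constructed for the illustration.

```python
# Added example (not StoneOS code): detect hidden iframes by width/height
# limits, mirroring "iframe width 0 height 1" with "iframe-check enable action".
from html.parser import HTMLParser


def _px(value):
    """Parse a width/height attribute such as '0', '1px' or '100%'.
    Returns an int or None when the value is not a plain pixel count."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return int(v)
    except ValueError:
        return None          # percentages, 'auto', etc. are not compared


class IframeChecker(HTMLParser):
    def __init__(self, max_width, max_height):
        super().__init__()
        self.max_width, self.max_height = max_width, max_height
        self.hits = []       # (width, height, src) for each hidden iframe

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        w, h = _px(a.get("width")), _px(a.get("height"))
        # Page rule: either dimension <= its configured limit marks the iframe hidden.
        if (w is not None and w <= self.max_width) or (h is not None and h <= self.max_height):
            self.hits.append((w, h, a.get("src")))


def find_hidden_iframes(html, max_width=0, max_height=1):
    """Return the list of iframes judged hidden under the given limits."""
    p = IframeChecker(max_width, max_height)
    p.feed(html)
    p.close()
    return p.hits


def iframe_check_action(html, action="log", max_width=0, max_height=1):
    """Return 'log' or 'reset' (the configured action) when a hidden iframe is
    present in the response body, otherwise 'pass'."""
    return action if find_hidden_iframes(html, max_width, max_height) else "pass"


# Constructed response body: one normal iframe and two hidden ones.
SAMPLE_HTML = """<html><body>
<iframe src="https://example.test/video" width="640" height="360"></iframe>
<iframe src="https://example.test/x" width="0" height="0" style="border:0"></iframe>
<iframe src="https://example.test/y" width="100%" height="1px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe:", hit)
    print("action:", iframe_check_action(SAMPLE_HTML, action="reset"))
```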



ips buffer-capture enable

For threats detected by the Intrusion Prevention System, the system can capture the threat data
and you can view how the threats occur in threat logs. By default, the function is disabled. After
this function is enabled, you can click Download next to the Threat Data option to download the
threat data on the threat log details page of the WebUI.
Command:
ips buffer-capture enable
no ips buffer-capture enable

Description:
None
Default values:
Disabled
Mode:
global configuration mode
Guidance:
None
Example:
hostname(config)# ips buffer-capture enable
hostname(config)#

ips enable

Enable the IPS function for a certain security zone and specify the IPS Profile to be used. Use the
no form to disable the IPS function.
Command:
ips enable {no-ips | predef_default | predef_loose | predef_critical | profile-name} {egress | ingress | bidirectional}

no ips enable
Description:

no-ips - Use the predefined IPS profile named no ips. The no ips profile includes no IPS signatures.
predef_default - Use the predefined IPS profile named predef_default. The predef_default rule is configured with IPS signatures of medium and high confidence levels; this rule can be used to detect threats and perform the default rule action.
predef_loose - Use the predefined IPS profile named predef_loose. The predef_loose rule is configured with all the IPS signatures and its default action is log only.
predef_critical - Use the predefined IPS profile named predef_critical. The predef_critical rule is configured with IPS signatures of the latest high-risk attacks and its default action is reset.
profile-name - Specifies an IPS profile for the current security zone.
egress - Performs the IPS check for the egress traffic of the current security zone.
ingress - Performs the IPS check for the ingress traffic of the current security zone.
bidirectional - Performs the IPS check for both the ingress and egress traffic of the current security zone.
Default values:
None
Mode:
security zone configuration mode
Guidance:

• If the policy rule has been bound with an IPS Profile and the source and destination security zones have been bound with an IPS Profile simultaneously, the system will perform the IPS check according to the following order of priority: IPS Profile bound to the policy rule, IPS Profile bound to the destination security zone, IPS Profile bound to the source security zone.

• For each security zone, you can only bind one IPS Profile with it.

Example:
hostname(config)# zone trust
hostname(config-zone-trust)# ips enable test bidirectional


ips log aggregation

The system can merge IPS logs that have the same protocol ID, the same VSYS ID, the same signature ID, the same log ID, and the same merging type. This reduces the number of logs and avoids receiving redundant logs.
Command:
ips log aggregation { by-src | by-dst | by-src-dst }
Description:
by-src - Merge the IPS logs with the same Source IP.
by-dst - Merge the IPS logs with the same Destination IP.
by-src-dst - Merge the IPS logs with the same Source IP and the same Destination IP.
Default values:
Disabled
Mode:
global configuration mode
Guidance:

• Only IPS logs can be merged.

• Non-root VSYS does not support this command.

Example:
hostname(config)# ips log aggregation by-src

ips log http-proxy-ip

When enabled, the system records only the IP address of the HTTP proxy in the threat log, not the real IP address of the threat source. When disabled, the system parses the HTTP header to obtain the real IP address of the threat source and displays that real IP address in the threat log.
Command:
ips log http-proxy-ip { enable | disable }
Description:



enable - Enable the device to record HTTP proxy IP.
disable - Disable the device to record HTTP proxy IP.
Default values:
Enabled
Mode:
global configuration mode
Guidance:
None
Example:
hostname(config)# ips log http-proxy-ip enable

ips mode

Specify the IPS work mode. The system supports the IPS online emulation mode and IPS mode.
Command:
ips mode {ips | ips-logonly}

Description:
ips - Uses the IPS mode. Besides providing the warnings and logs for the abnormal protocols and
network attacks, the system can perform the block or reset operation to the discovered attacks.
ips-logonly - Uses the IPS online emulation mode. The system provides the warnings and logs for
the abnormal protocols and network attacks, and cannot perform the block or reset operation to
the discovered attacks.
Default values:
IPS mode
Mode:
global configuration mode
Guidance:
Non-root VSYS does not support this command.
Example:
hostname(config)# ips mode ips-logonly


ips profile

Create an IPS profile and enter the IPS Profile configuration mode. If the specified name already
exists, the system will enter the IPS Profile configuration mode directly. Use the no form to
delete the specified IPS Profile.
Command:
ips profile {no-ips | predef_default | predef_loose | predef_critical | profile-name}
no ips profile profile-name

Description:
no-ips - Use the predefined IPS profile named no ips. The no ips profile includes no IPS signatures.
predef_default - Use the predefined IPS profile named predef_default. The predef_default rule is configured with IPS signatures of medium and high confidence levels; this rule can be used to detect threats and perform the default rule action.
predef_loose - Use the predefined IPS profile named predef_loose. Thepredef_loose rule is con-
figured with all the IPS signatures and its default action is log only.
predef_critical - Use the predefined IPS profile named predef_critical. The predef_critical rule is
configured with IPS signatures of the latest high-risk attacks and its default action is reset.
profile-name - Specifies the name of the IPS Profile. The system supports up to 64 user-defined
IPS rules and each non-root VSYS supports up to 4 user-defined IPS rules.
Default values:
None
Mode:
global configuration mode
Guidance:
Non-root VSYS also supports predefined IPS Profiles.
Example:
hostname(config)# ips profile test
hostname(config-ips-profile)#


ips signature

Disable a certain signature. Use the no form to re-enable this signature.


Command:
ips signature id disable
no ips signature id disable
Description:
id - Specifies the ID of the enabled/disabled signature.
Default values:
None
Mode:
global configuration mode
Guidance:

• When a certain signature is disabled, it is also in the disabled status in the signature set.

• Non-root VSYS does not support this command.

Example:
hostname(config)# ips signature 160009 disable

ips sigset

Use the existing pre-defined protocol as a template and create a user-defined protocol based on
this template. Enter the protocol configuration mode. If the specified name already exists, the sys-
tem will enter the protocol configuration mode directly. Use the no form to delete the specified
protocol.
Command:
ips sigset sigset-name [template {dhcp | dns | finger | ftp | http | imap | ldap | msrpc | mssql | mysql | netbios | nntp | oracle | other-tcp | other-udp | pop3 | smtp | snmp | sunrpc | telnet | tftp | voip}]
no ips sigset sigset-name


Description:
sigset-name - Specifies the name of the protocol.
dhcp | dns … | voip - Selects a predefined protocol as the template.
Default values:
None
Mode:
global configuration mode
Guidance:

• The predefined protocol cannot be deleted or edited.

• The user-defined protocol cannot have the same name as a predefined protocol.

• A signature set cannot be created based on a user-defined signature set.

• Protocols of the same type cannot be added to one IPS Profile. For example, two protocols created based on the HTTP template cannot be added to one IPS Profile.

Example:
hostname(config)# ips sigset http1 template http
hostname(config-http-sigset)#

ips suspicious-ua-detection whitelist

Create the UA whitelist entry for the Suspicious UA Detection function. When a whitelist entry
is created, the system will not perform suspicious UA detection for traffic matching the UA string
in the whitelist. You can add both predefined and user-defined UA strings to the UA whitelist.
Use the no form of the command to delete specified UA whitelist entry.
Commands:
ips suspicious-ua-detection whitelist string
no ips suspicious-ua-detection whitelist string
Description:

string - Specifies the UA string to add to the whitelist. The value range is 1-31 characters.
Default values:
None
Mode:
global configuration mode
Guidance:
None
Example:
hostname(config)# ips suspicious-ua-detection whitelist abc

ips suspicious-ua-detection user-define

Add a customized User-Agent string for the Suspicious UA Detection function. When a user-defined UA string is added, the system checks for that UA string and applies the corresponding action if it is detected as suspicious. You can add up to 16 user-defined UA strings. Use the no form of the command to delete the specified user-defined UA string.
Commands:
ips suspicious-ua-detection user-define string
no ips suspicious-ua-detection user-define string
Description:
string - Specifies the customized UA string. The value range is 1-31 characters.
Default values:
None
Mode:
global configuration mode
Guidance:
None
Example:
hostname(config)# ips suspicious-ua-detection user-define abc



ips whitelist

Configure the white list for IPS. The system releases data packets that match the IPS whitelist without further detection or defense, thereby reducing the rate of false threat reports. IPS whitelist matching criteria include source address, destination address, signature ID, and VRouter. The user needs to configure at least one condition; when multiple conditions are configured, a data packet must meet all of them before the system releases it. Use the no form to delete the specified white list.
Command:
ips whitelist list-name
no ips whitelist list-name
Description:
list-name - Specifies the name of the IPS whitelist. The length ranges from 1 to 255.
Default values:
None
Mode:
global configuration mode
Guidance:
None
Example:
hostname(config)# ips whitelist white1
hostname(config-ips-whitelist)#

issue-date

Configure the issue-date parameter to include signatures, issued in the specified year, in the filter
rule.
Command:
issue-date year
no issue-date year



Description:
year - Enter the year when the vulnerability was issued. The range varies from 2000 to 2004.
Default values:
None
Mode:
Filter rule configuration mode
Guidance:
None
Example:
hostname(config)# ips profile test
hostname(config-ips-profile)# filter-class 1
hostname(config-ips-filter-class)# issue-date 2006

length

Specify the length criterion of the password. If a password is shorter than the length criterion, it
will be detected as a weak password.
Command:
length number
Description:
number - Specify the length criterion of the password. The range of length criterion is from 6 to
50 characters.
Default values:
number - 6 characters
Mode:
Weak Password Detection configuration mode
Guidance:
None



Examples:
hostname(config)# ips profile test
hostname(config-ips-profile)# check-weakpassword
hostname(config-ips-profile-weakpass)# enable
hostname(config-ips-profile-weakpass)# length 8

max-arg-length

Specify the maximum length for the POP3 client command parameters and the action performed
when discovering this kind of anomaly. Use the no form to restore the length setting to the
default value.
Command:
max-arg-length length action {block-ip {permanent | second timeout | hour timeout | day timeout} | block-service {permanent | second timeout | hour timeout | day timeout} | log-only | reset}
no max-arg-length (Restore the length to the default value)
Description:
length - Specifies the maximum length for the POP3 client command parameters (in bytes).
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker IP is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Specifies that the service of the attacker is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the service of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

log-only - Records a log.
reset - Resets connections (TCP) or sends destination unreachable packets (UDP) and also generates logs.
Default values:
length - 40 bytes
Mode:
protocol configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset pop3-cus template pop3

hostname(config-pop3-sigset)# max-arg-length 30 action log-only

max-bind-length

Specify the allowed maximum length for the MSRPC binding packet and the action performed when this kind of anomaly is discovered. Use the no form to restore the length setting to the default value.
Command:
max-bind-length length action { block-ip { permanent | second timeout | hour timeout
| day timeout }| block-service { permanent | second timeout | hour timeout | day
timeout }| log-only | reset }
no max-bind-length - Restore the length to the default value.
Description:



length - Specifies the maximum length for the binding packet (in bytes). The value ranges from 16 to 65535.
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker IP is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker service is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the service of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

log-only - Records a log.
reset - Resets connections (TCP) or sends destination unreachable packets (UDP) and also generates logs.
Default values:
length - 2048 bytes
Mode:
protocol configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset msrpc-cus template msrpc
hostname(config-msrpc-sigset)# max-bind-length 3000 action log-only

max-black-list

Specify the maximum number of URLs that a Web server black list can contain. When a user
accesses a statistic page, the system will add the URL of this page to the black list if the system
discovers that the contents in this page violate the external link check and the uploading path
check. When a user accesses this statistic page again, the URL will hit the black list, thus, improv-
ing the processing speed of the system. Use the no form to cancel the above setting.
Command:
max-black-list size
no max-black-list
Description:
size - Specifies the maximum number of URLs that a Web server black list can contain.
Default values:
0
Mode:
Web server configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset http1 template http
hostname(config-http-sigset)# web-server www.abc.com
hostname(config-http-web-server)# max-black-list 4096

max-cmd-line-length

Specify the maximum length of the FTP command line, POP3 client command line, or SMTP client command line and the action performed when this kind of anomaly is discovered. When calculating the length, both the carriage return and the line feed are counted. Use the no form to restore the length setting to the default value.



Command:
max-cmd-line-length length action { block-ip { permanent | second timeout | hour
timeout | day timeout }| block-service { permanent | second timeout | hour timeout |
day timeout }| log-only | reset }
no max-cmd-line-length - Restore the length to the default value.
Description:
length - Specifies the maximum length of the command line (in bytes). The maximum length of the FTP command line ranges from 5 to 1024. The maximum length of the POP3/SMTP client command line ranges from 64 to 1024.
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker IP is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker service is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the service of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

log-only - Records a log.
reset - Resets connections (TCP) or sends destination unreachable packets (UDP) and also generates logs.
Default values:
length - 512 bytes



Mode:
protocol configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset test1 template ftp
hostname(config-ftp-sigset)# max-cmd-line-length 80 action log-only

max-content-filename-length

Specify the allowed maximum length of the attachment name of SMTP emails and the action per-
formed when discovering this kind of anomaly. Use the no form to restore the length setting to
the default value.
Command:
max-content-filename-length length action { block-ip { permanent | second timeout |
hour timeout | day timeout }| block-service { permanent | second timeout | hour
timeout | day timeout }| log-only | reset }
no max-content-filename-length - Restore the length to the default value.
Description:
length - Specifies the maximum length of the attachment name of SMTP emails (in bytes). The value ranges from 64 to 1024.
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker IP is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker service is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the service of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

log-only - Records a log.
reset - Resets connections (TCP) or sends destination unreachable packets (UDP) and also generates logs.
Default values:
length - 128 bytes
Mode:
protocol configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset smtp-cus template smtp
hostname(config-smtp-sigset)# max-content-filename-length 512 action log-only

max-content-type-length

Specify the allowed maximum length of the SMTP Content-Type value and the action performed
when discovering this kind of anomaly. Use the no form to restore the length setting to the
default value.
Command:
max-content-type-length length action {block-ip {permanent | second timeout | hour timeout | day timeout} | block-service {permanent | second timeout | hour timeout | day timeout} | log-only | reset}
no max-content-type-length - Restore the length to the default value.
Description:
length - Specifies the maximum length of the SMTP Content-Type value (in bytes). The value ranges from 64 to 1024.
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker IP is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker service is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the service of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

log-only - Records a log.
reset - Resets connections (TCP) or sends destination unreachable packets (UDP) and also generates logs.
Default values:
length - 128 bytes
Mode:
protocol configuration mode
Guidance:
None



Example:
hostname(config)# ips sigset smtp-cus template smtp
hostname(config-smtp-sigset)# max-content-type-length 256 action log-only

max-failure

For each POP3/SMTP session, specify the maximum number of errors that the POP3/SMTP server is allowed to return and the action performed when this kind of anomaly is discovered. Use the no form to restore the setting to the default value.
Command:
max-failure times action { block-ip { permanent | second timeout | hour timeout | day
timeout }| block-service { permanent | second timeout | hour timeout | day timeout }|
log-only | reset }
no max-failure - Restore the number of times to the default value.
Description:
times - For each POP3 session, specifies the maximum number of errors that the POP3 server is allowed to return. The value ranges from 0 to 512.
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker IP is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker service is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the service of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

log-only - Records a log.
reset - Resets connections (TCP) or sends destination unreachable packets (UDP) and also generates logs.
Default values:
times – 0 (no limitation)
Mode:
protocol configuration mode
Guidance:
Limiting the number of error responses per POP3/SMTP session effectively stops repeated
invalid attempts, such as password guessing against the mail server.
Example:
hostname(config)# ips sigset pop3-cus template pop3

hostname(config-pop3-sigset)# max-failure 8 action log-only

max-input-length

Specify the allowed maximum length of the Telnet username and password and the action performed
when this anomaly is detected. Use the no form to restore the default value.
Command:
max-input-length length action { block-ip { permanent | second timeout | hour timeout
| day timeout } | block-service { permanent | second timeout | hour timeout | day
timeout } | log-only | reset }
no max-input-length - Restore the length to the default value.
Description:

length - Specifies the maximum length of the Telnet username and password (in bytes). The value
ranges from 6 to 1024.
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Blocks the attacker IP permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Blocks the attacker service permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the service of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

log-only - Records a log only.

reset - Resets the connection (TCP) or sends destination unreachable packets (UDP), and also
generates logs.
Default values:
length - 128 bytes
Mode:
protocol configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset telnet-cus template telnet

hostname(config-telnet-sigset)# max-input-length 30 action log-only

max-path-length

Specify the allowed maximum length of the two SMTP client command arguments, the reverse-path
(MAIL FROM) and the forward-path (RCPT TO), and the action performed when this anomaly is
detected. Use the no form to restore the default value.
Command:
max-path-length length action { block-ip { permanent | second timeout | hour timeout
| day timeout } | block-service { permanent | second timeout | hour timeout | day
timeout } | log-only | reset }
no max-path-length - Restore the length setting to the default value.
Description:
length - Specifies the maximum length of the reverse-path and forward-path arguments (in bytes),
punctuation marks included. The value ranges from 16 to 512.
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Blocks the attacker IP permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Blocks the attacker service permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the service of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

log-only - Records a log only.

reset - Resets the connection (TCP) or sends destination unreachable packets (UDP), and also
generates logs.
Default values:
length - 256 bytes
Mode:
protocol configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset smtp-cus template smtp

hostname(config-smtp-sigset)# max-path-length 128 action log-only

max-reply-line-length

Specify the allowed maximum length of SMTP server responses and the action performed when this
anomaly is detected. The carriage return and line feed are counted in the length. Use the no form
to restore the default value.
Command:
max-reply-line-length length action { block-ip { permanent | second timeout | hour
timeout | day timeout } | block-service { permanent | second timeout | hour timeout |
day timeout } | log-only | reset }
no max-reply-line-length - Restore the length setting to the default value.
Description:
length - Specifies the maximum length of SMTP server responses (in bytes). The value ranges from
64 to 1024.
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Blocks the attacker IP permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Blocks the attacker service permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the service of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

log-only - Records a log only.

reset - Resets the connection (TCP) or sends destination unreachable packets (UDP), and also
generates logs.
Default values:
length - 512 bytes
Mode:
protocol configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset smtp-cus template smtp

hostname(config-smtp-sigset)# max-reply-line-length 1024 action log-only

max-request-length

Specify the allowed maximum length of MSRPC request packets and the action performed when
discovering this kind of anomaly. Use the no form to restore the setting to the default value.
Command:
max-request-length length action { block-ip { permanent | second timeout | hour timeout
| day timeout } | block-service { permanent | second timeout | hour timeout | day
timeout } | log-only | reset }
no max-request-length - Restore the length setting to the default value.
Description:
length - Specifies the maximum length of MSRPC request packets (in bytes). The value ranges
from 16 to 65535.
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Blocks the attacker IP permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Blocks the attacker service permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the service of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

log-only - Records a log only.

reset - Resets the connection (TCP) or sends destination unreachable packets (UDP), and also
generates logs.
Default values:
length - 65535 bytes
Mode:
protocol configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset msrpc-cus template msrpc

hostname(config-msrpc-sigset)# max-request-length 60000 action log-only

max-rsp-line-length

Specify the allowed maximum length of FTP responses and the action performed when dis-
covering this kind of anomaly. Use the no form to restore the setting to the default value.
Command:
max-rsp-line-length length action { block-ip { permanent | second timeout | hour timeout |
day timeout } | block-service { permanent | second timeout | hour timeout | day timeout } |
log-only | reset }
no max-rsp-line-length - Restore the length setting to the default value.
Description:
length - Specifies the maximum length of FTP responses (in bytes). The value ranges from 5 to
1024.
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Blocks the attacker IP permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Blocks the attacker service permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the service of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

log-only - Records a log only.

reset - Resets the connection (TCP) or sends destination unreachable packets (UDP), and also
generates logs.
Default values:
length - 512 bytes
Mode:
protocol configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset test1 template ftp

hostname(config-ftp-sigset)# max-rsp-line-length 100 action log-only

max-scan-bytes

Specify the maximum number of bytes to scan. Use the no form to restore the setting to the
default value.
Command:
max-scan-bytes length
no max-scan-bytes
Description:
length - Specifies the maximum number of bytes to scan.
Default values:
length – 4096
Mode:
protocol configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset test1 template other-tcp

hostname(config-other-tcp-sigset)# max-scan-bytes 1000

max-text-line-length

Specify the allowed maximum length of a line of email text sent by the SMTP client and the action
performed when this anomaly is detected. The carriage return and line feed are counted in the
length. Use the no form to restore the default value.
Command:
max-text-line-length length action { block-ip { permanent | second timeout | hour
timeout | day timeout } | block-service { permanent | second timeout | hour timeout |
day timeout } | log-only | reset }
no max-text-line-length - Restore the length setting to the default value.
Description:

length - Specifies the allowed maximum length of a line of email text sent by the SMTP client
(in bytes). The value ranges from 64 to 2048.
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Blocks the attacker IP permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Blocks the attacker service permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the service of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

log-only - Records a log only.

reset - Resets the connection (TCP) or sends destination unreachable packets (UDP), and also
generates logs.
Default values:
length - 1000 bytes
Mode:
protocol configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset smtp-cus template smtp

hostname(config-smtp-sigset)# max-text-line-length 1024 action log-only
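The four SMTP checks above (max-path-length, max-reply-line-length, max-text-line-length and
max-failure) all reduce to counting bytes per line or error replies per session. The Python script
below is an added example, not StoneOS code or output: it replays a constructed two-sided SMTP
transcript (the "C: "/"S: " line prefixes, host names and session contents are invented for the
example) and reports which configured limit each offending line would trip, using the page's
default lengths and a max-failure of 3. Entering body mode on the client's DATA command rather
than on the server's 354 reply is a simplification of the example, not a statement about the device.

```python
"""Simplified SMTP protocol-anomaly checks modelled on the sigset parameters
max-path-length, max-reply-line-length, max-text-line-length and max-failure.
Added example, not StoneOS code; the transcript format is constructed."""
import re
from dataclasses import dataclass


@dataclass
class SmtpLimits:
    max_path_length: int = 256        # reverse-path / forward-path, punctuation included
    max_reply_line_length: int = 512  # server reply line, CR and LF counted
    max_text_line_length: int = 1000  # message body line, CR and LF counted
    max_failure: int = 0              # error replies per session; 0 = no limit


@dataclass
class Anomaly:
    check: str      # which limit was exceeded
    line_no: int    # 1-based line in the transcript
    detail: str


# MAIL FROM:<reverse-path> / RCPT TO:<forward-path>; the path keeps its angle brackets
PATH_RE = re.compile(rb"^(?:MAIL FROM|RCPT TO):\s*(<[^>]*>|\S+)", re.IGNORECASE)


def check_smtp_session(transcript: bytes, limits: SmtpLimits) -> list[Anomaly]:
    """Walk a two-sided transcript (lines prefixed b"C: " or b"S: ") and report
    every line that would trip one of the configured limits."""
    anomalies: list[Anomaly] = []
    failures = 0       # 4xx/5xx replies seen so far in this session
    in_data = False    # inside the message body between DATA and "."
    for line_no, raw in enumerate(transcript.splitlines(keepends=True), start=1):
        side, payload = raw[:1], raw[3:]          # payload keeps its CRLF on purpose
        if side == b"S":
            if len(payload) > limits.max_reply_line_length:
                anomalies.append(Anomaly("max-reply-line-length", line_no, f"{len(payload)} bytes"))
            code = payload[:3]
            if code.isdigit() and code[:1] in (b"4", b"5"):
                failures += 1
                if limits.max_failure and failures > limits.max_failure:
                    anomalies.append(Anomaly("max-failure", line_no, f"{failures} error replies"))
            continue
        if in_data:
            if payload.rstrip(b"\r\n") == b".":
                in_data = False
            elif len(payload) > limits.max_text_line_length:
                anomalies.append(Anomaly("max-text-line-length", line_no, f"{len(payload)} bytes"))
            continue
        match = PATH_RE.match(payload)
        if match:
            path = match.group(1)
            if len(path) > limits.max_path_length:
                anomalies.append(Anomaly("max-path-length", line_no, f"{len(path)} bytes"))
        elif payload.upper().startswith(b"DATA"):
            in_data = True
    return anomalies


def build_sample_transcript() -> bytes:
    """Constructed session: an oversized reverse-path, four rejected recipients
    and an overlong body line."""
    lines = [
        b"S: 220 mail.example.test ESMTP\r\n",
        b"C: EHLO client.example.test\r\n",
        b"S: 250 OK\r\n",
        b"C: MAIL FROM:<" + b"a" * 300 + b"@example.test>\r\n",
        b"S: 250 OK\r\n",
    ]
    for i in range(1, 5):
        lines += [b"C: RCPT TO:<nobody%d@example.test>\r\n" % i, b"S: 550 no such user\r\n"]
    lines += [
        b"C: RCPT TO:<bob@example.test>\r\n",
        b"S: 250 OK\r\n",
        b"C: DATA\r\n",
        b"S: 354 go ahead\r\n",
        b"C: Subject: hi\r\n",
        b"C: " + b"x" * 1100 + b"\r\n",
        b"C: .\r\n",
        b"S: 250 queued\r\n",
    ]
    return b"".join(lines)


if __name__ == "__main__":
    for a in check_smtp_session(build_sample_transcript(), SmtpLimits(max_failure=3)):
        print(f"line {a.line_no}: {a.check} ({a.detail})")
```

With the page's default max-failure of 0 the four 550 replies go unreported, which is the point of
raising that limit on a sigset that protects a mail server exposed to password guessing.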

max-uri-length

Specify the allowed maximum length of the HTTP URL and the action performed when dis-
covering this kind of anomaly. Use the no form to restore the setting to the default value.
Command:
max-uri-length length action { block-ip { permanent | second timeout | hour timeout
| day timeout } | block-service { permanent | second timeout | hour timeout | day
timeout } | log-only | reset }
no max-uri-length - Restore the length setting to the default value.
Description:
length - Specifies the allowed maximum length of the URL (in bytes). The value ranges from 64 to
4096.
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Blocks the attacker IP permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Blocks the attacker service permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the service of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

log-only - Records a log only.

reset - Resets the connection (TCP) or sends destination unreachable packets (UDP), and also
generates logs.
Default values:
length - 4096 bytes
Mode:
protocol configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# max-uri-length 1000 action log-only

max-white-list

Specify the maximum number of URLs that a Web server white list can contain. When a user
accesses a static page, the system adds the URL of this page to the white list if it finds that
the page content violates neither the external link check nor the upload path check. When a user
accesses this static page again, the URL hits the white list, which speeds up processing. Use the
no form to cancel the setting.
Command:
max-white-list size
no max-white-list
Description:
size - Specifies the maximum number of URLs that a Web server white list can contain. The value
ranges from 0 to 4096.
Default values:
0
Mode:
Web server configuration mode

Guidance:
None
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# web-server www.abc.com

hostname(config-http-web-server)# max-white-list 4096

min-character-type

Specify how many character types should be covered in the password. If the character types
covered in a password are less than the specified number, the password will be detected as a weak
password.
Command:
min-character-type number
Description:
number - Specify how many character types should be covered in the password. Value range is
from 1 to 4 types.
Default values:
number - 2 types
Mode:
Weak Password Detection configuration mode
Guidance:
None
Examples:
hostname(config)# ips profile test

hostname(config-ips-profile)# check-weakpassword

hostname(config-ips-profile-weakpass)# enable

hostname(config-ips-profile-weakpass)# min-character-type 3

pcap

When the traffic matches the signatures configured in a filter rule or a search rule, the system will
capture the packets of the traffic.
Command:
pcap enable
pcap disable
Description:
enable - Captures the abnormal packets. You can view them in the threat log.
disable - Does not capture the abnormal packets.
Default values:
disable
Mode:
Filter rule configuration mode;
search rule configuration mode.
Guidance:
None
Example:
hostname(config)# ips profile test

hostname(config-ips-profile)# pcap enable

protocol-check

Enable the protocol legality check for the signature set and configure the strictness level for the
protocol legality check.
Command:
protocol-check disable
protocol-check enable action { block-service { permanent | second timeout | hour timeout |
day timeout } | block-ip { permanent | second timeout | hour timeout | day timeout } |
log-only | reset } pcap { disable | enable }
Description:
enable - Enables the protocol legality check.
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Blocks the attacker IP permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Blocks the attacker service permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the service of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

log-only - Records a log only.

reset - Resets the connection (TCP) or sends destination unreachable packets (UDP), and also
generates logs.
pcap {disable | enable} - Use enable to capture the abnormal packets, which you can view in the
threat log. Use disable to not capture them.
Default values:
The system disables the protocol legality check.
Mode:
protocol configuration mode.

Guidance:
None
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# protocol-check strict

hostname(config-http-sigset)# protocol-check enable action log-only

protocol

Configure the protocol parameter to include signatures, related to the specified protocol, in the fil-
ter rule.
Command:
protocol {DNS | FTP | HTTP | …}

no protocol {DNS | FTP | HTTP | …}

Description:
DNS | FTP | HTTP | … - Enter the protocol name. You can press the Tab key after the protocol
parameter to see the entire protocol list.
Default values:
None
Mode:
Filter rule configuration mode;
Guidance:
None
Example:
hostname(config)# ips profile test

hostname(config-ips-profile)# filter-class 1

hostname(config-ips-filter-class)# protocol Telnet

referrer-white-list

Configure an exception URL for the Web server. Once configured, requests that refer to the Web
site from the listed URLs are allowed, and requests referring to it from any URL not on the list
are treated as violations. Use the no form to delete the URL.
Command:
referrer-white-list url_string
no referrer-white-list url_string
Description:
url_string - Specifies the exception URL for the Web server. The length of the URL is in the range
of 1 to 255 characters.
Default values:
None
Mode:
Web server configuration mode
Guidance:
You can configure up to 32 URL paths.
Example:
hostname(config)# ips sigset test_http template http

hostname(config-http-sigset)# web-server web_server1

hostname(config-web-server)# referrer-white-list www.abc.com

referrer-white-list-check

Enable and configure the referrer checking function. After configuration, the system can reset
the connection or record a log for HTTP requests that constitute hotlinking or CSRF (Cross Site
Request Forgery) attacks. Use the no form to disable the function.
Command:
referrer-white-list-check enable action {log | reset}
no referrer-white-list-check enable

Description:
log | reset - Specifies the action for the HTTP hotlinking and CSRF attack check:

• reset - When hotlinking or a CSRF attack is discovered, the system resets the connection (TCP)
or sends destination unreachable packets (UDP), and generates logs.

• log - When hotlinking or a CSRF attack is discovered, the system only generates logs.

Default values:
None
Mode:
Web server configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset test_http template http

hostname(config-http-sigset)# web-server web_server1

hostname(config-web-server)# referrer-white-list-check enable action log

response-bypass

Do not scan HTTP server response packets. Use the no form to resume scanning of the server
responses.
Command:
response-bypass
no response-bypass
Description:
None
Default values:
None
Mode:

protocol configuration mode
Guidance:
Only for HTTP protocol
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# response-bypass

reverse-shell

Enable the rebound shell detection function. With this function enabled, the system detects and
defends against rebound shell attacks. If a rebound shell attack is detected, the system will defend
it based on user-defined actions. Use the no form of this command to disable the rebound shell
detection function.
Command:
reverse-shell enable
no reverse-shell enable
Description:
None
Default values:
By default, this function is disabled.
Mode:
IPS Profile configuration mode
Guidance:
None
Examples:
hostname(config)# ips profile test

hostname(config-ips-profile)# reverse-shell enable

reverse-shell action

Specifies the defend action against the rebound shell attacks. With the rebound shell detection
function enabled, the system detects and defends against rebound shell attacks. If a rebound shell
attack is detected, the system will defend it based on user-defined actions.
Command:
reverse-shell action {log-only | reset | block-ip {permanent | second timeout | hour timeout |
day timeout}}
Description:
action {log-only | reset | block-ip {permanent | second timeout | hour timeout | day timeout}} -
Specifies the defense action against rebound shell attacks.

• log-only - The system only generates logs when it detects a rebound shell attack.

• reset - When a rebound shell attack is detected, the system resets the connection (TCP) or
sends destination unreachable packets (UDP), and then generates logs.

• block-ip {permanent | second timeout | hour timeout | day timeout} - The system blocks the
IP address of the rebound shell attacker for the configured time. permanent blocks the attacker
IP permanently; second timeout | hour timeout | day timeout specifies the duration (in seconds,
hours or days), with a value range of 60 to 3,600 seconds, 1 to 24 hours, or 1 to 15 days.

Default values:
log-only
Mode:
IPS Profile configuration mode
Guidance:

After configuring the defense action against the rebound shell attacks, make sure the rebound
shell detection function is enabled. Otherwise, the configuration is only saved but will not take
effect.
Examples:
hostname(config)# ips profile test

hostname(config-ips-profile)# reverse-shell enable

hostname(config-ips-profile)# reverse-shell action log-only

reverse-shell level

Specifies the defend mode for the rebound shell attacks. With the rebound shell detection func-
tion enabled, the system scans to detect keywords of the rebound shell attack and you need to spe-
cify the defend mode for the rebound shell attacks.
Command:
reverse-shell level {high | low}
Description:
level {high | low} - Specifies the defense mode for rebound shell attacks.

• high - When the system scans for rebound shell keywords, a log is reported once the keywords
are hit more than twice. Use this mode where attack detection requirements are high.

• low - When the system scans for rebound shell keywords, a log is reported only once the
keywords are hit more than four times. Use this mode where system performance matters more.

Default values:
low
Mode:
IPS Profile configuration mode
Guidance:

After configuring the defense action against the rebound shell attacks, make sure the rebound
shell detection function is enabled. Otherwise, the configuration is only saved but will not take
effect.
Examples:
hostname(config)# ips profile test

hostname(config-ips-profile)# reverse-shell enable

hostname(config-ips-profile)# reverse-shell level high

search-class

When configuring a signature set, you can create a search rule. And in this search rule, you can spe-
cify the desired signatures by using search conditions. Use the following command to create a
search rule and enter into the search rule configuration mode. Use the no form to delete this rule.
Command:
search-class id name name
no search-class id
Description:
id -Specifies the ID of the search rule.
name name -Specifies the name of the search rule.
Default values:
None
Mode:
IPS Profile configuration mode.
Guidance:
None
Example:
hostname(config)# ips profile test

hostname(config-ips-profile)# search-class 1 name test1

search-condition

When using a search condition to search signatures, you specify information about the signature,
and the system performs a fuzzy search across the following fields: signature ID, signature name,
CVE-ID, and signature description.
Command:
search-condition description
no search-condition description
Description:
description - Enter the information of the desired signatures.
Default values:
None
Mode:
Search rule configuration mode.
Guidance:
None
Example:
hostname(config)# ips profile test

hostname(config-ips-profile)# search-class 1

hostname(config-ips-filter-class)# search-condition DNS

sensitive-file-scan action

Specify the protection action against Sensitive File Scan attacks on Web servers. When an attacker
scans for sensitive files on a Web server, the server returns a large number of responses with
status code 404. The system counts the 404 responses returned by the Web server per minute and
takes the corresponding protection action.
Command:
sensitive-file-scan action {block-ip {permanent | second timeout | hour timeout | day timeout} |
block-service {permanent | second timeout | hour timeout | day timeout} | log-only | reset}

Description:
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Blocks the attacker IP permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the
protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Blocks the service of the attacker permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (in seconds, hours or
days) for blocking the service of the attacker. The value range is 60 to 3,600 seconds,
1 to 24 hours, or 1 to 15 days.

log-only - Only generates logs when a Sensitive File Scan is detected.
reset - When a Sensitive File Scan is detected, resets the connection (TCP) or sends destination
unreachable packets (UDP), and then generates logs.
Default value:
log-only
Mode:
Web server configuration mode
Guidance:
If the Sensitive File Scan function for Web servers is enabled after this command is configured,
the configuration takes effect. While the Sensitive File Scan function is disabled, this command
can still be configured, but the configuration does not take effect.
Examples:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# web-server www.abc.com
hostname(config-web-server)# sensitive-file-scan action block-ip second 61

sensitive-file-scan enable

Enable the Sensitive File Scan function for Web servers. In Sensitive File Scan attacks, an
attacker traverses the sites in the Web server by using a file scanning tool. This way, the attacker
can obtain sensitive information of the Web server, such as the directory structure, background
files, and backup files. Use the no form of this command to disable the Sensitive File Scan func-
tion for Web servers.
Commands:
sensitive-file-scan enable
no sensitive-file-scan enable
Description:
None
Default values:
The Sensitive File Scan function for Web servers is disabled by default.
Mode:
Web server configuration mode
Guidance:
None
Examples:
hostname(config)# ips sigset http1 template http
hostname(config-http-sigset)# web-server www.abc.com
hostname(config-web-server)# sensitive-file-scan enable

sensitive-file-scan warning-value

Specifies the threshold for the system to defend against sensitive file scanning attacks. If the num-
ber of times that URL paths match sensitive file dictionaries per minute exceeds the threshold,
the system performs the user-specified protection actions.

Command:
sensitive-file-scan warning-value value
Description:
value - Specifies the threshold for URL paths to match sensitive file dictionaries per minute. The
value range is from 10 to 100 times/min.
Default values:
10 times/ min
Mode:
Web server configuration mode
Guidance:
If the Sensitive File Scan function for Web servers is enabled after this command is configured,
the configuration takes effect. While the Sensitive File Scan function is disabled, this command
can still be configured, but the configuration does not take effect.
Examples:
hostname(config)# ips sigset http1 template http
hostname(config-http-sigset)# web-server www.abc.com
hostname(config-web-server)# sensitive-file-scan warning-value 20
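The threshold behaviour described above, as an added Python model rather than StoneOS code: dictionary hits per source are counted over a sliding one-minute window, and the configured action fires once the count exceeds warning-value. The dictionary entries, the per-source window, the action string and the request records are constructed assumptions of this example.

```python
"""Per-minute sensitive-file-scan threshold (added illustration, not StoneOS code).

Models `sensitive-file-scan warning-value`: count URL paths that match a
sensitive-file dictionary per minute per source, and once the count exceeds
the configured threshold (10..100, default 10) apply the configured action.
"""
from collections import defaultdict, deque

# Constructed stand-in for the sensitive-file dictionary (suffixes / path fragments).
SENSITIVE_PATTERNS = (".bak", ".old", ".swp", "/.git/", "/backup/", "/.env")

WINDOW_SECONDS = 60  # the guide expresses the threshold in matches per minute


def matches_dictionary(path: str) -> bool:
    """True when the request path matches an entry of the dictionary."""
    p = path.lower()
    return any(pat in p for pat in SENSITIVE_PATTERNS)


class SensitiveFileScanDetector:
    """Sliding one-minute window of dictionary hits per source address."""

    def __init__(self, warning_value: int = 10, action: str = "block-ip second 61"):
        if not 10 <= warning_value <= 100:
            raise ValueError("warning-value range is 10 to 100 times/min")
        self.warning_value = warning_value
        self.action = action                # constructed: mirrors the CLI action syntax
        self._hits = defaultdict(deque)     # src -> timestamps of dictionary hits
        self.triggered = []                 # (timestamp, src, action) events

    def observe(self, ts: float, src: str, path: str):
        """Feed one request; returns the action taken or None."""
        if not matches_dictionary(path):
            return None
        q = self._hits[src]
        q.append(ts)
        # Drop hits that fell out of the trailing one-minute window.
        while q and ts - q[0] >= WINDOW_SECONDS:
            q.popleft()
        if len(q) > self.warning_value:     # "exceeds the threshold"
            self.triggered.append((ts, src, self.action))
            q.clear()                       # start a fresh window after acting
            return self.action
        return None


def run_detector(records, warning_value=10):
    """records: iterable of (ts, src, path). Returns the list of triggered events."""
    det = SensitiveFileScanDetector(warning_value)
    for ts, src, path in sorted(records):
        det.observe(ts, src, path)
    return det.triggered


# Constructed sample: 11 dictionary hits from one source inside one minute,
# interleaved normal requests, and a slow probe spread over several minutes.
SAMPLE_RECORDS = (
    [(float(i * 3), "198.51.100.7", f"/site/index{i}.bak") for i in range(11)]
    + [(float(i * 3 + 1), "198.51.100.7", "/site/index.html") for i in range(11)]
    + [(float(i * 90), "203.0.113.9", "/site/old.old") for i in range(12)]
)

if __name__ == "__main__":
    for event in run_detector(SAMPLE_RECORDS):
        print("t=%.0fs source %s -> %s" % event)
```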

serial-character-check

Enable/disable Continuous Character Detection. After this detection is enabled, a password that has fewer than 10 characters, among which at least 8 characters are the same or in consecutive sequence, is detected as a weak password, for example 1aaaaaaaa, 1abcdefgh, or a87654321.
Commands:
Enable: serial-character-check enable
Disable: serial-character-check disable
Description:
None



Default values:
None
Mode:
Weak Password Detection configuration mode
Guidance:
By default, Continuous Character Detection is enabled.
Examples:
hostname(config)# ips profile test
hostname(config-ips-profile)# check-weakpassword
hostname(config-ips-profile-weakpass)# enable
hostname(config-ips-profile-weakpass)# serial-character-check enable
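The rule above, as an added Python check rather than StoneOS code: it reports a password shorter than 10 characters as weak when at least 8 of its characters are identical or consecutive. Treating those 8 characters as one contiguous run is an assumption of this example.

```python
"""Continuous Character Detection (added illustration, not StoneOS code).

Reproduces the rule the guide states for `serial-character-check enable`:
a password shorter than 10 characters in which at least 8 characters are
identical or form a consecutive sequence is reported as weak.  Treating the
8 characters as one contiguous run is an assumption of this example.
"""

MAX_LEN_CHECKED = 10   # rule applies only to passwords shorter than this
RUN_THRESHOLD = 8      # identical or consecutive characters needed


def longest_serial_run(s: str) -> int:
    """Length of the longest contiguous run in which each character equals,
    is one code point above, or is one code point below its predecessor
    (the same relationship must hold across the whole run)."""
    if not s:
        return 0
    best = 1
    for step in (0, 1, -1):          # repeated, ascending, descending
        run = 1
        for prev, cur in zip(s, s[1:]):
            if ord(cur) - ord(prev) == step:
                run += 1
            else:
                run = 1
            best = max(best, run)
    return best


def is_serial_weak(password: str) -> bool:
    """True when the guide's continuous-character rule flags the password."""
    if len(password) >= MAX_LEN_CHECKED:
        return False
    return longest_serial_run(password) >= RUN_THRESHOLD


if __name__ == "__main__":
    # Constructed samples: the three from the guide plus two that pass.
    for pw in ("1aaaaaaaa", "1abcdefgh", "a87654321", "1abcdefg", "correcthorse"):
        print(pw, "weak" if is_serial_weak(pw) else "ok")
```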

severity

Configure the severity parameter to include signatures, related to the specified severity, in the filter rule.
Command:
severity {Low | Medium | High}
no severity {Low | Medium | High}

Description:
Low | Medium | High - Enter the severity.
Default values:
None
Mode:
Filter rule configuration mode
Guidance:
None
Example:



hostname(config)# ips profile test
hostname(config-ips-profile)# filter-class 1
hostname(config-ips-filter-class)# severity Low

signature id

Configure the signature id parameter to include signatures, related to the specified id, in the
search rule.
Command:
signature id id
no signature id id
Description:
id - Enter the signature ID.
Default values:
None
Mode:
search rule configuration mode
Guidance:
None
Example:
hostname(config)# ips profile test
hostname(config-ips-profile)# search-class 1
hostname(config-ips-filter-class)# signature id 105001

signature-id

Configure the signature ID for the IPS white list. Use the no form to delete the signature ID.
Command:
signature-id id
no signature-id id



Description:
id - Specifies the signature ID for the IPS white list to match.
Default values:
None
Mode:
IPS white list configuration mode
Guidance:
None
Example:
hostname(config)# ips whitelist white1
hostname(config-ips-whitelist)# signature-id 105002

sigset

Add the protocol configurations to the IPS Profile. Use the no form to delete the protocol configurations from the IPS Profile.
Command:
sigset user-defined-profile
no sigset user-defined-profile
Description:
user-defined-profile - Adds the user-defined signature set to the IPS Profile.
Default values:
None
Mode:
IPS Profile configuration mode
Guidance:
None
Example:



hostname(config)# ips profile ips-profile1
hostname(config-profile)# sigset test

sql-injection

Disable the SQL injection check. Use the no form to enable the SQL injection check.
Command:
sql-injection {cookie | post | referer | uri} disable
no sql-injection {cookie | post | referer | uri} disable

Description:
{cookie | post | referer | uri} disable - Disables the specified SQL injection check, namely HTTP Cookie, HTTP Post, HTTP Referer, or HTTP URI.
Default values:
None
Mode:
Web server configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset http1 template http
hostname(config-http-sigset)# web-server web_server1
hostname(config-web-server)# sql-injection cookie disable

sql-injection-check

Enable the SQL injection check for the HTTP protocol.
Command:
sql-injection-check enable action {block-ip {permanent | second timeout | hour timeout | day timeout} | block-service {permanent | second timeout | hour timeout | day timeout} | log-only | reset}



sql-injection-check disable
Description:
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker IP is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker service is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the service of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

log-only - Only generates logs when the signature of SQL injection is matched.
reset - When the signature of SQL injection is matched, resets the connection (TCP) or sends destination unreachable packets (UDP), and then generates logs.
Default values:
By default, the sensitivity level is low.
Mode:
Web server configuration mode
Guidance:
The severity level of the SQL injection attack is critical. If no action is configured, the system only generates logs when it discovers an SQL injection attack.
Example:



hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# web-server www.abc.com

hostname(config-web-server)# sql-injection-check enable

src-ip

Configure the source IP address for the IPS white list. Use the no form to delete the IP address.
Command:
src-ip A.B.C.D | A.B.C.D/M
no src-ip
Description:
A.B.C.D | A.B.C.D/M - Specifies the source IP address for the IPS white list to match.
Default values:
None
Mode:
IPS white list configuration mode
Guidance:
None
Example:
hostname(config)# ips whitelist white1

hostname(config-ips-whitelist)# src-ip 10.1.1.1

suspicious-ua-detection

Enable/disable the Suspicious UA Detection function. With this function enabled, the system can detect suspicious information by identifying the User-Agent string in the HTTP packet.
Commands:
Enable: suspicious-ua-detection enable
Disable: suspicious-ua-detection disable
Description:



None
Default values:
This function is disabled by default.
Mode:
IPS Profile configuration mode
Guidance:
None
Examples:
hostname(config)# ips profile test
hostname(config-ips-profile)# suspicious-ua-detection enable

suspicious-ua-detection action

With the Suspicious UA Detection function enabled, use this command to specify corresponding
actions when the User-Agent string in the HTTP packet is detected as suspicious.
Command:
suspicious-ua-detection action {block-ip {permanent | second timeout | hour timeout | day timeout} | block-service {permanent | second timeout | hour timeout | day timeout} | log-only | reset}
Description:
block-ip - Specifies that the protection action is to block the IP address of the attacker.
block-service - Specifies that the protection action is to block the service of the attacker.
permanent - Specifies that the IP address or service of the attacker is blocked permanently.
second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the IP address or service of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.
log-only - Records a log.
reset - Resets the connection (TCP) or sends destination unreachable packets (UDP), and also generates logs.



Default values:
log-only
Mode:
IPS Profile configuration mode
Guidance:
If the Suspicious UA Detection function is enabled after this command has been configured, the configuration still takes effect. If the Suspicious UA Detection function is disabled, you can still configure this command, but the configuration does not take effect.
Examples:
hostname(config)# ips profile test
hostname(config-ips-profile)# suspicious-ua-detection action block-ip day 1

system

Configure the system parameter to include signatures, related to the specified system, in the filter rule.
Command:
system {Windows | Linux | FreeBSD | …}
no system { Windows | Linux | FreeBSD | …}
Description:
Windows | Linux | FreeBSD | … - Enter the OS name. You can press the Tab key after the system parameter to see the entire system list.
Default values:
None
Mode:
Filter rule configuration mode
Guidance:
None
Example:



hostname(config)# ips profile test
hostname(config-ips-profile)# filter-class 1
hostname(config-ips-filter-class)# system Linux

vr

Configure the VRouter for the IPS white list. Use the no form to delete the VRouter setting.
Command:
vr vr-name
no vr
Description:
vr-name - Specifies the VRouter for the IPS white list to match.
Default values:
None
Mode:
IPS white list configuration mode
Guidance:
None
Example:
hostname(config)# ips whitelist white1

hostname(config-ips-whitelist)# src-ip 10.1.1.1

hostname(config-ips-whitelist)# vr trust-vr

web-acl

Configure the Web site path and specify the attributes. Use the no form to disable the function.
Command:
web-acl url {static | deny}
no web-acl url
Description:



url - Specifies the Web site path.
static | deny - Specifies the attributes of the Web site path:

• static - With this attribute specified, the resources in this Web site path can only be accessed as static resources (pictures and text). Otherwise, the system will perform the actions based on the configurations of the uploading path check function (web-acl-check enable action {reset | log}).

• deny - With this attribute specified, the resources in this Web site path cannot be accessed.

Default values:
None
Mode:
Web server configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# web-server www.abc.com

hostname(config-http-web-server)# web-acl www.eee.com deny

web-acl-check

Enable the uploading path check function to prevent an attacker from uploading malicious code to the Web server. Use the no form to disable the function.
Command:
web-acl-check enable action {reset | log}
no web-acl-check enable
Description:
reset | log - Specifies the control action for the Web site uploading behavior:



• reset - If the system discovers the Web site uploading behavior, it resets the connection (TCP) or sends destination unreachable packets (UDP), and generates the logs.

• log - If the system discovers the Web site uploading behavior, it only generates the logs.

Default values:
None
Mode:
Web server configuration mode
Guidance:
The severity level of the Web site uploading behavior is Warning.
Example:
hostname(config)# ips sigset http1 template http
hostname(config-http-sigset)# web-server www.abc.com
hostname(config-http-web-server)# web-acl-check enable action reset

web-server

Create a Web server and enter the Web server configuration mode. If the name already exists, the system enters the Web server configuration mode directly. Use the no form to delete the Web server.
Command:
web-server {default | server_name}
no web-server server_name
Description:
default - Configures the default Web server. When creating an HTTP signature set, the system creates a default Web server.
server_name - Specifies the name for the created Web server. You can specify up to 21 characters.
Default values:
None



Mode:
protocol configuration mode
Guidance:

• The default Web server cannot be deleted or edited.

• You can configure up to 32 Web servers (excluding the default Web server) for each signature set.

Example:
hostname(config)# ips sigset test_http template http
hostname(config-http-sigset)# web-server web_server1
hostname(config-web-server)#

xss-injection

Disable the XSS injection check. Use the no form to enable the XSS injection check.
Command:
xss-check {cookie | post | referer | uri} disable
no xss-injection {cookie | post | referer | uri} disable

Description:
{cookie | post | referer | uri} disable - Disables the specified XSS injection check, namely HTTP Cookie, HTTP Post, HTTP Referer, or HTTP URI.
Default values:
None
Mode:
Web server configuration mode
Guidance:
None
Example:
hostname(config)# ips sigset http1 template http



hostname(config-http-sigset)# web-server web_server1
hostname(config-web-server)# xss-injection uri disable

xss-check enable

Enable the XSS injection check for the HTTP protocol.
Command:
xss-check enable action {block-ip {permanent | second timeout | hour timeout | day timeout} | block-service {permanent | second timeout | hour timeout | day timeout} | log-only | reset}
xss-check disable
Description:
block-ip {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the IP address of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker IP is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the IP address of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

block-service {permanent | second timeout | hour timeout | day timeout} - Specifies that the protection action is to block the service of the attacker, and specifies the block duration.

• permanent - Specifies that the attacker service is blocked permanently.

• second timeout | hour timeout | day timeout - Specifies the duration (by second/hour/day) for blocking the service of the attacker. The value range is 60 to 3,600 seconds / 1 to 24 hours / 1 to 15 days.

log-only - Only generates logs when this signature is matched.
reset - When this signature is matched, resets the connection (TCP) or sends destination unreachable packets (UDP), and then generates logs.



Default values:
None
Mode:
Web server configuration mode
Guidance:
The severity level of the XSS injection attack is Critical. If you configure no action, the system
will only record the logs.
Example:
hostname(config)# ips sigset http1 template http

hostname(config-http-sigset)# web-server www.abc.com

hostname(config-web-server)# xss-check enable

show ips

Display the configurations about IPS.


Command:
show ips configuration – Shows all information of IPS configurations. (Non-root VSYS does not support this command.)
show ips profile [profile-name] [signature-class signature-class-id] – Shows all information of IPS Profiles.
show ips sigset [sigset-name] – Shows all information of IPS protocol configurations.
show ips sigset sigset-name web-server server-name http-request-flood auth-ck – Shows the corresponding information of the authentication of HTTP request flood protection.
show ips sigset sigset-name web-server server-name http-request-flood ip-top {max-rate | total} – For HTTP request flood protection, shows the maximum rate ranking of the source IP addresses and the total number ranking.
show ips sigset sigset-name web-server server-name http-request-flood req-stat {overview {by-day | by-hour | by-minute | by-second} | protect {by-day | by-hour | by-minute | by-second} | top} – For HTTP request flood protection, shows the overview, protection information, and requested URL ranking.



show ips status – Shows the status of IPS.
show ips zone-binding – Shows the binding between the security zones and IPS Profiles.
Description:
sigset-name - Specifies the name of the protocol that you want to display.
profile-name - Specifies the name of the IPS profile that you want to display.
signature-class-id - Specifies the ID of the search rule or filter rule that you want to display.
web-server server-name - Specifies the name of the Web server that you want to display.
ip-top {max-rate | total} - Shows the maximum rate ranking of source IP addresses and the total
number ranking.
req-stat overview {by-day | by-hour | by-minute | by-second} - Shows the overview of the packets, including the request count, the request counts of the different methods (GET and POST), the response count, and the response counts of the different status classes (4XX and 5XX). You can show the information by day, hour, minute, or second.
protect {by-day | by-hour | by-minute | by-second} - Shows the protection information of the
packets, including request numbers, response numbers, and other information.
top - Shows the requested URL ranking.
Default values:
None
Mode:
any mode
Guidance:
The show ips sigset sigset-name web-server server-name http-request-flood req-stat top command takes effect only after the http-request-flood statistics enable command has been executed.
Example:
hostname(config)# show ips sigset
Total count: 53
============================================================
IPS signature set dhcp
Default actions:
Attack-level  Action  Block    Seconds
INFO          log     noblock  0
WARNING       log     noblock  0
CRITICAL      log     noblock  0
Max scan bytes per direction: 0(Unlimited)
Used by 1 IPS profiles:
test
-----------------------------------------------------------



Abnormal Behavior Detection

Overview
There are various threat attacks in networks, such as Web server attacks, DoS flood attacks, application layer attacks, port/server scan attacks, amplification attacks, SSL attacks, and so on. These threats exhibit a wide variety of abnormal behaviors. The system provides an abnormal behavior detection function based on security zones. This function inspects the sessions of the detected object across multiple factors. When one detected object has multiple abnormal parameters, the system analyzes the relationship among the abnormal parameters to see whether an abnormal behavior has formed. If there is an abnormal behavior, the system sends an alarm message and generates the threat log(s).
The following concepts are used in Abnormal Behavior Detection:

• Detected object: The protected objects configured in the Host Defender in this chapter and the protected objects configured in critical assets.

• Parameter: The basic statistical factor of a session, for example, the received bytes of inbound sessions per second. The statistical values of the parameters are used by the system to judge whether the detected object is abnormal or not.

• Baseline: The baseline is the benchmark for the parameters. The value of the baseline is calculated by the system according to the historical data.

• Abnormal behavior model database: The abnormal behavior model database includes the abnormal information of the traffic, that is, the detection rules, the description of the abnormalities, the reason for the abnormalities, and the suggestions. The information in the database helps you analyze and resolve the abnormal problems. By default, the system updates the database at a certain time every day, and you can modify the update settings according to your own requirements. For more information about how to update, see Updating Abnormal Behavior Model Database. To assure a proper connection to the default update server, you need to configure a DNS server for the system before updating.



Configuring Abnormal Behavior Detection
To enable the abnormal behavior detection function on the system, take the following steps:

1. Make sure your system version supports abnormal behavior detection.

2. Import a StoneShield license and reboot. The abnormal behavior detection will be enabled after the reboot.

Enabling/Disabling Abnormal Behavior Detection

To enable the zone-based abnormal behavior detection function, in the zone configuration mode, use the following command. By default, the abnormal behavior detection function detects the entire network covered by this security zone.
anomaly-detection [host-enable [advanced-protection] [ddos-protection]] | [forensic]

• host-enable – Enables the Host Defender function for the specific zone. For each host identified by host name, the system establishes a data model, analyzes the network behavior of the host, defines the corresponding signature dimension for each kind of network behavior, and then detects the abnormal behavior of the host based on the signature dimension, in order to find more hidden threat attacks. When the Host Defender function is enabled, neither the DDoS protection function nor the abnormal behavior detection of the HTTP factor is enabled by default. To enable the abnormal behavior detection of the HTTP factor, use the advanced-protection parameter. To enable DDoS protection, use the ddos-protection parameter; currently, you can defend against the following types of DDoS attacks: Zip of Death, SSL DDoS, DDoS Flood, DDoS Sockstress, DDoS Reflect, Application DDoS, and DNS Query Flood.

• forensic – Captures packets. If this parameter is specified, the system saves the evidence messages.

To disable the function, in the zone configuration mode, use the following command:
no anomaly-detection [host-enable [advanced-protection | ddos-protection]] [forensic]



DNS Mapping

DNS, the domain name resolution protocol, is designed to resolve fixed domain names to IP addresses. Because domain names are convenient and widely used, attackers take various approaches to using domain names to generate attacks. For example, one IP address can correspond to multiple domain names, and the server finds the target URL according to the Host field of the HTTP packet; malware can exploit this feature by modifying the Host field to disguise the domain name, generating abnormal behavior. A DGA (domain generation algorithm) generates a large number of pseudo-random domain names, which are used by malware. ISP DNS hijacking adds some of the malicious domain names used by malicious software to its blacklist.
To address these problems, DNS domain name analysis can be used as an important basis for determining malicious behavior. After the abnormal behavior detection function is enabled, the system monitors DNS response packets and establishes the DNS mapping list. The DNS mapping list stores domain names and IP addresses, the pseudo-random domain names generated by DGA algorithms, and the black and white domain names updated from the cloud. The device can detect malware and abnormal-behavior attacks according to the DNS mapping and generate threat logs.

Viewing the Entry of DNS Mapping

To view the number of domain name entries in the DNS mapping, in any mode, use the following command:
show dns-mapping

Viewing Detection Status of DoS Attacks

To view the detection status of DoS attacks, in any mode, use the following command:
show anomaly-detection ddos status

Updating Abnormal Behavior Model Database

By default, the system updates the abnormal behavior model database every day automatically. You can change the update configuration as needed. The configurations for updating the abnormal behavior model database include:

• Configuring an abnormal behavior model update mode

• Specifying an automatic update period

• Updating now

• Importing an abnormal behavior model file

• Viewing abnormal behavior model update information

Configuring an Abnormal Behavior Model Update Mode

The system supports both manual and automatic (periodic) update modes. To configure an abnormal behavior model update mode, in the global configuration mode, use the following command:
cloud abnormal-behavior-detection mode {1 | 2}

• 1 – manual. Specifies the manual update mode.

• 2 – period. Specifies the automatic (periodic) update mode.

Specifying an Automatic Update Period

To specify an automatic update period, in the global configuration mode, use the following command:
cloud abnormal-behavior-detection period period

• period - Specifies the automatic update period. The range is 600 to 86400 seconds.

Updating Now

For both manual and automatic update modes, you can update the abnormal behavior model database immediately as needed. To update the abnormal behavior model database now, in any mode, use the following command:
exec cloud abnormal-behavior-detection update

• exec cloud abnormal-behavior-detection update – Only updates the incremental part between the current abnormal behavior model database and the latest abnormal behavior model database released by the update server.

Importing an Abnormal Behavior Model File

In some cases, your device may be unable to connect to the update server to update the abnormal behavior model database. To solve this problem, the system provides the abnormal behavior model file import function, i.e., importing the abnormal behavior model files to the device from an FTP server, a TFTP server or a USB disk, so that the device can update the abnormal behavior model database locally. To import the abnormal behavior model file, in the execution mode, use the following command:
import cloud abnormal-behavior-detection from {ftp server ip-address [user user-name password password] | tftp server ip-address} [vrouter vr-name] file-name

• ip-address – Specifies the IP address of the FTP or TFTP server.

• user user-name password password – Specifies the username and password of the FTP server.

• vrouter vr-name – Specifies the VRouter through which the FTP or TFTP server is reached.

• file-name – Specifies the name of the abnormal behavior model file to be imported.

Viewing Abnormal Behavior Model Update Information

To view the abnormal behavior model update information, in any mode, use the following command:
show cloud abnormal-behavior-detection update



Advanced Threat Detection

Overview
Advanced Threat Detection analyzes the suspicious traffic of hosts on the basis of learned advanced threat detection signatures, detects malicious behavior to identify APT (Advanced Persistent Threat) attacks, and generates threat logs.
You need to update the malware behavior model database before enabling the function for the first time. For more information about how to update, see Updating Malware Behavior Model Database.

Configuring Advanced Threat Detection

To enable the advanced threat detection function on the system, take the following steps:

1. Make sure your system version supports advanced threat detection.

2. Import a StoneShield license and reboot. The advanced threat detection will be enabled after the reboot.

To configure the zone-based advanced threat detection, in the zone configuration mode, use the following command:
malware-detection [forensic]

• malware-detection – Enables the advanced threat detection for the specific zone.

• forensic – Captures packets. If this parameter is specified, the system saves the evidence messages and supports downloading them.

To disable the function, in the zone configuration mode, use the following command:
no malware-detection [forensic]



Updating Malware Behavior Model Database
By default, the system updates the malware behavior model database every day automatically. You can change the update configuration as needed. The configurations for updating the malware behavior model database include:

• Configuring a malware behavior model update mode

• Specifying an automatic update period

• Updating now

• Importing a malware behavior model file

• Viewing malware behavior model update information

Configuring a Malware Behavior Model Update Mode

The system supports both manual and automatic (periodic) update modes. To configure a malware behavior model update mode, in the global configuration mode, use the following command:
cloud advanced-threat-detection mode {1 | 2}

• 1 – manual. Specifies the manual update mode.

• 2 – period. Specifies the automatic (periodic) update mode.

Specifying an Automatic Update Period

To specify an automatic update period, in the global configuration mode, use the following command:
cloud advanced-threat-detection period period

• period - Specifies the automatic update period. The range is 600 to 86400 seconds.



Updating Now

For both manual and automatic update modes, you can update the malware behavior model database immediately as needed. To update the malware behavior model database now, in any mode, use the following command:
exec cloud advanced-threat-detection update

• exec cloud advanced-threat-detection update – Only updates the incremental part between the current malware behavior model database and the latest malware behavior model database released by the update server.

Importing a Malware Behavior Model File

In some cases, your device may be unable to connect to the update server to update the malware behavior model database. To solve this problem, the system provides the malware behavior model file import function, i.e., importing the malware behavior model files to the device from an FTP server, a TFTP server or a USB disk, so that the device can update the malware behavior model database locally. To import the malware behavior model file, in the execution mode, use the following command:
import cloud advanced-threat-detection from {ftp server ip-address [user user-name password password] | tftp server ip-address} [vrouter vr-name] file-name

• ip-address – Specifies the IP address of the FTP or TFTP server.

• user user-name password password – Specifies the username and password of the FTP server.

• vrouter vr-name – Specifies the VRouter through which the FTP or TFTP server is reached.

• file-name – Specifies the name of the malware behavior model file to be imported.



Viewing Malware Behavior Model Update Information

To view the malware behavior model update information, in any mode, use the following command:
show cloud advanced-threat-detection update



Perimeter Traffic Filtering

Overview
Perimeter Traffic Filtering filters the perimeter traffic based on known risk IP, MAC or service lists, and takes a logging or block action on malicious traffic that hits a risk IP, MAC or service list.
The risk IP list includes the following three types:

• IP Blacklist: The system supports Static IP Blacklist, Blacklist Library, Dynamic IP Blacklist, Real IP Blacklist, and Hit Statistics.

• Service Blacklist: After services are added to the service blacklist, the system blocks the service until the block duration ends.

• MAC Blacklist: Adding the MAC address of a host to the blacklist prevents that host from accessing the network during the specified period.

• IP Reputation list: Retrieves the risk IP list (such as Botnet, Spam, Tor nodes, Compromised, Brute-forcer, and so on) from the Perimeter Traffic Filtering signature database.

• Configuration: Blacklist global configuration, including Blacklist Log and Session Rematch.

You need to update the IP reputation database before enabling the IP Reputation function for the first time. For more information about how to update, see Updating IP Reputation Database.

Configuring Perimeter Traffic Filtering


Before enabling the Perimeter Traffic Filtering function on the system, make sure your StoneOS version supports Perimeter Traffic Filtering.

Enabling/Disabling Perimeter Traffic Filtering

To enable perimeter traffic filtering and enter the perimeter traffic filtering configuration mode, in the global configuration mode, use the following command:



perimeter-traffic-filtering

Configuring Static IP Blacklist

The static IP blacklist blocks the specified IP addresses or prevents hosts from accessing the network during the specified period.
To configure the static IP blacklist, in the perimeter traffic filtering configuration mode, use the following command:
blacklist ip id id {address {address-book address-book | start-ip end-ip | ip-prefix/mask} | user [user | user-group | role] server-name user-name} [vrouter vrouter-name] | [zone zone-name] [schedule schedule-name] [enable | disable]

l id id - Specify the ID of static IP blacklist.

l address-book address-book - Specify the reference address book name of the static IP black-
list.

l start-ip end-ip - Specify the IPv4/IPv6 address range of the static IP blacklist.

l ip-prefix/mask - Specifies the IP address and the netmask of the static IP blacklist.

l user [ user | user-group | role ]- Specifies the user type of the static IP blacklist, include user,
user group or role.

l server-name- Specifies the AAA server name that the user belongs to.

l user-name- Specifies the user name of the static IP blacklist.

l vrouter vrouter-name] | [zonezone-name - Specify the blacklist applied to zone or Virtual


Router. If not specified, the blacklist will apply to global.

l schedule schedule-name - Specifies the schedule that has been configured in the system. If
this parameter is specified, the system will block the host from accessing the network during
the specified period; if this parameter is not specified, the system will permanently block the

Chapter 12 Threat Prevention 2010


host from accessing the network. For more information about how to create a schedule, see
“Creating a Schedule” of “System Management”.

l enable | disable – Enables or disables the static IP blacklist. By default, all the entries in the
static IP blacklist are enabled.

To delete the static IP blacklist entry, in the perimeter traffic filtering configuration mode, use the
following command:
no blacklist ip id id
To view the static IP blacklist information, in any mode, use the following command:
show perimeter-traffic-filtering blacklist ip

Configuring Redundancy Check of Static IP Blacklist

The system can check for conflicts among blacklist entries, that is, whether entries
overshadow each other.
To start the redundancy check of the static IP blacklist, in any mode, use the following command:
exec perimeter-traffic-filtering blacklist-ip redundancy-check start
To stop the redundancy check of the static IP blacklist, in any mode, use the following command:
exec perimeter-traffic-filtering blacklist-ip redundancy-check stop
To view the result of the redundancy check, in any mode, use the following command:
show perimeter-traffic-filtering blacklist-ip redundancy
To clear the result of the redundancy check, in any mode, use the following command:
exec perimeter-traffic-filtering blacklist-ip redundancy-check clear

Configuring MAC Blacklist

Add the MAC address of a host to the blacklist to prevent that host from accessing the network
during the specified period.
To configure the MAC blacklist, in the perimeter traffic filtering configuration mode, use the
following command:
blacklist mac id id address address [schedule schedule-name] [enable | disable]

• id id – Specifies the ID of the MAC blacklist entry.

• address address – Specifies the MAC address of the host to be added to the blacklist.

• schedule schedule-name – Specifies a schedule that has been configured in the system. If
this parameter is specified, the system blocks the host from accessing the network during
the specified period; if it is not specified, the system blocks the host from accessing the
network permanently. For more information about how to create a schedule, see
"Creating a Schedule" of "System Management".

• enable | disable – Enables or disables the MAC blacklist entry. By default, all entries in the
MAC blacklist are enabled.

To delete a MAC blacklist entry, in the perimeter traffic filtering configuration mode, use the
following command:
no blacklist mac id id
To view the MAC blacklist information, in any mode, use the following command:
show perimeter-traffic-filtering blacklist ip

Configuring Blacklist Library

The system supports importing/exporting the blacklist library file, updating the blacklist from a
specified server, and specifying the rules of the blacklist library.
To configure the blacklist library, in the perimeter traffic filtering configuration mode, use the
following command:
blacklist lib [vrouter vrouter-name | zone zone-name] [enable | disable]

• vrouter vrouter-name | zone zone-name – Specifies the zone or virtual router that the blacklist
applies to. If not specified, the blacklist applies globally.

• enable | disable – Enables or disables the blacklist library. By default, the blacklist library is
enabled.

To import the blacklist library file, in the perimeter traffic filtering configuration mode, use the
following command:
import blacklist lib {add | cover} from {ftp server ip-address [user user-name password password]
| tftp server ip-address} [vrouter vrouter-name] file-name

• add | cover – Specifies the update mode of the blacklist library: add means Incremental Import,
cover means Overwrite Import.

• ftp server ip-address [user user-name password password] – Specifies the IP address, username
and password of the FTP server.

• tftp server ip-address – Specifies the IP address of the TFTP server.

• vrouter vrouter-name – Specifies the VRouter of the FTP or TFTP server.

• file-name – Specifies the name of the blacklist library file to be imported from the FTP or
TFTP server.

• http | https – Specifies that the HTTP or HTTPS server is used to update the blacklist library.

• url url – Specifies the URL of the HTTP or HTTPS server. The URL must be 1 to 255
characters in length. The URL of an HTTP server must start with "http://" and the URL
of an HTTPS server must start with "https://".

• vrouter vrouter-name – Specifies the VRouter to which the HTTP or HTTPS server belongs.

Notes:
• The blacklist library file to be imported or automatically updated must be
in TXT or CSV format. (This limit applies only to the FTP or TFTP server.)

• The size of the blacklist file to be imported or automatically updated cannot
be larger than 20 MB.

• The blacklist library files to be imported or automatically updated are
checked for redundancy in the order of import. If the imported entries are
completely covered by the entries imported earlier, the import fails.

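The redundancy check of the static IP blacklist described earlier, and the import-order rule in the Notes above, can be reproduced offline before a list is pushed to the device. The following is an added example and not part of the StoneOS guide or its code; it assumes nothing about the device and uses only the Python standard library with a constructed sample list. Each entry is converted to an integer address interval, and an entry is reported as redundant when it is fully covered by the union of the entries that precede it in import order (a wider entry that comes after a narrower one is not redundant, which is why order matters).

```python
import ipaddress
from typing import List, Tuple

# Entries use the address forms the static blacklist command accepts:
# a prefix/mask, a "start-ip end-ip" range (written here as "start-end"), or a single host.


def parse_entry(entry: str) -> Tuple[int, int, int]:
    """Return (ip_version, first_address, last_address) as integers for one entry."""
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    if "-" in entry:
        start_s, end_s = (part.strip() for part in entry.split("-", 1))
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if start.version != end.version or start > end:
            raise ValueError(f"invalid range: {entry}")
        return start.version, int(start), int(end)
    host = ipaddress.ip_address(entry)
    return host.version, int(host), int(host)


def merge_intervals(intervals: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Merge overlapping or adjacent [first, last] intervals into a sorted, disjoint list."""
    merged: List[Tuple[int, int]] = []
    for first, last in sorted(intervals):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def is_covered(first: int, last: int, merged: List[Tuple[int, int]]) -> bool:
    """True when [first, last] lies entirely inside one merged interval."""
    return any(lo <= first and last <= hi for lo, hi in merged)


def redundancy_check(entries: List[str]) -> List[Tuple[int, str]]:
    """Walk entries in import order; report (position, entry) for those fully
    covered by the entries imported before them (IPv4 and IPv6 kept separate)."""
    earlier = {4: [], 6: []}
    redundant: List[Tuple[int, str]] = []
    for position, entry in enumerate(entries, start=1):
        version, first, last = parse_entry(entry)
        if is_covered(first, last, merge_intervals(earlier[version])):
            redundant.append((position, entry))
        earlier[version].append((first, last))
    return redundant


if __name__ == "__main__":
    # Constructed sample list, not taken from any real device.
    sample = [
        "10.0.0.0/8",
        "10.1.2.3",                      # single host inside 10.0.0.0/8
        "192.168.1.0/24",
        "192.168.0.0/16",                # wider than an earlier entry: not redundant
        "203.0.113.0-203.0.113.9",
        "203.0.113.10-203.0.113.20",
        "203.0.113.5-203.0.113.15",      # covered only by the union of the two ranges above
        "2001:db8::/32",
        "2001:db8::1",
    ]
    for position, entry in redundancy_check(sample):
        print(f"entry {position} ({entry}) is fully covered by earlier entries")
```

Run as-is to list the redundant positions of the sample; to check a real list, feed it the entries in the order they will be imported.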
To export the blacklist library file, in the perimeter traffic filtering configuration mode, use the
following command:
export blacklist lib to {ftp server ip-address [user user-name password password] | tftp server
ip-address} [vrouter vrouter-name] file-name

• ftp server ip-address [user user-name password password] – Specifies the IP address, username
and password of the FTP server.

• tftp server ip-address – Specifies the IP address of the TFTP server.

• vrouter vrouter-name – Specifies the VRouter of the FTP or TFTP server.

• file-name – Specifies the name of the blacklist library file to be exported.

To configure the blacklist library auto update mode, in the perimeter traffic filtering configuration
mode, use the following command:
blacklist lib update {add | cover} from {ftp server ip-address [user user-name password password]
| tftp server ip-address} [vrouter vrouter-name] file-name

• add | cover – Specifies the update mode of the blacklist library: add means Incremental Import,
cover means Overwrite Import.

• ftp server ip-address [user user-name password password] – Specifies the IP address, username
and password of the FTP server.

• tftp server ip-address – Specifies the IP address of the TFTP server.

• vrouter vrouter-name – Specifies the VRouter of the FTP or TFTP server.

• file-name – Specifies the name of the blacklist library file to be imported.

To configure the frequency and time of the blacklist library auto update, in the perimeter traffic
filtering configuration mode, use the following command:
blacklist lib update schedule {daily [HH:MM] | weekly {mon | tue | wed | thu | fri | sat | sun}
[HH:MM] | interval time-value}

• daily – Updates the blacklist library every day.

• weekly {mon | tue | wed | thu | fri | sat | sun} – Updates the blacklist library every week.
The parameter mon | tue | wed | thu | fri | sat | sun specifies the day of the week.

• HH:MM – Specifies the time of the update, for example, 09:00.

• interval – Updates the blacklist library at the specified period.

• time-value – Specifies the period; the range is 30 to 10080 minutes.

To clear the current blacklist library file and the current VSYS blacklist library loaded in memory,
in any mode, use the following command:
clear perimeter-traffic-filtering blacklist lib
To view the blacklist library information, in any mode, use the following command:
show perimeter-traffic-filtering blacklist lib
To view the configuration of the blacklist library auto update, in any mode, use the following
command:
show blacklist lib update

Configuring Dynamic IP Blacklist

After an IP address is added to the global blacklist, the system blocks that IP address and service
until the block duration ends.
To configure the dynamic IP blacklist, in the perimeter traffic filtering configuration mode, use
the following command:
exec block-ip add {{ip | ipv6} ip-address | user [ user | user-group | role ] server-name
user-name} [vrouter vrouter-name] [timeout timeout-value]

• {ip | ipv6} ip-address – Specifies the IP address to be blocked. Both IPv4 and IPv6 addresses
are supported.

• user [ user | user-group | role ] – Specifies the user type to be blocked: user, user group, or role.

• server-name – Specifies the AAA server name to which the user belongs.

• user-name – Specifies the user name.

• vrouter vrouter-name – Specifies the virtual router to which the IP address belongs.

• timeout timeout-value – Specifies the duration for which the IP address is blocked.
The value ranges from 60 to 1,296,000 seconds. If the block duration is not configured,
the IP address is blocked permanently by default.

To delete a dynamic IP blacklist entry, in the perimeter traffic filtering configuration mode, use the
following command:
exec block-ip remove {ip | ipv6} ip-address [vrouter vrouter-name]
To view the dynamic IP blacklist information, in any mode, use the following command:
show block-ip {ip | ipv6} ip-address

Configuring Real IP Blacklist

Generally, you can determine the IP address of the client by checking the HTTP packet.
However, if the proxy is configured on the client, the source IP contained in the HTTP packet
will be the IP address of the proxy server, rather than the real client IP address. In this case, when
an attack is detected, the system blocks the IP address of the proxy server, making all services
unavailable. To solve this problem, you can determine the real IP address of the client by parsing
the X-Forwarded-For and X-Real-IP fields in the HTTP packet. The X-Forwarded-For field is
used to record the real IP address of the client and the IP addresses of the proxy servers of dif-
ferent levels. The X-Real-IP field is only used to record the real IP address of the client.
After adding the real IP address of the client to the Real IP Blacklist, the system will perform the
block action to that IP address until the block duration ends.
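
Worked example of the real-client-IP logic described above, added here and not code from the StoneOS guide or its implementation. The function walks X-Forwarded-For from the proxy nearest the device backwards, trusts only hops that belong to an operator-supplied proxy list (trusted_proxies, a parameter of this example), and prefers X-Real-IP when a trusted proxy set it. The caveat it encodes is that a client can write anything into these headers, so only the hop appended by a proxy you control is reliable; taking the leftmost value without that check could block an address that never sent the traffic. Uses only the Python standard library; the header values in the demo are constructed.

```python
import ipaddress
from typing import Dict, Iterable


def _parse_ip(text: str):
    """Parse one header token into an IP address; None for empty or malformed tokens."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def real_client_ip(peer_ip: str, headers: Dict[str, str], trusted_proxies: Iterable[str]) -> str:
    """Determine the address to attribute an HTTP request to.

    * If the TCP peer is not one of our trusted proxies, the headers are ignored:
      a client talking to us directly can write anything into them.
    * If a trusted proxy set X-Real-IP, use it.
    * Otherwise walk X-Forwarded-For from the right (the hop appended by the
      nearest proxy) to the left, skipping trusted proxies; the first address
      that is not a trusted proxy is the client. Values further left were
      supplied by untrusted parties and are never used.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    peer = ipaddress.ip_address(peer_ip)

    def is_trusted(addr) -> bool:
        return any(addr in net for net in trusted)

    if not is_trusted(peer):
        return str(peer)

    lowered = {name.lower(): value for name, value in headers.items()}

    real_ip = _parse_ip(lowered.get("x-real-ip", ""))
    if real_ip is not None:
        return str(real_ip)

    for token in reversed(lowered.get("x-forwarded-for", "").split(",")):
        addr = _parse_ip(token)
        if addr is None:
            break  # malformed hop: stop walking and fall back to the peer address
        if not is_trusted(addr):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    # Constructed request: a client-supplied fake entry on the left, the real client,
    # then an internal proxy hop; 10.0.0.0/8 is the assumed trusted proxy range.
    headers = {"X-Forwarded-For": "203.0.113.99, 198.51.100.9, 10.0.0.6"}
    print(real_client_ip("10.0.0.5", headers, ["10.0.0.0/8"]))   # 198.51.100.9
    print(real_client_ip("203.0.113.7", headers, ["10.0.0.0/8"]))  # 203.0.113.7 (direct, headers ignored)
```
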
To configure the real IP blacklist, in the global configuration mode, use the following command:
exec block-real-ip add {ip | ipv6} ip-address [vrouter vrouter-name] [timeout timeout-value]

• {ip | ipv6} ip-address – Specifies the IP address to be blocked. Both IPv4 and IPv6 addresses
are supported, but an IPv6 address can be specified only when the system version is IPv6.

• vrouter vrouter-name – Specifies the virtual router to which the blocked IP address belongs.

• timeout timeout-value – Specifies the duration for which the IP address is blocked.
The value ranges from 60 to 1,296,000 seconds. If the block duration is not configured,
the IP address is blocked permanently by default.

To delete a real IP blacklist entry, in the global configuration mode, use the following
command:
exec block-real-ip remove {ip | ipv6} ip-address [vrouter vrouter-name]
To view information about the real IP blacklist, in the global configuration mode, use the
following command:
show block-real-ip [{ip | ipv6} ip-address]

• {ip | ipv6} ip-address – Displays the real IP blacklist entry of the specified IP address. Both
IPv4 (ip) and IPv6 (ipv6) addresses are supported, but an IPv6 address can be specified only
when the system version is IPv6. If this parameter is not specified, all real IP blacklist entries
are displayed.

Configuring Service Blacklist

After a service is added to the service blacklist, the system blocks that service until the block
duration ends.

To configure the service blacklist, in the perimeter traffic filtering configuration mode, use the
following command:
exec block-service add [src-ip src-ip | src-ipv6 src-ipv6] [dst-ip dst-ip | dst-ipv6 dst-ipv6]
[vrouter vrouter-name] drt-port port-number proto protocol [timeout timeout-value]

• src-ip src-ip | src-ipv6 src-ipv6 – Specifies the source IP address of the blocked service.

• dst-ip dst-ip | dst-ipv6 dst-ipv6 – Specifies the destination IP address of the blocked service.

• vrouter vrouter-name – Specifies the virtual router that the IP address belongs to.

• drt-port port-number – Specifies the port number of the blocked service. The range is 1 to 65535.

• proto protocol – Specifies the protocol of the blocked service.

• timeout timeout-value – Specifies the blocking duration of the blacklist entry. The value range is
60 to 1296000 seconds. When the duration is not configured, the default is permanent.

To delete a service blacklist entry, in the perimeter traffic filtering configuration mode, use the
following command:
exec block-service remove [src-ip src-ip | src-ipv6 src-ipv6] [dst-ip dst-ip | dst-ipv6 dst-ipv6]
[vrouter vrouter-name] drt-port port-number proto protocol
To view the service blacklist information, in any mode, use the following command:
show block-service vrouter vrouter-name

Enabling Log of Blacklist

To enable or disable the blacklist log, in the perimeter traffic filtering configuration mode, use the
following command:

• Enable: log enable

• Disable: log disable

Configuring Session Rematch of Blacklist

When you add, modify or delete a blacklist entry, existing sessions are matched against the
blacklist again so that the best-matching entry applies.

To configure session rematch of the blacklist, in the perimeter traffic filtering configuration mode,
use the following command:

• Enable: session rematch ptf enable

• Disable: session rematch ptf disable

Viewing the Hit Count Statistics of Blacklist

To view the hit count statistics of the blacklist, in any mode, use the following command:
show perimeter-traffic-filtering blacklist hit-info {all | ip ip-address [vrouter vrouter-name |
zone zone-name]}

Clearing the Hit Count Statistics of Blacklist

To clear the hit count statistics of the blacklist, in any mode, use the following command:
clear perimeter-traffic-filtering blacklist hit-info {all | ip ip-address [vrouter vrouter-name |
zone zone-name]}

Viewing the Blacklist Log

To view the blacklist log information, in any mode, use the following command:
show perimeter-traffic-filtering blacklist log

Enabling/Disabling IP BlackList TCP Reset

After the IP BlackList TCP Reset function is enabled, the system sends a TCP RST packet to
the IP address of TCP traffic that hits the blacklist, thereby blocking the IP address.
To enable the IP BlackList TCP Reset function, in the perimeter traffic filtering configuration
mode, use the following command:
blacklist ip tcp-reset enable
To disable the IP BlackList TCP Reset function, in the perimeter traffic filtering configuration
mode, use the following command:
no blacklist ip tcp-reset enable

Viewing the Status of IP BlackList TCP Reset

To view the status of the IP BlackList TCP Reset function, in any mode, use the following com-
mand:
show perimeter-traffic-filtering blacklist ip tcp-reset

Configuring IP Reputation Filtering

By default, StoneOS updates the IP reputation database every day automatically. You can change
the update configuration as needed. The configuration of updating the IP reputation database
includes:

• Enabling IP Reputation Filtering

• Configuring an IP reputation update mode

• Configuring an update protocol

• Configuring an update server

• Specifying an update schedule

• Updating now

• Importing an IP reputation file

• Viewing IP reputation information

• Viewing IP reputation update information

Notes: To upgrade the IP reputation database, install the IP reputation license and
reboot. The IP reputation database upgrade function is available only after the
device is rebooted.

Enabling IP Reputation Filtering

To enable IP reputation filtering and enter the IP reputation filtering configuration mode, in
the perimeter traffic filtering configuration mode, use the following command:
ip-reputation
To enable the IP reputation filtering function and specify an action for malicious traffic that
hits the blacklist, in the IP reputation filtering configuration mode, use the following command:
category {bot | brute-forcer | compromised | ddos-attacker | proxy | scanner | spam |
tornode} action {drop | log-only | block-ip timeout}

• bot | brute-forcer | compromised | ddos-attacker | proxy | scanner | spam | tornode – Specifies
the IP reputation category: Botnet, Brute-forcer, Compromised, DDoS attacker,
Proxy, Scanner, Spam or Tor nodes.

• drop – Drops the packets if the malicious traffic hits the IP Reputation list.

• log-only – Only generates logs if the malicious traffic hits the IP Reputation list.

• block-ip timeout – Blocks the IP address for the specified duration if the malicious traffic hits
the IP Reputation list.

To disable the IP reputation filtering function, in the IP reputation filtering configuration mode, use
the following command:
no category {bot | brute-forcer | compromised | ddos-attacker | proxy | scanner | spam |
tornode}

Configuring an IP Reputation Update Mode

The system supports both manual and automatic update modes. To configure the IP reputation
update mode, in the global configuration mode, use the following command:
ip-reputation update mode { auto | manual }

• auto – Specifies the automatic IP reputation update mode. This is the default mode.

• manual – Specifies the manual IP reputation update mode.

To restore the default mode, in the global configuration mode, use the following command:
no ip-reputation update mode

Configuring an Update Protocol

The system supports updating the signature database through HTTP and HTTPS; the default
protocol is HTTPS. To configure the update protocol as HTTP, in the global configuration
mode, use the following command:
geolocation-IP-signature update protocol HTTP
In the global configuration mode, use the command no geolocation-IP-signature update protocol
HTTP to restore the default value.

Configuring an Update Server

The system provides two default update servers: update1.hillstonenet.com and
update2.hillstonenet.com. You can also configure up to three other update servers from which to
download the latest IP reputation database as needed. To configure an update server, in the global
configuration mode, use the following command:
ip-reputation update { server1 | server2 | server3 } { ip-address | domain-name }

• server1 | server2 | server3 – Specifies the update server you want to configure. Both IPv4
and IPv6 addresses are supported for the update server address. The default value of
server1 is update1.hillstonenet.com, and the default value of server2 is
update2.hillstonenet.com.

• ip-address | domain-name – Specifies the address of the update server. It can be an IP address
or a domain name, for example, update1.hillstonenet.com.

To cancel the specified update server, in the global configuration mode, use the following
command:
no ip-reputation signature update {server1 | server2 | server3}

Specifying an HTTP Proxy Server

When the device accesses the Internet through an HTTP proxy server, you need to specify the IP
address and the port number of the HTTP proxy server. With the HTTP proxy server specified,
the various signature databases can be updated automatically as usual.
To specify the HTTP proxy server for updating the IP reputation signature database, in the global
configuration mode, use the following command:
ip-reputation update proxy-server {main | backup} ip-address port-number

• main | backup – Use the main parameter to specify the main proxy server and the
backup parameter to specify the backup proxy server.

• ip-address port-number – Specifies the IP address and the port number of the proxy server.

To cancel the proxy server configuration, use the no perimeter-traffic-filter update proxy-server
{main | backup} command.

Specifying an Update Schedule

By default, the system automatically updates the IP reputation database every day. To reduce the
update server's workload, the time of the daily update is random. To specify the schedule and a
specific time for the update, in the global configuration mode, use the following command:
ip-reputation update schedule {daily [HH:MM] | weekly {mon | tue | wed | thu | fri | sat
| sun} [HH:MM] | hourly minute | monthly date [HH:MM]}

• daily [HH:MM] – Updates the database every day.

• weekly {mon | tue | wed | thu | fri | sat | sun} – Updates the database every week. The
parameter mon | tue | wed | thu | fri | sat | sun specifies the day of the week.

• hourly minute – Updates the database every three hours. This option is the default update
schedule. The parameter minute specifies the minute within the hour.

• monthly date – Updates the database every month. The parameter date specifies the day of
the month; the range is 1 to 31. If a month does not contain the specified date (e.g.,
there is no 30th in February), the database is not automatically upgraded in that month.

• HH:MM – Specifies the time of the update, for example, 09:00.

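Added example, not part of the guide or of StoneOS, that computes the next run time for the schedule keywords shared by the blacklist library update (daily, weekly, interval) and the IP reputation update above (daily, weekly, monthly), including the rule that a monthly date a month does not contain is skipped until a month that has it. It uses only the Python standard library; the schedule dictionary format, the treatment of an omitted HH:MM as 00:00, and the omission of the hourly option are assumptions of this example, not device behaviour.

```python
import calendar
from datetime import datetime, timedelta

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


def _at_time(base: datetime, hhmm: str) -> datetime:
    """Return `base` with its clock set to HH:MM and seconds cleared."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    return base.replace(hour=hour, minute=minute, second=0, microsecond=0)


def next_update(now: datetime, schedule: dict) -> datetime:
    """Next update time strictly after `now` for one schedule setting.

    `schedule` mirrors the CLI keywords (assumed format; HH:MM defaults to 00:00):
      {"mode": "daily", "at": "09:00"}
      {"mode": "weekly", "day": "sun", "at": "02:30"}
      {"mode": "monthly", "date": 30, "at": "01:00"}
      {"mode": "interval", "minutes": 30}
    """
    mode = schedule["mode"]
    at = schedule.get("at", "00:00")

    if mode == "interval":
        return now + timedelta(minutes=schedule["minutes"])

    if mode == "daily":
        candidate = _at_time(now, at)
        return candidate if candidate > now else candidate + timedelta(days=1)

    if mode == "weekly":
        days_ahead = (WEEKDAYS[schedule["day"]] - now.weekday()) % 7
        candidate = _at_time(now, at) + timedelta(days=days_ahead)
        return candidate if candidate > now else candidate + timedelta(days=7)

    if mode == "monthly":
        date = schedule["date"]
        year, month = now.year, now.month
        for _ in range(13):  # a 31st may have to skip several months in a row
            if date <= calendar.monthrange(year, month)[1]:
                first_of_month = now.replace(year=year, month=month, day=1)
                candidate = _at_time(first_of_month, at).replace(day=date)
                if candidate > now:
                    return candidate
            # month lacks that day, or the day has already passed: try the next month
            month += 1
            if month > 12:
                month, year = 1, year + 1
        raise ValueError(f"day {date} never occurs")

    raise ValueError(f"unknown schedule mode: {mode}")


def next_update_iso(now_iso: str, schedule: dict) -> str:
    """String convenience wrapper: ISO 8601 timestamp in, ISO 8601 timestamp out."""
    return next_update(datetime.fromisoformat(now_iso), schedule).isoformat()


if __name__ == "__main__":
    # Constructed clock value: 10 February 2024 at noon.
    now = "2024-02-10T12:00:00"
    print(next_update_iso(now, {"mode": "monthly", "date": 30, "at": "01:00"}))  # skips February
    print(next_update_iso(now, {"mode": "weekly", "day": "sun", "at": "02:30"}))
    print(next_update_iso(now, {"mode": "interval", "minutes": 30}))
```

The monthly branch is the edge case the guide calls out: with date 30 and a clock in February, the first candidate that exists is 30 March.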
Importing an IP Reputation File

In some cases, your device may be unable to connect to the update server to update the IP
reputation database. To solve this problem, the system provides the IP reputation file import
function, i.e., importing IP reputation files to the device from an FTP server, a TFTP server or a
USB disk, so that the device can update the IP reputation database locally. To import the IP
reputation file, in the execution mode, use the following command:
import ip-reputation from {ftp server ip-address [user user-name password password] | tftp
server ip-address} [vrouter vr-name] file-name

• ip-address – Specifies the IP address of the FTP or TFTP server.

• user user-name password password – Specifies the username and password of the FTP
server.

• vrouter vr-name – Specifies the VRouter of the FTP or TFTP server.

• file-name – Specifies the name of the IP reputation file to be imported.

Viewing IP Reputation Information

You can view the IP reputation database information of the device as needed, including the IP
reputation database version, release date, and the number of IP reputation entries. To view the IP
reputation database information, in any mode, use the following command:
show ip-reputation info

Viewing IP Reputation Update Information

You can view the IP reputation update information of the device as needed, including the update
server information, update mode, update frequency and time, as well as the status of the IP repu-
tation database update. To view the IP reputation update information, in any mode, use the fol-
lowing command:
show ip-reputation update

Mitigation

Overview
The system can dynamically identify potential risks and network attacks, and take action on
risks that hit the mitigation rules.

Mitigation Rule
Takes automatic mitigation action on risks that hit the mitigation rules.
Mitigation rules include the following two types:

• Predefined rule: This rule is retrieved from the Mitigation signature database. The predefined
rules may vary between mitigation signature databases. For updating the signature
database, see Updating Mitigation Rule Database.

• User-defined rule: Specifies the trigger condition and action according to user needs.

Notes:
• Mitigation rules apply only to the threat types Scan, DoS and Spam.

• Predefined rules cannot be edited or deleted.

The configuration of auto mitigation rules includes:

• Enabling/Disabling auto mitigation

• Configuring the mitigation rule

• Viewing the status of auto mitigation

Enabling/Disabling Auto Mitigation

Mitigation rules (user-defined and predefined) take effect only after auto mitigation is enabled.

To enable/disable auto mitigation, in the global command mode, use the following command:
mitigation-status {enable | disable}

• enable – Enables auto mitigation.

• disable – Disables auto mitigation.

Configuring the Mitigation Rule

Mitigation rules can only be configured in the WebUI; see the StoneOS WebUI User Guide.

Viewing the Status of Auto Mitigation

To view the status of auto mitigation, in any mode, use the following command:
show mitigation-status

Updating Mitigation Rule Database

By default, the system updates the mitigation rule database every day automatically. You can change
the update configuration as needed. The configuration of updating the malware behavior model
database includes:

• Configuring a mitigation rule update mode

• Specifying an automatic update period

• Updating now

• Importing a mitigation rule file

• Viewing mitigation rule update information

Configuring a Mitigation Rule Update Mode

The system supports both manual and automatic (periodic) update modes. To configure the
mitigation rule update mode, in the global configuration mode, use the following command:
cloud mitigation mode {1 | 2}

• 1 – manual: Specifies the manual update mode.

• 2 – period: Specifies the automatic (periodic) update mode.

Specifying an Automatic Update Period

To specify an automatic update period, in the global configuration mode, use the following
command:
cloud mitigation period period

• period – Specifies the automatic update period; the range is 600 to 86400 seconds.

Updating Now

In both manual and automatic update modes, you can update the mitigation rule database
immediately as needed. To update the mitigation rule database now, in any mode, use the following
command:
exec cloud mitigation update

• exec cloud mitigation update – Only updates the incremental part between the current
mitigation rule database and the latest mitigation rule database released by the update server.

Importing a Mitigation Rule File

In some cases, your device may be unable to connect to the update server to update the
mitigation rule database. To solve this problem, StoneOS provides the malware behavior model file
import function, i.e., importing the mitigation rule files to the device from an FTP server, a TFTP
server or a USB disk, so that the device can update the mitigation rule database locally. To import
the mitigation rule file, in the execution mode, use the following command:
import cloud mitigation from {ftp server ip-address [user user-name password password] |
tftp server ip-address} [vrouter vr-name] file-name

• ip-address – Specifies the IP address of the FTP or TFTP server.

• user user-name password password – Specifies the username and password of the FTP
server.

• vrouter vr-name – Specifies the VRouter of the FTP or TFTP server.

• file-name – Specifies the name of the mitigation rule file to be imported.

Viewing Mitigation Rule Update Information

To view the mitigation rule update information, in any mode, use the following command:
show cloud mitigation update

Correlation Analysis
The system provides a correlation analysis engine that correlates the threat events generated by
each threat prevention module. According to the defined correlation analysis rules, the engine
analyzes the threat events that have occurred, tries to find correlations among these events and
threats that cross hosts, and discovers potential threats of high severity. You can view the
correlation analysis results in WebUI > iCenter > Threat.

Updating Correlation Analysis Engine/Rules

The update of the correlation analysis engine/rules is merged into the update of the abnormal
behavior model database. For information on updating the abnormal behavior model database, see
the Updating Abnormal Behavior Model Database section.

Critical Assets
Critical assets are IT assets owned by a company that are essential to its ability to operate and
make a profit. These assets include key servers, networking devices, data storage servers, etc. Since
critical assets are essential to day-to-day business operations, they become targets of
cyberattacks. Therefore, the critical assets in a company need to be secured and protected with even
stronger defense mechanisms compared with other individual host machines.
After a critical asset object is configured, the system automatically enables the advanced threat
detection and abnormal behavior detection functions in the selected security zone, reserves
priority and resources for critical asset monitoring, and displays the related threats and traffic of
the critical asset on the Critical Assets page in iCenter.
Configuring critical assets includes the following items:

• Specifying the name of the critical asset

• Specifying the IP address of the critical asset

• Specifying the security zone of the critical asset

• Viewing the critical asset configurations

Specifying Critical Asset Name

To specify the critical asset name, in the global configuration mode, use the following command:
critical-asset name name

• name – Specifies the critical asset name and enters the critical asset object configuration
mode. If the name already exists, the system enters the critical asset object configuration
mode directly.

To delete a critical asset, use the command no critical-asset name name.

Specifying Critical Asset IP Address
To specify the critical asset IP address, in the critical asset object configuration mode, use the
following command:
ip ip-address

• ip-address – Specifies the IP address of the critical asset.

To cancel the IP setting, use the command no ip.

Specifying Critical Asset Zone

To specify the security zone where the critical asset is located, in the critical asset object
configuration mode, use the following command:
zone zone-name

• zone-name – Specifies the security zone where the critical asset is located. The system
automatically enables the advanced threat detection and abnormal behavior detection functions
for this security zone.

To cancel the security zone setting, use the command no zone.

Enabling/Disabling Web Server Advanced Protection


Web Server Advanced Protection function to detect HTTP protocol type of Web server attacks,
and find the abnormal behavior immediately and correctly. Enable this function, can detect the fol-
lowing types of attacks and behavior:

l Web Vulnerability Scan: A web vulnerability scanner is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses.

l Http-based DoS Attack: Denial of service (DoS) usually refers to an attack that attempts to make a computer resource unavailable to its intended users by flooding a network or server with requests and data. As the name suggests, an HTTP-based DoS attack is based on the HTTP protocol.

l Web Spider: A web spider is an internet bot that systematically browses the World Wide Web, typically for the purpose of web indexing. Web search engines and some other sites use web spiders to update their web content or their indexes of other sites' web content. Web spiders can copy all the pages they visit for later processing by a search engine that indexes the downloaded pages so that users can search them much more quickly.

To enable the function, in the critical asset object configuration mode, use the following command:
mark-webserver
To disable the function, in the critical asset object configuration mode, use the following command:
no mark-webserver

Renaming a Critical Asset


To rename a critical asset, in the critical asset object configuration mode, use the following command:
rename new-name

l new-name – Specifies the new name for the critical asset.

Viewing Critical Asset Object Configurations


Use the show critical-asset object command to view the critical asset object configurations.

Hot Threat Intelligence


The Hillstone Cloud server can push the latest hot threat intelligence to the system. The Hot Threat Intelligence page displays this intelligence, including IPS vulnerabilities, viruses and threats detected by the cloud sandbox. You can view the details of the hot threats, or carry out protection operations against them via the WebUI in the iCenter page.



Enabling/Disabling Hot Threat Intelligence Pushing
The Hillstone Cloud server can push the latest hot threat intelligence to the system. Once the system receives threat intelligence from the Hillstone Cloud server, it notifies you and updates the threat intelligence list in the WebUI. When pushing is disabled, the Hillstone cloud platform no longer pushes the latest hot threat intelligence. Meanwhile, the previously received threat intelligence can only be viewed, and the related protective operations are not allowed.
To enable Hot Threat Intelligence Pushing, in the global configuration mode, use the following command:

l threat-intelligence push enable

To disable Hot Threat Intelligence Pushing, in the global configuration mode, use the following command:

l threat-intelligence push disable

Updating Hot Threat Intelligence Manually


You can update the hot threat intelligence manually. The system immediately synchronizes the hot threat intelligence information from the Hillstone cloud platform, and downloads and updates the latest information into the local hot threat intelligence list. To update the hot threat intelligence manually, in any mode, use the following command:
exec threat-intelligence update



Geolocation Information Database

Overview
The system can display the incoming threat map via the WebUI. You can view the region of the selected threat or risky host. You need to update the geolocation information database before using this function for the first time.

Notes: Currently the geolocation information database can only be updated via the CLI.

Updating Geolocation Information Database


By default StoneOS updates the geolocation information database every day automatically. You can change the update configuration as needed. The configurations for updating the geolocation information database include:

l Configuring a geolocation information database update mode

l Configuring an Update Protocol

l Configuring an update server

l Specifying an update schedule

l Updating now

l Importing a geolocation information database file

l Viewing geolocation information database information

l Viewing geolocation information database update information



Configuring a Geolocation Information Database Update Mode

System supports both manual and automatic update modes. To configure a geolocation information database update mode, in the global configuration mode, use the following command:
geolocation-IP-signature update mode { auto | manual }

l auto – Specifies the automatic geolocation information database update mode. This is the
default mode.

l manual – Specifies the manual geolocation information database update mode.

To restore to the default mode, in the global configuration mode, use the following command:
no geolocation-IP-signature update mode

Configuring an Update Protocol

The system supports updating the signature database through HTTP and HTTPS, and the default protocol is HTTPS. To configure the update protocol as HTTP, in the global configuration mode, use the following command:
geolocation-IP-signature update protocol HTTP
In the global configuration mode, use the command no geolocation-IP-signature update protocol HTTP to restore the default value.

Configure an Update Server

System provides two default update servers: update1.hillstonenet.com and update2.hillstonenet.com. You can also configure up to three other update servers to download the latest geolocation information as needed. To configure the update server, in the global configuration mode, use the following command:
geolocation-IP-signature update {server1 | server2 | server3} { ip-address | domain-name }



l server1 | server2 | server3 – Specifies the update server you want to configure. IPv4 and IPv6 addresses are supported for the update server address. The default value of server1 is update1.hillstonenet.com, and the default value of server2 is update2.hillstonenet.com.

l ip-address | domain-name – Specifies the name of the update server. It can be an IP address or a domain name, for example, update1.hillstonenet.com.

To cancel the specified update server, in the global configuration mode, use the following command:
no geolocation-IP-signature update { server1 | server2 | server3 }

Specifying an HTTP Proxy Server

When the device accesses the Internet through an HTTP proxy server, you need to specify the IP address and the port number of the HTTP proxy server. With the HTTP proxy server specified, the various signature databases can update automatically and normally.
To specify the HTTP proxy server for geolocation information database updates, use the following command in the global configuration mode:
geolocation-ip-signature update proxy-server { main | backup } ip-address port-number

l main | backup – Use the main parameter to specify the main proxy server and use the backup parameter to specify the backup proxy server.

l ip-address port-number – Specifies the IP address and the port number of the proxy server.

To cancel the proxy server configurations, use the no geolocation-ip-signature update proxy-server {main | backup} command.

Specifying an Update Schedule

By default, the system automatically updates the geolocation information database every day. To reduce the update server's workload, the time of the daily update is random. To specify the schedule and specific time for the update, in the global configuration mode, use the following command:
geolocation-IP-signature update schedule { daily | weekly { mon | tue | wed | thu | fri | sat | sun } | monthly date } [ HH:MM ]

l daily – Updates the database every day.

l weekly {mon | tue | wed | thu | fri | sat | sun} – Updates the database every week. The parameter mon | tue | wed | thu | fri | sat | sun specifies the day of the week.

l monthly date – Updates the database every month. The parameter date specifies the date in the month; the range is 1 to 31. If a month does not contain the specified date (e.g., there is no 30th in February), the database will not be automatically upgraded in that month.

l HH:MM – Specifies the time of the update, for example, 09:00.

Updating Now

For both manual and automatic update modes, you can update the geolocation information database immediately as needed. To update the geolocation information database now, in any mode, use the following command:
exec geolocation-IP-signature update [full]

l exec geolocation-IP-signature update – Only updates the incremental part between the current geolocation information database and the latest geolocation information database released by the update server.

l full – Forces a full upgrade of the current geolocation information database.

Importing a Geolocation Information Database File

In some cases, your device may be unable to connect to the update server to update the geolocation information database. To solve this problem, StoneOS provides the geolocation information database file import function, i.e., importing the geolocation information database files to the device from an FTP server, TFTP server or USB disk, so that the device can update the geolocation information database locally. To import the geolocation information database file, in the execution mode, use the following command:
import geolocation-IP-signature from { ftp server ip-address [ user user-name password password ] | tftp server ip-address } [ vrouter vr-name ] file-name

l ip-address – Specifies the IP address of the FTP or TFTP server.

l user user-name password password – Specifies the username and password of the FTP server.

l vrouter vr-name – Specifies the VRouter of the FTP or TFTP server.

l file-name – Specifies the name of the geolocation information database file to be imported.

Viewing Geolocation Information Database Information

You can view the geolocation information database information of the device as needed, including the geolocation information database version, release date, and the number of geolocation information entries. To view the geolocation information database information, in any mode, use the following command:
show geolocation-IP-signature info

Viewing Geolocation Information Database Update Information

You can view the geolocation information database update information of the device as needed, including the update server information, update mode, update frequency and time, as well as the status of the geolocation information database update. To view the geolocation information database update information, in any mode, use the following command:
show geolocation-IP-signature update



Botnet Prevention
A botnet is a network that uses one or more means of communication to infect a large number of hosts with bots, forming a one-to-many controlled network between the controller and the infected hosts, which poses a great threat to network and data security.
The botnet prevention function can detect botnet hosts in the internal network in a timely manner, as well as locate them and take other actions according to the configuration, so as to avoid further threat attacks.
The botnet prevention configurations are based on security zones or policies. If the botnet prevention profile is bound to a security zone, the system will detect the traffic destined to the specified security zone based on the profile configuration. If the botnet prevention profile is bound to a policy rule, the system will detect the traffic matched to the specified policy rule based on the profile configuration.

Notes: The botnet prevention function is controlled by license. To use the botnet
prevention function, install the Botnet C&C Prevention license.

Preparing
Before enabling botnet prevention, make the following preparations:

1. Make sure your system version supports botnet prevention.

2. Import a botnet C&C prevention license and reboot. The botnet prevention will be enabled
after the rebooting.

To view the status of the botnet prevention function, use the command show version. To enable
or disable the botnet prevention function, in any mode, use the following command:
exec botnet-c2-prevention { enable | disable }

l enable – Enables the botnet prevention function.

l disable – Disables the botnet prevention function.



Configuring Botnet Prevention
To configure the botnet prevention function, take the following steps:

1. Enable the botnet prevention function.

2. Define a botnet prevention profile, and specify the protocol types and the actions for the botnet in the profile.

3. Bind the botnet prevention profile to an appropriate policy rule or security zone.

Notes: You need to update the botnet prevention signature database before enabling
the function for the first time. For more information about how to update, see
Updating Botnet Prevention Signature Database. To assure a proper connection to
the default update server, you need to configure a DNS server for system before
updating.

Creating a Botnet Prevention Profile

The botnet prevention profile specifies the protocol types and the actions for botnets. To create a botnet prevention profile, in the global configuration mode, use the following command:
botnet-c2-prevention profile profile-name

l profile-name – Specifies the botnet prevention profile name and enters the botnet prevention profile configuration mode. If the specified name exists, the system will directly enter the botnet prevention profile configuration mode.

To delete the specified botnet prevention profile, in the global configuration mode, use the command no botnet-c2-prevention profile-name.

Specifying a Protocol Type

To specify a protocol type, in the botnet prevention profile configuration mode, use the following command:
botnet-c2-prevention protocol {tcp | http | dns} action {reset | log-only | sinkhole-replace}

l tcp – Check for information transferred over TCP.

l http – Check for information transferred over HTTP.

l dns – Check for information transferred over DNS.

l action { reset | log-only | sinkhole-replace } – Specifies the action for the botnets.

l reset – Resets the connection if any botnet has been detected.

l log-only – Generates logs if any botnet has been detected.

l sinkhole-replace - When the protocol type is DNS, you can specify the processing
action as "Sinkhole Address Replacement". After the threat is discovered, the system
will replace the IP address in the DNS response packet with the Sinkhole IP address.

To cancel the specified protocol type, in the botnet prevention profile configuration mode, use the following command:
no botnet-c2-prevention protocol {tcp | http | dns}

Enabling/Disabling DGA Detection

DNS, the domain name resolution protocol, is designed to resolve fixed domain names to IP addresses. Because domain names are convenient and widely used, attackers take different approaches to using domain names to launch attacks. For example, one IP address can correspond to multiple domain names, and the server uses the endpoint field of the HTTP packet to find the target URL; malware exploits this by modifying the endpoint field to disguise the domain name, producing abnormal behavior. DGA, the domain generation algorithm, generates a large number of pseudo-random domain names and is used by malware.
To address these problems, the system supports enabling the DGA detection function, which inspects DNS response messages and detects whether the device is under attack via DGA domain names. If a DGA domain name is detected, the system will perform the specified processing action on the detected DGA domain name according to the configuration of the botnet prevention rules (record the related threat log or reset the connection).
To enable the DGA detection, in the botnet prevention profile configuration mode, use the fol-
lowing command:
dga-detect enable [ action {reset| log-only }]

l enable - Enable the DGA detection function.

l action { reset | log-only} – Specifies the action for the DGA domain name.

l reset – Resets the connection if any DGA domain name has been detected.

l log-only – Generates logs if any DGA domain name has been detected.

To disable the DGA detection, in the botnet prevention profile configuration mode, use the fol-
lowing command:
dga-detect disable

Notes: DGA detection function only supports X series devices, A series devices
and K9180 devices.

Enabling/Disabling the DNS Tunnel Detection

A DNS tunnel is a kind of covert channel that establishes communication by encapsulating other protocols inside the DNS protocol for transmission. However, most firewalls and detection devices allow DNS traffic through, and DNS tunnel attacks exploit exactly this permissiveness to implement operations such as remote control and file transfer, which harms users' network security and data security. Therefore, the detection, warning and handling of DNS tunnels are particularly important.
The system provides the DNS tunnel detection function. Through the inspection of DNS request messages and the monitoring of DNS traffic, feature extraction and comprehensive analysis of DNS tunnels can be performed. At the same time, the specified processing action can be performed on the detected DNS tunnel (record the relevant threat log or reset the connection) to prevent the threat brought by the DNS tunnel.



By default, the DNS tunnel detection function is disabled.
To enable the DNS tunnel detection function, in the botnet prevention profile configuration
mode, use the following command:
dns-tunnel-detect enable [ action {reset| log-only }]

l enable - Enable the DNS tunnel detection function

l action { reset | log-only} – Specifies the action for the DNS tunnel.

l reset – Resets the connection if any DNS tunnel has been detected.

l log-only – Generates logs if any DNS tunnel has been detected.

To disable the DNS tunnel detection function, in the botnet prevention profile configuration mode, use the following command:
dns-tunnel-detect disable

Specifying Log Aggregation Type and Aggregation Time

The system can merge botnet prevention logs of the same merging type based on the specified time granularity. This reduces the number of logs so that the log server does not receive redundant logs. To configure the log aggregation type and aggregation time granularity, in the global configuration mode, use the following command:
botnet-c2-prevention agg-log enable { by-src | by-dst | by-src-dst | by-src-ioc | by-dst-ioc | by-src-dst-ioc } [ aggregation-time value ]

l by-src - Merges botnet prevention logs of the same source IP.

l by-dst - Merges botnet prevention logs of the same destination IP.

l by-src-dst - Merges botnet prevention logs of the same source and destination IP.

l by-src-ioc - Merges botnet prevention logs of the same source IP and IOC. IOC indicates threat intelligence, that is, the malicious domain name, IP address, or URL detected by the botnet prevention function.

l by-dst-ioc - Merges botnet prevention logs of the same destination IP and IOC.

l by-src-dst-ioc - Merges botnet prevention logs of the same source IP, destination IP, and IOC.

l value - Specifies the time granularity of log aggregation. With this parameter specified, at the
same time granularity, the system stores botnet prevention logs of the same merging type in
the database only once. Value ranges from 10 to 600 seconds. The default value is 10
seconds.

In the global configuration mode, use the command no botnet-c2-prevention agg-log enable to specify the log aggregation type as Do Not Merge. This way, the system stores each botnet prevention log in the database and does not merge any logs.
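The merging rule above is easier to reason about on concrete data. The following is an added example, not StoneOS code: it models the documented behaviour (logs of the same merging type inside one time-granularity window are stored once, and "Do Not Merge" stores every log). The log record fields and the window semantics (a window opens at the first log of a key and lasts aggregation-time seconds) are assumptions, and the sample log lines are constructed.

```python
"""Model of botnet prevention log aggregation (agg-log) as the guide describes it.

Added example, not StoneOS code. Window semantics and log fields are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Which log fields form the merge key for each documented aggregation type.
AGG_FIELDS = {
    "by-src": ("src",),
    "by-dst": ("dst",),
    "by-src-dst": ("src", "dst"),
    "by-src-ioc": ("src", "ioc"),
    "by-dst-ioc": ("dst", "ioc"),
    "by-src-dst-ioc": ("src", "dst", "ioc"),
}


@dataclass(frozen=True)
class BotnetLog:
    ts: int    # seconds since an arbitrary epoch (constructed)
    src: str   # internal host that triggered the detection
    dst: str   # destination IP
    ioc: str   # the malicious domain, IP or URL that matched


def aggregate(logs: List[BotnetLog], agg_type: Optional[str],
              aggregation_time: int = 10) -> List[Tuple[BotnetLog, int]]:
    """Return the logs that would be stored, each with the number of raw logs it absorbed.

    agg_type None stands for "Do Not Merge" (the no agg-log enable form).
    """
    if agg_type is None:
        return [(log, 1) for log in logs]
    if not 10 <= aggregation_time <= 600:          # documented range, default 10
        raise ValueError("aggregation-time must be 10..600 seconds")
    fields = AGG_FIELDS[agg_type]
    stored: List[List] = []        # [log, count] in storage order
    window_start = {}              # key -> ts that opened the current window
    position = {}                  # key -> index into stored
    for log in sorted(logs, key=lambda entry: entry.ts):
        key = tuple(getattr(log, f) for f in fields)
        start = window_start.get(key)
        if start is None or log.ts - start >= aggregation_time:
            # first log of this key in a new window: store it
            window_start[key] = log.ts
            stored.append([log, 1])
            position[key] = len(stored) - 1
        else:
            # same key inside the window: merged into the stored log
            stored[position[key]][1] += 1
    return [(log, count) for log, count in stored]


# Constructed sample: one host hammering a C2 domain, a second host once.
SAMPLE_LOGS = [
    BotnetLog(0, "10.1.1.5", "203.0.113.9", "c2.example.test"),
    BotnetLog(3, "10.1.1.5", "203.0.113.9", "c2.example.test"),
    BotnetLog(5, "10.1.1.5", "203.0.113.20", "c2.example.test"),
    BotnetLog(8, "10.1.1.6", "203.0.113.9", "c2.example.test"),
    BotnetLog(12, "10.1.1.5", "203.0.113.9", "c2.example.test"),
    BotnetLog(40, "10.1.1.5", "203.0.113.9", "panel.example.test"),
]

if __name__ == "__main__":
    for agg_type, window in [(None, 10), ("by-src", 10), ("by-src", 60), ("by-src-dst-ioc", 10)]:
        result = aggregate(SAMPLE_LOGS, agg_type, window)
        print(agg_type, window, "->", len(result), "stored", [c for _, c in result])
```

Running the sample shows the trade-off the guide hints at: by-src with a 60-second granularity collapses six detections into two stored logs, while by-src-dst-ioc keeps the IOC visible at the cost of five stored logs.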

Configuring the DNS Tunnel Log Interval

To specify the minimum time interval for logging after the system detects the DNS tunnel, in the
global configuration mode, use the following command:
dns-tunnel-detect log-interval time-interval

l time-interval - Specifies the minimum time interval for logging after the system detects the
DNS tunnel. The range is 1 to 3600 seconds, the default value is 60 seconds.

To restore the default value, in the global configuration mode, use the following command:
no dns-tunnel-detect log-interval

Notes: DNS tunnel detection function only supports X series devices, A series
devices and K9180 device.



Address Library Management

The address library includes a predefined address library and a custom address library, each of which contains a block list and an exclude list, which are described as follows:

l Predefined exclude list: It contains domains automatically obtained through the botnet prevention signature database. When the traffic matches a domain name in the list, the system will not control the traffic with the botnet prevention function.

l Custom exclude list: It contains IPs, domains and URLs manually added by the user. When the traffic matches an IP address, domain name or URL in the list, the system will not control the traffic with the botnet prevention function.

l Predefined block list: It contains IPs, domains and URLs automatically obtained through the botnet prevention signature database. When the traffic matches an IP address, domain name or URL in the list, the system will control the traffic with the botnet prevention function.

l Custom block list: It contains IPs, domains and URLs manually added by the user. When the traffic matches an IP address, domain name or URL in the list, the system will control the traffic with the botnet prevention function.

The traffic matching sequence is: Custom exclude list > Custom block list > Predefined exclude list > Predefined block list.
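The practical consequence of that sequence is that a custom exclude entry silences a predefined block entry, while a predefined exclude entry still loses to a custom block entry. The following added example (not StoneOS code) models the four lists and the lookup order with the entry kinds from the CLI syntax: ip with an optional port, domain with an optional wildcard flag, and url. How a wildcard domain matches (the domain itself plus all its subdomains) is an assumption, and every entry and lookup is constructed sample data.

```python
"""Model of the botnet prevention address library lookup order.

Added example, not StoneOS code. Wildcard-domain semantics are an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    kind: str                    # "ip", "domain" or "url"
    value: str
    port: Optional[int] = None   # ip entries only; None means any port
    wildcard: bool = False       # domain entries only

    def matches(self, kind: str, value: str, port: Optional[int] = None) -> bool:
        if kind != self.kind:
            return False
        if self.kind == "ip":
            # an entry without a port matches any port (guide: "it will be any port")
            return value == self.value and (self.port is None or self.port == port)
        if self.kind == "domain":
            host = value.lower().rstrip(".")
            base = self.value.lower().rstrip(".")
            if self.wildcard:   # assumption: covers the domain and its subdomains
                return host == base or host.endswith("." + base)
            return host == base
        return value == self.value   # url entries match exactly


class AddressLibrary:
    """The four lists, checked in the order the guide gives."""

    def __init__(self) -> None:
        self.custom_exclude: List[Entry] = []
        self.custom_block: List[Entry] = []
        self.predefined_exclude: List[Entry] = []   # guide: domains from the signature DB
        self.predefined_block: List[Entry] = []

    def decide(self, kind: str, value: str,
               port: Optional[int] = None) -> Tuple[str, Optional[str]]:
        """Return (verdict, list_name); verdict is "exclude", "block" or "none"."""
        order = [
            ("custom_exclude", "exclude"),
            ("custom_block", "block"),
            ("predefined_exclude", "exclude"),
            ("predefined_block", "block"),
        ]
        for list_name, verdict in order:
            if any(e.matches(kind, value, port) for e in getattr(self, list_name)):
                return verdict, list_name
        return "none", None


def sample_library() -> AddressLibrary:
    """Constructed sample using documentation-only names and addresses."""
    lib = AddressLibrary()
    lib.custom_exclude.append(Entry("domain", "updates.example.test"))
    lib.custom_block.append(Entry("ip", "198.51.100.7", port=443))
    lib.predefined_exclude.append(Entry("domain", "example.test"))
    lib.predefined_block.append(Entry("domain", "example.test", wildcard=True))
    lib.predefined_block.append(Entry("url", "http://203.0.113.9/gate.php"))
    return lib


if __name__ == "__main__":
    lib = sample_library()
    for kind, value, port in [("domain", "updates.example.test", None),
                              ("domain", "cdn.example.test", None),
                              ("domain", "example.test", None),
                              ("ip", "198.51.100.7", 443),
                              ("ip", "198.51.100.7", 80)]:
        print(kind, value, port, "->", lib.decide(kind, value, port))
```

Note how cdn.example.test is blocked by the predefined wildcard entry even though example.test itself sits in the predefined exclude list: an exact-domain exclusion does not extend to subdomains, so an operator who wants the whole zone excluded has to add it to the custom exclude list.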

Configuring the Custom Block List

To configure a custom block list entry, in the global configuration mode, use the following command:
botnet-c2-prevention signature { ip ip-address [ port port-number ] | domain domain-name [ wildcard ] | url url }



l ip ip-address [ port port-number ] - Specifies the IP address of the custom block list entry. If the port is not specified, any port matches.

l domain domain-name [ wildcard ] - Specifies the domain name of the custom block list entry. wildcard means the domain is a wildcard domain.

l url url - Specifies the URL of the custom block list entry.

To delete the custom block list entry, in the global configuration mode, use the following command:
no botnet-c2-prevention signature { ip ip-address [ port port-number ] | domain domain-name [ wildcard ] | url url }

Configuring the Custom Exclude List

To configure a custom exclude list entry, in the global configuration mode, use the following command:
botnet-c2-prevention whitelist { ip ip-address [ port port-number ] | domain domain-name [ wildcard ] | url url }

l ip ip-address [ port port-number ] - Specifies the IP address of the custom exclude list entry. If the port is not specified, any port matches.

l domain domain-name [ wildcard ] - Specifies the domain name of the custom exclude list entry. wildcard means the domain is a wildcard domain.

l url url - Specifies the URL of the custom exclude list entry.

To delete the custom exclude list entry, in the global configuration mode, use the following command:
no botnet-c2-prevention whitelist { ip ip-address [ port port-number ] | domain domain-name [ wildcard ] | url url }

Viewing Custom Signature Entry

To view the custom block list entry, in any mode, use the following command:
show botnet-c2-prevention blacklist [ ip ip-address [ port port-number ] | domain domain-name [ wildcard ] | url url ]



Description:

l entry: Indicates the IP address, domain name, or URL of the blacklist entry.

l type: Indicates the type of the blacklist entry. 1 indicates IP, 2 indicates the exact domain name, 3 indicates the wildcard domain name, 4 indicates IP+Port, and 5 indicates the URL.

l define_type: Indicates how the blacklist entry is defined. 1 indicates the predefined blacklist and 2 indicates the user-defined blacklist.

l tag: Indicates the botnet tag related to the Botnet C&C IOC blacklist entry. If there are multiple tags, only the first 5 tags are displayed.

l malware_family: Indicates the name of the malware family associated with the IOC blacklist entry.

l APT_group: Indicates the name of the APT group associated with the IOC blacklist entry.

Example

hostname# show botnet-c2-prevention bl ip 118.0.0.2

Botnet Prevention blacklist

Total num: 0
==========================================
entry type define type tag malware family APT group
------------------------------------------------------------------------------------
==========================================

To view the custom exclude list entry, in any mode, use the following command:
show botnet-c2-prevention whitelist [ ip ip-address [ port port-number ] | domain domain-name [ wildcard ] | url url ]



Configuring the Sinkhole IP address

You can select the system's predefined sinkhole IP address or specify a user-defined sinkhole IP address to replace the IP address in the DNS response message.
To configure the sinkhole IP address, in the global configuration mode, use the following command:
botnet-c2-prevention sinkhole { ipv4 IPv4-address | ipv6 IPv6-address | predefined-sinkhole }

l ipv4 IPv4-address - Specifies a custom IPv4 address. If only the IPv4 address is configured, the system will automatically map the configured IPv4 address to the corresponding IPv6 address when the DNS server communicates using the IPv6 protocol.

l ipv6 IPv6-address - Specifies a custom IPv6 address.

l predefined-sinkhole - Specifies to use the predefined sinkhole IP address.

Binding a Botnet Prevention Profile to a Security Zone

If the botnet prevention profile is bound to a security zone, the system will detect the traffic destined to the specified security zone based on the profile configuration. If a policy rule is bound with a botnet prevention profile, and the destination zone of the policy rule is also bound with a botnet prevention profile, then the botnet prevention profile bound to the policy rule takes effect, while the botnet prevention profile bound to the security zone is ignored.
To bind the botnet prevention profile to a security zone, in the security zone configuration mode,
use the following command:
botnet-c2-prevention enable profile-name

l profile-name – Specifies the name of the botnet prevention profile that will be bound to the
security zone. One security zone can only be bound with one botnet prevention profile.

To cancel the binding, in the security zone configuration mode, use the following command:
no botnet-c2-prevention enable



Binding a Botnet Prevention Profile to a Policy Rule

If the botnet prevention profile is bound to a policy rule, the system will detect the traffic matched to the specified policy rule based on the profile configuration. To bind the botnet prevention profile to a policy rule, in the policy rule configuration mode, use the following command:
botnet-c2-prevention profile-name

l profile-name – Specifies the name of the botnet prevention profile that will be bound to the policy rule.

To cancel the binding, in the policy rule configuration mode, use the following command:
no botnet-c2-prevention

Viewing Botnet Prevention Profile Information

To view the botnet prevention profile information, in any mode, use the following command:
show botnet-c2-prevention-profile profile-name

Viewing Botnet Prevention Status

To view the botnet prevention status, in any mode, use the following command:
show botnet-c2-prevention status

Updating Botnet Prevention Signature Database


By default the system updates the botnet prevention signature database every day automatically. You can change the update configuration as needed. The configurations for updating the botnet prevention signature database include:

l Configuring the botnet prevention signature update mode

l Configuring an Update Protocol



l Configuring an update server

l Specifying a HTTP Proxy Server

l Specifying an update schedule

l Updating now

l Importing a botnet prevention signature file

l Viewing botnet prevention signature information

l Viewing botnet prevention signature update information

Configuring the Botnet Prevention Signature Update Mode

System supports both manual and automatic update modes. To configure a botnet prevention signature update mode, in the global configuration mode, use the following command:
botnet-c2-prevention signature update mode {auto | manual}

l auto – Specifies the automatic botnet prevention signature update mode. This is the default
mode.

l manual – Specifies the manual botnet prevention signature update mode.

To restore to the default mode, in the global configuration mode, use the following command:
no botnet-c2-prevention signature update mode

Configuring an Update Protocol

The system supports updating the signature database through HTTP and HTTPS, and the default protocol is HTTPS. To configure the update protocol as HTTP, in the global configuration mode, use the following command:
botnet-c2-prevention signature update protocol HTTP



In the global configuration mode, use the command no botnet-c2-prevention signature update
protocol HTTP to restore the default value.

Configure an Update Server

System provides two default update servers: update1.hillstonenet.com and update2.hillstonenet.com. You can also configure up to three other update servers to download the latest botnet prevention signatures as needed. To configure the update server, in the global configuration mode, use the following command:
botnet-c2-prevention signature update {server1 | server2 | server3} { ip-address | domain-name }

l server1 | server2 | server3 – Specifies the update server you want to configure. IPv4 and IPv6 addresses are supported for the update server address. The default value of server1 is update1.hillstonenet.com, and the default value of server2 is update2.hillstonenet.com.

l ip-address | domain-name – Specifies the name of the update server. It can be an IP address or a domain name, for example, update1.hillstonenet.com.

To cancel the specified update server, in the global configuration mode, use the following command:
no botnet-c2-prevention signature update { server1 | server2 | server3 }

Specifying an HTTP Proxy Server

When the device accesses the Internet through an HTTP proxy server, you need to specify the IP address and the port number of the HTTP proxy server. With the HTTP proxy server specified, the various signature databases can update automatically and normally.
To specify the HTTP proxy server for botnet prevention signature database updates, use the following command in the global configuration mode:
botnet-c2-prevention signature update proxy-server { main | backup } ip-address port-number

l main | backup – Use the main parameter to specify the main proxy server and use the backup parameter to specify the backup proxy server.

l ip-address port-number – Specifies the IP address and the port number of the proxy server.

To cancel the proxy server configurations, use the command no botnet-c2-prevention signature
update proxy-server {main | backup}.

Specifying an Update Schedule

By default, the system automatically updates the botnet prevention signature database every day. To reduce the update server's workload, the time of the daily update is chosen at random. To specify the schedule and time of the update, in the global configuration mode, use the following command:
botnet-c2-prevention signature update schedule { { daily | weekly { mon | tue | wed | thu | fri | sat | sun } | monthly date } [ HH:MM ] | hourly MM }

l daily – Updates the database every day.

l weekly { mon | tue | wed | thu | fri | sat | sun } – Updates the database every week. The parameter mon | tue | wed | thu | fri | sat | sun specifies the day of the week.

l monthly date – Updates the database every month. The parameter date specifies the day of the month, in the range 1 to 31. If a month does not contain the specified day (for example, there is no 30th in February), the database is not updated automatically in that month.

l HH:MM – Specifies the time of the update, for example, 09:00.

l hourly MM – Updates the database every three hours. MM specifies the minute within the hour at which the update runs.

Updating Now

For both manual and automatic update modes, you can update the botnet prevention signature database immediately as needed. To update the botnet prevention signature database now, in any mode, use the following command:
exec botnet-c2-prevention signature update

l exec botnet-c2-prevention signature update – Downloads only the incremental difference between the current botnet prevention signature database and the latest database released by the update server.

Importing a Botnet Prevention Signature File

In some cases, your device may be unable to connect to the update server. For such cases, the system provides a botnet prevention signature file import function: the signature file is copied to the device from an FTP server, a TFTP server or a USB disk, so that the device can update its botnet prevention signature database locally. To import a botnet prevention signature file, in the execution mode, use the following command:
import botnet-c2-prevention signature from { ftp server ip-address [ user user-name password password ] | tftp server ip-address | usb0 | usb1 } [ vrouter vr-name ] file-name

l ip-address – Specifies the IP address of the FTP or TFTP server.

l user user-name password password – Specifies the username and password of the FTP
server.

l vrouter vr-name – Specifies the VRouter of the FTP or TFTP server.

l file-name – Specifies the name of the botnet prevention signature file to be imported.

Viewing Botnet Prevention Signature Information

To view botnet prevention signature database information, in any mode, use the following com-
mand:
show botnet-c2-prevention signature info

Viewing Botnet Prevention Signature Update Information

You can view the botnet prevention signature update information of the device as needed, includ-
ing the update server information, update mode, update frequency and time, as well as the status
of the botnet prevention signature database update. To view the botnet prevention signature
update information, in any mode, use the following command:
show botnet-c2-prevention signature update
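The following sequence is an added example and is not from the Hillstone manual. It applies the commands of this section end to end: it adds a third update server, routes updates through a proxy, schedules a weekly update, forces an immediate update and then verifies the result, with the offline file import as the fallback. The server name sigmirror.example.com, the proxy 10.0.0.8 port 3128, the TFTP server 10.0.0.9, the file name botnet-sig.bin, the use of trust-vr and the mode-switching commands configure and exit are assumptions; lines beginning with # are annotations for the reader, not CLI input.

```text
# Added example (not from the Hillstone manual). Hostnames, addresses,
# file name and the configure / exit mode-switching commands are assumed.
configure
# server1 and server2 keep their defaults; server3 points at a private mirror.
botnet-c2-prevention signature update server3 sigmirror.example.com
# The device reaches the Internet only through an HTTP proxy.
botnet-c2-prevention signature update proxy-server main 10.0.0.8 3128
# Replace the daily random-time update with a fixed weekly window.
botnet-c2-prevention signature update schedule weekly sun 02:30
exit
# Pull the incremental update now rather than waiting for Sunday.
exec botnet-c2-prevention signature update
# Confirm server, proxy, schedule and the status of the last update.
show botnet-c2-prevention signature update
show botnet-c2-prevention signature info

# Offline fallback when no update server is reachable: stage the signature
# file on a TFTP server (10.0.0.9, assumed) reachable through trust-vr.
import botnet-c2-prevention signature from tftp server 10.0.0.9 vrouter trust-vr botnet-sig.bin
```

The output of show botnet-c2-prevention signature update is where to confirm that the proxy and schedule were accepted and whether the last update succeeded. Signatures imported from a file are only as current as the file that was staged, so the import path is a stopgap, not a replacement for the scheduled update.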

Antispam

Overview
The system provides an Antispam function that identifies and filters mail transmitted over SMTP and POP3 with the help of a cloud server, so that mail threats such as spam, phishing and worm mail are discovered in time and handled according to the configuration, protecting the user's mail clients and mail servers.
The Antispam function works only when an antispam license has been installed on a system that supports Antispam.

Notes:
l SG-6000-A200 and SG-6000-A200W do not support the Antispam function.

l To ensure a proper connection to the cloud server, configure a DNS server for the system before configuring Antispam.

Configuring Antispam
The Antispam configurations are based on security zones or policies.
To configure antispam via CLI, take the following steps:

1. Create an Antispam profile, and specify the mail protocol, spam category, action and black-
list /whitelist of sender in the profile.

2. Bind the Antispam profile to a security zone or policy rule.

Creating an Antispam Profile

You need to specify the mail protocol, spam category, action and exempt domain of sender of the
Antispam profile. To create an Antispam profile, in the global configuration mode, use the fol-
lowing command:
antispam-profile antispam-profile-name

l antispam-profile-name – Specifies the name of the Antispam profile and enters the Antispam profile configuration mode. If the specified name already exists, the system enters the Antispam profile configuration mode directly. Up to 32 Antispam profiles can be created.

To delete the specified Antispam profile, in the global configuration mode, use the command no antispam-profile antispam-profile-name.

Specifying a Mail Protocol Type

To specify a protocol type and enter the protocol configuration mode, in the Antispam profile con-
figuration mode, use the following command:
protocol { pop3 | smtp }

l pop3 – Scans the Emails transferred over POP3.

l smtp – Scans the Emails transferred over SMTP.

To cancel the specified protocol type, in the Antispam profile configuration mode, use the fol-
lowing command:
no protocol { pop3 | smtp }

Specifying the Spam Category

To specify the spam category and action, in the protocol configuration mode, use the
following command:
spam-class { bulk | confirmed | suspected | validbulk } action { log-only | reset }

l bulk – Specifies the action for the bulk spam.

l confirmed – Specifies the action for the confirmed spam.

l suspected – Specifies the action for the suspected spam.

l validbulk – Specifies the action for the valid bulk mails.

l action { log-only | reset } – Specifies the action for the spam.

l log-only – Generates logs. This is the default action. For mail transferred over POP3, log-only is the only supported action.

l reset – Resets the connection when spam is detected.

To cancel the specified spam category, in the protocol configuration mode, use the following com-
mand:
no spam-class { bulk | confirmed | suspected | validbulk }

Specifying the Whitelist of Sender

The whitelist of sender specifies the mail domains or email addresses that are not filtered by Antispam. Each Antispam profile can specify up to 16 exempt domains of sender.
To specify the whitelist of sender, in the Antispam profile configuration mode, use the following command:
sender-whitelist { domain domain-name | mailbox email-address }

l domain-name – Specifies the domain name. The length is 1 to 255 characters, but each label between two periods (.) is at most 63 characters.

l email-address – Specifies the email address. The length is 1 to 255 characters.

To delete the specified whitelist of sender, in the Antispam profile configuration mode, use the
following command:
no sender-whitelist {domain domain-name | mailbox email-address}

User-defined Blacklist Spam

You can add a sender's domain name or email address to the user-defined blacklist. When the Antispam user-defined blacklist function is enabled, the system directly identifies mail from senders in the user-defined blacklist as spam, and then resets the connection or records a threat log.

Enabling/Disabling User-defined Blacklist

To enable or disable user-defined blacklist spam, in the Antispam profile configuration mode, use
the following command:

l Enable: user-defined-blacklist enable

l Disable: no user-defined-blacklist enable

Adding/Deleting User-defined Blacklist

To add an entry to the user-defined blacklist, in the Antispam profile configuration mode, use the following command:
exec antispam user-defined-blacklist add { domain domain-name | mailbox email-address }
To delete an entry from the user-defined blacklist, in the Antispam profile configuration mode, use the following command:
exec antispam user-defined-blacklist delete { domain domain-name | mailbox email-address }

l domain-name – Specifies the domain name. The length is 1 to 255 characters, but each label between two periods (.) is at most 63 characters.

l email-address – Specifies the email address. The length is 1 to 255 characters.

Binding an Antispam Profile to a Security Zone

If the Antispam profile is bound to a security zone, the system inspects the traffic destined to that security zone based on the profile configuration. If a policy rule is bound with an Antispam profile and the destination zone of that policy rule is also bound with an Antispam profile, the profile bound to the policy rule takes effect and the profile bound to the security zone is ignored.
To bind the Antispam profile to a security zone, in the security zone configuration mode, use the
following command:
antispam antispam-profile-name

l antispam-profile-name – Specifies the name of the Antispam profile that will be bound to the
security zone. One security zone can only be bound with one Anti-Spam profile.

To cancel the binding, in the security zone configuration mode, use the following command:
no antispam

Binding an Antispam Profile to a Policy Rule

If the Antispam profile is bound to a policy rule, the system will detect the traffic matched to the
specified policy rule based on the profile configuration. To bind the Antispam profile to a policy
rule, in the policy rule configuration mode, use the following command:
antispam antispam-profile-name

l antispam-profile-name – Specifies the name of the Antispam profile that will be bound to the
policy rule.

To cancel the binding, in the policy rule configuration mode, use the following command: no antispam

Configuring the Mail Scan Maximum Limit

To configure the mail scan maximum limit, in the global configuration mode, use the following
command:
antispam max-mail-size max-mail-size-value

l max-mail-size-value – Specifies the mail scan maximum limit. The range is 512 Kb to 2048
Kb, the default value is 1024 Kb.

To restore the default value, in the global configuration mode, use the following command: no antispam max-mail-size

Viewing Antispam Profile Information

To view the Antispam profile information, in any mode, use the following command:
show antispam-profile [ antispam-profile-name ]

l antispam-profile-name – Shows the specified antispam profile information. If this parameter
is not specified, the command will show the information of all the Anti-Spam profiles.

Viewing the Antispam Status Information

To view the Antispam status information, in any mode, use the following command:
show antispam status

Viewing the Global Configuration

To view the global configuration of Antispam, in any mode, use the following command:
show antispam configuration
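The following sequence is an added example, not from the Hillstone manual, that walks through the Antispam procedure of this section: create a profile, set per-protocol actions, whitelist a partner domain, enable the user-defined blacklist, raise the scan size limit, bind the profile to the zone that holds the mail server and verify. The profile name mail-inbound, the zone name dmz, the domains and mailbox, the value 2048 and the commands configure, exit and zone used to switch modes are assumptions; lines beginning with # are annotations for the reader, not CLI input.

```text
# Added example (not from the Hillstone manual). Names, domains and the
# configure / exit / zone mode-switching commands are assumed.
configure
antispam-profile mail-inbound
# SMTP delivers to the mail server directly, so confirmed spam is dropped
# by resetting the session; suspected and bulk mail is only logged.
protocol smtp
spam-class confirmed action reset
spam-class suspected action log-only
spam-class bulk action log-only
exit
# POP3 supports log-only, so no reset action is configured here.
protocol pop3
spam-class confirmed action log-only
exit
# Senders that must never be filtered (16 entries per profile at most).
sender-whitelist domain partner.example.com
sender-whitelist mailbox alerts@monitor.example.net
# Senders always treated as spam, independent of the cloud verdict.
user-defined-blacklist enable
exec antispam user-defined-blacklist add domain spam-source.example
exit
# Scan mails up to the maximum size (range 512 to 2048, default 1024).
antispam max-mail-size 2048
# Bind to the zone the mail server sits in: the profile applies to traffic
# destined to that zone. A profile on a matching policy rule would override it.
zone dmz
antispam mail-inbound
exit
# Verify the profile, the global limit and the cloud connection status.
show antispam-profile mail-inbound
show antispam configuration
show antispam status
```

Mail larger than the configured max-mail-size is not scanned, so the limit is a trade-off between coverage and inspection cost; check show antispam status after the DNS server is configured, since the cloud lookup cannot work without it.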

End Point Protection
The endpoint security control center monitors the security status and system information of each endpoint that accesses the network.
When the end point protection function is enabled, the device obtains the endpoint data collected by the endpoint security control center by interacting with it, and then applies the processing action configured for the endpoint's security status, thereby controlling the endpoint's network behavior.

Notes:
l At present, the end point protection function only supports linkage with the "JIANGMIN" endpoint security control center.

l End point protection is controlled by license. To use end point protection, apply for and install the EPP license.

Configuring the End Point Protection

Preparation for Configuring End Point Protection

Before enabling end point protection, make the following preparations:

1. Make sure your system version supports end point protection.

2. Import an EPP license and reboot.

Configuring End Point Protection

To configure the end point protection function, take the following steps:

1. Enable the end point protection function.

2. Define an end point protection profile, and specify the protection action corresponding to
the endpoint status in the profile.

3. Bind the end point protection profile to an appropriate policy rule or security zone.

Configuring Endpoint Security Control Center Parameters

The configurations of endpoint security control center include:

l Specifying the Name of the Endpoint Security Control Center Server

l Specifying the Address of the Endpoint Security Control Center Server

l Specifying the Port of the Endpoint Security Control Center Server

l Specifying the Synchronization Period

Specifying the Name of the Endpoint Security Control Center Server

To specify the name of the endpoint security control center server and enter the endpoint security control center server configuration mode, in the global configuration mode, use the following command:
epp server server-name

l server-name – Specifies the name of the endpoint security control center server and enters the endpoint security control center server configuration mode. If the specified name already exists, the system enters the endpoint security control center server configuration mode directly. Only one endpoint security control center server can be configured.

To delete the specified endpoint security control center server, in the global configuration mode,
use the command no epp server.

Specifying the Address of the Endpoint Security Control Center Server

To specify the address of the endpoint security control center server, in the endpoint security con-
trol center server configuration mode, use the following command:
host hostname

l hostname – Specifies the IP address or domain name of the endpoint security control center server. The length is 1 to 255 characters.

To delete the specified address, in the endpoint security control center server configuration
mode, use the command no host.

Specifying the Port of the Endpoint Security Control Center Server

To specify the port of the endpoint security control center server, in the endpoint security control center server configuration mode, use the following command:
port port-number

l port-number – Specifies the port number. The range is 1 to 65535.

To delete the specified port number, in the endpoint security control center server configuration
mode, use the command no port.

Specifying the Synchronization Period

To specify the synchronization period of endpoint data information, in the endpoint security con-
trol center server configuration mode, use the following command:
sync sync-cycle

l sync-cycle - Specifies the synchronization period. The range is 1 to 60 minutes. The default
value is 10 minutes.

To restore the default value, in the endpoint security control center server configuration mode,
use the command no sync.

Enabling/Disabling the Timeout Entry

By default, when the connection to the endpoint security control center is lost, the endpoint data that the system has synchronized becomes invalid and is cleared. To enable or disable the timeout entry, in the global configuration mode, use the following command:

l Enable: epp timeout-used

l Disable: no epp timeout-used

Creating an End Point Protection Profile

The end point protection profile specifies the protection action corresponding to each endpoint status. To create an end point protection profile, in the global configuration mode, use the following command:
epp-profile profile-name

l profile-name – Specifies the end point protection profile name and enters the end point protection profile configuration mode. If the specified name already exists, the system enters the end point protection profile configuration mode directly.

To delete the specified end point protection profile, in the global configuration mode, use the command no epp-profile profile-name.

Specifying the Protection Action

To specify the protection action for an endpoint on which no anti-virus client is installed, in the end point protection profile configuration mode, use the following command:
status uninstall { log-only | redirect url | block [ block-interval ] }

l log-only – The system passes the traffic and only records logs.

l redirect url – Redirects the endpoint to the specified URL.

l block [ block-interval ] – Blocks the endpoint connection; block-interval specifies the block interval.

To cancel the protection action for an endpoint on which no anti-virus client is installed, in the end point protection profile configuration mode, use the following command:
no status uninstall
To specify the protection action for the unhealthy, infected and abnormal endpoint, in the end point protection profile configuration mode, use the following command:
status { unhealthy | infected | abnormal } { log-only | block [ block-interval ] }

l unhealthy – Specifies the protection action for the unhealthy endpoint.

l infected – Specifies the protection action for the infected endpoint.

l abnormal – Specifies the protection action for the abnormal endpoint.

l log-only – The system passes the traffic and only records logs.

l block [ block-interval ] – Blocks the endpoint connection; block-interval specifies the block interval in seconds. The range is 60 to 65535 and the default value is 60.

To cancel the protection action for the unhealthy, infected and abnormal endpoint, in the end point protection profile configuration mode, use the following command:
no status { unhealthy | infected | abnormal }

Specifying the Exception Address

Traffic from an exception address is not controlled by the end point protection rule. To specify the exception address, in the end point protection profile configuration mode, use the following command:
address address-name

l address-name – Specifies the address book entry name.

To cancel the specified exception address, in the end point protection profile configuration mode, use the following command:
no address

Notes: Before selecting the exception address, you need to add the exception end-
point address to the address book. For configuration, see Configuring an Address
Book.

Binding an End Point Protection Profile to a Security Zone

If the end point protection profile is bound to a security zone, the system will detect the traffic
destined to the specified security zone based on the profile configuration.
To bind the end point protection profile to a security zone, in the security zone configuration
mode, use the following command:
epp enable profile-name

l profile-name – Specifies the name of the end point protection profile that will be bound to
the security zone. One security zone can only be bound with one end point protection profile.

To cancel the binding, in the security zone configuration mode, use the following command:
no epp enable

Binding an End Point Protection Profile to a Policy Rule

If the end point protection profile is bound to a policy rule, the system will detect the traffic
matched to the specified policy rule based on the profile configuration. To bind the end point pro-
tection profile to a policy rule, in the policy rule configuration mode, use the following command:
epp profile-name

l profile-name – Specifies the name of the end point protection profile that will be bound to
the policy rule.

To cancel the binding, in the policy rule configuration mode, use the following command: no epp.

Manually Synchronizing the Endpoint Data Information

To synchronize the endpoint data information manually, in any mode, use the following com-
mand:
exec epp server-flush

Viewing End Point Protection Profile Information

To view the end point protection profile information, in any mode, use the following command:
show epp-profile [ profile-name ]

Viewing the End Point Status

To view the end point status, in any mode, use the following command:
show epp ep-status

Viewing the End Point Information Synchronization Status

To view the synchronization status of endpoint, in any mode, use the following command:
show epp sync-status

Viewing the Endpoint Security Control Center Information

To view the endpoint security control center information, use the following command:
show epp server
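The following sequence is an added example, not from the Hillstone manual, that carries the end point protection procedure of this section through in order: connect to the control center, map each endpoint status to an action, exempt a set of hosts, bind the profile to a zone, force a synchronization and verify. The server name jm-center, the host epp.corp.example.com, port 8443, the profile name lan-endpoints, the redirect URL, the block intervals, the address book entry epp-exempt-hosts (assumed to exist already), the zone name untrust and the commands configure, exit and zone used to switch modes are assumptions; lines beginning with # are annotations for the reader, not CLI input.

```text
# Added example (not from the Hillstone manual). Names, addresses, the
# address book entry and the configure / exit / zone commands are assumed.
configure
# Only one endpoint security control center server can be configured.
epp server jm-center
host epp.corp.example.com
port 8443
# Pull endpoint status every 5 minutes instead of the default 10.
sync 5
exit
# Map each endpoint status to an action.
epp-profile lan-endpoints
# No anti-virus client installed: send the user to the installer page.
status uninstall redirect https://epp.corp.example.com/install
# Infected: block for 10 minutes (range 60 to 65535 seconds, default 60).
status infected block 600
status abnormal block 300
status unhealthy log-only
# Hosts that must never be blocked, for example the control center itself
# (address book entry assumed to exist; see Configuring an Address Book).
address epp-exempt-hosts
exit
# The profile applies to traffic destined to the bound zone, so binding it
# to untrust controls what LAN endpoints may reach on the Internet.
zone untrust
epp enable lan-endpoints
exit
# Pull the latest endpoint data now and check the linkage.
exec epp server-flush
show epp server
show epp sync-status
show epp ep-status
```

Because the synchronized endpoint data is cleared by default when the control center becomes unreachable (see Enabling/Disabling the Timeout Entry), check show epp sync-status after any control center outage before assuming that blocks for infected endpoints are still being enforced.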

IoT
IoT, the abbreviation of Internet of Things, is the extension of Internet connectivity into physical devices and everyday objects.
The IoT policy in the system identifies network video monitoring devices, such as IPCs (IP Cameras) and NVRs (Network Video Recorders), from the traffic flowing through the device, and then monitors the identified devices and blocks illegal behaviors according to the configuration.

Notes:
l Only the IPC and NVR devices of Hikvision, Dahua and Uniview are sup-
ported currently.

l The IoT Policy function is available only when the IoT license is installed on
the system.

l The network video monitoring devices in the NAT scenario cannot be iden-
tified with the IoT policy.

Configuring IoT

Preparations

Before configuring the IoT, ensure the following conditions have been met.

1. The IoT function is supported for the system version.

2. The IoT license has been installed and you have logged in to the device again.

Configuring IoT

To enable the IoT function, take the following steps:

1. Configuring Admittance List

2. Configuring an IoT Monitor Profile

3. Binding the IoT Monitor Profile to the zone

Configuring Admittance List

For the traffic flowing through a zone bound with the IoT monitor profile, the system can control it with admittance lists of the IP, MAC and IP/MAC types: only traffic that matches an entry of the configured type is allowed to pass. By default, all traffic flowing through the zone bound with the IoT monitor profile is allowed to pass.
When admittance lists of the IP/MAC, IP and MAC types are all configured, traffic is matched against them in the order IP/MAC > IP > MAC. Traffic is allowed to pass in either of the following cases:

l The traffic matches an entry of the IP/MAC type on both its IP address and its MAC address.

l The traffic matches an entry of the IP/MAC type on its IP address only. The traffic is then matched against the IP-type and MAC-type entries in order, and both its IP address and its MAC address are matched.

Notes: The maximum number of admittance list entries that can be configured or imported differs between platforms, as does the number of IP/MAC, IP and MAC type addresses that can be added to an admittance list. Refer to the actual device. For example, if the current device allows up to 1500 admittance list entries to be configured or imported and the ratio of IP/MAC, IP and MAC type addresses is 2:1:2, then up to 600 IP/MAC entries, 300 IP entries and 600 MAC entries can be added.

Creating Admittance List

To create an admittance list and enter the configuration mode of the IoT admittance list, in the
global configuration mode, use the following command:
iot-monitor admittance-list list-name

l list-name - Specifies the name of the admittance list and enter the configuration mode of
admittance list. If the specified name already exists, enter the configuration mode directly.

In the global configuration mode, use the command no iot-monitor admittance-list list-name to
delete the specified list.

Notes: For the admittance list bound to the IoT Profile, it cannot be deleted unless
it's unbound.

Configuring the IP/MAC Admittance List

To add the IPv4 address, MAC address, username and password of network video monitor
devices into the admittance list, in the IoT admittance list configuration mode, use the following
command:
ip-mac ipv4-address mac-address [ onvifusername username onvifpassword password ]

l ipv4-address - Specifies the IPv4 address of the network video monitor device.

l mac-address - Specifies the corresponded MAC address of the configured IP.

l username - Specifies the user name of the network video monitor device.

l password - Specifies the corresponded password of the user.

In the IoT admittance list configuration mode, use the command no ip-mac ipv4-address mac-address to remove the IPv4 address and MAC address of the specified network video monitor device from the admittance list.

To add the IPv6 address, MAC address, username and password of network video monitor
devices into the admittance list, in the IoT admittance list configuration mode, use the following
command:
ipv6-mac ipv6-address mac-address [ onvifusername username onvifpassword password ]

l ipv6-address - Specifies the IPv6 address of the network video monitor device.

l mac-address - Specifies the corresponded MAC address of the configured IP.

l username - Specifies the user name of the network video monitor device.

l password - Specifies the corresponded password of the user.

In the IoT admittance list configuration mode, use the command no ipv6-mac ipv6-address mac-
address to remove the IPv6 address and MAC address of the specified network video monitor
device from the admittance list.

Configuring the IP Admittance List

Specifying IP

To add the IPv4 address, user name and password of the network video monitor device to the admittance list, in the IoT admittance list configuration mode, use the following command:
ip network { ip-prefix/mask | ip-address mask } [ onvifusername username onvifpassword password ]

l ip-prefix/mask - Specifies the IP address and mask, such as 1.1.1.1/24.

l ip-address - Specifies the IP address, such as 1.1.1.1.

l mask - Specifies the mask, such as 255.255.255.0.

l username - Specifies the user name of the network video monitor device.

l password - Specifies the password of the user.

In the IoT admittance list configuration mode, use the command no ip network {ip-prefix/mask
| ip-address mask } to delete the IP address of the network video monitor device from the admit-
tance list.
To add the IPv6 address, user name and password of the network video monitor device to the
admittance list, in the IoT admittance list configuration mode, use the following command:
ipv6 prefix ipv6-prefix/prefix-length [ onvifusername username onvifpassword password ]

l ipv6-prefix/prefix-length – Specifies the IPv6 prefix and prefix length; the prefix length is in the range 1 to 128.

l username - Specifies the user name of the network video monitor device.

l password - Specifies the password of the user.

In the IoT admittance list configuration mode, use the command no ipv6 prefix ipv6-prefix/prefix-length to delete the IPv6 prefix of the network video monitor device from the admittance list.

Notes: When the specified IP already exists, the system reports an error.

Specifying IP Range

To add the IPv4 address range, user name and password of the network video monitor device to the admittance list, in the IoT admittance list configuration mode, use the following command:
ip range start-ip end-ip [ onvifusername username onvifpassword password ]

l start-ip - Specifies the start IP.

l end-ip - Specifies the end IP.

l username - Specifies the user name of the network video monitor device.

l password - Specifies the password of the user.

In the IoT admittance list configuration mode, use the command no ip range start-ip end-ip to delete the IP range of the network video monitor device from the admittance list.

To add the IPv6 address range, user name and password of the network video monitor device to the admittance list, in the IoT admittance list configuration mode, use the following command:
ipv6 range min-ipv6-address max-ipv6-address [ onvifusername username onvifpassword password ]

l min-ipv6-address – Specifies the start IPv6 address.

l max-ipv6-address – Specifies the end IPv6 address.

l username - Specifies the user name of the network video monitor device.

l password - Specifies the password of the user.

In the IoT admittance list configuration mode, use the command no ipv6 range min-ipv6-address
max-ipv6-address to delete the IPv6 address range of network video monitor device from the
admittance list.

Notes: When the specified IP range already exists, the system reports an error.

Configuring the MAC Admittance List

To add the MAC address of the network video monitor device to the admittance list, in the IoT admittance list configuration mode, use the following command:
mac mac-address

l mac-address- Specifies the MAC address.

In the IoT admittance list configuration mode, use the command no mac mac-address to
delete the MAC address of the network video monitor device from the admittance list.

Importing Admittance List

You can import the admittance list via the FTP or TFTP server. To import the admittance list, in
the execution mode, use the following commands:

import iot-monitor admittance-list list-name from { ftp server ip-address user user-name password password [ vrouter vrouter-name ] | tftp server ip-address [ vrouter vrouter-name ] | usb0 | usb1 } file-name

l list-name- Specifies the name of the target admittance list.

l ip-address- Specifies the IP address of FTP or TFTP server.

l user user-name password password - Specifies the user name and password of the FTP server.

l vrouter-name – Specifies the VRouter through which the FTP or TFTP server is reached. If the parameter is not specified, trust-vr is used.

l file-name - Specifies the name of the admittance list on the FTP or the TFTP server.

Configuring the IoT Monitor Profile

Creating IoT Monitor Profile

To create the IoT monitor profile and enter the configuration mode of IoT monitor profile, in the
global configuration mode, use the following command:
iot-monitor profile profile-name

l profile-name – Specifies the name of the IoT monitor profile and enters the configuration mode of the IoT monitor profile. If the specified name already exists, the system enters the configuration mode directly.

In the global configuration mode, use the command no iot-monitor profile profile-name to delete
the specified IoT monitor profile.

Notes: If the IoT monitor profile is bound to the zone, it cannot be deleted unless
it is unbound.

Binding Admittance List to the IoT Monitor Profile

To bind the created admittance list to the IoT monitor profile, in the configuration mode of IoT
monitor profile, use the following command:
iot-admittance-list list-name

l list-name - Specifies the name of the admittance list bound to the IoT monitor profile. Each
IoT monitor profile can only be bound with one admittance list.

In the configuration mode of IoT monitor profile, use the command no iot-admittance-list list-
name to unbind the admittance list.

Enabling/Disabling the End-point Identification

By default, end-point identification is enabled. When the function is enabled, the system actively probes the end-point IPs in the IoT monitor list and identifies the manufacturer and model of each network video monitoring device from the returned packets. The information is then displayed in the IoT monitor list.
End-point identification is triggered:

l when a new end-point IP is added to the IoT monitoring list;

l when the network video monitoring device logs in again;

l every 5 minutes while the network video monitoring device is online.

To disable the end-point identification, in the configuration mode of IoT monitor profile, use the
following command:
ipc-monitor iot-identify disable

To restore the end-point identification, in the configuration mode of IoT monitor profile, use the
following command:
no ipc-monitor iot-identify disable



Enabling/Disabling the End-point Behavior Monitor

When the function is enabled, the system checks whether device behavior is illegal. If illegal behavior is detected, the system can block the abnormal traffic or only record a log for it. By default, the function is enabled and the system blocks abnormal traffic.
To disable the end-point behavior monitor, in the configuration mode of IoT monitor profile, use
the following command:
ipc-monitor abnormal-behavior-monitor disable

To enable the end-point behavior monitor, and block or record logs of abnormal traffic, in the con-
figuration mode of IoT monitor profile, use the following command:
ipc-monitor abnormal-behavior-monitor enable action [log-only | block-ip]

l log-only - The system lets the traffic of the end-point device pass and records a log.

l block-ip - The system blocks the traffic of the end-point device.

To restore the default setting (enabled, with abnormal traffic blocked), in the configuration mode of IoT monitor profile, use the following command:
no ipc-monitor abnormal-behavior-monitor disable

Binding the IoT Monitor Profile to Zone

After the IoT monitor profile is bound to a zone, the traffic flowing through that zone is processed according to the profile configuration. To bind the IoT monitor profile to a zone, you need to enter the zone configuration mode first.
In the global configuration mode, use the following command to enter the zone configuration
mode:
zone zone-name

After entering the zone configuration mode, use the following command to bind the IoT monitor
profile to the zone:
iot-monitor enable profile-name



l profile-name - Specifies the name of the IoT monitor profile bound to the zone. Each zone
can only be bound with one IoT monitor profile.

In the zone configuration mode, use the following command to unbind the IoT monitor profile:
no iot-monitor enable
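
The whole procedure above (profile, admittance list, identification, behavior monitor, zone binding) is usually scripted when many zones are involved. The following Python script is an added example for this guide, not Hillstone code: it emits the CLI lines documented in this section from a small specification and enforces the binding rules stated here (one admittance list per profile, one profile per zone, and a profile must be unbound from every zone before it can be deleted). The profile, list and zone names are constructed, and the `exit` line used to leave a sub-configuration mode is an assumption.

```python
"""Emit a StoneOS IoT monitor configuration from a small spec.

Added example for this guide, not Hillstone code. It does not talk to a device;
it produces the CLI lines documented in this section and rejects specs that
violate the binding rules stated there. Names are constructed for illustration,
and "exit" is assumed to be the command that leaves a sub-configuration mode.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ACTIONS = {"log-only", "block-ip"}


@dataclass
class IotProfile:
    name: str
    admittance_list: Optional[str] = None        # each profile binds at most one list
    identify: bool = True                        # end-point identification, enabled by default
    behavior_action: Optional[str] = "block-ip"  # None disables the monitor; default is block


def profile_commands(p: IotProfile) -> List[str]:
    """CLI lines that create one IoT monitor profile, issued from global configuration mode."""
    if p.behavior_action is not None and p.behavior_action not in ACTIONS:
        raise ValueError(f"{p.name}: action must be one of {sorted(ACTIONS)}")
    cmds = [f"iot-monitor profile {p.name}"]
    if p.admittance_list:
        cmds.append(f"  iot-admittance-list {p.admittance_list}")
    if not p.identify:
        cmds.append("  ipc-monitor iot-identify disable")
    if p.behavior_action is None:
        cmds.append("  ipc-monitor abnormal-behavior-monitor disable")
    else:
        # enabled + block is the default, but stating it keeps the intent visible in the config
        cmds.append(f"  ipc-monitor abnormal-behavior-monitor enable action {p.behavior_action}")
    cmds.append("  exit")
    return cmds


def zone_commands(bindings: Dict[str, str], profiles: Dict[str, IotProfile]) -> List[str]:
    """Bind profiles to zones. The dict is keyed by zone, so a zone can never carry two profiles."""
    cmds: List[str] = []
    for zone, prof in bindings.items():
        if prof not in profiles:
            raise ValueError(f"zone {zone}: unknown IoT monitor profile {prof!r}")
        cmds += [f"zone {zone}", f"  iot-monitor enable {prof}", "  exit"]
    return cmds


def delete_profile_commands(name: str, bindings: Dict[str, str]) -> List[str]:
    """A bound profile cannot be deleted: unbind it from every zone first, then remove it."""
    cmds: List[str] = []
    for zone, prof in bindings.items():
        if prof == name:
            cmds += [f"zone {zone}", "  no iot-monitor enable", "  exit"]
    cmds.append(f"no iot-monitor profile {name}")
    return cmds


def build_config(profiles: Dict[str, IotProfile], bindings: Dict[str, str]) -> List[str]:
    """Full configuration: profiles first, then zone bindings (a zone can only bind an existing profile)."""
    cmds: List[str] = []
    for p in profiles.values():
        cmds += profile_commands(p)
    cmds += zone_commands(bindings, profiles)
    return cmds


if __name__ == "__main__":
    # Constructed example: cameras in zone "cctv" are audited only; the NVR zone blocks abnormal traffic.
    profiles = {
        "cctv-audit": IotProfile("cctv-audit", admittance_list="cctv-allow", behavior_action="log-only"),
        "nvr-block": IotProfile("nvr-block", admittance_list="nvr-allow"),
    }
    bindings = {"cctv": "cctv-audit", "nvr": "nvr-block"}
    print("\n".join(build_config(profiles, bindings)))
    print("\n".join(delete_profile_commands("cctv-audit", bindings)))
```

Keeping the zone-to-profile map keyed by zone is what makes the "one profile per zone" rule impossible to violate by construction; the deletion helper exists because the guide's note that a bound profile cannot be deleted is easy to trip over when a profile is replaced in bulk.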

Deleting IoT Monitor List Entry

To delete all or the specified IoT monitor list entries, in any mode, use the following command:
exec iot-monitor delete iot-monitor-list [ip ip-address | ipv6 ipv6-address] [vrouter vr-name | vswitch vs-name] [manufacturer {hikivison | dahua | uniview | other}] [type {nvr | ipc | other}] [status {online | offline}] [trust {y | n}]

l ip-address - Deletes the IoT monitor list entries of the specified IP address.

l ipv6 ipv6-address - Deletes the IoT monitor list entries of the specified IPv6 address.

l vr-name - Deletes the IoT monitor list entries of the specified VRouter.

l vs-name - Deletes the IoT monitor list entries of the specified VSwitch.

l manufacturer {hikivison | dahua | uniview | other} - Deletes the IoT monitor list entries of the specified manufacturer: hikivison, dahua, uniview or other.

l type {nvr | ipc | other} - Deletes the IoT monitor list entries of the specified device type: nvr, ipc or other.

l status {online | offline} - Deletes the IoT monitor list entries of the specified status: online or offline.

l trust {y | n} - Deletes the IoT monitor list entries of the specified trust status. y means trusted and n means untrusted.



Modifying IoT Monitor List Entry

To modify the IoT monitor list entries, in any mode, use the following command:
exec iot-monitor modify iot-monitor-list {ip ip-address | ipv6 ipv6-address} {vrouter vr-name | vswitch vs-name} [manufacturer {hikivison | dahua | uniview | other}] [type {nvr | ipc | other}] [model model-name] [trust {y | n}]

l ip-address - Modifies the IoT monitor list entry of the specified IP address.

l ipv6 ipv6-address - Modifies the IoT monitor list entry of the specified IPv6 address.

l vr-name - Specifies the VRouter of the IP address.

l vs-name - Specifies the VSwitch of the IP address.

l manufacturer {hikivison | dahua | uniview | other} - Modifies the manufacturer of the IoT monitor list entry of the specified IP address: hikivison, dahua, uniview or other.

l type {nvr | ipc | other} - Modifies the device type of the IoT monitor list entry of the specified IP address: nvr, ipc or other.

l model-name - Modifies the device model of the IoT monitor list entry of the specified IP address.

l trust {y | n} - Modifies the trust status of the IoT monitor list entry of the specified IP address. y means trusted and n means untrusted.

Viewing Admittance List Information

To view the admittance list information, in any mode, use the following command:
show iot-monitor admittance-list list-name [ip-entry | ip-mac-entry | mac-entry]

l list-name - Displays the admittance list information of the specified name.

l ip-entry - Displays the admittance list information of IP type.



l ip-mac-entry - Displays the admittance list entries of IP/MAC type.

l mac-entry - Displays the admittance list entries of MAC type.

Viewing IoT Monitor Profile Information

To view the IoT monitor profile information, in any mode, use the following command:
show iot-monitor profile profile-name

l profile-name - Displays the information of the specified IoT monitor profile. If the parameter
is not specified, all information related to IoT monitor profiles will be displayed.

Viewing the IoT Monitor List Information

To view the whole or the specified IoT monitor list information, in any mode, use the following
command:
show iot-monitor-list [ip ip-address | ipv6 ipv6-address] [vrouter vr-name | vswitch vs-name] [manufacturer {hikivison | dahua | uniview | other}] [type {nvr | ipc | other}] [status {online | offline}] [trust {y | n}]

l ip-address - Displays the IoT monitor list information of the specified IP address.

l ipv6 ipv6-address - Displays the IoT monitor list information of the specified IPv6 address.

l vr-name - Displays the IoT monitor list information of the specified VRouter.

l vs-name - Displays the IoT monitor list information of the specified VSwitch.

l manufacturer {hikivison | dahua | uniview | other} - Displays the IoT monitor list inform-
ation of the specified manufacturers, including hikivison, dahua, uniview and other.

l type {nvr | ipc | other} - Displays the IoT monitor list information of the specified device
type, including nvr, ipc and other.



l status {online | offline} - Displays the IoT monitor list information of the specified status,
including online and offline.

l trust {y | n} - Displays the IoT monitor list information of the specified trust status. y means trusted and n means untrusted.

Viewing IoT Monitor List Statistics

To view the distribution of network video monitoring devices by manufacturer and type, together with detailed statistics such as device count, IP address, MAC address, upstream/downstream traffic, IoT profile and device status, in any mode, use the following command:
show iot-monitor-list statistic



Chapter 13 Data Security & URL Filtering
The chapter introduces the following topics:

l "Data Security" on Page 2084 describes the data security functions included in the system,
including content filtering, file filtering, online behavior auditing, and log management.

l "Object Configuration" on Page 2133 describes the public Data Security configurations that
are used for configuring Data Security rules.

l "URL Filtering" on Page 2147 explains how to configure the URL filtering function to control
the access to some websites.

l "SSL Proxy" on Page 2156 describes how to configure the SSL proxy function in two typical
scenarios to decrypt HTTPS traffic.



Data Security

Overview
The boom in Internet access has brought significant convenience to people's work and life. However, the problems that come with it, such as bandwidth misuse, low productivity, information leakage, legal risk and security exposure, are also becoming increasingly prominent. For example, in some enterprises employees chat online or browse forums during office hours, or disclose confidential information in email; in public places such as Internet cafés, users visit illegal websites, post irresponsible content, or even take part in illegal network activity.
To address these problems, the system provides the Data Security function to control and audit network behavior and to inspect transmitted files, making more effective use of Internet resources.

Introduction to Data Security


The Data Security function of StoneOS allows you to flexibly configure control rules for different users, network behaviors and schedules, and to inspect transmitted files, in order to comprehensively control and audit (through behavior logs) users' network behavior.
StoneOS Data Security includes the following features. The main functions and their descriptions are listed in the table below.

l Content filter

l File content filter

l Web Content

l Web posting

l Email filter

l APP behavior control



l Network Behavior Record

l IM

l Web Surfing Record

l File filter

l Log management

Function: Content Filter

l File Content Filter - Detects sensitive keywords carried in the content of files of the specified protocol type and file type, and can log or block them.

l URL keyword (Web Content) - Controls the network behavior of visiting webpages (including webpages encrypted with HTTPS) that contain certain keywords, and logs the actions.

l Web posting - Controls the network behavior of posting on websites (including webpages encrypted with HTTPS) and of posting specific keywords, and logs the postings.

l Email filter - Controls and audits SMTP/POP3/IMAP mail: all the behaviors of sending emails, and the behaviors of sending emails that contain a specific sender, recipient, keyword or attachment.

l APP behavior control - Controls and audits the actions of HTTP, FTP and TELNET applications: FTP content and methods (Login, Get and Put); HTTP methods (Connect, Get, Put, Head, Options, Post and Trace); and request content initiated by the TELNET client.

Function: Network Behavior Record

l IM - Audits QQ, WeChat and Sina Weibo user behaviors.

l Web Surfing Record - Logs web access behaviors.

Function: File filter

l Checks the files transferred over the HTTP, FTP, SMTP, IMAP, POP3 and SMB protocols and controls them according to the file filter rules.

Function: Log management

l A rich Data Security log export and storage solution; combined with HSM, it allows in-depth log statistics and audit analysis.



Content Filter
Content Filter includes the following features.

l File Content Filter

l Web Content

l Web posting

l Email filter

l APP behavior control

If IPv6 is enabled, the Content Filter function supports content detection and behavior control over IPv6. For more information about how to enable IPv6, see IPv6.

File Content Filter

The file content filter function detects sensitive keywords carried in the content of files of the specified protocol type and file type, and can log or block them. For example, the content of doc files downloaded over HTTP is inspected, and a log is recorded for files containing mobile phone numbers.

Configuring File Content Filter via CLI

The file content filter function is mainly implemented by binding a profile to a policy rule. Once the file content filter profile is bound to a policy rule, the system processes the traffic that matches the rule according to the profile configuration. The system also supports binding the file content filter profile to a ZTNA policy to perform file content detection and processing on the traffic matching the ZTNA policy. For configuration information, refer to Configuring ZTNA Policy.
To configure the file content filter via CLI, take the following steps:



1. Create a file content filter profile, and specify the file type, protocol type, direction,
keyword category and action in the profile.

2. Bind the file content filter profile to an appropriate policy rule or a zone.

Creating a File Content Filter Profile

You need to specify the file type, protocol type, direction, keyword category and action in the file content filter profile. To create a file content filter profile, in the global configuration mode, use the following command:
file-contentfilter-profile profile-name

l profile-name - Specifies the name of the file content filter profile, and enter the configuration
mode of the file content filter profile. If the specified name exists, the system will directly
enter the file content filter profile configuration mode. To delete the specified file content fil-
ter profile, in the global configuration mode, use the command no file-contentfilter-profile pro-
file-name.

Specifying the File Type

To specify the file type that will be filtered, in the file content filter profile configuration mode,
use the following command:
file-type {txt | doc | docx | ppt | pptx | xls | xlsx}

l txt | doc | docx | ppt | pptx | xls | xlsx - Specifies the file type that will be filtered. Cur-
rently supported file types are: txt, doc, docx, ppt, pptx, xls, xlsx.

Repeat the command to add more file types.


To cancel the specified the file type, in the file content filter profile configuration mode, use the
command no file-type {txt | doc | docx | ppt | pptx | xls | xlsx}.



Specifying the Keyword Category and Action

To specify the keyword category that will be filtered and the corresponding action, in the file con-
tent filter profile configuration mode, use the following command:
keyword-category keyword-category-name action {block | log-only}

l keyword-category-name - Specifies the keyword category that will be filtered. It can be a cus-
tom keyword category or a predefined keyword category. For more information about
keyword category, see Keyword Category.

l block – Blocks the transmission of files containing content of the specified keyword category and records a log.

l log-only – Logs the transfer of files containing content of the specified keyword category without blocking it.

Repeat the command to add more keyword categories and actions.


To cancel the specified the keyword category and action, in the file content filter profile con-
figuration mode, use the command no keyword-category keyword-category-name .

Specifying the Protocol Type and Direction

To specify the protocol type and direction, in the file content filter profile configuration mode,
use the following command:
protocol-type {ftp | http | imap4 | pop3 | smb | smtp} direction {both | download | upload}

l ftp | http | imap4 | pop3 | smb | smtp - Specifies the protocol type.

l direction {both | download | upload} - Specifies the direction: both (bidirectional), download, or upload. HTTP, FTP and SMB support download, upload and both; SMTP supports only upload; POP3 and IMAP4 support only download.

To cancel the specified protocol type and direction, in the file content filter profile configuration mode, use the command no protocol-type.
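
The protocol/direction matrix above is where file content filter profiles most often go wrong (an SMTP profile set to download silently inspects nothing). The following Python script is an added example for this guide, not Hillstone code: it validates a profile specification against the constraints stated in this section (supported file types, the two keyword actions, and the directions each protocol accepts) and emits the documented CLI lines for the profile and its policy-rule binding. It emits a single protocol-type line per profile, because the guide does not state that the command can be repeated. Profile, rule and keyword-category names are constructed, and the `exit` lines are assumed.

```python
"""Validate and emit a StoneOS file content filter profile.

Added example for this guide, not Hillstone code. It encodes the constraints
stated in this section: the supported file types, the two keyword actions, and
the directions each protocol accepts (SMTP upload only, POP3/IMAP4 download
only, HTTP/FTP/SMB any). A wrong combination is rejected before it reaches a
device. Profile, rule and category names are constructed; "exit" is assumed.
"""
from typing import Dict, Iterable, List

FILE_TYPES = {"txt", "doc", "docx", "ppt", "pptx", "xls", "xlsx"}
KEYWORD_ACTIONS = {"block", "log-only"}
ALLOWED_DIRECTIONS = {
    "http": {"both", "download", "upload"},
    "ftp": {"both", "download", "upload"},
    "smb": {"both", "download", "upload"},
    "smtp": {"upload"},     # mail only ever leaves over SMTP
    "pop3": {"download"},   # mail only ever arrives over POP3/IMAP4
    "imap4": {"download"},
}


def check_protocol_direction(protocol: str, direction: str) -> None:
    """Raise ValueError unless the pair is one the guide lists for protocol-type ... direction ..."""
    if protocol not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    allowed = ALLOWED_DIRECTIONS[protocol]
    if direction not in allowed:
        raise ValueError(f"{protocol} does not support direction {direction!r}; allowed: {sorted(allowed)}")


def file_contentfilter_profile(name: str, file_types: Iterable[str],
                               keyword_actions: Dict[str, str],
                               protocol: str, direction: str) -> List[str]:
    """CLI lines creating the profile, issued from global configuration mode."""
    cmds = [f"file-contentfilter-profile {name}"]
    for ft in file_types:
        if ft not in FILE_TYPES:
            raise ValueError(f"unsupported file type {ft!r}")
        cmds.append(f"  file-type {ft}")  # repeatable: one type per line
    for category, action in keyword_actions.items():
        if action not in KEYWORD_ACTIONS:
            raise ValueError(f"{category}: action must be block or log-only")
        cmds.append(f"  keyword-category {category} action {action}")
    check_protocol_direction(protocol, direction)
    cmds.append(f"  protocol-type {protocol} direction {direction}")
    cmds.append("  exit")  # assumed: return to global configuration mode
    return cmds


def bind_to_rule(rule_id: int, profile: str) -> List[str]:
    """Bind the profile to a policy rule: policy-global -> rule id -> file-contentfilter."""
    return ["policy-global", f"  rule id {rule_id}",
            f"    file-contentfilter {profile}", "    exit", "  exit"]


if __name__ == "__main__":
    # Constructed example: office documents uploaded over HTTP are logged when they
    # carry phone numbers and blocked when they carry ID-card numbers.
    print("\n".join(file_contentfilter_profile(
        "doc-exfil", ["doc", "docx", "xlsx"],
        {"kw-phone": "log-only", "kw-idcard": "block"}, "http", "upload")))
    print("\n".join(bind_to_rule(10, "doc-exfil")))
```

Running the validator before pushing configuration catches the combinations the device may accept syntactically but that never match traffic, such as a POP3 profile with direction upload.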



Binding the File Content Filter Profile to a Policy Rule

After binding the file content filter profile to a policy rule, the system will process the traffic that
is matched to the rule according to the profile configuration. To bind the file content filter profile
to a policy rule, enter the policy rule configuration mode in two steps. First, in the global con-
figuration mode, use the following command to enter the policy configuration mode:
policy-global
Then, in the policy configuration mode, use the following command to enter the policy rule con-
figuration mode:
rule [ id id-number ]
To bind the file content filter profile to a policy rule, in the policy rule configuration mode, use
the following command:
file-contentfilter profile-name

l profile-name - Specifies the name of file content filter profile that will be bound.

Binding the File Content Filter Profile to a Security Zone

If the file content filter profile is bound to a security zone, the system will detect the traffic
destined to the specified security zone based on the profile configuration. If the policy rule is
bound with a file content filter profile, and the destination zone of the policy rule is also bound
with a file content filter profile, then the file content filter profile bound to the policy rule will be
valid.
To bind the file content filter profile to a security zone, in the security zone configuration mode,
use the following command:
file-contentfilter enable profile-name

l profile-name – Specifies the name of the file content filter profile that will be bound to the
security zone. One security zone can only be bound with one file content filter profile.

To cancel the binding settings, in the security zone configuration mode, use the following com-
mand:
no file-contentfilter enable



Viewing File Content Filter Profile Information

To view the file content filter profile information, in any mode, use the following command:
show file-contentfilter-profile [ profile-name ]

l profile-name – Shows the specified file content filter profile information. If this parameter is
not specified, the command will show the information of all the file content filter profiles.

Web Content

The web content function is designed to control the network behavior of visiting the webpages
that contain certain keywords, and log the actions. For example, you can configure to block the
access to webpage that contains the keyword "gamble", and record the access action and content
in the log.

Configuring Web Content via CLI

The Web content function is mainly implemented by binding a profile to a policy rule. Once the
Web content profile is bound to a policy rule, the system will process the traffic that is matched
to the rule according to the profile configuration.
To configure Web content via CLI, take the following steps:

1. Create a Web content profile, and specify the keyword category, action and control range in
the profile. You can also configure to exclude HTML tags from the Web content.

2. Bind the Web content profile to an appropriate policy rule or a zone.

Creating a Web Content Profile

You need to specify the keyword category, action and control range in the Web content profile.
To create a Web content profile, in the global configuration mode, use the following command:
contentfilter-profile profile-name

l profile-name - Specifies the name of the Web content profile, and enters the configuration mode of the Web content profile. If the specified name exists, the system directly enters the Web content profile configuration mode. To delete the specified Web content profile, in the global configuration mode, use the command no contentfilter-profile profile-name.

Specifying the Keyword Category and Action

To specify the keyword category that will be filtered and the corresponding action, in the Web
content profile configuration mode, use the following command:
keyword-category keyword-category-name {[block] [log]}

l keyword-category-name - Specifies the keyword category that will be filtered. It can be a cus-
tom keyword category or a predefined keyword category. For more information about
keyword category, see Keyword Category.

l block – Blocks access to the website that contains the specified keyword.

l log – Logs access to the website that contains the specified keyword.

Repeat the command to add more keyword categories and actions.


To cancel the specified the keyword category and action, in the Web content profile configuration
mode, use the command no keyword-category keyword-category-name.

Specifying the Control Range

The system will only control the keyword within the specified websites. To specify the control
range, in the Web content profile configuration mode, use the following command:
url-category { all | url-category-name }

l all | url-category-name – Specifies the URL category that will be controlled. It can be all the
URL categories (all) or a specific URL category (url-category-name). For more information
about how to create a URL category, see Specifying a HTTP Proxy Server.

Repeat the command to add more URL categories.


To cancel the specified URL category, in the Web content profile configuration mode, use the command no url-category {all | url-category-name}.



Excluding HTML Tags

By default the system with Web content enabled will not only filter the content displayed in the
webpage, but also filter the codes in the HTML tag. To exclude the HTML tags from the filtering,
in the Web content profile configuration mode, use the following command:
exclude-html-tag
To restore to the default value, in the Web content profile configuration mode, use the following
command:
no exclude-html-tag

Notes: This function only takes effect when the HTML content type is set to tex-
t/html, i.e., content="text/html".

Binding the Web Content Profile to a Policy Rule

After binding the Web content profile to a policy rule, the system will process the traffic that is
matched to the rule according to the profile configuration. To bind the Web content profile to a
policy rule, enter the policy rule configuration mode in two steps. First, in the global con-
figuration mode, use the following command to enter the policy configuration mode:
policy-global
Then, in the policy configuration mode, use the following command to enter the policy rule con-
figuration mode:
rule [ id id-number ]
To bind the Web content profile to a policy rule, in the policy rule configuration mode, use the
following command:
contentfilter profile-name

l profile-name - Specifies the name of Web content profile that will be bound.



Binding the Web Content Profile to a Security Zone

If the Web content profile is bound to a security zone, the system will detect the traffic destined
to the specified security zone based on the profile configuration. If the policy rule is bound with a
Web content profile, and the destination zone of the policy rule is also bound with a Web content
profile, then the Web content profile bound to the policy rule will be valid.
To bind the Web content profile to a security zone, in the security zone configuration mode, use
the following command:
contentfilter enable profile-name

l profile-name – Specifies the name of the Web content profile that will be bound to the secur-
ity zone. One security zone can only be bound with one Web content profile.

To cancel the binding settings, in the security zone configuration mode, use the following com-
mand:
no contentfilter enable

Viewing Web Content Profile Information

To view the Web content profile information, in any mode, use the following command:
show contentfilter-profile [ profile-name ]

l profile-name – Shows the specified Web content profile information. If this parameter is not
specified, the command will show the information of all the Web content profiles.

Web Posting

The web posting function is designed to control the network behavior of posting on websites and
posting specific keywords, and can log the posting action and posted content. For example, forbid
the users to post information containing the keyword X, and record the action log.

Configuring Web Posting via CLI

The Web posting function can be configured via CLI by binding a profile to a policy rule. Once the Web posting profile is bound to a policy rule, the system processes the matching traffic according to the profile configuration.
To configure Web posting via CLI, take the following steps:

1. Create a Web posting profile, and specify the control type, action and control range in the
profile.

2. Bind the Web posting profile to an appropriate policy rule or a zone.

Creating a Web Posting Profile

You need to specify control type, action and control range in the Web posting profile. To create a
Web posting profile, in the global configuration mode, use the following command:
webpost-profile profile-name

l profile-name - Specifies the name of the Web posting profile, and enter the configuration
mode of the Web posting profile. If the specified name exists, the system will directly enter
the Web posting profile configuration mode.

Specifying the Control Type and Action of Web Posting

You can control all the posting information, or only control the posting information with specific
keyword.
To control all the posting information and specify the action, in the Web posting profile con-
figuration mode, use the following command:
webpost all [block] [log]

l block – Blocks all the posting actions.

l log – Logs all the posting actions.

To cancel the specified control type, in the Web posting profile configuration mode, use the com-
mand no webpost all.
To control the posting information with specific keyword and specify the action, in the Web post-
ing profile configuration mode, use the following command:
keyword-category keyword-category-name {[block] [log]}



l keyword-category-name - Specifies the keyword category that will be filtered. It can be a cus-
tom keyword category or a predefined keyword category. For more information about
keyword category, see Keyword Category.

l block – Blocks postings that contain the specified keywords.

l log – Logs postings that contain the specified keywords.

Repeat the command to specify more keyword categories and actions.


To cancel the specified keyword category and action, in the Web posting profile configuration
mode, use the command no keyword-category keyword-category-name.

Specifying the Control Range

The system will only control the postings within the specified websites. To specify the control
range, in the Web posting profile configuration mode, use the following command:
url-category { all | url-category-name }

l all | url-category-name – Specifies the URL category that will be controlled. It can be all the URL categories (all) or a specific URL category (url-category-name). For more information about how to create a URL category, see Specifying a HTTP Proxy Server.

Repeat the command to add more URL categories.


To cancel the specified URL category, in the Web posting profile configuration mode, use the
command no url-category {all | url-category-name}.

Binding the Web Posting Profile to a Policy Rule

After binding the Web posting profile to a policy rule, the system will process the traffic that is
matched to the rule according to the profile configuration. To bind the Web posting profile to a
policy rule, enter the policy rule configuration mode in two steps. First, in the global con-
figuration mode, use the following command to enter the policy configuration mode:
policy-global



Then, in the policy configuration mode, use the following command to enter the policy rule con-
figuration mode:
rule [id id-number]
To bind the Web posting profile to a policy rule, in the policy rule configuration mode, use the fol-
lowing command:
webpost profile-name

l profile-name - Specifies the name of Web posting profile that will be bound.

Binding the Web Posting Profile to a Security Zone

If the Web posting profile is bound to a security zone, the system will detect the traffic destined
to the specified security zone based on the profile configuration. If the policy rule is bound with a
Web posting profile, and the destination zone of the policy rule is also bound with a Web posting
profile, then the Web posting profile bound to the policy rule will be valid.
To bind the Web posting profile to a security zone, in the security zone configuration mode, use
the following command:
webpost enable profile-name

l profile-name – Specifies the name of the Web posting profile that will be bound to the secur-
ity zone. One security zone can only be bound with one Web posting profile.

To cancel the binding settings, in the security zone configuration mode, use the following com-
mand:
no webpost enable
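
The same precedence rule is stated for the file content filter, Web content and Web posting profiles: a profile bound to a security zone inspects traffic destined to that zone, and a profile bound to the matching policy rule takes precedence over it. The following Python model is an added example for this guide, not Hillstone code, that resolves which profile of each kind actually applies to a flow, which is useful when auditing a policy set edited by several people. Top-down first-match rule lookup on source and destination zone, the `any` zone value, and the treatment of traffic matching no permit rule as uninspected are simplifications of the policy engine and are assumptions here; all names are constructed.

```python
"""Resolve the effective Data Security profiles for a flow.

Added example for this guide, not Hillstone code. It applies the precedence rule
stated for file content filter, Web content and Web posting profiles: a profile
bound to a security zone inspects traffic destined to that zone, and when the
matching policy rule carries a profile of the same kind, the rule's profile is
the one that applies. Rule matching is simplified to top-down first match on
source and destination zone (assumed), and traffic that matches no permit rule
is treated as not inspected (assumed). Names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# policy-rule keyword -> zone-binding command, as documented in these sections
FEATURES = {
    "file-contentfilter": "file-contentfilter enable",
    "contentfilter": "contentfilter enable",
    "webpost": "webpost enable",
}


@dataclass
class Rule:
    rule_id: int
    src_zone: str
    dst_zone: str
    action: str = "permit"
    profiles: Dict[str, str] = field(default_factory=dict)  # feature -> profile name


@dataclass
class Zone:
    name: str
    profiles: Dict[str, str] = field(default_factory=dict)  # feature -> profile name (one each)

    def bind(self, feature: str, profile: str) -> None:
        """Model '<feature> enable profile-name' in zone mode: one profile of each kind per zone."""
        if feature not in FEATURES:
            raise ValueError(f"unknown feature {feature!r}")
        if feature in self.profiles:
            raise ValueError(f"zone {self.name} already binds a {feature} profile; unbind it first")
        self.profiles[feature] = profile


def first_match(rules: List[Rule], src_zone: str, dst_zone: str) -> Optional[Rule]:
    """Top-down first match on zones (simplified; real rules also match address, service, user)."""
    for r in rules:
        if r.src_zone in (src_zone, "any") and r.dst_zone in (dst_zone, "any"):
            return r
    return None


def effective_profiles(rules: List[Rule], zones: Dict[str, Zone],
                       src_zone: str, dst_zone: str) -> Dict[str, Optional[str]]:
    """Which profile of each kind inspects a flow; None means that kind of inspection does not apply."""
    rule = first_match(rules, src_zone, dst_zone)
    if rule is None or rule.action != "permit":
        return {f: None for f in FEATURES}
    zone_profiles = zones[dst_zone].profiles if dst_zone in zones else {}
    # the rule's profile wins; the destination zone's profile fills in where the rule has none
    return {f: rule.profiles.get(f) or zone_profiles.get(f) for f in FEATURES}


if __name__ == "__main__":
    untrust = Zone("untrust")
    untrust.bind("contentfilter", "cf-zone-default")
    untrust.bind("webpost", "wp-zone-default")
    rules = [
        Rule(1, "trust", "untrust", profiles={"contentfilter": "cf-staff"}),
        Rule(2, "guest", "untrust"),
        Rule(3, "any", "any", action="deny"),
    ]
    zones = {"untrust": untrust}
    print(effective_profiles(rules, zones, "trust", "untrust"))
    print(effective_profiles(rules, zones, "guest", "untrust"))
```

In the constructed example, staff traffic to untrust is inspected by the rule-bound cf-staff profile while still getting the zone's Web posting profile, and guest traffic falls back to the zone's default Web content profile; running such a resolver over every source/destination zone pair shows which flows have no content inspection at all.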

Viewing Web Posting Profile Information

To view the Web posting profile information, in any mode, use the following command:
show webpost-profile [profile-name]

l profile-name – Shows the specified Web posting profile information. If this parameter is not
specified, the command will show the information of all the Web posting profiles.



Email Filter

The email filter function is designed to control the emails and record logs according to the sender,
receiver, email content and attachment when sending emails via SMTP, and control the receiving
actions according to the email content when receiving emails via POP3 and IMAP.

Configuring Email Filter via CLI

The email filter can be configured via CLI by binding a profile to a policy rule. Once the email fil-
ter profile is bound to a policy rule, the system will process the traffic that is matched to the rule
according to the profile configuration.
To configure email filter via CLI, take the following steps:

1. Create an email filter profile, and specify the control type, action, controlled mailbox and
mailbox exception in the profile.

2. Bind the email filter profile to an appropriate policy rule or a zone.

Creating a Mail Filter Profile

You need to specify control type, action, controlled mailbox and mailbox exception in the email
filter profile. To create an email filter profile, in the global configuration mode, use the following
command:
mail-profile profile-name

l profile-name - Specifies the name of the email filter profile, and enter the configuration mode
of the email filter profile. If the specified name exists, the system will directly enter the email
filter profile configuration mode.

To delete the specified email filter profile, in the global configuration mode, use the command no
mail-profile profile-name.



Specifying the Control Type

By default the email filter profile applies to all the supported mail protocols. To specify the control type, in the email filter profile configuration mode, use the following command:
mail control {smtp | pop3 | imap}

l smtp - Specifies that SMTP mail is controlled.

l pop3 - Specifies that POP3 mail is controlled.

l imap - Specifies that IMAP mail is controlled.

To cancel the specified control type, in the email filter profile configuration mode, use the command no mail control {smtp | pop3 | imap}.

Controlling All the Emails and Specifying the Action

To control all the emails and specify the action, in the email filter profile configuration mode, use
the following command:
mail any [log]

l log – Logs all the behaviors of sending emails.

To cancel the specified action, in the email filter profile configuration mode, use the command no
mail any.

Specifying the Sender/Recipient and Action

To specify the sender/recipient that will be controlled and the corresponding action, in the email
filter profile configuration mode, use the following command:
mail {sender | recipient} email-address [block] [log]

l sender | recipient – Specifies to control the sender or recipient.

l email-address – Specifies the email address of the sender or recipient.


l block – Blocks the emails that contain the specified sender or recipient.

l log – Logs the behaviors of sending emails that contain the specified sender or recipient.

Repeat the command to specify more senders/recipients and the corresponding actions.
To cancel the specified sender/recipient and action, in the email filter profile configuration mode,
use the command no {sender | recipient} email-address.

Specifying the Keyword Category and Action

To control the email that contains the specified keyword category and the corresponding action,
in the email filter profile configuration mode, use the following command:
keyword-category keyword-category-name {[block] [log]}

l keyword-category-name - Specifies the keyword category that will be filtered. It can be a custom keyword category or a predefined keyword category. For more information about keyword category, see Keyword Category.

l block – Blocks the emails that contain the specified keyword(s).

l log – Logs the behaviors of sending emails that contain the specified keyword(s).

Repeat the command to specify more keyword categories and actions.


To cancel the specified keyword category and the corresponding action, in the email filter profile
configuration mode, use the command no keyword-category keyword-category-name.

Specifying the Control Type

To specify the control type, in the email filter profile configuration mode, use the following command:
mail enable {sender | recipient | attach | keyword-category}

l sender | recipient | attach | keyword-category – Specifies the control type to enable: sender, recipient, attachment or keyword category.


To disable the specified control type, in the email filter profile configuration mode, use the command no mail enable {sender | recipient | attach | keyword-category}.

Specifying the Action for other emails

Other emails refer to the emails that do not match any of the specified conditions (including
sender, recipient, keyword category and attachment). To specify the action for other emails, in the
email filter profile configuration mode, use the following command:
mail others [block] [log]

l block – Blocks other emails.

l log – Logs the behaviors of sending other emails.

To cancel the specified action for other emails, in the email filter profile configuration mode, use
the command no mail others.

Specifying the Account Exception

The account exception, either a sender or a recipient account, is not controlled by the email filter
rule. To specify an account exception, in the email filter profile configuration mode, use the following command:
mail whitelist mail-address

l mail-address – Specifies the email address of the exception account.

Repeat the command to specify more account exceptions.


To remove the specified account from the whitelist, in the email filter profile configuration mode,
use the command no mail whitelist mail-address.

Binding the Email Filter Profile to a Policy Rule

After binding the email filter profile to a policy rule, the system will process the traffic that is
matched to the rule according to the profile configuration. To bind the email filter profile to a
policy rule, enter the policy rule configuration mode in two steps. First, in the global configuration mode, use the following command to enter the policy configuration mode:
policy-global


Then, in the policy configuration mode, use the following command to enter the policy rule configuration mode:
rule [id id-number]

To bind the email filter profile to a policy rule, in the policy rule configuration mode, use the following command:
mail profile-name

l profile-name - Specifies the name of email filter profile that will be bound.
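A complete email filter configuration, added here as an example and not taken from the guide itself, walks the two steps above (create the profile, bind it to a policy rule) using only the commands in this section. The profile name rd-mail-filter, the two mail addresses, the keyword category name confidential (assumed to already exist as a custom or predefined keyword category) and policy rule 10 (assumed to already exist with its match conditions configured) are constructed for the example. The exit command is assumed to return to the previous configuration mode as described in the CLI chapter, and lines beginning with # are annotations, not CLI input.

```text
# Step 1: create the profile (global configuration mode); this also enters
# the email filter profile configuration mode
mail-profile rd-mail-filter
  # Control only mail sent via SMTP; POP3 and IMAP retrieval stay unfiltered
  mail control smtp
  # Block and log mail addressed to the constructed external recipient
  mail recipient [email protected] block log
  # Block and log mail whose content hits the "confidential" keyword category
  keyword-category confidential block log
  # Turn on the two control types the rules above rely on
  mail enable recipient
  mail enable keyword-category
  # Mail that matches none of the conditions is allowed but logged
  mail others log
  # The compliance mailbox is exempt from the whole profile
  mail whitelist [email protected]
exit
# Step 2: bind the profile to policy rule 10
policy-global
  rule id 10
    mail rd-mail-filter
  exit
exit
# Verify the profile and its control types
show mail-profile rd-mail-filter
show mail-object mail-profile rd-mail-filter
```

Because mail others is set to log rather than block, the profile records everything it does not explicitly stop; changing it to mail others block turns the profile into an allow-list where only whitelisted accounts and unmatched traffic types pass, which is the stricter posture but needs the exception list to be complete first.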

Binding the Email Filter Profile to a Security Zone

If the email filter profile is bound to a security zone, the system will detect the traffic destined to the specified security zone based on the profile configuration. If the policy rule is bound with an email filter profile, and the destination zone of the policy rule is also bound with an email filter profile, then the email filter profile bound to the policy rule takes effect.
To bind the email filter profile to a security zone, in the security zone configuration mode, use
the following command:
mail enable profile-name

l profile-name – Specifies the name of the email filter profile that will be bound to the security
zone. One security zone can only be bound with one email filter profile.

To cancel the binding settings, in the security zone configuration mode, use the following command:
no mail enable

Viewing Email Filter Profile Information

To view the email filter profile information, in any mode, use the following command:
show mail-profile [ profile-name ]

l profile-name – Shows the specified email filter profile information. If this parameter is not
specified, the command will show the information of all the email filter profiles.


To view the control type information, in any mode, use the following command:
show mail-object [mail-profile profile-name]

l mail-profile profile-name – Shows the control type information of the specified email filter profile. If this parameter is not specified, the command will show all the control type information.

APP Behavior Control

The app behavior control function is designed to control and audit (record log messages) the
actions of HTTP, TELNET and FTP applications, including:

l Control and audit the FTP contents and methods, including Login, Get, and Put;

l Control and audit the HTTP methods, including Connect, Get, Put, Head, Options, Post, and
Trace;

l Control and audit the request content initiated by the TELNET client.

Configuring APP Behavior Control via CLI

The application behavior control function is mainly implemented by binding a profile to a policy rule. Once the application behavior control profile is bound to a policy rule, the system will process the traffic that is matched to the rule according to the profile configuration.
To configure the application behavior control via CLI, take the following steps:

1. Create an application behavior control profile, and specify the FTP, HTTP and TELNET applications that will be controlled and the corresponding actions in the profile.

2. Bind the application behavior control profile to an appropriate policy rule or a zone.

Creating an APP Behavior Control Profile

You need to specify the FTP, HTTP and TELNET applications that will be controlled and the corresponding actions in the application behavior profile. To create an application behavior control profile, in the global configuration mode, use the following command:
behavior-profile profile-name

l profile-name - Specifies the name of the application behavior control profile and enters the configuration mode of the profile. If the specified name exists, the system will directly enter the application behavior control profile configuration mode.

To delete the specified application behavior control profile, in the global configuration mode, use
the command no behavior-profile profile-name.

Controlling FTP Application

To configure the action for the FTP method, in the application behavior control profile configuration mode, use the following command:
ftp {login [user-name] | get [file-name] | put [file-name]} {block | permit} [log]

l login [user-name] – Controls the FTP login method. To control the login method of the specified user, use parameter user-name.

l get [file-name] – Controls FTP Get method. To control the Get method to the specified file,
use parameter file-name.

l put [file-name] – Controls FTP Put method. To control the Put method to the specified file,
use parameter file-name.

l block | permit – Specifies the action. It can be block or permit.

l log – Logs the FTP method.

To cancel the specified action for the FTP method, in the application behavior control profile configuration mode, use the following command:
no ftp {login [user-name] | get [file-name] | put [file-name]}


Controlling HTTP Application

To configure the action for the HTTP method, in the application behavior control profile configuration mode, use the following command:
http {connect | delete [host] | get [host] | head [host] | options [host] | post [host] | put [host] | trace [host]} {block | permit} [log]

l connect | delete [host] | get [host] | head [host] | options [host] | post [host] | put [host] |
trace [host] – Controls the specified HTTP method. To control the HTTP method to the
specified host, use parameter host.

l block | permit – Specifies the action. It can be block or permit.

l log – Logs the HTTP method.

To cancel the specified action for the HTTP method, in the application behavior control profile
configuration mode, use the following command:
no http {connect | delete [host] | get [host] | head [host] | options [host] | post [host] | put [host] | trace [host]}

Controlling TELNET Application

To control the request initiated by the TELNET client, in the application behavior control profile
configuration mode, use the following command:
telnet keyword-category keyword-category-name {[block] [log]}

l keyword-category-name - Specifies the keyword category that will be filtered. It can be a custom keyword category or a predefined keyword category. For more information about keyword category, see Keyword Category.

l block – Blocks the content that matches the specified keyword category.

l log – Records logs when the content matches the specified keyword category.

In the application behavior control profile configuration mode, use the command no telnet keyword-category keyword-category-name to cancel the control of TELNET content.

Binding the APP Behavior Control Profile to a Policy Rule

After binding the application behavior control profile to a policy rule, the system will process the
traffic that is matched to the rule according to the profile configuration. To bind the application
behavior control profile to a policy rule, enter the policy rule configuration mode in two steps. First, in the global configuration mode, use the following command to enter the policy configuration mode:
policy-global

Then, in the policy configuration mode, use the following command to enter the policy rule configuration mode:
rule [id id-number]

To bind the application behavior control profile to a policy rule, in the policy rule configuration
mode, use the following command:
behavior profile-name

l profile-name - Specifies the name of application behavior control profile that will be bound.
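An application behavior control profile that exercises all three controlled applications, added here as an example rather than configuration taken from the guide. The profile name mkt-app-control, the host upload.example.com, the keyword category admin-commands (assumed to already exist) and policy rule 20 (assumed to already exist with its match conditions configured) are constructed; exit is assumed to return to the previous mode, and lines beginning with # are annotations, not CLI input.

```text
# Step 1: create the profile (global configuration mode)
behavior-profile mkt-app-control
  # FTP: block and log anonymous logins and every upload; downloads are
  # permitted but leave a log record
  ftp login anonymous block log
  ftp put block log
  ftp get permit log
  # HTTP: block and log methods that have no business use on this segment
  http connect block log
  http trace block log
  http delete block log
  # HTTP: POST to the constructed upload host is allowed, with a log record
  http post upload.example.com permit log
  # TELNET: block and log client requests that match the constructed
  # "admin-commands" keyword category
  telnet keyword-category admin-commands block log
exit
# Step 2: bind the profile to policy rule 20
policy-global
  rule id 20
    behavior mkt-app-control
  exit
exit
# Verify the profile and the objects it contains
show behavior-profile mkt-app-control
show behavior-object behavior-profile mkt-app-control
```

Methods that are not listed in the profile are not controlled at all, so a permit line with log is the way to keep an audit trail of traffic you do not want to block; the permit entries for ftp get and http post exist for that reason.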

Binding the APP Behavior Control Profile to a Security Zone

If the application behavior control profile is bound to a security zone, the system will detect the traffic destined to the specified security zone based on the profile configuration. If the policy rule is bound with an application behavior control profile and the destination zone of the policy rule is also bound with an application behavior control profile, then the application behavior control profile bound to the policy rule takes effect.
To bind the application behavior control profile to a security zone, in the security zone configuration mode, use the following command:
behavior enable profile-name


l profile-name – Specifies the name of the application behavior control profile that will be bound to the security zone. One security zone can only be bound with one application behavior control profile.

To cancel the binding settings, in the security zone configuration mode, use the following command:
no behavior enable

Viewing APP Behavior Control Profile Information

To view the application behavior control profile information, in any mode, use the following command:
show behavior-profile [ profile-name ]

l profile-name – Shows the specified application behavior control profile information. If this parameter is not specified, the command will show the information of all the application behavior control profiles.

To view the object information in the application behavior control profile, in any mode, use the
following command:
show behavior-object [behavior-profile profile-name]

l behavior-profile profile-name – Shows the object information of the specified application behavior control profile. If this parameter is not specified, the command will show the object information of all the application behavior control profiles.


File Filter
The file filter function checks the files transported through the HTTP, FTP, SMTP, IMAP, POP3 and SMB protocols and controls them according to the file filter rules.

l Check and control the files transported through the GET and POST methods of HTTP, FTP, SMTP, IMAP, POP3 and SMB. If the SMB protocol type is used, the system supports the detection and control of files in break-point resumption (resumed transfer) scenarios.

l Support file size, file type, and file name filter conditions.

l Support block, log, and permit actions.

If IPv6 is enabled, File Filter function supports file detection and behavior control based on
IPv6. For more information about how to enable IPv6, see IPv6.
The filter conditions supported by each protocol are shown below:

Condition    HTTP GET    HTTP POST    FTP    SMTP    POP3
File size    √           √            √      √       √
File type    √           √            √      √       √
File name    √           √            √      √       √

Configuring File Filtering

After binding the file filter profile to a policy rule, the system will process the traffic that matches the rule according to the profile. The system also supports binding the file filter profile to a ZTNA policy to perform file detection and processing on the traffic matching the ZTNA policy. For configuration information, refer to Configuring ZTNA Policy.
To configure file filter via CLI, take the following steps:


l Create a file filter profile, and configure the file filter rule.

l Specify the protocol to be checked, the filter condition, and the actions in the file filter rule.

l Bind the file filter profile to an appropriate policy rule.

Creating a File Filter Profile

To create a file filter profile, in the global configuration mode, use the following command:
dlp-profile profile-name

l profile-name - Specifies the name of the file filter profile and enters the configuration mode of the file filter profile. If the specified name exists, the system will directly enter the file filter profile configuration mode.

To delete the file filter profile, use the no dlp-profile profile-name command.

Creating a File Filter Rule

Use the file filter rule to specify the protocol that you want to check, the filter conditions, and the actions. To create a filter rule, in the file filter profile configuration mode, use the following command:
filter id id-number

l id id-number – Specifies the ID of the created file filter rule and enters the configuration mode of the file filter rule. If the specified ID exists, the system will directly enter the file filter rule configuration mode. The ID value ranges from 1 to 8; you can specify up to 8 file filter rules.

A file must match all the filter conditions in a file filter rule before the system performs the corresponding control actions.
Use the no filter id id-number command to delete the specified filter rule.


Specifying the File Size

When the size of the transported file reaches the specified file size, the system will trigger the actions. To specify the file size, in the file filter rule configuration mode, use the following command:
file-size-threshold size-value

l size-value – Specifies the file size. The value ranges from 1 to 512,000. The unit is KB.

To cancel the file size settings, use the no file-size-threshold command.

Specifying the File Name

When the name of the transported file matches the specified file name, the system will trigger the actions. To specify the file name, in the file filter rule configuration mode, use the following command:
file-name name

l name – Specifies the file name. The value ranges from 1 to 255 characters. You can specify up to 32 file names. If there is no wildcard in the specified name, then a transported file whose name is the same as the specified name will trigger the actions. If the asterisk (*) appears in the specified name, then a transported file whose name contains the part that follows the asterisk will trigger the actions.

Use the no file-name name command to cancel the settings.

Configuring the Description

To add the description to a file filter profile, in the file filter profile configuration mode, use the
following command:
description description

l description – Enters the description.

Use no description to delete the description.


Specifying the Protocol

The file filter function will check the files transported through the protocols you specify. To specify the protocol, in the file filter rule configuration mode, use the following command:
protocol-type {all | http-get | http-post | ftp | smtp | imap | pop3}

l all | http-get | http-post | ftp | smtp | imap | pop3 – Specifies the protocols. all checks the files transported through the GET and POST methods of HTTP, FTP, SMTP and POP3. http-get checks the files transported through the GET method of HTTP. http-post checks the files transported through the POST method of HTTP. ftp checks the files transported through FTP. smtp checks the files transported through SMTP. imap checks the files transported through IMAP. pop3 checks the files transported through POP3.

To cancel the settings, use the no protocol-type command.

Specifying the File Type

When the transmitted file is a particular type, the system will trigger the actions. The file filter
function can identify the following file types:
7Z, AI, APK, ASF, AVI, BAT, BMP, CAB, CATPART, CDR, CIN, CLASS, CMD, CPL, DLL,
DOC, DOCX, DPX, DSN, DWF, DWG, DXF, EDIT, EMF, EPS, EPUB, EXE, EXR, FLA,
FLV, GDS, GIF, GZ, HLP, HTA, HTML, IFF, ISO, JAR, JPG, KEY, LNK, LZH, MA, MB,
MDB, MDI, MIF, MKV, MOV, MP3, MP4, MPEG, MPKG, MSI, NUMBERS, OCX, PAGES,
PBM, PCL, PDF, PGP, PIF, PL, PNG, PPT, PPTX, PSD, RAR, REG, RLA, RMVB, RPF, RTF,
SGI, SH, SHK, STP, SVG, SWF, TAR, TDB, TIF, TORRENT, TXT, VBE, WAV, WEBM,
WMA, WMF, WMV, WRI, WSF, XLS, XLSX, XML, XPM, ZIP, BZIP2, UNKNOWN
To specify the file type, in the file filter rule configuration mode, use the following command:
file-type type


l type - Specifies the file type. The type names are described above. You can specify one type at a time and repeat this command to specify multiple types. To control file types that are not supported, use the UNKNOWN type.

Use the no file-type type command to cancel the settings.

Specifying the Action

Specify the action to control the files that match the filter conditions. To specify the action, in the file filter rule configuration mode, use the following command:
action {log | block}

l block – Blocks the uploading or downloading of the file that matches the filter conditions.

l log – Permits the transport of the file that matches the filter conditions and records a log.

Use the no action command to cancel the settings.

Binding the File Filter Profile to a Policy Rule

After binding the file filter profile to a policy rule, the system will process the traffic that matches
the rule according to the profile. To bind the file filter profile to a policy rule, enter the policy
rule configuration mode in two steps.
In the global configuration mode, use the following command to enter the policy configuration
mode:
policy-global
Then, in the policy configuration mode, use the following command to enter the policy rule configuration mode:
rule [id id-number]
To bind the file filter profile to a policy rule, in the policy rule configuration mode, use the following command:
dlp-profile profile-name


l profile-name - Specifies the name of file filter profile that will be bound.

To cancel the binding, use the no dlp-profile command.
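A file filter profile with three rules, added here as an example and not taken from the guide, shows the consequence of the rule stated above that all conditions inside one rule must match: each concern gets its own rule so the conditions are not ANDed together. The profile name rd-file-filter, the file-name suffix, the size threshold and policy rule 30 (assumed to already exist with its match conditions configured) are constructed; exit is assumed to return to the previous mode, and lines beginning with # are annotations, not CLI input.

```text
# Step 1: create the profile (global configuration mode)
dlp-profile rd-file-filter
  description RD-file-control
  # Rule 1: block executable file types on every supported protocol.
  # Only file-type conditions are set, so any one of the listed types matches.
  filter id 1
    protocol-type all
    file-type EXE
    file-type MSI
    file-type BAT
    action block
  exit
  # Rule 2: permit but log HTTP POST uploads of 50 MB or more.
  # file-size-threshold is in KB, so 50 MB = 51200.
  filter id 2
    protocol-type http-post
    file-size-threshold 51200
    action log
  exit
  # Rule 3: block SMTP attachments whose name contains the part after the
  # asterisk, i.e. any name ending in "confidential.docx" (constructed suffix)
  filter id 3
    protocol-type smtp
    file-name *confidential.docx
    action block
  exit
exit
# Step 2: bind the profile to policy rule 30
policy-global
  rule id 30
    dlp-profile rd-file-filter
  exit
exit
# Verify
show dlp-profile rd-file-filter
```

If the size threshold and the executable types were placed in the same rule, only executables of 50 MB or more would be caught, which is almost never what is intended; keeping them in separate rules is the check to make when a filter that looks correct never fires.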

Viewing File Filter Profile

To view the file filter profile, in any mode, use the following command:
show dlp-profile profile-name

l profile-name – Shows the specified file filter profile.

Configuring Decompression Control Function

After configuring the decompression control function, StoneOS can decompress the transmitted compressed files, and can handle the files that exceed the maximum decompression layer as well as the encrypted compressed files in accordance with the specified actions. This function supports decompressing files of the RAR, ZIP, TAR, GZIP and BZIP2 types.

Tips: The decompression control function is effective for both the file filter function and the Anti-Virus function. For the Anti-Virus function, refer to "Anti-Virus" on Page 1863.

Enabling / Disabling Decompression Function

StoneOS can decompress the transmitted compressed files. The decompression function is
enabled by default. To enable or disable the decompression function, in the global configuration
mode, use the following command:
decompression {enable | disable}

l enable | disable - Enables (enable) or disables (disable) the decompression function.


Specifying the Maximum Decompression Layer

By default, StoneOS can check the files of up to 5 decompression layers. To configure the maximum decompression layers and the actions for the compressed files that exceed the maximum decompression layer, in the global configuration mode, use the following command:
decompression max-recursion number exceed-action {log-only | reset-conn}

l number - Specifies the decompression layer. The value range is 1 to 5. The default value is 1.

l log-only | reset-conn - Specifies the action for the compressed files that exceed the maximum decompression layer. The available options include (log-only) and (reset-conn). The default action is log-only.

To restore to the default value, in the global configuration mode, use the following command:
no decompression max-recursion

Notes: For compressed files containing docx, pptx, xlsx, jar, and apk formats, when the action is specified as reset-conn, add one more layer to the maximum decompression layers to prevent download failure.

Specifying an Action for Encrypted Compressed Files

To specify an action for encrypted compressed files, in the global configuration mode, use the following command:
decompression encryption-file action {log-only | reset-conn}

l log-only | reset-conn – Specifies the action for the encrypted compressed files. The available
options include (log-only) and (reset-conn).

Use the no decompression encryption-file action command to cancel the settings.

Viewing Decompression Control Configuration Information

To view the decompression control configuration information, in any mode, use the following command:
show decompression configuration
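The decompression settings from the three subsections above combined into one working configuration, added here as an example and not taken from the guide. The layer count of 3 is a constructed choice; lines beginning with # are annotations, not CLI input.

```text
# Global configuration mode. Decompression is on by default; stating it
# explicitly makes the running configuration self-describing.
decompression enable
# Inspect up to 3 nested layers and reset the connection for anything
# nested deeper. The guide's note applies here: because reset-conn is
# used and Office/JAR/APK containers count as a layer, the value is one
# higher than the 2 layers of plain archives that are actually wanted.
decompression max-recursion 3 exceed-action reset-conn
# Encrypted archives cannot be opened for inspection. log-only records the
# event and lets the transfer through; reset-conn would drop it instead.
decompression encryption-file action log-only
# Confirm what is in effect (any mode)
show decompression configuration
```

The weaker setting here is the encrypted-file action: log-only means a password-protected archive passes the file filter and Anti-Virus checks unseen, so the log entries it produces should be reviewed rather than ignored, and reset-conn is the choice where unopened archives are not acceptable.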


Network Behavior Record
The network behavior record function audits IM application behaviors and records log messages for the access actions, including:

l Audits the QQ, WeChat and Sina Weibo user behaviors.

l Logs the access behaviors.

If IPv6 is enabled, Network behavior record function supports IM application behavior auditing
and behavior control based on IPv6. For more information about how to enable IPv6, see IPv6.

Configuring Network Behavior Recording via CLI

The Network behavior record can be configured via CLI by binding a profile to a policy rule.
Once the Network behavior record profile is bound to a policy rule, the system will process the
matching traffic according to the profile configuration.
To configure Network behavior record via CLI, take the following steps:

1. Create a Network behavior record profile, and specify the IM application type, timeout and
record log messages for the access actions in the profile.

2. Bind the Network behavior record profile to an appropriate policy rule or a zone.

Creating a Network Behavior Record Profile

You need to specify the IM application type, timeout and record log messages for the access actions in the network behavior record profile. To create an NBR profile, in the global configuration mode, use the following command:
nbr-profile profile-name

l profile-name - Specifies the name of the NBR profile and enters the configuration mode of the NBR profile. If the specified name exists, the system will directly enter the NBR profile configuration mode.


To delete the specified NBR profile, in the global configuration mode, use the command no nbr-profile profile-name.

IM Audit

The system can identify the UID (unique identification) from the IM application traffic, as well as the related IP address, MAC address and time of occurrence, and then records the corresponding logs in the IM logs.
To enable this function, in the NBR configuration mode, use the following command:
im {qq | wechat | sinaweibo} log enable

l qq - Specifies the audits of QQ.

l wechat - Specifies the audits of WeChat.

l sinaweibo - Specifies the audits of Sina Weibo.

To disable this function, in the NBR configuration mode, use the no im {qq | wechat | sinaweibo} log enable command.

Notes: To configure the IM auditing function, you need to use the application-identify command to enable the application identification function of the zone bound by the rule.

Configuring Timeout Value

During the timeout period, the IM user traffic of the same UID will not trigger new logs; after the timeout expires, it will trigger new logs. To configure the timeout value, in the NBR configuration mode, use the command below:
im {qq | wechat | sinaweibo} timeout value

l qq | wechat | sinaweibo – Specifies the IM user type.

l value – Specifies the timeout value. The unit is minute. The default value is 20.


In the NBR configuration mode, use the no im {qq | wechat | sinaweibo} timeout command to restore the default value.

Recording Web Surfing Log

In the NBR profile configuration mode, you can use the following command to enable the system
to record the web surfing log:
web-surfing-record method [get | get-post [post-content] | post [post-content]]

l get - Records the web surfing log using the GET method.

l get-post - Records the web surfing log using the GET and POST methods.

l post - Records the web surfing log using the POST method.

l post-content – Records the POST content.

To disable the recording of the web surfing log, in the NBR profile configuration mode, use the following command:
no web-surfing-record

Binding the NBR Profile to a Policy Rule

After binding the NBR profile to a policy rule, the system will process the traffic that is matched
to the rule according to the profile configuration. To bind the NBR profile to a policy rule, enter
the policy rule configuration mode in two steps. First, in the global configuration mode, use the
following command to enter the policy configuration mode:
policy-global
Then, in the policy configuration mode, use the following command to enter the policy rule configuration mode:
rule [id id-number]

To bind the NBR profile to a policy rule, in the policy rule configuration mode, use the following
command:
nbr profile-name


l profile-name - Specifies the name of NBR profile that will be bound.

After the binding, you need to modify the priority of the policy rule to ensure that the traffic matching this rule is prioritized. Then specify the user, destination zone and schedule of the rule. You can also enable or disable the rule. For more information, see “Policy”.
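The NBR procedure end to end, including the application-identification prerequisite from the note in the IM Audit subsection, added here as an example and not taken from the guide. The profile name corp-im-audit, the 60-minute timeout and policy rule 40 (assumed to already exist with its match conditions configured) are constructed; zone trust is assumed to enter the security zone configuration mode for a zone named trust (the zone command itself is documented in the zone chapter, not in this section), exit is assumed to return to the previous mode, and lines beginning with # are annotations, not CLI input.

```text
# Prerequisite: application identification on the zone the rule applies to
zone trust
  application-identify
exit
# Step 1: create the profile (global configuration mode)
nbr-profile corp-im-audit
  # Audit logins of all three supported IM applications
  im qq log enable
  im wechat log enable
  im sinaweibo log enable
  # Suppress repeat logs for the same QQ UID for 60 minutes (default is 20);
  # WeChat and Sina Weibo keep the default
  im qq timeout 60
  # Record web surfing for GET and POST requests, including the POST body
  web-surfing-record method get-post post-content
exit
# Step 2: bind the profile to policy rule 40
policy-global
  rule id 40
    nbr corp-im-audit
  exit
exit
# Verify
show nbr-profile corp-im-audit
```

post-content makes the NBR logs carry submitted form data, which can include credentials and personal data; where that is not wanted, web-surfing-record method get-post without post-content records the requests but not their bodies.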

Binding the NBR Profile to a Security Zone

If the NBR profile is bound to a security zone, the system will detect the traffic destined to the specified security zone based on the profile configuration. If the policy rule is bound with an NBR profile, and the destination zone of the policy rule is also bound with an NBR profile, then the NBR profile bound to the policy rule takes effect.
To bind the NBR profile to a security zone, in the security zone configuration mode, use the following command:
nbr enable profile-name

l profile-name – Specifies the name of the NBR profile that will be bound to the security
zone. One security zone can only be bound with one NBR profile.

To cancel the binding settings, in the security zone configuration mode, use the following command:
no nbr enable

Viewing NBR Profile Information

To view the NBR profile information, in any mode, use the following command:
show nbr-profile [ profile-name ]

l profile-name – Shows the specified NBR profile information. If this parameter is not specified, the command will show the information of all the NBR profiles.


Log Management
The Data Security logs (File Filter logs, Content Filter logs, Network Behavior Record logs) of the system provide comprehensive records of users’ network behaviours, including visiting URLs, sending emails, content of the emails and the attachments, Web postings, IM and chatting content, and FTP/HTTP methods, etc. These records are the data source for HSM (Hillstone Security Management™) to provide log query, statistics, audit, analysis and other services. For more information, see the Hillstone Security Management help document.

Log Severity and Format

The Data Security logs have the severity level Information.

To facilitate the access and analysis of the Data Security logs, StoneOS logs follow a fixed pattern of information layout, i.e. date/time, severity level@module: descriptions. See the example below.
2017-06-17 11:34:27, WEBPOST: IP 100.100.10.55 (-) vrouter trust-vr, url, content_type content_type, action action, reason reason, rule rule, character set character-set, content

Output Destinations

Log files can be sent to the following destinations. You can specify one of them at your own
choice:

l Console - Console port of the device.

l Buffer - Memory buffer.

l Syslog Server - Sends logs to a UNIX or Windows Syslog Server.

Configuring Log

The configurations of Data Security logs include enabling/disabling Data Security log, specifying the output destination, exporting and clearing logs. For more information about the configurations, see the table below.


Configuration: To enable/disable the log function
CLI: In the global configuration mode, use the following command:
l Enable: logging data-security [dlp | cf | nbr] on
l Disable: no logging data-security [dlp | cf | nbr] on

Configuration: To record the login/logout log messages of IM
CLI: In the NBR profile configuration mode, use the following command:
l To record the login/logout log messages of QQ, WeChat, and Sina Weibo: im {qq | wechat | sinaweibo} log enable
l To disable the recording of the login/logout log messages of QQ, WeChat, and Sina Weibo: no im {qq | wechat | sinaweibo} log enable

Configuration: To specify the output destination
CLI: In the global configuration mode, use the following command:
l To Console or syslog server: logging data-security [dlp | cf | nbr] to {console | syslog [binary-format [distributed [src-ip-hash | round-robin]] | custom-format]}
l To buffer: logging data-security [dlp | cf | nbr] to buffer [size buffer-size]

Configuration: To view the data security logs
CLI: show logging data-security [dlp | cf | nbr]

Configuration: To clear data security logs
CLI: clear logging data-security [dlp | cf | nbr]



Data Security Configuration Examples
This section describes five Data Security configuration examples:

• Example 1: URL filter

• Example 2: Web content

• Example 3: Web posting

• Example 4: Mail filter

• Example 5: Network behavior record

The network topology is shown in the figure below. The Hillstone device works as the gateway of an enterprise. Ethernet0/0 connects to the Internet and belongs to the untrust zone; ethernet0/1 connects to the Intranet of the R&D Department and belongs to the trust zone; ethernet0/3 connects to the Intranet of the Marketing Department and belongs to the trust1 zone.



Tip:
• Do not use the CLI and the WebUI to configure Data Security at the same time. Choose only one method.

• For more information about how to configure the interface, security zone and log, see the other related chapters. This section only describes the Data Security configuration.

Example 1: URL Filter Configuration

The goal is to configure a URL filter rule that forbids the members of the R&D department (network segment 10.100.0.0/16) from accessing news websites (except www.abc.com) and the entertainment website www.bcd.com during office hours (09:00 to 18:00, Monday to Friday), forbids searching for the keyword ef, and logs the access and search attempts.

Preparations

Before configuring the URL filter function, finish the following preparations first:

1. Install the URL service license and reboot the device.

2. Update the predefined URL database.

Configuration Steps on CLI

Step 1: Configure a schedule:

hostname(config)# schedule workday
hostname(config-schedule)# periodic weekdays 09:00 to 18:00
hostname(config-schedule)# exit
hostname(config)#

Step 2: Configure the user-defined URL category named bcd that contains www.bcd.com:

hostname(config)# url-category bcd
hostname(config)# url www.bcd.com url-category bcd

Step 3: Configure the keyword category named url-keyword:

hostname(config)# category url-keyword
hostname(config)# keyword ef simple category url-keyword

Step 4: Configure the URL filter profile named urlcontrol:

hostname(config)# url-profile urlcontrol
hostname(config-url-profile)# url-category News block log
hostname(config-url-profile)# keyword-category url-keyword block log
hostname(config-url-profile)# exit
hostname(config)#

Step 5: Bind the URL filter profile to a policy rule:

hostname(config)# policy-global
hostname(config-policy)# rule id 1
hostname(config-policy-rule)# url urlcontrol
hostname(config-policy-rule)# src-ip 10.100.0.0/16
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# schedule workday
hostname(config-policy-rule)# exit
hostname(config)#

Step 6: Configure a bypass domain that excludes www.abc.com from control:

hostname(config)# address abc
hostname(config-addr)# host www.abc.com
hostname(config-addr)# exit
hostname(config)# policy-global
hostname(config-policy)# rule from any to abc service any permit
hostname(config-policy)# exit
hostname(config)#

After the configuration, adjust the priority of the policy rule so that the traffic is matched against the configured rule first. When the rule takes effect, during office hours the members of the R&D department cannot access news websites (except www.abc.com) or www.bcd.com, and cannot search for the keyword ef. The system logs the access and search attempts.

Example 2: Web Content Configuration

The goal of Example 2 is to configure a Web content rule that forbids the members of the R&D department (network segment 10.100.0.0/16), except for the member a, from accessing web pages containing the keywords X and Y, and logs the access attempts.

Preparations

Before configuring the Web content function, finish the following preparations first:

1. Install the URL service license and reboot the device.

2. Update the predefined URL database.

Configuration Steps on CLI

Step 1: Configure the keyword category named web-keyword:

hostname(config)# contentfilter
hostname(config-contentfilter)# category web-keyword
hostname(config-contentfilter)# keyword X simple category web-keyword
hostname(config-contentfilter)# keyword Y simple category web-keyword
hostname(config-contentfilter)# exit
hostname(config)#

Step 2: Configure the Web content profile named webkeyword-control:

hostname(config)# contentfilter-profile webkeyword-control
hostname(config-contentfilter-profile)# keyword-category web-keyword block log
hostname(config-contentfilter-profile)# exit
hostname(config)#

Step 3: Bind the Web content profile to a policy rule:

hostname(config)# policy-global
hostname(config-policy)# rule id 2
hostname(config-policy-rule)# contentfilter webkeyword-control
hostname(config-policy-rule)# src-ip 10.100.0.0/16
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# exit
hostname(config)#

Step 4: Set the user exception that excludes member a from control:

hostname(config)# aaa-server local
hostname(config-aaa-server)# user a
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)# policy-global
hostname(config-policy)# rule from any to any from-zone trust to-zone untrust service any permit
Rule id 3 is created
hostname(config-policy)# rule id 3
hostname(config-policy-rule)# user local a
hostname(config-policy-rule)# exit
hostname(config)#

After the configuration, adjust the priority of the policy rule so that the traffic is matched against the configured rule first. When the rule takes effect, the members of the R&D department cannot access web pages containing the keyword X or Y, and the system logs the access attempts.



Example 3: Web Posting Configuration

The goal is to configure a Web posting rule that logs the actions of posting information with
keyword X on the website www.abc.com.

Preparations

Before configuring the Web posting function, finish the following preparations first:

1. Install the URL service license and reboot the device.

2. Update the predefined URL database.

Configuration Steps on CLI

Step 1: Configure the keyword category named reactionary-keyword:

hostname(config)# contentfilter
hostname(config-contentfilter)# category reactionary-keyword
hostname(config-contentfilter)# keyword X simple category reactionary-keyword
hostname(config-contentfilter)# exit
hostname(config)#

Step 2: Configure the user-defined URL category named abc that contains www.abc.com:

hostname(config)# url-category abc
hostname(config)# url www.abc.com url-category abc

Step 3: Configure the Web posting profile named webpost-control:

hostname(config)# webpost-profile webpost-control
hostname(config-webpost-profile)# keyword-category reactionary-keyword log
hostname(config-webpost-profile)# url-category abc
hostname(config-webpost-profile)# exit
hostname(config)#

Step 4: Bind the Web posting profile to a policy rule:

hostname(config)# policy-global
hostname(config-policy)# rule id 3
hostname(config-policy-rule)# webpost webpost-control
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# exit
hostname(config)#

After the configuration, adjust the priority of the policy rule so that the traffic is matched against the configured rule first. When the rule takes effect, the system records a log message whenever someone posts information containing the keyword X on the website www.abc.com.

Example 4: Email Filter Configuration

The goal is to forbid the employees from sending emails through QQ mailbox, and to record a log message whenever anyone sends an email through another mailbox.

Configuration Steps on CLI

Step 1: Configure the Email filter profile named mailfilter:

hostname(config)# mail-profile mailfilter
hostname(config-mail-profile)# mail sender *@qq.com block
hostname(config-mail-profile)# mail others log
hostname(config-mail-profile)# mail control all
hostname(config-mail-profile)# exit
hostname(config)#

Step 2: Bind the Email filter profile to a policy rule:

hostname(config)# policy-global
hostname(config-policy)# rule id 4
hostname(config-policy-rule)# mail mailfilter
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# exit
hostname(config)#

After the configuration, adjust the priority of the policy rule so that the traffic is matched against the configured rule first. When the rule takes effect, the employees cannot send emails through QQ mailbox, and all sending actions through other mailboxes are logged.

Example 5: Network Behavior Record Configuration

The goal is to configure a network behavior record rule that records the WeChat login/logout log
messages of the Marketing department members (the role is marketing).

Configuration Steps on CLI

Step 1: Configure the user, role, and role mapping rule (take user1 as the example):

hostname(config)# aaa-server local
hostname(config-aaa-server)# user-group usergroup1
hostname(config-user-group)# exit
hostname(config-aaa-server)# user user1
hostname(config-user)# password 123456
hostname(config-user)# group usergroup1
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)# role marketing
hostname(config)# role-mapping-rule role-mapping1
hostname(config-role-mapping)# match user-group usergroup1 role marketing
hostname(config-role-mapping)# exit
hostname(config)#

Step 2: Configure the role mapping rule for the local AAA server:

hostname(config)# aaa-server local
hostname(config-aaa-server)# role-mapping-rule role-mapping1
hostname(config-aaa-server)# exit
hostname(config)#

Step 3: Configure interfaces and zones:

hostname(config)# interface ethernet0/3
hostname(config-if-eth0/3)# zone trust1
hostname(config-if-eth0/3)# ip address 192.168.1.1/16
hostname(config-if-eth0/3)# exit
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone untrust
hostname(config-if-eth0/0)# ip address 66.1.200.1/16
hostname(config-if-eth0/0)# exit
hostname(config)#

Step 4: Configure WebAuth and DNS policy:

hostname(config)# webauth
hostname(config-webauth)# enable
hostname(config-webauth)# protocol http
hostname(config-webauth)# exit
hostname(config)# policy-global
hostname(config-policy)# rule from any to any service any webauth local
Rule id 1 is created
hostname(config-policy)# rule id 1
hostname(config-policy-rule)# src-ip 192.168.1.1/16
hostname(config-policy-rule)# src-zone trust1
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# role unknown
hostname(config-policy-rule)# exit
hostname(config-policy)# rule from any to any service dns permit
Rule id 2 is created
hostname(config-policy)# rule id 2
hostname(config-policy-rule)# src-zone trust1
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# exit
hostname(config)#

Step 5: Configure the policy rule:

hostname(config-policy)# rule from any to any service any permit
Rule id 3 is created
hostname(config-policy)# rule id 3
hostname(config-policy-rule)# src-zone trust1
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# role marketing
hostname(config-policy-rule)# exit
hostname(config)#

Step 6: Configure the NBR profile named marketim:

hostname(config)# nbr-profile marketim
hostname(config-nbr-profile)# im wechat log enable
hostname(config-nbr-profile)# exit
hostname(config)#

Step 7: Control the NBR rule named imcontrol:

hostname(config)# policy-global
hostname(config-policy)# rule id 4
hostname(config-policy-rule)# im marketim
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# role marketing
hostname(config-policy-rule)# exit
hostname(config)#

After the configuration, adjust the priority of the policy rule so that the traffic is matched against the configured rule first. When the rule takes effect, the system logs the WeChat login/logout actions of the Marketing department members.



Object Configuration
Objects are the items referenced when configuring Content Filter profiles and URL Filtering profiles, including:

• Predefined URL database

• User-defined URL database

• URL lookup

• Keyword category

• Warning page

• Bypass domain

• User exception

• First Access of Uncategorized URL

Predefined URL Database

The system ships with a license-controlled predefined URL database. On the supported platforms, the predefined URL database does not take effect until a URL license is installed.
The predefined URL database provides URL categories for the configuration of URL filter, web content, and web posting. It is divided into 39 categories, with a total of up to 20 million URLs.

Updating the Predefined URL Database

By default, the system updates the predefined URL database every day. You can change the
update parameters according to your own requirements. Hillstone provides two default URL data-
base update servers: update1.hillstonenet.com and update2.hillstonenet.com. You can update
your URL database online or manually. For more information about how to configure the pre-
defined URL database, see the following table:



Configuration | CLI

• Specifying the update mode: In the global configuration mode, use the following command:
  url-db update mode {auto | manual}

• Configuring the update protocol (HTTPS by default): In the global configuration mode, use the following command:
  Specifying the update protocol: url-db update protocol HTTP
  Restoring the default: no url-db update protocol HTTP

• Configuring the update server: In the global configuration mode, use the following command:
  url-db update {server1 | server2 | server3} {ip-address | domain-name} [vrouter vrouter-name]

• Specifying the update schedule: In the global configuration mode, use the following command:
  url-db update schedule {daily | weekly {mon | tue | wed | thu | fri | sat | sun} | monthly date} [HH:MM]

• Updating now: In the execution mode, use the following command:
  exec url-db update

• Updating manually: In the execution mode, use the following command:
  import url-db from {ftp server ip-address [vrouter vrouter-name] [user user-name password password] | tftp server ip-address | usb0 | usb1} file-name
  Note: Non-root VSYS does not support this command.

• Viewing URL DB info: show url-db info

• Viewing the URL DB update configuration: show url-db update

• Viewing URL statistics: show statistics-set name [{current | history | history-max} [sort-by {up | down | item}]]

• Refreshing URL information in the local cache manually: exec url-db refresh {all | url url-string}
  all – Refresh all URL information in the local cache.
  url url-string – Refresh the specified URL in the local cache.

• Viewing the count of URL statistics: show url-db statistics

• Clearing the count of URL statistics: clear url-db statistics

Specifying an HTTP Proxy Server

When the device accesses the Internet through an HTTP proxy server, you need to specify the IP address and the port number of the HTTP proxy server. With the HTTP proxy server specified, the various signature databases can update automatically and normally.
To specify the HTTP proxy server for updating the URL category signature database, use the following command in the global configuration mode:
url-db update proxy-server {main | backup} ip-address port-number

• main | backup – Use the main parameter to specify the main proxy server and the backup parameter to specify the backup proxy server.

• ip-address port-number – Specify the IP address and the port number of the proxy server.

To cancel the proxy server configuration, use the no url-db update proxy-server {main | backup} command.



User-defined URL Database
Besides the categories in the predefined URL database, you can also customize user-defined URL categories. The user-defined URL database provides URL categories for the configuration of URL filter, web content, and web posting.
The system provides three predefined user-defined URL categories: custom1, custom2, and custom3. You can import your own URL lists into one of these categories.
For more information about the user-defined URL database, see the table below:

Configuration | CLI

• To create a URL category: In the global configuration mode, use the following command:
  url-category category-name

• To add a URL entry: In the global configuration mode, use the following command:
  url url url-category category-name

• Enable/disable support for HTTPS domain names in the user-defined URL database: To enable this function, use the following command in the global configuration mode:
  url-db-https-enable
  To disable this function, use the following command in the global configuration mode:
  no url-db-https-enable
  To view the status of this function, use the following command in any mode:
  show url-db-https

• Import user-defined URLs:
  import url-file {custom1 | custom2 | custom3} from ftp server IP [vrouter vrouter-name] [user username password password] file-name
  import url-file {custom1 | custom2 | custom3} from tftp server IP [vrouter vrouter-name] file-name
  Note: The URL file directory is /flash/urldb/url_file. The file should be less than 1 M and contain at most 1000 URLs. A wildcard may be used once in the URL file and must be located at the start of the address. Non-root VSYS does not support this function.

• Clear user-defined URLs: exec url-file {custom1 | custom2 | custom3} clear

• To view URL category info: show url-category

• To view all the user-defined URLs: show url
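Before importing a list with import url-file, a local check of the file against the limits stated in the note above catches rejected files early. This is an added example, not StoneOS code; it assumes one URL per line, '*' as the wildcard, 1 M as 1,048,576 bytes, blank lines and '#' comments as ignorable, and reads the wildcard rule as at most one wildcard per address, placed at its start.

```python
"""Pre-import check for a user-defined URL list (import url-file custom1|custom2|custom3).

Added example, not part of StoneOS. Limits taken from the guide: file under 1 M,
at most 1000 URLs, a wildcard used once and located at the start of the address.
Assumptions: one URL per line, '*' is the wildcard, blank lines and '#' comments
are ignored, and 1 M means 1,048,576 bytes.
"""
MAX_BYTES = 1024 * 1024   # "less than 1 M" (assumed to mean 1 MiB)
MAX_URLS = 1000           # "at most 1000 URLs"
WILDCARD = "*"            # assumed wildcard character


def check_url_entry(url):
    """Return a problem description for one entry, or None if it is acceptable."""
    if url.count(WILDCARD) > 1:
        return "more than one wildcard"
    if WILDCARD in url and not url.startswith(WILDCARD):
        return "wildcard not at the start of the address"
    if any(ch.isspace() for ch in url):
        return "whitespace inside the address"
    return None


def check_url_file(data):
    """Validate the whole file content (bytes).

    Returns (ok, url_count, problems) where problems is a list of human-readable
    findings; ok is True only when the list is empty.
    """
    problems = []
    if len(data) >= MAX_BYTES:
        problems.append("file size %d bytes is not below 1 M" % len(data))
    urls = []
    text = data.decode("utf-8", errors="replace")
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        problem = check_url_entry(entry)
        if problem:
            problems.append("line %d: %s" % (lineno, problem))
        urls.append(entry)
    if len(urls) > MAX_URLS:
        problems.append("%d URLs exceeds the limit of %d" % (len(urls), MAX_URLS))
    return (not problems, len(urls), problems)


# Constructed sample file: the guide's own hostnames plus two invalid entries.
SAMPLE_FILE = b"\n".join([
    b"# marketing block list (constructed sample)",
    b"www.bcd.com",
    b"*.abc.com",
    b"news.*.example",   # wildcard not at the start of the address
    b"*.*.example",      # two wildcards
])

if __name__ == "__main__":
    ok, count, problems = check_url_file(SAMPLE_FILE)
    print("ok=%s urls=%d" % (ok, count))
    for p in problems:
        print(" -", p)
```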

URL Lookup
You can look up a URL to view its details, including the URL category and the category type. For more information about how to look up a URL, see the table below:

Configuration | CLI

• To look up a URL: show url url-string

Configuring a URL Inquiry Server

A URL inquiry server can classify an uncategorized URL (an uncategorized URL is an address that is neither in the predefined URL database nor in the user-defined URL database) that you have accessed, and then add it to the URL database during the database update. Hillstone provides two default URL inquiry servers: url1.hillstonenet.com and url2.hillstonenet.com. By default, the URL inquiry servers are enabled. For more information about how to configure the URL inquiry server, see the table below:

Configuration | CLI

• To enable/disable a URL inquiry server: In the global configuration mode, use the following commands:
  Enable: url-db-query {server1 | server2} enable
  Disable: no url-db-query {server1 | server2} enable

• To configure a URL inquiry server: In the global configuration mode, use the following command:
  url-db-query {server1 | server2} {ip-address | domain-name} [vrouter vrouter-name] [port port] [encrypt-type BCAP]

• To view the URL inquiry server info: show url-db-query [server1 | server2]

Keyword Category
Keyword categories include predefined keyword categories and custom keyword categories, which are used by the URL filtering, File Content Filter, Web Content, Web Posting, Email filter, and HTTP/FTP Control functions. You can use the predefined keyword categories or customize keyword categories as needed. The system provides four predefined keyword categories: predef_bank_card (keyword for bank card number), predef_email_address (keyword for email address), predef_cellphone_number (keyword for mobile phone number), and predef_mainland_id_card (keyword for ID number). These cannot be edited or deleted.
For more information about how to customize a keyword category, see the table below:

Configuration | CLI

• To create a keyword category: In the global configuration mode, use the following command:
  category category-name

• To add a keyword entry: In the global configuration mode, use the following command:
  keyword keyword {regexp | simple} category category-name [confidence value]

• To commit changes to keywords (number increase/decrease, content changes): In the execution mode, use the following command:
  exec contentfilter apply

• Show the keyword category: In any mode, use the following command:
  show category category-name

• Show the keyword entry: In any mode, use the following command:
  keyword keyword {regexp | simple} category category-name [confidence value]

Keyword Matching Rules

The system scans traffic for the configured keywords and calculates a trust value for each keyword category that is hit. The trust value of a category is the sum, over every keyword belonging to that category, of the number of occurrences multiplied by the keyword's trust value. The system then acts on the summed value as follows:

• If the sum is larger than or equal to the category threshold (100), the configured category action is triggered;

• If more than one category action can be triggered and one of them is block, the final action is block;

• If more than one category action can be triggered and all the configured actions are permit, the final action is permit.

For example, a web content rule contains two keyword categories: C1 with action block and C2 with action permit. Both C1 and C2 contain the same keywords K1 and K2. The trust values of K1 and K2 in C1 are 20 and 40; the trust values of K1 and K2 in C2 are 30 and 80.
If the system detects one occurrence each of K1 and K2 on a web page, the C1 trust value is 20*1+40*1=60<100 and the C2 trust value is 30*1+80*1=110>100. As a result, the C2 action is triggered and the web page access is permitted.
If the system detects three occurrences of K1 and one occurrence of K2 on a web page, the C1 trust value is 20*3+40*1=100 and the C2 trust value is 30*3+80*1=170>100. The conditions for both C1 and C2 are satisfied, but the block action of C1 takes precedence, so the web page access is denied.
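The scoring in the two cases above, carried out in code with the guide's C1/C2 categories and trust values. This is an added example, not StoneOS code; the keyword counting is a plain case-sensitive substring count, an assumption made for illustration, and a page that triggers no category is reported as None.

```python
"""Keyword category scoring as described in the guide's Keyword Matching Rules.

Added example, not StoneOS code. The model (sum of hits * trust value per category,
threshold 100, block wins over permit) follows the guide; the category data is the
guide's C1/C2 example. Keyword counting is an assumed plain substring count.
"""
from collections import Counter

THRESHOLD = 100  # category threshold stated by the guide

# Category name -> (action, {keyword: trust value}); the guide's worked example.
CATEGORIES = {
    "C1": ("block", {"K1": 20, "K2": 40}),
    "C2": ("permit", {"K1": 30, "K2": 80}),
}


def count_hits(text, keywords):
    """Count occurrences of each keyword in the scanned text (case-sensitive substring count)."""
    return Counter({kw: text.count(kw) for kw in keywords})


def category_score(hits, keywords):
    """Sum of occurrences * trust value over the keywords that belong to this category."""
    return sum(hits.get(kw, 0) * trust for kw, trust in keywords.items())


def decide(text, categories=CATEGORIES, threshold=THRESHOLD):
    """Return (final_action, {category: score}) for one scanned page.

    A category whose score reaches the threshold is triggered. If any triggered
    category is configured to block, the final action is block; if every triggered
    action is permit, it is permit; if nothing is triggered, None is returned.
    """
    scores = {}
    triggered = []
    for name, (action, keywords) in categories.items():
        hits = count_hits(text, keywords)
        scores[name] = category_score(hits, keywords)
        if scores[name] >= threshold:
            triggered.append(action)
    if not triggered:
        return None, scores
    final = "block" if "block" in triggered else "permit"
    return final, scores


if __name__ == "__main__":
    # One occurrence each of K1 and K2: C1 = 60, C2 = 110 -> permit.
    print(decide("K1 K2"))
    # Three K1 and one K2: C1 = 100, C2 = 170 -> block.
    print(decide("K1 K1 K1 K2"))
```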

Tip:
• The keyword category threshold is 100.

• To implement network behavior control accurately and effectively, you are recommended to configure multiple keywords. For example, if only "web game" is configured to block access to web game websites, many other websites will be blocked as well. If you configure "web game", "experience value", and "equipment" as keywords and give each a proper trust value, the control accuracy improves. And if you collect all the game-related terms and assign a proper trust value to each term, the control is implemented completely and precisely.

Warning Page
The warning page shows the user block information and user audit information.

Configuring Block Warning

If a network behavior is blocked by the Data Security function (URL filter, web content, web post, email filter, HTTP/FTP control), access to the Internet is denied. An Access Denied message is displayed in the browser, and some web surfing rules are shown on the warning page at the same time. You can also define the displayed information yourself. Depending on the network behavior, the default block warning page covers the following three situations:

• Visiting a certain type of URL;

• Visiting a URL that contains a certain type of keyword category;

• Posting information to a certain type of website or posting a certain type of keywords; HTTP actions of Connect, Get, Put, Head, Options, Post, and Trace; downloading HTTP binary files, such as .bat, .com; downloading ActiveX and Java Applets.

By default the block warning function is enabled. For more information about the configuration of the function, see the table below:

Configuration | CLI

• To enable/disable block warning: In the global configuration mode, use the following commands:
  Enable: block-notification
  Disable: no block-notification

• Customize the block warning information or restore it to the default: In the global configuration mode, use the following commands:
  Customize: customize-block-notification title title-name body string
  Restore the default: no customize-block-notification

• To view the status of block warning: show block-notification

• To view the user-defined block warning information: show customize-block-notification
  Tips: If you have customized your own block warning information, the customized information is displayed; if you do not use customized information, the default block information is displayed.

Configuring Audit Warning

After enabling the audit warning function, when your network behavior matches the configured
Data Security rule, your HTTP request will be redirected to a warning page, on which the audit
and privacy protection information is displayed. For example, if a keyword rule is configured to
monitor HTTPS access to websites that contain the specified keyword, then after enabling the
audit warning function, when you’re accessing a website that contains the keyword over
HTTPS, a warning page will be displayed in your Web browser, as shown in the figure below:



Audit warning is disabled by default. For more information about the configuration of the function, see the table below:

Configuration | CLI

• To enable/disable audit warning: In the global configuration mode, use the following commands:
  Enable: nbc-user-notification
  Disable: no nbc-user-notification

• Customize the audit warning information or restore it to the default: In the global configuration mode, use the following commands:
  Customize: customize-audit-notification title title-name body string
  Restore the default: no customize-audit-notification

• To view the user-defined audit warning information: show customize-audit-notification
  If you have customized your own audit warning information, the customized information is displayed; if you do not use customized information, the default audit information is displayed.

After enabling audit warning, if network behavior originating from a single source IP matches any configured network behavior control rule, the audit warning page is shown every 24 hours when visiting a web page.



Bypass Domain
Regardless of the Data Security configuration (URL filter, keyword filter, web posting control, email filter, and HTTP/FTP control), requests to the specified bypass domains are allowed unconditionally. To add a bypass domain via WebUI, take the following steps:

1. Select Object > Data Security > Content Filter > Web Content/Web Posting/Email Filter/HTTP/FTP Control.

2. At the top-right corner, select Configuration > Bypass Domain. The Bypass Domain dialog appears.

3. Click Add. The domain name is added to the system and displayed in the bypass domain list. Repeat Step 3 to add more bypass domains.

4. Click OK to save your settings.

Notes:
• Bypass domains must be matched exactly.

• Bypass domains take effect for the entire system.

User Exception
The user exception function specifies the users who are not controlled by Data Security, including URL filter, Web content, Web posting control, email filter, IM control, and HTTP/FTP control. The system supports the following types of user exception: IP, IP range, role, user, user group, and address entry.
To configure a user exception via WebUI, take the following steps:

1. Select Object > Data Security > Content Filter > Web Content/Web Posting/Email Filter/HTTP/FTP Control.

2. At the top-right corner, select Configuration > User Exception. The User Exception dialog appears.

3. Select the type of the user from the Type drop-down list.

4. Configure the corresponding options.

5. Click Add. The user is added to the system and displayed in the user exception list.

6. Click OK to save the settings.

Notes: User exceptions take effect for the entire system.

First Access of Uncategorized URL

For an uncategorized URL that you visit for the first time, that is, a URL which is neither in the system's predefined URL database nor in the user-defined URL database, the system queries the category of the URL in the cloud. Because the query may take a little while, the system cannot process the uncategorized URL until the query result is returned.
To address this, you can specify the waiting time of the query and enable the block action when the waiting time expires. After the waiting time of the query is exceeded, the system blocks access to the uncategorized URL.

Specifying the Waiting Time of Query

To specify the waiting time of the query, in the global configuration mode, use the following command:
url-match-pending hold-time time

• time - Specifies the waiting time of the query. The range is 0 to 5000 ms, and the default value is 0 ms.

Use the command no url-match-pending hold-time time to restore the default value, which means there is no wait time limit.



Enabling/Disabling the Block Action after Waiting Timeout

To enable the block action when waiting times out, in global configuration mode, use the fol-
lowing command:
url-match-pending timeout-action block
Use the command no url-match-pending timeout-action block to disable the block action when
waiting times out. After the waiting time of query is exceeded, system will continue to perform
URL filtering according to the configuration of URL filtering profile.
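The hold-time and timeout-action behaviour described above, written out as an added Python model (this is not StoneOS code; the local and cloud category tables, the query latencies, the profile actions and the "uncategorized" fallback category are constructed assumptions):

```python
"""Model of the first-access handling for an uncategorized URL.

Added example, not StoneOS code. It simulates the local category lookup,
the cloud query with its latency, the url-match-pending hold-time and the
url-match-pending timeout-action block setting. The category tables,
latencies, profile actions and the "uncategorized" fallback are constructed
assumptions.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed local databases: predefined and user-defined categories.
PREDEFINED_DB = {"news.example": "News", "bank.example": "Finance"}
USER_DB = {"intranet.example.corp": "Internal"}

# Constructed cloud answers: category and response latency in milliseconds.
CLOUD_DB = {"casino.example": ("Gambling", 900), "slow.example": ("Shopping", 6000)}
UNKNOWN_LATENCY_MS = 5000   # constructed: hosts the cloud does not know answer slowly

# Constructed profile actions, mirroring 'url-category <name> block | log'.
PROFILE = {"Gambling": "block", "Finance": "log"}


@dataclass
class Decision:
    category: Optional[str]
    action: str          # "block", "log" or "permit"
    waited_ms: int       # how long the request was held for the cloud answer
    timed_out: bool      # True when the hold-time expired before the answer


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def first_access(url: str, hold_time_ms: int = 0, timeout_block: bool = False) -> Decision:
    """Decide what happens to the first request for url.

    hold_time_ms follows 'url-match-pending hold-time': 0 to 5000 ms, and 0
    (the default) means there is no wait limit. timeout_block follows
    'url-match-pending timeout-action block'.
    """
    if not 0 <= hold_time_ms <= 5000:
        raise ValueError("hold-time must be 0..5000 ms")
    host = host_of(url)
    category = USER_DB.get(host) or PREDEFINED_DB.get(host)
    waited, timed_out = 0, False
    if category is None:
        # Neither local database knows the URL: the cloud is queried.
        answer = CLOUD_DB.get(host)
        latency = answer[1] if answer else UNKNOWN_LATENCY_MS
        if hold_time_ms == 0 or latency <= hold_time_ms:
            waited = latency                     # answer arrives within the hold time
            category = answer[0] if answer else "uncategorized"
        else:
            waited, timed_out = hold_time_ms, True
            if timeout_block:
                return Decision(None, "block", waited, timed_out)
            # Without the block action, filtering continues per the profile,
            # which sees the URL as uncategorized (assumption).
            category = "uncategorized"
    return Decision(category, PROFILE.get(category, "permit"), waited, timed_out)
```

The model makes the trade-off visible: a hold-time of 0 keeps every first request waiting for the cloud answer, while a short hold-time with the block action turns slow lookups into denials until the category is cached.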

Viewing Configurations of First Access of Uncategorized URL

To view configurations of first access of uncategorized URL and the number of blocked times, in
any mode, use the following command:
show url-match-pending



URL Filtering
URL filtering is designed to control access to certain websites. This function helps you control network behavior in the following aspects:

l Access control to certain categories of websites, such as gambling and pornographic websites;

l Access control to certain categories of websites during a specified period. For example, forbid access to IM websites during office hours;

l Access control to websites whose URL contains specified keywords. For example, forbid access to URLs that contain the keyword "game".

Configuring URL Filter via CLI


The URL filtering configurations are based on security zones or policies. If IPv6 is enabled, you can configure URLs and keywords for both IPv4 and IPv6 addresses.
To configure URL filtering via CLI, take the following steps:

1. Create a URL filtering profile, and specify the URL category, URL keyword category and
action in the profile.

2. Bind the URL filtering profile to a security zone or policy rule.

Creating a URL Filter Profile

You need to specify the control type of the URL filtering profile. The control types are URL category, URL keyword category, and Web surfing record. URL category controls access to certain categories of websites; URL keyword category controls access to websites whose URL contains specific keywords; Web surfing record logs the GET and POST methods of HTTP and the posted content. You can select only one control type for each URL filtering profile. There is a default URL filtering profile named no-url. It cannot be edited or deleted. After you bind it to a policy, URL filtering is disabled. To create a URL filtering profile, in the global configuration mode, use the following command:
url-profile profile-name


l profile-name - Specifies the name of the URL filtering profile and enters the configuration mode of the URL filtering profile. If the specified name exists, the system directly enters the URL filtering profile configuration mode. The same URL profile name can be used in different VSYSs.

To delete the specified URL filtering profile, in the global configuration mode, use the command
no url-profile profile-name.

Specifying the URL Category and Action

To specify the URL category that will be filtered and the corresponding action, in the URL filtering profile configuration mode, use the following command:
url-category { all | url-category-name } [ block ] [ log ]

l all | url-category-name – Specifies the URL category that will be filtered. It can be all URL categories (all) or a specific URL category (url-category-name). You cannot specify a URL category of another VSYS. For more information about how to create a URL category, see Specifying a HTTP Proxy Server.

l block – Blocks access to the corresponding URL category.

l log – Logs access to the corresponding URL category.

Repeat the command to specify more URL categories and the corresponding actions.
To cancel the specified URL category and action, in the URL filtering profile configuration mode,
use the command no url-category {all | url-category-name}.

Inspecting SSL Negotiation Packets

For HTTPS traffic, after this feature is configured, the system can acquire the domain name of the site you want to access from the SSL negotiation packets. Then the system performs URL filtering according to the domain name. This feature is only applicable to URL filtering profiles whose control type is URL category. If SSL proxy is configured at the same time, the SSL negotiation packet inspection method is preferred for URL filtering. To configure SSL negotiation packet inspection, in the URL filtering profile configuration mode, use the following command:
ssl-inspection
In the URL filtering profile configuration mode, use no ssl-inspection to cancel the SSL negotiation packet inspection.

Specifying the URL Keyword and Action

To specify the URL keyword that will be filtered and the corresponding action, in the URL filtering profile configuration mode, use the following command:
keyword-category {keyword-category-name | other} [block] [log]

l keyword-category-name | other – Specifies the URL keyword that will be filtered. The URL keyword can be a specific keyword category (keyword-category-name) or all the other URL keyword categories that are not listed (other). For more information about how to create a keyword category, see Keyword Category.

l block – Blocks the access to the website whose URL contains the specified keyword.

l log – Logs the access to the website whose URL contains the specified keyword.

Repeat the command to specify more URL keywords and the corresponding actions.
To cancel the specified URL keyword and action, in the URL filtering profile configuration mode,
use the command no keyword-category {keyword-category-name | other}.

Enabling Safe Search

Many search engines, such as Google, Bing, Yahoo!, Yandex, and YouTube, have a "SafeSearch" setting, which filters adult content and returns search results at different levels based on the setting. The system supports the safe search function in the URL filtering profile to detect the "SafeSearch" setting of the search engine and perform the corresponding control action.
To enable the safe search function and specify the control action, in the URL filter profile configuration mode, use the following command:
safe-search {block | enforce}


l block – Specifies the action as block. When the "SafeSearch" setting of the search engine is not set, users are prevented from accessing the search page, and a warning page pops up which provides users with the link to the "SafeSearch" setting.

l enforce – Specifies the action as enforce. When the "SafeSearch" setting of the search engine is not set, the system forces it to the "strict" level.

To disable the safe search function, in the URL filter profile configuration mode, use the no safe-search command.

Notes:
l The safe search function can currently only be used with the following search engines: Google, Bing, Yahoo!, Yandex, and YouTube.

l The safe search function can only be used in combination with the SSL proxy function, because the search engines use the HTTPS protocol. Therefore, when "SafeSearch" is enabled, enable the SSL proxy function for the policy rule which is bound with the URL filter profile.

l To ensure the valid "SafeSearch" function of Google, you need to configure policy rules to block the UDP 80 and UD

Binding the URL Filtering Profile to a Security Zone

If the URL filtering profile is bound to a security zone, the system inspects the traffic destined to the specified security zone based on the profile configuration. If a policy rule is bound with a URL filtering profile, and the destination zone of the policy rule is also bound with a URL filtering profile, the URL filtering profile bound to the policy rule takes effect.
To bind the URL filtering profile to a security zone, in the security zone configuration mode, use the following command:
url enable url-profile-name


l url-profile-name – Specifies the name of the URL filtering profile that will be bound to the
security zone. One security zone can only be bound with one URL filtering profile.

To cancel the binding settings, in the security zone configuration mode, use the following command:
no url enable

Binding the URL Filtering Profile to a Policy Rule

After binding the URL filtering profile to a policy rule, the system processes the traffic that matches the rule according to the profile configuration. To bind the URL filtering profile to a policy rule, enter the policy rule configuration mode in two steps. First, in the global configuration mode, use the following command to enter the policy configuration mode:
policy-global
Then, in the policy configuration mode, use the following command to enter the policy rule configuration mode:
rule [id id-number]
To bind the URL filtering profile to a policy rule, in the policy rule configuration mode, use the following command:
url profile-name

l profile-name - Specifies the name of URL filtering profile that will be bound.

Notes: Only after cancelling the binding can you delete the URL filtering profile.

After the binding, you need to modify the priority of the policy rule to ensure that traffic matching this rule is prioritized. Then, you need to specify the user, destination zone and schedule of the rule. You can also enable or disable the rule.
To perform the URL filtering function on HTTPS traffic, you need to enable the SSL proxy function for the security policy rule specified above. The system decrypts the HTTPS traffic according to the SSL proxy profile and then performs URL filtering on the decrypted traffic. Depending on the configuration of the security policy rule, the system performs the following actions:

Policy Rule Configurations | Actions
--- | ---
SSL proxy enabled, URL filtering disabled | The system decrypts the HTTPS traffic according to the SSL proxy profile but does not perform the URL filtering function on the decrypted traffic.
SSL proxy enabled, URL filtering enabled | The system decrypts the HTTPS traffic according to the SSL proxy profile and performs the URL filtering function on the decrypted traffic.
SSL proxy disabled, URL filtering enabled | The system performs the URL filtering function on the HTTP traffic according to the URL filtering profile. The HTTPS traffic will not be decrypted and the system will transfer it.

If the SSL proxy and URL filtering functions are enabled on a security policy rule but the control type of the selected URL filtering profile is Web surfing record, the system will not record the GET and POST methods and the posted contents via HTTPS.
If the zone with which the security policy rule is bound is also configured with URL filtering, the system performs the following actions:

Policy Rule Configurations | Zone Configurations | Actions
--- | --- | ---
SSL proxy enabled, URL filtering disabled | URL filtering enabled | The system decrypts the HTTPS traffic according to the SSL proxy profile and performs the URL filtering function on the decrypted traffic according to the URL filtering rule of the zone.
SSL proxy enabled, URL filtering enabled | URL filtering enabled | The system decrypts the HTTPS traffic according to the SSL proxy profile and performs the URL filtering function on the decrypted traffic according to the URL filtering rule of the policy rule.
SSL proxy disabled, URL filtering enabled | URL filtering enabled | The system performs the URL filtering function on the HTTP traffic according to the URL filtering rule of the policy rule. The HTTPS traffic will not be decrypted and the system will transfer it.

Viewing URL Filtering Profile Information

To view the URL filtering profile information, in any mode, use the following command:
show url-profile [ profile-name ]

l profile-name – Shows the specified URL filtering profile information. If this parameter is not
specified, the command will show the information of all the URL filtering profiles.

URL Blacklist/Whitelist
You can further control the access to some websites by configuring URL blacklist/whitelist.

l After the URL blacklist is configured, when you send an access request to the specified URL
in the blacklist, the system will block the request.

l After the URL whitelist is configured, when you send an access request to the specified URL
in the whitelist, system will not perform URL filtering for the access request and let the
request pass.

l When the URL blacklist, the URL whitelist and the URL filtering profile are all configured with URL categories, the matching priority for URL category filtering is: URL blacklist > URL whitelist > URL filtering profile.

Notes:
l A URL category can only be referenced by one object (URL blacklist, URL whitelist or URL filtering profile). For example, when the URL category "Advertisement" has been added to the URL blacklist, this URL category cannot be added to the URL whitelist, and it cannot be referenced in the URL filtering profile.

l Non-root VSYSs do not support the URL blacklist/whitelist function, and the URL blacklist/whitelist configuration under the root VSYS does not take effect for, and has no effect on, non-root VSYSs.
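The decision chain from the two passages above, written out as one added Python evaluator (not StoneOS code): the policy rule's profile overrides the zone's profile and HTTPS is inspected only when SSL proxy is enabled on the rule (the tables under "Binding the URL Filtering Profile to a Policy Rule"), then category matching follows the priority URL blacklist > URL whitelist > URL filtering profile, with the single-reference rule from the notes checked up front. Category names and the sample configuration are constructed; applying the blacklist and whitelist whenever traffic is inspected, regardless of whether a profile is bound, is an assumption.

```python
"""Evaluator for the URL filtering decision chain.

Added example, not StoneOS code. A policy rule's URL filtering profile
overrides the destination zone's profile; HTTPS is only inspected when
SSL proxy is enabled on the rule; the no-url profile disables filtering;
category matching follows blacklist > whitelist > profile. Category names
and the sample configuration below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

NO_URL = "no-url"   # the built-in profile that disables URL filtering when bound


@dataclass
class UrlProfile:
    name: str
    # category -> actions given on 'url-category <name> [block] [log]';
    # the key "all" stands for 'url-category all'.
    categories: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class Rule:
    url_profile: Optional[str] = None   # 'url profile-name' on the rule, None if unbound
    ssl_proxy: bool = False


def conflicts(blacklist: Set[str], whitelist: Set[str], profile: UrlProfile) -> List[str]:
    """Categories referenced by more than one object (the note says this is not allowed)."""
    owners: Dict[str, List[str]] = {}
    for name, cats in (("blacklist", blacklist), ("whitelist", whitelist),
                       ("profile", profile.categories)):
        for cat in cats:
            owners.setdefault(cat, []).append(name)
    return sorted(cat for cat, who in owners.items() if len(who) > 1)


def effective_profile(rule: Rule, zone_profile: Optional[str]) -> Optional[str]:
    """The rule's profile wins; the zone's profile applies only if the rule has none."""
    return rule.url_profile if rule.url_profile is not None else zone_profile


def decide(category: str, scheme: str, rule: Rule, zone_profile: Optional[str],
           blacklist: Set[str], whitelist: Set[str],
           profiles: Dict[str, UrlProfile]) -> Tuple[bool, str, bool]:
    """Return (decrypted, action, logged) for one request.

    action is "forward" (HTTPS passed through undecrypted), "block" or "permit".
    """
    if scheme == "https" and not rule.ssl_proxy:
        return (False, "forward", False)      # third row of the tables: transferred as-is
    decrypted = scheme == "https"
    # Blacklist beats whitelist beats profile (assumption: checked whenever inspected).
    if category in blacklist:
        return (decrypted, "block", False)
    if category in whitelist:
        return (decrypted, "permit", False)   # whitelist skips the profile entirely
    name = effective_profile(rule, zone_profile)
    if name is None or name == NO_URL:
        return (decrypted, "permit", False)   # decrypted, but no URL filtering applied
    profile = profiles[name]
    actions = profile.categories.get(category) or profile.categories.get("all", set())
    return (decrypted, "block" if "block" in actions else "permit", "log" in actions)


# Constructed sample configuration.
PROFILES = {"block-gambling": UrlProfile("block-gambling",
                                         {"Gambling": {"block", "log"}, "all": {"log"}})}
BLACKLIST = {"Malware"}
WHITELIST = {"Finance"}
```

Running the evaluator over a handful of (category, scheme, rule, zone) combinations is a quick way to check that a rule binding no-url really silences the zone's profile, and that an HTTPS flow on a rule without SSL proxy never reaches the category checks at all.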

Configuring the URL Blacklist

The URL blacklist is used to block URL access requests that are not allowed. After a URL category is added to the URL blacklist, HTTP/HTTPS traffic whose URL hits the blacklist is blocked.
To configure the URL blacklist, you first need to enter the URL blacklist configuration mode. In global configuration mode, use the following command:
url-blacklist
To add a URL category to the URL blacklist, in the URL blacklist configuration mode, use the following command:
url-category url-category-name

l url-category-name - Specifies the URL category to add to the URL blacklist.

To delete a URL category from the URL blacklist, in the URL blacklist configuration mode, use the following command:
no url-category url-category-name

Configuring the URL Whitelist

The URL whitelist is used to let the allowed URL access requests pass. After a URL category is added to the URL whitelist, HTTP/HTTPS traffic hitting the URL whitelist is let through and is not controlled by the URL filtering profile.
To configure the URL whitelist, you first need to enter the URL whitelist configuration mode. In global configuration mode, use the following command:
url-whitelist
To add a URL category to the URL whitelist, in the URL whitelist configuration mode, use the following command:
url-category url-category-name

l url-category-name - Specifies the URL category to add to the URL whitelist.

To delete a URL category from the URL whitelist, in the URL whitelist configuration mode, use the following command:
no url-category url-category-name

Viewing the URL Blacklist Information

To view URL blacklist information, in any mode, use the following command:
show url-blacklist

Viewing URL Whitelist Information

To view URL whitelist information, in any mode, use the following command:
show url-whitelist



SSL Proxy
To ensure the security of sensitive data transmitted over networks, more and more websites adopt SSL encryption to protect their information. The device provides the SSL proxy function to decrypt HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic. The SSL proxy function works in the following two scenarios:
In the first scenario, the device works as the gateway of Web clients. The SSL proxy function replaces the certificates of encrypted websites with the SSL proxy certificate to obtain the encrypted information, and sends the SSL proxy certificate to the client's Web browser. During the process, the device acts as an SSL client and an SSL server to establish connections to the Web server and the Web browser respectively. The SSL proxy certificate is generated by using the device's local certificate to re-sign the website certificate. The process is described as below:

In the second scenario, the device works as the gateway of Web servers. The device with SSL proxy enabled can work as the SSL server, use the certificate of the Web server to establish the SSL connection with Web clients (Web browsers), and send the decrypted traffic to the internal Web server.

Work Mode
There are three work modes. For the first scenario, the SSL proxy function can work in the "Client Inspection - Proxy" mode; for the second scenario, the SSL proxy function can work in the "Server Inspection - Offload" mode and the "Server Inspection - Proxy" mode.
When the SSL proxy function works in the "Client Inspection - Proxy" mode, it can perform the SSL proxy on specified websites.
For the websites that do not need SSL proxy, it dynamically adds the IP address and port of the websites to a bypass list, and the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic is bypassed.

For the websites proxied by the SSL proxy function, the device checks the parameters of the SSL negotiation. When a parameter matches an item in the checklist, the corresponding HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic can be blocked or bypassed according to the action you specified.

l If the action is Block, the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic is blocked by the device.

l If the action is Bypass, the HTTPS/POP3S/SMTPS/IMAPS traffic is not decrypted. Meanwhile, the device dynamically adds the IP address and port number of the website to the bypass list, and the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic is bypassed.

The device decrypts the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic that is neither blocked nor bypassed.
When the SSL proxy function works in the "Server Inspection - Offload" mode, it proxies the SSL connections initiated by Web clients, decrypts the HTTPS traffic, and sends the HTTPS traffic as plaintext to the Web server.
When the SSL proxy function works in the "Server Inspection - Proxy" mode, it proxies the SSL connections initiated by Web clients, decrypts the HTTPS traffic, and re-encrypts the traffic before sending it to the Web server.
You can integrate the SSL proxy function with the following functions:

l Integrate with the application identification function. Devices can decrypt the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic encrypted using SSL by the applications and identify the application. After application identification, you can configure the policy rule, QoS, session limit, and policy-based route.

l Integrate with the Web content function, Web post function, and email filter function. Devices can audit the actions that access the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS website.



l Integrate with AV, IPS, Antispam, Sandbox, Content Filter, File Filter and URL. Devices can perform AV protection, IPS protection, Sandbox protection, Content filter, File filter, File content filter and URL filter on the decrypted HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic, can perform File content filter, Web content, Web posting, and HTTP/FTP control on the decrypted HTTPS traffic, and can perform Email filter on the decrypted POP3S/SMTPS/IMAPS/RDPS/FTPS traffic.

Working as Gateway of Web Clients


To implement SSL proxy, you need to bind an SSL proxy profile to the policy rule. After binding the SSL proxy profile to a policy rule, the system uses the SSL proxy profile to handle the traffic that matches the policy rule. To implement SSL proxy, take the following steps:

1. Configure the corresponding parameters of SSL negotiation, including the following items: specify the PKI trust domain of the device certificates, obtain the CN value of the Subject field from the website certificate, and import a device certificate into the Web browser.

2. Configure an SSL proxy profile, including the following items: choose the work mode, configure the actions to the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic when its SSL negotiation matches the item in the checklist, enable the audit warning page, and so on.

3. Bind an SSL proxy profile to a proper policy rule. The device decrypts the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic that matches the policy rule and is not blocked or bypassed by the device.

Configuring SSL Proxy Parameters

Configuring SSL proxy parameters includes the following items:



l Specify the PKI trust domain of the device certificate

l Obtain the CN value of the website certificate

l Import a device certificate to a Web browser

Specifying the PKI Trust Domain of Device Certificate

By default, the device uses the PKI trust domain trust_domain_ssl_proxy_2048 to re-sign the Web server certificate, that is, to generate the SSL proxy certificate. You can change the PKI trust domain by using the following command in the global configuration mode:
sslproxy trust-domain trust-domain-name

l trust-domain-name – Selects a trust domain. You can select trust_domain_ssl_proxy or trust_domain_ssl_proxy_2048. The trust domain trust_domain_ssl_proxy uses RSA with a 1024-bit modulus; the trust domain trust_domain_ssl_proxy_2048 uses RSA with a 2048-bit modulus. A 1024-bit RSA modulus is below the 2048-bit minimum that current standards recommend, so keep the default 2048-bit trust domain unless a legacy client requires the smaller key.

To restore the trust domain settings to the default, use the no sslproxy trust-domain command.

Obtaining the CN Value

To get the CN value in the Subject field of the website certificate, take the following steps (take
www.gmail.com as the example):

1. Open the IE Web browser, and visit https://www.gmail.com.

2. Click the Security Report button next to the URL.

3. In the pop-up dialog, click View certificates.

4. In the Details tab, click Subject. You can view the CN value in the text box.



Importing a Device Certificate to a Web Browser

In the proxy process, the SSL proxy certificate replaces the website certificate. However, the root certificate of the SSL proxy certificate is not in the client browser, so the client cannot visit the proxied website properly. To address this problem, you have to import the root certificate (the certificate of the device) into the browser. To import a device certificate to the client browser, take the following steps:

1. Export the device certificate to your local PC. Use the following command:

CLI:
export pki trust-domain-name {cacert | cert | pkcs12 password | pkcs12-der password} to {ftp server ip-address [user user-name password password] | tftp server ip-address | usb0 | usb1} [file-name]

Example:
hostname# export pki trust_domain_ssl_proxy cacert to tftp server 10.10.10.1

Export ok,target filename 1252639478

hostname#

2. Import the certificate (before importing the certificate, change the extension of the certificate file to .crt) into the web browser (take Internet Explorer as the example). Start IE, and from the toolbar, select Tools > Internet Options. On the Content tab, click Certificates. In the Certificates dialog, click the Trusted Root Certification Authorities tab, and then click Import, as shown in the figure below. Import the certificate as prompted by the Certificate Import Wizard.

If the encryption standard you selected in step 1 is pkcs12 or pkcs12-der, you need to enter the certificate password in the pop-up window when importing the certificate into the web browser. The password is the one you specified with the pkcs12 password | pkcs12-der password command.

Configuring an SSL Proxy Profile

Configuring an SSL proxy profile includes the following items: configure the session reuse function, choose the work mode, set the website list (use the CN value of the Subject field of the website certificate), configure the actions to the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic when its SSL negotiation matches the item in the checklist, enable the audit warning page, and so on. The system supports up to 32 SSL proxy profiles. To create an SSL proxy profile, use the following command in the global configuration mode:
sslproxy-profile profile-name



l profile-name - Specifies the name of the SSL proxy profile and enters the SSL proxy profile configuration mode. If the name already exists, the system enters the SSL proxy profile configuration mode directly.

To delete an SSL proxy profile, use the no sslproxy-profile profile-name command.

Configuring the Session Reuse Function

With the Session Reuse function enabled, when the client initiates an SSL connection request to the server, the server checks whether a session for this connection has already been created, and if so, the previous SSL connection is resumed without the need for a complete TLS handshake, thereby reducing the time consumed by the handshake process.
The system supports the following two session reuse methods:

l Ticket: Select the check box to enable the session reuse based on session ticket. In this method, when an SSL connection is established between a client and a server for the first time, the server encapsulates the symmetric key and other status information generated in the TLS handshake into a session ticket which is encrypted, and then forwards the session ticket to the client, which is stored in the cache of the client. When the client initiates the SSL connection again (or initiates the connection request again after disconnection), the session ticket will first be sent to the server for decryption. If the server successfully decrypts and verifies the ticket, the first SSL connection will be resumed.

l ID: Select the check box to enable the session reuse based on session ID. In this method, when an SSL connection is established between a client and a server for the first time, the session ID, symmetric key and other status information generated during the TLS handshake will be stored both in the cache of the client and the server. When the client initiates the SSL connection request again (or initiates the connection request again after disconnection), the server compares the session ID in the new request with the cached one and, if consistent, the first SSL connection will be resumed.



Notes:
l When the device works as the gateway of Web clients, the Web servers need
to support the session reuse function.

l If session reuse based on session ticket and based on session ID are both configured, session reuse based on session ticket will be prioritized.

Configuring the Session Reuse Method


To enable or disable the session reuse function based on session ID or based on session ticket, in
the SSL proxy profile configuration mode, use the following command:
session reuse {id | ticket} {enable | disable}

l id | ticket - Specifies to enable (enable) or disable (disable) the session reuse function based
on session ID (id) or based on session ticket (ticket).

Configuring the Session Cache Size


To configure the size of the session caches stored in the system during session reuse based on session ticket or during session reuse based on session ID, in the SSL proxy profile configuration mode, use the following command:
session reuse cache-size value

l value - Specifies the size of the session caches stored in the system during session reuse based on session ticket or during session reuse based on session ID.

See the range and default values:

Model | Range (Unit: piece) | Default value (Unit: piece)
--- | --- | ---
SG-6000-A1100 and below platforms of A series; SG-6000-E1600 and below platforms of E series; SG-6000-VM01 of CloudEdge | 0 - 32. 0 means session cache information is not saved. | 32
SG-6000-A2000 to SG-6000-A3600 of A series; SG-6000-E1606 to SG-6000-E3968 of E series; SG-6000-VM02 of CloudEdge | 0 - 128. 0 means session cache information is not saved. | 128
SG-6000-A3700 and above platforms of A series; All platforms of K series; SG-6000-E3965 and above platforms of E series; All platforms of X series; SG-6000-VM04 and SG-6000-VM08 of CloudEdge | 0 - 256. 0 means session cache information is not saved. | 256

To cancel the specified size, in the SSL proxy profile configuration mode, use the no session reuse cache-size command.
Configuring the Session Timeout

To configure the timeout value of the session caches stored in the system during session reuse based on session ticket or during session reuse based on session ID, in the SSL proxy profile configuration mode, use the following command:
session reuse timeout value

l value - Specifies the timeout value of the session caches stored in the system during session reuse based on session ticket or during session reuse based on session ID. When this timeout expires, the session caches are deleted, and when the client next establishes an SSL connection with the server, a complete TLS handshake is needed. The value range is 1800 to 72000 seconds. The default value is 3600 seconds.

To cancel the specified value, in the SSL proxy profile configuration mode, use the no session reuse timeout command.
Clearing the Session Caches
To clear the session caches stored in the system during session reuse based on session ticket or
during session reuse based on session ID, in any mode, use the following command:
clear sslproxy {session-ticket | session-id} cache

l session-ticket | session-id - Specifies to clear the session caches stored in the system during
session reuse based on session ticket (session-ticket) or during session reuse based on session
ID (session-id).

Viewing the Session Caches


To view the session caches stored in the system during session reuse based on session ticket or
during session reuse based on session ID, in any mode, use the following command:
show sslproxy {session-ticket | session-id} cache

l session-ticket | session-id - Specifies to view the session caches stored in the system during
session reuse based on session ticket (session-ticket) or during session reuse based on session
ID (session-id).
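The session reuse settings described in this group of sections (method, cache size, timeout, clear and show), modelled as one added Python class. This is not StoneOS code: the eviction order when the cache is full, the key strings and the timestamps are constructed assumptions; the size and timeout limits and the ticket-over-ID preference follow the text.

```python
"""Model of the SSL proxy session reuse cache settings.

Added example, not StoneOS code. It keeps one cache for session tickets
and one for session IDs, applies 'session reuse cache-size' (0 = nothing
is saved), expires entries after 'session reuse timeout', prefers ticket
resumption over ID resumption when both are enabled, and offers clear/show
helpers matching the clear and show commands above. The eviction order
and the key strings are constructed assumptions.
"""
from collections import OrderedDict

DEFAULT_TIMEOUT = 3600      # seconds, the documented default
TIMEOUT_RANGE = (1800, 72000)


class SessionReuseCache:
    def __init__(self, id_enabled=True, ticket_enabled=True,
                 cache_size=32, timeout=DEFAULT_TIMEOUT):
        if not TIMEOUT_RANGE[0] <= timeout <= TIMEOUT_RANGE[1]:
            raise ValueError("session reuse timeout must be 1800..72000 seconds")
        if cache_size < 0:
            raise ValueError("cache-size must not be negative")
        self.enabled = {"ticket": ticket_enabled, "id": id_enabled}
        self.cache_size = cache_size
        self.timeout = timeout
        # kind -> OrderedDict(key -> time the session was stored)
        self.caches = {"ticket": OrderedDict(), "id": OrderedDict()}

    def store(self, kind, key, now):
        """Record a session after a full handshake; False if nothing is saved."""
        if not self.enabled[kind] or self.cache_size == 0:
            return False
        cache = self.caches[kind]
        cache[key] = now
        cache.move_to_end(key)
        while len(cache) > self.cache_size:
            cache.popitem(last=False)          # assumption: oldest entry is evicted
        return True

    def _live(self, kind, key, now):
        stored = self.caches[kind].get(key)
        if stored is None:
            return False
        if now - stored >= self.timeout:       # expired: drop it, force a full handshake
            del self.caches[kind][key]
            return False
        return True

    def resume(self, ticket, session_id, now):
        """Return "ticket", "id" or "full-handshake" for a new client hello."""
        if ticket is not None and self.enabled["ticket"] and self._live("ticket", ticket, now):
            return "ticket"                    # ticket is preferred when both are configured
        if session_id is not None and self.enabled["id"] and self._live("id", session_id, now):
            return "id"
        return "full-handshake"

    def clear(self, kind):
        """clear sslproxy {session-ticket | session-id} cache: returns entries removed."""
        count = len(self.caches[kind])
        self.caches[kind].clear()
        return count

    def show(self, kind):
        """show sslproxy {session-ticket | session-id} cache: keys, oldest first."""
        return list(self.caches[kind])
```

A cache-size of 0 or a disabled method degrades every connection to a full handshake, which is the safe but slow setting; the timeout bounds how long a cached key stays usable, so a shorter value limits the window in which a cached session can be resumed.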

Choosing a Work Mode

When the device works as the gateway of Web clients, the SSL proxy function can work in the Cli-
ent Inspection - Proxy mode.
In the SSL Profile configuration mode, use the following command to choose the work mode:
mode client-inspection proxy



Specifying an Application to be Proxied by the SSL Proxy Function

If the SSL proxy function works in the client-inspection proxy mode, you can specify an application to be proxied by the function. By default, only the HTTPS traffic passing through the default port is proxied, but you can specify additional applications as needed, such as IMAPS, POP3S, SMTPS, RDPS and FTPS. Besides, you can configure user-defined ports for the applications to be proxied. For specific configurations, refer to Configuring Rules in User-defined Application Signature Configuration Mode in Firewall > Service and Application > User-defined Application.
To specify an application to be proxied by the SSL proxy function, in the SSL proxy profile configuration mode, use the following command:
inspect-app {https | imaps | pop3s | smtps | rdps | ftps}

l https - Proxies the HTTPS traffic.

l imaps - Proxies the IMAPS traffic.

l pop3s - Proxies the POP3S traffic.

l smtps - Proxies the SMTPS traffic.

l rdps - Proxies the RDPS traffic.

l ftps - Proxies the FTPS traffic.

Setting the URL Whitelist

When the SSL proxy is in the Client Inspection - Proxy mode, you can specify URL categories (predefined URL categories or user-defined URL categories) as needed to set the websites that will not be proxied by the SSL proxy function. By default, the predefined URL categories "Health & Medicine" and "Finance" have been added to the URL whitelist.
To set the URL whitelist, in the SSL proxy profile configuration mode, use the following command:
url-category category-name



l category-name - Specifies the name of the URL category that needs to be added to the URL whitelist. Up to 8 URL categories can be added.

To delete a URL category from the URL whitelist, use the no url-category category-name command.

Notes: To ensure that the URL whitelist works, please upgrade the predefined URL
database before configuring this function.

Enabling the Root Certificate Push


When the HTTPS traffic is decrypted by the SSL proxy function, your request to an HTTPS web-
site will be redirected to the Install Root Certificate page. In this page, you will be prompted that
your accesses to HTTPS websites are being monitored, and that you should pay attention to your
privacy and abide by applicable laws and regulations. The Install Root Certificate page is as fol-
lows:
To enable/disable the Root Certificate Push, in the SSL proxy profile configuration mode, use the
following command:
Enable the Root Certificate Push: no ca-cert-push disable
Disable the Root Certificate Push: ca-cert-push disable
After enabling the Root Certificate Push, if your HTTPS accesses originating from one single source IP are matched with any configured policy rule, you will be prompted with the Install Root Certificate page every 12 hours when visiting the website over HTTPS.
You can clear the prompt history of root certificate downloading. After that, even if you have received the prompt before, you will be prompted with the page immediately when you visit the website over HTTPS again and your access matches any configured policy rule. To clear the prompt history of root certificate downloading, in any mode, use the following command:
clear sslproxy ca-cert-push



Configuring the Actions to the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS Traffic

Before performing the SSL proxy process, the device will check the parameters of the SSL negotiation. When a parameter matches an item in the checklist, the corresponding HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic can be blocked or bypassed according to the action you specified.

l If the action is Block, the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic will be blocked and cannot be displayed in the Web browser.

l If the action is Bypass, the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic will not be decrypted. Meanwhile, the device will dynamically add the IP address and port number of the Website to the bypass list. When connecting to the Websites that are dynamically added to the bypass list, the first connection will be disconnected. Users need to re-connect to the Websites, and the content will then be displayed.

The device will decrypt the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic that is neither blocked nor bypassed.
Notice the following items during the configurations:

l When the parameters match multiple items in the checklist and you configure different actions for different items, the Block action will take effect. The corresponding HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic will be blocked.

l If the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic is not bypassed or blocked after the SSL negotiation check, the system will decrypt the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic.

Checking the SSL Protocol Version

Check the SSL protocol version used by the server. When the version of the SSL protocol used by the SSL server meets the minimum and maximum requirements, the system can proxy its HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic. To configure the SSL protocol version supported by the system, in the SSL proxy profile configuration mode, use the following commands:

l max-support-ssl-version {tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} – Specifies the maximum SSL protocol version supported by the system. The default version is tlsv1.3.

l min-support-ssl-version {tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} – Specifies the minimum SSL protocol version supported by the system. The default version is tlsv1.0.

To restore the default setting, use the no {max-support-ssl-version | min-support-ssl-version} command.
When the SSL server uses an SSL protocol version that is not supported by the system, you need to configure the action for the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic. In the SSL proxy profile configuration mode, use the following command:
unsupported-ssl-version {bypass | block}

l bypass | block – Use the bypass parameter to bypass the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic; the system will not decrypt the traffic. Use the block parameter to block the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic. By default, the system will bypass and not decrypt the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic in this condition.

To restore the default setting, use the no unsupported-ssl-version command.

Checking the Unknown Failure

When the SSL negotiation fails and the cause of the failure cannot be confirmed, you need to configure the action for the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic. In the SSL proxy profile configuration mode, use the following command:
unknown-ssl-failure {bypass | block}

l bypass | block – Use the bypass parameter to bypass the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic; the system will not decrypt the traffic. Use the block parameter to block the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic. By default, the system will bypass and not decrypt the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic in this condition.

To restore the setting to the default value, use the no unknown-ssl-failure command.

Checking the Encryption Algorithm

When the SSL server uses an encryption algorithm that is not supported by the system, configure the action for the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic. In the SSL proxy profile configuration mode, use the following command:
unsupported-cipher {bypass | block}

l bypass | block – Use the bypass parameter to bypass the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic; the system will not decrypt the traffic. Use the block parameter to block the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic. By default, the system will bypass and not decrypt the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic in this condition.

To restore the default setting, use the no unsupported-cipher command.

Checking Whether the SSL Server Certificate is Overdue

Check whether the SSL server certificate is overdue. When the SSL server certificate is overdue, the system can decrypt, block or bypass the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic according to your configuration. To configure the action for HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic when the SSL server certificate is overdue, in the SSL proxy profile configuration mode, use the following command:
expired-cert {decrypt | block | bypass}

l decrypt | block | bypass – Use the decrypt parameter to decrypt the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic. Use the block parameter to block the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic. Use the bypass parameter to bypass the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic; the system will not decrypt the traffic. By default, the system will decrypt the traffic.

To restore the value to the default one, use the no expired-cert command.

Checking Whether the SSL Server Verifies the Client Certificate

Check whether the SSL server verifies the client certificate. When the server verifies the client certificate, the system can block or bypass the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic. By default, the system bypasses the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic and the traffic will not be decrypted. To configure the action for HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic when the SSL server verifies the client certificate, in the SSL proxy profile configuration mode, use the following command:
verify-client {bypass | block}

l bypass | block – Use the bypass parameter to bypass the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic; the system will not decrypt the traffic. Use the block parameter to block the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic.

To restore the setting to the default one, use the no verify-client command.

Configuring an Action When Server Certificate Verification Fails

You can configure an action for the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic when the system fails to verify the Web server certificate. In the SSL proxy profile configuration mode, use the following command:
verify-server-cert-failed {block | bypass | decrypt}

l block - Blocks the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic when the certificate fails verification.

l bypass - Bypasses the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic when the certificate fails verification.

l decrypt - Decrypts the HTTPS/POP3S/SMTPS/IMAPS/RDPS/FTPS traffic when the certificate fails verification. By default, the system will use the self-signed certificate to complete the SSL negotiation with the Web browser. To use the trusted certificate "SG6000" to complete the SSL negotiation with the Web browser, in the SSL proxy profile configuration mode, use the command use-self-sign-cert disable. To restore the default value, in the SSL proxy profile configuration mode, use the command no use-self-sign-cert disable.
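The following Python model is an added illustration, not code from the StoneOS guide: it shows how the checks above combine for one negotiation. Each profile field starts at the default the guide states; the guide gives no default for verify-server-cert-failed, so that field must be supplied. A Block on any matched item wins over Bypass, traffic that is neither blocked nor bypassed is decrypted, and a bypassed server's IP address and port are recorded in the dynamic bypass list. Field names and the sample addresses are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Version ordering used for the min/max SSL version check.
TLS_ORDER = ["tlsv1.0", "tlsv1.1", "tlsv1.2", "tlsv1.3"]


@dataclass
class SslProxyProfile:
    """Checklist actions of one SSL proxy profile, initialised with the defaults the
    guide states. No default is stated for verify-server-cert-failed, so it is a
    required field here (assumption of this example)."""
    verify_server_cert_failed: str            # "block" | "bypass" | "decrypt"
    max_support_ssl_version: str = "tlsv1.3"
    min_support_ssl_version: str = "tlsv1.0"
    unsupported_ssl_version: str = "bypass"   # "bypass" | "block"
    unknown_ssl_failure: str = "bypass"       # "bypass" | "block"
    unsupported_cipher: str = "bypass"        # "bypass" | "block"
    expired_cert: str = "decrypt"             # "decrypt" | "block" | "bypass"
    verify_client: str = "bypass"             # "bypass" | "block"


@dataclass
class Negotiation:
    """What the device observed while checking one SSL negotiation
    (field names are this example's own; sample values are constructed)."""
    server_ip: str
    server_port: int
    ssl_version: Optional[str]        # None: negotiation failed, cause unknown
    cipher_supported: bool = True
    cert_expired: bool = False
    server_verifies_client: bool = False
    server_cert_verified: bool = True


def matched_actions(profile: SslProxyProfile, neg: Negotiation) -> List[Tuple[str, str]]:
    """Return (checklist item, configured action) for each item the negotiation matches."""
    if neg.ssl_version is None:
        # Nothing else can be checked when the handshake failed for an unknown reason.
        return [("unknown-ssl-failure", profile.unknown_ssl_failure)]
    hits = []
    lo = TLS_ORDER.index(profile.min_support_ssl_version)
    hi = TLS_ORDER.index(profile.max_support_ssl_version)
    # A version outside [min, max], or one the system does not know at all, is unsupported.
    if neg.ssl_version not in TLS_ORDER or not lo <= TLS_ORDER.index(neg.ssl_version) <= hi:
        hits.append(("unsupported-ssl-version", profile.unsupported_ssl_version))
    if not neg.cipher_supported:
        hits.append(("unsupported-cipher", profile.unsupported_cipher))
    if neg.cert_expired:
        hits.append(("expired-cert", profile.expired_cert))
    if neg.server_verifies_client:
        hits.append(("verify-client", profile.verify_client))
    if not neg.server_cert_verified:
        hits.append(("verify-server-cert-failed", profile.verify_server_cert_failed))
    return hits


def decide(profile: SslProxyProfile, neg: Negotiation, bypass_list: Set[Tuple[str, int]]) -> str:
    """Combine matched actions as the guide describes: any Block wins, then Bypass,
    and traffic that is neither blocked nor bypassed is decrypted. A bypassed
    server's IP address and port are added to the dynamic bypass list."""
    actions = [action for _, action in matched_actions(profile, neg)]
    if "block" in actions:
        return "block"
    if "bypass" in actions:
        bypass_list.add((neg.server_ip, neg.server_port))
        return "bypass"
    return "decrypt"


if __name__ == "__main__":
    profile = SslProxyProfile(verify_server_cert_failed="block")
    bypassed: Set[Tuple[str, int]] = set()
    samples = [  # constructed observations, RFC 5737 documentation addresses
        Negotiation("203.0.113.10", 443, "tlsv1.2"),                        # clean: decrypt
        Negotiation("203.0.113.11", 443, "sslv3"),                          # unsupported version: bypass
        Negotiation("203.0.113.12", 443, "tlsv1.3",
                    server_verifies_client=True, server_cert_verified=False),  # bypass + block: block
        Negotiation("203.0.113.13", 993, None),                             # unknown failure: bypass
    ]
    for n in samples:
        print(f"{n.server_ip}:{n.server_port} -> {decide(profile, n, bypassed)}")
    print("dynamic bypass list:", sorted(bypassed))
```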

Configuring the Description

To add the description to an SSL proxy profile, in the SSL proxy profile configuration mode, use
the following command:
description description

l description – Enters the description.

Use the no description command to delete the description.

Prioritizing the Low-intensity Encryption Algorithm

When the device works as both the gateway of Web clients and an SSL server, to ensure the per-
formance of the SSL proxy function, the high-intensity encryption algorithm will be used by
default when the device receives the cipher suite from the SSL client. If you need to weaken the
encryption of the SSL proxy function, you can specify that the SSL server prefers the low-intens-
ity encryption algorithm. In the SSL proxy Profile configuration mode, use the following com-
mand:
downstream-cipher-mode low-intensity-first

To restore the default high-intensity encryption algorithm, use the command no downstream-cipher-mode low-intensity-first.

Updating the Trusted Root Certificate Database

To ensure that the root certificates stored on your device are sufficient and up-to-date, and to reduce errors that occur during server certificate verification, you need to update the trusted root certificate database in a timely manner. You can change the update configurations of the trusted root certificate database as needed. The update configurations include:

l Configuring the update mode of the trusted root certificate database

l Updating now

l Importing a trusted root certificate database file

l Viewing update information of the trusted root certificate database

l Viewing information of the trusted root certificate database

Configuring the Update Mode of the Trusted Root Certificate Database

To configure the update mode of the trusted root certificate database, in the global configuration mode, use the following command:
trusted-root-ca-store update [mode {auto | manual} | proxy-server {main | backup} proxy-ip proxy-port | schedule {daily | weekly {sun | mon | tue | wed | thu | fri | sat} | monthly date} [HH:MM] | server1 {domain | ip} [vrouter vrouter-name] | server2 {domain | ip} [vrouter vrouter-name] | server3 {domain | ip} [vrouter vrouter-name] | protocol HTTP]

l mode {auto | manual} – Specifies the update mode of the trusted root certificate database. The system supports automatic and manual update modes. The default mode is automatic update.

l proxy-server {main | backup} proxy-ip proxy-port – Specifies the proxy server for updating the trusted root certificate database.



l schedule {daily | weekly {sun | mon | tue | wed | thu | fri | sat} | monthly date}
[HH:MM] – Specifies the schedule for automatically updating the trusted root certificate data-
base.

l server1 {domain | ip} [vrouter vrouter-name] – Specifies the domain, IP address and
VRouter of update server 1.

l server2 {domain | ip} [vrouter vrouter-name] – Specifies the domain, IP address and
VRouter of update server 2.

l server3 {domain | ip} [vrouter vrouter-name] – Specifies the domain, IP address and
VRouter of update server 3.

l protocol HTTP - Specifies the update protocol as HTTP, and the default protocol is HTTPS.

Updating Trusted Root Certificate Database

To update the trusted root certificate database immediately, in the execution mode, use the fol-
lowing command:
exec trusted-root-ca-store update

Importing a Trusted Root Certificate Database File

In some cases, your device may be unable to connect to the update server to update the trusted
root certificate database. To solve this problem, StoneOS provides the function for importing a
trusted root certificate database file, i.e., importing a trusted root certificate database file to the
device from an FTP or TFTP server, so that the device can update the trusted root certificate data-
base locally. To import a trusted root certificate database file, in the execution mode, use the fol-
lowing command:
import trusted-root-ca-store from {ftp server {A.B.C.D | X:X:X:X::X} [vrouter vrouter-name] [user username password string] | tftp server {A.B.C.D | X:X:X:X::X} [vrouter vrouter-name]} file-name

l ftp server {A.B.C.D | X:X:X:X::X} [vrouter vrouter-name] [user user-name password password] – Specifies the IP address, VRouter, user name and password of the FTP server from which to import a trusted root certificate database file. If no user name and password are specified, you will log onto the server anonymously.

l tftp server {A.B.C.D | X:X:X:X::X} [vrouter vrouter-name] – Specifies the IP address and VRouter of the TFTP server from which to import a trusted root certificate database file.

l file-name – Specifies the name of the trusted root certificate database file to be imported.

Viewing Update Information of the Trusted Root Certificate Database

To view update information of the trusted root certificate database, in any mode, use the fol-
lowing command:
show trusted-root-ca-store update

Viewing Information of the Trusted Root Certificate Database

To view information of the trusted root certificate database, in any mode, use the following com-
mand:
show trusted-root-ca-store info

Working as Gateway of Web Servers


To implement SSL proxy, you need to bind an SSL proxy profile to the policy rule. After binding
the SSL proxy profile to a policy rule, the system will use the SSL proxy profile to deal with the
traffic that matches the policy rule. To implement SSL proxy, take the following steps:

1. Configure an SSL proxy profile, including the following items: choose the work mode, spe-
cify the trust domain of the Web server certificate and the HTTP port number of the Web
server.

2. Bind an SSL proxy profile to a proper policy rule. The device will decrypt the HTTPS traffic that matches the policy rule.



Configuring an SSL Proxy Profile

Configuring an SSL proxy profile includes the following items: configure the session reuse func-
tion, choose the work mode, specify the trust domain of the Web server certificate and the HTTP
port number of the Web server.
To create an SSL proxy profile, use the following command in the global configuration mode:
sslproxy-profile profile-name

l profile-name - Specifies the name of the SSL proxy profile and enters the SSL proxy profile configuration mode. If the name already exists, the system will enter the SSL proxy profile configuration mode directly.

To delete an SSL proxy profile, use the no sslproxy-profile profile-name command.

Configuring the Session Reuse Function

With the Session Reuse function enabled, when the client initiates an SSL connection request to
the server, the server checks whether the request connection has been created, and if so, the pre-
vious SSL connection is resumed without the need for a complete TLS handshake, thereby redu-
cing the time consumption during the handshake process.
The system supports the following two session reuse methods:

l Ticket: Select the check box to enable the session reuse based on session ticket. In this
method, when an SSL connection is established between a client and a server for the first
time, the server encapsulates the symmetric key and other status information generated in the
TLS handshake into a session ticket which is encrypted, and then forwards the session ticket
to the client, which is stored in the cache of the client. When the client initiates the SSL con-
nection again (or initiates the connection request again after disconnection), the session ticket
will first be sent to the server for decryption. If the server successfully decrypts and verifies
the ticket, the first SSL connection will be resumed.



l ID: Select the check box to enable the session reuse based on session ID. In this method,
when an SSL connection is established between a client and a server for the first time, the ses-
sion ID, symmetric key and other status information generated during the TLS handshake will
be stored both in the cache of the client and the server. When the client initiates the SSL con-
nection request again (or initiates the connection request again after disconnection), the server
compares the session ID in the new request with the cached one and, if consistent, the first
SSL connection will be resumed.

Notes:
l When the device works as the gateway of Web servers, the Web clients need
to support the session reuse function.

l If session reuse based on session ticket and based on session ID are both con-
figured, session reuse based on session ticket will be prioritized.

Configuring the Session Reuse Method


To enable or disable the session reuse function based on session ID or based on session ticket, in
the SSL proxy profile configuration mode, use the following command:
session reuse {id | ticket} {enable | disable}

l id | ticket - Specifies to enable (enable) or disable (disable) the session reuse function based
on session ID (id) or based on session ticket (ticket).

Configuring the Session Cache Size


To configure the size of the session caches stored in the system during session reuse based on ses-
sion ticket or during session reuse based on session ID, in the SSL proxy profile configuration
mode, use the following command:
session reuse cache-size value



l value - Specifies the size of the session caches stored in the system during session reuse based
on session ticket or during session reuse based on session ID.

See the range and default values:

Model | Range (Unit: piece) | Default value (Unit: piece)
SG-6000-A1100 and below platforms of A series; SG-6000-E1600 and below platforms of E series; SG-6000-VM01 of CloudEdge | 0 - 32. 0 means session cache information is not saved. | 32
SG-6000-A2000 to SG-6000-A3600 of A series; SG-6000-E1606 to SG-6000-E3968 of E series; SG-6000-VM02 of CloudEdge | 0 - 128. 0 means session cache information is not saved. | 128
SG-6000-A3700 and above platforms of A series; All platforms of K series; SG-6000-E3965 and above platforms of E series; All platforms of X series; SG-6000-VM04 and SG-6000-VM08 of CloudEdge | 0 - 256. 0 means session cache information is not saved. | 256

To cancel the specified size, in the SSL proxy profile configuration mode, use the no session reuse cache-size command.

Configuring the Session Timeout
Configuring the Session Timeout



To configure the timeout value of the session caches stored in the system during session reuse
based on session ticket or during session reuse based on session ID, in the SSL proxy profile con-
figuration mode, use the following command:
session reuse timeout value

l value - Specifies the timeout value of the session caches stored in the system during session reuse based on session ticket or during session reuse based on session ID. If this timeout expires, the session caches will be deleted, and when the client next establishes an SSL connection with the server, a complete TLS handshake is needed. The value range is 1800 to 72000 seconds. The default value is 3600 seconds.

To cancel the specified value, in the SSL proxy profile configuration mode, use the no session reuse timeout command.

Clearing the Session Caches

To clear the session caches stored in the system during session reuse based on session ticket or during session reuse based on session ID, in any mode, use the following command:
clear sslproxy {session-ticket | session-id} cache

l session-ticket | session-id - Specifies to clear the session caches stored in the system during
session reuse based on session ticket (session-ticket) or during session reuse based on session
ID (session-id).

Viewing the Session Caches


To view the session caches stored in the system during session reuse based on session ticket or
during session reuse based on session ID, in any mode, use the following command:
show sslproxy {session-ticket | session-id} cache

l session-ticket | session-id - Specifies to view the session caches stored in the system during
session reuse based on session ticket (session-ticket) or during session reuse based on session
ID (session-id).



Choosing a Work Mode

When the device works as the gateway of Web servers, the SSL proxy function can work in the "Server Inspection - Offload" mode or "Server Inspection - Proxy" mode.

l When the SSL proxy function works in the "Server Inspection - Offload" mode, it will proxy
the SSL connections initialized by Web clients, decrypt the HTTPS traffic, and send the
HTTPS traffic as plaintext to the Web server.

l When the SSL proxy function works in the "Server Inspection - Proxy" mode, it will proxy
the SSL connections initialized by Web clients, decrypt the HTTPS traffic, and re-encrypt the
traffic and send it to the Web server.

In the SSL Profile configuration mode, use the following command to specify the work mode:
mode server-inspection { offload | proxy}

l offload - Specifies the SSL proxy working mode as "Server Inspection - Offload" mode.

l proxy - Specifies the SSL proxy working mode as "Server Inspection - Proxy" mode.

Specifying Trust Domain

Since the device will work as the SSL server and use the certificate of the Web server to establish
the SSL connection with Web clients (Web browsers), you need to import the certificate and the
key pair into a trust domain in the device. For more information about importing the certificate
and the key pair, see the PKI chapter in StoneOS_CLI_User_Guide_User_Authentication.
After you complete the importing, specify the trust domain used by this SSL Profile. In the SSL
Profile configuration mode, use the following command to specify the trust domain:
ssl-offload server-trust-domain trust-domain-name

l trust-domain-name – Specifies the trust domain name that will be used by this SSL Profile.

To cancel the setting, use the no ssl-offload server-trust-domain command.



Specifying HTTP Port Number

To specify the HTTP port number of the Web server, in the SSL Profile configuration mode, use the following command:
server-port port

l port – Specifies the port number.

Use the no server-port command to cancel the setting.

Enable Warning Page

When the HTTPS traffic is decrypted by the SSL proxy function, the request to an HTTPS website will be redirected to a warning page of the SSL proxy. In this page, the system notifies the users that their accesses to HTTPS websites are being monitored and asks the users to protect their privacy.
In the SSL proxy profile configuration mode, use the following command to enable/disable the warning page:
Enable the warning page: no ssl-notification-disable
Disable the warning page: ssl-notification-disable
After enabling the warning page, if your HTTPS access behavior originating from one single source IP is matched to any configured policy rule and SSL proxy profile, you will be prompted with the warning page every 30 minutes when visiting the website over HTTPS.
You can clear the SSL proxy warning history. After that, even if you have received the warning page before, you will be prompted immediately when you visit the website over HTTPS again. To clear the SSL proxy audit warning history, in any mode, use the following command:
clear sslproxy notification

Configuring the Description

To add the description to an SSL proxy profile, in the SSL proxy profile configuration mode, use
the following command:
description description

l description – Enters the description.

Use the no description command to delete the description.



Binding the SSL Proxy Profile to a Policy Rule
After binding the SSL proxy profile to a policy rule, the system will process the traffic that is
matched to the rule according to the profile configuration. To bind the SSL proxy profile to a
policy rule, enter the policy rule configuration mode in two steps. First, in the global con-
figuration mode, use the following command to enter the policy configuration mode:
policy-global
Then, in the policy configuration mode, use the following command to enter the policy rule con-
figuration mode:
rule [ id id-number ]
To bind the SSL proxy profile to a policy rule, in the policy rule configuration mode, use the fol-
lowing command:
sslproxy profile-name

l profile-name - Specifies the name of the SSL proxy profile to bind to the policy rule.

After the binding, you need to modify the priority of the policy rule to ensure that traffic matching this rule is prioritized. Then, you need to specify the user, destination zone and schedule of the rule. You can also enable or disable the rule. For more information, see "Policy".

Configuring the SSL Proxy Filter Rule


After the SSL proxy function is enabled, if the proxied HTTPS traffic behaves abnormally, you can use the SSL proxy filter rule to locate the anomaly by filtering the proxied HTTPS traffic for a specified address or network segment.

Adding the SSL Proxy Filter Rule

To add the SSL proxy filter rule, in any mode, use the following command:
exec sslproxy-filter add src-ip {A.B.C.D|A.B.C.D/M} [ dst-ip A.B.C.D dst-port port-number ]



l src-ip {A.B.C.D | A.B.C.D/M} - Specifies the source IP address (or network segment) whose proxied HTTPS traffic is to be filtered.

l dst-ip A.B.C.D dst-port port-number - Specifies the destination IP address and destination port number whose proxied HTTPS traffic is to be filtered.

Deleting the SSL Proxy Filter Rule

To delete the SSL proxy filter rule, in any mode, use the following command:
exec sslproxy-filter del

Viewing the SSL Proxy Filter Rule Information

To view the SSL proxy filter rule information, in any mode, use the following command:
show sslproxy-filter

Configuring Asynchronous Acceleration


The SSL proxy function supports asynchronous acceleration using the QAT engine. To configure the current acceleration engine for IPSec or SSL Proxy, in the global configuration mode, use the following command:
crypto-engine {ipsec | sslproxy}

l ipsec - Configures the current acceleration engine for IPSec.

l sslproxy - Configures the current acceleration engine for SSL Proxy.

Notes: After configuring the asynchronous acceleration, the system must be rebooted for the setting to take effect.

To view the status of the QAT engine, in any mode, use the following command:

show sslproxy qat-engine status

To view the module currently using the QAT engine, in any mode, use the following command:

show crypto-engine

To view the current request/response count of the QAT engine, in any mode, use the following command:
show sslproxy qat-engine counter

To view the statistic information of the SSL Proxy asynchronous function, in any mode, use the following command:
show sslproxy async statistic

Configuring Domain White List


Websites that do not need or support SSL proxy can be added to the domain white list. The system provides a predefined domain white list holding the sites that do not support SSL proxy, for example, sites that require client certificate authentication or sites with fixed (pinned) website certificates. You can also add sites to the domain white list as needed. Predefined domain white list entries cannot be edited or deleted.

Configuring a User-defined Domain White List

If you choose not to decrypt a site out of service concerns, privacy concerns, or other voluntary
reasons, you can add it to the domain white list. The device will not perform the SSL proxy func-
tion for the sites on the white list. To configure a user-defined domain white list, in the global
configuration mode, use the following command:
sslproxy exempt-domain domain-name description reason {enable | disable}

l domain-name – Enters the domain of the user-defined domain white list. You can enter 1 to 63 characters and the domain is case sensitive. You can use the wildcard "*" in the domain. The wildcard "*" can only be used once and should be placed at the beginning of the domain, such as "*.hillstonenet.com".

l reason – Enters the description of the user-defined domain white list.

l enable – Enables the domain white list.

l disable – Disables the domain white list.



To delete the user-defined domain white list, use the no sslproxy exempt-domain domain-name
command.
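As an added example (not part of the StoneOS guide), the following Python code enforces the domain entry rules above (1 to 63 characters, case sensitive, a single "*" only as the leading label) and matches hostnames against a white list in which predefined entries cannot be deleted. The label character set, the treatment of "*.example" as covering any subdomain depth but not the bare domain, and the sample entries are this example's assumptions.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# One DNS label: letters, digits and hyphens (assumed; the guide only fixes length,
# case sensitivity and the wildcard position).
_LABEL = re.compile(r"^[A-Za-z0-9-]+$")


def validate_exempt_domain(domain: str) -> Optional[str]:
    """Return None when the entry satisfies the guide's rules, otherwise the reason it fails."""
    if not 1 <= len(domain) <= 63:
        return "length must be 1 to 63 characters"
    if domain.count("*") > 1:
        return 'the wildcard "*" can only be used once'
    if "*" in domain and not domain.startswith("*."):
        return 'the wildcard "*" must be placed at the beginning of the domain'
    labels = domain.split(".")
    if domain.startswith("*."):
        labels = labels[1:]          # the wildcard label itself needs no further check
    for label in labels:
        if not _LABEL.match(label):
            return f"invalid label {label!r}"
    return None


class DomainWhiteList:
    """User-defined entries layered over predefined ones, which cannot be edited or deleted."""

    def __init__(self, predefined: Iterable[str]):
        self.predefined = set(predefined)
        self.user: Dict[str, Tuple[str, bool]] = {}   # domain -> (description, enabled)

    def add(self, domain: str, description: str, enabled: bool = True) -> None:
        err = validate_exempt_domain(domain)
        if err:
            raise ValueError(f"{domain}: {err}")
        self.user[domain] = (description, enabled)

    def delete(self, domain: str) -> None:
        if domain in self.predefined:
            raise ValueError(f"{domain}: predefined entries cannot be deleted")
        self.user.pop(domain, None)

    def is_exempt(self, hostname: str) -> bool:
        """True when an enabled entry covers the hostname. Matching is case sensitive;
        "*.example" covers any depth of subdomain but not the bare domain (assumption)."""
        active = list(self.predefined) + [d for d, (_, on) in self.user.items() if on]
        for entry in active:
            if entry.startswith("*."):
                if hostname.endswith(entry[1:]):     # entry[1:] is ".example"
                    return True
            elif hostname == entry:
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: one predefined (pinned-certificate) site plus two user entries.
    wl = DomainWhiteList(predefined=["pinned.example.net"])
    wl.add("*.hillstonenet.com", "vendor documentation sites")
    wl.add("bank.example.org", "privacy, currently disabled", enabled=False)
    for host in ["docs.hillstonenet.com", "docs.HillstoneNet.com", "hillstonenet.com",
                 "bank.example.org", "pinned.example.net"]:
        print(f"{host:28s} exempt={wl.is_exempt(host)}")
    for bad in ["www.*.com", "*.*.com", "a" * 64]:
        print(f"{bad[:20]!r}: {validate_exempt_domain(bad)}")
```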

Configuring the IP Whitelist


The device will not perform the SSL proxy function for the traffic from an IP address on the whitelist. You can add an IP whose traffic does not need or support SSL proxy to the IP whitelist. The IP whitelist contains a dynamic IP whitelist and a static IP whitelist.

Configuring the Static IP Whitelist

The device will not perform the SSL proxy function for the traffic from the IP address on the IP
whitelist. You can create a static IP on the whitelist as needed and the static IPs on the whitelist
never expire. To create a static IP on the whitelist, in the global configuration mode, use the fol-
lowing command:
sslproxy exempt-ip {ipv4 | ipv6} address port port_id

l ipv4 | ipv6 – Specifies the IP type of the static IP listed on the whitelist entry as IPv4 or IPv6.

l address – Specifies the IP address of the static IP listed on the whitelist.

l port port_id – Specifies the TCP port of the static IP listed on the whitelist.

To delete the static IP listed on the whitelist, use the no sslproxy exempt-ip {ipv4 | ipv6}
address port port_id command.

Configuring the Validity Time of Dynamic IP Whitelist

When the device works as the gateway of Web clients, the system automatically adds an IP address to the dynamic IP whitelist under the following conditions: the traffic from this IP cannot be SSL proxied by the system, and the action for the traffic is bypass. In this scenario, the system will not perform the SSL proxy function for the traffic from the IPs listed on the IP whitelist in the future. For more information on the configuration of the SSL proxy profile, see Configuring an SSL Proxy Profile. The traffic of an IP that was added to the dynamic IP whitelist because its traffic could not be proxied by the device will be proxied again after the validity time expires. You can configure the validity time of IPs on the dynamic IP whitelist. The system automatically deletes existing dynamic IPs on the whitelist after their validity time expires. To configure the validity time of the dynamic IPs on the whitelist, in the global configuration mode, use the following command:
sslproxy exempt-ip timeout num

l num – Specifies the validity time of the dynamic IPs on the whitelist. The unit is days. The range of the validity time is from 1 to 30 days. The default validity time is 15 days.

Notes: After you modify the SSL Profile policy or change the validity time of the
dynamic IPs on the whitelist, the system deletes all IPs on the current lists.

Clearing the IP Whitelist


To clear all the IP addresses on the whitelist, in the global configuration mode, use the following
command:
clear sslproxy exempt-ip

Notes: The total number of IPs that can be listed on the whitelist varies by platform. When the number of IPs on the whitelist exceeds that upper limit, the system generates event logs to remind you to clear IPs on the whitelist.
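As an added illustration (not StoneOS code), the following Python model captures the whitelist semantics described above: static entries never expire, dynamic entries expire after the configured validity time, changing the validity time flushes the list, and exceeding the platform limit produces an event log. The capacity value and the entry reasons are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Constructed model of the SSL proxy IP whitelist semantics described above.
# It is not StoneOS code; the capacity is a placeholder because the real
# upper limit varies by platform.

DEFAULT_TIMEOUT_DAYS = 15               # default of `sslproxy exempt-ip timeout`
MIN_TIMEOUT_DAYS, MAX_TIMEOUT_DAYS = 1, 30


@dataclass
class ExemptEntry:
    address: str
    port: int
    created: datetime
    expires: Optional[datetime]         # None: static entry, never expires
    reason: str


class SslProxyExemptList:
    """Static and dynamic entries whose traffic skips SSL proxying."""

    def __init__(self, capacity: int,
                 timeout_days: int = DEFAULT_TIMEOUT_DAYS) -> None:
        self.capacity = capacity                      # placeholder limit
        self.timeout_days = timeout_days
        self.entries: Dict[Tuple[str, int], ExemptEntry] = {}
        self.event_log: List[str] = []

    @staticmethod
    def _validate(address: str, port: int) -> None:
        ip_address(address)                           # ValueError if malformed
        if not 1 <= port <= 65535:
            raise ValueError(f"TCP port out of range: {port}")

    def _store(self, entry: ExemptEntry) -> None:
        self.entries[(entry.address, entry.port)] = entry
        if len(self.entries) > self.capacity:
            # The guide says an event log is generated when the limit is
            # exceeded; it does not say the entry is dropped, so only log.
            self.event_log.append(
                f"sslproxy exempt-ip: {len(self.entries)} entries exceed "
                f"limit {self.capacity}, clear the whitelist")

    def add_static(self, address: str, port: int, now: datetime) -> None:
        """sslproxy exempt-ip {ipv4 | ipv6} address port port_id"""
        self._validate(address, port)
        self._store(ExemptEntry(address, port, now, None, "static"))

    def add_dynamic(self, address: str, port: int, now: datetime,
                    reason: str) -> None:
        """Entry the device adds itself when the traffic cannot be proxied
        and the profile action is bypass."""
        self._validate(address, port)
        expires = now + timedelta(days=self.timeout_days)
        self._store(ExemptEntry(address, port, now, expires, reason))

    def set_timeout(self, days: int) -> None:
        """sslproxy exempt-ip timeout num (1-30 days); flushes all entries."""
        if not MIN_TIMEOUT_DAYS <= days <= MAX_TIMEOUT_DAYS:
            raise ValueError(
                f"timeout must be {MIN_TIMEOUT_DAYS}-{MAX_TIMEOUT_DAYS} days")
        self.timeout_days = days
        self.entries.clear()               # Notes above: all current IPs deleted

    def clear(self) -> None:
        """clear sslproxy exempt-ip"""
        self.entries.clear()

    def purge_expired(self, now: datetime) -> int:
        """Drop dynamic entries whose validity time is due; return the count."""
        due = [key for key, e in self.entries.items()
               if e.expires is not None and now >= e.expires]
        for key in due:
            del self.entries[key]
        return len(due)

    def is_exempt(self, address: str, port: int, now: datetime) -> bool:
        """True if traffic from address on port skips SSL proxying right now."""
        self.purge_expired(now)
        return (address, port) in self.entries

    def active_bypasses(self, now: datetime) -> List[ExemptEntry]:
        """Audit view: every address currently bypassing inspection and why."""
        self.purge_expired(now)
        return sorted(self.entries.values(), key=lambda e: (e.address, e.port))
```

Reviewing `active_bypasses` periodically is the practical use: every entry on it is traffic the proxy is not inspecting.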

Viewing SSL Proxy Information


To view the SSL proxy information, use the following commands:

l show sslproxy [] {exempt-domain | exempt-ip}

l exempt-domain–Views the information of the domain white list, including the number
of total sites on the domain white list, and the domain, type, description, status of each
site on the white list.

l exempt-ip–Views the information of the IP whitelist, including the IP address, port
number, creation time, expiration time, and the reason why each IP is added to the
white list.

l View the SSL proxy state, including the SSL proxy work mode, statistics, and the PKI domain
of the SSL proxy certificate, number of bypassed sessions, number of dropped new sessions,
value of real-time proxy HTTPS traffic, times of certificate verification failures:

l View the SSL profile information, including the work mode, policy rules bound to the SSL
proxy, configuration of inspection conditions, the status of alarms, URL whitelist: show
sslproxy-profile [profile-name]

l View the TCP proxy information: show tcpproxy [] session-id id

Chapter 14 Monitor
The chapter introduces the following topics:

l "Monitor" on Page 2189 describes how to configure all monitoring statistics functions of the system.

l "Alarm" on Page 2251 describes how to configure an alarm rule to analyze and collect alarm
information.

l "Logs" on Page 2271 introduces all the log functions of the system and how to output various
log information of the device.

l "Diagnostic Tool" on Page 2307 describes all troubleshooting commands.

l "NetFlow" on Page 2328 describes how to configure the NetFlow function to perform statistics and analysis on network traffic.

Monitor

Overview
Monitor includes:

l User Monitor: Monitor based on user. Gathers statistics on the data and traffic passing through users, user groups and address books.

l Application Monitor: Monitor based on application. Gathers statistics on the data and traffic passing through applications and application groups.

l Threat Monitor: Monitor based on threat. Gathers statistics on the threats.

l QoS Monitor: Monitor based on QoS. Gathers statistics on the pipes.

l Service/Network Node Monitor: Monitor based on service/network node. Gathers statistics on the packet loss rate and latency of service/network nodes.

l Device Monitor: Monitor based on devices. Gathers statistics on the total traffic, interface traffic, zones, online IPs, new/concurrent sessions, NAT and hardware status.

l URL Hit: Monitor based on URL. Gathers statistics on users/IPs, URLs and URL categories.

l Application Block: Gathers statistics on the applications and users/IPs.

l Keyword Block: Gathers statistics on the Web keywords, email keywords, posting keywords and users/IPs.

l Authentication User: Gathers statistics on the authenticated users.

l User-defined Monitor: Gathers statistics on the data passing through the Hillstone device.

If IPv6 is enabled, the system counts the total traffic/sessions/AD/URLs/applications of both IPv4 and IPv6 addresses. Only User Monitor, Application Monitor, Cloud Application Monitor, Device Monitor, URL Hit, Application Block and User-defined Monitor support IPv6 addresses.

Tip: It is strongly recommended to use the WebUI to configure and view the monitor results, because it renders the data more vividly. The CLI is not recommended.

User Monitor
Gathers statistics on the data and traffic passing through users, user groups and address books. If IPv6 is enabled, the system supports monitoring both IPv4 and IPv6 addresses.

Configuring Monitor Address Book

The monitor address book is a database of user addresses on which statistics are gathered. To enable address-based statistics, in the global configuration mode, use the following command:
statistics address address-entry-name

l address-entry-name – Specifies the name of the address entry.

To disable address-based statistics, in the global configuration mode, use the following command:
no statistics address address-entry-name

Viewing Address Book Statistical Information

To view the statistical information on the traffic from or to the specified address, in any mode,
use the following command:
show statistics address [address-entry-name] [current | lasthour | lastday | lastmonth]

l address-entry-name – Specifies the name of the address entry. If this parameter is not spe-
cified, the command will show traffic statistics of all the address entries being referenced by
the statistics function (by command statistics address address-entry-name).

l current – Shows the real-time traffic statistics of the specified address entry.

l lasthour – Shows the traffic statistics of the specified address entry per 30 seconds for the
last 60 minutes.

l lastday – Shows the traffic statistics of the specified address entry per 10 minutes for the last
24 hours.

Configuring Subnet Monitor Address Book

The system matches traffic sent from the Internet to the subnet against the specified address. If the traffic matches, it is counted on the subnet side. To configure the subnet monitor address book, in the global configuration mode, use the following command:
statistics-filter {address | ipv6-address} address-entry-name

l address-entry-name – Specifies the name of the address entry.

To disable the subnet monitor address book, in the global configuration mode, use the following command:
no statistics-filter {address | ipv6-address} address-entry-name

Viewing Subnet Monitor Address Entry Information

In the global configuration mode, use the following command:
show statistics-filter address {address | ipv6-address}

Viewing the Stat-set for User Monitor

The predefined stat-set for user monitor includes:

Type          Name                           Description
User Monitor  predef_user_bw                 Statistics on the traffic of all the users
              predef_ztna_user_bw            Statistics on the traffic of all ZTNA users
              predef_user_sess               Statistics on the sessions of all the users
              predef_user_app_bw             Statistics on the traffic of all the users' applications
              predef_exstat_exstat_ip_bw     Statistics on the user traffic of the selected address book
              predef_exstat_exstat_ip_sess   Statistics on the user sessions of the selected address book
              predef_exstat_exstat_app_bw    Statistics on the app traffic of the selected address book
              predef_exstat_exstat_app_sess  Statistics on the app sessions of the selected address book

To view the predefined stat-set information for user monitor, see Viewing Stat-set Information.

Tip: Non-root VSYS also supports user monitor, but does not support address
book statistics.

Application Monitor
Application-based statistics allows you to gather statistics on the traffic of the specified application in real time, per 30 seconds for the last 60 minutes, per 10 minutes for the last 24 hours, or per 24 hours for the last 30 days. If IPv6 is enabled, the system supports monitoring both IPv4 and IPv6 addresses.

Configuring Monitor Application Group

To configure the monitor application group, in the global configuration mode, use the following
command:
statistics application-group application-group-name

l application-group-name – Specifies the name of the application group.

To delete the monitor application group, in the global configuration mode, use the following command:
no statistics application-group application-group-name

Viewing Application-based Statistical Information

To view the statistical information on the traffic of the specified application, in any mode, use the
following command:
show statistics application-group [application-group-name] [current | lasthour | lastday | lastmonth]

l application-group-name – Specifies the name of the application group. If this parameter is not specified, the command will show traffic statistics of all the application groups being referenced by the statistics function (by command statistics servgroup servicegroup).

l current – Shows the real-time traffic statistics of the specified application group.

l lasthour – Shows the traffic statistics of the specified application group per 30 seconds for
the last 60 minutes.

l lastday – Shows the traffic statistics of the specified application group per 10 minutes for the
last 24 hours.

l lastmonth – Shows the traffic statistics of the specified application group per 24 hours for
the last 30 days.

Viewing the Stat-set for Application Monitor

The predefined stat-set for application monitor includes:

Type                 Name                           Description
Application Monitor  predef_app_bw                  Statistics on the traffic of all the applications
                     predef_app_sess                Statistics on the sessions of all the applications
                     predef_exstat_exstat_ip_bw     Statistics on the user traffic of the selected application group
                     predef_exstat_exstat_ip_sess   Statistics on the user sessions of the selected application group
                     predef_exstat_exstat_app_bw    Statistics on the app traffic of the selected application group
                     predef_exstat_exstat_app_sess  Statistics on the app sessions of the selected application group

To view the predefined stat-set information for application monitor, see Viewing Stat-set Information.

Tip: Non-root VSYS also supports application monitor, but does not support monitoring application groups.

Threat Monitor

Viewing the Stat-set for Threat Monitor

Non-root VSYS also supports threat monitor on T Series platforms. The predefined stat-set for threat monitor includes:

Type            Name                  Description
Threat Monitor  predef_ip_dip_threat  Statistics on all the threats

To view the predefined stat-set information for threat monitor, see Viewing Stat-set Information.

QoS Monitor
QoS monitor information can be viewed only in the WebUI; see the StoneOS_WebUI_User_Guide.

Service/Network Node Monitor (For T Series)

The commands of the service/network node monitor are:

host…type dns

Creates a service node of type DNS. Use the no form to delete the node.
Command:
host [test-only] [id node-id] name node-name {ip-address | host-name} type dns domain domain-name [port port] source-interface interface-name [probe-interval interval] [parent parent-id] [desc description] group group-name
no host id node-id
Description:
test-only - If this parameter is specified, the system shows the detection results.
node-id - Specifies the service/network node ID.
node-name - Specifies the name of the service/network node.
ip-address - Specifies the IP address of the node.
host-name - Specifies the host name of the node.
domain-name - Specifies the DNS domain name.
port - Specifies the server port; the value range is 1 to 65535.
interface-name - Specifies the name of the egress interface.
probe-interval interval - Specifies the probe interval; the value range is 15 to 120 seconds.
parent-id - Specifies the parent node ID. If this parameter is not specified, the root node is the parent node by default.
description - Specifies the description.
group-name - Specifies the name of the group. If the group does not exist, the system creates it automatically.
Default values:
port: 53
probe-interval interval: 30s
parent-id: 0
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config-monitor)# host name test 1.1.1.1 type dns domain www.baidu.com source-interface ethernet0/3

host…type ftp

Creates a service node of type FTP. Use the no form to delete the node.
Command:
host [test-only] [id node-id] name node-name {ip-address | host-name} type ftp [[port port] | user username password password uri uri [port port]] source-interface interface-name [probe-interval interval] [parent parent-id] [desc description]
no host id node-id
Description:
test-only - If this parameter is specified, the system shows the detection results.
node-id - Specifies the service/network node ID.
node-name - Specifies the name of the service/network node.
ip-address - Specifies the IP address of the node.
host-name - Specifies the host name of the node.
user username - Specifies the user name for the server.
password password - Specifies the password for the server.
uri uri - Specifies the name of the file saved on the server.
port - Specifies the server port; the value range is 1 to 65535.
interface-name - Specifies the name of the egress interface.
probe-interval interval - Specifies the probe interval; the value range is 15 to 120 seconds.
parent-id - Specifies the parent node ID. If this parameter is not specified, the root node is the parent node by default.
description - Specifies the description.
Default values:
port: 21
probe-interval interval: 30s
parent-id: 0
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config-monitor)# host name test 1.1.1.1 type ftp user admin admin uri file source-interface ethernet0/3

host…type http

Creates a service node of type HTTP. Use the no form to delete the node.
Command:
host [test-only] [id node-id] name node-name {ip-address | host-name} type http url url-address [port port] source-interface interface-name [probe-interval interval] [parent parent-id] [desc description]
no host id node-id
Description:
test-only - If this parameter is specified, the system shows the detection results.
node-id - Specifies the service/network node ID.
node-name - Specifies the name of the service/network node.
ip-address - Specifies the IP address of the node.
host-name - Specifies the host name of the node.
url-address - Specifies the name of the file saved on the server.
port - Specifies the server port; the value range is 1 to 65535.
interface-name - Specifies the name of the egress interface.
probe-interval interval - Specifies the probe interval; the value range is 15 to 120 seconds.
parent-id - Specifies the parent node ID. If this parameter is not specified, the root node is the parent node by default.
description - Specifies the description.
Default values:
port: 80
probe-interval interval: 30s
parent-id: 0
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config-monitor)# host name test 1.1.1.1 type http url www.sina.com.cn source-interface ethernet0/3

host…type icmp

Creates a service node of type ICMP. Use the no form to delete the node.
Command:
host [test-only] [id node-id] name node-name {ip-address | host-name} type icmp source-interface interface-name [probe-interval interval] [parent parent-id] [desc description]
no host id node-id
Description:
test-only - If this parameter is specified, the system shows the detection results.
node-id - Specifies the service/network node ID.
node-name - Specifies the name of the service/network node.
ip-address - Specifies the IP address of the node.
host-name - Specifies the host name of the node.
interface-name - Specifies the name of the egress interface.
probe-interval interval - Specifies the probe interval; the value range is 15 to 120 seconds.
parent-id - Specifies the parent node ID. If this parameter is not specified, the root node is the parent node by default.
description - Specifies the description.
Default values:
probe-interval interval: 30s
parent-id: 0
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config-monitor)# host name test 1.1.1.1 type icmp source-interface ethernet0/3

host…type imap4

Creates a service node of type IMAP4. Use the no form to delete the node.
Command:
host [test-only] [id node-id] name node-name {ip-address | host-name} type imap4 [port port] source-interface interface-name [probe-interval interval] [parent parent-id] [desc description]
no host id node-id
Description:
test-only - If this parameter is specified, the system shows the detection results.
node-id - Specifies the service/network node ID.
node-name - Specifies the name of the service/network node.
ip-address - Specifies the IP address of the node.
host-name - Specifies the host name of the node.
port - Specifies the server port; the value range is 1 to 65535.
interface-name - Specifies the name of the egress interface.
probe-interval interval - Specifies the probe interval; the value range is 15 to 120 seconds.
parent-id - Specifies the parent node ID. If this parameter is not specified, the root node is the parent node by default.
description - Specifies the description.
Default values:
port: 143
probe-interval interval: 30s
parent-id: 0
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config-monitor)# host name test 1.1.1.1 type imap4 source-interface ethernet0/3

host…type ldap

Creates a service node of type LDAP. Use the no form to delete the node.
Command:
host [test-only] [id node-id] name node-name {ip-address | host-name} type ldap [[port port] | user username password password uri uri [port port]] source-interface interface-name [probe-interval interval] [parent parent-id] [desc description]
no host id node-id
Description:
test-only - If this parameter is specified, the system shows the detection results.
node-id - Specifies the service/network node ID.
node-name - Specifies the name of the service/network node.
ip-address - Specifies the IP address of the node.
host-name - Specifies the host name of the node.
user username - Specifies the user name for the server.
password password - Specifies the password for the server.
uri uri - Specifies the name of the file saved on the server.
port - Specifies the server port; the value range is 1 to 65535.
interface-name - Specifies the name of the egress interface.
probe-interval interval - Specifies the probe interval; the value range is 15 to 120 seconds.
parent-id - Specifies the parent node ID. If this parameter is not specified, the root node is the parent node by default.
description - Specifies the description.
Default values:
None
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config-monitor)# host name test 1.1.1.1 type ldap user admin admin uri file port 21 source-interface ethernet0/3

host…type pop3

Creates a service node of type POP3. Use the no form to delete the node.
Command:
host [test-only] [id node-id] name node-name {ip-address | host-name} type pop3 [port port] source-interface interface-name [probe-interval interval] [parent parent-id] [desc description]
no host id node-id
Description:
test-only - If this parameter is specified, the system shows the detection results.
node-id - Specifies the service/network node ID.
node-name - Specifies the name of the service/network node.
ip-address - Specifies the IP address of the node.
host-name - Specifies the host name of the node.
port - Specifies the server port; the value range is 1 to 65535.
interface-name - Specifies the name of the egress interface.
probe-interval interval - Specifies the probe interval; the value range is 15 to 120 seconds.
parent-id - Specifies the parent node ID. If this parameter is not specified, the root node is the parent node by default.
description - Specifies the description.
Default values:
port: 110
probe-interval interval: 30s
parent-id: 0
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config-monitor)# host name test 1.1.1.1 type pop3 source-interface ethernet0/3

host…type smtp

Creates a service node of type SMTP. Use the no form to delete the node.
Command:
host [test-only] [id node-id] name node-name {ip-address | host-name} type smtp [port port] source-interface interface-name [probe-interval interval] [parent parent-id] [desc description]
no host id node-id
Description:
test-only - If this parameter is specified, the system shows the detection results.
node-id - Specifies the service/network node ID.
node-name - Specifies the name of the service/network node.
ip-address - Specifies the IP address of the node.
host-name - Specifies the host name of the node.
port - Specifies the server port; the value range is 1 to 65535.
interface-name - Specifies the name of the egress interface.
probe-interval interval - Specifies the probe interval; the value range is 15 to 120 seconds.
parent-id - Specifies the parent node ID. If this parameter is not specified, the root node is the parent node by default.
description - Specifies the description.
Default values:
port: 25
probe-interval interval: 30s
parent-id: 0
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config-monitor)# host test-only name test 1.1.1.1 type smtp source-interface ethernet0/3 probe-interval 60

host…type {tcp | udp}

Creates a user-defined node. Use the no form to delete the node.
Command:
host [test-only] [id node-id] name node-name {ip-address | host-name} type {tcp | udp} port port source-interface interface-name [probe-interval interval] [parent parent-id] [desc description]
no host id node-id
Description:
test-only - If this parameter is specified, the system shows the detection results.
node-id - Specifies the service/network node ID.
node-name - Specifies the name of the service/network node.
ip-address - Specifies the IP address of the node.
host-name - Specifies the host name of the node.
port - Specifies the server port; the value range is 1 to 65535.
interface-name - Specifies the name of the egress interface.
probe-interval interval - Specifies the probe interval; the value range is 15 to 120 seconds.
parent-id - Specifies the parent node ID. If this parameter is not specified, the root node is the parent node by default.
description - Specifies the description.
Default values:
probe-interval interval: 30s
parent-id: 0
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config-monitor)# host name test 1.1.1.1 type tcp port 4455 source-interface ethernet0/3
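As an added example (not StoneOS code) covering all of the host types above, the following Python parses `host ...` command lines such as the guide's examples, enforces the port and probe-interval ranges stated above, and fills in the per-type default ports and the default probe interval and parent. Accepting `user admin admin` with the password keyword omitted, as the guide's FTP and LDAP examples write it, is an assumption.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, Optional

# Added example, not StoneOS code: parser and validator for the `host`
# commands of the service/network node monitor described above.

DEFAULT_PORT = {"dns": 53, "ftp": 21, "http": 80, "imap4": 143,
                "pop3": 110, "smtp": 25}            # from the Default values
NODE_TYPES = set(DEFAULT_PORT) | {"icmp", "ldap", "tcp", "udp"}
VALUE_KEYWORDS = {"id", "name", "type", "domain", "port", "user", "password",
                  "uri", "url", "source-interface", "probe-interval",
                  "parent", "desc", "group"}
REQUIRED_BY_TYPE = {"dns": "domain", "http": "url", "tcp": "port", "udp": "port"}
PROMPT_RE = re.compile(r"^\S*\(config-monitor\)#\s*")   # strip a copied prompt


@dataclass
class HostNode:
    name: str
    target: str                     # ip-address or host-name
    type: str
    source_interface: str
    port: Optional[int]
    probe_interval: int = 30        # default 30s
    parent: int = 0                 # root node by default
    node_id: Optional[int] = None
    test_only: bool = False
    options: Dict[str, str] = field(default_factory=dict)


def parse_host_command(line: str) -> HostNode:
    """Parse one `host ...` line (CLI prompt optional) into a validated node."""
    tokens = shlex.split(PROMPT_RE.sub("", line.strip()))
    if not tokens or tokens[0] != "host":
        raise ValueError("not a host command")
    kv: Dict[str, str] = {}
    test_only = False
    target: Optional[str] = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "test-only":
            test_only = True
            i += 1
        elif tok in VALUE_KEYWORDS:
            if i + 1 >= len(tokens):
                raise ValueError(f"keyword '{tok}' needs a value")
            kv[tok] = tokens[i + 1]
            i += 2
            # Assumption: the guide's examples write `user admin admin`, so a
            # bare value right after the user name is taken as the password.
            if (tok == "user" and i < len(tokens)
                    and tokens[i] not in VALUE_KEYWORDS
                    and tokens[i] != "test-only"):
                kv["password"] = tokens[i]
                i += 1
        elif target is None and "name" in kv:
            target = tok            # positional {ip-address | host-name}
            i += 1
        else:
            raise ValueError(f"unexpected token '{tok}'")

    for required in ("name", "type", "source-interface"):
        if required not in kv:
            raise ValueError(f"missing '{required}'")
    if target is None:
        raise ValueError("missing ip-address/host-name after name")
    ntype = kv["type"]
    if ntype not in NODE_TYPES:
        raise ValueError(f"unknown node type '{ntype}'")
    if ntype in REQUIRED_BY_TYPE and REQUIRED_BY_TYPE[ntype] not in kv:
        raise ValueError(f"type {ntype} requires '{REQUIRED_BY_TYPE[ntype]}'")

    port = int(kv["port"]) if "port" in kv else DEFAULT_PORT.get(ntype)
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range 1-65535")
    interval = int(kv.get("probe-interval", 30))
    if not 15 <= interval <= 120:
        raise ValueError(f"probe-interval {interval} out of range 15-120")

    extra = {k: v for k, v in kv.items()
             if k in ("domain", "user", "password", "uri", "url", "desc", "group")}
    return HostNode(name=kv["name"], target=target, type=ntype,
                    source_interface=kv["source-interface"], port=port,
                    probe_interval=interval, parent=int(kv.get("parent", 0)),
                    node_id=int(kv["id"]) if "id" in kv else None,
                    test_only=test_only, options=extra)
```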

show monitor host config

Views the service/network node monitor configuration information.
Command:
show monitor host config
Description:
None
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show monitor host config

show monitor host status

Views the service/network node status.
Command:
show monitor host status
Description:
None
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show monitor host status

Device Monitor
Non-root VSYS also supports device monitor, but does not support hardware status. If IPv6 is enabled, the system supports monitoring both IPv4 and IPv6 addresses. The commands of the device monitor are:

Viewing Interface-based Statistical Information

To view the statistical information on the traffic passing through the specified interface, in any
command mode, use the following command:
show statistics interface-counter interface interface-name {second | minute | hour | day} [IPv4 | IPv6 | noip]

l interface-name – Specifies the name of the interface.

l second – Shows the traffic statistics of the specified interface per second for the last 60
seconds.

l minute – Shows the traffic statistics of the specified interface per minute for the last 60
minutes.

l hour – Shows the traffic statistics of the specified interface per hour for the last 24 hours.

l day – Shows the traffic statistics of the specified interface for the last 30 days.

l IPv4 | IPv6 | noip - Shows the traffic statistics of IPv4 packets, IPv6 packets, or non-IP packets. If this parameter is not specified, all traffic information is displayed by default.

Viewing the Stat-set for Device Monitor

The predefined stat-set for device monitor includes:

Type            Name              Description
Device Monitor  predef_zone_bw    Statistics on the traffic of all the security zones
                predef_if_bw      Statistics on the traffic of all the interfaces
                predef_zone_sess  Statistics on the sessions of all the security zones
                predef_if_sess    Statistics on the sessions of all the interfaces

To view the predefined stat-set information for device monitor, see Viewing Stat-set Information.

Viewing the Information of Hard Disk Module

There is a hard disk module at the bottom of the SG-6000-E6368, SG-6000-E6168, SG-6000-E5568, SG-6000-E5268, SG-6000-E5168, SG-6000-E3968, SG-6000-E3668 and SG-6000-E2868. The hard disk module mainly saves logs locally, which supports device monitoring, behavior auditing, etc. To view the installation and utilization of the hard disk module, in any mode, use the following command:
show disk

Viewing the Utilization of Virtual Hard Disk of CloudEdge Devices

The virtual hard disk of a CloudEdge device is divided into a system partition and a data partition. The system partition stores system files, while the data partition stores logs and reports. To view the utilization of the virtual hard disk of a CloudEdge device, in any mode, use the following command:
show disk

Example:

hostname# show disk
Displays the utilization of system partition of the virtual hard disk of CloudEdge device
The percentage of system disk utilization: 18.6%
total(KB) used(KB) free(KB)
1888268 351952 1536316
Displays the utilization of data partition of the virtual hard disk of CloudEdge device
The percentage of data disk utilization: 14.2%
total(KB) used(KB) free(KB)
3997376 567056 3430320
hostname#
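As an added example (not StoneOS code) of working with this output, the following Python parses the `show disk` output above into per-partition counters, recomputes the utilization from the counters, and flags a partition that is filling up; the sample text is constructed from the guide's output and the warning threshold is an assumed value.

```python
import re
from typing import Dict, List, NamedTuple

# Added example, not StoneOS code. The data partition holds logs and reports,
# so a full data partition means the device stops keeping the audit trail
# that monitoring and incident review rely on.

# Constructed sample, copied from the guide's `show disk` example above.
SAMPLE_SHOW_DISK = """\
Displays the utilization of system partition of the virtual hard disk of CloudEdge device
The percentage of system disk utilization: 18.6%
total(KB) used(KB) free(KB)
1888268 351952 1536316
Displays the utilization of data partition of the virtual hard disk of CloudEdge device
The percentage of data disk utilization: 14.2%
total(KB) used(KB) free(KB)
3997376 567056 3430320
"""

PCT_RE = re.compile(r"percentage of (\w+) disk utilization:\s*([\d.]+)%")
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s*$")


class Partition(NamedTuple):
    name: str
    reported_pct: float
    total_kb: int
    used_kb: int
    free_kb: int

    @property
    def computed_pct(self) -> float:
        """Utilization recomputed from the raw counters."""
        return round(100.0 * self.used_kb / self.total_kb, 1)

    @property
    def consistent(self) -> bool:
        """Counters add up and agree with the percentage the device printed."""
        return (self.used_kb + self.free_kb == self.total_kb
                and abs(self.computed_pct - self.reported_pct) <= 0.1)


def parse_show_disk(text: str) -> List[Partition]:
    """Pair each 'percentage ... utilization' line with the counter row below it."""
    parts: List[Partition] = []
    pending = None                  # (name, reported_pct) waiting for its row
    for line in text.splitlines():
        m = PCT_RE.search(line)
        if m:
            pending = (m.group(1), float(m.group(2)))
            continue
        m = ROW_RE.match(line)
        if m and pending is not None:
            total, used, free = (int(x) for x in m.groups())
            parts.append(Partition(pending[0], pending[1], total, used, free))
            pending = None
    return parts


def check_disk(text: str, threshold_pct: float = 80.0) -> Dict[str, str]:
    """Per partition: 'ok', 'warn' (at or above threshold) or 'inconsistent'."""
    result: Dict[str, str] = {}
    for p in parse_show_disk(text):
        if not p.consistent:
            result[p.name] = "inconsistent"
        elif p.computed_pct >= threshold_pct:
            result[p.name] = "warn"
        else:
            result[p.name] = "ok"
    return result
```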

Viewing Memory Usage

In any mode, use the following command to view the usage of the system memory:
show memory
In any mode, use the following command to view the system memory size occupied by file sys-
tems:
show memory filesys

URL Hit
The predefined stat-set for URL hit includes:

Type     Name                     Description
URL Hit  predef_url_hit           Statistics on the URL hits
         predef_user_url          Statistics on the URLs accessed by the users
         predef_url_cat_hit       Statistics on the URL category hits
         predef_user_url_cat_hit  Statistics on the URL categories accessed by the users

If IPv6 is enabled, the system supports monitoring both IPv4 and IPv6 addresses.
To view the predefined stat-set information for URL hit, see Viewing Stat-set Information.

Tip: Non-root VSYS also supports URL hit in E and X series platforms.

Link State Monitor


Link state monitoring samples the traffic of the specified interface on a link and calculates latency, packet loss rate, jitter and bandwidth utilization, so that the overall status of the link can be monitored and displayed. The system also supports link detection, which calculates the traffic information of a specific destination IP address on the link, including latency and jitter.

Enabling/Disabling Link User Experience Monitor

To enable the link user experience monitor, first enter the link monitor configuration mode, and
then specify the binding interface. In the global configuration mode, use the following command
to specify the binding interface:
link-perf-monitor interface interface-name

l interface-name – Specify the interface name.

To delete the interface, use the no link-perf-monitor interface interface-name command in the link monitor configuration mode.

To enable the link user experience monitor for the interface, in the link monitor configuration mode, use the following command:
monitor on
To disable this function for the specified interface, use the no monitor on command in the link monitor configuration mode.

Enabling/Disabling Application Switch for Interface

After enabling the application switch, you can see details of the specific application in this inter-
face. By default, the application switch is disabled. To enable the application switch, in the link
monitor configuration mode, use the following command:
application on
To disable this function for the specified interface, use the no application on command in the link state monitor configuration mode.

Specify the Description of Interface

To specify the description for the binding interface, in the link monitor configuration mode, use
the following command:
description string

l string - Specify the description for the binding interface.

To delete the description, use the no description command in the link monitor configuration mode.

Viewing Link Configuration Information

To view link state monitor configuration information, in any mode, use the following command:
show link-perf-monitor information

Viewing Statistics Information of Link User Experience

To view statistics information of link user experience, in any mode, use the following command:
show link-perf-monitor statistics [interface interface-name [application application-name] [history {minute | hour | day | month}]] [ipv4 | ipv6]

l interface interface-name – View the link user experience monitoring statistics according to
the specified interface.

l application application-name – View the link user experience monitoring statistics according
to the specified application. If not specified, the system will display the statistics information
according to the specified interface.

l history {minute | hour | day | month}–View the history statistics information.

l ipv4 | ipv6–View the link user experience monitoring statistics according to the specified IP type. If not specified, the system displays the statistics for both IPv4 and IPv6 by default.

Configuring the Link Detection Destination

The system supports link detection, which calculates the traffic information of a specific destination IP address on the link, including latency and jitter.
To configure the detection destination, first enter the link detection monitor configuration mode, and then specify the destination IP address. In the global configuration mode, use the following command to enter the link detection monitor configuration mode:
link-detect-object

To configure the link detection destination of IPv4, in the link detection monitor configuration mode, use the following command:
ip A.B.C.D protocol {tcp [port port-number] | icmp} [interval value] [description description]

l A.B.C.D - Specifies the IP address of the detection destination.

l tcp [port port-number] - Specifies the protocol type as TCP and the port number.

l icmp - Specifies the protocol type as ICMP.

l interval value - Specifies the interval of the detection packets. The value range is 1 to 5 seconds; the default value is 1.

l description description - Specifies the description of the detection destination.

To delete the detection destination, use the no ip A.B.C.D command in the link detection monitor configuration mode.
To configure the link detection destination of IPv6, in the link detection monitor configuration mode, use the following command:
ipv6 X:X:X:X::X protocol {tcp [port port-number] | icmpv6} [interval value] [description description]

l X:X:X:X::X - Specifies the IPv6 address of the detection destination.

l tcp [port port-number] - Specifies the protocol type as TCP and specifies the port number.

l icmpv6 - Specifies the protocol type as ICMPv6.

l interval value - Specifies the interval of the detection packets. The value range is 1 to 5
seconds; the default value is 1.

l description description - Specifies the description for the detection destination.

To delete the detection destination, use the no ipv6 X:X:X:X::X command in the link detection
monitor configuration mode.

Viewing Link Detection Monitor Configuration Information

To view link detection monitor configuration information, in any mode, use the following command:
show link-detect-object {all | A.B.C.D | X:X:X:X::X}

l all – Displays the link detection monitor configuration information of all destination IP
addresses.



l A.B.C.D | X:X:X:X::X - Display the link detection monitor configuration information of the
specified destination IP address.

Application Block
The predefined stat-set for Application Block includes:

Type Name Description

Application Block predef_app_block Statistics on the application blocks

Application Block predef_user_app_block Statistics on the application blocks of all the users

Application Block predef_user_app_app_block Statistics on the application blocks of the specified user

If IPv6 is enabled, the system monitors both IPv4 and IPv6 addresses.
To view the predefined stat-set information for Application Block, see Viewing Stat-set Information.

Tip: Non-root VSYS also supports application block in E and X series platforms.

Keyword Block
The predefined stat-set for Keyword Block includes:

Type Name Description

Keyword Block predef_kw_block Statistics on the file content/webpage/E-mail/Web posting keyword blocks

Keyword Block predef_user_kw_block Statistics on the keyword blocks of all the users

Keyword Block predef_user_kw_kw_block Statistics on the keyword blocks of the specified user

To view the predefined stat-set information for Keyword Block, see Viewing Stat-set Information.

Tip: Non-root VSYS also supports keyword block in E and X series platforms.

Authentication User
The authentication user commands are:

show auth-user

View online authenticated user information.


Command:
show auth-user [username user-name interface interface-name | vrouter vrouter-name]

Description:
username user-name - View the online user information of the specified username.
web-auth - View the online WebAuth user information.
scvpn - View online users of all SCVPN instances.
Default values:
None
Mode:
Any mode
Guidance:
This command also displays the groups associated with an online user. If an online user is associated
with more than 256 groups, only the first 256 configured groups are displayed.
Example:



hostname# show auth-user scvpn

show auth-user groupname

View the information about online authenticated users in a specific user group.
Command:
show auth-user groupname group_name
Description:
groupname group_name -Specifies the name of the user group.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname#show auth-user groupname group1

show dp-auth-user

View the online auth user information of system data plane.


Command:
show dp-auth-user [username user-name [interface interface-name | vrouter vrouter-name]]

Description:
username user-name -View the online user information with the specific username.
interface interface-name - Specifies the interface name.
vrouter vrouter-name - Specifies the VRouter name.
Default values:
None



Mode:
Any mode
Guidance:
Only for system debug.
Example:
hostname# show dp-auth-user

show pseudo-group

View the user group ID information.


Command:
show pseudo-group [aaa-server server-name group group-name]
Description:
aaa-server server-name - View the user group ID of the specified AAA server.
group group-name - View the user group ID of the specified user group.
Default values:
None
Mode:
Any mode
Guidance:
Only for system debug.
Example:
hostname# show pseudo-group

show auth-user agent

View the information of the online agent users.


Command:
show auth-user agent [interface interface-name | vrouter vrouter-name]



Description:
interface interface-name -Specifies the interface name.
vrouter vrouter-name -Specifies the interface VRouter name.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user agent interface ethernet0/0

show auth-user dot1x

View the information of the online 802.1x users.


Command:
show auth-user dot1x [interface interface-name | vrouter vrouter-name]

Description:
interface interface-name -Specifies the interface name.
vrouter vrouter-name -Specifies the interface VRouter name.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user dot1x



show auth-user interface

View the online users information that use specific interface as authentication ingress interface.
Command:
show auth-user interface interface-name
Description:
interface-name -Specifies the interface name.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user interface ethernet1/1

show auth-user ip

View online user information for a specific IP address.


Command:
show auth-user agent [ip ip-address | ip ip-address to ip-address] [interface interface-name | vrouter vrouter-name]
Description:
ip-address -Specifies the IP address.
ip ip-address to ip-address -Specifies the range of IPv4 or IPv6 addresses.
interface interface-name -Specifies the interface name.
vrouter vrouter-name -Specifies the interface VRouter name.
Default values:



None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user ip 10.180.32.1

hostname# show auth-user ip 10.180.32.1 to 10.182.32.2

show auth-user l2tp

View all the clients of the L2TP instance.


Command:
show auth-user l2tp [interface interface-name | vrouter vrouter-name]

Description:
interface interface-name -Specifies the interface name.
vrouter vrouter-name -Specifies the interface VRouter name.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user l2tp interface ethernet0/1

show auth-user mac

View the online user of specific MAC address.



Command:
show auth-user mac mac-address

Description:
mac-address -Specifies the MAC address.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user mac 0050.569d.0b7e

show auth-user radius-snooping

View the information of the online RADIUS-snooping users.


Command:
show auth-user radius-snooping [interface interface-name | vrouter vrouter-name | slot slot-no]

Description:
interface interface-name - Specifies the interface name.
vrouter vrouter-name - Specifies the interface VRouter name.
slot slot-no - Specifies the slot number.
Default values:
None
Mode:
Any mode
Guidance:



None
Example:
hostname# show auth-user radius-snooping

show auth-user static

View static auth-users, including IP-binding and MAC-binding users.


Command:
show auth-user {static | mac mac-address | ip ip-address} [interface interface-name | vrouter vrouter-name]

Description:
mac mac-address -Specifies the MAC address for binding.
ip ip-address -Specifies the IP address for binding.
interface interface-name -Specifies the interface name.
vrouter vrouter-name - Specifies the VRouter name.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user static

show auth-user scvpn

View online users of all SCVPN instances.


Command:
show auth-user scvpn [interface interface-name | vrouter vrouter-name]



Description:
interface interface-name - Specifies the interface name.
vrouter vrouter-name - Specifies the interface VRouter name.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user scvpn

show auth-user endpoint-tag

View online users tagged with the specified endpoint tags.


Command:
show auth-user [interface interface-name | vrouter vrouter-name | endpoint-tag endpoint-tag-name]
Description:
interface interface-name -Specifies the interface name.
vrouter vrouter-name -Specifies the interface VRouter name.
endpoint-tag endpoint-tag-name-Specifies the endpoint tag name. Both partial match and exact
match are supported.
Default values:
None
Mode:
Any mode
Guidance:
None



Example:
hostname# show auth-user endpoint-tag tag1

show auth-user ztna

View ZTNA online users.


Command:
show auth-user ztna [interface interface-name | vrouter vrouter-name | endpoint-tag endpoint-tag-name]
Description:
interface interface-name -Specifies the interface name.
vrouter vrouter-name -Specifies the interface VRouter name.
endpoint-tag endpoint-tag-name-Specifies the endpoint tag name. Both partial match and exact
match are supported.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user ztna endpoint-tag tag1

show auth-user ad-scripting

View the information of the online sso-agent users.


Command:
show auth-user ad-scripting [interface interface-name | vrouter vrouter-name]
Description:
interface interface-name - Specifies the interface name.



vrouter vrouter-name- Specifies the interface VRouter name.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user ad-scripting

show auth-user ad-polling

View the information of the online AD-polling users.


Command:
show auth-user ad-polling [interface interface-name | vrouter vrouter-name]

Description:
interface interface-name - Specifies the interface name.
vrouter vrouter-name - Specifies the interface VRouter name.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user ad-polling



show auth-user sso-radius

View the information of the online SSO-RADIUS users.


Command:
show auth-user sso-radius [interface interface-name | vrouter vrouter-name]

Description:
interface interface-name - Specifies the interface name.
vrouter vrouter-name- Specifies the interface VRouter name.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user sso-radius

show auth-user sso-monitor

View the information of the online SSO-monitor users.


Command:
show auth-user sso-monitor [interface interface-name | vrouter vrouter-name]

Description:
interface interface-name- Specifies the interface name.
vrouter vrouter-name - Specifies the interface VRouter name.
Default values:
None
Mode:



Any mode
Guidance:
None
Example:
hostname# show auth-user sso-monitor

show auth-user webauth-ntlm

View the information of the online WebAuth-NTLM users.


Command:
show auth-user webauth-ntlm [interface interface-name | vrouter vrouter-name]

Description:
interface interface-name - Specifies the interface name.
vrouter vrouter-name - Specifies the interface VRouter name.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user webauth-ntlm

show auth-user xauth

View the information of the online XAUTH users.


Command:
show auth-user xauth [interface interface-name | vrouter vrouter-name]

Description:



interface interface-name - Specifies the interface name.
vrouter vrouter-name - Specifies the interface VRouter name.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user xauth

show auth-user webauth

View the online WebAuth user information.


Command:
show auth-user webauth [interface interface-name | vrouter vrouter-name]

Description:
interface interface-name - Specifies the interface name.
vrouter vrouter-name - Specifies the interface VRouter name.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user webauth



show auth-user vrouter

View the online users of a specific VRouter.


Command:
show auth-user vrouter
Description:
None
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# show auth-user vrouter trust-vr

User-defined Monitor
The stat-set function of StoneOS gathers statistics on the data passing through the device.
Once configured, you can view real-time or periodic statistics by data type or grouping method.
All statistics can be filtered as needed, giving you a more detailed and accurate picture of the
system's resource allocation and network security status.
If IPv6 is enabled, the system monitors both IPv4 and IPv6 addresses.
User-defined monitor statistics include:

l Creating a stat-set

l Configuring the type of statistical data



l Configuring a data grouping method

l Configuring a filter

Creating a Stat-set

To create a stat-set, in the global configuration mode, use the following command:
statistics-set name

l name – Specifies the name of the stat-set. The length is 1 to 31 characters.

After executing the above command, the system will create a stat-set with the specified name, and
enter the configuration mode; if the name of the stat-set exists, the system will directly enter the
stat-set configuration mode.
To delete the specified stat-set, in the global configuration mode, use the following command:
no statistics-set name

Configuring the Type of Statistical Data

The statistical data types of a stat-set include bandwidth, session, new session ramp-up rate,
attack rate, virus number, intrusion count, URL hit, keyword block and application block. To con-
figure the type of statistical data, in the stat-set configuration mode, use the following command:
target-data {bandwidth | session | rampup-rate | url-hit | application-block | attack-rate} [record-history] [root-vsys-only]

l bandwidth | session | rampup-rate | url-hit | application-block | attack-rate – Specifies
the type of statistical data of the stat-set. It can be bandwidth, session, new session ramp-up rate,
attack rate, virus number, intrusion count, URL hit, keyword block, application block or
AD attack count.

l record-history – Records data of the last 30 days.

l root-vsys-only – Only gathers data of the root VSYS. If this parameter is not configured, data of
all VSYSs is counted.



To remove the configurations that specify the type of statistical data of the stat-set, in the stat-set
configuration mode, use the following command:
no target-data

Notes: When configuring a stat-set, keep in mind that:

l The URL hit statistics are only available to users who have a URL license.

l Non-root VSYS only supports the bandwidth, session, new session ramp-up rate and URL hit
types.

l If you specified the root-vsys-only parameter, the data grouping method cannot be
configured to VSYS.

Configuring a Data Grouping Method

The data grouping methods of a stat-set include IP, interface, security zone, application, user,
URL, URL category and VSYS. The available options vary with the data type. Non-root VSYS
supports the grouping methods IP, interface, security zone, application, user, URL and URL category.
To configure a data grouping method, in the stat-set configuration mode, use the following com-
mand:
group-by {[ip [directional] [initiator | responder | belong-to-zone zone-name | not-belong-to-zone zone-name | belong-to-interface interface-name | not-belong-to-interface interface-name]] | interface [directional] | zone [directional] | application | user [directional] | url | url-category | vsys}

l ip – Specifies IP address as the data grouping method for the stat-set. You can use the initiator |
responder | belong-to-zone zone-name | not-belong-to-zone zone-name | belong-to-interface
interface-name | not-belong-to-interface interface-name parameters to specify the IP range for
the statistics. It can be the IP that initiates the session (initiator), the IP that receives the session
(responder), the IP that belongs to a specific security zone (belong-to-zone zone-name), the IP that
does not belong to a specific security zone (not-belong-to-zone zone-name), the IP that belongs to
a specific interface (belong-to-interface interface-name), or the IP that does not belong to a
specific interface (not-belong-to-interface interface-name).

l directional – Gathers statistics for both directions, i.e., when the data is grouped by IP,
interface or security zone, the inbound and outbound traffic, the number of received and sent
sessions, and the ramp-up rate of new received and sent sessions are gathered separately; if this
option is not configured, the default result is non-directional, i.e., when the data is grouped by IP,
interface or security zone, all the traffic, sessions and ramp-up rate of new sessions are gathered
together.

l interface – Specifies interface as the data grouping method for the stat-set.

l zone – Specifies security zone as the data grouping method for the stat-set.

l application – Specifies application as the data grouping method for the stat-set. In such a
case the type of statistical data should not be AD attack rate, URL hit count and keyword
block count.

l user – Specifies user as the data grouping method for the stat-set.

l url – Specifies URL as the data grouping method for the stat-set.

l url-category – Specifies URL category as the data grouping method for the stat-set.

l vsys – Specifies VSYS as the data grouping method for the stat-set.

To cancel the configurations that specify the data grouping method of the stat-set, in the stat-
set configuration mode, use the following command:
no group-by
The following table lists statistical information based on IP type:

Direction | Condition | Traffic | Session | Ramp-up rate
No direction | Initiator | Statistics on the traffic of the initiator's IP | Statistics on the session number of the initiator's IP | Statistics on the new sessions of the initiator's IP
No direction | Responder | Statistics on the traffic of the responder's IP | Statistics on the session number of the responder's IP | Statistics on the new sessions of the responder's IP
No direction | Belong to zone | Statistics on the traffic of an IP that belongs to a specific security zone | Statistics on the session number of an IP that belongs to a specific security zone | Statistics on the new sessions of an IP that belongs to a specific security zone
No direction | Not belong to zone | Statistics on the traffic of an IP that does not belong to a specific security zone | Statistics on the session number of an IP that does not belong to a specific security zone | Statistics on the new sessions of an IP that does not belong to a specific security zone
No direction | Belong to interface | Statistics on the traffic of an IP that belongs to a specific interface | Statistics on the session number of an IP that belongs to a specific interface | Statistics on the new sessions of an IP that belongs to a specific interface
No direction | Not belong to interface | Statistics on the traffic of an IP that does not belong to a specific interface | Statistics on the session number of an IP that does not belong to a specific interface | Statistics on the new sessions of an IP that does not belong to a specific interface
Bi-directional | Initiator | Statistics on the inbound and outbound traffic of the initiator's IP | Statistics on the number of received and sent sessions of the initiator's IP | Statistics on the new received and sent sessions of the initiator's IP
Bi-directional | Responder | Statistics on the inbound and outbound traffic of the responder's IP | Statistics on the number of received and sent sessions of the responder's IP | Statistics on the new received and sent sessions of the responder's IP
Bi-directional | Belong to zone | Statistics on the inbound and outbound traffic of an IP that belongs to a specific security zone | Statistics on the number of received and sent sessions of an IP that belongs to a specific security zone | Statistics on the new received and sent sessions of an IP that belongs to a specific security zone
Bi-directional | Not belong to zone | Statistics on the inbound and outbound traffic of an IP that does not belong to a specific security zone | Statistics on the number of received and sent sessions of an IP that does not belong to a specific security zone | Statistics on the new received and sent sessions of an IP that does not belong to a specific security zone
Bi-directional | Belong to interface | Statistics on the inbound and outbound traffic of an IP that belongs to a specific interface | Statistics on the number of received and sent sessions of an IP that belongs to a specific interface | Statistics on the new received and sent sessions of an IP that belongs to a specific interface
Bi-directional | Not belong to interface | Statistics on the inbound and outbound traffic of an IP that does not belong to a specific interface | Statistics on the number of received and sent sessions of an IP that does not belong to a specific interface | Statistics on the new received and sent sessions of an IP that does not belong to a specific interface

For the no-direction rows, the URL hit count, keyword block count and application block count
columns are, respectively, statistics on the URL hit count, the keyword block count and the
application block count of the specified IPs.

The following table lists statistical information grouped by zone, interface, application, user, URL,
URL category and VSYS ("(as above)" marks a cell merged with the row above it):

Group by | Direction | Traffic | Session | Ramp-up rate | URL hit count | Keyword block count | Application block count
Zone | No direction | Statistics on the traffic of the specified security zones | Statistics on the session number of the specified security zones | Statistics on the new sessions of the specified security zones | Statistics on the URL hit count of the specified security zones | N/A | N/A
Zone | Bi-directional | Statistics on the inbound and outbound traffic of the specified security zones | Statistics on the number of received and sent sessions of the specified security zones | Statistics on the new received and sent sessions of the specified security zones | (as above) | N/A | N/A
Interface | No direction | Statistics on the traffic of the specified interfaces | Statistics on the session number of the specified interfaces | Statistics on the new sessions of the specified interfaces | Statistics on the URL hit count of the specified interfaces | N/A | N/A
Interface | Bi-directional | Statistics on the inbound and outbound traffic of the specified interfaces | Statistics on the number of received and sent sessions of the specified interfaces | Statistics on the new received and sent sessions of the specified interfaces | (as above) | N/A | N/A
Application | N/A | Statistics on the traffic of the specified applications | Statistics on the session number of the specified applications | Statistics on the new sessions of the specified applications | N/A | N/A | Statistics on the block count of the specified applications
User | No direction | Statistics on the traffic of the specified users | Statistics on the session number of the specified users | Statistics on the new sessions of the specified users | Statistics on the URL hit count of the specified users | Statistics on the keyword block count of the specified users | Statistics on the application block count of the specified users
User | Bi-directional | Statistics on the inbound and outbound traffic of the specified users | (as above) | (as above) | (as above) | (as above) | (as above)
URL | N/A | N/A | N/A | N/A | Statistics on the hit count of the specified URLs | N/A | N/A
URL Category | N/A | N/A | N/A | N/A | Statistics on the hit count of the specified URL categories | N/A | N/A
VSYS | N/A | Statistics on the traffic of the specified VSYSs | Statistics on the session number of the specified VSYSs | Statistics on the new sessions of the specified VSYSs | Statistics on the URL hit count of the specified VSYSs | N/A | N/A

Configuring a Filter

You can configure a filtering condition for the stat-set to gather statistics on the specified con-
dition, such as statistics on the session number of the specified security zone, or the traffic of the
specified IP.

Type Description

filter zone Data is filtered by security zone.

filter zone zone-name ingress Data is filtered by ingress security zone.

filter zone zone-name egress Data is filtered by egress security zone.

filter interface Data is filtered by interface.


filter interface if-name ingress Data is filtered by ingress interface.

filter interface if-name egress Data is filtered by egress interface.

filter application Data is filtered by application.

filter ip Data is filtered by address entry.

filter ip add-entry source Data is filtered by source address (address entry).

filter ip add-entry destination Data is filtered by destination address (address entry).

filter ip A.B.C.D/M Data is filtered by IP.

filter ip A.B.C.D/M source Data is filtered by source IP.

filter ip A.B.C.D/M destination Data is filtered by destination IP.

filter user Data is filtered by user.

filter user-group Data is filtered by user group.

filter role Data is filtered by user role.

filter service Data is filtered by service.

To configure a filter, in the stat-set configuration mode, use the following command:
filter {ip {A.B.C.D/M | address-entry} [source | destination] | interface name [ingress | egress] | zone name [ingress | egress] | application name | user user-name aaa-server-name | user-group user-group-name aaa-server-name | role role-name | service service-name}

l ip {A.B.C.D/M | address-entry} – Specifies an IP as the filter. The IP can be an IP address
range (for example, 10.101.0.1, 255.255.255.0 or 10.101.0.1/24) or an address entry defined
in the system address book. If IPv6 is enabled, the system also monitors IPv6 address items.



l source | destination – Specifies a source IP address or destination IP address as the filter.

l interface name – Specifies an interface as the filter.

l ingress | egress – Specifies an ingress interface or egress interface as the filter.

l zone name – Specifies a security zone as the filter.

l ingress | egress – Specifies an ingress or egress of a security zone as the filter.

l application name – Specifies an application as the filter.

l user user-name aaa-server-name – Specifies a user as the filter.

l user-group user-group-name aaa-server-name – Specifies a user group as the filter.

l role role-name - Specifies a user role as the filter.

l service service-name - Specifies a service as the filter.

Repeat the command to configure multiple filters. The system supports up to 32 filters for each
stat-set, of which the user, user group and role filters are each limited to 8. If multiple filters
configured for the same stat-set belong to the same type, the logical relationship among them is
OR; if they belong to different types, the logical relationship among them is AND.
To delete the specified type of filters, in the stat-set configuration mode, use the following com-
mand:
no filter {ip {A.B.C.D/M | address-entry} [source | destination] | interface name [ingress | egress] | zone name [ingress | egress] | application name | user user-name aaa-server-name | user-group user-group-name aaa-server-name | role role-name | service service-name}

To delete all types of filters, in the stat-set configuration mode, use the following command:
no filter all
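The filter limits and the OR-within-type / AND-across-types matching logic described above, modelled in Python as an added example (not StoneOS code); the flow record fields and the address-matching details are assumptions made for the example:

```python
"""Model of the stat-set filter rules documented above.

Added example, not StoneOS code: it encodes the stated limits (at most 32
filters per stat-set, at most 8 each of the user, user-group and role types)
and the matching semantics (OR within a filter type, AND across types), then
applies them to constructed flow records. The Flow field names and the
matching logic are assumptions made for this example.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

MAX_FILTERS = 32            # per stat-set, as documented
MAX_PER_IDENTITY_TYPE = 8   # user, user-group and role filters each


@dataclass(frozen=True)
class Filter:
    """One `filter` statement. ftype is ip | interface | zone | application |
    user | user-group | role | service; direction is source/destination for ip,
    ingress/egress for interface and zone, or "any" when omitted."""
    ftype: str
    value: str
    direction: str = "any"


@dataclass
class Flow:
    """Constructed flow record; field names are assumptions for this example."""
    src_ip: str
    dst_ip: str
    ingress_zone: str
    egress_zone: str
    ingress_if: str
    egress_if: str
    application: str
    user: str = ""
    user_group: str = ""
    role: str = ""
    service: str = ""


def validate(filters):
    """Return the documented limit violations for a list of filters (empty if none)."""
    problems = []
    if len(filters) > MAX_FILTERS:
        problems.append(f"{len(filters)} filters exceed the limit of {MAX_FILTERS}")
    counts = Counter(f.ftype for f in filters)
    for ftype in ("user", "user-group", "role"):
        if counts[ftype] > MAX_PER_IDENTITY_TYPE:
            problems.append(f"{counts[ftype]} {ftype} filters exceed the limit of {MAX_PER_IDENTITY_TYPE}")
    return problems


def _sides(f, a, b):
    """Pick the flow attributes a direction-qualified filter is compared against."""
    return {"source": [a], "ingress": [a], "destination": [b], "egress": [b], "any": [a, b]}[f.direction]


def _single_match(f, flow):
    if f.ftype == "ip":
        # Accepts A.B.C.D/M or A.B.C.D/netmask; address-book entries are not modelled here.
        net = ipaddress.ip_network(f.value, strict=False)
        return any(ipaddress.ip_address(a) in net for a in _sides(f, flow.src_ip, flow.dst_ip))
    if f.ftype == "zone":
        return f.value in _sides(f, flow.ingress_zone, flow.egress_zone)
    if f.ftype == "interface":
        return f.value in _sides(f, flow.ingress_if, flow.egress_if)
    attr = {"application": "application", "user": "user", "user-group": "user_group",
            "role": "role", "service": "service"}[f.ftype]
    return getattr(flow, attr) == f.value


def matches(filters, flow):
    """Apply the documented logic: OR among filters of the same type, AND across
    types. A stat-set with no filters counts every flow."""
    by_type = {}
    for f in filters:
        by_type.setdefault(f.ftype, []).append(f)
    return all(any(_single_match(f, flow) for f in group) for group in by_type.values())


if __name__ == "__main__":
    # Equivalent of:
    #   filter ip 10.101.0.0/24 source
    #   filter zone trust ingress
    #   filter application HTTP
    #   filter application DNS
    demo = [Filter("ip", "10.101.0.0/24", "source"), Filter("zone", "trust", "ingress"),
            Filter("application", "HTTP"), Filter("application", "DNS")]
    flow = Flow("10.101.0.7", "203.0.113.10", "trust", "untrust", "ethernet0/1", "ethernet0/0", "HTTP")
    print(validate(demo), matches(demo, flow))  # [] True
```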



Enabling/Disabling Stat-set

By default, all the predefined stat-sets for user monitor, application monitor and device monitor are
disabled, except for the bandwidth stat-set.
To enable or disable a stat-set, in the stat-set configuration mode, use the following commands.

l Enable: active

l Disable: no active

Tip: After the above command is executed in the root VSYS, the specified pre-
defined stat-set of all VSYSs is enabled or disabled (except where a non-root VSYS
does not support that predefined stat-set). You cannot enable or disable predefined
stat-sets from within non-root VSYSs.

Viewing Stat-set Information

To view the configuration information of the predefined and user-defined stat-set, in any mode,
use the following command:
show statistics-set name [{current | history | history-max} [IPv4 | IPv6] [sort-by {up | down | item}]]

l show statistics-set – Shows the configuration information of all the stat-sets in the system.

l name – Specifies the name of the stat-set to show the configuration information of the stat-
set.

l current | history | history-max – Shows specific statistics of the specified stat-set, including:

l current – Shows the current statistics of the specified stat-set.

l history – Shows historic statistics of the specified stat-set. The system samples data
every five minutes.



l history-max – Shows historic maximum statistics of the specified stat-set. This para-
meter is only applicable to stat-set of session type.

l IPv4 | IPv6 – Shows specific statistics of the specified address type.

l sort-by {up | down | item} – Specifies the sorting method for the statistics of the specified
stat-set (in a descending order of the file size).

l up - Sorted by outbound data.

l down – Sorted by inbound data (only when the Group by is configured with Bi-dir-
ectional parameters).

l item - Sorted by Group by objects.

Diagnostic Center
The system supports the Diagnostic Center function. This function can be used to collect stat-
istics of packet loss of different functional modules, which helps you identify issues. The detailed
function is described as follows.

l Supports statistics on packet loss of functional modules. The packet loss statistics are displayed in lists, bar charts, or line charts.

l Allows you to view detailed packet loss statistics of functional modules, including the time of
packet loss, 5-tuple (source IP, source port, destination IP, destination port, and protocol
type), and module of packet loss.

l Allows you to manually enable the collection of 5-tuple statistics of packet loss or set the
threshold to trigger packet loss statistics collection.

l Supports the storage of packet loss statistics to device disks. You can set limits on the size of
the statistics storage space. For more information, see Storage Management.

Notes: The Diagnostic Center function is available only for SG-6000 A-Series
devices installed with hard disks.

Always Collecting 5-Tuple Statistics of Packet Loss

You can enable the function of always collecting 5-tuple statistics of packet loss. This way, the
system will always collect the 5-tuple statistics of packet loss of all functional modules (source IP,
source port, destination IP, destination port, and protocol type). To enable this function, run the
following command in the global configuration mode:
module-drop-counter force-cap-packet enable
In the global configuration mode, run the no module-drop-counter force-cap-packet enable command to disable the function of always collecting 5-tuple statistics of packet loss.

Notes: After the function of always collecting 5-tuple statistics of packet loss is
enabled, the packet loss threshold of functional modules and packet loss growth
rate threshold do not take effect.

Configuring a Packet Loss Threshold

You can configure a packet loss threshold for functional modules. If the packet loss count of a functional module exceeds the threshold, it is determined the packet loss is abnormal and the 5-tuple of abnormal packet loss is recorded. To configure a packet loss threshold, run the following command in the global configuration mode:

module-drop-counter module module-name threshold number

l module-name - Specifies the name of the functional module.

l number - Specifies the packet loss threshold. Valid values: 0 to 20000. Default value: 0,
which indicates that no threshold is specified and the 5-tuple statistics of packet loss are
always collected.

In the global configuration mode, run the no form of the module-drop-counter module module-name threshold command to reset the packet loss threshold to the default value.

Configuring a Packet Loss Growth Rate Threshold

You can configure a packet loss growth rate threshold for functional modules. If the packet loss growth rate of a functional module exceeds the threshold, it is determined the packet loss is abnormal and the 5-tuple of abnormal packet loss is recorded. To configure a packet loss growth rate threshold, run the following command in the global configuration mode:
module-drop-counter growth-rate number

l number - Specifies the packet loss growth rate threshold. Valid values: 0 to 100. Default
value: 0, which indicates that no threshold is specified and the 5-tuple statistics of packet loss
are always collected.

In the global configuration mode, run the no module-drop-counter growth-rate command to reset
the packet loss growth rate threshold to the default value.
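How the three Diagnostic Center settings above interact, as an added Python model (not Hillstone code): force-cap-packet overrides both thresholds, a threshold of 0 means "not configured", and with nothing configured the 5-tuple is always collected. The rule that either configured threshold triggers recording, and the definition of growth rate as the percent increase between two consecutive samples of a module's drop counter, are assumptions.

```python
"""Model of the StoneOS Diagnostic Center packet-loss collection decision.

Added example, not Hillstone code. The combination rule for the two thresholds
and the growth-rate definition (percent increase between consecutive samples of
a module's cumulative drop counter) are assumptions; the three settings and the
meaning of the value 0 follow the guide text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class DropCounterConfig:
    # module-drop-counter force-cap-packet enable
    force_cap_packet: bool = False
    # module-drop-counter module <module-name> threshold <number>; 0 = not configured
    module_threshold: Dict[str, int] = field(default_factory=dict)
    # module-drop-counter growth-rate <number>; 0 = not configured
    growth_rate_threshold: int = 0


def growth_rate_percent(prev_count: int, cur_count: int) -> float:
    """Percent increase of a drop counter between two samples (assumed definition).

    With no baseline (previous count 0) the rate is 0, so the first sample of a
    module never trips the growth-rate criterion by itself.
    """
    if prev_count <= 0:
        return 0.0
    return (cur_count - prev_count) * 100.0 / prev_count


def should_record_5tuple(cfg: DropCounterConfig, module: str,
                         prev_count: int, cur_count: int) -> Tuple[bool, str]:
    """Decide whether the 5-tuple of this module's dropped packets is recorded.

    Returns (decision, reason). force-cap-packet makes both thresholds
    ineffective, as the note above states.
    """
    if cfg.force_cap_packet:
        return True, "force-cap-packet enabled: thresholds ignored"
    count_thr = cfg.module_threshold.get(module, 0)
    rate_thr = cfg.growth_rate_threshold
    if count_thr == 0 and rate_thr == 0:
        return True, "no threshold configured: always collect"
    if count_thr and cur_count > count_thr:
        return True, f"drop count {cur_count} > threshold {count_thr}"
    rate = growth_rate_percent(prev_count, cur_count)
    if rate_thr and rate > rate_thr:
        return True, f"growth rate {rate:.0f}% > threshold {rate_thr}%"
    return False, "within thresholds"


def evaluate_samples(cfg: DropCounterConfig,
                     samples: List[Tuple[str, int]]) -> List[Tuple[str, int, bool, str]]:
    """Apply the decision to consecutive (module, cumulative drop count) samples."""
    last: Dict[str, int] = {}
    out: List[Tuple[str, int, bool, str]] = []
    for module, count in samples:
        prev = last.get(module, 0)
        decision, reason = should_record_5tuple(cfg, module, prev, count)
        out.append((module, count, decision, reason))
        last[module] = count
    return out


# Constructed sample: cumulative drop counters of two modules, in sampling order.
SAMPLES = [
    ("session", 100), ("session", 105), ("session", 900),
    ("dnat", 10), ("dnat", 10), ("dnat", 30),
]

if __name__ == "__main__":
    cfg = DropCounterConfig(module_threshold={"session": 500}, growth_rate_threshold=50)
    for row in evaluate_samples(cfg, SAMPLES):
        print(row)
```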

Long-term Monitor
The system supports the long-term monitor function. This function can be used to continuously
monitor and collect statistics on device traffic and sessions and then store these statistics, which
meets your requirements for network monitoring and diagnostics. The detailed function is
described as follows.

l Supports the storage of statistics for device traffic and sessions over the last 180 days to the
device disks. You are allowed to set limits on the size of the statistics storage space.

l Supports query by IP or application type. You can query data from a maximum of 31 consecutive days within the last 180 days.

l Supports the display of statistics in lists, bar charts, and line charts.

Notes: The long-term monitor function is available only for SG-6000 A-Series
devices installed with hard disks and SG-6000 K-Series devices installed with hard
disks (excluding SG-6000-K9180).

Enabling/disabling Long-term Monitor

By default, the Long-term Monitor function is disabled. To enable/disable this function, run the
following command in the global configuration mode:
statistics-long-term {enable | disable}

l enable - Enable the Long-term Monitor function.

l disable - Disable the Long-term Monitor function.

Alarm

Overview
The alarm feature actively monitors the protected network to locate suspicious issues and sends out alarm messages. The rule that defines which behavior should be alerted on is called an alarm rule. The system can analyze alarm messages and display the analysis results in the form of charts and a timeline. In addition, alarm messages can be sent to system administrators by email or SMS text, so that administrators receive alerts promptly and can respond to them.

Alarm Commands

action

Specify the alarming method.


Command:
action {mail | sms } {on | off}
no action {mail | sms}
Description:
mail -Send via Email.
sms -Send via SMS.
on | off -Enable/Disable the method.
Default values:
None
Mode:
alarm rule configuration mode
Guidance:
None

Example:
hostname<config-alarm-app># action mail on

alarm

Enter the alarm configuration mode.


Command:
alarm
Description:
None
Default values:
None
Mode:
Global configuration mode
Guidance:
None
Example:
hostname# config

hostname<config># alarm

hostname<config-alarm>#

alarm-expiration-time

Configure the expiration time.


Command:
alarm-expiration-time time
no alarm-expiration-time
Description:
time -Specify the expiration time. The default value is 7 days.

Default values:
None
Mode:
alarm configuration mode
Guidance:
None
Example:
hostname<config-alarm># alarm-expiration-time 10

alarm-receiver

Configure the receiver information of warning email.


Command:
alarm-receiver name name desc description mail mail sms sms

no alarm-receiver name name

Description:
name name -Specifies the recipient's name.
desc description -Specifies the recipient's description.
mail mail -Specifies the email address for receiving warning emails.
sms sms -Specifies the mobile phone number for receiving warning messages.
Default values:
None
Mode:
alarm configuration mode
Guidance:
None
Example:

hostname<config-alarm># alarm-receiver name admin1 mail [email protected] sms 1391234567

alarm-rule (application)

Create an alarm rule (application) and enter the alarm rule configuration mode. If this rule already exists, the system directly enters the alarm rule configuration mode.
Command:
alarm-rule [id id] name name [desc description] type application bandwidth | concurrent-sessions | packet-forward-rate | rampup

no alarm-rule {id id | name name}

Description:
id id -Specifies the alarm rule ID.
name name -Specifies the name of alarm rule.
desc description -Specifies the description for alarm rule.
bandwidth -Send a warning for each application bandwidth.
concurrent-sessions -Send a warning for each application concurrent-sessions.
packet-forward-rate -Send a warning for each application packet-forward-rate.
rampup -Send a warning for each application new sessions.
Default values:
None
Mode:
alarm configuration mode
Guidance:
This rule uses the default parameters; to modify them, see the other commands in this section.
Example:
hostname# config

hostname<config># alarm

hostname<config-alarm># alarm-rule id 25 name rule-app type application bandwidth

hostname<config-alarm-app>#

alarm-rule (network)

Create an alarm rule (network) and enter the alarm rule configuration mode. If this rule already exists, the system directly enters the alarm rule configuration mode.
Command:
alarm-rule [id id] name name [desc description] type network host id id

no alarm-rule id id | name name

Description:
id id -Specifies the alarm rule ID.
name name -Specifies the name of alarm rule.
desc description -Specifies the description for alarm rule.
host id id -Specifies the host ID.
Default values:
None
Mode:
Global configuration mode
Guidance:
None
Example:
hostname# config

hostname<config># alarm

hostname<config-alarm># alarm-rule id 12 desc rule-network type network host id 14

hostname<config-alarm-network>#

alarm-rule (resource)

Create an alarm rule (resource) and enter the alarm rule configuration mode. If this rule already exists, the system directly enters the alarm rule configuration mode.
Command:
alarm-rule [id id] name name [desc description] type resource {chassis-temperature | concurrent-sessions | cpu-temperature | cpu-usage | interface-bandwidth interface | memory | rampup | storage}

no alarm-rule id id | name name

Description:
id id -Specifies the alarm rule ID.
name name -Specifies the name of alarm rule.
desc description -Specifies the description for alarm rule.
chassis-temperature -Send a warning for chassis-temperature.
concurrent-sessions- Send a warning for concurrent-sessions.
cpu-temperature -Send a warning for cpu temperature.
cpu-usage -Send a warning for cpu usage.
interface-bandwidth interface -Send a warning for interface bandwidth.
memory -Send a warning for memory.
rampup -Send a warning for rampup.
storage -Send a warning for storage.
Default values:
None
Mode:
alarm configuration mode
Guidance:
This rule uses the default parameters; to modify them, see the other commands in this section.

Example:
hostname# config

hostname<config># alarm

hostname<config-alarm># alarm-rule id 12 name rule-resource desc rule-chas-temp type resource chassis-temperature

hostname<config-alarm-resource>#

alarm-rule (service)

Create an alarm rule (service) and enter the alarm rule configuration mode. If this rule already exists, the system directly enters the alarm rule configuration mode.
Command:
alarm-rule [id id] name name [desc description] type service host id id

no alarm-rule id id | name name

Description:
id id -Specifies the alarm rule ID.
name name -Specifies the name of alarm rule.
desc description -Specifies the description for alarm rule.
host id id -Specifies the host ID.
Default values:
None
Mode:
Global configuration mode
Guidance:
None
Example:
hostname# config

hostname<config># alarm

hostname<config-alarm># alarm-rule id 12 name rule-scv desc rule-service type service host id id

hostname<config-alarm-service>#

app-name

Add application or application group to alarm rules.


Command:
app-name name
no app-name name
Description:
name -Specifies the application or application group.
Default values:
None
Mode:
alarm configuration mode
Guidance:
None
Example:
hostname# config

hostname<config># alarm

hostname<config-alarm># alarm-rule id 25 name rule-app type application bandwidth

hostname<config-alarm-app># app-name msn

disable

Disable the alarm rules.


Command:
disable

Description:
None
Default values:
None
Mode:
alarm configuration mode
Guidance:
None
Example:
hostname<config-alarm-app># disable

enable

Enable the alarm rules.


Command:
enable
Description:
None
Default values:
None
Mode:
alarm configuration mode
Guidance:
None
Example:
hostname<config-alarm-app># enable

level

Specify the level of alarm.


Command:
level {critical | warning | info}

Description:
critical -Specifies the alarm level is critical.
warning -Specifies the alarm level is warning.
info -Specifies the alarm level is info.
Default values:
None
Mode:
alarm configuration mode
Guidance:
None
Example:
hostname<config-alarm-app># level critical

receiver

Configure a recipient of alarm rule.


Command:
receiver {mail | sms } sendobject-name

no receiver {mail | sms} sendobject-name

Description:
mail -Specifies send alarm via Email.
sms -Specifies send alarm via SMS.
sendobject-name -Specifies the recipient's name. This name must already exist.

Default values:
None
Mode:
alarm configuration mode
Guidance:
None
Example:
hostname<config-alarm-app># receiver sms admin-1

schedule

Specify a schedule for alarm rule.


Command:
schedule schedule-name
no schedule schedule-name
Description:
schedule-name -Specifies the schedule name.
Default values:
None
Mode:
alarm configuration mode
Guidance:
None
Example:
hostname<config-alarm-app># schedule time-1

warning

Configure the filter of alarm rule.

Command:
warning sustain [delay | loss-rate] time time {higher-than | lower-than threshhold1} {on | off}

warning threshhold [delay | loss-rate] {higher-than | lower-than threshhold2} {on | off}

no warning {sustain | trend | threshhold} [delay | loss-rate]

Description:
sustain -Configure the filter for the sustain period.
threshhold -Configure the filter for the threshold.
delay -Specifies the delay time. This parameter applies only to alarm rules of the network type.
loss-rate -Specifies the loss rate. This parameter applies only to alarm rules of the network type.
time time -Specifies the sustain period.
higher-than | lower-than threshhold1 -Specifies the threshold that applies within the sustain period time.
higher-than | lower-than threshhold2 -Specifies the threshold for some event.
on | off -Enable or disable the alarm rule.
Default values:
Range and default values:

l The range of application bandwidth is 1 to 231kbps.

l Application maximum of new sessions is device performance parameters.

l Application maximum of concurrent-sessions is device performance parameters

l The range of data forwarding rate is 1 to 231kbps.

l The range of device storage is 10 to 100%

l The range of device new sessions is 10 to 100%

l The range of device concurrent-sessions is 10 to 100%

l The range of specific interface traffic is 1 to 100%.

l The range of CPU occupancy rates is 1 to 100%

l The range of memory occupancy rates is 1 to 100%

l The range of SNAT occupancy rates is 1 to 100%

l The range of CPU temperature is 1 to 90, in degrees Celsius.

l The range of device temperature is 1 to 90, in degrees Celsius.

l The range of network node delay time is 1 to 3000ms.

l The range of service node delay time is 1 to 5000ms

Mode:
alarm configuration mode
Guidance:
None
Example:
hostname<config-alarm-app># warning sustain time 10 higher-than 80 on
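The sustain and threshhold forms of the filter, modelled in an added Python example (not Hillstone code): it parses a warning line as typed in the example above and reports the sample at which the rule would first raise an alarm. It assumes the metric is sampled once per second, so "time 10" means ten consecutive samples; the keyword spellings follow the guide.

```python
"""Evaluator for the two 'warning' filter forms of a StoneOS alarm rule.

Added example, not Hillstone code. Assumes one metric sample per second, so
'sustain time N' means N consecutive breaching samples, while the 'threshhold'
form alarms on the first breaching sample. Keyword spellings follow the guide.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WarningFilter:
    kind: str          # "sustain" or "threshhold"
    direction: str     # "higher-than" or "lower-than"
    threshold: float
    time: int = 0      # sustain period in samples; unused for "threshhold"
    on: bool = True    # the trailing {on | off}


def _breach(f: WarningFilter, value: float) -> bool:
    if f.direction == "higher-than":
        return value > f.threshold
    return value < f.threshold


def first_alarm_index(f: WarningFilter, samples: List[float]) -> Optional[int]:
    """Index of the sample at which the rule first alarms, or None if it never does."""
    if not f.on:
        return None
    run = 0  # consecutive breaching samples so far
    for i, value in enumerate(samples):
        if not _breach(f, value):
            run = 0
            continue
        run += 1
        if f.kind == "threshhold" or run >= f.time:
            return i
    return None


def parse_warning(cmd: str) -> WarningFilter:
    """Parse a CLI line such as 'warning sustain time 10 higher-than 80 on'."""
    tok = cmd.split()
    if len(tok) < 5 or tok[0] != "warning" or tok[1] not in ("sustain", "threshhold"):
        raise ValueError(f"not a warning filter: {cmd!r}")
    kind = tok[1]
    i = 2
    time = 0
    if tok[i] in ("delay", "loss-rate"):  # metric selector, network rules only
        i += 1
    if kind == "sustain":
        if tok[i] != "time":
            raise ValueError("sustain form requires 'time <period>'")
        time = int(tok[i + 1])
        i += 2
    direction, threshold = tok[i], float(tok[i + 1])
    if direction not in ("higher-than", "lower-than"):
        raise ValueError(f"bad direction {direction!r}")
    on = tok[i + 2] == "on"
    return WarningFilter(kind, direction, threshold, time, on)


# Constructed sample: application bandwidth utilisation (%) sampled every second.
BANDWIDTH: List[float] = [50, 85, 90, 70] + [95] * 12 + [60]

if __name__ == "__main__":
    rule = parse_warning("warning sustain time 10 higher-than 80 on")
    print(rule, "alarms at sample", first_alarm_index(rule, BANDWIDTH))
```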

resource bandwidth

To configure the detection rule for interface traffic.


Command:
resource bandwidth interface interface-name ingress bandwidth egress bandwidth [probe-interval interval] {enable | disable}

To delete the detection rule: no resource bandwidth interface interface-name

To restore the default probe-interval: no resource bandwidth interface interface-name probe-interval
Description:
interface interface-name -Specifies the interface name.

ingress bandwidth -Specifies the ingress bandwidth. The value range is 1 to 10000000Kbps.
egress bandwidth -Specifies the egress bandwidth. The value range is 1 to 10000000Kbps.
probe-interval interval -Specifies the probe-interval. The range is from 5s to 30s. The default
value is 10s.
enable | disable -Enable or disable the detection rules.
Default values:
ingress bandwidth:1000000Kbps;
egress bandwidth:1000000Kbps;
probe-interval interval: 10s
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config)# monitor

hostname(config-monitor)# resource bandwidth interface ethernet0/0 ingress 100000 egress 100000 enable

resource concurrent-sessions

To configure the detection rule for concurrent-sessions. By default, it is enabled. Use the no form
to restore to the default value.
Command:
resource concurrent-sessions probe-interval interval

no concurrent-sessions probe-interval

Description:
probe-interval interval -Specify the concurrent sessions detect interval. The range is from 5s to 30s.

Default values:
probe-interval interval:10s
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config)# monitor

hostname(config-monitor)# resource concurrent-sessions probe-interval 8

resource cpu

To configure the detection rule for CPU. By default, it is enabled. Use the no form to restore to
the default value.
Command:
resource cpu probe-interval interval
no resource cpu probe-interval
Description:
probe-interval interval -Specify the CPU detect interval. The range is from 5s to 30s. The default
value is 10s.
Default values:
probe-interval interval:10s
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config)# monitor

hostname(config-monitor)# resource cpu probe-interval 20

resource memory

To configure the detection rule for memory. By default, it is enabled. Use the no form to restore
to the default value.
Command:
resource memory probe-interval interval
no resource memory probe-interval
Description:
probe-interval interval -Specify the memory detect interval. The range is from 30s to 300s. The
default value is 30s.
Default values:
probe-interval interval:60s
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config)# monitor

hostname(config-monitor)# resource memory probe-interval 120

resource rampup

To configure the detection rule for new sessions. By default, it is enabled. Use the no form to
restore to the default value.
Command:
resource rampup probe-interval interval
no resource rampup probe-interval

Description:
probe-interval interval -Specify the new sessions detect interval. The range is from 1s to 10s. The
default value is 5s.
Default values:
probe-interval interval:5s
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config)# monitor

hostname(config-monitor)# resource rampup probe-interval 10

resource storage

To configure the detection rule for storage. By default, it is enabled. Use the no form to restore to
the default value.
Command:
resource storage probe-interval interval
no resource storage probe-interval
Description:
probe-interval interval -Specify the disk detect interval. The range is from 1 minute to 15
minutes. The default value is 5 minutes.
Default values:
probe-interval interval:5 minutes
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config)# monitor

hostname(config-monitor)# resource storage probe-interval 10

resource temperature

To configure the detection rule for CPU/chassis temperature. By default, it is enabled. Use the no
form to restore to the default value.
Command:
resource temperature probe-interval interval
no resource temperature probe-interval
Description:
probe-interval interval -Specify the CPU/chassis temperature detect interval. The range is from
30s to 300s. The default value is 60s.
Default values:
probe-interval interval:60s
Mode:
Monitor configuration mode.
Guidance:
None
Example:
hostname(config)# monitor

hostname(config-monitor)# resource temperature probe-interval 100

show alarm-rule

View all alarm rules.


Command:
show alarm-rule [all | app | resource | health | serviceandnetwork | threat]
Description:
None
Default values:
None
Mode:
Any configuration mode
Guidance:
None
Example:
hostname# show alarm all

show alarm-receiver

View the recipients for receiving alarm.


Command:
show alarm-receiver
Description:
None
Default values:
None
Mode:
Any configuration mode
Guidance:
None
Example:
hostname# show alarm-receiver

show alarm-expiration-time

View the expiration time of alarm.


Command:
show alarm-expiration-time
Description:
None
Default values:
None
Mode:
Any configuration mode
Guidance:
None
Example:
hostname# show alarm-expiration-time

Logs

Overview
Devices are designed with the log function. System records and outputs various system logs,
including event logs, threat logs, configuration logs, operation logs, network logs, data security
logs (file filter logs, content filter logs, network behavior record logs), traffic logs and debug logs.

l Event logs - Event logs are divided into eight severity levels: errors, warnings, notification,
informational, emergencies, alerts, critical and debugging. For more information about log
severity, see Log Severity.

l Configuration logs - Configuration logs describe the changes of configurations, e.g. con-
figurations on interfaces.

l Operation logs - Logs related to the clear command, the exec command and some corresponding WebUI operations, such as deleting the NBT cache.

l Network logs - Network logs record operations of network services, e.g. PPPoE and DDNS.

l Threat logs - Threat logs related to behaviors threatening the protected system, e.g. attack
defense and application security.

l File filter logs – Logs related with file filter function.

l Content filter logs – Logs related to the content filter function, e.g. file content filter, Web content filter, Web posting, Email filter and HTTP/FTP control.

l Network behavior record logs – Logs related to the network behavior record function, e.g. IM behavior, etc.

l Cloudsandbox logs – Logs related with sandbox function.

l Traffic logs - Traffic logs consist of session logs, NAT logs, and web surfing logs

l Session logs - Session logs, e.g. session protocols, source and destination IP addresses
and ports.

l NAT logs - NAT logs, including NAT type, source and destination IP addresses and
ports.

l URL logs - Logs about network surfing, e.g. Internet visiting time, web page visiting history, URL filtering logs.

l Debug logs - Debug logs record the system debugging information.

The log function of StoneOS is a tool to show device operation status, providing evidence for
you to analyze the network and protect against network attacks.

Tip: For T Series platforms:

l The root VSYS doesn’t support data security logs.

l The non-root VSYS doesn’t support data security logs and debug logs.

Log Severity
Event logs categorize system events by severities. The eight severities are described as follows:

Severity | No. | Description | Log Definition
Emergencies | 0 | Identifies invalid system events. | LOG_EMERG
Alerts | 1 | Identifies problems which need immediate attention, e.g., the device is being attacked. | LOG_ALERT
Critical | 2 | Identifies urgent problems, such as hardware failure. | LOG_CRIT
Errors | 3 | Generates messages for system errors. | LOG_ERR
Warnings | 4 | Generates messages for warning. | LOG_WARNING
Notifications | 5 | Generates messages for notice and special attention. | LOG_NOTICE
Informational | 6 | Generates informational messages. | LOG_INFO
Debugging | 7 | Generates all debugging messages, including daily operation messages. | LOG_DEBUG

Log Output
Log messages can be sent to the following destinations. You can specify one of them at your own
choice:

l Console - The console port of the device. You can close this destination via CLI.

l Remote - Includes Telnet and SSH.

l Buffer - Memory buffer.

l File - By default, StoneOS creates a file to record log messages. You can also specify a file in a
USB destination to output log messages.

l Syslog Server - Sends logs to a UNIX or Windows Syslog Server.

l Email - Sends logs to a specified email account.

l Localdb - Sends logs to the local database of the device.

l SMS - Sends logs to the specified mobile phone in the form of an SMS message.

Event logs can be sent to all the above destinations except for Localdb; threat logs can be sent to all the above destinations except for SMS and Localdb; traffic logs can be sent to console, buffer, syslog server, and file; network and debug logs can only be sent to console, buffer and syslog server.

Log Format
To facilitate the access and analysis of the system logs, StoneOS logs follow a fixed pattern of
information layout, i.e. date/time, severity level@module: descriptions. See the example below:
2018-02-05 01:51:21, WARNING@LOGIN: Admin user "hillstone" logged in through console from localhost.

Configuring System Logs


You can configure the following log options via CLI:

l Enabling and disabling the log function

l Sending and filtering event logs

l Sending threat logs

l Sending configuration, debug and network logs

l Sending traffic logs

l Sending data security logs (file filter logs, content filter logs, network behavior record logs)

l Sending Cloudsandbox logs

l Sending EPP logs

l Sending IoT Logs

l Configuring a Syslog Server

l Specify the Sending Sourceport Number

l Specifying a facility

l Displaying hostname/username in the traffic logs

l Displaying Username in the Threat Logs

l Sending Logs to an Email Account

l Configuring Log Parameter

l Enabling/Disabling the Record User Information Function for Threat Log

l Viewing log configurations

l Viewing logs

l Exporting logs

l Clearing logs

Enabling/Disabling the Log Function

By default, the traffic logs are disabled (enabling the above logs will affect system performance).
To enable or disable a system log, in the global configuration mode, use the following command:

l Enable: logging {event | configuration | operation | network | traffic {session | nat | urlfilter} | debug | threat | email | data-security [dlp | cf | nbr]} on

l Disable: no logging {event | configuration | operation | network | traffic {session | nat | urlfilter} | debug | threat | email | data-security [dlp | cf | nbr]} on

Sending and Filtering Event Logs

You can specify the output destination for the event logs as needed, and filter the output logs
based on the severity.
To send event logs to the console, remote terminal, syslog server, mobile phone, hard-disk card
or enable email notification, and filter the output logs, in the global configuration mode, use the
following command:
logging event to {console | remote | syslog | sms | email | localdb [location storage-name] [storage {automatically-overwrite | stop-overwrite}]} [severity severity-level]

l console – Sends the event logs to the console.

l remote – Sends the event logs to the remote terminal.

l syslog – Sends the event logs to the Syslog Server.

l sms – Sends the event logs whose severity is Critical or is higher than Critical to the mobile
phone by using SMS.

l email – Sends the event logs to the Email.

l localdb – Sends the logs to the local database (hard-disk card). Only some platforms support this parameter.

l location – Specifies the location that stores the event logs.

l storage {automatically-overwrite | stop-overwrite} – If automatically-overwrite is selected, logs that exceed the disk space automatically overwrite the old logs. If stop-overwrite is selected, the system stops storing new logs when the logs exceed the disk space.

l severity severity-level – Specifies the severity of the output event logs to filter the logs.
Only the logs of the specified severity or higher severities will be sent, i.e., the number
should be equal to or smaller than the specified number. For example, if the specified severity
is Notifications, then system will only send event logs of Notifications, Warnings and Errors
severities.
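An added Python example (not Hillstone code) that parses lines in the layout shown under Log Format and applies the severity filter described above, keeping entries whose number is equal to or smaller than the configured level. The severity tokens inside a log line (WARNING, NOTICE, ...) are assumed to follow the LOG_* definitions in the Log Severity table; all sample lines except the guide's own are constructed.

```python
"""Parse StoneOS-style log lines and apply the event-log severity filter.

Added example, not Hillstone code. The line layout 'date/time, SEVERITY@MODULE:
description' and the eight-level numbering come from the guide; the set of
severity tokens inside a line (derived from the LOG_* definitions) and the
sample lines other than the guide's own example are assumptions.
"""
import re
from datetime import datetime
from typing import List, NamedTuple

# Token in the log line -> severity number (lower number = more severe).
SEVERITY = {
    "EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
    "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7,
}
# severity-level names as used by 'logging event to ... severity <level>'.
SEVERITY_LEVEL = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), "
    r"(?P<sev>[A-Z]+)@(?P<mod>[A-Z0-9_-]+): (?P<msg>.*)$"
)


class LogEntry(NamedTuple):
    ts: datetime
    severity: int
    module: str
    message: str


def parse_log_line(line: str) -> LogEntry:
    """Parse one line; rejects lines that do not follow the documented layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"line does not follow 'date/time, severity@module: text': {line!r}")
    sev = m.group("sev")
    if sev not in SEVERITY:
        raise ValueError(f"unknown severity token {sev!r}")
    return LogEntry(
        datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        SEVERITY[sev], m.group("mod"), m.group("msg"),
    )


def filter_by_severity(entries: List[LogEntry], level: str) -> List[LogEntry]:
    """Keep entries of the given severity or higher: number <= configured number."""
    limit = SEVERITY_LEVEL[level.lower()]
    return [e for e in entries if e.severity <= limit]


# Constructed sample buffer; the first line is the guide's own example.
SAMPLE_LOG = """\
2018-02-05 01:51:21, WARNING@LOGIN: Admin user "hillstone" logged in through console from localhost.
2018-02-05 01:52:03, INFO@CONFIG: Configuration saved by admin "hillstone".
2018-02-05 01:53:10, NOTICE@SYSTEM: Interface ethernet0/1 link up.
2018-02-05 01:55:47, ERR@HA: Heartbeat lost on ha0.
2018-02-05 01:56:00, DEBUG@SESSION: Session table walk completed.
"""


def sample_entries() -> List[LogEntry]:
    return [parse_log_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]


if __name__ == "__main__":
    # Equivalent of 'severity notifications': Notifications, Warnings, Errors and above.
    for e in filter_by_severity(sample_entries(), "notifications"):
        print(e.ts, e.severity, e.module, e.message)
```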

To disable the function, in the global configuration mode, use the following command:
no logging event to {console | remote | syslog | sms | email | localdb}

To send the event logs to the memory buffer and filter the logs, in the global configuration mode,
use the following command:
logging event to buffer [ severity severity-level ] [ size buffer-size ]

l severity severity-level – Specifies the severity of the output event logs to filter the logs.
Only the logs of the specified severity or higher severities will be sent, i.e., the number
should be equal to or smaller than the specified number. For example, if the specified severity
is Notifications, then system will only send event logs of Notifications, Warnings and Errors
severities.

l size buffer-size –Specifies the buffer size. The value range is 4096 to 10485764 bytes. The
default value is 1048576.

To disable the function, in the global configuration mode, use the command no logging event to
buffer.
To write the event logs to a file and filter the logs, in the global configuration mode, use the fol-
lowing command:
logging event to file [severity severity-level] [name [usb0 | usb1] file-name] [size file-size]

l severity severity-level – Specifies the severity of the output event logs to filter the logs.
Only the logs of the specified severity or higher severities will be sent, i.e., the number
should be equal to or smaller than the specified number. For example, if the specified severity
is Notifications, then system will only write event logs of Notifications, Warnings and Errors
severities.

l name [usb0 | usb1] file-name –Specifies the USB disk and file that are used to save the logs.

l size file-size – Specifies the size of the file (on the USB disk or Flash disk) to which the logs are written. The value range is 4096 to 10485764 bytes. The default value is 1048576.

To disable the function, in the global configuration mode, use the command no logging event to
file.

Configuring a Mobile Phone Number

You can specify to send event logs whose severity is Critical or higher than Critical to the specified mobile phone in the form of SMS. To specify the mobile phone number that is used to receive the event logs, in the global configuration mode, use the following command:
logging sms phone-number

l phone-number – Specifies the phone number that is used to receive event logs.

To cancel the specified phone number, in the global configuration mode, use the command no log-
ging sms phone-number.

Sending Threat Logs

You can specify the output destination for the threat logs as needed. To send threat logs to the console, remote terminal, syslog server, hard disk, or enable email notification, in the global configuration mode, use the following command:
logging threat to {console | remote | syslog [custom-format [distributed [round-robin | src-ip-hash]]] | email | localdb [size size] [location storage-name] [storage {automatically-overwrite | stop-overwrite}]}

l console – Sends the threat logs to the console.

l remote – Sends the threat logs to the remote terminal.

l syslog – Sends the threat logs to the Syslog Server.

l custom-format – Sends the log messages in plaintext. By default, the system sends the log
messages in plaintext.

l distributed – Sends the log messages to multiple syslog servers in the distribution mode.

l src-ip-hash | round-robin – Specifies the server selection algorithm. src-ip-hash indicates the source-hashing algorithm and round-robin indicates the round-robin scheduling algorithm. The round-robin scheduling algorithm is the default algorithm.

l email – Sends the threat logs to the Email.

l localdb – Sends the logs to the local database (hard-disk card). Only some platforms support this parameter.

l size – Enter a number as the percentage of a storage the logs will take. Value range is 1
to 90, and the default is 30. For example, if you enter 30, the event logs will take at
most 30% of the total disk size.

l location – Specifies the location that stores the threat logs.

l storage {automatically-overwrite | stop-overwrite} – If automatically-overwrite is selected, logs that exceed the disk space automatically overwrite the old logs. If stop-overwrite is selected, the system stops storing new logs when the logs exceed the disk space.

l severity severity-level – Specifies the severity of the output threat logs to filter the logs. Only the logs of the specified severity or higher severities will be sent, i.e., the severity number must be equal to or smaller than the specified number. For example, if the specified severity is Notifications, the system will only send logs of the Notifications, Warnings and Errors severities.

To disable the function, in the global configuration mode, use the following command:
no logging threat to { console | remote | syslog [ custom-format [ distributed [ round-robin | src-ip-hash ]]] | email | localdb } [ severity severity-level ]

To send the threat logs to the memory buffer, in the global configuration mode, use the following
command:
logging threat to buffer [ severity severity-level ] [ size buffer-size ]

l severity severity-level – Specifies the severity of the output threat logs to filter the logs. Only the logs of the specified severity or higher severities will be sent, i.e., the severity number must be equal to or smaller than the specified number. For example, if the specified severity is Notifications, the system will only send logs of the Notifications, Warnings and Errors severities.

l size buffer-size – Specifies the buffer size. The value range is 4096 to 1048576 bytes. The
default value is 1048576.

To disable the function, in the global configuration mode, use the command no logging threat to
buffer.
To write the threat logs to a file, in the global configuration mode, use the following command:
logging threat to file [severity severity-level] [name [usb0 | usb1] file-name] [size file-size]

l severity severity-level – Specifies the severity of the output threat logs to filter the logs. Only the logs of the specified severity or higher severities will be sent, i.e., the severity number must be equal to or smaller than the specified number. For example, if the specified severity is Notifications, the system will only send logs of the Notifications, Warnings and Errors severities.

l name [usb0 | usb1] file-name – Specifies the USB disk and file that are used to save the logs.

l size file-size – Specifies the size of the file (on the USB disk or Flash disk) to which the logs are written. The value range is 4096 to 1048576 bytes. The default value is 1048576.

To disable the function, in the global configuration mode, use the command no logging threat to
file.

Sending Configuration/Operation/Debug/Network Logs

You can specify the output destination for the configuration, operation, debug and network logs as needed. To send configuration, operation, debug or network logs to the console, syslog server, memory buffer, file or local database, in the global configuration mode, use the following commands:
logging {configuration | network} to {console | syslog | localdb [size size] [location storage-name] [storage {automatically-overwrite | stop-overwrite}]}

l configuration | network – Specifies the type of the logs that will be sent. The available
options include configuration and network.

l console – Sends the logs to console.

l syslog - Sends the logs to syslog server.

l localdb – Sends the logs to the local database (hard-disk card). Only some platforms support this parameter.

l size – Enter a number as the percentage of the storage that the logs will take. The value range is 1 to 30, and the default is 10. For example, if you enter 30, the logs will take at most 30% of the total disk size.

l location – Specifies the location that stores the configuration and network logs.

l storage {automatically-overwrite | stop-overwrite} – If automatically-overwrite is selected, logs that exceed the disk space will automatically overwrite the old logs. If stop-overwrite is selected, the system will stop storing new logs when the logs exceed the disk space.

logging [debug | operation] to {console | syslog}

l console – Sends the debug and operation logs to console.

l syslog - Sends the logs to syslog server.

To disable the function, in the global configuration mode, use the command no logging {configuration | operation | debug | network} to {console | syslog | localdb}.
To write the configuration, operation or network logs to a file, in the global configuration mode, use the following command:
logging {configuration | operation | network} to file [name [usb0 | usb1] file-name] [size file-size]

l configuration | operation | network – Specifies the log type.

l name [usb0 | usb1] file-name – Specifies the USB disk and file that are used to save the logs.

l size file-size – Specifies the size of the file (on the USB disk or Flash disk) to which the logs are written. The value range is 4096 to 1048576 bytes. The default value is 1048576.

To disable the function, in the global configuration mode, use the command no logging {configuration | operation | network} to file.

To send configuration, operation, debug or network logs to the memory buffer, in the global configuration mode, use the following command:
logging {configuration | operation | debug | network} to buffer [size buffer-size]

l configuration | operation | debug | network – Specifies the type of the logs that will be sent. The available options include configuration, operation, debug and network.

l size buffer-size - Specifies the buffer size. The value range is 4096 to 524288 bytes. The
default value is 1048576.

To disable the function, in the global configuration mode, use the command no logging {configuration | operation | traffic | debug | network} to buffer.

Sending Debug Logs to a File

You can send the debug logs to a file and then export the file for local use via the export log debug command. By default, the system will not send the debug logs to a file. To enable the system to send the debug logs to a file, in the global configuration mode, use the following command:
logging debug to file
To specify the size of the file to which the debug logs will be sent, in the global configuration
mode, use the following command:
logging debug to file size file-size

l size file-size – Specifies the size of the file to which the debug logs will be sent. The size
range and default value vary by device models.

In the global configuration mode, use the no logging debug to file command to disable the system
from sending debug logs to a file.
In any mode, use the show logging debug file command to view the content of the debug log file
that the system has sent.

Configuring the Conditions of Using the Debug Function

When the debug function is enabled, the CPU usage might increase and affect service forwarding.
You can configure the work priority of the debug function and service forwarding as required. By
default, the debug function's priority is higher than service forwarding.
To make service forwarding take precedence over the debug function, in the global configuration
mode, use the following command:
log debug-limit cpu-threshold value

l value - Specifies the threshold for the CPU usage, in percent. The value range is 0 to 99. When 0 is specified, the debug function takes precedence over service forwarding. When any other value is specified, service forwarding takes precedence over the debug function. In the scenario where service forwarding takes precedence over the debug function, if the system has multiple CPUs, when the usage of any CPU reaches the specified threshold, the system considers that the debug function has affected service forwarding and therefore disables it.

To make the debug function take precedence over service forwarding, in the global configuration
mode, use the no log debug-limit cpu-threshold or log debug-limit cpu-threshold 0 command.
When enabling the debug function, you can configure a timer to control the execution time length
allowed for the debug function. When the timer elapses, the debug function will be disabled. In
the global configuration mode, use the following command:
log debug-limit time value

l value - Specifies the execution time length of the debug function. The value range is 1 to 60s.

To cancel the execution time length configuration of the debug function, use the no log debug-limit time command in the global configuration mode.
Note: When both the service-first CPU threshold and the execution timer are configured, the debug function will be disabled as soon as either condition is met.

Sending Traffic Logs

Traffic logs consist of session logs, NAT logs, and web surfing logs. You can send traffic logs to
the console, syslog server, memory buffer and local SSD (Web surfing logs cannot be sent to
SSD). You can select the output destination according to your requirements.
To send the traffic logs to the console, buffer or syslog server, use the following command in the global configuration mode:
logging traffic {session | nat | urlfilter} to {console | syslog | buffer [size buffer-size]}

To send session logs and NAT logs to the local SSD, in the global configuration mode, use the following command:
logging traffic {session | nat} to localdb

l session | nat | urlfilter – Specifies the log type that you want to output.

l console | syslog | buffer – Specifies the output destination. You can output the logs to the console, buffer or syslog server.

l localdb – Specifies the output destination of session logs and NAT logs as the SSD on the
device. Web surfing logs cannot be sent to the local SSD. Only SSD-equipped A-series and
K-series devices support this function.

l size buffer-size - Specifies the buffer size. The value range is 4096 to 524288 bytes. The
default value is 1048576.

In the global configuration mode, use the following commands to disable the output function: no logging traffic {session | nat | urlfilter} to {console | syslog | buffer} or no logging traffic {session | nat} to localdb.

Sending Data Security Logs

You can specify the output destination for the data security logs (file filter logs, content filter logs, network behavior record logs) as needed. To send data security logs (file filter logs, content filter logs, network behavior record logs) to the console, remote terminal, syslog server or local database, or to enable email notification, in the global configuration mode, use the following command:
logging data-security [dlp | cf | nbr] to {console | syslog [binary-format [distributed [src-ip-hash | round-robin]] | custom-format]}

l console – Sends the data security logs to the console.

l syslog – Sends the data security logs to the Syslog Server.

l binary-format – Sends the logs in binary format.

l distributed – Sends the logs to multiple servers in the distribution mode.

l src-ip-hash | round-robin – Specifies the server selection algorithm. src-ip-hash indicates the source-hashing algorithm and round-robin indicates the round-robin scheduling algorithm. The round-robin scheduling algorithm is the default algorithm.

l custom-format – Sends the logs in plaintext. By default, the system sends the logs in plaintext.

To disable the function, in the global configuration mode, use the following command:
no logging data-security [dlp | cf | nbr] to {console | syslog}

To send the data security logs (file filter logs, content filter logs, network behavior record logs) to
the memory buffer, in the global configuration mode, use the following command:
logging data-security [dlp | cf | nbr] to buffer [size buffer-size]

l size buffer-size – Specifies the buffer size. The value range is 4096 to 524288 bytes. The
default value is 524288.

To disable the function, in the global configuration mode, use the command no logging data-security [dlp | cf | nbr] to buffer.

Sending Cloudsandbox logs

You can specify the output destination for the Cloudsandbox logs as needed. Cloudsandbox logs can be sent to the console, buffer, syslog server or a file. Before you send Cloudsandbox logs, you need to enable the Sandbox function in the global configuration mode:
logging sandbox on
In the global configuration mode, use the no logging sandbox on command to disable the Sandbox function.
To specify the output destination for the Cloudsandbox logs, in the global configuration mode,
use the following command:
logging sandbox to {console | syslog | buffer [size buffer-size] | file file-name [size file-size]}

l console – Sends the cloudsandbox logs to the console.

l syslog – Sends the cloudsandbox logs to the Syslog server.

l buffer [size buffer-size] - Sends the Cloudsandbox logs to the buffer and specifies the buffer size. The value range is 4096 to 524288 bytes. The default value is 524288.

l file file-name [size file-size] - Specifies the name of the file (on the USB disk or Flash disk) to which the logs are written, and optionally its size. The size range is 4096 to 1048576 bytes. The default value is 1048576.

In the global configuration mode, use the no logging sandbox to {console | syslog | buffer | file} command to disable the function.

Sending EPP logs

You can specify the output destination for the EPP logs as needed. EPP logs can be sent to the console, buffer, syslog server, file, remote terminal and Email. Before you send EPP logs, you need to enable the EPP logs function in the global configuration mode:
logging epp on

In the global configuration mode, use the no logging epp on command to disable the EPP logs function.
To specify the output destination for the EPP logs, in the global configuration mode, use the following command:
logging epp to {console | syslog | buffer [size buffer-size] | file file-name [size file-size] | remote | email}

l console – Sends the EPP logs to the console.

l syslog – Sends the EPP logs to the Syslog server.

l buffer [size buffer-size] - Sends the EPP logs to the buffer and specifies the buffer size. The value range is 4096 to 524288 bytes. The default value is 524288.

l file file-name [size file-size] - Specifies the name of the file (on the USB disk or Flash disk) to which the logs are written, and optionally its size. The size range is 4096 to 1048576 bytes. The default value is 1048576.

l remote – Sends the EPP logs to the remote terminal.

l email – Sends the EPP logs to the Email.

In the global configuration mode, use the no logging epp to {console | syslog | buffer | file | remote | email} command to disable the function.

Sending IoT Logs

IoT logs can be sent to the console, buffer and syslog server. You can specify the output destination for IoT logs as needed. Before you specify the output destination, in the global configuration mode, you need to enable the IoT logs function with the following command:
logging iot-monitor on

In the global configuration mode, use the no logging iot-monitor on command to disable the IoT logs function.
To send IoT logs to the console, buffer or syslog server, in the global configuration mode, use the following command:
logging iot-monitor to {console | buffer [size buffer-size] | syslog [custom-format [distributed [src-ip-hash | round-robin]]]}

l console – Sends IoT logs to the specified console.

l syslog – Sends IoT logs to the specified syslog server. For how to configure the syslog
server, refer to Configuring Syslog Server.

l custom-format – Sends IoT logs in plain text. By default, the system sends logs in plain text.

l distributed – Distributes IoT logs in plain text to several syslog servers.

l src-ip-hash | round-robin – Specifies the server selection algorithm, either src-ip-hash or round-robin (the default algorithm).

In the global configuration mode, use the following command to disable the function:
no logging iot-monitor to {console | buffer | syslog}

Configuring the Output Log Format

StoneOS logs follow a fixed pattern of information layout. By default, the logs sent to the Syslog Server do not display the year, the hostname or the log severity, i.e. <Device Number*8+log severity> date/time SN (VSYS name) log ID HillstoneNetworks#log type@module: descriptions
You can configure the output log format as needed. In the global configuration mode, use the following commands:

l Display the four-digit year: logging syslog 4digit-year-timestamp
The format is: <Device Number*8+log severity> four-digit year-date/time time zone SN (VSYS name) log ID HillstoneNetworks#log type@module: descriptions

l Display the hostname and the log severity: logging syslog additional-information
The format is: <Device Number*8+log severity> date/time SN (VSYS name) hostname log severity log ID HillstoneNetworks#log type@module: descriptions

To cancel the display of the four-digit year, hostname or log severity, in the global configuration mode, use the following commands:

l Cancel displaying the four-digit year: no logging syslog 4digit-year-timestamp

l Cancel displaying the hostname and the log severity: no logging syslog additional-information
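A parser for the default, four-digit-year and additional-information layouts described above, as an added example that is not part of this guide or of StoneOS. It assumes the fields are space-separated, that the VSYS name is the parenthesized token after the SN, and that the log ID is the last token before HillstoneNetworks#; the sample lines, serial numbers and log IDs are constructed placeholders.

```python
"""Parse the StoneOS syslog layouts described above (added example, not Hillstone code).
Assumed layout: <DeviceNumber*8+severity> date/time SN (VSYS) [hostname severity] logID
HillstoneNetworks#logtype@module: description, with space-separated fields."""
import re
from dataclasses import dataclass
from typing import Optional

# Standard syslog severity numbers; the guide's <PRI> is device number * 8 + severity
SEVERITY_NAMES = {
    0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
    4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging",
}

# Everything between <PRI> and the fixed "HillstoneNetworks#" token is the prefix;
# the log type, module and description follow it.
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>\s*(?P<prefix>.*?)\s*HillstoneNetworks#"
    r"(?P<logtype>[^@]+)@(?P<module>[^:]+):\s*(?P<desc>.*)$"
)


@dataclass
class StoneOSLog:
    device_number: int
    severity: int
    timestamp: str
    serial: str
    vsys: str
    log_id: str
    log_type: str
    module: str
    description: str
    hostname: Optional[str] = None       # only with logging syslog additional-information
    severity_name: Optional[str] = None  # only with logging syslog additional-information


def parse_line(line: str) -> StoneOSLog:
    """Parse one line in the default, 4digit-year-timestamp or additional-information layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a StoneOS syslog line: {line!r}")
    pri = int(m.group("pri"))
    tokens = m.group("prefix").split()

    # Locate the "(VSYS)" token; the SN is either glued to it or is the token before it.
    idx = next((i for i, t in enumerate(tokens) if "(" in t), None)
    if idx is None:
        raise ValueError("no (VSYS name) field found")
    sn_part, _, vsys_part = tokens[idx].partition("(")
    if sn_part:
        serial, ts_tokens = sn_part, tokens[:idx]
    elif idx > 0:
        serial, ts_tokens = tokens[idx - 1], tokens[: idx - 1]
    else:
        raise ValueError("no SN field before the VSYS name")
    # The guide writes "SN( VSYS name)", so the name may span more tokens up to ")"
    end = idx
    while end < len(tokens) - 1 and ")" not in tokens[end]:
        end += 1
    vsys = " ".join([vsys_part] + tokens[idx + 1 : end + 1]).strip("() ")

    rest = tokens[end + 1 :]
    if not rest:
        raise ValueError("missing log ID")
    log_id, extras = rest[-1], rest[:-1]
    hostname = severity_name = None
    if len(extras) == 2:          # additional-information adds "hostname severity"
        hostname, severity_name = extras
    elif extras:
        raise ValueError(f"unexpected fields before the log ID: {extras}")

    return StoneOSLog(
        device_number=pri // 8, severity=pri % 8, timestamp=" ".join(ts_tokens),
        serial=serial, vsys=vsys, log_id=log_id, log_type=m.group("logtype").strip(),
        module=m.group("module").strip(), description=m.group("desc").strip(),
        hostname=hostname, severity_name=severity_name,
    )


def severity_passes(entry: StoneOSLog, threshold: int) -> bool:
    """The guide's filter rule: an entry is sent only when its severity number is equal
    to or smaller than the configured one (5 = Notifications keeps Notifications,
    Warnings, Errors and anything more severe)."""
    return entry.severity <= threshold


# Constructed sample lines; serial numbers, log IDs and text are placeholders.
SAMPLE_DEFAULT = (
    "<13>Mar 14 10:22:31 SN-EXAMPLE-001(root) 1000000 "
    "HillstoneNetworks#event@SYSTEM: constructed description"
)
SAMPLE_FULL = (  # 4digit-year-timestamp and additional-information both enabled
    "<35>2023-03-14 10:22:31 UTC SN-EXAMPLE-001(root) fw-edge Errors 1000001 "
    "HillstoneNetworks#threat@IPS: constructed description"
)

if __name__ == "__main__":
    for raw in (SAMPLE_DEFAULT, SAMPLE_FULL):
        e = parse_line(raw)
        print(e.device_number, SEVERITY_NAMES[e.severity], e.log_type, e.module, e.log_id)
```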

Optimizing the Function of Exporting Session Logs and NAT Logs to the Local Disk

Typically, the system's log processing process (LOGD) and database storage process (MYSQLD) work on Core0 of the CPU. When session logs and NAT logs are exported to the local disk, Core0 can be overloaded with a large amount of high-speed log storage operations, potentially affecting the normal operation of other functional modules. To solve this problem, when session logs and NAT logs are exported to the local disk, you can move the log processing process and database storage process from Core0 to Core MAX and limit the speed at which logs are sent to the log processing process. Core MAX is the CPU core with the largest number. For example, if the system has 12 CPU cores in total, numbered Core0 to Core11, Core11 is the Core MAX.
It is recommended that, when exporting session logs and NAT logs to the local disk, if the performance consumption of Core0 is too high or you need to increase the speed at which logs are sent to the log processing process, you move the log processing process and database storage process from Core0 to Core MAX, and then configure the speed at which logs are sent to the log processing process.

Binding the Log Processing Process and Database Storage Process to Core MAX

To bind the log processing process and database storage process to Core MAX, use the following
command in the global configuration mode:
cp-multi-cores logd

In the global configuration mode, use the command no cp-multi-cores logd to clear the binding of the log processing process and database storage process to Core MAX.

Notes:
l The function of binding the log processing process and database storage process to Core MAX is only supported by SG-6000-A2700 and later models.

l After binding the log processing process and database storage process to Core MAX or clearing the binding, restart the device to make the configuration take effect.

l Before binding the log processing process and database storage process to Core MAX, you should use the command flow-core-num number in the global configuration mode to specify the number of CPU cores occupied by the system data. number is recommended to be max_core_number-1, where max_core_number is the total number of CPU cores in the system. For example, if the system has 12 CPU cores in total, the command is flow-core-num 11. Restart the device to make the configuration take effect.

Configuring the Speed at Which Logs are Sent to Log Processing Process

To configure the speed at which logs are sent to the log processing process, use the following command in the global configuration mode:
logging speed-limit to local value

l value - Specifies the speed at which logs are sent to log processing process. For details, refer
to the following table.

Device                            Value (piece/second)
SG-6000-A5100 and later models    Value ranges from 1000 to 15000, set in intervals of 1000 (for example, 1000, 2000 and 3000). The default value is 8000.
SG-6000-A3800                     Value ranges from 1000 to 8000, set in intervals of 1000 (for example, 1000, 2000 and 3000). The default value is 5000.
SG-6000-A3700 and former models   Value ranges from 1000 to 5000, set in intervals of 1000 (for example, 1000, 2000 and 3000). The default value is 2000.

In the global configuration mode, use the command no logging speed-limit to restore the default speed at which logs are sent to the log processing process.
The function of configuring the speed at which logs are sent to the log processing process is only supported by SG-6000 A series devices.
To view the configuration of the speed at which logs are sent to the log processing process, use the following command in any mode:
show logging speed-limit

Configuring a Syslog Server

To send logs to a Syslog Server, you need to configure the IP address or host name of the Syslog
Server, or configure the VRouter and UDP/TCP port number of the Syslog Server as needed. To
configure a Syslog Server, in the global configuration mode, use the following command:
logging syslog {ip-address | hostname} {tcp port-number | udp port-number | secure-tcp port-number [server-cert-check-disable] | vrouter vr-name {tcp port-number | udp port-number | secure-tcp port-number [server-cert-check-disable]} | format-type {CUCC [default] | SGCC-S5000 | SGCC-S6000} source-interface interface-name {tcp port-number | udp port-number | secure-tcp port-number [server-cert-check-disable]}} [type log-type]

l ip-address | hostname – Specifies the IP address or host name of the Syslog Server.

l tcp port-number | udp port-number | secure-tcp port-number [server-cert-check-disable] – Specifies the protocol type and port number. If the Secure-TCP protocol is selected, you can type server-cert-check-disable, and the system will transfer logs normally without requiring any certificate; the connection is then still encrypted, but the identity of the Syslog Server is not verified.

l vrouter vr-name – Specifies the name of the VRouter.

l source-interface interface-name - Specifies the source interface from which logs are sent. The system will use the IP address of the interface as the source IP and send logs to the syslog server. If this interface is configured with a management IP address, the management IP address will be prioritized.

l format-type {CUCC [default] | SGCC-S5000 | SGCC-S6000} source-interface interface-name {tcp port-number | udp port-number | secure-tcp port-number [server-cert-check-disable]} - Specifies the log format of the Syslog Server, including CUCC, SGCC S5000 and SGCC S6000. Select the format according to the log server type.

l CUCC [default] - Specifies the format type in which the log information is sent. CUCC means sending NAT444 logs in the format specified by China Unicom; default means sending other logs in the default format.

l SGCC-S5000 - For Syslog Servers that can only receive the SGCC-S5000 log format, such as the log servers of the State Grid Corporation of China.

l SGCC-S6000 - For Syslog Servers that can only receive the SGCC-S6000 log format, such as the monitoring servers of the State Grid Corporation of China.

l type log-type – Specifies the log type. If this parameter is configured, only the specified log
type will be sent to the syslog server.

To delete the Syslog Server configuration, in the global configuration mode, use the following
command:

no logging syslog {ip-address | hostname} {tcp port-number | udp port-number | secure-tcp port-number [server-cert-check-disable] | vrouter vr-name {tcp port-number | udp port-number | secure-tcp port-number [server-cert-check-disable]} | format-type {CUCC [default] | SGCC-S5000 | SGCC-S6000} source-interface interface-name {tcp port-number | udp port-number | secure-tcp port-number [server-cert-check-disable]}} [type log-type]

Specify the Sending Sourceport Number

The system supports specifying the sending sourceport number used to send log messages to the Syslog Server. When the sending sourceport number is specified, the system will use the specified sending sourceport to send log messages to the Syslog Server. If the sending sourceport number is not specified, the system will use a random sourceport to send log messages to the Syslog Server by default.
To specify the sending sourceport number, in the global configuration mode, use the following
command:
logging syslog {src-port port-number}

l src-port port-number - Specifies the sending sourceport number used to send log messages to the Syslog Server. The range is from 1024 to 65535.

To cancel the specification of the sending sourceport number and use a random sourceport by default, in the global configuration mode, use the negative form of the above command as follows:
no logging syslog {src-port port-number}

Notes:
l The client can only check the specified sending sourceport number through the WebUI.

l Click Monitor > Log Configuration > Sending Sourceport Configuration to check the specified sending sourceport number.

l The binary logs sent to the Syslog Server are not influenced by the sending sourceport configuration. The binary logs are sent over UDP using sourceport 5566.

l When SNAT is enabled, the system will randomly select a port as the sending sourceport according to the port resources of the network addresses translated by NAT.

Specifying a Facility

To send the log information to a UNIX Syslog Server, you need to specify a facility for the Syslog
Server. To specify a facility, in global configuration mode, use the following command:
logging facility localx

l localx – Specifies the facility. The value range of x is 0 to 7. The default value is 7.

To restore to the default value, in the global configuration mode, use the command no logging
facility.

Displaying Hostname/Username in the Traffic Logs

Traffic logs consist of session logs, NAT logs, and web surfing logs. By default the hostname and
username are not displayed in the traffic logs. To display the hostname or username in the traffic
logs, in the global configuration mode, use the following command:

l Display the hostname of the session logs, NAT logs, and web surfing logs: logging content
hostname

l Display the username of the session logs: logging session content username

After executing the above commands, the hostname and username will be displayed in the traffic
logs.

Notes: The NetBIOS name resolution function is the prerequisite for displaying the hostname in the traffic logs. For the detailed configuration procedure, see Configuring NetBIOS Name Resolution.

To cancel the display of the hostname/username, in the global configuration mode, use the following commands:

l no logging {session | nat | urlfilter} content hostname

l no logging session content username

Displaying Username in the Threat Logs

By default the username is not displayed in the threat logs. To display the username in the threat logs, in the global configuration mode, use the following command:
logging threat content username
To cancel the display of the username, in the global configuration mode, use the following command:
no logging threat content username

Sending Logs to an Email Account

Logs can be sent to the specified Email address. You need to configure the Email address to
receive log messages and the SMTP server instance.

Configuring an Email Address

To configure the Email address to receive the log messages, in the global configuration mode, use
the following command:
logging email to email-address smtp smtp-instance

l email-address – Specifies the email address that is used to receive the log messages.

l smtp smtp-instance – Specifies the name of the SMTP server instance used to send the mail
(must be a valid SMTP server instance in the system).

To delete the configuration of email address, in the global configuration mode, use the following
command:
no logging email to email-address

Configuring an SMTP Server Instance

To configure an SMTP server instance, in global configuration mode, use the following command:
smtp name smtp-name server {ip-address | hostname} {from email-addr | vrouter vr-name from email-addr} [username user-name password password] [mode {plain | starttls | ssl}] [port server-port]

l smtp-name – Specifies the name of the SMTP server instance.

l ip-address | hostname – Specifies the IP address or hostname of the SMTP server.

l email-addr – Specifies the sender’s address.

l vrouter vr-name – Specifies the VRouter of the SMTP server.

l username user-name password password – Specifies the username and password of the sender account.

l mode {plain | starttls | ssl} - Specifies the transmission mode of the email.

l plain - Specifies that the mail is sent in plain text and is not encrypted. This mode is the default transmission mode.

l starttls - STARTTLS is an extension to the plain-text communication protocol that upgrades plain-text connections to encrypted connections. In this mode, the mail is transmitted encrypted.

l ssl - SSL is a security protocol that provides confidentiality and data integrity for network communication. In this mode, the mail is transmitted encrypted.

l port server-port - Specifies the port number of the SMTP server. The range is 1 to 65535. The default port number differs by transmission mode: PLAIN: 25, STARTTLS: 25, SSL: 465.

To delete the specified SMTP server instance, in the global configuration mode, use the command no smtp name smtp-name.

Configuring PBR Log Function

After you enable the PBR log, the system will generate PBR logs once a PBR policy rule is matched by traffic.

Enabling PBR Log Function

You can enable the PBR log function based on PBR policy rules. By default, this feature is disabled. To enable or disable the PBR log function, in the PBR policy rule configuration mode, use the following command:

l To enable: log enable

l To disable: no log enable

To display the PBR logs in output destination, in the global configuration mode, use the following
command:
logging traffic pbr on
In the global configuration mode, use the no logging traffic pbr on command to cancel the settings.

Tip: If you have configured prioritized destination routing (DBR) lookup, even if a PBR policy rule is matched by traffic, the system will not generate PBR logs.

Sending PBR Logs

You can send PBR traffic logs to the console, syslog server and memory buffer. You can select
the output destination according to your requirements.
To send PBR traffic logs to the console, syslog server or memory buffer, in the global configuration mode, use the following command:
logging traffic pbr to {console | syslog | buffer [size buffer-size]}

l console | syslog | buffer – Specify the output destination. You can output the logs to the
console, syslog server or buffer.

l size buffer-size - Specify the buffer size. The value range is 4096 to 2097152 bytes. The
default value is 1048576.

In the global configuration mode, use the no logging traffic pbr to {console | syslog | buffer} command to disable the corresponding output function.

Tip: Currently, the system does not output:

l PBR logs of binary format.

l PBR logs for IPv6.

Displaying Hostname/Username in PBR Logs

By default, the hostname and username are not displayed in the PBR traffic logs. To display the hostname or username in PBR logs, in the global configuration mode, use the following command:
logging pbr content {hostname | username}

In the global configuration mode, use the no logging pbr content {hostname | username} command to cancel the display of the hostname/username.

Viewing PBR Logs

To view all the PBR logs, in any mode, use the following command:
show logging traffic pbr

Configuring Log Parameter

The system supports modifying the parameters of event logs, network logs and configuration logs,
including the description, the log level, and whether generation of the log is enabled or disabled.

Disabling the Log Generation

To disable the generation of the specified log ID, in the global configuration mode, use the following
command:
logging logid log-id off [description description]

l logid log-id - Disables the generation of the specified log ID.

l description description - Edits the description of the specified log ID.

In the global configuration mode, use the no logging logid log-id off command to re-enable the
generation of the specified log ID.

Configuring Log Level

To configure the log level, in the global configuration mode, use the following command:
logging logid log-id severity severity-level [description description]

l logid log-id - Specifies the log ID.

l severity severity-level - Specifies the log level: EMERG, ALERT, ERR, WARNING, NOTICE, INFO.

l description description - Edits the description of the specified log ID.

In the global configuration mode, use the no logging logid log-id severity command to cancel the
modification of the log level.

Enabling/Disabling the Record User Information Function for Threat Log

You can enable or disable the Record User Information function for Threat Log. With this func-
tion enabled, threat logs will record information about the authenticated user, including AAA
server, username, and hostname. By default, this function is disabled. To enable the Record User
Information function for Threat Log, in the global configuration mode, use the following com-
mand:
logging threat content username
In the global configuration mode, use the no logging threat content username command to disable
the Record User Information function for Threat Log.

Viewing Log Entries for Configuring Log Parameters

To view the log entries for configuring log parameters, in the global configuration mode, use the
following command:
show logging logid config

Viewing Log Configurations

To view the log configurations, in any mode, use the following commands:

l Show the system log configuration: show logging

l Show the syslog server configuration: show logging syslog

l Show the email address configuration: show logging email

l Show the log statistics: show logging statistics

l Show the SMTP server configuration: show smtp

l Show if the hostname and username are displayed in the logs: show logging content

l Show the SMS configuration: show logging sms

Viewing Logs

To view the specified type of logs, in any mode, use the following commands:

l Show the event logs:
show logging event [severity severity-level]

l Show the debug, network or threat logs:
show logging {debug [slot slot-number] [cpu cpu-number] | network | threat}

l Show the configuration logs:
show logging configuration

l Show the operation logs:
show logging [operation]

l Show the data security logs (file filter logs, content filter logs, network behavior record logs):
show logging data-security [dlp | cf | nbr]

l Show all the traffic logs:
show logging traffic

l Show the traffic logs (session log part):
show logging traffic session filter-session [src-ip A.B.C.D | src-port port-num | dst-ip
A.B.C.D | dst-port port-num | protocol {icmp | tcp | udp | others} | policy-id policy-id |
action {policy-deny | session-start | session-end | policy-default}]

l Show the traffic logs (NAT log part):
show logging traffic nat filter-nat [src-ip A.B.C.D | src-port port-num | dst-ip A.B.C.D |
dst-port port-num | protocol {icmp | tcp | udp | others} | trans-src-ip A.B.C.D | trans-src-port
port-num | trans-dst-ip A.B.C.D | trans-dst-port port-num | snat-rule-id rule-id | dnat-rule-id
rule-id]

l Show the traffic logs (URL log part):
show logging traffic urlfilter

l Show the IoT logs:
show logging iot-monitor

Exporting Logs

You can export the debug logs, event logs and threat logs to a specified FTP/FTPS/SFTP server,
TFTP server or USB disk.
To export the debug logs, event logs or threat logs to the specified FTP/FTPS/SFTP server, in
the execution mode, use the following command:
export log {debug | event | threat} to {ftp | ftps | sftp} server ip-address vrouter
vrouter-name user user-name password password [file-name]

l debug | event | threat - Specifies the log type that will be exported.

l ip-address - Specifies the IP address of the FTP/FTPS/SFTP server.

l vrouter-name - Specifies the virtual router name.

l user user-name password password - Specifies the username and password of the FTP/FTPS/SFTP
server.

l file-name - Specifies the name of the file to which the logs will be exported.

To export the debug logs, event logs or threat logs to the specified TFTP server, in the execution
mode, use the following command:
export log {debug | event | threat} to tftp server ip-address [file-name]

To export the debug logs, event logs or threat logs to the specified USB disk, in the execution
mode, use the following command:
export log {debug | event | threat} to {usb0 | usb1} [file-name]

Clearing Logs

To clear the specified logs in the system, in the execution mode, use the following command:
clear logging {configuration | operation | debug | event | network | threat | traffic {session |
nat | urlfilter} | data-security [dlp | cf | nbr] | iot-monitor}

l configuration - Clears all the configuration logs in the system.

l operation - Clears all the operation logs in the system.

l debug - Clears all the debug logs in the system.

l event - Clears all the event logs in the system.

l network - Clears all the network logs in the system.

l threat - Clears all the threat logs in the system.

l traffic {session | nat | urlfilter} - Clears the specified traffic logs in the system.

l data-security [dlp | cf | nbr] - Clears all the data security logs in the system: file filter logs
(dlp), content filter logs (cf), network behavior record logs (nbr).

l iot-monitor - Clears all the IoT logs in the system.

Notes: This command cannot clear the following important event log information:

l Restart: system restart, module restart.

l Hardware exception: fan, power, etc.

l Configuration deletion or rollback.

l Switching between the master device and the backup device.

l SCM HA.

Sending Traffic Logs to Syslog Servers
When Hillstone devices generate a large volume of log messages, a single Syslog server may fail
to handle all of them. To address this problem, Hillstone devices support the distributed
sending function. With this function configured, Hillstone devices send the log messages to
multiple Syslog servers according to a selectable algorithm, reducing the load on any single Syslog
server.
Only the traffic and data security log messages can be sent in the distributed way, and only the
threat logs can be sent in plaintext and in the distributed way.
To configure the distributed sending function, in the global configuration mode, use the following
command:
logging {traffic {session | nat | urlfilter} | data-security [dlp | cf | nbr]} to syslog [binary-format
[distributed [src-ip-hash | round-robin]] | custom-format]

l traffic {session | nat | urlfilter} | data-security [dlp | cf | nbr] - Specifies the log type that
will be sent.

l syslog - Sends the logs to Syslog servers.

l binary-format - Sends the traffic logs in the binary format.

l distributed - Sends the traffic logs to multiple Syslog servers according to the specified
algorithm.

l src-ip-hash | round-robin - Specifies the algorithm used to choose Syslog servers. src-ip-hash
chooses the Syslog server according to the source IP address; round-robin chooses the Syslog
server by the round-robin algorithm, which is the default algorithm used by the system.

l custom-format - Sends the logs in the plaintext format. By default, the system sends the
traffic logs in the plaintext format.

To remove the traffic log sending configuration, in the global configuration mode, use the following
command:
no logging {traffic {session | nat | urlfilter} | data-security [dlp | cf | nbr]} to syslog

To send the threat logs in the plaintext format and in the distributed way, use the following command
in the global configuration mode:
logging threat to syslog [custom-format [distributed [src-ip-hash | round-robin]]]

l custom-format - Sends the logs in the plaintext format. By default, the system sends the logs
in the plaintext format.

l syslog - Sends the logs to the syslog server.

l distributed - Sends the logs to the syslog servers in the distributed way.

l src-ip-hash | round-robin - Specifies the server selection algorithm. src-ip-hash indicates the
source-hashing algorithm and round-robin indicates the round-robin scheduling algorithm. The
round-robin scheduling algorithm is the default algorithm.

In the global configuration mode, use the following command to cancel the output of the threat
logs:
no logging threat to syslog
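The src-ip-hash and round-robin server selection described above, as an added example that is not part of this guide or of StoneOS: a small Python model of both algorithms run over constructed NAT log records, showing the collector spread each one produces. The hash function, the collector addresses and the log lines are all assumptions constructed for the illustration; the guide does not document the hash StoneOS actually uses.

```python
"""
Added example (not StoneOS code): model the two collector-selection algorithms
behind 'logging ... to syslog ... distributed {src-ip-hash | round-robin}' and
show the operational difference a SOC sees when correlating the resulting logs.
The hash used here (SHA-256 of the packed source address) is an assumption; it
only illustrates the property "same source host -> same collector".
"""
import hashlib
import ipaddress
from collections import Counter, defaultdict
from itertools import cycle

# Constructed sample: three syslog collectors (placeholder addresses).
SYSLOG_SERVERS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]


def select_src_ip_hash(src_ip, servers=SYSLOG_SERVERS):
    """src-ip-hash: every log line from one source host goes to one collector.

    Hashing the packed address bytes makes this work for IPv4 and IPv6 alike.
    """
    digest = hashlib.sha256(ipaddress.ip_address(src_ip).packed).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


class RoundRobinSelector:
    """round-robin (the StoneOS default): collectors are used in turn, so
    consecutive lines of the same session can land on different collectors."""

    def __init__(self, servers=SYSLOG_SERVERS):
        self._next = cycle(servers)

    def select(self, src_ip=None):
        # The source address is ignored on purpose: the choice is positional.
        return next(self._next)


def distribute(records, algorithm="round-robin", servers=SYSLOG_SERVERS):
    """Assign each (src_ip, message) record to a collector.

    Returns a list of (src_ip, collector, message) tuples in sending order.
    """
    if algorithm == "round-robin":
        choose = RoundRobinSelector(servers).select
    elif algorithm == "src-ip-hash":
        def choose(ip):
            return select_src_ip_hash(ip, servers)
    else:
        raise ValueError(f"unknown distributed algorithm: {algorithm}")
    return [(src, choose(src), msg) for src, msg in records]


def collectors_per_source(assignment):
    """Which collectors hold log lines for each source host.

    One collector per source means that collector has the full story for the
    host; several means cross-collector correlation is required.
    """
    seen = defaultdict(set)
    for src, collector, _ in assignment:
        seen[src].add(collector)
    return dict(seen)


def load_per_collector(assignment):
    """How many lines each collector received (the load-balancing view)."""
    return Counter(collector for _, collector, _ in assignment)


# Constructed sample NAT traffic log records: (source IP, message).
SAMPLE_RECORDS = [
    ("192.168.1.10", "session start 192.168.1.10:40001 -> 203.0.113.5:443"),
    ("192.168.1.10", "snat 192.168.1.10:40001 -> 198.51.100.2:51001"),
    ("192.168.1.20", "session start 192.168.1.20:40002 -> 203.0.113.5:443"),
    ("192.168.1.10", "session end 192.168.1.10:40001 -> 203.0.113.5:443"),
    ("192.168.1.20", "session end 192.168.1.20:40002 -> 203.0.113.5:443"),
    ("192.168.1.10", "session start 192.168.1.10:40003 -> 203.0.113.9:53"),
]


if __name__ == "__main__":
    for algorithm in ("round-robin", "src-ip-hash"):
        assignment = distribute(SAMPLE_RECORDS, algorithm)
        print(f"{algorithm}: collectors per source {collectors_per_source(assignment)}")
        print(f"{algorithm}: load per collector {dict(load_per_collector(assignment))}")
```

With round-robin the load is even but a single session's start, NAT and end lines are split across collectors; with src-ip-hash each host's lines stay together at the cost of uneven load when one source is very chatty.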

Example of Configuring Logs


This section describes two typical CLI log configuration examples: sending event logs to the
console and sending event logs to the Syslog server.

Example 1: Sending Event Logs to the Console

Step 1: Enable the event log function:

hostname# configure

hostname(config)# logging event on

Step 2: Send the event logs to the console; set the severity to Debugging:

hostname(config)# logging event to console severity debugging

Example 2: Sending Event Logs to the Syslog Server

Step 1: Enable the event log function. The workstation with IP address 202.38.1.10 is used as
the Syslog Server of UDP type; set the severity to Informational:

hostname(config)# logging event on

hostname(config)# logging syslog 202.38.1.10 udp 514 type event

hostname(config)# logging event to syslog severity informational

Step 2: Power on the Syslog Server.

Example 3: Sending Traffic Logs to a Local File

Step 1: Configure a track object. Track the syslog server whose IP address is 202.38.1.10.

hostname(config)# track abc

hostname(config-trackip)# threshold 3

hostname(config-trackip)# ip 202.38.1.10 interface ethernet0/1 interval 2

Step 2: Enable the function of sending traffic logs to the syslog server. The IP address of the
syslog server is 202.38.1.10. The name of the VRouter is trust-vr, the type is UDP, the port number
is 514, and the log type is traffic (NAT logs).

hostname(config)# logging traffic nat on

hostname(config)# logging syslog 202.38.1.10 vrouter "trust-vr" udp 514 type traffic nat

hostname(config)# logging traffic nat to syslog

Step 3: Power on the syslog server.

Step 4: Configure the settings to send the traffic logs to a local file. The folder name is aa.

hostname(config)# logging traffic nat to file name usb0 aa

Step 5: Enable the track function for the syslog server and set the maximum rate of sending traffic
logs to a file as 600 entries per second.

hostname(config)# logging traffic nat to syslog track abc local-backup rate-limit 600

Diagnostic Tool

Introduction
The system supports the following diagnostic methods:

l Packet Capture Tool: Users can capture packets in the system with the Packet Capture Tool.
After capturing the packets, you can export them to your local disk and analyze them with
third-party tools.

l Packet Path Detection: Based on the packet processing flow, the packet path detection function
traces the packets and shows the detection process and results to users as a chart with
descriptions. This function can detect the following packet sources: emulation packets, online
packets, and imported packets (the system provides the Packet Capture Tool to help you capture
the packets).

Detectable packets from different packet sources use different detection measures. The system
supports the following measures:

l Emulation packet detection: Emulates a packet and traces its processing flow in the system.

l Online packet detection: Performs a real-time detection of the processing flow of the packets in
the system.

l Imported packet detection: Imports existing packets and traces their processing flow in the
system.

This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
Using the WebUI to configure the diagnostic tool is strongly recommended.

Commands

Packet Capture Commands

Configuring Packet Capture Task

This includes configuring capture tasks and capture rules, starting/stopping capture, exporting
capture files, and clearing capture files.

packet-capture task

Create an online packet capture task and enter the packet capture task configuration mode. Use
the no form of the command to delete the specified online packet capture task.
Command:
packet-capture task task-name

no packet-capture task task-name

Description:
task-name - Specifies the name of the online packet capture task and enters the packet capture
task configuration mode.
Default values:
None
Mode:
Any mode
Guidance:
The system allows you to create at most 5 packet capture tasks.
Example:
hostname(config)# packet-capture task task1

interface

Configure the interface used for the online packet capture task. Use the no form of the command
to delete the specified interface.
Command:
interface interface-name

no interface

Description:
interface-name - Specifies the name of the interface used for the online packet capture task.
Packets cannot be captured on tunnel interfaces or the management interface.
Default values:
None
Mode:
Packet capture task configuration mode
Guidance:
None
Example:
hostname(config-pkt-task)# interface ethernet0/0

direction

Configure the traffic direction of the interface. Use the no form of the command to delete the
specified traffic direction.
Command:
direction {in | out}

no direction
Description:
in - Specifies to capture packets on the inbound interface. If no packets are captured, the packets
may be blocked by the firewall or may not flow into the firewall at all. If no packets flow into the
firewall, you can troubleshoot the upstream link or upstream device as needed.
out - Specifies to capture packets on the outbound interface. If packets are captured, you can
troubleshoot the downstream link or downstream device as needed.
If direction is not configured, both inbound and outbound are specified. In this case, you can
determine the actual traffic direction from the captured packets.
Default value:
None
Mode:
Packet capture task configuration mode
Guidance:
None
Example:
hostname(config-pkt-task)# direction in

task-info

Configure the packet capture task.

Command:
task-info [pacp-time time-value] [description description]

no task-info
Description:
pacp-time time-value - Specifies the effective duration of the capture task. The range is 1 to 720
minutes; the default value is 30 minutes.
description description - Specifies the description information of the packet capture task. The
range is 1 to 255 characters.
Default values:
pacp-time time-value - 30 minutes
Mode:
Packet capture task configuration mode
Guidance:
None.
Example:
hostname(config-pkt-task)# task-info pacp-time 20

filter-rule

Configure the packet capture rule.

Command:
filter-rule id id [src-ip ipv4-address/mask | src-ipv6 ipv6-address/prefix | src-ip-min min-ipv4
src-ip-max max-ipv4 | src-ipv6-min min-ipv6 src-ipv6-max max-ipv6 | user aaa-server user-name |
user-group aaa-server user-name] [src-port port-num] [dst-ip ipv4-address/mask | dst-ipv6
ipv6-address/prefix | dst-ip-min min-ipv4 dst-ip-max max-ipv4 | dst-ipv6-min min-ipv6
dst-ipv6-max max-ipv6 | url url] [dst-port port-num] [proto {tcp | udp | icmp | proto-num}]
[application app-name]

no filter-rule id id
Description:
filter-rule id id - Specifies the ID of the packet capture rule. The range is 1-8.
src-ip ipv4-address/mask - Specifies the source IPv4 address and its mask of the packet.
src-ipv6 ipv6-address/prefix - Specifies the source IPv6 address and its prefix of the packet.
src-ip-min min-ipv4 src-ip-max max-ipv4 - Specifies the source IPv4 range of the packet.
src-ipv6-min min-ipv6 src-ipv6-max max-ipv6 - Specifies the source IPv6 range of the packet.
user aaa-server user-name - Specifies the user of the packet.
user-group aaa-server user-name - Specifies the user group of the packet.
src-port port-num - Specifies the source port number of the packet.
dst-ip ipv4-address/mask - Specifies the destination IPv4 address and its mask of the packet.
dst-ipv6 ipv6-address/prefix - Specifies the destination IPv6 address and its prefix of the packet.
dst-ip-min min-ipv4 dst-ip-max max-ipv4 - Specifies the destination IPv4 range of the packet.
dst-ipv6-min min-ipv6 dst-ipv6-max max-ipv6 - Specifies the destination IPv6 range of the packet.
url url - Specifies the destination URL of the packet.
dst-port port-num - Specifies the destination port number of the packet.
proto {tcp | udp | icmp | proto-num} - Specifies the protocol type or the protocol number of the
packet.
application app-name - Specifies the application type of the packet.
Default values:
any.
Mode:
Packet capture task configuration mode
Guidance:
A maximum of 8 packet capture rules can be created in the same packet capture task.
Example:
hostname(config-pkt-task)# filter-rule id 1 src-ip 1.1.1.1 src-port 23 dst-ip 2.2.2.2 dst-port 23
application http

exec packet-capture

Begin or stop capturing packets.

Command:
Begin capturing packets: exec packet-capture task task-name start
Stop capturing packets: exec packet-capture stop
Description:
task task-name - Specifies the name of the packet capture task.
Default values:
None
Mode:
Any mode
Guidance:
None
Example:
hostname# exec packet-capture task task1 start

hostname# exec packet-capture stop

export packet-capture-file

Export the file captured by the Packet Capture Tool.

Command:
export packet-capture-file {slot slot-number | all} {tar task-name | file task-name file-name}
to {ftp server ip-address [user user-name password password] | tftp server ip-address}
[vrouter vr-name] [file-name]

Description:
slot slot-number | all - Exports the data package file of the specified slot number to the FTP
server/TFTP server. Supported only on some devices (X series devices and K9180).
tar task-name | file task-name file-name - Exports the compressed package of all files of the packet
capture task, or a specified file.
ftp server ip-address [user user-name password password] - Exports the specified file to the FTP
server.

l ip-address - Specifies the FTP IP address.

l user user-name password password - Specifies the username and password of the FTP user.
If not specified, the system logs in anonymously.

tftp server ip-address - Exports the specified file to the TFTP server.

vrouter vr-name - Specifies the VR name.
file-name - Specifies the name of the exported file.
Default values:
vrouter vr-name - trust-vr;
file-name - pktdump.pcap.
Mode:
Execution mode
Guidance:
Only devices with hard disks support this CLI. For T series devices and other devices without
hard disks, please export the data package file via the WebUI.
We recommend that a single capture does not exceed 500 MB, because a larger file may fail to be
exported due to a timeout.
Example:
hostname# export packet-capture-file tar test to tftp server 10.1.1.1

clear packet-capture task

Clear the packet capture file of the specified capture task.

Command:
clear packet-capture task task-name
Description:
task-name - Specifies the name of the packet capture task whose packet capture file is to be
cleared.
Default values:
None.
Mode:
Any mode.
Guidance:
None.
Example:
hostname# clear packet-capture task task1

Packet Capture Global Configuration

The global configuration items of packet capture vary according to the type of device:

l For devices with hard disks, you can configure the percentage of the packet capture files to
the total hard disk size.

l For devices without hard disks, you can configure the packet capture file save percent and the
packet capture file save time.

packet-capture save-mem

Configure the maximum percentage of packet capture files in the remaining memory (devices without
hard disk) or in the total hard disk size (devices with hard disk).
Command:
packet-capture save-mem mem-percent

no packet-capture save-mem
Description:
mem-percent - Specifies the maximum percentage of packet capture files in the remaining memory
(devices without hard disk) or in the total hard disk size (devices with hard disk). The range is
5%-50%.
Default values:
10%
Mode:
Global configuration mode
Guidance:
None
Example:
hostname(config)# packet-capture save-mem 20

packet-capture save-time

Configure the length of time the packet capture file is saved.

Command:
packet-capture save-time save-time-value

no packet-capture save-time
Description:
save-time-value - Specifies the length of time the packet capture file is saved, in minutes. The
range is 1-440 minutes.
Default values:
30 minutes.
Mode:
Global configuration mode
Guidance:
This command is supported only on devices without hard disks.
Example:
hostname(config)# packet-capture save-time 60

Show Commands

show packet-capture status

Display the status of packet capture.

Command:
show packet-capture status [task task-name [cpu cpu-number | slot slot-number]]

Description:
task task-name - Displays the status information of the packet capture task with the specified
name.
cpu cpu-number | slot slot-number - Displays the packet capture status information of the specified
CPU or slot number. Only some devices (X series devices, K9180) are supported.
Default values:
None.
Mode:
Any mode
Guidance:
Only X series devices and the K9180 device support the display of the capture status information of
the specified CPU or slot number.
Example:
hostname(config)# show packet-capture status task test

show packet-capture task

Display packet capture task information.

Command:
show packet-capture task

Description:
None.
Default values:
None.
Mode:
Any mode
Guidance:
None.
Example:
hostname(config)# show packet-capture task

Packet Path Detection Commands

Emulation Packet

troubleshooting packet-trace emulation-template

Configure emulation detection.

Command:
troubleshooting packet-trace emulation-template name type {tcp | udp} src-ip ip-address
src-port port-num dst-ip ip-address dst-port port-num ingress-interface interface-name
[description description]

troubleshooting packet-trace emulation-template name type icmp src-ip ip-address dst-ip
ip-address type type-value code code-value ingress-interface interface-name [description
description]

no troubleshooting packet-trace emulation-template name

Description:
emulation-template name - Specifies the name of the emulation packet.
type {tcp | udp} / type icmp - Specifies the protocol type of the emulation packet.
src-ip ip-address - Specifies the source IP address of the emulation packet.
src-port port-num - Specifies the source port of the emulation packet, only when the protocol type
is specified as TCP/UDP.
dst-ip ip-address - Specifies the destination IP address of the emulation packet.
dst-port port-num - Specifies the destination port of the emulation packet, only when the protocol
type is specified as TCP/UDP.
type type-value code code-value - Specifies the ICMP type value and code value, only when the
protocol type is specified as ICMP.
ingress-interface interface-name - Specifies the ingress interface of the emulation packet.
description description - Specifies the description.
Default values:
None
Mode:
Global configuration mode
Guidance:
The system allows you to create at most 20 emulation packets.
This command is only supported on T series devices and E series devices.
Example:
hostname(config)# troubleshooting packet-trace emulation-template temp1 type udp
src-ip 10.0.0.1 src-port 10 dst-ip 192.168.0.1 dst-port 100 ingress-interface ethernet0/0

exec troubleshooting packet-trace emulation-template

Begin emulation packet path detection.


Command:
exec troubleshooting packet-trace emulation-template name start
Description:
emulation-template name- Specifies the name of the emulation packet.
Default values:
None
Mode:
Any mode
Guidance:
This command is only supported in T series devices and E series devices.
Example:
hostname# exec troubleshooting packet-trace emulation-template test start

exec troubleshooting packet-trace stop

Stop emulation packet path detection.


Mode:
Any mode
Guidance:
This command is only supported in T series devices and E series devices.
Example:
hostname# exec troubleshooting packet-trace stop

export troubleshooting packet-trace emulation-template

Export the file captured by emulation packet path detection.

Command:
export troubleshooting packet-trace emulation-template name to {ftp server ip-address [user
user-name password password] | tftp server ip-address} [vrouter vr-name] [file-name]

Description:
ftp server ip-address [user user-name password password] - Exports the specified file to the FTP
server.

l ip-address - Specifies the FTP IP address.

l user user-name password password - Specifies the username and password of the FTP user.
If not specified, the system logs in anonymously.

tftp server ip-address - Exports the specified file to the TFTP server.

vrouter vr-name - Specifies the VR name.
file-name - Specifies the name of the exported file.
Default values:
vrouter vr-name - trust-vr.
Mode:
Execution mode
Guidance:
This command is only supported on T series devices and E series devices.
Example:
hostname# export troubleshooting packet-trace emulation-template temp1 to tftp
server 10.1.1.1

Online Packet

troubleshooting packet-trace filter

Configure online detection.

Command:
troubleshooting packet-trace filter name type live-traffic {[[src-ip ip-address] | [user aaa-server
user-name] | [user-group aaa-server user-name]] [src-port port-num] [[dst-ip ip-address] | [url url]]
[dst-port port-num] [proto {tcp | udp | icmp | proto-num}] [application app-name]
[ingress-interface interface-name]} [description description]

no troubleshooting packet-trace filter name

Description:
filter name - Specifies the name of the online packet.
src-ip ip-address - Specifies the source IP address of the online packet.
user aaa-server user-name - Specifies the user of the online packet.
user-group aaa-server user-name - Specifies the user group of the online packet.
src-port port-num - Specifies the source port of the online packet.
dst-ip ip-address - Specifies the destination IP address of the online packet.
url url - Specifies the URL of the online packet.
dst-port port-num - Specifies the destination port of the online packet.
proto {tcp | udp | icmp | proto-num} - Specifies the protocol type or the protocol number of the
packet.
application app-name - Specifies the application type of the online packet.
ingress-interface interface-name - Specifies the ingress interface of the online packet.
description description - Specifies the description.
Default values:
None
Mode:
Global configuration mode
Guidance:
The system allows you to create at most 5 packet capture entries.
This command is only supported on T series devices and E series devices.
Example:
hostname(config)# troubleshooting packet-trace filter test type live-traffic dst-ip 10.1.1.1
application http ingress-interface ethernet0/0

exec troubleshooting packet-trace filter

Begin online packet path detection.

Command:
Begin online packet path detection: exec troubleshooting packet-trace filter name [packet-capture]
start [time-out value]
Description:
filter name - Specifies the name of the online packet.
packet-capture - Enables the packet path detection function.
time-out value - Specifies the detection time. When the time value is reached, the system stops
detection automatically. The range is 1 to 1440 minutes.
Default values:
time-out value - 30 minutes
Mode:
Any mode
Guidance:
The imported packet detection function is only supported on T series devices and E series devices
with hard disks.
Example:
hostname# exec troubleshooting packet-trace filter 123 start time-out 60

exec troubleshooting packet-trace stop

Stop packet path detection.


Mode:
Any mode
Guidance:
The imported packet detection function is only supported in T series devices and E series devices
with hard disks.
Example:
hostname# exec troubleshooting packet-trace stop

export troubleshooting packet-trace packet-capture-file

Export the file captured by online packet path detection.

Command:
export troubleshooting packet-trace packet-capture-file to {ftp server ip-address [user
user-name password password] | tftp server ip-address} [vrouter vr-name] [file-name]

Description:
ftp server ip-address [user user-name password password] - Exports the specified file to the FTP
server.

l ip-address - Specifies the FTP IP address.

l user user-name password password - Specifies the username and password of the FTP user.
If not specified, the system logs in anonymously.

tftp server ip-address - Exports the specified file to the TFTP server.

vrouter vr-name - Specifies the VR name.
file-name - Specifies the name of the exported file.
Default values:
vrouter vr-name - trust-vr;
file-name - ts_pktdump.pcap.
Mode:
Execution mode
Guidance:
This command is only supported on T series devices and E series devices.
Example:
hostname# export troubleshooting packet-trace packet-capture-file to tftp server
10.1.1.1

Imported Packet

import troubleshooting packet-trace

Import a file for packet path detection.

Command:
import troubleshooting packet-trace replay-file from {ftp server ip-address [user user-name
password password] | tftp server ip-address} [vrouter vr-name] file-name

Description:
ftp server ip-address [user user-name password password] - Imports the specified file from the FTP
server.

l ip-address - Specifies the FTP IP address.

l user user-name password password - Specifies the username and password of the FTP user.
If not specified, the system logs in anonymously.

tftp server ip-address - Imports the specified file from the TFTP server.
vrouter vr-name - Specifies the VR name.
file-name - Specifies the name of the imported file.
Default values:
vrouter vr-name - trust-vr.
Mode:
Execution mode
Guidance:
This command is only supported on T series devices and E series devices with hard disks.
Example:
hostname# import troubleshooting packet-trace replay-file from ftp server 10.1.1.1
user user1 password password1 test.pcap

troubleshooting packet-trace filter

Configure imported detection.


Command:
tro ub lesh o o tin g p acket-trace filter name typ e rep lay-file {[src-ip ip-address ] [src-p o rt port-
num ] [dst-ip ip-address ] [dst-p o rt port-num ] [p ro to {tcp | udp | icmp | proto-num }] [ap p lic-
atio n app-name ] in gress-in terface interface-name } [descrip tio n description ]

no troubleshooting packet-trace filter name


Description:
filter name - Specifies the name of the imported packet.
src-ip ip-address - Specifies the source IP address of the imported packet.
src-port port-num - Specifies the source port of the imported packet.
dst-ip ip-address - Specifies the destination IP address of the imported packet.
dst-port port-num - Specifies the destination port of the imported packet.
proto {tcp | udp | icmp | proto-num} - Specifies the protocol type or the protocol number of the
imported packet.
application app-name - Specifies the application type of the imported packet.
ingress-interface interface-name - Specifies the ingress interface of the imported packet.
description description - Specifies the description.
Default values:
None
Mode:
Global configuration mode
Guidance:
The system allows you to create at most 5 packet capture entries.
This command is only supported in T series devices and E series devices with hard disks.
Example:
hostname(config)# troubleshooting packet-trace filter test1 type replay-file src-ip 10.0.0.1 ingress-interface ethernet0/0
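How the filter fields narrow a replay file down to the packet whose path is to be traced, as an added example that is not part of this guide or of StoneOS: it reads a pcap built inline and applies the same src-ip, src-port, dst-ip, dst-port and proto fields the command takes, treating omitted fields as wildcards. The ingress-interface parameter has no counterpart in an offline capture and is left out, and the exact-match semantics are an assumption made for illustration, not the device's matching code.

```python
"""Offline model of the packet-trace replay-file filter fields (constructed example).

Parses a classic pcap byte string (Ethernet/IPv4 carrying TCP, UDP or ICMP) and
selects the packets matching the src-ip / src-port / dst-ip / dst-port / proto
fields of the filter command. All packet data below is constructed inline.
"""
import struct
import ipaddress

# Protocol keywords accepted by the command, mapped to IP protocol numbers
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


def _ip(addr):
    """Dotted-quad string to 4 packed bytes."""
    return ipaddress.IPv4Address(addr).packed


def build_frame(src, dst, proto, sport=None, dport=None):
    """Constructed Ethernet/IPv4 frame with a minimal TCP, UDP or ICMP header."""
    if proto == 6:    # TCP SYN, 20-byte header
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    elif proto == 17: # UDP, 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:             # ICMP echo request, no ports
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         _ip(src), _ip(dst))
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    return eth + ip_hdr + l4


def build_pcap(frames):
    """Constructed classic pcap file (link type 1 = Ethernet) holding the frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return one dict per IPv4 packet: src_ip, dst_ip, proto, src_port, dst_port."""
    magic, = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    offset, packets = 24, []
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet; the filter cannot match it
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src_ip = str(ipaddress.IPv4Address(frame[26:30]))
        dst_ip = str(ipaddress.IPv4Address(frame[30:34]))
        l4 = frame[14 + ihl:]
        sport = dport = None
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
        packets.append({"src_ip": src_ip, "dst_ip": dst_ip, "proto": proto,
                        "src_port": sport, "dst_port": dport})
    return packets


def matches(pkt, src_ip=None, src_port=None, dst_ip=None, dst_port=None, proto=None):
    """Every field given must match exactly; omitted fields are wildcards (assumed semantics)."""
    if isinstance(proto, str):
        proto = PROTO_NUMBERS[proto]
    checks = [(src_ip, pkt["src_ip"]), (src_port, pkt["src_port"]),
              (dst_ip, pkt["dst_ip"]), (dst_port, pkt["dst_port"]), (proto, pkt["proto"])]
    return all(want is None or want == got for want, got in checks)


def select_packets(pcap_bytes, **filt):
    """Indices of the packets in the capture that the filter would select."""
    return [i for i, pkt in enumerate(parse_pcap(pcap_bytes)) if matches(pkt, **filt)]


# Constructed three-packet capture: TCP, UDP and ICMP
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.1", "192.0.2.10", 6, 51234, 443),
    build_frame("10.0.0.2", "224.0.0.251", 17, 5353, 5353),
    build_frame("10.0.0.1", "192.0.2.10", 1),
])

if __name__ == "__main__":
    print(select_packets(SAMPLE_PCAP, src_ip="10.0.0.1"))                            # [0, 2]
    print(select_packets(SAMPLE_PCAP, src_ip="10.0.0.1", proto="tcp", dst_port=443))  # [0]
```

A filter that names only src-ip, like the example above, still selects every packet from that host; adding proto and dst-port is what pins the trace to one flow, which is worth checking against the capture before starting the detection.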

exec troubleshooting packet-trace filter

Begin imported packet path detection.


Command:
exec troubleshooting packet-trace filter name start
Description:
filter name - Specifies the name of the imported packet.
Default values:
None
Mode:
Any mode
Guidance:
This command is only supported in T series devices and E series devices.
Example:
hostname# exec troubleshooting packet-trace filter test1 start

exec troubleshooting packet-trace stop

Stop imported packet path detection.


Command:
exec troubleshooting packet-trace stop
Mode:
Any mode
Guidance:
This command is only supported in T series devices and E series devices.
Example:
hostname# exec troubleshooting packet-trace stop

NetFlow

Overview
NetFlow is a data exchange method that records the source/destination addresses and port num-
bers of the packets in the network. It is an important method for network traffic statistics and
analysis.
Hillstone NetFlow supports NetFlow Version 9. With this function configured, the device
collects the user's ingress traffic according to the NetFlow profile and sends it to a server run-
ning a NetFlow data analysis tool, so that traffic can be detected, monitored and billed.

Configuring NetFlow
The NetFlow configurations are based on interfaces.
To configure the interface-based NetFlow, take the following steps:

1. Enable NetFlow function.

2. Create a NetFlow profile, then specify the active timeout value and the template refresh rate
and configure the NetFlow server in the profile.

3. Bind the NetFlow Profile to an interface.

Enabling NetFlow

To enable the NetFlow function, in the global configuration mode, use the following command:
netflow enable
To disable the NetFlow function, in the global configuration mode, use the following command:
no netflow enable.

Creating a NetFlow Profile

A NetFlow profile contains the active timeout value, the template refresh rate, and the
NetFlow server settings.

To create a NetFlow profile, in the global configuration mode, use the following command:
netflow-profile netflow-profile-name

l netflow-profile-name - Specifies the NetFlow profile name and enters the NetFlow profile
configuration mode. If the specified name exists, system will directly enter the NetFlow pro-
file configuration mode.

To delete the specified NetFlow profile, in the global configuration mode, use the command no
netflow-profile netflow-profile-name.

Configuring the Template Refresh Rate

You can configure the NetFlow template refresh rate by time or by number of packets; after
the configured interval or packet count, the system refreshes the NetFlow profile. In the NetFlow
profile configuration mode, use the following commands:

l Time: template-refresh-minute refresh-value


refresh-value - Specifies the time after which the system refreshes the NetFlow profile. The range
is 1 to 3600 minutes. The default value is 30 minutes.

l Packets: template-refresh-packet packet-value


packet-value - Specifies the number of packets. When the number of NetFlow packets
exceeds the specified value, the system refreshes the NetFlow profile. The range is 1 to 600.
The default value is 20.
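What the template refresh settings protect against on the receiving side, shown with a small NetFlow v9 decoder. This is an added example, not code from this guide or from StoneOS; the field set, template ID 256, source ID 1 and the flow values are constructed for the demonstration.

```python
"""Minimal NetFlow v9 receiver showing why periodic template refresh matters (constructed example).

A v9 exporter describes record layouts in template FlowSets (FlowSet ID 0) and carries the
flow data in data FlowSets (FlowSet ID >= 256, equal to the template ID). A collector that has
not yet seen the template cannot decode the data; re-exporting the template periodically is
what lets a collector that joined or restarted late recover. Nothing here is StoneOS code.
"""
import struct
import ipaddress

# NetFlow v9 field types used in the constructed template (RFC 3954 numbering)
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
TEMPLATE_ID = 256  # constructed template ID
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]  # (type, length)


def build_template_flowset(template_id, fields):
    """Template FlowSet: FlowSet ID 0, then template ID, field count and (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_flowset(template_id, records):
    """Data FlowSet: FlowSet ID = template ID, records back to back, padded to 32 bits."""
    body = b"".join(records)
    body += b"\x00" * ((-len(body)) % 4)
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def build_export_packet(flowsets, source_id=1, sequence=0):
    """20-byte v9 header (version, count, uptime, unix secs, sequence, source ID) + FlowSets."""
    header = struct.pack("!HHIIII", 9, len(flowsets), 0, 0, sequence, source_id)
    return header + b"".join(flowsets)


class V9Collector:
    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(type, length), ...]
        self.unresolved = {}  # (source_id, template_id) -> data FlowSets dropped, template unknown

    def feed(self, packet):
        """Decode one export packet and return the flow records it could decode."""
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"unexpected NetFlow version {version}")
        records, offset = [], 20
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:
                self._learn_templates(source_id, body)
            elif fs_id >= 256:
                records.extend(self._decode_data(source_id, fs_id, body))
            # FlowSet ID 1 (options template) and 2..255 (reserved) are skipped here
            offset += fs_len
        return records

    def _learn_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = []
            for _ in range(nfields):
                fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                pos += 4
            self.templates[(source_id, tid)] = fields  # templates are scoped per source ID

    def _decode_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            key = (source_id, tid)
            self.unresolved[key] = self.unresolved.get(key, 0) + 1
            return []  # cannot interpret the bytes without the template
        rec_len = sum(length for _, length in fields)
        out, pos = [], 0
        while rec_len and pos + rec_len <= len(body):  # stops before trailing padding
            rec = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                if ftype in (8, 12) and flen == 4:
                    rec[name] = str(ipaddress.IPv4Address(raw))
                else:
                    rec[name] = int.from_bytes(raw, "big")
            out.append(rec)
        return out


def demo():
    """A data record arriving before its template is dropped; after the template it decodes."""
    record = struct.pack("!4s4sHHBII", ipaddress.IPv4Address("10.0.0.1").packed,
                         ipaddress.IPv4Address("192.0.2.10").packed, 51234, 443, 6, 1500, 12)
    data_pkt = build_export_packet([build_data_flowset(TEMPLATE_ID, [record])], sequence=1)
    template_pkt = build_export_packet([build_template_flowset(TEMPLATE_ID, TEMPLATE_FIELDS)],
                                       sequence=2)
    collector = V9Collector()
    before = collector.feed(data_pkt)   # [] : template not seen yet
    collector.feed(template_pkt)
    after = collector.feed(data_pkt)    # one decoded flow record
    return before, after, dict(collector.unresolved)
```

A collector started or restarted between two template exports silently loses every data FlowSet until the next refresh, so a short refresh interval or packet count bounds that blind window; the `unresolved` counter is the kind of health metric worth watching on the analysis server next to the refresh settings configured in the profile.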

Configuring the Active Timeout Value

The active timeout value is the interval after which the device sends the collected NetFlow
traffic information to the specified server. In the NetFlow profile configuration mode, use
the following command:
active-timeout timeout-value

l timeout-value – Specifies the active timeout value. The range is 1 to 60 minutes. The default
value is 5 minutes.

To restore to the default value, in the NetFlow profile configuration mode, use the following com-
mand: no active-timeout.

Configuring the NetFlow Server

To configure the NetFlow server for data analysis, in the NetFlow profile configuration mode, use
the following command:
server name [ip ip-address | port port-number]

l name - Specifies the server name. The range is 1 to 32 characters.

l ip ip-address - Specifies the IP address of the NetFlow server.

l port port-number - Specifies the port number of the NetFlow server. The range is 1 to 65535.
The default value is 9996.

To delete the specified server, in the NetFlow profile configuration mode, use the following com-
mand: no server name.

Notes: You can add up to 2 NetFlow servers.

Containing the Enterprise Field

You can specify whether the collected NetFlow traffic information contains the enterprise field.
To specify that the collected NetFlow traffic contains the enterprise field, in the NetFlow profile con-
figuration mode, use the following command:
export-enterprise-fields
To specify that the collected NetFlow traffic does not contain the enterprise field, in the NetFlow
profile configuration mode, use the following command: no export-enterprise-fields.

Specifying the Source Interface

To specify the source interface for sending NetFlow traffic information, in the NetFlow profile
configuration mode, use the following command:
source interface interface-name address interface-address

l interface-name – Specifies the source interface name.

l interface-address – After specifying the source interface, the system will automatically
acquire and display the management IP address or the secondary IP address of the source inter-
face.

To delete the source interface configurations, in the NetFlow profile configuration mode, use the
following command: no source.

Binding a NetFlow Profile to an Interface

If the NetFlow profile is bound to an interface, the device will collect user's ingress traffic inform-
ation according to the NetFlow profile. To bind a NetFlow profile to an interface, in the interface
configuration mode, use the following command:
netflow-profile netflow-profile-name

l netflow-profile-name – Specifies the name of the NetFlow profile that will be bound to the
interface.

To remove the binding, in the interface configuration mode, use the following command: no
netflow-profile.

Viewing NetFlow Information

To view the configurations of a NetFlow profile, in any mode, use the following command:
show netflow-profile [netflow-profile-name]

To view the NetFlow statistic information, in any mode, use the following command:
show netflow [generic] | [slot slot-no]

l generic - Shows the general NetFlow statistic information.

l slot slot-no - Shows the NetFlow statistic information of the specified slot.
