BDS WebUI User Guide V5.0


Hillstone Networks

BDS WebUI User Guide


Version 5.0

TechDocs | https://docs.hillstonenet.com
Copyright 2023 Hillstone Networks All rights reserved.

Information in this document is subject to change without notice. The software described in this document is
furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in
accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying
and recording for any purpose other than the purchaser's personal use without the written permission of
Hillstone Networks.


Commercial use of the document is forbidden.

Contact Information:

US Headquarters:

Hillstone Networks

5201 Great America Pkwy, #420

Santa Clara, CA 95054

Phone: 1-408-508-6750

https://www.hillstonenet.com/about-us/contact/

About this Guide:

This guide gives comprehensive configuration instructions for Hillstone Networks BDS.

For more information, refer to the documentation site: https://docs.hillstonenet.com.

To provide feedback on the documentation, please write to us at:

TechDocs@hillstonenet.com


TWNO: TW-WUG-BDS-5.0-EN-V1.0-8/23/2023
Contents

Contents 1

Chapter 1 Getting Started Guide 18

Preparation 18

Initial Configuration 18

Basic Configuration 20

Deploying Tap Mode 20

Zero-Configuration Deployment 20

Changing the Initial Configurations 21

Initial Visit to Web Interface 24

Configuring Network Connections 27

Configuring MGT Interface 27

Configuring DNS Server 28

Configuring Destination Route 28

Preparing the System 30

Creating System Administrators 30

Adding Trust Hosts 31

Installing Licenses 32

Updating Signature Database 33

Configuring Intranet Assets 34

Monitoring Data Display 36

TOC - 1
Risk Assessment 36

Server Risk Monitor 37

Endpoint Risk Monitor 37

Threat Monitor 38

Application Analysis 38

Device Monitor 40

Chapter 2 Risk Assessment 41

Overview 42

Server Risk Monitor Overview 43

Endpoint Risk Monitor Overview 44

Threat Monitor Overview 45

Screening Monitoring Mode 46

Chapter 3 Security Analysis 48

Server Risk Monitor 49

Server List 50

Server Details 53

Server Threat Topology 59

Icons 59

Filters 60

Lines 61

Modifying the Layout of Page 63

Viewing the Details of Server 64

Viewing the Risk TOP 10 Server 65

Server Traffic Topology 67

Icons 67

Filters 68

Lines 69

Modifying the Layout of Page 70

Viewing the Details of Server Traffic Monitor 71

Viewing the Result of Traffic Monitor 72

Viewing the Traffic TOP 10 Server 75

Endpoint Risk Monitor 76

Endpoint Risk Monitor Details 76

Endpoint Details 78

Viewing the Abnormal Traffic Monitor Result of Endpoint 83

Threat Monitor 84

Threat Details 84

Viewing the Threat Intelligence 86

Viewing the Threat Details 88

Hot Threat Intelligence 104

Viewing Hot Threat Intelligence 107

Chapter 4 Incident Response 108

Threat Alarm Rule 109

Configuring a Threat Alarm Rule 109

Editing the Threat Alarm Rule 114

Enabling/Disabling the Threat Alarm Rule 115

Deleting the Threat Alarm Rule 115

Customizing Alarm Sound 115

Viewing the Details of Threat Sound Alarm 116

White List Management 118

Creating a White List 118

Viewing the White List 119

Mitigation 121

Linkage Device 123

Creating a Linkage Device 123

Connectivity Test 125

Enabling/Disabling the Linkage Device 125

Deleting the Linkage Device 126

Viewing the Linkage Blocking Information 126

Chapter 5 System Monitor 127

Traffic Monitor 128

Traffic Baseline Management 129

Traffic Baseline Overview 129

Details of Traffic Baseline 129

Configuring Traffic Monitor 132

Application Analysis 135

Layout Overview 135

Configuring Filters 137

Configuring Global Filters 137

Configuring Local Filters 138

Examples of Application Monitor 138

Device Monitor 140

Summary 140

Statistical Period 142

System Alarm 143

Alarm as a Monitor 143

Alarms by Time 143

Alarm by Severity 144

Alarm Details 145

Alarm Rule 147

Creating an Alarm Rule 147

Send Object 150

Creating a Send Object 150

Viewing Relevant Alarm Rules 150

Chapter 6 Report & Log 151

Reporting 152

Report File 153

Report Template 154

Creating a User-defined Template 155

Editing a User-defined Template 158

Deleting a User-defined Template 159

Cloning a Report Template 159

Report Task 160

Creating a Report Task 160

Editing the Report Task 164

Deleting the Report Task 164

Enabling/Disabling the Report Task 164

Report Status 165

Logging 166

Log Severity 166

Destination of Exported Logs 167

Log Format 167

Threat Logs 168

CloudSandBox Logs 172

Event Logs 173

Network Logs 174

Configuration Logs 175

Session Logs 176

Managing Logs 178

Configuring Logs 178

Option Descriptions of Various Log Types 178

Log Configuration 184

Creating a Log Server 184

Configuring Log Encoding 184

Adding Email Address to Receive Logs 185

Specifying a Unix Server 185

Chapter 7 Configuration Management 187

System Information 188

Viewing System Information 188

Network Configuration 190

Security Zone 191

Configuring a Security Zone 191

Management Interfaces 193

Configuration Management Interfaces 193

Interface 194

Configuring an Interface 195

General Properties of Interfaces 195

Creating a Loopback Interface 197

Creating an Aggregate Interface 198

Creating an Ethernet Sub-interface/Aggregate Sub-interface 202

Editing an Interface 204

DNS 207

Configuring a DNS Server 207

Configuring a Analysis 207

Configuring a DNS Cache 208

Global Network Parameters 209

Configuring Global Network Parameters 209

Advanced Routing 212

Destination Route 213

Creating a Destination Route 213

Object Configuration 216

Address 217

Creating an Address Book 217

Viewing Details 219

Service Book 220

Predefined Service/Service Group 220

User-defined Service 220

User-defined Service Group 220

Configuring a Service Book 221

Configuring a User-defined Service 221

Configuring a User-defined Service Group 223

Viewing Details 224

Application Book 225

Editing a Predefined Application 225

Creating a User-defined Application 225

Creating a User-defined Application Group 226

Creating an Application Filter Group 228

Creating a Signature Rule 229

Schedule 233

Periodic Schedule 233

Timeframe 233

Creating a Schedule 233

Intranet Assets 236

Configuring Intranet Assets 237

Configuring the Asset Range 237

Creating an Asset Range 238

Importing the Asset Range 240

Importing the File Template 241

Exporting the Asset Range 242

Configuring an Asset Scanning Task 243

Creating an Asset Scanning Task 244

Scan Report 246

Asset List 247

Creating an Intranet Asset 248

Importing Assets 250

Importing the File Template 251

Exporting Assets 252

ARP Defense 253

Configuring ARP Defense 254

Configuring Binding Settings 254

Adding a Static IP-MAC-Port Binding 254

Obtaining Dynamic IP-MAC Bindings 254

Bind the IP-MAC Binding Item 255

Importing/Exporting Binding Information 255

Configuring ARP Inspection 256

Chapter 8 Threat Detection 258

Threat Detection Signature Database 259

Anti Virus 260

Configuring Anti-Virus 261

Preparing 261

Configuring Anti-Virus Function 261

Configuring an Anti-Virus Rule 262

Configuring Anti-Virus Whitelist Function 263

Creating an Anti-Virus Whitelist 264

Editing an Anti-Virus Whitelist 264

Deleting an Anti-Virus Whitelist 264

Configuring Anti-Virus Global Parameters 265

Intrusion Detection System 268

Configuring IDS 269

Configuring an IDS Rule 269

Viewing Details about IDS Profile 293

Editing an IDS Profile 293

Deleting an IDS Profile 294

Cloning an IDS Profile 294

Signature List 296

Searching Signatures 296

Managing Signatures 297

IDS Global Configuration 302

Configuring IDS White list 303

Anti-Spam 305

Configuring Anti-Spam 306

Preparing 306

Configuring Anti-Spam Function 306

Configuring an Anti-Spam Profile 307

Configuring an Anti-Spam User-defined Blacklist 310

Anti-Spam Global Configuration 312

Botnet Detection 313

DGA Detection 313

DNS Tunnel Detection 313

Configuring Botnet Detection 315

Preparing 315

Configuring Botnet Detection Function 315

Configuring a Botnet Detection Rule 316

Address Library 318

Configuring the Exclude List 318

Creating a Custom Exclude List 318

Deleting a Custom Exclude List 319

Filtering an Entry in the Exclude List 319

Configuring the Block List 319

Creating a Custom Block List 319

Deleting a Custom Block List 320

Filtering an Entry in the Block List 320

Adding to Exclude List 320

Botnet Detection Global Configuration 326

Attack Detection 328

Configuring Attack Detection 328

Configuring Flood Protection Threshold Learning 336

Configuring Flood Protection Threshold Learning Parameters 336

Enabling Flood Protection Threshold Learning 339

Viewing and Applying Flood Protection Threshold Learning Result 340

Sandbox 342

Configuring Sandbox 343

Preparation 343

Configuring Sandbox 343

Configuring a Sandbox Rule 344

Sandbox Global Configurations 348

Threat List 350

Trust List 350

Abnormal Behavior Detection 352

Endpoint Detection 353

DGA Domain Name Detection 354

Abnormal Behavior Detection Global Configuration 354

Viewing the Abnormal Behavior Detection Information 359

Advanced Threat Detection 361

Configuring Advanced Threat Detection 361

Viewing Advanced Threat Detection Information 361

Deception Detection 364

Preparing 364

Configuring Deception Detection 364

Enabling/Disabling a Deception Detection Object 366

Viewing the Deception Detection Information 367

Web Attack Detection 368

Configuring Web Attack Detection Function 368

Configuring Web Attack Detection Global Configuration 369

Configuring Web Attack Detection Rules 370

Enabling/Disabling Web Attack Detection Rules 370

Filtering Web Attack Detection Rules 372

Editing the Sort Order of Web Attack Detection Rules 372

Editing Rule Parameters 373

Viewing Predefined Rules 378

Rule Search 380

Configuring User-defined Rule 381

Configuring Web Attack Detection Whitelist 382

Encrypted Traffic Detection 383

Configuring the Encrypted Traffic Detection Function 384

Chapter 9 System Management 387

Device Management 388

Administrators 388

Creating an Administrator Account 388

Admin Roles 390

API Token 392

Creating an API Token 392

Trust Host 394

Creating a Trust Host 394

Management Interface 395

System Time 397

Configuring the System Time Manually 397

Configuring NTP 398

NTP Key 399

Creating an NTP Key 399

Option 400

Rebooting the System 401

System Debug 402

Failure Feedback 402

System Debug Information 402

Password Reset Management 402

Configuration File Management 404

Backing Up/Restoring Configuration Files 404

Viewing the Current Configuration 406

SNMP 407

SNMP Agent 407

SNMP Host 408

Trap Host 409

V3 User Group 410

V3 User 412

Upgrading System 414

Upgrading Firmware 414

Upgrading Database Data 415

Updating Signature Database 417

License 419

Applying for a License 421

Installing a License 422

Verifying License 423

Mail Server 425

Creating a Mail Server 425

Extended Services 426

Connecting to iSource 427

iSource Typical Deployment 428

Stand-alone Deployment 428

Cluster Deployment 429

Connecting to iSource 430

Sensor Mode 430

Cascade Mode 432

Viewing the Connection Status of iSource 434

Connecting to HSM 436

HSM Deployment Scenarios 436

Connecting to HSM 437

Connecting to the Threat Trace Server 439

Connecting to the Threat Trace Server 440

Connecting to Hillstone Cloud Service Platform 441

Connecting to Hillstone Cloud Service Platform 441

PKI 445

Creating a PKI Key 446

Creating a Trust Domain 447

Importing/Exporting Trust Domain 450

Importing Trust Certification 451

Configuring a Certificate Chain 451

Creating a Certificate Chain 452

Exporting a Certificate Chain 453

Configuring Certificate Validity Check 453

Chapter 10 Diagnostic Tool 454

Packet Capture Tool 455

Configuring Packet Capture Tools 455

Test Tools 458

DNS Query 458

Ping 458

Traceroute 458

Chapter 11 CLI 460

Logging into a Device 460

Configuring Interfaces 460

Configuring Route 461

Restore Device to Factory Settings 461

Chapter 1 Getting Started Guide
The Hillstone Server Breach Detection System (BDS) combines multiple threat detection technologies: traditional
signature-based detection together with large-scale threat intelligence data modeling and user behavioral
analytics. This makes it suited to detecting unknown or 0-day attacks and to protecting high-value, critical
servers and their sensitive data from leakage or theft. With its deep threat hunting analysis capabilities and
visibility, Hillstone BDS gives security administrators an effective means to detect IOC (Indicators of
Compromise) events, reconstruct the attack kill chain, and gain extensive visibility into threat intelligence
analysis and mitigation.

Preparation
This guide helps you go through initial launch and basic set-up of devices.

Before this, you need to correctly install your Hillstone BDS device.

Note:For detailed installation steps, please see Hillstone Networks BDS Hardware Reference Guide.

Initial Configuration
To complete the initial launch of the device, this guide walks you through the following initial configuration,
consisting of basic configuration and monitoring data display, once the preparations above are complete.

l Basic Configuration

l "Initial Visit to Web Interface" on Page 24

l "Deploying Tap Mode" on Page 20

l "Configuring Network Connections" on Page 27

l Configuring MGT Interface

l Configuring DNS Server

l Configuring Destination Route

Chapter 1 Getting Started Guide 18


l "Preparing the System" on Page 30

l Creating System Administrators

l Adding Trust Hosts

l Installing Licenses

l Updating Signature Databases

l "Configuring Intranet Assets" on Page 34

l Monitoring Data Display

l Risk Assessment

l Application Analysis

l Device Monitor

After completing all the initial configurations above, the set-up of the device is complete and you can view the
relevant monitoring data on the WebUI pages.

Depending on your needs, you can also configure more advanced functions, such as traffic monitoring, report
generation and incident response. For detailed configuration steps, see the later chapters of this guide.



Basic Configuration

Deploying Tap Mode


BDS (Server Breach Detection System) provides server/endpoint risk monitoring, subnet threat monitoring and
traffic monitoring. The intranet traffic of the servers is mirrored to BDS, and the system detects, monitors and
analyzes that mirrored traffic. BDS is designed for tap-mode deployment only: it receives a copy of the traffic
from the core network gateway and never forwards it, so a BDS failure does not affect your network. The flip
side is that BDS on its own only detects; blocking a threat requires a linkage device (see "Mitigation" and
"Linkage Device" in Chapter 4).

The device has a predefined security zone (tap-bds) for tap mode. Select the mirror interface on the device,
add it to the tap-bds zone, and connect the mirror interface to the corresponding switch or router. Make sure
the mirror (SPAN) session on the switch copies both directions of the server traffic to that port; otherwise one
half of every session is invisible to the detection engines.

Complete the following topology to use tap mode.

Zero-Configuration Deployment

BDS supports zero-configuration deployment: connect interface ethernet0/2 of the BDS device to the mirror port
of the switch, and the deployment in your network is complete.

After the deployment is complete, nothing else needs to be configured: the device ships with its predefined
threat detection settings already enabled. You can also change the initial configuration as needed to enable a
higher level of detection and widen the detection coverage.

To view the predefined configuration of the current device, use the following steps. Before viewing, read "Initial
Visit to Web Interface" on Page 24.

Step 1: Configure port mirroring on the switch so that traffic is mirrored to the BDS interface (if needed).

Step 2: View the default zone configuration. Select Configuration Management > Network Configuration > Zone.
In the zone list, find the tap-bds zone, which is the predefined tap zone.

Step 3: View the default configuration of interface ethernet0/2. Select Configuration Management > Network
Configuration > Interface and double-click ethernet0/2; its default configuration is shown.

Step 4: View the default threat detection configuration.

1. Select Configuration Management > Network Configuration > Zone, and double-click tap-bds.

2. View the default threat detection settings on the Threat Detection configuration page (the right-hand
column of the zone dialog).

These settings let the device detect abnormal behavior and find unknown threats while it is working.

Changing the Initial Configurations

After the zero-configuration deployment is complete, you can change the default system configuration and
enable the threat detection functions you require. The following steps describe how to configure the threat
detection functions of BDS.

Step 1: Configure port mirroring on the switch so that traffic is mirrored to the BDS interface (if needed).

Step 2: Bind interface ethernet0/2 to the tap-bds zone.

1. Visit the web interface ("Initial Visit to Web Interface" on Page 24).

2. Select Configuration Management > Network Configuration > Interface.

3. Double-click ethernet0/2 in the interface list.

4. On the Ethernet Interface page, configure the options as below:

Option         Configuration

Binding Zone   TAP

Zone           tap-bds

Step 3: Configure the intranet asset objects.

1. Select Configuration Management > Asset Configuration > Intranet Assets, and click New.

2. On the Intranet Assets page, configure the intranet servers and endpoint groups as intranet assets. For a
detailed example, see "Configuring Intranet Assets" on Page 34.

Step 4: Enable the threat detection functions.

You can enable the relevant threat detection functions on the tap-bds zone according to your needs.

1. Select Configuration Management > Network Configuration > Zone, select the tap-bds zone in the list and
click Edit.

2. On the Zone Configuration page, expand the Threat Detection configuration and check the following options
to enable the threat detection functions:
Option                        Configuration

Antivirus                     Click the Enable button, and select an Anti-Virus rule from the profile
                              drop-down list below.

Intrusion Detection System    Click the Enable button, and select an IDS rule from the profile drop-down
                              list below; or click Add Profile in the drop-down list to create one.

Antispam                      Click the Enable button, and select an Anti-Spam rule from the profile
                              drop-down list below; or click Add Profile in the drop-down list to create
                              one.

Attack Detection              Click the Enable button, and click Configure to set the thresholds.

Abnormal Behavior Detection   Click the Enable button.
                              Endpoint Detection: click the Endpoint Detection Enable button.
                              Advanced Detection: to enable abnormal behavior detection for the HTTP and
                              suspicious-file factors, click the Enable button of Advanced Detection.
                              Forensic: click the Enable button of Forensic to capture and save the
                              evidence that triggered the abnormal-behavior alarm.

Advanced Threat Detection     Click the Enable button.
                              Capture Packets: to keep packet captures, click the Capture Packets Enable
                              button; the system saves the relevant packets and lets you download them.

Sandbox                       Click the Enable button, and select a sandbox rule from the profile
                              drop-down list below; or click Add Profile in the drop-down list to create
                              one.

After these steps the initial configuration has been changed and the system runs with full detection enabled.
Note that Anti-Spam and Sandbox only work once the corresponding purchased service licenses are installed
(see "Installing Licenses" on Page 32).

Initial Visit to Web Interface
Interface MGT0 is configured with the IP address 192.168.1.1/24 by default and accepts SSH, Ping, HTTPS and
SNMP. Use this interface for the initial visit.

To visit the web interface for the first time:

1. In your computer's Ethernet properties, give the IPv4 protocol a static address in the 192.168.1.0/24
subnet (for example 192.168.1.2 with netmask 255.255.255.0), so that it can reach 192.168.1.1.

2. Connect an RJ-45 Ethernet cable from your computer to MGT0 of the device.

3. In your browser's address bar, type "http://192.168.1.1" and press Enter.

4. On the login page, type the default username and password: hillstone/hillstone.

5. When logging in for the first time, you must read and accept the EULA (End User License Agreement). Click
EULA to view its details.

6. Click Login. If you are a first-time user, you are redirected to the configuration wizard.

7. In the wizard, configure the MGT interface, destination routes, DNS servers, system time synchronization,
licenses, signature database upgrades and intranet assets in sequence.

8. Click Complete configuration.

Notes:
l The default administrator "hillstone" with its default password is a well-known credential;
anyone who can reach the WebUI can log in with it. Change the default login password
immediately after the first login, and restrict management access with trust hosts ("Adding
Trust Hosts" on Page 31).

l You can click Exit Wizard to go directly to the system homepage. To enter the configuration
wizard again, select Help > Configuration Wizard in the upper-right corner.

Configuring Network Connections

Configuring MGT Interface

After accessing the device for the first time through the default address 192.168.1.1/24, you can change the IP
address of the MGT0 interface and use the new address for all subsequent access.

To configure the MGT interface, take the following steps:

1. Select Configuration Management > Network Configuration > Management Interface.

2. Select the item MGT0 and click Edit to open the MGT Interface page.

Modify the default IP address of the MGT interface on the MGT Interface page. The values below are the example
used throughout this chapter.

Option       Value

IP Address   10.180.108.105

Netmask      255.255.0.0

3. Click OK. Your browser session is on the old address, so reconnect to the new one (and make sure your
workstation can reach the new subnet) after saving.

Configuring DNS Server

You can configure a server used for DNS resolution for the device.

To configure the DNS server, take the following steps:

1. Select Configuration Management > Network Configuration > DNS > DNS Server.

2. Click New to open the DNS Server Configuration page.

Enter the basic value of the DNS server on the DNS Server Configuration page.

Option      Value

Server IP   10.187.10.1

3. Click OK.

Configuring Destination Route

You can add static destination routes, including a default route (destination 0.0.0.0, netmask 0.0.0.0). To add a
new destination route, take the following steps:

1. Select Configuration Management > Network Configuration > Destination Route.

2. Click New to open the Destination Route Configuration page.

Enter the basic value of the destination route on the Destination Route Configuration page.

Option        Value

Destination   10.230.0.0

Netmask       255.255.0.0

Gateway       10.180.0.1

3. Click OK.

The example route only covers 10.230.0.0/16. With the example MGT0 address 10.180.108.105/16, the example DNS
server 10.187.10.1 lies on neither the MGT subnet nor that route, so in practice you also need a default route
(or routes covering the DNS server and the signature update servers) through the same gateway. The gateway
itself must be on the MGT0 subnet, as 10.180.0.1 is here.
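The following Python script, added here as an example and not part of Hillstone's product or documentation, takes the MGT0, DNS and destination-route values used in this section and checks that they fit together: each gateway must lie on the MGT0 subnet, and each DNS server must be either on that subnet or covered by a configured route. With the values exactly as shown it reports that 10.187.10.1 is reachable by neither path; adding an assumed default route (0.0.0.0/0.0.0.0 via 10.180.0.1) clears the finding. The assumption that all management traffic leaves through MGT0 is the script's, not the page's.

```python
"""Management-plane reachability check for the Getting Started example values.

Added example (not Hillstone code). It models the three settings made above:
MGT0 address/netmask, DNS server, and static destination routes, and reports
anything that would leave a management destination unreachable.
"""
import ipaddress


def mgt_network(ip, netmask):
    """Subnet directly reachable from MGT0, e.g. 10.180.108.105/255.255.0.0 -> 10.180.0.0/16."""
    return ipaddress.ip_interface(f"{ip}/{netmask}").network


def covering_route(routes, target):
    """Longest-prefix match over (destination, netmask, gateway) routes; None if nothing matches."""
    addr = ipaddress.ip_address(target)
    best = None
    for dest, mask, gateway in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.ip_address(gateway))
    return best


def check_management_plane(mgt_ip, mgt_mask, routes, dns_servers):
    """Return a list of human-readable findings; an empty list means the plan is consistent.

    Assumption: management traffic (DNS, updates, NTP) leaves via MGT0 only, so every
    gateway must sit on the MGT0 subnet.
    """
    findings = []
    mgt_net = mgt_network(mgt_ip, mgt_mask)

    for dest, mask, gateway in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if ipaddress.ip_address(dest) != net.network_address:
            findings.append(f"route {dest}/{mask}: {dest} is a host address, network is {net}")
        if ipaddress.ip_address(gateway) not in mgt_net:
            findings.append(f"route {dest}/{mask}: gateway {gateway} is not on the MGT subnet {mgt_net}")

    for dns in dns_servers:
        if ipaddress.ip_address(dns) in mgt_net:
            continue  # directly connected, no route needed
        if covering_route(routes, dns) is None:
            findings.append(
                f"DNS server {dns}: not on the MGT subnet {mgt_net} and no destination route covers it"
            )
    return findings


# Values taken from the examples in this section.
PAGE_MGT_IP, PAGE_MGT_MASK = "10.180.108.105", "255.255.0.0"
PAGE_ROUTES = [("10.230.0.0", "255.255.0.0", "10.180.0.1")]
PAGE_DNS = ["10.187.10.1"]
# Assumed fix: a default route through the same gateway.
DEFAULT_ROUTE = ("0.0.0.0", "0.0.0.0", "10.180.0.1")

if __name__ == "__main__":
    for f in check_management_plane(PAGE_MGT_IP, PAGE_MGT_MASK, PAGE_ROUTES, PAGE_DNS):
        print("finding:", f)
    print("with default route:",
          check_management_plane(PAGE_MGT_IP, PAGE_MGT_MASK, PAGE_ROUTES + [DEFAULT_ROUTE], PAGE_DNS))
```

Run it once with the values you intend to enter; a non-empty list means the wizard will save a configuration that cannot resolve names or fetch signature updates.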

Preparing the System

Creating System Administrators

The system administrator has read, write and execute authority over every feature of the system, can configure
all modules in any mode, and can view the current and historical configurations.

To create a system administrator, take the following steps:

1. Select Configuration Management >System Configuration > Device Management > Administrators.

2. Click New.

Enter values on the Admin Configuration page.

Option             Value

Name               Admin

Role               Administrator

Password           123456

Confirm Password   123456

Login Type         Select Telnet, SSH, HTTP and HTTPS.

The password "123456" is only the placeholder used in this example; choose a strong, unique password for every
administrator account. Telnet and HTTP send credentials in cleartext, so in production allow only SSH and HTTPS.

3. Click OK.

Notes: The system has a default administrator "hillstone" , which cannot be deleted or
renamed.

Adding Trust Hosts

A trust host is a host from which administrators are allowed to manage the device. Once trust hosts are
configured, only connections from addresses in the trust host list can reach the management services, so add
the address you are managing from before you save, or you will lock yourself out.

To add a trust host, take the following steps:

1. Select Configuration Management > System Configuration > Device Management > Trusted Host.

2. Click New.

Enter values on the Trusted Host Configuration page.

Option       Value

Type         Select IP/Netmask.

IP           192.168.1.2/24

Login Type   Select the login types allowed: Telnet, SSH, HTTP and HTTPS.

3. Click OK.

Note that 192.168.1.2/24 admits every host in 192.168.1.0/24, not just 192.168.1.2; use a /32 netmask
(255.255.255.255) to admit a single host, and leave Telnet and HTTP unchecked unless you really need cleartext
management.
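The admission rule described above, as an added example in Python that is not Hillstone code: a client is admitted only if its address falls inside a trust-host entry and that entry permits the login type used. The review function reports the two mistakes a practitioner most wants to catch before clicking OK, locking out the host you are working from and leaving cleartext protocols or a whole subnet admitted. That an empty trust-host list means "no restriction" is an assumption of the example.

```python
"""Trust-host admission decision.

Added example (not Hillstone code). It models the rule stated above: once trust hosts
are configured, only a client whose address falls inside a trust-host entry, and whose
login type that entry permits, can open a management session. The "no entries means
no restriction" behaviour is an assumption for the example.
"""
import ipaddress
from dataclasses import dataclass

LOGIN_TYPES = {"telnet", "ssh", "http", "https"}
CLEARTEXT = {"telnet", "http"}  # credentials cross the wire unencrypted


@dataclass(frozen=True)
class TrustHost:
    network: ipaddress.IPv4Network
    login_types: frozenset


def trust_host(ip_netmask, login_types):
    """Build an entry of type IP/Netmask.

    '192.168.1.2/24' on the page is a host address plus a mask; strict=False turns it
    into the whole 192.168.1.0/24 network, which is what the device admits. Use /32 to
    admit exactly one host.
    """
    types = frozenset(t.lower() for t in login_types)
    unknown = types - LOGIN_TYPES
    if unknown:
        raise ValueError(f"unknown login type(s): {sorted(unknown)}")
    return TrustHost(ipaddress.ip_network(ip_netmask, strict=False), types)


def is_admitted(trust_hosts, client_ip, login_type):
    """True if client_ip may open a management session of the given login type."""
    if not trust_hosts:
        return True  # assumption: empty list = unrestricted
    addr = ipaddress.ip_address(client_ip)
    lt = login_type.lower()
    return any(addr in th.network and lt in th.login_types for th in trust_hosts)


def review(trust_hosts, admin_ip, admin_login_type):
    """Findings to read before saving: self-lockout, cleartext protocols, over-broad entries."""
    findings = []
    if not is_admitted(trust_hosts, admin_ip, admin_login_type):
        findings.append(f"lockout: {admin_ip} over {admin_login_type} would no longer be admitted")
    for th in trust_hosts:
        weak = sorted(th.login_types & CLEARTEXT)
        if weak:
            findings.append(f"{th.network}: cleartext login type(s) {weak} enabled; prefer SSH and HTTPS")
        if th.network.prefixlen < 32:
            findings.append(f"{th.network}: admits {th.network.num_addresses} addresses, not a single host")
    return findings


if __name__ == "__main__":
    # The entry exactly as entered in this section, reviewed from a workstation on
    # the new MGT subnet (10.180.108.5 is a constructed address).
    page_entry = [trust_host("192.168.1.2/24", ["Telnet", "SSH", "HTTP", "HTTPS"])]
    for finding in review(page_entry, "10.180.108.5", "https"):
        print("finding:", finding)
    hardened = [trust_host("10.180.108.5/32", ["SSH", "HTTPS"])]
    print("hardened entry findings:", review(hardened, "10.180.108.5", "https"))
```

The hardened entry in the example admits one host over SSH and HTTPS only; after the MGT address is changed as in "Configuring MGT Interface", the 192.168.1.0/24 entry from the wizard no longer matches any administrator workstation and should be replaced rather than left in place.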

Installing Licenses

To keep the detection functions working and the signature databases updating and upgrading normally, it is
recommended to install all the free licenses, including the APP signature license, the StoneShield license, the
AntiVirus license, the Botnet C&C Detection license, the IDS license and the Platform license. The Threat
Intelligence, Anti-Spam and Sandbox functions require the corresponding purchased service licenses.

After you obtain the license string or file from your sales contact, take the following steps to install the license:

1. Select Configuration Management >System Configuration > License.

2. Choose one of the two ways to import a license:

l Upload License file: Select the radio button, click Browse, and select the license file (a .txt file).

l Manual Input: Select the radio button, and paste the license code into the text box.

3. Click OK.

4. To make the license take effect, reboot the system. Select Configuration Management > System Configuration >
Device Management > Option. In the System Option tab, click Reboot.

Updating Signature Database

After installing the licenses, it is recommended to update the corresponding signature databases immediately.
By default, the system updates the databases automatically once a day. Features that depend on continuous
signature updates are license-controlled: a valid license for the feature must be installed before its signature
library can be updated.

To update a database, take the following steps:

1. Select Configuration Management > System Configuration > Upgrade Management, and click the Signature
Database Update tab.

2. Find your intended database, and choose one of the following two ways to upgrade.

l Remote Update: Click Update , the system will automatically update the database.

l Local Update: Select Browse to open file explorer, and select your local signature file to import it into
the system.

Configuring Intranet Assets
Intranet assets are the IT assets an organization depends on to operate and make a profit: key servers, endpoint
groups, networking devices, data storage servers and so on. Because they are essential to day-to-day operations,
these assets are the targets of cyber-attacks, and they need stronger protection than ordinary individual
endpoints. The server and endpoint risk monitors report on the hosts defined here, so keep the list complete.

You can configure intranet assets in two ways: creating them and importing them. The following steps, taking a
server as an example, show how to configure an intranet asset by creating it.

1. Select Configuration Management > Asset Configuration > Intranet Assets.

2. Click New to open the Intranet Asset Configuration page.

Enter the basic information of the intranet asset on the Intranet Asset Configuration page.

Option   Value

Name     test

Type     Select Server (group).

IP       Select IP/Netmask and enter 10.180.188.14/32.

3. Click OK.

You can also configure intranet assets by importing. First download the template file and fill in the intranet
asset information according to the instructions in the file, then perform the import.

For the server in the example above, the intranet asset information is filled in as shown in the template figure
(not reproduced here).

Note: For detailed steps, please see BDS WebUI UserGuide.

Monitoring Data Display
After completing the basic configuration of the device, you can view the relevant monitoring data displayed on the
following page to quickly get familiarized with the monitoring and device status.

l Risk Assessment

l Application Analysis

l Device Monitor

Risk Assessment
Click Risk Assessment to open the Risk Assessment page. On this page you can view a multi-dimensional, in-depth
overview of server risk, endpoint risk and statistics of the related threat events.

Click the Screening Monitoring Mode button to enter Screening Monitoring Mode (see "Screening Monitoring Mode"
on Page 46).



Server Risk Monitor

You can view the following information in this part.

l Risk distribution of servers

l Trend of risk servers within the last two weeks

l Top 5 risk servers within the last two weeks

Endpoint Risk Monitor

You can view the following information in this part.



l Risk distribution of endpoints

l Trend of risk endpoints within the last two weeks

l Top 5 risk endpoints within the last two weeks

Threat Monitor

You can view the following information in this part.

l Number of IOC events within the last two weeks

l Trend of IOC events within the last two weeks

l Latest ten Hot Events

l Geographical distribution of threats

l Top 5 threat tags/events within the last two weeks

Application Analysis
Select System Monitor > Application Analysis to open the Application Analysis page. On this page you can view
information about application usage, source IP activity, destination IP activity, source regions, destination
regions and interfaces in the specified period.

Device Monitor
Select System Monitor > Device Monitor to open the Device Monitor page. On this page you can view information
about total traffic, sessions, CPU/memory status and hardware status.

l Total traffic within the specified statistical period

l Current sessions utilization, new sessions trend and concurrent sessions trend

l Current CPU utilization, memory utilization and CPU temperature statistics

l Real-time hardware status, including storage, chassis temperature and fan status



Chapter 2 Risk Assessment
Risk assessment page display all servers, endpoints and threats in a multi-dimensional and deeper way.

l Focus on Indicators of Compromises (IOC event). IOC event is an evidence that indicate whether the security
of the network has been breached or server/endpoints have been compromised, and plays a key role in asso-
ciation analysis.
IOC threat event behaviors can be divided into 6 types: C&C, Internal Attacks, Internal Scans, Botnet to
External , File transfer and External attacks.

l Graphical display of Host Risk Index (HRI). The HRI is an index of the comprehensive calculation of the IOC
events, associated threat events of the server or the endpoint in the past 14 days and the threat attack property
of each event and its weight.
Servers or endpoints with different risk indexes will be displayed in different color icons on the server risk
monitor page or the endpoint risk monitor page. When the risk index is greater than 0, the red icon is displayed.
When the risk index is 0, the green icon is displayed.

l Comprehensive display of threat tags related to servers, endpoints, and threat events. A threat tag is keyword information that makes it easier for users to understand a threat, virus or vulnerability. When a threat event is detected on a server or endpoint, the system adds the corresponding threat tags, such as Eternal Blue, Ransomware, WannaCry or Trojan, so that users can understand the intranet servers or endpoints they are concerned about more intuitively through the threat tags.
By default, the system supports the threat tag database, which contains predefined threat tag names and the mapping between tags and threat events. By default, the system updates the threat tag database at a fixed time every day, and you can modify the update settings according to your own requirements. The system supports automatic update and manual update; see "Upgrading System" on Page 414.

l "Server Risk Monitor" on Page 49: Displays the statistics of intranet server IOC threat events, threat behaviors and abnormal traffic. Displays the trend of risk server changes for the last 2 weeks via a trend chart, and displays the risk/traffic relationships, threat information and traffic details between intranet servers on the server risk monitor topology page.

l "Endpoint Risk Monitor" on Page 76: Displays the statistics of IOC threat events and threat behaviors of intranet endpoints, and displays the detailed information of all risk endpoints on the network and the detailed information of endpoint threat behaviors in tabular form.

l "Threat Monitor" on Page 84: Displays the details of all threats on the whole network within a specified period in graphs.
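
The HRI and threat-tag descriptions above can be made concrete with a small model. The following is an added example, not Hillstone's code or any published formula: the guide only states that the HRI is derived from a host's IOC and associated threat events in the past 14 days, weighted by each event's threat attack property, and that a tag database maps threat events to tags. The per-behavior weights, the constructed tag database, the sample events and the rule that only in-window events contribute to both the index and the tag list are assumptions made for illustration; the red/green icon rule is the one the guide states.

```python
"""Illustrative Host Risk Index (HRI) and threat-tag computation.

Added example, not Hillstone's code. Weights, tag database, sample events and
the in-window aggregation rule are assumptions; the 14-day window and the
red (>0) / green (==0) icon rule are taken from the guide.
"""
from datetime import datetime, timedelta

RISK_WINDOW = timedelta(days=14)   # window stated in the guide

# Assumed weight per IOC behavior type (the six types named in the guide).
BEHAVIOR_WEIGHT = {
    "C&C": 10,
    "Internal Attacks": 6,
    "Internal Scans": 2,
    "Botnet to External": 8,
    "File Transfer": 4,
    "External Attacks": 3,
}

# Constructed stand-in for the threat tag database: threat event name -> tags.
TAG_DATABASE = {
    "MS17-010 SMB exploit attempt": ["Eternal Blue"],
    "WannaCry killswitch domain lookup": ["WannaCry", "Ransomware"],
    "Generic downloader beacon": ["Trojan"],
}


def events_in_window(events, now):
    """Keep only events detected within the 14-day window ending at `now`."""
    cutoff = now - RISK_WINDOW
    return [ev for ev in events if ev["time"] >= cutoff]


def host_risk_index(events):
    """Sum weight * occurrence count over the given events.

    Each event is a dict with 'behavior' (one of BEHAVIOR_WEIGHT) and 'count'.
    Unknown behavior types contribute nothing.
    """
    return sum(BEHAVIOR_WEIGHT.get(ev["behavior"], 0) * ev["count"] for ev in events)


def risk_icon(hri):
    """Icon colour rule from the guide: red when HRI > 0, green when HRI == 0."""
    return "red" if hri > 0 else "green"


def threat_tags(events):
    """Collect the tags mapped to the events' threat names (de-duplicated, in order)."""
    tags = []
    for ev in events:
        for tag in TAG_DATABASE.get(ev["name"], []):
            if tag not in tags:
                tags.append(tag)
    return tags


def assess_host(events, now):
    """Assessment as it would appear in a server/endpoint list row."""
    recent = events_in_window(events, now)
    hri = host_risk_index(recent)
    return {"hri": hri, "icon": risk_icon(hri), "tags": threat_tags(recent)}


# Constructed sample: one host with one stale event and two recent ones.
NOW = datetime(2023, 8, 23, 12, 0, 0)
SAMPLE_EVENTS = [
    {"time": NOW - timedelta(days=20), "behavior": "Internal Scans",
     "count": 5, "name": "MS17-010 SMB exploit attempt"},      # outside window
    {"time": NOW - timedelta(days=3), "behavior": "C&C",
     "count": 2, "name": "Generic downloader beacon"},
    {"time": NOW - timedelta(days=1), "behavior": "Internal Attacks",
     "count": 1, "name": "WannaCry killswitch domain lookup"},
]

if __name__ == "__main__":
    print(assess_host(SAMPLE_EVENTS, NOW))
```

With the sample data the stale scan is dropped, the two recent events give an index of 26 (red icon), and the tag list shows Trojan, WannaCry and Ransomware, which is the kind of row the overview and list pages described in this chapter present.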

Overview
Click Risk Assessment to open the risk assessment overview page.

l The detection time range of the statistics is displayed in the upper right corner of the page.

l Click the Refresh Interval drop-down list and select the refresh interval of the Risk Assessment page: 30 seconds, 1 minute, 5 minutes or Manual.

l The default refresh interval is 5 minutes.

l If you select Manual, click the refresh button after the drop-down list to refresh the Risk Assessment page.

l Click the button in the upper right corner to enter the Screening Monitoring Mode.

Server Risk Monitor Overview

l Risk Distribution: Displays the statistics of risk servers (risk and no risk) via a pie chart.

l Hover your mouse over the red portion of the pie chart to view the number of risk intranet servers. Click the red portion of the pie chart to open the "Server List" on Page 50 page and view the list of all risk intranet servers within the specified time period.

l Hover your mouse over the green portion of the pie chart to view the number of no-risk intranet servers. Click the green portion of the pie chart to open the "Server List" on Page 50 page and view the list of no-risk intranet servers within the specified time period.

l Hover your mouse over the middle portion of the pie chart to view the number of all intranet servers. Click the number to open the "Server List" on Page 50 page and view the list of all intranet servers within the specified time period.

l Trend of Risk Servers: Displays the trend of risk servers in the last 2 weeks via a trend chart.

l Hover your mouse over the trend chart to view the number of risk servers for the specified date.

l Top 5 Risk Servers: Displays the top 5 risk servers ranked over the last 14 days.

l Click the server name link to open the Server Detail dialog and view the details of the selected risk server.

l Click the threat tag corresponding to the server to open the "Server List" on Page 50 page, with the threat tag automatically selected as the filter condition, to display a list of all servers in the intranet corresponding to the threat tag.

l Click the All link to view the list of all servers.

Endpoint Risk Monitor Overview

l Risk Distribution: Displays the statistics of risk endpoints (risk and no risk) via the left pie chart.

l Hover your mouse over the red portion of the pie chart to view the number of risk endpoints. Click the red portion of the pie chart to view the list of risk endpoints on the "Endpoint Risk Monitor" on Page 76 page.

l Hover your mouse over the green portion of the pie chart to view the number of no-risk endpoints. Click the green portion of the pie chart to view the list of no-risk endpoints on the "Endpoint Risk Monitor" on Page 76 page.

l Hover your mouse over the middle portion of the pie chart to view the number of all intranet endpoints. Click the number to view the list of all endpoints on the "Endpoint Risk Monitor" on Page 76 page.

l Trend of Risk Endpoints: Displays the trend of risk endpoints in the last 2 weeks via a trend chart.

l Hover your mouse over the trend chart to view the number of risk endpoints for the specified date.

l Top 5 Risk Endpoints: Displays the top 5 risk endpoints ranked over the last 14 days.

l Click the endpoint name link to open the Endpoint Detail dialog and view the details of the selected risk endpoint.

l Click the threat tag corresponding to the endpoint to open the "Endpoint Risk Monitor" on Page 76 page, with the threat tag automatically selected as the filter condition, to display a list of all endpoints in the intranet corresponding to the threat tag.

l Click the All link to view the list of all endpoints.

Threat Monitor Overview

l Threat: Displays the statistical results of the number of intranet IOC threats for the last 2 weeks.

l Click the number of intranet IOC threats; the page redirects to the "Threat Monitor" on Page 84 page, where you can view the detailed list of threat events for the selected threat type.

l Trend of IOC Events: Displays the trend of IOC events in the last 2 weeks via a trend chart.

l Hover your mouse over the trend chart to view the number of IOC threats for the specified date.

l Threat Geographical Distribution: Displays the geographic distribution of all external attackers on a map. Hover your mouse over a dark region to view the number of threats in that area. Click a dark region; the page redirects to the "Threat Monitor" on Page 84 page, where you can view the detailed list of threat events from the selected region.

l Hot Events: Displays the names of the last 10 hot threat intelligence items received. If the system has been attacked by a threat in the threat intelligence, the name is displayed in red; otherwise it is displayed in blue. Click the name of a hot threat intelligence item to jump to the Hot Intelligence Monitor page and view the detailed list for the selected item.

l Top 5 Threat Tags: Displays the top 5 threat tags in the last 2 weeks.

l Click the threat tag name to open the "Endpoint Risk Monitor" on Page 76 page, with the threat tag automatically selected as the filter condition, to display a list of all threat events in the intranet corresponding to the threat tag.

l Click the number of threat tags corresponding to the server / endpoint / threat event to open the "Server List" on Page 50 / "Endpoint Risk Monitor" on Page 76 / "Endpoint Risk Monitor" on Page 76 page, which displays a list of all servers / endpoints / threat events in the intranet corresponding to the threat tag.

l Top 5 Threat Events: Displays the top 5 attacks, ranked by the number of attacks performed, in a bar chart.

l Click a bar in the chart or a threat name; the page redirects to the "Threat Monitor" on Page 84 page, where you can view the detailed list of threat events for the selected threat.

l Click the All link; the page redirects to the "Threat Monitor" on Page 84 page, where you can view the detailed list of all threat events.

Screening Monitoring Mode


The screening monitoring mode of risk assessment displays information about the risk and security situation of the intranet. You can use this mode to monitor the risk of the whole network.

Click the button in the upper right corner of the Risk Assessment page to enter the screening monitoring mode.

Notes: To ensure accurate geographical distribution, specify the country or region where the device is located in Host Configuration under Configuration Management > System Configuration > Device Management > Option.

Chapter 3 Security Analysis
The security analysis includes:

l "Server Risk Monitor" on Page 49: Displays risk and traffic details between servers through lists, topologies, etc.

l "Endpoint Risk Monitor" on Page 76: Displays all risky endpoints and threat information of the whole network.

l "Threat Monitor" on Page 84: Displays all threat information of the whole network within the specified period.

l "Hot Threat Intelligence" on Page 104: Displays the intelligence of hot threats on the Internet, including IPS vulnerabilities, viruses and threats detected by the cloud sandbox.

Server Risk Monitor
For administrators, the internal world of the intranet assets is invisible: they mostly do not know the source direction of the internal risk to servers or the traffic throughput between two intranet servers. As a consequence, it is difficult for administrators to monitor the risk and traffic of intranet servers.

BDS provides visibility into the intranet servers. The risk and traffic of intranet servers are visible to administrators on the topology view page, which shows the network topology with icons and arrows.

Related links:

l "Server List" on Page 50

l "Server Threat Topology" on Page 59

l "Server Traffic Topology" on Page 67

Server List
The Server List page displays detailed statistics for all servers on the whole network within the specified time.

To enter the server list, take the following steps:

1. Click Security Analysis > Server, and select the Threat tab.

2. Click the Table button in the top right corner.

l Servers with different risk indexes are displayed with icons of different colors on the server list page. When the risk index is greater than 0, a red icon is displayed; when the risk index is 0, a green icon is displayed.

l Click the Detection Period drop-down list and select the statistical cycle. The default time range is the last 14 days.

l To delete a server that has been identified, select the check box of the server and click the Delete button above the list. After deletion, all historical data of the server is deleted from the system. When the server generates new traffic, the system re-identifies it and displays it in the server list again.
Note: Deleting an identified server does not affect the intranet asset configuration.

l Click the filter and select the condition in the drop-down list to search for risk servers.

Notes: The added filter conditions take effect on the server list page, the server threat topology page and the server traffic topology page.
For example, add a "Risk Status" filter on the server list page and specify "Risk" as shown below:

After opening the server traffic topology page, this filter condition has been automatically added to that page, as shown below:

l To save the filter, take the following steps:

1. Click the button to the right of the filter, then click the save option in the pop-up list.

2. Enter the name in the pop-up text box and click the Save button.

3. Click the saved filter name to display the server information corresponding to the filter condition.

l To delete the filter, take the following steps:

l Delete a single filter: Hover your mouse over that filter and click the × on the right to delete the filter.

l Delete all filters: Click the × Remove All button on the right side of the filters to delete all filters.

l Delete the saved filters: Click the button to the right of the filter, then in the pop-up list, click the × to the right of the saved filter name you want to delete.

l Add to exception IP: For a server that has been identified by a server group, you can add the IP address of the server to the exception IP list of the owning server group (so that it is no longer recognized as a server). To add an IP address to the exception IP list, take the following steps:

1. Hover your mouse over the server IP entry in the list that needs to be added to the exception IP list, and click the button that appears on the right.

2. Click + Add to Exception IP in the pop-up menu to add the server IP address to the exception IP list.

3. You can view the intranet asset configuration details in the pop-up Intranet Asset Configuration dialog.

4. Click OK to save the configuration.

Server Details

Click Intranet Asset (Server IP) link to open the Server Detail dialog.

l In the Threat tab, view the IOC threat events or the associated threat events of the server.

l Threats between the external network and the internal network are displayed on the left side, and threats from the internal network to the internal network are displayed on the right side.

l The name of the threat event behavior is shown beside the icon; the red number in the top right corner of the icon indicates the number of occurrences of the threat event. The direction of the link arrow indicates the direction of the threat behavior.

l A red link indicates that an IOC threat or associated threat event has been detected. Click the red link to view the details of the classified threats of the selected behavior in the list below.

l Gray links indicate that there is no IOC threat or associated threat event.

l Click the Clean up server threat events button, and the system removes all threat events related to this server.

l Click a threat name link in the list to view detailed information, source/destination, knowledge base and history about the threat. Please refer to Threat Details.

l In the list, click the threat intelligence icon ( , or ) after the address in the "Source"/"Destination" column, or hover your cursor over an object and click the button ( ) that appears to its right, to open the threat intelligence center (CloudVista). See Viewing the Threat Intelligence.

l In the Events Highlights tab, view the high-reliability IOC events that have been detected recently on the server. Click Details to view the details of specific threat events.

l In the Traffic Monitor tab, view the topology of all traffic (normal and abnormal) sent or received by the server.

l Click the links to view the traffic monitor result.

l Click the filter and select the condition in the drop-down list to search for the server traffic.

l After you have deployed the threat trace function and installed the BDS ThreatTrace client on the server, you can view the list of executable programs related to the threats of the server in the Server Application tab.

l Click the Export Report button; the browser launches the default download tool and downloads the Server Security Assessment Report in PDF format. Through this report, you will learn the basic state of the server, related network threats, and abnormal traffic.

Server Threat Topology
The Server Threat Topology page displays all the resources of the user's network (external network, intranet assets) and the risk/traffic relationships between the intranet servers.

To enter the Server Threat Topology page, take the following steps:

1. Click Security Analysis > Server, and select the Threat tab.

2. Click the Topology button in the top right corner to open the server threat topology page.

l Click the Detection Period drop-down list to set the time cycle.

Icons

Icons have the following meaning:

l : Risk Server

l : No Risk Server

l : Subnet

l : Internet

l : Threat

Filters

The server risk monitor topology view page changes automatically according to the filters you set.

To set up filters:

1. Click the button and select a filter type.

2. Enter a keyword or select an item. To set more than one filter type, click the button on the right side.
After the setup is complete, the server risk monitor topology is filtered according to the combination of all selected filters.

Notes: The added filter conditions take effect on the server list page, the server threat topology page and the server traffic topology page.
For example, add a "Risk Status" filter on the server list page and specify "Risk" as shown below:

After opening the server traffic topology page, this filter condition has been automatically added to that page, as shown below:

To save the filter, take the following steps:

1. Click the button to the right of the filter, then click the save option in the pop-up list.

2. Enter the name in the pop-up text box and click the Save button.

3. Click the saved filter name to display the server information corresponding to the filter condition.

To delete the filter, take the following steps:

l Delete a single filter: Hover your mouse over that filter and click the × on the right to delete the filter.

l Delete all filters: Click the × Remove All button on the right side of the filters to delete all filters.

l Delete the saved filters: Click the button to the right of the filter, then in the pop-up list, click the × to the right of the saved filter name you want to delete.

Lines

If an intranet asset is connected to another intranet asset by an arrow "→", a threat event between the two intranet assets has been detected. The direction of the arrow represents the direction of the threat event: the tail of the arrow is the source, and the tip of the arrow is the target.

l A red link between intranet assets indicates that a threat event has been detected between the two intranet assets.

l Click the red link to view the threat event detailed list.

l Click a specific intranet asset icon to highlight the other intranet assets that have a threat relationship with the selected intranet asset.

l If intranet assets have no links, no threat is associated with them, and they are displayed at the bottom of the page.

Modifying the Layout of Page

You can modify the layout of the page icons as needed.

To modify the page layout, take the following steps:

1. Press and hold the intranet asset icon and drag it to the desired position.

2. After the modification, the page layout is saved automatically.

3. If you need to reset it to the default position, click the button.

Notes: Only the Administrator and Operator have the authority to modify and save the page layout.

Viewing the Details of Server

To view the details of a server, take the following steps:

1. On the server threat topology page, right-click a server icon to view the basic information of the server in the pop-up dialog.

2. Double-click the server icon or click Threat in the pop-up basic information dialog to open the Server Detail dialog. For details, please refer to Server Details.

Viewing the Risk TOP 10 Server

Click Top 10 risk servers on the right side to display the list of the top 10 risk servers within the specified time range in the pop-up window.

l Click the server name in the list to highlight the other intranet assets that have a threat relationship with the selected server.

Server Traffic Topology
The Server Traffic Topology page displays the traffic monitoring result of all the resources of the user's network (external network, intranet assets) and the traffic relationships between the intranet servers and subnets. For the configuration of traffic monitoring, refer to "Traffic Monitor" on Page 128.

To enter the Server Traffic Monitor page, take the following steps:

1. Click Security Analysis > Server.

2. Select the Traffic tab to open the server traffic monitor topology page.

l Click the Detection Period drop-down list to set the time cycle.

Icons

Icons have the following meaning:

l : Risk Server

l : No Risk Server

l : Subnet

l : Internet

l : Abnormal Traffic

l : Normal Traffic

Filters

The server traffic monitor topology view page changes automatically according to the filters you set.

To set up filters:

1. Click the button and select a filter type.

2. Enter a keyword or select an item. To set more than one filter type, click the button on the right side.
After the setup is complete, the server risk monitor topology is filtered according to the combination of all selected filters.

Notes: The added filter conditions take effect on the server list page, the server threat topology page and the server traffic topology page.
For example, add a "Risk Status" filter on the server list page and specify "Risk" as shown below:

After opening the server traffic topology page, this filter condition has been automatically added to that page, as shown below:

To save the filter, take the following steps:

1. Click the button to the right of the filter, then click the save option in the pop-up list.

2. Enter the name in the pop-up text box and click the Save button.

3. Click the saved filter name to display the server information corresponding to the filter condition.

To delete the filter, take the following steps:

l Delete a single filter: Hover your mouse over that filter and click the x button on the left to delete the filter.

l Delete all filters: Hover your mouse over the x button on the right side of the filters to delete all filters.

l Delete the saved filters: Click the button to the right of the filter, then in the pop-up list, click the x to the right of the saved filter name you want to delete.

Lines

If an intranet asset is connected to another intranet asset by an arrow "→", traffic between the two intranet assets has been detected. The direction of the arrow represents the direction of the traffic: the tail of the arrow is the source, and the tip of the arrow is the target.

l A red link between intranet assets indicates that abnormal traffic has been detected between the two intranet assets.

l A green link between intranet assets indicates that normal traffic has been detected between the two intranet assets.

l Click a specific intranet asset icon to highlight the other intranet assets that have a traffic relationship with the selected intranet asset.

Modifying the Layout of Page

You can modify the layout of the page icons as needed.

To modify the page layout, take the following steps:

1. Press and hold the intranet asset icon and drag it to the desired position.

2. After the modification, the page layout is saved automatically.

3. If you need to reset it to the default position, click the button.

Notes: Only the Administrator and Operator have the authority to modify and save the page layout.

Viewing the Details of Server Traffic Monitor

To view the details of the server traffic monitor, take the following steps:

1. On the server traffic monitor topology page, right-click a server icon to view the basic information of the server in the pop-up dialog.

2. Double-click the server icon or click Threat in the pop-up basic information dialog to open the Server Detail dialog. For details, please refer to Server Details.

Viewing the Result of Traffic Monitor

After configuring the "Traffic Monitor" on Page 128 function, you can view the results on the server traffic monitor topology view page.

1. On the server traffic monitor topology page, select a server, click the link line, and view the traffic relationship list in the pop-up dialog. Abnormal traffic items are highlighted in red.

2. Click the filter and select a filter type to filter the list of traffic items.

3. Double-click the abnormal traffic item or click the corresponding + button to view the comparison chart of the actual traffic and the traffic threshold trend in the expanded area.

l Abnormal traffic is shown as a red dot. Hover your mouse over the red dot to view the type and value of the abnormal traffic.

l Click the Baseline Learning button to relearn this traffic baseline.

l Click the Not Monitor button to disable this traffic baseline.

l Click the Ignored Event button and select the abnormal traffic time item in the drop-down list to ignore the specified abnormal traffic point; the red mark is removed.

l To zoom in on the trend chart, select the part you want to enlarge in the trend graph. Click the Reset Zoom button to restore the default display.
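
The comparison of actual traffic against a learned threshold, together with the Baseline Learning, Not Monitor and Ignored Event actions described above, follows a pattern worth seeing end to end. The following is an added example, not Hillstone's code: the guide does not state how BDS learns the baseline, so the model here (a per-hour-of-day threshold of mean plus three standard deviations, with a minimum sample count) and the sample traffic series are assumptions made for illustration. It shows why a backup-sized transfer at 02:00 is abnormal while a larger transfer at 14:00 is not, and how an ignored event or a disabled baseline suppresses the red mark.

```python
"""Illustrative traffic baseline and abnormal-traffic detection.

Added example, not Hillstone's code. The baseline model (per-hour mean plus
3 * stddev), MIN_SAMPLES and all sample data are assumptions; the three
actions (relearn, not monitor, ignore event) mirror the buttons in the guide.
"""
from datetime import datetime, timedelta
from statistics import mean, pstdev

SIGMA_MULTIPLIER = 3.0   # assumed: threshold = mean + 3 * stddev
MIN_SAMPLES = 3          # assumed: do not judge an hour with too little history


class TrafficBaseline:
    """Per-hour-of-day baseline for one traffic relationship (one link in the topology)."""

    def __init__(self):
        self.thresholds = {}      # hour of day -> threshold in bytes
        self.monitored = True
        self.ignored = set()      # timestamps whose abnormal mark is suppressed

    def learn(self, samples):
        """Baseline Learning: (re)build the thresholds from (timestamp, bytes) samples."""
        by_hour = {}
        for ts, value in samples:
            by_hour.setdefault(ts.hour, []).append(value)
        self.thresholds = {
            hour: mean(vals) + SIGMA_MULTIPLIER * pstdev(vals)
            for hour, vals in by_hour.items() if len(vals) >= MIN_SAMPLES
        }
        return self.thresholds

    def set_monitored(self, flag):
        """Not Monitor: disable (or re-enable) this baseline."""
        self.monitored = flag

    def ignore_event(self, ts):
        """Ignored Event: suppress the abnormal mark for one time point."""
        self.ignored.add(ts)

    def threshold_for(self, ts):
        """Threshold that applies to a sample, or None if that hour has no baseline."""
        return self.thresholds.get(ts.hour)

    def check(self, samples):
        """Return the abnormal points as (timestamp, value, threshold) tuples."""
        if not self.monitored:
            return []
        abnormal = []
        for ts, value in samples:
            thr = self.threshold_for(ts)
            if thr is None or ts in self.ignored:
                continue
            if value > thr:
                abnormal.append((ts, value, thr))
        return abnormal


# Constructed history: seven days of bytes sent at 02:00 (quiet) and 14:00 (busy).
START = datetime(2023, 8, 1)
HISTORY = []
for day, (v02, v14) in enumerate(zip(
        [1000, 1100, 900, 1050, 950, 1000, 1000],
        [50000, 52000, 48000, 51000, 49000, 50000, 50000])):
    d = START + timedelta(days=day)
    HISTORY.append((d.replace(hour=2), v02))
    HISTORY.append((d.replace(hour=14), v14))

# Constructed "today": a large transfer in the quiet hour, an unbaselined hour, and a
# normal busy-hour value that is above 14:00's mean but below its threshold.
TODAY = datetime(2023, 8, 8)
TODAY_SAMPLES = [
    (TODAY.replace(hour=2), 40000),
    (TODAY.replace(hour=9), 70000),
    (TODAY.replace(hour=14), 52000),
]


def demo():
    """Learn from HISTORY and report today's abnormal points."""
    baseline = TrafficBaseline()
    baseline.learn(HISTORY)
    return baseline.check(TODAY_SAMPLES)


if __name__ == "__main__":
    for ts, value, thr in demo():
        print(f"{ts:%Y-%m-%d %H:%M} abnormal: {value} bytes > threshold {thr:.0f}")
```

Only the 02:00 point is flagged: its hour has a threshold of roughly 1,180 bytes, whereas 52,000 bytes at 14:00 stays under that hour's threshold of roughly 53,600. The 09:00 sample is skipped because there is no history for that hour, which is the situation in which an operator would click Baseline Learning rather than treat silence as normal.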

Viewing the Traffic TOP 10 Server

Click Top 10 heavy traffic servers on the right side to display the list of the top 10 servers by traffic within the specified time range in the pop-up window.

l Click the server name in the list to highlight the other intranet assets that have a traffic relationship with the selected server.

Endpoint Risk Monitor

Endpoint Risk Monitor Details


The Endpoint Risk Monitor page displays all risky endpoints and threat information of the whole network.

l Endpoints with different risk indexes are displayed with icons of different colors on the server risk monitor page or the endpoint risk monitor page. When the risk index is greater than 0, a red icon is displayed; when the risk index is 0, a green icon is displayed.

l Click the filter and select the condition in the drop-down list to search for risk endpoints.

l To delete an endpoint that has been identified, select the check box of the endpoint and click the Delete button above the list. After deletion, all historical data of the endpoint is deleted from the system. When the endpoint generates new traffic, the system re-identifies it and displays it in the endpoint list again.
Note: Deleting an identified endpoint does not affect the intranet asset configuration.

l To save the filter, take the following steps:

1. Click the button to the right of the filter, then click the save option in the pop-up list.

2. Enter the name in the pop-up text box and click the Save button.

3. Click the saved filter name to display the endpoint information corresponding to the filter condition.

l To delete the filter, take the following steps:

l Delete a single filter: Hover your mouse over that filter and click the × on the right to delete the filter.

l Delete all filters: Click the × Remove All button on the right side of the filters to delete all filters.

l Delete the saved filters: Click the button to the right of the filter, then in the pop-up list, click the × to the right of the saved filter name you want to delete.

l Add to Server: For an endpoint whose service type has been identified but which has not been identified as an intranet asset server, the user can identify the endpoint as an intranet asset server.

1. Hover your mouse over the Endpoint Name/IP entry in the endpoint list that needs to be added to the servers, and click the button that appears on the right.

2. Click + Add to Server to identify the endpoint as an intranet asset server.

3. You can modify the endpoint name, description and service type in the Intranet Asset Configuration dialog.

4. Click OK to save the configuration.

5. At this point, you can view the entry for the endpoint that has been added to the servers on the Intranet Assets page (click Configuration Management > Asset Configuration > Intranet Assets).

Endpoint Details
Click an Endpoint Name/IP link in the list to view the endpoint details.

l In the Threat Analysis tab, view the IOC threat events or the associated threat events of the endpoint.

l Threats between the external network and the internal network are displayed on the left side, and threats from the internal network to the internal network are displayed on the right side.

l The name of the threat event behavior is shown beside the icon; the red number in the top right corner of the icon indicates the number of occurrences of the threat event. The direction of the link arrow indicates the direction of the threat behavior.

l A red link indicates that an IOC threat or associated threat event has been detected. Click the red link to view the details of the classified threats of the selected behavior in the list below.

l Gray links indicate that there is no IOC threat or associated threat event.

l Click the Clean up endpoint threat events button, and the system removes all the threats associated with this server.

l Click a threat name link in the list to view detailed information, source/destination, knowledge base and history about the threat. Please refer to Threat Details.

l In the list, click the threat intelligence icon ( , or ) after the address in the "Source"/"Destination" column, or hover your cursor over an object and click the button ( ) that appears to its right, to open the threat intelligence center (CloudVista). See Viewing the Threat Intelligence.

l In the Events Highlights tab, view the high-reliability IOC events that have been detected recently on the endpoint. Click Details to view the details of specific threat events.

l After you have deployed the threat trace function and installed the BDS ThreatTrace client on the endpoint, you can view the list of executable programs related to the threats of the server in the Endpoint Application tab.

l Click the Export Report button; the browser launches the default download tool and downloads the Endpoint Safety Assessment Report in PDF format. Through this report, you will learn the basic state of the endpoint, related network threats, and abnormal traffic.

Viewing the Abnormal Traffic Monitor Result of Endpoint

When an endpoint has abnormal traffic and the Abnormal Traffic column in the endpoint list shows the number of abnormal traffic items, you can view the abnormal traffic monitor results of the endpoint in the Endpoint Detail dialog.

1. In the endpoint list, select the endpoint entry with the abnormal traffic.

2. Click the Endpoint Name/IP link.

3. Click the Abnormal Traffic tab to view the abnormal traffic monitor results of the endpoint.

Threat Monitor

Threat Details
The Threat Monitor page displays all threat information of the whole network within the specified period.

Click Security Analysis > Threat Event to open the threat events page.

l Click the filter and select a filter type to filter the list of endpoint items. When selecting the filter condition Attack Result, view the threat events of the specified attack result, including:

l Attempted: Indicates that an attack occurred, but the attack was unsuccessful or the result of the attack is uncertain, and it is impossible to determine whether the attacked device has been compromised.

l Successful: The attacker has successfully exploited the vulnerability or delivered a malicious sample, and it is unclear whether the malicious sample has been executed.

l Confirmed Compromised: It is confirmed that the attacked device has been compromised, and behaviors such as outreach and lateral spread have occurred.

l Unknown: Attack results upgraded from an old database, or attack results preset by an unsupported detection engine.

l Click the Detection Period drop-down list to set the time cycle.

l To save the filter, take the following steps:

1. Click the button to the right of the filter, then click the save option in the pop-up list.

2. Enter the name in the pop-up text box and click the Save button.

3. Click the saved filter name to display the threat information corresponding to the filter condition.

l To delete the filter, take the following steps:

l Delete a single filter: Hover your mouse over that filter and click the × on the right to delete the filter.

l Delete all filters: Click the × Remove All button on the right side of the filters to delete all filters.

l Delete the saved filters: Click the button to the right of the filter, then in the pop-up list, click the × to the right of the saved filter name you want to delete.

l Click a threat name link in the list to view the threat details.

l Click Add Threat Alarm Rule in the upper right corner to open the Threat Alarm Rule Configuration page and configure threat alarm rules for the threat events that need attention. For detailed configuration, please refer to "Threat Alarm Rule" on Page 109.

l The system supports uploading some elements of the logs generated by each module, such as IP addresses and URLs, to the cloud platform. The cloud platform checks whether the elements have threat intelligence through a third-party server. You can view the threat intelligence information related to the elements through the threat intelligence center (CloudVista).

• In the threat list, click the threat intelligence icon behind the address in the "Source"/"Destination" column, or hover your cursor over an object and click the button that appears to its right, to open the threat intelligence center (CloudVista) and view the threat intelligence.
• Threat intelligence status icons: normal intelligence with a whitelist; suspicious intelligence; malicious intelligence.

Notes:
• The threat intelligence function will not work unless a threat intelligence license has been installed.
• Before using this function, please configure "Connecting to Hillstone Cloud Service Platform" on Page 441.

Viewing the Threat Intelligence

In the threat intelligence center (CloudVista), you can view the details of threat intelligence.

Threat intelligence display information:

Details
Basic Properties: Displays the network, country, province, ASN and regional internet registry of the element.
IP WHOIS: Displays the details of the IP address, including the IP user and related information.

IP Reverse Lookup
Passive DNS Replication: Displays the history of the IP address resolved into a domain name, including the resolve date and domain.
RDNS Record: Displays the history of reverse resolution, that is, the record of domain names resolved into the IP address.

Related Samples
Downloaded Files: Displays the latest files downloaded from this IP address.
Contacting Files: Displays the latest files that contacted this IP address when executed.
Referring Files: Displays the latest files that contain this IP address.
Related URLs: Displays the latest URLs observed by threat intelligence on this IP address.

SSL Certificate
HTTPS Certificate: Displays the latest certificate observed in HTTPS connections to the IP address.

Notes: When you use the IE browser to view threat intelligence for the first time, uncheck "Enable pop-up blocker" in the browser's "Internet Options" configuration; otherwise the intelligence page cannot be viewed.

Viewing the Threat Details

In the Details dialog, view the detailed information about the threat, including source/destination, attacker IP address, victim IP address, attack result, knowledge base and history.

• Hover the mouse over the icon after the threat name, and the detailed description of the threat event is displayed.
• Click the threat intelligence icon behind the "Source"/"Destination" address on the page to open the threat intelligence center (CloudVista) and view the relevant intelligence. For the meaning of the threat intelligence information, refer to Viewing the Threat Intelligence.
• Threat Analysis: The content of the Threat Analysis tab differs depending on the detection engine that reported the threat.

  • Anti Virus/IDS: Displays the detailed threat information; you can view or download the evidence packets. For more information about Anti Virus/IDS, refer to "Anti Virus" on Page 260 and "Intrusion Detection System" on Page 268.
  • Web Attack Detection: Displays the detailed threat information. For more information about Attack Detection, refer to "Attack Detection" on Page 328.
  • Abnormal Behavior Detection: Displays the abnormal behavior detection information. For more information about Abnormal Behavior Detection, refer to "Abnormal Behavior Detection" on Page 352.
  • Advanced Threat Detection: Displays the advanced threat detection information, malware reliability information, etc. For more information about Advanced Threat Detection, refer to "Advanced Threat Detection" on Page 361.
  • Deception Detection: Displays the deception detection information. For more information about Deception Detection, refer to "Deception Detection" on Page 364.
  • Sandbox Detection: Displays the detailed threat information of the suspicious file. For more information about Sandbox, refer to "Sandbox" on Page 342.
  • Anti-Spam: Displays the spam filter information, such as the sender and subject of the spam. For more information about Anti-Spam, refer to "Anti-Spam" on Page 305.
  • Botnet Detection: Displays the detailed threat information of the botnet. For more information about Botnet C&C Detection, refer to "Botnet Detection" on Page 313.
• Process Information: Displays details of the process information associated with the specified threat event, including executable programs, execution commands, execution time, etc.
• Threat Hunting: For some of the most common threats, such as SYN port scanning, host IP scanning, host port scanning, SMB service scanning, large numbers of suspicious HTTP response error codes, and SSH/FTP/TELNET/LDAP/POP3/SMTP/IMAP4/MYSQL/RDP/SMB/VNC brute force attacks, the system supports scanning and analyzing the evidence of the threat. In the Threat Hunting tab, view the evidence of the specified threat.
• Knowledge Base: For threats detected by IDS, Abnormal Behavior Detection, Advanced Threat Detection and Deception Detection, displays the description, solution, etc. of the specified threat.
• MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of attack behaviors. It categorizes known attacks as tactics and techniques, establishing a practical and clear framework. The system maps detected suspicious behaviors to the MITRE ATT&CK® model and displays the MITRE ATT&CK® tactic IDs and technique IDs of the threat in threat logs, helping you identify suspicious behaviors more accurately. To ensure that the latest MITRE ATT&CK® knowledge base is used during detection, it is recommended to upgrade the MITRE ATT&CK® knowledge database. For more information about upgrading the MITRE ATT&CK® Knowledge Base, refer to Updating Signature Database.

  • MITRE ATT&CK® Tactic Details: In this tab, you can view the name, created time, last modified time, data source, official link, and description of the tactic. A MITRE ATT&CK® tactic represents the adversary's tactical objective, that is, the reason for performing the attack.
  • ATT&CK® Technique Details: In this tab, you can view the technique's name, data source, permission/system/network requirements, tactic, parent technique, sub-techniques, mitigation methods, official link, platform, etc. A MITRE ATT&CK® technique represents how an adversary achieves a tactical goal by performing an action.
• Threat Data: For threat events whose detection engine is Intrusion Detection System, if you have enabled the function of capturing complete threat data, click View next to Threat Data to view the ASCII and hexadecimal representation of the threat in the Threat Data panel. You can analyze the entire process of the threat with this option. If the function of capturing complete threat data is disabled, the Threat Data section is not displayed in the Log Details panel of threat logs.
• History: Displays the historical information of the selected threat for the whole network.
• Threat Topology: For the selected threat event, displays the threat information, propagation path, number of attacks, and detection time in the threat topology view.
  • Click the Detection Time Range drop-down list and select the statistical cycle. The default time range is the last 14 days.
  • One node icon indicates a risky endpoint/server; the other indicates an endpoint/server without risk or an external network IP address. The direction of the arrow indicates the direction of the threat.
  • Hover over a threat topology node to display the detection time of the threat event on the specified endpoint/server and the number of attacks initiated.
  • Click a threat topology node to open the corresponding Details dialog. For details, refer to Server Details/Endpoint Details.
• Admin Action: Click the button to modify the threat state (Open, Ignore, Confirmed, False Positive, Fixed).

In the Admin Action dialog, enter the configurations:

Change to: Select the state of the threat: Open, Ignore, Confirmed, False Positive or Fixed. This operation only takes effect on threat events that have already been generated.
  • Open: When the threat entry status is 'Open', the system will report it again in the next detection.
  • False Positive: A threat entry whose status is 'False Positive' will not participate in the HRI evaluation. It will be deleted from the threat event list, but the system will report it again in the next detection. For threat items detected by Advanced Threat Detection, the system will further process the entry and not report it again in the next detection. Some threat events can be further processed by signature processing. For the configuration, refer to Signature Processing.
  • Ignore: A threat entry whose status is 'Ignore' will not participate in the HRI evaluation, and the threat association will not be displayed in the server risk monitor topology view, but the system will report it again in the next detection.
  • Confirmed: When the threat entry status is 'Confirmed', the system will report it again in the next detection. The entry can be further processed by signature processing. For the configuration, refer to Signature Processing.
  • Fixed: A threat entry whose status is 'Fixed' will not participate in the HRI evaluation. The system will report it again in the next detection.

View history: View the analysis history of the selected threat.

Marking Scope: Select the marking scope of the threat entry. The system supports batch tagging of the threat entries with the same source address (IPv4 or IPv6) or the same destination address (IPv4 or IPv6), of aggregated threat entries, or of all threat entries.

Signature processing: When the threat entry is marked as Confirmed, its source and destination address can be added to the block list. The linkage policies are displayed in the Mitigation page, and the system will send the linkage policies to the firewall for blocking.
  • Add Block List: Click the Enable button of Add Block List to add the source address, destination address or service of the threat event to the block list. Note: At least one of the Source Address, Destination Address and Service check boxes must be checked.
  • Duration: Specify a block duration for the specified linkage action. The range is 1-1440 minutes, 1-24 hours, 1-30 days or forever (forever can only be specified when block source IP and block destination IP are specified).
  • Linkage Device: Click the drop-down list to select one or more device names that perform the linkage actions. Note: Blocking only takes effect when the linkage device configuration has been completed. For the linkage device configuration, refer to "Linkage Device" on Page 123. (ThreatSensor series devices do not support the linkage device configuration.)
When the threat entry is marked as False Positive, the corresponding signature ID can be disabled.
  • Signature ID: Click the signature ID link to view the details of the signature.
  • Disable Signature: Select the "Disable this intrusion detection feature globally" check box to disable the signature ID of the selected threat entry. Note: This operation is only applicable to IDS threat events.

Create Whitelist: Click the Create Whitelist button and specify the threat name, source address and destination address of the threat in the Threat White List Configuration dialog. The threat event will be added to the global threat white list and will not be reported again in the next detection. Note: The source address and destination address cannot both be configured as any; IPv4 and IPv6 addresses are supported. About White List Management, refer to "White List Management" on Page 118. ThreatSensor series devices do not support this function.


Hot Threat Intelligence
The Hot Threat Intelligence page displays intelligence on hot threats on the Internet, including IPS vulnerabilities, viruses and threats detected by the cloud sandbox. You can view the details of the hot threats, or carry out protection operations to prevent them.

Click Security Analysis > Hot Intelligence Monitor to enter the Hot Threat Intelligence page. By default, the threat intelligence list shows the information of the latest year, including the release time, name, type, protection status and operation.

• Select a time period from the Release Time drop-down list to filter the threat information of the specified time period.
• Click the filter button to add conditions and filter the threat information as needed.
• Click the Enable button after Hot Threat Intelligence Push. When it is enabled, the Hillstone Cloud server pushes the latest hot threat intelligence to the system, and once the system receives threat intelligence from the Hillstone Cloud server, you are notified in a pop-up window. Otherwise, the Hillstone cloud platform no longer pushes the latest hot threat intelligence; meanwhile, the previously received threat intelligence can only be viewed, and the related protective operations are not allowed.
• Select one threat intelligence item in the list, and the corresponding threat details and protection logs are displayed below the list.
  • Threat Details: You can view the detailed threat information, including the release time, name, signature ID, severity, details, solutions, affected systems and other information (the items may vary slightly for different types of threat).

Release Time: Displays the release time of the threat intelligence.
Threat Intelligence Name: Displays the threat intelligence name.
Signature ID: Displays the corresponding signature ID in the IPS signature database for the threat intelligence.
Severity: Displays the severity of the threat intelligence.
Details: Displays the details of the threat intelligence.
Solution: Displays the solutions to the threat.
Affected Systems: Displays the names of the operating systems that the threat affects.
CVE ID: Displays the CVE ID and link of the threat. Click the link, and a new page opens where you can view the CVE details.
Reference Information: Displays links to reference information about the threat. Click a link, and a new page opens where you can view the details of the reference information.

  • Detection Log: If the system has been attacked by the threat described in the threat intelligence within the latest month, the protection logs are displayed. If not, the detection log is empty.
• Click the threat intelligence name in the list or the corresponding operation ("Enable" or "View") in the "Operation" column, and the Hot Threat Intelligence dialog box pops up. You can view the information about the hot threat intelligence in the dialog.
  • Click <Threat Detail> to view the information about the threat.
  • For some threats in the "Disabled" status, you can see the corresponding protection solutions in the <Solution> tab. Click the links in sequence according to the steps in the solution, and configure the related functions. Only when you finish all the steps of one solution (if there are multiple solutions, at least one of them) does the threat intelligence status become "Enabled".
  • For some threats in the "Disabled" status, the <Detection Measures> tab is not displayed, and you need to take the protective measures on other websites or servers; the system provides some solutions in the <Threats Details> tab. After the threat is protected, click the Confirm or Enabled button, and the status of the threat intelligence changes to "Enabled".
  • For a threat in the "Enabled" status, if it is protected by the system, you can click <Configuration List> to view the protective measures, and click View to view the details of the detection measures.

Notes: Because the operation steps in the <Detection Measures> tab are correlated, please follow the steps of the solution in turn. For example, if the signature database has not been upgraded, the signature ID is not shown, and subsequent protections may be unavailable. After the signature database is upgraded, the subsequent steps may change or some of them may be omitted.

Viewing Hot Threat Intelligence

The system obtains and downloads the latest threat intelligence from the Hillstone cloud server at the set time every day or when you log in to the system, and the hot threat intelligence list is updated with the new information.

When the Hot Threat Intelligence Push function is enabled, once the system receives new intelligence, the New Threat Intelligence notice is displayed in the upper right corner of the page. Hover the mouse over the notification and click "New Threat Intelligence"; the page jumps to the hot threat intelligence page. On the Security Analysis > Hot Intelligence Monitor page, the new threat intelligence is displayed in pop-up windows for users to view.

Chapter 4 Incident Response
The incident response module includes:

• "Threat Alarm Rule" on Page 109: Includes threat conditions and an action method. When a threat event that meets the threat conditions (such as threat type, severity, behavior category, threat name, etc.) occurs, the system notifies the user in time according to the action method specified in the rule (such as firewall linkage, voice reminder or email).
• "White List Management" on Page 118: The threat white list consists of a threat name, source address, and destination address; when a subsequent threat event matches the threat white list, the system records the hit count and no longer reports the threat.
• "Mitigation" on Page 121: The linkage policies are displayed in the Mitigation page, and the system sends the linkage policies to the firewall for blocking.
• "Linkage Device" on Page 123: Configure the firewall information as the global firewall linkage configuration in the Firewall Linkage Configuration page to combine the BDS device with a Hillstone firewall.

Notes: ThreatSensor series devices do not support this function.

Threat Alarm Rule
A threat alarm rule consists of threat conditions and an action method. When a threat event that meets the threat conditions (such as threat type, severity, behavior category, threat name, etc.) occurs, the system notifies the user in time according to the action method specified in the rule (such as firewall linkage, sound alarm or email), and the user can perform subsequent action processing for the threat event.

Notes: ThreatSensor series devices do not support this function.

Configuring a Threat Alarm Rule

To configure a threat alarm rule, take the following steps:

1. Click Incident Response > Threat Alarm Rule.

2. Click New. In the Threat Alarm Rule Configuration page, enter the threat alarm rule configurations:
Name: Enter the name of the threat alarm rule. The range is 1 to 127 characters.

Description: Specifies the description of the threat alarm rule. The range is 0 to 255 characters.

Threat Condition
Threat Condition: Specify the conditions for generating threat alarms, including asset type, IP address, severity, threat type, etc.
  • Asset Type: Specifies the asset type that needs to be matched to generate a threat alarm. Click the drop-down list and select server, endpoint, or all.
  • IP: Specifies the IP address (source IP or destination IP; IPv4 and IPv6 addresses are supported) of the asset that needs to be matched to generate a threat alarm.
    1. Click the drop-down list and select IPv4/Network, IPv4 Range, IPv6/Prefix or IPv6 Range.
    2. Enter the corresponding IP address in the text box.
    3. Click the add button to add the specified IP address/IP address range to the list on the right. The system allows up to 8 IP addresses/IP address ranges to be added.
    4. To delete an added IP address, check the IP address check box in the list on the right, then click the delete button.
  • Source IP: Specifies the source IP (IPv4 or IPv6 address) of the threat event that needs to be matched to generate a threat alarm. The steps for adding addresses are as above.
  • Destination IP: Specifies the destination IP (IPv4 or IPv6 address) of the threat event that needs to be matched to generate a threat alarm. The steps for adding addresses are as above.
  • Severity: Specifies the severity of the threat event that needs to be matched to generate a threat alarm. Click the drop-down list and select the severity check boxes. Multiple items can be chosen.
  • Threat Type: Specifies the threat type that needs to be matched to generate a threat alarm. Click the drop-down list and select the subtype of the threat event. At most one threat type can be chosen.
  • Behavior Category: Specifies the behavior category that needs to be matched to generate a threat alarm. Click the drop-down list and select the behavior category check boxes. Multiple items can be chosen.
  • Threat Name Contains: Specifies the content that the threat event name must include to generate a threat alarm, for example: CVE-199-0067. Only one string is supported.
Note:
  • The logical relationship among the threat conditions is AND.
  • The logical relationship among the multiple-choice items of a single threat condition is OR.
  • If a threat condition is not configured, it is treated as all; for example, when "threat type" is not specified, all threat types are included.

Response Method
Device Linkage: Specifies whether to enable linkage with the firewall and the linkage action.
  • Enable: Click the Enable button to enable linkage with the firewall. After it is enabled, when a threat alarm is generated, the system blocks the source IP, destination IP or service of the threat event matching the alarm conditions.
  • Source IP Block: Block the source IP address of the threat event matching the alarm conditions.
  • Destination IP Block: Block the destination IP address of the threat event matching the alarm conditions.
  • Service Block: Block the connection from the source address to the destination address of the threat event matching the alarm conditions.
  • Duration (required): Specify a block duration for the specified linkage action. The range is 1-1440 minutes, 1-24 hours, 1-30 days or forever (forever can only be specified when block source IP and block destination IP are specified).
  • Linkage Device: Click the drop-down list to select one or more device names that perform the linkage actions. Note: Before enabling this function, ensure that the linkage device configuration is completed. For the linkage device configuration, refer to "Linkage Device" on Page 123.

Threat Sound Alarm: Specifies whether to enable the threat sound alarm. Click the Enable button to enable it. After it is enabled, when a new threat alarm is generated or a threat alarm has not been viewed, the system uses the default or customized sound to remind you and displays a reminder at the "Notice" in the upper right corner of the system. For customizing the alarm sound and viewing details of the threat sound alarm, refer to Customizing Alarm Sound and Viewing the Details of Threat Sound Alarm.

Mail Alarm: Specifies whether to send the alarm mail. Click the Enable button to enable sending the alarm email. After it is enabled, when a threat alarm is generated, the system sends an alarm email to the specified recipients according to the configuration.
  • Email: Enter the addresses of the recipients of the alarm email in the text box. The email address field is 1 to 255 characters, with addresses separated by semicolons.
  • Send Test Mail: Click the Send Test Mail button to check whether the system can send email to the specified email address successfully.
  • Mail Title: Specifies the title of the alarm mail. The title range is 0 to 127 characters. The default mail title is: notification email from threat alarm rule "xxx".
  • Mail Interval: Specifies the interval between two alarm emails. The range is 1 to 1440 minutes, and the default minimum interval is 10 minutes.
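As an added illustration (not Hillstone's code) of the matching logic in the Note above and of the block duration rule under Device Linkage and under Admin Action, the following Python models a threat alarm rule and evaluates constructed events against it; the rule and event field names, and the reading of the "forever" condition, are assumptions.

```python
"""Added example (not Hillstone code): evaluate a threat event against a threat
alarm rule with the matching semantics this guide describes (AND across
conditions, OR within a multi-choice condition, an unset condition matches all)
and validate the linkage block duration. Field names are assumptions."""
from dataclasses import dataclass, field
import ipaddress


class AddressRange:
    """Explicit 'first-last' entry (the IPv4 Range / IPv6 Range choices)."""

    def __init__(self, text):
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"bad address range: {text}")
        self.first, self.last = first, last

    def __contains__(self, ip):
        return ip.version == self.first.version and self.first <= ip <= self.last


def parse_ip_entry(text):
    """IPv4/Network and IPv6/Prefix become ip_network objects, 'a-b' an
    AddressRange; both answer `ip in entry` (False across IP versions)."""
    return AddressRange(text) if "-" in text else ipaddress.ip_network(text, strict=False)


def address_in_entries(ip_text, entries):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in entry for entry in entries)


@dataclass
class AlarmRule:
    name: str
    asset_type: str = "all"                          # server, endpoint or all
    ip: list = field(default_factory=list)           # asset IP: source OR destination
    source_ip: list = field(default_factory=list)
    destination_ip: list = field(default_factory=list)
    severity: set = field(default_factory=set)       # multi-choice -> OR
    threat_type: str = ""                            # at most one; "" = not set
    behavior_category: set = field(default_factory=set)
    threat_name_contains: str = ""                   # one substring; "" = not set

    def __post_init__(self):
        for attr in ("ip", "source_ip", "destination_ip"):
            entries = getattr(self, attr)
            if len(entries) > 8:                     # guide: up to 8 entries per list
                raise ValueError(f"{attr}: at most 8 IP addresses/ranges")
            setattr(self, attr, [parse_ip_entry(e) for e in entries])


@dataclass
class ThreatEvent:
    name: str
    asset_type: str
    src: str
    dst: str
    severity: str
    threat_type: str
    behavior_category: str


def rule_matches(rule, ev):
    """Every configured condition must hold; an unconfigured one matches all."""
    return all([
        rule.asset_type in ("all", ev.asset_type),
        not rule.ip or address_in_entries(ev.src, rule.ip)
        or address_in_entries(ev.dst, rule.ip),
        not rule.source_ip or address_in_entries(ev.src, rule.source_ip),
        not rule.destination_ip or address_in_entries(ev.dst, rule.destination_ip),
        not rule.severity or ev.severity in rule.severity,
        not rule.threat_type or rule.threat_type == ev.threat_type,
        not rule.behavior_category or ev.behavior_category in rule.behavior_category,
        not rule.threat_name_contains or rule.threat_name_contains in ev.name,
    ])


DURATION_LIMITS = {"minutes": 1440, "hours": 24, "days": 30}   # ranges from the guide


def validate_block_duration(value, unit, block_src_ip, block_dst_ip, block_service):
    """Return the accepted duration (None for forever) or raise ValueError.
    Assumption: the guide's 'forever only when block source IP and block
    destination IP are specified' is read here as requiring both targets."""
    if not (block_src_ip or block_dst_ip or block_service):
        raise ValueError("select at least one of source IP, destination IP or service")
    if unit == "forever":
        if not (block_src_ip and block_dst_ip):
            raise ValueError("forever requires both source IP and destination IP block")
        return None
    if unit not in DURATION_LIMITS:
        raise ValueError(f"unknown unit: {unit}")
    if not 1 <= value <= DURATION_LIMITS[unit]:
        raise ValueError(f"duration must be 1-{DURATION_LIMITS[unit]} {unit}")
    return value
```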

Editing the Threat Alarm Rule

To edit a threat alarm rule, take the following steps:

1. Select Incident Response > Threat Alarm Rule to open the threat alarm rule list.

2. Select the check box of the threat alarm rule to be edited and click the Edit button.

3. In the Threat Alarm Rule Configuration page, edit the selected threat alarm rule.

4. Click OK.

Enabling/Disabling the Threat Alarm Rule

To enable or disable a threat alarm rule, take the following steps:

1. Select Incident Response > Threat Alarm Rule to open the threat alarm rule list.

2. Select the check box of the threat alarm rule to be enabled or disabled.

3. Click the Enable or Disable button.

Deleting the Threat Alarm Rule

To delete a threat alarm rule, take the following steps:

1. Select Incident Response > Threat Alarm Rule to open the threat alarm rule list.

2. Select the check box of the threat alarm rule to be deleted.

3. Click Delete.

Customizing Alarm Sound

The system supports customizing the alarm sound. After you customize the alarm sound and enable Threat Sound Alarm in a threat alarm rule, the system uses the customized alarm sound to remind you when new threat alarms appear or remain unchecked.

To customize the alarm sound, take the following steps:

1. Select Incident Response > Threat Alarm Rule to open the threat alarm rule list.

2. Click Custom Alarm Tone to open the Custom Alarm Tone dialog box.

3. Click Browse to select the custom audio file to be uploaded.

4. Click Preview to play the uploaded custom audio file.

5. Click Restore Default to use the default threat alarm sound.

6. Click OK.

Notes: The system only supports uploading audio files in MP3 format, and the file size must be no more than 200KB.

Viewing the Details of Threat Sound Alarm

After Threat Sound Alarm is enabled in a threat alarm rule, when the system generates a threat alarm that matches the rule, the Threat Sound Alarm notice is displayed in the upper right corner of the page.

To view the details of the threat sound alarm, take the following steps:

1. Hover the mouse over the notification and click Threat Sound Alarm.

2. View the threat events matching threat alarm rules (with threat sound alarm enabled) in the Threat Sound Alarm dialog.

3. Click Clear Threat Sound Alarm to clear all threat sound alarms.


White List Management
As the network environment grows more complex, the device generates more and more threat warnings. Generated threat events can be processed by changing the state of the threat (refer to Admin Action); to make it more convenient to deal with future occurrences of the same threat, the system provides a global threat white list function. The threat white list consists of a threat name, source address, and destination address; when a subsequent threat event matches the threat white list, the system records the hit count and no longer reports the threat.

Notes: ThreatSensor series devices do not support this function.

Creating a White List

To create a threat white list, take the following steps:

1. Click Security Analysis > Threat Event; the page redirects to the "Threat Monitor" on Page 84 page.

2. Select the threat entry that needs to be added to the white list, and click the threat name link in the list to open the Threat dialog.

3. Click the Admin Action button to open the Admin Action dialog.

4. Click the Create Whitelist button. In the Threat White List Configuration dialog, enter the configurations:

   Threat Name: Specify the white list threat name. Click Threat Name and select, in the drop-down list, the name of the selected threat or any.

   Source Address: Specify the white list source address (IPv4 or IPv6) to be matched. Click Source Address and select the source address of the selected threat event or any in the drop-down list.

   Destination Address: Specify the white list destination address (IPv4 or IPv6) to be matched. Click Destination Address and select the destination address of the selected threat event or any in the drop-down list.

5. Click OK.

Viewing the White List

Click Incident Response > Whitelist to view the threat white list entries.

The information of the white list:

Threat Name: Displays the threat name of the white list entry.
Source Address: Displays the source address of the white list entry.
Destination Address: Displays the destination address of the white list entry.
Detected by: Displays the detection engine.
Hit Count: Displays the hit count of the white list entry.
Last Detection Time: Displays the time of the last detection that hit the threat white list entry.
Status: Displays the status of the white list entry; one icon indicates the entry is enabled, the other indicates it is disabled.
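An added example, not part of the guide or the product, modelling how a white list entry is validated (source and destination cannot both be any), how an enabled entry suppresses matching events, and how the hit count and last detection time are maintained; the event tuple layout and timestamps are constructed here.

```python
"""Added example (not Hillstone code): a minimal model of the global threat
white list described in this guide. An entry holds a threat name and a source
and destination address (each may be 'any', but not both addresses); a hit
bumps the entry's counter and suppresses the report; a disabled entry is
skipped. Event tuples and timestamps are constructed for illustration."""
from dataclasses import dataclass
import ipaddress


def address_equal(pattern, address):
    """'any' matches everything; otherwise compare parsed IPv4/IPv6 values so
    that textual variants such as '2001:DB8::1' and '2001:db8::1' agree."""
    return pattern == "any" or ipaddress.ip_address(pattern) == ipaddress.ip_address(address)


@dataclass
class WhiteListEntry:
    threat_name: str            # exact threat name, or "any"
    source: str                 # IPv4/IPv6 address, or "any"
    destination: str            # IPv4/IPv6 address, or "any"
    enabled: bool = True
    hit_count: int = 0
    last_detection_time: str = ""

    def __post_init__(self):
        # Guide rule: source and destination cannot both be configured as any.
        if self.source == "any" and self.destination == "any":
            raise ValueError("source and destination address cannot both be any")
        for addr in (self.source, self.destination):
            if addr != "any":
                ipaddress.ip_address(addr)      # rejects anything but IPv4/IPv6

    def matches(self, name, src, dst):
        return (self.enabled
                and self.threat_name in ("any", name)
                and address_equal(self.source, src)
                and address_equal(self.destination, dst))


def process_events(whitelist, events):
    """events: (threat_name, src, dst, detection_time). Returns the events that
    are still reported; a whitelisted event only updates its matching entry."""
    reported = []
    for name, src, dst, when in events:
        entry = next((w for w in whitelist if w.matches(name, src, dst)), None)
        if entry is None:
            reported.append((name, src, dst, when))
            continue
        entry.hit_count += 1
        entry.last_detection_time = when
    return reported


if __name__ == "__main__":
    # Constructed entries and events using documentation address ranges.
    wl = [WhiteListEntry("SMB service scanning", "10.0.5.9", "any"),
          WhiteListEntry("any", "any", "2001:db8::10", enabled=False)]
    evs = [("SMB service scanning", "10.0.5.9", "10.0.0.1", "2023-08-01T10:00:00"),
           ("host port scanning", "10.0.5.9", "2001:DB8::10", "2023-08-01T10:05:00")]
    print(process_events(wl, evs), wl[0].hit_count)
```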


Mitigation
The linkage policies are displayed in the Mitigation page, and the system sends the linkage policies to the linkage device for blocking. For the linkage device configuration, refer to "Linkage Device" on Page 123.

Notes: ThreatSensor series devices do not support this function.

Click Incident Response > Mitigation, and select the Block IP or Block Service tab to open the mitigation page.

• The information of mitigation:
  Linkage Device IP: Displays the IP of the linkage device.
  Linkage Device Name: Displays the name of the linkage device.
  Block IP: Displays the blocked IP address. (Only displayed in the Block IP list)
  Block Content: Displays the blocked source IP, destination IP, destination port and protocol. (Only displayed in the Block Service list)
  Start Time: Displays the start time of the block action.
  End Time: Displays the end time of the block action.
  Status: Displays the status of the linkage policy.
• Specify the filter conditions above the list, and the linkage policy entries that meet the conditions are displayed in the list.
• Cancel a linkage policy: Select a linkage policy entry and click the button in the "Operation" column of the list.
• Linkage policies can be added through threat events and threat alarm rules. For the configuration, refer to Admin Action in "Threat Monitor" on Page 84 and "Threat Alarm Rule" on Page 109.


Linkage Device
You can configure the firewall information on the Linkage Device page to combine the BDS device with a Hillstone firewall.

l When the device works in TAP mode and a specific interface receives the mirrored traffic, a threat entry marked as Confirmed can have its source address, destination address and service added to the block list. The system sends the linkage policies to the firewall for the blocking action. For the configuration of Add Block List, refer to Admin Action in "Threat Monitor" on Page 84.

l When a threat event that meets the threat conditions of a threat alarm rule occurs, the system blocks the source IP, destination IP or service of the threat event. For the configuration of threat alarm rules, refer to "Threat Alarm Rule" on Page 109.

Notes:
l Firewall linkage is supported with E, X, T and A series devices and NIPS.

l ThreatSensor series devices do not support this function.

Creating a Linkage Device

To configure the firewall information, take the following steps:

1. Select Incident Response > Linkage Device.

2. Click New.

In the Linkage Configuration page, configure the following parameters.

Option Description

Name: Specifies a name for the linkage device.

Protocol: Specifies the protocol used to access the linkage device: HTTP, HTTPS or SSH. The default protocol is HTTP.

IP: Specifies the linkage device's IP address.

Port: Specifies the port number corresponding to the selected protocol. The default port number is displayed according to the selected protocol: 80 for HTTP, 443 for HTTPS and 22 for SSH.

User: Specifies the login name for the linkage device.

Password: Specifies the password corresponding to the login name.

Description: Specifies the description of the linkage device.

3. Click OK.

Notes: You can create up to 10 linkage devices.

Connectivity Test
The connectivity test of a linkage device includes an automatic connectivity test and a manual connectivity test.

l Automatic connectivity test: After the basic information of the linkage device is configured, the system automatically verifies whether the linkage device can be connected.

l Manual connectivity test: In the Linkage Configuration page, click the Test button to test the connectivity of the linkage device.

To test linkage device connectivity manually, take the following steps:

1. Select Incident Response > Linkage Device.

2. Select the linkage device to be tested in the list, and click Edit.

3. After confirming the configuration information of the linkage device in the Linkage Configuration page, click the Test button.

4. If the "The device is connected successfully" message appears, the linkage device can be connected.

5. If the "Failed to connect the device" message appears, the linkage device cannot be connected, and you need to further check whether the configuration information is accurate.

Enabling/Disabling the Linkage Device

By default, a configured linkage device is enabled automatically.

To enable/disable the linkage device, take the following steps:

1. Select Incident Response > Linkage Device.

2. Select the linkage device that needs to be enabled/disabled in the list, and then click the Enable or Disable button.

Deleting the Linkage Device

To delete the linkage device, take the following steps:

1. Select Incident Response > Linkage Device.

2. Select the linkage device that needs to be deleted in the list, and then click the Delete button.

Viewing the Linkage Blocking Information

You can view the linkage blocking information in the following two ways:

l Select Incident Response > Mitigation to view the linkage policies of the BDS device.

l Select Policy > Perimeter Traffic Filtering > IP Blacklist > Dynamic IP Blacklist and Policy > Perimeter Traffic Filtering > Service Blacklist on the firewall to view the block list.


Chapter 5 System Monitor
The System Monitor module analyzes the traffic via the device and provides the statistics in various aspects and
styles.

The system can monitor the following objects:

l "Traffic Monitor" on Page 128: Monitors the traffic of the intranet assets.

l "Application Analysis" on Page 135: Represents all statistical information about network applications.

l "Device Monitor" on Page 140: Displays the device statistics within the specified period (real-time, latest 1 hour, latest 1 day, latest 1 month), including the total traffic, interface traffic, zone, Online IP, new/concurrent sessions, and hardware status.

l "System Alarm" on Page 143: Detects suspicious issues in the protected network and sends out alarm messages. The rule that defines what behavior should be alerted is called an alarm rule.


Traffic Monitor
Intranet assets are the key objects the company protects, so the traffic of the intranet assets also needs attention.

The system provides a traffic monitor function, including server traffic monitoring and endpoint traffic monitoring. This function studies traffic during the specified learning cycle and forms a traffic baseline. After the learning is completed, the system analyzes the relationship between the traffic of the intranet asset and the baseline to determine whether the intranet asset has abnormal traffic. Finally, you can view the results in the Threat Server Traffic Topology page.

The following are the concepts of the traffic monitor:

l Server Traffic Monitor: Monitors the traffic of intranet assets of the server type. According to the traffic direction, the server traffic is divided into three categories: the traffic from the server, the traffic from the internal network to the server, and the traffic from the external network to the server.

l Endpoint Traffic Monitor: Monitors the traffic of intranet assets of the endpoint group type. There are two types of endpoint traffic: the downstream traffic and the upstream traffic.

l Traffic Baseline: The traffic baseline is the measure used to determine whether there is a traffic anomaly in traffic monitoring. The system learns the traffic rate during the specified learning cycle to generate the corresponding traffic baseline.

l Abnormal Traffic: After the learning cycle ends, if the subsequent traffic exceeds the traffic baseline, or traffic appears that did not appear during the learning cycle, the system determines that the intranet asset has abnormal traffic.

Related links:

l "Configuring Traffic Monitor" on Page 132

l "Traffic Baseline Management" on Page 129

l "Configuring Intranet Assets" on Page 237

l "Server Traffic Topology" on Page 67


Traffic Baseline Management
The traffic baseline is divided into the following three categories:

l Baseline in learning state: The baseline is still learning traffic; it is displayed as a dotted line.

l Baseline in monitor state: The baseline has completed traffic learning; it is displayed as a solid line.

l Baseline not monitored: The baseline is no longer learning or monitoring.

Traffic Baseline Overview

Click System Monitor > Traffic Monitor > Traffic Baseline. The traffic baseline page displays the amount of baseline information of each intranet server in tabular form.

Details of Traffic Baseline

In the Traffic Baseline page, click the + button of a server item, and select a tab (Traffic Baseline From Server, Traffic Baseline From Host to Server or Traffic Baseline From Internet) to view the three baseline traffic details of this server in the expanded area.

l Relearn: Select a baseline item and click the Relearn button to relearn this traffic baseline.

l Delete: Select a baseline item and click the Delete button to delete this traffic baseline.

l Not Monitor: Click the Not Monitor button to disable this traffic baseline.

l Relearn All Baseline: Click Relearn All Baseline to delete all traffic baselines that the server has learned and established, and start building new traffic baselines again.

l Viewing the traffic baseline details: Double-click the baseline item or click the corresponding + button, and select tabs to view the comparison chart of the actual traffic and traffic threshold trends in the expanded area.

The baseline list displays the following information:


Option Description

Source: Displays the source address of the traffic baseline.

Destination: Displays the destination address of the traffic baseline.

Destination Port: Displays the destination port of the traffic baseline.

Service: Displays the service of the traffic baseline. To view the description of a service, take the following steps:

1. Hover your mouse over the service name, and click the button that appears on the right.

2. Hover the mouse over 'Description' to view the description of the service in the pop-up window on the right.

Baseline Status: Displays the status of the traffic baseline.

Start Monitoring Time: Displays the start monitoring time of the traffic baseline.

Last Traffic Update Time: Displays the last traffic update time of the traffic baseline.


Configuring Traffic Monitor
To configure the traffic monitor, take the following steps:

1. Click System Monitor > Traffic Monitor > Configuration.

In the configuration page, configure the following options.

Option Description

Sensitivity: Slide the slider to specify the monitoring sensitivity. The sensitivity level determines the baseline threshold used to judge traffic variation. The sensitivity is divided into low, medium and high, and the default sensitivity is medium.

Learning Cycle: Specifies the learning cycle of the traffic baseline, which can be 7 days, 14 days, 21 days or 28 days. The default value is 14 days.

Auto Create BaseLine: After a created server traffic baseline enters the monitoring status, if new connection traffic that was not detected during the learning status appears on the server, the system generates a "new connection" alarm. To reduce these unnecessary alarms, you can click the Enable button to create baselines automatically.

l After the function is enabled, the system creates a traffic baseline automatically for the "new connection" alarm according to specific rules (for example, the number of "new connection" alarms in a week is greater than or equal to 5). The system no longer generates a "new connection" alarm for new connection traffic on the server that does not exceed the traffic baseline.

l After the function is disabled, when the created server traffic baseline enters the monitoring status, the system generates the "new connection" alarm for all new connection traffic without creating baselines.

Server Traffic Monitor: Click the Enable button to enable the server traffic monitor. After enabling this function, the system starts learning traffic immediately, and 'Start Time' shows the beginning of the server traffic learning.

Endpoint Traffic Monitor: Click the Enable button to enable the endpoint traffic monitor. After enabling this function, the system starts learning traffic immediately, and 'Start Time' shows the beginning of the endpoint traffic learning.

l Server Download Traffic Baseline: Specifies the threshold for traffic downloaded by an endpoint from the server during one day. When the total traffic downloaded from the server by the endpoint during one day exceeds the specified threshold, the system records the total traffic in the downloading traffic baseline (traffic within the threshold is not recorded). When the number of recorded days reaches the learning cycle, the downloading traffic baseline enters the monitoring status. When the subsequent total downloading traffic per day exceeds the threshold calculated from the baseline, the system generates alarms.

l Internet Upload Traffic Baseline: Specifies the threshold for traffic uploaded by an endpoint to the Internet during one day. When the total traffic uploaded from the endpoint to the Internet during one day exceeds the specified threshold, the system records the total traffic in the uploading traffic baseline (traffic within the threshold is not recorded). When the number of recorded days reaches the learning cycle, the uploading traffic baseline enters the monitoring status. When the subsequent total uploading traffic per day exceeds the threshold calculated from the baseline, the system generates alarms.

Note: To view the result of the endpoint abnormal traffic monitor, refer to Viewing the Abnormal Traffic Monitor Result of Endpoint.

2. Click OK.

Notes: By default, the traffic monitor function is disabled. If this function is disabled, all the data will be deleted.
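The learn-then-monitor behaviour described in the Traffic Monitor concepts and in the Endpoint Traffic Monitor and Auto Create BaseLine options above can be modelled in a short script. The following Python code is an added illustrative model for the reader of this guide; it is not Hillstone's implementation, and the product's real threshold derivation is not published here. The class names, the sensitivity multipliers, the rule that the daily alarm threshold is the learned daily peak scaled by a sensitivity factor, and the sliding 7-day window with 5 alarms are all assumptions (the guide gives the 5-per-week figure only as an example). The daily totals and the connection tuple are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed multipliers: the guide only says the sensitivity level determines
# the baseline threshold, not how. Higher sensitivity -> tighter threshold.
SENSITIVITY_FACTOR = {"high": 1.1, "medium": 1.3, "low": 1.6}


class DailyTrafficBaseline:
    """Models one endpoint baseline (Server Download or Internet Upload).

    Learning: only days whose total exceeds the configured record threshold are
    recorded; after `learning_cycle` recorded days the baseline starts monitoring.
    Monitoring: a day whose total exceeds the baseline-derived threshold is abnormal.
    """

    def __init__(self, record_threshold_bytes, learning_cycle_days=14, sensitivity="medium"):
        self.record_threshold = record_threshold_bytes
        self.learning_cycle = learning_cycle_days
        self.factor = SENSITIVITY_FACTOR[sensitivity]
        self.recorded = []          # daily totals kept while learning
        self.state = "learning"     # "learning" -> "monitoring"

    def alarm_threshold(self):
        """Assumed derivation: learned daily peak scaled by the sensitivity factor."""
        return max(self.recorded) * self.factor if self.recorded else None

    def observe_day(self, total_bytes):
        """Feed one day's total. Returns True when an abnormal-traffic alarm fires."""
        if self.state == "learning":
            if total_bytes > self.record_threshold:
                self.recorded.append(total_bytes)
                if len(self.recorded) >= self.learning_cycle:
                    self.state = "monitoring"
            return False
        return total_bytes > self.alarm_threshold()


class NewConnectionTracker:
    """Models the Auto Create BaseLine option for a server in monitoring state.

    Each unseen connection (src, dst, dport, proto) raises a "new connection"
    alarm. With auto-create enabled, once `min_alarms` alarms for the same
    connection occur within `window_days`, a baseline is created and further
    traffic for that connection is no longer alarmed.
    """

    def __init__(self, auto_create=True, min_alarms=5, window_days=7):
        self.auto_create = auto_create
        self.min_alarms = min_alarms
        self.window = timedelta(days=window_days)
        self.alarm_times = defaultdict(deque)   # connection key -> alarm timestamps
        self.baselined = set()

    def observe(self, key, when):
        """Returns 'suppressed', 'baseline-created' or 'alarm' for one observation."""
        if key in self.baselined:
            return "suppressed"
        if not self.auto_create:
            return "alarm"
        times = self.alarm_times[key]
        times.append(when)
        while times and when - times[0] > self.window:   # keep a sliding window
            times.popleft()
        if len(times) >= self.min_alarms:
            self.baselined.add(key)
            return "baseline-created"
        return "alarm"


def demo_download_baseline():
    """Constructed daily totals (bytes) for one endpoint; a 3-day cycle keeps it short."""
    baseline = DailyTrafficBaseline(record_threshold_bytes=1_000_000, learning_cycle_days=3)
    days = [500_000, 2_000_000, 3_000_000, 2_500_000, 2_800_000, 5_000_000]
    alarms = [baseline.observe_day(total) for total in days]
    return baseline.state, baseline.alarm_threshold(), alarms


def demo_new_connections():
    """Constructed sequence: the same new connection seen once a day for a week."""
    tracker = NewConnectionTracker()
    key = ("10.0.0.5", "10.0.0.20", 443, "tcp")   # constructed sample addresses
    start = datetime(2023, 8, 1)
    return [tracker.observe(key, start + timedelta(days=i)) for i in range(7)]


if __name__ == "__main__":
    print(demo_download_baseline())
    print(demo_new_connections())
```

In the download demo the first day (500 KB) is below the record threshold and is not counted, the next three days fill the 3-day cycle and switch the baseline to monitoring, and only the 5 MB day exceeds the derived threshold of 3.9 MB. In the connection demo the first four sightings alarm, the fifth creates a baseline, and later sightings are suppressed, which is the alarm reduction the Auto Create BaseLine option describes.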


Application Analysis
The application analysis page represents all statistical information about network applications. In the forms of
chart and table, it displays application monitor data with both a general view and detailed items. It also can drill
down to dig into other aspects of an application.

Layout Overview
Select System Monitor > Application Analysis.

The Application Analysis page consists of 6 statistical items, each displayed in its own frame. Although the items are different, they are displayed in the same way, so that with a few clicks you can drill down to see more.

Each frame is divided into two parts. The upper part is a treemap, area chart, bar chart or line chart; the lower part is a table with data arranged in a certain order.

l To switch view: Click the icon at the top right of the frame to change to a different chart view.

l To refresh the data of a frame: Click the refresh icon.

l To close a frame: Click the close icon to hide the selected frame.

l To show more items: A frame only shows the top 10 items in the default view. To view more, choose one of the following two ways:

  l Click the icon in the upper right corner of the frame to show the top 500.

  l Within a frame, hover your cursor over the Other object; a button appears on its right. Click this button and select View More Data.

Configuring Filters
Application analysis supports two types of filters:

l Global filter: Global filters apply to all monitor objects in the entire page.

l Local filter: Local filters only affect the items in the current frame.

Configuring Global Filters

There are three ways to add a global filter:

l Click the filter button on the top, and select a filter type from the drop-down menu. A text box or another drop-down menu appears; enter or select the filter name.

l Within a frame, hover your cursor over an object; a button appears on its right. Click this button and select Add to Global Filter.

l Within a frame, when some local filters are already on the top of the frame, click the button on the right of a local filter; the filter then becomes a global filter.

Global filters are shown on the top of the Application Analysis page. All the frames update their data automatically to match the global filters.

To cancel a global filter, click the button next to the filter. The same local filter conditions are deleted at the same time.

Configuring Local Filters

To add a local filter:

l In the Application Usage frame, click an object in the chart; the object becomes a local filter of application usage.

l Click any object that turns the cursor into a hand icon; this object becomes a local filter.

l In the table of each frame, hover your cursor over any object name; a button appears. Click this button and select Add to Local Filter.

Local filters are shown on the top of a frame.

To cancel a local filter: on the top of a frame, click the button next to the filter.

Examples of Application Monitor

(Screenshots of the Application Usage, Interface, Source IP Activity, Destination IP Activity, Source Regions and Destination Regions frames.)


Device Monitor
The display methods of this function vary with platforms.

The Device page displays the device statistics within the specified period, including the total traffic, sessions,
CPU/memory status and hardware status.

Summary
Select System Monitor > Device Monitor > Summary to display the device statistics within the last 24 hours.

l Total traffic: Displays the total traffic within the specified statistical period.

  l Hover your mouse over the chart to view the total traffic statistics at a specific point in time.

  l Select a different Statistical Period to view the statistical information in that period of time.

l Hardware status: Displays the real-time hardware status, including storage, chassis temperature and fan status.

  l Storage: Displays the percentage of disk space utilization.

    l Click Storage to display the disk space utilization trend.

    l Hover your mouse over the chart to view the disk space utilization statistics at a specific point in time.

    l Select a different Statistical Period to view the statistical information in that period of time.

  l Chassis temperature: Displays the current CPU/chassis temperature.

    l Click Chassis Temperature to display the CPU/chassis temperature trend.

    l Hover your mouse over the chart to view the CPU/chassis temperature statistics at a specific point in time.

    l Select a different Statistical Period to view the statistical information in that period of time.

  l Fan status: Displays the operation status of the fan. Green indicates normal, and red indicates an error or that a power supply module is not used.

l Sessions: Displays the current session utilization, new sessions trend and concurrent sessions trend.

  l Hover your mouse over the chart to view the new sessions and concurrent sessions statistics at a specific point in time.

  l Select a different Statistical Period to view the statistical information in that period of time.

l CPU/memory status: Displays the current CPU utilization, memory utilization and CPU temperature statistics.

  l Click the legends CPU Utilization, Memory Utilization or CPU Temperature to specify the histogram statistical objects. By default, statistics of all objects are displayed.

  l Hover your mouse over the histogram to view the detailed information; the Details link is displayed.

    l Click Details to view the trend of the specified histogram.

    l Hover your mouse over the chart to view CPU utilization, memory utilization or CPU temperature statistics at a specific point in time.

    l Select a different Statistical Period to view the statistical information in that period of time.


Statistical Period
The system supports predefined time cycles. The statistical period may vary slightly for different monitored objects. If there is a conflict between this guide and the actual page, the latter shall prevail. Select the statistical period from the Last 24 Hours drop-down menu at the top right corner of the statistics page to set the time cycle.

l Real-time: Displays the current statistical information.

l Last 60 Minutes: Displays the statistical information within the latest 1 hour.

l Last 24 Hours: Displays the statistical information within the latest 1 day.

l Last 7 Days: Displays the statistical information within the latest 1 week.

l Last 30 Days: Displays the statistical information within the latest 1 month.

l Custom: Displays the statistical information within a custom period. Click Custom to configure the start time and end time.


System Alarm
The alarm feature actively detects suspicious issues in the protected network and sends out alarm messages. The rule that defines what behavior should be alerted is called an alarm rule.

The system can analyze alarm messages and display the analysis results in the form of charts and a timeline. In addition, alarm messages can be sent to system administrators by email or SMS text message, so that the administrator receives alerts promptly and can respond to them.

Related links:

l "Alarm Rule" on Page 147

l "Send Object" on Page 150

Alarm as a Monitor
The alarms are shown under the Monitor module. When an occurrence defined in an alarm rule happens, the alarm message is generated and shown in the alarm page. For alarm rules, refer to "Alarm Rule" on Page 147.

In the alarm page, alarms are shown in three views: alarms arranged by time, alarms arranged by severity level, and alarm details.

Alarms by Time
In the Time tab, alarm messages are plotted on a two-dimensional coordinate axis. To see the alarms by time page, select System Monitor > System Alarm, and select the Time tab.


l Configuring filters: The left vertical axis shows the number of alarms. You may define the conditions to filter alarms.

  l Type: Select one or more types from the drop-down menu, and click Add to add them to the right.

  l Severity: Select one or more severity levels. There are three severity levels: critical, warning, and informational.

  l Status: Select a message status from the drop-down menu: all, unread or read.

  l Time: Select the time range in which alarms were generated. You may select to view the last one hour, one day, one week, one month or another user-defined time.

l Hover over a dot (red, yellow or green) and click the link; you will be redirected to the detail page of that alarm.

l Click the button to jump to the alarm rule configuration page.

Alarm by Severity
The Severity tab shows a bar chart of the number of alarm messages at each severity level. Select System Monitor > System Alarm, and select the Severity tab.

l Configuring filters:

  l Type: Select one or more types from the drop-down menu, and click Add to add them to the right.

  l Status: Select a message status from the drop-down menu: all, unread or read.

  l Time: Select the time range in which alarms were generated. You may select to view the last one hour, one day, one week, one month or another user-defined time.

l Click on a bar; you will be redirected to the alarm details page.

l Click the button to jump to the alarm rule configuration page.

Alarm Details
Select System Monitor > System Alarm, and click the All tab. You will see all alarm messages and their detailed information.

l Configuring filters:

  l Last Alarm Time: Select the time range in which alarms were generated. You may select to view the last one hour, one day, one week, one month or another user-defined time.

  l Type: Select one or more types from the drop-down menu, and click Add to add them to the right.

  l Severity: Select one or more severity levels. There are three severity levels: critical, warning, and informational.

  l Status: Select a message status from the drop-down menu: all statuses, unread messages and/or read messages.

  l Read at: Select the time at which the message was read.

  l Read by: Select the person who read the message.

  l Comment: Select whether to see messages with or without a comment.

  l Reason: Type the keywords you want to search for in the reasons that triggered the alarm.

l To read and comment on alarms:

  l Batch reading: Select the check boxes of all alarm messages you want to read, and click Read Alarm. In the prompt, enter your comment, and click OK.

  l Single reading: Hover your cursor over the Status column and click Read. In the prompt, enter your comment, and click OK.

l To add or modify a comment:

  l Batch adding/modifying: Select the check boxes of all alarm messages you want to comment on, and click Add/Modify Comment. In the prompt, enter your comment, and click OK.

  l Single adding/modifying: Select the check box of the alarm message you want to comment on, and click Add/Modify Comment. In the prompt, enter your comment, and click OK.

l To view every message in an alarm: Click the number in the Count column; you will see every occurrence time of this alarm incident.

l Click the button to jump to the alarm rule configuration page.


Alarm Rule
An alarm rule defines the condition that triggers an alarm. When an incident that complies with the alarm rule happens, the system detects that incident and generates an alarm message.

There are three alarm categories: device alarms, application alarms.

Creating an Alarm Rule

To create an alarm rule:

1. Select Configuration Management > System Configuration > System Alarm Rule > Rule.

2. Click New.

In the Alarm Rule Configuration page, enter the values.

Option Description

Rule Name: Specify the rule name. You can input 31 characters at most.

Rule Type: Specify the description of the warning rule. You can input 255 characters at most.

Trigger: Specify the trigger of the warning, including the monitored object and the threshold. Select the monitored object from the drop-down menu and then set the threshold. Generally, there are two types of thresholds: the threshold within a period, and the threshold at a specific point of time. Administrators can use both of them or one of them. If administrators use both, the logical relation between them is "or", which means the system generates the warning information when either threshold is met.
Note: If the monitored object is New Sessions, Concurrent Sessions, or Interface Bandwidth, the threshold is a percentage.

Advanced

Schedule: Specify the schedule of the warning rule from the drop-down list. The warning rule takes effect during the period of time decided by the schedule. You can also click New Schedule in the drop-down list to create a new schedule.

Severity: Specify the severity of the incident.

Alarm mode: Specify the alarming method.

l Send via Email: Select the checkbox and then specify a recipient or create a new recipient from the Recipient drop-down menu. The system reports the events to the recipient by sending a warning email. To create or edit a recipient, go to Configuration Management > System Configuration > System Alarm Rule > Send Object (refer to "Send Object" on Page 150).

l Send via SMS: Select the checkbox and then specify a recipient or create a new recipient from the Recipient drop-down menu. The system reports the events to the recipient by sending a mobile phone text message. To create or edit a recipient, go to Configuration Management > System Configuration > System Alarm Rule > Send Object (refer to "Send Object" on Page 150).

l Send via Trap: Select the checkbox, and the system sends messages to the Trap host when an event occurs. To configure a Trap host, go to System > SNMP (refer to "SNMP" on Page 407).
Note: If you use "Send via Trap", you must designate an SNMP host and a Trap host at the same time.

Description: Specify the description of the rule. You can input 255 characters at most.

3. Click OK.
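The Trigger option above combines two threshold types with an "or" relation and uses a percentage threshold for the session and interface-bandwidth objects. The following Python script is an added example written for the reader of this guide, not Hillstone's code: it assumes that the threshold within a period is compared against the mean over a sliding window of samples (the guide does not say how that threshold is evaluated), assumes a 300-second default period, and uses a constructed rule and constructed one-minute session samples.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Per the Trigger description, these monitored objects take a percentage threshold.
PERCENT_OBJECTS = {"New Sessions", "Concurrent Sessions", "Interface Bandwidth"}


@dataclass
class AlarmRule:
    name: str
    monitored_object: str
    period_threshold: Optional[float] = None   # threshold within a period
    period_seconds: int = 300                  # length of that period (assumed default)
    point_threshold: Optional[float] = None    # threshold at a specific point of time
    severity: str = "warning"


def normalise(rule, value, capacity):
    """Convert a raw sample into the unit the rule's threshold is expressed in."""
    if rule.monitored_object in PERCENT_OBJECTS:
        if not capacity:
            raise ValueError(f"{rule.monitored_object} needs a capacity to compute a percentage")
        return 100.0 * value / capacity
    return value


def evaluate(rule, samples, interval_seconds, capacity=None):
    """Evaluate a rule over evenly spaced samples; returns [(sample_index, reason), ...].

    Assumed semantics for the period threshold: the mean over a sliding window of
    `period_seconds` is compared against it. Either threshold firing raises the
    alarm, which is the "or" relation the guide states.
    """
    window = max(1, rule.period_seconds // interval_seconds)
    values = [normalise(rule, v, capacity) for v in samples]
    alarms = []
    for i, value in enumerate(values):
        reasons = []
        if rule.point_threshold is not None and value > rule.point_threshold:
            reasons.append(f"point value {value:.1f} > {rule.point_threshold}")
        if rule.period_threshold is not None and i + 1 >= window:
            avg = mean(values[i + 1 - window:i + 1])
            if avg > rule.period_threshold:
                reasons.append(f"{rule.period_seconds}s average {avg:.1f} > {rule.period_threshold}")
        if reasons:
            alarms.append((i, "; ".join(reasons)))
    return alarms


def demo():
    """Constructed one-minute samples of concurrent sessions on a 10,000-session device."""
    rule = AlarmRule(
        name="sessions-high",
        monitored_object="Concurrent Sessions",
        period_threshold=80,    # percent, averaged over 5 minutes
        period_seconds=300,
        point_threshold=95,     # percent, single sample
        severity="critical",
    )
    samples = [5000, 6000, 9600, 7000, 8500, 8800, 8900]
    return evaluate(rule, samples, interval_seconds=60, capacity=10_000)


if __name__ == "__main__":
    for index, reason in demo():
        print(f"minute {index}: {reason}")
```

With these samples the single 96% spike at minute 2 trips the point threshold on its own, while the sustained load from minute 2 onward only trips the period threshold at minute 6, when the 5-minute average first exceeds 80%. A rule with only a period threshold would have missed the short spike, and one with only a point threshold would have missed the sustained load, which is why the guide lets both be configured together.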


Send Object
After the alarm rules are configured, the system reports warning events to the recipient by sending a warning email or message. In the Send Object page, configure the recipient information.

Creating a Send Object

To create a send object:

1. Click Configuration Management > System Configuration > System Alarm Rule > Send Object.

2. Click New.

In the Recipient Configuration page, enter the recipient information.

Option Description

Name: Specify the recipient's name.

Email: Specify the email address for receiving warning emails.

Comment: Specify the comments of the recipient.

Viewing Relevant Alarm Rules

In the Relevant Warning Rules window, you can view the warning rules that relate to the selected recipients after selecting them.


Chapter 6 Report & Log
The Report and Log module includes:

l "Reporting" on Page 152: Gathers and analyzes data for the following report categories, providing all-around and multi-dimensional statistics.

l "Logging" on Page 166: Records and displays the threat logs, CloudSandBox logs, event logs, network logs, configuration logs, etc.

Notes: ThreatSensor series devices do not support this function.


Reporting
The system provides rich and vivid reports that allow you to analyze network risk, network access and device status comprehensively through all-around and multi-dimensional statistics and charts.

You can configure report tasks in "Report Template" on Page 154 and "Report Task" on Page 160, and view generated report files in "Report File" on Page 153.

Notes:
l If the user configured the report function before upgrading to version 3.0, the existing report configuration information will not take effect after upgrading to version 3.0. Please reconfigure the report function.

l ThreatSensor series devices do not support this function.

Related Links:

l "Report File" on Page 153

l "Report Template" on Page 154

l "Report Task" on Page 160


Report File
Go to Report & Log > Reports > Report File; the report file page shows all the generated report files.

l Sort report files by different conditions: Select Group by Time, Group by Task or Group by Status from the drop-down list, and then select a time, task or status from the selection table; the related report files are shown in the report file table.

l A bold black entry indicates that the report file status is "unread".

l Click Delete to delete the selected report files.

l Click Export to download the selected report files.

l Click Mark as Read to modify the status of the selected report files.

l Select a condition from the drop-down list, and enter a keyword in the text box to search for report files.

l In the File Type column, click the icon of a report file to preview it. Not all platforms support preview.

Notes: If your browser has enabled "Blocking pop-up windows", you will not see the generated file. Make sure to set your browser to "Always allow pop-up windows", or go to your blocked window history to find the report file.


Report Template
Report templates define all the contents of the report files. To generate a report file, you need to configure the report template first.

Report templates are classified as predefined and user-defined templates, providing a variety of pre-categorized report items.

l Predefined Template: Predefined templates are built into the system. By default, different report items have been selected for each predefined template category. A predefined template cannot be edited or deleted. The predefined template categories are as follows:

Category Description

Network and Application Traffic Report: Statistics of the current network situation, covering the network traffic and application traffic.

Top 10 Endpoints and Servers by Network Threats: Statistics of the top 10 Endpoints and Servers by network threats, covering the host application traffic and network threats.

Global Network and Risk Assessment Report: Statistics of the global network and risk status, covering the overview, network and application traffic, network threats, and Endpoint and Server details.

Top 10 Endpoints and Servers by Application Traffic: Statistics of the top 10 Endpoints and Servers by application traffic, covering the Endpoint and Server application traffic and network threats.

Network Threat Report: Statistics of the threats in the current network, covering the threat trend, external attackers and threat categories.

l User-defined Template: A report template created as needed. You can select the report items. Up to 32 user-defined templates can be created.


Creating a User-defined Template

To create a user-defined template, take the following steps:

1. Click Report & Log > Report > Template.

2. Click New.

In the Report Template Configuration page, configure the following options.

Name: Specifies the name of the report template.

Description: Specifies the description of the report template.

Content: Select the check box of each report item as needed. By default, all report items are selected. The report items are described as follows:

• Network and Security Risk Summary: A comprehensive, overall assessment of the health status and security risks of the entire network.

• Network Traffic Details: Statistics of network traffic, helping you better understand bandwidth usage, traffic destinations and traffic management.

• Application Statistics and Risk Details: Statistics of the traffic of all applications seen by the device, showing the usage of the main service applications in the intranet. Click the TOP drop-down list to specify the number of applications ranked by traffic: TOP5, TOP10, TOP20 or TOP50.

• Network Threat Details: Statistics of the threat events detected by the device, the distribution of external attacks, etc., so that you know the network threats and risks present in the current network.

• Endpoint and Server Application and Risk Details: Statistics of the traffic of all applications on the TOP endpoints and critical assets, and the distribution of threats. Click the TOP drop-down list to specify the number of endpoints or servers ranked by application traffic/threats: TOP5, TOP10 or TOP20.

• Device Status and Alarm: Statistics of the resource usage.

• Threat Description: Displays the detailed description of each threat, helping you understand the threat information.

3. Click OK to complete the user-defined template configuration.

Editing a User-defined Template

To edit a user-defined report template, take the following steps:

1. Click Report & Log > Report > Template.

2. In the templates list, select the user-defined report template entry that needs to be edited.

3. Click Edit.

4. Click OK to save the settings.

Deleting a User-defined Template

To delete a user-defined report template, take the following steps:

1. Click Report & Log > Report > Template.

2. In the templates list, select the user-defined report template entry that needs to be deleted.

3. Click Delete.

Cloning a Report Template

The system supports the rapid cloning of a report template. You can clone a current report template and generate a new one by modifying some of its parameters.

To clone a report template, take the following steps:

1. Click Report & Log > Report > Template.

2. In the templates list, select the report template that needs to be cloned.

3. Click the Clone button above the list, and in the Report Template Configuration page, enter the name of the newly cloned report template in the "Name" field.

4. The cloned report template is generated in the list.
Report Task
The report task is the schedule for a report file. It defines the report template, data range, generation period, generation time, and the output method of report files.

You can configure report tasks and generate report files on the device according to your needs.

Creating a Report Task

To create a report task, take the following steps:

1. Select Report & Log > Report > Report Task.

2. Click New.

Configure the basic values of the report task.

Name: Specifies the name of the report task.

Description: Specifies the description of the report task. You can modify it according to your requirements.

Expand Report Template, and select the report template you want to use for the report task.

Report Template: Specifies the report template to be used by the report task:

1. Select the report template (a predefined report template or a user-defined report template you created) from the Report Template list on the left.

2. When a report template is selected, the selected-template pane on the right shows the description of the template and the details of its report items.

You can also click the New or Edit button in the Report Template list on the left to open the Report Template Configuration dialog box and quickly create or edit a user-defined report template.

Expand Data Range, and configure the IP address range.

IP: Specifies the IP address range of the report statistics.

1. Click the IP drop-down list.

2. Select the IP address type (IPv4/mask or IPv4 range) from the Type drop-down list in the pop-up dialog box.

3. Enter the required address of the selected address type.

4. Click Add to add the address to the right pane.

5. After adding the desired addresses, click the blank area in this dialog box to complete the configuration.

6. If you need to delete an added address, select the address you want to delete in the right pane, and click the delete icon.

Expand Schedule, and configure the running time of the report task.

Schedule: The schedule specifies the running time of the report task. The report task can be run periodically or run immediately.

• Periodic: Generates report files as planned.

  • Schedule: Specifies the statistical period.

  • Generate At: Specifies the generation time.

• Generate Now: Generates report files immediately.

  • Specifies the start time and end time of the absolute statistical period in the time text box.

Expand Output, and configure the output mode of the report.

File Format: Specifies the output format of the report file: PDF, HTML or WORD.

Recipient: Sends the report file via email. To add recipients, enter the email addresses in the recipient text box (use ";" to separate multiple email addresses; up to 5 recipients can be configured).

Send via FTP: Click the Enable button after Send via FTP to send the report file to a specified FTP server.

• Server Name/IP: Specifies the FTP server name or IP address.

• Username: Specifies the username used to log on to the FTP server.

• Password: Enter the password of the FTP username.

• Anonymous: Select the check box to log on to the FTP server anonymously.

• Path: Specifies the location where the report file will be saved.

3. Click OK to complete the report task configuration.

Editing the Report Task

To edit a report task, take the following steps:

1. Select Report & Log > Report > Report Task.

2. In the report task list, select the report task entry that needs to be edited.

3. Click the Edit button on the top to open the Report Task Configuration page and edit the selected report task.

4. Click OK to save the settings.

Deleting the Report Task

To delete a report task, take the following steps:

1. Select Report & Log > Report > Report Task.

2. In the report task list, select the report task entry that needs to be deleted.

3. Click the Delete button on the top to delete the selected report task.

Enabling/Disabling the Report Task

To enable or disable a report task, take the following steps:

1. Select Report & Log > Report > Report Task.

2. Select the task, and click the Enable or Disable button on the top. By default, a user-defined task is enabled.


Report Status
The generation of a report might take a long time. You can view the running status of report tasks on the Report Status page. You can view the status of an immediate report task as soon as it is created. For a periodic report task, you can view its status once the execution time is reached.

Select Report & Log > Report > Report Status, and click Processing to view the status of current report tasks.

• Time: indicates the time used by executing the report task.

• Name: indicates the name of the report task.

• Status: indicates the status of the report task, including "waiting", "generating" and "complete".

• Stop: click Stop after selecting a report task to terminate its execution.

Select Report & Log > Report > Report Status, and click Failed to view the report tasks that failed to execute.

• Time: indicates the time when the report task execution ended.

• Name: indicates the name of the report task.

• Status: indicates the status of the report task. For reports that fail to execute, the status is "Failed".

• Fail Cause: indicates the cause of the execution failure.


Logging
The Log module records and displays the following logs:

• Threat - logs related to behaviors threatening the protected system, e.g. attack defense logs, AV logs, IDS logs, attack-detection logs, abnormal behavior detection logs, advanced threat detection logs and deception detection logs.

• CloudSandBox - logs about the sandbox.

• Event - logs about the system, like login logs.

• Network - logs about network services, like route logs.

• Configuration - logs about configuration, e.g. interface configuration logs.

• Session - session logs, e.g. session protocols, source and destination IP addresses and ports.

Notes: ThreatSensor series devices do not support this function.

Log Severity
Event logs are categorized into eight severity levels.

Emergencies (level 0): Identifies illegitimate system events.

Alerts (level 1): Identifies problems which need immediate attention, such as the device being attacked.

Critical (level 2): Identifies urgent problems, such as hardware failure.

Errors (level 3): Generates messages for system errors.

Warnings (level 4): Generates messages for warnings.

Notifications (level 5): Generates messages for notices and special attention.

Informational (level 6): Generates informational messages.

Debugging (level 7): Generates all debugging messages, including daily operation messages.

Destination of Exported Logs
Log messages can be sent to the following destinations:

• Console - The default output destination. You can close this destination via the CLI.

• Remote - Includes Telnet and SSH.

• Buffer - Memory buffer.

• File - By default, the logs are sent to the specified USB destination in the form of a file.

• Syslog Server - Sends logs to a UNIX or Windows syslog server.

• Email - Sends logs to a specified email account.

Log Format
To facilitate the access and analysis of the system logs, logs follow a fixed layout: date/time, severity level@module: description. See the example below:

2000-02-05 01:51:21, WARNING@LOGIN: Admin user "admin" logged in through console from localhost.
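The fixed layout above and the severity table are easy to check with a small parser. The following Python is an added example written for readers of this guide, not code from Hillstone or the BDS product. It assumes the severity keyword inside a line is the upper-cased singular form of the table's name (only WARNING is confirmed by the guide's sample line), and it uses constructed sample lines alongside that sample. It applies the same cut-off as the Lowest Severity option in the log settings: records whose level number is above the threshold are dropped.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# Numeric severity levels as given in the Log Severity table (0 is the most
# severe, 7 the least). The upper-case keyword that appears inside a log line
# ("WARNING" in "WARNING@LOGIN") is an assumed normalisation of the table's
# names; only WARNING is confirmed by the guide's own sample line.
SEVERITY_LEVELS = {
    "EMERGENCY": 0,
    "ALERT": 1,
    "CRITICAL": 2,
    "ERROR": 3,
    "WARNING": 4,
    "NOTIFICATION": 5,
    "INFORMATIONAL": 6,
    "DEBUG": 7,
}

# Fixed layout from the Log Format section:
#   "<date> <time>, <SEVERITY>@<MODULE>: <description>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), "
    r"(?P<sev>[A-Z]+)@(?P<module>[A-Za-z0-9_-]+): (?P<msg>.*)$"
)


@dataclass
class LogRecord:
    timestamp: datetime
    severity: str
    level: int
    module: str
    message: str


def parse_log_line(line: str) -> Optional[LogRecord]:
    """Parse one exported line; return None for lines that do not fit the layout
    or carry an unknown severity keyword, so a malformed line never aborts a batch."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    sev = m.group("sev")
    if sev not in SEVERITY_LEVELS:
        return None
    return LogRecord(
        timestamp=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        severity=sev,
        level=SEVERITY_LEVELS[sev],
        module=m.group("module"),
        message=m.group("msg"),
    )


def filter_by_lowest_severity(lines: Iterable[str], lowest: str) -> list:
    """Apply the same rule as the Lowest Severity option: keep records at or
    above the selected severity, i.e. with a level number <= the threshold."""
    threshold = SEVERITY_LEVELS[lowest]
    kept = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None and rec.level <= threshold:
            kept.append(rec)
    return kept


def count_by_module(records) -> dict:
    """Tally kept records per module, a quick way to see which subsystem is noisy."""
    counts: dict = {}
    for rec in records:
        counts[rec.module] = counts.get(rec.module, 0) + 1
    return counts


# Constructed sample export. The first line is the guide's own example; the
# others are made up in the same layout to exercise the filter.
SAMPLE_LINES = [
    '2000-02-05 01:51:21, WARNING@LOGIN: Admin user "admin" logged in through console from localhost.',
    "2000-02-05 01:52:03, ALERT@IDS: constructed alert message",
    "2000-02-05 01:52:10, INFORMATIONAL@LOGIN: constructed informational message",
    "2000-02-05 01:53:44, DEBUG@SYSTEM: constructed debug message",
    "not a log line at all",
]

if __name__ == "__main__":
    kept = filter_by_lowest_severity(SAMPLE_LINES, "WARNING")
    for rec in kept:
        print(rec.timestamp, rec.severity, rec.module, rec.message)
    print(count_by_module(kept))
```

With Lowest Severity set to WARNING, the WARNING and ALERT lines survive while the INFORMATIONAL and DEBUG lines are dropped, mirroring what the device exports; the malformed last line is skipped rather than raising.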

Threat Logs
Threat logs can be generated under the following conditions:

• Threat logging in the Logging feature is enabled. Refer to "Log Configuration" on Page 184.

• You have enabled one or more of the following features: "Anti Virus" on Page 260, "Intrusion Detection System" on Page 268, "Attack Detection" on Page 328.

To view threat logs, select Report & Log > Log > Threat Log.

In this page, you can perform the following actions:

• Configure: Click to jump to the configuration page.

• Export: Click to export the displayed logs as a TXT or CSV file. Only weak password logs in threat logs exported by the administrator will display the actual weak password information.

• Merge Log: Select the merging type in the drop-down list: Do Not Merge, Threat Name, Source IP or Destination IP.

• Filter: Click to add conditions to show only logs that match the filter conditions. When selecting the filter condition Attack Result, you can view the threat logs of the specified attack result, including:

  • Attempted: Indicates that an attack occurred, but the attack was unsuccessful or its result is uncertain, and it is impossible to determine whether the attacked device has been compromised.

  • Successful: The attacker has successfully exploited the vulnerability or delivered a malicious sample, and it is unclear whether the malicious sample was executed.

  • Confirmed Compromised: It is confirmed that the attacked device has been compromised, and there have been behaviors such as outreach and lateral spread.

  • Unknown: Attack results upgraded from the old database, or attack results preset by a detection engine that does not support them.

• To save the filter, take the following steps:

  1. Click the button to the right of the filter, then click the save icon in the pop-up list.

  2. Enter the name in the pop-up text box and click the Save button.

  3. Click the saved filter name to display the threat log information corresponding to the filter condition.

• To delete the filter, take the following steps:

  • Delete a single filter: Hover your mouse over that filter and click the × on the right to delete the filter.

  • Delete all filters: Click the × Remove All button on the right side of the filter bar to delete all filters.

  • Delete the saved filters: Click the button to the right of the filter, then in the pop-up list, click the × to the right of the saved filter name you want to delete.

• Select the log entry and view its details in the Log Details panel, where you can perform the following operations:

  • View the severity, application/protocol, source/destination port, attacker IP address, victim IP address, attack result, threat start time, end time, and other threat-related information (such as the plain-text SQL command, plain-text URI path, etc.).

  • Click View packets to view the packets corresponding to the threat, or click Download to download the packets to your PC. The system can capture IPv6 and IPv4 packets.

  • For threat logs related to a weak password, click View behind the Password field. The administrator can view weak password details in the Password View panel. Click Copy to copy the weak password.

  • Click the ID, Add to Whitelist, or Disable Signature next to Signature ID to go to the corresponding panel. For more information, see the corresponding panel.

  • For threat logs whose detection engine is Intrusion Detection System, if you have enabled the function of capturing complete threat data, you can view the ASCII and hexadecimal representation of the threat data in the Log Details panel and analyze the entire process of the threat. If the function of capturing complete threat data is disabled, the Threat Data section is not displayed in the Log Details panel of threat logs.

  • When the detection engine is Antivirus, you can click MD5 or Add to Whitelist next to the URL field to add the MD5/URL to the whitelist in Configuration Management > Threat Detection Configuration > Anti-Virus > Whitelist.

  • For certain threats, such as SMB service scanning, suspicious HTTP requests via TOR, accessing malicious websites, FTP command evasion, suspicious external remote control, large amounts of SMTP connections, suspicious SSDP activities, and suspicious NETBIOS activities, the corresponding detection principle is displayed in the Message field.

  • MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of attack behaviors. It categorizes known attacks as tactics and techniques, establishing a practical and clear framework. The system maps detected suspicious behaviors to the MITRE ATT&CK® model and displays the MITRE ATT&CK® tactic IDs and technique IDs of the threat in threat logs, helping you identify suspicious behaviors more effectively. To ensure that the latest MITRE ATT&CK® knowledge base is used during detection, it is recommended to upgrade the MITRE ATT&CK® knowledge database. For more information about upgrading the MITRE ATT&CK® Knowledge Base, refer to Updating Signature Database.

    • Click the ATT&CK® Tactic ID to go to the MITRE ATT&CK® Tactic Details panel, where you can view the name, created time, last modified time, data source, official link, and description of this tactic. A MITRE ATT&CK® tactic represents the adversary's tactical objective, the reason for performing the attack.

    • Click the ATT&CK® Technical ID to go to the MITRE ATT&CK® Technical Details panel, where you can view this technique's name, data source, permission/system/network requirements, tactic, parent technique, sub-technique, mitigation methods, official link, platform, etc. A MITRE ATT&CK® technique represents how an adversary achieves a tactical goal by performing an action.

• In the threat list, click the threat intelligence icon behind the address in the "Source"/"Destination" column, or hover your cursor over an object and click the button that appears to its right, to open the threat intelligence center (CloudVista); see Viewing the Threat Intelligence.


CloudSandBox Logs
To view sandbox logs, select Report & Log > Log > Cloud SandBox Log.

In this page, you can perform the following actions:

• Configure: Click to jump to the CloudSandBox page.

• Clear: Click to clear the selected logs.

• Export: Click to export the displayed logs as a TXT or CSV file.

• Filter: Click to add conditions to show only logs that match your filter. You can enter an IPv4 or IPv6 address if the filter condition is source or destination IP.

Event Logs
To view event logs, select Report & Log > Log > Event Log.

In this page, you can perform the following actions:

• Configure: Click to jump to the configuration page.

• Export: Click to export the displayed logs as a TXT or CSV file.

• Filter: Click Filter to add conditions to show only logs that match your filter.

Network Logs
To view network logs, select Report & Log > Log > Network Log.

In this page, you can perform the following actions:

• Configure: Click to jump to the configuration page.

• Export: Click to export the displayed logs as a TXT or CSV file.

• Filter: Click to add conditions to show only logs that match your filter.

Configuration Logs
To view configuration logs, select Report & Log > Log > Configuration Log.

In this page, you can perform the following actions:

• Configuration: Click to jump to the configuration page.

• Export: Click to export the displayed logs as a TXT or CSV file.

• Filter: Click to add conditions to show only logs that match your filter.

Session Logs
Session logs can be generated under the following condition:

• Session logging in the Logging feature is enabled. Refer to "Managing Logs" on Page 178.

To view session logs, select Report & Log > Log > Session Log.

In this page, you can perform the following actions:

• Configure: Click to jump to the configuration page.

• Export: Click to export the displayed logs as a TXT or CSV file.

• Clear: Click this button to clear all session logs stored in the system.

• Filter: Click to add conditions to show only logs that match your filter.

Notes:
• For ICMP session logs, the system only records the ICMP type value and its code value. As ICMP types 3, 4, 5, 11 and 12 are generated by other communications and do not form a complete ICMP session, the system does not record such packets.

• For TCP and UDP session logs, the system checks the packet length first. If the packet length is 20 bytes (i.e., an IP header with no payload), it is treated as a malformed packet and dropped; if a packet is over 20 bytes but has errors, the system drops it as well. So such abnormal TCP and UDP packets are not recorded.


Managing Logs
You can configure the system to enable the logging function, including enabling the various log types.

Configuring Logs

To configure the parameters of the various log types, take the following steps:

1. Select Report & Log > Log > Log Management.

2. Click the edit icon of the log type you want, and you will enter the corresponding log settings.

3. Click OK.

Option Descriptions of Various Log Types

This section describes the options available when you set the properties of each log type.

Threat Log

Enable: Click the Enable button to enable the threat logging function.

Cache: Select the check box to export threat logs to the cache.

• Max buffer size - The maximum size of the cached threat logs. The default value may vary between hardware platforms.

• Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

File: Select to export threat logs as a file to USB.

• Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

• Max File Size - The maximum size of the exported log file.

• Save logs to USB - Select a USB device and enter a name as the log file name.

Terminal: Select to send logs to terminals.

Log Server: Select the check box to export threat logs to a log server.

• View Log Server - Click to see all existing syslog servers or to add a new server.

• Syslog Distribution Methods - The distributed logs can be in binary or text format. If you select the check box, log messages are sent to different log servers, which relieves the pressure on a single log server. The algorithm can be Round Robin or Src IP Hash.

Email address: Select the check box to export logs to the specified email address.

• Viewing Email Address: Click to see or add an email address.

Database: Select the check box to save logs on the local device. Only some platforms support this parameter.

• Disk Space - Enter a number as the percentage of the storage the logs may take. For example, if you enter 30, the threat logs will take at most 30% of the total disk size.

• Disk Space Limit - If Auto Overwrite is selected, logs which exceed the disk space automatically overwrite the oldest logs. If Stop Storing is selected, the system stops storing new logs when the logs exceed the disk space.

CloudSandBox Log

Enable: Click the Enable button to enable the CloudSandBox logging function.

Cache: Select the check box to export CloudSandBox logs to the cache.

• Max Buffer Size - The maximum size of the cached CloudSandBox logs. The value range is 4096 to 524288 bytes. The default value may vary between hardware platforms.

File: Select the check box to send a syslog to a file.

• Max File Size - Specifies the maximum size of the syslog file. The value range is 4096 to 1048576 bytes. The default value is 1048576 bytes.

• Save logs to USB - Select the check box and select a USB drive (USB0 or USB1) from the drop-down list. Type a name for the syslog file into the File Name box.

Log Server: Select the check box to export CloudSandBox logs to the syslog server.

• View Log Server - Click to see all existing syslog servers or to add a new server.

Event Log

Enable: Click the Enable button to enable the event logging function.

Console: Select the check box to send a syslog to the Console.

• Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

Terminal: Select the check box to send a syslog to the terminal.

• Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

Cache: Select the check box to send a syslog to the cache.

• Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

• Max Buffer Size - The maximum size of the cached logs. The default value may vary between hardware platforms.

File: Select the check box to send a syslog to a file.

• Max File Size - Specifies the maximum size of the syslog file. The value range is 4096 to 1048576 bytes. The default value is 1048576 bytes.

• Save logs to USB - Select the check box and select a USB drive (USB0 or USB1) from the drop-down list. Type a name for the syslog file into the File Name box.

Log Server: Select the check box to export event logs to the syslog server.

• View Log Server - Click to see all existing syslog servers or to add a new server.

• Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

Email Address: Select the check box to send event logs to the email address.

• View Email Address: Click to see all existing email addresses or add a new address.

• Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

SMS: Select the check box to send event logs via SMS.

• Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

Network Log

Enable: Click the Enable button to enable the network logging function.

Cache: Select the check box to export network logs to the cache.

• Max Buffer Size - The maximum size of the cached network logs. The value range is 4096 to 524288 bytes. The default value may vary between hardware platforms.

File: Select the check box to send a syslog to a file.

• Max File Size - Specifies the maximum size of the syslog file. The value range is 4096 to 1048576 bytes. The default value is 1048576 bytes.

• Save logs to USB - Select the check box and select a USB drive (USB0 or USB1) from the drop-down list. Type a name for the syslog file into the File Name box.

Log Server: Select the check box to export network logs to the syslog server.

• View Log Server - Click to see all existing syslog servers or to add a new server.

Configuration Log

Enable: Click the Enable button to enable the configuration logging function.

Cache: Select the check box to export configuration logs to the cache.

• Max Buffer Size - The maximum size of the cached configuration logs. The value range is 4096 to 524288 bytes. The default value may vary between hardware platforms.

Log Server: Select the check box to export configuration logs to the syslog server.

• View Log Server - Click to see all existing syslog servers or to add a new server.

Log Speed Limit: Select the check box to set the maximum rate at which logs are generated.

• Maximum Speed - Specifies the rate (messages per second).

Session Log

Enable: Click the Enable button to enable the session logging function.

Cache: Select the check box to export session logs to the cache.

• Max Buffer Size - The maximum size of the cached session logs. The value range is 4096 to 524288 bytes. The default value may vary between hardware platforms.

Log Server: Select the check box to export session logs to a log server.

• View Log Server - Click to see all existing syslog servers or to add a new server.

• Syslog Distribution Methods - The distributed logs can be in binary or text format. If you select the check box, log messages are sent to different log servers, which relieves the pressure on a single log server. The algorithm can be Round Robin or Src IP Hash.
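The Syslog Distribution Methods option in the Threat Log and Session Log settings above offers Round Robin or Src IP Hash. The following Python, an added example and not code from Hillstone or the BDS product, models the two choices with a constructed list of log servers and constructed session records to show the practical difference: round robin balances load but splits one host's records across servers, while a source-IP hash keeps every record for a host on the same server, which matters when that server is where you correlate events. The hashing scheme (SHA-256 of the packed address) is an assumption for illustration, not the device's algorithm.

```python
import hashlib
import ipaddress
from itertools import cycle
from typing import Dict, List, Set, Tuple

# Constructed set of log servers; the guide allows at most 3 per device.
SERVERS = ["syslog-a.example.internal", "syslog-b.example.internal"]


class LogDistributor:
    """Pick a destination server for each log message using one of the two
    methods named in the guide's Syslog Distribution Methods option."""

    METHODS = ("round_robin", "src_ip_hash")

    def __init__(self, servers: List[str], method: str) -> None:
        if not servers:
            raise ValueError("at least one log server is required")
        if method not in self.METHODS:
            raise ValueError(f"unknown method {method!r}")
        self.servers = list(servers)
        self.method = method
        self._next = cycle(range(len(self.servers)))

    def pick(self, src_ip: str) -> str:
        if self.method == "round_robin":
            # Spread load evenly regardless of which host the message is about.
            return self.servers[next(self._next)]
        # Hash the packed address (works for IPv4 and IPv6) with a stable digest,
        # not Python's per-process salted hash(), so the mapping is the same after
        # a restart and all records of one host land on one server. This hash
        # choice is an assumption for illustration, not the device's algorithm.
        digest = hashlib.sha256(ipaddress.ip_address(src_ip).packed).digest()
        return self.servers[int.from_bytes(digest[:4], "big") % len(self.servers)]


# Constructed (src_ip, message) pairs in the order the device would emit them.
SAMPLE_MESSAGES: List[Tuple[str, str]] = [
    ("10.0.0.5", "constructed session log 1"),
    ("10.0.0.5", "constructed session log 2"),
    ("10.0.0.9", "constructed session log 3"),
    ("10.0.0.9", "constructed session log 4"),
]


def servers_per_source(messages, method: str, servers=SERVERS) -> Dict[str, Set[str]]:
    """Which servers end up holding records for each source IP."""
    dist = LogDistributor(servers, method)
    seen: Dict[str, Set[str]] = {}
    for src_ip, _msg in messages:
        seen.setdefault(src_ip, set()).add(dist.pick(src_ip))
    return seen


def server_counts(messages, method: str, servers=SERVERS) -> Dict[str, int]:
    """How many records each server receives."""
    dist = LogDistributor(servers, method)
    counts = {s: 0 for s in servers}
    for src_ip, _msg in messages:
        counts[dist.pick(src_ip)] += 1
    return counts


if __name__ == "__main__":
    for method in LogDistributor.METHODS:
        print(method, servers_per_source(SAMPLE_MESSAGES, method),
              server_counts(SAMPLE_MESSAGES, method))
```

Run stand-alone, the round-robin case shows host 10.0.0.5 spread over both servers with two records each, while the hash case puts each host's records on exactly one server. When you search a single log server for everything one host did, only the second mode guarantees a complete view.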

Log Configuration
You can create log servers, set up log email addresses, and add UNIX servers.

Creating a Log Server

To create a log server, take the following steps:

1. Select Report & Log > Log > Log Configuration.

2. Click the Log Server Configuration tab.

3. Click New.

In the Log Server Configuration page, configure these values.

Host Name: Enter the name or IP address of the log server.

Protocol: Specifies the protocol type of the syslog server. If "Secure-TCP" is selected, you can select the Do not validate the server certificate option, in which case the system transfers logs without requiring any certificate validation. Without validation the device cannot distinguish the intended log server from any other host presenting a certificate, so leave validation enabled wherever the server's certificate can be trusted.

Port: Specifies the port number of the syslog server.

Log Type: Specifies the log types the syslog server will receive.

4. Click OK to save the settings.

Notes: You can add at most 3 log servers.

Configuring Log Encoding

The default encoding for log information output to the log server is UTF-8, and you can enable GBK encoding as needed. After GBK encoding is enabled, the logs output to the log server are GBK encoded. To enable GBK encoding:

1. Select Report & Log > Log > Log Configuration.

2. Click the Log Server Configuration tab.

3. Click the Log Encoding Configuration button in the upper right corner to open the Log Encoding Configuration dialog box.

4. Click the Enable button after GBK Encoding.

5. Click OK to save the settings.

Adding an Email Address to Receive Logs

An email in the log management settings is an email address for receiving log messages.

To add an email address, take the following steps:

1. Select Report & Log > Log > Log Configuration.

2. Click the Web Mail Configuration tab.

3. Click New and enter an email address.

4. If you want to delete an existing email address, click Delete.

Notes: You can add at most 3 email addresses.

Specifying a Unix Server

To specify a Unix server to receive logs, take the following steps:

1. Select Report & Log > Log > Log Configuration.

2. Click the Facility Configuration tab.

3. Select the device you want, and the logs will be exported to that Unix server.

4. Click OK.


Chapter 7 Configuration Management
The device's configuration management include:

l "System Information" on Page 188: User can view the general information of the system in the System
Information page, including Serial Number, Hostname, Platform, System Time, System Uptime, Firmware,
Signature Database and so on.

l " Network Configuration" on Page 190: Introduces the related elements and configuration of the device net-
work connection.

l " Object Configuration" on Page 216: Introduce the concept and configuration of object users in the system
that need to be referenced by other functional modules.

l "Intranet Assets" on Page 236 : Introduce concepts and configurations related to intranet assets.

l "ARP Defense" on Page 253: Introduce a series of ARP defense functions to check various ARP attacks on
the network.

Chapter 7 Configuration Management 187


System Information
Users can view the general information of the system in the System Information page, including Serial Number,
Hostname, Platform, System Time, System Uptime, Firmware, Signature Database and so on.

Viewing System Information


To view system information, select Configuration Management > System Information.

Option | Description
Serial Number | Shows the serial number of the device.
Hostname | Shows the name of the device.
Platform | Shows the platform model of the device.
System Time | Shows the system date and time of the device.
System Uptime | Shows the system uptime of the device.
Firmware | Shows the current version of the firmware.
Boot File | Shows the boot file.
Anti-Virus Signature | Shows the current version of the Anti-Virus signature database and its release date.
IDS Signature | Shows the current version of the IDS signature database and its release date.
Botnet C&C Detection Signature DB | Shows the current version of the Botnet C&C Detection signature database and the date of the last update.
Application Identification Database | Shows the current version of the application signature database and its release date.
Sandbox Whitelist DB | Shows the current version of the sandbox whitelist signature database and its release date.
MITRE ATT&CK® Knowledge Base | Shows the current version of the MITRE ATT&CK® knowledge base and its release date.
Abnormal Behavior Modeling Database | Shows the current version of the abnormal behavior model database and the date of the last update.
Malware Behavior Modeling Database | Shows the current version of the malware behavior model database and the date of the last update.
Deception Detection Modeling Database | Shows the current version of the deception detection database and the date of the last update.
Threat Tag Database | Shows the current version of the threat tag database and the date of the last update.

Notes: All signature databases are license controlled; make sure that the corresponding license is installed on your system. Refer to "License" on Page 419.



Network Configuration
This chapter describes factors and configurations related to the network connection, including:

- "Security Zone" on Page 191: The security zone divides the network into different sections, for example the mgt zone, the tap-bds zone or the deception zone.

- "Interface" on Page 194: The interface allows inbound and outbound traffic to security zones. An interface must be bound to a security zone so that traffic can flow into and from the security zone.

- "DNS" on Page 207: Domain Name System.

- "Global Network Parameters" on Page 209: These parameters mainly include IP packet processing options, like IP fragmentation, TCP MSS value, etc.



Security Zone
A security zone is a logical entity. One or more interfaces can be bound to one zone. Zones have the following features:

- Whether a zone is a TAP zone or a Layer 3 zone decides whether the interfaces bound to it work in tap mode or in Layer 3 mode.

- The traffic between interfaces that are bound to tap zones is forwarded. The predefined vswitch1 interface acts as the upstream switch interface, allowing packet forwarding between Layer 2 and Layer 3.

- The traffic between interfaces that are bound to Layer 3 zones is forwarded according to Layer 3 forwarding rules.

There are several predefined security zones in StoneOS, which cannot be deleted or renamed. You can modify the configurations of these predefined zones, and you can also create custom security zones. Predefined and user-defined security zones do not differ in function, so you can choose either freely.

Configuring a Security Zone

To create a security zone:

1. Select Configuration Management > Network Configuration > Zone.

2. Click New.

3. In the Zone Configuration page, type the name for the zone into the Zone box.

4. Type the descriptions of the zone in the Description text box.

5. Specify a type for the security zone. The system only allows the creation of TAP zones. The TAP zone is a functional zone for the TAP mode.

6. Bind interfaces to the zone. Select an interface from the Binding Interface drop-down list.

7. If needed, click the Enable button to enable APP identification for the zone.

8. If needed, click the Enable button to set the zone as a WAN zone, which ensures the accuracy of the statistical analyses that are based on IP data. This option only takes effect on the mgt zone.

9. When configuring the TAP zone, if needed, click the Enable button to enable the Duplicate Packet Check function. When this function is enabled, in the TAP mode the system detects duplicate packets received in the TAP zone and deletes them to ensure the accuracy of the detection functions.

10. If needed, expand Threat Detection and configure the parameters for the Threat Detection function. For detailed instructions, see "Chapter 8 Threat Detection" on Page 258.

11. Click OK to save the configurations.



Management Interfaces
The device defines the management interfaces MGT0 and MGT1; interface MGT0 is bound to the mgt zone.

Configuring Management Interfaces

To configure management interfaces:

1. Select Configuration Management > Network Configuration > Management Interface.

2. Select an interface from the Interface Name drop-down list.

3. Specify the zone for the management interface in the Zone drop-down list. You can only select a Layer 3 zone.

4. Specify the method of obtaining the IP address in the IP Configuration section. "Static IP" means specifying a static IP address and the netmask. Click Advanced to specify secondary IP addresses in the text box; you can specify up to 6 secondary IP addresses. "Auto-obtain" means obtaining the IP address through DHCP.

5. Specify the management methods by selecting the "Telnet/SSH/Ping/HTTP/HTTPS/SNMP" check boxes of the desired management methods.

6. Specify the mode and rate of the management interface. If you select the Auto duplex transmission mode, you can only select the Auto rate.

7. If needed, select the Shut Down check box to shut down the management interface.

8. Click OK.


Interface
Interfaces allow inbound and outbound traffic to security zones. An interface must be bound to a security zone so that traffic can flow into and from the security zone.

The security devices support various types of interfaces, which are basically divided into physical and logical interfaces by their nature.

- Physical Interface: Each Ethernet interface on the device represents a physical interface. The name of a physical interface, consisting of media type, slot number and location parameter, is pre-defined, like ethernet2/1 or ethernet0/2.

- Logical Interface: Includes sub-interfaces, loopback interfaces and aggregate interfaces.

Interfaces can also be divided into TAP interfaces and Layer 3 interfaces based on their security zones.

- TAP Interface: Any interface in a TAP zone. The TAP interface is used to receive mirrored traffic.

- Layer 3 Interface: Any interface in a Layer 3 zone. Only Layer 3 interfaces can operate in routing mode.

Different types of interfaces provide different functions, as described in the table below.

Type | Description
Sub-interface | The name of a sub-interface is an extension of the name of its original interface, like ethernet0/2.1. The system supports the following types of sub-interfaces: Ethernet sub-interface, aggregate sub-interface and redundant sub-interface. An interface and its sub-interfaces can be bound to one single security zone, or to different zones.
Loopback interface | A logical interface. As long as the security device on which the loopback interface is configured is in the working state, the interface is in the working state as well. Therefore, the loopback interface is characterized by stability.
Aggregate interface | A collection of 1 to 16 physical interfaces. These interfaces share the traffic load to the IP address of the aggregate interface evenly, in order to increase the available bandwidth for a single IP address. If one of the physical interfaces within an aggregate interface fails, the other physical interfaces can still process the traffic normally; the only effect is that the available bandwidth decreases.


Configuring an Interface

The configuration options for different types of interfaces may vary. For more information, see the following instructions.

General Properties of Interfaces

Interfaces of different types share many common properties. The tables below show the common properties and their descriptions.

1. Select Configuration Management > Network Configuration > Interface.

2. Double click an interface to view the configurations:

Expand Interface Properties, configure properties for the interface.

Option | Description
Duplex | Specifies a duplex working mode for the interface. Options include Auto, full duplex and half duplex. Auto is the default working mode, in which the system selects the most appropriate duplex working mode automatically. 1000M half duplex is not supported.
Rate | Specifies a working rate for the interface. Options include Auto, 10M, 100M and 1000M. Auto is the default working mode, in which the system detects and selects the most appropriate working mode automatically. 1000M half duplex is not supported.
Combo type | This option is applicable to a Combo port (copper port + fiber port). If both the copper port and the fiber port are plugged with a cable, the fiber port is prioritized by default; if the copper port is used first and a cable is then plugged into the fiber port, the fiber port will be used for data transmission after a reboot. You can specify how to use the copper port or the fiber port with the following options:
  - Auto: The default scenario described above.
  - Copper forced: The copper port is enforced.
  - Copper preferred: The copper port is prioritized.
  - Fiber forced: The fiber port is enforced.
  - Fiber preferred: The fiber port is prioritized. With this option configured, the device migrates the traffic on the copper port to the fiber port automatically without a reboot.
MTU | Specifies an MTU for the interface. The value range is 1280 to 1500/1800 bytes. The default value is 1500. The maximum MTU varies between Hillstone models.
ARP Learning | Click the Enable button to enable ARP learning.
ARP Timeout | Specifies an ARP timeout for the interface. The value range is 5 to 65535 seconds. The default value is 1200.
Keep-alive IP | Specifies an IP address that receives the interface's keep-alive packets.
MAC clone | The system clones a MAC address to the Ethernet sub-interface. If the user clicks "Restore Default MAC", the Ethernet sub-interface restores the default MAC address.

Expand Advanced Configuration, configure advanced options for the interface.

Option | Description
Shutdown | The system supports interface shutdown. You can not only force a specific interface to shut down, but also control the time of shutdown by schedule, or control the shutdown according to the link status of tracked objects. Configure the options as below:
  1. Select the Shut down check box to enable interface shutdown.
  2. To control the shutdown by schedule or tracked objects, select the appropriate check box, and then select a schedule or tracked object from the drop-down list.


Creating a Loopback Interface

To create a loopback interface:

1. Select Configuration Management > Network Configuration > Interface.

2. Click New > Loopback Interface.

In the Basic page, configure the following options.

Option | Description
Interface Name | Specifies a name for the loopback interface.
Description | Enter a description for the loopback interface.
Binding Zone | Bind the interface to a zone or not. If Layer 3 zone/TAP is selected, proceed to select a zone from the Zone drop-down list. If TAP is selected, you can specify the LAN addresses from the LAN Address drop-down menu. With this configured, the device can identify the intranet traffic and intranet hosts, and display them in the Monitor. Note: If No Binding is selected, the interface will not be bound to any zone.
Type | Select how to obtain the IP address of this interface.
Static IP | IP address: Specifies an IP address for the interface. Netmask: Specifies a netmask for the interface. Advanced:
  - Management IP: Specifies a management IP for the interface. Type the IP address into the box.
  - Secondary IP: Specifies secondary IPs for the interface. You can specify up to 6 secondary IP addresses.
  DHCP: Click the triangle and then select DHCP Server or DHCP Relay Proxy. For more information, see .
Management | Select one or more management method check boxes to configure the interface management method.

3. "Expand Interface Properties, configure properties for the interface." on Page 195

4. "Expand Advanced Configuration, configure advanced options for the interface." on Page 196

5. Click OK.

Creating an Aggregate Interface

To create an aggregate interface:

1. Select Configuration Management > Network Configuration > Interface.

2. Click New > Aggregate Interface.

In the Basic page, configure the following options.

Option | Description
Interface Name | Specifies a name for the aggregate interface.
Description | Enter a description for the aggregate interface.
Binding Zone | Bind the interface to a zone or not. If Layer 3 zone/TAP is selected, proceed to select a zone from the Zone drop-down list. If TAP is selected, you can specify the LAN addresses from the LAN Address drop-down menu. With this configured, the device can identify the intranet traffic and intranet hosts, and display them in the Monitor. Note: If No Binding is selected, the interface will not be bound to any zone.
Zone | Select a security zone from the Zone drop-down list.
LACP | Select one of the following:
  - Forced: Aggregates multiple physical interfaces to form an aggregate interface. These physical interfaces share the traffic passing through the aggregate interface evenly.
  - Enables LACP on the interface to negotiate aggregate interfaces dynamically. LACP options are:
    - System priority: Specifies the LACP system priority. The value range is 1 to 32768; the default value is 32768. This parameter is used to ensure that the interfaces at the two ends are consistent. The system selects interfaces based on the end with the higher LACP system priority. The smaller the value is, the higher the priority. If the LACP system priorities of the two ends are equal, the system compares the MACs of the two ends; the smaller the MAC is, the higher the priority.
    - Max bundle: Specifies the maximum number of active interfaces. The value range is 1 to 16; the default value is 16. When the active interfaces reach the maximum number, the status of the other legal interfaces changes to Standby.
    - Min bundle: Specifies the minimum number of active interfaces. The value range is 1 to 8; the default value is 1. When the active interfaces reach the minimum number, the status of all the legal interfaces in the aggregation group changes to Standby automatically and they will not forward any traffic.
HA sync | Click the Enable button to enable the HA sync function. The primary device will synchronize its information with the backup device.
Type | Select how to obtain the IP address of this interface.
Static IP | IP address: Specifies an IP address for the interface. Netmask: Specifies a netmask for the interface. Advanced:
  - Management IP: Specifies a management IP for the interface. Type the IP address into the box.
  - Secondary IP: Specifies secondary IPs for the interface. You can specify up to 6 secondary IP addresses.
  DHCP: Click the triangle and then select DHCP Server or DHCP Relay Proxy. For more information, see .
Auto-obtain | Set gateway information from DHCP server as the default gateway route: With this check box selected, the system sets the gateway information provided by the DHCP server as the default gateway route. Advanced:
  - Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.
  - Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.
  - Management Priority: Specifies a priority for the DNS server. Besides static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE. Therefore, you need to configure priorities for the DNS servers, so that the system can choose a DNS server according to its priority during DNS resolution. The priority is represented by a number from 1 to 255. The larger the number is, the higher the priority. The priority of static DNS servers is 20.
Management | Select one or more management method check boxes to configure the interface management method.
Binding Port | Select physical interfaces for the aggregate interface from the Members drop-down list. The selected physical interfaces cannot belong to other interfaces or security zones.

3. "Expand Interface Properties, configure properties for the interface." on Page 195

4. "Expand Advanced Configuration, configure advanced options for the interface." on Page 196

5. Expand Load Balance configuration, configure a load balance mode for the interface. "Flow-based" means enabling automatic load balance based on the flow. This is the default mode. "Tuple" means enabling load balance based on the source/destination IP, source/destination MAC, source/destination interface or protocol type of the packet, or a combination of the selected items.

6. Click OK.

Creating an Ethernet Sub-interface/Aggregate Sub-interface

To create an Ethernet sub-interface/aggregate sub-interface:

1. Select Configuration Management > Network Configuration > Interface.

2. Click New > Ethernet Sub-interface/Aggregate Sub-interface.

In the Basic page, configure the following options.

Option | Description
Interface Name | Specifies a name for the sub-interface.
Description | Enter a description for the sub-interface.
Binding Zone | Bind the interface to a zone or not. If Layer 3 zone/TAP is selected, proceed to select a zone from the Zone drop-down list. If TAP is selected, you can specify the LAN addresses from the LAN Address drop-down menu. With this configured, the device can identify the intranet traffic and intranet hosts, and display them in the Monitor. Note: If No Binding is selected, the interface will not be bound to any zone.
Zone | Select a security zone from the Zone drop-down list.
Type | Select how to obtain the IP address of this interface.
Static IP | IP address: Specifies an IP address for the interface. Netmask: Specifies a netmask for the interface. Advanced:
  - Management IP: Specifies a management IP for the interface. Type the IP address into the box.
  - Secondary IP: Specifies secondary IPs for the interface. You can specify up to 6 secondary IP addresses.
  DHCP: Click the triangle and then select DHCP Server or DHCP Relay Proxy. For more information, see .
Auto-obtain | Set gateway information from DHCP server as the default gateway route: With this check box selected, the system sets the gateway information provided by the DHCP server as the default gateway route. Advanced:
  - Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.
  - Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.
  - Management Priority: Specifies a priority for the DNS server. Besides static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE. Therefore, you need to configure priorities for the DNS servers, so that the system can choose a DNS server according to its priority during DNS resolution. The priority is represented by a number from 1 to 255. The larger the number is, the higher the priority. The priority of static DNS servers is 20.
Management | Select one or more management method check boxes to configure the interface management method.

3. "Expand Interface Properties, configure properties for the interface." on Page 195

4. "Expand Advanced Configuration, configure advanced options for the interface." on Page 196

5. Click OK.

Editing an Interface

To edit an interface:

1. Select Configuration Management > Network Configuration > Interface.

2. Select the interface you want to edit from the interface list and click Edit.

In the Basic page, configure the following options.

Option | Description
Interface Name | Specifies a name for the interface.
Description | Enter a description for the interface.
Binding Zone | Bind the interface to a zone or not. If Layer 3 zone/TAP is selected, proceed to select a zone from the Zone drop-down list. If TAP is selected, you can specify the LAN addresses from the LAN Address drop-down menu. With this configured, the device can identify the intranet traffic and intranet hosts, and display them in the Monitor. Note: If No Binding is selected, the interface will not be bound to any zone.
Zone | Select a security zone from the Zone drop-down list.
Type | Select how to obtain the IP address of this interface.
Static IP | IP address: Specifies an IP address for the interface. Netmask: Specifies a netmask for the interface. Advanced:
  - Management IP: Specifies a management IP for the interface. Type the IP address into the box.
  - Secondary IP: Specifies secondary IPs for the interface. You can specify up to 6 secondary IP addresses.
  DHCP: Click the triangle and then select DHCP Server or DHCP Relay Proxy. For more information, see .
Auto-obtain | Set gateway information from DHCP server as the default gateway route: With this check box selected, the system sets the gateway information provided by the DHCP server as the default gateway route. Advanced:
  - Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.
  - Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.
  - Management Priority: Specifies a priority for the DNS server. Besides static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE. Therefore, you need to configure priorities for the DNS servers, so that the system can choose a DNS server according to its priority during DNS resolution. The priority is represented by a number from 1 to 255. The larger the number is, the higher the priority. The priority of static DNS servers is 20.
Management | Select one or more management method check boxes to configure the interface management method.

3. "Expand Interface Properties, configure properties for the interface." on Page 195

4. "Expand Advanced Configuration, configure advanced options for the interface." on Page 196

5. Click OK.

Notes:

- Before deleting an aggregate interface, you must cancel other interfaces' bindings to it, the aggregate sub-interface's configuration, its IP address configuration and its binding to the security zone.

- An Ethernet interface can only be edited but cannot be deleted.


DNS
DNS, the abbreviation for Domain Name System, is a naming system for computers and network services in the form of a domain hierarchy. DNS is designed for TCP/IP networks to query Internet domain names (e.g., www.xxxx.com) and translate them into IP addresses (e.g., 10.1.1.1) to locate the related computers and services.

The device's DNS provides the following functions:

- Server: Configures DNS servers for the security device.

- Analysis: Sets retry times and timeout for the device's DNS service.

- Cache: DNS mappings stored in the cache to speed up queries. You can create, edit and delete DNS mappings.

Configuring a DNS Server

You can configure a DNS server for system to implement DNS resolution. To create a DNS server:

1. Select Configuration Management > Network Configuration> DNS > DNS Server.

2. Click New in the DNS Server section.

3. In the DNS Server Configuration page, type the IP address for the DNS server into the Server IP box.

4. Click OK.

Configuring Analysis

To configure the retry times and timeout for DNS requests:

1. Select Configuration Management > Network Configuration > DNS > Analysis.

2. Select the retry times radio button.

3. Select the timeout value radio button.

4. Select the TTL radio button, which can be the value returned by the DNS server (the default) or a user-defined value (range 60s to 600s). If the DNS resolution cache has received no response after the TTL, the system will clear all domain name records.

5. Click Apply.

Configuring a DNS Cache

When using DNS, the system may store DNS mappings in its cache to speed up queries. There are three ways to obtain DNS mappings:

- Dynamic: Obtained from DNS responses.

- Static: DNS mappings added to the cache manually.

- Register: DNS hosts specified by some modules of the security device, such as NTP, AAA, address book, etc.

You can add static DNS mappings to the cache, view DNS mappings and delete dynamic mappings.

To add a static DNS mapping to the cache:

1. Select Configuration Management > Network Configuration > DNS > Cache.

2. Click New.

Option | Description
Hostname | Specifies a host name.
Primary IP | Specifies the host's IP addresses, up to 8. Type further IP addresses into the IP address 2/3/4/5/6/7/8 boxes below if necessary.

3. Click OK.


Global Network Parameters
Global network parameter configuration includes IP fragment, TCP packet processing methods and other
options.

Configuring Global Network Parameters

To configure global network parameters, take the following steps:

1. Select Configuration Management > Network Configuration > Global Network Parameters > Global
Network Parameters.

2. Configure the following parameters.

Option | Description

IP Fragment
Maximum Fragment Number | Specifies a maximum fragment number for every IP packet. The value range is 1 to 1024. The default value is 48. Any IP packet that contains more fragments than this number will be dropped.
Timeout | Specifies a timeout period for fragment reassembly. The value range is 1 to 30. The default value is 2. If the Hillstone device has not received all the fragments after the timeout, the packet will be dropped.
Long Duration Session | Enables or disables long duration sessions. If this function is enabled, specify the long duration session percentage in the Percentage text box below. The default value is 10, i.e., long duration sessions account for 10% of the total sessions.

TCP
TCP MSS | Specifies an MSS value for all TCP SYN/ACK packets. Click the Enable button, and type the value into the Maximum MSS text box below.
Maximum MSS | Type the maximum MSS value into the Maximum MSS text box below. The value range is 64 to 65535. The default value is 1448.
TCP MSS VPN | Specifies an MSS value for IPSec VPN's TCP SYN packets. Click the Enable button, and type the value into the Maximum MSS text box below.
Maximum MSS | Type the maximum MSS value for IPSec VPN into the Maximum MSS text box below. The value range is 64 to 65535. The default value is 1380.
TCP Sequence Number Check | Configures whether the TCP sequence number is checked. When this function is enabled, a TCP packet whose sequence number falls outside the TCP window is dropped.
TCP Three-way Handshaking | Configures whether the timeout of the TCP three-way handshake is checked. Click the Enable button to enable this function, and specify a timeout value in the Timeout text box below. The value range is 1 to 1800 seconds. The default value is 20. If the three-way handshake has not been completed after the timeout, the connection will be dropped.
TCP SYN Packet Check | Click the Enable button to enable this function; a connection can then be established only when the packet is a TCP SYN packet.

Others
Non-IP and Non-ARP Packet | Specifies how to process packets that are neither IP nor ARP.

3. Click OK.
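The fragment and handshake parameters in the table above, as an added example that is not Hillstone's code: a toy Python model that enforces Maximum Fragment Number, fragment Timeout, the three-way handshake timeout and the SYN packet check on constructed packet events, using the guide's default values. The Fragment fields and the return strings are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Added example, not Hillstone's code. A toy enforcement of the global network
# parameters above with the guide's defaults: Maximum Fragment Number (48),
# fragment Timeout (2 s), TCP Three-way Handshaking timeout (20 s) and the TCP
# SYN Packet Check. Offsets are byte offsets here (real IP headers count 8-byte
# units); all packet events are constructed for the example.

FlowKey = Tuple[str, str, int]


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int      # IP identification shared by all fragments of one packet
    offset: int     # byte offset of this fragment's payload
    length: int     # payload bytes carried by this fragment
    more: bool      # More Fragments flag (False on the last fragment)
    ts: float       # arrival time in seconds


@dataclass
class _Partial:
    first_seen: float
    frags: List[Fragment] = field(default_factory=list)


class FragmentReassembler:
    """Applies 'Maximum Fragment Number' and fragment 'Timeout'."""

    def __init__(self, max_fragments: int = 48, timeout: float = 2.0) -> None:
        self.max_fragments = max_fragments
        self.timeout = timeout
        self.pending: Dict[FlowKey, _Partial] = {}
        self.dropped: List[Tuple[FlowKey, str]] = []   # (packet, reason) audit trail

    def expire(self, now: float) -> None:
        """Drop packets whose fragments did not all arrive within the timeout."""
        for key, part in list(self.pending.items()):
            if now - part.first_seen > self.timeout:
                del self.pending[key]
                self.dropped.append((key, "timeout"))

    def feed(self, frag: Fragment) -> str:
        """Returns 'buffered', 'reassembled' or 'dropped' for this fragment's packet."""
        self.expire(frag.ts)
        key = (frag.src, frag.dst, frag.ip_id)
        part = self.pending.setdefault(key, _Partial(frag.ts))
        part.frags.append(frag)
        if len(part.frags) > self.max_fragments:
            del self.pending[key]
            self.dropped.append((key, "too-many-fragments"))
            return "dropped"
        if self._complete(part.frags):
            del self.pending[key]
            return "reassembled"
        return "buffered"

    @staticmethod
    def _complete(frags: List[Fragment]) -> bool:
        """All bytes from offset 0 up to the last fragment (more=False) are present."""
        ordered = sorted(frags, key=lambda f: f.offset)
        if ordered[0].offset != 0 or ordered[-1].more:
            return False
        expected = 0
        for f in ordered:
            if f.offset != expected:
                return False     # gap or overlap in the byte stream
            expected = f.offset + f.length
        return True


class HandshakeTracker:
    """Applies the handshake timeout and the SYN packet check. Connections are
    keyed by (client, server); the caller passes the initiating side first."""

    def __init__(self, timeout: float = 20.0) -> None:
        self.timeout = timeout
        self.syn_seen: Dict[Tuple[str, str], float] = {}   # handshake start times
        self.established: Set[Tuple[str, str]] = set()

    def packet(self, client: str, server: str, flags: str, ts: float) -> str:
        key = (client, server)
        if flags == "SYN":
            self.syn_seen[key] = ts
            return "handshake-started"
        if key in self.established:
            return "forwarded"
        if key not in self.syn_seen:
            return "dropped"                  # SYN Packet Check: only a SYN may open a connection
        if ts - self.syn_seen[key] > self.timeout:
            del self.syn_seen[key]
            return "dropped-handshake-timeout"
        if flags == "ACK":
            del self.syn_seen[key]
            self.established.add(key)
            return "established"
        return "handshake-in-progress"        # e.g. the SYN-ACK from the server
```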


Advanced Routing
Routing is the process of forwarding packets from one network to a destination address in another network. A router, a packet forwarding device between two networks, is designed to transmit packets based on the routes stored in its routing tables. Each route is known as a routing entry.

Devices support destination routing.

- Destination routing: A manually-configured route which determines the next hop according to the destination IP address.


Destination Route

The destination route is a manually-configured route entry that determines the next hop based on the destination IP address. Usually a network with a comparatively small number of outbound connections or with stable intranet connections uses destination routes. You can add a default route entry as needed.

Creating a Destination Route

To create a destination route:

1. Select Configuration Management > Network Configuration > Destination Route.

2. Click New.

3. In the Destination Route Configuration page, enter the values.


Option | Description
Destination | Type the IP address for the route into the text box.
Netmask | Type the corresponding netmask into the text box.
Next-hop | To specify the type of next hop, click Gateway or Interface.
  - Gateway: Type the IP address into the Gateway text box.
  - Interface: Select a name from the Interface drop-down list, then type the IP address into the Gateway text box. For a tunnel interface, you need to type the gateway address of the tunnel's peer into the optional box below.
Schedule | Specifies a schedule during which the route takes effect. Select the desired schedule from the Schedule drop-down list. After selecting the desired schedules, click the blank area of this page to complete the schedule configuration. To create a new schedule, click New Schedule.
Precedence | Type the route precedence into the text box. The smaller the parameter is, the higher the precedence. If multiple routes are available, the route with the higher precedence is prioritized. The value range is 1 to 255. The default value is 1. When the value is set to 255, the route is invalid.
Weight | Type the weight for the route into the text box. This parameter determines the share of forwarded traffic in load balancing. The value range is 1 to 255. The default value is 1.
Tag | Specifies the tag value of the destination route. When OSPF redistributes routes, if the routing tag value configured here matches the rules in the route map, the route is redistributed and its information filtered. The value range is 1 to 4294967295.
Description | Type the description into the Description text box if necessary.

4. Click OK.
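The Precedence and Weight rules in the table above, as an added example that is not Hillstone's code: a small Python model of a destination-route table that ignores routes with precedence 255, prefers the smaller precedence value and spreads traffic over equal routes by weight. It assumes longest-prefix matching before the precedence comparison, which the guide does not state, and the routing table it builds uses constructed documentation addresses.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not Hillstone's code. Models the destination-route fields from
# the table above: Destination/Netmask, Precedence (smaller wins, 255 = invalid)
# and Weight (share of traffic among routes of equal precedence). Assumption not
# stated by the guide: a more specific (longer) prefix is preferred before the
# precedence comparison, as in ordinary IP routing.

INVALID_PRECEDENCE = 255


@dataclass(frozen=True)
class DestinationRoute:
    destination: str        # e.g. "10.0.0.0"
    netmask: str            # e.g. "255.0.0.0"
    gateway: str            # next-hop gateway address
    precedence: int = 1     # 1..255, default 1
    weight: int = 1         # 1..255, default 1

    def __post_init__(self) -> None:
        for name, value in (("precedence", self.precedence), ("weight", self.weight)):
            if not 1 <= value <= 255:
                raise ValueError(f"{name} must be in 1..255, got {value}")

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.destination}/{self.netmask}", strict=False)


def candidate_routes(table: List[DestinationRoute], dst_ip: str) -> List[DestinationRoute]:
    """Routes that may forward dst_ip: valid, longest prefix, then best precedence."""
    ip = ipaddress.IPv4Address(dst_ip)
    matching = [r for r in table
                if r.precedence != INVALID_PRECEDENCE and ip in r.network]
    if not matching:
        return []
    longest = max(r.network.prefixlen for r in matching)
    matching = [r for r in matching if r.network.prefixlen == longest]
    best = min(r.precedence for r in matching)
    return [r for r in matching if r.precedence == best]


def select_next_hop(table: List[DestinationRoute], dst_ip: str,
                    rng=random) -> Optional[str]:
    """Pick one gateway; equal routes are chosen in proportion to their Weight."""
    cands = candidate_routes(table, dst_ip)
    if not cands:
        return None
    if len(cands) == 1:
        return cands[0].gateway
    return rng.choices([r.gateway for r in cands],
                       weights=[r.weight for r in cands], k=1)[0]


def traffic_share(table: List[DestinationRoute], dst_ip: str,
                  samples: int = 10000, seed: int = 1) -> Dict[str, float]:
    """Empirical fraction of flows sent to each gateway (shows the Weight effect)."""
    rng = random.Random(seed)
    counts: Dict[str, int] = {}
    for _ in range(samples):
        gw = select_next_hop(table, dst_ip, rng)
        counts[gw] = counts.get(gw, 0) + 1
    return {gw: n / samples for gw, n in counts.items()}


def example_table() -> List[DestinationRoute]:
    """Constructed routing table (documentation addresses, not a real network)."""
    return [
        DestinationRoute("0.0.0.0", "0.0.0.0", "192.0.2.1"),                       # default route
        DestinationRoute("10.0.0.0", "255.0.0.0", "192.0.2.2", precedence=10),
        DestinationRoute("10.0.0.0", "255.0.0.0", "192.0.2.3", precedence=5),      # beats .2
        DestinationRoute("10.1.0.0", "255.255.0.0", "192.0.2.4", precedence=255),  # invalid, ignored
        DestinationRoute("10.2.0.0", "255.255.0.0", "192.0.2.5", precedence=5, weight=3),
        DestinationRoute("10.2.0.0", "255.255.0.0", "192.0.2.6", precedence=5, weight=1),
    ]


if __name__ == "__main__":
    table = example_table()
    print(select_next_hop(table, "10.1.2.3"))     # 192.0.2.3: the /16 is invalid, precedence 5 beats 10
    print(select_next_hop(table, "203.0.113.7"))  # 192.0.2.1: only the default route matches
    print(traffic_share(table, "10.2.0.9"))       # about 3:1 between 192.0.2.5 and 192.0.2.6
```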



Object Configuration
This chapter describes the concept and configuration of objects that are referenced by other modules in the system, including:

- "Address" on Page 217: Contains address information, and can be used by multiple modules.

- "Service Book" on Page 220: Contains service information, and can be used by multiple modules.

- "Application Book" on Page 225: Contains application information, and can be used by multiple modules.

- "Schedule" on Page 233: Specifies a time range or period. The functions that use the schedule take effect in the time range or period specified by the schedule.



Address
IP addresses are an important element in the configuration of multiple modules, such as NAT rules and session limit rules. Therefore, the system supports an address book to facilitate IP address reference and flexible configuration. You can specify a name for an IP range, and reference only the name during configuration. The address book is the database in the system that stores the mappings between IP ranges and their names. The mapping entry between an IP address and its name in the address book is known as an address entry.

An address entry also has the following features:

- All address books contain two default address entries named Any and private_network. The IP address of Any is 0.0.0.0/0, i.e., any IP address. Any can neither be edited nor deleted. The IP addresses of private_network are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, i.e., all private network addresses. private_network can be edited and deleted.

- One address entry can contain another address entry in the address book.

- If the IP range of an address entry changes, the system automatically updates the other modules that reference the address entry.

Creating an Address Book

To create an address book:

1. Click Configuration Management > Object Configuration > Address Entry.

2. Click New.

In the Address Configuration page, enter the address entry configuration.

Basic

Name  Type the address entry name into the Name box.

Member

Member  Select a member type from the drop-down list, and configure an IP/netmask, IP range, host name, address entry or wildcard as needed.

Add  Click Add to add the configured member to the list below. If needed, repeat the above steps to add more members.

Delete  Delete the selected member from the list.

Excluded Member

Member  Specify the excluded member. Select a member type from the drop-down list, and configure an IP/netmask, IP range, host name or address entry as needed.

Note: The address range of an excluded member must lie within the address range of the members; otherwise the configuration cannot be completed.

Add  Click Add to add the configured excluded member to the list below. If needed, repeat the above steps to add more excluded members.

Delete  Delete the selected excluded member from the list.

3. Click OK.
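The rules in this section (the two default entries, nesting, exclusions that must fall inside the members, and references that follow an edited entry) are easy to get wrong when configuration is scripted. The following Python model is an added example written for this guide, not code from the product: it checks that every excluded member lies inside the members, resolves nested entries at lookup time so that an edit propagates to every entry that references it, and refuses to edit or delete Any. Host-name and wildcard members are not modelled, and the interval arithmetic is the example's own, not the device's implementation.

```python
import ipaddress
from dataclasses import dataclass, field


def _merge(intervals):
    """Coalesce overlapping or adjacent (first, last) integer intervals."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def _subtract(intervals, cut):
    """Remove the interval `cut` from every interval in the list."""
    lo, hi = cut
    out = []
    for start, end in intervals:
        if end < lo or start > hi:          # no overlap: keep as is
            out.append((start, end))
            continue
        if start < lo:
            out.append((start, lo - 1))
        if end > hi:
            out.append((hi + 1, end))
    return out


@dataclass
class AddressEntry:
    name: str
    members: list = field(default_factory=list)    # "IP/netmask", "first-last", host IP or entry name
    excluded: list = field(default_factory=list)

    def intervals(self, book):
        """Members minus excluded members, resolved now so that a change to a
        nested entry is visible to every entry that references it."""
        result = _merge([iv for m in self.members for iv in book.expand(m)])
        for x in self.excluded:
            for cut in book.expand(x):
                result = _subtract(result, cut)
        return result


class AddressBook:
    def __init__(self):
        # The two default entries every address book ships with.
        self.entries = {
            "Any": AddressEntry("Any", ["0.0.0.0/0"]),
            "private_network": AddressEntry(
                "private_network", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
        }

    def expand(self, spec):
        """Turn one member spec into inclusive (first, last) IPv4 integer intervals."""
        spec = spec.strip()
        if spec in self.entries:                              # nested address entry
            return self.entries[spec].intervals(self)
        if "/" in spec:
            net = ipaddress.IPv4Network(spec, strict=False)
            return [(int(net[0]), int(net[-1]))]
        if "-" in spec:
            first, last = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-", 1))
            if first > last:
                raise ValueError(f"range start after end: {spec}")
            return [(first, last)]
        host = int(ipaddress.IPv4Address(spec))
        return [(host, host)]

    def save(self, entry):
        """Create or edit an entry, enforcing the constraints described above."""
        if entry.name == "Any":
            raise ValueError("Any can be neither edited nor deleted")
        if entry.name in entry.members:
            raise ValueError("an address entry cannot contain itself")
        members = _merge([iv for m in entry.members for iv in self.expand(m)])
        for x in entry.excluded:
            for lo, hi in self.expand(x):
                # An excluded member must lie entirely inside the members.
                if not any(s <= lo and hi <= e for s, e in members):
                    raise ValueError(f"excluded member {x!r} is outside the members of {entry.name!r}")
        self.entries[entry.name] = entry

    def delete(self, name):
        if name == "Any":
            raise ValueError("Any can be neither edited nor deleted")
        del self.entries[name]

    def contains(self, name, ip):
        """True if `ip` falls in the effective range of the named entry."""
        addr = int(ipaddress.IPv4Address(ip))
        return any(s <= addr <= e for s, e in self.entries[name].intervals(self))
```

Because `contains` resolves nested names each time it is called, editing `lan` after a `servers` entry has referenced it changes what `servers` matches, which is the behaviour the last feature bullet above describes.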

Viewing Details

To view the details of an address entry, including its name, members, excluded members, description and references:

1. Click Configuration Management > Object Configuration > Address Entry.

2. In the Address Book Configuration page, select an address entry from the list, and view the details under the list.



Service Book
A service is an information stream defined by protocol standards. A service has specific distinguishing features, such as its protocol and port number. For example, the FTP service uses the TCP protocol, and its port number is 21. Service is an essential element for the configuration of multiple modules, including policy rules and NAT rules.

The system ships with multiple predefined services and service groups. You can also define your own services and service groups as needed. All services and service groups are stored in and managed by the service book.

Predefined Service/Service Group

The system ships with multiple predefined services, and identifies the corresponding application types based on the service ports. The supported predefined services may vary between device models. Predefined service groups contain related predefined services to simplify configuration.

User-defined Service

Besides the predefined services, you can also create your own user-defined services. The parameters specified for a user-defined service entry include:

• Name

• Protocol type

• The source and destination ports for a TCP or UDP service, or the type and code values for an ICMP service.

User-defined Service Group

You can organize services into a service group and apply the service group to policies directly, which simplifies management. A service group has the following features:

• Each service in the service book can be used by one or more service groups.

• A service group can contain both predefined services and user-defined services.

• A service group can contain another service group. Service groups in StoneOS support up to 8 layers of nesting.

A service group also has the following limitations:

• A service and a service group cannot have the same name.

• A service group that is in use by any policy cannot be deleted. To delete such a service group, you must first remove its references from the other modules.

• If a user-defined service is deleted, it is also removed from all service groups that use it.

Configuring a Service Book

This section describes how to configure a user-defined service and service group.

Configuring a User-defined Service

1. Select Configuration Management > Object Configuration > Service Book > Service.

2. Click New.

Configure the following options.

Service Configuration

Service  Type the name for the user-defined service into the text box.

Member  Specify a protocol type for the user-defined service. The available options are TCP, UDP, ICMP and Others. If needed, you can add multiple service items.

Click New and configure the parameters for the protocol type, as described below:

TCP/UDP  Destination port:

  • Min - Specifies the minimum port number of the service entry.

  • Max - Specifies the maximum port number of the service entry. The value range is 0 to 65535.

  Source port:

  • Min - Specifies the minimum port number of the service entry.

  • Max - Specifies the maximum port number of the service entry. The value range is 0 to 65535.

  Note: The minimum port number cannot exceed the maximum port number.

ICMP  Type: Specifies an ICMP type for the service entry. The options are 3 (Destination Unreachable), 4 (Source Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded), 12 (Parameter Problem), 13 (Timestamp) and 15 (Information).

  Min Code: Specifies the minimum ICMP code. The value range is 0 to 5.

  Max Code: Specifies the maximum ICMP code. The value range is 0 to 5.

  Note: The minimum code cannot exceed the maximum code.

Others  Protocol: Specifies a protocol number for the service entry. The value range is 1 to 255.

Description  If needed, type a description for the service into the text box.

3. Click OK.

Configuring a User-defined Service Group

1. Select Configuration Management > Object Configuration > Service Book > Service Group.

2. Click New.

Configure the following options.

Service Group Configuration

Name  Type the name for the user-defined service group into the text box.

Description  If needed, type a description for the service group into the text box.

Member Type  Add services or service groups to the service group. The system supports at most 8 layers of nested service groups.

Expand Pre-defined Service or User-defined Service in the left pane, select services or service groups, and then click Add to add them to the right pane. To remove a selected service, select it in the right pane, and then click Remove.

3. Click OK.
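The service-book constraints listed above (port and ICMP ranges, the 8-layer nesting limit, distinct names for services and groups, refusing to delete a group a policy still uses, and a deleted service dropping out of its groups) are exactly the checks an automation script should make before pushing configuration. The Python below is an added example for this guide, not the product's code: it validates user-defined services, enforces the nesting depth, and flattens a nested group to its service items. Policy references are tracked in a plain dictionary, an assumption that stands in for the device's own reference tracking.

```python
from dataclasses import dataclass

ICMP_TYPES = {3, 4, 5, 8, 11, 12, 13, 15}   # the ICMP types the WebUI offers
MAX_NESTING = 8                             # service groups nest at most 8 layers deep


@dataclass
class ServiceItem:
    protocol: str                        # "tcp", "udp", "icmp" or "other"
    dst_port: tuple = (0, 65535)         # (min, max) for tcp/udp
    src_port: tuple = (0, 65535)
    icmp_type: int = 8
    icmp_code: tuple = (0, 5)            # (min, max) for icmp
    proto_number: int = 0                # IP protocol number for "other"

    def validate(self):
        if self.protocol in ("tcp", "udp"):
            for label, (lo, hi) in (("destination", self.dst_port), ("source", self.src_port)):
                if not 0 <= lo <= hi <= 65535:
                    raise ValueError(f"{label} port range must satisfy 0 <= min <= max <= 65535")
        elif self.protocol == "icmp":
            if self.icmp_type not in ICMP_TYPES:
                raise ValueError(f"ICMP type must be one of {sorted(ICMP_TYPES)}")
            lo, hi = self.icmp_code
            if not 0 <= lo <= hi <= 5:
                raise ValueError("ICMP code range must satisfy 0 <= min <= max <= 5")
        elif self.protocol == "other":
            if not 1 <= self.proto_number <= 255:
                raise ValueError("protocol number must be 1 to 255")
        else:
            raise ValueError(f"unknown protocol type {self.protocol!r}")


class ServiceBook:
    def __init__(self):
        self.services = {}      # name -> [ServiceItem, ...]
        self.groups = {}        # name -> [member name, ...] (services or groups)
        self.policy_refs = {}   # group name -> {policy name, ...} (assumed bookkeeping)

    def add_service(self, name, items):
        if name in self.groups:
            raise ValueError("a service and a service group cannot share a name")
        for item in items:
            item.validate()
        self.services[name] = list(items)

    def depth(self, group):
        """Nesting depth: 1 for a group that holds only services."""
        subgroups = [m for m in self.groups[group] if m in self.groups]
        return 1 + max((self.depth(g) for g in subgroups), default=0)

    def add_group(self, name, members):
        if name in self.services:
            raise ValueError("a service and a service group cannot share a name")
        if name in members:
            raise ValueError("a service group cannot contain itself")
        unknown = [m for m in members if m not in self.services and m not in self.groups]
        if unknown:
            raise ValueError(f"unknown members {unknown}")
        depth = 1 + max((self.depth(m) for m in members if m in self.groups), default=0)
        if depth > MAX_NESTING:
            raise ValueError(f"group {name!r} would be nested {depth} layers deep (max {MAX_NESTING})")
        self.groups[name] = list(members)

    def reference(self, policy, group):
        self.policy_refs.setdefault(group, set()).add(policy)

    def unreference(self, policy, group):
        self.policy_refs.get(group, set()).discard(policy)

    def delete_group(self, name):
        users = self.policy_refs.get(name)
        if users:
            raise ValueError(f"{name!r} is still used by policies {sorted(users)}")
        del self.groups[name]
        for members in self.groups.values():     # drop it from parent groups as well
            while name in members:
                members.remove(name)

    def delete_service(self, name):
        """Deleting a user-defined service removes it from every group that uses it."""
        del self.services[name]
        for members in self.groups.values():
            while name in members:
                members.remove(name)

    def expand(self, name):
        """Flatten a service or (nested) group into its service items."""
        if name in self.services:
            return list(self.services[name])
        return [item for m in self.groups[name] for item in self.expand(m)]
```

`expand` is what a policy engine needs at match time: a flat list of protocol/port items regardless of how deeply the group was nested.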

Viewing Details

To view the details of a service entry, including its name, protocol, destination port and references:

1. Click Configuration Management > Object Configuration > Service Book > Service.

2. In the Service Configuration page, select a service entry from the list, and view the details under the list.



Application Book
An application has specific features, such as its protocol, port number and application type. Application is an essential element for the configuration of multiple device modules, including NAT rules.

The system ships with multiple predefined applications and predefined application groups. You can also define your own applications and application groups as needed. All applications and application groups are stored in and managed by the application book.

Editing a Predefined Application

You can view and use all the supported predefined applications and edit their TCP timeout, but you cannot delete any of them. To edit a predefined application:

1. Select Configuration Management > Object Configuration > APP Book > Application.

2. Select the application you want to edit from the application list, and click Edit.

3. In the Application Configuration page, edit the TCP timeout for the application.

Creating a User-defined Application

You can create your own user-defined applications. By configuring customized application signature rules, the system can identify and manage the traffic that passes through the device, and thus identify the type of the traffic.

To create a user-defined application:

1. Select Configuration Management > Object Configuration > APP Book > Application.

2. Click New.

Configure the following options.

Option  Description

Name  Specify the name of the user-defined application.

Description  Specify the description of the user-defined application.

Timeout  Configure the application timeout value. If it is not configured, the system uses the default value of the protocol.

Signature  Select the signature of the application and then click Add. To create a new signature, see "Creating a Signature Rule" on Page 229.

3. Click OK.

Creating a User-defined Application Group

To create a user-defined application group:

1. Select Configuration Management > Object Configuration > APP Book > Application Groups.

2. Click New.

Configure the following options.

Option  Description

Name  Specifies a name for the new application group.

Description  Specifies the description for the application group.

Member  Add applications or application groups to the application group. The system supports at most 8 layers of nested application groups.

Expand Application or Application Group in the left pane, select applications or application groups, and then click Add to add them to the right pane. To remove a selected application or application group, select it in the right pane, and then click Remove.

3. Click OK.

Creating an Application Filter Group

An application filter group lets you create a group that filters applications by application category, subcategory, technology, risk and attributes.

To create an application filter group:

1. Select Configuration Management > Object Configuration > APP Book > Application Filters.

2. Click New.

3. Type an application filter group name in the Name text box.

4. Specify the filter conditions. Choose the category, subcategory, technology, risk and characteristic in sequence from the drop-down lists. You can click Clear Filter to clear all the selected filter conditions.

5. Click OK.

Creating a Signature Rule

By configuring customized application signature rules, the system can identify and manage the traffic that passes through the device. When traffic matches all the conditions defined in a signature rule, it hits that signature rule, and the system identifies the application type accordingly.

To create a new signature rule:

1. Select Configuration Management > Object Configuration > APP Book > Static Signature Rule.

2. Click New.

Configure the following options.

Option  Description

Source

Zone  Specify the source security zone of the signature rule.

Address  Specify the source address. You can use the Address Book type or the IP/Netmask type.

Destination

Address  Specify the destination address. You can use the Address Book type or the IP/Netmask type.

Protocol

Enable  Click the Enable button after App-Signature Rule to configure the protocol of the signature rule.

Type  When selecting TCP or UDP:

  • Destination Port: Specify the destination port number of the user-defined application signature. If the destination port is given as a range, the system takes the min-port value as the minimum port number and the max-port value as the maximum port number. The value range is 0 to 65535, but the port number cannot be 0: for example, a range of 0 to 20 is accepted, but port 0 itself is not a valid port.

  • Source Port: Specify the source port number of the user-defined application signature. If the source port is given as a range, the system takes the min-port value as the minimum port number and the max-port value as the maximum port number. The value range is 0 to 65535.

  When selecting ICMP:

  • Type: Specify the ICMP type of the application signature. The options are 3 (Destination Unreachable), 4 (Source Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded), 12 (Parameter Problem), 13 (Timestamp), 15 (Information) and any (any represents all of the above values).

  • Min Code: Specify the ICMP code of the application signature. The ICMP code is in the range of 0 to 5. The default value is 0-5.

  When selecting Others:

  • Protocol: Specifies the protocol number of the application signature. The protocol number is in the range of 1 to 255.

Action

App-Signature Rule  Select Enable to make this signature rule take effect after configuration. Otherwise, it does not take effect.

Continue Dynamic Identification  By default, once traffic matches the user-defined signature rule and the application type has been identified, the system stops identifying the application. For higher accuracy, click Enable to let the system continue with dynamic identification after the static match.

3. Click OK.
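How the rule table above is applied to a flow is worth seeing end to end: every configured condition (zone, addresses, protocol, ports or ICMP type/code) must match, disabled rules are skipped, and Continue Dynamic Identification decides whether the static hit is final. The Python below is an added example for this guide, not the device's classifier. The flow and rule records, the small address book, and the `dynamic` callback that stands in for the device's dynamic identification engine are all assumptions, and its treatment of the continue flag (a dynamic result, if any, refines the static hit) is one reading of the table above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

TCP, UDP, ICMP = 6, 17, 1                        # IP protocol numbers
ICMP_TYPES = {3, 4, 5, 8, 11, 12, 13, 15}        # the types the rule table offers


@dataclass
class Flow:
    src_zone: str
    src_ip: str
    dst_ip: str
    proto: int                                   # IP protocol number
    src_port: int = 0
    dst_port: int = 0
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass
class SignatureRule:
    app: str                                     # user-defined application this rule identifies
    src_zone: Optional[str] = None               # None = any zone
    src_addr: Optional[str] = None               # address-book name or "IP/netmask"; None = any
    dst_addr: Optional[str] = None
    proto: Optional[str] = None                  # "tcp", "udp", "icmp", "other"; None = any
    dst_port: tuple = (0, 65535)                 # (min-port, max-port)
    src_port: tuple = (0, 65535)
    icmp_type: object = "any"                    # "any" or one of ICMP_TYPES
    icmp_code: tuple = (0, 5)
    proto_number: int = 0                        # for "other"
    enabled: bool = True                         # App-Signature Rule: Enable
    continue_dynamic: bool = False               # Continue Dynamic Identification: Enable


def _addr_match(spec, ip, book):
    """spec is None (any), an address-book name, or an IP/netmask string."""
    if spec is None:
        return True
    addr = ipaddress.IPv4Address(ip)
    nets = book[spec] if spec in book else [spec]
    return any(addr in ipaddress.IPv4Network(n, strict=False) for n in nets)


def _proto_match(rule, flow):
    if rule.proto is None:
        return True
    if rule.proto in ("tcp", "udp"):
        if flow.proto != (TCP if rule.proto == "tcp" else UDP):
            return False
        return (rule.dst_port[0] <= flow.dst_port <= rule.dst_port[1]
                and rule.src_port[0] <= flow.src_port <= rule.src_port[1])
    if rule.proto == "icmp":
        if flow.proto != ICMP or flow.icmp_type is None or flow.icmp_code is None:
            return False
        type_ok = rule.icmp_type == "any" or flow.icmp_type == rule.icmp_type
        return type_ok and rule.icmp_code[0] <= flow.icmp_code <= rule.icmp_code[1]
    return flow.proto == rule.proto_number       # "other": bare protocol number


def matches(rule, flow, book):
    """A flow hits a rule only when the rule is enabled and every condition matches."""
    return (rule.enabled
            and (rule.src_zone is None or rule.src_zone == flow.src_zone)
            and _addr_match(rule.src_addr, flow.src_ip, book)
            and _addr_match(rule.dst_addr, flow.dst_ip, book)
            and _proto_match(rule, flow))


def identify(flow, rules, book, dynamic: Callable[[Flow], Optional[str]]):
    """Walk the rules in order; the first hit names the application. Without
    Continue Dynamic Identification the static hit is final; with it, the
    dynamic engine (here the `dynamic` callback) may refine the result."""
    for rule in rules:
        if matches(rule, flow, book):
            if rule.continue_dynamic:
                return dynamic(flow) or rule.app
            return rule.app
    return dynamic(flow)                          # no static hit: dynamic identification only
```

Note that a rule with no protocol section enabled matches every flow that satisfies its zone and address conditions, so an over-broad static rule placed early will pin an application name on traffic the dynamic engine would have classified differently; keep such rules narrow or turn on Continue Dynamic Identification for them.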



Schedule
The system supports schedules. This function lets configurations take effect at specified times. A schedule consists of a periodic schedule and a timeframe. The periodic schedule specifies time points or time ranges through periodic schedule entries, while the timeframe determines the time range within which the periodic schedule takes effect.

Periodic Schedule

A periodic schedule is the collection of periods specified by all the schedule entries within the schedule. You can add up to 16 schedule entries to a periodic schedule. The entries are of 3 types:

• Daily: The specified time of every day, such as every day 09:00 to 18:00.

• Days: The specified time on specified days of the week, such as Monday, Tuesday and Saturday 09:00 to 13:30.

• Period: A continuous period during a week, such as from Monday 09:30 to Wednesday 15:00.

Timeframe

The timeframe is the time range within which the periodic schedule takes effect. If no timeframe is specified, the periodic schedule takes effect as soon as it is referenced by a module.

Creating a Schedule

To create a schedule:

1. Select Configuration Management > Object Configuration > Schedule.

2. Click New.

Configure the following options.

Option  Description

Name  Specify a name for the new schedule.

Add  Click Add and then specify a type for the periodic schedule entry.

Type  • Daily - The specified time of every day. Click this radio button, and then, in the Time section, select a start time and an end time from the Start Time and End Time drop-down lists respectively.

  • Days - The specified time on specified days of the week. Click this radio button, select the days in the Days and Time section, and then select a start time and an end time from the Start Time and End Time drop-down lists respectively.

  • Period - A continuous period during a week. Click this radio button, and then, in the Duration section, select a start time and an end time from the Start Time and End Time drop-down lists respectively.

Preview  Preview the details of the configured periodic schedule in the Preview section.

Delete  Select the entry you want to delete from the periodic schedule list below, and click Delete.

Timeframe

Start Time  Specify the start time of the timeframe.

End Time  Specify the end time of the timeframe.

3. Click OK.
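Whether a schedule is active at a given moment depends on all three entry types and on the timeframe, and the Period type is the one people get wrong because it can run across midnight and across the end of the week. The Python below is an added example for this guide, not code from the product: it evaluates a schedule against a datetime, enforces the 16-entry limit, and treats a period whose end lies before its start as wrapping past Sunday. Treating an entry's end minute as inclusive is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]   # datetime.weekday() order
MAX_ENTRIES = 16                                               # per periodic schedule


def _week_minutes(day, t):
    """Minutes elapsed since Monday 00:00, so periods can be compared as numbers."""
    return WEEKDAYS.index(day) * 1440 + t.hour * 60 + t.minute


@dataclass
class Entry:
    kind: str                       # "daily", "days" or "period"
    start: time
    end: time
    days: frozenset = frozenset()   # "days": which weekdays
    start_day: str = "Mon"          # "period": weekday the period starts on
    end_day: str = "Mon"            # "period": weekday it ends on

    def covers(self, at: datetime) -> bool:
        t = at.time()
        day = WEEKDAYS[at.weekday()]
        if self.kind == "daily":
            return self.start <= t <= self.end
        if self.kind == "days":
            return day in self.days and self.start <= t <= self.end
        if self.kind == "period":
            now = _week_minutes(day, t)
            lo = _week_minutes(self.start_day, self.start)
            hi = _week_minutes(self.end_day, self.end)
            if hi < lo:                     # e.g. Sat 22:00 to Mon 06:00 wraps past Sunday
                return now >= lo or now <= hi
            return lo <= now <= hi
        raise ValueError(f"unknown entry type {self.kind!r}")


@dataclass
class Schedule:
    name: str
    entries: list = field(default_factory=list)
    # (start, end) datetimes; None means "effective as soon as a module references it"
    timeframe: Optional[tuple] = None

    def add(self, entry: Entry):
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError(f"a periodic schedule holds at most {MAX_ENTRIES} entries")
        if entry.kind in ("daily", "days") and entry.start > entry.end:
            raise ValueError("start time must not be later than end time")
        if entry.kind == "days" and not entry.days:
            raise ValueError("a Days entry needs at least one weekday")
        self.entries.append(entry)

    def is_active(self, at: datetime) -> bool:
        """True when `at` is inside the timeframe and matches any periodic entry."""
        if self.timeframe is not None:
            start, end = self.timeframe
            if not start <= at <= end:
                return False
        return any(e.covers(at) for e in self.entries)
```

A schedule with no entries is never active here; if you want a timeframe alone to act as an "always on between these dates" window, add a Daily entry covering 00:00 to 23:59.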



Intranet Assets
Intranet assets are the IT assets of an organization that are essential to its ability to operate and make a profit, such as key servers, endpoint groups, networking devices and data storage servers. Because critical assets are essential to day-to-day business operations, they become targets of cyber-attacks. The critical assets of a company therefore need to be protected with stronger defense mechanisms than other individual endpoints.

There are three sources of intranet assets:

• Traffic identification: The device identifies active assets in the network by recognizing whether traffic contains IP addresses within the specified asset range. It is a passive way of discovering assets. Traffic identification discovers new assets in real time and is both timely and flexible.

• Active scanning: The device actively scans the network to identify active assets. Active scanning requires creating and executing scan tasks, and obtains more comprehensive asset information. For instructions on configuring active asset scanning, refer to Creating an Asset Scanning Task.

• Manual configuration: You manually add assets that meet certain criteria to the asset list, either through manual configuration or manual import. For more information about manual configuration of intranet assets, refer to Creating an Intranet Asset. For more information about manually importing intranet assets, refer to Importing Assets.

After intranet asset objects are configured, they work together with the "Traffic Monitor" on Page 128 function to monitor the traffic of all intranet assets, and you can view the risk monitoring details and the threat/traffic topology of the intranet assets in Security Analysis.

Related links:

• "Configuring Intranet Assets" on Page 237



Configuring Intranet Assets
Configuring intranet assets includes the following content:

• Configuring the Asset Range

• Configuring an Asset Scanning Task

• Scan Report

• Asset List

Configuring the Asset Range

The asset range defines the scope of intranet assets. Assets from any source become real assets and are added to the asset list only if they fall within the specified asset range.

Select Configuration Management > Asset Configuration > Asset Range.

• Click the filter icon and select filter conditions from the drop-down list, including name, type and IP. To delete a filter, hover your mouse over the filter condition to be deleted and click × on its right.

• Select an asset range entry and click Delete to delete it.

• Double-click an asset range entry, or select one and click Edit, to edit its configuration on the Asset Range Configuration page.

• Turn on the switch after Hostname Detect to enable hostname detection. When this function is enabled, the system detects the hostnames corresponding to the IP addresses in the current asset range, and displays the detected hostnames on the Security Analysis > Endpoint page. By default, Hostname Detection is disabled.



Creating an Asset Range

To create an asset range, take the following steps:

1. Select Configuration Management > Asset Configuration > Asset Range.

2. Click New.

On the Asset Range Configuration page, configure the following options.

Option  Description

Name  Specifies the name of the intranet asset range. The length is 1 to 63 characters.

Description  Enter the description for the intranet asset range. The length is 0 to 127 characters.

Type  Specifies the type of the intranet asset, which can be Server (Group) or Endpoint Group (an endpoint group is a collection of endpoints within a specified network segment).

IP  Specifies the IP address of the intranet asset.

  When the address type is "IP/Netmask":

  • To configure a single server, specify the intranet asset type as Server (Group) and the mask as 32.

  • To configure a server group, specify the intranet asset type as Server (Group) and a mask other than 32. The mask range is 1-31 or 128.0.0.0-255.255.255.254.

  • To configure an intranet segment, specify the intranet asset type as Endpoint Group and specify a mask. The mask range is 1-32 or 128.0.0.0-255.255.255.255.

  When the address type is "IP Range":

  • An IP range can be specified only when the intranet asset type is Server (Group).

Service Type  The system automatically identifies the service types of servers and endpoints, and displays them in the Service Type column of the "Server List" on Page 50 and the "Endpoint Risk Monitor" on Page 76. When the type of the intranet asset is server, specify the service type of the server: click the drop-down list and select the service type check boxes.

Exception IP  When the intranet asset is a server group, you can specify exception IP addresses. A specified exception IP is not automatically recognized as a server of this server group. Under the Exception IP list, click Add to add an entry, then enter the IP address to be excluded; the default mask is 32. To delete an exception IP, select its entry and click Delete.

3. Click OK.
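Because a discovered IP, whether it came from traffic, a scan or manual entry, only becomes an asset when it falls inside an asset range, it helps to see the mask and exception rules above applied as a classifier. The Python below is an added example for this guide, not product code. It distinguishes the three types used by the import template (server, server group, endpoint group), which the WebUI folds into Server (Group) plus a mask; enforces the mask and IP-range rules; applies exception IPs to server groups; and models the per-model endpoint/server capacity limit described under Asset List as two caller-supplied numbers, which is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field


def _networks(spec):
    """Expand 'a.b.c.d/prefix', 'a.b.c.d/dotted-mask', 'first-last' or a bare IP
    into a list of IPv4Network objects."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if first > last:
            raise ValueError(f"range start after end: {spec}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(spec if "/" in spec else spec + "/32", strict=False)]


@dataclass
class AssetRange:
    name: str
    kind: str                  # "server", "server group" or "endpoint group"
    ip: str                    # IP/netmask, or first-last (Server (Group) only)
    exceptions: list = field(default_factory=list)   # server groups only
    description: str = ""

    def __post_init__(self):
        if not 1 <= len(self.name) <= 63:
            raise ValueError("name must be 1 to 63 characters")
        if len(self.description) > 127:
            raise ValueError("description must be at most 127 characters")
        if self.kind not in ("server", "server group", "endpoint group"):
            raise ValueError(f"unknown asset type {self.kind!r}")
        is_range = "-" in self.ip
        if is_range and self.kind == "endpoint group":
            raise ValueError("an IP range is allowed only for Server (Group)")
        self.nets = _networks(self.ip)
        if not is_range:
            prefix = self.nets[0].prefixlen
            low, high = {"server": (32, 32), "server group": (1, 31), "endpoint group": (1, 32)}[self.kind]
            if not low <= prefix <= high:
                raise ValueError(f"mask /{prefix} is not allowed for {self.kind}")
        if self.exceptions and self.kind != "server group":
            raise ValueError("exception IPs apply to server groups only")
        self.exception_nets = [n for x in self.exceptions for n in _networks(x)]

    def covers(self, ip):
        """True if ip is inside the range and not carved out by an exception IP."""
        addr = ipaddress.IPv4Address(ip)
        if not any(addr in n for n in self.nets):
            return False
        return not any(addr in n for n in self.exception_nets)


class AssetInventory:
    def __init__(self, ranges, max_servers, max_endpoints):
        self.ranges = list(ranges)
        self.limits = {"server": max_servers, "endpoint": max_endpoints}   # per-model caps (assumed)
        self.assets = {"server": {}, "endpoint": {}}

    def classify(self, ip):
        """(asset range, role) of the first range covering ip, or None."""
        for r in self.ranges:
            if r.covers(ip):
                return r, ("endpoint" if r.kind == "endpoint group" else "server")
        return None

    def observe(self, ip, source):
        """Record a discovered IP as an asset when it lies in an asset range and
        the role's capacity is not exhausted; returns what happened."""
        hit = self.classify(ip)
        if hit is None:
            return "not in any asset range"
        asset_range, role = hit
        table = self.assets[role]
        if ip in table:
            return "already known"
        if len(table) >= self.limits[role]:
            return f"{role} capacity reached"
        table[ip] = {"range": asset_range.name, "source": source}
        return f"added as {role}"
```

Putting the gateway and the DHCP pool of a server subnet into Exception IP is the usual way to stop them from being counted as servers; the inventory above shows why that matters once the server capacity of the model is close to being reached.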

Importing the Asset Range

The system supports importing intranet asset files in .csv format. Before importing, download the template file and fill in the asset range information according to the format requirements.

During the import, the system checks the validity of the file. If the check succeeds, the import is completed. If the check fails, the import is terminated, and the reason for the failure and the number of successful entries are displayed.

To import an asset range to the device, take the following steps:

1. Select Configuration Management > Asset Configuration > Asset Range.

2. Click Import to open the Import Assets Range panel.

3. Click Browse to select the intranet asset file to be imported. The asset range information must be written in the template file. If you do not have the template, click the download link to download it.

4. If an asset range entry in the intranet asset file has the same name or IP address as an asset range entry already in the system, it is treated as a duplicate. In the Duplicate Item Policy drop-down list, select the operation to be performed on duplicate entries in the file: Cover or Pass.

  • Cover:

    • If the asset range information of the duplicate items is exactly the same, no operation is performed.

    • For duplicate items with the same name but different asset information, the asset range entry in the imported file prevails and overwrites the current asset range entry in the system.

    • For duplicate items with the same IP but different asset information, no operation is performed, but the details of the duplicate items are displayed.

  • Pass: Duplicate items are skipped, and no operation is performed. The number of skipped items is displayed.

5. Click OK. During the import, the system verifies the file (for example, whether the file type, number of rows and field lengths meet the requirements). After the verification succeeds, the import is completed and the result is displayed. If the verification fails, the import is not performed, and the reason for the failure is displayed.

Notes:
• It is recommended to back up the original asset range information before importing an asset range.

• If the content of the imported intranet asset file is purely English, the file must be an ASCII-encoded .csv file; if the content contains Chinese, the file must be a GBK-encoded .csv file.

• The size of the imported intranet asset file must be no more than 1M.

• The content of the imported intranet asset file must follow the template format. For details, see Importing the File Template.

Importing the File Template

Fill in the intranet asset information in the template file before importing.

The template is shown in the figure below.

The detailed format requirements of the intranet asset information are as follows:

• Lines 1-4 are the instructions for filling in the template, lines 5-8 are filling examples, and the actual content starts from line 10. Do not delete lines 1-10; start filling in the information from line 10. Otherwise the import fails.

• The imported file cannot contain greater-than signs, less-than signs or double quotes. Spaces are allowed, but not at the beginning or the end of a value.

• Requirements for the mandatory fields:

  • Name: the length must be 1-63 characters.

  • Type: the valid values are "server", "server group" and "endpoint group".

  • IP: an IP address/netmask or an IP range. The netmask of "server" is 32, the netmask range of "server group" is 1-31 or 128.0.0.0-255.255.255.254, and the netmask range of "endpoint group" is 1-32 or 128.0.0.0-255.255.255.255.

• Requirements for the optional fields:

  • Service Type: the valid values are "DNS", "FTP", "HTTP", "HTTPS", "IMAP4", "LDAP", "POP3", "SMTP", "HTTP PROXY", "SNMP", "MySQL" and "MSSQL". Multiple values are separated by commas.

  • Exclude IP: an IP address/netmask or an IP range. Multiple values are separated by commas.

  • Description: the length must be 0-127 characters.
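Since a single bad row aborts the whole import, it pays to run the template rules above over a file before uploading it. The Python below is an added example for this guide, not the product's importer, and it makes assumptions you should check against the template you download: the six columns are taken to be Name, Type, IP, Service Type, Exclude IP and Description in that order, and multi-valued cells (Service Type, Exclude IP) are written as standard quoted CSV cells even though the guide forbids double quotes in the file, so the forbidden-character rule is applied to cell contents rather than raw bytes. The function checks size and encoding, treats lines 1-9 as the template header, validates every field, and then applies the Cover/Pass duplicate policy as the previous section describes it.

```python
import csv
import io
import ipaddress

VALID_TYPES = {"server", "server group", "endpoint group"}
VALID_SERVICES = {"DNS", "FTP", "HTTP", "HTTPS", "IMAP4", "LDAP", "POP3", "SMTP",
                  "HTTP PROXY", "SNMP", "MySQL", "MSSQL"}
MASK_LIMITS = {"server": (32, 32), "server group": (1, 31), "endpoint group": (1, 32)}
CONTENT_START = 10              # data rows begin on line 10 of the template
MAX_BYTES = 1024 * 1024         # "no more than 1M"
FORBIDDEN = set('<>"')


def _check_text(value, low, high, label):
    if any(ch in FORBIDDEN for ch in value):
        raise ValueError(f"{label}: '<', '>' and double quotes are not allowed")
    if value != value.strip():
        raise ValueError(f"{label}: leading or trailing spaces are not allowed")
    if not low <= len(value) <= high:
        raise ValueError(f"{label}: length must be {low}-{high} characters")


def _parse_ip(spec):
    """Prefix length of an IP/netmask (dotted masks accepted), or None for a valid first-last range."""
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if first > last:
            raise ValueError("range start after end")
        return None
    return ipaddress.IPv4Network(spec if "/" in spec else spec + "/32", strict=False).prefixlen


def parse_row(fields):
    """Validate one data row (assumed column order: Name, Type, IP, Service Type,
    Exclude IP, Description) and return it as a dict; ValueError on any violation."""
    name, kind, ip, services, exclude, description = (list(fields) + [""] * 6)[:6]
    _check_text(name, 1, 63, "Name")
    if kind not in VALID_TYPES:
        raise ValueError(f"Type: must be one of {sorted(VALID_TYPES)}")
    try:
        prefix = _parse_ip(ip)
    except ValueError as e:
        raise ValueError(f"IP: {ip!r}: {e}")
    if prefix is None:
        if kind == "endpoint group":
            raise ValueError("IP: an IP range is allowed only for server and server group")
    elif not MASK_LIMITS[kind][0] <= prefix <= MASK_LIMITS[kind][1]:
        raise ValueError(f"IP: mask /{prefix} is not allowed for {kind}")
    svc = [s.strip() for s in services.split(",") if s.strip()]
    unknown = [s for s in svc if s not in VALID_SERVICES]
    if unknown:
        raise ValueError(f"Service Type: unknown values {unknown}")
    excl = [x.strip() for x in exclude.split(",") if x.strip()]
    for x in excl:
        try:
            _parse_ip(x)
        except ValueError as e:
            raise ValueError(f"Exclude IP: {x!r}: {e}")
    _check_text(description, 0, 127, "Description")
    return {"name": name, "type": kind, "ip": ip, "services": svc,
            "exclude": excl, "description": description}


def import_asset_ranges(data, existing, policy="Cover"):
    """Check a template .csv (bytes) and merge its rows into `existing` (name -> row).
    Returns {"imported", "skipped", "notes", "error"}; nothing is merged when any
    check fails, mirroring the device's all-or-nothing verification."""
    result = {"imported": 0, "skipped": 0, "notes": [], "error": None}
    if len(data) > MAX_BYTES:
        result["error"] = "file is larger than 1M"
        return result
    try:
        text = data.decode("ascii")            # pure English must be ASCII ...
    except UnicodeDecodeError:
        try:
            text = data.decode("gbk")          # ... and content with Chinese must be GBK
        except UnicodeDecodeError:
            result["error"] = "file must be ASCII or GBK encoded"
            return result
    rows = list(csv.reader(io.StringIO(text)))
    parsed = []
    for lineno, fields in enumerate(rows[CONTENT_START - 1:], start=CONTENT_START):
        if not any(f.strip() for f in fields):
            continue                           # blank line
        try:
            parsed.append(parse_row(fields))
        except ValueError as e:
            result["error"] = f"line {lineno}: {e}"
            return result
    staged = dict(existing)
    by_ip = {row["ip"]: name for name, row in staged.items()}
    for row in parsed:
        same_name, same_ip = staged.get(row["name"]), by_ip.get(row["ip"])
        if same_name is None and same_ip is None:
            pass                                # a new entry
        elif policy == "Pass" or same_name == row:
            result["skipped"] += 1              # Pass policy, or an identical duplicate
            continue
        elif same_name is None:                 # same IP under another name: existing entry stays
            result["skipped"] += 1
            result["notes"].append(f"{row['name']!r} shares IP {row['ip']} with {same_ip!r}")
            continue
        else:                                   # same name, different data: the file wins
            by_ip.pop(same_name["ip"], None)
        staged[row["name"]] = row
        by_ip[row["ip"]] = row["name"]
        result["imported"] += 1
    existing.clear()
    existing.update(staged)
    return result
```

Run it against a copy of the current asset range export (see Exporting the Asset Range) as `existing` to preview exactly which entries Cover would overwrite before touching the device.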

Exporting the Asset Range

The system supports exporting intranet asset files in .csv format, whose content is the asset range configuration currently saved by the system.

To export the asset range configuration, take the following steps:

1. Select Configuration Management > Asset Configuration > Asset Range.

2. Click Export to open the Export Assets Range panel.

3. To export all asset range configuration information, select Export All Assets in the Export Assets Range panel. To export selected entries only, first select the target entries in the asset range list, click Export, and then select Export Selected Assets.

4. Click OK.

Notes: If the content of the exported intranet asset file is purely English, the exported file is an ASCII-encoded .csv file; if the content contains Chinese, the exported file is a GBK-encoded .csv file.

Configuring an Asset Scanning Task

By configuring asset scanning tasks, the device can actively scan the network environment to identify more valid asset information and thus build a more comprehensive asset inventory. After a task has executed, you can view the detailed information of the scanned assets in the asset list.

Select Configuration Management > Asset Configuration > Asset Scan.

• Click the filter icon and select filter conditions from the drop-down list, including task name, task status, task type, network segment and execution status. To delete a filter condition, hover your mouse over the condition to be deleted and click × on its right.

• Select an asset scanning task entry and click Delete to delete it.

• Select an asset scanning task entry and click Edit to edit its configuration on the Task Configuration page.

• Select an asset scanning task entry and click Enable or Disable to enable or disable the task. When an asset scanning task is disabled, its task status is shown as Disabled.

• Select a running task entry and click Stop Task to forcibly terminate the task. Terminated asset scanning tasks do not generate scan reports.

Creating an Asset Scanning Task

To create an asset scanning task, take the following steps:

1. Select Configuration Management > Asset Configuration > Asset Scan.

2. Click New.

On the Task Configuration page, configure the following options.

Option  Description

Task Name  Specifies the name of the asset scanning task. The length is 1 to 50 characters.

Network Segment  Specifies the network segment to be scanned. The address type can be IP/Netmask or IP Range.

  • When the address type is IP/Netmask, enter the IP address and mask. The mask range is 24 to 32.

  • When the address type is IP Range, enter the start IP address and end IP address.

  Note: Only IPv4 addresses are supported.

Task Type  Specifies the type of the asset scanning task: Generate Periodically or Generate Now.

  • Generate Periodically: Generate asset scanning tasks according to the specified periodic schedule. When the task type is Generate Periodically, you can specify its period type and generation time.

    • Period Type: Daily, Weekly, Monthly, Quarterly, Half Yearly or Yearly.

    • Generated At: Click the drop-down list to specify the generation time.

      • When Period Type is Daily, the generation time is a specific time of day, from 00:00 to 23:59.

      • When Period Type is Weekly, the generation time is a specific time of day on a certain day of the week.

      • When Period Type is Monthly, the generation time is a specific time of day on a certain day of the month.

      • When Period Type is Quarterly, the generation time is a specific time of day on a certain day in the first, second or third month of each quarter.

      • When Period Type is Half Yearly, the generation time is a specific time of day on a certain day in the first to sixth month of each half year.

      • When Period Type is Yearly, the generation time is a specific time of day on a certain day between January and December.

  • Generate Now: Generate the asset scanning task immediately.

Scan App & Version  Turn on the switch to enable scanning of the applications and their versions on the assets.

3. Click OK.
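For Generate Periodically, the generation time is the one piece of logic worth checking before relying on it, in particular how Quarterly, Half Yearly and Yearly interpret "a certain day of a certain month within the period" and what happens to a day such as 31 in a short month. The Python below is an added example for this guide, not the product's scheduler: it computes the next generation time after a given moment for each period type, using a 1-based month offset inside the period (1-3 for Quarterly, 1-6 for Half Yearly, 1-12 for Yearly). Clamping a day that a month does not have to the month's last day is an assumption.

```python
import calendar
from datetime import datetime, time, timedelta

PERIOD_MONTHS = {"monthly": 1, "quarterly": 3, "half_yearly": 6, "yearly": 12}


def next_generation(period, now, at, weekday=0, day=1, month_offset=1):
    """First generation time strictly after `now`.

    period:       "daily", "weekly", "monthly", "quarterly", "half_yearly" or "yearly"
    at:           time of day (00:00 to 23:59)
    weekday:      0 = Monday ... 6 = Sunday (weekly)
    day:          day of month (monthly and longer periods)
    month_offset: 1-based month inside the period (quarterly 1-3, half-yearly 1-6, yearly 1-12)
    """
    if period == "daily":
        candidate = datetime.combine(now.date(), at)
        return candidate if candidate > now else candidate + timedelta(days=1)
    if period == "weekly":
        candidate = datetime.combine(now.date(), at) + timedelta(days=(weekday - now.weekday()) % 7)
        return candidate if candidate > now else candidate + timedelta(days=7)
    span = PERIOD_MONTHS[period]
    if not 1 <= month_offset <= span:
        raise ValueError(f"month offset must be 1 to {span} for {period}")
    # 0-based month index (counted from January of now's year) of the current period's first month
    period_start = ((now.month - 1) // span) * span
    while True:
        index = period_start + month_offset - 1
        year, month = now.year + index // 12, index % 12 + 1
        last_day = calendar.monthrange(year, month)[1]
        candidate = datetime(year, month, min(day, last_day), at.hour, at.minute)
        if candidate > now:
            return candidate
        period_start += span        # same slot in the next period
```

Feeding the function its own result as `now` enumerates the whole run plan, which is a quick way to confirm a Quarterly task really fires four times a year on the day you meant.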

Scan Report

Once an asset scanning task is generated, it is enabled immediately, and a corresponding scan report is generated when the task completes. Through the scan report, you can view detailed information about the scanned assets.

Select Configuration Management > Asset Configuration > Scan Report.

• Click the filter icon and select filter conditions from the drop-down list, including generation time, task name, task type and task result. To delete a filter condition, hover your mouse over the condition to be deleted and click × on its right.

• Select a scan report entry and click Delete to delete it.

• Select a scan report entry, click Export, and click OK in the pop-up dialog box. A scan report in HTML format is then exported to your local computer.

Asset List

The Asset List page displays all intranet assets within the specified asset range.

Select Configuration Management > Asset Configuration > Asset List.

• Click and select filter conditions from the drop-down list, including asset IP, asset source, asset type, operating system, and browser. To delete a filter condition, hover your mouse over the condition and click × on its right.

• Select an asset entry and click Delete to delete it.

• Select an asset entry and click Edit to edit its configuration information on the Asset Configuration page.

• When the device is connected to iSource V2.0R9 or a later version, the device receives and executes the asset scanning tasks issued by iSource, and uploads the execution results of both the iSource-issued tasks and the locally created tasks to iSource.



• Turn on the switch behind Synchronize iSource Task to enable this feature. With Synchronize iSource Task enabled, after an iSource-issued task is executed, the device synchronizes the assets that fall within the asset range from the scan result of that task to the local device and displays them in the asset list. By default, this function is disabled.

Notes:

• Asset scanning tasks issued by iSource cannot be viewed on the Asset List page of the BDS device, but can be viewed on the Event Log page of the BDS device.

• For assets from all sources, an asset is added to the asset list only when its IP address falls within the configured asset range and the current number of endpoints/servers has not reached the maximum specification. The maximum number of endpoints/servers supported varies by device model. Please refer to the actual device model.

• Deleting an intranet asset also deletes the items associated with that asset. For example, you can no longer view the asset details on the Threat Event page. Please be cautious when performing this operation.

Creating an Intranet Asset

To create an intranet asset, take the following steps:



1. Select Configuration Management > Asset Configuration > Asset List.

2. Click New.

On the Asset Configuration page, configure the following options.

Option | Description

IP | Specifies the IP address of the intranet asset.

Description | Enter the description for the intranet asset. The value range is 0 to 31 characters.

OS | Specifies the operating system (OS) used by the intranet asset. The OS can be FreeBSD, Linux, macOS, Solaris, Windows, iOS, Android, WebOS, SymbianOS, Windows Phone OS, BlackBerry, or Kindle.

Port/Protocol/Version | Specifies the ports, protocols, applications and versions used by the intranet asset.
  • Click New to specify the port number, transport layer protocol, application layer protocol, applications and versions. After the operation is completed, a new entry is added to the list; at most 65,535 entries are supported.
  • To delete an entry, select its check box and click Delete.

3. Click OK.

Notes: The IP address of the newly created asset must fall within the asset range. Otherwise,
the configuration fails.

Importing Assets

The system supports importing intranet asset files in .csv format. Before importing, download the template file and fill in the asset information according to the format requirements.

To import asset information to the device, take the following steps:

1. Select Configuration Management > Asset Configuration > Asset List.

2. Click Import to go to the Import Assets panel.

3. Click Browse to select the intranet asset file to be imported. The asset information must be written in the template file. If you do not have the template, click to download it.

4. Click OK. During the import process, the system verifies the file to be imported (such as whether file type,
number of rows, field length, etc. meet the requirements). After the verification is successful, the import will be
completed, and the import result will be displayed. If the verification fails, the import will not be performed,
and the reason for the failure will be displayed.



Notes:
• It is recommended to back up the original intranet asset information before importing intranet assets.

• The size of the imported intranet asset file must be no more than 10M.

• The content of the imported intranet asset file must follow the template format. Only English is supported in the template. For more details, see Importing the File Template.

Importing the File Template

You should fill in the intranet asset information in the template file before importing.

The CSV template is shown in the following picture.

The detailed format requirements for the intranet asset information are as follows:

• Lines 1-3 are the instructions for filling in the template, lines 4-7 are the filling examples, and the official content starts from line 9. Therefore, do not delete lines 1-9. Start filling in the information from line 10. Otherwise, the import will fail.

• The imported file cannot contain greater-than signs, less-than signs, or double quotes. Spaces are allowed, but not at the beginning or the end of a value.

• Requirements for the mandatory fields:
  • IP: Enter the IP address of the intranet asset.

• Requirements for the optional fields:
  • Operation system: the valid values are "FreeBSD", "Linux", "macOS", "Solaris", "Windows", "iOS", "Android", "WebOS", "SymbianOS", "Windows Phone OS", "BlackBerry", and "Kindle".
  • Segment Type: Enter the segment type of the intranet asset. The valid values are "general purpose", "terminal server", "print server", "proxy server", "remote management", "game console", "media device", "pda", "phone", and "storage-misc".
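As an added example (not part of this guide or Hillstone's own code), the following Python validator applies the template rules listed above to a CSV file before it is uploaded, so that a rejected import can be explained line by line. The column names "Operation system" and "Segment Type", the header position on line 9 and the asset range passed in as CIDR strings are assumptions, since the template picture is not reproduced here.

```python
import csv
import io
import ipaddress

# Valid values as listed in the template format requirements above.
VALID_OS = {"FreeBSD", "Linux", "macOS", "Solaris", "Windows", "iOS", "Android",
            "WebOS", "SymbianOS", "Windows Phone OS", "BlackBerry", "Kindle"}
VALID_SEGMENT_TYPES = {"general purpose", "terminal server", "print server",
                       "proxy server", "remote management", "game console",
                       "media device", "pda", "phone", "storage-misc"}
FORBIDDEN_CHARS = set('<>"')          # the file may not contain >, < or "
MAX_FILE_BYTES = 10 * 1024 * 1024     # "no more than 10M"
HEADER_LINE = 9                       # lines 1-9 are reserved; assets start at line 10

# Assumed column names: the template picture is not reproduced in the guide.
IP_COLUMN = "IP"
OS_COLUMN = "Operation system"
SEGMENT_COLUMN = "Segment Type"


def validate_asset_csv(text: str, asset_ranges: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the file should import cleanly.

    asset_ranges: the configured asset range as CIDR strings. An asset outside it is
    reported because the device rejects such assets at import time.
    """
    problems: list[str] = []
    if len(text.encode("utf-8")) > MAX_FILE_BYTES:
        problems.append("file exceeds the 10M size limit")
    if not text.isascii():
        problems.append("file contains non-English (non-ASCII) characters")
    found = FORBIDDEN_CHARS & set(text)
    if found:
        problems.append("forbidden characters present: " + "".join(sorted(found)))

    lines = text.splitlines()
    if len(lines) < HEADER_LINE:
        problems.append(f"template is truncated: the header must be on line {HEADER_LINE}")
        return problems

    networks = [ipaddress.ip_network(r, strict=False) for r in asset_ranges]
    reader = csv.DictReader(io.StringIO("\n".join(lines[HEADER_LINE - 1:])))
    if reader.fieldnames is None or IP_COLUMN not in reader.fieldnames:
        problems.append(f"line {HEADER_LINE} must be the template header with an {IP_COLUMN} column")
        return problems

    # DictReader skips blank rows, so the line numbers assume no blank data lines.
    for line_no, row in enumerate(reader, start=HEADER_LINE + 1):
        for column, value in row.items():
            if isinstance(value, str) and value != value.strip():
                problems.append(f"line {line_no}: '{column}' has a leading or trailing space")
        ip_text = (row.get(IP_COLUMN) or "").strip()
        if not ip_text:
            problems.append(f"line {line_no}: {IP_COLUMN} is mandatory")
            continue
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append(f"line {line_no}: '{ip_text}' is not a valid IP address")
            continue
        if not any(ip in net for net in networks):
            problems.append(f"line {line_no}: {ip} is outside the configured asset range")
        os_name = row.get(OS_COLUMN)
        if os_name and os_name not in VALID_OS:
            problems.append(f"line {line_no}: unsupported operation system '{os_name}'")
        segment = row.get(SEGMENT_COLUMN)
        if segment and segment not in VALID_SEGMENT_TYPES:
            problems.append(f"line {line_no}: unsupported segment type '{segment}'")
    return problems


# Constructed sample files: three instruction lines, four example lines, a blank
# line 8, the header on line 9 and assets from line 10, as the guide requires.
_PREAMBLE = [
    "Instruction 1", "Instruction 2", "Instruction 3",
    "Example 1", "Example 2", "Example 3", "Example 4",
    "",
    "IP,Description,Operation system,Segment Type",
]
GOOD_FILE = "\n".join(_PREAMBLE + [
    "10.1.1.20,file server,Linux,general purpose",
    "10.1.1.21,reception printer,,print server",
])
BAD_FILE = "\n".join(_PREAMBLE + [
    "10.1.1.300,bad address,Linux,",           # line 10: not an IP address
    "192.168.5.5,outside range,Windows,",      # line 11: outside the asset range
    " 10.1.1.30,leading space,Ubuntu,pda",     # line 12: space in field, unsupported OS
    "10.1.1.31,<lab> box,Linux,storage-misc",  # line 13: forbidden characters
])

if __name__ == "__main__":
    for name, content in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        print(name, validate_asset_csv(content, ["10.1.1.0/24"]) or ["OK"])
```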

Exporting Assets

The system supports exporting intranet asset files in .csv format; the content is the asset configuration information currently saved by the system.

To export asset configuration information, take the following steps:

1. Select Configuration Management > Asset Configuration > Asset List.

2. Click Export to go to the Export Assets panel.

3. If you want to export all asset configuration information, select Export All Assets in the Export Assets panel.

4. If you want to export selected asset configuration information, you should first select the target entry in the
asset list, click Export and select Export Selected Assets.

5. Click OK.

Notes: If the content of the exported intranet asset file is entirely in English, the exported file is a .csv file in ASCII encoding; if the content contains Chinese, the exported file is a .csv file in GBK encoding.



ARP Defense
The system provides a series of ARP defense functions to check for various ARP attacks on the network, including:

• ARP Learning: Devices can obtain IP-MAC bindings in an intranet through ARP learning and add them to the ARP list. By default this function is enabled. The devices always keep ARP learning on and add the learned IP-MAC bindings to the ARP list. If any IP or MAC address changes during the learning process, the devices add the updated IP-MAC binding to the ARP list.

• ARP binding: Static IP-MAC binding information can be configured manually, and dynamic binding information can also be obtained through the default ARP learning function and the IP-MAC scan function.

• ARP Inspection: Devices support ARP Inspection for TAP interfaces. With this function enabled, the system inspects all ARP packets passing through the specified TAP interfaces and compares the IP-MAC correspondence of the ARP packets with the static IP-MAC bindings in the ARP list.



Configuring ARP Defense

Configuring Binding Settings

Devices support IP-MAC binding to enhance network security checks. The bindings obtained from ARP/MAC learning and ARP scan are known as dynamic bindings, and those configured manually are known as static bindings.

Adding a Static IP-MAC-Port Binding

To add a static IP-MAC-Port binding, take the following steps:

1. Select Configuration Management > ARP Defense > IP-MAC Binding.

2. Click New.

On the IP-MAC Binding Configuration page, configure the corresponding settings.

Option | Description

MAC | Specify a MAC address.

IP | Specify an IP address.

Description | Specify the description for this item.

3. Click OK to save the settings.

Obtaining Dynamic IP-MAC Bindings

Devices can obtain dynamic IP-MAC binding information from IP-MAC scan.



To configure the ARP scan, take the following steps:

1. Select Configuration Management > ARP Defense > IP-MAC Binding.

2. Select Binding Configuration and then click IP-MAC Scan from the pop-up menu.

3. In the IP-MAC Scan dialog box, enter the start IP and the end IP.

4. Click OK to start scanning the specified IP addresses. The result will display in the table in the IP-MAC bind-
ing page.

Bind the IP-MAC Binding Item

To bind the IP-MAC binding item, take the following steps:

1. Select Configuration Management > ARP Defense > IP-MAC Binding.

2. Select Binding Configuration and then click Bind All from the pop-up menu.

3. In the Bind All dialog box, select the binding type: IP-MAC.

4. Click OK to complete the configurations.

To unbind an IP-MAC binding item:

1. Select Configuration Management > ARP Defense > IP-MAC Binding.

2. Select Binding Configuration and then click Unbind All from the pop-up menu.

3. In the Unbind All dialog box, select the unbinding type: IP-MAC.

4. Click OK to complete the configurations.

Importing/Exporting Binding Information

To import the binding information, take the following steps:



1. Select Configuration Management > ARP Defense > IP-MAC Binding.

2. Select ... Others and then click Import from the pop-up menu.

3. In the Import dialog box, click Browse to select the file that contains the binding information. Only UTF-8 encoded files are supported.

4. Click OK to import the binding information from the file.

To export the binding information, take the following steps:

1. Select Configuration Management > ARP Defense > IP-MAC Binding.

2. Select ... Others and then click Export from the pop-up menu.

3. Choose the binding information type.

4. Click OK to export the binding information to a file.

Configuring ARP Inspection

Devices support ARP Inspection for TAP interfaces. With this function enabled, the system inspects all ARP packets passing through the specified TAP interfaces and compares the IP-MAC correspondence of the ARP packets with the static IP-MAC bindings in the ARP list.

• If the IP address is in the ARP list and the MAC address matches, no threat event is detected and no threat log is recorded.

• If the IP address is in the ARP list but the MAC address does not match, the system detects a threat event and records the relevant threat log information.

• If the IP address is not in the ARP list, no threat event is detected and no threat log is recorded.

The TAP interfaces of the system support ARP Inspection. This function is disabled by default.

To configure ARP Inspection on a TAP interface, take the following steps:

1. Select Configuration Management > ARP Defense > ARP Inspection.

2. The system lists the existing TAP interfaces.



3. Double-click the item of a TAP interface.

4. In the Interface Configuration page, select the Enable check box.

5. Click OK to save the settings and close the page.
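The three ARP Inspection comparison rules above, as an added example written for this guide (not Hillstone's code): a simulation that runs constructed ARP packets against a static binding table and raises an event only for the in-list-but-mismatching case, plus a coverage check that lists the IPs seen on an inspected interface that have no static binding and are therefore never inspected. Interface names, addresses and MACs are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    """Sender fields of one ARP packet seen on a TAP interface (constructed sample data)."""
    interface: str
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class ThreatEvent:
    interface: str
    ip: str
    expected_mac: str
    observed_mac: str


def normalize_mac(mac: str) -> str:
    """Compare MACs case-insensitively and regardless of ':' or '-' separators."""
    return mac.lower().replace("-", ":")


def inspect_arp(packets, static_bindings, inspected_interfaces):
    """Apply the guide's ARP Inspection rules to a stream of ARP packets.

    static_bindings: {ip: mac} static entries of the ARP list (dynamic, learned
    bindings are not consulted, as the guide states).
    inspected_interfaces: TAP interfaces with Enable checked (inspection is off by default).
    Returns the list of threat events, one per mismatching packet.
    """
    expected_by_ip = {ip: normalize_mac(mac) for ip, mac in static_bindings.items()}
    events = []
    for pkt in packets:
        if pkt.interface not in inspected_interfaces:
            continue                                  # interface not inspected
        expected = expected_by_ip.get(pkt.sender_ip)
        if expected is None:
            continue                                  # IP not in the ARP list: no event
        observed = normalize_mac(pkt.sender_mac)
        if observed == expected:
            continue                                  # IP in list and MAC matches: no event
        events.append(ThreatEvent(pkt.interface, pkt.sender_ip, expected, observed))
    return events


def uninspected_ips(packets, static_bindings, inspected_interfaces):
    """IPs that sent ARP on an inspected interface but have no static binding.

    These hosts fall under the third rule (no event is ever raised for them), so this
    is the list of bindings an operator still needs to add for inspection to cover them.
    """
    return sorted({p.sender_ip for p in packets
                   if p.interface in inspected_interfaces
                   and p.sender_ip not in static_bindings})


# Constructed sample data.
STATIC_BINDINGS = {
    "10.1.1.1": "00:11:22:33:44:55",   # gateway
    "10.1.1.50": "AA-BB-CC-DD-EE-01",  # file server, written with '-' separators
}
PACKETS = [
    ArpPacket("tap1", "10.1.1.1", "00:11:22:33:44:55"),   # matches: no event
    ArpPacket("tap1", "10.1.1.50", "aa:bb:cc:dd:ee:01"),  # matches after normalization
    ArpPacket("tap1", "10.1.1.1", "de:ad:be:ef:00:01"),   # gateway IP, wrong MAC: event
    ArpPacket("tap1", "10.1.1.77", "de:ad:be:ef:00:02"),  # not in ARP list: no event
    ArpPacket("tap2", "10.1.1.1", "de:ad:be:ef:00:03"),   # tap2 not inspected: ignored
]

if __name__ == "__main__":
    for ev in inspect_arp(PACKETS, STATIC_BINDINGS, {"tap1"}):
        print(f"{ev.interface}: {ev.ip} claimed by {ev.observed_mac}, expected {ev.expected_mac}")
    print("no static binding:", uninspected_ips(PACKETS, STATIC_BINDINGS, {"tap1"}))
```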



Chapter 8 Threat Detection
With threat detection, the device can detect the attack behavior and the C&C behavior of endpoints, thus locating the endpoints infected by malware, that is, the attack sources in the intranet and the endpoints that initiate C&C behavior. Users can then remove the malware from these endpoints in time to reduce the damage to intranet security.

Threat protection includes:

• "Anti Virus" on Page 260: detects the common file types and protocol types that are most likely to carry viruses. The Hillstone device can detect the protocol types POP3, HTTP, SMTP, IMAP4 and FTP, and the file types of archives (including GZIP, BZIP2, TAR, ZIP and RAR-compressed archives), PE, HTML, MAIL, RIFF and JPEG.

• "Intrusion Detection System" on Page 268: detects attacks against mainstream application layer protocols (DNS, FTP, POP3, SMTP, TELNET, MYSQL, MSSQL, ORACLE, NETBIOS), web-based attacks and common Trojan attacks.

• "Attack Detection" on Page 328: detects various types of network attacks and takes appropriate actions to protect the intranet against malicious attacks, thus assuring the normal operation of the intranet and systems.

• "Abnormal Behavior Detection" on Page 352: detects the network traffic of the detection object according to a specific detection dimension in the system. If the traffic exceeds the threshold set for that detection dimension, the system determines whether the detection object has a threat in this dimension, and further determines whether there is abnormal behavior or whether it is infected by malware.

• "Advanced Threat Detection" on Page 361: intelligently analyzes the suspicious traffic of endpoints to detect malicious behavior and identify APT (Advanced Persistent Threat) attacks.

• "Deception Detection" on Page 364: uses IP addresses that are not used in the intranet environment and enables the deception services of application layer protocols (FTP, HTTP, MYSQL, SSH, etc.) for the deception detection object. If an intranet endpoint accesses and uses these deception services, the endpoint may be infected with malware, and the system reports the threat events and logs.

• "Anti-Spam" on Page 305: filters the mails transmitted by the SMTP and POP3 protocols through the cloud server and discovers mail threats.

• "Sandbox" on Page 342: uses cloud sandbox technology. The suspicious file is uploaded to the cloud side. The cloud sandbox collects the actions of this file, analyzes the collected data, verifies the legality of the file, and returns the analysis result to the system.

• "Botnet Detection" on Page 313: detects botnet hosts in the internal network in a timely manner, as well as locating them and taking other actions according to the configuration.

The threat protection configurations are based on security zones.

• If a security zone is configured with the threat protection function, the system performs detection on the traffic that is destined to the binding zone specified in the rule, and then takes the action you specified.

Threat Detection Signature Database


The threat detection signature database includes a variety of virus signatures, Intrusion Detection signatures, Abnormal Behavior Detection signatures, Advanced Threat Detection signatures, Sandbox Whitelist signatures and deception model databases. By default the system updates the threat protection signature database every day automatically. You can change the update configuration as needed. Hillstone devices provide two default update servers: https://update1.hillstonenet.com and https://update2.hillstonenet.com. Hillstone devices support auto update and local update.

According to the severity, signatures can be divided into three security levels: critical, warning and informational.
Each level is described as follows:

l Critical: Critical attacking events, such as buffer overflows.

l Warning: Aggressive events, such as over-long URLs.

l Informational: General events, such as login failures.

Anti Virus
With the Anti Virus function configured in StoneOS, the device can detect various threats including worms, Trojans, malware, malicious websites, etc., and take appropriate actions against the attacks according to your configuration.

The Anti Virus function can detect the common file types and protocol types that are most likely to carry viruses.

• Detects the protocol types POP3, HTTP, SMTP, IMAP4 and FTP.

• Detects the file types GZIP, BZIP2, TAR, ZIP, RAR, PE, HTML, MAIL, RIFF and JPEG.

The virus signature database includes over 10,000 signatures, and supports both daily auto update and real-time
local update. For more information, see "Upgrading System" on Page 414.

Configuring Anti-Virus
This section includes the following parts:

l Preparation for configuring Anti-Virus function

l Configuring Anti-Virus function

l Configuring Anti-Virus global parameters

Preparing

Before enabling Anti-Virus, make the following preparations:

1. Make sure your system version supports Anti-Virus.

2. Import an Anti-Virus license and reboot. The Anti-Virus will be enabled after the rebooting.

Notes:

• You need to update the Anti-Virus signature database before enabling the function for the first time. For more information about how to configure the update, see "Upgrading System" on Page 414. To assure a proper connection to the default update server, you need to configure a DNS server for StoneOS before updating.

Configuring Anti-Virus Function

The Anti-Virus configurations are based on security zones.

• If a security zone is configured with the Anti-Virus function, the system performs detection on the traffic that is destined to the binding zone specified in the rule, and then takes the action you specified.

To configure zone-based Anti-Virus:

1. Create a zone. For more information about how to create one, refer to "Security Zone" on Page 191.

2. On the Zone Configuration page, expand Threat Detection.

3. Enable the threat detection you need and select an Anti-Virus rule from the profile drop-down list below; or click + in the profile drop-down list to create an Anti-Virus rule, see Configuring an Anti-Virus Rule.

4. Click OK to save the settings.

Configuring an Anti-Virus Rule

To configure an Anti-Virus rule:

1. Select Configuration Management > Threat Detection Configuration > Anti-Virus > Profile.

2. Click New.

On the Anti-Virus Rules Configuration page, enter the Anti-Virus rule configurations.

Option | Description

Name | Specifies the rule name.

File Types | Specifies the file types you want to scan. It can be GZIP, JPEG, MAIL, RAR, HTML, etc.

Protocol Types | Specifies the protocol types (HTTP, SMTP, POP3, IMAP4, FTP) you want to scan and the action the system will take after a virus is found.

Capture Packets | Click the Enable button after Capture Packet to enable the capture function.

Malicious Website Access Control | Click the Enable button after Malicious Website Access Control to enable the function.

Enable label E-mail | If an email transferred over SMTP is scanned, you can enable label email to scan the email and its attachment(s). The scanning results are included in the mail body and sent with the email. If no virus has been detected, the message "No virus found" is labeled; otherwise information related to the virus is displayed in the email, including the filename, result and action.
Type the end message content into the box. The range is 1 to 128.

3. Click OK.

Notes: By default, the system comes with three default virus filtering rules according to the virus filtering protection level: predef_low, predef_middle, and predef_high. The default rules cannot be edited or deleted.

Configuring Anti-Virus Whitelist Function

If false positives occur when anti-virus detection is performed on a file or URL, you can add the file MD5 value
or URL to an anti-virus whitelist. You can also edit and delete the anti-virus whitelist.

Creating an Anti-Virus Whitelist

To create an anti-virus whitelist, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Anti-Virus > Whitelist.

2. Click New.

Configure the following options:


Option Description

Name Enter the name of the whitelist.

Type Specifies the whitelist type. Valid values: MD5 and URL.

MD5/URL Enter the file MD5 value or URL based on the type you specify.

3. Click OK.

Notes: At most 1,000 anti-virus whitelists can be added.

Editing an Anti-Virus Whitelist

To edit an anti-virus whitelist, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Anti-Virus > Whitelist.

2. In the whitelist list, select the whitelist that you want to edit and click Edit.

3. On the Whitelist Configuration page, edit the whitelist configuration.

Deleting an Anti-Virus Whitelist

To delete an anti-virus whitelist, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Anti-Virus > Whitelist.

2. In the whitelist list, select the whitelist that you want to delete and click Delete.

Configuring Anti-Virus Global Parameters

To configure the AV global parameters:

1. Select Configuration Management > Threat Detection Configuration > Anti-Virus > Configuration.

On the AV Global Configuration page, enter the AV global configurations.

Option | Description

Anti-Virus | Click the Enable button to enable Anti-Virus.

Log Aggregate Type | The system can aggregate logs based on the aggregation rules (logs with the same virus name and aggregation type) to reduce the number of logs. This prevents log servers from receiving redundant logs. The number of aggregated logs is displayed in the threat log details. In this section, select one of the following aggregation types:
  • Do Not Merge - The system stores each Anti-Virus log in the database without aggregation.
  • Source IP - The system aggregates Anti-Virus logs that have the same source IP address and comply with the other aggregation rule.
  • Destination IP - The system aggregates Anti-Virus logs that have the same destination IP address and comply with the other aggregation rule.
  • Source IP,Destination IP - The system aggregates Anti-Virus logs that have the same source and destination IP addresses and comply with the other aggregation rule. By default, this aggregation type is selected.

Aggregate Time | If the Log Aggregate Type parameter is set to Source IP, Destination IP, or Source IP,Destination IP, you can specify the time granularity for aggregating and storing Anti-Virus logs in the database. The system stores logs that comply with the aggregation rules only once within the same time granularity. Valid values: 10 to 600. Default value: 10. Unit: seconds.

Compressed file processing | The system can decompress compressed files in transit. To configure decompression, click Configuration. In the Decompression Configuration panel, configure the following options:
  • Max Decompression Layer: Specifies how many layers of nested compressed files the internal antivirus scanner can decompress before it executes the virus scan. Valid values: 1 to 5.
  • Exceed Action: Records logs for files whose number of layers exceeds the specified upper limit.
  • Encrypted Compressed File: Specifies the method that is used to process encrypted compressed files.
    • No Action - Do not execute a virus scan on encrypted compressed files. The system may continue to scan the files based on the configuration.
    • Log Only - Generate relevant logs only, without scanning encrypted compressed files.

2. Click OK.
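As an added example (not Hillstone's implementation), the following Python code models the Log Aggregate Type and Aggregate Time rules described above: logs with the same virus name and the same selected IP fields are stored once per aggregation window, with the merged count kept on the stored log, and a window shorter than 10 or longer than 600 seconds is rejected. The assumption that each window starts at the first log of a group is one reading of "only once within the same time granularity"; the sample logs are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class AggregateType(Enum):
    DO_NOT_MERGE = "Do Not Merge"
    SOURCE_IP = "Source IP"
    DESTINATION_IP = "Destination IP"
    SOURCE_AND_DESTINATION_IP = "Source IP,Destination IP"   # the default in the guide


@dataclass(frozen=True)
class AvLog:
    timestamp: float      # seconds
    virus_name: str
    src_ip: str
    dst_ip: str
    filename: str


@dataclass
class StoredLog:
    """What reaches the database: the first log of a group plus the merged count."""
    first: AvLog
    count: int = 1


def aggregation_key(log: AvLog, agg_type: AggregateType) -> tuple:
    """Logs aggregate only when the virus name and the selected IP fields all match."""
    if agg_type is AggregateType.SOURCE_IP:
        return (log.virus_name, log.src_ip)
    if agg_type is AggregateType.DESTINATION_IP:
        return (log.virus_name, log.dst_ip)
    return (log.virus_name, log.src_ip, log.dst_ip)


def aggregate_av_logs(logs, agg_type: AggregateType, aggregate_time: int = 10):
    """Return the logs that would be stored, in time order, with their merged counts."""
    if not 10 <= aggregate_time <= 600:
        raise ValueError("Aggregate Time must be between 10 and 600 seconds")
    ordered = sorted(logs, key=lambda x: x.timestamp)
    if agg_type is AggregateType.DO_NOT_MERGE:
        return [StoredLog(log) for log in ordered]
    stored: list[StoredLog] = []
    open_groups: dict[tuple, StoredLog] = {}   # key -> currently open window
    for log in ordered:
        key = aggregation_key(log, agg_type)
        group = open_groups.get(key)
        # Assumption: the window starts at the first log of the group and lasts
        # aggregate_time seconds; a later log opens a fresh window for that key.
        if group is not None and log.timestamp - group.first.timestamp < aggregate_time:
            group.count += 1
            continue
        group = StoredLog(log)
        open_groups[key] = group
        stored.append(group)
    return stored


# Constructed sample: six detections of two virus names within 14 seconds.
SAMPLE_LOGS = [
    AvLog(0,  "Trojan.Generic.A", "10.0.0.5", "203.0.113.10", "invoice.exe"),
    AvLog(3,  "Trojan.Generic.A", "10.0.0.5", "203.0.113.11", "invoice.exe"),
    AvLog(5,  "Trojan.Generic.A", "10.0.0.6", "203.0.113.10", "setup.exe"),
    AvLog(8,  "Worm.Generic.B",   "10.0.0.5", "203.0.113.10", "update.zip"),
    AvLog(12, "Trojan.Generic.A", "10.0.0.5", "203.0.113.10", "invoice.exe"),
    AvLog(14, "Trojan.Generic.A", "10.0.0.5", "203.0.113.10", "invoice2.exe"),
]

if __name__ == "__main__":
    for agg_type in AggregateType:
        stored = aggregate_av_logs(SAMPLE_LOGS, agg_type)
        print(f"{agg_type.value:>25}: {len(stored)} stored, counts {[s.count for s in stored]}")
```

With the default 10-second window the six sample logs shrink to 4, 4 or 5 stored entries depending on the aggregation type, while the per-entry counts still add up to the original six.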

Intrusion Detection System
Intrusion Detection System is designed to monitor various network attacks in real time and take appropriate actions (such as block) against the attacks according to your configuration. It can detect the following types of attacks:

• Scanning

• Network attacks

• Denial of service

• Phishing

• Spam

• Malware

The detection performed by IDS consists of two methods: signature matching and protocol parsing.

• Signature matching: IDS extracts the protocol elements of interest from the traffic for signature matching. If the elements match items in the signature database, the system processes the traffic according to the action configuration. This part of detection is configured in the Select Signature section.

• Protocol parsing: IDS analyzes the protocol part of the traffic. If the analysis shows that the protocol part contains abnormal contents, the system processes the traffic according to the action configuration. This part of detection is configured in the Protocol Configuration section.

IDS configuration includes the following two parts:

• "Configuring IDS" on Page 269

• "IDS Global Configuration" on Page 302

Configuring IDS
The IDS configurations are based on security zones.

To configure zone-based IDS:

1. Create a zone. For more information about how to create one, refer to "Security Zone" on Page 191.

2. On the Zone Configuration page, expand Threat Detection.

3. Enable the IDS you need and select an IDS rule from the profile drop-down list below; or click + in the profile drop-down list to create an IDS rule, see Configuring an IDS Rule.

Configuring an IDS Rule

The system has three default IDS rules: predef_default, predef_loose and no_ips.

• The predef_default rule includes all the IDS signatures, and by default packets are not captured.

• The predef_loose rule includes all the IDS signatures, and by default packets are captured.

• The no_ips rule includes no IDS signatures.

You can also customize IDS profiles. The configuration includes five parts:

l Basic Information

l Vulnerability Detection

l Lightweight Web Detection

l Password Detection

l Abnormal Flow Detection

To configure an IDS rule:

1. Select Configuration Management > Threat Detection Configuration > Intrusion Detection System >
Profile.

2. Click New to create a new IDS rule. To edit an existing one, select the check box of this rule and then click
Edit. To view it, click the name of this rule.

Note: A navigation bar is located on the right side of the IDS Configuration page. You can click any option to go to the corresponding section.

3. Configure the basic information of the profile:

Option | Description

Name | In the Name text box, enter the name of the newly created IDS profile. If you configure only the name and click OK, this profile will not take effect.

Global Packet Capture | Click the Enable button of Global Packet Capture to capture packets.

Description | Type the description information into the Description text box.

4. In the Vulnerability Detection section, click next to Vulnerability Detection to expand this section, which includes Signature Set and Protocol Max Scan Length.

5. In the Select Signature area, the existing signature sets and their settings are displayed in the table. Select the desired signature sets. You can also manage the signature sets, including New, Edit, and Delete.

i. In the Signature Set area, the existing signature sets and their settings are displayed in the table. You can manage the signature sets, including New, Edit, and Delete. When creating a new signature set rule, you can select Filtering Signature or Selection Signature as needed to filter and retrieve the signature database and select the desired signature sets.

  • Filtering Signature: Filter signature sets by certain filter conditions. Click the Filter Signature button to search for the signatures you want. In this way, you can quickly select the signatures that have been classified by the system.

  • Selection Signature: Select a particular signature set from the signature database. In this way, you can quickly select a particular signature.

ii. Click New and select Filtering Signature or Selection Signature to create a new signature set rule.

Option | Description

Name | Specify the name of the signature set.

Capture package | Capture the abnormal packets that match the configured signature set. You can view them in the threat log.

Filtering Signature | If Filtering Signature is selected: The system categorizes the signatures according to the following aspects (main categories): affected OS, attack type, protocol, severity, confidence, released year, affected application, and bulletin board. A signature can be in several subcategories of one main category. For example, the signature with ID 200211 is in the Linux subcategory, the FreeBSD subcategory, and the Other Linux subcategory at the same time.
You can view the detailed information of a signature by clicking the signature ID, and you can select one or more signatures. Click the Disable or Enable button to disable or re-enable the signature. Note: The enabled/disabled state here applies only to the current profile; the global state is not affected.
When selecting a main category and subcategory, note the following:
  • You can select multiple subcategories of one main category. The logical relation between them is OR.
  • The logical relation between main categories is AND.
  • For example, if you select Windows and Linux in OS and HIGH in Severity, the chosen signatures are those whose severity is high and whose affected operating system is either Windows or Linux.

Selection Signature | If Selection Signature is selected: Type the signature information into the Keyword text box, and the system performs a fuzzy search in the following fields: signature ID, signature name, and description.
After the matched signature is found, select the signature, and it is added to the Selected Signatures tab, indicating that the signature is included in the signature set. You can then click the Enable or Disable button to disable or re-enable the signature. The enabled/disabled state here applies only to the current profile; the global state is not affected.

Note: If you create several signature sets and some of them contain a particular signature, and the actions of these signature sets differ, then when an attack matches this particular signature the system applies the following rules:

• If one signature set is configured with Capture Packet, the system captures the packets.

• The action of a signature set created by Selection Signature has higher priority than the action of a signature set created by Filtering Signature.

iii. Click OK to complete the signature set configuration.

iv. In the Disable Signature area, the signatures that are disabled in the template are shown. Select one or more signatures, and then click the Enable button to re-enable them.

6. In the Protocol Max Scan Length section of Vulnerability Detection, click the max scan length of any protocol in the table to modify it. You can configure the max scan length of the HTTP, DNS, FTP, MSRPC, POP3, SMTP, SUNRPC, and Telnet protocols. Default max scan length: 4096 bytes. Valid values: 0 to 65535 bytes, in which 0 indicates no limit.

7. In the Lightweight Web Detection section, click the expand icon next to Lightweight Web Detection to expand this section.

Option Description

Allow Methods: Specify the HTTP methods that are allowed, including Get, Post, Connect, Options, WebDAV, Put, Head, Trace, Delete, and Others.

Suspicious UA Detection: Turn on the switch to enable the Suspicious UA Detection function. With this function enabled, the system inspects the User-Agent header of HTTP request messages. When the User-Agent is detected as abnormal, you can specify the action to take.

Action: Specify the action to be performed when a suspicious UA is detected.

• Log Only: Record a log.

• Reset: Reset the connection (TCP) or send destination unreachable packets (UDP), and also generate logs.

• Block IP: Block the IP address of the attacker and specify a block duration.

  • Block Time: Default value: 60. Valid values: 60 to 3600. Unit: Second. If you want to specify a longer blocking duration, select a greater duration unit ("hour" or "day"), or select "permanent" to permanently block the IP address of the attacker.

• Block Service: Block the service of the attacker and specify a block duration.

  • Block Time: Default value: 60. Valid values: 60 to 3600. Unit: Second. If you want to specify a longer blocking duration, select a greater duration unit ("hour" or "day"), or select "permanent" to permanently block the service of the attacker.

To protect the Web server, select Web Server in the Lightweight Web Detection tab.

Protecting the Web server means the system can detect the following attacks and take action when it detects them: high frequency access control, sensitive file scan, SQL injection, XSS injection, external link check, hotlinking check, iframe check, ACL, and HTTP request flood. A pre-defined Web server protection rule named default is built in. By default, this protection rule is enabled and cannot be disabled or deleted.

Configure the following settings to protect the Web server:

Option Description

Name: Specify the name of the Web server protection rule.

Configure Domain: Specify the domains protected by this rule. Click the link and the Configure Domain dialog appears. Enter the domain names in the Domain text box. At most 5 domains can be configured. Traffic to these domains is checked by the protection rule.
The domain name of the Web server follows the longest match rule, matching from the back (the top-level label) to the front. Traffic that does not match any rule matches the default Web server. For example, suppose you have configured two protection rules, rule1 and rule2. The domain name in rule1 is abc.com, and the domain name in rule2 is email.abc.com. Traffic that visits news.abc.com matches rule1, traffic that visits www.email.abc.com matches rule2, and traffic that visits www.abc.com.cn matches the default protection rule.

High Frequency Access Control: Click the Enable button to enable the High Frequency Access Control feature. When this function is enabled, the system blocks the traffic of any IP address whose access frequency exceeds the threshold.

• Threshold: Specifies the maximum number of times a single source IP may access the URL path per minute. When the frequency of a source IP address exceeds this threshold, the system blocks the flow of that IP. The value ranges from 1 to 65535 times per minute.

• URL Path: Click the link and the URL Page Configuration page appears. Click New and enter the URL path in the Path text box. After the configuration, all paths that contain the configured path are also counted. The system keeps frequency statistics for HTTP requests that access these paths. If the access frequency of the HTTP requests exceeds the threshold, the source IP of the requests is blocked and can no longer access the Web server. For example, if you configure '/home/ab', the system performs a frequency check on accesses to '/home/ab/login' and '/home/BC/login'. The URL path does not support a path format that contains the host name or domain name: for example, you cannot configure www.baidu.com/home/login.html; instead, configure '/home/login.html' here and configure 'www.baidu.com' in the corresponding Web server domain name settings. You can configure up to 32 URL paths. The length of each path is in the range of 1-255 characters.

Sensitive File Scan: Select Enable to enable the Sensitive File Scan function for Web servers. In a sensitive file scan attack, an attacker traverses the sites on the Web server with a file scanning tool to obtain sensitive information about the Web server, such as its directory structure, background files, and backup files.
If an attacker attempts to scan sensitive files on the Web server, the Web server returns a large number of responses with the status code "404". The system therefore counts the number of 404 responses returned by the Web server per minute. ① If the number is greater than 10, the system parses the URLs in all HTTP requests and matches them against the built-in sensitive file dictionary. If the number of times that the parsed URLs match the sensitive file dictionary exceeds the specified threshold, the system performs the user-specified protection action. The action can be Log Only, Block IP, or Block Service. ② If the number is equal to or greater than 100, the system treats the behavior as a sensitive file scanning attack and performs the specified protection action.

• Threshold: Specifies the threshold for the system to defend against sensitive file scanning attacks. If the number of times that URL paths match the sensitive file dictionary per minute exceeds the threshold, the system performs the user-specified protection action. Default value: 10. Valid values: 10 to 100. Unit: times/min.

SQL Injection Protection: Click the Enable button to enable the SQL injection check.

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

• Sensitivity: Specifies the sensitivity of the SQL injection protection function. The higher the sensitivity, the lower the false negative rate.

• Check point: Specifies the check point for the SQL injection check. It can be Cookie, Cookie2, Post, Referer or URI.

XSS Injection Protection: Click the Enable button to enable the XSS injection check for the HTTP protocol.

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

• Sensitivity: Specifies the sensitivity of the XSS injection protection function. The higher the sensitivity, the lower the false negative rate.

• Check point: Specifies the check point for the XSS injection check. It can be Cookie, Cookie2, Post, Referer or URI.


External Link Check: Click the Enable button to enable the external link check for the Web server. This function controls resource references from external sites.

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

• External link exception: Click this link and the External Link Exception Configuration dialog appears. All the URLs configured in this dialog may be linked by the Web server. At most 32 URLs can be specified for one Web server.

Hotlinking Check: Click the Enable button to enable the Hotlinking Check. The system checks the headers of the HTTP packets and obtains the source site of the HTTP request. If the source site is in the Hotlinking Exception list, the system releases the request; otherwise, it logs the request or resets the connection. This controls references to the Web site from other sites and helps prevent CSRF (Cross Site Request Forgery) attacks.

• Hotlinking Exception: Click the 'Hotlinking Exception' link to open the Hotlinking Exception Configuration page, where the configured URLs are allowed to refer to this Web site. Each Web server can be configured with up to 32 URLs.

Iframe check: Click the Enable button to enable iframe checking. With this function, the system identifies hidden iframes in HTML pages and then logs the event or resets the connection. After iframe checking is enabled, the system checks the iframes in the HTML page against the specified iframe height and width; when either the height or the width is less than or equal to the configured value, the system identifies it as a hidden iframe attack and logs it or resets the connection, as configured.

• Height: Specifies the height value for the iframe, in the range 0 to 4096.

• Width: Specifies the width value for the iframe, in the range 0 to 4096.

ACL: Click the Enable button to enable access control for the Web server. The access control function checks the upload paths of the websites to prevent attackers from uploading malicious code.

• ACL: Click this link and the ACL Configuration dialog appears. Specify websites and their properties in this dialog. "Static" means the URI may be accessed only statically, as a static resource (images and text); otherwise the access is handled according to the specified action (log only/reset). "Block" means the resource of the website is not allowed to be accessed.

HTTP Request Flood Protection: Click the Enable button to enable the HTTP request flood protection.

• Request threshold: Specifies the request threshold. When the number of HTTP connection requests per second reaches the threshold and this lasts for 20 seconds, the system treats it as an HTTP request flood attack and enables the HTTP request flood protection.
When an HTTP request flood attack is discovered, you can make the system take the following actions:

• Authentication: Specifies the authentication method. The system judges the legality of the HTTP requests from a source IP through the authentication. If a source IP fails the authentication, the current request from that source IP is blocked. The available authentication methods are:

  • Auto (JS Cookie): The Web browser finishes the authentication process automatically.

  • Auto (Redirect): The Web browser finishes the authentication process automatically.

  • Manual (Access Configuration): The initiator of the HTTP request must confirm by clicking OK on the returned page to finish the authentication process.

  • Manual (CAPTCHA): The initiator of the HTTP request must confirm by entering the authentication code on the returned page to finish the authentication process.

• Crawler-friendly: If this check box is selected, the system does not authenticate crawlers.

• Request limit: Specifies the request limit for the HTTP request flood protection. After the request limit is configured, the system limits the request rate of each source IP. If the request rate is higher than the limit specified here and the HTTP request flood protection is enabled, the system handles the excess requests according to the specified action (Block IP/Reset). To record a log, click the Enable button.

• Proxy limit: Specifies the proxy limit for the HTTP request flood protection. After the proxy limit is configured, the system checks whether each source IP belongs to a proxy server and, if it does, limits its request rate according to this configuration. If the request rate is higher than the limit specified here and the HTTP request flood protection is enabled, the system handles the excess requests according to the specified action (Block IP/Reset). To record a log, click the Enable button.

• White List: Specifies the white list for the HTTP request flood protection. Source IPs added to the white list are not checked by the HTTP request flood protection.
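Two of the checks in the table above are easy to misread, so here they are written out as plain Python: the "longest match from the back" domain rule that decides which protection rule a request belongs to, and the two-stage 404 counter behind Sensitive File Scan. This is an added example, not Hillstone code; the function names, the stand-in sensitive file dictionary (the appliance's built-in one is not published on this page) and all sample traffic are constructed assumptions.

```python
"""Added example (not Hillstone code): Web server protection rule selection
and sensitive file scan detection, modelled on the table above.
The dictionary below is a constructed stand-in for the built-in one."""
from __future__ import annotations

from collections import deque


def _labels(name: str) -> list[str]:
    """'WWW.Email.abc.com.' -> ['www', 'email', 'abc', 'com']"""
    return name.lower().strip(".").split(".")


def select_rule(host: str, rules: dict[str, list[str]], default: str = "default") -> str:
    """Pick the rule whose configured domain is the longest label-wise suffix
    of `host`.  Matching is by whole labels from the back, so 'abc.com' covers
    news.abc.com but not xabc.com or www.abc.com.cn; unmatched traffic goes to
    the built-in default rule."""
    host_labels = _labels(host)
    best_rule, best_len = default, 0
    for rule, domains in rules.items():
        for domain in domains[:5]:          # at most 5 domains per rule
            d_labels = _labels(domain)
            n = len(d_labels)
            if n > best_len and host_labels[-n:] == d_labels:
                best_rule, best_len = rule, n
    return best_rule


# Constructed stand-in for the appliance's built-in sensitive file dictionary.
SENSITIVE_FILE_DICT = ("/.git/", "/.env", ".bak", "/backup", "/admin/", "/.svn/")


class SensitiveFileScanDetector:
    """Per Web server: count 404 responses over a sliding one-minute window.
    More than 10 per minute switches on dictionary matching of every request
    URL in the window; 100 or more is an attack regardless of the dictionary.
    observe() returns None or the verdict 'sensitive_file_scan'."""

    WINDOW = 60.0
    FIRST_STAGE = 10      # 404s/min above this: start dictionary matching
    SECOND_STAGE = 100    # 404s/min at or above this: attack outright

    def __init__(self, threshold: int = 10) -> None:
        if not 10 <= threshold <= 100:
            raise ValueError("Threshold must be 10..100 times/min")
        self.threshold = threshold
        self._events: deque = deque()   # (time, url, is_404) for every request

    def observe(self, url: str, status: int, now: float) -> str | None:
        # Age out everything older than one minute before counting.
        while self._events and now - self._events[0][0] >= self.WINDOW:
            self._events.popleft()
        self._events.append((now, url, status == 404))
        n404 = sum(1 for _, _, is404 in self._events if is404)
        if n404 >= self.SECOND_STAGE:
            return "sensitive_file_scan"
        if n404 > self.FIRST_STAGE:
            matches = sum(
                1 for _, u, _ in self._events
                if any(key in u.lower() for key in SENSITIVE_FILE_DICT)
            )
            if matches > self.threshold:
                return "sensitive_file_scan"
        return None


if __name__ == "__main__":
    rules = {"rule1": ["abc.com"], "rule2": ["email.abc.com"]}
    for host in ("news.abc.com", "www.email.abc.com", "www.abc.com.cn"):
        print(host, "->", select_rule(host, rules))
    det = SensitiveFileScanDetector()
    for i in range(11):   # 11 probes of backup paths inside one minute
        verdict = det.observe(f"/backup/site{i}.zip", 404, float(i))
    print("verdict after 11 dictionary hits:", verdict)
```

The detector keeps every request in the window, not just the 404s, because the text says the dictionary match runs over all HTTP requests once the 404 rate is exceeded; the 404 count alone decides whether that matching happens at all.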

8. Click Password Detection to unfold this section. Then, enable Weak Password Detection. The system then detects the strength of plaintext passwords carried over HTTP/FTP/Telnet/POP3/IMAP/SMTP in this profile, to prevent security risks caused by weak passwords. To set the weak password detection parameters, click Configure.

i. Turn on the Weak Password Detection switch to enable this function. The system then checks the strength of the plaintext passwords set under the FTP/Telnet/POP3/IMAP/SMTP/HTTP protocols in this profile. A password is detected as weak if it meets the conditions configured in the Weak Password Detection section. In this case, the system issues an alarm log to flag the potential security risk caused by the weak password. Click Configure to configure the detection parameters for weak passwords.
Note: When SSL proxy is configured in the policy, you can also detect weak passwords for encrypted protocols such as HTTPS.

In the Weak Password Detection panel, configure the following options:

Option Description

Password Length: Specify the minimum password length. If a password is shorter than the specified length, the system regards the password as weak. Valid values: 6 to 50. Default value: 6. Unit: characters.

Password Character Type: Specify the minimum number of password character types. If the number of character types in a password is less than the specified value, the system regards the password as weak. The character types that the system can detect are numbers, uppercase letters, lowercase letters, and special characters. Valid values: 1 to 4. Default value: 2.

Other Situations: Other situations of a weak password include usernames that equal passwords, passwords with consecutive numbers or letters, and anonymous FTP logins.

• User Name Equals Password: If you enable the button, passwords that are the same as usernames are regarded as weak passwords.

• Continuous Character Detection: If you enable the button, passwords that contain no fewer than 8 identical consecutive characters, or 8 consecutive characters in alphabetical (ascending) or reverse-alphabetical (descending) order, are regarded as weak passwords. Examples: 1aaaaaaaa, abcdefgh, and 87654321.

• FTP Anonymous Login Detection: If you enable the button, the passwords the FTP server uses for anonymous users are regarded as weak passwords.

Specify Weak Password: You can specify custom weak passwords. If a password detected by the system matches a specified password, the password is regarded as weak. At most 100 custom weak passwords can be specified.
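The table's conditions compose into a small policy check, which is useful when you want to reproduce on a credential sample what the appliance would flag. The checker below is an added example, not Hillstone code: the defaults follow the table (length 6, 2 character types, runs of 8), while the account names treated as anonymous FTP logins, the function names and the sample passwords are constructed assumptions.

```python
"""Added example (not Hillstone code): a checker applying the Weak Password
Detection options from the table above.  Value ranges and defaults are the
table's; FTP_ANONYMOUS_USERS is a constructed assumption."""
from __future__ import annotations

from dataclasses import dataclass

FTP_ANONYMOUS_USERS = frozenset({"anonymous", "ftp"})   # assumption


@dataclass(frozen=True)
class WeakPasswordPolicy:
    min_length: int = 6                 # Password Length: 6..50
    min_char_types: int = 2             # Password Character Type: 1..4
    user_equals_password: bool = True
    continuous_characters: bool = True
    ftp_anonymous_login: bool = True
    custom_weak: frozenset = frozenset()   # Specify Weak Password: at most 100

    def __post_init__(self) -> None:
        if not 6 <= self.min_length <= 50:
            raise ValueError("Password Length must be 6..50")
        if not 1 <= self.min_char_types <= 4:
            raise ValueError("Password Character Type must be 1..4")
        if len(self.custom_weak) > 100:
            raise ValueError("at most 100 custom weak passwords")


def char_types(password: str) -> int:
    """Number of character classes present: number, upper, lower, special."""
    classes = {
        "digit" if c.isdigit() else "upper" if c.isupper()
        else "lower" if c.islower() else "special"
        for c in password
    }
    return len(classes)


def has_continuous_run(password: str, run_len: int = 8) -> bool:
    """True for `run_len` identical characters in a row, or `run_len`
    characters stepping up (abcdefgh) or down (87654321) by one code point."""
    for step in (0, 1, -1):
        run = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if ord(cur) - ord(prev) == step else 1
            if run >= run_len:
                return True
    return False


def weak_password_reasons(password: str, username: str = "", protocol: str = "",
                          policy: WeakPasswordPolicy = WeakPasswordPolicy()) -> list[str]:
    """List every enabled condition the password triggers; empty means it
    passed.  This is the decision the appliance turns into an alarm log."""
    reasons = []
    if len(password) < policy.min_length:
        reasons.append("length")
    if char_types(password) < policy.min_char_types:
        reasons.append("character_types")
    if policy.user_equals_password and username and password == username:
        reasons.append("username_equals_password")
    if policy.continuous_characters and has_continuous_run(password):
        reasons.append("continuous_characters")
    if (policy.ftp_anonymous_login and protocol.lower() == "ftp"
            and username.lower() in FTP_ANONYMOUS_USERS):
        reasons.append("ftp_anonymous_login")
    if password in policy.custom_weak:
        reasons.append("custom_weak_password")
    return reasons


if __name__ == "__main__":
    for pw in ("1aaaaaaaa", "abcdefgh", "87654321", "Tr0ub4dor&3"):
        print(pw, weak_password_reasons(pw) or "ok")
```

Note that the three examples the table gives (1aaaaaaaa, abcdefgh, 87654321) all trip Continuous Character Detection, but the last two also fail the default two-character-type minimum, so a single password can carry several reasons in one alarm.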

ii. Turn on the HTTP Plain Text Detection switch to enable this function. The system then checks the password field in HTTP packets. If the password is not encrypted, an alarm log is generated.
Note: When the login is successful, the system performs plaintext detection only against the password in the HTTP packet, not the HTTPS packet, because HTTPS traffic is not transmitted in plaintext by default.

iii. In the HTTP Password Detection Configuration section, you can configure the username field, password field, success-login response code, success-login field, fail-login response code, and fail-login field in the HTTP login packet. The system determines whether the login password is weak and whether there is a brute-force attack by parsing the username, password, and login result contained in the HTTP login packet. The system ships with a default list of username fields, password fields, and login result fields. However, the content of the HTTP exchange depends on the negotiation between the client and the server; therefore, to avoid false negatives, you can customize the fields that carry the username, password, successful-login and failed-login information in the actual HTTP packets. This way, the system detects weak passwords and brute-force attacks and performs the corresponding actions according to the configured rules.

Configure the following options in the HTTP Password Detection Configuration section:

Option Description

Username Field(s): Specifies the username field in the HTTP login packet. The username field is case insensitive. Multiple fields can be separated with a semicolon. For example, username;user;usrname;j_username.

Password Field(s): Specifies the password field in the HTTP login packet. The password field is case insensitive. Multiple fields can be separated with a semicolon. For example, password;passwd;pass;pwd;j_password.

Success-login Response Code(s): Specifies the success-login response code(s) in the HTTP login packet. Multiple codes can be separated with a semicolon. For example, 200;302;201.

Success-login Field(s): Specifies the success-login field in the HTTP login packet. The success-login field is case insensitive. Multiple fields can be separated with a semicolon. For example, loginsuccess;login-success.

Fail-login Response Code(s): Specifies the fail-login response code(s) in the HTTP login packet. Multiple codes can be separated with a semicolon. For example, 200;302;201;303.

Fail-login Field(s): Specifies the fail-login field in the HTTP login packet. The fail-login field is case insensitive. Multiple fields can be separated with a semicolon. For example, loginerror;login-error;loginerr.
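Steps ii and iii together describe a parser: find the credential fields in a plaintext HTTP login, then use the response code and result fields to decide whether the login succeeded, so that repeated failures can be counted. The code below is an added example, not Hillstone code. The six lists are the table's own defaults; the sample request and responses, the helper names and the consecutive-failure threshold (the page gives no number for brute-force detection) are constructed assumptions.

```python
"""Added example (not Hillstone code): parse an HTTP login exchange with the
field / response-code lists from the table above and count failed logins.
Sample traffic and the failure threshold are constructed assumptions."""
from __future__ import annotations

from collections import defaultdict
from urllib.parse import parse_qs


def split_fields(spec: str) -> list[str]:
    """'password;passwd;pwd' -> ['password', 'passwd', 'pwd'] (case insensitive)."""
    return [f.strip().lower() for f in spec.split(";") if f.strip()]


# The table's default values, exactly as they would be typed into the UI.
CONFIG = {
    "username_fields": split_fields("username;user;usrname;j_username"),
    "password_fields": split_fields("password;passwd;pass;pwd;j_password"),
    "success_codes": {int(c) for c in split_fields("200;302;201")},
    "success_fields": split_fields("loginsuccess;login-success"),
    "fail_codes": {int(c) for c in split_fields("200;302;201;303")},
    "fail_fields": split_fields("loginerror;login-error;loginerr"),
}


def parse_login_request(raw: str) -> dict | None:
    """Extract username/password from a form POST.  Getting a result at all
    means the credential travelled in plaintext HTTP, which is what HTTP
    Plain Text Detection raises an alarm log for."""
    head, _, body = raw.partition("\r\n\r\n")
    method, path, _ = head.split("\r\n", 1)[0].split(" ", 2)
    if method.upper() != "POST":          # assumption: form logins are POSTs
        return None
    form = {k.lower(): v[0] for k, v in parse_qs(body).items()}

    def first_present(names: list[str]) -> str | None:
        return next((form[n] for n in names if n in form), None)

    user = first_present(CONFIG["username_fields"])
    password = first_present(CONFIG["password_fields"])
    if user is None or password is None:
        return None
    return {"path": path, "username": user, "password": password, "plaintext": True}


def classify_login(response: str) -> str:
    """'success', 'fail' or 'unknown'.  The default success and fail code
    lists overlap (200, 302 and 201 are in both), so the result fields in
    the response decide; a bare code with no field stays 'unknown'."""
    code = int(response.split(" ", 2)[1])
    text = response.lower()
    if code in CONFIG["fail_codes"] and any(f in text for f in CONFIG["fail_fields"]):
        return "fail"
    if code in CONFIG["success_codes"] and any(f in text for f in CONFIG["success_fields"]):
        return "success"
    return "unknown"


class BruteForceTracker:
    """Consecutive failed logins per (source IP, username); reset on success.
    The threshold is an assumption, not a value from the page."""

    def __init__(self, max_failures: int = 5) -> None:
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def record(self, src_ip: str, username: str, outcome: str) -> bool:
        key = (src_ip, username)
        if outcome == "fail":
            self.failures[key] += 1
        elif outcome == "success":
            self.failures[key] = 0
        return self.failures[key] >= self.max_failures


# Constructed sample exchange (not captured traffic).
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n"
    "j_username=alice&j_password=hunter2"
)
SAMPLE_FAIL_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<p class=\"loginerror\">Invalid credentials</p>"
)
SAMPLE_SUCCESS_RESPONSE = "HTTP/1.1 302 Found\r\nLocation: /home?login-success=1\r\n\r\n"

if __name__ == "__main__":
    print(parse_login_request(SAMPLE_REQUEST))
    print(classify_login(SAMPLE_FAIL_RESPONSE), classify_login(SAMPLE_SUCCESS_RESPONSE))
```

The overlap between the default success and fail code lists is the reason the field lists matter: a 200 response is only a failed login if a fail-login field appears in it, which is exactly the kind of site-specific marker the table invites you to customize.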

9. In the Abnormal Flow Detection section, click the expand icon next to Abnormal Flow Detection to expand this section, which includes Rebound Shell Detection and Protocol Configuration.

i. Turn on the switch next to Rebound Shell Detection and configure this function.

Option Description

Mode: Specify the detection mode of the system for rebound shell attacks.

• Low Misreport: The system scans for keywords of rebound shell attacks and reports logs only when the keywords are matched more than four times. This mode can be used in scenarios with high system performance requirements.

• High Detection: The system scans for keywords of rebound shell attacks and reports logs when the keywords are matched more than two times. This mode can be used in scenarios with high requirements for attack detection.

ii. In the Protocol Configuration area, click the icon to open the protocol configurations. The protocol configurations specify the requirements that the protocol part of the traffic must meet. If the protocol part contains abnormal contents, the system processes the traffic according to the action configuration. The system supports the configuration of HTTP, DNS, FTP, MSRPC, POP3, SMTP, SUNRPC, and Telnet.

In the HTTP tab, configure the following settings:

Option Description

HTTP:
Max Scan Length: Specify the maximum length of scanning when scanning the HTTP packets.

Banner Detection: Click Enable to enable protection against HTTP server banners.

• Banner information: Type the new information into the box; it replaces the original server banner information.

Protocol Anomaly Detection: Click Enable to analyze the HTTP packets. If abnormal contents exist, you can:

• Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to HTTP protocol anomalies in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable them.

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max URI Length: Specify a max URI length for the HTTP protocol. If the URI length exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Allowed Methods: Specify the allowed HTTP methods.

In the DNS tab, configure the following settings:

Option Description

DNS:
Max Scan Length: Specify the maximum length of scanning when scanning the DNS packets.

Protocol Anomaly Detection: Click Enable to analyze the DNS packets. If abnormal contents exist, you can:

• Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to DNS protocol anomalies in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable them.

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

In the FTP tab, configure the following settings:

Option Description

FTP:
Max Scan Length: Specify the maximum length of scanning when scanning the FTP packets.

Banner Detection: Click the Enable button to enable protection against FTP server banners.

• Banner Information: Type the new information into the box; it replaces the original server banner information.

Protocol Anomaly Detection: Click the Enable button to analyze the FTP packets. If abnormal contents exist, you can:

• Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to FTP protocol anomalies in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable them.

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max Command Line Length: Specifies a max length (including carriage return) for the FTP command line. If the length exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max Response Line Length: Specifies a max length for the FTP response line. If the length exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

In the MSRPC tab, configure the following settings:

Option Description

MSRPC:
Max Scan Length: Specify the maximum length of scanning when scanning the MSRPC packets.

Protocol Anomaly Detection: Click the Enable button to analyze the MSRPC packets. If abnormal contents exist, you can:

• Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to MSRPC protocol anomalies in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable them.

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max bind length: Specifies a max length for MSRPC bind packets. If the length exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max request length: Specifies a max length for MSRPC request packets. If the length exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

In the POP3 tab, configure the following settings:

Option Description

POP3:
Max Scan Length: Specify the maximum length of scanning when scanning the POP3 packets.

Banner Detection: Click the Enable button to enable protection against POP3 server banners.

• Banner information: Type the new information into the box; it replaces the original server banner information.

Protocol Anomaly Detection: Click the Enable button to analyze the POP3 packets. If abnormal contents exist, you can:

• Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to POP3 protocol anomalies in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable them.

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max Command Line Length: Specifies a max length (including carriage return) for the POP3 command line. If the length exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max Parameter Length: Specifies a max length for the POP3 client command parameter. If the length exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max failure time: Specifies the maximum number of failures (within one single POP3 session) allowed for the POP3 server. If the number of failures exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

In the SMTP tab, configure the following settings:

Option Description

SMTP:
Max Scan Length: Specify the maximum length of scanning when scanning the SMTP packets.

Banner Detection: Click the Enable button to enable protection against SMTP server banners.

• Banner information: Type the new information into the box; it replaces the original server banner information.

Protocol Anomaly Detection: Click the Enable button to analyze the SMTP packets. If abnormal contents exist, you can:

• Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to SMTP protocol anomalies in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable them.

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max Command Line Length: Specifies a max length (including carriage return) for the SMTP command line. If the length exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max Path Length: Specifies a max length for the reverse-path and forward-path fields in the SMTP client command. If the length exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max Reply Line Length: Specifies a max reply line length for the SMTP server. If the length exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max Text Line Length: Specifies a max length for the e-mail text line of the SMTP client. If the length exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max Content Type Length: Specifies a max length for the content-type of the SMTP protocol. If the length exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max Content Filename Length: Specifies a max length for the filename of an e-mail attachment. If the length exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Max Failure Time: Specifies the maximum number of failures (within one single SMTP session) allowed for the SMTP server. If the number of failures exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

In the SUNRPC tab, configure the following settings:

Option Description

SUNRPC:
Max Scan Length: Specify the maximum length of scanning when scanning the SUNRPC packets.

Protocol Anomaly Detection: Click the Enable button to analyze the SUNRPC packets. If abnormal contents exist, you can:

• Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to SUNRPC protocol anomalies in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable them.

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

In the Telnet tab, configure the following settings:

Option Description

Telnet:
Max Scan Length: Specify the maximum length of scanning when scanning the Telnet packets.

Protocol Anomaly Detection: Click the Enable button to analyze the Telnet packets. If abnormal contents exist, you can:

• Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to Telnet protocol anomalies in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable them.

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Username/Password Max Length: Specifies a max length for the username and password used in Telnet. If the length exceeds the limit, you can:

• Capture Packets: Capture the abnormal packets. You can view them in the threat log.

10. Click Save to complete the protocol configurations.

11. Click OK to complete the IDS rule configurations.

Viewing Details about IDS Profile

You can view the detailed configuration of predefined IDS profiles.

To view details about an IDS profile, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Intrusion Detection System > Profile.

2. Select a predefined IDS profile from the list.

3. Click View in the upper part to view the details of the profile.

Editing an IDS Profile

You can edit a configured custom IDS profile.

To edit an IDS profile, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Intrusion Detection System > Profile.

2. Select a custom IDS profile from the list.

3. Click Edit in the upper part to open the profile for editing.

4. Refer to Configuring IDS Profiles to edit parameters related to the Basic Information, Vulnerability Protection, Web Protection, Password Detection, and Abnormal Flow Detection options.

5. Click OK.

Notes: You cannot edit or delete predefined IDS profiles.

Deleting an IDS Profile

You can delete a custom IDS profile together with its configuration.

To delete an IDS profile, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Intrusion Detection System > Profile.

2. Select one or more custom IDS profiles from the list.

3. Click Delete to delete the profile and its configuration.

Cloning an IDS Profile

You can clone an IDS profile. To generate a new IDS profile, you then only need to modify some parameters of the cloned IDS profile.

To clone an IDS profile, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Intrusion Detection System > Profile.

2. Select an IDS profile from the list.

3. Click Clone in the upper part and enter a new profile name in the Name field.

4. A cloned IDS profile is generated in the list.

Signature List

Select Configuration Management > Threat Detection Configuration > Intrusion Detection System > Signature List to see the signature list.

The upper section is for searching signatures. The lower section is for managing signatures.

Searching Signatures

• In the upper section, click the filter box and select a condition from the drop-down list to search for the signatures that match the condition.

• To save the filter, take the following steps:

1. Click the button to the right of the filter, then click the save icon in the pop-up list.

2. Enter the name in the pop-up text box and click the Save button.

3. Click the saved filter name to display the signatures corresponding to the filter condition.

• To delete a filter, take the following steps:

  • Delete a single filter: Hover your mouse over that filter and click the × on the right to delete it.

  • Delete all filters: Click the × Remove All button on the right side of the filter bar to delete all filters.

  • Delete saved filters: Click the button to the right of the filter, then in the pop-up list, click the × to the right of the saved filter name you want to delete.

Managing Signatures

You can view signatures, create a new signature, load the database, delete a signature, edit a signature, enable a signature, and disable a signature.

• View signatures: In the signature list, click the + of a signature to view its details.

l Create a new signature: click New.

In the User-defined Signature page, configure the following settings:


Option Description

Name Specifies the signature name.

Description Specifies the signature description.

Protocol Specifies the affected protocol.

Flow Specifies the traffic direction the signature applies to.

l To_Server - The packet carrying the attack travels from the client to the server.

l To_Client - The packet carrying the attack travels from the server to the client.

l Any - Matches both To_Server and To_Client.

Source Port Specifies the source port of the signature.

l Any - Any source port.

l Included - Only the source ports you specify match. The value can be a single port, several ports, or a range; enter the port numbers in the text box, separated by ",".

l Excluded - The source ports you specify are excluded and all other source ports match. The value can be a single port, several ports, or a range; enter the port numbers in the text box, separated by ",".

Destination Port Specifies the destination port of the signature.

l Any - Any destination port.

l Included - Only the destination ports you specify match. The value can be a single port, several ports, or a range; enter the port numbers in the text box, separated by ",".

l Excluded - The destination ports you specify are excluded and all other destination ports match. The value can be a single port, several ports, or a range; enter the port numbers in the text box, separated by ",".

Dsize Specifies the size of the packet payload. Select "----", ">", "<" or "=" from the drop-down list and enter the value in the text box. "----" means the parameter is not set.

Severity Specifies the severity of the attack.

Attack Type Select the attack type from the drop-down list.

Application Select the affected applications. "----" means all applications.

Operating System Select the affected operating system from the drop-down list. "----" means all operating systems.

Bulletin Board Select the bulletin board associated with the attack.

Year Specifies the year the attack was published.

Detection Filter Specifies how often the signature must match before the rule fires.

l Track - Select by_src or by_dst from the drop-down list. The system counts matches per source IP or per destination IP and uses that count to decide whether the rule is triggered.

l Count - Specifies the number of matches allowed within the specified time. Once the matches exceed the Count value, the system triggers the rule and acts as specified.

l Seconds - Specifies the length of the time window, in seconds, over which matches are counted.

Under Content, click New to add a content entry to the signature:


Option Description

Content Specifies the signature content. Select the following check boxes if needed:

l HEX - The content is given in hexadecimal.

l Case Insensitive - The content is matched without regard to case.

l URI - The content must match the URI field of the HTTP request.

Relative Specifies where in the payload the content is searched for.

l If Beginning is selected, the system searches from the start of the application-layer payload.

o Offset: The system starts searching this many bytes after the start of the application-layer payload. The unit is byte.

o Depth: Specifies the number of bytes to scan after the offset. The unit is byte.

l If Last Content is selected, the system searches relative to the end of the previous content match.

o Distance: The system starts searching this many bytes after the end of the previous content match. The unit is byte.

o Within: Specifies the number of bytes to scan after the distance. The unit is byte.

l Load the database: After you create a new signature, click Load Database to make the newly created signature
take effect.

l Edit a signature: Select a signature and then click Edit. You can only edit the user-defined signature. After edit-
ing the signature, click Load Database to make the modifications take effect.

l Delete a signature: Select a signature and then click Delete. You can only delete the user-defined signature.
After deleting the signature, click Load Database to make the deletion take effect.

l Enable/Disable signatures: After selecting signatures, click Enable or Disable.
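The Content and Detection Filter options above behave like a small matching engine. The following Python is an added example, not Hillstone code, of how those fields combine: Dsize is checked first; each Content entry is searched either from the start of the application-layer payload (Offset and Depth) or relative to the end of the previous match (Distance and Within); and the Detection Filter fires the rule only once the match count for the tracked source or destination IP exceeds Count within Seconds. The signature, its packets and the window arithmetic are constructed from the descriptions in the tables; the device's own engine may differ in details such as how Within is measured.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Content:
    """One row of the Content table: a pattern plus where in the payload to look for it."""
    pattern: str
    is_hex: bool = False            # HEX check box: the pattern is a string of hex digits
    nocase: bool = False            # Case Insensitive check box
    relative: str = "beginning"     # "beginning" (Offset/Depth) or "last_content" (Distance/Within)
    offset: int = 0                 # bytes skipped from the start of the application-layer payload
    depth: Optional[int] = None     # bytes scanned after the offset; None = to the end of the payload
    distance: int = 0               # bytes skipped after the end of the previous content match
    within: Optional[int] = None    # bytes scanned after the distance; None = to the end of the payload

    def needle(self) -> bytes:
        return bytes.fromhex(self.pattern) if self.is_hex else self.pattern.encode()


@dataclass
class DetectionFilter:
    track: str       # "by_src" or "by_dst": which IP the match count is kept for
    count: int       # matches allowed within `seconds`; the rule fires once this is exceeded
    seconds: int     # length of the counting window


@dataclass
class Signature:
    name: str
    contents: List[Content]
    dsize: Optional[Tuple[str, int]] = None        # (">" | "<" | "=", value); None means "----"
    detection_filter: Optional[DetectionFilter] = None


def payload_matches(sig: Signature, payload: bytes) -> bool:
    """Check Dsize, then every Content entry in order, against one payload."""
    if sig.dsize is not None:
        op, n = sig.dsize
        if not {">": len(payload) > n, "<": len(payload) < n, "=": len(payload) == n}[op]:
            return False
    cursor = 0                          # end of the previous match; Last Content entries start here
    for c in sig.contents:
        needle = c.needle()
        if c.relative == "beginning":
            start = c.offset
            end = len(payload) if c.depth is None else start + c.depth
        else:
            start = cursor + c.distance
            end = len(payload) if c.within is None else start + c.within
        window = payload[start:end]
        idx = window.lower().find(needle.lower()) if c.nocase else window.find(needle)
        if idx < 0:
            return False                # one failed Content entry fails the whole signature
        cursor = start + idx + len(needle)
    return True


class Detector:
    """Runs one signature over packets and applies its Detection Filter."""

    def __init__(self, sig: Signature):
        self.sig = sig
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)   # tracked IP -> match times

    def inspect(self, src: str, dst: str, payload: bytes, now: float) -> bool:
        """Return True when the rule fires for this packet."""
        if not payload_matches(self.sig, payload):
            return False
        df = self.sig.detection_filter
        if df is None:
            return True                 # no rate condition: every match fires
        hits = self._hits[src if df.track == "by_src" else dst]
        hits.append(now)
        while hits and now - hits[0] > df.seconds:
            hits.popleft()              # forget matches outside the Seconds window
        return len(hits) > df.count     # fires only once Count is exceeded


# Constructed signature: "GET " at the very start, "/cgi-bin/" within the next 40 bytes,
# then the hex bytes 2e2e2f ("../") in the 100 bytes after that, on payloads larger than 20 bytes.
SIG = Signature(
    name="user-defined: cgi-bin traversal (example)",
    contents=[
        Content("get ", nocase=True, offset=0, depth=4),
        Content("/cgi-bin/", relative="last_content", distance=0, within=40),
        Content("2e2e2f", is_hex=True, relative="last_content", within=100),
    ],
    dsize=(">", 20),
    detection_filter=DetectionFilter(track="by_src", count=2, seconds=10),
)

# Constructed payloads
P_ATTACK = b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n"
P_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"


def demo() -> List[bool]:
    """Three matching packets from one source inside 10 s, then one after the window closes."""
    det = Detector(SIG)
    return [det.inspect("10.0.0.5", "10.0.0.10", P_ATTACK, t) for t in (0.0, 1.0, 2.0, 20.0)]


if __name__ == "__main__":
    print(payload_matches(SIG, P_ATTACK), payload_matches(SIG, P_BENIGN))
    print(demo())
```

Three matching packets from one source inside the 10-second window fire the rule on the third; a fourth packet 20 seconds later starts a fresh count. Shrinking Within on the second entry to 5 bytes makes the same attack payload fail, which is the usual mistake when translating a pattern into offset and length fields.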

Signatures are categorized by protocol and identified by a unique signature ID. The signature ID consists of two parts: the protocol ID (the first digit, or the first two digits) and the attacking signature ID (the last five digits). For example, in ID 605001, "6" identifies the Telnet protocol and "05001" is the attacking signature ID. Attacking signature IDs that start with 1 identify protocol anomaly signatures; the others identify attack signatures. The mappings between IDs and protocols are shown in the table below:

ID Protocol ID Protocol ID Protocol ID Protocol

1 DNS 7 Other-TCP 13 TFTP 19 NetBIOS

2 FTP 8 Other-UDP 14 SNMP 20 DHCP

3 HTTP 9 IMAP 15 MySQL 21 LDAP

4 POP3 10 Finger 16 MSSQL 22 VoIP

5 SMTP 11 SUNRPC 17 Oracle - -

6 Telnet 12 NNTP 18 MSRPC - -

In the above table, Other-TCP identifies all the TCP protocols other than the standard TCP protocols listed in the
table, and Other-UDP identifies all the UDP protocols other than the standard UDP protocols listed in the table.

IDS Global Configuration
Configuring the IDS global settings includes:

l Enable the IDS function

l Specify how to merge logs

l Specify the aggregate time

Click Configuration Management > Threat Detection Configuration > Intrusion Detection System > Configuration to configure the IDS global settings.

Option Description

IDS Click or clear the Enable button to enable or disable the IDS function. By default, the IDS function is enabled.

Merge Log The system can merge IDS logs that have the same protocol ID, the same signature ID, the same log ID, and the same merging type, which reduces the number of logs and keeps log servers from receiving redundant entries. Merging is disabled by default. Select the merging type in the drop-down list:

l ---- - Do not merge any logs.

l Source IP - Merge the logs with the same source IP.

l Destination IP - Merge the logs with the same destination IP.

l Source IP, Destination IP - Merge the logs with the same source IP and the same destination IP. This is the default merging type once merging is enabled.

Aggregate Time Specifies the time granularity at which IDS threat logs of the same merging type (specified above) are stored in the database. Within one granularity period, the same log is stored only once. It ranges from 10 to 600 seconds. The default value is 10 seconds.

After the configurations, click OK to save the settings.

Configuring the IDS Whitelist
The device inspects network traffic in real time and, when a threat is detected, generates an alarm or blocks the threat. As network environments grow more complex, the device raises more and more alarms, too many for users to act on, and many of them are false positives. The IDS whitelist tells the system to stop alarming on or blocking the matching traffic, which reduces the false alarm rate. An IDS whitelist entry consists of a source address, a destination address and a signature ID, and at least one of the three must be configured.

To configure an IDS whitelist entry:

1. Select Configuration Management > Threat Detection Configuration > Intrusion Detection System > Whitelist.

2. Click New.

In the White List Configuration page, enter the whitelist configuration.
Option Description

Name Specifies the whitelist entry name.

Source Address Specifies the source address of the traffic the entry applies to.

Destination Address Specifies the destination address of the traffic the entry applies to.

Signature ID Select the signature ID from the drop-down list. A whitelist entry can hold at most one signature ID. When no signature ID is set, traffic is matched on the source and destination addresses alone. When a signature ID is configured, the source address, destination address and signature ID must all match before the traffic is released.

3. Click OK.
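The following Python is an added example, not Hillstone code, that ties together the three things described above: splitting a signature ID into the protocol ID and attacking signature ID using the table, dropping logs that hit an IDS whitelist entry (every configured field must match, and at least one must be configured), and merging the remaining logs by the configured merging type within the aggregate time. The logs, addresses and whitelist entries are constructed, and the merge key (protocol ID, signature ID, log ID, plus the source and/or destination IP) is taken from the Merge Log description.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Protocol IDs from the signature ID table above.
PROTOCOL_IDS = {
    1: "DNS", 2: "FTP", 3: "HTTP", 4: "POP3", 5: "SMTP", 6: "Telnet", 7: "Other-TCP",
    8: "Other-UDP", 9: "IMAP", 10: "Finger", 11: "SUNRPC", 12: "NNTP", 13: "TFTP",
    14: "SNMP", 15: "MySQL", 16: "MSSQL", 17: "Oracle", 18: "MSRPC", 19: "NetBIOS",
    20: "DHCP", 21: "LDAP", 22: "VoIP",
}


def split_signature_id(sig_id: int) -> Tuple[int, str, int]:
    """605001 -> (6, 'Telnet', 5001). The attacking signature ID is always the last five
    digits, so whatever precedes them (one or two digits) is the protocol ID."""
    digits = str(sig_id)
    if len(digits) not in (6, 7):
        raise ValueError(f"signature ID must have 6 or 7 digits: {sig_id}")
    proto, attack = int(digits[:-5]), int(digits[-5:])
    if proto not in PROTOCOL_IDS:
        raise ValueError(f"unknown protocol ID {proto} in signature {sig_id}")
    return proto, PROTOCOL_IDS[proto], attack


@dataclass
class WhitelistEntry:
    """Source address, destination address and signature ID. Unset fields are wildcards,
    at least one field must be set, and every set field must match."""
    name: str
    src: Optional[str] = None        # IP or CIDR
    dst: Optional[str] = None
    sig_id: Optional[int] = None     # at most one signature ID per entry

    def __post_init__(self):
        if self.src is None and self.dst is None and self.sig_id is None:
            raise ValueError(f"whitelist {self.name}: set at least one of src, dst, sig_id")

    def matches(self, src: str, dst: str, sig_id: int) -> bool:
        if self.src is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        return self.sig_id is None or self.sig_id == sig_id


@dataclass
class IdsLog:
    ts: float
    sig_id: int
    log_id: int
    src: str
    dst: str


class LogMerger:
    """Merge Log / Aggregate Time: logs with the same protocol ID, signature ID, log ID and
    merge-type fields are stored once per aggregate-time granularity period."""

    def __init__(self, merge_type: str, aggregate_time: int = 10):
        if merge_type not in ("----", "src", "dst", "src_dst"):
            raise ValueError(f"unknown merge type {merge_type!r}")
        if not 10 <= aggregate_time <= 600:
            raise ValueError("aggregate time must be 10 to 600 seconds")
        self.merge_type, self.window = merge_type, aggregate_time
        self.stored: List[IdsLog] = []
        self.merged: Dict[Tuple, int] = {}   # merge key -> logs folded into the stored one

    def key(self, log: IdsLog) -> Tuple:
        proto, _, _ = split_signature_id(log.sig_id)
        key = [proto, log.sig_id, log.log_id, int(log.ts // self.window)]
        if self.merge_type in ("src", "src_dst"):
            key.append(log.src)
        if self.merge_type in ("dst", "src_dst"):
            key.append(log.dst)
        return tuple(key)

    def offer(self, log: IdsLog) -> bool:
        """Return True if the log is stored, False if it was merged into an earlier one."""
        if self.merge_type == "----":
            self.stored.append(log)
            return True
        k = self.key(log)
        if k in self.merged:
            self.merged[k] += 1
            return False
        self.merged[k] = 0
        self.stored.append(log)
        return True


def process(logs: List[IdsLog], whitelist: List[WhitelistEntry], merger: LogMerger) -> Dict[str, int]:
    """Drop whitelisted logs, merge the rest, and count the three outcomes."""
    out = {"whitelisted": 0, "stored": 0, "merged": 0}
    for log in sorted(logs, key=lambda entry: entry.ts):
        if any(w.matches(log.src, log.dst, log.sig_id) for w in whitelist):
            out["whitelisted"] += 1
        elif merger.offer(log):
            out["stored"] += 1
        else:
            out["merged"] += 1
    return out


# Constructed input: a scanner repeating a Telnet signature, plus an HTTP signature that is
# expected (and whitelisted) from the 192.168.1.0/24 monitoring hosts only.
WHITELIST = [WhitelistEntry("monitoring-scanner", src="192.168.1.0/24", sig_id=300120)]
LOGS = [
    IdsLog(0.0, 605001, 1, "10.0.0.5", "10.0.0.10"),
    IdsLog(3.0, 605001, 1, "10.0.0.5", "10.0.0.10"),
    IdsLog(9.0, 605001, 1, "10.0.0.5", "10.0.0.10"),
    IdsLog(12.0, 605001, 1, "10.0.0.5", "10.0.0.10"),     # next 10 s period: stored again
    IdsLog(4.0, 605001, 1, "10.0.0.6", "10.0.0.10"),      # different source: its own merge key
    IdsLog(5.0, 300120, 7, "192.168.1.20", "10.0.0.10"),  # whitelisted
    IdsLog(6.0, 300120, 7, "192.168.2.1", "10.0.0.10"),   # not whitelisted
]


def demo() -> Dict[str, int]:
    return process(LOGS, WHITELIST, LogMerger("src_dst", aggregate_time=10))


if __name__ == "__main__":
    print(split_signature_id(605001), split_signature_id(1900120))
    print(demo())
```

With Source IP, Destination IP merging and a 10-second aggregate time, the three Telnet hits from 10.0.0.5 between 0 and 9 seconds collapse into one stored log while the hit at 12 seconds is stored again; switching to Destination IP merging also folds the 10.0.0.6 hit into the same stored log.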

Anti-Spam
This feature may not be available on all platforms. Please check your system's actual page if your device delivers
this feature.

The system provides an Anti-Spam function that identifies and filters mail transmitted over SMTP and POP3 using the cloud server, discovers mail threats such as spam, phishing and worm mail in time, and processes the detected spam according to the configuration, protecting the user's mail client or mail server.

Notes: The Anti-Spam function will not work unless an Anti-Spam license has been installed.

Related Topics:

l "Configuring Anti-Spam" on Page 306

l "Configuring an Anti-Spam User-defined Blacklist" on Page 310

l "Anti-Spam Global Configuration" on Page 312

Configuring Anti-Spam
This chapter includes the following sections:

l Preparation for configuring Anti-Spam function

l Configuring Anti-Spam function

l Configuring an Anti-Spam Profile

l Configuring an Anti-Spam User-defined Blacklist

Preparing

Before enabling Anti-Spam, make the following preparations:

1. Make sure your system version supports Anti-Spam.

2. Import an Anti-Spam license and reboot. The Anti-Spam will be enabled after the rebooting.

Notes: To assure a proper connection to the cloud server, you need to configure a DNS
server for StoneOS before configuring the anti-spam.

Configuring Anti-Spam Function

The Anti-Spam configuration is based on security zones.

l If a security zone is configured with the Anti-Spam function, the system inspects the traffic that matches the zone bound to the profile and then acts as the profile specifies.

To configure zone-based Anti-Spam, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 191.

2. In the Zone Configuration page, expand Threat Detection.

3. Enable the threat detection you need and select an Anti-Spam profile from the profile drop-down list below, or click + in the profile drop-down list to create one. To create an Anti-Spam profile, see Configuring an Anti-Spam Profile.

4. Click OK to save the settings.

Configuring an Anti-Spam Profile

To configure an Anti-Spam profile, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Antispam > Profile.

2. Click New.

In the Anti-Spam Configuration page, enter the profile configuration.

Option Description

Name Specifies the profile name.


Mail Protocol Type Specifies the mail protocol (SMTP, POP3), the spam categories to act on, and the action.

Spam category:

l Confirmed Spam - Mail from a known spam source.

l Bulk Spam - Malicious mass mail from uncertain spam sources.

l Suspected Spam - Mail from suspicious spam sources.

l Valid Bulk - Mass mail from legitimate senders.

Action:

l Log Only - Only generates a log. This is the default action.

User-defined Blacklist Click the Enable button to enable the Anti-Spam User-defined Blacklist. When it is enabled, mail from a sender in the User-defined Blacklist is identified as spam directly, and the system then processes it with the action you specified (log, or reset the connection).

Whitelist of Sender The whitelist specifies the mail domains or email addresses that Anti-Spam will not filter. Each Anti-Spam profile can hold up to 64 whitelist items.

l Select "Domain" or "Email" and enter the corresponding value in the text box. The value can be 1 to 255 characters. When "Domain" is selected, each label between two periods (.) can be at most 63 characters.

l Click Add to add the domain name or email address to the whitelist of sender.

l Select a domain or email address item and click Delete to remove it from the whitelist.

3. Click OK.

Notes: By default, the system comes with one predefined spam filtering profile, predef_default. The default profile cannot be edited or deleted.

Configuring an Anti-Spam User-defined Blacklist
You can add a sender's domain name or email address to the User-defined Blacklist. When the Anti-Spam User-defined Blacklist function is enabled, the system identifies mail from a sender in the User-defined Blacklist as spam directly and either resets the connection or records a threat log, as configured.

To configure an Anti-Spam User-defined Blacklist, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Antispam > User-defined Blacklist and click New.

2. In the User-defined Blacklist Configuration page, select Sender Domain or Sender E-mail and enter the corresponding value in the text box. The value can be 1 to 255 characters. When Sender Domain is selected, each label between two periods (.) can be at most 63 characters.

3. Click OK.
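An added example, not Hillstone code, of the two sender lists described above (the Whitelist of Sender in the profile and the User-defined Blacklist): it validates Domain and Email entries against the limits given on this page (1 to 255 characters, at most 63 characters per domain label, at most 64 whitelist items per profile) and classifies a sender. The order of checks (whitelist, then user-defined blacklist, then the cloud verdict) and the use of the part after "@" as the sender domain are assumptions of the example; the cloud server's verdict is passed in because the example cannot query it.

```python
import re
from typing import List, Optional, Tuple

# A domain label: 1 to 63 characters of letters, digits and inner hyphens (the 63-character
# limit between two periods is the one the page states).
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_WHITELIST_ITEMS = 64


def validate_entry(kind: str, value: str) -> str:
    """Validate a Domain or Email list entry and return it in lower case."""
    if kind not in ("Domain", "Email"):
        raise ValueError(f"entry type must be Domain or Email, got {kind!r}")
    if not 1 <= len(value) <= 255:
        raise ValueError(f"{kind} entry must be 1 to 255 characters: {value!r}")
    value = value.lower()
    domain = value
    if kind == "Email":
        local, at, domain = value.rpartition("@")
        if not at or not local:
            raise ValueError(f"Email entry needs a local part and '@': {value!r}")
    for label in domain.split("."):
        if not LABEL.match(label):
            raise ValueError(f"bad domain label {label!r} in {value!r}")
    return value


class SenderLists:
    """Whitelist of Sender and User-defined Blacklist of one Anti-Spam profile."""

    def __init__(self, whitelist: List[Tuple[str, str]], blacklist: List[Tuple[str, str]]):
        if len(whitelist) > MAX_WHITELIST_ITEMS:
            raise ValueError(f"a profile accepts at most {MAX_WHITELIST_ITEMS} whitelist items")
        self.white = {validate_entry(k, v) for k, v in whitelist}
        self.black = {validate_entry(k, v) for k, v in blacklist}

    @staticmethod
    def _hit(entries: set, sender: str) -> bool:
        sender = sender.lower()
        domain = sender.rpartition("@")[2]      # assumption: the part after '@' is the sender domain
        return sender in entries or domain in entries

    def classify(self, sender: str, cloud_verdict: Optional[str]) -> Tuple[str, str]:
        """Return (category, reason). `cloud_verdict` is one of the spam categories from the
        profile table, or None when the cloud server reports the mail as clean.
        Order of checks (an assumption of this example): whitelist, blacklist, cloud verdict."""
        if self._hit(self.white, sender):
            return "clean", "whitelist of sender"
        if self._hit(self.black, sender):
            return "spam", "user-defined blacklist"
        if cloud_verdict is not None:
            return cloud_verdict, "cloud server"
        return "clean", "no match"


# Constructed lists and mails (sender, verdict the cloud server would return).
LISTS = SenderLists(
    whitelist=[("Domain", "partner.example"), ("Email", "alerts@vendor.example")],
    blacklist=[("Domain", "bulk-offers.example"), ("Email", "noreply@vendor.example")],
)
MAILS = [
    ("ceo@partner.example", "Bulk Spam"),          # whitelisted domain overrides the cloud verdict
    ("alerts@vendor.example", "Suspected Spam"),   # whitelisted address
    ("noreply@vendor.example", None),              # blacklisted address, same domain as above
    ("deal@bulk-offers.example", None),            # blacklisted domain
    ("news@list.example", "Valid Bulk"),           # cloud verdict stands
    ("friend@home.example", None),
]


def demo() -> List[str]:
    return [LISTS.classify(sender, verdict)[0] for sender, verdict in MAILS]


if __name__ == "__main__":
    for (sender, _verdict), category in zip(MAILS, demo()):
        print(f"{sender:28} -> {category}")
```

Note that whitelisting the single address alerts@vendor.example does not whitelist the vendor.example domain, so the blacklisted noreply@vendor.example is still treated as spam.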

To export the sender User-defined Blacklist, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Antispam > User-defined Blacklist.

2. Click Export. All items of the User-defined Blacklist are exported as a ".text" file.

The exported User-defined Blacklist can be imported on another device. To import the sender User-defined Blacklist, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Antispam > User-defined Blacklist and click Import.

2. In the Import User-defined Blacklist page, click Browse to select the User-defined Blacklist file to be imported.

3. Click OK to import the User-defined Blacklist.

Anti-Spam Global Configuration
To configure the Anti-Spam global settings, take the following steps:

1. Click Configuration Management >Threat Detection Configuration > Antispam > Configuration .

2. Type the maximum size of mail to be scanned in the Mail Scan Upper Limit text box. The range is 512 KB to 2048 KB; the default value is 1024 KB.

3. Click OK to save the settings.

Botnet Detection
A botnet is a network in which an attacker uses one or more communication channels to infect a large number of hosts with bots, forming a one-to-many controlled network between the controller and the infected hosts; it poses a serious threat to network and data security.

The botnet detection function detects botnet hosts in the internal network in time, locates them, and takes other actions according to the configuration.

The botnet detection configuration is based on security zones. If a botnet detection profile is bound to a security zone, the system inspects the traffic destined to that security zone according to the profile configuration.

DGA Detection
DNS, the domain name resolution protocol, is designed to resolve fixed domain names to IP addresses. Because domain names are convenient and widely used, attackers find different ways to abuse them. For example, one IP address can serve multiple domain names, and the server locates the target URL from the host name carried in the HTTP request; malware exploits this by modifying that field to disguise the domain name it contacts, which produces abnormal behavior. A DGA (domain generation algorithm) generates large numbers of pseudo-random domain names for malware to use.

To counter these problems, the system can enable the DGA detection function, which inspects DNS response messages to detect whether the device is targeted by DGA domain names. If a DGA domain name is detected, the system performs the processing action specified in the botnet detection rule on it (record the related threat log or reset the connection).

DNS Tunnel Detection


A DNS tunnel is a covert channel that communicates by encapsulating other protocols inside the DNS protocol for transmission. Because most firewalls and detection devices let DNS traffic through, DNS tunnel attacks exploit that allowance to carry out operations such as remote control and file transfer, harming users' network and data security. Detecting, alerting on, and handling DNS tunnels is therefore particularly important.

The system provides a DNS tunnel detection function. By inspecting DNS request messages and monitoring DNS traffic, it extracts features of DNS tunnels and analyzes them comprehensively. It then performs the specified processing action on a detected DNS tunnel (record the related threat log or reset the connection) to contain the threat the tunnel brings.
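The page does not describe which features the DGA and DNS tunnel detectors use, so the following Python is an added illustration, not Hillstone code, of the kind of heuristics such detectors apply: for DGA-style names, the length, character entropy and digit share of the generated label; for tunnels, long high-entropy first labels combined with a high query rate from one client under one base domain. The thresholds and the sample query log are constructed and would need tuning against real traffic; the crude base-domain split (last two labels) is an assumption too.

```python
import hashlib
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Query = Tuple[float, str, str, str]   # (timestamp, client IP, query name, query type)


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())


def base_domain(qname: str) -> str:
    """Crude registrable domain: the last two labels. A real detector would use a
    public-suffix list so that names like example.co.uk are handled correctly."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def dga_score(qname: str) -> float:
    """Score the second-level label (the part a DGA generates): long, high-entropy,
    vowel-poor and digit-rich labels score high. Range 0 to 4."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return 0.0
    label = labels[-2]
    if len(label) < 8:                      # www, mail, cdn: never suspicious
        return 0.0
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    score = min(entropy(label) / 4.0, 1.0)  # 4 bits/char is about random over [a-z0-9]
    score += 1.0 if vowels < 0.2 else 0.0
    score += 1.0 if digits > 0.2 else 0.0
    score += 1.0 if len(label) >= 12 else 0.0
    return score


def is_dga(qname: str, threshold: float = 2.5) -> bool:
    return dga_score(qname) >= threshold


def tunnel_suspects(queries: List[Query], window: float = 10.0, min_queries: int = 10,
                    min_label_len: int = 30, min_entropy: float = 3.0) -> Dict[Tuple[str, str], int]:
    """Flag (client, base domain) pairs that send at least `min_queries` queries within
    `window` seconds whose first label is long and high-entropy, i.e. looks like encoded
    data carried in the name. Returns the peak query count per flagged pair."""
    times_by_pair: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for ts, client, qname, _qtype in queries:
        first = qname.lower().split(".")[0]
        if len(first) >= min_label_len and entropy(first) >= min_entropy:
            times_by_pair[(client, base_domain(qname))].append(ts)
    flagged = {}
    for pair, times in times_by_pair.items():
        times.sort()
        peak, j = 0, 0
        for i, t in enumerate(times):       # sliding window over sorted timestamps
            while t - times[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= min_queries:
            flagged[pair] = peak
    return flagged


# Constructed query log: ordinary lookups, two DGA-looking names, and twelve TXT queries
# in six seconds that each carry 40 hex characters under one zone (a tunnel pattern).
QUERIES: List[Query] = [
    (0.0, "10.0.0.7", "www.example.com", "A"),
    (1.0, "10.0.0.7", "mail.example.com", "MX"),
    (2.0, "10.0.0.8", "xk3j9qzp7wbm2vlt.net", "A"),
    (2.5, "10.0.0.8", "q8r2n4bx7ty1zwvp.com", "A"),
    (3.0, "10.0.0.8", "cdn.example.org", "A"),
] + [
    (4.0 + 0.5 * i, "10.0.0.9",
     hashlib.sha256(str(i).encode()).hexdigest()[:40] + ".t.exfil.example", "TXT")
    for i in range(12)
]


def demo() -> Tuple[List[str], Dict[Tuple[str, str], int]]:
    dga_names = [qname for _, _, qname, _ in QUERIES if is_dga(qname)]
    return dga_names, tunnel_suspects(QUERIES)


if __name__ == "__main__":
    print(demo())
```

The two detectors look at different parts of the name: the DGA score ignores the long first labels of the tunnel queries because their second-level label (exfil) is short and ordinary, while the tunnel detector ignores the DGA names because a single 16-character label is not long enough and there is no query burst behind it.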

Notes: The botnet prevention function is controlled by license. To use the botnet prevention
function, install the Botnet Prevention license.

Related Topics:

l "Configuring Botnet Detection" on Page 315

l "Address Library" on Page 318

l "Botnet Detection Global Configuration" on Page 326

Configuring Botnet Detection
This chapter includes the following sections:

l Preparation for configuring Botnet Detection function

l Configuring Botnet Detection function

Preparing

Before enabling botnet detection, make the following preparations:

1. Make sure your system version supports botnet detection.

2. Import a botnet detection license and reboot. The botnet detection will be enabled after the rebooting.

Notes:

l You need to update the botnet detection signature database before enabling the function
for the first time. To assure a proper connection to the default update server, you need
to configure a DNS server for system before updating.

Configuring Botnet Detection Function

The Botnet Detection configurations are based on security zones.

To realize the zone-based Botnet Detection, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 191.

2. In the Zone Configuration page, expand Threat Detection.

3. Enable the threat detection you need and select a Botnet Detection rule from the profile drop-down list below;
or you can click + from the profile drop-down list. To create a Botnet Detection rule, see Configuring a Bot-
net Detection Rule.

4. Click OK to save the settings.

Configuring a Botnet Detection Rule

You can use default botnet detection rules or create a custom botnet detection rule. The default botnet detection
rules cannot be edited or deleted.

To configure a Botnet Detection rule, take the following steps:

1. Click Configuration Management > Threat Detection Configuration > Botnet Detection > Profile.

2. Click New.

In the Botnet Detection Rule Configuration page, enter the Botnet Detection rule configuration.
Option Description

Name Specifies the rule name.

Protocol Types Specifies the protocol types (TCP, HTTP, DNS) you want to scan and the action the system takes when a botnet is found.

l Log Only - Only generates a log.

DNS Tunnel Detection: Click the Enable button to enable DNS tunnel detection, and select from the drop-down list the action to take when a DNS tunnel is detected (Log Only).

DGA Detection: Click the Enable button to enable DGA detection, and select from the drop-down list the action to take when a DGA domain name is detected (Log Only).

3. Click OK.

Address Library
The address library includes a predefined address library and a custom address library, each of which contains a block list and an exclude list:

l Exclude list: When traffic matches an IP address or domain name in the list, the botnet prevention function does not act on the traffic.

o Predefined exclude list: Contains IPs and domains obtained automatically from the botnet prevention signature database.

o Custom exclude list: Contains IPs, domains and URLs added manually by the user.

l Block list: When traffic matches an IP address, domain name or URL in the list, the botnet prevention function acts on the traffic.

o Predefined block list: Contains IPs, domains and URLs obtained automatically from the botnet prevention signature database.

o Custom block list: Contains IPs, domains and URLs added manually by the user.

Traffic is matched against the lists in the following order, and the first list that matches decides: Custom exclude list > Custom block list > Predefined exclude list > Predefined block list.
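The matching sequence above, as an added example in Python that is not Hillstone code. IP entries with no port match any port, domain entries optionally include subdomains, and URL entries are compared on scheme, host and path (that last rule is an assumption, since the page does not say how URLs are compared). Each connection is checked against the four lists in the stated order and the first list that matches decides; "Add to exclude list" is modelled by appending the entry to the custom exclude list, which is consulted first. Entries and connections are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Connection:
    dst_ip: str
    dst_port: int
    host: Optional[str] = None      # domain name the client resolved or sent (SNI/Host)
    url: Optional[str] = None       # full URL for HTTP or HTTPS requests


def _norm_url(url: str) -> str:
    """Compare URLs on scheme, host and path only (an assumption of this example)."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path or '/'}"


@dataclass(frozen=True)
class Entry:
    kind: str                       # "ip", "domain" or "url"
    value: str
    port: Optional[int] = None      # ip entries: None means any port
    subdomains: bool = False        # domain entries: the "Including subdomains" button

    def matches(self, conn: Connection) -> bool:
        if self.kind == "ip":
            return conn.dst_ip == self.value and (self.port is None or self.port == conn.dst_port)
        if self.kind == "domain":
            host, want = (conn.host or "").lower(), self.value.lower()
            return host == want or (self.subdomains and host.endswith("." + want))
        if self.kind == "url":
            return conn.url is not None and _norm_url(conn.url) == _norm_url(self.value)
        raise ValueError(f"unknown entry type {self.kind!r}")


class AddressLibrary:
    # Matching sequence from the text: the first list that matches decides.
    ORDER = ("custom_exclude", "custom_block", "predefined_exclude", "predefined_block")

    def __init__(self, **lists: List[Entry]):
        unknown = set(lists) - set(self.ORDER)
        if unknown:
            raise ValueError(f"unknown list(s): {sorted(unknown)}")
        self.lists: Dict[str, List[Entry]] = {name: list(lists.get(name, [])) for name in self.ORDER}

    def add_to_exclude(self, entry: Entry) -> None:
        """'Add to exclude list' on a block list entry: it becomes a custom exclude entry,
        which is consulted first, so the traffic is no longer acted on."""
        self.lists["custom_exclude"].append(entry)

    def decide(self, conn: Connection) -> Tuple[str, Optional[str]]:
        """Return ('exclude' | 'block' | 'none', name of the list that matched)."""
        for name in self.ORDER:
            if any(e.matches(conn) for e in self.lists[name]):
                return ("exclude" if name.endswith("exclude") else "block"), name
        return "none", None


# Constructed library: the predefined feed blocks a C2 domain and its subdomains, but the
# vendor excludes one benign subdomain and the operator excludes another locally.
LIB = AddressLibrary(
    predefined_block=[Entry("ip", "203.0.113.10"),
                      Entry("domain", "c2.example", subdomains=True),
                      Entry("url", "http://c2.example/gate.php")],
    predefined_exclude=[Entry("domain", "cdn.c2.example")],
    custom_block=[Entry("ip", "198.51.100.7", port=443)],
    custom_exclude=[Entry("domain", "update.c2.example")],
)

CONNECTIONS = [
    Connection("203.0.113.10", 8080),                                   # predefined block by IP, any port
    Connection("198.51.100.7", 443),                                    # custom block, port matches
    Connection("198.51.100.7", 80),                                     # custom block wants 443: no match
    Connection("192.0.2.1", 443, host="cdn.c2.example"),                # predefined exclude beats predefined block
    Connection("192.0.2.1", 443, host="update.c2.example"),             # custom exclude is checked first
    Connection("192.0.2.1", 80, host="c2.example", url="HTTP://C2.example/gate.php"),
    Connection("192.0.2.2", 80, host="www.example.org"),                # nothing matches
]


def demo() -> List[Tuple[str, Optional[str]]]:
    return [LIB.decide(c) for c in CONNECTIONS]


if __name__ == "__main__":
    for conn, verdict in zip(CONNECTIONS, demo()):
        print(conn, "->", verdict)
```

The order matters in both directions: a custom exclude entry silences a predefined block entry for the same host, and a custom block entry is enforced even if the predefined exclude list later lists the same address.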

Configuring the Exclude List

Creating a Custom Exclude List

To create a custom exclude list entry, take the following steps:

1. Click Configuration Management > Threat Detection Configuration > Botnet Detection > Address
Library.

2. In the Exclude List tab, click New to open the Exclude Entry Configuration page.

3. Click IP, Domain or URL to specify the entry type.

l IP: Enter the IP address and port in the text boxes. If no port is specified, the entry matches any port.

l Domain: Enter the domain name in the text box. You can click the enable button of "Including sub-
domains" to specify the domain as a wildcard domain.

l URL: Select http or https in the drop-down list and enter the URL in the text box.

4. Click OK.

Deleting a Custom Exclude List

To delete a custom exclude list entry, take the following steps:

1. Click Configuration Management > Threat Detection Configuration > Botnet Detection > Address
Library.

2. In the Exclude List tab, select the entry you want to delete from the exclude list.

3. Click Delete.

Filtering an Entry in the Exclude List

Users can filter and view an exclude list entry in the predefined address library and the custom address library. To
filter an exclude list entry, take the following steps:

1. Click Configuration Management > Threat Detection Configuration > Botnet Detection > Address
Library.

2. In the Exclude List tab, click the Filter button to add filtering conditions and search out the filtered entry.

Configuring the Block List

Creating a Custom Block List

To create a custom block list entry, take the following steps:

1. Click Configuration Management > Threat Detection Configuration > Botnet Detection > Address
Library.

2. In the Block List tab, click New to open the Blocklist Entry Configuration page.

3. Click IP, Domain or URL to specify the entry type.

l IP: Enter the IP address and port in the text boxes. If no port is specified, the entry matches any port.

l Domain: Enter the domain name in the text box. You can click the enable button of "Including sub-
domains" to specify the domain as a wildcard domain.

l URL: Select http or https in the drop-down list and enter the URL in the text box.

4. Click OK.

Deleting a Custom Block List

To delete a custom block list entry, take the following steps:

1. Click Configuration Management > Threat Detection Configuration > Botnet Detection > Address Library.

2. In the Block List tab, select the entry you want to delete from the block list.

3. Click Delete.

Filtering an Entry in the Block List

Users can filter and view a block list entry in the predefined address library and the custom address library. To fil-
ter a block list entry, take the following steps:

1. Click Configuration Management > Threat Detection Configuration > Botnet Detection > Address
Library.

2. In the Block List tab, click the Filter button to add filtering conditions and search out the filtered entry.

Adding to Exclude List

To add a block list entry to the exclude list, take the following steps:

1. Click Configuration Management > Threat Detection Configuration > Botnet Detection > Address
Library.

2. In the Block List tab, click Add to exclude list under the Operation column in the block list to add the entry to
the exclude list.

Configuring the Blacklist Library

The blacklist library is stored as a file containing a collection of blacklist entries, including IP addresses, domain
names, or URLs.

You can manually import/export the blacklist library or automatically update the blacklist library file from a spe-
cified server.

To manually import a blacklist library file, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Botnet Detection > Address
Library.

2. In the Block List tab, click Blacklist Library Details.

3. In the Blacklist Library Details panel, click Import Blacklist Library.

4. Select Incremental Import or Overwrite Import.

l Incremental Import: Continue to import a blacklist library file on top of the existing file.

l Overwrite Import: Overwrite the existing blacklist library file with a new one.

5. In the File Name field, click Browse and select a file from your PC.

6. Click OK.

To configure auto update, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Botnet Detection > Address
Library.

2. In the Block List tab, click Blacklist Library Details.

3. Click Update Configuration .

4. Enable Auto Update to automatically update the blacklist library file from the specified server.

Configure the following options.

Option Description

Type Specifies the update interval: every day, every week, or a custom period.

l Daily: Updates the file at a specified time every day. You can specify the point in time. Default value: 00:00. Valid values: 00:00 to 23:59.

l Weekly: Updates the file at a specified time every week. You can specify the day of the week and then the point in time. Default value: 00:00 on Monday. Valid values: 00:00 on Monday to 23:59 on Sunday.

l Custom Period: Updates the file every custom period. Valid values: 30 to 10080 minutes.

Server Type Specifies the server type: FTP, TFTP, HTTP, or HTTPS.

IP Address If you set the server type to FTP or TFTP, enter the IP address of the
server.

URL If you set the server type to HTTP or HTTPS, enter the URL of the
server in the field. The URL needs to be 1 to 255 characters in length.
Note:

l The URL of the HTTP server needs to start with "http://" and the
URL of the HTTPS server needs to start with "https://".

l The URL for the HTTP/HTTPS server needs to end with a file
name suffix such as .csv, .json, .stix2, .ioc, or .xml. Example:
http://192.1.1.1:8080/chfs/shared/SERVER/ftp/test/score.csv

Virtual Router Specifies the virtual router through which the server is reached.

User Name If you set the server type to FTP, enter the username used to log on to the
FTP server.


Password If you set the server type to FTP, enter the password of the FTP username.

Change Password: To change the password, enable Change Password when you edit the update configuration. You can then enter a new password, which replaces the password stored for the FTP username.

Import Mode Select the import mode: incremental import or overwrite import.

l Incremental Import: Adds the entries of the downloaded blacklist library file to the existing file.

l Overwrite Import: Replaces the existing blacklist library file with the new one.

File Name If you set the server type to FTP or TFTP, enter the name of the file to be imported.

5. Click OK.

6. You can also click OK And Update Now to save the settings and update the blacklist library immediately.

Notes:
l The manually imported or automatically updated blacklist library files support the following formats: CSV/STIX/OpenIOC. The file name extension can be .csv/.json/.stix2/.ioc/.xml. For CSV files, the first column gives the type (IPv4/domain/URL) and the second column gives the blacklist address of that type.

l The size of the blacklist library file that can be manually imported or automatically updated depends on the device model.

l The blacklist library file to be imported or automatically updated is checked for duplicate entries in import order. If the format and content of the file are valid, the import succeeds, and the corresponding log shows the total number of blacklist entries in the file, the number actually imported, and the number of duplicate entries.

l If the entries in a manually imported or automatically updated file exceed the device's total blacklist and whitelist capacity for botnet prevention, a manual import fails. For an automatic update, only as many entries as fit within that capacity are imported and the remaining entries are dropped.

You can also perform the following operations:

l Export Blacklist Library: Click Export Blacklist Library to export blacklist library file to your PC.

l Delete Blacklist Library: Click Delete Blacklist Library to delete the blacklist library file.

l Blacklist Database Query: In the search box, enter an IP address, domain, or URL and click Query to search
for the specified blacklist entry.

Notes: The export, delete and query operations apply only to the blacklist library; they do not affect the custom block list described in Creating a Custom Block List.
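The import rules in the notes above (a CSV with a type column and an address column, incremental versus overwrite mode, duplicate detection in import order, and the capacity limit with different outcomes for manual import and automatic update), as an added Python example that is not Hillstone code. The feed files, the capacity value and the case-insensitive comparison of domains are constructed or assumed; the returned counters are the three figures the page says the import log reports.

```python
import csv
import io
from typing import Dict, List, Set, Tuple

VALID_TYPES = {"ipv4", "domain", "url"}
Entry = Tuple[str, str]


def parse_csv(text: str) -> List[Entry]:
    """Read (type, address) rows in the CSV layout from the note: first column
    IPv4/domain/URL, second column the address. Blank lines are skipped; any other
    layout is a format error and the whole import is rejected."""
    rows: List[Entry] = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not "".join(row).strip():
            continue
        kind = row[0].strip().lower()
        if len(row) < 2 or kind not in VALID_TYPES or not row[1].strip():
            raise ValueError(f"line {lineno}: expected <IPv4|domain|URL>,<address>, got {row!r}")
        addr = row[1].strip()
        if kind == "domain":
            addr = addr.lower()              # assumption: domains compare case-insensitively
        rows.append((kind, addr))
    return rows


class BlacklistLibrary:
    def __init__(self, capacity: int):
        self.capacity = capacity             # total block+exclude capacity, model dependent
        self.entries: List[Entry] = []
        self._seen: Set[Entry] = set()

    def import_file(self, text: str, mode: str, manual: bool = True) -> Dict[str, int]:
        """Import a CSV file in 'incremental' or 'overwrite' mode and return the three
        figures the import log reports: total rows, entries imported, duplicates."""
        rows = parse_csv(text)               # a bad file changes nothing
        if mode == "overwrite":
            new, seen = [], set()
        elif mode == "incremental":
            new, seen = list(self.entries), set(self._seen)
        else:
            raise ValueError(f"mode must be incremental or overwrite, got {mode!r}")
        stats = {"total": len(rows), "imported": 0, "duplicate": 0}
        for entry in rows:                   # duplicates are detected in import order
            if entry in seen:
                stats["duplicate"] += 1
                continue
            if len(new) >= self.capacity:
                if manual:
                    raise OverflowError("entries exceed the botnet block/exclude capacity; "
                                        "manual import fails and nothing is changed")
                break                        # automatic update: keep what fits, drop the rest
            seen.add(entry)
            new.append(entry)
            stats["imported"] += 1
        self.entries, self._seen = new, seen
        return stats

    def query(self, value: str) -> List[Entry]:
        """Blacklist Database Query: exact lookup of an IP, domain or URL."""
        wanted = {value.strip(), value.strip().lower()}
        return [e for e in self.entries if e[1] in wanted]


# Constructed feed files: the first repeats one domain in different case, the second
# repeats an entry already present in the first.
FEED_V1 = """\
IPv4,203.0.113.10
domain,c2.example
domain,C2.EXAMPLE
URL,http://c2.example/gate.php
"""
FEED_V2 = """\
domain,c2.example
IPv4,198.51.100.7
URL,https://dl.bad.example/payload.bin
"""


def demo() -> Tuple[Dict[str, int], Dict[str, int], int]:
    lib = BlacklistLibrary(capacity=5)
    first = lib.import_file(FEED_V1, "incremental")
    second = lib.import_file(FEED_V2, "incremental")
    return first, second, len(lib.entries)


if __name__ == "__main__":
    print(demo())
```

Because the manual path validates and de-duplicates into a copy before touching the stored list, a file that exceeds the capacity leaves the library exactly as it was, matching the "import fails" outcome; the automatic path commits the truncated set instead.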

Botnet Detection Global Configuration
To configure the Botnet Detection global settings, take the following steps:

1. Click Configuration Management > Threat Detection Configuration > Botnet Detection > Con-
figuration .

In the Botnet Detection Global Configuration page, enter the botnet detection global configuration.
Option Description

Botnet Detection Click the Enable button to enable or disable the Botnet Detection function. Restart the device for a change of status to take effect.

Log Aggregate Type The system can aggregate logs according to the aggregation rules (logs with the same domain name and the same aggregation type) to reduce the number of logs and keep log servers from receiving redundant logs. The number of aggregated logs is shown in the threat log details. Select one of the following aggregation types:

l Do Not Merge - The system stores each botnet detection log in the database without aggregation.

l Source IP - The system aggregates botnet detection logs that have the same source IP address and comply with the other aggregation rule.

l Destination IP - The system aggregates botnet detection logs that have the same destination IP address and comply with the other aggregation rule.

l Source IP,Destination IP - The system aggregates botnet detection logs that have the same source and destination IP addresses and comply with the other aggregation rule. This aggregation type is selected by default.

Aggregate Time If Log Aggregate Type is set to Source IP, Destination IP, or Source IP,Destination IP, you can specify the time granularity at which botnet detection logs are aggregated and stored in the database. Logs that comply with the aggregation rules are stored only once within one granularity period. Valid values: 10 to 600. Default value: 10. Unit: seconds.

DNS Tunnel Log Interval Specifies the minimum interval at which logs are recorded when the system detects DNS tunneling. Valid values: 1 to 3600. Default value: 60. Unit: seconds.

2. Click OK.

Attack Detection
Networks inevitably face attacks of many kinds, such as compromise or sabotage of servers, theft of sensitive data, interference with services, or even direct sabotage of network devices that causes service anomalies or interruptions. The device is designed with attack detection functions that detect various types of network attacks and take appropriate actions to protect the intranet against them, keeping the intranet and its systems running normally.

Devices provide attack detection functions based on security zones, and can take appropriate actions against network attacks to assure the security of your network systems.

Configuring Attack Detection

To configure Attack Detection based on security zones:

1. Select Configuration Management > Network Configuration > Zone.

2. Double-click the security zone to configure its attack detection function.

3. In the Zone Configuration page, click the Enable button of Attack Detection.

4. Click Configure to configure the settings of Attack Detection.

In the Attack Detection dialog box, configure the following parameters.

Whitelist: IP addresses or IP ranges in the whitelist are exempt from the attack detection check. Click Configure.

• IP/Netmask - Specify the IP address and netmask, and click Add to add them to the whitelist.

• Address entry - Specify the address entry, and click Add to add it to the whitelist.

Flood Protection Threshold Learning: An appropriate attack detection threshold is crucial for configuring attack detection. Flood protection threshold learning collects statistics on the maximum rate of traffic that passes through a normal network environment. This function then provides a proper reference value for the attack detection threshold. The Flood Protection Threshold Learning function is supported for SYN flood attacks, DNS Query flood attacks, DNS Recursive Query flood attacks, DNS Reply flood attacks, UDP flood attacks, ICMP flood attacks, and SIP flood attacks. For more information, see Configuring Flood Protection Threshold Learning.

Enable All: Click the Enable button to enable all the Attack Detection functions for the security zone.

Flood Attack Detection:

ICMP Flood: Click the Enable button to enable ICMP flood detection for the security zone.

• Threshold - Specifies a threshold for inbound ICMP packets. If the number of inbound ICMP packets destined to one single IP address per second exceeds the threshold, the system will identify the traffic as an ICMP flood and take the specified action. The value range is 1 to 50000. The default value is 1500.

UDP Flood: Click the Enable button to enable UDP flood detection for the security zone.

• Src Threshold - Specifies a threshold for outbound UDP packets. If the number of outbound UDP packets originating from one single source IP address per second exceeds the threshold, the system will identify the traffic as a UDP flood and take the specified action. The value range is 1 to 50000. The default value is 1500.

• Dst Threshold - Specifies a threshold for inbound UDP packets. If the number of inbound UDP packets destined to one single port of one single destination IP address per second exceeds the threshold, the system will identify the traffic as a UDP flood and take the specified action. The value range is 1 to 50000. The default value is 1500.

DNS Query Flood: Click the Enable button to enable DNS query flood detection for the security zone.

• Src threshold - Specifies a threshold for outbound DNS query packets. If the number of outbound DNS query packets originating from one single IP address per second exceeds the threshold, StoneOS will identify the traffic as a DNS query flood and take the specified action.

• Dst threshold - Specifies a threshold for inbound DNS query packets. If the number of inbound DNS query packets destined to one single port of one single IP address per second exceeds the threshold, StoneOS will identify the traffic as a DNS query flood and take the specified action.

Recursive DNS Query Flood: Click the Enable button to enable recursive DNS query flood detection for the security zone.

• Src Threshold - Specifies a threshold for outbound recursive DNS query packets. If the number of outbound DNS query packets originating from one single IP address per second exceeds the threshold, StoneOS will identify the traffic as a DNS query flood and take the specified action.

• Dst Threshold - Specifies a threshold for inbound recursive DNS query packets. If the number of inbound DNS query packets destined to one single port of one single IP address per second exceeds the threshold, StoneOS will identify the traffic as a DNS query flood and take the specified action.

DNS Reply Flood: Click the Enable button to enable DNS reply flood detection.

• Src Threshold - Specifies a threshold for outbound recursive DNS query packets. If the number of outbound DNS query packets originating from one single IP address per second exceeds the threshold, StoneOS will identify the traffic as a DNS reply flood and take the specified action.

• Dst Threshold - Specifies a threshold for inbound recursive DNS query packets. If the number of inbound DNS query packets destined to one single port of one single IP address per second exceeds the threshold, StoneOS will identify the traffic as a DNS reply flood and take the specified action.

SYN Flood: Click the Enable button to enable SYN flood detection for the security zone.

• Src Threshold - Specifies a threshold for outbound SYN packets (ignoring the destination IP address and port number). If the number of outbound SYN packets originating from one single source IP address per second exceeds the threshold, StoneOS will identify the traffic as a SYN flood. The value range is 0 to 50000. The default value is 1500. The value 0 indicates that the Src threshold is void.

• Dst Threshold - Specifies a threshold for inbound SYN packets destined to one single destination IP address per second.

    • IP-based - Click IP-based and then type a threshold value into the box next to it. If the number of inbound SYN packets destined to one single destination IP address per second exceeds the threshold, StoneOS will identify the traffic as a SYN flood. The value range is 0 to 50000. The default value is 1500. The value 0 indicates that the Dst threshold is void.

    • Port-based - Click Port-based and then type a threshold value into the box next to it. If the number of inbound SYN packets destined to one single destination port of the destination IP address per second exceeds the threshold, StoneOS will identify the traffic as a SYN flood. The value range is 0 to 50000. The default value is 1500. The value 0 indicates that the Dst threshold is void. After clicking Port-based, you also need to type an address into, or select an IP Address or Address entry from, the Dst address combo box to enable port-based SYN flood detection for the specified segment. SYN flood attack detection for other segments will be IP-based. The value range for the mask of the Dst address is 24 to 32.

SIP Flood: Click this button to enable SIP flood detection for the security zone.

• Dst threshold - Specifies the threshold for the number of SIP INVITE messages with the same destination IP to be received by the device. That is, the device determines that it is under a SIP flood attack when it receives more SIP INVITE messages with the same destination IP than the configured threshold. In this scenario, the device takes further measures to deal with this attack.

• Action - Specifies the action of the system when it is under a SIP flood attack. When the system detects the attack, it inspects whether there is a real SIP client behind the subsequent source IP address. If yes, the system bypasses the subsequent SIP INVITE messages sent by this source IP. Otherwise, the system will perform the configured action for the SIP INVITE messages sent by this source IP within three seconds. There are two system actions: Drop or Alarm. Drop is the default action and means dropping the INVITE messages. Alarm means that the system sends an alarm but still bypasses the INVITE messages.

Scan/Spoof Detection:

ICMP Redirect: Click this button to enable ICMP redirect attack detection.

IP Address Sweep: Click this button to enable IP address sweep detection for the security zone.

• Threshold - Specifies a time threshold for IP address sweep. If over 10 ICMP/TCP packets from the same source IP address are sent to different hosts within the specified time threshold, StoneOS will identify them as an IP address sweep attack. The value range is 1 to 1,800,000 milliseconds. The default value is 2.

IP Protocol Scan: Click this button to enable IP protocol scan detection for the security zone.

• Threshold - Specifies a time threshold for IP protocol scan. If packets of over 10 different IP protocols from the same source IP address are sent to the same host within the specified time threshold, StoneOS will identify them as an IP protocol scan attack. The value range is 1 to 1,800,000 milliseconds. The default value is 10.

TCP Port Scan: Click this button to enable port scan detection for the security zone.

• Threshold - Specifies a time threshold for port scan. If over 10 TCP SYN packets are sent to different ports within the period specified by the threshold, StoneOS will identify them as a TCP port scan attack. The value range is 1 to 1,800,000 milliseconds. The default value is 5.

UDP Port Scan: Click this button to enable UDP port scan detection for the security zone.

• Threshold - Specifies a time threshold for UDP port scan. If over 10 UDP packets from the same source IP address are sent to different ports within the specified time threshold, StoneOS will identify them as a UDP port scan attack. The value range is 1 to 1,800,000 milliseconds. The default value is 5.

Denial of Service Detection:

Ping of Death Attack: Click the Enable button to enable Ping of Death attack detection for the security zone. If a Ping of Death attack is detected, StoneOS will drop the attacking packets and also give an alarm.

Teardrop Attack: Click the Enable button to enable Teardrop attack detection for the security zone. If a Teardrop attack is detected, StoneOS will drop the attacking packets and also give an alarm.

IP Fragment: Click the Enable button to enable IP fragment detection for the security zone.

IP Option: Click the Enable button to enable IP option attack detection for the security zone. StoneOS will defend against the following types of IP options: Security, Loose Source Route, Record Route, Stream ID, Strict Source Route and Timestamp.

Land Attack: Click the Enable button to enable Land attack detection for the security zone.

Large ICMP Packet: Click the Enable button to enable large ICMP packet detection for the security zone.

• Threshold - Specifies a size threshold for ICMP packets. If the size of any inbound ICMP packet is larger than the threshold, StoneOS will identify it as a large ICMP packet and take the specified action. The value range is 1 to 50000 bytes. The default value is 1024.

Protocol Anomaly Report:

TCP Anomalies: Click the Enable button to enable TCP anomaly detection for the security zone.

5. To restore the system default settings, click Restore Default.

6. Click OK.
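The flood thresholds and the IP address sweep threshold above are counted over different keys (per destination IP, per destination IP and port, per source IP, and a sliding time window per source). The block below is an added example that models those counting rules on a constructed packet stream; it is not StoneOS or BDS code, and the packet record layout, the function names and the sample traffic are all constructed. It keeps the option table's defaults, treats a SYN threshold of 0 as void, and uses "exceeds" as strictly greater than the threshold, as the option text does.

```python
"""Per-second flood thresholds and IP address sweep detection modelled on
the Attack Detection options. Added example, not StoneOS/BDS code: the
packet record layout, function names and sample traffic are constructed."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet record (constructed)."""
    ts_ms: int        # capture time in milliseconds
    proto: str        # "icmp", "udp" or "tcp"
    src: str
    dst: str
    dport: int = 0
    syn: bool = False


# Default thresholds from the option table. For the SYN thresholds a value of
# 0 means "void": that check is skipped.
THRESHOLDS = {
    "icmp_dst": 1500,   # inbound ICMP packets/s to one destination IP
    "udp_src": 1500,    # outbound UDP packets/s from one source IP
    "udp_dst": 1500,    # inbound UDP packets/s to one destination IP + port
    "syn_src": 1500,    # outbound SYN packets/s from one source IP
    "syn_dst": 1500,    # inbound SYN packets/s to one destination IP (IP-based)
}


def detect_floods(packets, thresholds=THRESHOLDS):
    """Count packets per one-second window under the keys the guide uses and
    return sorted (second, check, key) events where a count exceeded its
    threshold. Exceeding means strictly greater, as in the option text."""
    counters = defaultdict(Counter)      # (second, check) -> Counter(key)
    for p in packets:
        sec = p.ts_ms // 1000
        if p.proto == "icmp":
            counters[(sec, "icmp_dst")][p.dst] += 1
        elif p.proto == "udp":
            counters[(sec, "udp_src")][p.src] += 1
            counters[(sec, "udp_dst")][(p.dst, p.dport)] += 1
        elif p.proto == "tcp" and p.syn:
            counters[(sec, "syn_src")][p.src] += 1
            counters[(sec, "syn_dst")][p.dst] += 1
    events = []
    for (sec, check), counter in counters.items():
        limit = thresholds[check]
        if limit == 0:                   # threshold void
            continue
        events.extend((sec, check, key) for key, n in counter.items() if n > limit)
    return sorted(events)


def detect_ip_sweep(packets, window_ms=2, max_hosts=10):
    """IP address sweep: more than `max_hosts` distinct destination hosts
    reached by ICMP/TCP packets from one source within `window_ms`
    (default 2 ms, the option's default threshold). Sliding window per
    source; returns the set of sweeping source IPs."""
    recent = defaultdict(deque)          # src -> deque of (ts_ms, dst)
    offenders = set()
    for p in sorted(packets, key=lambda x: x.ts_ms):
        if p.proto not in ("icmp", "tcp"):
            continue
        window = recent[p.src]
        window.append((p.ts_ms, p.dst))
        while p.ts_ms - window[0][0] > window_ms:
            window.popleft()
        if len({dst for _, dst in window}) > max_hosts:
            offenders.add(p.src)
    return offenders


def sample_traffic():
    """Constructed traffic: one ICMP flood (1501 packets to one host inside
    second 5), one address sweep (12 hosts probed within 2 ms) and some
    benign UDP DNS traffic."""
    pkts = [Packet(5000 + i % 1000, "icmp", f"198.51.100.{i % 200}", "10.0.0.10")
            for i in range(1501)]
    pkts += [Packet(7000 + i % 3, "tcp", "203.0.113.7", f"10.0.1.{i}", 80, True)
             for i in range(12)]
    pkts += [Packet(9000 + i, "udp", "10.0.0.20", "10.0.0.53", 53) for i in range(40)]
    return pkts


if __name__ == "__main__":
    traffic = sample_traffic()
    print("floods:", detect_floods(traffic))
    print("sweeps:", detect_ip_sweep(traffic))
```

The ICMP flood trips the per-destination counter even though the packets come from 200 different sources, while the 12 SYN packets from 203.0.113.7 stay far below the SYN thresholds and are caught only by the sweep rule, which looks at distinct destinations rather than volume. Raising a threshold (the second test below sets icmp_dst to 2000) or widening max_hosts makes the same traffic pass, which is the trade-off the Flood Protection Threshold Learning option is meant to help with.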

Configuring Flood Protection Threshold Learning

Configuring Flood Protection Threshold Learning Parameters

To configure flood protection threshold learning parameters, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 191.

2. On the Zone Configuration page, expand Threat Detection.

3. Click the Enable button next to Attack Detection and then Configure.

4. In the Attack Detection panel, click Configure next to Flood Protection Threshold Learning.

In the Flood Protection Threshold Learning Configuration panel, configure the following options:

Learning Type: Specifies the type of flood protection threshold learning. Valid values: One Time and Periodic. Default value: One Time.

One Time: Runs the learning task only once; the task is stopped automatically after completion.

Periodic: Runs the learning task periodically based on the interval. You need to manually stop the learning task. If you set the type to this value, you also need to specify the periodic interval.

• Periodic Interval: This value specifies the interval between the time when the last learning task ends and the time when the next learning task starts. To specify an interval, enter a time period in the field and select a time unit from the drop-down list. Valid units: minutes, hours, and days.

    • If the time unit is set to days, valid values of the interval are 1 to 365 days and the default value is 7 days.

    • If the time unit is set to hours, valid values of the interval are 1 to 8760 hours and the default value is 1 hour.

    • If the time unit is set to minutes, valid values of the interval are 10 to 525600 minutes and the default value is 1440 minutes.

Learning Duration: Specifies the duration of flood protection threshold learning. To do this, enter a time period in the field and select a time unit from the drop-down list. Valid units: minutes, hours, and days.

• If the time unit is set to days, valid values of the duration are 1 to 365 days and the default value is 1 day.

• If the time unit is set to hours, valid values of the duration are 1 to 8760 hours and the default value is 1 hour.

• If the time unit is set to minutes, valid values of the duration are 10 to 525600 minutes and the default value is 1440 minutes.

Coefficient: Final threshold learning result = Maximum traffic rate within learning duration * Coefficient. Specifies the coefficient of flood protection threshold learning. Unit: %. You can select Default, Loose, Strict, or customize a coefficient.

• Default: The coefficient is 200.

• Loose: The coefficient is 4000.

• Strict: The coefficient is 100.

• Custom: The coefficient range is from 100 to 4000.

Apply Mode: Specifies the mode of applying the flood protection threshold learning result. Valid values: Manually and Automatically. Default value: Manually.

• Manually: Applies the threshold learning result to the threshold configuration of a flood attack detection item based on your requirements. For more information, see Viewing and Applying Flood Protection Threshold Learning Result.

• Automatically: The threshold configuration of all enabled flood attack detection items will be automatically configured with the threshold learning result, and these threshold configurations will be automatically applied.

5. Click OK.

Enabling Flood Protection Threshold Learning

After you configure flood protection threshold learning parameters, you can start flood protection threshold learning. To do this, take the following steps:

1. Select Configuration Management > Network Configuration > Zone.

2. In the list of zones whose Attack Detection function is enabled, click Status in the AD Intelligent Learning column. In the Flood Protection Threshold Learning Status panel, click Start Learning.

3. After flood protection threshold learning is started, you can view details such as the duration completed, remaining duration, and learning result. You can also click Stop Learning to stop flood protection threshold learning.

Viewing and Applying Flood Protection Threshold Learning Result

After flood protection threshold learning is completed, you can view and apply the learning result. To do this, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 191.

2. On the Zone Configuration page, expand Threat Detection.

3. Click the Enable button next to Attack Detection and then Configure.

4. Click View Result next to Flood Protection Threshold Learning. In the Flood Protection Threshold Learning Result panel, view the threshold learning result of each flood attack type, including completed results and temporary results. To use a temporary result, you need to record this result and manually replace the threshold of the corresponding flood attack detection item with this result.

5. Select the flood attack type whose threshold learning result you want to apply and click Apply.

Notes:

• The Flood Protection Threshold Learning function takes effect only if the Attack Detection function and the corresponding flood attack detection items are enabled.

• Flood protection threshold learning parameters cannot be edited when flood protection threshold learning is in progress.

• The minimum value of the actual flood protection threshold learning result is 1500, and the maximum value is consistent with that of the flood attack detection item you can configure.

• If the device is restarted, you need to start flood protection threshold learning again.
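The coefficient formula, the 1500 floor and item-maximum ceiling from the notes, and the two apply modes interact in ways the option table states separately. The block below is an added example that carries that arithmetic through on constructed peak-rate observations; it is not BDS code. The item names and limits follow the option table (50000 is the maximum of the ICMP, UDP and SYN thresholds shown there); the sample rates, the function names and the dictionary layout are assumptions made for the example.

```python
"""Arithmetic of flood protection threshold learning as the guide states it:
result = maximum traffic rate within the learning duration * coefficient (%),
clamped to at least 1500 and at most the detection item's maximum, then
applied manually or automatically. Added example, not BDS code; item names
follow the option table, the sample rates are constructed."""

COEFFICIENTS = {"Default": 200, "Loose": 4000, "Strict": 100}   # percent
CUSTOM_RANGE = (100, 4000)
MIN_RESULT = 1500            # minimum actual learning result (see Notes)
# Upper bound of each flood item's configurable threshold (option table).
ITEM_MAX = {"ICMP Flood": 50000, "UDP Flood": 50000, "SYN Flood": 50000}


def coefficient_value(choice):
    """Resolve Default/Loose/Strict or a Custom percentage (100-4000)."""
    if choice in COEFFICIENTS:
        return COEFFICIENTS[choice]
    if isinstance(choice, int) and CUSTOM_RANGE[0] <= choice <= CUSTOM_RANGE[1]:
        return choice
    raise ValueError("coefficient must be Default, Loose, Strict or 100-4000")


def learned_threshold(rates_per_second, coefficient, item_max):
    """Peak observed rate scaled by the coefficient, bounded to the range a
    threshold can actually take."""
    peak = max(rates_per_second, default=0)
    raw = peak * coefficient_value(coefficient) // 100
    return max(MIN_RESULT, min(raw, item_max))


def learn_results(samples, coefficient="Default"):
    """samples: {item: [packets-per-second observations over the duration]}."""
    return {item: learned_threshold(rates, coefficient, ITEM_MAX[item])
            for item, rates in samples.items()}


def apply_results(results, current, enabled_items, apply_mode="Manually", selected=()):
    """Manually: only items the administrator selected (and which are enabled)
    get the learned value. Automatically: every enabled item is updated.
    Returns the new threshold configuration; `current` is left unchanged."""
    if apply_mode == "Automatically":
        targets = set(enabled_items)
    elif apply_mode == "Manually":
        targets = set(selected) & set(enabled_items)
    else:
        raise ValueError("apply mode must be Manually or Automatically")
    updated = dict(current)
    for item in targets:
        if item in results:
            updated[item] = results[item]
    return updated


# Constructed peak-rate observations (packets per second) for one learning run.
SAMPLE_RATES = {
    "ICMP Flood": [300, 800, 1200],      # 1200 * 200 % = 2400
    "UDP Flood": [30, 50],               # 100 -> raised to the 1500 minimum
    "SYN Flood": [40000, 30000],         # 80000 -> capped at the 50000 maximum
}

if __name__ == "__main__":
    for name in ("Strict", "Default", "Loose"):
        print(name, learn_results(SAMPLE_RATES, name))
    current = {item: 1500 for item in ITEM_MAX}
    print(apply_results(learn_results(SAMPLE_RATES), current,
                        enabled_items=["ICMP Flood", "SYN Flood"],
                        apply_mode="Automatically"))
```

Two things the example makes visible: a quiet link never learns a threshold below 1500, so Strict on low-rate traffic simply returns the default, and with Automatically the learned value overwrites the threshold of every enabled item, including ones you did not intend to loosen.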

Sandbox

This feature may not be available on all platforms. Please check your system's actual page to see whether your device delivers this feature.

A sandbox executes a suspicious file in a virtual environment, collects the actions of this file, analyzes the collected data, and verifies the legality of the file.

The Sandbox function of the system uses cloud sandbox technology. The suspicious file is uploaded to the cloud side. The cloud sandbox collects the actions of this file, analyzes the collected data, verifies the legality of the file, and returns the analysis result to the system.

The Sandbox function contains the following parts:

• Collect and upload the suspicious file: The Sandbox function parses the traffic and extracts the suspicious file from the traffic.

    • If there is no analysis result for this file in the local database, the system uploads this file to the cloud intelligence server, and the cloud intelligence server uploads the suspicious file to the cloud sandbox for analysis.

    • If this file has already been identified as an illegal file in the local database of the Sandbox function, the system generates the corresponding threat logs and cloud sandbox logs.

    Additionally, you can specify the criteria for suspicious files by configuring a sandbox profile.

• Check the analysis result returned from the cloud sandbox and take actions: The Sandbox function checks the analysis result of the suspicious file returned from the cloud sandbox, verifies the legality of the file, and saves the result to the local database. If the suspicious file is identified as an illegal file, the file is dealt with according to the actions (reset the connection or report logs) set in the system. The first time a malicious file is found, the system records threat logs and cloud sandbox logs but cannot stop the malicious connection. When a malicious file later matches the threat information cached on the local device, the system can act against the threat only by resetting the connection.

• Maintain the local database of the Sandbox function: Record the information of the uploaded files, including the upload time and the analysis result. This part is completed by the Sandbox function automatically.

Notes: The Sandbox function is controlled by license. To use the Sandbox function, install the Cloud sandbox license.

Related Topics: Configuring Sandbox

Configuring Sandbox

This chapter includes the following sections:

• Preparation for configuring the Sandbox function

• Configuring the Sandbox rules

• Sandbox global configurations

Preparation

Before enabling the Sandbox function, make the following preparations:

1. Make sure your system version supports the Sandbox function.

2. Make sure the current device is registered to the Hillstone Cloud Service Platform.

3. Import the Cloud sandbox license and reboot. The cloud sandbox function will be enabled after rebooting. You can use the local sandbox without licenses.

Configuring Sandbox

The system supports the zone-based Sandbox. To create the zone-based Sandbox, take the following steps:

1. Click Configuration Management > Threat Detection Configuration > Sandbox > Configuration. Click the Enable button of Cloud Sandbox or Local Sandbox to enable the sandbox function. If no cloud sandbox license is installed, you can enable the Free Cloud Sandbox function. The Free Cloud Sandbox function only supports detection of PE files.

2. Click Configuration Management > Threat Detection Configuration > Sandbox > Profile to create the sandbox rule you need.

3. Bind the sandbox rule to a zone. Click Configuration Management > Network Configuration > Zone. In the Zone Configuration dialog, select the Threat Protection tab. Check the Enable check box of Sandbox, and select a sandbox rule from the profile drop-down list below; or click Add Profile in the profile drop-down list to create a sandbox rule, see Configuring a Sandbox Rule.
Configuring a Sandbox Rule

A sandbox rule contains the file types that the device detects, the protocol types that the device detects, the white list settings, and the file filter settings.

• File Type: Supports detection of PE, APK, JAR, MS-Office, PDF, SWF, RAR, ZIP and Other (file types other than those mentioned above) files.

• Protocol Type: Supports detection of the HTTP, FTP, POP3, SMTP, IMAP4 and SMB protocols.

• White list: A white list includes domain names that are safe. When a file extracted from the traffic comes from a domain name in the white list, this file will not be marked as a suspicious file and it will not be uploaded to the cloud sandbox or the local sandbox.

• File filter: Marks the file as a suspicious file if it satisfies the criteria configured in the file filter settings. The analysis result from the cloud sandbox or the local sandbox determines whether this suspicious file is legal or not.

• Actions: When the suspicious file matches the threat items in the local sandbox, the system deals with the malicious file using the configured actions.

There are four built-in sandbox rules with the file and protocol types configured, white list enabled and file filter configured. The four built-in sandbox rules are predef_low, predef_middle, predef_high and predef_pe.

• predef_low: A loose sandbox detection rule, whose file type is PE and protocol types are HTTP/FTP/POP3/SMTP/IMAP4/SMB, with white list and file filter enabled.

• predef_middle: A middle-level sandbox detection rule, whose file types are PE/APK/JAR/MS-Office/PDF and protocol types are HTTP/FTP/POP3/SMTP/IMAP4/SMB, with white list and file filter enabled.

• predef_high: A strict sandbox detection rule, whose file types are PE/APK/JAR/MS-Office/PDF/SWF/RAR/ZIP/Other and protocol types are HTTP/FTP/POP3/SMTP/IMAP4/SMB, with white list and file filter enabled.

• predef_pe: A sandbox detection rule, whose file type is only PE and protocol types are HTTP/FTP/POP3/SMTP/IMAP4/SMB, with white list and file filter enabled.

To create a new sandbox rule, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Sandbox > Profile.

2. Click New to create a new sandbox rule. To edit an existing one, select the check box of this rule and then click Edit.

In the Sandbox Configuration page, configure the following options.
346
Chapter 8 Threat Detection
Name: Enter the name of the sandbox rule. The value range is 1 to 31 characters.

Actions: When the suspicious file matches the threat items in the local sandbox, the system deals with the malicious file using the configured actions. Actions:

• Record logs only - When detecting malicious files, the system passes the traffic and records logs only (threat log and cloud sandbox log).

White List: Click the Enable button to enable the white list function. A white list includes domain names that are safe. When a file extracted from the traffic comes from a domain name in the white list, this file will not be marked as a suspicious file and it will not be uploaded to the cloud sandbox or the local sandbox. You can update the white list in Configuration Management > System Configuration > Upgrade Management > Signature Database Update > Sandbox Whitelist Database Update.

Certificate verify: Click the Enable button to enable verification of trusted certificates. After enabling, the system will not detect PE files whose certificate is trusted.

File upload: By default, a file is uploaded to the cloud sandbox or the local sandbox when it is classified as suspicious. Since some suspicious files contain users' sensitive information, you can disable suspicious file uploading, which prevents suspicious files from being uploaded to the cloud sandbox or the local sandbox. Click the Disable button to disable suspicious file uploading.

File Filter: Marks the file as a suspicious file if it satisfies the criteria configured in the file filter settings. The analysis result from the cloud sandbox or the local sandbox determines whether this suspicious file is legal or not. The logical relation between the criteria is AND.

File Type: Marks files of the specified file type as suspicious. Click the Enable button of the file type, then select Cloud Sandbox Detection to specify that suspicious files will be uploaded to the cloud sandbox for detection, or select Local Sandbox Detection to specify that suspicious files will be uploaded to the local sandbox for detection. The system can currently mark PE (.exe), APK, JAR, MS-Office, PDF, SWF, RAR, ZIP and Other (file types other than those mentioned above) files as suspicious. You cannot upload files of other types to the cloud sandbox. If no file type is specified, the Sandbox function marks no file as suspicious.

Protocol: Specifies the protocols to scan. The system can currently scan HTTP, FTP, POP3, SMTP, IMAP4 and SMB traffic. If no protocol is specified, the Sandbox function does not scan the network traffic.

After specifying the protocol type, you have to specify the direction of detection. You can specify the detection direction of HTTP, FTP and SMB as upload, download or bothway. The detection direction of SMTP can only be specified as upload. The detection direction of POP3 and IMAP4 can only be specified as download.

• Upload - The direction is from client to server.

• Download - The direction is from server to client.

• Bothway - The direction includes both the uploading and downloading directions.

3. Click OK to save the settings.

Sandbox Global Configurations

To configure the sandbox global configurations, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Sandbox > Configuration.

2. Click the Enable button of Cloud Sandbox to enable the cloud sandbox function. If you do not have a cloud sandbox license, you can enable the Free Cloud Sandbox function. The Free Cloud Sandbox function is valid for one year and only supports detection of PE files.

3. Click the Enable button of Local Sandbox to enable the local sandbox function, and then specify the IP address and the port of the local sandbox. You can use the local sandbox without licenses.

4. Specify the file size for the files you need. A file that is smaller than the specified file size will be marked as a suspicious file.

5. If you select the Benign file check box, the system records cloud sandbox logs for a file when it marks it as a benign file. By default, the system does not record logs for benign files.

6. If you select the Greyware file check box, the system records cloud sandbox logs for a file when it marks it as a greyware file. A greyware file is one that the system cannot judge to be either a benign file or a malicious file. By default, the system does not record logs for greyware files.

7. Click OK to save the settings.

Notes: If both the cloud sandbox and the local sandbox are disabled when the device turns on, you need to reboot the device after clicking the Enable button.

Threat List

The threat list is the list of threat items in the local sandbox. There are three sources of threat items:

• The Sandbox function finds suspicious files and reports them to the local sandbox or the cloud sandbox. After verifying that the file is malicious, the local sandbox or the cloud sandbox sends the analysis result and MD5 to the device, and the threat item is listed in the threat list.

• The Hillstone device finds a suspicious file and successfully queries the MD5 of the threat in the cloud sandbox or the local sandbox; the threat item is then listed in the threat list.

• The Hillstone device receives the synchronized threat MD5 from the Hillstone cloud service platform and matches the threat; the threat item is then listed in the threat list.

You can filter and check threat items by specifying the MD5 or the name of the virus on the threat list page, and add the selected threat item to the trust list. Take the following steps:

1. Click Configuration Management > Threat Detection Configuration > Sandbox > Threat List.

2. Select the threat item that needs to be added to the trust list and click the Add to Trust List button. Once the added threat item is matched, the corresponding traffic will be released.

Trust List

You can view all the sandbox threat information that can be detected on the device and add it to the trust list. Once an item in the trust list is matched, the corresponding traffic will be released and not controlled by the actions of the sandbox rule.

To remove threat items from the trust list, take the following steps:

1. Click Configuration Management > Threat Detection Configuration > Sandbox > Trust List.

2. Select the threat item that needs to be removed from the trust list and click the Remove from Trust List button. The threat item will be removed from the trust list.
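The sandbox rule options (file type with its cloud/local target, protocol with its permitted direction, white list, certificate verification, file upload), the global file size limit, and the threat list and trust list lookups together decide what happens to one extracted file. The block below is an added example, not Hillstone code, that evaluates those criteria in the order the sections above describe: every file filter criterion must hold (the logical relation is AND), a trust list match releases the traffic, a threat list match is handled by the rule's action, and an unknown file is uploaded to the selected sandbox. The record layouts, function names, the sample rule modelled on predef_middle and the "Reset connection" action name are assumptions made for the example; the profile page only lists Record logs only.

```python
"""Sandbox rule evaluation and local threat/trust list handling. Added
example, not Hillstone code: record layouts, function names, the sample
rule and the "Reset connection" action name are constructed."""
from dataclasses import dataclass

# Directions each protocol may be configured with (Protocol option).
ALLOWED_DIRECTIONS = {
    "HTTP": {"upload", "download", "bothway"},
    "FTP": {"upload", "download", "bothway"},
    "SMB": {"upload", "download", "bothway"},
    "SMTP": {"upload"},
    "POP3": {"download"},
    "IMAP4": {"download"},
}


@dataclass(frozen=True)
class FileEvent:
    """A file extracted from traffic (constructed layout)."""
    md5: str
    domain: str
    file_type: str      # PE, APK, JAR, MS-Office, PDF, SWF, RAR, ZIP, Other
    protocol: str
    direction: str      # "upload" (client to server) or "download"
    size: int           # bytes
    trusted_cert: bool = False


@dataclass
class SandboxRule:
    name: str
    file_types: dict                    # type -> "cloud" or "local"
    protocols: dict                     # protocol -> configured direction
    whitelist_enabled: bool = True
    certificate_verify: bool = False
    file_upload: bool = True
    action: str = "Record logs only"    # or "Reset connection" (assumed name)


def validate_rule(rule):
    """Reject settings the profile page would not accept."""
    if not 1 <= len(rule.name) <= 31:
        raise ValueError("name must be 1 to 31 characters")
    for proto, direction in rule.protocols.items():
        if direction not in ALLOWED_DIRECTIONS.get(proto, ()):
            raise ValueError(f"{proto} cannot be scanned in direction {direction!r}")
    return True


def sandbox_target(ev, rule, whitelist, max_size):
    """Return 'cloud' or 'local' when every criterion marks the file
    suspicious, else None. The criteria are combined with AND."""
    if rule.whitelist_enabled and ev.domain in whitelist:
        return None
    if rule.certificate_verify and ev.file_type == "PE" and ev.trusted_cert:
        return None
    if ev.size >= max_size:             # only smaller files are marked
        return None
    want = rule.protocols.get(ev.protocol)
    if want is None or (want != "bothway" and want != ev.direction):
        return None
    return rule.file_types.get(ev.file_type)   # None if the type is not enabled


def handle_file(ev, rule, state, whitelist, max_size):
    """state: {'threat': {md5: virus_name}, 'trust': set(md5), 'pending': set(md5)}."""
    target = sandbox_target(ev, rule, whitelist, max_size)
    if target is None:
        return "pass"
    if ev.md5 in state["trust"]:
        return "released (trust list)"
    if ev.md5 in state["threat"]:
        if rule.action == "Reset connection":
            return "connection reset, logs recorded"
        return "logs recorded, traffic passed"
    if not rule.file_upload:
        return "suspicious, upload disabled"
    state["pending"].add(ev.md5)
    return f"uploaded to {target} sandbox"


def record_result(state, md5, malicious, virus_name=""):
    """Store the sandbox verdict in the local database; only malicious
    results become threat items."""
    state["pending"].discard(md5)
    if malicious:
        state["threat"][md5] = virus_name


def new_state():
    return {"threat": {}, "trust": set(), "pending": set()}


# Constructed rule in the shape of predef_middle, with certificate verify on.
MIDDLE_RULE = SandboxRule(
    name="middle-like",
    file_types={t: "cloud" for t in ("PE", "APK", "JAR", "MS-Office", "PDF")},
    protocols={"HTTP": "bothway", "FTP": "bothway", "SMB": "bothway",
               "SMTP": "upload", "POP3": "download", "IMAP4": "download"},
    certificate_verify=True,
)
WHITELIST = {"updates.example"}          # constructed whitelist domain
MAX_SIZE = 10 * 1024 * 1024              # constructed global file size limit
```

The sequence in the test mirrors the overview: the first sighting of a file is only uploaded and logged, the verdict is recorded in the local database, and from then on the same MD5 is handled by the rule's action, unless an administrator has moved it to the trust list, which wins over the threat list.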

351
Chapter 8 Threat Detection
Abnormal Behavior Detection
When an endpoint is infected by malware, it will send various attacks in the intranet, such as Web attack, port /
address scanning, etc. At the same time, the endpoint will be connected with the C&C server, accept new attack
instructions, these networks attack behavior and C&C behavior are different from normal network behavior.

System provide abnormal behavior detection function based on security zones. This function can distinguish mali-
cious network behavior and normal network behavior, and detect the network traffic of the detection object1
according to a specific detection dimension 2in the system. If it exceeds the set detection dimension threshold 3,
system will determine whether the detection object has a threat in this dimension, and further determine whether
there is abnormal behavior or whether it is infected by malware. If it is determined that abnormal behavior exists
and is infected, combined with the abnormal behavior modeling database4, system will report corresponding
threat events and generate related threat logs.

The followings are the concept description of the Abnormal Behavior Detection:

1. Detection object: the protected objects configured in Endpoint Detection in this chapter and the protected objects configured in "Configuring Intranet Assets" on Page 237.

2. Detection dimension: according to the different detection items, the system defines multiple categories of detection dimensions, such as Scan, HTTP Protocol Exception Check and Suspicious Behavior.

3. Detection dimension threshold: each detection dimension in the system has a default threshold, and whether a threat is generated in that dimension is determined by whether the threshold is exceeded. Depending on the application scenario, you can enable or disable a detection dimension and specify its threshold. For configuration of detection dimension thresholds, refer to Abnormal Behavior Detection Global Configuration.

4. Abnormal behavior modeling database: the database holds the abnormality information for the traffic, namely a description of each abnormality, its cause and the suggested handling. This information helps you analyze and resolve the abnormal problems. By default, the system updates the database at a fixed time every day, and you can modify the update settings to suit your requirements. The system supports automatic and manual updates; see "Upgrading System" on Page 414.

When the abnormal behavior detection function is enabled on the device, DGA domain name detection is enabled at the same time. For a description of that function, refer to DGA Domain Name Detection.

Endpoint Detection
You can enable the Endpoint Detection function for a specific zone. Enabling this function achieves the following:

l Establish a data model for each endpoint whose endpoint name can be identified

l Analyze the network behavior of the endpoint

l Define the corresponding signature dimension for each kind of network behavior

l Detect abnormal endpoint behavior based on the signature dimensions and uncover better-hidden threat attacks

The results are displayed on the Risk Assessment page; see Viewing the Abnormal Behavior Detection Information.

Enabling Endpoint Detection:

1. Create a zone. For more information about how to create one, refer to "Security Zone" on Page 191.

2. In the Zone Configuration page, expand Threat Detection.

3. Click the Enable button next to Abnormal Behavior Detection.

4. Click Global Configuration to open the Abnormal Behavior Detection Configuration page, enable or disable each detection dimension and set the corresponding threshold.

5. Click the Enable button next to Endpoint Detection. To enable abnormal behavior detection based on the HTTP and suspicious file factors, click the Enable button next to Advanced Detection. To capture and save the evidence that leads to an abnormal behavior alarm, click the Enable button next to Forensic.

Notes: The advanced detection function consumes system resources and may affect system performance after it is enabled.

DGA Domain Name Detection
DNS, the domain name resolution protocol, is designed to resolve fixed domain names to IP addresses. Because domain names are convenient and widely used, attackers use them in different ways to mount attacks. For example, one IP address can correspond to multiple domain names, and the server locates the target URL according to the endpoint (Host) field of the HTTP packet; malware uses this feature by modifying that field to disguise the domain name, producing abnormal behavior. DGA, the domain generation algorithm, generates a large number of pseudo-random domain names and is used by malware.

To address these problems, DGA domain name detection can serve as an important basis for determining malicious behavior. When the abnormal behavior detection function is enabled on the device, the DGA domain name detection function is enabled at the same time. The system inspects DNS response messages and builds a DNS mapping list (the DNS mapping list stores domain names and their IP addresses, the pseudo-random domain names generated by DGA algorithms, and the black and white list of DGA domain names). Using the DNS mapping, the device detects malware and abnormal behavior attacks, generates threat logs and displays the results on the Risk Assessment page; see Viewing the Abnormal Behavior Detection Information.

The black and white list of DGA domain names includes the following types:

l Predefined black and white list: the black and white list of DGA domain names synchronized from the cloud by updating the malware behavior model database.

l Custom whitelist: DGA domain names that users have added to the whitelist as needed.
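The DNS mapping list and the list lookups described above, as an added Python example that is not Hillstone code. The lists, client addresses and DNS responses are constructed, and the pseudo-random-name heuristic (label length, Shannon entropy and vowel ratio) is this example's own assumption, not the product's algorithm.

```python
"""Added example (not Hillstone code): build a DNS mapping list from DNS
responses and classify each resolved domain against a predefined blacklist,
a custom whitelist and an assumed pseudo-random-name heuristic."""
import math
from collections import Counter, defaultdict

# Constructed lists. In the product the predefined list comes from the
# malware behavior model database and the custom whitelist from the user.
PREDEFINED_BLACKLIST = {"bad-c2-example.test"}
CUSTOM_WHITELIST = {"update.example.com"}


def second_level_label(domain):
    """Label left of the TLD; public-suffix handling (co.uk etc.) is out of
    scope for this example."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def shannon_entropy(text):
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain, min_len=12, min_entropy=3.5, max_vowel_ratio=0.3):
    """Assumed heuristic: a long, high-entropy, vowel-poor second-level label.
    The thresholds are this example's own choice, not the product's."""
    label = second_level_label(domain)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


class DnsMappingList:
    """Domain -> resolved IPs, plus the verdicts derived from the lists."""

    def __init__(self, blacklist=PREDEFINED_BLACKLIST, whitelist=CUSTOM_WHITELIST):
        self.blacklist = set(blacklist)
        self.whitelist = set(whitelist)
        self.mapping = defaultdict(set)
        self.dga_suspects = set()

    def classify(self, domain):
        # Whitelist wins, then the predefined blacklist, then the heuristic.
        if domain in self.whitelist:
            return "whitelisted"
        if domain in self.blacklist:
            return "blacklisted"
        return "dga-suspect" if looks_generated(domain) else "normal"

    def observe_response(self, client, domain, ips):
        """Record one DNS answer; return a threat record or None."""
        domain = domain.lower().rstrip(".")
        self.mapping[domain].update(ips)
        verdict = self.classify(domain)
        if verdict == "dga-suspect":
            self.dga_suspects.add(domain)
        if verdict in ("dga-suspect", "blacklisted"):
            return {"client": client, "domain": domain,
                    "verdict": verdict, "ips": sorted(ips)}
        return None


def run_sample():
    """Feed constructed DNS responses (client, name, answers); return the
    mapping list and the alerts raised, in order."""
    responses = [
        ("10.1.1.20", "update.example.com", {"198.51.100.7"}),
        ("10.1.1.20", "mail.example.org", {"192.0.2.1"}),
        ("10.1.1.31", "kq3xz9vh2lmf7ptw.example", {"203.0.113.9"}),
        ("10.1.1.31", "bad-c2-example.test", {"203.0.113.9"}),
        ("10.1.1.44", "customerportal.example", {"192.0.2.44"}),
    ]
    mapping = DnsMappingList()
    alerts = []
    for client, name, ips in responses:
        alert = mapping.observe_response(client, name, ips)
        if alert:
            alerts.append(alert)
    return mapping, alerts


if __name__ == "__main__":
    _, found = run_sample()
    for a in found:
        print(a)
```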

Abnormal Behavior Detection Global Configuration

Each detection dimension in the system has a default threshold. By detecting whether the dimension threshold is exceeded, the system determines whether the endpoint / server has a threat in this dimension. For example, the default threshold of "SYN Port Scan Attack" is 400: if an endpoint is inspected along this dimension and more than 400 failed SYN connections are detected within 5 minutes, a SYN port scan attack is determined to have occurred.

By default, all detection dimensions are enabled and use their default thresholds. The Abnormal Behavior Detection Configuration page displays all detection dimensions; each can be enabled or disabled and its threshold can be specified manually. Depending on the application scenario, you can enable or disable a detection dimension and specify its threshold.

To configure the Abnormal Behavior Detection global settings, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Abnormal Behavior Detection.

2. Select the check box of the detection dimension to be enabled.

3. Enter the threshold value in the corresponding threshold text box. The default thresholds are shown below.

The default thresholds of detection dimensions

Type | Name | Default Threshold
Scan | SYN Port Scan Attack | 400/5 minutes
Scan | IP Address Scan Attack | 100/5 minutes
Scan | Port Scan Attack | 400/5 minutes
Scan | SMB Service Scan Attack | 400/5 minutes
Abnormal Mail Sending Behavior | Suspicious SPAM Attack | 100/5 minutes
HTTP Protocol Exception Check | Suspicious HTTP Request Via TOR | -
HTTP Protocol Exception Check | Visiting Malicious Websites | -
HTTP Protocol Exception Check | Lots of Suspicious HTTP Response Error Codes | 1000/5 minutes
Suspicious Behavior | SMB NETBIOS Evasion | -
Suspicious Behavior | FTP Command Evasion | -
Suspicious Behavior | URL Obfuscation | -
Suspicious Behavior | Suspicious External Remote Control | -
Suspicious Behavior | Lots of SMTP Connections | 100/5 minutes
Suspicious Behavior | Suspicious SSDP Activities | 40/5 minutes
Suspicious Behavior | Suspicious NETBIOS Activities | 200/5 minutes
Suspicious Behavior | SMB Port Scan | 40/5 minutes
Brute Force | Telnet Brute Force Attack | 100/5 minutes
Brute Force | LDAP Brute Force Attack | 400/5 minutes
Brute Force | SSH Brute Force Attack | 100/5 minutes
Brute Force | POP3 Brute Force Attack | 100/5 minutes
Brute Force | FTP Brute Force Attack | 100/5 minutes
Brute Force | SMTP Brute Force Attack | 100/5 minutes
Brute Force | IMAP4 Brute Force Attack | 100/5 minutes
Brute Force | MYSQL Brute Force Attack | 100/5 minutes
Brute Force | RDP Brute Force Attack | 100/5 minutes
Brute Force | SMB Brute Force Attack | 100/5 minutes
Brute Force | VNC Brute Force Attack | 100/5 minutes
DNS Protocol Exception Check | ISP DNS Sinkhole | -
Mining | Malicious Bitcoin Mining Activities | -

4. Click the icon next to Risk Application to expand this section. You can select the Risk Application check box or turn on the switch next to Risk Application Detection. With this function enabled, the system can identify risky applications and generate alarm logs. By default, this function is disabled.

5. Click Configure next to Risk Application Detection. In the Risk App Configuration panel, configure the detection function for remote control tools.

Configure the following options:

Option | Description
Remote Control Tool | Click the button to enable detection of risky applications of the remote control tool type. By default, this button is disabled.
Enable All | Click the button to enable detection of all four remote control tools at once: SunLogin, ToDesk, TeamViewer and WebSocket. To enable detection for a single remote control tool, select the corresponding check box. By default, this button is disabled.

Notes:
l The professional application signature database must be installed before the system can detect the remote control tools listed above.

l Each device has a built-in standard application signature database, which supports detection only for the remote control tool TeamViewer.

l For the Risky Application Detection function to take effect, make sure that the Application Identification function of the security zone is enabled. To do this, click the button next to Application Identification on the Zone Configuration page.

6. In the Other Detections section, click Configure next to Interzone Host Illegal Connection. In the Interzone Host Illegal Connection panel, configure the following options and click OK.

Option | Description
Enable | Turn on the switch to enable the Interzone Host Illegal Connection function. This function allows the device to detect intranet assets in the closed network and IP flows that do not fall within the specified IP range, so that threats can be detected in a timely manner. By default, this function is disabled. Note: This function is applicable only to closed networks.
IP Range Type | Specifies the IP range type of interzone host illegal connection: Default, Same as Configured Internal IP, or Custom. Default sets the IP range to the default IP range, which contains the configured internal IP range and the custom IP range; then click the IP Range field, select IP/Netmask, IPv4 Range, IPv6 Prefix or IPv6 Range from the drop-down list, enter the corresponding value, and click Add. Custom sets the IP range to a custom IP range; then click the IP Range field, select IP/Netmask, IPv4 Range, IPv6 Prefix or IPv6 Range from the drop-down list, enter the corresponding value, and click Add.

7. In the Other Detections section, click configure next to Invalid Endpoint Access Detection. In the Invalid
Endpoint Access Detection panel, turn on the switch next to Enable to check whether the accessed endpoints
are valid so that threats can be detected in a timely manner. By default, this function is disabled. After you com-
plete the configuration, click OK.

8. Click OK.

9. To restore the default threshold and enabled status of all detection dimensions, click Restore Default, and then click OK.
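The threshold logic of this section, as an added Python example that is not Hillstone code: a sliding-window counter per detection object and dimension, seeded with a constructed subset of the default-threshold table above and run over constructed events. Dimensions listed with a "-" threshold are modeled here as firing on a single match, which is this example's assumption.

```python
"""Added example (not Hillstone code): per-object, per-dimension threshold
detection over a sliding time window, using a constructed subset of the
default thresholds listed on this page."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed subset of the page's default-threshold table: (count, seconds).
# A "-" threshold in the table is modeled as 0, i.e. one match is enough
# (this example's assumption, not the product's documented behavior).
DEFAULT_THRESHOLDS = {
    "SYN Port Scan Attack": (400, 300),
    "IP Address Scan Attack": (100, 300),
    "SSH Brute Force Attack": (100, 300),
    "LDAP Brute Force Attack": (400, 300),
    "Suspicious SSDP Activities": (40, 300),
    "Suspicious HTTP Request Via TOR": (0, 300),
}


@dataclass
class DimensionConfig:
    enabled: bool = True
    threshold: int = 0
    window: int = 300


@dataclass
class AbnormalBehaviorDetector:
    """Keeps event timestamps per (detection object, dimension) and reports
    the first time a window holds more events than the dimension threshold."""
    config: dict = field(default_factory=dict)
    events: dict = field(default_factory=lambda: defaultdict(deque))
    reported: set = field(default_factory=set)

    def __post_init__(self):
        for name, (count, window) in DEFAULT_THRESHOLDS.items():
            self.config.setdefault(name, DimensionConfig(True, count, window))

    def set_dimension(self, name, enabled=None, threshold=None):
        """Mirror of the enable/disable check box and the threshold text box."""
        cfg = self.config[name]
        if enabled is not None:
            cfg.enabled = enabled
        if threshold is not None:
            cfg.threshold = threshold
        return cfg

    def observe(self, ts, endpoint, dimension):
        """Record one matching event; return a threat event dict or None."""
        cfg = self.config.get(dimension)
        if cfg is None or not cfg.enabled:
            return None
        key = (endpoint, dimension)
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > cfg.window:   # drop events older than the window
            q.popleft()
        if len(q) > cfg.threshold and key not in self.reported:
            self.reported.add(key)            # one threat event per object/dimension
            return {"endpoint": endpoint, "dimension": dimension,
                    "count": len(q), "window": cfg.window}
        return None


def run_sample():
    """Feed constructed events and return the threat events raised, in order."""
    det = AbnormalBehaviorDetector()
    det.set_dimension("LDAP Brute Force Attack", enabled=False)    # disabled
    det.set_dimension("Suspicious SSDP Activities", threshold=10)  # tightened
    found = []

    def feed(ts, endpoint, dimension):
        ev = det.observe(ts, endpoint, dimension)
        if ev:
            found.append(ev)

    # 401 failed SYN connections from one host within 100 s: exceeds 400/5 min.
    for i in range(401):
        feed(i * 0.25, "10.1.1.20", "SYN Port Scan Attack")
    # 150 SSH failures at one per 10 s: never more than 31 in any 5 min window.
    for i in range(150):
        feed(i * 10.0, "10.1.1.30", "SSH Brute Force Attack")
    # 500 LDAP failures on a disabled dimension: nothing is reported.
    for i in range(500):
        feed(i * 0.1, "10.1.1.40", "LDAP Brute Force Attack")
    # 11 SSDP events against the custom threshold of 10.
    for i in range(11):
        feed(float(i), "10.1.1.50", "Suspicious SSDP Activities")
    # A single match on a "-" dimension.
    feed(0.0, "10.1.1.60", "Suspicious HTTP Request Via TOR")
    return found


if __name__ == "__main__":
    for ev in run_sample():
        print(ev)
```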

Viewing the Abnormal Behavior Detection Information

To view the Abnormal Behavior Detection information:

1. Select Security Analysis > Threat Event; the page redirects to "Threat Monitor" on Page 84.

2. Click the icon, select Detected Engine and Abnormal Behavior Detection in the drop-down list, and then click the threat entry name in the list.

3. Click the Threat tab to view the Abnormal Behavior Detection information and the trend chart of the actual value and predictive value (baseline, thresholds) of the detected object.

4. Click the Knowledge Base tab to view the threat attack description.

Advanced Threat Detection
Advanced Threat Detection analyzes the suspicious traffic of endpoints on the basis of learned advanced threat detection signatures, detects malicious behavior in order to identify APT (Advanced Persistent Threat) attacks, and generates threat logs.

Notes:
l You need to update the malware behavior modeling database before enabling the function for the first time. By default, the system updates the database at a fixed time every day, and you can modify the update settings to suit your requirements; see "Upgrading System" on Page 414.

Configuring Advanced Threat Detection

To realize zone-based Advanced Threat Detection, you need to:

1. Create a zone. For more information about how to create one, refer to "Security Zone" on Page 191.

2. In the Zone Configuration page, expand Threat Detection.

3. Click the Enable button next to Advanced Threat Detection.

4. If you need to capture packets, click the Capture Packets button; the system saves the evidence packets and lets you download them.

Viewing Advanced Threat Detection Information

To view the Advanced Threat Detection information:

1. Click Security Analysis > Threat Event; the page redirects to "Threat Monitor" on Page 84.

2. Click the icon, select Detected Engine and Advanced Threat Detection in the drop-down list, and then click the threat entry name in the list.

3. View the advanced threat detection information, the malware reliability information and so on.

4. Click the Evidential Packets drop-down list and select View to view the details of the packets.

5. Click Correlated Packets to view the details of the related packets.

6. Click the Evidential Packets drop-down list and select Download to download the data packets.

7. Click the icon to modify the threat status.

Deception Detection
Deception detection is a technology that deceives attackers. Its essence is to delay attack behavior or induce attackers to carry out attacks; by capturing and analyzing the attack behavior, it enables users to infer the intention of the attacks and thereby strengthen the protection of the system with technical and management measures.

The system provides a deception detection function. It makes use of IP addresses that are not in use in the intranet, and enables deception services for application layer protocols (FTP, HTTP, MYSQL, SSH, etc.) on the deception detection object. If an intranet endpoint accesses and uses these deception services, the endpoint may be infected by malware, and the system reports the related threat events and logs.

Preparing
Before enabling Deception Detection, make the following preparations:

l In the deployment configuration, make sure that the physical connection between the deception detection interface and the switches is correct, and that the monitored endpoint network segment can reach the IP address of the deception detection interface.

l You need to update the deception model database before enabling the function for the first time. For more information about how to configure the update. To ensure a proper connection to the default update server, configure a DNS server for StoneOS before updating.

Configuring Deception Detection

To configure deception detection, take the following steps:

1. Configure the interface properties: specify the IP address and bind the interface to the deception zone. For interface configuration, refer to "Configuring an Interface" on Page 195.

2. Click Configuration Management > Threat Detection Configuration > Deception Detection.

3. Click New to add a deception detection object.

In the Deception Detection page, enter the deception detection object configuration:

Option | Description
Name | Specifies the name of the deception detection object.
Binding Interface | Specifies the binding interface of the deception detection object. Note: The selected interface must already be bound to the deception zone. If the selected interface is not bound to the deception zone, click the Edit button to bind it.
Binding IP | Specifies the binding IP of the deception detection object.
Description | Enter a description for the deception detection object.

4. Expand Protocol, enable the required protocols and specify the corresponding port numbers.

5. Click OK to save the configuration.

Enabling/Disabling a Deception Detection Object

By default, a configured deception detection object takes effect immediately. You can stop its deception detection by disabling the deception detection object.

To enable/disable a deception detection object, take the following steps:

1. Click Configuration Management > Threat Detection Configuration > Deception Detection.

2. Select the deception detection object that you want to enable/disable.

3. Click Enable or Disable.

Viewing the Deception Detection Information
To view the deception detection information, take the following steps:

1. Click Security Analysis > Threat Event; the page redirects to "Threat Monitor" on Page 84.

2. Click the icon, select Detected Engine and Deception Detection in the drop-down list, and then click the threat entry name in the list.

3. View the deception detection information in the Threat Analysis tab.

4. Click the Knowledge Base tab to view the threat description, solution and so on.

5. Click the Associated Threats tab to view the other threat events associated with the selected deception detection threat event.

6. Click the History tab to view the historical information of the selected threat.

7. Click the icon to modify the threat status.

Web Attack Detection
There is a great deal of HTTP traffic in the network, and at the same time there are various attacks aimed at that HTTP traffic, such as the HTTP Flood attack. An HTTP Flood attack exhausts the resources of the server so that the server fails to respond to normal requests. The system provides the Web Attack Detection function to detect all traffic on the device in real time; if it detects attacks, the system generates threat logs. Because detecting all traffic may degrade system performance, you can choose to detect only the traffic of intranet asset servers or server groups.

Web Attack Detection configurations include the following parts:

l Configuring Web Attack Detection Global Configuration

l Configuring Web Attack Detection Rule Configuration

l Viewing Predefined Rule

l Configuring User-defined Rule

l Configuring Web Attack Detection Whitelist

Configuring Web Attack Detection Function

Web Attack Detection configurations are based on security zones. The system detects Web attacks in the traffic from the interfaces of a security zone if you enable the Web Attack Detection function when configuring the security zone.

To realize the zone-based Web Attack Detection, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 191.

2. On the Zone Configuration page, expand Threat Detection.

3. Click the Enable button next to Web Attack Detection.

4. Click Global Configuration to go to the Web Attack Detection Configuration page, and enable or disable Web Attack Detection and Full Flow Detection.

5. Click OK.

Configuring Web Attack Detection Global Configuration

Web Attack Detection global configurations include the following two parts:

l Enable/Disable the Web Attack Detection

l Enable/Disable the Full Flow Detection

To configure the Web Attack Detection global configurations, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Web Attack Detection > Global Configuration.

2. Click the Enable button next to Web Attack Detection. You need to reboot the device for the function to take effect. By default, the Web Attack Detection function is disabled.

3. After enabling Web Attack Detection, you can click the Enable button next to Full Flow Detection. If Full Flow Detection is enabled, the system detects all traffic of the device; otherwise, the system only detects the traffic of intranet asset servers or server groups. By default, the Full Flow Detection function is disabled.

4. Click OK.

Notes:

l After Web attack detection is enabled and the device is rebooted, the session spe-
cifications of the device change.

l If Full Flow Detection is enabled, the performance of the device may be affected.

Configuring Web Attack Detection Rules

The rule configuration page contains all Web Attack Detection rules in the system, including predefined rules, user-defined rules and sub-type rules. They are shown in the following three lists:

l The Type list at the top shows the types of predefined rules and user-defined rules supported by the system, and the status of each rule.

l The Sub-types list on the right shows the sub-type rules under the predefined rule, and the status of each rule.

l The Rule Management list at the bottom shows the ID, Name, Status, Severity, Capture Packet and parameters of the rules.

You can find the required rule by selecting its type and sub-type, and then enable or disable the rule as needed. When a certain rule type is enabled, the rule list or the parameter configuration page may be displayed below, and you can edit the rule parameters there. By default, most rules with high confidence and high severity are enabled, such as Directory Traversal.

Enabling/Disabling Web Attack Detection Rules

To enable/disable Web Attack Detection rules, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Web Attack Detection > Rule Configuration.

2. The device supports three methods for enabling/disabling rules.

l To configure the status of all rules of a specified rule type in one click, locate the type on the Type list. If you click the button in the Status column and switch it to the disabled state, all sub-type rules and specific rules of this type are disabled with one click. If you switch the status back to enabled, the previous status of the rules is restored. Hover your mouse over a type to view the description of the attack types that can be detected by the rule.

l To configure the status of all rules of a specified rule sub-type in one click, locate the sub-type on the Sub-type list. If you click the button in the Status column and switch it to the disabled state, all rules of this sub-type are disabled with one click. If you switch the status back to enabled, the previous status of the rules is restored. Hover your mouse over a sub-type to view the configuration suggestions for the sub-type rule and the description of the attack types that can be detected.

l To configure the status of a specific rule, locate the rule on the Rule Management list.

l Click the Enable button in the Status column to enable the rule; the rule is disabled when you switch it to disable.

l To quickly configure the status of all rules on the list, click the icon in the Status column and select Edit > Close to disable all rules on the list. To restore them to enabled, select Edit > Open.

3. Click the capture packet button on the Rule Management list to enable the packet capture function. If the packet capture function is enabled, the system captures abnormal packets, and you can view the abnormal data in the Attack Content of the Threat Log. To quickly enable the packet capture function for all rules on the list, click the icon in the Capture Packets column and select Edit > On. To quickly disable the packet capture function for all rules on the list, select Edit > Off.

4. Click OK.

Filtering Web Attack Detection Rules

On the specific rule list, you can use filter conditions to filter rules. To do this, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Web Attack Detection > Rule Configuration.

2. Click the icon in the upper-left corner of the Rule section and configure filter conditions as needed. The rules that meet the specified filter conditions are displayed on the list. The filter conditions include ID and name. You can configure multiple filter conditions, which are combined with AND logic.

You can also click a rule ID to go to the Rule Details panel. This panel displays the rule ID, name, release date,
CNNVD-ID, CVE-ID, type, subtype, severity, accuracy, found in, affected scope, configuration suggestion, fix
suggestion, and description.

Editing the Sort Order of Web Attack Detection Rules

On the specific rule list, you can edit the sort order of existing web attack detection rules. To do this, take the fol-
lowing steps:

1. Select Configuration Management > Threat Detection Configuration > Web Attack Detection > Rule Configuration. In the Rule section, sort predefined rules in ascending or descending order based on rule status or severity.

l To sort predefined rules based on status, click the icon in the Status column and select Ascending Sort or Descending Sort. Ascending order sorts the rules from disabled to enabled, while descending order sorts them the opposite way, from enabled to disabled.

l To sort predefined rules based on severity, click the icon in the Severity column and select Ascending Sort or Descending Sort. Ascending order sorts the rules from Critical to Low, while descending order sorts them the opposite way, from Low to Critical.

Notes: You cannot sort rules based on both rule status and severity at the same time.

Editing Rule Parameters

You can view and edit the parameters of some types of Web attack detection rules, such as DDoS attacks, XSS and Malware. The system supports the following two methods of editing rule parameters:

l Edit the parameters on the parameter configuration page;

l Edit the rule on the specific rule list.

Enable the specified rule type or sub-type and edit the parameter values in the lower part of the page. The following tables describe the parameter modification rules.
Enable DDoS > HTTP Flood, and configure the following options.

Option | Description
Severity | Specifies the severity of the HTTP Flood.
HTTP Flood Quick Attack |
Count Period | Specifies the period for counting requests.
Threshold | Specifies the threshold of requests in the specified period. If the number of requests exceeds the threshold, the situation is considered an HTTP Flood attack.
Custom URL | If the option is selected, it specifies the URLs to be protected in the URLs list.
HTTP Flood Slow Attack |
Request Timeout | Specifies the timeout value of HTTP requests.
Times | Specifies the threshold for consecutive timeouts of HTTP requests.

Enable XSS > CSRF, and configure the following options.

Option | Description
From URL | Specifies the URL in the form.
Target URL | Specifies the destination URL.

Enable Illegal Resource Access > Illegal Upload/Illegal Download, and configure the following options; the system filters the types of uploaded or downloaded files. Enable Illegal Resource Access > Hotlinking, and configure the following options; you can specify the URLs that may be referenced as links.

Option | Description
Severity | Specifies the severity of illegal upload, illegal download and hotlinking respectively in illegal resource access.
File Size Limit | Specifies the maximum size of a file to be uploaded or downloaded.
File Extension Limit | Specifies the restricted file types to be uploaded or downloaded. Type the extensions into the text box.
Enable MIME | If the check box is selected, the system detects the MIME type of a downloaded file. You can view the abnormal data in the logs.
MIME Type | Specifies the MIME types to be detected.
Referer Address that can be referenced as links | Specifies the URLs that may be referenced as links. Click + to add more URLs.
The following URLs can be accessed without referer | When enabled, the system allows the specified URLs to be requested without a Referer. Click + to add more URLs. An empty list means all URLs can be accessed without a Referer.

Enable Malware, and configure the following options.

Option | Description
Enable Malware > WebShell to detect Web Shell attacks. |
Count Period | Specifies the period for counting visits.
URL Access Limit | Specifies the threshold of visits from a client IP. If the number of visits from the client IP in the count period is smaller than the threshold, the URL is considered suspicious and is matched against the signatures.
IP Limit for Specified URL | Specifies the threshold of client IPs that access a URL. If the number of client IPs that access the URL in the specified period is smaller than the threshold, the URL is considered suspicious and is matched against the signatures.
Enable Malware > Malicious Behavior to detect illegal access. |
Severity | Specifies the severity of malicious behavior.
Count Period | Specifies the period for counting visits.
URL Access Limit | Specifies the threshold of URLs accessed by a client IP in the specified period. If the number of requests exceeds the threshold, the client IP is considered a malicious user.
Request Method | Specifies the HTTP request methods, including POST, GET and HEAD. You can select all of them.
Request Limit | Specifies the threshold of requests from the client IP to the URL in the specified period. If the count exceeds the threshold, the client IP is considered a malicious user.
Returning Status Code Limit | Specifies the threshold of times the server returns a non-200 status code to the client IP in the specified period, after which the client IP is considered a malicious user.
Enable Malware > Brute-force Cracking to detect brute-force cracking of passwords. |
Severity | Specifies the severity of brute-force cracking.
Login URL | Specifies the URL of the login page.
Referer Check | With the check box selected, you can specify the source pages of the login page to be matched in the following list. Click + to add more addresses to the source page list. After the configuration is completed, the system checks the source page of the login page; if the address of the source page is not on the list, the system treats it as abnormal data.
Request Method | Select the request method; the system counts the login frequency according to the selected request method.
Request Limit (GET) | When the request method is GET, you can specify the threshold for login frequency in the specified period. If the login frequency exceeds or equals the threshold, the situation is considered a brute-force cracking attack.
Request Limit (POST) | When the request method is POST, you can specify the threshold for login frequency in the specified period. If the login frequency exceeds or equals the threshold, the situation is considered a brute-force cracking attack.
Count Period | Specifies the period for counting login frequency.
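The HTTP Flood (quick attack) and Brute-force Cracking parameters above, evaluated offline over constructed access-log records, as an added Python example that is not Hillstone code; the record layout, client addresses, URLs and limit values are this example's assumptions.

```python
"""Added example (not Hillstone code): evaluate the HTTP Flood quick-attack and
Brute-force Cracking rule parameters over constructed access-log records."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class HttpFloodQuick:
    count_period: int = 60              # Count Period, seconds
    threshold: int = 100                # Threshold: requests per period
    custom_urls: set = field(default_factory=set)   # Custom URL; empty = all URLs


@dataclass
class BruteForce:
    login_url: str = "/login"           # Login URL
    count_period: int = 60              # Count Period, seconds
    request_limit_get: int = 20         # Request Limit (GET)
    request_limit_post: int = 10        # Request Limit (POST)
    methods: set = field(default_factory=lambda: {"GET", "POST"})   # Request Method
    allowed_referers: set = field(default_factory=set)   # Referer Check; empty = off


class WindowCounter:
    """Counts events per key inside a sliding window of `period` seconds."""

    def __init__(self, period):
        self.period = period
        self.hits = defaultdict(deque)

    def add(self, key, ts):
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] >= self.period:
            q.popleft()
        return len(q)


class WebAttackDetector:
    def __init__(self, flood, brute):
        self.flood, self.brute = flood, brute
        self.flood_counter = WindowCounter(flood.count_period)
        self.login_counter = WindowCounter(brute.count_period)
        self.alerted = set()   # one alert per (rule, client)

    def _once(self, rule, client, count):
        if (rule, client) in self.alerted:
            return None
        self.alerted.add((rule, client))
        return {"rule": rule, "client": client, "count": count}

    def process(self, rec):
        """rec: dict with ts, client, method, url, referer. Returns new alerts."""
        alerts = []
        f, b = self.flood, self.brute
        # HTTP Flood quick attack: requests per client in the count period,
        # restricted to the protected URLs when Custom URL is configured.
        if not f.custom_urls or rec["url"] in f.custom_urls:
            n = self.flood_counter.add(rec["client"], rec["ts"])
            if n > f.threshold:                       # "exceeds the threshold"
                alerts.append(self._once("HTTP Flood", rec["client"], n))
        # Brute-force cracking: login requests per client and method.
        if rec["url"] == b.login_url and rec["method"] in b.methods:
            if b.allowed_referers and rec.get("referer") not in b.allowed_referers:
                alerts.append(self._once("Abnormal Referer", rec["client"], 1))
            n = self.login_counter.add((rec["client"], rec["method"]), rec["ts"])
            limit = b.request_limit_get if rec["method"] == "GET" else b.request_limit_post
            if n >= limit:                            # "exceeds or equals"
                alerts.append(self._once("Brute-force Cracking", rec["client"], n))
        return [a for a in alerts if a is not None]


def run_sample():
    """Constructed log records; returns the alerts raised, in order."""
    det = WebAttackDetector(
        HttpFloodQuick(count_period=60, threshold=100, custom_urls={"/index.html"}),
        BruteForce(allowed_referers={"https://shop.example/login"}),
    )
    records = []
    # 120 requests to a protected URL in 30 s from one client: flood at the 101st.
    for i in range(120):
        records.append({"ts": i * 0.25, "client": "203.0.113.5", "method": "GET",
                        "url": "/index.html", "referer": None})
    # 150 requests to an unprotected URL: not counted because of Custom URL.
    for i in range(150):
        records.append({"ts": 40 + i * 0.1, "client": "192.0.2.7", "method": "GET",
                        "url": "/static/logo.png", "referer": None})
    # One login POST with a Referer outside the list, then nine with a valid one.
    records.append({"ts": 100.0, "client": "198.51.100.9", "method": "POST",
                    "url": "/login", "referer": "https://evil.example/"})
    for i in range(9):
        records.append({"ts": 101 + i * 2.0, "client": "198.51.100.9", "method": "POST",
                        "url": "/login", "referer": "https://shop.example/login"})
    found = []
    for rec in records:
        found.extend(det.process(rec))
    return found


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```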

Enable the specified rule type or sub-type and edit the parameter values in the Rule Management list. To edit a parameter in the Parameter column, click the icon, and the Rule Parameter Edit dialog box appears. If there is no icon in the Parameter column, the parameter cannot be edited. The following table describes the parameter modification rules.

Descriptions of options in the Parameter column.


Option Description

When HTTP Protocol Anomaly is enabled, configure the editable parameters in the Parameter column as fol-
lows:

URL max length Configure the maximum URL length in HTTP requests. The value range is 1 to 10240. The
default value is 8192.

User-agent max length Configure the maximum length of the User-agent HTTP request header. The value range is 1 to 10240. The default value is 4096.

Referer max length Configure the maximum length of the Referer HTTP request header. The value range is 1 to 10240. The default value is 4096.

Accept-charset max length Configure the maximum length of the Accept-charset HTTP request header. The value range is 1 to 10240. The default value is 4096.

Content max length Configure the maximum length of the HTTP request content (body). The value range is 1 to 2147436480. The default value is 16384000.

Cookie max length Configure the maximum length of the Cookie HTTP request header. The value range is 1 to 10240. The default value is 4096.

Cookie max number Configure the maximum number of cookies in the Cookie HTTP request header. The value range is 1 to 10240. The default value is 64.

Accept max length Configure the maximum length of the Accept HTTP request header. The value range is 1 to
10240. The default value is 4096.

Range max number Configure the maximum number of ranges in the Range HTTP request header. The value
range is 1 to 32. The default value is 5.

HTTP header maximum number Configure the maximum number of HTTP headers. The value range is 1 to 256. The default value is 128.

Header name max length Configure the maximum length of HTTP header names. The value range is 1 to 256. The default value is 128.

Header value max length Configure the maximum length of HTTP header values. The value range is 1 to 10240. The default value is 4096.

Argument max number Configure the maximum number of parameters sent to the web server in an HTTP request. The value range is 1 to 2048. The default value is 256.

Argument max total length Configure the maximum total length of the parameters sent to the web server in an HTTP request. The value range is 1 to 131072. The default value is 8192.

Response header value max length Configure the maximum length of HTTP response header values. The value range is 1 to 4096. The default value is 1024.

Response header name max length Configure the maximum length of HTTP response header names. The value range is 1 to 128. The default value is 64.

Max number of multipart file uploads Configure the maximum number of files uploaded in one multipart request. The value range is 1 to 128. The default value is 64.
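The following Python is an added example, not part of this guide or of the product, showing how a raw request is checked against the HTTP Protocol Anomaly limits above using their default values. The limit names and defaults are the ones in the table; the parser, the way cookies, ranges and arguments are counted, and the two sample requests are assumptions made here for illustration.

```python
"""Checks a raw HTTP request against the HTTP Protocol Anomaly limits.

Added example, not Hillstone code. Limit names and defaults follow the table;
the parsing and counting rules and the sample requests are assumptions.
"""
from urllib.parse import parse_qsl, urlsplit

DEFAULT_LIMITS = {
    "url_max_length": 8192, "user_agent_max_length": 4096, "referer_max_length": 4096,
    "accept_charset_max_length": 4096, "accept_max_length": 4096, "cookie_max_length": 4096,
    "cookie_max_number": 64, "range_max_number": 5, "header_max_number": 128,
    "header_name_max_length": 128, "header_value_max_length": 4096,
    "argument_max_number": 256, "argument_max_total_length": 8192,
    "content_max_length": 16384000,
}

# Request headers that carry their own length limit in addition to the generic one.
_PER_HEADER_LIMIT = {
    "user-agent": "user_agent_max_length", "referer": "referer_max_length",
    "accept-charset": "accept_charset_max_length", "accept": "accept_max_length",
    "cookie": "cookie_max_length",
}


def parse_request(raw):
    """Split a raw request into (method, target, [(name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return method, target, headers, body


def check_request(raw, limits=DEFAULT_LIMITS):
    """Return the sorted list of limit names the request violates (empty if none)."""
    violations = set()
    _method, target, headers, body = parse_request(raw)
    if len(target) > limits["url_max_length"]:
        violations.add("url_max_length")
    if len(headers) > limits["header_max_number"]:
        violations.add("header_max_number")
    first = {}                                      # first value of each header, lower-cased name
    for name, value in headers:
        if len(name) > limits["header_name_max_length"]:
            violations.add("header_name_max_length")
        if len(value) > limits["header_value_max_length"]:
            violations.add("header_value_max_length")
        key = _PER_HEADER_LIMIT.get(name.lower())
        if key and len(value) > limits[key]:
            violations.add(key)
        first.setdefault(name.lower(), value)
    # Cookie count: "name=value" pairs separated by semicolons.
    cookies = [c for c in first.get("cookie", "").split(";") if c.strip()]
    if len(cookies) > limits["cookie_max_number"]:
        violations.add("cookie_max_number")
    # Range count: comma-separated byte ranges after "bytes=".
    ranges = [r for r in first.get("range", "").partition("=")[2].split(",") if r.strip()]
    if len(ranges) > limits["range_max_number"]:
        violations.add("range_max_number")
    # Arguments: query string plus a form-urlencoded body.
    args = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if first.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        args += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    if len(args) > limits["argument_max_number"]:
        violations.add("argument_max_number")
    if sum(len(k) + len(v) for k, v in args) > limits["argument_max_total_length"]:
        violations.add("argument_max_total_length")
    if len(body) > limits["content_max_length"]:
        violations.add("content_max_length")
    return sorted(violations)


def sample_requests():
    """Two constructed requests: a normal one and one breaking three limits."""
    normal = (b"GET /index.html?q=1 HTTP/1.1\r\nHost: www.example.test\r\n"
              b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")
    cookies = "; ".join(f"c{i}=v" for i in range(65))                   # 65 > 64 cookies
    query = "&".join(f"a{i}=1" for i in range(300))                     # 300 > 256 arguments
    abnormal = (f"GET /dl?{query} HTTP/1.1\r\nHost: www.example.test\r\n"
                f"Cookie: {cookies}\r\n"
                f"Range: bytes=0-1,2-3,4-5,6-7,8-9,10-11\r\n\r\n").encode()   # 6 > 5 ranges
    return normal, abnormal
```

Passing a modified copy of `DEFAULT_LIMITS` reproduces the effect of lowering a value in the Rule Parameter Edit dialog; the Range and cookie counts are what make the oversized multi-range requests and cookie floods that these parameters target visible, where a pure length check would not fire.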

When Injection Attack > XML Injection is enabled, configure the editable parameters in the Parameter column as follows:

Request XML text max total length Configure the maximum total length of XML text in a request. The value range is 1 to 131072. The default value is 1024.

When Information Leakage > Keyword Leakage is enabled, configure the editable parameters in the Parameter column as follows:

Keywords Keywords whose appearance in traffic is reported as information leakage. Multiple keywords are separated by semicolons (;).

When Information Leakage > Personal Information Leakage is enabled, configure the editable parameters in the Parameter column as follows:

Allowed_Mainland_China_phone_number Mainland China mobile phone numbers that are publicly available and therefore not reported as leakage. Multiple mobile phone numbers are separated by semicolons (;). The default value is None.

Allowed_email_address Email addresses that are publicly available and therefore not reported as leakage. Multiple email addresses are separated by semicolons (;). The default value is None.

When Special Web Vulnerability > Web Application Vulnerability is enabled, configure the editable parameters in the Parameter column as follows:

Cookie rememberMe max length Configure the maximum length of the rememberMe cookie. The value range is 1 to 10240. The default value is 2048.

Viewing Predefined Rules

The system supports 9 predefined rule types: HTTP Protocol Anomaly, DDoS, Injection Attack, XSS, Information Leakage, Access Detection, Special Web Vulnerability, Illegal Resource Access, and Malware. Each type contains multiple sub-types that detect common attacks directly. On the Predefined Rule page you can view the ID, Name, Type, Subtype, Severity, Accuracy, and Release Date of each rule.

Types of detection rules and their sub-types:


Option Description

HTTP Protocol Anomaly ----

DDoS HTTP Flood.

Injection Attack SQL Injection, LDAP Injection, SSI Directive Injection, XPath Injection, Command Injection, Remote File Inclusion, Local File Inclusion, Code Injection, Email Injection, XML Injection, and Other Injection.

XSS XSS and CSRF.


Information Leakage Server Information Leakage, Database Information Leakage, Directory Content Leakage,
Code Information Leakage, Keyword Leakage, Personal Information Leakage, and Other
Leakage.

Access Detection Scanner, Crawler and Directory Traversal.

Special Web Vulnerability Web Server Vulnerability, Web Framework Vulnerability, Web Application Vulnerability, and Other Vulnerability.

Illegal Resource Access Illegal Upload, Illegal Download, and Hotlinking.

Malware WebShell, Malicious Behavior, Trojan and Brute-force Cracking.

To view predefined rules, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Web Attack Detection > Pre-
defined Rule.

2. In the left-side Predefined Rule Tree navigation pane, click All Predefined Rule to expand all predefined
rules.

3. In the left-side navigation pane, click a predefined rule type. All predefined rules of this type are displayed
on the right side.

4. Click the filter icon in the upper left corner. The filter conditions include ID, Name, Type, Severity, Description, Keyword, CNNVD-ID\CVE-ID, and rules released in the last three months. You can configure multiple filter conditions; they are combined with AND.

Rule Search

The system supports searching for vulnerability information from the CNNVD and CVE databases. Every week the system obtains the latest vulnerability information from the official CNNVD website and saves it. The saved vulnerability information is mapped to CNNVD entries and released with the weekly signature database update.

• CNNVD: China National Vulnerability Database of Information Security (CNNVD) is run by the China Information Technology Security Evaluation Center (CNITSEC) to provide vulnerability analysis and risk assessment services, which are fundamental to China's information security. The CNNVD Compatibility Service is provided by CNNVD so that information security practitioners can conduct standardized assessment and certification of vulnerability information related to their products and services. With products and services that are compatible with CNNVD, vulnerabilities are given standardized names and descriptions, which improves the sharing of vulnerability information and the service capabilities of China's domestic information security industry. By using the CNNVD-ID, vulnerability information can be shared across security platforms, strengthening the capabilities of security products.

• CVE: Common Vulnerabilities and Exposures. CVE is a dictionary of publicly disclosed cyber security vulnerabilities and exposures. It assigns a unique name and a standardized description to each vulnerability and exposure. Fix information for CVE entries is available in separate CVE-compatible databases.

You can add a filter condition, CNNVD-ID or CVE-ID, and enter the identifier into the search box behind the filter condition. For example, to search for the vulnerability with CNNVD-ID 201808-740, type 201808-740 into the search box behind CNNVD-ID; the security rule corresponding to that vulnerability is then displayed.

Click + in front of a rule to open its details, including ID, Name, Release Date, CNNVD-ID\CVE-ID, Type, Severity, Accuracy, Found in, Affected Scope, Configuration Suggestion, Fix Suggestion, and Description. Click - to close the details.

Configuring User-defined Rule

You can configure user-defined rules as needed to detect specified attacks.

To create user-defined rules, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Web Attack Detection > User-
defined Rule.

2. Click New. To edit/delete a user-defined rule, select the user-defined rule check box and click Edit/Delete.

In the Rule Configuration page, configure the following options.
Option Description

Name Specifies the name of the rule. The value range is 1 to 255 characters.

Direction Specifies a traffic detection direction. You can select Request, Response, or Both .

Matching Condition Click New to create a matching condition. Specifies the Field, Sub-field, Operator, Matching Text/Regular Expression, Decoding, and Case Insensitive of the rule. You can create a maximum of 32 matching conditions. Click the Delete button to delete unneeded matching conditions.

Severity Select the severity of threats in the drop-down list, including Critical, High, Medium,
and Low.

Alarm Message Specifies the alarm message to be shown in logs.

Description Specifies the description of the rule.

3. Click OK.
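As an added example that is not code from this guide or from the product, the following Python shows how a user-defined rule built from the options above can be evaluated against traffic. The option names (Direction, Field, Sub-field, Operator, Matching Text/Regular Expression, Decoding, Case Insensitive, Severity, Alarm Message) and the 32-condition limit come from the table; the concrete operator set, the decoders, the assumption that all conditions of one rule must match, the message layout and the sample traffic are assumptions made here.

```python
"""A user-defined Web attack rule: Direction plus AND-combined matching conditions.

Added example, not Hillstone code. Operator set, decoders, the all-conditions-
must-match rule, the message layout and the sample traffic are assumptions.
"""
import re
from urllib.parse import unquote_plus

MAX_CONDITIONS = 32                     # page limit: at most 32 matching conditions per rule


def decode(value, decoding):
    """Assumed decoder set: "none" or "url" (repeated so double-encoding is undone too)."""
    if decoding == "url":
        for _ in range(3):
            decoded = unquote_plus(value)
            if decoded == value:
                break
            value = decoded
    return value


class Condition:
    OPERATORS = ("contains", "equals", "prefix", "regex")

    def __init__(self, field, operator, pattern, sub_field=None,
                 decoding="none", case_insensitive=False):
        if operator not in self.OPERATORS:
            raise ValueError(f"unknown operator {operator!r}")
        self.field, self.sub_field = field, sub_field
        self.operator, self.pattern = operator, pattern
        self.decoding, self.case_insensitive = decoding, case_insensitive
        flags = re.IGNORECASE if case_insensitive else 0
        self._regex = re.compile(pattern, flags) if operator == "regex" else None

    def extract(self, message):
        """Field value; for dict-valued fields (headers) Sub-field names the entry."""
        value = message.get(self.field)
        if isinstance(value, dict):
            value = value.get((self.sub_field or "").lower())
        return "" if value is None else str(value)

    def matches(self, message):
        value = decode(self.extract(message), self.decoding)
        if self._regex is not None:
            return self._regex.search(value) is not None
        pattern = self.pattern
        if self.case_insensitive:
            value, pattern = value.lower(), pattern.lower()
        if self.operator == "contains":
            return pattern in value
        if self.operator == "equals":
            return value == pattern
        return value.startswith(pattern)                 # "prefix"


class Rule:
    def __init__(self, name, direction, conditions, severity, alarm_message):
        if not 1 <= len(name) <= 255:
            raise ValueError("name must be 1 to 255 characters")
        if direction not in ("request", "response", "both"):
            raise ValueError("direction must be request, response or both")
        if not 1 <= len(conditions) <= MAX_CONDITIONS:
            raise ValueError(f"1 to {MAX_CONDITIONS} matching conditions required")
        self.name, self.direction, self.conditions = name, direction, conditions
        self.severity, self.alarm_message = severity, alarm_message

    def evaluate(self, message):
        """Alarm dict when the message is in scope and every condition matches, else None."""
        if self.direction != "both" and message["direction"] != self.direction:
            return None
        if all(c.matches(message) for c in self.conditions):
            return {"rule": self.name, "severity": self.severity, "message": self.alarm_message}
        return None


def sample_rule():
    """Traversal sequence in the URL-decoded request, sent by a curl-like client."""
    return Rule(
        name="traversal-from-cli-client", direction="request",
        conditions=[
            Condition("url", "contains", "../", decoding="url"),
            Condition("headers", "regex", r"^curl/", sub_field="User-Agent", case_insensitive=True),
        ],
        severity="High", alarm_message="Path traversal attempt from a command-line client",
    )


def sample_messages():
    """Constructed traffic; header names are stored lower-cased by the (assumed) normaliser."""
    return [
        {"direction": "request", "url": "/download?file=..%252F..%252Fetc%252Fpasswd",
         "headers": {"user-agent": "cURL/8.4.0"}},                  # double-encoded traversal
        {"direction": "request", "url": "/download?file=report.pdf",
         "headers": {"user-agent": "cURL/8.4.0"}},                  # benign
        {"direction": "response", "url": "/download?file=../../etc/passwd",
         "headers": {"user-agent": "cURL/8.4.0"}},                  # wrong direction for this rule
    ]
```

The Decoding option matters more than it looks: without URL decoding, the first sample request never contains the literal `../`, and the rule is bypassed by a single extra layer of percent-encoding. Decoding until the value is stable closes that gap at the cost of a few extra passes per condition.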

Configuring Web Attack Detection Whitelist

The system provides a whitelist for the Web attack detection function. For traffic that matches the whitelist, the system skips detection; for traffic that does not match, the system continues to detect Web attacks. A whitelist entry consists of a source address and a destination address; you must configure at least one of them. When both are configured, only traffic that matches both is considered on the whitelist. The system does not detect Web attacks for traffic on the whitelist. You can configure the whitelist as required.

To create a whitelist, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Web Attack Detection >
Whitelist.

2. Click New. To edit/delete an IP address on the whitelist, select the check box in front of the IP address and
click Edit/Delete.

In the Whitelist Configuration page, configure the following options.
Option Description

Name Specifies the name of the whitelist entry. The value range is 1 to 255 characters.

Type By default, the IP type here is IPv4. Valid values: IPv4 and IPv6.

Source Address Specifies the source address of the whitelist entry. The system matches the source address of all HTTP traffic passing through the device against it.

Destination Address Specifies the destination address of the whitelist entry. The system matches the destination address of all HTTP traffic passing through the device against it.

3. Click OK.

Click the filter icon to add filter conditions. You can filter by Name, Source Address, or Destination Address; the system then displays the whitelist entries that meet the filter conditions.

Encrypted Traffic Detection


Traffic protected by encryption is called encrypted traffic. Malicious traffic is often hidden inside SSL/TLS connections, where it is hard to inspect and can pose a great threat to network security. After you configure the Encrypted Traffic Detection function, the system extracts feature data from encrypted traffic and evaluates it with the detection model in the encrypted traffic detection database. If abnormal encrypted traffic is detected, the system records threat logs.

The system supports daily automatic update of the encrypted traffic detection database or you can manually
update the database in real time. For more information, see the Updating Signature Database section of the
"Upgrading System" on Page 414 topic.

Configuring the Encrypted Traffic Detection Function


To configure the Encrypted Traffic Detection function, take the following steps:

1. Select Configuration Management > Threat Detection Configuration > Encrypted Traffic Detection .

On the Encrypted Traffic Detection page, configure the following options:
Option Description

Detection Switch Click the button to enable or disable the Encrypted Traffic Detection function. By default, this function is disabled.

Predefined Domain Whitelist Click the button to enable or disable the predefined domain whitelist. By default, the whitelist is enabled. The predefined domain whitelist contains 10,000 common domain names. If the domain of the traffic is in the predefined domain whitelist, the traffic is considered normal and is not inspected by the Encrypted Traffic Detection function. You can update the predefined domain whitelist by updating the encrypted traffic detection database.

IP Whitelists Traffic from the IP addresses or CIDR blocks in the whitelist is not detected by the Encrypted Traffic Detection function. To configure an IP whitelist, take the following steps:

1. Click New. The Whitelist Configuration panel appears.

2. In the White List ID field, enter the whitelist ID. Valid values: 1 to 64, which means you can create up to 64 entries in the whitelist.

3. In the Type field, specify the IP address type. Valid values: IPv4 and IPv6.

4. In the Content Type field, specify whether the entry matches by source or by destination. Valid values: Source IP based and Destination IP based.

5. In the Member field, add an address member to the IP whitelist.

• If Type is IPv4, specify the IPv4 address and subnet mask to add to the whitelist.

• If Type is IPv6, specify the IPv6 address and prefix length to add to the whitelist. Valid values of the prefix length: 120 to 128.

6. Click OK. Added entries appear in the IP whitelist list. To edit or delete an entry, select it and click Edit or Delete.

2. Click OK.
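The two whitelists on this page have different matching semantics, and the following Python, an added example rather than code from the guide or the product, implements both: the Web attack detection whitelist entry (source and/or destination address, every configured side must match) and the encrypted traffic IP whitelist (up to 64 entries, each source-based or destination-based, IPv6 prefix length 120 to 128). Class names, the use of CIDR notation for members and the sample addresses are assumptions made here for illustration.

```python
"""Whitelist matching for Web attack detection and encrypted traffic detection.

Added example, not Hillstone code. Class names, CIDR member notation and the
sample addresses are assumptions; the matching rules follow the page text.
"""
import ipaddress


class WebAttackWhitelistEntry:
    """Source and/or destination network; every configured side must match."""

    def __init__(self, name, source=None, destination=None):
        if not 1 <= len(name) <= 255:
            raise ValueError("name must be 1 to 255 characters")
        if source is None and destination is None:
            raise ValueError("configure at least one of source and destination")
        self.name = name
        self.source = ipaddress.ip_network(source, strict=False) if source else None
        self.destination = ipaddress.ip_network(destination, strict=False) if destination else None

    def matches(self, src_ip, dst_ip):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if self.source is not None and src not in self.source:        # version mismatch -> False
            return False
        if self.destination is not None and dst not in self.destination:
            return False
        return True


class EncryptedTrafficIPWhitelist:
    MAX_ENTRIES = 64                       # White List ID range 1 to 64

    def __init__(self):
        self.entries = {}                  # whitelist ID -> (content type, network)

    def add(self, entry_id, content_type, member):
        if not 1 <= entry_id <= self.MAX_ENTRIES:
            raise ValueError(f"whitelist ID must be 1 to {self.MAX_ENTRIES}")
        if content_type not in ("source", "destination"):
            raise ValueError("content type must be source or destination")
        network = ipaddress.ip_network(member, strict=False)
        if network.version == 6 and not 120 <= network.prefixlen <= 128:
            raise ValueError("IPv6 prefix length must be 120 to 128")
        self.entries[entry_id] = (content_type, network)

    def skips_detection(self, src_ip, dst_ip):
        """True when any entry contains the address on the side it is based on."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for content_type, network in self.entries.values():
            if (src if content_type == "source" else dst) in network:
                return True
        return False


def web_whitelist_decisions():
    """Constructed check: a scanner subnet may reach exactly one server unchecked."""
    entry = WebAttackWhitelistEntry("vuln-scanner", source="10.0.0.0/24", destination="192.0.2.10")
    return (entry.matches("10.0.0.5", "192.0.2.10"),    # both sides match -> detection skipped
            entry.matches("10.0.0.5", "192.0.2.11"),    # destination differs -> detected
            entry.matches("10.1.0.5", "192.0.2.10"))    # source differs -> detected


def encrypted_whitelist_decisions():
    """Constructed check of source-based and destination-based entries."""
    wl = EncryptedTrafficIPWhitelist()
    wl.add(1, "source", "2001:db8::/120")
    wl.add(2, "destination", "203.0.113.0/24")
    return (wl.skips_detection("2001:db8::1f", "2001:db8:1::1"),    # source in entry 1
            wl.skips_detection("10.0.0.1", "203.0.113.9"),           # destination in entry 2
            wl.skips_detection("2001:db8:1::1", "2001:db8::1f"))     # neither side matches
```

The prefix-length floor of 120 for IPv6 members keeps an encrypted-traffic whitelist entry to at most 256 addresses, which is the point: a whitelist that bypasses detection should be as narrow as the operational need, and `ipaddress` refuses the broad `/64` so the mistake surfaces at configuration time rather than as a silent gap.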

Chapter 9 System Management
System management includes:

• "System Information" on Page 188

• "Device Management" on Page 388

• "Configuration File Management" on Page 404

• "SNMP" on Page 407

• "Upgrading System" on Page 414

• "License" on Page 419

• "Mail Server" on Page 425

• "Connecting to HSM" on Page 436

• "Connecting to Hillstone Cloud Service Platform" on Page 441

• "Connecting to the Threat Trace Server" on Page 439

• "PKI" on Page 445


Device Management
Introduces how to configure Administrator, Trust Host, MGT Interface, System Time, NTP Key and system
options.

Administrators
Device administrators of different roles have different privileges.

The system defines the following administrator roles, which cannot be deleted or edited:

• Administrator: Permission for reading, executing and writing. This role has authority over all features and can view the current or historical configuration information.

• Administrator(read-only): Permission for reading and executing. This role can view the current or historical configuration information.

• Operator: Authority over all features except modifying the Administrator's configuration, and no permission to view log information.

• Auditor: Can only operate on log information, including viewing, exporting and clearing it.

Notes:

• The device ships with a default administrator named hillstone. You can modify the settings of hillstone, but this account cannot be deleted.

• Administrators of other roles (other than the default administrator) cannot configure admin settings, except modifying their own password.

• A system auditor can manage one or multiple logs, while only a system administrator can manage the log types.

• ThreatSensor series devices do not support the Operator role.

Creating an Administrator Account

To create an administrator account:

1. Select Configuration Management > System Configuration > Device Management > Administrators.

2. Click New.

3. In the Configuration page, enter values.

Configure the following options.


Option Description

Name Type a name for the system administrator account.

Role From the Role drop-down list, select a role for the administrator account. Different roles have different privileges.

• Administrator: Permission for reading, executing and writing. This role has authority over all features.

• Operator: Authority over all features except modifying the Administrator's configuration, and no permission to view log information.

• Auditor: Can only operate on log information, including viewing, exporting and clearing it.

• Administrator(read-only): Permission for reading and executing. This role can view the current or historical configuration information.

Notes: ThreatSensor series devices do not support the Operator role.

Password Type a login password for the admin into the Password box. The
password should meet the requirement of Password Strategy.

Confirm Password Re-type the password into the Confirm Password box.

Login Type Select the access method(s) for the admin, including Console, Telnet,
SSH, HTTP and HTTPS. If you need all access methods, select
Select All.

Description Enter descriptions for the administrator account.

4. Click OK. The newly-created administrator account will be displayed in the list.

Admin Roles
Device administrators of different roles have different privileges. The system supports pre-defined administrator
roles and customized administrator roles. The pre-defined administrator role cannot be deleted or edited. You can
customize administrator roles according to your requirements:

To create a new administrator role:

1. Select Configuration Management > System Configuration > Device Management > Admin Roles.

2. Click New.

3. In the Configuration page, configure as follows:


Option Description

Role Enter the role name.


CLI Specify the administrator role's privileges of CLI.

WebUI Click a module name to set the administrator role's privilege for that module. The icon next to the module name shows one of three privilege levels: no privilege (the role cannot read or write the configuration of the module), read-only (the role can read but not write the configuration of the module), and read/write (the role can read and write the configuration of the module).

Description Specify the description for this administrator role.

4. Click OK to save the settings.

Notes: ThreatSensor series devices do not support configuring the role's privilege for Incident Response and Report & Log.

API Token
After you enable SMS or email authentication, administrators can log in to the device through the RESTful API only with API token authentication. You can create an API token for a specified administrator and update, renew, clear, enable, or disable it.

Creating an API Token

To create an API token, take the following steps:

1. Select Configuration Management > System Configuration > API Token .

2. Select the administrator that you want to manage and click Create.

3. On the API Token Configuration page, configure the following options:


Option Description

Name Displays the name of the administrator for whom the API token is created.

Validity Period Specifies the validity period of the API token. Valid values: 10 days,
30 days, 60 days, 180 days, 365 days, Long Term, and User-defined.
Default value: 60 days.

Custom Validity Period If the Validity Period parameter is set to User-defined, you need to configure this parameter. Valid values: 0 to 365 days.

4. Click OK. The newly created API token will be displayed in the API token list and will be enabled by
default.

In the API token list, you can also perform the following operations after selecting an API token:

• Click Update to update the API token and its validity period. A new API token value is generated after the update.

• Click Renew to renew an API token in the enabled or expired state. The value of the API token does not change after the renewal; the expiration date is recalculated from the current date. For example, if the validity period of the token of administrator "test" is 10 days, the current date is November 17, 2022, and the expiration date is November 25, 2022, the expiration date becomes November 27, 2022 after the renewal.

• Click Clear to delete an API token. If you delete an administrator, the system automatically deletes its API token.

• Click Enable to enable an API token. The validity period of the API token is recalculated. For example, if the original validity period is 30 days, the validity period becomes 30 days again after you enable this API token.

• Click Disable to disable an API token.

Trust Host
To enhance security, the device allows only trust hosts to manage it. An administrator can specify an IP range; hosts in the specified range are trust hosts, and only trust hosts can access the management interface to manage the device.

Creating a Trust Host

To create a trust host:

1. Select Configuration Management > System Configuration > Device Management > Trusted Host.

2. Click New.

3. In the Trust Host Configuration page, enter values.

Configure the following options.


Option Description

Type Specifies the type of host. You can select IP/Netmask or IP Range.

• IP/Netmask: Type the IP address and netmask into the IP boxes.

• IP Range: Type the start IP and end IP into the IP boxes.

Login Type Select the access methods for the trust host, including Telnet,
SSH, HTTP and HTTPS.

4. Click OK.

Management Interface
The device supports the following access methods: Console, Telnet, SSH and WebUI. You can configure the timeout value and port number of each. When accessing the device through Telnet, SSH, HTTP or HTTPS, if login fails three times within one minute, the IP address that attempted the login is blocked for 2 minutes, during which it cannot connect to the device. (The attempt count and locking time can be changed under Option > Login Strategy.)

To configure the access methods:

1. Select Configuration Management > System Configuration > Device Management > Management Inter-
face.

2. Configure the following options.
Option Description

Console Configure the Console access method parameters.

• Timeout: Type the Console timeout value into the Timeout box. The value range is 0 to 60. The default value is 10. The value 0 indicates no timeout. If there is no activity until the timeout, the system drops the console connection.

Telnet Configure the Telnet access method parameters.

• Timeout: Specifies the Telnet timeout value. The value range is 1 to 60. The default value is 10.

• Port: Specifies the Telnet port number. The value range is 1 to 65535. The default value is 23.

SSH Configure the SSH access method parameters.

• Timeout: Specifies the SSH timeout value. The value range is 1 to 60. The default value is 10.

• Port: Specifies the SSH port number. The value range is 1 to 65535. The default value is 22.

Web Configure the WebUI access method parameters.

• Timeout: Specifies the WebUI timeout value. The value range is 1 to 1440. The default value is 10.

• HTTP Port: Specifies the HTTP port number. The value range is 1 to 65535. The default value is 80.

• HTTPS Port: Specifies the HTTPS port number. The value range is 1 to 65535. The default value is 443.

3. Click OK.

Notes: When changing HTTP port, HTTPS port or HTTPS Trust Domain, the web server
will restart. You may need to log in again if you are using the Web interface.

System Time
You can configure the current system time manually, or synchronize the system time with the NTP server time
via NTP protocol.

Configuring the System Time Manually

To configure the system time manually:

1. Select Configuration Management > System Configuration > Device Management > System Time.

2. In the System Time Configuration page, configure the followings.


Option Description

Sync with Local PC Specifies how to synchronize with the local PC. You can select Sync Time or Sync Zone&Time.

• Sync Time: Synchronize the system time with the local PC.

• Sync Zone&Time: Synchronize the system time zone and time with the local PC.

Specify the system time Configure the system time parameters.

• Time Zone: Select the time zone from the drop-down list.

• Date: Specifies the date.

• Time: Specifies the time.

3. Click OK.

Configuring NTP

To ensure the system maintains an accurate time, the device allows you to synchronize the system time with an NTP server on the network via the NTP protocol.

To configure NTP:

1. Select Configuration Management > System Configuration > Device Management > System Time.

2. In the System Time Configuration page, configure the followings.


Option Description

Enable NTP Click the Enable button to enable the NTP function. By default, the NTP function is disabled.

Authentication Click the Enable button of Authentication to enable the NTP Authentication function.

NTP Server Specifies the NTP servers that the device synchronizes with. You can specify at most 3 servers.

• IP: Type the IP address of the server.

• Key: Select a key from the Key drop-down list. If you enable the NTP Authentication function, you must specify a key.

• Source interface: Select an interface for sending and receiving NTP packets.

• Specify as a preferred server: Click Specify as a preferred server to set the server as the first preferred server. The system synchronizes with the first preferred server.

Sync Interval Type the interval value. The device synchronizes the system time with the NTP server at the specified interval to keep the system time accurate.

Time Offset Type the maximum adjustment value. If the difference between the system time and the NTP server's time is within this value, the synchronization succeeds; otherwise it fails.

3. Click OK.

NTP Key
After enabling the NTP Authentication function, you need to configure an MD5 key ID and key. The device then synchronizes only with servers that authenticate with a configured key.

Creating a NTP Key

To create an NTP key:

1. Select Configuration Management > System Configuration > Device Management > NTP Key.

2. Click New.

3. In the NTP Key Configuration page, enter values.

Configure the following options.


Option Description

Key ID Type the ID number into the Key ID box. The value range is 1 to 65535.

Password Type an MD5 key into the Password box. The length is 1 to 31 characters.

Confirm Password Re-type the same MD5 key into the Confirm Password box.

4. Click OK.
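To make concrete what the Key ID and MD5 key above are used for, the following Python is an added example, not code from this guide or from the product. It implements NTP symmetric-key authentication as specified in RFC 5905: the sender appends the 4-byte key ID and MD5(key || NTP header) to the 48-byte header, and the receiver looks the key up by ID and recomputes the digest. The key ID range (1 to 65535) and key length (1 to 31) are the limits from this page; the sample key and timestamp are constructed for illustration.

```python
"""NTP symmetric-key (MD5) authentication, RFC 5905 style.

Added example, not Hillstone code. Sample key and timestamp are constructed;
key ID and key length limits are the ones given on this page.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800          # seconds between 1900-01-01 and 1970-01-01
MAC_LEN = 4 + 16                       # key ID + MD5 digest


def build_client_header(transmit_unix_seconds):
    """Minimal NTPv4 client request (LI=0, VN=4, Mode=3) with a transmit timestamp."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (0 << 6) | (4 << 3) | 3
    seconds = (transmit_unix_seconds + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    struct.pack_into("!II", header, 40, seconds, 0)    # transmit timestamp lives at offset 40
    return bytes(header)


def _validate(key_id, key):
    if not 1 <= key_id <= 65535:
        raise ValueError("key ID must be 1 to 65535")
    if not 1 <= len(key) <= 31:
        raise ValueError("key must be 1 to 31 bytes")


def authenticate(header, key_id, key):
    """Append the MAC: big-endian key ID followed by MD5(key || header)."""
    _validate(key_id, key)
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys):
    """Check a received packet against {key_id: key}; False on any mismatch."""
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return False                                   # no MAC present: not authenticated
    body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False                                   # unknown key ID: not a trusted server
    expected = hashlib.md5(key + body).digest()
    return hmac.compare_digest(expected, mac[4:])      # constant-time comparison


def demo():
    """Sign one request and verify it under several conditions.

    Returns (packet length, valid, wrong key, tampered header, unknown key ID).
    """
    header = build_client_header(1700000000)           # constructed sample timestamp
    packet = authenticate(header, 7, b"ntp-secret")
    tampered = bytearray(packet)
    tampered[1] ^= 0x01                                # flip one bit of the stratum byte
    return (
        len(packet),
        verify(packet, {7: b"ntp-secret"}),
        verify(packet, {7: b"wrong-key"}),
        verify(bytes(tampered), {7: b"ntp-secret"}),
        verify(packet, {8: b"ntp-secret"}),
    )
```

The digest covers the whole header, so a spoofed server cannot alter the timestamps without knowing the key, which is what stops an attacker on the path from shifting the device clock (and with it log timestamps and certificate validity checks). The construction is a keyed MD5 prefix digest rather than HMAC because that is the format the NTP Key page configures; treat the key as a shared secret with the same care as a password, and give each server its own key ID where possible.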

Option
Specifies system options, including system language, administrator authentication server, host name, password
strategy and reboot.

To change system option:

1. Select Configuration Management > System Configuration > Device Management > Option

2. In the System Setting tab, configure the following options.

Option Description

System Maintenance Configure the system language and administrator authentication server.

• System Language: You can select Chinese or English according to your requirements.

• Administrator Authentication Server: Select a server to authenticate administrators from the drop-down list.

Host Configuration In some situations, more than one device is installed within a network. To distinguish among these devices, assign different names to different devices. The default host name is assigned according to the model.

• Hostname: Type the host name into the Hostname box.

• Domain: Type the domain name into the Domain box.

• Country/Region: Select the country or region where the device is located from the Country/Region drop-down list.

Login Strategy To prevent illegal users from obtaining user names and passwords by brute-force cracking, you can configure brute-force defense by IP lockout: if the failed login attempts from an IP address reach the specified count within the specified period, the IP address is locked for a while.

• Maximum count of login attempts: Type the allowed number of login failures into the Maximum count of login attempts box. The default value is 3, and the range is 1 to 5.

• Locking Time: Type the lockout time into the Locking Time box. The default value is 2 minutes, and the range is 1 to 65535 minutes.

Password Strategy Configure the length and complexity of login passwords.

• Minimum Password Length: Specifies the minimum length of the password. The value range is 4 to 16 characters. The default value is 4.

• Password complexity: Specifies the complexity of administrator passwords. Unlimited means no restriction on the choice of password characters.

3. Click OK.
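The Trust Host settings and the Login Strategy above work together as the device's management-plane gate: a connection must come from a trust host over an allowed login type before the password is even checked, and repeated failures lock the address for the configured time. The following Python is an added example, not code from this guide or from the product, that models both. The class names, the one-minute counting window (taken from the Management Interface text on this page), the fact that a correct password does not lift an active lock, and the sample hosts and attempts are assumptions made here for illustration.

```python
"""Management-plane access gate: trust hosts plus brute-force lockout.

Added example, not Hillstone code. Class names, the one-minute window, the
lock behaviour on a correct password, and the sample data are assumptions.
"""
import ipaddress
from collections import defaultdict, deque

LOGIN_TYPES = ("telnet", "ssh", "http", "https")


class TrustHost:
    """IP/Netmask or IP Range entry with the login types it may use."""

    def __init__(self, login_types, netmask=None, ip_range=None):
        if (netmask is None) == (ip_range is None):
            raise ValueError("specify exactly one of netmask and ip_range")
        self.login_types = {t.lower() for t in login_types}
        unknown = self.login_types - set(LOGIN_TYPES)
        if unknown:
            raise ValueError(f"unknown login type(s): {sorted(unknown)}")
        self.network = ipaddress.ip_network(netmask, strict=False) if netmask else None
        self.ip_range = tuple(ipaddress.ip_address(a) for a in ip_range) if ip_range else None

    def allows(self, ip, login_type):
        addr = ipaddress.ip_address(ip)
        if login_type.lower() not in self.login_types:
            return False
        if self.network is not None:
            return addr in self.network
        start, end = self.ip_range
        return addr.version == start.version and start <= addr <= end


class LoginGuard:
    def __init__(self, trust_hosts, max_attempts=3, locking_minutes=2, window_seconds=60):
        if not 1 <= max_attempts <= 5:
            raise ValueError("maximum count of login attempts is 1 to 5")
        if not 1 <= locking_minutes <= 65535:
            raise ValueError("locking time is 1 to 65535 minutes")
        self.trust_hosts = list(trust_hosts)
        self.max_attempts = max_attempts
        self.locking_time = locking_minutes * 60
        self.window = window_seconds
        self._failures = defaultdict(deque)     # ip -> timestamps of recent failures
        self._locked_until = {}                 # ip -> unlock time

    def attempt(self, now, ip, login_type, password_ok):
        """Return 'untrusted', 'locked', 'failed' or 'ok' for one login attempt."""
        if not any(h.allows(ip, login_type) for h in self.trust_hosts):
            return "untrusted"                  # never reaches the password check
        if self._locked_until.get(ip, 0) > now:
            return "locked"                     # a correct password does not lift the lock
        failures = self._failures[ip]
        if password_ok:
            failures.clear()
            return "ok"
        failures.append(now)
        while failures and now - failures[0] >= self.window:
            failures.popleft()                  # only failures inside the window count
        if len(failures) >= self.max_attempts:
            self._locked_until[ip] = now + self.locking_time
            failures.clear()
            return "locked"
        return "failed"


def run_sample():
    """Replay constructed attempts; returns one outcome per attempt."""
    guard = LoginGuard([
        TrustHost(("ssh", "https"), netmask="10.0.0.0/24"),
        TrustHost(("https",), ip_range=("192.0.2.10", "192.0.2.20")),
    ])
    attempts = [                                # (time, ip, login type, password correct?)
        (0, "203.0.113.5", "https", True),      # not a trust host
        (0, "10.0.0.9", "telnet", True),        # trust host, but Telnet not allowed for it
        (0, "10.0.0.9", "ssh", False),
        (10, "10.0.0.9", "ssh", False),
        (20, "10.0.0.9", "ssh", False),         # third failure within a minute -> locked
        (30, "10.0.0.9", "ssh", True),          # still locked although the password is right
        (141, "10.0.0.9", "ssh", True),         # 2-minute lock has expired
        (0, "192.0.2.15", "https", True),       # inside the IP range
        (0, "192.0.2.21", "https", True),       # just outside the IP range
    ]
    return [guard.attempt(*a) for a in attempts]
```

The order of the checks is deliberate: the trust-host test runs before anything else, so an address outside the list cannot even consume failure budget, and the lock is enforced before the password is evaluated, so a guessed password during the lock window yields no confirmation that it was right.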

Rebooting the System

Some operations like license installation or image upgrading will require the system to reboot before it can take
effect.

To reboot a system:

1. Go to Configuration Management > System Configuration > Device Management > Option , and click
the System Option tab.

2. Click Reboot, and select Yes in the prompt.

3. The system will reboot. You need to wait a while before it can start again.

System Debug

System debug is supported for you to check and analyze the problems.

Failure Feedback

To enable the failure feedback function, take the following steps:

1. Select Configuration Management > System Configuration > Device Management > Option.

2. In the System Setting page, click the Enable button for Failure feedback. The system will then automatically send the technical support file to the manufacturer.

System Debug Information

System debugging helps you to diagnose and identify system errors by the exported file.

To export the system debugging information, take the following steps:

1. Select Configuration Management > System Configuration > Device Management > Option.

2. Click Export. The system packs the files in /etc/local/core and prompts you to save the tech-support file. Select the save location and click OK to export the file.

Password Reset Management


The password reset function enables you to change passwords through the security question. You can easily reset
the password without knowing the previous password. If this function is configured and enabled, when you enter
the wrong username or password for three consecutive times through the console port, the system will prompt
you to reset the password by the security question. To configure the password reset function, take the following
steps:

1. Select Configuration Management > System Configuration > Device Management > Password Reset Man-
agement.

2. Click the Enable button and configure the following options.


Option Description

Password Reset Click the Enable button to enable the password reset function.

Security Problem Type Specify the type of Security Problem as User-defined or Predefined.

Security Question Configure the security question. If the type of Security Problem is User-defined, enter a user-defined security question in the text box. If the type is Predefined, select a predefined security question from the drop-down list. The value range is 1 to 256 characters. The security question can only include letters, numbers, and special characters (excluding "). Chinese characters cannot be included in the security question.

Security Answer Configure the security answer. The value range is 1 to 256 characters. The security answer can only include letters, numbers, and special characters (excluding "). Chinese characters cannot be included in the security answer.

Confirm Security Answer Enter the security answer again in the text box; it must be identical to the content of the Security Answer text box.

3. Click OK.

Configuration File Management
System configuration information is stored in the configuration file, in command-line format. The part of the configuration file used to initialize the Hillstone device is the initial configuration. If no initial configuration is found, the Hillstone device initializes with default parameters. The configuration currently in effect is the current configuration.

The initial configuration consists of the current initial configuration (used when the system starts) and backup initial configurations. The system keeps the ten most recently saved configurations. The most recently saved one is the current initial configuration and is marked Startup; the previous nine are numbered 0 to 8 in order of save time.

You can export or delete the saved configuration files, and you can also export the current system configuration.

Backing Up/Restoring Configuration Files

To manage the system configuration files:

1. Select Configuration Management > System Configuration > Configuration File Management > Configuration File List.

2. In the Configuration File List page, configure the following.

• Export: Select the configuration file you want to export, and click Export.

• Delete: Select the configuration file you want to delete, and click Delete.

• Backup Restore: Restore the system configuration from a saved configuration file or to factory defaults, or back up the current configuration. Configure the following settings:

Option Description

Back up Current Configurations: Type a description for the configuration file into the Description box. Click Start to back up.

Restore Configuration: Roll back to a saved configuration:

  • Select Backup System Configuration File: Click this button, then select a backup configuration file from the list. Click OK.

  • Upload Configuration File: Click this button. In the Importing Configuration File dialog box, click Browse and choose a local configuration file on your PC. If you want the configuration file to take effect, select the check box. Click OK.

  Restore to factory defaults:

  • Click Restore. In the Restore to Factory Defaults dialog box, click OK. The device restarts automatically. All configurations are deleted, including the backed-up configuration files. The database content is not cleared.

  • To clear the content of the database, including threat logs, reports, and captured packets, see "Chapter 11 CLI" on Page 460.

3. In the Current Configurations page, you can view the current configuration file.

Notes: Restoring to factory defaults clears all system configuration, including the backup system configuration files.

Viewing the Current Configuration

To view the current configuration file:

1. Select Configuration Management > System Configuration > Configuration File Management > Current Configurations.

2. Click Export to export the current configuration file.

SNMP
The device includes an SNMP agent, which receives operation requests from a Network Management System (NMS) and returns the corresponding information about the network and the device.

The device supports SNMPv1, SNMPv2c and SNMPv3. SNMPv1 and SNMPv2c use community-based authentication to limit which Network Management Systems can read device information; the community string travels in clear text, so anyone who can capture the traffic can learn it. SNMPv3 introduces a user-based security model for message authentication and encryption and a view-based access control model for access control, and should be preferred where the NMS supports it.

The device supports all relevant Management Information Base II (MIB-II) groups defined in RFC 1213 and the Interfaces Group MIB (IF-MIB) using SMIv2 defined in RFC 2233. In addition, the system offers a private MIB containing system information and statistics for the device. You can use the private MIB by loading it into an SNMP MIB browser on the management host.

SNMP Agent
The SNMP agent provides network management and lets an NMS monitor the running status of the network and the device by reading statistics and receiving notifications of important system events.

To configure the SNMP agent:

1. Select Configuration Management > System Configuration > SNMP > SNMP Agent.

2. In the Agent Configuration page, configure the following options.

Option Description

SNMP Agent: Click the Enable button to enable the SNMP agent function.

ObjectID: Displays the SNMP object ID of the system. The object ID is specific to an individual system and cannot be modified.

System Contact: Type the SNMP system contact information of the device into the System Contact box. System contact is a management variable of the system group in MIB-II and holds the identity and contact details of the administrator responsible for the managed device. Configuring it stores that information on the device for use in an emergency.

Location: Type the location of the device into the Location box.

Host Port: Type the port number on which the agent receives requests into the Host Port box.

Local EngineID: Type the SNMP engine ID into the Local EngineID box.

3. Click Apply.

Notes: The SNMP engine ID uniquely identifies an SNMP engine. The SNMP engine is a core component of an SNMP entity (the Network Management System or the managed network device) and implements functions such as sending, receiving and verifying SNMP messages, PDU abstraction and encapsulation, and communication with SNMP applications. In SNMPv3 the engine ID is also an input to the derivation of each V3 user's authentication and privacy keys, so the keys an NMS uses for this device are bound to this engine ID.

SNMP Host
An SNMP host entry defines which management hosts may query the agent and with which credentials. To create an SNMP host:

1. Select Configuration Management > System Configuration > SNMP > SNMP Host.

2. Click New. In the SNMP Host Configuration page, enter values.

Option Description

Type: Select the SNMP host type: IP Address, IP Range or IP/Netmask.

  • IP Address: Type the IP address of the SNMP host into the Hostname box.

  • IP Range: Type the start IP and end IP into the Hostname boxes respectively.

  • IP/Netmask: Type the network address and netmask of the SNMP hosts into the Hostname boxes respectively.

SNMP Version: Select the SNMP version.

Community: Type the community for the SNMP host into the Community box. The community is a password sent in clear text between the manager and the agent, so it restricts who can query the agent but does not protect the exchange from anyone who can observe it. This option is only effective if the SNMP version is V1 or V2C.

Permission: Select the read and write permission for the community. This option is only effective if the SNMP version is V1 or V2C.

  • RO: Read-only; the community is only allowed to read MIB information.

  • RW: Read-write; the community is allowed to read and modify MIB information. Grant RW only to hosts that need to change device settings via SNMP.

3. Click OK.
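As an added illustration (not the device's own code), the following Python models the access decision that the SNMP Host table describes: a request is matched against each entry's address type (IP Address, IP Range, IP/Netmask), its SNMP version, its community for V1/V2C, and its RO/RW permission. The field names, the sample entries and the communities are constructed for the example. It also makes the practical point concrete: for V1/V2C the source address and the clear-text community are the only two checks, and UDP source addresses can be forged, so the community must not be the only thing standing between an attacker and an RW entry.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SnmpHost:
    """One row of the SNMP Host table. Field names mirror the WebUI labels;
    they are an assumption for this example, not the device's API."""
    kind: str               # "IP Address", "IP Range" or "IP/Netmask"
    hostname: str           # "10.0.0.5", "10.0.0.10-10.0.0.20" or "10.0.1.0/24"
    version: str            # "V1", "V2C" or "V3"
    community: Optional[str] = None   # only meaningful for V1/V2C
    permission: str = "RO"            # "RO" or "RW"; only meaningful for V1/V2C

    def contains(self, ip: str) -> bool:
        """Does the source address fall inside this entry?"""
        addr = ipaddress.ip_address(ip)
        if self.kind == "IP Address":
            return addr == ipaddress.ip_address(self.hostname)
        if self.kind == "IP Range":
            start, end = (ipaddress.ip_address(p.strip()) for p in self.hostname.split("-"))
            return start <= addr <= end
        if self.kind == "IP/Netmask":
            # strict=False accepts a host address with a mask, e.g. 10.0.1.7/24
            return addr in ipaddress.ip_network(self.hostname, strict=False)
        raise ValueError(f"unknown host type {self.kind!r}")


def authorize(hosts, src_ip: str, version: str, community: Optional[str] = None,
              want_write: bool = False) -> Optional[str]:
    """Return "RO" or "RW" for an allowed request, None for a rejected one.

    A V1/V2C request must come from a matching entry AND present that entry's
    community; a V3 request is identified by its USM user instead, so the
    community is ignored and the user's group views decide what it may read
    or write. A write request needs an entry whose permission is RW.
    """
    for h in hosts:
        if h.version != version or not h.contains(src_ip):
            continue
        if version in ("V1", "V2C") and h.community != community:
            continue
        if want_write and h.permission != "RW":
            continue
        return h.permission
    return None


# Constructed sample table for the example (not from a real device).
SAMPLE_HOSTS = [
    SnmpHost("IP Address", "10.0.0.5", "V2C", community="m0nitor-ro", permission="RO"),
    SnmpHost("IP Range", "10.0.0.10-10.0.0.20", "V2C", community="netops-rw", permission="RW"),
    SnmpHost("IP/Netmask", "10.0.1.0/24", "V3"),
]

if __name__ == "__main__":
    for ip, ver, comm, write in [("10.0.0.5", "V2C", "m0nitor-ro", False),
                                 ("10.0.0.5", "V2C", "m0nitor-ro", True),
                                 ("10.0.0.15", "V2C", "netops-rw", True),
                                 ("10.0.0.21", "V2C", "netops-rw", False),
                                 ("10.0.1.77", "V3", None, False)]:
        print(ip, ver, "write" if write else "read", "->", authorize(SAMPLE_HOSTS, ip, ver, comm, write))
```

The RW entry is deliberately a narrow range rather than a subnet: the smaller the set of addresses that can carry a writable community, the less a leaked community string is worth.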

Trap Host
A trap host is the NMS to which the agent sends notifications. To create a trap host:

1. Select Configuration Management > System Configuration > SNMP > Trap Host.

2. Click New. In the Trap Host Configuration page, configure the following options.

Option Description

Host: Type the domain name or IP address of the trap host into the Host box.

Trap Host Port: Type the port number of the trap host into the Trap Host Port box.

SNMP Agent: Select the SNMP version from the SNMP Agent drop-down list.

  • V1 or V2C: Type the community for the trap host into the Community box.

  • V3: Select the V3 user from the V3 User drop-down list, and type the engine ID of the trap host (the receiving NMS) into the Engine ID box.

3. Click OK.

V3 User Group
SNMPv3 introduces a user-based security model. If the SNMP version is V3, you need to create an SNMP V3 user group for the SNMP host.

To create a V3 user group:

1. Select Configuration Management > System Configuration > SNMP > V3 User Group.

2. Click New. In the V3 Group Configuration page, configure the following options.

Option Description

Name: Type the SNMP V3 user group name into the Name box.

Security Model: Displays the security model for the SNMP V3 user group.

Security Level: Select the security level for the user group. The security level determines the security mechanism used in processing an SNMP packet. Security levels for V3 user groups are No Authentication (no authentication and no encryption), Authentication (authentication based on MD5 or SHA, no encryption) and Authentication and Encryption (authentication based on MD5 or SHA and message encryption based on AES or DES). Only Authentication and Encryption protects the contents of the exchange; MD5 and DES remain for compatibility with older managers, and SHA with AES should be chosen when the NMS supports them.

Read View: Select the read-only MIB view name for the user group. If this parameter is not specified, the group has no readable MIB view.

Write View: Select the write MIB view name for the user group. If this parameter is not specified, the group has no writable MIB view.

3. Click OK.

V3 User
If the selected SNMP version is V3, you need to create an SNMP V3 user group for the SNMP host and then add users to the user group.

To create a user for an existing V3 user group:

1. Select Configuration Management > System Configuration > SNMP > V3 User.

2. Click New. In the V3 User Configuration page, enter values.

Option Description

Name: Type the SNMP V3 user name into the Name box.

V3 User Group: Select an existing user group for the user from the Group drop-down list.

Security Model: Displays the security model for the SNMP V3 user.

Remote IP: Type the IP address of the remote management host into the Remote IP box.

Authentication: Select the authentication protocol. By default, this parameter is None, i.e., no authentication.

Authentication Password: Type the authentication password into the Authentication Password box.

Confirm Password: Re-type the authentication password into the Confirm Password box to confirm it.

Encryption: Select the encryption protocol.

Encryption Password: Type the encryption password into the Encryption Password box.

Confirm Password: Re-type the encryption password into the Confirm Password box to confirm it.

3. Click OK.
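The Authentication Password and Encryption Password entered above are never used directly on the wire. Under the SNMPv3 user-based security model (RFC 3414) each password is first stretched into a key and then "localized" with the engine ID of the SNMP engine that will use it, which is why the agent's Local EngineID and the trap host's Engine ID matter: the same password yields a different key on every engine. The following Python, added here as an illustration and not taken from Hillstone's implementation, carries out that derivation with the standard library. The password and engine ID are the RFC 3414 Appendix A test vector, not a real device's values.

```python
import hashlib

# Constructed values: the RFC 3414 Appendix A test vector, not a real device's
# engine ID or a real user's password.
TEST_PASSWORD = "maplesyrup"
TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# The WebUI offers MD5 or SHA as the authentication algorithm; "SHA" is SHA-1.
_HASHES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


def password_to_key(password: str, algorithm: str) -> bytes:
    """Step 1 of RFC 3414 A.2: hash 1,048,576 bytes of the password repeated
    cyclically. The result (Ku) does not yet depend on any engine."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stretched = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return _HASHES[algorithm](stretched).digest()


def localize_key(password: str, engine_id: bytes, algorithm: str) -> bytes:
    """Step 2 of RFC 3414 A.2: bind Ku to one SNMP engine.
    Kul = H(Ku || engineID || Ku). Kul is what actually authenticates (or, for
    the privacy password, encrypts) messages exchanged with that engine."""
    ku = password_to_key(password, algorithm)
    return _HASHES[algorithm](ku + engine_id + ku).digest()


def keys_for_user(auth_password: str, priv_password: str, engine_id: bytes,
                  auth_alg: str = "SHA") -> dict:
    """Keys an NMS derives for a V3 user of a device whose Local EngineID is
    engine_id. Both passwords are localized with the same engine ID and the
    authentication hash; DES then uses the first 8 bytes of the privacy key
    and AES-128 the first 16."""
    return {
        "auth": localize_key(auth_password, engine_id, auth_alg),
        "priv": localize_key(priv_password, engine_id, auth_alg),
    }


if __name__ == "__main__":
    for alg in ("MD5", "SHA"):
        print(alg, "Kul for engine", TEST_ENGINE_ID.hex(), "=",
              localize_key(TEST_PASSWORD, TEST_ENGINE_ID, alg).hex())
    other = bytes.fromhex("000000000000000000000003")
    print("same password, other engine ->", localize_key(TEST_PASSWORD, other, "SHA").hex())
```

Two consequences follow for the configuration above. A captured localized key is only useful against the engine it was derived for, which is the reason engine IDs should be unique per device and not left at a shared default. And because the NMS must derive the key from the password and the device's engine ID, changing the Local EngineID after users are configured silently breaks every V3 session until the manager rediscovers the new ID.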

Upgrading System
The upgrade wizard helps you:

• Upgrade the system to a new version or roll the system back to a previous version.

• Update the signature databases.

Upgrading Firmware
To upgrade firmware:

1. Select Configuration Management > System Configuration > Upgrade Management > Upgrade Firmware.

2. In the Upgrade Firmware page, configure the following.

Upgrade Firmware

Backup Configuration File: Make sure you have backed up the configuration file before upgrading. Click Backup Configuration File to back up the current configuration; the system automatically redirects to the Configuration File Management page after the backup.

Current Version: The current firmware version.

Upload Firmware: Click Browse to select a firmware file from your local disk.

Reboot: Select the "Reboot now to make the new firmware take effect" check box and click Apply to reboot the system and make the firmware take effect. If you click Apply without selecting the check box, the firmware takes effect at the next startup.

Choose a Firmware for the next startup

Choose a Firmware for the next startup: Select the firmware that will take effect at the next startup.

Reboot: Select the "Reboot now to make the new firmware take effect" check box and click Apply to reboot the system and make the firmware take effect. If you click Apply without selecting the check box, the firmware takes effect at the next startup.

Upgrading Database Data

After you upgrade the system to a new version, both the earlier and the new version of data, such as logs, monitoring data, and reports, exist in the database. Because the formats of the two versions differ, you may not be able to view the earlier data. To ensure that system features are displayed and work properly, upgrade the earlier data in the database to the format of the new version. If you do not need the earlier data, delete it.

Notes: Only manual database data upgrade is supported.

If earlier-version data exists in the system, a message reminding you to upgrade the data appears when you log in to the system. You can view the data before the upgrade is completed.

• Select Don't remind me to close the dialog box. To view the dialog box again, hover your mouse over the notification icon in the upper-right corner and select Database Data Upgrade Notification from the drop-down list.

• Click View Details to upgrade or delete database data on the Database Data Upgrade page.

To upgrade database data, take the following steps:

1. Select Configuration Management > System Configuration > Upgrade Management > Database Data Upgrade.

2. Configure the following options:

Option Description

Database Operation: Upgrade or delete earlier-version data in the system database.

  • Upgrade Earlier-version Data: Click this option to upgrade earlier-version data whose format is inconsistent with that of the new version.

  • Delete Earlier-version Data: Click this option to delete earlier-version data whose format is inconsistent with that of the new version. This operation does not affect data whose format already complies with the new version.

  Note: If the system is downgraded to a lower version, To Be Upgraded is displayed in the Database Data Upgrade Status field. In this case, click Upgrade Earlier-version Data to convert the database data to the format of the version now running. For information about how to downgrade the system version, see Upgrading Firmware.

Database Data Upgrade Status: Displays the upgrade status of the data in the system database.

  • To Be Upgraded: Displayed if earlier-version data whose format is inconsistent with that of the new version exists in the system.

  • Upgrading: Displayed after you click Upgrade Earlier-version Data while such data exists. The upgrade progress and the time consumed are also displayed.

  • Upgrade Not Required: Displayed once the earlier-version data has been upgraded or deleted, because all database data is then in the compliant format.

Updating Signature Database

To update each signature database:

1. Select Configuration Management > System Configuration > Upgrade Management > Signature Database Update.

2. In the Signature Database Update page, configure the following.

Option Description

Current Version: Shows the current version number of each database.

Remote Update: Configure the update parameters. For the Application identification database, Anti-Virus signature database, IDS signature database, Botnet C&C detection signature database, Sandbox Whitelist signature database, MITRE ATT&CK® Knowledge Base and Web Attack database:

  • Update Now: Click Update to update the signature database immediately.

  • Auto Update: Click the Enable button and specify the auto update time. Click Save to save your changes.

  • Configure Update Server: By default, the system updates the signature databases automatically every day. You can change the update configuration as needed. Devices provide two default update servers, https://update1.hillstonenet.com and https://update2.hillstonenet.com, and you can customize the servers according to your needs. In the pop-up Auto Update Settings dialog, specify the server IP or domain name and the Virtual Router.

  • Configure Proxy Server: When the device accesses the Internet through an HTTP proxy server, you need to specify the IP address and port number of the HTTP proxy server so that the signature databases can update normally. Click Configure Proxy Server, then enter the IP addresses and ports of the main proxy server and the backup proxy server.

  For the Abnormal behavior modeling database, Malware behavior modeling database, Deception detection modeling database and Threat Tag Database:

  • Update Now: Click Update to update the database immediately.

  • Auto Update: Click the Enable button and specify the auto update time. Click Save to save your changes.

  • Server: By default, the system updates the databases automatically every day. You can change the update configuration as needed. Devices provide two default update servers, https://update1.hillstonenet.com and https://update2.hillstonenet.com, and you can customize the servers according to your needs. In the pop-up Auto Update Settings dialog, specify the server IP or domain name and the Virtual Router.

  • Server: Devices provide a default update server, https://sec-cloud.hillstonenet.com.

Local Update: Click Browse and select the signature file on your local PC, and then click Upload.

License
Licenses authorize the use of features and services. If you have not bought and installed the corresponding license, the features and services that depend on it cannot be used.

The following licenses are available.

Platform License Description Valid Time

Factory License: A package of five preset licenses: Platform License, StoneShield License, AV License, IDS License and APP DB License. The device is pre-installed in the factory with a factory license valid for 30 days. When the license expires you cannot modify the existing configuration, and the system restores factory defaults when the device reboots.

Trial License: Provides a 90-day trial period; the supported functions are the same as for the factory license. When the license expires you cannot modify the existing configuration, and the system restores factory defaults when the device reboots.

Base License: The supported functions are the same as for the factory license. When the license expires you cannot modify the existing configuration, and the system restores factory defaults when the device reboots.

Service License Description Valid Time

Platform Trial: The platform license is the basis on which the other licenses operate; if the platform license is invalid, the other licenses are not effective. You do not need to apply for it separately; its valid time is the same as the trial license. When the license expires you cannot modify the existing configuration, and the system restores factory defaults when the device reboots.

Platform Base: You can install the platform base license after the device is formally sold. The license provides the basic functions. When the license expires the system cannot upgrade the OS version, but it continues to work normally.

StoneShield: A package of features including Abnormal Behavior Detection, Advanced Threat Detection, and the corresponding signature database updates. You do not need to apply for it separately; its valid time is the same as the factory / trial / base license. When the license expires the system cannot update the signature databases, but the included functions and rules can still be used normally.

AntiVirus: Provides the antivirus function and antivirus signature database updates. You do not need to apply for it separately; its valid time is the same as the factory / trial / base license. When the license expires the system cannot update the antivirus signature database, but the antivirus function can still be used normally.

IDS: Provides the IDS function and IDS signature database updates. You do not need to apply for it separately; its valid time is the same as the factory / trial / base license. When the license expires the system cannot update the IDS signature database, but the IDS function can still be used normally.

APP signature: The APP signature license is issued with the platform license; you do not need to apply for it separately, and its valid time is the same as the platform (factory / trial / base) license. When the license expires the system cannot update the APP signature database.

Sandbox License: Provides the sandbox function and white list updates, and authorizes the number of suspicious files uploaded per day. There are three licenses, Sandbox-300, Sandbox-500 and Sandbox-1000, which differ in the number of files allowed to be uploaded per day. Valid time: 1 year, 2 years or 3 years. When the license expires the system cannot analyze the collected data and cannot update the white list; the sandbox protection function can only use the results cached in the local database, and cannot be used at all after the device is restarted.

Antispam: Provides the Anti-Spam function. The Anti-Spam function cannot be used when the license expires.

Botnet C&C Detection: Provides the Botnet C&C Detection function. When the license expires the system cannot update the signature databases, but the included functions and rules can still be used normally.

Threat Intelligence: Provides the Threat Intelligence function. When the license expires the system cannot upload data to the cloud platform or obtain information from the cloud platform.

Applying for a License

Before you apply for a license, you have to generate a license request first.

1. Select Configuration Management > System Configuration > License.

2. In the License Request section, enter the user information. All fields are required.

3. Click Generate. A request code is displayed.

4. Send the code to your sales contact. The sales person issues the license and sends the license code back to you.

Installing a License
After obtaining the license, you must install it on the device.

1. Select Configuration Management > System Configuration > License.

2. In the License Request section, configure the options as below.

Option Description

Upload License File: Select Upload License File. Click Browse to select the license file (TXT format), and then click OK to upload it.

Manual Input: Select Manual Input. Type the license string into the box.

Online Installation: Select the Online Installation radio button and click the Online Installation button; your purchased licenses are installed automatically. Note that the licenses must be in activated status in the Hillstone Online Registration Platform (https://onlinelic.hillstonenet.com/reqlicense). To activate a license, log in to the platform with your platform username and password. The username is the e-mail address provided when placing the order; Hillstone sends the password by e-mail. Then activate the licenses that need to be installed. If you purchased the device from a Hillstone agent, contact the agent to activate the licenses.

3. Click OK.

4. Go to Configuration Management > System Configuration > Device Management > Settings & Options, and click the System Options tab.

5. Click Reboot, and select Yes in the prompt.

6. The system reboots. When it starts again, the installed license(s) take effect.

Verifying License
For vBDS, after the new platform license is installed, the SN of the device changes to a virtual SN (vSN). If you want to obtain further function or sub-licenses, apply for them with the vSN. Because the license does not depend on the SN of the original system after the system is reinstalled, a license that was applied for earlier remains effective. Hillstone provides a public-network License Management System (LMS) and an internal-network LMS to verify and manage licenses and keep them secure. You need to connect vBDS to a license server to verify the validity of a license and prevent the license from being cloned.

The system supports two verification methods: connecting vBDS to the public-network LMS over the Internet, or connecting vBDS to the internal-network LMS over the LAN. Choose one of them as needed.

• Internet: Verification through the public-network LMS is suitable for small-scale private or public cloud scenarios. After the vBDS connects to the public-network LMS, the LMS verifies the validity of the license. If a cloned license is found, the cloned device (the device on which the license was installed later) is restarted immediately.

• Intranet: Verification through the internal-network LMS is suitable for large-scale private or industry cloud scenarios. After the vBDS connects to the LMS, the LMS verifies the validity of the license. If a cloned license is found, the cloned license is uninstalled from the cloned device (the device on which the license was installed later) and that device is restarted immediately.

Notes:

• If vBDS is not connected to an LMS for verification, the device is restarted every 30 days.

• vBDS 3.6 and later must connect to an LMS of version 3.6 or later.

To verify licenses, take the following steps:

1. Select Configuration Management > System Configuration > License > License Verify.

2. The License Server Status panel displays the server's authentication and distribution connection status, the auto reboot time, the server IP address, the server port, and the verification type. Click Configuration. In the License Verification Configuration panel, select one of the following methods to verify licenses as needed:

  • Internet: Select Internet and click OK. The vBDS's licenses are verified by the server on the Internet.

  • Intranet: Select Intranet, specify the service address and port, and then click OK. The vBDS's licenses are verified by the intranet LMS server.

3. Select Configuration Management > System Configuration > Device Management > Settings & Options, and click the System Options tab.

4. Click Reboot, and select Yes in the prompt.

5. After the system restarts, the licenses take effect.

Notes: When you verify your license through a server on the Internet, make sure that the interface used to connect to the server is bound to the trust-vr zone and that the interface bound to that zone can reach the Internet.

Mail Server
By configuring a mail server in the Mail Server page, the system can send log messages to the specified email address.

Creating a Mail Server

To create a mail server:

1. Select Configuration Management > System Configuration > Mail Server, and configure the following options.

Option Description

Name: Type a name for the mail server into the box.

Server: Type the domain name or IP address of the mail server into the box.

Transmission Mode: Select the transmission mode for the email.

  • PLAIN: The mail is sent in plain text and is not encrypted. This is the default transmission mode. The SMTP credentials (if Verification is enabled) and the log content are visible to anyone who can observe the traffic.

  • STARTTLS: STARTTLS is an extension to the plain-text protocol that upgrades a plain-text connection to an encrypted one. In this mode the mail is transmitted over an encrypted connection.

  • SSL: The connection is encrypted with SSL/TLS from the start, on a dedicated port; SSL/TLS provides confidentiality and data integrity for network communication. In this mode the mail is transmitted over an encrypted connection.

Port: Type the port number of the mail server into the box. The range is 1 to 65535. The default port differs by transmission mode: PLAIN: 25, STARTTLS: 25, SSL: 465.

Virtual Router: From the Virtual Router drop-down list, select the Virtual Router used to reach the SMTP server.

Verification: Click the Enable button of mail verification to enable it if needed. Type the username and its password into the corresponding boxes.

Email: Type the email address from which mail is sent.

2. Click Apply.
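Before applying a mail server entry it is worth checking the combination of transmission mode, port and verification, because the log messages the device sends may contain host names, usernames and threat details. The following Python is an added example (not Hillstone's code) that lints such an entry against the rules stated above: PLAIN sends everything, including SMTP credentials, unencrypted; STARTTLS and PLAIN default to port 25 while SSL (implicit TLS) defaults to 465, so a mode/port mismatch usually means the session will fail or silently fall back. The dictionary keys and the sample entries are assumptions built for the example.

```python
from typing import Dict, List

# Defaults as stated in the Mail Server table.
DEFAULT_PORTS = {"PLAIN": 25, "STARTTLS": 25, "SSL": 465}


def check_mail_server(cfg: Dict) -> List[str]:
    """Return findings for one Mail Server entry; an empty list means no concerns.

    cfg keys follow the WebUI field names (name, server, transmission_mode,
    port, verification, username, email); they are this example's assumption,
    not the device's API.
    """
    findings: List[str] = []
    mode = str(cfg.get("transmission_mode", "PLAIN")).upper()
    if mode not in DEFAULT_PORTS:
        return [f"unknown transmission mode {mode!r}"]
    port = cfg.get("port", DEFAULT_PORTS[mode])

    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append(f"port {port!r} is outside 1-65535")
    if not cfg.get("server"):
        findings.append("server (domain name or IP address) is required")

    if mode == "PLAIN":
        if cfg.get("verification"):
            findings.append("PLAIN with Verification enabled: the SMTP username and "
                            "password are sent in clear text")
        findings.append("PLAIN: log messages are sent unencrypted; prefer STARTTLS or SSL")
    elif mode == "SSL" and port == 25:
        findings.append("SSL (implicit TLS) on port 25: servers expect plain SMTP there; "
                        "the default for SSL is 465")
    elif mode == "STARTTLS" and port == 465:
        findings.append("STARTTLS on port 465: that port normally expects implicit TLS; "
                        "the default for STARTTLS is 25")

    if cfg.get("verification") and not cfg.get("username"):
        findings.append("Verification enabled but no username configured")
    return findings


# Constructed sample entries for the example (not from a real device).
WEAK_ENTRY = {"name": "log-mail", "server": "mail.example.internal",
              "transmission_mode": "PLAIN", "port": 25,
              "verification": True, "username": "bds", "email": "bds@example.internal"}
GOOD_ENTRY = dict(WEAK_ENTRY, transmission_mode="STARTTLS")
MISMATCHED_ENTRY = dict(WEAK_ENTRY, transmission_mode="SSL", verification=False)

if __name__ == "__main__":
    for label, entry in [("weak", WEAK_ENTRY), ("good", GOOD_ENTRY), ("mismatched", MISMATCHED_ENTRY)]:
        print(label, entry["transmission_mode"], entry["port"])
        for f in check_mail_server(entry) or ["no findings"]:
            print("  -", f)
```

The check is deliberately conservative: it only flags what the table itself implies, so an entry that passes still needs the usual operational verification that the mail server's certificate is trusted and that the Virtual Router chosen can actually reach it.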

Extended Services
The BDS device can connect to other Hillstone products to provide additional services. Currently, the extended services include connecting to iSource, Hillstone Cloud, RAS, Threat Trace Server and Hillstone Security Management (HSM). For the specific configurations, refer to one of the following topics:

• "Connecting to iSource" on Page 427

• "Connecting to the Threat Trace Server" on Page 439

• "Connecting to HSM" on Page 436

Connecting to iSource
iSource (Intelligent Security Operation System) is a holographic, data-driven AI analysis and operation system composed of an analysis platform and a range of probes. It provides customers in various industries with network threat analysis, situation presentation and tracing, and addresses monitoring blind spots, potential security hazards and inefficient operation and maintenance. iSource collects holographic data through various types of data probes, performs intelligent data mining and analysis on large volumes of network traffic, threat events and endpoint logs, presents the global network security and threat situation, and supports core functions such as dashboard display, linked response and work orders to keep the enterprise's security operations under control.

At present, iSource supports five types of data sources: network devices, traffic sensors, threat sensors, Linux system devices, and user hosts. Specifically:

• Network device: Sends the Syslog and NetFlow information of a Hillstone device to the iSource platform.

• Traffic sensor: The traffic of the network device is mirrored to the traffic sensor, which sends the metadata it extracts from the analysis to the iSource platform.

• Threat sensor: After detecting, monitoring and analyzing the received mirrored traffic, the threat sensor sends the generated threat information to the iSource platform.

• Linux system device: Sends the Syslog-format log information generated by the Linux system device to the iSource platform.

• Host: Sends host behavior information (Sysmon) collected by the BDS ThreatTrace Client, such as process creation, network access, file operations and registry modifications, to the iSource platform.

Each BDS system has an iSource module. When the BDS device is configured with the correct iSource parameters, it connects to iSource, and iSource receives and further analyzes the information from the BDS device. Two modes are available:

• Sensor mode: The BDS device acts as the threat sensor connected to iSource, sending threat logs, NetFlow information and metadata to iSource.

• Cascade mode: The BDS device acts as a subordinate platform cascaded with iSource, sending information about threat events to iSource.

Notes: For more information about iSource, refer to the iSource User Guide.

iSource Typical Deployment

The typical deployment of iSource mainly includes four parts: the iSource Security Operation Platform (referred
to as the iSource Platform), the traffic sensor, the threat sensor, and the ThreatTrace Client. Typical deployment
includes stand-alone deployment and cluster deployment.

Stand-alone Deployment

The iSource platform (single machine), traffic sensor and threat sensor are deployed in the intranet environment,
and the ThreatTrace client is deployed on the user's servers or endpoints. After the deployment is completed, the
iSource platform can receive information (Meta Data, Syslog, NetFlow, Linux, Sysmon, threat information) from the
traffic sensor, threat sensor, Linux system devices, network devices, and user servers and endpoints, so as to bring
the whole network under monitoring and analysis.

The stand-alone deployment scenario is shown in the figure below:

Cluster Deployment

As the amount of user data increases, a single iSource platform may not be able to meet the needs of users. In
response to this problem, the iSource platform supports cluster deployment, that is, you can deploy multiple
iSource platforms, thereby alleviating the pressure on the data volume of a single iSource platform.

When the number of iSource platforms in the cluster is greater than or equal to 3, the iSource platform cluster will
support High Availability (HA) by default, which can provide backup solutions in the event of device failure.
When one iSource platform in the cluster fails and becomes unavailable, other iSource platforms in the cluster will
continue to receive and process data to ensure uninterrupted data communication and effectively enhance the
reliability of the network.

Refer to the following cluster deployment topology. The iSource platform (cluster), traffic sensor, and threat
sensor are deployed in the intranet environment, and the ThreatTrace client is deployed on the user's servers and
endpoints. All iSource platforms in the cluster are deployed on the Layer 2 network. The first iSource platform
deployed is the HA Master. The HA Master allocates available resources to the other iSource platforms according
to its configured internal IP network segment (IP address). After deployment, the HA Master can receive all
information (Meta Data, Syslog, NetFlow, Linux, Sysmon, threat information) from the traffic sensor, threat sensor,
Linux system devices, network devices, and user servers and endpoints, and then distribute the data to the other
iSource platforms in the cluster through the internal IP addresses.

The cluster deployment scenario is shown in the figure below:

Connecting to iSource

The system can connect to iSource in sensor mode or cascade mode.

Sensor Mode

To connect to iSource in sensor mode, take the following steps to configure iSource parameters:

1. Select Configuration Management > System Configuration > Extended Services. In the iSource section,
click in the lower-left corner. In the iSource panel, set the Connection Mode to Sensor Mode.

2. Turn on the switch next to Enable.

3. Enter the IP address of the iSource platform in the IP field.

4. Enter the server port used to connect to iSource in the Port field.

5. In the Version field, select the software version used by iSource. The data that you can send to iSource varies
with the software version. Please check the software version before you choose. Currently, only iSource
V2.0R4 and later versions are supported.

6. In the Data Upload Configuration section, configure the following options as needed.

• Turn on the switch next to Threat Log to send threat logs to iSource. By default, this feature is disabled.

• Turn on the switch next to MetaData to send meta data that is parsed, analyzed, and extracted from
mirrored traffic to iSource. By default, this feature is disabled. Meta data can only be sent to iSource
V2.0R4 - V2.0R8.

• Turn on the switch next to Evidential packets to send threat-related evidential packets captured by the
device to iSource. By default, this feature is disabled. Evidential packets can only be sent to iSource
V2.0R9 and later versions.

• Turn on the switch next to NetFlow to send the NetFlow information of the device to iSource. When enabled,
the system binds the NetFlow default profile default_profile to the bypass zone tap-bds. By default, this
feature is disabled. The default configuration of the default profile (default_profile) is: template refresh
rate - 30 minutes/20 packets; active timeout value - 5 minutes; enterprise field information is not included,
and the source interface for sending NetFlow traffic information is obtained automatically.

7. Click OK.

Notes:

• When the iSource Version is specified as "V2.0R4 below", the system uses 7777 as the server port
number by default; when the iSource Version is specified as "V2.0R4 and later", the system uses 4433
as the server port number by default.

• When the iSource Version is specified as "V2.0R4 and later", the MetaData and NetFlow functions in
the Data Upload Configuration can be enabled; that is, NetFlow information and MetaData information
can only be sent to iSource V2.0R4 and later.

Cascade Mode

To connect to iSource in cascade mode, take the following steps to configure iSource parameters:

1. Select Configuration Management > System Configuration > Extended Services. In the iSource section,
click in the lower-left corner. In the iSource panel, set the Connection Mode to Cascade Mode.

2. Enter the IP address of the iSource platform in the Superior Platform IP field.

3. Enter the port used by iSource to control the connection in the Superior Platform IP field. By default, 59443
is used.

4. Enter the cascade password used to connect to iSource in the Superior Platform Cascade Password field. The
password can be 1 to 31 characters in length.

5. In the Subordinate Platform Information section, you can enter the platform name, contact name, contact
number, and email address.

6. In the Data Upload Configuration section, turn on the switch next to Threat Event and select the threat event
severity, including critical, high, medium, and low.

7. Click OK.

Notes:

• When BDS is used as a sensor platform, it cannot connect to iSource in cascade mode.

• The iSource to which BDS connects in cascade mode needs to be V2.0R8 or later.

Viewing the Connection Status of iSource

Select Configuration Management > System Configuration > Extended Services. In the iSource section, view
the connection status of iSource.

• Connection Mode: Displays the mode in which iSource is connected, either Sensor Mode or Cascade Mode.

• Status: Displays the connection status of iSource, either Connected or Disconnected.

• Sensor Mode

  • Server IP/Domain: Displays the IP address or domain of iSource.

  • Server Port: Displays the port number of iSource.

• Cascade Mode

  • Superior Platform Name: Displays the name of iSource.

  • Superior Platform IP: Displays the IP address of iSource.

  • Superior Platform Port: Displays the port number of iSource.

  • SN: Displays the SN of iSource.

Connecting to HSM
Hillstone Security Management (HSM) is a centralized management platform for managing and controlling multiple
Hillstone devices. Using WEB2.0 and RIA (Rich Internet Application) technology, HSM provides a visualized
interface to centrally manage policies, monitor devices, and generate reports.

Each BDS system has an HSM module inside it. When the BDS device is configured with the correct HSM
parameters, it can connect to HSM and be managed by HSM.

Notes: For more information about HSM, please refer to HSM User Guide.

HSM Deployment Scenarios

HSM is normally deployed in one of two scenarios: installed in the public network or in the private network.

• Installed in the public network: HSM is deployed remotely and connects to the managed devices over the
Internet. When HSM and the managed devices have an accessible route between them, HSM can control the devices.

• Installed in the private network: In this scenario, HSM and the managed devices are in the same subnet. HSM
can manage the devices in the private network.

Connecting to HSM

To configure HSM parameters in the BDS, take the following steps:

1. Select Configuration Management > System Configuration > Extended Services. Click the Edit button in
the Connecting to HSM section.

2. Click Enable in the HSM Agent field to enable this feature.

3. Enter the HSM server's IP address in the Server IP/Domain text box. The address cannot be 0.0.0.0,
255.255.255.255, or a multicast address.

4. Enter the port number of HSM server.

5. Click OK.

Notes: The Syslog Server part shows the HSM server's syslog server and its port.

Connecting to the Threat Trace Server
To trace, at the process level on user endpoints, the network threat behavior detected by the BDS device,
Hillstone provides the threat trace function.

Install the BDS ThreatTrace Client on the user endpoints of the internal network to collect endpoint-related
behaviors such as process creation, network access, file operation, and registry modification. Then deploy a
threat trace server to store the collected endpoint information. Finally, the BDS device obtains the collected
information by connecting to the threat trace server, so as to trace threat behaviors.

To deploy the device, refer to the following deployment scenarios.

Notes: For detailed deployment methods of BDS ThreatTrace client and threat trace server,
please refer to the BDS Threat Trace Deployment Guide.

Connecting to the Threat Trace Server

To connect to the threat trace server, take the following steps:

1. Select Configuration Management > System Configuration > Threat Trace Server.

2. Click the Enable button of Connect to Server.

3. Type the threat trace server IP address into the Server IP text box.

4. The default port number (9200) is displayed after Server Port.

5. Click OK.

After the connection is successful, the Status field on the page shows Connected.

Connecting to Hillstone Cloud Service Platform
Hillstone Cloud Service Platform is a cloud security services platform that provides cloud services including
CloudView, Cloud Sandbox and CloudVista (Threat Intelligence Center). Hillstone Cloud Service is the cloud
capability center of Hillstone and the brain of its cloud-network integration. After the service is enabled, your
device is connected to the Hillstone cloud, which provides you with a wider range of threat intelligence,
improves the protection capability of your device, and lets you carry out real-time monitoring, inspection and
report acquisition for the device and its traffic on the cloud anytime and anywhere. These Hillstone cloud
applications can greatly enhance the security, visibility, and usability of networks.

• CloudView: CloudView is a SaaS product. It is deployed on the public cloud to provide users with online
on-demand services. Hillstone devices register with the cloud service platform and upload device information,
traffic data, threat events, system logs and so on to the cloud service platform, and CloudView provides the
visual display. Users can monitor the device status and obtain reports and threat analysis through the Web or
the mobile phone APP. For more information about CloudView, refer to the CloudView FAQs.

• Cloud Sandbox: It is the technology used by the Sandbox function. After a suspicious file is uploaded to the
Hillstone cloud service platform, the cloud sandbox collects the behaviors of the file, analyzes the collected
data, verifies the legality of the file, and sends the analysis result to the system, which deals with the malicious
file according to the configured actions. For specific configurations of the cloud sandbox, refer to Threat
Prevention > Sandbox.

• CloudVista (Threat Intelligence Center): The Threat Intelligence function can upload some elements in the logs
generated by each module, such as IP addresses and domains, to the cloud service platform. The cloud service
platform checks whether the elements have threat intelligence through the threat center. You can view the
threat intelligence information related to the elements in the Threat Intelligence Center.

Connecting to Hillstone Cloud Service Platform

To connect to the Hillstone Cloud Service Platform, take the following steps:

1. Select Configuration Management > System Configuration > Connecting to Hillstone Cloud Service Platform.

2. At the lower-left corner, click the Edit button. The Hillstone Cloud Service Platform configuration page
appears.

In this page, configure the following options.

Address: Enter the IP address or domain name of the cloud service platform. The default value is
cloud.hillstonenet.com.cn.

User: Enter the username of the cloud service platform and bind the device with this account. Click the Register
button to sign up for an account on the Hillstone cloud service login page. Click Unbind to remove the binding
relationship between the device and the account.

Password: Enter the password of the user.

Change Password: When you edit the cloud platform configuration, the Change Password function is available.
After you enable this function, you can enter a new password in the change password field and save the
configuration.

Monitor Data Report: Select the monitor data type that you want to upload to the cloud platform, including the
Traffic Rank. If you enable Select All, all monitor data is uploaded. Currently, only Traffic Rank is supported.

3. Click the Hillstone CloudView button. The Hillstone CloudView page appears.

In this page, configure the following options.

Enable: Click the Enable button to enable the Hillstone CloudView service.

Upload Data Item: Check the checkboxes of the data items that need to be uploaded to the cloud service platform.

Cloud Inspection: Click the Enable button to enable the cloud inspection function. With the cloud inspection
function, the device can receive and execute inspection instructions from the cloud and upload the collected
inspection data to the cloud service platform, which enables you to carry out real-time monitoring and
management on the cloud anytime and anywhere.

Scan QR code to connect to Hillstone CloudView using APP: Scan the QR code with a QR reader app on your
smartphone or mobile device to connect to Hillstone CloudView via the APP.

Visit CloudView: Click the button to visit CloudView.

4. Click the Cloud Sandbox button. In the Cloud Sandbox page, click Sandbox and configure the cloud sandbox
function in the sandbox configuration page. For more information about the cloud sandbox, refer to Threat
Prevention > Sandbox.

5. Click the CloudVista button. In the CloudVista page, click the Enable button to enable the CloudVista service.
The CloudVista service is controlled by license. To use the CloudVista service, install the threat intelligence
license.

6. Click the Enable button to join the user experience improvement program. This function will upload the
threat prevention data to the cloud service platform. The uploaded data will be used for internal research to
reduce the false positives and improve the protection capability of your device.

7. Click EULA & Privacy to read confidentiality and privacy statements, user authorizations and other content.

PKI
PKI (Public Key Infrastructure) is a system that provides public key encryption and digital signature services. PKI
is designed to automate key and certificate management, and to assure the confidentiality, integrity and
non-repudiation of data transmitted over the Internet. A PKI certificate binds a public key to the identity of its
holder, and the binding is attested by a trusted third party, which allows the holder to be authenticated over the
Internet. A PKI system consists of Public Key Cryptography, the CA (Certificate Authority), the RA (Registration
Authority), Digital Certificates and the related PKI storage library.

PKI terminology:

• Public Key Cryptography: A technology used to generate a key pair that consists of a public key and a private
key. The public key is widely distributed, while the private key is known only to the recipient. The two keys in
the key pair complement each other: data encrypted with one key can only be decrypted with the other key of
the pair.

• CA: A trusted entity that issues digital certificates to individuals, computers or any other entities. The CA accepts
requests for certificates and verifies the information provided by the applicants according to its certificate
management policy. If the information is legitimate, the CA signs the certificates with its private key and issues
them to the applicants.

• RA: The extension of the CA. The RA forwards certificate requests to the CA, and also forwards the digital
certificates and CRLs issued by the CA to directory servers in order to provide directory browsing and query services.

• CRL: Every certificate is issued with an expiration date. However, the CA might revoke a certificate before that
date due to key leakage, business termination or other reasons. Once a certificate is revoked, the CA issues a
CRL to announce that the certificate is invalid, listing the serial number of the invalid certificate.

PKI is used in the following situations:

• IKE VPN: PKI can be used by IKE VPN tunnels.

• HTTPS/SSH: PKI applies to the situation where a user accesses a Hillstone device over HTTPS or SSH.

• "Sandbox" on Page 342: supports verification of the trusted certificates of PE files.

Creating a PKI Key

1. Select Configuration Management > System Configuration > PKI > Key.

2. Click New.

In the PKI Key Configuration dialog, configure the following.

Label: Specifies the name of the PKI key. The name must be unique.

Key configuration mode: Specifies how the key is obtained, either Generate or Import.

Key Pair Type: Specifies the type of key pair: RSA, ECC, DSA, or SM2.

Key Modulus: Specifies the modulus of the key pair. The modulus of RSA and DSA is 1024 (the default value),
2048, 512 or 768 bits, and the modulus of SM2 is 256.

EC group: Specifies the EC group of the key pair when you choose ECC. It includes the P-256, P-384 and P-521
elliptic curves. The default EC group is P-256.

Type: Specifies the type of key, either Encryption Key or Key Pair.

  • Encryption Key: protects the signing key pair by digital envelope. If you select this option, you must
specify the signing key pair when importing the key.

  • Key Pair: if you select this option, you must specify the imported key pair type as RSA, DSA or SM2.

Import Key: Browse your local file system and import the key file.

3. Click OK.

Creating a Trust Domain

1. Select Configuration Management > System Configuration > PKI > Trust Domain .

2. Click New.

In the Basic Configuration tab, configure values for the basic properties.

Basic

Trust Domain: Enter the name of the new trust domain.

Enrollment Type: Use one of the following two methods:

  • Select Manual Input, click Browse to find the certificate, and click Import to import it into the system.

  • Select Self-signed Certificate, and the certificate will be generated by the device itself.

  Notes:

  • The system checks the validity of the imported certificate. "Subject Type=CA" needs to be included in
the "Basic Constraints" field of the imported CA certificate.

  • The generated self-signed certificate will contain the "SSL client authentication" or "SSL server
authentication" property.

Key Pair: Select a key pair.

Subject

Name: Enter the name of the subject.

Country (Region): Enter the name of the applicant's country or region. Only a two-letter abbreviation is
allowed, such as CN.

Location: Optional. The location of the applicant.

State/Province: Optional. State or province name.

Organization: Optional. Organization name.

Organization Unit: Optional. Department name within the applicant's organization.

Optional Configuration

IP: Click New to specify the IP address to be added to the Subject Alternative Name list. Both IPv4 and IPv6
addresses are supported.

DNS Name: Click New to specify the DNS name to be added to the Subject Alternative Name list. The value
range is from 1 to 255 characters.

3. Click Apply Certificate, and a string of code will appear.

4. Copy this code and send it to CA via email.

5. When you receive the certificate from the CA, click Browse to import it.

6. (Optional) In the CRL tab, configure the following.

Certification Revocation List

Check:

  • No Check: the system does not check the CRL. This is the default option.

  • Optional: the system accepts the certificate from the peer whether or not the CRL is available.

  • Force: the system accepts the certificate from the peer only when the CRL is available.

URL 1-3: The URL address for receiving the CRL. At most 3 URLs are allowed, and their priority is from 1 to 3.

  • Select http:// if you want to get the CRL via HTTP.

  • Select ldap:// if you want to get the CRL via LDAP.

  • If you use LDAP to receive the CRL, you need to enter the login-DN of the LDAP server and the password.
If no login-DN or password is added, the transmission will be anonymous.

Auto Update: Update frequency of the CRL list.

Manually Update: Get the CRL immediately by clicking Obtain CRL.

7. Click OK.

Importing/Exporting Trust Domain

To simplify configuration, you can export certificates (CA or local) and the private key (in PKCS#12 format) to
a computer and import them into another device.

To export a PKI trust domain, take the following steps:

1. Select Configuration Management > System Configuration > PKI > Trust Domain Certificate.

2. Select a domain from the drop-down menu.

3. Select the radio button of the item you want to export, and click Export. If you choose PKCS, you need to
set a password.

4. Click OK, and select a storage path to save the item.

To import the saved trust domain into another device, take the following steps:

1. Log in to the other device, and select Configuration Management > System Configuration > PKI > Trust
Domain Certificate.

2. Select a domain from the drop-down menu.

3. Select the radio button of the item you want to import, and click Import. If you choose PKCS, you need to
enter the password that was set when it was exported.

4. Click Browse and find the file to import.

5. Click OK. The domain file is imported.

Importing Trust Certification

The system does not perform detection on PE files whose certificate is trusted. To import a trusted certificate for
PE files, take the following steps:

1. Select Configuration Management > System Configuration > PKI > Trusted Root Certificate.

2. Click Import and choose a certificate file in your PC.

3. Click OK and then the file will be imported.

Configuring a Certificate Chain

A certificate chain consists of a root CA certificate, any intermediate CA certificates, and a CA-signed user
certificate. Browsers consider the certificate of the current user valid and trusted only if each certificate in the
certificate chain is valid. A root CA certificate lies at the topmost position of the chain-of-trust hierarchy.
Intermediate certificates branch off root certificates like the branches of a tree. They act as middlemen between
the protected root certificates and the server certificates issued to the public. There will always be at least one
intermediate certificate in a chain, but there can be more than one.

Creating a Certificate Chain

To create a certificate chain, take the following steps:

1. Select Configuration Management > System Configuration > PKI > Cert-chain .

2. Click New.

On the Cert-chain Configuration page, configure the following options:

Name: Specifies the name of the certificate chain, which can be 1 to 31 characters.

Import Certificate Type: Specifies the format of the certificate chain. Valid values: PKCS#7, PKCS#12, and
CERT-BUNDLE. CERT-BUNDLE indicates PEM-formatted certificate chains.

Password: For certificate chains in the PKCS#12 format, you need to specify the password that is used for
decryption.

Certificate: Click Browse and select the certificate chain file that you want to import from your PC. A certificate
chain can contain at most 6 certificates. These certificates need to be able to form a complete chain, but there is
no limitation on their order.

Key Pair: If the type of the certificate chain is PKCS#7 or CERT-BUNDLE, you can import the private key of the
last-level certificate, which is used for encryption and decryption. Click Browse and select the private key file
that you want to import from your PC.

3. Click OK.

Exporting a Certificate Chain

To export a certificate chain to your PC, take the following steps:

1. Select Configuration Management > System Configuration > PKI > Cert-chain .

2. Select a certificate chain from the list.

3. Click Export Cert-chain. If the certificate chain is in the PKCS#12 format, you need to enter a password.

Configuring Certificate Validity Check

By default, the system sends an alarm per day a week before the certificate expires. When the certificate expires,
the system records an event log at critical level.

To configure certificate validity check, take the following steps:

1. Select Configuration Management > System Configuration > PKI > Validity Check.

On the Validity Check page, configure the following options:

Validity Check: Turn on the switch to enable certificate validity check. By default, this function is enabled.

Validity Check Interval: Specifies the interval at which certificate validity is checked. Valid values: 1 to 100, in
hours. Default value: 24.

The Prewarning Time: Specifies how far ahead of certificate expiration warnings begin. Valid values: 1 to 1000,
in hours. Default value: 168.

2. Click OK.
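As an added example, not code from this guide or from Hillstone, the following Go program uses only the standard library to build a constructed chain (root CA, intermediate CA, device certificate), verifies the device certificate the way the certificate chain section above requires (every certificate valid, intermediate present, trusted root), and classifies the device certificate against a prewarning window like the validity check just described. The CA names, serial numbers, the hostname bds.example.internal and all validity periods are assumptions made up for the demonstration; VerifyLeaf and CheckExpiry are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed demo chain: root CA -> intermediate CA -> device certificate.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

const leafName = "bds.example.internal" // constructed hostname for the device certificate

// newKey generates a P-256 key pair (the default EC group in the PKI Key table).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate builds a CA template; CA=TRUE in Basic Constraints is the property
// the trust-domain import checks on an imported CA certificate.
func caTemplate(serial int64, cn string, now time.Time, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// mustSign issues a certificate from tmpl signed with the signer's private key
// (self-signed when parent == tmpl); the CA signing step from the terminology above.
func mustSign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildDemoChain issues the three certificates; the device certificate is valid for leafDays days.
func BuildDemoChain(now time.Time, leafDays int) *Chain {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Demo Root CA", now, 10)
	root := mustSign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := mustSign(caTemplate(2, "Demo Intermediate CA", now, 5), root, &intKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: leafName},
		DNSNames:    []string{leafName}, // Subject Alternative Name, as in the trust-domain table
		NotBefore:   now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, leafDays),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // "SSL server authentication"
	}
	leaf := mustSign(leafTmpl, inter, &leafKey.PublicKey, intKey)
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyLeaf validates the device certificate against the trusted root at time now.
// It returns nil only when every certificate in the chain is valid: leaving out the
// intermediate breaks the chain even though the root itself is trusted.
func VerifyLeaf(c *Chain, withIntermediate bool, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, DNSName: leafName}
	if withIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(c.Intermediate)
	}
	_, err := c.Leaf.Verify(opts)
	return err
}

// CheckExpiry mirrors the validity check: "prewarning" inside the Prewarning Time
// window (default 168 hours), "expired" once NotAfter has passed, otherwise "ok".
func CheckExpiry(cert *x509.Certificate, now time.Time, prewarn time.Duration) string {
	switch remaining := cert.NotAfter.Sub(now); {
	case remaining <= 0:
		return "expired"
	case remaining <= prewarn:
		return "prewarning"
	default:
		return "ok"
	}
}

func main() {
	now := time.Now()
	c := BuildDemoChain(now, 30)
	fmt.Println("complete chain:", VerifyLeaf(c, true, now))
	fmt.Println("without intermediate:", VerifyLeaf(c, false, now))
	fmt.Println("25 days from now:", CheckExpiry(c.Leaf, now.AddDate(0, 0, 25), 168*time.Hour))
}
```

The two failure cases are the ones worth recognising in the WebUI: a Cert-chain import that omits the intermediate, and a device certificate that has silently aged into the prewarning window while Validity Check was disabled.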

Chapter 10 Diagnostic Tool
System supports the following diagnostic methods:

• Packet Capture Tool: captures packets in the system. After capturing the packets, you can export them to
your local disk and analyze them with third-party tools.

• Test Tools: DNS Query, Ping and Traceroute can be used when troubleshooting the network.

Packet Capture Tool
Users can capture packets in the system with the Packet Capture Tool. After capturing the packets, you can export
them to your local disk and analyze them with third-party tools.

Configuring Packet Capture Tools

To capture packets:

1. Select Configuration Management > System Configuration > Diagnostic Tool > Packet Capture Tool.

2. Click New.

In the Packet Capture Configuration page, configure the following options.

Name: Enter the name of the packet capture entry.

Source: Specifies the source IP address or the user/user group of the packet.

  • Address: Select the Address radio button and enter the IP address in the text box.

  • User/User Group: Select the User/User Group radio button and select the user/user group from the
drop-down list.

Destination: Specifies the destination IP address or URL of the packet.

  • Address: Select the radio button and enter the IP address in the text box.

  • URL: Select the radio button and enter the URL in the text box.

Application: Specifies the application type of the packet.

Protocol: Specifies the protocol type or the protocol number of the packet.

Source Port: Specifies the source port of the packet.

Destination Port: Specifies the destination port of the packet.

File Size: Specifies the maximum size of the captured packet file. When the file size reaches the maximum, the
system stops capturing. The value range is from 2M to 20M. The default value is 10M.

Description: Enter the entry description in the text box.

3. Click OK.

4. For each entry, click the Start button in the Capture Packets column to start capturing packets. The system
displays the progress under the table. Hover your mouse over the progress bar, and the system displays the
size of the packets captured so far.

5. To stop capturing packets, click the Stop button next to the progress bar or the Stop button in the Capture
Packets column.

6. After you stop capturing packets or the capturing is completed, click Download to save the captured packets
to a specified location.

Notes:

• The system allows you to create at most 5 packet capture entries.

• For each entry, the system only saves the latest packet capture results. When you start an entry again, the
system asks whether to overwrite or export the results from the last run. Click Cover to overwrite the previous
results; click Export to export them; or click Cancel to cancel the packet capture.

Test Tools
DNS Query, Ping and Traceroute can be used when troubleshooting the network.

DNS Query
To check the DNS working status of the device:

1. Select Configuration Management > System Configuration > Diagnostic Tool > Test Tools.

2. Type a domain name into the DNS Query box.

3. Click Test, and the testing result will be displayed in the list below.

Ping
To check the network connectivity status:

1. Select Configuration Management > System Configuration > Diagnostic Tool > Test Tools.

2. Type an IP address into the Ping box.

3. Click Test, and the testing result will be displayed in the list below.

4. The testing result contains two parts:

• The Ping packet responses. If there is no response from the target before the timeout, it prints Destination
Host Not Response, etc. Otherwise, each response contains the packet sequence number, the TTL and the
response time.

• Overall statistics, including the number of packets sent, the number of packets received, the percentage of
no response, and the minimum, average and maximum response times.

Traceroute
Traceroute is used to test and record the gateways a packet traverses from the originating host to the
destination. It is mainly used to check whether the network connection is reachable and to locate the broken
point in the network. The common Traceroute function works as follows: first, a packet is sent with TTL 1, so the
first hop sends back an ICMP error message indicating that the packet cannot be forwarded (because of the TTL
timeout); then the packet is re-sent with TTL 2, and a TTL timeout is sent back again; this process is repeated
until the packet reaches the destination. In this way, the source address of each ICMP TTL timeout is recorded,
and as a result the path from the originating host to the destination is identified.
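As an added example that is not part of this guide, the following Go program simulates the TTL mechanism just described over a constructed three-hop path: each router decrements the TTL, the router that brings it to zero answers with ICMP Time Exceeded, and the destination answers whatever TTL is left. It also handles the case the description leaves implicit, a router that drops expired probes without answering, which appears as "*" in the trace exactly as a real traceroute prints a non-responding hop. The hop addresses come from documentation ranges and are made up; timing and retries are not modelled.

```go
package main

import "fmt"

// Hop models one router on a constructed path, or the destination itself.
// A silent hop drops a TTL-expired probe without sending ICMP Time Exceeded,
// which is what produces "*" entries in a real trace.
type Hop struct {
	Addr   string
	Silent bool
}

// Probe is one recorded result: the TTL used and the address that answered.
type Probe struct {
	TTL      int
	From     string // "*" when nothing answered within the timeout
	Finished bool   // true when the answer came from the destination
}

// sendProbe forwards one packet with the given TTL along the path. Every
// router decrements the TTL; the router that brings it to 0 answers with ICMP
// Time Exceeded (unless silent). The destination answers with whatever TTL remains.
func sendProbe(path []Hop, ttl int) (from string, finished bool) {
	for i, hop := range path {
		if i == len(path)-1 {
			return hop.Addr, true // reached the destination: echo reply
		}
		ttl--
		if ttl == 0 {
			if hop.Silent {
				return "", false // probe dropped, no ICMP error comes back
			}
			return hop.Addr, false // ICMP Time Exceeded from this router
		}
	}
	return "", false
}

// Traceroute sends probes with TTL 1, 2, 3, ... until the destination answers
// or maxTTL is reached. The source addresses of the ICMP replies, in TTL
// order, are the recovered path.
func Traceroute(path []Hop, maxTTL int) []Probe {
	var trace []Probe
	for ttl := 1; ttl <= maxTTL; ttl++ {
		from, finished := sendProbe(path, ttl)
		if from == "" {
			from = "*"
		}
		trace = append(trace, Probe{TTL: ttl, From: from, Finished: finished})
		if finished {
			break
		}
	}
	return trace
}

// DemoPath is a constructed path built from documentation address ranges:
// two routers, the second of which never sends ICMP errors, then the target.
var DemoPath = []Hop{
	{Addr: "192.0.2.1"},
	{Addr: "198.51.100.1", Silent: true},
	{Addr: "203.0.113.10"},
}

func main() {
	for _, p := range Traceroute(DemoPath, 30) {
		fmt.Printf("%2d  %s\n", p.TTL, p.From)
	}
}
```

When the last recorded probe is not Finished, the trace stopped at maxTTL without the destination answering; that, rather than a "*" in the middle, is the signature of an unreachable target.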

To test and record gateways the packet has traversed by Traceroute:

1. Select Configuration Management > System Configuration > Diagnostic Tool > Test Tools.

2. Type an IP address into the Traceroute box.

3. Click Test, and the testing result will be displayed in the list below.

Chapter 11 CLI
In CLI, you can configure the basic network settings of the device, including the interface settings of MGT0 and
the route settings. You can also restore the device to the factory settings.

Logging into a Device

Connect to a device via Console, Telnet, or SSH. At the login prompt, provide the following parameters:

login: hillstone

password: hillstone

After your credentials are verified, you are logged in to the device and placed in the global configuration mode.

Notes: After the first login, the user needs to modify the default user name and password.

Configuring Interfaces
On a device with an MGT0 interface, you can configure the MGT0 interface from the CLI. This interface is bound to the mgt zone and its default IP address is 192.168.1.1.

In the global configuration mode, use the following command to enter the interface configuration mode:

interface mgt0

In the interface configuration mode, use the command below to bind the interface to a layer 2 zone or a layer 3 zone. Use the no form to cancel the setting.

zone zone-name

In the interface configuration mode, use the command below to set the IP address of an interface. Use the no form to cancel the setting.

ip address ip-address/mask

In the interface configuration mode, use the command below to enable a management protocol on an interface. Use the no form to cancel the setting. Enable only the protocols you need: telnet and http carry credentials in cleartext, so use ssh and https for management access.

manage {ssh | telnet | ping | snmp | http | https}



Configuring Route
In the global configuration mode, use the command below to add a static route:

ip route { A.B.C.D/M | A.B.C.D A.B.C.D} A.B.C.D

• A.B.C.D/M | A.B.C.D A.B.C.D – Specify the destination network, either in prefix-length notation or as an address followed by its mask.

• A.B.C.D – Specify the next hop.
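The commands in Configuring Interfaces and Configuring Route are usually pasted into a console session together. The following is an added example, not part of this guide and not the device's own code: it assembles those command strings from parameters and applies the checks a practitioner would run first (valid host address, no cleartext management protocols unless explicitly allowed, next hop on the MGT0 subnet). It assumes that `exit` leaves the interface configuration mode, which the chapter does not show, and all sample addresses are made up:

```python
"""Assemble and sanity-check the MGT0 CLI configuration from this chapter.

Added example, not part of the Hillstone BDS guide and not the device's own
code. It only builds the command strings documented above (interface mgt0,
zone, ip address, manage, ip route) and applies checks worth running before
the lines are pasted into a console session. Assumptions: `exit` leaves the
interface configuration mode (the guide does not show this command), and all
sample addresses are made up.
"""
import ipaddress

# Protocol keywords accepted by the chapter's `manage` command.
MANAGE_PROTOCOLS = {"ssh", "telnet", "ping", "snmp", "http", "https"}
# The ones that carry credentials or configuration in cleartext.
CLEARTEXT_PROTOCOLS = {"telnet", "http"}


def build_mgt0_config(address, zone, manage, routes, allow_cleartext=False):
    """Return the CLI lines for MGT0, or raise ValueError on inconsistent input.

    address: "A.B.C.D/M" for `ip address`
    zone:    zone name for `zone` (the guide binds MGT0 to the mgt zone)
    manage:  management protocols to enable, one `manage` line each
    routes:  (destination, next_hop) pairs for `ip route`, destination as A.B.C.D/M
    """
    iface = ipaddress.ip_interface(address)  # rejects malformed CIDR notation
    if iface.network.prefixlen < 31 and iface.ip in (
        iface.network.network_address, iface.network.broadcast_address
    ):
        raise ValueError(f"{address} is a network or broadcast address, not a host address")

    lines = ["interface mgt0", f"zone {zone}", f"ip address {iface.with_prefixlen}"]
    for proto in manage:
        if proto not in MANAGE_PROTOCOLS:
            raise ValueError(f"unknown management protocol: {proto}")
        if proto in CLEARTEXT_PROTOCOLS and not allow_cleartext:
            raise ValueError(f"{proto} sends credentials in cleartext; use ssh/https "
                             "or pass allow_cleartext=True to override")
        lines.append(f"manage {proto}")
    lines.append("exit")  # assumed: returns to the global configuration mode

    for destination, next_hop in routes:
        net = ipaddress.ip_network(destination, strict=True)  # e.g. 0.0.0.0/0 for a default route
        hop = ipaddress.ip_address(next_hop)
        # A next hop outside the MGT0 subnet is not directly reachable, so the
        # route would never be usable; catch it before it is committed.
        if hop not in iface.network:
            raise ValueError(f"next hop {hop} is not on the MGT0 subnet {iface.network}")
        lines.append(f"ip route {net.with_prefixlen} {hop}")
    return lines


def config_error(*args, **kwargs):
    """Return the rejection reason for the given input, or None if it is accepted."""
    try:
        build_mgt0_config(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("\n".join(build_mgt0_config(
        "192.168.1.1/24", "mgt", ["ssh", "https", "ping"],
        [("0.0.0.0/0", "192.168.1.254")])))
```

The cleartext check is deliberately a hard failure rather than a warning: enabling telnet or http on the management interface is the kind of choice that should require an explicit override in the calling code, not a line that scrolls past.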

Restore Device to Factory Settings


In the global configuration mode, use the command below to restore the device to factory settings. The command prompts you to choose one of the following options:

unset all

• a - Enter a and press Enter to delete all configurations, including the backup system configurations. The database content is not cleared.

• b - Enter b and press Enter to delete all configurations and all database content, including the backup system configurations, threat logs, reports, and captured packets. Because this option also deletes evidence such as threat logs and captured packets, export anything you still need before choosing it.

• c - Enter c and press Enter to cancel the restore.
