
HOW TO WRITE HILLSTONE RFP

2021

Intersecting Human and Artificial Security Intelligence as a Force Multiplier in Enterprise Defense

Hillstone Confidential, For Internal Training Only!


Request For Proposal
• Closing the deal with the Hillstone USP is the ideal case; always try that first.
• There is no 100% neutral RFP; there is always one vendor or two behind it. Whoever
controls the RFP has the biggest chance of winning, so we need to find a way to
influence it.
• If we have the chance to write the RFP, know who our biggest threat and competitor
might be (especially in pricing) and their likely product offering, and tailor the RFP
to limit the major competitors by either blocking them from participating entirely or
forcing them to compete with a much more expensive model.
• The Hillstone RFP Template is located in the Partner Portal.

2
General Rules with Some Examples - 1

Certification
• NSS Labs Recommended – Be careful with it. Know who you want to compete with. Palo Alto, Cisco ASA,
Juniper, Barracuda, Watchguard and Cyberoam are NOT recommended.
• Gartner MQ – Be careful with it. Know who you want to compete with. Hillstone is in both the Enterprise
Firewall and UTM MQ, and recently in the IDPS MQ.

Hardware
• Built-in Dual Power Supply Options – E1606 and above support dual AC, and E1700 and above can
support both dual AC and dual DC.
• Height in Rack Units – For example, a 5U hardware with up to 680Gbps throughput, or 2.5U with up to
80Gbps throughput.
• IO Options – Various numbers of IO options are available with the IOC or IOM modules. For example, E3960
(10Gbps) has 2xSFP+ built in, E3965 (10Gbps) has two 2xSFP+ built in, and can extend to 10xSFP+
ports by adding the IOC-8SFP+.
• Lightning Surge Immunity – All Hillstone firewall products (E/T/X) have a lightning surge protection
design.

Performance – Need to study the specific model and the competitors' potential offering
• Datasheet – Identify the hardware model for the project; try to use multiple performance numbers for that
model.
• Maximum Concurrent Sessions – Always a good weapon to compete against Palo Alto and others.
• New Sessions Per Second – A key performance benchmark to compete against Fortinet and Palo Alto.
• IPSec Throughput – Hillstone has good IPSec throughput.
• Any Other Performance Combination – Study the datasheet.

3
General Rules with Some Examples - 2
Software (Major, E/T/X/V) – See details in the rest of this document or the USP document
• SmartDNS
• NAT Pool Expansion
• Carrier Grade NAT
• Application Routing (P2P, URL, etc.)
• Intelligent LLB
• SLB
• iQoS – 2-Level 8-Pipe Nesting
• iQoS – Flexi-QoS

Software (Major, T/I/S) – See details in the rest of this document or the USP document
• Unknown Threat Detection
• Abnormal Behavior Detection
• Risk Mitigation Measures: automatic mitigation measures for threat behaviors in case of service interruption
• Risk Management: network risk index and risky hosts
• Threat Kill Chain Mapping

Software (Minor)
• Read the following 80+ pages and pick up whatever you feel is useful for your project.
• Need to provide product screenshots as proof.

TCO
• Hillstone is more competitive with more than 1 year of warranty and subscription services; for example,
ask for 5 years of warranty and subscription services.
• Use BDL1 rather than BDL2 for a regular NGFW tender, which will be more competitive.

4
The Devil is in the Detail
The following detailed features are supported in all Hillstone products unless specified otherwise.
What's important is the DETAIL.
You may use these details and the corresponding screen captures for your RFP.

5
Traffic Mirroring (E/T/X/V-E)
The device's Ethernet interface mirroring lets users mirror the traffic of one interface to
another interface (the analytic interface) for analysis and monitoring. The system supports the
following filter conditions: source IP, destination IP, source port, destination port, protocol (TCP, UDP,
ICMP), and also lets you choose the traffic direction: upstream, downstream, bidirectional.

6
NAT444 (E/T/X)
Support NAT444 and be able to export NAT444 static mapping entries.

7
NAT Port Expansion (E/T/X)
To overcome the limitation of public IP resources, the Hillstone device supports NAT port expansion,
which expands the network address port resources of a single public IP after NAT. A single
public IP can be extended to serve up to 880,000 private IPs.

8
NAT Address Availability Track (E/T/X/V-E)
Support NAT public address availability tracking and NAT public address pool availability tracking,
so that business is not interrupted by an unusable public IP address.

9
Bidirectional Forwarding Detection (BFD) (E/T/X)
Support BFD; BFD can integrate with static routes, OSPF routes and BGP routes. It
monitors the forwarding and connection status of the link and detects communication failures
quickly, so that the backup path can be established to restore communication in
time.

10
Comprehensive Routing Support (E/T/X/V-E)
Support static routes, ECMP, PBR, and dynamic IPv4 routing such as BGP, RIPv1/v2, OSPF and ISIS (non-
transparent transmission).

11
PBR (E/T/X/V-E)
Policy-based routing supports route selection based on IP address, service protocol, application and
schedule; it supports weight-based traffic load balancing across at least two links.

12
User-defined ISP Routing (E/T/X)
Be able to upload an ISP routing table and configure routing per ISP.

13
HA Tracking (E/T/X/V-E)
Support interface, HTTP, PING, ARP, DNS and TCP based track objects to trigger HA switch-over.

14
Twin-mode HA (E/X)
Support two HA pairs across active-active data centers, with session and firewall policy sync; support
application migration from one active data center to the other and avoid asymmetric routing issues.

ADMIN-MASTER(M)(config)# show twin-mode

Twin-mode configuration:
Enable: Enable
Mode: active-active
Node ID: 0
Hello interval: 1(s)
Hello threshold: 10
Priority: 49
Preempt: 3(s)
Local IP: 1.1.1.1/24
Peer IP: 1.1.1.2

Twin-mode status:
State: ADMIN-MASTER
Sync state: COLD-SYNC-DONE

Twin-mode peer status:
State: ADMIN-BACKUP
Sync state: COLD-SYNC-DONE
Node ID: 1
Priority: 111
Hello interval: 1(s)
Last update ticks: 3171(s)

Twin-mode link virtual interface:
Control link interface number: 1
ethernet1/2 quality 10
Data link interface number: 1
ethernet1/4 quality 10
Current heartbeat tx interface: ethernet1/2
Current other control tx interface: ethernet1/2

15
DNS Proxy (E/T/X/V-E)
Support multi-exit DNS proxy. It manages the DNS server addresses of the
different WAN links according to configuration; if one link fails, traffic is switched
automatically to another link together with its DNS server, avoiding slow access or
disconnection due to cross-ISP resolution.

16
SmartDNS (E/T/X/V-E)
Support SmartDNS: when Internet users access internal servers, the DNS answer for a
Carrier 1 client is the Carrier 1 address, while the DNS answer for a Carrier 2 client is the Carrier 2
address.

17
Link Overload Protection (E/T/X/V-E)
Support link overload protection. If one Internet link is congested, traffic is switched
automatically to another link. While the interface bandwidth is below the specified high watermark,
the system considers the link normal; once the interface bandwidth reaches or exceeds
the specified high watermark, the system considers the link congested; after congestion has been
declared, the system does not consider the link restored to normal until the interface bandwidth
falls to or below the specified low watermark.

18
Dynamic Switch-over Based on Interface Time Delay
(E/T/X/V-E)
Support dynamic switch-over based on interface time delay: the system measures the time delay to
one or more external destinations from multiple egress interfaces. If an interface's time delay
exceeds the specified threshold, new session traffic is not forwarded via that interface
but via others. When the interface's time delay drops back under the threshold, new
session traffic is again allowed to be forwarded via that interface.
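The two link-selection rules above (watermark hysteresis for link overload, and a delay threshold for the time-delay switch-over), implemented as an added illustration that is not Hillstone code; it combines both checks into a selector for new-session egress. Watermark fractions, delay thresholds and the ISP link names are constructed values.

```python
from dataclasses import dataclass


@dataclass
class OverloadMonitor:
    """Link overload protection as described: the link is declared congested
    once utilisation reaches the high watermark and is only declared normal
    again once it falls to the low watermark (hysteresis avoids flapping).
    Watermarks are fractions of interface bandwidth (constructed values)."""
    high_watermark: float
    low_watermark: float
    congested: bool = False

    def __post_init__(self) -> None:
        if not 0 < self.low_watermark < self.high_watermark <= 1:
            raise ValueError("need 0 < low watermark < high watermark <= 1")

    def update(self, utilisation: float) -> bool:
        """Feed one utilisation sample; return True while the link is congested."""
        if not self.congested and utilisation >= self.high_watermark:
            self.congested = True      # reached the high watermark
        elif self.congested and utilisation <= self.low_watermark:
            self.congested = False     # fell back to the low watermark
        return self.congested


@dataclass
class DelayMonitor:
    """Dynamic switch-over on interface time delay: the interface is excluded
    for new sessions while its delay to the probed destinations exceeds the
    threshold. Assumptions: the worst probe result governs, and a delay
    exactly at the threshold counts as under it."""
    threshold_ms: float
    excluded: bool = False

    def update(self, delays_ms: list) -> bool:
        """Feed the latest probe delays; return True while excluded."""
        self.excluded = max(delays_ms) > self.threshold_ms
        return self.excluded


def run_samples(monitor, samples):
    """Replay a list of samples through one monitor and return its decisions."""
    return [monitor.update(s) for s in samples]


def eligible_for_new_sessions(links, readings):
    """links: {name: (OverloadMonitor, DelayMonitor)};
    readings: {name: (utilisation, [delays_ms])}.
    Returns the sorted link names that pass both checks. Only new sessions
    are steered; existing sessions stay where they are."""
    ok = []
    for name, (overload, delay) in links.items():
        util, delays = readings[name]
        congested = overload.update(util)
        slow = delay.update(delays)
        if not congested and not slow:
            ok.append(name)
    return sorted(ok)


if __name__ == "__main__":
    # Constructed sample: two ISP links, isp1's utilisation spikes then recovers.
    links = {"isp1": (OverloadMonitor(0.9, 0.7), DelayMonitor(100)),
             "isp2": (OverloadMonitor(0.9, 0.7), DelayMonitor(100))}
    for util1 in (0.5, 0.95, 0.8, 0.7):
        print(eligible_for_new_sessions(
            links, {"isp1": (util1, [40]), "isp2": (0.3, [60, 80])}))
```

Note that at 0.8 utilisation isp1 is still excluded, because it was declared congested at 0.95 and the low watermark (0.7) has not yet been reached.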

19
Application Protocol Based Route (E/T/X/V-E)
Support application-based routing, selecting the route based on the application. For example, steer the
traffic of P2P download and P2P video applications to one or more specified Internet links, with
load balancing across multiple links.

20
SLB (E/T/X/V-E)
Support server load balancing with three types of SLB algorithms: weighted hash algorithm,
weighted round robin, and weighted least connection.
Support the real-time display of all server status and current connections in the Web page.

21
Virtual Switch and Virtual Router (E/T/X/V-E)
Support virtual switches; each virtual switch has its own MAC address table.
Support virtual routers; each virtual router has its own routing table.

22
VSYS (E/T/X)
Each virtual system can have customized CPU resources, session number, policy number, zone
number, SNAT number, DNAT number, IPSEC VPN tunnel number, Session limit rules number,
IPS function, URL function, keyword category, logs etc.

23
NetFlow (E/T/X/V-E)
The device can collect users' ingress traffic and send it to a server running a NetFlow data analysis
tool, in order to detect, monitor and bill traffic.

24
DDoS Protection (E/T/X/V-E)
Support defense against the following attacks: DNS Query Flood, SYN Flood, UDP Flood, ICMP
Flood, Ping of Death, Smurf, WinNuke, TCP Split Handshake. Support two actions: log, block.
Support configuring a different threshold and action for each zone.

25
Geo Policy (E/T/X/V-E)
Support to configure policy based on Geolocation.

26
Redundant Policy Check (E/T/X/V-E)
Support policy redundancy check

27
Unified Firewall Policy (E/T/X/V-E)
Built-in, highly integrated intelligent filtering engine, able to configure the following conditions in one
single policy rule: traditional 5-tuple information, Application, Service, Schedule, Security engine
(IPS, URL filter, Antivirus, Sandbox, SSL proxy).

28
Configuration Roll Back (E)
Support configuration roll back

29
Web Authentication (E/T/X/V-E)
Support customized Web authentication page
Support WebAuth based on MAC

31
SSO-NTLM (E/T/X/V-E)
Support SSO-NTLM single sign-on authentication

32
SSO – AD Polling (E/T/X)
Support single-sign-on: Windows AD, Agentless AD SSO function (AD Polling)

33
PIM (E/T)
Support the Protocol Independent Multicast (PIM) function

34
APPID (E/T/X/V-E)
Support to identify and control 3000+ applications, including 200+ mobile applications

35
APPID Category (E/T/X/V-E)
Support application filter with at least six dimensions, including: Name, Category, Subcategory,
Technology, Risk level, Characteristic; Technology includes: Browser based, Client server,
Network protocol, Peer to peer; Risk has total five levels: 1, 2, 3, 4, 5; Characteristic including:
capable of file transfer, widely used, excessive bandwidth, evasive, prone to misuse, tunnels
other applications, has known vulnerabilities, used by malware

36
Session Limiting (E/T/X/V-E)
Support session limit based on source IP, destination IP, schedule, application protocol (mysql,
ms-sql, sqlnet, P2P download, video, game etc.) and limit new connections, concurrent sessions

37
Email Filtering (E/X/V-E)
Support email filter for sender address, recipient address, subject, content, attachment name etc.

38
Data Security (E/T/V-E)
Support file transfer control based on file name, type and size
Support file transfer control in following protocols: HTTP, HTTPS, FTP, SMTP, POP3
Support file signature and suffix identification for over 100 file types
Support content filtering

39
Traffic Quota (E/T)
Support the user traffic quota function

40
SSL Proxy (E/T)
Support 3 SSL proxy work modes: require, exempt, offload. Require mode – cert-subject-name acts as a whitelist; the proxy is applied when the
certificate CN matches a CN in the name list. Exempt mode – cert-subject-name acts as a blacklist; no proxy is applied when the certificate CN
matches a CN in the name list. Offload mode – the proxy is applied when an HTTPS connection is detected; the HTTPS traffic is decrypted and
sent as plaintext to the Web server.
Support customized actions for the SSL proxy; check for expired server certificates; support Decrypt, Block and Bypass actions.
Support blocking SSL/TLS versions: TLS 1.0, TLS 1.1, SSL v3.
Support blocking encryption algorithms: DES, 3DES, RC4, RC2; customize the action for unsupported algorithms.

41
IPSec VPN (E/T/X/V-E)
Support standard IPSec IKEV1, IKEV2 protocols
Support pre-shared key, digital certificate and Xauth to create tunnels.
Support DH group key exchange: group 1, 2, 5, 14, 15, 16
Support Deflate compression algorithm etc.

42
USB-Key (E/T/X/V-E)
Support hardware USB-key authentication by username/password + digital certificate, or by digital
certificate alone; support matching the certificate CN and OU subject fields.

43
SSLVPN - SMS Authentication (E/T/X/V-E)
Support SMS based login authentication

44
SSLVPN – Hardware ID (E/T/X/V-E)
Support client host ID binding authentication

45
SSLVPN Host Check (E/T/X/V-E)
Support checking the security status of the hosts running SSL VPN clients; according to the
check result, the SSL VPN server determines the security level of each host and assigns the
corresponding resource access permission. The checked factors are: operating system, system
patches, IE version, IE security level, file path, running processes, installed services, running services,
firewall, anti-spyware software, antivirus software, auto update, registry key values.

46
SSLVPN – Cookie (E/T/X/V-E)
Support automatic deletion of privacy data such as cookies after disconnection.

47
PKI – CA (E/T/X/V-E)
Support certificate revocation, generate a standard certificate revocation list (CRL), export multiple
3rd-party CRLs at the same time, and support CRL auto update (hourly/daily/weekly).

48
PKI (E/T/X/V-E)
Support PKCS#12 and PKCS#12-der

49
CLI and WebUI Management (E/T/X/V-E)
Support both Command Line Interface, and Web GUI interface for management. Support
scripting from SSH/Telnet terminal

50
System OS Backup (E/T/X/V-E)
Support storing two OS images on the device and choosing the startup firmware in the Web page,
avoiding network disconnection due to incorrect configuration or system problems and assuring
system stability.

51
Password Strength (E/T/X/V-E)
Support to customize minimum password length, password complexity

52
Admin Roles (E/T/X/V-E)
Support at least 3 Admin roles, including Admin, Operator, Auditor

53
Syslog (E/T/X/V-E)
Support standard SYSLOG and binary format logs; support distributed storage of binary logs across
multiple log servers; the distribution algorithm supports Round robin and Src IP hash.

54
Traffic Statistic (E/T/X/V-E)
Support traffic statistics by packet size: 64 byte, 128 byte, 256 byte, 512 byte.

55
System Load Statistics (E/T/X/V-E)
Support to display device total traffic, interface traffic, new sessions/s, concurrent sessions in
Web page

56
Per IP Statistics (E/T/X/V-E)
Support IP based statistics for total traffic, upstream traffic, downstream traffic, concurrent
sessions in real-time, last 60 minutes, last 24 hours, last 30 days

57
APP Statistics (E/T/X/V-E)
Support application based statistics for traffic, concurrent sessions in real-time, last 60 minutes,
last 24 hours, last 30 days

58
URL Statistics (E/T/X/V-E)
Support the URL statistics in bar chart or pie chart for real-time, last 60 minutes, last 24 hours,
last 30 days URL hit.

59
iQoS (E/T/X/V-E)
Support two-level, 8-layer pipe nesting, able to do two-dimensional traffic control.
Support setting max and min bandwidth for multi-layer pipes and limiting the min/max
bandwidth per IP/user.

60
URL Filtering (E/T/X/V-E/CloudHive/S)
Support 64+ URL categories, control access to bad websites, and support querying the URL category
database for a specific URL.
Support URL control based on URL keyword.
Support customized URL warning page for block and audit.

61
Safe Search (E/T/V-E)
Support safe search function in URL filtering profile to detect the "SafeSearch" setting of search
engine and perform corresponding control actions.

62
IPS Configuration (E/T/X/V-E/CloudHive/S/I)
Support two working modes: IPS and log only; support enabling IPS in security policy
and zone; enable IPS based on attack direction (at least ingress/egress/bidirectional).

63
IPS Signature (E/T/X/V-E/CloudHive/S/I)
8000+ IPS signatures; support searching signatures by protocol type, operating system,
attack type, severity, signature ID etc.
4000+ HTTP signatures

64
SQL and XSS (E/T/X/V-E/CloudHive/S/I)
Support SQL injection protection, XSS injection protection, support protection for HTTP check
point: URI, Cookie, Referer, Post

65
IPS – External Link Check (E/T/X/V-E/CloudHive/S/I)
Support external link check, support customized external link exception for type HTTP, HTTPS,
FTP

66
Challenge Collapsar (CC) Attack Protection
(E/T/X/V-E/CloudHive/S/I)
Support CC attack protection with request limit, proxy limit, customized threshold, and crawler-
friendly methods. Support 4 authentication methods: JS Cookie, Redirect, Access confirm,
CAPTCHA.

67
Embedded IPS Knowledge Base
(E/T/X/V-E/CloudHive/S/I)
Embedded IPS knowledge base with detailed signature description and solution

68
AV Signature (E/T/X/V-E/CloudHive/S/I)
Over 2 million virus signatures

69
AV Configuration (E/T/X/V-E/CloudHive/S/I)
Support enabling the AV function based on security policy and zone.

70
AV Features (E/T/X/V-E/CloudHive/S/I)
When a virus or malicious website is detected, support at least 3 actions: fill magic, reset
connection, log only.
Support virus detection in compressed files such as RAR, ZIP, GZIP, BZIP2, TAR; support multi-
layer compressed file detection for no less than 5 decompression layers, and customize the action
when the limit is exceeded.

71
AV Warning (E/T/X/V-E/CloudHive/S/I)
Support warnings for malicious websites and viruses, alerting the user that the website is malicious
or that a virus has been detected.

72
AV Encrypted File (E/T/X/V-E/CloudHive/S/I)
Support customized action for encrypted compressed file

73
SandBox (E/T/V-E/S/I)
Support PE file detection.
Support a whitelist setting: whitelisted files are not uploaded for detection.
Support enabling the sandbox based on security policy.
Sandbox analysis feedback should include: process behavior, registry behavior etc.
Support checking threat logs based on the sandbox threat detection engine.

74
Anti-Spam (T/S/I)
Support Real-time Spam Classification and Prevention
Support both SMTP and POP3 email protocols
Support both inbound and outbound detection

75
Botnet C&C Prevention (E/T/V-E/S/I)
Effectively discover intranet bots and prevent further attacks of advanced threats by comparing
obtained information with the C&C address database.
Support two types of C&C address database: IP address database (excluding IPv6 addresses) and domain database.
Support TCP, HTTP and DNS protocol detection.

76
IP Reputation (E/T/X/V-E/S)
Support filtering traffic from IPs with low IP reputation, including Botnet, Spam, Tor nodes,
Compromised, Brute-forcer, and so on.
Support logging, dropping or blocking packets if the malicious traffic hits the IP reputation list.
Support filtering bot IP addresses and Botnet server IPs.

77
Alarm (E/T/X/V-E)
Support continuous alarms and peak alarms. Continuous alarm: if the detected data is higher/lower than the set threshold and stays so for a
certain period, a continuous alarm is generated. Peak alarm: if the detected data is higher/lower than the set threshold, a peak alarm is generated.
Support triggering conditions based on device CPU utilization, memory utilization, disk space utilization, SNAT resources, new sessions,
concurrent sessions, chassis temperature, CPU temperature, and interface total/uplink/downlink bandwidth; monitor the device in real time and
generate an alarm to the Admin if a condition is triggered.
Support real-time detection and alarms for the accessibility and usability of network nodes, including latency and packet loss rate; support
real-time monitoring of service/network nodes, including: WEB, Email, file service (FTP), LDAP, DNS and customized protocols.

78
Global Fault Detection (T/S/I)
Support fault detection based on zone, interface, service, application, user, time etc.; provide a
graphic display in the WEB page for policy, session limit, QoS, SNAT, DNAT etc. to locate the fault
point faster.

79
Packet Path Detection (E/T/S/I)
Support a packet path detection tool using emulated packets, online packets etc., providing a graphic
display in the WEB page of the whole process a packet goes through in each FW function
module, which helps to quickly locate the abnormal module.

80
Packet Capture Tool (T/S/I)
Support an online packet capture tool, which can capture online packets according to
source address, destination address, application, protocol, source port, destination port, file size
etc.

81
Reporting (E/T/S/I)
Support automatically generating reports in PDF format and sending them via FTP.
Support generating reports on a schedule: day, week, month, year.
Support report items on security threats, network traffic, URL content, system etc.

82
Risky Host Detection (E/T/S/I)
Support to display host risk status in WEB page

83
IPS Packet Capture (T/S/I)
Support packet capture for global IPS signature database or specific protocols

84
Unknown Malware (T/S/I)
Support identifying and preventing malware, including: Trojan, Worm, Virus, Adware, Riskware,
Hacking tool, Grayware, Spyware etc.
Adopt an advanced threat detection engine that uses behavior analysis technology to detect unknown
threats (such as shell and variants), and provide detailed analysis of the unknown threat, including:
name, domain, known malware URL, URI, malware certainty etc.

85
Forensic Analysis (T/S/I)
Support to view and download PCAP in WEB page

86
ATD Signature (T/S/I)
Independent update file for ATD database, support auto update and manual update

87
ABD (T/S/I)
Abnormal behavior detection: adopt an abnormal behavior detection engine that automatically learns
host and server behaviors and generates a high threshold, low threshold, actual value and predictive
value, then analyzes hidden abnormal behavior based on baseline deviation together with the ABD
database.

88
Server Profiling (T/S/I)
Server abnormal behavior detection: monitor and model the WEB server in real time,
generating a high threshold, low threshold, actual value and predictive value, and analyze the abnormal
behavior of the Web server based on baseline deviation together with the ABD database.

89
ABD Signature (T/S/I)
Independent update file for ABD database, support auto update and manual update

90
Auto Risk Mitigation (T/S/I)
Support auto mitigation of threat behavior to avoid serious impact on the business. Actions include: bandwidth control,
session control (new sessions and concurrent sessions), IP block.
Have a mitigation rule database and allow mitigation rules to be customized; the mitigation rule database is an independent file and
supports auto update and manual update.

91
Compromised Hosts Detection and Report (T/S/I)
Support statistics and display of the attacks a host received, evaluate the host risk and generate
the risk level (critical, high, medium, low); allow checking the detailed log information for a specific
host, including: threat name/type, attacker, victim etc.

92
Risky Host Stats (T/S/I)
Support displaying the number of hosts at each risk level; support filtering by real-time, last 60
minutes, last 24 hours, last 7 days, last 30 days, or a customized time range.

93
Threat Stats (E/T/S/I)
Support displaying the number of threats at each risk level; support filtering by real-time, last 60
minutes, last 24 hours, last 7 days, last 30 days, or a customized time range.

94
Risk Originating (T/S/I)
Support geolocation display for the threat source or risky host. Support displaying the geolocation
of a threat or risky host on a threat map (such as country: China, US etc.).

95
Manual Risk Analysis (T/S/I)
The administrator can manually arbitrate a threat.

96
Cyber Kill Chain Mapping (T/S/I)
Ability to map detected threats onto the cyber kill chain and show their stages.

97
Cloud-based Threat Intelligence Push Service (S/I)
This feature pushes the most popular threat intelligence information in the industry in the form of
a pop-up window.

98
SD-WAN VPN Network (HSM)
Create a VPN network bound to a Hub node and generate the VPN configuration profile.

99
SD-WAN Configuration Package (HSM)
The configuration bundle is used to issue service configurations after the VPN network is established,
including policies, routing, NAT, and interfaces.

100
SD-WAN ZTP Configuration (HSM)
The generated ZTP configuration package is used for the default configuration of branch device
deployment.

101
+1 408 508 6750
inquiry@hillstonenet.com
5201 Great America Pkwy, #420
Santa Clara, CA 95054
www.hillstonenet.com
102
