You can manage the device by connecting to its console port or to an Ethernet port.
Picture 1 – Accessing a Device via Console Port:
• Connect the PC serial port to the gateway console port with an RS-232 serial cable.
• On the PC, start a terminal emulation program (HyperTerminal or SecureCRT) and use the following parameters:
  • Baud rate: 9600 bps
  • 8 data bits
  • 1 stop bit
  • No flow control

Picture 2 – Accessing a Device via Ethernet Port (Telnet, SSH, HTTP, HTTPS):
To log in to the WebUI over HTTP/HTTPS, use an Ethernet cable to connect the PC to interface ethernet0/0 of the Hillstone device. This interface has the default IP address 192.168.1.1/24 and has all its services enabled. After assigning your PC an IP address in the same subnet as 192.168.1.1/24, you can open the WebUI at http://192.168.1.1 in a web browser.
The default username and password are both hillstone.

• The Hillstone security appliance enables all management functions on the admin interface ethernet0/0 by default. Its IP address is 192.168.1.1, and the username and password are both hillstone. You can log in to the device through HTTP or HTTPS.
• The WebUI follows the same 3 steps: configure the interface, add a route, and add a policy.

1. System administrators have 4 management roles: Administrator, Administrator (read-only), Operator and Auditor.
2. Privilege: each administrator role has different privileges.
3. Only the Admin/default Admin role can add, edit or delete accounts; administrators in other roles can only modify their own password and use limited features.

1. Administrators in other roles (except the default Admin) can modify their own password and have different privileges. Only the Admin can set their login type and manage the log types.
2. CLI:
SG-6000(config)# admin user username
SG-6000(config-admin)# password
  WORD (length: 1-31)    Password of administrator

SG-6000(config-admin)# role ?
  admin              Administrator role
  admin-read-only    Admin read only role
  auditor            Auditor role
  operator           Operator role

SG-6000(config-admin)# access
  any        Allowed any login type
  console    Allowed login from console
  http       Allowed login from HTTP
  https      Allowed login from HTTPS
  ssh        Allowed login from SSH
  telnet     Allowed login from telnet

SG-6000# show admin user
================================================================
Username    Role             Console  Telnet  SSH  HTTP  HTTPS
----------------------------------------------------------------
hillstone   Admin            Y        Y       Y    Y     Y
admin1      Admin-Read-Only  -        -       -    -     Y
auditor1    Auditor          -        -       -    -     Y
operator1   Operator         -        -       Y    -     Y

1. By default, the device's trusted host IP range is 0.0.0.0/0, which means all hosts are trusted hosts. Every range in the trusted host list is valid, so you should configure a proper trusted IP range and then delete the default range "0.0.0.0/0".
2. You can add a trusted host in 2 ways: IP/netmask (such as 192.168.1.0/24) or IP range (192.168.1.1-192.168.1.100).
With the same mask length (24), 192.168.1.10/24 = 192.168.1.0/24. If you want only 1 PC (192.168.1.10) to be the trusted host, make sure the netmask is 32; otherwise the entry is treated as a subnet address.
3. CLI:
SG-6000(config)# admin host
  any          Any ip address
  range        Add a host range login type
  A.B.C.D      Host IP address
  A.B.C.D/M    Host IP address and mask length

SG-6000(config)# show admin host
=========================================================================
IP range      Login type
-------------------------------------------------------------------------
0.0.0.0/0     Telnet SSH HTTP HTTPS
-------------------------------------------------------------------------

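
An audit of the trusted-host table described above, as an added example that is not part of the original material or Hillstone's code. It parses text in the layout this page shows for "show admin host" and flags the default 0.0.0.0/0 range, CIDR entries whose host bits are ignored, and cleartext login types; the extra sample rows, the layout of an IP-range row, and all function names are assumptions.

```python
import ipaddress

# Constructed sample in the layout shown for "show admin host". Only the
# 0.0.0.0/0 row comes from the page; the other rows (and the way an IP-range
# row is printed) are assumptions made for this example.
SAMPLE_HOSTS = """\
IP range                     Login type
-----------------------------------------------------
0.0.0.0/0                    Telnet SSH HTTP HTTPS
192.168.1.10/24              SSH HTTPS
192.168.1.1-192.168.1.100    HTTPS
10.0.0.5/32                  SSH
"""

CLEARTEXT = {"Telnet", "HTTP"}  # management protocols without encryption


def covered_addresses(spec):
    """Return (normalized spec, number of addresses the entry really trusts)."""
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p) for p in spec.split("-"))
        return spec, int(hi) - int(lo) + 1
    net = ipaddress.ip_network(spec, strict=False)  # 192.168.1.10/24 -> .0/24
    return str(net), net.num_addresses


def audit_trusted_hosts(text):
    """Return a list of (entry, finding) pairs for risky trusted-host rows."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0][0].isdigit():
            continue  # skip the header and the ruler lines
        spec, services = fields[0], set(fields[1:])
        normalized, count = covered_addresses(spec)
        if normalized == "0.0.0.0/0":
            findings.append((spec, "default range: every host is trusted"))
        elif normalized != spec:
            findings.append(
                (spec, f"host bits ignored: trusts all {count} addresses of {normalized}"))
        for proto in sorted(services & CLEARTEXT):
            findings.append((spec, f"cleartext management allowed: {proto}"))
    return findings


if __name__ == "__main__":
    for entry, finding in audit_trusted_hosts(SAMPLE_HOSTS):
        print(f"{entry:28} {finding}")
```
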
You can change the default management ports. Two-factor certificate authentication is also supported (you need to set a PKI certificate on the device).
CLI:
1. Console
SG-6000(config)# console timeout
  <0-60>       Idle time in minutes
2. Telnet
SG-6000(config)# telnet port
  <1-65535>    Telnet service port(23: default)
SG-6000(config)# telnet timeout
3. SSH
SG-6000(config)# ssh port
  <1-65535>    SSH service port(22: default)
SG-6000(config)# ssh timeout
4. HTTP
SG-6000(config)# http port
  <1-65535>    HTTP port (1-65535)
5. HTTPS
SG-6000(config)# https port

show console
show telnet
show ssh
show http

1. System time affects the recorded time of logs, the creation time of VPN tunnels, and schedules. All logs are recorded based on the device system time, so the accuracy of the system time is very important.
2. Three methods can be used to set the system time:
• Synchronize with your local PC time by clicking the Sync button in the WebUI
• Set the time zone, date and time manually in the WebUI, or with the commands "clock time" and "clock zone"
• Automatic synchronization with an NTP server via the NTP protocol

1. Use the command to save the firewall's configuration file;
2. One firewall can store at most 10 copies of configuration files;
3. The startup configuration file saves the initial configuration information that is used when the system starts. You can restore the system configuration to a saved configuration file or to factory default, or you can back up the current configuration;
4. The default configuration file is used when there is no startup file;
5. The system automatically keeps the latest 10 copies of configuration files. The current one is saved as the startup configuration, and the others are marked as backup 0-8 according to their saving time.

1. Save the configuration information of the security gateway in command-line format;
2. One security gateway can save up to 10 configurations;
3. The configuration information saved in the configuration file to initialize the security gateway is called the initial configuration information. The security gateway initializes itself at startup by reading the initial configuration information;
4. If the initial configuration information cannot be found, the security gateway is initialized with its default configuration;
5. The system records the configuration information saved the last ten times. The configuration information saved most recently is recorded as the current initial configuration information of the system and is marked "Startup"; the others are marked Backup 0~8 in succession.

Two copies of system firmware can be stored on a Hillstone device. The system backs up the firmware specified by the admin when a new one is uploaded.
By default, the newly upgraded StoneOS is used to start the device after upgrading. The admin can also specify the StoneOS that is used for the next startup.
The command format may differ between StoneOS versions, so it is better to back up the current system configuration before upgrading to a new StoneOS. After upgrading, you can connect to the console to monitor the boot process and check whether all the configuration is loaded.

You can find the latest firmware at the KB site.

Remote update: make sure the device is connected to the Internet and a DNS server is configured on the device (with PPPoE and DHCP there is no need to set DNS, as the DNS server is assigned automatically).

Local update: for the IPS, AV and URL databases, go to the site update1.hillstonenet.com

Bootloader has 2 working modes: automatic mode and interactive mode.
1. In automatic mode, Bootloader tries to start StoneOS. If no StoneOS is available or the StoneOS is invalid, system booting stops, and the Admin must upgrade StoneOS via Sysloader.
2. If you press the "ESC" key at the prompt while the system is booting, Bootloader switches to interactive mode. The purpose of this mode is to load Sysloader. In this mode, you can start the Sysloader stored in Flash, or download a new Sysloader via TFTP and start it.

StoneOS can be upgraded by:
• Using the command "import image from ftp server server-ip" in the CLI
• Using the upgrade wizard in the WebUI
• Entering Sysloader

Licenses are used to authorize user features and services or to extend performance. If you do not buy and install the corresponding license, the features, services and performance that depend on it cannot be used, or the higher performance cannot be achieved.
First, let's have a look at the platform license. A platform license is a MUST for a device to work. Two types of platform license are offered: Platform Trial and Platform Base.
• Platform Trial
Platform Trial is designed to meet customer trial needs before a final sale. A 15-day platform trial license is pre-installed at the factory. The trial time is accumulated from real device power-on time. Multiple platform trial licenses can be installed on one device to get more trial time. For example, if a device has a 30-day platform trial license and the admin powers on the device 8 hours per day, the device could work for 30*3=90 days.

Note: After the trial has expired, the administrator can NOT make any configuration change to the device. The device can still work under the existing configuration until it is rebooted. For three months after the expiration, one out of 5000 HTTP requests is redirected to a warning page as a reminder that the device needs a formal platform license. After the three months, all HTTP connections are redirected to the warning page.
• Platform Base
Platform Base is the formal license for a device after the final sale. It has an expiration date, which limits StoneOS upgrades and after-sale service.
A device with a 1-year platform license can continue to work after the license expires, but cannot be upgraded to a new StoneOS version.

Licenses are used to authorize the users' features, authorize the users' services, or extend the performance. If you do not buy and install the corresponding license, the features, services, and performance that are based on the license cannot be used or cannot be achieved.

Now let me show you how to apply for a license:
First step: log in to the WebUI, click System -> License, fill out the user information and click Generate. The system automatically generates a unique license request code. Copy this request code and use it to apply for the license.

Please open a new ticket in our case system and paste the code as the case notes. Once we receive the case, we will help generate the trial license.
Step 2:
Submit the license request code together with: device SN; user name; contact name; contact method; requested feature (platform trial, AV, QoS, etc.). You can submit the request through the Hillstone online case platform or send an email to the Hillstone license team.
If you are applying for a trial license, the trial period should be included as well.

After the request is approved, Hillstone sends an email as shown below. You can copy the license code and paste it into the device.
A license code starts with "license:" (with the colon) and ends with "==".

Step 3: Install the license
WebUI: Click System -> License, and select Manual input. Paste the license code and then click OK.
Make sure the license code starts with "license:" (with the colon) and ends with "==".
Reboot the device to make the new feature license take effect.
You can also install the license via the CLI with the following command:
hostname# exec license install <license code>
(copy the code without the leading "license:")
The message "successfully install the license!" will be displayed in a few seconds.
Reboot the device if needed to make the new license take effect.
