
Chapter 2 Security Management and Operation

Reshape.Security
Embrace Cyber Resilience

© 2022 Hillstone Networks | All rights reserved.


Agenda
1 Default System Management
2 License Management
3 Firmware Upgrading
4 Device Management



Device Management Method
• You can access the device directly or remotely by using CLI or WebUI.
• Management is supported via console, telnet, ssh, http, https

COM
- Baud rate: 9600 or 115200 bit/s
- Data bit: 8
- Stop bit: 1
- Flow control: None

Ethernet0/0 or MGT
- Interface: Eth0/0 or MGT
- Username: hillstone
- Password: hillstone
- Management IP: 192.168.1.1

WebUI
Manage the device via GUI, only HTTPS enabled by default
Default management setting:
- Management Port: ethernet 0/0 or MGT
- https://192.168.1.1
- Username/password: hillstone/hillstone



CLI Access (1)
Manage the device via CLI, only SSH enabled by default
Default management setting:
- Management Port: ethernet 0/0 or MGT
- SSH 192.168.1.1
- Username/password: hillstone/hillstone



CLI Access (2)
Access the device via console
Default management setting:
- Baud rate 9600
- Username/password: hillstone/hillstone



Virtualized Management
• On the virtualized firewall (vFW), the E0/0 management IP will be assigned automatically.
• Use the “show interface” command to see the interface IP, then use https to access the WebUI.



Default Password Change

Under the Level of Protection (LOP) system, default password change is an important security
measure aimed at preventing the misuse of default passwords and unauthorized access.

During the initial login to the StoneOS system, administrators are required to change the default
password. The new password must meet the system's password complexity requirements, which
include numbers, letters, underscores, etc.



CLI Configuration Mode
• Execution mode
Ø The execution mode is the CLI mode right after you enter the username and password. In this mode, you can only configure the device according to your privilege. The command prompt is as follows:
• hostname#
• Global configuration mode
Ø In execution mode, typing “configure” leads you into the global configuration mode where you can modify the device settings. The command prompt is as follows:
• hostname(config)#
• Sub-module configuration mode
Ø Some specific features can only be set in their own sub-module configuration modes. Use different commands to enter different sub-module configuration modes, e.g., the command interface ethernet0/0 leads you to the interface configuration mode of ethernet0/0, where the command prompt is as follows:
• hostname(config-if-eth0/0)# //For example, configure the interface eth0/0



Commonly Used Show Commands

• show version //check system version info.


• show interface //check interface info.
• show ip route //check routings
• show snat //check source NAT
• show dnat //check destination NAT
• show policy //check policy
• show configuration //check current settings
• save //save current settings
• unset all //reset device to factory default



Check System Status - CLI

In CLI, show is used to check system status:
Ø Device Hardware Platform
Ø Device SN
Ø StoneOS version
Ø Device running time/status
Ø Licenses
Ø ……

SG-6000# show version
Hillstone Networks StoneOS software, Version 5.5
Copyright (c) 2009-2020 by Hillstone Networks
Product name: SG-6000-E1600 S/N: 2508132161001434
Assembly number: B102
Boot file is SG6000-M-3-5.5R7P4.bin from flash
Built by buildmaster8 2020/02/11 13:42:52
Uptime is 0 day 22 hours 36 minutes 27 seconds
System language is "en"
VRouter feature: disabled
IPS feature: enabled
IPS magic: 4f091997b9b65ef441b19b86d33f77bf49fb
APP feature: enabled
APP magic: b99d863d7d12a2962d5e98b20f375f0c7791



Check Interface Status - CLI
• Check interface status:

SG-6000# show interface

H:physical state;A:admin state;L:link state;P:protocol state;U:up;D:down;K:ha keep up

====================================================================================================
Interface name   IP address/mask    Zone name   H A L P   MAC address      Description
----------------------------------------------------------------------------------------------------
ethernet0/0      192.168.1.1/24     trust       D U D D   001c.5482.ff63   ------
ethernet0/1      192.168.10.1/24    trust       U U U U   001c.5482.ff64   ------
ethernet0/2      0.0.0.0/0          NULL        D U D D   001c.5482.ff65   ------
ethernet0/3      0.0.0.0/0          NULL        D U D D   001c.5482.ff66   ------
ethernet0/4      200.0.0.200/24     untrust     U U U U   001c.5482.ff67   ------
vswitchif1       0.0.0.0/0          NULL        D U D D   001c.5482.ff74   ------
====================================================================================================
SG-6000#
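The `show interface` table above is the kind of output an administrator reviews after initial setup. The following is an added example, not Hillstone's code: it parses the slide's own sample output into records and applies two hygiene rules of this example's choosing (an interface that carries an address but whose link is down, and an interface that is administratively up but not bound to any zone). The rules are assumptions for illustration, not StoneOS behaviour.

```python
"""Parse StoneOS `show interface` output and flag interfaces worth a second look.

Added example (not Hillstone's code). SAMPLE is the output shown on the slide;
the two health rules are this example's own checks, not StoneOS behaviour.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
H:physical state;A:admin state;L:link state;P:protocol state;U:up;D:down;K:ha keep up
==========================================================
Interface name IP address/mask Zone name H A L P MAC address Description
----------------------------------------------------------------------------------------------------
ethernet0/0 192.168.1.1/24 trust D U D D 001c.5482.ff63 ------
ethernet0/1 192.168.10.1/24 trust U U U U 001c.5482.ff64 ------
ethernet0/2 0.0.0.0/0 NULL D U D D 001c.5482.ff65 ------
ethernet0/3 0.0.0.0/0 NULL D U D D 001c.5482.ff66 ------
ethernet0/4 200.0.0.200/24 untrust U U U U 001c.5482.ff67 ------
vswitchif1 0.0.0.0/0 NULL D U D D 001c.5482.ff74 ------
==========================================================
"""

ADDRESSED_LINK_DOWN = "addressed but link down"
UP_WITHOUT_ZONE = "admin up but bound to no zone"


@dataclass
class Interface:
    name: str
    ip: str
    zone: str
    physical: str   # H column
    admin: str      # A column
    link: str       # L column
    protocol: str   # P column
    mac: str
    description: str


# One data row: name, a.b.c.d/len, zone, four single-letter state columns, MAC, description.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<zone>\S+)\s+"
    r"(?P<h>[UDK])\s+(?P<a>[UDK])\s+(?P<l>[UDK])\s+(?P<p>[UDK])\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*(?P<desc>.*)$"
)


def parse_show_interface(text):
    """Return the data rows of a `show interface` dump; legend and rulers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(Interface(m["name"], m["ip"], m["zone"], m["h"], m["a"],
                                  m["l"], m["p"], m["mac"], m["desc"].strip()))
    return rows


def find_issues(interfaces):
    """Apply this example's two review rules; returns (interface name, finding) pairs."""
    issues = []
    for i in interfaces:
        if i.ip != "0.0.0.0/0" and i.link != "U":
            issues.append((i.name, ADDRESSED_LINK_DOWN))
        if i.admin == "U" and i.zone == "NULL":
            # Unused ports left admin-up and unzoned are candidates for shutdown.
            issues.append((i.name, UP_WITHOUT_ZONE))
    return issues


if __name__ == "__main__":
    for name, finding in find_issues(parse_show_interface(SAMPLE)):
        print(f"{name}: {finding}")
```

On the slide's output this reports ethernet0/0 (management address configured, link down) and the three unzoned interfaces; ethernet0/1 and ethernet0/4 pass both rules.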



Restore to Factory Settings
• Caution: Resetting your device will erase all configurations, including the settings that have been saved.
• CLI
Ø Command: unset all
• WebUI
Ø System>Configuration File Management>Backup Restore>『Restore』
• CLR button (hard reset)
Ø The CLR button is in the pin hole of the device’s front panel. When the admin forgets the device’s password, it can be used to restore the device to factory default.
Ø To restore the device to factory default, take the following steps:
1. Power off the device.
2. Use a pin to press the CLR button through the pinhole, keep pressing and power on the device.
3. Keep pressing the CLR button until the STA and ALM indicators turn constant red, then release the pin; the system will start to reset itself.
4. The system will reboot automatically once restoring is complete.



2 License Management



License

• A license is used to authorize users to access certain functions or services, or to enhance performance.
• Types of licenses include:
Ø Platform License
Ø Function License
Ø Service License



Platform License

Platform Trial License
- Description: The platform license serves as the foundation for the operation of other licenses. If the platform license is invalid, all other licenses will not take effect. The device comes pre-installed with a 15-day trial license, which supports the same functionalities as the official license.
- If expired: You will be unable to modify the existing configuration, and the system will restore to factory defaults when the device reboots.
- Reboot: No need to reboot to take effect

Platform Commercial License
- Description: After the device is officially sold, the official platform license can be installed. This license provides basic firewall functionality and VPN (Virtual Private Network) capabilities.
- If expired: The device can still work normally, but you cannot upgrade to an OS version released after the expiration date.
- Reboot: No need to reboot to take effect



Function License

Virtual System License
- Description: Authorizes the number of available VSYS.
- If expired: No expiration date
- Reboot: Need to reboot the device each time you install this license.

SSL VPN Trial License
- Description: Authorizes the maximum number of SSL VPN connections (the maximum number of SSL VPN users allowed by the platform), but the usage duration is relatively short. The specific duration is determined by the agreement at the time of application, such as 30 days. Multiple SSL VPN trial licenses can be stacked to extend the usage time.
- If expired: The number of available SSL VPN connections returns to the default number.
- Reboot: No need to reboot the device

QoS/iQoS License
- Description: Activates the QoS function.
- If expired: No expiration date
- Reboot: No need to reboot

ZTNA Commercial License
- Description: Authorizes the maximum number of ZTNA (Zero Trust Network Access) connections. It takes precedence over trial licenses. Multiple ZTNA licenses can be combined to allow a higher maximum number of users. In cases where the SCVPN (Site-to-Client VPN) authorization quantity is insufficient, ZTNA licenses can be borrowed to extend the number of SSL VPN connections. However, the ZTNA login method cannot borrow SCVPN licenses.
- If expired: No expiration date
- Reboot: No need to reboot



Service License

Anti Virus (AV) License
- Description: Provides the virus filtering function and virus signature database upgrading.
- If expired: It is not possible to upgrade the virus signature database, but the virus filtering function continues to work normally.
- Reboot: The device needs to be rebooted for the first installation, but subsequent renewals do not require a reboot.

Intrusion Prevention System (IPS) License
- Description: Provides the intrusion prevention function and IPS signature database upgrading.
- If expired: It is not possible to upgrade the IPS signature database, but the IPS function continues to work normally.
- Reboot: The device needs to be rebooted for the first installation, but subsequent renewals do not require a reboot.

URL DB License
- Description: Provides the URL classification database and the online querying function for the URL classification database.
- If expired: The online querying function for the URL classification database is not available, but the custom URL and URL filtering functions continue to work normally.
- Reboot: The device needs to be rebooted for the first installation, but subsequent renewals do not require a reboot.

Application Signature Database License
- Description: Provides application signature database upgrade functionality. Application signature database licenses do not need to be applied for separately; they are issued along with the platform license and have the same validity period.
- If expired: It is not possible to upgrade the APP signature database.
- Reboot: No need to reboot the device



All License Display
• The License page displays not only all licenses supported by this device, but also which of them are installed and which are not installed.



Apply for a License (1)

• Step 1: Generate a license request
• WebUI: System > License > Apply For, fill out the user information and click 『Generate』



Apply for a License (2)

• Step 2: Send the license request to Hillstone Regional Sales/SE (via email, or copy and paste it into the case description field)

• A license request contains:
• Device SN
• Device Model
• Deal registration ID
• Requested license types (such as platform trial, AV, QoS, etc.)
• Customer name
• Contact name
• Contact method
• License requesting code that was generated by StoneOS



Apply for a License (3)
• An email as shown below will be sent from Hillstone if the application is approved and the license has been issued
• Copy the license code and install it on the device.
• A license code starts with “license:” and ends with “==”



Install a License from WebUI
• Step 3: Install the license
Ø WebUI: Click System > License > Import, and select Manual input. Paste the license code here and then click 『Upload』. Alternatively, upload the license file.



Install a License via CLI

• Use the following command to install a license (followed by the license code):
Ø hostname# exec license install <license code>
• The message “successfully install the license!” will be displayed in a few seconds.
• Reboot the device if needed to make the new license take effect.



3 Firmware Upgrading



Device Booting Process

• The firewall start-up system consists of 3 parts:
– Bootloader – The first program started when the device is powered on. The Bootloader loads StoneOS or Sysloader and makes them start.
– Sysloader – The program that upgrades StoneOS and performs other selective operations.
– StoneOS – The operating system running on the device.

• When a device is powered on, the Bootloader tries to start StoneOS or Sysloader. The Sysloader is used to select an existing StoneOS in the system or to upgrade StoneOS via FTP, TFTP or the USB Host interface. Alternatively, you can upgrade the firmware in the WebUI after login.

• The upgrade of Sysloader is performed by the Bootloader via TFTP.



StoneOS Upgrade
System>Upgrade Management
Two copies of the system firmware can be stored on the device. The system backs up the firmware specified by the admin while uploading a new StoneOS version, and the running firmware can be switched between the two copies. Firmware download address: https://images-en.hillstonenet.com/login



Configuration File Management
• Before upgrading the version, it is recommended to back up the configuration file. Click on the 'Backup Restore'
button to create a backup for the current software version. Once the backup is completed, the system will
automatically redirect you to the 'Configuration File Management' page, where the backed-up files will be displayed
in the configuration file list.
• System > Current Configurations



4 System Management



System Time
System > Device Management > System Time
『Sync』with local PC, manually configure, or sync with an NTP server



Signature Database Update
• Two update methods are supported: online update (the FW can access the Internet and a DNS server is configured) and local offline update
- update1.hillstonenet.com
- update2.hillstonenet.com



Password Security

• Password security is an important aspect of ensuring system and data security. Specifying
password policy requirements, password generation and management, storage, protection,
regular password changes, compliance, and audit requirements can enhance password
security and reduce the risks of password guessing, cracking, and misuse. Compliance and
security are crucial to the level of protection.
• Password Security:
Ø Password complexity
Ø Password reset management



Separation of Three Powers

• In Level of Protection 2.0, "System Management," "Audit Management," and "Security Management" impose specific requirements on the management entities, privilege controls, and control processes for system administrators, audit administrators, and security administrators respectively. It also requires that the management system within the Security Management Center adheres to the "separation of powers" authorization management model.

• The concept of a super administrator is abolished, and there are three individuals fulfilling the roles of system administrator, audit administrator, and security administrator. Each person has their own account, and it is mandatory for the administrator and auditor roles to be held by different individuals.



System Administrator
• A default administrator named “hillstone” is bundled with the system with the default password “hillstone”. You can modify its settings (such as changing the password), but this admin account cannot be deleted.

• 4 default roles of administrator accounts (with different privileges):
– Administrator: Permission for reading, executing and writing. This role has authority over all features.
– Administrator (read-only): Permission for reading and executing. You can view the current or historical configuration information.
– Operator: You have authority over all features except modifying the Administrator’s configuration, and no permission to check the log information.
– Auditor: You can only operate on the log information, including viewing, exporting and clearing it.

• User-defined Admin Role



Configure Admin Roles
System>Device Management>Admin Roles:



Configure System Administrator

• System>Device Management>Administrators:

• NETCONF (Network Configuration Protocol): It provides a mechanism for managing network devices, allowing users to use this mechanism to perform operations such as adding, deleting, modifying, and querying network devices.



Trusted Host
• The device only allows trusted hosts to manage the system, which enhances security. The administrator can specify an IP range, and hosts in the specified range are trusted hosts.
• System > Device Management > Trusted Host

Please be careful with the difference: 192.168.1.0/24, 192.168.1.2/24, 192.168.1.2/32

Create the new trusted host first, and then delete the default one.
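The three entries the slide asks you to compare do not admit the same hosts. The following is an added example (not StoneOS code) that uses Python's ipaddress module to expand each entry into the range it covers and to test whether a given management station would be admitted. How a particular firmware treats an entry with host bits set (192.168.1.2/24) is device-specific, so the example reports that ambiguity instead of guessing; the host addresses used for the lookups are constructed.

```python
"""Expand trusted-host entries into the ranges they cover.

Added example, not StoneOS code. The three entries are the ones on the slide;
the lookup addresses are constructed for illustration.
"""
import ipaddress

SLIDE_ENTRIES = ["192.168.1.0/24", "192.168.1.2/24", "192.168.1.2/32"]


def audit(entries):
    """Map each entry to (network it covers, number of addresses, host bits set?).

    An entry whose host bits are set (192.168.1.2/24) names a single address but
    carries a /24 mask; a device may store it as the whole /24, so it is flagged
    for the administrator to rewrite unambiguously.
    """
    report = {}
    for entry in entries:
        iface = ipaddress.ip_interface(entry)   # keeps the literal address
        net = iface.network                     # host bits masked off
        report[entry] = (str(net), net.num_addresses, iface.ip != net.network_address)
    return report


def is_trusted(host, entries):
    """True if `host` falls inside any entry when the entry is read as a network."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def unambiguous(entry):
    """Rewrite an entry so the mask matches the intent: a bare host becomes /32,
    a network keeps its prefix. Ambiguous entries get both candidates back."""
    net, _, host_bits = audit([entry])[entry]
    if not host_bits:
        return [entry]
    host = str(ipaddress.ip_interface(entry).ip)
    return [f"{host}/32", net]


if __name__ == "__main__":
    for entry, (net, count, ambiguous) in audit(SLIDE_ENTRIES).items():
        print(f"{entry:16} covers {net:16} ({count} addresses)"
              + ("  <- host bits set, rewrite as one of " + ", ".join(unambiguous(entry))
                 if ambiguous else ""))
```

Before deleting the default trusted-host entry, run the management station's own address through `is_trusted` against the new list; a /32 that does not match is the classic way to lock yourself out of the WebUI.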
Interface Management

• The system supports access through Console, Telnet, SSH, and WebUI methods. Users can configure the timeout duration, port numbers, and HTTPS’s PKI trust domains for the various access methods.
• When logging into the device using Telnet, SSH, HTTP, or HTTPS, by default, if there are three consecutive login failures from the same IP address within one minute, the system will lock the IP address for two minutes. The locked IP address will be unable to establish a connection with the device during this two-minute period.
• System > Device Management > Management Interface:
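The default lockout rule above (three consecutive failures from one IP within one minute, then a two-minute lock) is easy to misread when reviewing logs: a success clears the counter, and a locked address is refused even with the right password. The following is an added example, not StoneOS code, that models that rule as a small tracker and replays constructed login events through it; the thresholds are parameters so the same tracker can be pointed at your own exported authentication logs.

```python
"""Replay login attempts against the slide's management-interface lockout rule.

Added example, not StoneOS code. Defaults mirror the slide (3 failures / 60 s /
120 s lock); EVENTS are constructed, with documentation-range IPs.
"""
from collections import defaultdict, deque


class LoginLockout:
    def __init__(self, max_failures=3, window=60, lock_duration=120):
        self.max_failures = max_failures
        self.window = window
        self.lock_duration = lock_duration
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lock expires

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        return until is not None and now < until

    def record(self, key, success, now):
        """Feed one attempt; returns 'locked', 'ok', 'fail' or 'lock' (newly locked)."""
        if self.is_locked(key, now):
            return "locked"               # refused outright, password not even checked
        if success:
            self.failures[key].clear()    # a success ends the consecutive-failure run
            return "ok"
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > self.window:   # keep only failures inside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[key] = now + self.lock_duration
            q.clear()
            return "lock"
        return "fail"


# (seconds since start, source IP, success) -- constructed sample events
EVENTS = [
    (0,   "203.0.113.5",  False),
    (10,  "203.0.113.5",  False),
    (20,  "203.0.113.5",  False),   # third failure inside 60 s -> locked until t=140
    (30,  "203.0.113.5",  True),    # correct password, but the IP is still locked
    (150, "203.0.113.5",  True),    # lock expired, login succeeds
    (0,   "198.51.100.9", False),
    (100, "198.51.100.9", False),   # slow guessing: never 3 failures in one window
    (200, "198.51.100.9", False),
]


def replay(events, tracker=None):
    """Return the tracker's verdict for each event in time order."""
    tracker = tracker or LoginLockout()
    return [tracker.record(ip, ok, t) for t, ip, ok in sorted(events, key=lambda e: e[0])]


if __name__ == "__main__":
    for (t, ip, ok), verdict in zip(sorted(EVENTS, key=lambda e: e[0]), replay(EVENTS)):
        print(f"t={t:3d} {ip:14} {'success' if ok else 'failure'} -> {verdict}")
```

The second source in the sample never trips the rule because its failures are spaced further apart than the window, which is why a per-IP lockout is a nuisance control rather than a substitute for trusted-host restrictions and MFA. The account-level rule from Task 2 later in this chapter (three failures, 10-minute lock) is the same tracker keyed by username with `LoginLockout(3, 60, 600)`.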



3rd Party AAA Server Admin Authentication
• System > Device Management > Setting & Option
• RADIUS and TACACS+ servers are supported for device admin authentication. You can log in to the firewall with an account and password from the third-party AAA server and manage the FW.



Multi-factor Authentication

Multi-Factor Authentication (MFA) is a straightforward security practice that adds an additional layer of protection beyond a username and password. With MFA enabled, when users perform actions, they need to provide not only their username and password (first-factor authentication) but also undergo a second-factor authentication. By combining multiple factors of authentication, MFA provides enhanced security for your account and resources.



Security Authentication Management

System > Device Management > Security Authentication Management



Storage Management



Task 1: Initialization Management of Security Devices

• Initialization management of security products is the primary task after the successful deployment of the product. In this task, the administrator needs to perform basic configuration management on the next-generation firewall. This includes interface management, time zone and time settings, and installing and verifying licenses. It is also important to review system-related information to ensure that the current system meets the requirements for secure operation. If necessary, perform operations such as firewall firmware upgrades and updating the signature database.
Ø Update the system time.
Ø Become familiar with license installation and verification.
Ø Understand the firewall upgrade process and associated precautions.
Ø Update the signature database.



Task 2: System Compliance Configuration
• In this task, to ensure proper protection and management of sensitive data and resources, it is important to meet the compliance requirements of the security product. The administrator needs to classify resources and management into different security levels and assign appropriate protective and control measures for each security level. The default administrator user 'hillstone' has the highest level of management and access privileges. Therefore, it is necessary to create different administrator roles to accommodate operations at different security levels and impose certain limitations on the accounts. To address the security risks associated with a single authentication method, it is necessary to implement additional combinations of identity authentication technologies to enhance the security of user accounts.
• Here are some specific configurations to ensure security:
Ø Separation of Powers:
• Create an audit administrator with the username 'auditor' and password 'Hillstone!1'.
Ø Login Restrictions:
• Password Rules: Set a minimum password length of 10 characters, requiring a combination of uppercase letters, lowercase letters, numbers, and special characters, and prohibit the use of historical passwords.
• Login Failure: After three consecutive password entry failures, lock the account for 10 minutes.
• WebUI Login: Hide the HTTPS port 443 and use port 8443 for login.
• Device IP Restriction: Only allow login from the IP subnet 200.0.0.0/24.
Ø Multi-Factor Authentication Techniques:
• When logging into the device, use email to receive a verification code.
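The password rules in Task 2 (minimum 10 characters; uppercase, lowercase, digit and special character all present; no reuse of historical passwords) are enforced by StoneOS itself once configured. The following is an added example, not StoneOS code, that writes the same rule set out as a checker so candidate admin passwords can be vetted before the policy is applied; it also serves the earlier "Password Security" and "Default Password Change" slides. It assumes that any ASCII punctuation character counts as "special", and it keeps the password history as salted PBKDF2 hashes rather than clear text, since a history store must never reveal old passwords.

```python
"""Check a candidate password against the Task 2 rules from the slide.

Added example, not StoneOS code. Assumptions: ASCII punctuation counts as a
special character; history is stored as salt + PBKDF2-HMAC-SHA256 digests.
"""
import hashlib
import hmac
import os
import string

SPECIALS = set(string.punctuation)   # assumption: what counts as "special"
SALT_LEN = 16
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return salt || PBKDF2 digest for storing in the password history."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def matches(password, stored):
    """Constant-time comparison of a candidate against one stored history entry."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_password(candidate, history_hashes=(), min_length=10):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character")
    if any(matches(candidate, h) for h in history_hashes):
        problems.append("reuses a historical password")
    return problems


if __name__ == "__main__":
    # The factory default must go into history so it can never be set again.
    history = [hash_password("hillstone")]
    for pw in ("hillstone", "Hillstone!1"):
        verdict = check_password(pw, history) or ["ok"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

The factory default "hillstone" fails four rules on its own and, once hashed into the history, the reuse rule as well; the auditor password the task specifies passes all of them. Seeding the history with the default credential is a cheap guard against an administrator resetting a device back to the value every attacker tries first.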
+1 408 508 6750
inquiry@hillstonenet.com
5201 Great America Pkwy, #420
Santa Clara, CA 95054
www.hillstonenet.com
