Hillstone Firewall Maintenance Manual


Hillstone Firewall Maintenance Manual, 2022/10/17

1. Overview

As a key device in the enterprise core network, the firewall must protect every flow entering and leaving the network. Critical real-time business systems require the network to provide uninterrupted 7x24 protection, so keeping the firewall running reliably, and diagnosing and recovering quickly when it fails, is the main job of the maintenance staff.

Hillstone firewalls provide extensive redundancy mechanisms and fault-diagnosis and troubleshooting methods. Routine management keeps the firewall in a reliable state, and when a fault occurs an effective troubleshooting path restores network operation in the shortest possible time.

This document is a fairly systematic summary of routine Hillstone firewall maintenance, intended as operations guidance for firewall maintainers.

2. Routine Hillstone firewall maintenance

The goal is reliable operation and rapid recovery when faults occur. The main approach: proactive routine maintenance removes latent faults before they develop; when a fault does occur, appropriate diagnostic mechanisms and effective troubleshooting methods restore network operation promptly; after the fault is handled, a review and improvement step prevents recurrence.

2.1. Routine maintenance of the firewall hardware

2.1.1. Equipment room requirements

The room must be kept clean, with no dust on the firewall.

Operating temperature: 0 °C to 40 °C
Operating humidity: 10% to 95%

2.1.2. Power supply check

Check that the firewall power plugs are not loose.

Check the colour of the firewall power LEDs:

LED    Colour         Meaning
PWR1   solid green    power supply 1 working normally
PWR1   solid orange   power supply 1 abnormal
PWR1   solid red      power supply 1 abnormal, system is shut down
PWR2   solid green    power supply 2 working normally
PWR2   solid orange   power supply 2 abnormal
PWR2   solid red      power supply 2 abnormal, system is shut down

2.1.3. Fans

On low-end models the fans are fixed inside the chassis; on high-end models they are modular and hot-swappable. Check whether the fan LED shows an alarm and whether the airflow is adequate.

FAN LED colour:

solid green    fans working normally
solid orange   one fan has failed; the system keeps running
solid red      serious fan-system fault; the system will shut down automatically

2.1.4. Front-panel LED check

The front-panel LEDs show at a glance which part of the firewall has failed and how the firewall is running.

Hillstone (山石) Daily Maintenance Manual


Hillstone Firewall Maintenance Manual, Hillstone Networks (山石网科), 20XX year X month

Contents
1 Overview
2 Routine Hillstone firewall maintenance
  Routine maintenance of the firewall hardware
    Equipment room requirements
    Power supply check
    Fans
    Front-panel LED check
    Module and data interface check
  Routine maintenance of the firewall system
    OS version check
    Temperature and fan check
    Session utilisation check
    CPU utilisation check
    Memory utilisation check
    Interface status check
    Route check
    FIB status check
    Log check
  Guide to common faults
    Handling high firewall CPU
    Handling an excessive device session count
    Handling HA anomalies
    Handling packet loss for internal users
    Handling destination NAT that does not take effect
    Handling a device that cannot be managed
    Policy configuration and optimisation
  Troubleshooting tools
    System diagnostic tools
    debug diagnosis and troubleshooting
  Firewall backup and restore
    Configuration backup
    Configuration restore
    Factory configuration
  Firewall software upgrade
  Common firewall commands
    View the device serial number
    Restart the firewall
    View interface status
    View security zones
    View the routing table
    View security policies

Hillstone X-Series Data Center Firewall X10800 datasheet


Hillstone X-Series Data Center Firewall X10800

The Hillstone X10800 Data Center Firewall offers outstanding performance, reliability and scalability for high-speed service providers, large enterprises and carrier networks. The product is based on an innovative, fully distributed architecture that delivers high throughput, high concurrent-connection counts and high new-session rates. The X10800 also supports large-capacity virtual firewalls, providing flexible security services for virtualized environments, and features such as application identification, traffic management, intrusion prevention and attack prevention to protect data center network security.

Product Highlights

High performance based on the Elastic Security Architecture
With traffic growing explosively, data center firewalls must handle high traffic volumes and massive concurrent user access, as well as sudden bursts of user activity. They therefore need not only high throughput but also very high concurrent-connection and new-session processing capacity. The X10800 uses a fully distributed architecture in which service traffic is processed at high speed on Service Modules (SSMs) and Interface Modules (IOMs) through intelligent traffic distribution algorithms. Patented resource management algorithms make full use of the distributed multi-core processor platform, further raising concurrent-connection and new-session performance and achieving fully linear scaling of system performance. The X10800 can process up to 1 Tbps, up to 10 million new sessions per second and up to 480 million concurrent connections. It can provide up to 44 100GE interfaces plus 88 10GE interfaces, or 22 40GE interfaces plus 132 10GE interfaces. Packet forwarding delay is under 10 µs, which meets a data center's need for real-time service forwarding.

Carrier-grade reliability
The hardware and software of the X10800 deliver 99.999% carrier-grade reliability. Active/active or active/passive redundant deployment keeps service uninterrupted during a single failure. The whole system is modular, with control-module, service-module, interface-module and switching-module redundancy, and all modules are hot-swappable. The X10800 supports multi-mode and single-mode optical bypass modules: under special conditions such as power loss the system enters Bypass mode so that business traffic keeps flowing. Power and fan redundancy protect the other key components. Twin-mode HA solves the asymmetric-traffic problem of redundant data centers: it is a highly reliable networking mode built on dual-device backup, in which two active/passive firewall pairs in the two data centers are connected via dedicated data and control links and synchronize session and configuration information with each other.

Leading virtual firewall technology
Virtualization is used more and more widely in data centers. The X10800 can logically divide one physical firewall into more than 1000 virtual firewalls to serve the virtualization needs of large data centers. Resources such as CPUs, sessions, number of policies and ports can be assigned dynamically to each virtual firewall according to actual business conditions, so that service traffic can change flexibly in a virtualized environment. Each virtual firewall has independent system resources and can be managed individually and granularly, providing independent security management planes for different services or users.

Granular application control and comprehensive security
The X10800 uses in-depth application identification technology to accurately identify thousands of network applications based on protocol features, behaviour characteristics and correlation analysis, including hundreds of mobile applications and encrypted P2P applications, and provides sophisticated and flexible application security controls. Its intrusion prevention is based on deep application identification, protocol detection and attack-principle analysis; it detects threats such as Trojans, worms, spyware, vulnerability attacks and evasion attacks and provides L2-L7 network security. The Web protection function meets the deep protection requirements of Web servers, and the botnet filtering function protects internal hosts from infection. URL filtering backed by a signature library of tens of millions of URLs helps administrators implement web access control and avoid infiltration through malicious URLs. The anti-virus feature detects and blocks malware with low latency. Intelligent bandwidth management, based on deep application identification and user identification and combined with service application priorities, implements fine-grained two-layer, eight-level traffic control based on policies and provides elastic QoS. Used together with session restrictions, policies, routing, link load balancing and server load balancing, it gives users more flexible traffic management.

Strong network adaptability
The X10800 fully supports next-generation Internet deployment technologies (dual stack, tunnelling, DNS64/NAT64 and other transition technologies). Its mature NAT444 capability supports static mapping of fixed port blocks of external addresses to intranet addresses, and it generates logs per session and per user for traceability. Enhanced NAT functions (full-cone NAT, port multiplexing and so on) meet the requirements of current ISP networks and reduce the cost of network construction. The X10800 is fully compliant with standard IPSec VPN and integrates third-generation SSL VPN for a high-performance, high-capacity, full-scale VPN solution. Its plug-and-play VPN greatly simplifies configuration and maintenance and provides convenient remote secure access.

Features

Network Services
• Dynamic routing (OSPF, BGP, RIPv2)
• Static and policy routing
• Route controlled by application
• Built-in DHCP, NTP, DNS server and DNS proxy
• Tap mode: connects to a SPAN port
• Interface modes: sniffer, port aggregated, loopback, VLANs (802.1Q and trunking)
• L2/L3 switching and routing
• Virtual wire (Layer 1) transparent inline deployment

Firewall
• Operating modes: NAT/route, transparent (bridge) and mixed mode
• Policy objects: predefined, custom and object grouping
• Security policy based on application, role and geo-location
• Application Level Gateways and session support: MSRCP, PPTP, RAS, RSH, SIP, FTP, TFTP, HTTP, dcerpc, dns-tcp, dns-udp, H.245 0, H.245 1, H.323
• NAT and ALG support: NAT46, NAT64, NAT444, SNAT, DNAT, PAT, Full Cone NAT, STUN
• NAT configuration: per policy and central NAT table
• VoIP: SIP/H.323/SCCP NAT traversal, RTP pinholing
• Global policy management view
• Security policy redundancy inspection, policy group, policy configuration rollback
• Policy Assistant for easy detailed policy deployment
• Policy analysis and invalid policy cleanup
• Comprehensive DNS policy
• Schedules: one-time and recurring

Intrusion Prevention
• Protocol anomaly detection, rate-based detection, custom signatures, manual, automatic push or pull signature updates, integrated threat encyclopedia
• IPS actions: default, monitor, block, reset (attacker IP or victim IP, incoming interface) with expiry time
• Packet logging option
• Filter-based selection: severity, target, OS, application or protocol
• IP exemption from specific IPS signatures
• IDS sniffer mode
• IPv4 and IPv6 rate-based DoS protection with threshold settings against TCP SYN flood, TCP/UDP/SCTP port scan, ICMP sweep, TCP/UDP/SCTP/ICMP session flooding (source/destination)
• Active bypass with bypass interfaces
• Predefined prevention configuration

Anti-Virus
• Manual, automatic push or pull signature updates
• Flow-based antivirus: protocols include HTTP, SMTP, POP3, IMAP, FTP/SFTP
• Compressed file virus scanning

Attack Defense
• Abnormal protocol attack defense
• Anti-DoS/DDoS, including SYN flood and DNS query flood defense
• ARP attack defense

URL Filtering
• Flow-based web filtering inspection
• Manually defined web filtering based on URL, web content and MIME header
• Dynamic web filtering with a cloud-based real-time categorization database: over 140 million URLs in 64 categories (8 of which are security related)
• Additional web filtering features: filter Java applets, ActiveX or cookies; block HTTP POST; log search keywords; exempt encrypted connections in certain categories from scanning, for privacy
• Web filtering profile override: allows an administrator to temporarily assign different profiles to a user/group/IP
• Web filter local categories and category rating override

IP Reputation
• Identify and filter traffic from risky IPs such as botnet hosts, spammers, Tor nodes, breached hosts and brute-force sources
• Logging, dropping packets or blocking for different types of risky IP traffic
• Regular IP reputation signature database upgrade

Endpoint Identification and Control
• Identify endpoint IP, endpoint quantity, on-line time, off-line time and on-line duration
• Supports 10 operating systems, including Windows, iOS, Android etc.
• Query by IP, endpoint quantity, control policy, status etc.
• Identification of the number of endpoints accessing across layer 3, with logging and interference for IPs over the limit
• Redirect page shown after a custom interference operation
• Blocking of IPs over the limit

Application Control
• Over 3,000 applications that can be filtered by name, category, subcategory, technology and risk
• Each application carries a description, risk factors, dependencies, typical ports used and URLs for further reference
• Actions: block, reset session, monitor, traffic shaping
• Identify and control cloud applications
• Multi-dimensional monitoring and statistics for cloud applications, including risk category and characteristics

Quality of Service (QoS)
• Max/guaranteed bandwidth tunnels on an IP/user basis
• Tunnel allocation based on security zone, interface, address, user/user group, server/server group, application/app group, TOS, VLAN
• Bandwidth allocated by time, priority or equal bandwidth sharing
• Type of Service (TOS) and Differentiated Services (DiffServ) support
• Prioritized allocation of remaining bandwidth
• Maximum concurrent connections per IP
• Bandwidth allocation based on URL category
• Bandwidth limit by delaying access for a user or IP
• Automatic expiration cleanup and manual cleanup of user traffic counters

Server Load Balancing
• Weighted hashing, weighted least-connection and weighted round-robin
• Session protection, session persistence and session status monitoring
• Server health check, session monitoring and session protection

Link Load Balancing
• Bi-directional link load balancing
• Outbound link load balancing includes policy-based routing, ECMP and weighted, embedded ISP routing and dynamic detection
• Inbound link load balancing supports SmartDNS and dynamic detection
• Automatic link switching based on bandwidth, latency, jitter, connectivity, application etc.
• Link health inspection with ARP, PING and DNS

VPN
• IPSec VPN
  - IPSec Phase 1 mode: aggressive and main ID protection mode
  - Peer acceptance options: any ID, specific ID, ID in dialup user group
  - Supports IKEv1 and IKEv2 (RFC 4306)
  - Authentication method: certificate and pre-shared key
  - IKE mode configuration support (as server or client)
  - DHCP over IPSec
  - Configurable IKE encryption key expiry, NAT traversal keep-alive frequency
  - Phase 1/Phase 2 proposal encryption: DES, 3DES, AES128, AES192, AES256
  - Phase 1/Phase 2 proposal authentication: MD5, SHA1, SHA256, SHA384, SHA512
  - Phase 1/Phase 2 Diffie-Hellman support: groups 1, 2, 5
  - XAuth as server mode and for dialup users
  - Dead peer detection
  - Replay detection
  - Autokey keep-alive for Phase 2 SA
• IPSec VPN realm support: allows multiple custom SSL VPN logins associated with user groups (URL paths, design)
• IPSec VPN configuration options: route-based or policy-based
• IPSec VPN deployment modes: gateway-to-gateway, full mesh, hub-and-spoke, redundant tunnel, VPN termination in transparent mode
• One-time login prevents concurrent logins with the same username
• SSL portal concurrent user limiting
• SSL VPN port-forwarding module encrypts client data and sends it to the application server
• Supports clients that run iOS, Android and Windows XP/Vista, including 64-bit Windows
• Host integrity checking and OS checking before the SSL tunnel connects
• MAC host check per portal
• Cache cleaning option before an SSL VPN session ends
• L2TP client and server mode, L2TP over IPSec and GRE over IPSec
• View and manage IPSec and SSL VPN connections
• PnPVPN

The weaker entries in the proposal lists (DES, 3DES, MD5, SHA1 and DH groups 1, 2 and 5) are there for interoperability with legacy peers; DES has a 56-bit key, 3DES is disallowed by NIST after 2023, MD5 is disallowed for IKE integrity, and 1024-bit and smaller DH groups are below the accepted minimum. Build new tunnels from the strongest options both peers support and delete the weak proposals rather than leaving them enabled.

IPv6
• Management over IPv6, IPv6 logging and HA
• IPv6 tunnelling, DNS64/NAT64 etc.
• IPv6 routing protocols, including static routing, policy routing, IS-IS, RIPng, OSPFv3 and BGP4+
• IPS, application identification, URL filtering, access control, ND attack defense, iQoS
• Track address detection

VSYS
• System resource allocation to each VSYS
• CPU virtualization
• Non-root VSYS support for firewall, IPSec VPN, SSL VPN, IPS, URL filtering
• VSYS monitoring and statistics

High Availability
• Redundant heartbeat interfaces
• Active/Active and Active/Passive mode
• Standalone session synchronization
• HA reserved management interface
• Failover: port, local and remote link monitoring; stateful failover; sub-second failover; failure notification
• Deployment options: HA with link aggregation; full mesh HA; geographically dispersed HA

Twin-mode HA
• High availability mode among multiple devices
• Multiple HA deployment modes
• Configuration and session synchronization among multiple devices

User and Device Identity
• Local user database
• Remote user authentication: TACACS+, LDAP, RADIUS, Active Directory
• Single sign-on: Windows AD
• 2-factor authentication: 3rd-party support, integrated token server with physical and SMS tokens
• User- and device-based policies
• User group synchronization based on AD and LDAP
• Support for 802.1X, SSO Proxy
• WebAuth page customization
• Interface-based authentication
• Agentless AD SSO (AD polling)
• User authentication synchronization based on SSO-monitor
• MAC-based user authentication

Administration
• Management access: HTTP/HTTPS, SSH, telnet, console
• Central management: Hillstone Security Manager (HSM), web service APIs
• System integration: SNMP, syslog, alliance partnerships
• Rapid deployment: USB auto-install, local and remote script execution
• Dynamic real-time dashboard status and drill-in monitoring widgets
• Language support: English

Logs & Reporting
• Logging facilities: local memory and storage (if available), multiple syslog servers and multiple Hillstone Security Audit (HSA) platforms
• Encrypted logging and log integrity with HSA scheduled batch log uploading
• Reliable logging using TCP option (RFC 3195)
• Detailed traffic logs: forwarded and violating sessions, local traffic, invalid packets, URL etc.
• Comprehensive event logs: system and administrative activity audits, routing and networking, VPN, user authentication, WiFi-related events
• IP and service port name resolution option
• Brief traffic log format option
• Three predefined reports: security, flow and network reports
• User-defined reporting
• Reports can be exported in PDF, Word and HTML via e-mail and FTP

Statistics and Monitoring
• Application, URL and threat event statistics and monitoring
• Real-time traffic statistics and analytics
• System information such as concurrent sessions, CPU, memory and temperature
• iQoS traffic statistics and monitoring, link status monitoring
• Traffic information collection and forwarding via NetFlow (v9)

Specifications: SG-6000-X10800
Only the row labels of the specification table are present on the page; the values are not: FW Throughput (Maximum) (1); IPSec Throughput (Maximum) (2); IMIX Throughput (3); NGFW Throughput (4); Threat Protection Throughput (5); Concurrent Sessions (Maximum); New Sessions/s (6); IPS Throughput (Maximum) (7); Virtual Systems (Default/Max); I/O Module; Maximum Interfaces; Maximum Power Consumption; Power Supply; Management Interfaces; Network Interfaces; Expansion Module Slot; Dimension (W x D x H); Weight; Compliance and Certificate.

Module Options
                     100GE/10GE interface module             QoS service module            Security control module
Network interfaces   4 QSFP28 100GE, 8 SFP+ 10GE             N/A                           N/A
                     (transceivers not included)
Slot                 occupies 1 universal expansion slot     occupies 1 universal slot     occupies 1 universal slot
Weight               12.67 lb (5.75 kg)                      12.56 lb (5.70 kg)            7.6 lb (3.45 kg)
Module models listed: IOM-P100-300, IOM-P40-300, SWM-300, QSM-300, SSM-300, SCM-300.

Notes:
(1) FW throughput is measured with single-stack UDP traffic at 1518-byte packet size.
(2) IPSec throughput is measured with pre-shared key, AES256+SHA-1 and 1400-byte packets.
(3) IMIX throughput is measured with a UDP traffic mix (68 byte : 512 byte : 1518 byte = 5:7:1).
(4) NGFW throughput is measured with 64 KB HTTP traffic with application control and IPS enabled.
(5) Threat protection throughput is measured with 64 KB HTTP traffic with application control, IPS, AV and URL filtering enabled.
(6) New sessions/s is measured with TCP traffic.
(7) IPS throughput is measured with bi-directional HTTP traffic detection with all IPS rules enabled.
(8) At least 3 AC power modules are required for full-load operation on AC power, and at least 4 DC power modules for full-load operation on DC power.
Unless specified otherwise, all performance, capacity and functionality figures are based on StoneOS 5.5R7. Results may vary with StoneOS version and deployment.
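The VPN proposal lists above still offer DES, 3DES, MD5 and DH groups 1 and 2. The following added example (my code, not Hillstone's) assesses a proposal against current guidance and shows why a weak proposal kept "for compatibility" is still dangerous: IKE proposal selection takes the first proposal both sides offer, so a peer that offers only the weak one gets a tunnel. The proposal objects and their values are constructed; the algorithm names follow the datasheet's lists, and the STRONG proposal assumes a firmware release that offers DH group 14, which this datasheet (5.5R7) does not list.

```python
"""Audit IKE/IPSec proposals for weak settings and show why a weak proposal left
enabled "for compatibility" still gets negotiated. Example code, not Hillstone's;
the proposals below are constructed, the algorithm names follow the X10800
datasheet's lists, and the verdicts follow current NIST/IETF guidance."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RANK = {"ok": 0, "warn": 1, "reject": 2}

# (field, value) -> (verdict, reason). Values not listed are treated as acceptable.
WEAK = {
    ("encryption", "DES"): ("reject", "56-bit key, brute-forceable"),
    ("encryption", "3DES"): ("reject", "64-bit block (Sweet32); NIST disallows it after 2023"),
    ("authentication", "MD5"): ("reject", "MD5 is collision-broken and MUST NOT be used for IKE integrity (RFC 8247)"),
    ("authentication", "SHA1"): ("warn", "SHA-1 is deprecated for new deployments; use SHA-256 or stronger"),
    ("dh_group", 1): ("reject", "768-bit MODP, far below the 2048-bit minimum"),
    ("dh_group", 2): ("reject", "1024-bit MODP, below the 2048-bit minimum (Logjam precomputation)"),
    ("dh_group", 5): ("warn", "1536-bit MODP, below the 2048-bit minimum"),
}


@dataclass(frozen=True)
class Proposal:
    encryption: str            # e.g. "AES256"
    authentication: str        # integrity/PRF hash, e.g. "SHA256"
    dh_group: Optional[int]    # None means no DH exchange (no forward secrecy)
    mode: str = "main"         # IKEv1 phase-1 exchange: "main" or "aggressive"
    auth_method: str = "psk"   # "psk" or "certificate"


def assess(p: Proposal) -> Tuple[str, List[str]]:
    """Return the worst verdict ("ok", "warn", "reject") and the reasons behind it."""
    findings = []
    for key in (("encryption", p.encryption),
                ("authentication", p.authentication),
                ("dh_group", p.dh_group)):
        if key in WEAK:
            verdict, why = WEAK[key]
            findings.append((verdict, f"{key[0]}={key[1]}: {why}"))
    if p.dh_group is None:
        findings.append(("warn", "no DH group: no forward secrecy for this SA"))
    if p.mode == "aggressive" and p.auth_method == "psk":
        # Aggressive mode sends the identity and a PSK-derived hash unencrypted,
        # so a captured exchange can be cracked offline.
        findings.append(("reject", "aggressive mode with PSK: offline-crackable exchange"))
    worst = max((v for v, _ in findings), key=RANK.get, default="ok")
    return worst, [why for _, why in findings]


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """First initiator proposal the responder also offers, as in IKE proposal selection.
    If the weak proposal is still in the initiator's list, a peer that offers only the
    weak one gets a tunnel; the fix is to delete it, not to reorder it."""
    for p in initiator:
        if p in responder:
            return p
    return None


# Constructed proposals (assumptions, not taken from a real device)
LEGACY = Proposal("3DES", "MD5", 2, mode="aggressive", auth_method="psk")
BEST_ON_5_5R7 = Proposal("AES256", "SHA256", 5)           # strongest choices in the datasheet lists
STRONG = Proposal("AES256", "SHA256", 14, auth_method="certificate")  # needs a release offering group 14

if __name__ == "__main__":
    for name, prop in (("legacy", LEGACY), ("best on 5.5R7", BEST_ON_5_5R7), ("strong", STRONG)):
        print(name, assess(prop))
    print("weak proposal still enabled:", negotiate([STRONG, LEGACY], [LEGACY]))
    print("weak proposal removed:", negotiate([STRONG], [LEGACY]))
```

On this datasheet's release the best achievable proposal still scores "warn" because group 5 is the largest group offered; that is the figure to carry into the risk register until the peer and firmware can move to a larger group.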

Hillstone Networks (山石网科) Firewall Daily Operations Manual


Hillstone Networks Firewall Daily Operations Manual

Contents
1. Basic device management
  1.1 Logging in to the device
    1.1.1 Managing the device via the CLI
    1.1.2 Managing the device via the WebUI
  1.2 Administrator accounts and permissions
    1.2.1 Adding an administrator
    1.2.2 Changing an administrator password
  1.3 License installation
  1.4 Device software upgrade
  1.5 Device configuration backup and restore
    1.5.1 Backing up the configuration
    1.5.2 Restoring the configuration
  1.6 Using the system diagnostic tools
2. Object configuration
  2.1 Address book
  2.2 Service book
3. Network configuration
  3.1 Security zones
  3.2 Interfaces
  3.3 Routes
  3.4 DNS
4. Firewall configuration
  4.1 Firewall policies
    4.1.1 Adding a security policy
    4.1.2 Editing a security policy
  4.2 NAT
    4.2.1 Source NAT
    4.2.2 Destination NAT
  4.3 Firewall configuration examples
5. QoS configuration
  5.1 IP QoS
  5.2 Application QoS
6. Common log configuration

1. Basic device management

1.1 Logging in to the device

The security gateway supports both local and remote configuration, through either the CLI or the WebUI.

The CLI is reachable over the console port, telnet and SSH.

1.1.1 Managing the device via the CLI

To configure the gateway through the console port, run a terminal emulator on the computer (Windows HyperTerminal, SecureCRT or similar), connect to the gateway and set the serial parameters as shown in the table (they are the same as for a Cisco console connection). To manage the device over telnet or SSH, enable the telnet or SSH management service on the relevant interface and then allow the management IP range as trusted hosts.

To enable telnet or SSH on an interface: in Network > Network Connections, tick the interface at the bottom of the page, click the edit button, enable the required management services in the interface configuration dialog and confirm. Prefer SSH over telnet: telnet carries the administrator password in cleartext.

1.1.2 Managing the device via the WebUI

The WebUI supports both HTTP and HTTPS. The first login is through the default interface ethernet0/0 (default IP address 192.168.1.1/24, with every management service enabled on it by default). Once the device is reachable over HTTPS or SSH, disable the cleartext services on this interface and restrict management to trusted hosts. To log in:

1. Set the management PC's IP address to one in the 192.168.1.1/24 subnet and connect the PC to the gateway's ethernet0/0 interface with a network cable.

Hillstone Networks Basic Configuration Handbook, 2024 edition (slides)

Configuration tool preparation: have a suitable configuration tool ready, such as the command-line interface (CLI), the Web interface or dedicated configuration software.

Software version selection and upgrade
  Software version selection: choose the software version to install and configure according to actual requirements and device compatibility.
  Software upgrade: check for software updates regularly, and download and install the latest patches and upgrade packages promptly to keep the device secure and performing well.
  Backup and restore: before a software upgrade, always back up the device configuration and data so that you can recover promptly if the upgrade fails or causes problems.

Load balancing: balance load across devices so that no single device becomes a performance bottleneck, improving overall system performance.

Device status monitoring: monitor device status in real time to find and handle faults promptly and keep the system running stably.

Link load balancing strategy
  Static load balancing: distribute traffic across links according to pre-set rules.
  Dynamic load balancing: monitor link status in real time and adjust the traffic distribution according to link bandwidth, latency and similar parameters so that traffic always takes the best path.

Fault recovery process: define a detailed fault recovery process covering fault confirmation, cause analysis, solution design and implementation, so that faults are handled promptly and effectively.

Section 06: Management and maintenance operation guide
2024/1/27

Device management interface
  Device management main page: shows overall device status, the main performance indicators and real-time alarm information.
  Configuration management page: detailed settings for every part of the device configuration, including network, security and users.

Device installation: choose the installation method and location according to the device specification and the installation environment so that the device is stable and reliable.

Device connection: use suitable cables to connect the device to the network, power and so on, and make sure the connections are correct and secure.

Initial configuration environment setup
  Console connection

Hillstone SA2001A VPN Firewall Quick Configuration Guide


Hillstone SA-2001A Operation Guide

1. Overview of the Hillstone SA2001A

The Hillstone Networks SA2001A multi-core security gateway is a new-generation security gateway developed independently by Hillstone Networks, with its own intellectual property.

Its role-based, deep-application multi-core Plus®G2 security architecture goes beyond the traditional firewall's limitation of filtering only on IP address and port.

The modular processor design greatly increases overall processing capacity, overcoming the performance drop that traditional UTMs suffer once features such as virus filtering are enabled.

Processing capacity from 100 Mbps to 10 Gbps makes the Hillstone multi-core security gateway suitable for many network environments, including SMEs, government agencies, large enterprises, telecom carriers and data centers.

Rich software features provide different levels and depths of security control and access management, such as role-based deep-application access control, IPSec/SSL VPN, application bandwidth management, virus filtering and content security.

2. Configuring the SA2001A through the console

2.1 Preparation and figures

Prepare the rollover cable for the console port, a host with a serial port, two power cords and the related host accessories, then connect the host to the SA2001A as shown in the network topology figure.

2.2 Host serial port parameters

On the host open Start > Programs > Accessories > Communications > HyperTerminal. Enter a name (for example Hillstone) and confirm. Under "Connect using" select the serial port to use (COM1 is normally fine) and confirm. Set the bit rate to 9600 (the original labels this field "data bits", but 9600 is the baud rate) and flow control to None, then confirm. (Note: the screen shown is from a device that has already been configured.)

At this point the host is connected to the SA2001A through the console port and you can start configuring the SA2001A.

3. Common SA2001A configuration commands

3.1 Command modes

3.1.1 Execution mode

Execution mode is the mode you are in on entering the CLI.

It allows every setting that the user's privilege level permits.

Its prompt contains a hash sign (#):
hostname#

3.1.2 Global configuration mode

Global configuration mode allows the user to modify the security gateway's configuration parameters.

Hillstone S-Series Firewall 5.5R1 System Upgrade Guide


Platform: S

Known Issues
• Monitor and Logging: except for threat logs, monitor data and log data are stored in memory, so restarting the device clears them. 128399-1 (128399). Solution: none. For incident response this means the local record does not survive a reboot; forward logs to an external syslog server or HSA platform so that a restart, whether accidental or induced by an attacker, does not destroy the evidence.
• Intrusion Prevention System: the external link check gives misinformation. 129801-1 (129801). Solution: none.
• WebUI: historical data cannot be cleared via the WebUI. 132519-1 (132519). Solution: use the CLI to clear the historical data.

Feature highlights
• Web site access control: identification of Android and iOS applications; web site access control based on role, time, priority and web site category; user-defined URL categories; tens of millions of URL signatures; real-time signature database update over the Internet.
• Logging and reports: the device has a large disk for storing logs and reports locally.
• Graphical security management.

Hillstone Networks Firewall Frequently Asked Questions (FAQ) Manual


Version 1.0. Copyright 2022 Hillstone Networks. All rights reserved. Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement and may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose other than the purchaser's personal use without the written permission of Hillstone Networks. This document is intended for Hillstone Networks internal readers only; distribution outside the company and any commercial use are prohibited.

Contact information
Beijing: 5F, Building 20, Yard 1, Baosheng South Road, Haidian District, Beijing 100192
Suzhou: 181 Jingrun Road, Science and Technology Town, Suzhou High-tech Zone, Suzhou 215000
Contact us: /about/contact_Hillstone.html

About this manual
This manual collects frequently asked questions, with answers, from the use of Hillstone Networks firewall devices. For more documentation visit: https:// . For feedback on this document, e-mail: ************************* . Hillstone Networks, https:// . TWNO: TW-FAQ-AKXE-CN-V1.0-6/27/2022

Contents

Introduction to the FAQ
  Target readers
  More resources

Product advantages and positioning
  A-series firewalls
    1. What is the product positioning of the A series?
    2. What are the main features of the A series, and what advantages do they bring?
    3. What are the application scenarios of the A-series intelligent next-generation firewall?
  K-series firewalls
    4. What is the product positioning of the K series?
    5. What are the main feature highlights of the K series?
  X-series firewalls
    6. What is the product positioning of the X-series data center firewall?
    7. What are the main features of the X series, and what advantages do they bring?
    8. What software advantages does the X series have?
    9. What are the application scenarios of the X series?
    10. When selecting an X-series model, how should the configuration be chosen from the customer's live traffic?

Functional questions
  Hardware platform
    1. What are the A-series models and their supported expansion modules?
    2. Which hard disks can be installed in A-series devices?
    3. Which power supplies do A-series devices support?
    4. What are the K-series models and their supported expansion modules?
    5. Which hard disks can be installed in K-series devices?
    6. Which power supplies do K-series devices support?
    7. What CPU architecture do X-series firewalls use?
    8. What are the X-series models and their supported expansion modules?
    9. Which expansion modules does an X-series device need in order to work?
    10. Are X-series expansion modules hot-swappable?
    11. Are the X10800 and X9180 power cords rated 16 A or 10 A?
    12. What is the difference between the X-series QSM module and the IOM/SIOM modules in implementing QoS?
    13. How many 10GE interface expansion modules can an E-series device take?
    14. Do the firewalls support the 40G optical module TRAN-QSFP+BiDi?
    15. Which optical interfaces support splitting?
    16. How are 100GE (QSFP28) and 40GE (QSFP+) optical interfaces split?
    17. Which optical interfaces support speed reduction?
    18. How is an optical interface's speed reduced?
    19. Which optical interfaces support optical-to-electrical conversion?
    20. How is optical-to-electrical conversion done?
    21. How long can the firewall's hard disk retain log information?
    22. Can Hillstone devices use other vendors' optical modules?
    23. What types of fibre connector are there?
    24. What are the B-series models and their supported expansion modules?
    25. What are the C-series models and their supported expansion modules?
  Specifications / licenses / signature databases
    26. How many IPS signatures does the A series have?
    27. Can an A-series firewall handle adding and managing more than 100,000 users?
    28. Can the A-series virus database reach 3 million entries?
    29. Is there a limit on the number of VSYS in StoneOS?
    30. What is the maximum number of VSYS on the A5500?
    31. Which partners supply the IPS, AV and botnet defence (C2) signature databases?
    32. How do I view the anti-spam signature database?
    33. How do I view the upgrade history of the signature databases?
    34. Can a feature still be used after its trial license expires?
    35. Can botnet defence still be used after its license expires?
    36. How many botnet defence signatures are there?
    37. Is the botnet defence signature database updated automatically to the latest version?
    38. Does the device need a restart after a license is imported?
  Version upgrade
    39. What should be checked before upgrading the firewall version?
    40. Does an expired platform license affect version upgrades?
    41. Can A-series firewalls run StoneOS 5.5R8?
    42. Are there restrictions on upgrading A-series firewalls?
  System management
    43. Can A-series and X-series devices be powered off forcibly?
    44. Does StoneOS support other languages?
    45. Can the system's default administrator be edited or deleted?
    46. Which configuration management methods does the firewall support?
    47. How do I view the recommended version for a device?
    48. How do I check the after-sales service and hardware warranty expiry dates?
    49. How do I view the running version and uptime?
    50. How do I turn off the system debug function?
    51. How do I view the device configuration?
    52. How do I view SNMP OID values?
  Zero trust
    53. On which dimensions can zero trust control permissions?
    54. Which two-factor authentication methods does zero trust support?
    55. Which client is used for zero-trust access?
    56. Can a user denied access to a resource because of endpoint state gain access by adjusting the endpoint configuration?
  Policy
    57. Is traffic between security zones allowed by default?
    58. In what order are policy rules matched?
    59. Can security policies be imported?
    60. Is traffic that matches no security policy allowed or denied by default?
    61. Does the firewall support five-tuple policy lookup and querying by the time a policy was last hit?
    62. What is an invalid policy?
    63. Is the maximum number of policies related to the number of source/destination IPs or ports in the policies?
    64. Is there a limit on the number of source/destination address entries a rule can reference?
    65. How are policies configured when the firewall isolates two internal zones from each other?
  VSYS
    66. Does VSYS support NetFlow?
    67. With multiple VSYS on a firewall, can a single VSYS be restarted?
    68. Does adding VSYS affect the performance of the root VSYS?
  Routing
    69. What is the route priority order?
    70. Which route types support IPv6?
    71. Which route types support BFD?
  VPN
    72. Which VPNs does StoneOS support?
    73. Does SSL VPN support mobile authenticator apps such as Google Authenticator?
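Questions 57, 58, 60 and 62 above ask about policy matching order, the default action for unmatched traffic and invalid policies, and the X10800 datasheet earlier lists "security policy redundancy inspection" and "invalid policy cleanup" as features; only the questions, not the answers, are on this page. On a zone-based firewall of this kind, rules are evaluated top-down, the first match decides, and traffic that matches no rule is dropped. The following added example (my code, not Hillstone's) implements that evaluation and the reachability check that a redundancy inspection performs: a rule whose zones, addresses and services are all covered by an earlier rule can never match, and if the two actions differ the earlier rule silently wins. The rule model and the sample rule set are constructed stand-ins, not StoneOS syntax.

```python
"""First-match security-policy evaluation with an implicit default deny, plus a
check for rules that an earlier rule makes unreachable. Example code, not
Hillstone's: the rule model is a simplified stand-in for StoneOS zone-based
policies and the rule set below is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    proto: str                           # "tcp", "udp" or "any"
    ports: Tuple[int, int] = (0, 65535)  # inclusive destination-port range

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.ports[0] <= port <= self.ports[1]

    def covers(self, other: "Service") -> bool:
        return (self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1])


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                 # zone name or "any"
    dst_zone: str
    src: Tuple[IPv4Network, ...]
    dst: Tuple[IPv4Network, ...]
    services: Tuple[Service, ...]
    action: str                   # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def _zone_ok(rule_zone: str, zone: str) -> bool:
    return rule_zone in ("any", zone)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    s, d = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
    return (_zone_ok(rule.src_zone, pkt.src_zone) and _zone_ok(rule.dst_zone, pkt.dst_zone)
            and any(s in n for n in rule.src) and any(d in n for n in rule.dst)
            and any(svc.matches(pkt.proto, pkt.dst_port) for svc in rule.services))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk the ordered rule list; the first match decides. No match means deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "deny", None


def _nets_covered(inner, outer) -> bool:
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet inner would match is already matched by outer."""
    return (_zone_ok(outer.src_zone, inner.src_zone) and _zone_ok(outer.dst_zone, inner.dst_zone)
            and _nets_covered(inner.src, outer.src) and _nets_covered(inner.dst, outer.dst)
            and all(any(o.covers(i) for o in outer.services) for i in inner.services))


def find_unreachable(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """(rule, earlier rule, kind): 'redundant' if the actions agree, 'shadowed' if the
    earlier rule silently overrides a different action."""
    out = []
    for idx, rule in enumerate(rules):
        for earlier in rules[:idx]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                out.append((rule.name, earlier.name, kind))
                break
    return out


N = ip_network
ANY = (N("0.0.0.0/0"),)
WEB = (Service("tcp", (80, 80)), Service("tcp", (443, 443)))
SSH = (Service("tcp", (22, 22)),)

# Constructed rule set: R3 is shadowed by R1, R4 is redundant with R2.
SAMPLE_RULES = [
    Rule("R1-web-out", "trust", "untrust", (N("10.0.0.0/8"),), ANY, WEB, "permit"),
    Rule("R2-dmz-ssh", "trust", "dmz", (N("10.1.0.0/16"),), (N("172.16.0.0/24"),), SSH, "permit"),
    Rule("R3-block-guest-https", "trust", "untrust", (N("10.1.2.0/24"),), ANY,
         (Service("tcp", (443, 443)),), "deny"),
    Rule("R4-dup", "trust", "dmz", (N("10.1.5.0/24"),), (N("172.16.0.10/32"),), SSH, "permit"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, Packet("trust", "untrust", "10.1.2.3", "203.0.113.5", "tcp", 443)))
    print(evaluate(SAMPLE_RULES, Packet("trust", "untrust", "10.1.2.3", "203.0.113.5", "tcp", 25)))
    print(evaluate(SAMPLE_RULES, Packet("dmz", "trust", "172.16.0.10", "10.1.2.3", "tcp", 22)))
    print(find_unreachable(SAMPLE_RULES))
```

The guest-subnet deny in R3 never fires because R1 already permits HTTPS for all of 10.0.0.0/8; the order, not the intent, decides. Moving R3 above R1 fixes it, which is the kind of result a policy redundancy inspection should surface before the rule set is pushed.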

Hillstone Networks Data Center Firewall Installation Manual, 4.0R5

Chapter 2 Preparing to install the firewall
  Introduction
  Site requirements
    Temperature and humidity
    Cleanliness
    Anti-static measures
    Electromagnetic environment
  Cabinet requirements
    Cabinet dimensions and spacing
    Cabinet ventilation
  Rack requirements
    Rack dimensions and load-bearing capacity

HillStone Configuration Manual (latest)


HillStone SA-2001 Configuration Manual

Contents
1 Network port configuration
2 Firewall settings
3 VPN configuration
4 Traffic control
  4.1 P2P rate limiting
  4.2 Blocking P2P traffic
  4.3 IP traffic control
  4.4 Time settings
  4.5 Statistics
5 Basic configuration

This document was written for security gateway OS Version 3.5; on other versions the configuration steps may differ.

1 Network port configuration

The SA-2001 front panel has five gigabit copper ports, one console port, one CLR button, one USB port and status LEDs.

The figure shows the SA-2001 front panel. Plug the network cable into E0/0.

The firewall's ethernet0/0 interface has the default IP address 192.168.1.1/24 but is not configured as a DHCP server, so the PC must be given an address in the same subnet, for example 192.168.1.2/24, before it can reach the firewall.

Open 192.168.1.1 in IE and log in with the default username and password (both hillstone). Change this default password at the first login, before the device is connected to any production segment; it is a published default that anyone on the segment can try.

The home page shows CPU, memory and session usage.

On many firewall and router brands the internal ports are grouped into a small switch by default; Hillstone products require this to be configured manually.

In this document E0/0 is assigned as the UNTRUST port facing the Internet, and the four ports E0/1 to E0/4 are grouped into one switch as the TRUST port facing the internal network.

In Network > Interfaces, create a new bgroup interface; this is a virtual interface.

Because the bgroup1 interface must provide routing, it is placed in a layer-3 security zone (trust).

Enter the IP address provided by the group information centre.

For the management settings the original advice is to open as many management protocols as possible, HTTP in particular. On a trust-side interface enable only what is needed, HTTPS and SSH, and restrict management to trusted hosts: HTTP and telnet send administrator credentials in cleartext to every host on the internal segment.

After bgroup1 is created, edit e0/1 to e0/4 in turn in Network > Interfaces and assign each of them to bgroup1.

With the switch function set up, configure DHCP so that PCs obtain IP addresses automatically when they connect.
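The procedure above, and the daily operations manual's login section earlier on this page, both describe a management plane that starts with every service (HTTP and telnet included) enabled on the default interface and then add a trust-side bgroup with the same settings. The following added example (my code, not Hillstone's) is the check to run before such a configuration goes live: it parses a StoneOS-style configuration snippet and reports cleartext management services, management exposed on an Internet-facing zone, and the absence of any trusted-host restriction, then shows the same layout after hardening. Both snippets are constructed for this example; the per-interface "manage <service>" lines follow the StoneOS interface syntax, while the "admin host" trusted-host line is an assumption about the CLI.

```python
"""Audit the management plane of a StoneOS-style configuration: cleartext
management protocols, management exposed on an Internet-facing zone, and no
trusted-host restriction. Example code, not Hillstone's. The config snippets are
constructed to mirror the defaults described above; the per-interface
'manage <service>' lines follow the StoneOS interface syntax, while the
'admin host' trusted-host line is an assumption about the CLI."""
import re
from typing import Dict, List, Tuple

CLEARTEXT = {"telnet", "http"}                          # credentials cross the wire unencrypted
MGMT_SERVICES = {"ssh", "https", "telnet", "http", "snmp"}
EXTERNAL_ZONES = {"untrust"}                            # zones that face the Internet

Finding = Tuple[str, str, str]                          # (severity, where, message)


def parse_config(text: str) -> Tuple[Dict[str, dict], List[str]]:
    """Return {interface: {"zone": str|None, "manage": set}} plus the trusted-host lines."""
    interfaces: Dict[str, dict] = {}
    trusted: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"zone": None, "manage": set()}
            continue
        if line == "exit":
            current = None
            continue
        if current is not None:
            m = re.match(r'zone "?([^"]+)"?$', line)
            if m:
                interfaces[current]["zone"] = m.group(1)
            m = re.match(r"manage (\S+)$", line)
            if m:
                interfaces[current]["manage"].add(m.group(1))
        elif line.startswith("admin host "):
            trusted.append(line)
    return interfaces, trusted


def audit(text: str) -> List[Finding]:
    interfaces, trusted = parse_config(text)
    findings: List[Finding] = []
    for name, ifc in interfaces.items():
        enabled = ifc["manage"] & MGMT_SERVICES
        for svc in sorted(enabled & CLEARTEXT):
            findings.append(("high", name, f"{svc} management enabled: cleartext credentials"))
        if ifc["zone"] in EXTERNAL_ZONES and enabled:
            findings.append(("high", name,
                             f"management services {sorted(enabled)} reachable from zone {ifc['zone']}"))
    if not trusted and any(i["manage"] & MGMT_SERVICES for i in interfaces.values()):
        findings.append(("medium", "global", "no admin host entries: management open to any source address"))
    return findings


# Constructed snippet mirroring the factory state: every service on the default
# interface, and the guide's advice to open everything on the trust-side bgroup.
INSECURE_CONFIG = """
interface ethernet0/0
  zone "untrust"
  ip address 203.0.113.2 255.255.255.248
  manage ssh
  manage http
  manage https
  manage telnet
  manage snmp
  manage ping
exit
interface bgroup1
  zone "trust"
  ip address 10.1.0.1 255.255.255.0
  manage ssh
  manage http
  manage https
  manage telnet
exit
"""

# Same layout after hardening: encrypted services only, on the inside, from one admin subnet.
HARDENED_CONFIG = """
interface ethernet0/0
  zone "untrust"
  ip address 203.0.113.2 255.255.255.248
exit
interface bgroup1
  zone "trust"
  ip address 10.1.0.1 255.255.255.0
  manage ssh
  manage https
exit
admin host 10.1.0.0/24 any
"""

if __name__ == "__main__":
    for finding in audit(INSECURE_CONFIG):
        print(finding)
    print("hardened:", audit(HARDENED_CONFIG))
```

Run it against a configuration exported with the backup procedure before the device is put on the wire; on the insecure snippet it reports six findings, on the hardened one none. The "ping" service is deliberately ignored: it reveals that the interface exists but gives no management access.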

Hillstone Networks SG-6000-M2105/M3100/M3108 Firewall Selection Guide


New-generation multi-core security gateways SG-6000-M2105/M3100/M3108

The SG-6000 series is Hillstone Networks' new generation of multi-core security gateways.

Its role-based, deep-application multi-core Plus®G2 security architecture goes beyond the traditional firewall's limitation of filtering only on IP address and port.

The modular processor design raises overall processing capacity, overcoming the performance drop traditional UTMs suffer when virus protection, IPS and similar functions are enabled.

With 600 Mbps to 2 Gbps of processing capacity, the SG-6000-M2105/M3100/M3108 suit enterprise branches and SMEs and can be deployed at key network nodes and at the Internet edge, providing role-based, deep-application access control together with IPSec/SSL VPN, application bandwidth management, virus filtering, intrusion prevention, web access control and Internet behaviour management.

Product highlights

Security visibility
● Network visibility: the network traffic analysis module built into StoneOS® gives a graphical view of device usage, bandwidth use and traffic trends, so the network can be monitored anywhere, at any time, and traffic optimised and finely managed.

● Access visibility: the StoneOS® role-based management (RBNS) module makes network access finer-grained and more intuitive, replaces control by IP address alone, and allows real-time monitoring and management of user access state and resource allocation, so that network resources are assigned more sensibly and controllably.

● Application visibility: the StoneOS® application identification module identifies and controls applications by their behaviour and signatures rather than only by port or protocol, and handles encrypted flows as well.

StoneOS® identifies several hundred applications, with more added as applications evolve, including P2P, IM (instant messaging), games, office software and applications running over SIP, H.323, HTTP and other protocols; the application signature database is updated in real time through the network service.

Comprehensive VPN solution
The SG-6000 multi-core security gateway supports many IPSec VPN deployments and is fully compatible with standard IPSec VPN.

SG-6000 products provide hardware acceleration for VPN (SSL VPN included); combined with the multi-core platform this gives users a high-capacity, high-performance VPN solution.

Hillstone Unified Intelligent Firewall Installation Manual


Hillstone Unified Intelligent Firewall Installation Manual

Contents
Chapter 1 Introduction
Chapter 2 Preparation
Chapter 3 Installation and upgrade
  Installing the Unified Intelligent System software on a virtual machine
  Upgrading the enterprise security gateway to the required system firmware
Chapter 4 Initialization
Chapter 5 Logging in to the Unified Intelligent Firewall
Chapter 6 Advanced settings
  Viewing Unified Intelligent System interface information
  Configuring Unified Intelligent System interfaces
  Changing the Unified Intelligent System login password
  Upgrading the Unified Intelligent Firewall
    Via the WebUI
    Via the CLI
  Upgrading or rolling back the enterprise security gateway firmware
  Removing the Unified Intelligent System
  Viewing the Unified Intelligent System software version and the gateway firmware version
  Configuring trusted hosts
  Encrypting the channel between the Unified Intelligent System and the enterprise security gateway

About this manual
This document describes the installation and deployment of the Unified Intelligent Firewall, in the six chapters listed above.

Conventions
For ease of reading, this manual follows these conventions.

Content conventions:
♦ Tip: reference information for the user.
♦ Note: information that helps in understanding the content.
♦ Caution: performing the operation incorrectly causes a system error.
♦ 『』: a link, tab or button on the Hillstone device WebUI. For example, "click the 『Login』 button to enter the Hillstone device home page".
♦ < >: text shown on the WebUI, including radio button names, check box names, text box names, option names and descriptions. For example, "to change the MTU, select the <Manual> radio button and enter a suitable value in the text box".

CLI conventions:
♦ Braces ({ }): the enclosed element is required.
♦ Square brackets ([ ]): the enclosed element is optional.
♦ Vertical bar (|): separates mutually exclusive options.
♦ Bold: command keywords, the fixed part of the command line, which must be typed exactly as shown.

Hillstone Firewall Maintenance Manual (2010 edition)


Hillstone Firewall Maintenance Manual, 2010/10/17. Its overview and sections 2 to 2.1.4 are the same as those of the 2022 edition above; the sections below are the ones the 2022 extract does not include.


2.1.5.防火墙模块及数据接口检查系统防火墙接口状态检查检查模块安装是否松动,接口模块上指示灯是否正常。

已接有链路的端口link端为绿色常亮,ACT指示灯为黄色闪烁。

防火墙接口状态指示灯颜色:2.2.防火墙系统部分日常维护2.2.1.防火墙OS版本检查在防火墙上运行show version 查看当前软件版本和防火墙硬件设备系统持续运行时间及上次系统重启时间。

Web Application Firewall CLI Command Line Manual

Version 3.1.1
Copyright 2022 Hillstone Networks. All rights reserved. Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Hillstone Networks.
Hillstone Networks
This document may not be used for any commercial purpose.

Contact information
Beijing: 5th floor, Building 20, Yard 1, Baosheng South Road, Haidian District, Beijing; postcode 100192
Suzhou: 181 Jingrun Road, Science and Technology Town, Suzhou New District, Suzhou; postcode 215000
Contact us: https:///about/contact_Hillstone.html
About this manual
This manual describes how to use the WAF product of Hillstone Networks.

For more documentation, visit: https://
For feedback on this document, send email to: *************************
Hillstone Networks https://
TWNO: TW-CUG-WAF-3.1.1-CN-V1.0-10/31/2022

Contents
About this manual
  Conventions
    Content conventions
    CLI conventions
Command line interface (CLI)
  Introduction to the CLI
  Command modes and prompts
    Execution mode
    Sub-module configuration mode
    Switching between CLI command modes
  Command line error messages
  Entering commands
    Abbreviated commands
    Automatic listing of command keywords
    Automatic completion of command keywords
  Editing the command line
    Viewing command history
    Shortcut keys
  Filtering CLI output
  Paging CLI output
  Setting terminal properties
  Redirecting output
  Diagnostic commands
Basic command index
  (1) Configuring trusted hosts
    Configuring trusted hosts
    Configuring IPv6 trusted hosts
    Displaying the trusted host configuration
  (2) Configuring administrators
    Creating an administrator
    Configuring administrator roles
    Configuring administrator passwords
    Displaying the administrator configuration
  (3) Configuring the host name
  (4) Configuring management port numbers
    Configuring the Console management interface
    Configuring the baud rate
    Configuring the Telnet management interface
    Configuring the SSH management interface
    Configuring the WebUI management interface
    Displaying the management interface configuration
  (5) Configuring hardware forced bypass
  (6) Configuring interfaces
    Binding an interface to a zone
    Configuring interface IP addresses
    Configuring the interface maximum transmission unit (MTU)
    Configuring interface management functions
    Configuring the interface Local attribute
    Switching the interface working mode
    IPv6 address configuration
      Specifying a global IPv6 address
      Specifying stateless address autoconfiguration
      Specifying an EUI-64 address
      Specifying the interface IPv6 MTU
    Forcibly shutting down an interface
    Viewing interface information
    Displaying the interface IPv6 configuration
  (7) Configuring routes
    Adding a destination route entry
    Displaying destination route information
    Enabling/disabling multi-virtual-router mode
  (8) Host defense
    Displaying IP-MAC-port binding information
    Displaying MAC table information
  (9) Setting DNS servers
  (10) Configuring NTP
    Enabling/disabling NTP
    Configuring NTP clock servers
  (11) Configuring monitored objects
    Interface link state monitoring
  (12) Configuring HA
    HA group configuration
      Specifying the priority
      Configuring preemption mode
      Specifying monitored objects
    HA link configuration
      Specifying the HA link interface
      Specifying the HA link interface IP address
      Specifying the MAC address of the vWAF HA heartbeat port
      Configuring vWAF to use the real MAC address of the interface
      Configuring HA negotiation over Layer 2 unicast
      Specifying the HA link interface maximum transmission unit (MTU)
    HA cluster configuration
    Displaying the HA configuration
  (13) Enabling dynamic core scheduling for the WAF
    Enabling dynamic core scheduling for the WAF
    Running the WAF application-plane process on Core0
    Displaying CPU core information
  (14) Configuring the log terminator character for log servers
    Displaying the log terminator character for log servers
  (15) Simple Network Management Protocol (SNMP)
    Enabling or disabling the SNMP agent
    Configuring the SNMP engine ID
    Creating SNMPv3 users (IPv6 remote management hosts)
    Configuring trap destination hosts
    Configuring IPv6 trap destination hosts
    Displaying SNMP information

About this manual
Conventions
For ease of reading and understanding, this manual follows the conventions below:
Content conventions
The content conventions of this manual are as follows:
• Tip: provides related reference information for the user.

Hillstone Networks Hardware Reference Guide

Hillstone Networks Hardware Reference Guide
TW-QSG-IPS-EN-V1.0-Y18M03

Installation Quick Start

Tools
Cross screwdriver
Antistatic gloves
Ethernet cable

Prerequisite
Before installation, make sure that you have taken the ESD prevention measures.

Installing Mounting Rail Assemblies
Only devices of some models are shipped with mounting rail assemblies. Please check your inventory. If there is no tray on your rack, install the mounting rail assemblies first.
The mounting ears are used to fix the position of the chassis but cannot bear weight. The mounting rail assemblies shipped with the device are used to support the chassis if there is no tray on your rack. The mounting rail assemblies are used for 19-inch racks, with a height of 1U.
Step 1: Hold the mounting rail assembly and shift the tray surface upwards. In the desired position, hook the front mounting ear onto the front rack post.
Step 2: Keep the mounting rail assembly horizontal and adjust its length until the back mounting ear can hook the back rack post. Mark the positions of the squared holes on the front and back rack posts.
Step 3: Use the cross screwdriver to tighten the screws in the mounting rail assembly until the rail cannot slide. Five screws are provided; distribute them evenly along the length of the mounting rail assembly.
Step 4: Move the mounting rail assembly aside. Install floating nuts in the marked squared holes.
Step 5: Move the mounting rail assembly back, keep the center of the rack-mounting ear and the center of the rack hole horizontally even, and tighten the screws.
Step 6: Repeat the above steps to install the mounting rail assembly on the other side. The two mounting rail assemblies should be at the same horizontal level.

Installing Rear Brackets
Only devices of some models are shipped with rear brackets. Please check your inventory. If there is no tray on your rack, install the rear brackets first.
The mounting ears are used to fix the position of the chassis but cannot bear weight. The rear brackets shipped with the device are used to support the chassis if there is no tray on your rack. The rear brackets are used for 19-inch racks, with a height of 1U.
Step 1: Locate the pre-installed position and install the squared nuts from the accessory kit in the aligned holes on the rear side of the cabinet. Note that the distance between the upper and lower nuts is determined by the spacing of the positioning holes on the rear bracket.
Step 2: Hold the rear bracket with the tray facing up and align the holes of the rear bracket rail with the squared nut holes.
Step 3: Use the cross screwdriver to tighten the upper and lower screws to secure the rear tray rail.
Step 4: Repeat the above steps to install the rear bracket on the other side. The two rear brackets should be at the same horizontal level.

Installing the Device on a Rack
Step 1: Use a rack-mounting ear to mark the positions of the floating nuts on the rack, and then install the floating nuts.
Step 2: Attach rack-mounting ears to the left and right side panels of the chassis respectively, and then fasten the rack-mounting ears with the screws provided in the accessories.
Step 3: Two people are needed to safely raise the device and place it on the tray of the rack, the rear brackets or the tray of the mounting rail assemblies. Alternatively, two people can place the device on the tray of a lift first, and then use the lift to place the device on the tray of the rack or the tray of the mounting rail assemblies.
Step 4: Keep the center of the rack-mounting ear and the center of the rack hole even and tighten the screws.

Installing the Expansion Module
Step 1: Make sure the power is switched off and you are properly wearing the antistatic gloves.
Step 2: Face the front panel of the device.
Step 3: Use a screwdriver to remove the blank panel from the expansion slot.
Step 4: Align the outline of the expansion module with the outline of the expansion slot. Slide the expansion module into the slot until there is resistance.
Step 5: Tighten the screws on the expansion module.
The following table lists the extension modules of all models:
∙ "-B" means that the extension module is a bypass module which can bypass the device by connecting two networks directly. When a device is bypassed, the two networks connected to the ports in a bypass pair connect to each other directly through the Ethernet cable. For example, IOC-S-4GE-B-H has four gigabit Ethernet copper ports which can be grouped as two bypass pairs. The ports labeled 0 and 1 are in one bypass group; the ports labeled 3 and 4 are in another bypass group. When the device fails, reboots or accidentally disconnects from power, the device will be bypassed: the LANs connected to Ethernet0 and Ethernet1 are directly connected; the LANs connected to Ethernet2 and Ethernet3 are directly connected.
∙ The bypass function is supported on the electrical interfaces of factory standard and is enabled by default. The following table lists the bypass groups of all models:

Removing the Expansion Module
Step 1: Make sure the power is switched off and you are properly wearing the antistatic gloves.
Step 2: Face the front panel of the device.
Step 3: Loosen the screws on the expansion module.
Step 4: Pull the expansion module out of the chassis.

Connecting an AC Power Cable
Step 1: Make sure the power is switched off.
Step 2: Insert the plug of the AC power cable into the power socket of the device.
Step 3: Plug the other end of the AC power cable into the power socket of the power source. If the device has dual power supplies, repeat step 2 and step 3.
Step 4: Power on the switch of the device. Check the PWR LED on the front panel. A green shining light indicates correct power supply.

Accessing a Device via Console Port
Step 1: Connect one end of the console cable to a computer's port, and the other end to the device's console port (labeled CON).
Step 2: Start the terminal emulation program on the computer and use the following parameters:
Step 3: Power on the device for the system to start. At the login prompt, type the default login name (hillstone). At the password prompt, type the default password (hillstone). Press Enter to log in.

Accessing a Device via WebUI
Step 1: Use an Ethernet cable to connect your PC and the device.
∙ If the device has a MGT0 interface, connect the cable to this interface.
∙ If the device does not have a MGT0 interface, connect the cable to the e0/0 interface.
Step 2: Assign an IP address to your PC. The address should be in the same subnet as 192.168.1.1/24.
Step 3: On the PC, launch a web browser and visit http://192.168.1.1.
Step 4: Type the default username (hillstone) and password (hillstone) into the respective text boxes.
Step 5: Click Login to enter the home page.

Connecting to the Internet (Transparent Mode)
The device has pre-defined configurations of security zones, interfaces and security policies for transparent mode, which facilitates deployment of the device in your network environment. After deploying the device as shown in the following topology, intranet users can access the Internet. The configuration of interfaces, security zones, security policy and IPS is described as follows.

Completing Configuration
You have completed the initial configurations. For more information, refer to the complete set of user manuals here: /.

Shutdown
If you want to shut down your device, press the power switch at the back of the device. When the device is powered off, remove the power cord.

Hillstone Networks Web Application Firewall (W1060-GC) Hardware Reference Guide

Version 2.8
Copyright 2021 Hillstone Networks. All rights reserved. Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Hillstone Networks.
Hillstone Networks
This document may not be used for any commercial purpose.

Contact information
Beijing: 5th floor, Building 20, Yard 1, Baosheng South Road, Haidian District, Beijing; postcode 100192
Suzhou: 181 Jingrun Road, Science and Technology Town, Suzhou New District, Suzhou; postcode 215000
Contact us: https:///about/contact_Hillstone.html
About this manual
This manual describes the hardware of the Web Application Firewall (W1060-GC) from Hillstone Networks.

For more documentation, visit: https://
For feedback on this document, send email to: ***********************
Hillstone Networks https://
TWNO: TW-HW-WAF(GC)-CN-V1.0-Y21M11
Names and contents of toxic or hazardous substances or elements in the product
Preface
Overview
Thank you for choosing the Web Application Firewall, a web application security product from Hillstone Networks.

Hillstone Firewall Maintenance Manual
2010/10/17

1. Overview
As a key device in the enterprise core network, the firewall must protect all traffic entering and leaving the network. Critical real-time business systems require the network to provide uninterrupted 7*24 protection, so keeping the firewall running reliably, and diagnosing and recovering quickly when a fault occurs, is the focus of the maintenance staff's work.

Hillstone firewalls provide rich redundancy mechanisms and fault diagnosis and troubleshooting methods. Routine management and maintenance keeps the firewall in a reliable state, and when a fault occurs an effective troubleshooting path restores network operation in the shortest possible time.

This document gives a fairly systematic summary of routine Hillstone firewall maintenance and serves as operational guidance for firewall maintenance staff.

2. Routine Hillstone firewall maintenance
With reliable firewall operation and fast recovery from faults as the goals, the main approach to Hillstone firewall maintenance is: eliminate latent faults at an early stage through proactive routine maintenance; when a fault occurs, use appropriate diagnostic mechanisms and effective troubleshooting methods to restore network operation promptly; after handling a fault, review and improve promptly to prevent it from recurring.

2.1. Routine maintenance of firewall hardware
2.1.1. Equipment room requirements
➢ The equipment room must be kept clean, with no dust on the firewall.

➢ Temperature (℃): operating temperature 0 ℃ to 40 ℃; operating humidity (%): 10% to 95%.
2.1.2. Firewall power check
➢ Check whether the firewall power plugs are loose.

➢ Check the color of the firewall power LEDs.
Power LED colors:
PWR 1 (power supply 1)
  Solid green: power supply 1 working normally
  Solid orange: power supply working abnormally
  Solid red: power supply working abnormally, system in shut-down state
PWR 2 (power supply 2)
  Solid green: power supply 2 working normally
  Solid orange: power supply working abnormally
  Solid red: power supply working abnormally, system in shut-down state
2.1.3. Firewall fans
➢ On low-end products the fans are fixed inside the unit;
➢ On high-end products the fans are modular and hot-swappable;
➢ Check whether the fan LED shows an alarm;
➢ Check whether the airflow from the fans is adequate.
Fan LED colors: see the FAN row of the front panel LED table in 2.1.4.
2.1.4. Front panel LED check
The state of the firewall LEDs shows quickly which part of the firewall has failed and how the firewall is running.

LED      Purpose         Color            Description
STATUS   System status   Blinking green   Normal operation
                         Blinking green   System started and working normally
                         Solid red        System failed to start, or system abnormal
ALARM    System alarm    Solid red        System alarm
                         Blinking green   System in waiting state
                         Blinking orange  System is using a trial license
                         Orange           Trial license expired, no valid license
PS       PS status       Solid green      Power supply (PS) supplying power normally
                         Solid orange     Supplying power normally, power supply cooling fan faulty
                         Off              Power supply not supplying power, or power supply faulty
HA       HA status       Solid green      Only one device, working in master state
                         Blinking green   Two devices (one master, one backup); this device is in master state
                         Blinking yellow  Two devices (one master, one backup); this device is in slave state
                         Blinking red     HA working abnormally
VPN      VPN status      Solid green      VPN tunnel connected
                         Solid orange     VPN function enabled, no tunnel connected
                         Off              VPN function not enabled
FAN      Fan status      Solid green      Fans working normally
                         Solid orange     One fan failed, system running normally
                         Solid red        Serious fan system fault; the system will shut down automatically

2.1.5. Firewall module and data interface check
➢ System firewall interface status check
Check whether the modules are loosely installed and whether the LEDs on the interface modules are normal.

On ports with an active link, the Link LED is solid green and the ACT LED blinks yellow.

Firewall interface LED colors:
Link   Link status   Solid green       Port connected normally to the peer device by copper cable or fiber
                     Off               Port has no connection to the peer, or the connection failed
ACT    ACT status    Blinking yellow   Port is transmitting or receiving
                     Off               No data transfer on the port

2.2. Routine maintenance of the firewall system
2.2.1. Firewall OS version check
Run show version on the firewall to view the current software version, how long the firewall hardware has been running continuously, and the time of the last system restart.

    hillstone(config)# show version
    Hillstone StoneOS software, Version 3.5
    Copyright (c) 2006-2009 by Hillstone Networks, Inc.
    Product name: VR5600T
    S/N: 0802027090006741
    Assembly number: B045
    Boot file is SA2000-3.5R2p4.bin from flash
    Built by buildmaster2 2009/07/07 12:34:08
    Uptime is 0 day 0 hour 55 minutes 46 seconds

2.2.2. Firewall temperature and fan check
Check whether the firewall temperature exceeds the standard value and whether it is in a normal state; check the fans and the cooling environment, and replace parts promptly.

    hillstone(config)# show environment
    Both the temperature and fan are in normal state.

2.2.3. Firewall session utilization check
Every firewall has a maximum number of concurrent sessions. If it is exceeded, the firewall's concurrent sessions have reached their limit, the firewall has become a performance bottleneck, and an upgrade to a higher-end firewall is needed.

If the session information contains alloc failed, the firewall's session count once reached the maximum and session setup failed; this may be a firewall performance problem or a sign that a network attack has occurred.

    hillstone# show session generic
    VSYS 0, max 200000, alloced 0, deny session 0, free 200000, tunnel 0, alloc failed 0

2.2.4. Firewall CPU utilization check
The main tasks of the CPU in a Hillstone firewall are management functions such as feature execution, sessions and logging, so CPU utilization is normally not high; if it exceeds 60%, check the network for attacks or abnormal traffic.

Firewall CPU statistics include 1-minute, 5-minute and 15-minute averages.

High CPU utilization during one particular period is abnormal and may indicate an attack or a similar event.

Persistently high CPU utilization indicates a firewall configuration error; adjust the firewall configuration to reduce CPU utilization.

    hillstone# show cpu
    Average cpu utilization : 0.2%
    current cpu utilization : 2.0%
    Last 1 minute : 0.1%
    Last 5 minutes : 0.2%
    Last 15 minutes : 0.2%

2.2.5. Firewall memory utilization check
Run show memory on the firewall to view memory utilization. Under normal conditions the firewall's memory utilization should not exceed 70%; if it does, check the network for attacks.

    hillstone# show memory
    The percentage of memory utilization: 25%
    total(kB) used(kB) free(kB)
    524288 132793 391495

2.2.6. Firewall interface status check
Run show interface on the firewall to check the interface status, or to view detailed status information for a particular interface.

    SA-2001# show interface
    H:physical state;A:admin state;L:link state;P:protocol state;U:up;D:down
    =============================================================
    Interface name  IP address/mask   Zone name  H A L P  MAC address
    ------------------------------------------------------------------------------
    ethernet0/0     192.168.10.1/24   trust      U U U U  001c.5403.e100
    ethernet0/1     192.168.1.200/24  untrust    D U D D  001c.5403.e101
    ethernet0/2     0.0.0.0/0         NULL       D U D D  001c.5403.e102
    ethernet0/3     0.0.0.0/0         NULL       D U D D  001c.5403.e103
    ethernet0/4     0.0.0.0/0         NULL       D U D D  001c.5403.e104
    vswitchif1      0.0.0.0/0         NULL       D U D D  001c.5403.e10d

    SA-2001# show interface eth0/0
    ------------------------------------------------------------------------------
    Interface ethernet0/0
    description:
    Physical up Admin up
    Link up Protocol up
    Interface ID:8
    IP address:192.168.10.1
    IP address mask:255.255.255.0
    MAC address:001c.5403.e100
    Ip mtu:1500
    ARP learn:enable
    ARP disable-dynamic-entry:disable
    ARP timeout:1200
    Speed mode:1000
    Duplex mode:full
    media type:copper
    QoS input profile : 1st-level --2nd-level --
    QoS output profile: 1st-level --2nd-level --
    downstream bandwidth is 1000000000
    upstream bandwidth is 1000000000
    Bind to zone trust
    Belong to vsys root
    Auth-arp disable
    manage service:SSH;TELNET;PING;SNMP;HTTP;HTTPS;
    Secondary IP address0: 0.0.0.0 mask:0.0.0.0
    Secondary IP address1: 0.0.0.0 mask:0.0.0.0

2.2.7. Firewall route check
In transparent mode the firewall is managed only by logging in at the default IP address through vswitchif1 or the device's interface eth0/0; in transparent mode, routes relate only to management and have nothing to do with data forwarding.

When the firewall works in routing mode, its data forwarding depends on the system routing table.

Check that the routes are configured correctly.

    hillstone# show ip route
    Codes: K - kernel route, C - connected, S - static, I - ISP, R - RIP, O - OSPF,
    B - BGP, D - DHCP, P - PPPoE, H - HOST, G - SCVPN, V - VPN, M - IMPORT,
    > - selected route, * - FIB route
    Routing Table for Virtual Router <trust-vr>
    ====================================================================
    C>* 192.168.1.0/24 is directly connected, ethernet0/0
    H>* 192.168.1.1/32 [0/0/1] is local address, ethernet0/0
    ====================================================================

2.2.8. Firewall FIB check
View the forwarding table through the firewall's FIB.

    SA-2001# show fib
    U-up; G-gateway; H-host; C-connected; B-blackhole; N-subnet broadcast;
    P-ping track; S-switch over; I-interface; V-vrouter
    Forwarding Table for Virutal Router <trust-vr>
    ======================================================================
    Destination        Gateway          Flags  Interface    Weight
    ------------------------------------------------------------------------------
    192.168.10.0/24    0.0.0.0          UC     ethernet0/0  1/1/1
    192.168.10.1/32    192.168.10.1     UH     ethernet0/0  1/1/1
    192.168.10.255/32  192.168.10.255   UN     ethernet0/0  1/1/1

2.2.9. Firewall log check
Hillstone provides event logs for monitoring system events and network traffic, which help the system administrator analyze and track the various problems of the device.
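The session, CPU and memory checks in 2.2.3 to 2.2.5 each state a threshold to apply by hand. As an added example (not code from the manual or from Hillstone), the following Python applies those thresholds to the text of show cpu, show memory and show session generic, so the same checks can run from a script over collected output; the sample outputs are constructed in the format the manual shows, and the 90% session-table warning level is an assumption, not a value from the manual.

```python
import re

# Thresholds stated in the maintenance manual: CPU above 60% and memory above
# 70% call for checking the network for attacks or abnormal traffic; any
# non-zero "alloc failed" count means the session table once hit its maximum.
CPU_THRESHOLD = 60.0
MEM_THRESHOLD = 70.0
SESSION_WARN_RATIO = 0.9  # assumption: warn when the session table is 90% full

def parse_cpu(text):
    """Map each window of 'show cpu' output ('Last 1 minute', ...) to a percentage."""
    pattern = r"(Average cpu utilization|current cpu utilization|Last \d+ minutes?)\s*:\s*([\d.]+)%"
    return {name: float(val) for name, val in re.findall(pattern, text)}

def parse_memory(text):
    """Return the overall percentage from 'show memory' output, or None if absent."""
    m = re.search(r"memory utilization:\s*([\d.]+)%", text)
    return float(m.group(1)) if m else None

def parse_session(text):
    """Return max/alloced/alloc_failed counters from 'show session generic' output."""
    m = re.search(r"max (\d+), alloced (\d+),.*?alloc failed (\d+)", text)
    if not m:
        return None
    return {"max": int(m.group(1)), "alloced": int(m.group(2)),
            "alloc_failed": int(m.group(3))}

def health_findings(cpu_out, mem_out, sess_out):
    """Apply the manual's thresholds and return a list of findings (empty = healthy)."""
    findings = []
    cpu = parse_cpu(cpu_out)
    windows = [cpu.get(k, 0.0) for k in ("Last 1 minute", "Last 5 minutes", "Last 15 minutes")]
    if all(w > CPU_THRESHOLD for w in windows):
        # High in every average: the manual attributes sustained load to configuration
        findings.append("cpu: sustained above %.0f%%, review firewall configuration" % CPU_THRESHOLD)
    elif any(w > CPU_THRESHOLD for w in windows):
        # High in only some windows: check for attacks or abnormal traffic
        findings.append("cpu: spike above %.0f%%, check for attack or abnormal traffic" % CPU_THRESHOLD)
    mem = parse_memory(mem_out)
    if mem is not None and mem > MEM_THRESHOLD:
        findings.append("memory: %.0f%% exceeds %.0f%%, check for attack traffic" % (mem, MEM_THRESHOLD))
    sess = parse_session(sess_out)
    if sess:
        if sess["alloc_failed"] > 0:
            findings.append("session: %d allocation failures, table has reached its maximum" % sess["alloc_failed"])
        if sess["alloced"] >= SESSION_WARN_RATIO * sess["max"]:
            findings.append("session: %d of %d in use, device near capacity" % (sess["alloced"], sess["max"]))
    return findings

# Constructed sample outputs in the format shown by the manual (not real captures).
HEALTHY_CPU = ("Average cpu utilization : 0.2%\ncurrent cpu utilization : 2.0%\n"
               "Last 1 minute : 0.1%\nLast 5 minutes : 0.2%\nLast 15 minutes : 0.2%\n")
HEALTHY_MEM = "The percentage of memory utilization: 25%\ntotal(kB) used(kB) free(kB)\n524288 132793 391495\n"
HEALTHY_SESS = "VSYS 0, max 200000, alloced 0, deny session 0, free 200000, tunnel 0, alloc failed 0\n"
BUSY_CPU = ("Average cpu utilization : 30.0%\ncurrent cpu utilization : 91.0%\n"
            "Last 1 minute : 85.0%\nLast 5 minutes : 20.0%\nLast 15 minutes : 10.0%\n")
BUSY_MEM = "The percentage of memory utilization: 80%\ntotal(kB) used(kB) free(kB)\n524288 419430 104858\n"
BUSY_SESS = "VSYS 0, max 200000, alloced 199500, deny session 0, free 500, tunnel 0, alloc failed 12\n"

if __name__ == "__main__":
    for label, outs in (("healthy", (HEALTHY_CPU, HEALTHY_MEM, HEALTHY_SESS)),
                        ("busy", (BUSY_CPU, BUSY_MEM, BUSY_SESS))):
        print(label, health_findings(*outs) or ["no findings"])
```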
