Hillstone Networks NIPS WebUI User Guide Version 4.0 TechDocs | docs.hillstonenet.com

NIPS WebUI User Guide

StoneOS_WebUI_TechDocs | docs.hillstonenet.com
Copyright 2021 Hillstone Networks. All rights reserved.
Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Hillstone Networks.
Contact Information:
US Headquarters:
Hillstone Networks
Santa Clara, CA 95054
This guide gives you comprehensive configuration instructions for the Hillstone Networks NIPS.
For more information, refer to the documentation site: https://docs.hillstonenet.com.cn
To provide feedback on the documentation, please write to us at: TechDoc- [email protected]
Hillstone Networks
TWNO: TW-WUG-SS-A-4.0-EN-V1.0-4/6/2021
Transparent Mode 33
Tap Mode 37
Routing Mode 39
Preparing the System 56
Adding Trusted Hosts 57
Updating Signature Database 58
Chapter 2 Dashboard 61
TOC - 1
Device Monitor 103
Alarms by Time 109
Alarm by Severity 110
Reporting 116
Report Task 125
Logging 133
Log Format 135
Threat Log 136
Event Log 137
Network Log 137
Configuration Log 138
Session Log 139
PBR Log 141
NAT Log 142
URL Log 143
CloudSandBox Log 144
Managing Logs 146
Adding Email Address to Receive Logs 158
Specifying a Unix Server 159
Chapter 6 Configuration Management 159
System and Signature Database 160
Viewing System and Signature DB Information 160
Policy 163
Managing Security Policy Rules 181
Enabling/Disabling a Policy Rule 182
Exporting a Policy Rule 182
Importing a Policy Rule 182
Cloning a Policy Rule 183
Adjusting Security Policy Rule Position 183
Schedule Validity Check 183
Showing Disabled Policies 184
Implementing NAT 187
Configuring SNAT 188
Adjusting Priority 196
Hit Count 198
Hit Count Check 198
Enabling/Disabling a DNAT Rule 210
Copying/Pasting a DNAT Rule 210
Adjusting Priority 211
Hit Count 212
Hit Count Check 212
Pipes 214
Session Limit 234
Clearing Statistic Information 237
Importing/Exporting Binding Information 244
Configuring Authenticated ARP 244
Configuring ARP Inspection 246
Configuring DHCP Snooping 247
Configuring Host Defense 251
Security Protection Configuration 253
Intrusion Prevention System 255
Configuring IPS profiles 256
Anti Virus 306
Configuring Anti-Virus 307
Configuring the Decompression Control Function 311
Antispam 313
Configuring an Antispam User-defined Blacklist 318
Antispam Global Configuration 320
Address Library 321
Creating a Custom Address Entry 321
Botnet C&C Prevention Global Configuration 322
Preparing 323
Configuring a Botnet C&C Prevention Rule 324
Perimeter Traffic Filtering 325
Configuring IP Blacklist 327
Static IP Blacklist 327
Predefined URL DB 349
Upgrading Predefined URL Database Online 351
Upgrading Predefined URL Database from Local 351
User-defined URL DB 351
Importing User-defined URL 353
Clearing User-defined URL 353
Keyword Category 355
Warning Page 357
Sandbox 362
Threat List 368
Trust List 369
Network Behavior Record 377
Viewing Logs of Network Behavior Recording 381
ACL 381
Advanced Threat Detection 403
Viewing Advanced Threat Detection Information 404
Hot Threat Intelligence 406
Mitigation 410
Enabling Mitigation 413
Viewing the Details of Threat Sound Alarm 420
Network Configuration 422
Security Zone 423
Management Interface 426
Interface 427
Creating an Ethernet Sub-interface/Aggregate Sub-interface/Redundant Sub-interface 449
LLDP 456
Configuring an Analysis 464
NBT Cache 467
Configuring a DHCPv6 Relay Proxy 481
Chapter 5 Advanced Routing 482
Destination Route 483
Source Route 486
Source-Interface Route 490
Policy-based Route 493
Creating a Policy-based Route Rule 494
Adjusting Priority of a PBR Rule 500
Applying a Policy-based Route 501
DNS Redirect 502
RIP 504
Enabling ALG 511
Configuring Protection Mode 517
Viewing Details 522
Service Book 524
Configuring a User-defined Service Group 530
Viewing Details 531
Creating a User-defined Application Group 534
Creating an Application Filter Group 535
Creating a Signature Rule 535
Viewing Details 540
SSL Proxy 541
Work Mode 542
Configuring SSL Proxy Parameters 543
Specifying the PKI Trust Domain of Device Certificate 544
Obtaining the CN Value 544
Importing Device Certificate to Client Browser 545
Configuring a SSL Proxy Profile 546
Working as Gateway of Web Servers 553
Configuring a SSL Proxy Profile 553
Binding a SSL Proxy Profile to a Policy Rule 556
Schedule 557
Configuring Radius Server 566
Configuring TACACS+ Server 570
Export User List 575
Import User List 576
Synchronizing Users 578
Synchronizing Users 579
Creating a Role Mapping Rule 584
Creating a Role Combination 585
Critical Assets 588
Connecting or Blocking the Critical Assets 589
Track Object 591
System Configuration 596
Device Management 597
Configuring Login Options for the Default Administrator 599
Admin Roles 602
Trusted Host 603
Management Interface 605
System Time 608
Configuring NTP 609
Option 612
SNMP 620
License 636
Installing a License 640
Extended Services 643
Cloud·View Deployment Scenarios 647
Connecting to Hillstone Cloud·View 647
One-click Disconnection 649
Send Object 649
High Availability 651
Basic Concepts 652
HA Cluster 652
HA Group 652
HA Selection 652
Importing/Exporting Trust Domain 667
Importing Trust Certification 668
Packet Path Detection 669
Emulation Detection 669
Online Detection 672
Imported Detection 675
Detected Sources 677
Create a Packet Capture Rule 680
Packet Capture Global Configuration 681
Test Tools 683
DNS Query 683
Configuring Interfaces 686
Configuring Route 687
Force to Close the Bypass Function 687
Repairing/Resetting Database 688
Conventions
Once you know how to operate the common WebUI controls, you can complete the configuration of most functions.
The common controls and their effects are as follows:
• Switching between function categories: select the tab at the top of the page.
• Switching between Chinese and English: click the drop-down button of the user name in the upper right corner, and then click the "-EN" button to switch.
• Switching between functions: click the specific function node in the level-2 navigation pane.
• Opening the function list: click the icon in the level-2 navigation pane;
  closing the function list: click the icon in the level-2 navigation pane.
• Viewing the specified column: click the icon, click "Column" in the drop-down list, and select the specified list. The system supports a list status memory function: when you log in to the device, it displays the last configuration of the list status.
• To lock a column: click the icon, then click "Lock" in the drop-down list; the locked column will always be shown at the right of the list.
• To unlock the list: click the icon, then click "Unlock".
• To restore the initial state of the list: double-click the list header and click "OK" in the dialog box.
• To restore the initial state of all the lists: click the button of the user name in the top right corner of the page and click "OK" in the dialog box.
• To view the specified items by setting up filters: click the button, select filter conditions from the Filter drop-down list, and then select filter conditions as needed. To delete a filter condition, hover your mouse over that condition and then click the icon. To delete all filter conditions, click the icon on the right side of the row.
• To create an item, click New.
• To edit an item, select the check box and click Edit.
• To delete items, select the check boxes and click Delete.
• To copy an item, select the check box and click Copy.
• To paste an item, select the check box and click Paste.
• To display the hidden controls, click the icon.
• To update the data displayed on the current page, click Refresh.
• To search according to one condition, click Filter. In the pop-up line, click +Filter to add a new filter condition. Then select a filter condition from the drop-down menu, enter a value, and press Enter to start searching.
• To search according to multiple conditions, click the icon to add another filter condition, then select a filter condition from the drop-down menu, enter a value, and press Enter to start searching.
• To close the dialog, click 'X' at the top right corner of the dialog.
• To save the current configuration, click OK.
• To cancel the current operation, click Cancel.
• Click Apply to make the modification take effect.
• Click the page buttons to jump to the previous page, next page, dashboard or last page. Enter a page number to jump to the corresponding page.
Browser Compatibility
• IE11
• Chrome
Chapter 1 Getting Started Guide
This guide helps you go through initial configuration and basic set-up of devices.
• Deploying Devices: for different scenarios, you can use different deployment modes.
  • "Transparent Mode" on Page 33: use this mode to analyze and transmit packets efficiently, to record logs, reset the connection, or block the connection when attack behavior is detected. To make deployment in this mode convenient, the device has pre-defined configurations for security zones, interfaces, and policies.
  • "Tap Mode" on Page 37: use this mode to inspect attack behavior and record logs.
  • "Routing Mode" on Page 39: use this mode when you want the routing and NAT functions provided by the device.
• "Initial Visit to Web Interface" on Page 54
• "Preparing the System" on Page 56
  • Installing License
  • Adding Trusted Hosts
  • Updating Signature Databases
Transparent Mode
In the transparent mode, the device locates between the router and the switch and inspects the traffic. When detecting the attack behavior, the device can record logs, reset the connection, or block the connection.
The device has pre-defined configurations of security zones and security policies for transparent mode. Complete the following topology to use the transparent mode.
When using transparent mode, the pre-defined configurations of the interfaces, the security zones where the interfaces are located, and the security policies between the security zones are described below:
For S2060/S2160/S2200-C/S2560/S2660/S3060/S3100-C/S3260/S3300-C/S3560/S3860/S3960/S5560, you can use other interface pairs.
S600/S800/S1000-C/S1060/S1100-C/S1200-C/S1560
ect-a
Profile: l2-direct-a-default-ips
ect-a
S2060/S2160/S2200-C/S2560/S2660
eth0/0
Profile: l2-direct-a-default-ips
S2060/S2160/S2200-C/S2560/S2660
eth0/2
Profile: l2-direct-b-default-ips
eth0/0
Profile: l2-direct-a-default-ips
S3060/S3100-C/S3260/S3300-C/S3560/S3860/S3960/S5560
eth0/2
Profile: l2-direct-b-default-ips
Profile: l2-direct-c-default-ips
Tap Mode
In the tap mode, the device inspects the received mirror traffic. When detecting the attack behavior, the device records it. Meanwhile, the device can send the Reset packet from the ingress interface of the mirror traffic according to your IPS configurations.
The device has pre-defined configurations of security zones and security policies for tap mode. Complete the following topology to use tap mode.
Step1: Configure the switch to mirror the traffic to the interface that connects to S series device.
Step 2: Bind the physical interface to the tap-a security zone. After the binding, this physical interface becomes the tap interface.
1. In the WebUI, select Configuration Management > Network Configuration > Interface.
2. Double-click the ethernet0/3 interface to open the Ethernet Interface page.
3. In the Ethernet Interface page, configure the following settings:
Binding
Zone Zone
TAP tap-a
After the configurations, the device will inspect the received mirror traffic. When using tap mode, the configuration of the interface, the security zone where the interface is located, and the security policy between the security zones are described below:
Interface   Security Zone        Security Policy
eth0/3      TAP security zone:   Profile: tap-a-default-ips
Routing Mode
In the routing mode, the device is deployed at the boundary of the network and provides the routing and NAT functions.
When using the routing mode, you need to configure the interface, trust zone, untrust zone, DMZ zone, and policies.
The example of deploying the device in the routing mode is based on the following topology.
Step 1: Connecting to the device
1. Connect one interface (e.g. ethernet0/1) to the ISP network and connect the other interface (e.g. ethernet0/0) to the intranet.
2. Log into the WebUI. For more information, see "Initial Visit to Web Interface" on Page 54.
Step 2: Configuring interfaces
2. Double-click the ethernet0/1 interface to open the Ethernet Interface page. The ethernet0/1 interface connects to the ISP network.
In the Ethernet Interface page, configure the following settings:
Option       Value
Binding      Zone
IP Address   202.10.1.2 (public IP address provided by your ISP)
Netmask      255.255.255.0
Management   Select the protocols that you want to use to access the device.
3. Click OK.
4. Double-click the ethernet0/0 interface to open the Ethernet Interface page. The ethernet0/0 interface connects to the intranet.
In the Ethernet Interface page, configure the following settings:
Option       Value
Binding      Zone
Zone         trust
Netmask      255.255.255.0
Management   Select the protocols that you want to use to access the device.
5. Double-click the ethernet0/2 interface to open the Ethernet Interface page. The ethernet0/2 interface connects to the intranet.
In the Ethernet Interface page, configure the following settings:
Option       Value
Binding      Zone
Netmask      255.255.0.0
Management   Select the protocols that you want to use to access the device.
6. Click OK.
Step 3: Creating a NAT rule to translate internal IP to public IP
1. Select Configuration Management > Policy > NAT > SNAT.
2. Click New.
Option Value
3. Click OK.
Step 4: Creating a NAT rule to publish internal servers to public IP
1. Select Configuration Management > Policy > NAT > DNAT.
2. Select New > IP Mapping.
In the IP Mapping Configuration page, configure the following settings:
Option                Value
Destination Address   Select IP Address from the drop-down menu and enter "202.10.1.2" in the text box. When the destination IP address of the traffic is the one you entered, the device will translate the destination IP address to the one you specified in the Mapped to text box.
Mapped to             Select IP Address from the drop-down menu and enter "10.89.19.2". The destination IP address will be translated to this mapping address.
3. Click OK.
Step 5: Creating a security policy to allow internal users access Internet
1. Select Configuration Management > Policy > Security Policy > Policy.
2. Select New > Policy.
Option        Value
Source Zone   trust
Expand Protection and configure the IPS setting.
IPS           Click the Enable button and select the predef-default profile. The action of this profile is to reset the packets that match the IPS rules.
3. Click OK.
Step 6: Creating a security policy to allow internet users access servers
1. Select Configuration Management > Policy > Security Policy > Policy.
2. Select New > Policy.
Option        Value
Source Zone   untrust
Application   -----
Expand Protection and configure the IPS setting.
IPS           Click the Enable button and select the predef-default profile. The action of this profile is to reset the packets that match the IPS rules.
3. Click OK.
1. Select Configuration Management > Network Configuration > Routing > Destination Route.
2. Click New.
Option    Value
Gateway   202.10.1.1 (gateway provided by your ISP)
3. Click OK.
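To see how the pieces configured in Steps 1 to 7 fit together, here is a simplified model of the routing-mode packet path, written as an added example (not Hillstone code, and not a reproduction of StoneOS's real processing order). Only the 202.10.1.2/24 address on ethernet0/1, the 202.10.1.2 to 10.89.19.2 mapping, the predef-default IPS profile and the 202.10.1.1 gateway come from the steps above; the trust and DMZ subnets, the zone of ethernet0/2, the destination zones of the two policies, the SNAT translation address and the sample host addresses are assumptions the guide does not state.

```python
"""Simplified model of the routing-mode deployment from Steps 1 to 7.
Added example: zone lookup -> DNAT -> zone-pair policy -> SNAT/route is a
generic firewall model, not StoneOS's documented order. Values marked
"assumed" are not in the guide."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    network: ipaddress.IPv4Network


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    ips_profile: Optional[str]   # profile bound under Protection > IPS


# Step 2: interfaces. Only ethernet0/1 = 202.10.1.2/24 comes from the guide;
# the trust and dmz networks and the "dmz" zone of ethernet0/2 are assumed.
INTERFACES = (
    Interface("ethernet0/1", "untrust", ipaddress.ip_network("202.10.1.0/24")),
    Interface("ethernet0/0", "trust", ipaddress.ip_network("192.168.10.0/24")),
    Interface("ethernet0/2", "dmz", ipaddress.ip_network("10.89.0.0/16")),
)
PUBLIC_IP = IPv4("202.10.1.2")                    # Step 3: SNAT to the public address (assumed)
DNAT = {IPv4("202.10.1.2"): IPv4("10.89.19.2")}   # Step 4: IP mapping from the guide
POLICIES = (                                       # Steps 5 and 6; destination zones assumed
    Policy("trust", "untrust", "predef-default"),
    Policy("untrust", "dmz", "predef-default"),
)
DEFAULT_GATEWAY = IPv4("202.10.1.1")              # Step 7: destination route from the guide


def route_lookup(ip: IPv4) -> Interface:
    """Longest-prefix match over the connected networks; anything else follows
    the default route and leaves through the interface that owns the gateway."""
    connected = [i for i in INTERFACES if ip in i.network]
    if connected:
        return max(connected, key=lambda i: i.network.prefixlen)
    return route_lookup(DEFAULT_GATEWAY)


def find_policy(src_zone: str, dst_zone: str) -> Optional[Policy]:
    """First rule whose zone pair matches; None means the implicit deny."""
    for p in POLICIES:
        if (p.src_zone, p.dst_zone) == (src_zone, dst_zone):
            return p
    return None


def forward(src: str, dst: str) -> dict:
    """Walk one packet through the model: ingress zone (route lookup on the
    source stands in for the arrival interface), DNAT, egress zone of the
    translated destination, zone-pair policy, then SNAT toward the Internet."""
    src_ip, dst_ip = IPv4(src), IPv4(dst)
    ingress = route_lookup(src_ip)
    translated = DNAT.get(dst_ip, dst_ip)         # DNAT runs before the policy lookup
    egress = route_lookup(translated)
    policy = find_policy(ingress.zone, egress.zone)
    if policy is None:
        return {"action": "deny", "from": ingress.zone, "to": egress.zone}
    new_src = PUBLIC_IP if egress.zone == "untrust" else src_ip
    next_hop = translated if translated in egress.network else DEFAULT_GATEWAY
    return {
        "action": "permit", "from": ingress.zone, "to": egress.zone,
        "src": str(new_src), "dst": str(translated),
        "out_if": egress.name, "next_hop": str(next_hop), "ips": policy.ips_profile,
    }


if __name__ == "__main__":
    for s, d in (("192.168.10.50", "8.8.8.8"),       # intranet user to the Internet
                 ("203.0.113.7", "202.10.1.2"),      # Internet client to the published server
                 ("203.0.113.7", "192.168.10.50")):  # Internet client straight at the trust zone
        print(f"{s} -> {d}: {forward(s, d)}")
```

In the model the policy lookup runs after DNAT, so the rule from Step 6 matches on the zone of 10.89.19.2, which is why an Internet packet to the public address is permitted while one aimed directly at the trust zone hits the implicit deny.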
Initial Visit to Web Interface
Interface eth0/0 or MGT0 is configured with the IP address 192.168.1.1/24 by default and is open to all connection types. For the initial visit, use this interface.
To visit the web interface for the first time:
1. Go to your computer's Ethernet properties, set the IPv4 protocol as below.
2. Connect an RJ-45 Ethernet cable from your computer to eth0/0 or MGT0 of the device.
3. In your browser's address bar, type "http://192.168.1.1" and press Enter.
4. In the login interface, type the username, password and verification code. The default username and password are hillstone and hillstone.
5. Click Login, and the device's system will initiate.
Notes: To ensure account security, one account can only be used by one user to log in to the WebUI at the same time. If multiple users need to log in with the same account, the user who logs in later will kick out the user who logged in before.
Preparing the System
Installing Licenses
After you obtain the license string or file from the sales person, take the following steps to install the license:
1. Select Configuration Management > System Configuration > License.
2. Choose one of the two ways to import a license:
l Upload License file: Select the radio button, click Browse, and select the license file
(a .txt file).
l Manual Input: Select the radio button, and paste the license code into the text box.
3. Click OK.
4. To make the license take effect, reboot the system. Go to Configuration Management > System Configuration > Device Management > Option, and click System Option > Reboot.
Creating a System Administrator
The system administrator has the authority to read, write and execute all features in this system. It can configure all modules in any mode and view the current and historical configurations.
To create a system administrator, take the following steps:
1. Select Configuration Management > System Configuration > Device Management >
Administrators.
2. Click New.
Option             Value
Name               Admin
Role               Administrator
Password           Hillstone@321
Confirm Password
3. Click OK.
Notes: The system has a default administrator "hillstone", which cannot be deleted or renamed.
Adding Trusted Hosts
A trusted host is the administrator's host. Only computers included in the trusted hosts can manage the system.
To add a trusted host, take the following steps:
1. Select Configuration Management > System Configuration > Device Management > Trusted Host.
Option       Value
Login Type   Select the login types allowed: Telnet, SSH, HTTP and HTTPS
3. Click OK.
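As an added example (not Hillstone code), the check below models what the trusted host list does: a management login is accepted only when its source address falls inside an entry that also permits that login type, and an audit function flags entries that defeat the purpose of the list. The text entry format, the sample entries and the audit rules are assumptions; only the four login types come from the table above.

```python
"""Model of the trusted-host check from the Adding Trusted Hosts step.
Added example; the entry format, sample entries and audit rules are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

LOGIN_TYPES = ("telnet", "ssh", "http", "https")   # the four login types the guide lists
CLEARTEXT = {"telnet", "http"}                      # credentials cross the wire unencrypted


@dataclass(frozen=True)
class TrustedHost:
    network: ipaddress.IPv4Network
    login_types: frozenset

    def __post_init__(self) -> None:
        bad = self.login_types - set(LOGIN_TYPES)
        if bad:
            raise ValueError(f"unknown login type(s): {sorted(bad)}")


def parse_trusted_host(spec: str) -> TrustedHost:
    """Parse '192.168.1.0/24 ssh,https' (a constructed text form, not the WebUI's)."""
    network, types = spec.split(maxsplit=1)
    return TrustedHost(
        ipaddress.ip_network(network, strict=False),
        frozenset(t.strip().lower() for t in types.split(",") if t.strip()),
    )


def management_allowed(hosts: Iterable[TrustedHost], src_ip: str, login_type: str) -> bool:
    """True only if some entry both contains the source address and permits the login type."""
    ip = ipaddress.ip_address(src_ip)
    login_type = login_type.lower()
    return any(ip in h.network and login_type in h.login_types for h in hosts)


def weak_entries(hosts: Iterable[TrustedHost]) -> List[str]:
    """Flag entries that undo the point of the list: a range so wide it matches
    every address, or a cleartext login type (Telnet/HTTP)."""
    findings = []
    for h in hosts:
        if h.network.prefixlen == 0:
            findings.append(f"{h.network}: matches every address")
        clear = sorted(h.login_types & CLEARTEXT)
        if clear:
            findings.append(f"{h.network}: allows cleartext login via {', '.join(clear)}")
    return findings


# Constructed sample entries: an admin subnet over SSH/HTTPS, one jump host over
# HTTPS, and a deliberately poor entry to show what the audit reports.
TRUSTED_HOSTS = [parse_trusted_host(s) for s in (
    "192.168.1.0/24 ssh,https",
    "10.0.5.7/32 https",
    "0.0.0.0/0 telnet,https",
)]

if __name__ == "__main__":
    print(management_allowed(TRUSTED_HOSTS[:2], "192.168.1.20", "https"))   # True
    print(management_allowed(TRUSTED_HOSTS[:2], "192.168.1.20", "telnet"))  # False
    for finding in weak_entries(TRUSTED_HOSTS):
        print("audit:", finding)
```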
Updating Signature Database
Features that require constant signature updates are license controlled. You must purchase the license in order to be able to update the signature libraries. By default, the system automatically updates the databases daily.
To update a database, take the following steps:
1. Select Configuration Management > System Configuration > Upgrade Management > Signature Database Update.
2. Find your intended database, and choose one of the following two ways to upgrade.
• Remote Update: click OK and Online Update, and the system will automatically update the database.
• Local Update: click Browse to open the file explorer, and select your local signature file to import it into the system.
Restoring to Factory Settings
Notes: Resetting your device will erase all configurations, including the settings that have been saved. Please be cautious!
To restore factory default settings via WebUI, take the following steps:
1. Select Configuration Management > System Configuration > Configuration File Management > Configuration File List.
2. Click Backup Restore.
3. In the Configuration Backup/Restore page, click Restore.
4. In the Restore to Factory Defaults page, click OK to confirm. To delete the history content in the database, including threat logs, reports, and captured packets, select the Clear History check box.
5. The device will automatically reboot and return to factory settings. All configurations, including the backed-up system configuration file and the history content in the database, will be deleted.
Chapter 2 Dashboard
The dashboard shows the system and threat information. The layout of the dashboard is shown below:
System Status
Display the current system CPU utilization, memory utilization, hard disk utilization, session utilization, and chassis temperature.
Threat Type/Detected by
Display the threat distribution and the threat trend through Threat Type and Detected by.
Threat Type: Select the Threat Type tab, and then system will display the number of threat events of various types, and display the changing trend of the threat events in different periods in the Threat Event Trends line chart.
• Click the number under the name of a certain threat type to open the iCenter > Threat page; the system will then filter threat events by the corresponding threat type to display all intranet threat events of that type in the list.
• Hover your mouse over the line chart to display the number of attacks of each threat type at the specified time point.
Detected by: Select the Detected by tab, and then system will display the number of threat events detected by each detection engine, and display the changing trend of the threat events in different periods in the Threat Event Trends line chart.
• Click the number under the name of a certain detection engine to open the iCenter > Threat page; the system will then filter threat events by the corresponding detection engine to display all intranet threat events detected by that engine in the list.
• Hover your mouse over the line chart to display the number of attacks detected by each detection engine at the specified time point.
Hot Events
Display the names of the latest ten pieces of threat intelligence obtained. If the system has been attacked by a threat described in a certain piece of threat intelligence, the intelligence will be displayed in red, otherwise it will be in blue. Click the name of a piece of intelligence to open the iCenter > Hot Threat Intelligence page, and the system will display details of the selected intelligence in the list.
Top5 Threat Tags/Top5 Threats
Top5 Threat Tags: Select the Top5 Threat Tags tab to display the top 5 threat tags by number.
• Click the name of a certain threat tag to open the iCenter > Threat page; the system will then filter threat events by the corresponding threat tag to display all intranet threat events of that tag in the list.
• Click All to open the iCenter > Threat page, and the system will display details of all threat events in the list.
Top5 Threats: Select the Top5 Threats tab to display the top 5 threats by the number of attacks.
• Click the name of a certain threat to open the iCenter > Threat page, and the system will display details of the selected threat event in the list.
• Click All to open the iCenter > Threat page, and the system will display details of all threat events in the list.
Threat Geographical Distribution
Display the top 5 threat distribution areas by the number of attacks.
• Hover your mouse over the map and scroll the mouse wheel to zoom the map in and out to view the specific location of an attack source, or click the "+" and "-" icons on the left side of the map to zoom in and out.
• Hover your mouse over a certain area to display the number of threats in the area.
Refresh Interval
You can specify the refresh interval as needed, and the system will refresh the statistics on the page according to the time period you set. Alternatively, you can select Manual and click the icon to refresh the statistics on the page immediately.
Statistical Period
System supports the predefined time cycle and the custom time cycle. Click Last 30 Days on the top right corner to set the time cycle.
l Last 60 Minutes: Displays the statistical information within the latest 1 hour.
l Last 24 Hours: Displays the statistical information within the latest 1 day.
l Last 7 Days: Displays the statistical information within the latest 1 week.
l Last 30 Days: Displays the statistical information within the latest 1 month.
• Custom: Customize the time cycle. Select Custom to open the Custom Date and Time page, and then select the start time and the end time as needed. The earliest supported start time is a time point in the 30th day before the current time.
Chapter 3 iCenter
The multi-dimensional features show all the critical assets, risk computers, and threats of the whole network.
Hot Threat Intelligence
The Hot Threat Intelligence page displays the intelligence of hot threats on the Internet, including IPS vulnerabilities, viruses, and threats detected by the cloud sandbox. You can view the details of the hot threats, or carry out protection operations to prevent them. Click iCenter > Hot Threat Intelligence to enter the Hot Threat Intelligence page. For detailed information, see "Hot Threat Intelligence" on Page 406.
Critical Assets
The Critical Assets page displays the detailed information of critical assets and the related threat information. Click iCenter > Critical Assets to enter the Critical Assets page.
Click the link of the critical asset name in the list to view the following information of this critical asset:
• Detailed information: Displays the name of the critical asset, the ComputerName/IP (if the computer name cannot be identified, the IP will be displayed), operating system, status, zone, risk level (the white line points to the risk level of this critical asset), and certainty.
• Threat information: Displays the kill chain, threats, and mitigation.
  • In the Kill Chain tab, view the attacks and threats to this critical asset that exist in each stage of the kill chain. A highlighted stage means there are attacks and threats in this stage. Click this stage to display all threat information in this stage. Click the threat name in the list to view the threat information.
  • In the Threats tab, view all attacks and threats from or to the critical asset.
  • In the Mitigation tab, view the mitigation actions and the mitigation rules.
• Statistical information: The statistics about the applications, traffic, and connections related to the critical asset, including the statistics where the critical asset is the source IP of the sessions, where it is the destination IP of the sessions, and where it is the source IP or destination IP.
• Internal connection: The Risk Computers tab displays the computer information that interacts with the critical asset, the Address tab displays traffic and new sessions of IPs that interact with the critical asset, the Application tab displays traffic and new sessions of applications that
Risk Computers
Risk computer refers to the attacker computer and the victim computer. Based on the threat level, the Risk Computers tab displays the statistics of all risk computers and threat information of the whole network. Select iCenter > Risk Computers.
Click a computer name link on the list to view detailed information about the risks, kill chain, and threat details.
• Detailed information: Displays the computer name/IP (if the computer name cannot be identified, the IP will be displayed), operating system, status, zone, risk level (the white line points to the risk level of this critical asset), and certainty.
• Kill Chain: View the threats about the risk computer in each phase of the kill chain.
• Threats: View all the threats about the risk computer.
• Mitigation: View all of the mitigation rules and the details of the mitigation action results of the mitigation rules.
For a Mitigation function introduction, see "Mitigation" on Page 410.
Click a threat name link in the list to view the detailed information, source/destination, knowledge base and history about the threat. For a detailed description, see the next section, Threat.
Threat
The Threats tab collects statistics on and displays all threat information of the whole network within the specified period. Click iCenter, and click the Threat tab.
Click a threat name link in the list to view the detailed information, source/destination, knowledge base and history about the threat.
• Threat Analysis: Depending on the detection engine that found the threat, the content of the Threat Analysis tab differs.
  • Anti Virus/IPS: Display the detailed threat information and view or download the evidence packets.
    For the Anti Virus/IPS function introduction, see "Anti Virus" on Page 306/"Intrusion Prevention System" on Page 255.
  • Attack Defense/Perimeter Traffic Filtering: Display the detailed threat information.
    For the Attack Defense/Perimeter Traffic Filtering function introduction, see "Attack-Defense" on Page 384/"Perimeter Traffic Filtering" on Page 325.
  • Sandbox Threat Detection: Display the detailed threat information of the suspicious file.
vior Detection" on Page 399.
  • Advanced Threat Detection: Display the advanced threat detection information, malware reliability information, etc.
    For the Advanced Threat Detection function introduction, see "Advanced Threat Detection" on Page 403.
  • Anti-Spam: Display the spam filter information, such as the sender and subject of the spam.
    For the Anti-Spam information, see "Antispam" on Page 313.
• Knowledge Base: Display the specified threat description, solution, etc. of the threats detected by IPS, Abnormal Behavior Detection and Advanced Threat Detection.
• Threat History: Display the historical information of the selected threat for the whole network.
• Admin Action: Click to modify the threat state (Ignore, Confirmed, False Positive, Fixed).
Option          Description
Change to       Select the state of the threat: Ignore, Confirmed, False Positive or Fixed.
Marking Scope   Select the marking scope of the threat entry. The system supports batch tagging of threat entries with the same source address or the same destination address.
Comment         Specify the comment of the action.
Mitigation
System can identify the potential risks and network attacks dynamically, and take action on the risk that hits the mitigation rules. For the Mitigation function introduction, see "Mitigation" on Page 410.
Threat Alarm Rule
A threat alarm rule consists of threat conditions and an action method. When a threat event that meets the threat conditions (such as threat type, severity, behavior category, threat name, etc.) occurs, the system will notify the user in time according to the action method specified in the rule (such as linking to the firewall, a sound alarm or email), and the user can perform subsequent action processing for the threat event. For the Threat Alarm Rule function introduction, see Threat Alarm Rule.
Chapter 4 Monitor
The Monitor module analyzes the traffic via the device and provides the statistics in various aspects and styles.
System can monitor the following objects:
• User Monitor: Displays the user-based application statistics within the specified period (real-time, latest 1 hour, latest 1 day, latest 1 month). The statistics include the users that use applications, application traffic and applications' concurrent sessions.
• Application Monitor: Displays the application statistics within the specified period (real-time, latest 1 hour, latest 1 day, latest 1 month). The statistics include the users that used one application, application traffic and applications' concurrent sessions.
• Computer Monitor: Displays the statistics of all risky computers of the whole network.
• URL Hit: Displays the accessed URL statistics within the specified period (real-time, latest 1 hour, latest 1 day, latest 1 month). The statistics include the users and IPs who are surfing, and URLs accessed by users/IPs.
• Service/Network Monitor: Displays the statistics of packet loss rate and latency of service/network nodes.
• Device Monitor: Displays the device statistics within the specified period (real-time, latest 1 hour, latest 1 day, latest 1 month), including the total traffic, interface traffic, zone, online IP, new/concurrent sessions, and hardware status.
• Application Block: If the system is configured with a Security Policy, the application block can gather statistics on the applications and users/IPs.
• Monitor Configuration: Enable or disable some monitor items as needed.
User Monitor
This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the latter shall prevail.
User monitor displays the application statistics within the specified period (Real-time, latest 1 hour, latest 1 day, latest 1 month). The statistics include the application traffic and applications' concurrent sessions.
If IPv6 is enabled, the system supports monitoring both IPv4 and IPv6 addresses.
Notes: Non-root VSYS also supports user monitor, but does not support address book statistics.
Summary
Summary displays the user traffic/concurrent sessions ranking during a specified period or of specified interfaces/zones. Click Monitor > User Monitor > Summary.
• Select a different Statistical Period to view the statistical information in that period of time.
• Click to refresh the monitoring data in this page.
• Click to close the current frame.
• Hover your mouse over a bar to view the user's average upstream traffic, downstream traffic, total traffic or concurrent sessions.
• When displaying the user traffic statistics, the Upstream and Downstream legends are used to select the statistical objects in the bar chart.
User Details
Click Monitor > User Monitor > User Details.
• Click to select the condition in the drop-down list to search the desired users.
• To view the detailed information of a user, select the user entry in the list, and click "+".
  • Application (real-time): Select the Application (real-time) tab to display the detailed information of the category, subcategory, risk level, technology, upstream traffic, downstream traffic and total traffic. Click Details in the list to view the line chart.
  • Cloud Application (real-time): Select the Cloud Application tab to display the cloud application information of the selected user.
  • URL (real-time): Select the URL tab to display the URL hit count of the selected user.
  • URL Category (real-time): Select the URL Category tab to display the URL category hit count of the selected user.
  • Traffic: Select the Traffic tab to display the traffic trends of the selected user.
  • Concurrent Sessions: Select the Concurrent Sessions tab to display the concurrent sessions trends of the selected user.
• Within the user entry list, hover your cursor over a user entry, and a button appears to its right. Click this button and select Add to Black List.
Address Book Details
Click Monitor > User Monitor > Address Book Details.
• Click to select the condition in the drop-down list to search the desired address entry.
• To view the detailed information of an address entry, select the address entry in the list, and click "+".
  • Application (real-time): Select the Application (real-time) tab to display the detailed information of the upstream traffic, downstream traffic, and total traffic. Click Details in the list to view the line chart.
  • Cloud Application (real-time): Select the Cloud Application tab to display the cloud application information of the selected address book.
  • User (real-time): Select the User tab to display the total traffic of the selected address book.
  • Traffic: Select the Traffic tab to display the traffic trends of the selected address book.
  • Concurrent Sessions: Select the Concurrent Sessions tab to display the concurrent sessions trends of the selected address book.
Monitor Address Book
The monitor address book is a database that stores the user addresses used for statistics.
Click Monitor > User Monitor > Select Address Book, and click at the top left corner.
In this page, you can perform the following actions:
• Click the desired address entry to add it to the left list.
• In the left list, click an address entry and click × to remove it from the list.
Statistical Period
System supports the predefined time cycle and the custom time cycle. Click the time button on the top right corner of each tab to set the time cycle.
• Real-time: Displays the current statistical information.
• Last Hour: Displays the statistical information within the latest 1 hour.
• Last Day: Displays the statistical information within the latest 1 day.
• Last Month: Displays the statistical information within the latest 1 month.
Application Monitor
This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the latter shall prevail.
Application monitor displays the statistics of applications, application categories, application subcategories, application risk levels, application technologies, and application characteristics within the specified period (Real-time, latest 1 hour, latest 1 day, latest 1 month). The statistics include the application traffic and applications' concurrent sessions.
If IPv6 is enabled, the system supports monitoring both IPv4 and IPv6 addresses.
Notes: Non-root VSYS also supports application monitor, but does not support monitoring application groups.
Summary
The summary displays the following contents of specified interfaces/zones during a specified period:
• The concurrent sessions of the top 10 hot and high-risk applications.
• The traffic/concurrent sessions of the top 10 applications.
• The traffic/concurrent sessions of the top 10 application categories.
• The traffic/concurrent sessions of the top 10 application subcategories.
• The traffic/concurrent sessions organized by application risk levels.
• The traffic/concurrent sessions organized by application technologies.
• The traffic/concurrent sessions organized by application characteristics.
Click Monitor > Application Monitor > Summary.
• Select a different Statistical Period to view the statistical information in different periods of time.
• From the drop-down menu, specify the type of statistics: Traffic or Concurrent Sessions.
• Click to refresh the monitoring data in this page.
• Click to close the current frame.
• Hover your mouse over a bar or a pie graph to view the concrete statistical values of total traffic or concurrent sessions.
Application Details
Click Monitor > Application Monitor > Application Details.
• Click the Time drop-down menu to select a different Statistical Period to view the statistical information in that period of time.
• Click the button and select Application in the drop-down menu. You can search the desired application by entering a keyword of the application's name in the text field.
• To view the detailed information of a certain application, select the application entry in the list, and click "+".
  • Users (real-time): Select the Users (real-time) tab to display the detailed information of the users who are using the selected application. Click in the Details column to see the trends of upstream traffic, downstream traffic and total traffic.
  • Traffic: Select the Traffic tab to display the traffic trends of the selected application.
  • Concurrent Sessions: Select the Concurrent Sessions tab to display the concurrent sessions trends of the selected application.
  • Description: Select the Description tab to display the detailed information of the selected application.
Group Details
Click Monitor > Application Monitor > Group Details.
• Click the Time drop-down menu to select a different Statistical Period to view the statistical information in that period of time.
• Click the button and select Application Group in the drop-down menu. You can search the desired application group by entering a keyword of the application group name in the text field.
• To view the detailed information of a certain application group, select the application group entry in the list, and click "+".
  • User (real-time): Select the Users (real-time) tab to display the detailed information of the users who are using the selected application group. Click in the Details column to see the trends of the upstream traffic, downstream traffic and total traffic.
  • Application (real-time): Select the Application (real-time) tab to display the detailed information of the applications in use that belong to the selected application group. Click in the Details column to see the trends of the upstream traffic, downstream traffic and total traffic of the selected application.
  • Traffic: Select the Traffic tab to display the traffic trends of the selected application group.
  • Concurrent Sessions: Select the Concurrent Sessions tab to display the concurrent sessions trends of the selected application group.
Select Application Group
Click Monitor > Application Monitor > Select Application Group. The global application groups are listed in the right column.
In this page, you can perform the following actions:
• Click the desired application group entry to add it to the left list.
• In the left list, click an application group entry and click × to remove it from the list.
Statistical Period
System supports the predefined time cycle and the custom time cycle. Click Real-time on the top right corner of each tab to set the time cycle.
• Real-time: Displays the current statistical information.
• Last 60 Minutes: Displays the statistical information within the latest 1 hour.
• Last 24 Hours: Displays the statistical information within the latest 1 day.
• Last 30 Days: Displays the statistical information within the latest 1 month.
Computer Monitor
This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the latter shall prevail.
Computer monitor displays the statistics of all risky computers of the whole network.
Computer Details
Computer details displays the statistics of all risky computers of the whole network.
• Click to select the condition in the drop-down list to search for the risky computers.
URL Hit Monitor
After the system is configured with , URL hit monitor displays the URL visit statistics of users/IPs and the statistics of accessed URLs and URL categories within the specified period (real-time, latest 1 hour, latest 1 day, latest 1 month).
Summary
Click Monitor > URL Hit > Summary.
• Select a different Statistical Period to view the statistical information in that period of time.
• Hover your mouse over a bar to view the hit count of the User/IP, URL or URL Category.
• Click at the top-right corner of every table to enter the corresponding details page.
• Click and to switch between the bar chart and the pie chart.
User/IP
• The Users/IPs and their detailed hit counts are displayed in the list below.
• Click "+" before a User/IP entry in the list to display the corresponding URL hit statistics in the curve chart below.
  • URL Trend: Displays the hit statistics of the selected User/IP, including the real-time statistics and the statistics for the latest 1 hour, 24 hours, and 30 days.
  • URL: Displays the real-time hit count of the URLs visited by the selected User/IP. Click the URL link to view the detailed statistics page of the corresponding URL. Click the Detail link to view the URL hit trend of the selected User/IP in the URL Filter Details page.
  • URL Category: Displays the real-time hit count of the URL categories visited by the selected User/IP. Click the URL category link to view the detailed statistics page of the corresponding URL category. Click the Detail link to view the URL category hit trend of the selected User/IP.
• Click the Filter button at the top-left corner. Select User/IP, and you can search the User/IP hit count information by entering a keyword of the username or IP.
URL
Click Monitor > URL Hit > URL.
• The URL, URL category and detailed hit count are displayed in the list below.
• Click "+" before a URL entry in the list to view its detailed statistics.
  • Statistics: Displays the hit statistics of the selected URL, including the real-time statistics and the statistics for the latest 1 hour, 24 hours, and 30 days.
  • User/IP: Displays the real-time hit count of the Users/IPs visiting the selected URL. Click the User/IP link to view the detailed statistics page of the corresponding User/IP. Click the Detail link to view the URL hit trend of the selected User/IP in the URL Filter Details page.
• Click the Filter button at the top-left corner. Select URL, and you can search the URL hit count information by entering a keyword of the URL.
• Click to refresh the real-time data in the list.
URL Category
• The URL category, count, and traffic are displayed in the list.
• Click "+" before a URL category entry in the list to view its detailed statistics in the Statistics, URL and User/IP tabs.
  • Statistics: Displays the trend of the URL category visits, including the real-time trend and the trend in the last 60 minutes, 24 hours, and 30 days.
  • URL: Displays the visit information of the URLs, contained in the URL category, that are being visited.
  • User/IP: Displays the visit information of the users or IPs that are visiting the URL category.
• Click to refresh the real-time data in the list.
Statistical Period
System supports the predefined time cycle and the custom time cycle. Click the time button on the top right corner of each tab to set the time cycle.
• Real-time: Displays the current statistical information.
• Last 60 Minutes: Displays the statistical information within the latest 1 hour.
• Last 24 Hours: Displays the statistical information within the latest 1 day.
• Last 30 Days: Displays the statistical information within the latest 1 month.
Service/Network Monitor
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers this feature.
The Service/Network Monitor page displays the latency of the service nodes that connect to the current Hillstone device and the latency and packet loss rate of the network nodes. Click Monitor > Service/Network Monitor.
• Use the table to view the name, detection type, interface, latency, packet loss rate (of network nodes), and health status of the nodes. Click New.
In the Node Configuration page, enter the service/network node configurations.
Option | Description
Name | Specify the name of the service/network node to be created.
Address | Specify the address of the service/network node.
Interface | Specify the interface that connects to the new node.
Group Name | Specify the name of the group.
Interval | Specify the detection frequency. The range is from 15s to 120s. The default value is 30s.
Type | Specify the detection type. You can choose one type from the following options:
  • Customize. When selecting Customize, proceed to select TCP or UDP and then specify the corresponding port.
  • ICMP.
  • DNS. When selecting DNS, proceed to enter the port and the domain name.
  • FTP. When selecting FTP, proceed to enter the port. To configure the advanced settings, select the Advanced checkbox to provide the username and password for logging into the FTP server and enter the path or file name on the FTP server.
  • IMAP4. When selecting IMAP4, proceed to enter the port.
  • POP3. When selecting POP3, proceed to enter the port.
  • SMTP. When selecting SMTP, proceed to enter the port.
  • LDAP. When selecting LDAP, proceed to enter the port. To configure the advanced settings, select the Advanced checkbox to provide the username and password for logging into the LDAP server.
  • HTTP. When selecting HTTP, proceed to enter the port and the URL.
Test | Click Test to test whether the node is reachable or the service is available.
• Click to select the condition in the drop-down list. The nodes that meet the search conditions will be displayed in the table or the topology diagram.
• See Viewing Service/Network Node Monitor Information below the list.
• Health status descriptions of the network nodes:
Health status color | Description
 | Packet loss rate > 20%.
 | Packet loss rate <= 20%.
• Health status descriptions of the service nodes:
Health status color | Description
Green | Healthy. Latency < 2000ms.
Notes: System supports up to 100 nodes.
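As an added example (not Hillstone's code), the following Python checks a set of node definitions against the constraints in the table above (interval range, per-type required fields, the 100-node limit) and classifies probe results with the thresholds from the health status tables. The field names, the "unhealthy" label, the requirement that node names be unique and the sample nodes are assumptions; only the ranges, detection types and thresholds come from the guide.

```python
"""Validate Service/Network Monitor node definitions and classify probe results.

Added example; not Hillstone's code. Only the interval range, detection types,
node limit and health thresholds come from the guide. Field names, the
'unhealthy' label and the unique-name rule are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Detection types from the Node Configuration table and the extra input each
# one needs ("proto": TCP or UDP, "port", "domain": DNS name, "url": HTTP URL).
TYPE_REQUIREMENTS = {
    "Customize": {"proto", "port"},
    "ICMP": set(),
    "DNS": {"port", "domain"},
    "FTP": {"port"},
    "IMAP4": {"port"},
    "POP3": {"port"},
    "SMTP": {"port"},
    "LDAP": {"port"},
    "HTTP": {"port", "url"},
}

INTERVAL_MIN, INTERVAL_MAX, INTERVAL_DEFAULT = 15, 120, 30  # seconds, per the guide
MAX_NODES = 100                    # "System supports up to 100 nodes."
SERVICE_LATENCY_HEALTHY_MS = 2000  # service node: Green/Healthy when latency < 2000 ms
NETWORK_LOSS_HEALTHY_PCT = 20      # network node: packet loss rate <= 20%


@dataclass
class Node:
    name: str
    address: str
    interface: str
    kind: str                 # "service" or "network" (assumed field)
    detect_type: str
    interval: int = INTERVAL_DEFAULT
    port: Optional[int] = None
    proto: Optional[str] = None
    domain: Optional[str] = None
    url: Optional[str] = None
    group: str = ""


def validate_node(node: Node) -> list[str]:
    """Return the problems found; an empty list means the definition is acceptable."""
    problems = []
    if node.detect_type not in TYPE_REQUIREMENTS:
        return [f"unknown detection type {node.detect_type!r}"]
    if not INTERVAL_MIN <= node.interval <= INTERVAL_MAX:
        problems.append(f"interval {node.interval}s outside {INTERVAL_MIN}-{INTERVAL_MAX}s")
    need = TYPE_REQUIREMENTS[node.detect_type]
    if "port" in need and not (node.port and 1 <= node.port <= 65535):
        problems.append(f"{node.detect_type} requires a valid port")
    if "proto" in need and node.proto not in ("TCP", "UDP"):
        problems.append("Customize requires TCP or UDP")
    if "domain" in need and not node.domain:
        problems.append("DNS requires a domain name")
    if "url" in need and not node.url:
        problems.append("HTTP requires a URL")
    return problems


def validate_node_set(nodes: list[Node]) -> list[str]:
    """Check the whole set: node limit, unique names (assumed), then each node."""
    problems = []
    if len(nodes) > MAX_NODES:
        problems.append(f"{len(nodes)} nodes exceeds the limit of {MAX_NODES}")
    names = [n.name for n in nodes]
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        problems.append(f"duplicate node names: {dupes}")
    for n in nodes:
        problems += [f"{n.name}: {p}" for p in validate_node(n)]
    return problems


def health(node: Node, latency_ms: Optional[float], loss_pct: Optional[float] = None) -> str:
    """Classify one probe result with the guide's thresholds.

    latency_ms None means the probe got no answer. Service nodes are judged on
    latency, network nodes on packet loss rate. 'unhealthy' is an assumed label.
    """
    if node.kind == "service":
        if latency_ms is not None and latency_ms < SERVICE_LATENCY_HEALTHY_MS:
            return "healthy"        # guide: Green, Healthy, Latency < 2000 ms
        return "unhealthy"
    if loss_pct is None:
        raise ValueError("network nodes need a packet loss rate")
    return "healthy" if loss_pct <= NETWORK_LOSS_HEALTHY_PCT else "unhealthy"


def sample_nodes() -> list[Node]:
    """Constructed sample definitions (not from the guide): one good, two flawed."""
    return [
        Node("dns-core", "192.0.2.53", "ethernet0/1", "service", "DNS",
             port=53, domain="example.com"),
        Node("web-portal", "192.0.2.80", "ethernet0/1", "service", "HTTP", port=80),  # no URL
        Node("branch-gw", "198.51.100.1", "ethernet0/2", "network", "ICMP", interval=10),  # too frequent
    ]


if __name__ == "__main__":
    for problem in validate_node_set(sample_nodes()):
        print("config problem:", problem)
    print(health(sample_nodes()[0], 35.0), health(sample_nodes()[2], 5.0, loss_pct=25.0))
```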
Viewing Service/Network Node Monitor Information
In the Service/Network Node page, you can view the monitoring results using the following methods:
• Select a node to view the latency/packet loss rate history trend during the latest 1 hour at the bottom of the page.
• Select a node and click at the top-right corner of the history trend chart to expand this chart.
After expanding the chart, you can perform the following actions in the expanded chart:
• In the drop-down menu, select Last Hour, Last Day, Last Week, Last Month, or Customize to display the statistics during the selected period of time. When selecting Customize, you can specify the time cycle in the window that appears. The maximum time cycle is 30 days.
• Click Trend Comparison. The Trend Comparison window appears. Choose comparison items from the Choose Comparison Items drop-down menu. System will display today's history trend and the history trend of the selected items in the trend comparison chart.
Device Monitor
This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the latter shall prevail.
The Device page displays the device statistics within the specified period, including the total traffic, sessions, CPU/memory status, hardware status, and key processes.
If IPv6 is enabled, the system supports monitoring both IPv4 and IPv6 addresses.
Notes: The non-root VSYS does not have hardware status.
Summary
The summary displays the device statistics within the last 24 hours. Click Monitor > Device > Summary.
• Total traffic: Displays the total traffic within the specified statistical period.
  • Hover your mouse over the chart to view the total traffic statistics at a specific point in time.
  • Select a different Statistical Period to view the statistical information in that period of time.
  • If IPv6 is enabled, the device traffic shows the total traffic of IPv4 and IPv6.
• Hardware status: Displays the real-time hardware status, including storage, chassis temperature and fan status.
  • Storage: Displays the percentage of disk space utilization.
    • Click Storage for the system to display the disk space utilization trend.
    • Hover your mouse over the chart to view the disk space utilization statistics at a specific point in time.
    • Select a different Statistical Period to view the statistical information in that period of time.
  • Chassis temperature: Displays the current CPU/chassis temperature.
    • Click Chassis Temperature for the system to display the CPU/chassis temperature trend.
    • Hover your mouse over the chart to view the CPU/chassis temperature statistics at a specific point in time.
    • Select a different Statistical Period to view the statistical information in that period of time.
  • Fan status: Displays the operation status of the fan. Green indicates normal, and red indicates error.
  • Power Status: Displays the status of the power module. Green indicates normal, and red indicates error or that a power supply module is not used.
  • Power Status: Displays the information of the power module, including the state of the power module, voltage/current, temperature and fan speed.
• CPU/memory status: Displays the current CPU utilization, memory utilization and CPU temperature statistics of the device/vSSM/vSCM.
  • Click the legends of CPU Utilization, Memory Utilization or CPU Temperature to specify the histogram statistical objects. By default, it displays statistics of all objects.
  • Hover your mouse over the histogram to view the detailed information, and the Details link is displayed.
  • Click Details to view the trend of the specified histogram.
    • Hover your mouse over the chart to view the CPU utilization, memory utilization or CPU temperature statistics at a specific point in time.
    • Select a different Statistical Period to view the statistical information in a different period of time.
• Sessions: Displays the current sessions utilization.
  • Hover your mouse over the chart to view the new sessions and concurrent sessions statistics at a specific point in time.
  • Select a different Statistical Period to view the statistical information in a different period of time.
• Key Process: Displays information about the key processes on the device, including process name, PID, state, priority, CPU, memory, and runtime.
Statistical Period
System supports the predefined time cycle. The statistical period may vary slightly between monitored objects. If there is a conflict between this guide and the actual page, the latter shall prevail. Select the statistical period from the drop-down menu at the top right corner of some statistics pages to set the time cycle.
• Real-time: Displays the current statistical information.
• Last 60 Minutes: Displays the statistical information within the latest 1 hour.
• Last 24 Hours: Displays the statistical information within the latest 1 day.
• Last 30 Days: Displays the statistical information within the latest 1 month.
Application Block
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers this feature.
If the system is configured with "Security Policy" on Page 164, the application block can gather statistics on the applications and users/IPs.
If IPv6 is enabled, the system supports monitoring both IPv4 and IPv6 addresses.
Summary
The summary displays the application block's statistics on the top 10 applications and top 10 users/IPs. Click Monitor > Application Block > Summary.
• Select a different Statistical Period to view the statistical information in that period of time.
• Hover your mouse over a bar to view the block count on the applications and users/IPs.
• Click to switch between the bar chart and the pie chart.
• Click to close the chart.
• Click at the top-right corner of every table to enter the corresponding details page.
Application
• The applications and their detailed block counts are displayed in the list.
• To view the corresponding application block information on the applications and users/IPs, select the application entry in the list, and click "+".
  • Statistics: Displays the block count statistics of the selected application, including the real-time statistics and the statistics for the latest 1 hour, 24 hours and 30 days.
  • User/IP: Displays the users/IPs that are blocked from the selected application. Click a user/IP in the list to display the corresponding block count statistics in the curve chart below. Click to jump to the corresponding user/IP page.
• Click to select the condition in the drop-down list. You can search the application block information by entering a keyword of the application name.
• Click to refresh the real-time data in the list.
User/IP
• The users/IPs and their detailed block counts are displayed in the list.
• Click a user/IP in the list to display the corresponding block count statistics in the curve chart below. Click to jump to the corresponding user/IP page.
• Click to select the condition in the drop-down list. You can search the user/IP information.
Statistical Period
System supports the predefined time cycle and the custom time cycle. Click the time button on the top right corner of each tab to set the time cycle.
• Real-time: Displays the current statistical information.
• Last Hour: Displays the statistical information within the latest 1 hour.
• Last Day: Displays the statistical information within the latest 1 day.
• Last Month: Displays the statistical information within the latest 1 month.
Alarm
The alarm feature actively inspects the protected networks to locate suspicious issues and sends out alarm messages. The rule that defines which behavior should be alerted on is called an alarm rule.
System can analyze alarm messages and display the analysis results in the form of a chart and a timeline. In addition, alarm messages can also be sent to system administrators by email or SMS text, so that the administrator receives alerts immediately and can respond to the alarms.
Alarm as a Monitor
The alarms are shown under the Monitor module. When an occurrence defined in an alarm rule happens, the alarm message is generated and shown in the alarm page. For more information on alarm rules, refer to Alarm Rule.
In the alarm page, alarms are shown in three categories: alarms arranged by time, alarms arranged by severity level, and alarm details.
Alarms by Time
In the Time tab, alarm messages are plotted on a two-dimensional coordinate axis. To see the alarms by time page, select Monitor > Alarm, and select the Time tab.
• Configuring filters: The left vertical axis shows the number of alarms. You may define the conditions to filter alarms.
  • Type: Select one or more types from the drop-down menu and click Add to add them to the right.
  • Severity: Select one or more severity levels. There are three severity levels: critical, warning, and informational.
  • Status: Select a message status from the drop-down menu: all, unread and read.
  • Time: Select the time range in which alarms are generated. You may select to view the last one hour, one day, one week, one month or another user-defined time.
• Hover over a dot (red, yellow or green) and click the link, and you will be redirected to the detail page of that alarm.
• Click to jump to the alarm rules configuration page.
Alarm by Severity
The Severity tab shows a bar chart of the number of alarm messages of each severity level. Select Monitor > Alarm, and select the Severity tab.
• Configuring filters:
  • Type: Select one or more types from the drop-down menu, and click Add to add them to the right.
  • Status: Select a message status from the drop-down menu: all, unread and read.
  • Time: Select the time range in which alarms are generated. You may select to view the last one hour, one day, one week, one month or another user-defined time.
• Click a bar, and you will be redirected to the alarm details page.
• Click to jump to the alarm rules configuration page.
Alarm Details
Select Monitor > Alarm, and click the All tab. You will be able to see all alarm messages and their detailed information.
• Configuring filters:
  • Last Alarm Time: Select the time range in which alarms are generated. You may select to view the last one hour, one day, one week, one month or another user-defined time.
  • Type: Select one or more types from the drop-down menu and click Add to add them to the right.
  • Severity: Select one or more severity levels. There are three severity levels: critical, warning, and informational.
  • Status: Select a message status from the drop-down menu: all, unread and/or read messages.
  • Read at: Select the time at which the message was read.
  • Read by: Select which person has read the message.
  • Comment: Select whether you want to see messages with or without a comment.
  • Reason: Type the keywords you want to search for in the reasons that triggered the alarm.
• To read and comment on alarms, take the following steps:
  • Batch reading: Select all the check boxes of the alarm messages you want to read, and click Read Alarm. In the prompt, enter your comment, and click OK.
  • Single reading: Hover your cursor over the Status column and click Read. In the prompt, enter your comment, and click OK.
• To add or modify a comment, take the following steps:
  • Batch adding/modifying: Select all the check boxes of the alarm messages you want to comment on, and click Add/Modify Comment. In the prompt, enter your comment, and click OK.
  • Single adding/modifying: Select the check box of the alarm message you want to comment on, and click Add/Modify Comment. In the prompt, enter your comment, and click OK.
• To view every message in an alarm, take the following steps: Click the number in the Count column, and you will see every occurrence time of this
• Click to jump to the alarm rules configuration page.
Authenticated User
Displays the users, and their information, that were authenticated by user binding in "Adding User Binding" on Page 579.
Select Monitor > Authenticated User.
• Click and then specify the search conditions: select an AAA server, or enter the user name.
• Click to delete the search conditions.
• Click to close the search function.
• Click Kick Out under the Operation column to kick the user out.
Monitor Configuration
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers this feature.
You can enable or disable some monitor items as needed. The monitor items for Auth user are enabled automatically.
To enable/disable a monitor item, take the following steps:
1. Click Monitor > Monitor Configuration.
2. Select or clear the monitor item(s) you want to enable or disable.
3. Select the subnet monitor address book in the IPv4 Subnet Monitor Address Book or IPv6 Subnet Monitor Address Book drop-down list. System will match the traffic sent from the Internet to the subnet against the specified address. If matched, the traffic will be counted to the subnet side.
4. Click OK.
Notes: After a monitor item is enabled or disabled in the root VSYS, the item is enabled or disabled in all VSYSs (except where the non-root VSYS does not support this monitor item). You cannot enable or disable monitor items in non-root VSYSs.
Chapter 5 Report & Log
Reporting
This feature may not be available on all platforms. Please check your system's actual page if your device delivers this feature.
System provides rich and vivid reports that allow you to analyze network risk, network access and device status comprehensively by all-around and multi-dimensional statistics and charts.
You can configure report task in "Report Template" on Page 118 and "Report Task" on Page 125, and view generated report files in "Report File" on Page 117.
Related Topics:
Chapter 5 Report & Log 116
Report File
Go to Report & Log > Report > Report File, and the report file page shows all the generated report files.
l Sort report files by different conditions: Select Group by Time, Group by Task or Group by Status from the drop-down list, and then select a time, task or status from the selective table, and the related report files will be shown in the report file table.
l The bold black entry indicates that the report file status is "unread".
l Click Delete to delete the selected report files.
l Click Export, the browser launches the default download tool, and downloads the selected report file.
l Click Mark as Read to modify the status of the selected report files.
l Click to select the condition in the drop-down list. In the text box, enter the
keyword to search for the report files.
l In the File Type column, click the icon of the report file to preview the report file. You can preview report files in PDF, HTML format, and you can download report files in WORD format.
Notes: If your browser has "Blocking pop-up windows" enabled, you will not see the generated file. Set your browser to "Always allow pop-up windows", or go to your blocked window history to find the report file.
Report Template
Report templates define all the contents in the report files. To generate the report file, you need to configure the report template first.
Report templates are classified as predefined and user-defined templates, providing a variety of pre-categorized report items.
l Predefined Template: Predefined templates are built into the system. By default, different report items have been selected for each predefined template category. The predefined template cannot be edited or deleted. The predefined template categories are as follows:
Category Description
Global Network and Risk Assessment Report: the overview, network and application traffic, network threats and host details.
network traffic, application traffic and URL hits.
Network Threat Report: the threat trend, external attackers and threat categories.
Top 10 Hosts: Statistics of the top 10 hosts by application traffic, covering the host application traffic, network threats and URL hits.
Statistics of the top 10 hosts by network threats, covering the host application traffic, network threats and URL hits.
Top 10 Hosts by URL Hits: Statistics of the top 10 hosts by URL hits, covering the host application traffic, network threats and URL hits.
l User-defined Template: A report template created as needed. You can select the report items. Up to 32 user-defined templates can be created.
Creating a User-defined Template
1. Click Report & Log > Report > Template.
2. Click New.
In the Report Template Configuration page, configure the following values.
Option Description
Content Select the check box of the report item as needed. By default, all report items are selected. The report items are described as follows:
l Network and Security Risk Summary: Statistics of the comprehensive and overall assessment for the health status and security risks of the entire network.
ing you better understand the usage of bandwidth, traffic des-
3. Click OK to complete user-defined template configurations.
Editing a User-defined Template
To edit a user-defined report template, take the following steps:
1. Click Report & Log > Report > Template.
2. In the templates list, select the user-defined report template entry that needs to be edited.
3. Click Edit.
Deleting a User-defined Template
To delete a user-defined report template, take the following steps:
1. Click Report & Log > Report > Template.
2. In the templates list, select the user-defined report template entry that needs to be deleted.
3. Click Delete.
Cloning a Report Template
The system supports quickly cloning a report template: you can create a new report template by cloning an existing one and modifying some of its parameters.
To clone a report template, take the following steps:
1. Click Report & Log > Report > Template.
2. In the templates list, select a report template that needs to be cloned.
3. Click the Clone button above the list, and in the Report Template Configuration page, enter the name of the newly cloned report template into "Name".
4. The cloned report template will be generated in the list.
Report Task
A report task is the schedule for generating report files. It defines the report template, data range, generation period, generation time, and the output method of the report files.
You can configure report tasks and generate report files on the device according to your needs.
Creating a Report Task
1. Select Report & Log > Report > Report Task.
2. Click New.
In this page, configure the values of report task.
Option Description
Description Specifies the description of the report task. You can modify it according to your requirements.
Expand Report Template, and select the report template you want to use for the report task.
Option Description
Report Template Specifies the report template to be used by the report task:
or created user-defined report template) from the Report Template list on the left.
2. When the report template is selected, the selected report template list shows the description of the template and the details of the report item on the right.
You can also click the New or Edit button in the Report Template list on the left to open the Report Template Configuration page and create or edit a user-defined report template quickly.
IP Specifies the IP address range of the report statistics:
1. Click "+" and then select IPv4/Netmask, IPv4 Range, IPv6/Prefix or IPv6 Range as needed.
2. Enter the corresponding IP address in the text box.
address range to the drop-down list.
4. To delete the added address, click after the address in the drop-down list.
Expand Schedule, and configure the running time of the report task.
Option Description
Schedule The schedule specifies the running time of the report task. The report task can be run periodically or run immediately.
l Generate At: Specifies the generation time.
Generate Now: Generates report files immediately.
l Specifies the start time and end time of the absolute statistical period in the time text box.
l Type: Generates report file based on the data in the
Expand Output, and configure the output mode of the report.
Option Description
File Format Specifies the output format of the report file, including PDF, HTML, and WORD formats.
Recipient Sends the report file via email. To add recipients, enter the email addresses in the recipient text box (use ";" to separate multiple email addresses; up to 5 recipients can be configured).
Send via FTP Click the Enable button to send the report file to a specified FTP server.
the IP address.
FTP server.
to the FTP server.
name.
l Anonymous: Select the check box to log on to the FTP server anonymously.
Editing the Report Task
1. Select Report & Log > Report > Report Task.
2. In the report task list, select the report task entry that needs to be edited.
3. Click the Edit button on the top to open the Report Task Configuration page and edit the selected report task.
Deleting the Report Task
1. Select Report & Log > Report > Report Task.
2. In the report task list, select the report task entry that needs to be deleted.
3. Click the Delete button on the top to delete the selected report task.
Enabling/Disabling the Report Task
To enable or disable the report task, take the following steps:
1. Select Report & Log > Report > Report Task.
2. Select the task, and click the Enable or Disable button on the top.
By default, the user-defined task is enabled.
Logging
The Log module records and displays the following logs:
l Threat - logs related to behaviors threatening the protected system, e.g. attack defense logs, AV logs, and IPS logs.
l Event - logs about the system, like ARP logs and login logs.
l Network - logs about network services, like DHCP logs and route logs.
l Configuration - logs about configuration, e.g. interface configuration logs.
l Session - session logs, e.g. session protocols, source and destination IP addresses and ports.
l PBR - logs about policy-based routing.
l NAT - NAT logs, including NAT type, source and destination IP addresses and ports.
l URL - logs about network surfing, e.g. Internet visiting time, web page visiting history, and URL filtering logs.
l Content Filter - logs related to the content filter function, e.g. Web content filter, Web posting, Email filter and HTTP/FTP control.
l Network Behavior Record - logs related to the network behavior record function, e.g. IM behavior.
l CloudSandBox - logs about the sandbox.
System logs record the running status of the device, thus providing information for analysis and evidence.
Log Severity
Alerts 1 Identifies problems which need immediate attention, such as the device being attacked.
Critical 2 Identifies urgent problems, such as hardware failure.
Warnings 4 Generates messages for warning.
Notifications 5 Generates messages for notice and special attention.
Debugging 7 Generates all debugging messages, including daily operational messages.
Log messages can be sent to the following destinations:
l Console - The default output destination. You can close this destination via the CLI.
l Remote - Includes Telnet and SSH.
l Buffer - Memory buffer.
l File - By default, the logs are sent to the specified USB destination in the form of a file.
l Syslog Server - Sends logs to a UNIX or Windows Syslog server.
l Email - Sends logs to a specified email account.
Log Format
To facilitate access to and analysis of the system logs, system logs follow a fixed layout: date/time, severity level@module: description. See the example below:
2000-02-05 01:51:21, WARNING@LOGIN: Admin user "admin" logged in through console from localhost.
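As an added example (not part of the Hillstone guide), the following Python parses lines in the layout above and applies a "lowest severity" cutoff of the kind the Log Management settings describe, using the numeric values from the Log Severity table. Only the WARNING keyword appears in the guide's sample line; the other severity keywords, the module names and the extra sample lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Numeric values from the guide's Log Severity table: Alerts 1, Critical 2,
# Warnings 4, Notifications 5, Debugging 7 (a lower value is more severe).
# The guide's sample line uses "WARNING"; the other keyword spellings are
# assumptions, not taken from the guide.
SEVERITY_VALUE = {
    "ALERT": 1,
    "CRITICAL": 2,
    "WARNING": 4,
    "NOTIFICATION": 5,
    "DEBUG": 7,
}

# Layout described in the guide: "date/time, severity level@module: description"
LOG_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\s*"
    r"(?P<severity>[A-Z]+)@(?P<module>[A-Za-z0-9_-]+):\s*(?P<message>.*)$"
)


@dataclass(frozen=True)
class LogEntry:
    timestamp: str
    severity: str
    severity_value: Optional[int]  # None when the keyword is not in the table
    module: str
    message: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Split one log line into its fields; None if the layout does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    sev = m.group("severity")
    return LogEntry(m.group("timestamp"), sev, SEVERITY_VALUE.get(sev),
                    m.group("module"), m.group("message"))


def filter_by_lowest_severity(lines: Iterable[str], lowest: str) -> Tuple[List[LogEntry], List[str]]:
    """Keep entries at or above the given lowest severity, as the 'Lowest severity'
    setting does. Lines that do not parse, or carry an unknown severity keyword,
    are returned in the second list so they are not silently discarded."""
    threshold = SEVERITY_VALUE[lowest]
    kept: List[LogEntry] = []
    rejected: List[str] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.severity_value is None:
            rejected.append(line)
        elif entry.severity_value <= threshold:
            kept.append(entry)
    return kept, rejected


# Constructed sample: the first line is the guide's own example, the rest are made up.
SAMPLE_LINES = [
    '2000-02-05 01:51:21, WARNING@LOGIN: Admin user "admin" logged in through console from localhost.',
    "2000-02-05 01:52:03, ALERT@IPS: Signature matched, action drop.",
    "2000-02-05 01:52:10, DEBUG@DHCP: Lease renewed.",
    "garbage line that is not in the documented layout",
]

if __name__ == "__main__":
    kept, rejected = filter_by_lowest_severity(SAMPLE_LINES, "WARNING")
    for e in kept:
        print(e.timestamp, e.severity, e.module, e.message)
    print("not processed:", rejected)
```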
Threat Log
Threat logs can be generated under the conditions that:
l Threat logging in the Logging feature is enabled. Refer to "Managing Logs" on Page 146.
l You have enabled one or more of the following features: "Anti Virus" on Page 306, "Intrusion Prevention System" on Page 255, "Attack-Defense" on Page 384.
To view threat logs, select Report & Log > Log > Threat Log.
l In the Detection Period drop-down menu, specify the detection period to view the logs during the specified time range.
l Click Filter to configure more filter conditions. After configuring the filter conditions, the system will automatically display the matched logs. Click the drop-down menu after Filter and select "Save Filter" to save the current filter conditions, so that next time you can directly select the saved filter conditions and view the corresponding logs.
l Configure: Configure the threat log settings.
l Export: Export all threat logs that match the filter conditions. The separator is used to facilitate importing the logs into other auditing systems.
l Delete: Delete the threat logs in the specified time range.
l Merge Log: Specifies the type of log merging. The system supports merging logs by source IP, destination IP, and threat name. When specified, the logs in the list are displayed after merging. You can enter an IPv4 or IPv6 address if the filter condition is set to source or destination IP.
l Select a threat log in the table and then you can view the detailed information in the Log Details tab. In the Log Details tab, you can do the following:
l View the severity, application/protocol, source/destination port, threat start time, end time, and other threat-related information (such as the plain-text SQL command, plain-text URI path, etc.).
l Click "View Pcap" to see the packets of the threat, or click "Download" to download the packet for local viewing. Both IPv4 and IPv6 packets are supported.
l Click "Signature ID", "Add Whitelist" or "Disable Rule" to quickly link to the relevant page.
l If the threat log was generated by the Intrusion Prevention System module or Antivirus, you can click Add Blacklist to add the attacker's source IP address to the blacklist and block its traffic. In the page that pops up, configure the IP range, schedule, and status of the blacklist entry.
Event Log
This feature may vary slightly on different platforms. Please see the actual page of the feature that your device delivers.
To view event logs, select Report & Log > Log > Event Log.
In this page, you can perform the following actions:
l Filter: Click to add conditions to show logs that match your filter.
l Configure: Click to jump to the configuration page.
l Clear: Click to clear the selected logs.
l Export: Click to export the displayed logs as a TXT or CSV file.
Network Log
This feature may vary slightly on different platforms. Please see the actual page of the feature that your device delivers.
To view network logs, select Report & Log > Log > Network Log.
In this page, you can perform the following actions:
l Filter: Click to add conditions to show logs that match your filter.
l Configure: Click to jump to the configuration page.
l Export: Click to export the displayed logs as a TXT or CSV file.
Configuration Log
This feature may vary slightly on different platforms. Please see the actual page of the feature that your device delivers.
To view configuration logs, select Report & Log > Log > Configuration Log.
In this page, you can perform the following actions:
l Filter: Click to add conditions to show logs that match your filter.
l Configure: Click to jump to the configuration page.
l Export: Click to export the displayed logs as a TXT or CSV file.
Session Log
Session logs can be generated under the conditions that:
l Session logging in the Logging feature is enabled. Refer to "Managing Logs" on Page 146.
l The logging function has been enabled for policy rules. Refer to "Security Policy" on Page 164.
To view session logs, select Report & Log > Log > Session Log.
Notes: l For ICMP session logs, the system will only record the ICMP type value and its code value. As ICMP types 3, 4, 5, 11 and 12 are generated by other communications and are not a complete ICMP session, the system will not record such packets.
l For TCP and UDP session logs, the system will check the packet length first. If the packet length is 20 bytes (i.e., an IP header with no payload), it will be treated as a malformed packet and dropped; if a packet is over 20 bytes but has errors, the system will also drop it. So, such abnormal TCP and UDP packets will not be recorded.
PBR Log
PBR logs can be generated under the conditions that:
l PBR logging in the Logging feature is enabled. Refer to "Managing Logs" on Page 146.
l You have enabled logging function in PBR rules. Refer to "Policy-based Route" on Page 493.
To view PBR logs, select Report & Log > Log > PBR Log.
NAT Log
NAT logs are generated under the conditions that:
l NAT logging in the Logging feature is enabled. Refer to "Managing Logs" on Page 146.
l NAT logging of the NAT rule configuration is enabled. Refer to "Configuring SNAT" on Page 188 and "Configuring DNAT" on Page 199.
To view NAT logs, select Report & Log > Log > NAT Log.
URL Log
URL logs can be generated under the conditions that:
l URL logging in the Logging feature is enabled. Refer to "Managing Logs" on Page 146.
l You have enabled logging function in URL rules. Refer to "URL Filtering" on Page 339.
To view URL logs, select Report & Log > Log > URL Log.
Content Filter Log
Content Filter logs can be generated under the conditions that:
l Content Filter logging in the Logging feature is enabled. Refer to "Managing Logs" on Page 146.
l You have enabled the "Web Content" function. Refer to "Web Content" on Page 372.
To view Content Filter logs, select Report & Log > Log > Content Filter.
l Filter: Click to add conditions to show logs that match your filter.
l Configure: Click to jump to the configuration page.
l Clear: Click to delete all the displayed logs.
l Export: Click to export the displayed logs as a TXT or CSV file.
Network Behavior Record Log
Network Behavior Record logs can be generated under the conditions that:
l Network Behavior Record logging in the Logging feature is enabled. Refer to "Managing Logs" on Page 146.
l You have enabled the Network Behavior Record function. Refer to "Network Behavior Record" on Page 377.
To view Network Behavior Record logs, select Report & Log > Log > Network Behavior Record.
l Filter: Click to add conditions to show logs that match your filter.
l Configure: Click to jump to the configuration page.
l Clear: Click to delete all the displayed logs.
l Export: Click to export the displayed logs as a TXT or CSV file.
CloudSandBox Log
This feature may vary slightly on different platforms. Please see the actual page of the feature that your device delivers.
To view sandbox logs, select Report & Log > Log > Cloud SandBox Log.
In this page, you can perform the following actions:
l Filter: Click to add conditions to show logs that match your filter. You can enter the
IPv4 or IPv6 address if the filter condition is selected as source or destination IP.
l Configure: Click to jump to the CloudSandBox page.
l Clear: Click to delete all the displayed logs.
l Export: Click to export the displayed logs as a TXT or CSV file.
Managing Logs
In the Log Management page, you can configure log settings, log servers, email addresses, and UNIX servers.
Configuring Log Settings
1. Select Log > Log Management.
2. With a tab active, configure the corresponding settings.
Threat Log
Option Description
Enable Select this check box to enable the threat logging function.
Terminal Send logs to terminals.
l Lowest severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.
l Lowest severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.
l Max buffer size - The maximum size of the cached threat logs. The default value may vary between hardware platforms.
level. Logs below the severity level selected here will not be exported.
l Max File Size - The maximum si