StoneOS 5 · SG-6000-M6110 SG-6000-M3600 SG-6000-M3108 SG-6000-M3105 SG-6000-M3100 SG-6000-M2600...


StoneOS Release Notes


All rights reserved. Copyright © 2015, Hillstone Networks SG-0415-5.5R1-02

StoneOS 5.5R1

Release Overview

Release Date: April 15th, 2015

This major release mainly supports innovative features of comprehensive visibility, intelligence, and threat prevention. All platforms begin to use a unified and optimized interface. A new license, “StoneShield”, is issued to provide advanced threat detection and abnormal behavior detection. A new virtual firewall (vFW) is released.

Platforms and Images

Platform Models Images

Models: SG-6000-G5150, SG-6000-G3150, SG-6000-G2120, SG-6000-G2110, SG-6000-M6860, SG-6000-M6560, SG-6000-M6115, SG-6000-M6110, SG-6000-M3600, SG-6000-M3108, SG-6000-M3105, SG-6000-M3100, SG-6000-M2600, SG-6000-M2105, SG-6000-M1600
Images: SG6000-M-5.5R1

Models: SG-6000-M8860, SG-6000-M8260, SG-6000-M7860, SG-6000-M7360, SG-6000-M7260, SG-6000-E5960, SG-6000-E5760, SG-6000-E5660, SG-6000-E5560, SG-6000-E5260
Images: SG6000-M-2-5.5R1

Models: SG-6000-E3960, SG-6000-E3660, SG-6000-E2800, SG-6000-E2300, SG-6000-E1700, SG-6000-E1600, SG-6000-E1100 (WLAN), SG-6000-E1100 (WLAN +3G-WCDMA), SG-6000-E1100 (3G-WCDMA), SG-6000-C1000
Images: SG6000-M-3-5.5R1

Models: SG-6000-X7180
Images: SG6000-X7180-5.5R1

Models: SG-6000-X6180
Images: SG6000-X6180-5.5R1

Models: SG-6000-X6150
Images: SG6000-X6150-5.5R1

Models: SG6000-X6150-GS
Images: SG6000-X6150-GS-5.5R1

Models: SG-6000-VM01, SG-6000-VM02
Images: SG6000-VM01-5.5R1, SG6000-VM02-5.5R1

Models: SG-6000-T5860, SG-6000-T5060, SG-6000-T3860
Images: SG6000-T-5.5R1.iso

Models: SG-6000-G5150, SG-6000-G3150, SG-6000-G2120, SG-6000-G2110, SG-6000-M6860, SG-6000-M6560, SG-6000-M6115, SG-6000-M6110, SG-6000-M3600, SG-6000-M3108, SG-6000-M3105, SG-6000-M3100, SG-6000-M2600, SG-6000-M2105, SG-6000-M1600
Images: SG6000-UIF-5.5R1.bin, SG6000-UIF-5.5R1.iso, SG6000-UIF-5.5R1-disk1.vmdk, SG6000-UIF-5.5R1.ovf, SG6000-UIF-5.5R1.mf

Models: SG-6000-M8860, SG-6000-M8260, SG-6000-M7860, SG-6000-M7360, SG-6000-M7260, SG-6000-E5960, SG-6000-E5760, SG-6000-E5660, SG-6000-E5560, SG-6000-E5260
Images: SG6000-UIF-2-5.5R1.bin, SG6000-UIF-2-5.5R1.iso, SG6000-UIF-2-5.5R1-disk1.vmdk, SG6000-UIF-2-5.5R1.ovf, SG6000-UIF-2-5.5R1.mf

Models: SG-6000-M8860, SG-6000-M8260, SG-6000-M7860, SG-6000-M7360, SG-6000-M7260, SG-6000-E3960, SG-6000-E3660, SG-6000-E2800, SG-6000-E2300, SG-6000-E1700, SG-6000-E1600
Images: SG6000-UIF-3-5.5R1.bin, SG6000-UIF-3-5.5R1.iso, SG6000-UIF-3-5.5R1-disk1.vmdk, SG6000-UIF-3-5.5R1.ovf, SG6000-UIF-3-5.5R1.mf

Upgrading Notes

Upgrading Notes for Each Platform

Upgrading Notes for E/X Platform

For different versions of E/X platform, note the following matters:

To upgrade versions before 5.0R3 to 5.5R1, Hillstone recommends that you first upgrade to 5.0R4P5, and then upgrade to 5.5R1.

You can upgrade 5.0R3 and its subsequent versions to 5.5R1 directly.

The following versions support upgrading via WebUI: 5.0R4P6, 5.0R3P10, 5.0R4F4, 5.0R3F5.2, and 5.0R4F4.1. For other versions, use the CLI to upgrade.

For different models of E/X platform, note the following matters:

SG-6000-M2105 (512M) does not support 5.5R1.

Due to storage limitations, Hillstone does not recommend upgrading the following models to 5.5R1: SG-6000-M2105 (1G), SG-6000-M1600, SG-6000-M3100, SG-6000-M3105, SG-6000-M3108. If needed, contact Service Line to obtain a detailed upgrading guideline.

Upgrading Notes for T Platform

Upgrading the T platform takes a long time, from dozens of minutes to several hours. During the upgrade, the device forwards data in the data plane normally, but the Dashboard, iCenter, and Monitor pages of the WebUI cannot display normally. For a more detailed upgrading guideline, contact Service Line.

After upgrading from 5.0R4 to 5.5R1, the original threat logs cannot be displayed in iCenter due to threat database changes and new iCenter functions. To save the original 5.0R4 threat logs, export them via WebUI in 5.0R4.


Upgrading Notes for UIF Platform

Upgrading the UIF platform takes a long time, from dozens of minutes to several hours. During the upgrade, the device forwards data in the data plane normally, but the Dashboard, iCenter, and Monitor pages of the WebUI cannot display normally. For a more detailed upgrading guideline, contact Service Line.

After upgrading from 5.0R4 to 5.5R1, the original threat data cannot be displayed in iCenter due to threat database changes and new iCenter functions. To save the original 5.0R4 threat logs, export them via WebUI in 5.0R4.

To upgrade E platform to UIF platform, you need to install the unified intelligence server license. To roll back UIF platform to E platform, you need to first uninstall the unified intelligence service license.

For more information about UIF platform introduction, installation and upgrading, see Hillstone Unified Intelligence Firewall Installation Manual.

Upgrading Notes for Each Module

Separating Applications from Services

From the 5.0R4 release, applications are separated from services. For example, the old Service FTP is divided into Service FTP and Application FTP. This change affects these modules: policies, policy routes, NAT, QoS, session limits and statistics. If you update your system to versions higher than 5.0R4, there is no influence on your normal use (however, an “unsupported command” prompt may appear). Due to the separation, downgrading from 5.0R4 will not restore the old categorization. Please back up your configuration before upgrading to 5.0R4.

Log Type Change

From 5.0R4, StoneOS has moved alarm type logs to event logs (severity level higher than critical). If the system is upgraded to versions higher than 5.0R4, the commands related to alarm logs (logging alarm/logging syslog...type alarm) will be deleted. If a system is downgraded from 5.0R4 or higher, the event logs of (and higher than) critical severity will be lost.

New Attribute for Address Books

From 5.0R3, StoneOS has added an ID attribute for each address entry. When the system is upgraded to 5.0R3 from prior versions, the existing address book configurations will be processed smoothly without any effect on users; when the system is downgraded to versions below 5.0R3, all the existing address book configurations will be lost.


Policy Default Mode Change

From 4.5R1, StoneOS changed its policy’s default mode to the global configuration mode. When the system is upgraded to 4.5R1 or higher, the existing policy rule configurations will be processed smoothly without any effect on users; when the system is downgraded to versions below 4.5R1, all the existing policy rule configurations will be lost.

Statistics Configuration Adjustment

From 4.5R1, StoneOS has adjusted the configuration of the statistics function. When the system is upgraded to 4.5R1 or higher, the existing statistics configurations will be processed smoothly without any effect on users; when the system is downgraded to versions below 4.5R1, all the existing statistics configurations may be lost.

Interface Mirroring Configuration Change

From 5.0R1, StoneOS changed the CLI command for interface mirroring:

Before 5.0R1: mirror to interface-name [both | rx | tx]
After 5.0R1: mirror to interface-name
             mirror enable {both | rx | tx}

When the system is upgraded to 5.0R1 or higher, the command will be upgraded smoothly without any effect on users; when the system is downgraded to versions lower than 5.0R1, all the interface mirroring configurations will be lost.

Attack Defense Configuration Change

From 5.0R2, StoneOS no longer supports layer 2 IP address spoofing attack defense. When the system is upgraded to 5.0R2 or higher, the configuration of ad ip-spoofing will be lost.

New QoS: iQoS

Intelligent Quality of Service (iQoS) is added from version 5.5R1. When the system is upgraded from an older version to 5.5R1, you need to use the exec iqos enable command to enable iQoS. iQoS supports CLI only. When iQoS is enabled, the old QoS configuration remains but cannot be edited. If you need QoS, use the exec iqos disable command to disable iQoS and reactivate QoS.

Layer 2 Switching

Layer 2 switching (VLAN, Super-VLAN and RSTP) is not supported on the following platforms: SG-6000-E2800, SG-6000-E2300, SG-6000-E1700, SG-6000-E1600, SG-6000-E1100 (WLAN), SG-6000-E1100 (3G), SG-6000-E1100 (WLAN+3G) and SG-6000-C1000.


Upgrade Notice for Policy Rule Configuration (UIF)

The default mode for policy rule configuration in the current version is changed to global configuration mode. When the system is upgraded to the current version from versions before 5.0R1, the existing policy rule configurations will be processed smoothly without any effect on users; when the system is downgraded from the current version to versions before 5.0R1, all the existing policy rule configurations will be lost.

Upgrade Notice for Unsupported Functions (UIF)

After updating to the current version for UIF, a few functions are no longer supported; they are listed below. To avoid conflicts, clear all the former configurations before updating to the current version for UIF. Hillstone recommends that you back up all your configurations before updating.

Unsupported functions | System processing methods | Suggestions
QoS | Clear configurations automatically. | Apply for iQoS license and use iQoS to configure again.
802.1x | Keep global configurations. Clear interfaces configurations automatically. | N/A
Role | Keep configurations. | Recommended: clear configurations before upgrading.
Connecting to HSM | Keep configurations. | N/A
Statistics | Clear configurations automatically. | Recommended: use the Monitor function to configure again.
Object (Pre-defined URL signature, User-defined URL signature, URL search, Key word category, SSL agent, Page notification, Bypass domain, User exception); URL filter; Web content; Web posting; Email filter; IM control; HTTP/FTP control; Global blacklist; HA; VSYS | Keep configurations. | Recommended: clear configurations before upgrading.
IPv6 | Clear configurations automatically. | N/A
AV/IPS | Keep configurations. | Recommended: clear configurations before upgrading, and use the Threat Protection function after upgrading (apply for license first).

In-Service Software Upgrade

Preparation

Upgrading Environment

ISSU (In-Service Software Upgrade) can avoid network disconnection during the upgrade. To use ISSU, deploy the following topology and make sure the HA function works:


Preparation Items

No. | Preparation Items | Detailed Information
1 | Prepare upgrading reference guide | The upgrading reference guide has been printed or stored on your PC.
2 | Download new version of image | Obtain the new version of the image from Hillstone.
3 | Check current version of image | According to the model, current version, and the corresponding upgrading notes, select the proper upgrading operations.
4 | Check running status of device | Ensure the SCM and SSM work normally. Record the running status of the modules in each slot. After the upgrade completes, you can use the records to verify the running status and perform troubleshooting.
5 | Deploy the upgrading environment via TFTP or FTP | In the above HA topology, deploy the upgrading environment via TFTP or FTP.
6 | Back up configuration file | If the configurations after the upgrade differ from the previous ones, you can compare them and re-configure the missing settings.

Upgrading Operations

Upgrading E/X platform from 4.0/4.5 and corresponding versions to 5.5R1

1. Upgrade E/X platform from 4.0/4.5 and corresponding versions to 5.0R4P5

a. Disable the HA function of device B, and shut down its traffic forwarding interface and its HA interface.

b. Upgrade device B to 5.0R4P5 and wait for the upgrade to complete. During the upgrade, the traffic is forwarded through device A.

c. Disable the HA function of device A, and shut down its traffic forwarding interface and its HA interface. Users’ traffic forwarding is interrupted.

d. Enable the traffic forwarding interface of device B. Users’ traffic will be forwarded through device B. Configure the HA function of device B.

e. Upgrade device A to 5.0R4P5 and wait for the upgrade to complete. During the upgrade, the traffic is forwarded through device B.

f. Enable the traffic forwarding interface of device A. Configure the HA function of device A.

g. Verify the HA status of device A and device B.

2. Upgrade E/X platform from 5.0R4P5 to 5.5R1


a. Upgrade device B to 5.5R1. During the upgrading, users’ traffic will be forwarded through device A.

b. After device B upgrades successfully, it will re-negotiate HA with device A.

c. After the HA negotiation completes, upgrade device A to 5.5R1. During the upgrading, users’ traffic will be forwarded through device B.

d. After device A upgrades successfully, it will re-negotiate HA with device B.

e. Complete the upgrading.

Upgrading E/X platform from 5.0R1 and subsequent versions to 5.5R1

1. Upgrade E/X platform from 5.0R1 and subsequent versions to 5.0R4P5

a. Upgrade device B to 5.0R4P5. During the upgrading, users’ traffic will be forwarded through device A.

b. After device B upgrades successfully, it will re-negotiate HA with device A.

c. After the HA negotiation completes, upgrade device A to 5.0R4P5. During the upgrading, users’ traffic will be forwarded through device B.

d. After device A upgrades successfully, it will re-negotiate HA with device B.

2. Upgrade E/X platform from 5.0R4P5 to 5.5R1

a. Upgrade device B to 5.5R1. During the upgrading, users’ traffic will be forwarded through device A.

b. After device B upgrades successfully, it will re-negotiate HA with device A.

c. After the HA negotiation completes, upgrade device A to 5.5R1. During the upgrading, users’ traffic will be forwarded through device B.

d. After device A upgrades successfully, it will re-negotiate HA with device B.

e. Complete the upgrading.

Upgrading T platform from 5.0R4 and subsequent versions to 5.5R1

1. Disable the HA function of device B, and shut down its traffic forwarding interface and its HA interface.

2. Upgrade device B to 5.5R1 and wait for the upgrade to complete. During the upgrade, the traffic is forwarded through device A.

3. Disable the HA function of device A, and shut down its traffic forwarding interface and its HA interface. Users’ traffic forwarding is interrupted.

4. Enable the traffic forwarding interface of device B. Users’ traffic will be forwarded through device B. Configure the HA function of device B.

5. Upgrade device A to 5.5R1 and wait for the upgrade to complete. During the upgrade, the traffic is forwarded through device B.

6. Enable the traffic forwarding interface of device A. Configure the HA function of device A.

7. Verify the HA status of device A and device B.

Verifying the Upgrading

After the upgrade completes, use the show version command to verify whether the system has been upgraded to the new version successfully.

Verifying the Configurations

After the upgrade completes, export the configuration file and compare it with the previous one. If some configurations are missing, check whether the commands have changed in the new version and then re-configure the missing settings.
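
One way to automate the comparison described above, as an added example (not Hillstone code): the script diffs the configuration exported before and after the upgrade and separates losses that these release notes document (alarm logging commands, ad ip-spoofing, the old mirror syntax) from losses that need review. The indentation-based block parsing and both sample configurations are assumptions constructed for illustration.

```python
import re

# Commands these release notes say are deleted or lost by an upgrade:
# (pattern, release that introduces the change, reason given in the notes).
NOTED_REMOVALS = [
    (re.compile(r"^logging alarm\b"), "5.0R4",
     "alarm logs moved to event logs; command deleted"),
    (re.compile(r"^logging syslog\b.*\btype alarm\b"), "5.0R4",
     "alarm logs moved to event logs; command deleted"),
    (re.compile(r"^ad ip-spoofing\b"), "5.0R2",
     "layer 2 IP address spoofing defense no longer supported"),
]
# Pre-5.0R1 mirroring form: "mirror to interface-name [both | rx | tx]".
OLD_MIRROR = re.compile(r"^mirror to (\S+) (both|rx|tx)$")


def parse(config_text):
    """Return a set of (context, command) pairs.

    Assumption: child commands are indented under an unindented parent
    line (for example an interface block); 'exit' lines carry no setting.
    """
    entries, context = set(), ""
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "exit":
            continue
        if line[0].isspace():
            entries.add((context, line.strip()))
        else:
            context = line
            entries.add(("", line))
    return entries


def audit(before_text, after_text):
    """Classify every command that disappeared between the two exports."""
    before, after = parse(before_text), parse(after_text)
    report = {"expected": [], "review": [], "added": sorted(after - before)}
    for context, cmd in sorted(before - after):
        mirror = OLD_MIRROR.match(cmd)
        if mirror:
            # 5.0R1 splits the command in two; both halves must be present.
            new_form = {(context, f"mirror to {mirror.group(1)}"),
                        (context, f"mirror enable {mirror.group(2)}")}
            if new_form <= after:
                report["expected"].append(
                    (context, cmd, "5.0R1: mirror command split in two"))
            else:
                report["review"].append(
                    (context, cmd, "mirror not converted to the 5.0R1 form"))
            continue
        for pattern, release, reason in NOTED_REMOVALS:
            if pattern.search(cmd):
                report["expected"].append((context, cmd, f"{release}: {reason}"))
                break
        else:
            report["review"].append(
                (context, cmd, "missing with no documented reason"))
    return report


# Constructed sample exports (illustrative layout, not captured from a device).
BEFORE = """\
logging syslog SERVER-PLACEHOLDER type alarm
ad ip-spoofing
interface ethernet0/1
  ip address 192.0.2.1 255.255.255.0
  manage ssh
  mirror to ethernet0/3 rx
exit
interface ethernet0/2
  mirror to ethernet0/4 both
exit
"""
AFTER = """\
interface ethernet0/1
  ip address 192.0.2.1 255.255.255.0
  mirror to ethernet0/3
  mirror enable rx
exit
interface ethernet0/2
exit
"""

if __name__ == "__main__":
    result = audit(BEFORE, AFTER)
    for bucket in ("expected", "review"):
        for context, cmd, why in result[bucket]:
            print(f"[{bucket}] {context or 'global'}: {cmd} ({why})")
```

Entries under "review" are the ones to re-configure or investigate; a lost spoofing defense or alarm log destination listed under "expected" may still need a replacement control in the new version.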

Verifying Basic Business

After the upgrade completes, perform some basic business operations to verify whether the device works normally.

New Features

WebUI

Support new all-platforms WebUI.
Support percentage information in the Monitor page.
Viewing the Network Risk Index via WebUI.
Platform: E, X, T, UIF

iCenter

Multi-dimensional, in-depth display of all risky hosts and threats of the whole network.
Platform: T, UIF

Threat protection enhancement

Support the Mitigation function. Take action on the risk that hits the mitigation rules.
Support the Host Defender function for the specific zone, for each host that is identified by host name.
Support Advanced Threat Detection, which detects malicious behavior to identify APT (Advanced Persistent Threat) attacks.
Support the Abnormal Behavior Detection function, which can inspect the detected object on multiple factors to check whether abnormal behavior has formed.
Platform: T, UIF


Support the Web Server Advanced Protection function to detect HTTP protocol type of Web server attacks.
Support capturing packets when an abnormal behavior occurs, associating them with the relevant threat, and viewing or downloading the evidence messages via WebUI.
Support Perimeter Traffic Filtering, which can take block action on the malicious traffic that hits the blacklist.
Platform: E, X

Monitor enhancement

Optimize the appearance of Monitor, and display the statistics in bar chart, line chart, tables, etc.
Platform: E, X, T, UIF

LLB enhancement

Support server load balance function.
Platform: E, X, T, UIF

Inbound LLB enhancement

Support the function of inbound LLB for the sub interface.
Platform: E, X

The domains for every SmartDNS rule table support up to 2500.
Platform: E, X, T, UIF

Outbound LLB enhancement

Support to generate outbound LLB logs.
Support the function of outbound LLB for the tunnel interface.
Platform: E, X, T, UIF

Policy enhancement

Support the policy group function.
Platform: E, X, T, UIF

License enhancement

Support StoneShield license. Provide Abnormal Behavior Detection, Advanced Threat Detection and its corresponding signature database update in package.
Platform: T, UIF

System enhancement

Support to log in WebUI by importing a certification.
Platform: E, X

Support to manage system admin users of different roles. Each role has its privileges.
Support Application Layer Force Check function.
Support secondary IP for Track IP.
Support containing wildcards in netmask address.
Support long timeout value (maximum 1000 days) for application session.
Support timeout check for TCP FIN packet.
Platform: E, X, T, UIF

Optimize the system to make sure it works normally after a system reboot.
Platform: T, UIF

iQoS enhancement

Support to bind a schedule for a sub-pipe.
Support iQoS function.
Platform: E, X, T, UIF

Up to 64 QoS rules can be bound to an interface.
Up to 16 IP QoS profiles or Role QoS profiles can be nested in an APP QoS profile.
Platform: E, X

SCVPN enhancement

Support to connect Hillstone Secure Connect from Android cellphones.
Clear host caching information when Hillstone Secure Connect disconnects.
The default SCVPN client certification supports the third-party SafePloy USB-Key.
Support locking a user who failed to log in to SCVPN three times in a minute and blocking that user from logging in within 2 minutes.
Support Hillstone BYOD Client for iOS, which is used to establish Secure Connect VPN with Hillstone device.
By creating a Windows task, the SCVPN client supports automatic start and login before you log in to Windows.
Upgrade the SSL VPN client via official upgrade server or intranet upgrade server.
Platform: E, X, T, UIF

VSYS enhancement

Support VSYS.
Platform: T, UIF

Monitor VSYS status in HA environment.
Support SCVPN for non-root VSYS.
Support Role-based secure management.
Support IPSec VPN for non-root VSYS.
Platform: E, X, T, UIF

PKI enhancement

Support Simple Certificate Enrollment Protocol.
Platform: E, X, T, UIF

IPSec VPN enhancement

Configure up to 64 phase 2 IDs and use them to negotiate multiple IKE tunnels.
Support to configure the local ID and Peer ID in an IP format for the ISAKMP gateway.
Use phase 2 IDs to distribute the traffic on the ingress interface of the IKE tunnel, or limit the traffic on the egress interface of the IKE tunnel.
Support IKEv2.
Platform: E, X, T, UIF

OSPF enhancement

Support point-to-point and point-to-multipoint OSPF protocol interface network types.
Platform: E, X, T, UIF

URL filter enhancement

Support URL redirecting to specified page when URL filter rule blocked user's behaviors.
Support the function of URL Filter, which can control users to visit websites and record logs.
URL category supports CYREN categories.
Platform: E, X, T, UIF

SNMP enhancement

Support to read interface descriptions by network management software.
Platform: E, X, T, UIF

SSL proxy enhancement

Decrypt the HTTPS traffic, identify the application in the decrypted traffic, and manage the decrypted traffic.
Platform: E, T, UIF

AAA enhancement

Support the traffic control based on the user group of the third-party authentication server.
Platform: SG-6000-M7260/M7860/M8260/M8860

Portal authentication

Support the function of authenticating the users that access the Internet through devices by using the Portal server.
Platform: E, X, T, UIF

Support to obtain the source IP when visiting Portal server.
Redirect to initial URL after Portal authentication succeeded.
Platform: E, X

Webauth enhancement

Support Web SMS authentication.
Platform: E, X, T, UIF

Interface enhancement

Support Policy-based Interface Mirroring.
Platform: E, X, T, UIF

Support the function of interface out-of-band management.
Platform: SG-6000-G5150/G3150/M6560/M6860

Traffic mirror enhancement

Mirror the traffic that matches the policy to the specified destination IP address.
Platform: E, X, T, UIF


NAT enhancement

Support enabling or disabling the NAT rule.
Platform: E, X

Support the address validity check in the NAT address pool.
Support Full-cone NAT.
Platform: T, UIF

HA enhancement

Support HA Active-Passive mode.
Platform: T, UIF

Peer mode supports IPSec VPN.
Peer mode supports SCVPN.
Platform: E, X

IOM hot swapping can trigger switching of their active and passive role.
Support active and passive role switch by adjusting priority values.
Platform: E, X, T, UIF

WAP enhancement

SG-6000-X7180 Supports HTTP traffic distribution
Support to send WAP traffic distribution statistics to SNMP MIB Library.
Platform: E, X

User identification enhancement

Support User Identification function.
Platform: SG-6000-X6150/X6180/X7180

Address enhancement

Support excluding address entries.
Support containing wildcards in host name.
Platform: E, X, T, UIF

IPv6 enhancement

Support to configure the maximum number of 6to4 sub-tunnels.
Support RIPng, OSPFv3, and IPv6 BGP.
Support DS-Lite technology.
Platform: E, X

Support IPv6.
Platform: T, UIF

Application enhancement

Support Application Filter Group. Users can define an application filter group according to category, subcategory, technology, risk, characteristic, in order to reduce duplicated search.
Platform: E, X

Identify more applications that are encrypted by HTTPS.
Platform: E, T, UIF

The applications of APP signatures overseas support up to 1000+.
Platform: E, X, T, UIF

Reports enhancement

Optimize the configuration of the report task.
Optimize the reports in the Threat category in the Reports function.
Platform: T, UIF


Log enhancement

Users can view, search, and export the session logs in the session log page.
Users can view, search, and export the NAT logs in the NAT log page.
Platform: T, UIF

The log server which supports Secure-TCP protocol can transfer logs without any certifications.
Integrate the threat log: security log and IPS log are merged into the threat log.
Optimize the format of threat log.
Optimize the threat type: divided into 6 threat types and 16 threat subtypes.
Platform: E, X, T, UIF

Support to save Event logs, Configuration logs, Network logs, and Threat logs to device's hard disk card.
Platform: SG-6000-M8860/E5960

Route enhancement

Support the function of Static Multicast Route.
Platform: T, UIF

Support the IS-IS dynamic routing protocol in TCP/IP network.
Platform: E, X, T, UIF

IPS enhancement

Support user-defined IPS signature.
Support IPS logs merging function.
Support two default IPS rules, which include IPS signatures.
Support displaying the detailed description of the IPS signature.
Platform: E, X, T, UIF

Support IPS function.
Platform: X

AV enhancement

Upgrade the anti-virus signature database.
Platform: E, T, UIF

DNS enhancement

Support to distribute the DNS requests by weighted round-robin (WRR) mode when more than one ISP line is available.
DNS servers in the same ISP support to distribute the DNS requests by round robin (1:1:1…)
Support DNS snooping function, which can access to the host through the specified link.
Platform: E, X, T, UIF

TCP enhancement

Support to specify the timeout value for TCP established, fin_wait_1, fin_wait_2 and time_wait state.
Platform: E, T, UIF

Hardware enhancement

IOM can be hot swapped with the same type module.
Platform: E

Signature enhancement

Support to off-line download the Mitigation signature database, Abnormal behavior detection signature database and Advanced threat detection signature database. The URL is https://sec-cloud.hillstonenet.com/cloud/release/download_offline_cn.html.
Platform: T, UIF

Known Issues

WebUI

Cannot log in to WebUI normally by using IE11 (11.0.9600.17041I). (96827-2(101167))
Solution: Use other web browser.
Platform: E, X, T, UIF

Cannot import IPGEO information via WebUI for the off-line device. (2(104879))
Solution: Update from CLI, and the URL is http://update1.hillstonenet.com/ipgeo_update.html.
Platform: T, UIF

After logging in via WebUI, narrowing the web browser may cause the menu bar to display incompletely. (107655-2(107881))
Solution: No
Platform: E, X, T, UIF

SCVPN

Cannot log in to the SCVPN client through USBKey automatically when Windows starts. (79249-2(79250))
Solution: No
Platform: E, X, T, UIF

If logging in to the SCVPN client through Windows scheduled tasks, the GUI of the SCVPN client may not be started. (79151-2(79467))
Solution: No
Platform: E, X, T, UIF

HA

In HA environment, the manage IP cannot be configured for the MGT0 interface via WebUI. (78546)
Solution: No
Platform: T, UIF

Cannot configure the aggregate interface to be a HA data link interface. (78544)
Solution: No
Platform: E, T, UIF

In HA A/P mode, if rolling back the current version to 5.0R4P3, HA negotiation may fail. (96131-2(96133))
Solution: No
Platform: E, X

In HA environment, upgrading the firmware version to 5.5R1 may cause the device to work abnormally. (102331-2(102395))
Solution: Upgrade device to 5.0R4P4 first, and then update it to 5.5R1.
Platform: E, X

If the priority value and preempt value are already configured as default in HA A/P mode, frequent switching between the main device and backup device may cause the priority value to become ineffective. (91697-0E0(94783))
Solution: No
Platform: E, X, T, UIF

Upgrade

Cannot back up the current device configurations when upgrading to 5.5R1. (101107-2(102135))
Solution: Upgrade through Console.
Platform: SG-6000-M2105/-M1600/M3100/M3105/M3108

Upgrading to 5.5R1 via WebUI may fail on some platforms. (102407-0E0(102607), 102627-0E0(102629))
Solution: Upgrade via CLI.
Platform: E, X

After upgrading to 5.5R1, data of the Application Monitor, Threat Monitor and Report modules may not display normally via WebUI. (105085-1(105085))
Solution: Export data to your local PC to back it up before upgrading.
Platform: T, UIF

URL control may decrease because URL categories changed after upgrading to 5.5R1. (2(104939))
Solution: Configure the URL filter rule again after upgrading to 5.5R1.
Platform: E, T, UIF

Application Signature Database Professional may lose some applications after upgrading to 5.5R1. (106317-2(106333))
Solution: Import a new Application Signature Database Professional manually and then upgrade the firmware to 5.5R1.
Platform: E, X, T, UIF

Cannot recognize SSL applications normally after upgrading to 5.5R1. (2(106641))
Solution: Upgrade Application Signature Database Professional before 5.5R1.
Platform: E, X, T, UIF

If a URL filter rule is configured on a policy in the 5.0R4F3/F4 version, upgrading to 5.5R1 may lose the URL filter configurations. (106899-2(106901))
Solution: Configure the URL filter rule again after upgrading to 5.5R1.
Platform: T, UIF

License

Devices with small memory may not start normally after loading AEL license in few cases. (101561-2(102475))
Solution: No
Platform: SG-6000-M3100/M3108

Explorer Compatibility

The following browsers have passed compatibility tests:

IE11

Chrome

Getting Help

Hillstone provides the following guides to help you understand our products:

http://doc.hillstonenet.com/page/site/documentation/documentlibrary

StoneOS WebUI User Guide

StoneOS CLI User Guide

StoneOS Getting Started Guide

StoneOS Cookbook


Hillstone Multi-core Security Appliance Log Messages Reference Manual

Hillstone SNMP MIB Reference Manual

Hillstone SG-6000 Hardware Reference Guides

Hillstone SG-6000 Expansion Modules Reference Guides

Hillstone Unified Intelligence Firewall Installation Manual

Website: http://www.hillstonenet.com

Service Line: North American (1-800-889-9860)

Asia Pacific (86-400-828-6655)