Hillstone E-Series Next-Generation Firewalls

Comprehensive network security and advanced firewall features

Enterprise-grade firewalls

Hillstone Networks’ E-Series Next-Generation Firewalls provide visibility and control of web-based application traffic regardless of port, protocol or IP address. Policies can be defined that guarantee bandwidth to mission-critical applications while restricting or blocking inappropriate or malicious applications. Administrators can control access to applications (and application features) based on users and/or user-groups regardless of IP address, location or device. Hillstone E-Series firewalls incorporate comprehensive network security and advanced firewall features. They provide superior price performance, better energy efficiency, and a smaller size compared to competing products.

Learn about the Hillstone Unified Intelligent Firewall upgrade

Take advantage of the same capabilities offered in the Hillstone T-Series family by adding behavioral intelligence as an upgrade. Learn more about this capability.

Add Intelligence to your Hillstone Network E-Series Firewall

Hillstone Unified Intelligent Firewall upgrade

Upgrade your Hillstone Network Next-Generation Firewalls

The Hillstone Unified Intelligent Firewall Upgrade enables Hillstone E-Series NGFW to offer the same set of continuous threat defenses found in Hillstone’s innovative T-Series family of Intelligent Next-Generation Firewalls (iNGFW).

With the upgrade, Hillstone E-Series NGFW can detect network threats and anomalies with real-time traffic data analysis. Provide proactive detection to discover threats across your enterprise network faster and with more accuracy. The upgrade adds a reputation dimension to the 7-tuples (e.g. Next-Generation Firewall applications and users), the iNGFW enables threat protection and risk management and control with Behavior Reputation Index and Network Health Index in addition to the enhanced next-generation firewall features, maximizing business security and availability.

The behavioral intelligence upgrade, requires a virtual machine for each upgraded firewall.

Contact Hillstone Networks to learn more about the Hillstone Unified Intelligent Firewall Upgrade, if your existing Hillstone firewalls are able to be upgraded or to purchase the service.

Granular application control

Hillstone E-Series firewalls provide granular application control. Administrators can build policies that allow specific users or user-groups to access selected applications. (Allow Marketing to access Facebook). It is even possible to limit access to certain features within an application. Policies can also be defined that block or limit access to applications. For example, certain games may be blocked during work hours but allowed after work hours. Alternatively, some applications may be allowed during work hours but with limited bandwidth.

Proactive threat protection

Hillstone E-Series firewalls provide real-time protection for application and network attacks including viruses, spyware, worms, botnets, ARP spoofing, DoS/DDoS, Trojans, buffer overflows, and SQL injections. It incorporates a unified malware detection engine that shares packet details with multiple security defenses (IPS, URL filtering, and Anti-Virus), which significantly reduces latency.

Visibility and control

Hillstone E-Series provides visibility and control of network traffic. An intuitive user interface displays all applications traversing the network along with application categories and bandwidth. An administrator can quickly choose an application and see all the users who are accessing that application along with bandwidth consumption. If a particular user is of interest the administrator can see all the applications that user is using—now and in the past. Inappropriate applications can be blocked or limited by bandwidth or time of day. Multiple reports show top applications, top users, top URLs, top URL categories, top threats, etc.

StoneOS Core features:

Networking features

  • Dynamic routing(OSPF, BGP,RIPv2)
  • Policy-based routing
  • Route controlled by application
  • IPv6
  • Tap mode—connect to SPAN port
  • L2/L3 switching & routing
  • Virtual wire (Layer 1) transparent in-line deployment

QoS traffic shaping

  • Max/guaranteed and priority
  • By user, group, app, IP address, time, and more
  • By Class of Service (CoS) and app priority
  • (compatible with DiffServ tag)


  • PnP VPN
  • L2TP VPN
  • L2TP over IPSec VPN

High availability

  • Active/passive
  • Active/active
  • Configuration and session synchronization

Virtual firewalls

  • Multiple virtual firewalls in a single device

Load Balancing

  • By source IP
  • By destination IP
  • By session
  • By bandwidth/Latency

Application Control

  • Over 3,000 applications that can be filtered by name, category, subcategory, technology and risk
  • Each application contains a description, risk factors, dependencies, typical ports used, and URLs for additional reference
  • Actions: block, reset session, monitor, traffic shaping

Centralized Management

  • Centralized deployment and management
  • Unified policy management
  • Performance and traffic monitoring

Zone-base architecture

  • All interfaces assigned to security zones for policy enforcement

Threat detection

  • Over 1.3 million AV signatures
  • Over 3500 IPS signatures
  • Over 20 million domain names
  • DoS/DDos DNS query flood
  • SYN flood
  • ARP spoofing
  • Malformed packets

Hillstone T-Series Intelligent Next-Generation Firewalls

Continually monitor your network

Integrated behavioral intelligence

Hillstone Network’s T-Series Intelligent Next-Generation Firewall (iNGFW) is an application-aware firewall that continuously monitors the network. It can identify attacks on all operating systems, applications, devices and browsers. It provides visibility into every stage of an attack and it can detect security breaches within minutes/seconds. It prioritizes hosts with the greatest security risks and provides contextual information about the threat. Security administrators can drill-down into the attack, including packet captures, to analyze all threat details.

Continuous threat defense

Hillstone’s T-Series Intelligent Next-Generation Firewall (iNGFW) uses three key technologies to provide continuous threat defense. First, it uses statistical clustering to detect security breaches in near real-time. It prioritizes hosts with the greatest security risks and provides contextual information about the attack. Second, it uses behavioral analytics to detect anomalous network behavior. It provides visibility into every stage of an attack and gives the user multiple opportunities to stop the attack. Finally, it provides forensic analysis so that the user can determine the root cause of the attack. This allows an administrator to make policy changes to prevent similar incursions into his network.

Product Overview Video

Product Demonstration Video


Statistical clustering

Leveraging a proprietary statistical clustering algorithm that can quickly detects variants of known malware. Instead of searching for explicit signatures, it analyzes the behavior of malware and looks for recurring combinations of actions that are strongly related to known malware. When a close match is detected the system will send an alert and provide a complete description of the malware including packet captures. It also provides a confidence level and a severity level so that the administrator can take remedial action.

Behavioral analytics

Using machine learning to establish a baseline of normal network activity and it uses big data analytics and mathematical modeling to detect anomalous network behavior that represents attacks at multiple stages in the attack lifecycle. This information is displayed on an intuitive dashboard and provides the user with multiple opportunities to stop the attack. Multiple mitigation technologies are built into the display so that the administrator can quickly limit potential damage while he investigates the abnormal traffic.

Forensic analysis

Hillstone’s T-Series provides a wealth of evidence that helps an administrator understand the root cause of the attack. Reports and logs provide an audit trail of the progression of attacks from initial compromise to the exfiltration of data. Hosts are prioritized by security risk and assigned a risk factor. The threats that contributed to the risk factor can be examined along with a detailed description of each attack, a confidence level, and packet captures.

Key features

Network services

  • Dynamic routing (OSPF, BGP, RIPv2)
  • Static and policy routing
  • Route controlled by application
  • Built-in DHCP, NTP, DNS server and DNS proxy
  • Tap mode—connect to SPAN port
  • IPv6 support: Mgt. over IPv6, IPv6 routing protocols, IPv6 tunneling, IPv6 logging and HA
  • Interface modes: sniffer, port aggregated, loopback, VLANS (802.1Q and trunking)
  • L2/L3 switching & routing
  • Virtual wire (Layer 1) transparent inline deployment


  • Operating modes: NAT/route, transparent (bridge), and mixed mode
  • Policy objects: predefined, custom, and object grouping
  • Application Level Gateways and session support: MSRCP, PPTP, RAS, RSH, SIP, FTP, TFTP, HTTP, dcerpc, dns-tcp, dns-udp, H.245 0, H.245 1, H.323
  • NAT support: NAT46, NAT64, NAT444, SNAT, DNAT, PAT, Full Cone NAT, STUN
  • NAT configuration: per policy and central NAT table
  • VoIP: SIP/H.323/SCCP NAT traversal, RTP pin holing
  • Global policy management view
  • Schedules: one-time and recurring
  • QoS traffic shaping:

o   Max/guaranteed bandwidth tunnels or IP/user basis

o   Tunnel allocation based on security domain, interface, address, user/user group, server/server group, application/app group, TOS, VLAN

o   Bandwidth allocated by time, priority, or equal bandwidth sharing

o   Type of Service (TOS) and Differentiated Services (DiffServ) support

o   Prioritized allocation of remaining bandwidth

o   Maximum concurrent connections per IP

  • Virtual firewall: Up to 1000 vSYS load balanced firewalls
  • Load balancing:

o   Weighted hashing, weighted least-connection, and weighted round-robin

o   Session protection, session persistence and session status monitoring

o   Bidirectional link load balancing

o   Outbound link load balancing includes policy based routing, ECMP and weighted, embedded ISP routing and dynamic detection

o   Inbound link load balancing supports SmartDNS and dynamic detection

o   Automatic link switching based on bandwidth and latency

o   Link health inspection with ARP, PING, and DNS


  • IPSec VPN:

o   IPSEC Phase 1 mode: aggressive and main ID protection mode

o   Peer acceptance options: any ID, specific ID, ID in dialup user group

o   Supports IKEv1 and IKEv2 (RFC 4306)

o   Authentication method: certificate and pre-shared key

o   IKE mode configuration support (as server or client)

o   DHCP over IPSEC

o   Configurable IKE encryption key expiry, NAT traversal keep alive frequency

o   Phase 1/Phase 2 Proposal encryption: DES, 3DES, AES128, AES192, AES256

o   Phase 1/Phase 2 Proposal authentication: MD5, SHA1, SHA256, SHA384, SHA512

o   Phase 1/Phase 2 Diffie-Hellman support: 1,2,5

o   XAuth as server mode and for dialup users

o   Dead peer detection

o   Replay detection

o   Autokey keep-alive for Phase 2 SA

o   IPSEC VPN deployment modes: gateway-to-gateway, full mesh, hub-and-spoke, redundant tunnel, VPN termination in transparent mode

o   One time login prevents concurrent logins with the same username

o   SSL portal concurrent users limiting

  • SSL VPN realm support: allows multiple custom SSL VPN logins associated with user groups (URL paths, design)
  • IPSEC VPN configuration options: route-based or policy based
  • IPSEC VPN deployment modes: gateway-to-gateway, full mesh, hub-and-spoke, redundant tunnel, VPN termination in transparent mode
  • One time login prevents concurrent logins with the same username
  • SSL portal concurrent users limiting
  • SSL VPN port forwarding module encrypts client data and sends the data to the application server
  • SSL VPN tunnel mode supports clients that run Windows XP/Vista including 64-bit Windows OS’
  • Host integrity checking and OS checking prior to SSL tunnel connections
  • MAC host check per portal
  • Cache cleaning option prior to ending SSL VPN session
  • L2TP client and server mode, L2TP over IPSEC, and GRE over IPSEC
  • View and manage IPSEC and SSL VPN connections

User identification

  • Local user database
  • Remote user authentication: LDAP, Radius, Active Directory
  • Single-sign-on: Windows AD
  • 2-factor authentication: 3rd party support, integrated token server with physical and SMS
  • User identification


  • 3,000+ signatures, protocol anomaly detection, rate-based detection, custom signatures, manual, automatic push or pull signature updates, integrated threat encyclopedia
  • IPS actions: default, monitor, block, reset (attackers IP or attackers IP and victim IP, incoming interface) with expiry time
  • Packet logging option
  • Filter based selection: severity, target, OS, application and/or protocol
  • IP exemption from specific IPS signatures
  • IDS sniffer mode
  • IPv4 and IPv6 rate based DOS protection with threshold settings against TCP Syn flood, TCP/UDP/SCTP port scan, ICMP sweep, TCP/UDP/SCIP/ICMP session flooding (source/destination)
  • Active bypass with bypass interfaces

Threat protection

  • Breach detection

o   Near real-time breach detection (seconds/minutes)

o   Detailed description and severity of malware closely resembling attack

o   Pcap files and log files provide corroborating evidence

o   Confidence level provides certainty of attack

  • Network behavior analysis

o   L3-L7 baseline traffic compared to real-time traffic to reveal anomalous network behavior

o   Built-in mitigations technologies include: session limits, bandwidth limits and blocking

o   Graphical depiction of anomalous behavior compared to baseline and upper and lower thresholds

  • Network Risk Index quantifies the threat level of the network based on the aggregate host index.
  • Host Risk Index quantifies the host threat level based on attack severity, detection method, and confidence level.
  • Over 1.3 million AV signatures
  • Botnet server IP blocking with global IP reputation database
  • Flow-based Antivirus: protocols include HTTP, SMTP, POP3, IMAP, FTP/SFTP
  • Flow-based web filtering inspection
  • Manually defined web filtering based on URL, web content and MIME header
  • Dynamic web filtering with cloud-based real-time categorization database: over 140 million URLs with 64 categories (8 of which are security related)
  • Additional web filtering features:

o   Filter Java Applet, ActiveX and/or cookie

o   Block HTTP Post

o   Log search keywords

o   Exempt scanning encrypted connections on certain categories for privacy

  • Web filtering profile override: allows administrator to temporarily assign different profiles to user/group/IP
  • Web filter local categories and category rating override

Application control

  • Over 3,000 applications that can be filtered by name, category, subcategory, technology and risk
  • Each application contains a description, risk factors, dependencies, typical ports used, and URLs for additional reference
  • Actions: block, reset session, monitor, traffic shaping

High availability

  • Redundant heartbeat interfaces
  • Active/Active and Active/Passive
  • Standalone session synchronization
  • HA reserved management interface
  • Failover:

o   Port, local & remote link monitoring

o   Stateful failover

o   Sub-second failover

o   Failure notification

  • Deployment options:
  • HA with link aggregation
  • Full mesh HA
  • Geographically dispersed HA


  • Management access: HTTP/HTTPS, SSH, telnet, console
  • Central management: Hillstone Security Manager (HSM), web service APIs
  • System integration: SNMP, syslog, alliance partnerships
  • Dynamic real-time dashboard status and drill-in monitoring widgets
  • Language support: English

Logs & reporting

  • Logging facilities: local memory and storage (if available), multiple syslog servers and multiple Hillstone Security Audit (HSA) platforms
  • Encrypted logging and log integrity with HSA scheduled batch log uploading
  • Reliable logging using TCP option (RFC 3195)
  • Detailed traffic logs: forwarded, violated sessions, local traffic, invalid packets
  • Comprehensive event logs: system and administrative activity audits, routing & networking, VPN, user authentications, WiFi related events
  • IP and service port name resolution option
  • Brief traffic log format option


Hillstone X-Series Data Center Firewalls

Designed for the unique requirements of a data center

Hillstone Networks’ X7180 data center firewall offers outstanding performance, reliability, and scalability, for high-speed service providers, large enterprises and carrier networks. It provides flexible firewall security for multi-tenant cloud-based security-as-a-service environments. The X7180 platform is based on Hillstone’s Elastic Firewall Architecture (EFA), which offers highly scalable virtual firewalls, exceptional firewall throughput, massive concurrent sessions and very high new sessions per second. The X7180 also supports Deep Packet Inspection (DPI), next generation application control and Quality of Service (QoS). The system delivers exceptional performance in a small form factor with low power requirements.

Hillstone’s Elastic Firewall Architecture: A breakthrough technology for data centers

Streaming media, web-based applications, VoIP, peer-to-peer file sharing, mobile devices, cloud computing, and international presence are all contributing to accelerating data center traffic. As core network traffic increases, the need for high-speed network interfaces and high port densities becomes critical. Mobile device traffic also requires more emphasis since network security solutions can degrade significantly when the traffic shifts toward a large number of users and smaller packet size. As a result, datacenter firewalls must provide high throughput, large numbers of concurrent sessions and high numbers of new sessions per second. More importantly, they must respond to the usage patterns of its customers, which are often highly unpredictable. Consequently, data center firewalls must also provide rapid elasticity and on-demand security. 

The X7180 data center firewall is built on Hillstone’s Elastic Firewall Architecture. It can support up to 1000 virtual firewalls and it can be provisioned as an on-demand service option complete with service level agreements (SLAs). Service providers can dynamically adjust resource allocation (CPU, sessions, policies and ports) for each virtual firewall in response to SLAs. Hillstone’s X7180 hardware is composed of multiple security and networking blades that provide scalability for future growth. It leverages a distributed multi-core architecture enabling wire-speed performance up to 360 Gbps throughput, 120 million concurrent sessions and 2.4 million new sessions per second. The chassis supports up to 8x40GbE ports, 68×10-GbE ports or 144x1GbE ports.

Carrier-grade reliability

The X7180 provides carrier-grade reliability. It supports High Availability (HA) in both active/passive and active/active modes, ensuring 24×7 operation. It also has redundant and hot swappable power supplies, fans, System Control Modules (SCM), Security Service Modules (SSM) and I/O Modules (IOM). The X7180 also has a multi-mode and single-mode fiber bypass module, to ensure business continuity during power outages.

NAT and IPv6

The inevitable march to IPv6 is underway but service providers still need to deploy Carrier Grade NAT (CGN) and Large Scale NAT (LSN) to manage the IPv4 address shortage while the transition is underway. Hillstone’s X7180 supports a variety of transition technologies including Dual Stack, IPv6/IPv4 tunnels, DNS64/NAT64, NAT 444, full cone NAT, NAPT, etc. Session logging and address translation enable audit trails for record keeping and forensics.

Energy efficiency

The X7180 has slots front and rear, which saves rack space and facilitates cooling. It has a 5U form factor and a maximum power consumption of 1300W, which is 50–67% less power than other data center firewalls.


The X7180 provides visibility and control of over 1,300 web applications including 200 mobile applications and encrypted P2P applications. It allows fine grain control of applications, bandwidth, users, and user/groups. The X7180 prevents users from accessing malicious or inappropriate applications and the embedded Intrusion Prevention System (IPS) protects the network from malicious activity. The X7180 supports deep packet inspection and standard-based IPSec VPN, which uses hardware based crypto acceleration to provide third-generation SSL VPN. Hillstone also offers a unique Plug-and-Play VPN solution that makes branch office VPN deployment a simple task.


The X7180 platform can manage bandwidth based on applications, users, and time of day. The system provides fine-grained policy control including guarantee bandwidth, bandwidth limit, traffic priority, and FlexQoS, which can dynamically adjust bandwidth based on utilization. These features, along with session limit, policy routing and link load balancing enable flexible bandwidth management.

Product Functions

Attack Defense

  • Network-based Intrusion Prevention System
  • Scanning protection (IP address scan, port scan)
  • Flood protection (SYN flood, DNS flood, UDP flood)
  • Layer-2 attack prevention (IP spoofing, DHCP snooping, ARP protection)

Virtual firewall

  • Up to 1,000 virtual firewalls
  • Elastic resource allocation (CPUs, sessions, policies, ports, services)
  • Virtual firewall management, provisioning and reporting via Hillstone Security Manager
  • Integrates with OpenStack and CloudStack orchestration solutions


  • NAT-PT
  • NAT444
  • Full-Cone NAT

Application identification

  • More than 1,300 applications
  • More than 200 mobile applications
  • Application identification based on signature and behavior

Log and report

  • URL log
  • NAT log
  • Session log
  • Security event log
  • Real time traffic statistics and reporting
  • Security event statistics and reporting

Access Control

  • Access control based on application
  • Access control based on user/user-groups
  • Access control based on time, IP-MAC-Port address binding
  • Local/external server user authentication (RADIUS, LDAP, AD)

High availability

  • Active/active and active/passive
  • Redundancy of key hardware components

Dynamic routing



  • Access control
  • ICMPv6
  • DNSv6
  • SNMP management
  • Static routing
  • Dual stack, DS-Lite, DNS64/NAT64 and other transition technologies


  • IPSec VPN
  • GRE
  • VPDN
  • PnPVPN (Plug-and-play VPN)

Traffic Shaping

  • QoS policy based on user, application, IP address, and time
  • Per-IP control
  • Priority, guarantee bandwidth, bandwidth limit, shaping
  • Multi-layer QoS
  • Flexible QoS