Hillstone Networks: Integrative Cyber Security
https://www.hillstonenet.com/
Sun, 04 Jan 2026 02:30:46 +0000

Your Attackers Can’t Hide Anymore: NIPS 5.4 & 5.5 Just Leveled Up the Game
https://www.hillstonenet.com/blog/your-attackers-cant-hide-anymore-nips-5-4-5-5-just-leveled-up-the-game/
Mon, 05 Jan 2026 16:00:00 +0000

If you’re responsible for keeping your network safe, you know the feeling: Attackers are constantly finding new ways to slip past defenses, hide their tracks, or make a mess that’s hard to clean up. Today, I’m excited to break down our latest release—NIPS 5.4 and 5.5. This isn’t just a routine update; it’s a direct response to the tricky, real-world problems our teams and customers face every day.

X-Forwarded-For (XFF) Recognition – Seeing the Real Attacker Behind the Proxy

Here’s the classic headache: Your threat logs light up with an attack… but the source IP is your own cloud proxy or a third-party service IP. Without XFF recognition, your security operations team is left chasing ghosts. They might block a proxy IP, which does nothing to stop the real attacker and could break legitimate traffic for other users. Tracing the true origin of an attack for forensics becomes a manual, frustrating, and often impossible detective game. Customers needed a way to automatically cut through the proxy fog.

With the new NIPS release, the system now parses and records the client IP from the X-Forwarded-For header by default. We’ve added a new “Proxy IP Information Display” switch in the global threat protection settings (enabled by default). When this is on, critical security modules like IPS, Anti-Virus, and Sandboxing will process threat logs differently. If an incoming request contains proxy chain information, the logs won’t just show the last hop; they’ll display the relevant proxy IP details and, most importantly, retain the full proxy chain. You can now take action against the actual malicious client IP, not an innocent intermediary. Goodbye to misplaced blocks.
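How a log consumer can pick the actionable address from a retained proxy chain, as an added example (not Hillstone's implementation or code from the original post): it walks the chain right to left and stops at the first hop that is not one of your own proxies, because entries further left are supplied by the client and can be forged. The `TRUSTED_PROXIES` ranges and all sample addresses are constructed assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed assumption: address ranges of the reverse proxies / CDN you operate.
TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:ffff::/48")
]


class Attribution(NamedTuple):
    client_ip: str         # address to act on (block, investigate)
    chain: List[str]       # full chain as received, left to right, ending with the TCP peer
    unverified: List[str]  # entries left of client_ip: client-supplied, possibly forged


def parse_hop(token: str):
    """Parse one X-Forwarded-For entry; tolerate quotes, ports and [IPv6]:port."""
    token = token.strip().strip('"')
    if token.startswith("["):            # [2001:db8::7]:443
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:          # 203.0.113.7:51234
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None                      # "unknown", obfuscated identifiers, garbage


def is_trusted(ip) -> bool:
    return any(ip.version == net.version and ip in net for net in TRUSTED_PROXIES)


def attribute_client(peer_ip: str, xff_header: Optional[str]) -> Attribution:
    """Return the right-most address that is not one of our own proxies.

    peer_ip is the source address of the TCP connection (the only hop that
    cannot be forged by a header); xff_header is the raw header value or None.
    """
    claimed = [t.strip() for t in (xff_header or "").split(",") if t.strip()]
    chain = claimed + [peer_ip]

    client = parse_hop(peer_ip)
    if client is None:
        raise ValueError(f"peer address is not an IP: {peer_ip!r}")

    idx = len(chain) - 1
    # Step left only while the current hop is a proxy we operate: only such a
    # proxy can be believed about the hop it appended to the header.
    while idx > 0 and is_trusted(client):
        previous = parse_hop(chain[idx - 1])
        if previous is None:             # unparseable entry: stay on the last verifiable hop
            break
        idx -= 1
        client = previous

    return Attribution(str(client), chain, chain[:idx])


if __name__ == "__main__":
    # Constructed sample: the client forged a left-most "127.0.0.1" entry.
    result = attribute_client("198.51.100.10", "127.0.0.1, 203.0.113.7:51234, 198.51.100.22")
    print("act on:", result.client_ip)
    print("full chain:", " -> ".join(result.chain))
    print("unverified (client-supplied):", result.unverified)
```

Taking the left-most entry instead would attribute the constructed sample to `127.0.0.1`, which is exactly the misplaced block the section describes.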

Optimized HTTP Multi-Decoding – No More Hiding in Plain Sight

Attackers are crafty. They know many security systems perform basic checks on incoming data. So, they layer on multiple encodings—like wrapping a payload in Unicode, then URL-encoding it—to bypass signature-based detection. Without peeling back these layers, the threat slips right through. This evasion technique was a significant blind spot, forcing admins to choose between deeper inspection and performance.

Our new HTTP Multi-Decoding engine tackles this head-on. The system now supports multi-layer, recursive decoding of HTTP traffic that uses URL or Unicode formats. This means it can intelligently decode a payload that’s been encoded two, three, or more times, revealing the original content for inspection. For fine-tuned control, administrators can configure the multi-decoding behavior via CLI commands, deciding how deeply the IPS should dig into encoded payloads. Obfuscation techniques that relied on nested encoding are effectively neutralized. Attackers can’t hide in the layers anymore.
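Depth-limited recursive decoding of `%XX` and `%uXXXX` escapes, as an added example (not Hillstone's engine or its CLI): each layer is decoded in a single pass so layers are counted correctly, signatures run on every layer, and input that is still encoded when the limit is reached is reported rather than passed as clean. `max_depth`, the two signatures, and the sample requests are constructed assumptions.

```python
import re
from typing import List, Tuple

# One token is either a %uXXXX escape or a run of %XX bytes (a run is decoded
# together so multi-byte UTF-8 sequences survive).
TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|((?:%[0-9a-fA-F]{2})+)")

# Constructed stand-ins for IPS signatures.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "script-tag": re.compile(r"<script", re.IGNORECASE),
}


def _decode_token(match) -> str:
    if match.group(1):
        return chr(int(match.group(1), 16))
    raw = bytes.fromhex(match.group(2).replace("%", ""))
    # Invalid or overlong UTF-8 becomes U+FFFD instead of raising.
    return raw.decode("utf-8", errors="replace")


def decode_once(value: str) -> str:
    """Remove exactly one encoding layer; text produced here is not re-scanned."""
    return TOKEN.sub(_decode_token, value)


def multi_decode(value: str, max_depth: int = 4) -> Tuple[List[str], bool]:
    """Return (layers, truncated). layers[0] is the raw input.

    truncated is True when max_depth was reached and another pass would still
    change the text, i.e. the inspector has not seen the innermost content.
    """
    layers = [value]
    for _ in range(max_depth):
        decoded = decode_once(layers[-1])
        if decoded == layers[-1]:
            return layers, False
        layers.append(decoded)
    return layers, decode_once(layers[-1]) != layers[-1]


def inspect_value(value: str, max_depth: int = 4) -> dict:
    """Match signatures against every layer and report the depth of the first hit."""
    layers, truncated = multi_decode(value, max_depth)
    for depth, text in enumerate(layers):
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                return {"verdict": "match", "signature": name, "depth": depth}
    verdict = "undecoded-layers" if truncated else "clean"
    return {"verdict": verdict, "signature": None, "depth": len(layers) - 1}


if __name__ == "__main__":
    # Constructed sample request paths.
    samples = [
        "/files/%2e%2e%2fconf",                  # URL-encoded once
        "/files/%252e%252e%252fconf",            # URL-encoded twice
        "/files/%25u002e%25u002e%25u002fconf",   # Unicode escapes, then URL-encoded
        "/search?q=100%25+off",                  # benign literal percent sign
    ]
    for s in samples:
        print(s, "->", inspect_value(s))
    # A depth limit lower than the nesting level is surfaced, not silently passed.
    print(inspect_value("/files/%25252e%25252e%25252fconf", max_depth=2))
```

The `undecoded-layers` verdict makes the depth setting's trade-off visible: a shallow limit is cheaper, but whatever lies beneath it has not been inspected and should be handled by policy rather than treated as clean.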

NIPS 5.4 and 5.5 are about removing the advantages attackers have enjoyed in complex, modern network environments. These updates empower your security team to act with confidence, investigate with clarity, and stop threats more effectively than ever before. For more details, reach out to your Hillstone Networks representative.

BDS 5.5: Threat Detected, Automatically Blocked
https://www.hillstonenet.com/blog/bds-5-5-threat-detected-automatically-blocked/
Tue, 09 Dec 2025 16:00:00 +0000

If you’ve ever felt like your breach detection system is playing catch-up while threats sprint ahead—or worse, gets stuck because it can’t talk to the rest of your security stack—you’re going to love what’s new in BDS (Breach Detection System) 5.5.

Integrated Response with 3rd-Party Firewalls: Stop Threats Faster, Automatically

In cybersecurity, siloed tools are a major pain point. Integrated Response is all about breaking down those walls. You might have a Palo Alto at the perimeter, a FortiGate in the data center, and something else in a remote office. Manually logging into each firewall to block a malicious IP that BDS found is slow, tedious, and frankly, not scalable when every second counts. Without this integration, there’s a dangerous gap between detection and containment.

We’ve supercharged BDS 5.5’s ecosystem integration. Now, you can directly bind a BDS device to a blocking template and have it execute automated block/unblock commands on a range of major third-party firewalls. Think of it as giving your NDR solution hands—not just eyes. Now, when BDS spots something malicious, it can instantly tell your firewall to block it, no human intervention required. It drastically cuts down your Mean Time to Respond (MTTR). What used to take minutes of manual work now happens in seconds, automatically.

Deployment Support for Public Cloud Environments: Secure Your Cloud Workloads Seamlessly

As companies migrate workloads to the public cloud, traditional on-premise security tools start to struggle. The cloud environment is dynamic—resources spin up and down constantly, and you often lose the “full packet visibility” you had in your own data center. Network Detection and Response in the cloud requires solutions that can be deployed flexibly, scale elastically, and integrate with cloud-native networking—all while maintaining the same detection fidelity you’d expect on-prem.

BDS 5.5 now offers native deployment support across all major public cloud platforms, such as Amazon Web Services (AWS), Microsoft Azure, Alibaba Cloud, and Tencent Cloud. Whether you’re running a hybrid environment, multi-cloud strategy, or fully cloud-native architecture, BDS can now be deployed wherever your workloads live. Deploying the same detection capabilities across on-prem and cloud environments means one console, one set of policies, unified visibility—no more security silos.

Jumbo Frame Support: Don’t Let Big Packets Hide Big Threats

Standard Ethernet frames max out at 1,500 bytes (MTU), but Jumbo Frames can go much larger—up to 9,000 bytes or more. By packing more data into each frame, you reduce the number of frames needed and cut down on header overhead, which improves throughput and efficiency. If your security tools aren’t built to handle Jumbo Frames, they might drop or truncate these oversized packets during inspection. That means threats hidden in large payloads can go uninspected: malware embedded in file transfers, data exfiltration disguised in legitimate traffic, or exploit code split across large packets.

BDS 5.5 now fully supports Jumbo Frames up to 9300 bytes. You can enable or disable Jumbo Frame processing per interface, and your MTU settings persist across reboots. More importantly, BDS doesn’t just pass through these frames—it deeply inspects them, just like any other packet. As a result, no more missed threats hiding in oversized packets. Your detection coverage stays complete, even in high-performance networks where Jumbo Frames are the norm.

By giving you Integrated Response for instant containment, Broader Cloud Deployment for multi-cloud visibility, and Jumbo Frame Support for non-stop, high-speed inspection, BDS 5.5 makes your job easier and your network safer. For more details, reach out to your Hillstone Networks representative.

ADC 4.3: Smarter, Faster, and Built for Real-World Challenges
https://www.hillstonenet.com/blog/adc-4-3-smarter-faster-and-built-for-real-world-challenges/
Thu, 04 Dec 2025 16:00:00 +0000

Managing application delivery and security infrastructure can be tricky. That’s exactly what it’s been like for many network teams dealing with migrations, deployment constraints, and inflexible traffic routing.

We’ve listened to what’s keeping you up at night: the headaches of migrations, the limitations of deployment options, and the need for smarter traffic steering. This release tackles these pain points head-on with three features that don’t just check boxes—they actually solve real problems you’re facing in production environments. Our new ADC 4.3 release is here to change that conversation.

iRules Compatibility for Seamless Legacy ADC Migration

If you’ve worked with enterprise load balancers, you’re likely familiar with iRules—those powerful TCL-based scripts that define custom traffic handling logic. Originally popularized by F5 ADC platforms, these scripts have become an incredibly flexible way to manipulate everything from HTTP headers to connection behaviors with custom code. They’re now a cornerstone of many organizations’ application delivery strategies. Many companies have hundreds, sometimes thousands, of custom iRules that took years to develop and refine. They represent significant institutional knowledge and business logic. Manually converting them? That’s a nightmare scenario. It’s error-prone, time-consuming, and frankly, a project delivery killer. One wrong conversion can break critical application logic, and nobody wants to be the person who took down production during a migration.

Our ADC device now natively supports legacy TCL-based iRules by intelligently converting them into Lua-based aRules. You can import your original TCL scripts directly into the system—whether they’re from F5, homegrown implementations, or other platforms—and it handles the heavy lifting of conversion. Once converted, you can export or save these aRules for deployment. Bottom line: faster migrations, fewer risks, happier stakeholders, and the ability to preserve your investment in existing business logic.

SSLO L2 Transparent Deployment Mode

Layer 2 (L2) transparent deployment is exactly what it sounds like—your security device sits transparently on the network at the data link layer, inspecting traffic without requiring IP address changes or routing modifications. Network changes make people nervous—and for good reason. When you’re introducing SSL orchestration and security inspection into a production environment, the last thing you want is a complex deployment that requires routing changes, IP reconfiguration, or significant network topology modifications. L2 transparent mode is the path of least resistance.

ADC SSLO now fully supports service chain configuration in Layer 2 transparent deployment mode. This works for TCP, UDP, Any, and HTTPS virtual services. You can insert SSLO into your network topology without the deployment gymnastics, and traffic flows through your security service chains transparently. This enhancement improves solution adaptability across diverse customer environments and removes a significant barrier to adoption. More deployment options means more customers can say “yes” to SSLO without the usual procurement and implementation friction.

Service Chain Selection Based on Content Switching Rules

Content switching is the art of routing traffic intelligently based on what’s actually in the packets—not just where they’re coming from or going to. At Layer 4, this means looking at transport-layer characteristics like source/destination IPs and ports. It’s about making smart routing decisions based on traffic attributes rather than applying one-size-fits-all policies. Different traffic types need different security treatment, even when accessing the same services. Without granular service chain selection, you’re stuck with blanket policies that either under-protect some traffic or create unnecessary bottlenecks for others.

ADC 4.3 introduces Layer 4 content switching rules for service chain selection. You can now define matching conditions based on transport-layer attributes and route traffic to appropriate service chains accordingly. The system evaluates L4 characteristics and makes intelligent steering decisions in real-time. It’s more efficient—you’re not wasting inspection resources on low-risk traffic. It’s more secure—high-risk traffic gets the scrutiny it deserves. And it’s more flexible—you can tailor security enforcement to specific scenarios, user populations, or compliance requirements.

The iRules conversion capability removes barriers to migrating away from other ADC platforms. The L2 transparent mode expands where and how you can deploy SSLO. And content-based service chain selection gives you the precision control that modern security demands. Together, these features make ADC 4.3 a significant step forward in making application delivery and security orchestration less painful and more powerful. For more details, reach out to your Hillstone Networks representative.

StoneOS 5.5R12: Smarter Security, Simpler Operations
https://www.hillstonenet.com/blog/stoneos-5-5r12-smarter-security-simpler-operations/
Fri, 07 Nov 2025 16:00:00 +0000

If you’ve been managing enterprise security and network infrastructure for a while, you know the drill—endless policy updates, scattered dashboards, unreliable connections, and complex access controls. StoneOS 5.5R12 tackles these pain points head-on with four standout features that make your life easier and your network more secure.

External Dynamic List: Stop Manually Updating Every Firewall Policy

In cybersecurity, blocking malicious IPs is fundamental. Regulatory bodies and threat intelligence providers constantly publish updated lists of bad actors—IP addresses associated with malware, botnets, phishing campaigns, and more. If you’re managing multiple firewalls—maybe dozens across different sites—manually updating each one with the latest malicious IP lists becomes a full-time job. Miss one update, and you’ve left a door open. Make a typo, and legitimate traffic gets blocked. It’s time-consuming, error-prone, and frankly, unsustainable as your infrastructure grows.

In the new release, External Dynamic List changes the game by centralizing the entire process. Here’s how it works: you create a single list containing malicious IPs on a server, then reference that list in the destination address field of your firewall policy rules. That’s it. Update the IP file once on the server, and all associated firewalls automatically synchronize the changes and apply them to their security policies. The efficiency gains are immediate. Instead of touching every firewall individually, you manage one central source of truth. Your protection against malicious IPs stays current without the administrative headache. You get centralized resource management and dynamic policy updates that make your security posture more responsive and scalable. Plus, you eliminate human error from the equation—no more typos, no more forgotten devices.

iCenter Threat Overview: See Everything That Matters, Right Now

Modern security operations centers need situational awareness. You can’t protect what you can’t see, and when threats move at machine speed, having scattered information across multiple tools slows you down. A lightweight SOC solution should give you the full picture without overwhelming complexity.

The iCenter Threat Overview dashboard consolidates everything into one real-time view. You get threat distribution showing types and severities across your network, plus asset distribution highlighting which systems are most at risk. The threat analysis views dig deeper: attacker geographical distribution, top threat events, and rankings of top attackers and victims. It’s comprehensive without being cluttered. Situational awareness is the name of the game. Security teams can move from a broad overview down into specific details seamlessly. You can spot patterns faster—maybe most attacks are coming from a specific region, or perhaps one internal asset keeps showing up as a victim. This enables faster detection and better response times. Instead of hunting through logs and correlating data manually, you’re making informed decisions based on clear, consolidated intelligence.

SD-WAN Multi-Path Packet Duplication: Zero Loss, Low Latency for Critical Apps

In networking, packet loss is the enemy of reliability. For critical applications—think real-time financial transactions, voice calls, or industrial control systems—losing even a single packet can mean failed transactions, degraded quality, or operational disruptions. Traditional approaches rely on retransmissions, which add latency and don’t always solve the problem fast enough.

Multi-Path Packet Duplication takes a smarter approach. The transmit end duplicates packets and sends both the original and a copy over two high-quality links. If one link drops packets, the receive end uses the duplicates from the other link to restore the data—no retransmissions needed. This means better performance for your most important services, happier users, and fewer emergency troubleshooting sessions at 3 AM. For enterprises that can’t afford downtime or degraded performance, this feature delivers peace of mind.

Multiple ZTNA Instances on a Gateway: One Device, Many Identities

Zero Trust Network Access (ZTNA) has become the standard for secure remote access, replacing legacy VPNs with identity-based, application-level controls. The principle is simple: never trust, always verify. But implementing ZTNA across complex organizations with different user groups, authentication requirements, and security policies presents challenges.

In StoneOS R12, the Multiple ZTNA Instances on a Gateway feature lets you run multiple independent ZTNA instances on a single physical or virtual gateway. Each instance serves different user groups, and to those users, it feels like they have their own dedicated appliance, even though everything is consolidated on one gateway. The platform supports diverse AAA servers and authentication methods tailored to each instance. For example, internet-facing clients might authenticate using Active Directory credentials plus SMS verification, while intranet users rely on RADIUS with username, password, and hardware tokens. Each instance maintains its own policies, resource access controls, and user management, completely independent of the others.

Whether you’re protecting a growing business, managing infrastructure for multiple clients, or just trying to stay ahead of evolving threats, StoneOS 5.5R12 gives you the tools to work smarter, not harder. Because at the end of the day, security should protect your business—not consume all your time. For more details, reach out to your Hillstone Networks representative.

From Perimeter to Mesh: Hillstone’s Perspective on HMF Implementation
https://www.hillstonenet.com/blog/from-perimeter-to-mesh-hillstones-perspective-on-hmf-implementation/
Tue, 14 Oct 2025 16:00:00 +0000

The evolution of cybersecurity technology never ceases. When Gartner adjusted the traditional Network Firewall Magic Quadrant to the Hybrid Mesh Firewall (HMF) quadrant in 2024, this was not merely an update to evaluation criteria, but marked the entire cybersecurity industry’s entry into a new technological era.

This transformation reflects the deep-seated needs of enterprise digital transformation: from single-point perimeter defense to distributed collaborative defense, from static deployment to dynamic adaptation, from isolated operation to intelligent interconnection. As a veteran in the cybersecurity field, Hillstone Networks has long recognized this technological trend and made forward-looking investments in the HMF direction. We believe this evolution of industry standards provides a broader stage for all security vendors committed to technological innovation.

What is Hybrid Mesh Firewall (HMF)? — Beyond Traditional Boundaries

Traditional firewalls are built upon the concept of “perimeter,” with security protection between data centers and external networks as the core. However, driven by cloud computing, multi-cloud architectures, and distributed work environments, enterprise network boundaries have gradually blurred, requiring security protection to break through existing frameworks. If traditional firewalls are “gate guards,” then HMF represents a “distributed collaborative defense system.”

HMF was proposed precisely in this context. Its core characteristics include:

Unified Management: HMF achieves unified policy distribution, monitoring, and operations for firewall devices distributed across different locations and in different forms through centralized management platforms, completely breaking the siloed approach of traditional firewalls.

Collaborative Interconnection: Each node in the mesh is no longer an independent defense island, but an intelligent component capable of sharing threat intelligence and coordinating responses to security incidents. When one node detects a threat, the entire mesh can respond rapidly.

Hybrid Deployment: HMF supports hybrid deployment across physical devices, virtualization platforms, and cloud-native environments, providing consistent security protection experiences regardless of enterprise network architecture complexity.

Agile Elasticity: Facing rapid changes in business requirements and dynamic evolution of threat landscapes, HMF can quickly scale up or down and flexibly adjust protection strategies, truly achieving “security follows business wherever it goes.”

What Real Problems Can HMF Solve? — Customer Value and Scenarios

In the process of enterprise digital transformation, multi-cloud and hybrid architectures have become the norm. Correspondingly, security construction faces new challenges:

Multi-Cloud Unified Strategy: Enterprises often simultaneously use multiple public and private cloud platforms, making it difficult for traditional security devices to achieve unified cross-cloud management. HMF enables enterprises to enjoy consistent security experiences across different cloud platforms through centralized policy distribution.

Hybrid Network Management: With the proliferation of remote work and mobile offices, enterprise network boundaries have become increasingly blurred. Employees may work from home, at branch offices, or access applications in the cloud. HMF provides unified visibility of network-wide traffic, enabling security administrators to clearly understand the security status of every connection.

Elastic Scaling: During business peak periods, traffic surges can make traditional firewalls bottlenecks. HMF’s mesh deployment can flexibly add nodes based on demand, easily handling traffic spikes.

Hillstone’s HMF Solution — Ready and Empowering the Future

Hillstone Networks’ HMF solution is not simply a response to trends, but the result of years of technological accumulation. We have built a complete HMF ecosystem across three dimensions:

Unified Command Center: Intelligent Management Platform

The Hillstone Security Management (HSM) platform not only achieves unified visibility and centralized operations for security policies, logs, and events, but also provides rich integration capabilities, truly becoming the unified command center for enterprise security and networking. HSM supports unified management of various security devices including firewalls, ADC (Application Delivery Controllers), and WAF (Web Application Firewalls), enabling users to maintain policy consistency and management convenience even in complex multi-device environments. This cross-product-line management capability significantly reduces the complexity of enterprise security operations. HSM also integrates application-aware SD-WAN capabilities, intelligently identifying business application types and dynamically selecting optimal paths based on application importance and network conditions, significantly enhancing business experience and network reliability while ensuring security. This deep integration of “security + networking” makes HMF not just a security protection mesh, but a business assurance mesh.

Powerful Mesh Nodes: Complete Product Portfolio

Hillstone’s complete firewall product line ranges from data center-grade high-performance devices to lightweight branch office equipment, from physical appliances to virtualization solutions to cloud-native containerized components, comprehensively covering various HMF deployment scenarios. At the technical architecture level, Hillstone firewalls employ a fully parallel security operating system, achieving an efficient “single unpack, parallel processing” model that enables multiple security inspections to occur simultaneously, significantly improving processing efficiency and delivering high-performance security protection experiences. Meanwhile, the complete separation of data plane and control plane ensures that management operations do not affect data forwarding even under high loads, significantly enhancing system reliability. Hillstone’s self-developed ASIC chips provide hardware firewalls with ultra-low latency within 4.8 µs, 200% throughput performance improvement, 150% improvement in new connections per second, and 100% IPSec VPN performance enhancement, providing a robust performance foundation for the HMF mesh and ensuring stable and reliable protection capabilities even in large-scale deployment scenarios.

Collaborative Security Brain: Threat Intelligence and Services

Through deep integration of threat intelligence, security services, and AI technology, Hillstone has built an intelligent defense system with collaborative response capabilities. Hillstone’s accumulated threat intelligence network provides real-time threat data support for each node in the HMF mesh. When new threats are detected, intelligence can be synchronized across the entire mesh, achieving a “detect at one point, defend across the network” collaborative effect. This intelligence-driven defense mechanism significantly shortens the time window from threat discovery to network-wide protection. Hillstone’s AI Operations Assistant infuses this security brain with intelligent capabilities. It not only performs intelligent Q&A, security policy optimization, configuration assistance and troubleshooting, but also conducts deep threat analysis and response, anomaly behavior detection, and system optimization recommendations based on threat intelligence. The AI assistant transforms complex security operations work into simple conversational interactions, enabling security teams to respond to threats more rapidly and manage the entire HMF mesh more efficiently.

Continuous Evolution, Creating the Future Together

Hillstone’s HMF solution is built on core requirements: stable business operations, secure data, and compliance.

Ensuring Business Continuity: Through SD-WAN’s intelligent routing and HMF’s elastic scaling capabilities, critical business operations remain uninterrupted even when facing network fluctuations or traffic surges.

Reducing Security Risks: The collaborative threat intelligence network and mesh-wide rapid response mechanism enable enterprises to contain threats before they spread, significantly reducing the impact scope of security incidents.

Simplifying Operations Management: The unified management platform and AI operations assistant make complex multi-cloud and hybrid network environments manageable and controllable, significantly reducing the operational burden on security teams.

Supporting Compliance Requirements: Centralized policy management and complete audit logs help enterprises more easily meet various compliance standard requirements.

Hillstone’s HMF solution can truly help customers confidently address security challenges brought by digital transformation, complexity management of multi-cloud architectures, performance demands from rapid business growth, and increasingly stringent compliance pressures. We will continue to increase technology investment in the HMF field, continuously improve product capabilities, and work together with customers and partners to build a more secure, intelligent, and efficient cybersecurity protection system.

CloudArmour 1.0R5: Smarter Security, Stronger Defense
https://www.hillstonenet.com/blog/cloudarmour-1-0r5-smarter-security-stronger-defense/
Tue, 12 Aug 2025 16:00:00 +0000

If you’re in the business of protecting workloads in the cloud, you know how fast things move—and how critical it is to stay a few steps ahead. That’s why we’re excited to roll out CloudArmour 1.0R5, packed with new capabilities designed to close more gaps, act faster, and give you deeper visibility into what’s happening in your environment.

Intrusion Prevention Virtual Patching: Your Emergency Security Lifeline

Virtual patching is a method of shielding vulnerable systems without touching their underlying code. Instead of updating the software, it blocks exploit attempts at the network or host layer. Sometimes, you just can’t patch right away. Maybe the system is critical to operations, maybe the vendor hasn’t issued a fix, or maybe the upgrade path is too risky for now. But attackers don’t wait, and known vulnerabilities are easy targets. That’s where virtual patching steps in—as a critical stopgap.

CloudArmour now delivers intrusion prevention with virtual patching, automatically identifying known vulnerabilities and dynamically blocking attempts to exploit them—whether they’re coming through exploit payloads, known CVEs, or suspicious scanning behavior. It brings immediate protection that guards against high-risk and zero-day attacks before official patches arrive.

Runtime Application Self-Protection (RASP): Security That Lives Inside Your Apps

RASP secures applications from the inside out by monitoring and reacting to threats in real time as the app runs. It moves beyond traditional request analysis to understand what’s really happening in your code. Modern attacks often bypass traditional perimeter defenses. Customers are looking for security that’s baked in, not bolted on. And when applications are in production, security needs to be both real-time and adaptable.

We’re introducing runtime injection, allowing admins to embed protection into apps post-launch. Combined with real-time behavior monitoring, allowlist support, and custom response actions, CloudArmour RASP can stop logic-based and zero-day attacks right as they happen, thus allowing for real-time blocking and in-app visibility.

Enhanced Integration with Hillstone OpenXDR Platform: The Command Center Revolution

OpenXDR is Hillstone’s centralized security operations platform that unifies visibility across EDR, NDR, and other detection tools. The more integrated your tools are with it, the faster you can investigate and respond. Previously, CloudArmour only connected to OpenXDR for SSO purposes. That meant limited correlation, no host-level visibility, and no coordinated response. But that’s changing now.

We’ve expanded the integration to include host asset sync, threat intelligence sharing, and automated remote response in CloudArmour 1.0R5. Now the integration provides unified security context, one-click remediation, and streamlined operations.

With CloudArmour 1.0R5, we’re pushing runtime protection to the next level. Whether it’s shielding unpatched systems, embedding intelligence into your applications, or tightening the loop between detection and response, this release is all about being proactive, not reactive. For more details, reach out to your Hillstone Networks representative.

The post CloudArmour 1.0R5: Smarter Security, Stronger Defense appeared first on Hillstone Networks.

ADC 4.2 Is Here: Flexible, Smarter SSL Handling for a Safer Network
https://www.hillstonenet.com/blog/adc-4-2-is-here-flexible-smarter-ssl-handling-for-a-safer-network/
Mon, 02 Jun 2025 16:00:00 +0000

Let’s face it—managing encrypted traffic is no walk in the park. As businesses double down on security and privacy, SSL/TLS encryption is now everywhere. That’s great news for data protection, but it also means more complexity for traffic management and visibility. That’s exactly where ADC 4.2 steps in. This release brings a trio of powerful features designed to give you better control over your SSL orchestration, smarter traffic handling, and deeper insights through better health checks. Here’s what’s new—and why it matters.

Including TAP Mode Devices In SSL Orchestration: Visibility Without Disruption

SSL Orchestration (SSLO) allows decrypted traffic to be passed through a chain of security tools for inspection, filtering, or logging. While inline devices can block or act on threats in real time, TAP mode devices passively monitor traffic, which is critical for forensic analysis and threat detection. SSLO can now mirror decrypted traffic to TAP mode devices. This opens the door to deploying more flexible monitoring strategies, letting you observe encrypted traffic flows without risking disruption to your production services. It’s a win for visibility, and a win for operational agility—especially for teams looking to add tools or conduct live analysis without taking systems offline.

Intelligent Load Handling: Smarter Balancing, Seamless Continuity

When it comes to orchestrating traffic across multiple security devices, not every appliance has the same power or capacity. So why treat them all the same? ADC 4.2 introduces weighted load balancing for SSLO, giving you a smarter way to assign traffic based on the real-world capabilities of your infrastructure. With nine common balancing algorithms now available, you can match your architecture more closely and avoid overloading individual devices while others sit underused. This update also introduces conditional bypass logic, which adds an extra layer of resilience. If the number of active devices drops below a specified threshold, SSLO can now automatically bypass the service chain—keeping traffic flowing smoothly rather than causing a disruption. Of course, all state changes are logged, so you have a clear audit trail. It’s all about using your resources wisely and ensuring continuity, even when parts of the chain become unavailable.

SSL Health Checks: Accurate Monitoring for Encrypted Services

For enterprises that encrypt internal communications—especially those in finance, government, or large-scale corporate environments—monitoring service availability through encrypted protocols like SMTPS, IMAPS, or POP3S has always been tricky. TCP-level health checks for these services couldn’t really account for SSL-specific behavior. That meant potential blind spots in your monitoring and less reliable load balancing decisions.

ADC 4.2 introduces SSL-type health checks. These checks can be bound directly to a server-ssl-profile, making them fully aware of the actual encryption protocols in use. They can also detect SSL-level failures, providing far more accurate status data for your services. The result is smarter routing, better uptime, and health monitoring that truly reflects how your applications are functioning.

Every update in ADC 4.2 is rooted in real-world needs: better visibility, smarter orchestration, and more accurate insights into how your encrypted traffic behaves. For more details, reach out to your Hillstone Networks representative.
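The gap between a TCP-level and an SSL-level health check, as an added Python example (not Hillstone code or ADC configuration). The `ssl.SSLContext` passed to `tls_check` stands in for a server SSL profile, and the loopback listener is a constructed faulty backend that accepts TCP but answers in cleartext.

```python
import socket
import ssl
import threading


def tcp_check(host, port, timeout=2.0):
    """TCP-level check: healthy as soon as the three-way handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "tcp connect ok"
    except OSError as exc:
        return False, f"tcp connect failed: {exc}"


def tls_check(host, port, context, timeout=2.0):
    """SSL-level check: healthy only if a TLS handshake completes under the
    given SSLContext (protocol versions, ciphers, trust settings)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"handshake ok ({tls.version()})"
    except ssl.SSLError as exc:
        return False, f"tls handshake failed: {exc.reason}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


def start_plaintext_listener(connections):
    """Constructed faulty backend on loopback: accepts TCP but answers in
    cleartext, as a mail service whose TLS layer failed to load might.
    Serves `connections` clients, then closes. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        with srv:
            for _ in range(connections):
                conn, _addr = srv.accept()
                with conn:
                    try:
                        conn.sendall(b"220 mail.example.test ESMTP\r\n")
                        conn.settimeout(1.0)
                        conn.recv(4096)  # swallow whatever the client sent
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def compare_checks():
    """Run both checks against the faulty backend and return their results."""
    port = start_plaintext_listener(connections=2)
    context = ssl.create_default_context()
    return tcp_check("127.0.0.1", port), tls_check("127.0.0.1", port, context)


if __name__ == "__main__":
    tcp_result, tls_result = compare_checks()
    print("TCP check:", tcp_result)
    print("TLS check:", tls_result)
```

A load balancer relying on the TCP result alone would keep sending encrypted sessions to this backend.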

The post ADC 4.2 Is Here: Flexible, Smarter SSL Handling for a Safer Network appeared first on Hillstone Networks.

WAF 3.6 Enhances Security Without Compromising Performance
https://www.hillstonenet.com/blog/waf-3-6-enhances-security-without-compromising-performance/
Mon, 12 May 2025 16:01:55 +0000

The WAF 3.6 release packs some serious punch when it comes to precision targeting, monitoring capabilities, and operational stability. Let’s dive into what makes this release special and how these enhancements can benefit your security posture.

Client-ID-Based Blocking: Precision That Matters

Traditionally, WAFs rely on source IPs to block malicious traffic. But what happens when both attackers and legitimate users share the same public IP (like in NAT or CDN scenarios)? Blocking the entire IP could take down good traffic, leading to frustrating false positives.

WAF 3.6 introduces Client-ID-Based Blocking, a smarter way to handle malicious traffic. The WAF generates a unique Client ID and embeds it in the Set-Cookie header. For HTTP Flood attacks and scanner protection, blocking can now be applied at the Client ID level instead of to the entire IP. A site-specific Client ID blacklist records blocked sessions for better tracking. The result is fewer false positives and better accuracy, while maintaining security.

SNMP Monitoring for TPS & CPS: Real-Time Visibility for Proactive Security

Many security teams rely on external monitoring tools to track WAF performance. But without native SNMP support, getting real-time metrics like Transactions Per Second (TPS) and Connections Per Second (CPS) was tricky.

WAF 3.6 now supports SNMP-based monitoring, allowing real-time tracking of TPS & CPS passing through the WAF and seamless integration with third-party monitoring platforms, which leads to better performance insights and easier performance management.

Virtual Instance Management: Configuration Lockdown Instead of Restarts on LMS Disconnection

In previous versions, if a vWAF lost connection to the License Management Server (LMS) for over 30 days, it would automatically restart, potentially disrupting live traffic. That created a potential problem: unnecessary restarts causing downtime.

WAF 3.6 replaces forced restarts with a smarter lockdown approach. If the LMS disconnection lasts more than 30 days, the vWAF locks the configuration instead of restarting. Once reconnected, the configuration automatically unlocks. If the vWAF restarts within the 30-day window, the timer continues from the last lock. If it restarts after 30 days, an 8-hour grace period allows reconnection before locking again. As a result, configurations stay intact until LMS is back, and you can avoid unnecessary service interruptions.

With Client-ID-Based Blocking, SNMP Monitoring, and Enhanced vWAF Management, WAF 3.6 brings precision, visibility, and reliability to your security setup. For more details, reach out to your Hillstone Networks representative.

The post WAF 3.6 Enhances Security Without Compromising Performance appeared first on Hillstone Networks.

HSM 5.6.5 Release: Seamless Security, Smarter Management
https://www.hillstonenet.com/blog/hsm-5-6-5-release-seamless-security-smarter-management/
Fri, 09 May 2025 15:49:17 +0000

Security never sleeps, and neither do we. Our latest release, Hillstone Security Management Platform (HSM) 5.6.5, is designed to make your security infrastructure more resilient, adaptable, and easier to manage. Whether you’re dealing with high-availability setups, keeping up with ever-changing threats, or ensuring compliance through log management—this update has you covered.

High Availability Firewall Support: Eliminating Downtime Worries

Anyone who’s managed enterprise security knows that firewall continuity isn’t just a nice-to-have—it’s essential. Network interruptions, even brief ones, can lead to security vulnerabilities, lost productivity, and unhappy users.

In HSM 5.6.5, we’ve completely redesigned how our solution handles High Availability (HA) firewall operations. When an HA configuration disbands—whether during planned maintenance or unexpected outages—the system now performs comprehensive verification to ensure all essential services remain fully operational on the new master device. This verification process eliminates those anxiety-inducing “blind failovers” where you’re never quite sure if policies and services have transferred correctly. Upon HA reformation, the system intelligently associates HA devices based on whether the new primary device is linked to the required services. The result is seamless service continuity that keeps your security intact even during device transitions.

Signature Database Updates: Adapting to Your Network Reality

Security threats evolve at lightning speed. Without timely signature updates, even the most sophisticated security devices miss new malware variants, emerging exploits, or critical CVE patches. Many organizations face challenges with signature updates due to restricted network policies or segmentation requirements.

Our HSM 5.6.5 release addresses this with flexible signature database update options. It provides direct online updates—for environments with unrestricted internet access—enabling immediate protection against emerging threats, as well as proxy-based updates—for restricted or complex network environments where direct internet access isn’t permitted. This dual approach ensures you’re never caught with outdated signature databases, regardless of your network architecture.

Log Management: Automated, Reliable, Compliant

Ask any security professional about log management headaches, and you’ll likely hear war stories. Manual log exports, inconsistent archiving practices, and compliance nightmares can consume valuable time and create risk.

HSM 5.6.5 transforms log management with two automated capabilities. Scheduled Export lets you configure regular, automatic log exports that serve as reliable backups. FTP/SFTP Server Backup securely archives logs to designated storage locations without manual intervention. These capabilities dramatically reduce the operational burden on your security teams while ensuring you maintain comprehensive logs for compliance requirements.

HSM 5.6.5 represents our commitment to addressing real-world security challenges, from ensuring uninterrupted firewall protection through improved HA support to flexible signature updates and automated log management. For more details, reach out to your Hillstone Networks representative.

The post HSM 5.6.5 Release: Seamless Security, Smarter Management appeared first on Hillstone Networks.

WAF 3.5: Smarter Protection and Better Management
https://www.hillstonenet.com/blog/waf-3-5-smarter-protection-and-better-management/
Tue, 15 Apr 2025 01:21:05 +0000

When it comes to web security, staying ahead of evolving threats is a great advantage for organizations. Cyber threats evolve fast, and web application firewalls (WAFs) need to keep up. That’s why we’re excited to introduce WAF 3.5, packed with enhancements that make security stronger and management more efficient.

Mitigating Attacks Under TAP Mode: Blocking Without the Hassle

In the world of WAF deployment, there are two main categories: modes that block attacks, like inline or reverse proxy, and modes that only detect them, like bypass monitoring. Historically, if you wanted to block attacks, you had to deploy your WAF inline, which could be complex and disruptive to your network. But what if you could block attacks without being deployed inline? That’s where the new Bypass Blocking Mode comes in.

With the new Bypass Blocking Mode, the WAF can now actively terminate malicious TCP connections even in bypass mode. Here’s how it works: In this mode, the WAF is connected to a switch that mirrors traffic to its bypass interface. When a security policy with a “block” action is triggered, the WAF sends RST packets to both the client and server through its bypass control interface, effectively terminating the TCP connection and blocking the attack. This delivers web security with minimal network disruption.

Smart Client IP Identification: Because Knowing Who’s Who Matters

Accurate client IP identification is critical for effective security. Without it, you can’t properly enforce rate limiting, blocking, or other security rules. But in today’s complex networks—filled with proxies, load balancers, and mixed IPv4/IPv6 environments—identifying the true client IP can be a headache.

WAF 3.5 introduces enhanced X-Header parsing capabilities that are nothing short of revolutionary. It allows you to retrieve the client IP from a specific position in the X-Header, and use the X-Header IP as the client IP, even if it belongs to a different address family than the network layer IP. As a result, it provides better protection against IP-based attacks.
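Position-based client IP selection, as an added Python example (not WAF 3.5's implementation; the `position` parameter, function names and sample addresses are assumptions). It covers the mixed IPv4/IPv6 case and shows why the position is best counted from the end that your own proxies write to: entries to the left of those are supplied by the client.

```python
import ipaddress

# Constructed samples: the WAF's TCP peer is a load balancer at 10.0.0.5,
# which appends the CDN edge address; the CDN appends the address it saw.
PEER = "10.0.0.5"
XFF_NORMAL = "2001:db8::7, 203.0.113.10"
# Same path, but the client sent its own "X-Forwarded-For: 192.0.2.66" first.
XFF_PREPENDED = "192.0.2.66, 198.51.100.23, 203.0.113.10"


def parse_xff(value):
    """Split an X-Forwarded-For value into addresses, leftmost first.

    Unparseable entries become None so that positions stay stable.
    """
    chain = []
    for raw in value.split(","):
        token = raw.strip().strip('"')
        if token.startswith("["):        # "[2001:db8::7]:443"
            token = token[1:].split("]", 1)[0]
        elif token.count(":") == 1:      # "203.0.113.9:51234"
            token = token.split(":", 1)[0]
        try:
            chain.append(ipaddress.ip_address(token))
        except ValueError:
            chain.append(None)
    return chain


def client_ip(peer_ip, xff_value, position):
    """Pick the client IP from a fixed position in X-Forwarded-For.

    position (hypothetical parameter): 1 = leftmost entry, -1 = rightmost.
    Falls back to the network-layer peer address when the header is absent,
    the position does not exist, or the entry is not a valid address.
    Returns (address, source) where source is "xff" or "peer".
    """
    peer = ipaddress.ip_address(peer_ip)
    chain = parse_xff(xff_value) if xff_value else []
    index = position - 1 if position > 0 else position
    if position != 0 and -len(chain) <= index < len(chain):
        picked = chain[index]
        if picked is not None:
            return picked, "xff"
    return peer, "peer"


if __name__ == "__main__":
    # Two trusted hops wrote the last two entries, so the client is at -2.
    print(client_ip(PEER, XFF_NORMAL, -2))      # IPv6 client behind an IPv4 peer
    print(client_ip(PEER, XFF_PREPENDED, 1))    # leftmost: client-supplied value
    print(client_ip(PEER, XFF_PREPENDED, -2))   # address the CDN actually saw
    print(client_ip(PEER, None, -2))            # no header: peer address
```

Rate limiting or blocking keyed on the leftmost entry would act on whatever address the client chose to send, while the right-anchored position tracks the address recorded by the first trusted hop.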

HSM Integration: One Platform to Rule Them All

Managing multiple WAFs across your network can be a logistical nightmare. Keeping track of firmware versions, licenses, and threat statuses is time-consuming and error-prone.

WAF 3.5 now integrates seamlessly with HSM, allowing you to view the posture and threat status of all managed WAFs from a single dashboard, manage service pools, licenses, and firmware upgrades, and perform operations like database upgrades and configuration changes across multiple devices. It helps you get a clear, unified view of your WAF infrastructure.

WAF 3.5 represents a step forward in web application security. From the innovative Bypass Blocking Mode to smart client IP identification and centralized management, these features address real-world challenges that security professionals face every day. For more details, reach out to your Hillstone Networks representative.

The post WAF 3.5: Smarter Protection and Better Management appeared first on Hillstone Networks.
