Stormshield SN series Configuration Manual


GUIDE
STORMSHIELD NETWORK SECURITY
SNS - USER CONFIGURATION MANUAL
SN Range
Date: November 2016
Version: V 3
Details: Creation
Reference: sns-en-user_configuration_manual-v3



Summary of Contents for Stormshield SN series

  • Page 2: Table Of Contents

    FTP protocol ADMINISTRATORS “HTTP block page” tab “Administrators” tab Block page tabs Possible operations Editing block pages Table of privileges CERTIFICATES AND PKI “Administrator account” tab Possible operations ANTISPAM Search bar “General” tab Page 2/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 3 Network Alarms DYNAMIC DNS Resources List of Dynamic DNS profiles License Configuring a profile Hardware Properties DNS resolution New applications Dynamic DNS service provider Services Advanced properties Active Update E-MAIL ALERTS Interfaces
  • Page 4 If you have chosen to create a cluster 148 INTERFACES If you have chosen to join a cluster 148 Step 3: Cluster’s pre-shared key and data encryption Operating mode between interfaces Advanced mode
  • Page 5 User monitoring Creating a GRETAP interface Connection monitoring Modifying a GRETAP interface Route monitoring “Configuration of the interface” tab “Advanced properties” tab NETWORK OBJECTS Converting an interface to link aggregation (LACP) Possible actions
  • Page 6 RTSP features “IPS” tab Support “Proxy” tab “SMTP Commands” tab SIP commands “Analyzing files” tab Maximum size of elements (bytes) "Sandboxing" tab SIP session parameters POP3 SIP protocol extensions “IPS - PROXY” tab
  • Page 7 Sending of SNMPv2c alerts (traps) Class-based queue (CBQ) Sending of SNMPv1 alerts (traps) Monitoring queue MIBS and Traps SNMP Priority queue Stormshield Network SNMP event and alert Available queues (traps) format Examples of application and usage Management information bases (MIBs) recommendations...
  • Page 8 Operating principle “Member of these groups” tab Configuring a profile VIRTUAL INTERFACES SSL VPN services on the Stormshield Network web portal Creating or modifying an IPSec interface (VTI) Accessing your company’s web sites via an SSL tunnel Button bar Accessing your company’s resources...
  • Page 9 DNS name (FQDN) Network Port Port range Protocol Incident resolution - Common errors 401 HOW TO: IPSec VPN - Authentication by certificate Implementation Configuring the main site Configuring remote sites A and B
  • Page 10 Host group, IP address group or network group Service group GLOSSARY
  • Page 11: Welcome

    Stormshield reserves the right to revise this document, to remove sections or to remove this whole document at any moment without prior notice.
  • Page 12: Security Watch

    WELCOME Backed by the Common Criteria, Stormshield Network advises taking into consideration the recommendations of use for the Administration Suite and Firewall product stated below. These recommendations set out the usage requirements by which to abide in order to ensure that your Firewall operates within the context of the common criteria certification.
  • Page 13: Human Media

    Example no DHCP, DNS, PKI, application proxies, etc.* Stormshield Network appliances are not configured to forward IPX, Netbios, AppleTalk, PPPoE or IPv6 information flows. Firewall-VPN appliances do not depend on external “online” services (DNS, DHCP, RADIUS, etc.) to apply the information flow control policy.
  • Page 14 The usage mode subject to evaluation excludes the fact that the TOE relies on services other than PKI, DNS and DHCP servers and proxies. The optional modules provided by Stormshield Network to manage these services are disabled by default and have to stay that way.
  • Page 15: User Awareness

    This certificate can either be the appliance’s default certificate or the certificate entered during the configuration of the appliance (Authentication > Captive portal). The name (CN) of the appliance’s default certificate is the appliance’s serial...
  • Page 16: User Password Management

    Therefore to confirm the integrity of an appliance, the NETASQ and Stormshield certificate authorities must be added to the browser’s list of trusted certificate authorities before the initial connection. These...
  • Page 17: Work Environment

    To round up this chapter on creating user awareness of network security, the administrator has to tackle the management of user access. In fact, a Stormshield Network Firewall’s authentication mechanism, like many other systems, is based on a login/password system and does not necessarily mean that when the application enabling this authentication is closed, the user is logged off.
  • Page 18 Remind users to lock their sessions before they leave their workstations unattended. This seemingly tedious task can be made easier with the use of authentication mechanisms which automate session locking (for example, a USB token). Page 18/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 19: Access Privileges

    Click on Apply to confirm your configuration. SSL VPN: The SSL VPN allows setting up a secure tunnel (peer authentication, encryption and/or verification of data integrity) between two hosts, between a host and a network, or between two...
  • Page 20: Sponsorship

    A search field in which keywords/letters can be entered will allow you to find relevant users. Configuration table: This table allows assigning access privileges to your users or user groups, with regards to SSL VPN and IPSec VPN parameters. The table contains the following columns:
  • Page 21 REMARKS When you add lines to the table without having set up any rules, the columns Authentication, SSL VPN and IPSEC will be set to “Deny” by default, even if you have Page 21/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 22: "PPTP" Tab

    Modify user password: Select the line containing the user whose password you wish to modify and enter the new data in the window that appears. NOTE: A login consisting only of uppercase letters can be entered.
  • Page 23: Active Update

    Update servers of the Stormshield Network URL database If the Stormshield Network URL database has been selected as the URL database provider (menu Object > Web objects, URL database tab), servers other than Stormshield Network servers can be entered.
  • Page 24: Audit Logs

    USB key or an external hard disk. For more information, refer to the Guides PRESENTATION AND INSTALLATION OF NETASQ PRODUCTS U SERIES – S Models or PRESENTATION AND INSTALLATION OF STORMSHIELD NETWORK PRODUCTS SN Range, available in your private area, under the section Documentation.
  • Page 25: Logs

    Select a filter to launch the corresponding search. The list will suggest filters that have been saved previously and, for certain Views, predefined filters. Selecting the entry (New filter) resets the filter so that the criteria can be selected again.
  • Page 26 Number of logs displayed in the page, Period covered by the logs shown in the page, The UTM’s date and time (information that will be useful if the administrator’s workstation does not have the same settings). Page 26/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 27: Interactions

    Save the object in the database if it is an IP address, Select the appropriate object if the IP address corresponds to several objects, Add it to an existing group. This group may correspond to a quarantine of predefined vulnerable objects.
  • Page 28: Views

    This view displays Network connections, Application connections, and HTTP proxy logs according to certain categories: The Network connections logs only display logs whose standard service corresponding to the destination port is HTTP, HTTPS or HTTP_PROXY.
  • Page 29: Logs

    The list of logs displayed in the menu and the name of the corresponding log file is shown below:
    Administration: l_server
    Alarms: l_alarm
    Authentication: l_auth
    Network connections: l_connection
    Filtering: l_filter
    FTP proxy: l_ftp
    SSL VPN: l_vpn
    Application connections: l_plugin (plugin)
    POP3 proxy: l_pop3
    SMTP proxy: l_smtp
    SSL proxy: l_ssl
  • Page 30 25 hours. Likewise, if a search is launched for a common time, the search will be conducted in all logs, meaning before and after the change of time on the appliance. Page 30/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 31: Administrators

    There can only be one “superadministrator” with the following characteristics: The only administrator authorized to log on via the local console on Stormshield Network appliances, and only during the installation of the firewall or for maintenance operations outside of normal production use.
  • Page 32: Table Of Privileges

    If you wish to apply a modification immediately, you will need to force the disconnection of the administrator in question (for example using the CLI command: monitor flush user...
  • Page 33 Privilege to perform maintenance operations (backups, restorations, modify, base, updates, Firewall shutdown and reboot, antivirus update, modification maintenance of antivirus update frequency and RAID-related actions in Stormshield Network Realtime Monitor) Intrusion prevention Privilege to modify Intrusion prevention (IPS) configuration modify, base, Page 33/448 sns-en-user_configuration_manual-v3 - Copyright ©...
  • Page 34: "Administrator Account" Tab

    You are strongly advised to use uppercase letters and special characters. NOTE Stormshield Network uses asymmetrical encryption, meaning that it uses a key pair consisting of a public key, used for encrypting data, and a private key, used for decryption. The advantage of using this system is that it removes the problem of securely transmitting the key and allows electronic signatures.
  • Page 35 By clicking on this button, you will save the private key associated with the admin account on your workstation. Export firewall’s public By clicking on this button, you will save the public key associated with the firewall on your workstation. Page 35/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 36: Antispam

    300, it will be high. If you have indicated a moderate level of trust for this option, all e-mails of moderate and high level (above 200) will be rejected whereas those from 100 to 200 will be kept.
  • Page 37: Advanced Properties

    To delete a configured server, select it in the list and click on Delete. NOTE: RBL servers in Stormshield Network’s native configuration are marked with a padlock symbol, which differentiates them from customized servers. Reminder: Active Update only updates the list of these native servers.
  • Page 38: "Whitelisted Domains" Tab

    “unwantedness”. Threshold (maximum 5000): E-mails that obtain a value greater than or equal to the threshold set will be considered spam. Stormshield Network’s default value is 200. This section enables the definition of a threshold to apply. By modifying the score, the minimum value of the 3 trust thresholds will be modified.
  • Page 39 Domain names can contain alphanumeric characters, as well as "_", "-" and ".". Wildcard characters "*" and "?" are also allowed. The length of the domain name must not exceed 128 characters. Page 39/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 40: Antivirus

    Once the database has been downloaded, the antivirus will be enabled. Parameters - Analysis of ClamAV files: In this menu, the types of files that need to be scanned by the Stormshield Network firewall antivirus service are configured. Analyze compressed files: This option enables the decompression engine (Diet, Pkite, Lzexe, Exepack…).
  • Page 41: Applications And Protections

    Ctrl key. Some column titles have the icon . When you click on it, a menu appears and suggests assigning a setting to several selected alarms (Action, Level, New and Advanced).
  • Page 42 “Enter”. Filter This list contains several protocols and services covered by the alarms. You can sort them and display only the alarms that belong to the following categories: Page 42/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 43: The Various Columns

    Three alarm levels are available: "Ignore", "Minor" and "Major". Allows viewing new alarms, represented by the icon Context: id Alarm name. The icon represents alarms deemed sensitive. Refer to the paragraph below for further information.
  • Page 44: View By Context

    Place the machine under quarantine: the packet that caused the alarm will be blocked with the following parameters. To remove a packet from quarantine, use Stormshield Network Realtime Monitor. for a period of (minutes): duration of the quarantine...
  • Page 45 The “new” status of alarms can be removed by clicking on Approve new alarms described in the previous chapter. You can also Search in alarms by typing letters or words in the appropriate field. Page 45/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 46: Authentication

    The button Add a method opens a drop-down list that offers a choice of 8 authentication methods that you can Delete if necessary. These methods are:
  • Page 47 In order for the chain to be correctly applied, it is important that you insert every link in the whole chain of authorities between the highest authority you have inserted to the authority just above the user certificate. Delete Deletes the selected certificate authority. Page 47/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 48 This protocol is equipped with a server linked to an identification database (e.g. LDAP directory). The Stormshield Network firewall can act as a RADIUS client and can therefore address authentication requests for users wishing to pass through the Firewall, to an external RADIUS server.
  • Page 49 (this name corresponds to the name indicated in the Stormshield Network script that comes with the installation hardware). The Service name will be the serial number preceded by “HTTP/”. Example: HTTP/U70XXAZ0000000 For firewalls in high availability, since the identifier has to be the same for both appliances, you are advised to use the name of the authentication portal’s certificate (CN) entered in the Captive...
  • Page 50 Windows service that allows Stormshield Network firewalls to benefit from a seamless authentication on Windows Active Directory. Please refer to the technical note Stormshield Network SSO Agent - Installation and deployment for instructions on how to install this application.
  • Page 51 The firewall will then delete the user associated with this host from its table of authenticated users. This duration defined in seconds, minutes or hours, is set by default to 5 minutes. Page 51/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 52 This duration is to be defined in minutes, hours or days. It is set by default to 240 minutes, or 4 hours. Page 52/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 53: "Authentication Policy" Tab

    Move up: Places the selected line before the line just above it. Move down: Places the selected line after the line just below it. Cut: Allows you to cut an authentication rule in order to move it.
  • Page 54: New Rule

    The authentication methods are evaluated in the order in which they appear on the list and from top to bottom. As the SSO agent method is transparent, it is by definition always applied as a priority. To enable the new rule, double-click on the status “Disabled”.
  • Page 55: "Captive Portal" Tab

    If the Enable captive portal checkbox was not selected in the chosen profile, the name of the profile will follow the icon. Default method or directory: The authentication method or the directory associated with the selected profile will automatically appear.
  • Page 56: Ssl Server

    Users can indicate in their web browsers the automatic configuration script located at https://<if_firewall>/config/wpad.dat. Captive portal - Hide the header (logo): This option makes it possible to hide the Stormshield Network banner (this is the Stormshield logo by default) when the user authenticates on the captive portal, for confidentiality reasons.
  • Page 57: "Internal Interfaces" And "External Interfaces" Tabs

    User enrolment Stormshield Network offers web-based user enrolment. If the user attempting to connect does not exist in the user database, he may request the creation of his account via web enrolment. For certificate requests (CSR) by the user, they will be signed by the certificate authority (CA) chosen by default in the menu Certificates and PKI.
  • Page 58 The user must indicate his agreement to the terms by for internet access selecting the relevant checkbox before being able to authenticate. These conditions can be customized in the “Captive portal” tab. NOTE Page 58/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 59: Transparent Or Explicit Http Proxy And Multi-User Objects

    If an object is added to or deleted from the list of Multi-user objects , ensure that no authentication process relating to this object has been saved. Using Stormshield Network Realtime Monitor, check the use of this object in the User module and delete the authentication of any authenticated users by right-clicking on them –...
  • Page 60: Explicit Proxy

    In explicit mode, the browser is configured to send its requests to the firewall's proxy. HTTPS traffic is then carried through the HTTP CONNECT method: the proxy opens a tunnel to the destination, and the TLS session itself is negotiated end to end between the client and the server rather than with the proxy.
  • Page 61: Block Messages

    Contents of the e-mail This field allows modifying the text of the message received when a virus is detected in an e-mail. Example: Your Stormshield Network firewall has detected a virus in this e-mail - the embedded antivirus has cleaned it; infected attachments were removed.
  • Page 62: Block Page Tabs

    $url_rule: Number of the block rule in the URL filter policy. $url_policy: Number of the URL filter policy. To display the full URL, both variables need to be concatenated as follows: $host$url
  • Page 63 Images embedded in the HTML page have to be encoded in base64 and contained in the image tag. This code embeds various versions of the page’s message and information about the e-mail notification. Page 63/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 64: Certificates And Pki

    For the use of the SSL VPN feature, the CA (certificate authority) “SSL VPN-full-default-authority” includes a server certificate “openvpnserver” and a user certificate “openvpnclient”. This allows the client and the Stormshield Network firewall’s SSL VPN service to identify each other without relying on an external authority.
  • Page 65: Add

    Check certificate use), Confirm the deletion of the private key (click on Confirm deletion). REMARK This action is not available (grayed-out option) when the selected certificate does not have a private key.
  • Page 66: Download

    The ‘downloads’ menu will also offer the export of a certificate revocation list (CRL) in PEM or DER format. NOTE Any issues encountered during this procedure are beyond Stormshield Network’s competence. Check usage You can look for the features or modules that use the selected certificate.
  • Page 67: Adding Authorities And Certificates

    For sub-CAs, these fields are already pre-filled, and unless you modify the configuration, not all of this information can be changed later. Organization (O): Name of your company (e.g. COMPANY). Organizational Unit (OU): "Branch" of your company (e.g. INTERNAL).
  • Page 68 Even though large keys are more effective, you are advised against using this key with entry-level appliances as this will mean the key will take a long time to be generated. NOTE The computation of big keys may slow down your Stormshield Network appliance. Page 68/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 69 (optional). The maximum lifetime of certificates has been increased to ten years. Page 69/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 70 Smartcard certificates and server certificates. Adding a user certificate In the configuration wizard, the administrator will specify information relating to the user for whom he wishes to create a certificate, by entering the user’s e-mail address. Page 70/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 71 Click Finish. By clicking on the relevant certificate, detailed information about it will be displayed on the right side of the screen in a single tab: Page 71/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 72 In the case of a website, it allows checking that the URL and its DN (domain name) belong to the stated company. Define the properties of the server certificate through the wizard. Page 72/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 73 Even though this field is not mandatory, you can indicate here a shortcut to your CN, which will come in handy for your command lines. Example Stormshield Network (owner of the FQDN) Proceed in the same way as for adding a user certificate or a Smartcard certificate: Specify the various options for your server certificate.
  • Page 74 PKI Click on Next. You will see a summary of the data regarding the import of your file (its name, format and items to import). Click on Finish. Page 74/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 75: Cli Console

    LIST: Displays the list of connected users, showing user privileges (by level) and privileges for the session in progress (SessionLevel). A further command group allows viewing the Stormshield Network multifunction firewall’s activity logs and groups 6 commands. MODIFY: This command is a specific privilege that allows the user to modify the configuration of a module, in addition to reading privileges.
  • Page 76 If you enter the CONFIG command, all commands relating to it will appear on the screen. To use one of these commands, enter “CONFIG” in the data entry zone, followed by a space and the desired command, such as: “CONFIG HA”. Page 76/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 77: Configuration

    Enabling the “ANSSI Diffusion Restreinte (DR)” mode requires rebooting the firewall. NOTE: Enabling this mode tends to lower performance on SN150, SN200, SN300, SN500 and SN700 models.
  • Page 78: Password Policy

    If this option is selected, your firewall will automatically be synchronized with the local time. NOTE The date and time to which your Stormshield Network firewall is set are important – they allow you to locate events in the log files. They are also useful in the scheduling of configurations.
  • Page 79: Hardware

    OnTimer bypass: when the product has to handle too many connections, this bypass will be activated after a period defined in the configuration of Safety mode. Once the bypass has been activated, the firewall administrator can then reset Safety mode.
  • Page 80: Advanced Properties

    Domain name (FQDN) Enter a fully qualified DNS name for the firewall (e.g.: firewall.company.org). This field is only accessible when the "Specify a domain name (FQDN)" value has been selected in the Redirect to the captive portal field.
  • Page 81: "Firewall Administration" Tab

    Authorized administration host that will be able to log on to the administration interface. This object may be a host, host group, network or address range. Delete: Select the line to be removed from the list and click on Delete.
  • Page 82: Remote Ssh Access

    This field allows specifying the object corresponding to the server that the firewall will use as a proxy. Port: This field allows specifying the port used by the firewall to contact the proxy.
  • Page 83: Dns Resolution

    Delete: Select the line to be removed from the table and click on Delete. Move up: Moves the selected line above the previous line. Move down: Moves the selected line below the next line.
  • Page 84: Configuration Of Monitoring

    These queues must be defined beforehand in the Security policy > Quality of service module. The table contains the following columns: Name: Select from the drop-down list the QoS queue that needs to be monitored.
  • Page 85: Dashboard

    Configuration This section is presented as a directory of the menus and their modules, replaced with a keyword search bar. 9 sub-menus are available (click on them to expand):
  • Page 86: The Dynamic Area: Widgets

    , this tool allows you to refresh the data on the dashboard or the widget concerned. Open Represented by the icon , this tool opens the module associated with the widget you are browsing and as such, closes the dashboard.
  • Page 87: Network

    (see section The module configuration menu). Network This window displays the model of your Stormshield Network multifunction firewall as well as the number of interfaces available on it (32 maximum). The interface(s) used appear(s) in green. When the bypass mechanism is enabled (industrial...
  • Page 88: Resources

    The widget offers a view of licenses of warranty and options by expiry date. These options are: Update (firmware), Contextual protection signatures, Vulnerability Manager, ClamAV Antivirus, Kaspersky Antivirus, Stormshield Network URL databases, Extended Web Control URL databases, Antispam DNS blacklists (RBL), Antispam: heuristic engine, License expiry.
  • Page 89: Properties

    Profile applied for the filter and NAT policy. A “Collapse/Expand” button has been added for filter rules. Status of the VPN on your network. Dynamic DNS Status of the dynamic DNS client.
  • Page 90: New Applications

    Stormshield Management Center If you have installed the Stormshield Management Center centralized administration server, this panel will allow you to display the characteristics of the firewall's connection to the SMC server.
  • Page 91: Sandboxing

    If your firewall has the sandboxing option, this panel will allow you to show the status of the connection to the service as well as the latest scan statistics. Status of the service Indicates the status of the connection between the firewall and the Stormshield sandboxing servers. Criticality of the last...
  • Page 92: Dhcp

    In order for a DHCP server to provide IP addresses, an address pool from which the server can pick addresses has to be configured. Action buttons To add or delete address ranges, click on Add or Delete.
  • Page 93: Reservation

    The table displays the host objects for which addresses have been reserved: these objects must always be defined using an IPv4 address and their MAC address. Indeed, the MAC address will be used as the client’s unique ID for obtaining or renewing its reserved IP address.
  • Page 94: Advanced Properties

    (Internal interfaces and External interfaces tabs in the menu Configuration > Users > Authentication). Update DNS server information: If this option has been selected, DNS servers will be dynamically updated when entries contained in the DHCP server are modified. Assigned lease time...
  • Page 95: "DHCP Relay" Service

    The DHCP server has to be configured in such a way that it can distribute IP addresses to clients that pass through the relay. Action buttons
  • Page 96 In order to add or delete listening interfaces, click on Add or Delete. Adds a row to the table and opens a drop-down list of the firewall’s interfaces in order to select an interface. Delete Allows deleting one or several listening or outgoing interfaces. Page 96/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 97: Directories Configuration

    Check usage of a directory in the firewall's configuration. Creating an internal LDAP This type of directory is hosted by your Stormshield Network multi-function firewall, and your information is stored in it once the LDAP directory is created.
  • Page 98: Step 1: Selecting The Directory

    Name of your company (e.g.: COMPANY). Domain: The country in which your company is located (e.g.: fr). Password: Definition of the Stormshield Network Admin password. Confirm: Confirmation of the LDAP administration password that you have just entered in the previous field.
  • Page 99: Connecting To An External LDAP Directory

    Connecting to an external LDAP directory The external LDAP is a directory to which your Stormshield Network multi-function firewall will connect. Step 1: Selecting the directory Select the LDAP base of your choice. This is the first step in the configuration of this directory.
  • Page 100: External LDAP Directory Screen

    ) to search for the corresponding CA. NOTE This option will be grayed out by default if the previous option “Check that the name of the server matches the FQDN in the SSL certificate” was not selected.
  • Page 101 Some authentication methods (such as LDAP) have to store the user’s password in the form of a hash (result of a hash function applied to the password) which will avoid having to store the password in plaintext. You have to select your desired hash method from the following:
  • Page 102 (See menu Users\Authentication module\Available methods tab: the authentication method Certificate (SSL) has to be added and the CA indicated in the right column “Certificate authorities (C.A)”.) Click on Apply to confirm your configuration.
  • Page 103: Connecting To A PosixAccount External LDAP Directory

    Click on Finish to display the external LDAP directory screen. External LDAP directory screen: Once the configuration of the LDAP directory is complete, you will arrive at the external LDAP screen which sets out the following items:
  • Page 104 LDAP server account to check user authentication on the directory: when the user authenticates. Otherwise, the firewall will use the user's account to perform this verification. Click on Apply to confirm your configuration.
  • Page 105 Open Directory: directory of websites under license of Open Directory. External directory: This column represents the value given to the attribute in the external directory. For PosixAccount LDAP directories, the Stormshield attribute member will have the value memberUid. Advanced properties. Protected characters: For some external servers, a \ has to be added so that LDAP requests will be taken into account.
  • Page 106: Connecting To A Microsoft Active Directory

    Select the option Connect to a Microsoft Active Directory and click on Next. Step 2: Accessing the directory. Name: Name enabling the identification of the Microsoft Active Directory when several directories have been defined on the firewall.
  • Page 107: Microsoft Active Directory Screen

    If this option is not selected, access will not be encrypted. Check the certificate against a Certification Authority: During a connection to the LDAP database, the firewall will check that the certificate has been issued by the Certification Authority specified below.
  • Page 108 Advanced properties. Protected characters: For some external servers, a \ has to be added so that LDAP requests will be taken into account. Password hash: The password encryption method for new users.
  • Page 109 (See menu Users\Authentication module\Available methods tab: the authentication method Certificate (SSL) has to be added and the CA indicated in the right column “Certificate authorities (C.A)”.) Click on Apply to confirm your configuration.
  • Page 110: DNS Cache Proxy

    The maximum size allocated to the DNS cache depends on your firewall’s model. Transparent mode (intercepts all DNS …): As its name implies, the purpose of this option is to make the Stormshield Network Firewall’s DNS service transparent. As such, when this option is enabled, the...
  • Page 111 Random querying of domain name servers: If this option is selected, the firewall will select the DNS server at random from the list (see menu System>Configuration module/Network settings tab/DNS Resolution panel).
  • Page 112: Dynamic DNS

    Subscribing to the Wildcard range is necessary in order to benefit from this feature. Dynamic DNS service provider: This zone allows you to enter the access information for your Dynamic DNS service provider.
  • Page 113: Advanced Properties

    Access the settings for advanced properties by clicking on the button Advanced properties. These allow, in particular, renewing registrations and changing addresses. Renewal frequency (days): Renewal period of the Dynamic DNS service. Stormshield Network has set this period to 28 days by default.
  • Page 114: E-Mail Alerts

    DNS domain: This is useful for indicating the domain name of the e-mail sender. The e-mail address of the sender will therefore be expressed as follows: <firewall_name>@<domain_name>. E-mail sending frequency (in minutes)
  • Page 115: Intrusion Prevention Alarms

    Selection of the group that will receive major and minor system events. REMARK The status of system events can be viewed in a module of the same name: In the menu, go to Notifications>System events.
  • Page 116: "Recipients" Tab

    Check use: The Check use button allows checking if a group of e-mail is used in the different modules of the firewall’s configuration.
  • Page 117: "Templates" Tab

    Accept the user request: e-mail template specifying that the enrolment request has been approved by the administrator. Reject the user request: e-mail template specifying that the enrolment request has been rejected by the administrator.
  • Page 118: List Of Variables

    Example of a report received by e-mail regarding alarms:
    Type: Minor
    Action: Block
    Date: 2010-10-11 15:08:32
    Interface: dmz2
    Protocol:
    Source: 10.2.18.5:55987 (ed:ephemeral_fw_tcp)
    Destination: 66.249.92.104:80 (www.google.com)
    Description: SQL injection prevention: suspicious instruction OR in the URL
  • Page 119: Enrolment

    Stormshield Network’s web enrolment service allows “unknown” users in the user database to request the creation of their access accounts (internet, mail server, all services that require authentication) and their certificates. This module requires at least the use of an LDAP database for user requests and a root CA (internal PKI) for user certificate requests.
  • Page 120: Advanced Properties

    This option allows sending an e-mail to the user to inform him that his enrolment request has been approved or rejected. When approving/rejecting a user's certificate request: This option allows sending an e-mail to the user to inform him that his certificate request has been approved or rejected.
  • Page 121: Filtering And Nat

    Policies: This section allows you to select and manipulate Filter policies and NAT policies.
  • Page 122: Selecting The Filter Policy

    Application scans will however be applied. This policy should only be used for testing. NOTE You can Rename these policies and modify their configuration whenever you wish (see below).
  • Page 123: Possible Operations

    Means that the operation is possible. Means that the object cannot be added to the chosen cell. “Filtering” tab: Stormshield Network’s intrusion prevention technology includes a dynamic packet filtering engine (“stateful inspection”) with rule treatment optimization that allows the application of filter...
  • Page 124: Actions On Filter Policy Rules

    Actions on filter policy rules. Search: This field allows performing searches by occurrence, letter or word. Example: If you enter “Network_internal” in the field, all filter rules containing “Network_internal” will be displayed in the table.
  • Page 125 To allow a policy on a firewall hosted in the cloud to be similar to a policy on a physical appliance, the listening port of an explicit HTTP proxy can be configured on a port other than the default port (8080/TCP). Click on Finish. Delete: Deletes the selected line.
  • Page 126: Filter Table

    IP packet. Place them in the right order so that you obtain a coherent result. It is therefore important to define rules from the most restrictive to the most general. The filter table contains the following columns:
  • Page 127 This zone refers to the action applied to the packet that meets the selection criteria of the filter rule. To define the various parameters of the action, double-click in the column. A window containing the following elements will appear: “General” tab. General
  • Page 128 It will be encrypted again after the scan (if it is not blocked by any rule). Log only: The Stormshield Network firewall does not do anything. This is useful when you wish to log only certain types of traffic without applying any particular action. In this case, filter rules will continue to be evaluated as no action (Block or Pass) has been applied on the traffic.
  • Page 129 Connection fairness: bandwidth will be distributed evenly between connections. Connection threshold The Stormshield Network firewall may limit the maximum number of connections accepted per second for a filter rule. The desired number can be defined for protocols corresponding to the rule (TCP, UDP, ICMP and some application requests).
  • Page 130 This DSCP service, used in the context of Quality of Service, allows the administrator to apply QoS rules according to the service differentiation that he has defined. Click on Ok to confirm your configuration. “Advanced properties” tab. Redirect
  • Page 131 Advanced properties. Count: If you select this option, the Stormshield Network firewall will count the number of packets that correspond to this filter rule and will generate a report. It will therefore be possible to obtain volume information on a desired traffic type.
  • Page 132 Select a region: This field allows applying the filter rule to source hosts with a public IP address belonging to countries, continents or geographic groups (group of countries and/or continents defined beforehand in the Objects > Network objects module).
  • Page 133 This field allows filtering according to the value of the DSCP field of the packet received. Authentication. Authentication method: This field allows restricting the application of the filter rule to the selected authentication method. Click on Ok to confirm your configuration.
  • Page 134 This field allows selecting the reputation score above which or below which the filter rule will apply to the monitored destination hosts. Click on Ok to confirm your configuration. “Advanced properties” tab. Advanced properties
  • Page 135 Automatic protocol detection (default): If this option is selected, a field with the same name will appear below with the following data: Application protocol: Based on default port or content; IP protocol: All
  • Page 136 Inspection type. General. Inspection level. IPS (Detect and block): If this option is selected, Stormshield Network’s IPS (Intrusion Prevention System) will detect and block intrusion attempts, from the Network level to the Application level in the OSI model. IDS (Detect): If this option is selected, Stormshield Network’s IDS (Intrusion Detection System) will...
  • Page 137 RAM. The maximum size of a resource that can be memorized is 32 KB. The tracking of memorized resources and cache management can be viewed in Realtime Monitor (Dashboard). URL filtering: To enable this filtering method, select a URL filter profile from the suggested profiles.
  • Page 138: "NAT" Tab

    Actions on NAT policy rules. Search: This field allows performing searches by occurrence, letter or word. Example: If you enter “Any” in the field, all NAT rules containing “Any” will be displayed in the table.
  • Page 139 Places the selected line before the line just above it. Move down: Places the selected line after the line just below it. Expand all: Expands all folders in the directory. Collapse all: Collapses all folders in the directory.
  • Page 140: NAT Table

    This column shows the status of the rule: On/Off. Double-click on it to change its status. By doing this once, you will enable the NAT rule. Repeat the operation to disable it.
  • Page 141 If two clients go through the same firewall, they will not be able to connect to the same server at the same time. Stormshield Network’s intrusion prevention engine will block packets received by the second client. After 5 minutes, the intrusion prevention engine will deem the session too old and will allow the second client to take over.
  • Page 142 Select the destination host of the traffic from the object database in the drop-down list. Destination port: If you wish to translate the traffic’s destination port, select one from the objects in the drop-down list. The object “Any” is selected by default.
  • Page 143 This field allows selecting the reputation score above which or below which the filter rule will apply to the monitored destination hosts. Click on Ok to confirm your configuration. “Advanced properties” tab. Advanced properties
  • Page 144 NAT rules. This allows connections from one source to the same server to be distributed according to the source port and source IP address. Random: The firewall randomly selects an address from the selected address range.
  • Page 145 tunnel (before encryption, after decryption): If the option has been selected, the encryption policy will be applied to the translated traffic. The NAT operation is performed just before encryption by the IPSec module when packets are sent and after decryption when packets are received.
  • Page 146 Comments: You can add a description that will make it possible to break down your NAT rule and its characteristics.
  • Page 147: High Availability

    “passive” will seamlessly take over. As such, the “passive” firewall becomes “active”. A video from Stormshield Network’s WebTV on YouTube will guide you step by step in the configuration of a group of Stormshield Network firewalls (cluster). Click on this link to access the...
  • Page 148: Step 2: Configuring Network Interfaces

    This option assumes that a cluster has already been created beforehand, in order for a firewall to be able to join it. As such, some of the information from the first firewall created will be copied.
  • Page 149: Step 3: Cluster's Pre-Shared Key And Data Encryption

    Confirm the password/pre-shared key that you have just entered in the previous field. Mandatory password strength: This field indicates your password’s level of security: “Very Weak”, “Weak”, “Medium”, “Good” or “Excellent”. You are strongly advised to use uppercase letters and special characters.
  • Page 150: If A Cluster Exists

    It will then restart in order to apply the configuration. To access this cluster, you need to connect to the active firewall. NOTE This step may take a long time on entry-level models. Do not unplug the firewall.
  • Page 151: High Availability Screen

    Optimize swap for network bridges: When surrounding appliances change from a cluster to bridge mode, the change is applied faster with this option.
  • Page 152 It may be useful to set all unused interfaces to 0 so that they will not affect the quality calculation. NOTE Disabled network interfaces do not appear in the high availability quality calculations. Next, click on Apply.
  • Page 153: Host Reputation

    Scan failed [0-20]: Adjust the slider in order to define the weight of files that could not be scanned by sandboxing in the calculation of a host's reputation.
  • Page 154: "Hosts" Tab

    This table allows defining the hosts to be excluded from the reputation calculation. It is possible to Add or Delete hosts, host groups, networks or IP address ranges using the relevant buttons.
  • Page 155: Identification Portal

    CLI (CONFIG AUTH HTTPS sslparanoiac=0 / CONFIG AUTH ACTIVATE). Connection In order to configure your Stormshield Network firewall, you need to log onto the web administration interface. Configuration of a firewall is only accessible to administrators of the product. The “super admin”...
  • Page 156: Logging Off

    <number of seconds>”. The “admin” account, super administrator By default, only one user has administration privileges on Stormshield Network products – the “admin” account (whose login is “admin”). This administrator holds all privileges and can perform certain operations such as the modification of a user’s authentication method, for example.
  • Page 157 By clicking on Quit, the interface will return to the connection window. Cancelling will return the user to the main screen, without any effect on the execution of the program.
  • Page 158: Implicit Rules

    1300): administrators will be able to log on via their internal networks to port 1300 on the firewall. This service is used especially by Stormshield Network Real-Time Monitor. Allow protected interfaces to access the firewall's SSH port: allows opening access to the firewall via SSH in order to log on using command lines from a host located on the internal networks.
  • Page 159: Advanced Properties

    The following actions may be dangerous: Disabling the “Serverd” rule: in the absence of an explicit rule, may cause users to no longer have access to tools using port 1300, namely Stormshield Network RealTime Monitor, GlobalAdmin, Stormshield Network Centralized Management and Stormshield Network Event Analyzer.
  • Page 160: Inspection Profiles

    Security inspection Global configuration for each profile Default configuration Configuration for Define the profile to apply for incoming traffic on the network via the Stormshield incoming traffic Network Firewall. Incoming traffic represents the traffic of an unprotected interface (such as the internet) to a protected interface (your local/internal network).
  • Page 161: Configuring Profiles

    Select the application profile associated with the protocol from the drop-down list by clicking on the arrow to the right of the field. To return to the previous menu, click on “Go to global configuration”.
  • Page 162: Ipsec Vpn

    The services that Stormshield Network’s IPSec offers provide access control, integrity in offline mode, authentication of data source, protection against replay, confidentiality in encryption and on traffic.
  • Page 163: Site To Site (Gateway-Gateway)

    This button allows immediately deactivating the selected IPSec policy. Site to site (Gateway-Gateway) A video from Stormshield Network’s WebTV on YouTube will guide you step by step in the configuration of a secure connection between your sites. Click on this link to access the video: ​...
  • Page 164 Remote network: Host, host group, network or network group accessible through the IPSec tunnel with the peer. Star configuration: This procedure consists of directing several VPN tunnels to a single point. It allows, for example, linking agencies to a central site.
  • Page 165 Configuration of the peer, which can be viewed in the tab of the same name in the IPSec VPN module. Remote network: Select from the drop-down list of objects the host, host group, network or network group accessible through the IPSec tunnel with the peer.
  • Page 166: Anonymous - Mobile Users

    IPSec policy. Anonymous – Mobile users A video from Stormshield Network’s WebTV on YouTube will guide you step by step in the configuration of a secure connection between one of your sites and an IPSec VPN client. Click on this link to access the video:...
  • Page 167 Phase 1. The server is also authenticated by certificate during this Phase 1 (iPhone). Additional authentication of the client is carried out by XAuth after Phase 1. NOTE This is the only mode compatible with iPhones.
  • Page 168 When creating a new mobile IPSec VPN policy via the wizard, you will be asked to enter details about the local network, and not the remote network, since the IP address is unknown. The object “Any” will therefore be selected by default.
  • Page 169: "Peers" Tab

    [gateway policy at line 2] - Different IKE versions cannot be used in the same IPSec policy. “Peers” tab: This tab consists of two sections: Left: the list of IPSec VPN and mobile IPSec VPN peers. Right: Information about the selected peer.
  • Page 170: List Of Peers

    For a “gateway” peer, you have the choice of Certificate or Pre-shared key (PSK). Certificate: If you have chosen the certificate authentication method, this field will display your certificate. If you had opted for the pre-shared key method, this field will be grayed out.
  • Page 171 The use of the aggressive mode + pre-shared keys (especially for VPN tunnels to mobile workstations) may be less safe than other modes in the IPSec protocol. Stormshield Network recommends using the main mode and especially main mode + certificates for tunnels to mobile workstations. In fact, the Firewall’s internal PKI is capable of providing the certificates needed for...
  • Page 172 If it is detected that a peer is no longer responding, the negotiated SAs will be destroyed. Warning This feature provides stability to the VPN service on Stormshield Network Firewalls on the condition that the DPD has been correctly configured. Four choices are available for configuring DPD: Inactive: DPD requests from the peer are ignored.
  • Page 173 PSK list: By clicking on this link, you will switch to the “Identification” tab in the IPSec VPN module. You can add your Approved certificate authorities as well as your Mobile tunnels: pre-shared keys.
  • Page 174 The use of the aggressive mode + pre-shared keys (especially for VPN tunnels to mobile workstations) may be less safe than other modes in the IPSec protocol. Stormshield Network therefore recommends the use of main mode for mobile peers, either with authentication by certificate or by using hybrid mode.
  • Page 175: "Identification" Tab

    If it is detected that a peer is no longer responding, the negotiated SAs will be destroyed. Warning This feature provides stability to the VPN service on Stormshield Network Firewalls on the condition that the DPD has been correctly configured. Four choices are available for configuring DPD: Inactive: DPD requests from the peer are ignored.
  • Page 176: Mobile Tunnels: Pre-Shared Keys

    SA). Two negotiation modes are possible: main mode and aggressive mode. The drop-down list allows choosing the protection model associated with your VPN policy, from 3 pre-configured profiles: StrongEncryption, GoodEncryption, and Mobile. Others may also be created.
  • Page 177 Copy selection, and give it a name. Delete: Select the encryption profile to be deleted from the list and click on Delete. General. Comments: Description given to your encryption profile.
  • Page 178 Six choices are offered: sha1, md5, sha256, sha384, sha512 or non_auth. Strength: Number of bits defined for the selected algorithm. Encryption proposals: This table allows you to modify or add encryption algorithms to the pre-entered list of the selected profile.
  • Page 179 You can Add or Delete lines, and modify the order of priority using the Up and Down buttons. When deleting a line, ensure that the pre-shared key is not being used in the active policy. Click on Apply once you have completed the configuration.
  • Page 180: Interfaces

    There are many advantages to this mode: ease of integration of the product since there is no change in the configuration of client workstations (default router, static routes, etc.) and no change in IP address on your network.
  • Page 181: Hybrid Mode

    In hybrid mode: some interfaces have the same IP address and others have a distinct address. The hybrid mode uses a combination of both modes mentioned earlier. This mode may only be used with Stormshield Network products having more than two network interfaces. You may define several interfaces in transparent mode...
  • Page 182: Directory Of Interfaces

    Ethernet interfaces have a real name (ex: "Out") and a technical name (ex: "0"). The physical port is displayed in brackets after the name of the interfaces.
  • Page 183: Toolbar

    The number of bridges to create depends on your firewall model. Identifying the bridge. Name: Name of the interface. (See warning in the introduction to the chapter on Interfaces.) Comments: Allows you to enter comments regarding the interface.
  • Page 184: Address Range

    DHCP. In this case, the “DHCP” zone in the Advanced properties tab will be enabled. Fixed IP (static): Your firewall has a static (fixed) IP address. List of the bridge’s IP addresses
  • Page 185: "Advanced Properties" Tab

    Here, several associated IP addresses and network masks may be defined for the same bridge (the need to create aliases, for example). These aliases may allow you to use this Stormshield Network firewall as a central routing point. As such, a bridge can be connected to various sub- networks with a different address range.
  • Page 186 In this case, the changed revision number must be applied to all appliances for the affected region. REMARK On Stormshield Network firewalls, an MSTP configuration can only define one region. Table of MSTP instances: This table allows defining the various instances declared in the MSTP configuration:...
  • Page 187: "Bridge Members" Tab

    Name given to the bridge interface. (See warning in the introduction to the chapter on Interfaces.) Comments: Allows you to enter comments regarding the interface. Physical port: Name of the physical port (example: in (port 2)).
  • Page 188 Here, several associated IP addresses and network masks may be defined for the same bridge (the need to create aliases, for example). These aliases may allow you to use this Stormshield Network firewall as a central routing point. As such, a bridge can be connected to various sub- networks with a different address range.
  • Page 189: "Advanced Properties" Tab

    This window allows you to specify a MAC address for an interface instead of using the address assigned by the firewall. This allows you to better facilitate the integration of the Stormshield Network firewall in transparent mode into your network (by specifying your router’s MAC address instead of having to reconfigure all the workstations using this MAC address).
  • Page 190 "100 Mb Full duplex", "1 Gb Half duplex", "1 Gb Full duplex". Warning If the firewall is directly connected to an ADSL modem, you are advised to enforce the medium that you wish to use on the interface concerned.
  • Page 191: Modifying An Ethernet Interface (Advanced Mode)

    Select the type of VLAN you wish to create. VLAN attached to a single interface (VLAN endpoint): Stormshield Network firewalls can be placed at the end of VLANs to add or remove a VLAN tag. The firewall carries out the filtering and takes care of communications between the VLANs and the networks connected to the other firewall interfaces.
  • Page 192: Vlan Attached To 2 Interfaces (Crossing Vlan)

    By selecting this option, the interface will have a static address range. In this case, its IP address and the mask of the sub-network to which the interface belongs, have to be indicated. Click on Next. Page 192/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 193: Adding A VLAN

    If you wish to create a new VLAN and you have reached the maximum number of dynamic VLANs possible, a pop-up window will appear to allow you to add others. This number can also be modified manually by going to System\Configuration\Network\Available VLANs (max 128)\.
  • Page 194: Modifying A VLAN

    Here, several associated IP addresses and network masks may be defined for the same bridge (the need to create aliases, for example). These aliases may allow you to use this Stormshield Network firewall as a central routing point. As such, a bridge can be connected to various sub-networks with a different address range.
  • Page 195: "Advanced Properties" Tab

    This window allows you to specify a MAC address for an interface instead of using the address assigned by the firewall. This makes it easier to integrate the Stormshield Network firewall in transparent mode into your network (by specifying your router’s MAC address instead of having to reconfigure all the workstations that use this MAC address).
  • Page 196 Rewriting of packets by application scans (SMTP, HTTP and web 2.0, FTP and NAT, SIP and NAT). Gateway address: This field is used for routing by interface. All packets that arrive on this interface will be routed via a gateway.
  • Page 197: Deleting A VLAN

    PIN code of the SIM card: information that comes together with your SIM card. USB modem: by default, the value Automatic detection will be suggested. If your modem is not automatically recognized, choose one of the two "customized modem" profiles, then click on Modem configuration.
  • Page 198: Customized 3G/4G Modem Profile

    Example: "ATZ" (command to reinitialize the modem), "AT^CURC=0" (command which allows disabling periodic messages). Authentication. Identifier: Enter the user’s ID (mandatory). Password: Enter the password (mandatory). Once Step 1 has been configured, click on Next.
  • Page 199: Step 2

    (this is more economical than in the case of a link that is charged by duration). The Permanent connection keeps the connection to the internet permanently active.
  • Page 200: PPTP Modem

    Password used for authentication. If you click on the key icon to the right of the field, the password will appear in plaintext for 5 seconds. Connectivity. Number to dial: Phone number of the access provider.
  • Page 201: 4G Modem

    The Permanent connection keeps the connection to the internet permanently active. USB modem: This is the configuration mode selected when the modem was created (Automatic detection or customized profile).
  • Page 202: Deleting A Modem

    You can change the parameters of each GRETAP interface. To do so, select a GRETAP interface located inside a bridge on the left-hand side of the window. Two tabs will then appear:
  • Page 203: "Configuration Of The Interface" Tab

    By selecting this option, the interface will have a static address range. In this case, its IP address and the mask of the sub-network to which the interface belongs have to be indicated.
  • Page 204: "Advanced Properties" Tab

    Here, several associated IP addresses and network masks may be defined for the same bridge (the need to create aliases, for example). These aliases may allow you to use this Stormshield Network firewall as a central routing point. As such, a bridge can be connected to various sub-networks with a different address range.
  • Page 205: Converting An Interface To Link Aggregation (LACP)

    Therefore, by aggregating x links, it will be possible to set up a link of x times 1 Gbps or 10 Gbps between two appliances.
  • Page 206: "Link Aggregation (LACP)" Tab

    Name of the interface. (See warning in the introduction to the chapter on Interfaces.) Physical port: List of Ethernet ports in the aggregation (Example: (Port2)). Aggregated to the interface: Name of the virtual, i.e. “aggregated”, interface.
  • Page 207 "100 Mb Full duplex", "1 Gb Half duplex", "1 Gb Full duplex". Warning: If the firewall is directly connected to an ADSL modem, you are advised to enforce the medium that you wish to use on the interface concerned.
  • Page 208: License

    Last check for license updates performed on: date of the last time a request was made, manually or automatically, to search for licenses. The Stormshield Network Firewall is sold by default with all features enabled. However, some features (URL filtering, high availability, among others) are optional and not enabled. Certain options, such as updates, are valid for a limited period.
  • Page 209: Installing From A File

    You can install your first license here if you do not have internet access or if you wish to manage licenses yourself. If you choose to use new features or renew certain options, please contact your reseller. A new encrypted file will then be given to you through your private area on Stormshield Network’s website. License file: This field allows you to insert a license that you have retrieved earlier from Stormshield Network’s website and activate the configuration on your firewall.
  • Page 210: "License Details" Tab

    GlobalAdmin: Global administration possible via GlobalAdmin. (Default value: 1). Manager: Administration possible via the web interface. (Default value: 1). Monitor: Monitoring possible via Stormshield Network REAL-TIME MONITOR. (Default value: 1). Date. Antispam: Deadline for updating DNSRBL spam databases. Antivirus: Deadline for updating ClamAV antivirus databases.
  • Page 211 SPAMVendor: Deadline for updating the spam filter heuristic engine. URLFiltering: Deadline for updating Stormshield Network’s URL filter databases. URLVendor: Deadline for updating Stormshield Network Extended Web Control URL filter databases. Update: Deadline for updating the appliance. VirusVendor: Deadline for updating Kaspersky antivirus databases.
  • Page 212 SpamVendor: Enables or disables the spam filter heuristic engine. (Default value: 0). URLFiltering: Enables or disables URL filtering via Stormshield Network’s database in the proxy. (Default value: 1). URLVendor: Enables or disables URL filtering via the Stormshield Network Extended Web Control database in the proxy.
  • Page 213: Logs - Syslog - IPFIX

    For more information, please refer to appendix C of the guides PRESENTATION AND INSTALLATION OF NETASQ PRODUCTS U SERIES – S Models or PRESENTATION AND INSTALLATION OF STORMSHIELD NETWORK PRODUCT SN Range, available in your private area, under the section Documentation.
  • Page 214: Configuration Of The Space Reserved For Logs

    POP3 proxy: events relating to POP3 message traffic (l_pop3). Vulnerability manager: events relating to the Stormshield Network Vulnerability Manager application, which reports vulnerabilities detected on the network (l_pvm). Sandboxing: events relating to the sandboxing of files, if this option has been subscribed and enabled. Administration (Serverd): events relating to the firewall administration server, "serverd"...
  • Page 215: "Syslog" Tab

    By clicking on Apply, the following message will appear: “The total disk space reserved for logs exceeds this model’s capacity. Apply this configuration?”. You can force the save or cancel. NOTE: These files can be copied to the Stormshield Network EVENT ANALYZER solution in order to create reports or archive them. “Syslog” tab: The Syslog tab allows configuring up to 4 profiles for sending logs to Syslog servers.
  • Page 216: "IPFIX" Tab

    Select the protocol on which IPFIX traffic will be based (TCP or UDP). Advanced properties. Port: Choose an object corresponding to the communication port between the firewall and the IPFIX collector. The default value suggested is ipfix (port 4739).
  • Page 217 This field will only be active when the protocol selected is TCP. Backup port: This is the listening port of the backup IPFIX collector.
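As an added example (not code from the manual or from Stormshield), the following Python does what a collector listening on the ipfix port above has to do before trusting an export: it decodes the 16-byte IPFIX message header, checks that the version field really is 10 (NetFlow v5/v9 exporters put 5 or 9 there), walks the set headers, and measures record loss between two messages from the sequence numbers, which matters when the transport chosen above is UDP, since nothing else tells you that records were dropped. The message layout follows RFC 7011; the datagram bytes, template ID and observation domain are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

IPFIX_VERSION = 10      # RFC 7011: the version field of every IPFIX message is 10
IPFIX_PORT = 4739       # default collector port, the "ipfix" object on the IPFIX tab
HEADER_LEN = 16         # version(2) length(2) export time(4) sequence(4) observation domain(4)
TEMPLATE_SET_ID = 2     # set IDs 2 and 3 carry templates; 256 and above carry data records


@dataclass
class IpfixHeader:
    version: int
    length: int
    export_time: int
    sequence: int
    domain_id: int


def parse_ipfix_header(datagram: bytes) -> IpfixHeader:
    """Validate and decode the 16-byte message header."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the IPFIX message header")
    version, length, export_time, sequence, domain_id = struct.unpack(
        "!HHIII", datagram[:HEADER_LEN])
    if version != IPFIX_VERSION:
        # a collector must not guess: NetFlow v9 data looks nothing like IPFIX templates
        raise ValueError(f"version {version} is not IPFIX (expected {IPFIX_VERSION})")
    if length < HEADER_LEN or length > len(datagram):
        raise ValueError(f"length field {length} does not fit a {len(datagram)}-byte datagram")
    return IpfixHeader(version, length, export_time, sequence, domain_id)


def parse_sets(datagram: bytes) -> tuple[IpfixHeader, list[tuple[int, int]]]:
    """Return the header and the (set ID, set length) pairs found in the message."""
    header = parse_ipfix_header(datagram)
    sets = []
    offset = HEADER_LEN
    while offset < header.length:
        if header.length - offset < 4:
            raise ValueError("trailing bytes too short for a set header")
        set_id, set_len = struct.unpack("!HH", datagram[offset:offset + 4])
        if set_len < 4 or offset + set_len > header.length:
            raise ValueError(f"set {set_id} declares {set_len} bytes, beyond the message")
        sets.append((set_id, set_len))
        offset += set_len
    return header, sets


def records_lost(prev_sequence: int, prev_data_records: int, current_sequence: int) -> int:
    """Data records missing between two consecutive messages of one observation domain.

    The sequence number counts data records exported before the message, so the
    expected value is the previous sequence plus the records the previous message
    carried; the counter wraps at 2^32.
    """
    expected = (prev_sequence + prev_data_records) & 0xFFFFFFFF
    return (current_sequence - expected) & 0xFFFFFFFF


def build_sample_message(sequence: int, export_time: int = 1478000000, domain_id: int = 1) -> bytes:
    """Constructed datagram for the demonstration, not a capture from a real firewall.

    One template (ID 256: sourceIPv4Address, destinationIPv4Address) and one data
    record that uses it.
    """
    template = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)   # IE 8 and IE 12, 4 bytes each
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(template)) + template
    record = bytes([10, 0, 0, 5, 192, 0, 2, 10])             # 10.0.0.5 -> 192.0.2.10
    data_set = struct.pack("!HH", 256, 4 + len(record)) + record
    body = template_set + data_set
    header = struct.pack("!HHIII", IPFIX_VERSION, HEADER_LEN + len(body),
                         export_time, sequence, domain_id)
    return header + body


if __name__ == "__main__":
    first, sets = parse_sets(build_sample_message(sequence=100))
    print(first, sets)
    # the next message should carry sequence 101; anything higher means records were dropped
    later = parse_ipfix_header(build_sample_message(sequence=104))
    print("records lost:", records_lost(first.sequence, 1, later.sequence))
```

A persistent non-zero loss count with UDP transport is the signal to switch the profile above to TCP or to size the collector's receive buffer; a version error on every datagram usually means the collector is bound to a NetFlow port and not the ipfix object selected here.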
  • Page 218: Maintenance

    Configuration. “Configuration” tab. System disk: This refers to the system disk of your Stormshield Network multifunction firewall. You are currently using this partition: your firewall’s system disk is divided into two partitions, which allow you to back up your data.
  • Page 219: System Report (Sysinfo)

    Backup filename: By default, the name of the backup will correspond to “<firewall serial number>_day_month_year.na”. Download: The file will be saved in .na format (Stormshield Network ARCHIVES). Click on this button to save it. Advanced properties. Password: Define a password to protect your backup.
  • Page 220 Furthermore, after the backup, you will not be able to change or reinitialize it. Change the password...: This button allows displaying a window to edit the password. This new password will only be valid for subsequent backups.
  • Page 221: "Restore" Tab

    Network objects, Filtering and NAT, IPSec VPN, LDAP directory. Automatic backup restoration. Date of the latest backup: Date of the latest backup of your configuration, available on the local or external backup server.
  • Page 222: "System Update" Tab

    (Backup), enter it in this field, otherwise any restoration of the file will be impossible. “System update” tab: A video from Stormshield Network’s WebTV on YouTube will guide you step by step in the configuration of a group of Stormshield Network firewalls (cluster). Click on this link to access the...
  • Page 223 Current version of the system: This field shows the current software version of your product. Update uploaded on this firewall: This field displays the update that you had selected earlier at the top of this screen.
  • Page 224: Monitoring

    The Go to monitoring configuration link allows going directly to the configuration of data refreshment times.
  • Page 225: Interface Monitoring

    Left-clicking on an indicator listed in the legend allows hiding/showing the corresponding data on the graph. Scrolling over a curve with the mouse will display the value of the indicator and the corresponding time in a tooltip.
  • Page 226: QoS Monitoring

    Scrolling over a curve with the mouse will display the value of the indicator and the corresponding time in a tooltip. “History” tab: This tab sets out history graphs showing bandwidth use for each monitored QoS queue.
  • Page 227: Host Monitoring

    Number of bytes that have passed through the firewall towards the sending host ever since the firewall started running. Incoming throughput: Actual throughput of traffic to the host passing through the firewall. Outgoing throughput: Actual throughput of traffic from the host passing through the firewall.
  • Page 228 User logged on to the host (if any). Source: IP address of the host at the source of the connection. Source name: Name of the object (if any) corresponding to the source host.
  • Page 229 Views. Once a filter has been saved, it will be automatically offered in the list of filters. Delete: Delete a customized filter saved earlier.
  • Page 230 Indicates the date on which the vulnerability was detected on the host. Details: Additional information about the vulnerability. "Application" view: For a selected host, this tab will describe the applications detected. The "Application" view displays the following data:
  • Page 231 Expand button allows collapsing all graphs on the page in a single action. Interactive features: Left-clicking on an indicator listed in the legend allows hiding/showing the corresponding data on the graph.
  • Page 232: User Monitoring

    Expiry date. Auth. method: Method used for authenticating the user (e.g. SSL). Multi-user: Indicates whether the host to which the user has logged on is a multi-user host (e.g. a TSE server).
  • Page 233 Connection: Connection ID. Parent connection: Certain protocols may generate "child" connections (e.g. FTP) and in this case, this column will list the parent connection ID. Protocol: Communication protocol used for the connection.
  • Page 234 Views. Once a filter has been saved, it will be automatically offered in the list of filters. Delete: Delete a customized filter saved earlier.
  • Page 235 Indicates the date on which the vulnerability was detected on the host. Details: Additional information about the vulnerability. "Application" view: This tab describes the applications detected on the host to which the selected user is connected. The "Application" view displays the following data:
  • Page 236: Connection Monitoring

    Name of the object corresponding to the destination port. Source interf.: Name of the interface on the firewall on which the connection was set up. Dest. interf.: Name of the destination interface used by the connection on the firewall.
  • Page 237 Once a filter is applied, all results matching this filter will be exported. Reset columns: This button makes it possible to display only the columns suggested by default when the host monitoring window is opened.
  • Page 238: Route Monitoring

    The Export results button allows downloading a file in CSV format containing all of this information. The Reinit. columns button makes it possible to display only the columns suggested by default when the host monitoring window is opened.
  • Page 239: Network Objects

    By clicking on this button (represented by the icon), a window will show the download link of the objects database in CSV format. Click on this link to save the exportable file on your computer.
  • Page 240: Filter

    Select a host in order to view or edit its properties. Each one of them has by default a name, an IP address and a DNS resolution (“Automatic” or “None (static IP)”).
  • Page 241: Network

    Select a port or port range in order to view or edit its properties. Name of the object: Name of the service used. This field is grayed out and cannot be modified. Port: Number of the port associated with the selected service.
  • Page 242: IP Protocol

    Objects in this group: The network objects in your group will be shown in a table. To add or modify objects, refer to the previous field.
  • Page 243: Port Group

    Deletes the selected gateway. Move to the list of backups / Move to the list of main gateways: Allows switching a gateway from the main table to the backup table or vice versa.
  • Page 244 By source IP address: all gateways defined in the "List of gateways used" will be used. An algorithm balances routing based on the source of the routed traffic. The rate at which the various gateways are used is related to their respective weights.
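The manual states two properties of source-based balancing: each source address is tied to one gateway, and gateways are used in proportion to their weights. As an added example (not Stormshield's implementation, whose algorithm the manual does not describe), the following Python shows the usual way to obtain both at once, by hashing the source address into a bucket space sized by the weight total. The gateway names and weights are constructed for the demonstration.

```python
import hashlib
import ipaddress
from collections import Counter

# Constructed gateway list: (object name, weight). Not the firewall's own table.
GATEWAYS = [("gw_isp1", 3), ("gw_isp2", 1)]


def select_gateway(source_ip: str, gateways: list[tuple[str, int]]) -> str:
    """Pick the gateway for one source address.

    The bucket is derived from a hash of the address, so a given source always
    lands on the same gateway (its sessions stay on one path), and the buckets
    are shared out in proportion to the weights. The hash-bucket scheme is this
    example's own; the manual only states the two properties.
    """
    if not gateways or any(weight <= 0 for _, weight in gateways):
        raise ValueError("each gateway needs a positive weight")
    total = sum(weight for _, weight in gateways)
    digest = hashlib.sha256(ipaddress.ip_address(source_ip).packed).digest()
    bucket = int.from_bytes(digest[:4], "big") % total
    for name, weight in gateways:
        if bucket < weight:
            return name
        bucket -= weight
    raise AssertionError("unreachable: bucket is below the weight total")


def distribution(prefix: str, gateways: list[tuple[str, int]]) -> Counter:
    """How many hosts of a prefix each gateway would carry."""
    return Counter(select_gateway(str(host), gateways)
                   for host in ipaddress.ip_network(prefix).hosts())


def share(prefix: str, gateways: list[tuple[str, int]], name: str) -> float:
    """Fraction of the prefix's hosts routed through the named gateway."""
    counts = distribution(prefix, gateways)
    return counts[name] / sum(counts.values())


if __name__ == "__main__":
    print(select_gateway("192.0.2.10", GATEWAYS), select_gateway("192.0.2.11", GATEWAYS))
    print(distribution("10.0.0.0/22", GATEWAYS))   # roughly 3:1 over 1022 hosts
```

The stickiness is what keeps a client's sessions from being split across two public addresses, which is why the weighted share only holds across many sources, never for one host; removing or re-weighting a gateway also re-maps some existing sources, so expect sessions to break when the list changes.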
  • Page 245: Geographic Group

    The countries or continents in your group will be shown in a table. To add or modify objects, refer to the previous field. DNS name (FQDN): Select a DNS name to view or edit its properties.
  • Page 246: Time Object

    Add a time slot: to add a time slot and to define the start and end time of your event. Delete: to delete it. New information regarding the time slot(s) will appear in the Description field.
  • Page 247: PPTP Server

    40-bit MPPE: Allows the use of the 40-bit MPPE encryption protocol. 56-bit MPPE: Allows the use of the 56-bit MPPE encryption protocol. 128-bit MPPE: Allows the use of the 128-bit MPPE encryption protocol. (40- and 56-bit MPPE keys are short enough to be brute-forced; enable them only for legacy clients that cannot do 128-bit.)
  • Page 248: Preferences

    The current local security policy is displayed by default. Comments about rules with creation date (Filtering and NAT): If this option is selected, comments created for filter and NAT rules will automatically include the date and time of creation.
  • Page 249: Management Interface Behavior

    External links. Online help URL: This URL indicates the address to access Stormshield Network’s online help: you will find the directory of the modules in alphabetical order. Click on the module of your choice in order to view the corresponding page.
  • Page 250: Protocols

    IPS_01. The drop-down list offers 10 profiles, numbered from 00 to 09. Each profile has by default the name of the protocol, accompanied by its number. Examples: http_00 (1), http_01…
  • Page 251: Buttons

    Choosing the HTTPS port in the list "HTTPS: list of default TCP ports" will set off two successive scans: the HTTPS traffic will be scanned by the SSL plugin, then the traffic decrypted by the SSL proxy will be analyzed by the HTTP plugin.
  • Page 252: Global Configuration Of The TCP/UDP Protocol

    (days). SSL: list of default TCP ports: This option is offered for the list of default TCP ports. The default ports of the added protocols will be analyzed by the SSL plugin.
  • Page 253: HTTP

    URLs or checks on URL size or requests allow you to block attacks such as Code Red, Code Blue, NIMDA, HTR, WebDAV, buffer overflow or even directory traversal… Managing buffer overflows is fundamental at Stormshield Network, which is why the definition of the maximum sizes allowed for HTTP buffers is particularly detailed.
  • Page 254 Example of malicious behavior: redirection, without your knowledge, to a website other than the site you had intended to visit. NOTE: Selecting this checkbox will disable the Enable on-the-fly data decompression option.
  • Page 255 COOKIE field: Maximum number of bytes for the COOKIE field, including formatting attributes. (Min: 128; Max: 8192). Other fields: Maximum number of bytes for the other fields, including formatting attributes. (Min: 128; Max: 4096).
  • Page 256: "Proxy" Tab

    (different from the pass all policy). Such access can be authorized via the firewall’s basic Network objects (RFC5735) or the “Private IP” group in the EWC URL database.
  • Page 257: "ICAP" Tab

    WebDAV (reading and writing): collaborative management of documents. If this option has been selected, the WebDAV protocol will be authorized in the Stormshield Network Firewall. Allow TCP tunnels (CONNECT method): The CONNECT method allows building secure tunnels through proxy servers. If this option has been selected, the CONNECT method will be authorized in the Stormshield Network Firewall. (A CONNECT tunnel carries arbitrary TCP that the proxy cannot inspect, so it is worth restricting to the destination ports you expect.)
  • Page 258: "Analyzing Files" Tab

    A URL category or category group can be excluded from the antivirus scan. By default, there is a URL group named antivirus_bypass in the object database containing Microsoft update sites.
  • Page 259: "Sandboxing" Tab

    Office document (Office software): all types of documents that can be opened with the MS Office suite. Executable: files that can be run in Windows (files with the extension ".exe", ".bat", ".cmd", ".scr", etc.). PDF: files in Portable Document Format (Adobe).
  • Page 260: SMTP

    BDAT extension header [102400 – 10485760]: Maximum volume of data sent using the BDAT command. Command line [64 – 4096]: Maximum volume of data that a command line can contain (excluding the DATA command).
  • Page 261: "Proxy" Tab

    (the refusal will be indicated by an SMTP error). This allows restricting spam. Maximum size of the message [0 – …]: Indicates the maximum size of messages passing through the Stormshield Network firewall. Messages exceeding the defined size will be refused by the firewall.
  • Page 262: "Analyzing Files" Tab

    ... fails: This option defines the behavior of the antivirus module when certain events occur. Examples: if the hard disk has reached its capacity, information will not be downloaded. The maximum size that a file can reach for the antivirus scan is restricted (1000 KB).
  • Page 263: "Sandboxing" Tab

    ... banner sent by the server: When this option is selected, your mail server’s banner will no longer be sent during a POP3 connection. This banner contains information that may be exploited by hackers (server type, software version, etc.).
  • Page 264: "POP3 Commands" Tab

    The total memory space corresponds to a common space for all the resources reserved for the Antivirus service. If you define the size limit for analyzed data on POP3 as 100% of the total size, no other files can be analyzed at the same time.
  • Page 265: "Sandboxing" Tab

    RFC compliance analysis, checks on FTP command parameter size or restrictions on the protocol (SITE EXEC for example). These analyses therefore allow stopping attacks such as FTP Bounce, FTP PASV DoS, buffer overflow, etc. This...
  • Page 266: "Proxy" Tab

    If this option is selected, the new request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address will be used.
  • Page 267: "FTP Commands" Tab

    Add. They are limited to 115 characters and can be deleted when needed. Prohibited FTP commands: FTP commands, limited to 115 characters, can be prohibited in the intrusion prevention module.
  • Page 268 RFC compliance. This command is subject to stricter filtering. It is only allowed with the arguments S, B, C and Z. If the antivirus analysis has been enabled, only argument S will be allowed.
  • Page 269 F will be allowed. SYST: This command displays information about the server’s operating system. This command does not accept arguments. By default, a scan will be performed to check RFC...
  • Page 270 STOU: This command stores a given file with a unique name. This command does not accept arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
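The three rules quoted above (a command allowed only with arguments S, B, C and Z, and only S once antivirus scanning is on; SYST refusing any argument; STOU blocked unless modification commands are enabled) plus the administrator's prohibited-command list are enough to write down as a policy. As an added example (not code from the manual or from Stormshield), the following Python applies them to client command lines. Two points are this example's own reading, not the manual's text: the command whose name is cut off on page 268 is taken to be MODE, since S, B, C and Z are its transfer-mode values, and the set of commands treated as "modification commands" beyond STOU is the example's grouping of the RFC 959 commands that write to the server. The session lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Commands this example treats as "modification commands" (the manual names STOU;
# the rest of the set is the example's own grouping of RFC 959 commands that write
# to the server).
MODIFICATION_COMMANDS = {"STOU", "STOR", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}
NO_ARGUMENT_COMMANDS = {"SYST", "STOU"}
# Arguments S, B, C and Z are the MODE values (stream, block, compressed, deflate);
# naming the command MODE is this example's reading of the truncated text.
MODE_ARGUMENTS = {"S", "B", "C", "Z"}
COMMAND_RE = re.compile(r"^[A-Z]{3,4}$")


@dataclass
class FtpPolicy:
    antivirus: bool = False
    allow_modification: bool = False
    prohibited: set[str] = field(default_factory=set)   # the "Prohibited FTP commands" list


def check_ftp_command(line: str, policy: FtpPolicy) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one client command line."""
    line = line.rstrip("\r\n")
    if any(ord(c) < 0x20 for c in line):
        # a CRLF inside the line would smuggle a second command past a naive parser
        return "block", "control characters inside the command line"
    verb, _, argument = line.partition(" ")
    verb = verb.upper()
    argument = argument.strip()
    if not COMMAND_RE.match(verb):
        return "block", f"{verb!r} is not an RFC 959 command token"
    if verb in policy.prohibited:
        return "block", f"{verb} is in the prohibited list"
    if verb in NO_ARGUMENT_COMMANDS and argument:
        return "block", f"{verb} does not accept arguments"
    if verb == "MODE":
        allowed = {"S"} if policy.antivirus else MODE_ARGUMENTS
        if argument.upper() not in allowed:
            return "block", f"MODE {argument!r} not in {sorted(allowed)}"
    if verb in MODIFICATION_COMMANDS and not policy.allow_modification:
        return "block", f"{verb} needs 'Enable modification commands'"
    return "allow", f"{verb} passes the RFC compliance checks"


def filter_session(lines: list[str], policy: FtpPolicy) -> list[tuple[str, str, str]]:
    """Apply the policy to every line of a client session: (line, verdict, reason)."""
    return [(line, *check_ftp_command(line, policy)) for line in lines]


# Constructed client session for the demonstration.
SAMPLE_SESSION = ["USER alice", "SYST", "MODE Z", "SITE EXEC ls", "STOU", "SYST extra", "MODE S"]

if __name__ == "__main__":
    policy = FtpPolicy(antivirus=True, prohibited={"SITE"})
    for line, verdict, why in filter_session(SAMPLE_SESSION, policy):
        print(f"{verdict:5} {line!r}: {why}")
```

The MODE rule is the one that changes with another setting: a profile that scans files cannot reassemble block, compressed or deflate transfers, so enabling antivirus silently narrows the accepted arguments to S, and clients that negotiate MODE Z will start failing.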
  • Page 271: "FTP Users" Tab

    Block traffic when information retrieval fails, or Pass without scanning. "Sandboxing" tab. Sandboxing. Status: This column displays the status (Enabled/Disabled) of sandboxing for the corresponding file type. Double-click on it to change its status.
  • Page 272: SSL

    SSL negotiation. Allow unsupported encryption methods: Select this option if the encryption algorithm that you wish to use is not supported by the SSL protocol.
  • Page 273: "Proxy" Tab

    If this option is selected, the new request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address will be used.
  • Page 274: TCP-UDP

    For example, it is suitable for streaming applications (audio/video broadcast) for which packet loss is not critical. Indeed, during these transmissions, lost packets are ignored.
  • Page 275: Profiles Screen

    Rewrite TCP sequences with strong random values (arc4): If this option is selected, the TCP sequence numbers generated by the client and server will be overwritten and replaced by the Stormshield Network intrusion prevention engine, which produces random sequence numbers.
  • Page 276: "IPS" Tab

    TCP/UDP) example. Profiles screen. “IPS” tab. Maximum size of DNS fields (in bytes). DNS name (query): This field has to be between 10 and 2048 bytes.
  • Page 277: Yahoo Messenger (YMSG)

    Log every Yahoo Messenger (YMSG) query: Enables or disables the generation of logs relating to the Yahoo Messenger protocol.
  • Page 278: ICQ - AOL IM (OSCAR)

    ... prevention: When this option is selected, the scan of the TFTP protocol will be disabled and traffic will be authorized if the filter policy allows it. Log every TFTP query: Enables or disables the generation of logs relating to TFTP queries.
  • Page 279: MS-RPC Protocol

    ... prevention: When this option is selected, the scan of the MS-RPC protocol will be disabled and traffic will be authorized if the filter policy allows it. Log every DCE/RPC query: Enables or disables the logging of MS-RPC queries.
  • Page 280: NetBIOS CIFS

    Dynamic connections: As this protocol is used for relaying access to Microsoft services, the following options allow restricting the services and options relayed by the EPMAP server.
  • Page 281: MGCP

    This list contains the RTP codecs supported by default. You can add codecs by clicking on the appropriate button or remove them from the list by selecting them and clicking on “Delete”.
  • Page 282: RTCP

    RTSP header: Maximum size of the header. Allows managing memory overflow. SDP protocol: Maximum size of an SDP line. Allows managing memory overflow. Content-Type: Maximum size of the “Content-Type” header.
  • Page 283: RTSP Session Settings

    (audio, video, application, data, control, etc.). Automatically detect and inspect the protocol: If the protocol has been enabled, the inspection will be automatically applied upon discovery of the corresponding traffic allowed by the filter.
  • Page 284: SIP Commands

    When one device subscribes to another, it will be informed when an event occurs. Example: a contact it is looking for coming online. Select this option to enable the extension.
  • Page 285: Support

    Modbus settings. Maximum message size (bytes): This value makes it possible to restrict the size allowed for a Modbus message. It has to be between 8 and 4096 (default value: 260).
  • Page 286: Managing Modbus Function Codes

    Analyze by operation set and Modify all operations allow modifying the action (Analyze / Block) applied to the selected operation set or to all S7 operations listed in the table.
  • Page 287: Support

    When this option is selected, the scan of the OPC UA protocol will be disabled and prevention traffic will be authorized if the filter policy allows it. Log every OPC UA Enables or disables the logging of OPC UA requests. query Page 287/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 288: Others

    As all protocols are enabled by default, double-click on the column to disable the automatic detection of the relevant protocol. Repeat the operation when you wish to re-enable it. Click on Apply to save your changes. Page 288/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016...
  • Page 289: Quality Of Service (Qos)

    The optimized control of congestion and the management of data queues have become a major challenge in Quality of Service. Stormshield Network Firewalls employ two algorithms for congestion management – TailDrop and BLUE. However, Stormshield Network recommends the use of BLUE for managing congestion.
  • Page 290: Class-Based Queue (Cbq)

    This option is synchronized by default with the option Min inv. By modifying the value of this option, this value will be replicated in Min inv. By modifying the value of Min inv, the values will be different and therefore desynchronized.
  • Page 291: Monitoring Queue

    To add a monitoring queue, click on Add a queue, then select Monitoring queue (MONQ). Modifying a monitoring queue Name: Name of the queue to be configured. Type: Type of queue (CBQ, PRIQ or MONQ). Color: Color to differentiate the queue. Comments: Related comments.
  • Page 292: Priority Queue

    SN150, SN160w, SN200, SN510, SN500, SN710, SN700, SN910, A SN2000, SN3000, SN6000 SN210w, SN300, U30S, U70S SN900, U150S, U250S, U500S, U800S Examples of application and usage recommendations Example 1: Prioritization of DNS traffic
  • Page 293 Security Policy\Filtering and NAT module\Action column). Effects on traffic Lowers the risk of network congestion. Reduces the impact of traffic on the network’s overall performance. Example 3: Guaranteeing a minimum level of service
  • Page 294 (see the document on Filtering and NAT or go to the menu Security Policy\Filtering and NAT module\Action column). Effects on traffic Guarantees bandwidth for a specified traffic type. Introduces a maximum data transfer time for the service.
  • Page 295: Reports

    USB key or an external hard disk. For more information, refer to the Guides PRESENTATION AND INSTALLATION OF NETASQ PRODUCTS U SERIES – S Models or PRESENTATION AND INSTALLATION OF STORMSHIELD NETWORK PRODUCTS SN Range, available in your private area, under the section Documentation.
  • Page 296: Possible Operations

    Left-clicking on a value in a report will open a menu offering several interactions. These may be for example, providing additional information on the value, modifying a parameter of the configuration profile or launching a search in the Logs section.
  • Page 297 You can also confirm the current status of vulnerabilities in Realtime Monitor. Open help: this link redirects to the help page of the alarm raised or the vulnerability detected.
  • Page 298: Reports

    ASQ engine or by URL filtering if it has been enabled (Security inspection). Top web searches These values relate to requests sent over the search engines Google, Bing and Yahoo.
  • Page 299 Vulnerabilities can be listed by host. The Vulnerability management module has to be enabled. By default, these reports concern vulnerabilities that have been detected on internal networks, as the object network_internals is defined by default in the list of network elements being monitored.
  • Page 300 SPAM The Antispam module has to be enabled. These data are counted by recipient of spam received, by analyzing SMTP, POP3, SMTPS and POP3S traffic if the SSL scan has been enabled.
  • Page 301 This report sets out the malicious files most frequently detected by sandboxing. Top malicious files detected and blocked by sandboxing request This report sets out the malicious files most frequently blocked by sandboxing.
  • Page 302: Report Configuration

    Enable history graphs This option allows enabling history graphs that can be viewed in the Monitoring module. Table of reports and history graphs "List of reports" tab The table sets out the following columns: Status Allows enabling/disabling the report in question.
  • Page 303: List Of History Graphs" Tab

    At the bottom right of the table, the disk space used by the SQLite database will be shown. NOTE Such data may be sent via Syslog to the Virtual Log Appliance for Stormshield solution in order to build reports or archive them.
  • Page 304: Routing

    The default router is generally the equipment which allows your network to access the Internet. The Stormshield Network Firewall sends all packets which have to exit on the public network to this address. Often the default router is connected to the Internet. If...
  • Page 305: Presentation Of The Table

    Clicking on this column will open the objects database in order to select a host (router). Color (Optional): A window will appear, allowing the selection of an interface color (used in Stormshield Network REAL-TIME MONITOR). Comments (Optional): Any text. “Dynamic routing” tab This tab allows enabling and configuring the Bird dynamic routing engine.
  • Page 306: Return Routes" Tab

    Clicking on this column will open the objects database in order to select a host or a virtual interface (IPSec). If the object is a host object, it must specify a MAC address. Comments (Optional): Any text.
  • Page 307: Smtp Filtering

    The procedure for editing an SMTP filter profile is as follows: Select a profile from the list of URL filter profiles. The table of filters will then appear as well as a screen indicating errors.
  • Page 308: Possible Operations

    This analyzer shows rule creation errors and coherence errors.
  • Page 309 Errors are displayed in the form of a list. By clicking on an error, the rule concerned will automatically be selected.
  • Page 310: Snmp Agent

    Do not send: by selecting this option, you will not receive system alarms. By selecting send only major alarms, you will be able to receive major system alarms. By selecting send major and minor alarms, major and minor system alarms will be sent.
  • Page 311: Snmpv3" Tab

    By clicking to the right of a host name, the objects database will appear, allowing you to select a host. Server [Name of destination server (object)] The parameters in the configuration of SNMP V3 events are as follows: Port Port used for sending data to the host (snmptrap by default).
  • Page 312: Snmpv1 - Snmpv2C" Tab

    The first versions of the SNMP protocol are not secured. The only field necessary is the community name. By default VPN suggests the name "public". Warning We advise against using it for security reasons. If you wish to indicate several communities, separate them with commas.
  • Page 313: Sending Of Snmpv2C Alerts (Traps)

    Stormshield Network’s information base (these MIBs are available on Stormshield Network’s website, at the address indicated in the chapter on Stormshield Network MIBs). MIB data are files in text format that describe a list of SNMP objects used by the supervisor. These MIBs therefore provision data that the supervisor would need in order to interpret SNMP traps, events and query messages sent to the firewall.
  • Page 314 (but not from the notPresent state). This other state is indicated by the included value of ifOperStatus." ::= { snmpTraps 3 } linkUp NOTIFICATION-TYPE OBJECTS { ifIndex, ifAdminStatus, ifOperStatus } STATUS current
  • Page 315: Management Information Bases (Mibs)

    The descriptions of system alarms are also given in the chapter SYSTEM EVENTS in the section List of events. Management information bases (MIBs) Stormshield Network MIBs Here is the list of fields of Stormshield Network MIBs, with the corresponding CLI commands and console commands. The links can be downloaded from: https://www.stormshield.eu/landing/mibs/ NETASQ-SMI-MIB: Mib as a whole ...
  • Page 316 NbDeadNode .2.0 NbActiveNode .3.0 NbHALinks .5.0 NbFaultyHALinks .6.0 Table of HA members FwSerial .7.X.2 Online .7.X.3 Model .7.X.4 Version .7.X.5 HALicence .7.X.6 HAQuality .7.X.7 HAPriority .7.X.8 HAStatusForced .7.X.9 HAActive .7.X.10 Uptime .7.X.11
  • Page 317 .X.10 In_curr_throughput .X.11 Out_curr_throughput .X.12 In_max_throughput .X.13 Out_max_throughput .X.14 NETASQ- PROPERTY- MIB: Information returned by the "SYSTEM PROPERTY" command .1.3.6.1.4.1.11256.1.0 ==> (CLI) SYSTEM PROPERTY, SYSTEM IDENT, SYSTEM LANGUAGE Model .1.0 Version .2.0
  • Page 318 NETASQ-IF-MIB: Status of interfaces seen by ASQ .1.3.6.1.4.1.11256.1.4.1 ==> (CLI) MONITOR INTERFACE IfName .X.2 Name .X.3 Addr .X.4 Mask .X.5 Type .X.6 Color .X.7 MacThroughput .X.8 CurThroughput .X.9 MaxThroughput .X.10 PktAccepted .X.11 PktBlocked .X.12 PktFragmented .X.13
  • Page 319 .X.3 UpTime .X.4 NETASQ-VPNSA-MIB: Table of negotiated IPSEC SA .1.3.6.1.4.1.11256.1.1.1 ==> (CLI) MONITOR GETSA ==> (console) showSAD SAIndex .X.1 IPSrc .X.2 IPDst .X.3 Type .X.4 Mode .X.5 .X.6 PeerSPI .X.7 ReqID .X.8
  • Page 320 ASQStatsStatefulFlowConflicts .1.17 ASQStatsStatefulFlowFailures .1.18 ASQStatsStatefulInterfaceMute .1.19 ASQStatsStatefulTcpPkt .1.20 ASQStatsStatefulTcpInBytes .1.21 ASQStatsStatefulTcpOutBytes .1.22 ASQStatsStatefulTcpConn .1.23 ASQStatsStatefulTcpNatConnSrc .1.24 ASQStatsStatefulTcpNatConnDst .1.25 ASQStatsStatefulTcpNoNatConnSrc .1.26 ASQStatsStatefulTcpNoNatConnDst .1.27 ASQStatsStatefulTcpSmallWindowRst .1.28 ASQStatsStatefulTcpEmptyDupAckBl .1.29 ASQStatsStatefulUdpPkt .1.30 ASQStatsStatefulUdpInBytes .1.31 ASQStatsStatefulUdpOutBytes .1.32
  • Page 321 ==> (CLI) MONITOR ROUTE ==> (console) sfctl -s route Index .X.1 Type .X.2 IPVersion .X.3 RouterName .X.4 GatewayName .X.5 GatewayAddr .X.6 GatewayType .X.7 LastCheck .X.8 State .X.9 StateLastChange .X.10 Partition .X.11 ActiveLastChange .X.12
  • Page 322 The SNMP agent only supports listed fields and sub-sets. SNMPv2-MIB mibfile=http://www.net-snmp.org/docs/mibs/SNMPv2-MIB.txt desc=http://www.net-snmp.org/docs/mibs/snmpMIB.html rfc=http://www.ietf.org/rfc/rfc3418.txt system.*.0 sysORTable snmp.*.0 setSerialNo.0 SNMP-FRAMEWORK-MIB mibfile=http://www.net-snmp.org/docs/mibs/SNMP-FRAMEWORK-MIB.txt desc=http://www.net-snmp.org/docs/mibs/snmpFrameworkMIB.html rfc=http://www.ietf.org/rfc/rfc3411.txt snmpEngine.*.0 SNMP-TARGET-MIB mibfile=http://www.net-snmp.org/docs/mibs/SNMP-TARGET-MIB.txt desc=http://www.net-snmp.org/docs/mibs/snmpTargetMIB.html rfc=http://www.ietf.org/rfc/rfc3413.txt snmpTargetSpinLock.0 snmpTargetAddrTable snmpTargetParamsTable snmpUnavailableContexts.0 snmpUnknownContexts.0 SNMP-NOTIFICATION-MIB mibfile=http://www.net-snmp.org/docs/mibs/SNMP-NOTIFICATION-MIB.txt desc=http://www.net-snmp.org/docs/mibs/snmpNotificationMIB.html rfc=http://www.ietf.org/rfc/rfc3413.txt snmpNotifyTable
  • Page 323 NOTIFICATION-LOG-MIB mibfile=http://www.net-snmp.org/docs/mibs/NOTIFICATION-LOG-MIB.txt desc=http://www.net-snmp.org/docs/mibs/notificationLogMIB.html rfc=http://www.ietf.org/rfc/rfc3014.txt SNMP-USER-BASED-SM-MIB mibfile=http://www.net-snmp.org/docs/mibs/SNMP-USER-BASED-SM-MIB.txt desc=http://www.net-snmp.org/docs/mibs/snmpUsmMIB.html rfc=http://www.ietf.org/rfc/rfc3414.txt usmStats.*.0 usmUserTable SNMP-VIEW-BASED-ACM-MIB mibfile=http://www.net-snmp.org/docs/mibs/SNMP-VIEW-BASED-ACM-MIB.txt desc=http://www.net-snmp.org/docs/mibs/snmpVacmMIB.html rfc=http://www.ietf.org/rfc/rfc3415.txt vacmContextTable vacmSecurityToGroupTable vacmAccessContextTable vacmViewSpinLock.0 vacmViewTreeFamilyTable SNMP-USM-DH-OBJECTS-MIB mibfile=http://www.net-snmp.org/docs/mibs/SNMP-USM-DH-OBJECTS-MIB.txt desc=http://www.net-snmp.org/docs/mibs/snmpUsmDHObjectsMIB.html rfc=http://www.ietf.org/rfc/rfc2786.txt usmDHPublicObjects.*.0 usmDHUserKeyTable IF-MIB mibfile=http://www.net-snmp.org/docs/mibs/IP-MIB.txt desc=http://www.net-snmp.org/docs/mibs/ip.html rfc=http://www.ietf.org/rfc/rfc4293.txt ifNumber.0 ifTable
  • Page 324 RFC1213-MIB mibfile=http://www.net-snmp.org/docs/mibs/RFC1213-MIB.txt rfc=http://www.ietf.org/rfc/rfc1213.txt atTable IP-MIB mibfile=http://www.net-snmp.org/docs/mibs/IP-MIB.txt desc=http://www.net-snmp.org/docs/mibs/ip.html rfc=http://www.ietf.org/rfc/rfc4293.txt ip.*.0 icmp.*.0 ipAddrTable ipRouteTable ipNetToMediaTable ipNetToPhysicalTable IPV6-MIB mibfile=http://www.net-snmp.org/docs/mibs/IPV6-MIB.txt desc=http://www.net-snmp.org/docs/mibs/ipv6MIB.html rfc=http://www.ietf.org/rfc/rfc2465.txt ipv6MIBObjects.?.0 ipv6Interfaces ipv6IfTable ipv6IfStatsTable IPV6-TCP-MIB mibfile=http://www.net-snmp.org/docs/mibs/IPV6-MIB.txt desc=http://www.net-snmp.org/docs/mibs/ipv6TcpMIB.html rfc=http://www.ietf.org/rfc/rfc2452.txt ipv6TcpConnTable IPV6-UDP-MIB mibfile=http://www.net-snmp.org/docs/mibs/IPV6-UDP-MIB.txt desc=http://www.net-snmp.org/docs/mibs/ipv6UdpMIB.html rfc=http://www.ietf.org/rfc/rfc2465.txt ipv6UdpTable
  • Page 325 TCP-MIB mibfile=http://www.net-snmp.org/docs/mibs/TCP-MIB.txt desc=http://www.net-snmp.org/docs/mibs/tcp.html rfc=http://www.ietf.org/rfc/rfc4022.txt tcp.*.0 tcpConnTable UDP-MIB mibfile=http://www.net-snmp.org/docs/mibs/UDP-MIB.txt desc=http://www.net-snmp.org/docs/mibs/udp.html rfc=http://www.ietf.org/rfc/rfc4113.txt udp.*.0 udpTable IF-INVERTED-STACK-MIB mibfile=http://www.net-snmp.org/docs/mibs/IF-INVERTED-STACK-MIB.txt desc=http://www.net-snmp.org/docs/mibs/ifInvertedStackMIB.html rfc=http://www.ietf.org/rfc/rfc2864.txt HOST-RESOURCES-MIB mibfile=http://www.net-snmp.org/docs/mibs/HOST-RESOURCES-MIB.txt desc=http://www.net-snmp.org/docs/mibs/host.html rfc=http://www.ietf.org/rfc/rfc2790.txt hrSystem.*.0 hrMemorySize hrStorageTable hrDeviceTable hrProcessorTable hrNetworkTable hrPrinterTable hrDiskStorageTable hrPartitionTable hrFSTable
  • Page 326 DISMAN-EVENT-MIB mibfile=http://www.net-snmp.org/docs/mibs/DISMAN-EVENT-MIB.txt desc=http://www.net-snmp.org/docs/mibs/dismanEventMIB.html rfc=http://www.ietf.org/rfc/rfc2981.txt mteTriggerTable mteTriggerDeltaTable mteTriggerExistenceTable mteTriggerBooleanTable mteTriggerThresholdTable mteObjectsTable mteEventTable mteEventNotificationTable DISMAN-SCHEDULE-MIB mibfile=http://www.net-snmp.org/docs/mibs/DISMAN-SCHEDULE-MIB.txt desc=http://www.net-snmp.org/docs/mibs/schedMIB.html rfc=http://www.ietf.org/rfc/rfc3231.txt schedLocalTime.0 schedTable AGENTX-MIB mibfile=http://www.net-snmp.org/docs/mibs/AGENTX-MIB.txt desc=http://www.net-snmp.org/docs/mibs/agentxMIB.html rfc=http://www.ietf.org/rfc/rfc2742.txt NET-SNMP-AGENT-MIB mibfile=http://www.net-snmp.org/docs/mibs/NET-SNMP-AGENT-MIB.txt desc=http://www.net-snmp.org/docs/mibs/netSnmpAgentMIB.html nsModuleTable nsCacheTable nsConfigDebug.*.0 nsDebugTokenTable nsConfigLogging nsLoggingTable netSnmpExampleScalars
  • Page 327 netSnmpIETFWGTable netSnmpHostsTable nstAgentModules NET-SNMP-VACM-MIB mibfile=http://www.net-snmp.org/docs/mibs/NET-SNMP-VACM-MIB.txt desc=http://www.net-snmp.org/docs/mibs/netSnmpVacmMIB.html nsVacmAccessTable UCD-DISKIO-MIB mibfile=http://www.net-snmp.org/docs/mibs/UCD-DISKIO-MIB.txt desc=http://www.net-snmp.org/docs/mibs/ucdDiskIOMIB.html UCD-DLMOD-MIB mibfile=http://www.net-snmp.org/docs/mibs/ucdDlmodMIB.html desc=http://www.net-snmp.org/docs/mibs/ucdDlmodMIB.html SCTP-MIB mibfile=http://www.net-snmp.org/docs/mibs/SCTP-MIB.txt desc=http://www.net-snmp.org/docs/mibs/sctpMIB.html rfc=http://www.ietf.org/rfc/rfc3873.txt sctpStats sctpParameters sctpAssocTable sctpAssocLocalAddrTable sctpAssocRemAddrTable sctpLookupLocalPortTable sctpLookupRemPortTable sctpLookupRemHostNameTable sctpLookupRemPrimIPAddrTable sctpLookupRemIPAddrTable
  • Page 328: Ssl Filtering

    SSL FILTERING SSL filtering is now integrated into the new security policy on Stormshield Network multi-function firewalls. This module allows filtering access to secure web sites. It also makes it possible to allow or prohibit web sites or certificates that pose risks.
  • Page 329: Rules

    This action applies according to the value of this column. It may contain a group or URL category, as well as a group of certificate names. Comments Comments relating to the rule.
  • Page 330: Errors Found In The Ssl Filter Policy

    This analyzer shows rule creation errors and coherence errors. Errors are displayed in the form of a list. By clicking on an error, the rule concerned will automatically be selected.
  • Page 331: Ssl Vpn

    (public Wi-Fi, hotels, etc.) or private local networks precisely use the first few address ranges reserved for these uses (example: 10.0.0.0/24, 192.168.0.0/24). REMARK Address ranges are not supported.
  • Page 332: Advanced Properties

    (example: disconnecting a disk from a remote shared network). NOTE Only client hosts running under Windows and with the Stormshield Network client can use the executable script service. The format of files must be “.bat”. NOTE All Windows environment variables can be used in connection/disconnection scripts (example: %USERDOMAIN%, %SystemRoot%, etc.).
  • Page 333 If you choose to create your own CA, you will need to use two certificates signed by it. If this CA is not a root authority, both certificates have to be issued by the same sub-authority.
  • Page 334: Ssl Vpn Portal

    SSL VPN Portal Stormshield Network’s SSL VPN allows your mobile or static users to connect to your company’s resources securely. The SSL VPN configuration screen consists of 4 tabs: General: Allows enabling the module, selecting the access type and configuring advanced properties.
  • Page 335: Advanced Properties

    Advanced properties Access to servers via SSL VPN Prefix for the URL root Stormshield Network’s SSL VPN technology enables masking the real addresses of directory servers to which users are redirected, by rewriting all URLs contained in HTTP pages visited. These URLs will then be replaced by a prefix followed by 4 digits. This field enables defining the prefix to be used.
  • Page 336 URL used by SSL VPN: Link calculated based on 3 fields: Destination server, Port and URL: access path. (Example: http://destination server/URL: access path). Name of the link on the user portal: The defined link appears on the Stormshield Network web portal. When the user clicks on this link, he will be redirected to the corresponding server.
  • Page 337: Adding An Owa Web Server

    Adding an OWA web server The SSL VPN module on Stormshield Network Firewalls supports OWA (Outlook Web Access) Exchange 2003, 2007 and 2010 servers. “Premium” mode can only be used in Windows with Internet Explorer 5 and higher. It is based on web technologies such as html, css and javascript but also on Microsoft proprietary technologies such as htc, xml and activeX.
  • Page 338: Adding A Lotus Domino Web Server

    Adding a Lotus Domino web server The SSL VPN module on Stormshield Network Firewalls supports Lotus domino servers. An HTTP server can be added to the list of web access servers with certain options specifically pre-entered for compatibility with Lotus Domino.
  • Page 339: Configuration With A Citrix Server

    Go to "Secure access" then select “Pop up secure-access window” from the drop-down list. Warning It is important for the Stormshield Network SSL VPN applet to operate as a background task. Next, select Portal access\Portal then enter your username, password and domain.
  • Page 340: User Profiles" Tab

    “User profiles” tab Operating principle All servers configured in the SSL VPN module are listed on the Stormshield Network authentication portal by default. As such, users who have the right to access SSL VPN features on the firewall have access to all the servers configured by the administrator. The concept of using profiles enables determining which users will have access to which servers configured in SSL VPN.
  • Page 341: Ssl Vpn Services On The Stormshield Network Web Portal

    SSL VPN services on the Stormshield Network web portal When authentication is enabled on the firewall (module Users\Authentication\General, select “Enable the captive portal”), then you will be able to access Stormshield Network’s SSL VPN features. To access SSL VPN features, the procedure is as follows: Open the web browser.
  • Page 342: Static Multicast Routing

    A multicast packet matching the rule (packet originating from an address contained in the multicast group and being presented by one of the declared source interfaces) will be sent to all destination interfaces.
  • Page 343: Stormshield Management Center

    STORMSHIELD MANAGEMENT CENTER If you have installed the Stormshield Management Center centralized administration server, this panel will allow you to install the attachment package in order to connect your firewall to the SMC server.
  • Page 344: System Events

    This alarm is transferred to the logs, and can be sent by Syslog (Logs – Syslog) or by e-mail (see module E-mail alerts). Log: The Stormshield Network firewall does not do anything. This is useful when you wish to log only certain types of traffic without applying any particular action.
  • Page 345: System Alarms List

    When you select an event from the list by clicking on it, a “Show help” link appears. Clicking on this link will take you to the Stormshield Network knowledge base, providing more details on the information relating to the event.
  • Page 346 USB error: Activation error: The event returned an unhandled error code: The following slot activation did not succeed: System was not properly halted DNS cache is cycled too quickly Get CRL failed
  • Page 347 Backup failed Power: Connection error with agentAD: Topology change Malicious file has been detected, hash: Remote service is no longer reachable: Remote service is reachable: An error occurred loading a proxy functionality:
  • Page 348: Temporary Accounts

    Connection ID of the temporary user. It will be automatically created by concatenating the first name and last name separated by a period. Example: john.doe First name First name associated with the account.
  • Page 349: Possible Operations

    This button allows deleting a temporary account: Select the user to remove. Click on Remove. Modify user This button allows you to modify certain parameters of a temporary account: First name, Last name, E-mail address,
  • Page 350 This button allows printing the information of a temporary account unless the beneficiary of the temporary account has modified the initial password. In this case, the account settings can only be printed after the password has been reinitialized;
  • Page 351: Url Filtering

    The procedure for editing a URL filter profile is as follows: Select a profile from the list of URL filter profiles. The table of filters will then appear as well as a screen indicating errors.
  • Page 352: Possible Operations

    Comments relating to the rule. REMARK Dragging and dropping only applies to URL categories or groups of categories here. REMARK The characters “[ ]” and “{}” are no longer allowed in URLs (Internet Explorer 7 and 8).
  • Page 353: Errors Detected

    This analyzer shows rule creation errors and coherence errors. Errors are displayed in the form of a list. By clicking on an error, the rule concerned will automatically be selected.
  • Page 354: Users

    Enter the name of the particular user or user group you are looking for. The search field will list all users and/or user groups with first names, last names and/or logins that correspond to the keywords entered. Example:
  • Page 355: Filter

    To create a user, enter at least a login and a name. To associate a certificate with this user, you will need to indicate a valid e-mail address. Login: User’s login. Name: User’s last name. First name: User’s first name.
  • Page 356: Delete

    List of users (CN) If you wish to access a user’s data, select the user in the list of CNs on the left. The information concerning this user will appear in the right column.
  • Page 357: Account" Tab

    Click on the group of your choice. It will be added to your table. To remove a group, select it and click on Delete. A user attached to several departments, for example, may belong to numerous groups. The maximum number is 50 groups per user.
  • Page 358: Virtual Interfaces

    Cancels the configuration of the IPSec interfaces. Click on Add in the toolbar. An additional row will be inserted into the table of IPSec interfaces. Presentation of the table The table sets out five fields of information:
  • Page 359: Creating Or Modifying A Gre Interface

    Enabled: Double-click to enable the created interface. Disabled: The interface is not in operation. The line will be grayed out in order to reflect this. Name (mandatory): Give the GRE interface a name.
  • Page 360: Creating Or Modifying A Loopback Interface

    Disabled: The interface is not in operation. The line will be grayed out in order to reflect this. Name (mandatory): Give the loopback interface a name. IP address (mandatory): Enter the IP address assigned to the loopback interface created. Comments (optional): Any text.
  • Page 361: Vulnerability Management

    Enable application and vulnerability detection: If this option is selected, vulnerability detection will be enabled and the relevant information will be visible in Stormshield Network REAL-TIME MONITOR. REMARK During the update (if you have purchased the license), the Vulnerability management module will be enabled by default. Alarms will be raised according to the default configuration: monitor all vulnerabilities for all internal hosts.
  • Page 362: List Of Monitored Network Objects

    Network object (host or group – network – address range): Selects the network object to which monitoring applies. This object will be scanned by the Stormshield Network Vulnerability Manager engine, which will rely on the rules contained in the associated detection profile.
  • Page 363: Advanced Configuration

    Database servers (SQL) “All known applications” profile This profile allows assigning to an object (host, group, network or address range), the detection of all client/server and operating system vulnerabilities detected by the Stormshield Network Vulnerability Manager. Advanced configuration Data lifetime (days) [1 – 30]: Duration for which data (application, vulnerability) will be kept without traffic or updates detected.
  • Page 364: Web Objects

    (URL database). URL database: Depending on the type of option subscribed, the available URL lists are updated by different providers (Stormshield Network or Stormshield Network Extended Web). Stormshield Network’s URL lists are offered by default.
  • Page 365: Url Table

    The table sets out the elements indicated below: URL: Name of the URL. Wildcards may be used. Comments: You can add a comment in this field to describe each URL listed.
  • Page 366: Certificate Name (Cn)" Tab

    Allows checking whether the group selected earlier is being used in a configuration. When you click on this button, a panel will appear in the tree structure of the modules and indicate the modules that use this group.
  • Page 367: Url Database" Tab

    URL filter is its higher quality compared to the embedded solutions. If you have subscribed to the option Stormshield Network EWC, in order to enable the URL filter feature on Extended Web Control URL lists, select the entry from the list of suggested providers.
  • Page 368: Ipv6 Support

    The firewall can send out router advertisements and prefixes (RA: Router Advertisement). Static routing IPv6 static routes can be defined on the firewall. Dynamic routing The dynamic routing engine handles IPv6 routes (RIP / BGP / OSPF protocols).
  • Page 369: Objects

    Events raised by IPv6 traffic (alarms, etc.) are saved in log files. They can also be looked up in the SN Real-Time Monitor application. IPSec IKEv1 IPv4 and/or IPv6 traffic can be transported through IPSec tunnels set up between: - IPv6 tunnel endpoints, - IPv4 tunnel endpoints.
  • Page 370: Notifications

    (IPv4 / IPv6): this server will be able to synchronize in IPv4 with Stormshield Active Update servers, and provision its updates to firewalls in IPv6.
  • Page 371: Ipv6 Support

    The dynamic routing engine handles IPv6 routes (RIP / BGP / OSPF protocols). DHCPv6 The firewall can take on the role of a DHCPv6 server or relay. Objects Network objects Network objects may have only IPv4 addresses, only IPv6 addresses or both (double stack).
  • Page 372: Unsupported Features

    In version 1.0, the following features will not be available for IPv6 traffic: - IPv6 address translation (NATv6), Application inspections (Antivirus, Antispam, HTTP cache, URL filtering, SMTP filtering, FTP filtering and SSL filtering), Use of the explicit proxy,
  • Page 373: General Points

    (IPv4 / IPv6): this server will be able to synchronize in IPv4 with Stormshield Active Update servers, and provision its updates to firewalls in IPv6.
  • Page 374: Network Settings Tab

    Several IP addresses and associated masks can be defined for the same bridge (when aliases need to be created, for example). These aliases can allow you to use the Stormshield Network firewall as a central routing point. As such, a bridge can be connected to various sub-networks with a different address range.
  • Page 375 The prefix advertised is the prefix configured in the interface’s IPv6 address range, extracted from the interface address (Configuration tab). The size of the IPv6 address mask (prefix length – CIDR) must be 64 bits.
  • Page 376: Creating A Bridge

    When this option is selected, the bridge will have an IPv4 address. If this address is static, this has to be indicated in the field below the checkbox along with its network mask. By default, a dynamic address will be assigned to it via DHCP.
  • Page 377: Modifying An Ethernet Interface (In Bridge Mode)

    2001:db8::70/32), in the field below the checkbox. Once the interface is outside the bridge, you will be able to access the parameters of the interface described in the chapter “Modifying an Ethernet interface (in bridge mode)”.
  • Page 378: Creating A Vlan

    (RA)” tab in the menu Modifying a Bridge. “Advanced properties” tab For advanced VLAN configuration options please refer to the paragraph “Advanced configuration” tab in the menu Modifying an Ethernet interface (in bridge mode).
  • Page 379: Virtual Interfaces

    Click on the button to access the object database and select a host. The “Default gateway” field will be grayed out if a list of gateways has been defined in the advanced configuration zone. Button bar Search Search that covers host, network and group objects.
  • Page 380: "IPv6 Dynamic Routing" Tab

    Clicking on this column will open the objects database in order to select a host (router). Color (Optional) A window will appear, allowing the selection of an interface color (used in Stormshield Network REAL-TIME MONITOR). (Optional) Comments Any text. “IPv6 dynamic routing” tab This tab makes it possible to enable and configure the IPv6 Bird dynamic routing engine (Bird6).
  • Page 381: "IPv6 Return Routes" Tab

    (IPSec). If the object is a host object, it must specify a MAC address. Comments Any text. (Optional) DHCP DHCP service settings are located within the DHCP IPv6 tab. General Enable service: enables the DHCP service in one of 2 specific modes: server or relay.
  • Page 382: "DHCP Server" Service

    Allows adding an address range. Select or create an IPv6 address range (IP address range network object). Delete Allows deleting one or several address ranges simultaneously. The table shows the address ranges used by the DHCP server for distributing addresses to clients:
  • Page 383 This field contains the host’s unique ID. This ID allows the firewall to identify the client (DUID) and reassign the reserved IP address to it. On a Windows client workstation, this DUID is stored in the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Dhcpv6DUID
  • Page 384: "DHCP Relay" Service

    The drop-down list allows selecting a host object or group object containing hosts. The firewall will relay client requests to this or these DHCP server(s). Listening interfaces for DHCP requests Indicate the network interfaces through which the firewall will receive DHCP client requests.
  • Page 385: Network Objects

    IPv4. IPv6 This option allows displaying all network objects of the chosen type (host, network, IP address range) in the list on the left with addresses exclusively in IPv6.
  • Page 386: The Different Types Of Objects

    “block all” filter policy. This concerns NS (Neighbour Solicitation) and NA (Neighbour Advertisement) messages. In Stormshield Network 1.0, certain actions that can only apply to IPv4 traffic will generate warnings (warning icon) or errors (error icon) in the field “Checking the policy” if IPv6 objects are included in the filter rules.
  • Page 387 IPv6 objects Rule including IPv6 objects and using [Rule X] Application inspections will only apply to IPv4 traffic. application inspections (Antivirus, Antispam, HTTP cache, URL filtering, SMTP filtering, FTP filtering or SSL filtering)
  • Page 388: How To: Implementing A Filter Rule

    HOW TO: Implementing a filter rule In this example, you wish to authorize HTTP access from a workstation on the internal network to an intranet server (located in a dmz1 for example) through your Stormshield Network firewall. REMARK For connections to another type of application server, such as a database server for example, the procedure is the same except for the value of the destination port(s).
  • Page 389: Selecting A Filter Policy

    Double-click on the value Block in the Action column: In the Action field, select pass, In the Log level field, select log if you want traffic matching this rule to be reflected in the IPS-Firewall’s filter logs.
  • Page 390 Double-click on the value Any in the Destination port column. In this case for the Destination port field, select HTTP.
  • Page 391: Activating The Filter Policy

    Has routing between the client workstation and the server been defined (static routes, default gateway to the IPS-Firewall)? Is the web service running on the server? Is there a firewall blocking the connection on the workstation or the server?
  • Page 392: How To: Setting Up A NAT Rule

    To perform this configuration, two network objects are needed: The web server’s private address. Example: Priv_Webserver, The IPS-Firewall’s public address. Example: Pub_FW. In the menu Configuration > Objects > Network objects, click on Add to create these objects:
  • Page 393: Selecting A Filter Policy

    NAT rules can be specified directly in this filter rule. In the Filtering tab, click on New rule > Standard rule. A new rule, which is disabled by default, is created:
  • Page 394 Source hosts field, select the network object Internet. Destination Double-click on the value Any in the Destination column: In the Destination hosts field in the General tab, select your network object Pub_FW,
  • Page 395: Activating The Filter Policy

    For the Destination port field, select HTTP. The filter and NAT rule will then look like this: NOTE It is certainly possible to complete this rule with extended Stormshield Network firewall features (customized security inspection profiles, scheduling, etc.). Activating the filter policy At the bottom of the Filter-NAT window, click on Save and apply.
  • Page 396 Has routing between the client workstation and the server been defined (static routes, default gateway to the IPS-Firewall)? Is the web service running on the server? Is there a firewall blocking the connection on the workstation or the server?
  • Page 397: How To: Ipsec Vpn - Authentication By Pre-Shared Key

    IPS-Firewall: Pub_Remote_FW, the intranet server to contact on the main site: Intranet_Server. These objects can be defined in the menu: Configuration > Objects > Network objects.
  • Page 398 IPS-Firewall (object Pub_Remote_FW). By default, the name of the peer will be created by adding a prefix “Site_” to this object name; this name can be customized:
  • Page 399 For better security, you can create a more restrictive rule on the IPS-Firewall that hosts the intranet server by specifying the source of the packets. To do so, when selecting the traffic source, indicate the value “IPSec VPN tunnel” in the field Via (Advanced properties tab):
  • Page 400: Configuring The Remote Site

    HTTP to the intranet server located on the local network of the main site (rule no. 1). You can also temporarily add, for example, ICMP to test the setup of the tunnel more easily (rule no. 2). The filter rule will look like this:
  • Page 401: Checking The Tunnel Setup

    Checking in Stormshield Network Realtime Monitor Launch Stormshield Network Realtime Monitor, log on to the IPS-Firewall of the main site through the program and click on the module Logs > VPN. Check that phases 1 and 2 took place correctly (message “Phase established”):...
  • Page 402 A message “Negotiation failed due to timeout” in phase 1 appears in the module Logs > VPN in Stormshield Network Realtime Monitor on the “initiator” IPS-Firewall. A message “Negotiation failed” in phase 1 appears in the module Logs > VPN in Stormshield Network Realtime Monitor on the “responder” IPS-Firewall.
  • Page 403: How To: Ipsec Vpn - Authentication

    A message “Could not get a valid proposal” in phase 2 appears in the module Logs > VPN in Stormshield Network Realtime Monitor on the “responder” IPS-Firewall. Solution: The appliances are attempting to negotiate but cannot seem to agree on an encryption policy in phase 2 (IPSec).
  • Page 404: How To: Ipsec Vpn - Authentication By Certificate

    The purpose of this chapter is to describe the configuration needed on the various IPS-Firewalls participating in the IPSec VPN: Creation of network objects, Creation of the PKI infrastructure, Certificate authority (CA), Certificate revocation list (CRL), IPS-Firewall certificates, Creation of IPSec tunnels, Setup of filter rules.
  • Page 405: Configuring The Main Site

    Organizational unit (OU). Example: the name of the CA user’s department, State or province (ST), Country (C). REMARKS When creating a root CA, the fields Parent CA and Password remain empty.
  • Page 406 PKI, click on Add > Add a server certificate. Fill in the field Fully qualified domain name with the FQDN of the main IPS-Firewall. The ID field suggests the same name by default.
  • Page 407 After entering a password to protect it, download the certificate by clicking on the hyperlink and save it on your administration workstation. Follow the same steps to export the certificate of the second remote IPS-Firewall.
  • Page 408 Edit. Next, click on Add to define the IPSec tunnels. Select the Star configuration model. A wizard will automatically launch:
  • Page 409 The VPN tunnel is meant to interlink two remote sites securely, but its purpose is not to filter traffic between these two entities. Filter rules therefore need to be set up in order to authorize only necessary traffic between identified source and destination hosts.
  • Page 410: Configuring Remote Sites A And B

    Intranet_server. On remote site B: the local network of the main site: Private_Net_Main_Site, the public address of the main IPS-Firewall: Pub_Main_FW, the local network of remote site B: Private_Net_Site_B,
  • Page 411

    Peer field: Pub_Main_FW, Remote networks field: Private_Net_Main_Site. Selecting the encryption policy and adding the VPN tunnel In the menu Configuration > VPN > IPSec VPN, select the Encryption policy – Tunnels tab.
  • Page 412 ICMP to test the setup of the tunnel more easily (rule no. 2). The filter rules will look like this: On remote site A: On remote site B:
  • Page 413: Checking The Tunnel Setup

    Checking in Stormshield Network Realtime Monitor Launch Stormshield Network Realtime Monitor, log on to the IPS-Firewall of the main site through the program and click on the module Logs > VPN. Check that phases 1 and 2 took place correctly (message “Phase established”):...
  • Page 414 Symptom: The tunnel cannot be set up. The messages “Negotiation failed” and “Certificate with serial XXX from issuer YYY: unable to get local issuer certificate” in phase 1 appear in the module Logs > VPN in Stormshield Network Realtime Monitor on the “responder” IPS-Firewall Solution: the “responder”...
  • Page 415: How To: Ipsec Vpn - Hub And Spoke Configuration

    Case no.2: all traffic via IPSec tunnels All the traffic goes through the Hub through tunnels. Internet access is centralized at the Hub level.
  • Page 416: Configuration Requirements

    Certificates have been created for the IPS-Firewalls, The respective certificates have been imported on the IPS-Firewalls of the Spoke sites, The CA has been added to the list of trusted CAs on each of the IPS-Firewalls to interlink.
  • Page 417: Tunnels

    Creating the Site_Spoke_B peer In the same way, create the Site_Spoke_B peer using the following values: Remote gateway: the IPS-Firewall of the Spoke B site (object Pub_FW_Spoke_B), Certificate: the certificate of the Hub IPS-Firewall.
  • Page 418 Private_Net_Hub => Site_Spoke_A => Private_Net_Spoke_A, Private_Net_Hub => Site_Spoke_B => Private_Net_Spoke_B. Filter rules Define the filter rules needed for exchanges between Spoke sites, Spoke sites and the Hub as well as local traffic to the Internet:
  • Page 419: Configuring The Satellite Sites Spoke A And Spoke B

    Spoke B IPS-Firewall. Creating tunnels Spoke A site Following the method described in the paragraph Configuring the Hub site / Creating tunnels, create the two tunnels needed:
  • Page 420 Internet: Spoke B site Define the filter rules needed for exchanges between Spoke B and Spoke A, Spoke B and the Hub as well as local traffic to the Internet:
  • Page 421: Case No.2: All Traffic Via Ipsec Tunnels

    To allow hosts on the network Private_Net_Spoke_A to access the internet, create the following NAT rule Spoke B site To allow hosts on the network Private_Net_Spoke_B to access the internet, create the following NAT rule Case no.2: all traffic via IPSec tunnels
  • Page 422: Configuring The Central Hub Site

    Case no. 1 to define the following VPN tunnels: Filter rules Define the filter rules needed for exchanges between Spoke sites, Spoke sites and the Hub as well as local traffic to the Internet:
  • Page 423: Configuring The Satellite Sites Spoke A And Spoke B

    Case no. 1 to define the following VPN tunnel: Filter rules In this tutorial, traffic between private networks is voluntarily not specified (destination port: ANY). To optimize performance (save bandwidth and machine resources), it is important to refine the
  • Page 424: Checking The Tunnel Setup

    Via the Stormshield Network administration suite Launch Stormshield Network Realtime Monitor, log on to the IPS-Firewall of the Hub site through the program and click on the module Logs > VPN. Check that phases 1 and 2 took place correctly (message “Phase established”):...
  • Page 425: Information And Diagnosis Tools In Console Mode

    From the same client workstation on the Spoke A site, set up a connection to a host on the Spoke B site, in order to test the setup of the second tunnel (Hub to Spoke B). In the module Logs > VPN in Stormshield Network Real-Time Monitor, check that phases 1 and 2 took place correctly (message “Phase established”):...
  • Page 426 IPSec gateway. Such information will be available only when tunnels have been set up. In Case no.2 of this tutorial (all traffic via IPSec tunnel), executing this command on the Spoke A IPS-Firewall will return the following result: The following information will be found:
  • Page 427: Incident Resolution - Common Errors

    - Common errors” in the tutorial “IPSec VPN – Authentication by certificate”. If you have opted for authentication by pre-shared key, please refer to the section “Incident resolution - Common errors” in the tutorial “IPSec VPN – Authentication by pre-shared key”.
  • Page 428: Appendix A: Allowed Names

    @ " # <tab> <space> Objects Prohibited characters: <tab> <space> | ! " # , = @ [ \ ] Prohibited prefixes: Firewall_ Network_ ephemeral_ Global_ Prohibited names: any internet none anonymous broadcast all
  • Page 429: Dns (Fqdn) Name Objects

    <alphanum> - _ . : Prefix of the URL’s root directory (allowed characters): <alphanum> - _ E-mail alerts Name of e-mail groups (prohibited characters): <tab> <space> | ! " # , = @ [ \ ]
  • Page 430: Appendix B: Structure Of An Objects Database In Csv Format

    DNS name (FQDN) Type of object (mandatory): fqdn, Name (mandatory): text string using only accepted characters (see Appendix A: Allowed names), IPv4 address (mandatory), IPv6 address (optional), Comments (optional): text string between quotes. Example:
  • Page 431: Network

    First port in the range (mandatory): number of the first port used by the port range, Last port in the range (mandatory): number of the last port used by the port range, Comments (optional): text string between quotes. Example: service,MyPortRange,tcp,2000,2032,""
  • Page 432: Protocol

    Name (mandatory): text string using only accepted characters (see Appendix A: Allowed names), Group components (mandatory): list of elements included in the group (list between quotes - components separated by commas), Comments (optional): text string between quotes. Example: servicegroup,ssl_srv,"https,pop3s,imaps,ftps,smtps,jabbers,ldaps","SSL Services"
  • Page 433: Glossary

    Mbps. Like regular Ethernet, Fast Ethernet is a shared media network in which all nodes share the 100 Mbps bandwidth. Active Update The Active Update module on Stormshield Network Firewalls enables updating antivirus and ASQ contextual signature databases as well as the list of antispam servers and the URLs used in dynamic URL filtering.
  • Page 434 ASQ (Active Security Qualification) Technology which offers Stormshield Network Firewalls not only a very high security level but also powerful configuration help and administration tools. This intrusion prevention and detection engine integrates an IPS which detects and gets rid of any malicious activity in real time.
  • Page 435 Common criteria The common criteria, an international standard, evaluate (on an Evaluation Assurance Level or EAL scale of 1 to 7) a product’s capacity to provide security functions for which it had been
  • Page 436 The X.509 format is most typically used and contains information regarding the user and the certification authority.
  • Page 437 A rule created to perform several possible actions on incoming or outgoing packets. Possible actions include blocking, letting through or disregarding a packet. Rules may also be configured to generate alarms which will inform the administrator of a certain type of packet passing through.
  • Page 438 HTTP Protocol used for transferring hypertext documents between a web server and a web client. HTTP Proxy A proxy server that specializes in HTML (Web page) transactions.
  • Page 439 Application level in the OSI model. IPSEC A set of security protocols that provides authentication and encryption over the internet and supports secure exchanges. It is largely used for the setup of VPNs (Virtual Private Networks).
  • Page 440 This translation type allows converting an IP address (or n IP addresses) into another (or n IP addresses) when going through the firewall, regardless of the connection source. Modularity Term describing a system that has been divided into smaller subsystems which interact with each other.
  • Page 441 Packet analyzer When an alarm is raised on a Stormshield Network Firewall, the packet that caused this alarm to be raised can be viewed. To be able to do so, a packet viewing tool like “Ethereal” or “Packetyzer” is necessary. Specify the selected tool in the Packet analyzer field, which Reporter will use in order to display malicious packets.
  • Page 442 Some IP address ranges can be used freely as private addresses on an Intranet, meaning, on a local TCP/IP network. Private address ranges are 172.16.0.0 to 172.31.255.255, 192.168.0.0 to 192.168.255.255 and 10.0.0.0 to 10.255.255.255.
  • Page 443 Replay Anti-replay protection means a hacker will not be able to re-send data that have already been transmitted.
  • Page 444 A secure authentication method which deters the misuse of passwords by issuing a different password for each new session. Slot Configuration files in the Stormshield Network UNIFIED MANAGER application, numbered from 01 to 10 and which allow generating filter and NAT policies, for example. SMTP (Simple Mail Transfer Protocol) TCP/IP communication protocol used for electronic mail exchange over the internet.
  • Page 445 Static quarantine A quarantine that the administrator sets when configuring the firewall. Stormshield Network REAL-TIME MONITOR Module in Stormshield Network’s Administration Suite that allows viewing the firewall’s activity in real time. Stormshield Network GLOBAL ADMINISTRATION Module in Stormshield Network’s Administration Suite that allows configuring firewalls.
  • Page 446 When an authentication service has been set up, every authorized user has to be defined by creating a “user” object. The larger the enterprise, the longer this task will take. Stormshield Network’s web enrolment service makes this task easier. If the administrator has defined a PKI, “unknown”...
  • Page 447 Virtual link which uses an insecure infrastructure such as the internet to enable secure communications (authentication, integrity & confidentiality) between different network equipment. WAN (Wireless Area Network) Local wireless network. Wi-Fi (Wireless Fidelity) Technology allowing wireless access to a network.
  • Page 448 SNS - USER CONFIGURATION MANUAL V.3 documentation@stormshield.eu