Stormshield SN series Configuration Manual page 125


New rule: Inserts a predefined line or a blank line after the selected line.
5 choices are available; authentication, SSL inspection and explicit HTTP proxy rules
will be defined via a wizard in a separate window:

• Single rule: This option creates a blank rule, leaving the administrator free to
  fill in the various fields in the filter table.

• Separator – rule grouping: This option inserts a separator above the selected line.
  This separator allows you to group rules that apply to traffic going to different
  servers and helps to improve the filter policy's readability and visibility by
  indicating a comment.
  Separators indicate the number of grouped rules and the numbers of the first and
  last rules in the form: "Rule name (contains total number of rules, from first to last)".
  You can collapse or expand the node of the separator in order to show or hide the
  rule grouping. You can also copy/paste a separator from one location to another.

• Authentication rule: The aim of this rule is to redirect unauthenticated users to the
  captive portal. Selecting it opens an authentication wizard.
  You will need to select the Source (displays "Network_internal" by default) and the
  Destination (displays "Internet" by default) of your traffic from the drop-down list of
  objects, and then click on Finish. As the port cannot be selected, the HTTP port is
  chosen automatically.
  As the Destination, you can specify URL categories or groups that are exempt from
  the rule, and therefore accessible without authentication (the web object
  authentication_bypass contains by default Microsoft update sites). Access to these
  sites without authentication can therefore also benefit from the firewall's security
  inspections.

• SSL inspection rule: The aim of this wizard is to create rules that inspect
  encrypted SSL traffic. You are strongly advised to go through this wizard to generate
  the two rules needed for the SSL proxy to run correctly.
  You will need to define the Profile of traffic to be encrypted by indicating the Source
  hosts ("Network_internal" by default), Incoming interface ("any" by default), the
  Destination ("Internet" by default) and the destination port ("ssl_srv" by default)
  from the drop-down list of objects.
  In order to Inspect encrypted traffic through the second zone in the wizard window,
  you will need to define the configuration of the Inspection profile, by selecting one
  of those you have defined earlier, or by leaving it in "Auto" mode. This automatic mode
  will apply the inspection relating to the source of the traffic (cf. Application
  protection > Inspection profile).
  You can also enable the Antivirus or Antispam and select the URL, SMTP, FTP or SSL
  filter policies (checking the CN field of the certificate presented).

• Explicit HTTP proxy rule: This option enables the explicit HTTP proxy and defines
  who can access it. You will need to choose a Host object and an Incoming
  interface in the Source field. Next, define the Inspection of transmitted traffic by
  indicating whether you wish to enable the Antivirus and select the URL filter
  policies.

  NOTE
  To allow a policy on a firewall hosted in the cloud to be similar to a policy on
  a physical appliance, the listening port of an explicit HTTP proxy can be
  configured on a port other than the default port (8080/TCP).

  Click on Finish.

Delete: Deletes the selected line.
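
A simplified model of the authentication rule described above, added here as an example (it is not Stormshield code and not part of the manual), which can be used to check which destinations an unauthenticated client reaches through the authentication_bypass exemption. The address range, the bypass patterns, the glob-style matching and all function names are assumptions, and every destination host is treated as belonging to "Internet".

```python
"""Model of the wizard-generated authentication rule (illustrative only)."""
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

HTTP_PORT = 80  # the wizard selects the HTTP port automatically

# Constructed stand-ins for the objects named in the manual (assumed values).
NETWORK_INTERNAL = [ip_network("192.168.10.0/24")]                 # "Network_internal"
AUTHENTICATION_BYPASS = ["*.update.example", "wsus.corp.example"]  # web object


def in_source(src_ip, networks=NETWORK_INTERNAL):
    """True when the client address belongs to the rule's Source object."""
    return any(ip_address(src_ip) in net for net in networks)


def is_bypassed(host, patterns=AUTHENTICATION_BYPASS):
    """True when the destination host matches an exempt pattern (assumed glob syntax)."""
    host = host.lower().rstrip(".")
    return any(fnmatch(host, pattern) for pattern in patterns)


def decide(src_ip, host, port, authenticated):
    """Outcome of the authentication rule for one request."""
    if not in_source(src_ip) or port != HTTP_PORT:
        return "next-rule"                 # rule does not match this traffic
    if authenticated:
        return "next-rule"                 # only unauthenticated users are redirected
    if is_bypassed(host):
        return "allowed-unauthenticated"   # exempt, but still inspected by the firewall
    return "redirect-to-captive-portal"


def unauthenticated_reach(hosts, src_ip="192.168.10.25"):
    """Hosts from a review list that an unauthenticated internal client can reach."""
    return [h for h in hosts
            if decide(src_ip, h, HTTP_PORT, False) == "allowed-unauthenticated"]


if __name__ == "__main__":
    review = ["dl.update.example", "www.example.org", "WSUS.corp.example."]
    for name in review:
        print(name, "->", decide("192.168.10.25", name, HTTP_PORT, False))
    print("reachable without authentication:", unauthenticated_reach(review))
```

Running the review list against each proposed change to the bypass group shows exactly which destinations become reachable before authentication.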
SNS - USER CONFIGURATION MANUAL V.3
sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016
FILTERING AND NAT
