Advanced Properties - Stormshield SN series Configuration Manual


SNS - USER CONFIGURATION MANUAL V.3
sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016
Page 159/448

IMPLICIT RULES

- Allow ISAKMP (UDP port 500) and the ESP protocol for IPSec VPN peers: IPSec VPN peers will be able to contact the firewall through both of these protocols that allow securing data circulating over IP traffic.
- Allow access to the firewall's web administration server (WebAdmin): administrators will be able to log on to the web administration interface.

  NOTE
  This rule allows access to the captive portal, and therefore the web administration interface for all users connected from a protected interface. To restrict access to web administration ("/admin/" directory), define one or several hosts in the menu System\Configuration\Firewall administration tab. A table will allow you to restrict access to these pages at the web application level.

- Allow "Bootp" requests with an IP address specified for relaying DHCP requests: BOOTP service (Bootstrap Protocol) requests to a DHCP server relayed by the firewall are allowed when they use an IP address specified in the configuration of the DHCP relay (option "IP address used to relay DHCP queries"). This option is used for relaying the DHCP queries of remote users through an IPSec tunnel to an internal server.
- Allow clients to reach the firewall SSL VPN service on the HTTPS port: Connections relating to the setup of the SSL VPN tunnel are allowed on the HTTPS port.
- Allow router solicitations (RS) in multicast or directed to the firewall: If IPv6 support has been enabled on the firewall, IPv6 nodes may send router solicitations (RS) in multicast or to the firewall.
- Allow requests to DHCPv6 server and DHCPv6 multicast solicitations: If IPv6 support has been enabled on the firewall, DHCPv6 clients may send solicitation queries to the server or DHCPv6 relay on the firewall.
- Do not log IPFIX packets in IPFIX traffic: this rule makes it possible to not include the packets that are needed for running the IPFIX protocol in logs sent to the IPFIX collector(s).

WARNING
The following actions may be dangerous:
- Disabling the "Serverd" rule: in the absence of an explicit rule, may cause users to no longer have access to tools using port 1300, namely Stormshield Network RealTime Monitor, GlobalAdmin, Stormshield Network Centralized Management and Stormshield Network Event Analyzer.
- Disabling the "WebAdmin" rule: you will no longer have access to the web administration interface, unless an explicit rule allows it.

Advanced properties

Include outgoing implicit rules for hosted services (indispensable): This checkbox, selected by default, enables outgoing implicit rules for services hosted by the firewall. Previously, this feature, which was found in earlier versions of the firmware, could only be modified in CLI.

IMPORTANT
These rules are indispensable for the proper operation of the firewall. They need to be explicitly defined in the filter policy if this checkbox has been unselected.
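
An added example, not taken from the Stormshield manual: a pre-change check that reports which firewall-hosted services a given source address would lose if the named implicit rules were disabled and only the explicit filter policy remained. The rule dictionaries, the first-match evaluation, the default block, TCP as the transport for port 1300 and TCP 443 for WebAdmin are assumptions of this example, not the firewall's configuration format.

```python
from ipaddress import ip_address, ip_network

# Services behind the implicit rules named above. UDP 500 and port 1300 come
# from the page; TCP for 1300 and TCP 443 for WebAdmin are assumptions.
IMPLICIT = {"Serverd": ("tcp", 1300), "WebAdmin": ("tcp", 443),
            "ISAKMP": ("udp", 500)}

# Constructed explicit filter policy (hypothetical format), evaluated top-down.
# Every rule is understood to have the firewall itself as destination.
POLICY = [
    {"action": "pass", "src": "10.0.0.0/24", "proto": "tcp", "ports": (443, 443)},
    {"action": "block", "src": "0.0.0.0/0", "proto": "tcp", "ports": (1, 65535)},
    # Shadowed: the block-all rule above matches port 1300 first.
    {"action": "pass", "src": "10.0.0.0/24", "proto": "tcp", "ports": (1300, 1300)},
]

def matches(rule, proto, port, src):
    """True if the rule applies to a flow from src to the firewall on proto/port."""
    lo, hi = rule["ports"]
    return (rule["proto"] == proto and lo <= port <= hi
            and ip_address(src) in ip_network(rule["src"]))

def lost_services(disabled, policy, src):
    """Names of implicit rules that, once disabled, leave src without access.

    Assumes first-match evaluation and a default block when nothing matches.
    """
    lost = []
    for name in disabled:
        proto, port = IMPLICIT[name]
        verdict = next((r["action"] for r in policy
                        if matches(r, proto, port, src)), "block")
        if verdict != "pass":
            lost.append(name)
    return lost

if __name__ == "__main__":
    for src in ("10.0.0.5", "192.168.1.9"):
        print(src, lost_services(["Serverd", "WebAdmin", "ISAKMP"], POLICY, src))
```

In the constructed policy the administrator at 10.0.0.5 keeps WebAdmin but loses Serverd, because the explicit pass rule for port 1300 sits below a broader block rule.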
