
UNIFIED THREAT MANAGEMENT AND NEXT-GENERATION FIREWALL SOLUTIONS

ADMINISTRATOR
TRAINING
STORMSHIELD
NETWORK SECURITY

NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY


Training and certification program 7
Presentation of Stormshield and its products 10
Introduction to Stormshield 11
Stormshield Data Security 13
Stormshield Endpoint Security 15
Stormshield Network Security 17
Standard and optional features in SNS 27
Appendix 29
Standard features 30
Security packs and software options 34
Hardware options 38
Handling the firewall 40
Registering the firewall and accessing documentation 41
Stop/start/reset 45
Connecting to the firewall 48
Web user interface 51
Dashboard 54
System configuration 56
Modifying the "admin" account password 62
License 64
Maintenance 67
Logs and monitoring 78
Log categories 79
Configuring and viewing logs 82
Monitoring and history graphs 89
Syslog, SVC, e-mail notifications and reports 94
Appendix 98
Enabling the syslog 99
Stormshield Visibility Center (SVC) 102
E-mail notifications 106
Reports 111
Objects 115
General points 116
Network objects 119

Network configuration 132
Configuration modes 133
Types of interfaces 139
System routing 156
Advanced routing 161
Order of routing types 174
Appendix 178
Wi-Fi interfaces 179
Dynamic DNS 185
DHCP 189
Static multicast routing 194
DNS proxy cache 197
Bird static routing 200
Bird dynamic routing 203
Address translation 206
General points 207
Dynamic translation 209
Static translation by port 212
Static translation 215
"NAT" Menu 220
Order of application of NAT rules 231
Appendix 235
Advanced properties 236
Filtering 244
General points 245
The "stateful" concept 247
Sequencing of filter and translation rules 249
“Filtering” Menus 252
Coherence and compliance analyzer 270
Appendix 274
Advanced properties 275
Application protection 280
Enabling proxy mode 281
HTTP proxy 284
HTTPS proxy 298
Antivirus analysis 305
Breach Fighter analysis 310
Intrusion prevention module and security inspection 313
Appendix 319
SMTP filtering and antispam 320
Host reputation 328

Users & authentication 334
Introduction 335
Linking to a directory 337
Managing users 347
Authentication methods 351
Authentication policy 355
Captive portal 359
Filter rules for authentication 369
Defining new administrators 377
Appendix 382
Guest method 383
VPN 386
Different types of VPN 387
IPSec VPN – Concepts and general points 389
IPSec VPN – Configuration of a site-to-site tunnel 395
IPSec VPN – Configuration of multiple site-to-site tunnels 408
IPsec VPN - Virtual Tunneling Interface 412
Appendix 422
Point to Point Tunneling Protocol 423
IPSec VPN dynamic peers 427
SSL VPN 436
Concepts and general points 437
Setting up a tunnel 444
Appendix - Troubleshooting 457
Introduction 458
Before creating an incident 460
Essential elements 463
Additional information 466
Access to the firewall 470
Virtual Labs 473
Architecture diagram 474
Installing and preparing the virtual platform 475
LAB 1: Handling the firewall 480
LAB 2: Objects 481
LAB 3: Network configuration 482
LAB 4: Address translation 484
LAB 5: Filtering 485
LAB 6: Content filtering (HTTP and HTTPS) 487
LAB 7: Authentication 488
LAB 8: IPSec VPN (site to site) 489
LAB 9: SSL VPN 490

Virtual Labs - Corrections 491
LAB 1: Handling the firewall 492
LAB 2: Objects 493
LAB 3: Network configuration 494
LAB 4: Address translation 495
LAB 5: Filtering 496
LAB 6: Content filtering (HTTP and HTTPS) 497
LAB 7: Authentication 499
LAB 8: IPSec VPN (site to site) 500
LAB 9: SSL VPN 502
Advanced labs 504
LAB 1: Implementing the infrastructure 506
LAB 2: Embedded reports 509
LAB 3: DHCP features 509
LAB 4: VLANs and router objects 510
LAB 5: Advanced SMTP application filtering 512
LAB 6: Authentication and temporary accounts 514
LAB 7: Authentication and sponsorship 515
LAB 8: SSL VPN and Site-to-site IPSec VPN 516
LAB 9: Routing via VTIs 517
LAB 10: Centralizing logs with SVC 520
Advanced labs - solutions 521

All images in this document are for representation only, actual products
may differ.

6 Copyright © Stormshield 14/09/2020


TRAINING AND
CERTIFICATION COURSE
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

Training program

➔ Training and certification program


Introduction to the company and products
Getting started with the firewall
Logs and monitoring
Objects
Network configuration
Address translation
Filtering
Application protection
Users & authentication
VPN
SSL VPN

The topics in this module will not be evaluated in Stormshield certification exams.


TRAINING AND CERTIFICATION LEVELS


[Figure: training and certification levels. SNS track: CSNA (Certified Stormshield Network Administrator), CSNE (Certified Stormshield Network Expert) and CSNTS (Certified Stormshield Network Troubleshooting & Support); CSMCE (Certified Stormshield Network Management Center Expert); OT track: FSNOT / CSNOT (Fundamental / Certified Stormshield Network Operational Technology). A CSNA kit for distance learning is also offered.]

SNS training includes five certificate courses:


• CSNA (Certified Stormshield Network Administrator): three-day training program to
introduce the range of Stormshield Network products and the main features that can
be configured from the web administration interface.
• CSNE (Certified Stormshield Network Expert): three-day training program presenting
the advanced features of Stormshield Network firewalls that can also be configured
via the web administration interface.
• CSNTS (Certified Stormshield Network Troubleshooting & Support): configuration
and monitoring in console mode are the focus of this four-day training program. At
the end of this course, trainees will gain in-depth knowledge about the Stormshield
Network product so that they can provide configuration debugging.
• CSMCE (Certified Stormshield Management Center Expert): this two-day course
covers all the features of SMC, the tool dedicated to the centralized administration of
Stormshield Network appliances.
• FSNOT (Fundamental Stormshield Network Operational Technology): this two-day
complementary course (no certificate is awarded at the end of it) presents the main
features on Stormshield Network firewalls and explains how to deploy these firewalls
in industrial environments.
• CSNOT (Certified Stormshield Network Operational Technology): this one-day course
allows trainees to expand their expertise in filtering industrial protocols through
practical exercises.
All courses consist of a theory component (classroom) that explains how all the features operate
and how to configure them, and a practical component (labs) to apply and test these features.


Apart from the FSNOT course, each course level concludes with a certification that
trainees obtain by taking a test on our e-learning platform at
https://institute.stormshield.eu
Trainees are allowed two attempts for each exam from their Institute accounts.
Access to the exam automatically begins the day after the end of the course and
remains open for three weeks for the CSNA, CSNE, CSMCE and CSNOT exams, and six
months for the CSNTS exam. If trainees fail their first attempt or are unable to sit for
the exam within this time frame, they will be entitled to a second and final attempt,
which will open with immediate effect for an additional week. The minimum score
required for all exams in order to obtain the certification is 70%.

The format of the exam depends on the certification level:

• CSNA: the exam consists of 70 MCQ/MRQ questions to be completed
within 1 1/2 hours (1 hour 40 minutes for the certification in English).
• CSNE: the exam consists of 90 MCQ/MRQ questions to be completed
within 2 hours (2 hours 10 minutes for the certification in English).
• CSNTS: the exam consists of 60 questions: 50% MCQ/MRQ and 50% open
questions to be completed within 3 hours (3 hours 30 minutes for the
certification in English).
• CSMCE: The exam consists of 50 MCQ/MRQ questions to be completed
within 1 1/2 hours (1 hour 40 minutes for the certification in English).
• CSNOT: the exam consists of 20 MCQ/MRQ questions to be completed
within 1 hour (1 hour 30 minutes for the certification in English).

For all levels, trainees must score at least 70% in order to be certified.

Stormshield certifications are valid for three years, during which trainees can attend
classroom-based courses to validate certification at a higher level. When trainees
obtain certification at a higher level, lower-level certifications will be automatically
renewed.

Trainees can also remotely renew their last certification obtained by ordering a
recertification kit.

STORMSHIELD:
PRESENTATION OF THE
COMPANY AND ITS
PRODUCTS
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

Training program

✔ Training and certification course


➔ Stormshield: presentation of the company and its products
Getting started with the firewall
Logs and monitoring
Objects
Network configuration
Address translation
Filtering
Application protection
Users & authentication
VPN
SSL VPN

The topics in this module will not be evaluated in Stormshield certification exams.

Stormshield: presentation of the company
and its products

STORMSHIELD:
PRESENTATION OF THE
COMPANY
STORMSHIELD: PRESENTATION OF THE
COMPANY AND ITS PRODUCTS

Program of this module

➔ Stormshield: presentation of the company


Stormshield Data Security
Stormshield Endpoint Security
Stormshield Network Security
Standard and optional features in SNS


STORMSHIELD: PRESENTATION OF THE COMPANY

[Figure: company timeline]
• 1998: creation of Netasq (FR).
• 2000: creation of Arkoon (FR). First firewall that embedded an IPS; first UTM on the market.
• 2013: acquisition and merger; fully owned subsidiary of Airbus CyberSecurity.
• 2014: launch of the Stormshield brand and product range.

Businesses, government institutions and defense organisations around the world
need trusted partners they can count on to bridge their digital transition and
guarantee the cybersecurity of their infrastructures, users and data. Stormshield’s
technologies have been certified at the highest levels in Europe: EU Restricted, NATO
Restricted (NR), Common Criteria EAL3+/EAL4+, including recommendations and
approvals from ANSSI (France's National Cybersecurity Agency). This is how they
respond to new challenges in IP and OT to protect your organization. Our security
solutions give you the freedom to focus on your business and nothing else.

Find out more at www.stormshield.com

We channel our technology into three complementary product ranges to ensure
flawless security:
• Protection of information and industrial networks - Stormshield Network Security
• Protection of workstations and servers - Stormshield Endpoint Security
• Protection of data - Stormshield Data Security


STORMSHIELD DATA
SECURITY

Program of this module

✔ Introduction to Stormshield
➔ Stormshield Data Security
Stormshield Endpoint Security
Stormshield Network Security
Standard and optional features in SNS


STORMSHIELD DATA SECURITY

Stormshield Data Security lets users stay in control of their data in Microsoft environments by
offering the following possibilities:
• Transparent encryption of local or shared folders with Disk and Team, including USB devices,
• Integration with mail applications, such as Microsoft Outlook and Lotus Notes, to encrypt
and/or sign e-mails with Mail,
• Secured collaborative data with Team,
• Easier paperless administrative and sales procedures with Sign, which signs all types of files,
• Safe destruction of files and folders with Shredder,
• Administration through Powershell commandlets or business APIs with Connector,
• Centralized administration with Authority Manager.

Stormshield Data Security for Cloud & Mobility caters to organizations’ need for mobility and
the migration of their data to the cloud.
When an agent is installed on Windows or Mac OS X platforms or on Apple and Android
smartphones, users can access their work data without protection. All data that needs to be
stored locally or with a cloud provider will be encrypted before it is sent.
With agentless encryption technology, the encryption/decryption function can be used directly
in the browser as an add-on to encrypt files processed by web applications or e-mails from a
webmail account. So, no need for administrators to deploy any agents, and no need to install
agents for external users who need to receive confidential information.

Stormshield Data Security Enterprise version 9.1.2 was awarded EAL3+ certification for its
transparent file encryption feature in September 2016.


STORMSHIELD
ENDPOINT SECURITY

Program of this module

✔ Introduction to Stormshield
✔ Stormshield Data Security
➔ Stormshield Endpoint Security
Stormshield Network Security
Standard and optional features in SNS


STORMSHIELD ENDPOINT SECURITY

[Figure: Stormshield Endpoint Security feature overview]

ZERO-DAY PROTECTION
• Proactive protection – no signature databases
• No updates needed for offline environments
• Protection from current and future attacks, even the most sophisticated

PROTECTION FROM ILLICIT AND MALICIOUS USE
• Protection from malicious operations by the user
• Prevents attempts to copy or remove sensitive data
• Prevents operations that do not comply with the security policy, such as the use of
personal mobile phones or unsecured WiFi networks

COMPREHENSIVE REPORTS
• Comprehensive reports compiled from logs that include the use of devices and WiFi
• Thorough analysis of threats: potentially infectious USB flash drives, crucial
workstations or critical services and processes on the OS that may be vulnerable to
attacks, etc.

SECURITY POLICY
• A single policy is all it takes to secure your network
• Modular, context-based security rules
• Easy deployment and management of security policies

GUARANTEED SERVICE CONTINUITY
• Business as usual, even during an attack
• Attacks blocked without user intervention
• Information reported in the central management console

When targeted, sophisticated attacks strike, Stormshield Endpoint Security responds
in real time to monitor and block programs that behave suspiciously. This includes
memory access, keyloggers, vulnerability exploitation and misuse of legitimate
programs. Because it runs within the operating system, it is particularly effective
against zero-day and ransomware attacks.

Although it does not rely on signature databases, Stormshield Endpoint Security
maintains optimal security conditions for environments that operate under a wide
range of restrictions, such as industrial systems and point-of-sale terminals. This
protection runs in real time without affecting the performance of the workstation,
and is fully transparent and autonomous. Furthermore, it does not require any
connection to external systems, and the centralized console immediately warns the
administrator of attacks. And since there are no signature databases to maintain, this
solution is particularly suited to end-of-life or unsupported systems.

Stormshield Endpoint Security version 7.2.6 was awarded EAL3+ certification for its
surface encryption functional module.


STORMSHIELD
NETWORK SECURITY

Program of this module

✔ Introduction to Stormshield
✔ Stormshield Data Security
✔ Stormshield Endpoint Security
➔ Stormshield Network Security
Standard and optional features in SNS


FIREWALL HARDWARE

[Figure: the SN appliance range by target segment: small businesses, agencies and branch offices; mid-size businesses and agencies; industry; large corporations and datacenters; WiFi models.]

The Stormshield Network Security product range consists mainly of two large categories
illustrated in the figure above: physical appliances (SN range) and virtual appliances (EVA).

• Products in the SN range are divided into four families:
▪ SN160, SN210 and SN310 for small businesses, agencies and subsidiaries. SN160W
and SN210W appliances have built-in WiFi cards to enable secure wireless
connections.
▪ SNi40, designed for industrial environments.
▪ SN510, SN710 and SN910 for mid-size organizations.
▪ SN2100, SN3100 and SN6100 for large organizations and datacenters.

The technology on all Stormshield Network products is based on a proprietary IPS (Intrusion
Prevention System) engine embedded in a FreeBSD kernel.

• Stormshield Network Security version 2.2.6 is:
▪ EAL3+ certified for the Stormshield Firewall software suite embedded in Stormshield
appliances,
▪ EAL4+ certified for filtering features in the Stormshield Firewall software suite.


VIRTUAL APPLIANCES


Virtual appliances are compatible with the following hypervisors:
• VMware vSphere - version 6.0, 6.5 or 6.7,
• Citrix XenServer - version 7.6 and upwards,
• Microsoft Hyper-V – Windows Server 2012 R2 and upwards,
• Linux KVM - Red Hat Enterprise Linux 7.4 and upwards.

Virtual appliances for the cloud are available from AWS (Amazon web services) and Microsoft
Azure providers, making it possible to protect your servers hosted with them.

Stormshield also offers the Stormshield Pay As You Go range, which caters to private cloud
providers that offer hosted services and/or Internet access, either in the form of SaaS or IaaS.
When these appliances are deployed in your virtual infrastructure, you will be able to offer your
clients a network security service that can be billed monthly based on the number and size of
virtual firewalls used.


SMALL BUSINESSES, AGENCIES AND BRANCH OFFICES

                                  SN160(W)              SN210(W)              SN310
Number of 10/100/1000 interfaces  1 + 4 ports (switch)  2 + 6 ports (switch)  8
IPS throughput (Gbps)             1                     1.6                   2.4
IPSec VPN throughput (Mbps AES)   200                   350                   600
Concurrent connections            150,000               200,000               300,000
SD card slot                      Yes                   Yes                   Yes
Hard disk drive                   -                     -                     -


Use cases
• SN160(W): Remote site connected via VPN, unified security for small
structures. Two separate WiFi networks can be created with the SN160W.
• SN210(W): Remote site connected via VPN, unified security for small
structures with a DMZ or dual WAN access. With the SN210, two trusted
zones can be created on the internal network, and Internet access link
redundancy can be set up. The SN210W also makes it possible to create
two separate WiFi networks.
• SN310: Unified security for small structures requiring continuity (high
availability) and safety zones. The SN310 offers 8 physical ports and
supports high availability.

Log storage is limited by default on this appliance range, but can be extended with
the use of SD cards.


MID-SIZE ORGANIZATIONS AND LARGE AGENCIES

SN510 SN710 SN910

Number of 10/100/1000 interfaces 12 8-16 8-16

Number of 1Gb fiber interfaces - 0-8 0-10

Number of 10Gb fiber interfaces - 0-4 0-4

IPS throughput (Gbps) 3.3 8 15

IPSec VPN throughput (Gbps AES) 1 2.4 4

Concurrent connections 500,000 1,000,000 1,500,000

Hard disk drive > 200 GB > 200 GB 120 GB SSD


Use cases
• SN510: Mid-size organizations that need to archive logs locally. With the
SN510, logs can be stored locally and archived on the hard disk.
• SN710: Mid-size organizations that require network modularity, offering a
combination of copper ports (up to 16) and 10-gigabit Ethernet fiber ports.
• SN910: Mid-size organizations that require flexibility in order to enhance
performance. The SN910 can also support 8 Ethernet ports, 10 1G fiber
ports or 4 10G fiber ports.


LARGE CORPORATIONS AND DATACENTERS

                                        SN2100                 SN3100               SN6100
Number of 10/100/1000 interfaces        2-26                   2-26                 8-64
Number of 1/10/40 Gb fiber interfaces   0-24/0-12/0-6          0-24/0-12/0-6        0-64/0-34/0-16
IPS throughput (Gbps)                   35                     55                   68
IPSec VPN throughput (Gbps AES)         8                      10                   20.5
Concurrent connections                  2,500,000              5,000,000            20,000,000
Hard disk drive                         256 GB SSD             256 GB SSD (RAID 1)  512 GB SSD (RAID 1)
                                        (RAID 1 as an option)
Redundant power supply                  -                      Yes                  Yes

Use cases
• SN2100: Organizations with high performance and scalability
requirements. The SN2100 offers a high level of modularity thanks to
optional network extension modules.
• SN3100: Organizations with critical architectures. The SN3100 embeds
redundant hardware components to ensure better availability: SSD hard
disks in RAID1 and redundant power supply. It supports the same network
configurations as the SN2100.
• SN6100: Large corporations and datacenters. The SN6100 offers unrivaled
network modularity and can support up to 64 copper or fiber ports. It
offers firewall performance of up to 170Gbps and hardware component
monitoring via IPMI.


INDUSTRY

SNi40

Number of 10/100/1000 interfaces 5

Number of 1G SFP fiber interfaces 0-2

IPS throughput (Gbps) 2.9

IPSec VPN throughput (Gbps AES) 1.1

Concurrent connections 500,000

Hard disk drive 32 GB SSD

Redundant power supply yes


Use cases
• When industrial protocols need to be used (Profinet, Modbus, S7 200-300-
400, OPC UA).
• Hardware bypass: service continuity is critical in industrial settings. The
SNi40 appliance builds in a hardware bypass feature (ports 6 and 7) that
allows network traffic to continue to pass through during a power outage
or hardware failure.
• Resistance to external elements (e.g., impact, electromagnetic
interference, dust or extreme temperatures): the appliance provides IP30
protection (IP code).
• DIN rail hardware format to protect PLCs (Programmable Logic
Controllers).


VIRTUAL APPLIANCES

EVA1 EVA2 EVA3 EVA4 EVAU

Concurrent connections 200,000 400,000 1,000,000 1,500,000 5,000,000

Number of 802.1q VLAN interfaces 128 256 512 512 1024

Number of tunnels 200 500 750 5,000 10,000

Simultaneous SSL VPN clients 100 150 200 250 500

Max number of vCPU/memory (GB) 1/2 2/3 4/6 4/8 16 / 64


Stormshield’s Elastic Virtual Appliance range offers organizations a full range of
security features without the need for an initial investment, only subscriptions to
services that include system updates and various protections.

The performance of these products automatically adapts to the resources that the
hypervisor allocates. This means that you can monitor your operating costs
whenever you need to expand your infrastructure.

Stormshield’s Elastic Virtual Appliance also protects virtual servers and virtual
networks in clouds hosted by Amazon Web Services or Microsoft Azure. This is easy
to set up, simply by including SN firewalls in the cloud provider’s Marketplace.


LONG TERM SUPPORT BRANCH VERSION

[Figure: version timeline. Main branch: V3.6, V3.7, V3.8, V3.9, V3.10, V4, V4.1. LTSB branch derived from V3.7: V3.7.1, V3.7.2 ... V3.7.9, with 1 year support minimum.]

Major or minor versions with this label are considered versions that will be stable
over a long term, and will be supported for at least 12 months. These versions are
recommended for clients whose priority is stability instead of new features and
optimizations.


CENTRALIZED ADMINISTRATION


Stormshield Management Center


SMC, which requires a license, makes it possible to manage a pool of Stormshield
firewalls.
Physical and/or virtual firewalls that need to be managed will be attached to the
SMC server with the help of a connecting package, regardless of whether they are in
a production environment or in factory configuration.
To manage the pool more easily, firewalls will be classified in folders, as all the items
that SMC can deploy (explained later in this module) may affect a single firewall, a
firewall folder or the entire pool.
Apart from direct access to logs and activity reports on connected firewalls via the
SMC server, with SMC you can:
• Deploy global objects.
• Deploy filter and translation rules.
• Deploy IPSec VPN topologies.
• Deploy NSRPC scripts.
• Deploy templates based on global and/or local variables.
• Manage certificates, including their deployment and renewal.
• Monitor firewalls (resources, licenses, etc.).


STANDARD AND
OPTIONAL FEATURES IN
SNS

Program of this module

✔ Introduction to Stormshield
✔ Stormshield Data Security
✔ Stormshield Endpoint Security
✔ Stormshield Network Security
➔ Standard and optional features in SNS


STANDARD AND OPTIONAL FEATURES

[Figure: map of SNS features, split into Security features, Network features and Services, with standard and optional features distinguished. Recoverable labels: Firewall, Filtering, IDS/IPS, Protocol analysis, Application control, Application inventory, Content control, Vulnerability detection, Antivirus, Antimalware, Antispam, Antiphishing, URL filtering, Extended Web Control, DDoS protection, Mobile device control, Collaborative security, Industrial protocols, Microsoft and Web 2.0 protection, SSL decryption, Transparent authentication, Filtering by user, Scheduling of rules, Internal and external PKI, Detection of interactive connections, Dynamic routing, Policy-based routing, Physical link redundancy (LACP), WAN link redundancy, Transparent/routed/hybrid mode, Site-to-site or mobile IPSec VPN, Stormshield IPSec VPN Client, SSL VPN tunnel mode, PPTP remote access, Secure IPSec IPv4/IPv6, High availability, Publication of web applications, HTTP cache proxy, Quality of Service, Encryption, Support for Android/iOS.]

You will find all product datasheets and features available in the SNS range on
Stormshield.com.

You will find the installation guides for various products on
documentation.stormshield.eu.

APPENDIX –
STORMSHIELD:
PRESENTATION OF THE
COMPANY AND ITS
PRODUCTS
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.

Appendix
Stormshield: presentation of the company and
its products

STANDARD FEATURES
STANDARD AND OPTIONAL FEATURES

Program

➔ Standard features
Security packs and software options
Hardware options


STANDARD FEATURES

Stormshield Network range

Functions - Products                    SN160(w)  SN210(w)  SN310, SN510,    SN2100, SN3100  Virtual
                                                            SN710 and SN910  and SN6100      appliances
IPS engine
  Protocol analysis: IP, ICMP, TCP,
  UDP, HTTP, FTP, SIP, RTSP, etc.;
  industrial (SCADA): MODBUS, S7        Yes       Yes       Yes              Yes             Yes
  Context-based patterns                Yes       Yes       Yes              Yes             Yes
Antispam
  Heuristic analysis                    Yes       Yes       Yes              Yes             Yes
  Reputation-based detection (DNS RBL)  Yes       Yes       Yes              Yes             Yes
ClamAV Antivirus                        -         Yes       Yes              Yes             Yes
Stormshield URL Filtering               -         Yes       Yes              Yes             Yes
System
  RAID 1                                -         -         -                Yes             -
  Double system partition               Yes       Yes       Yes              Yes             -
  High availability                     -         -         Yes              Yes             Yes

Stormshield Network products integrate standard functions as described below:

• IPS Protocol Analysis: includes all the checks applied on network (IP, TCP,
UDP, etc.) and application (HTTP, FTP, etc) protocols to ensure their
compliance. From version 2.3 onwards, this analysis will also make it
possible to check two industrial protocols (SCADA): MODBUS and S7.
• IPS contextual signatures: an attack database used in addition to the
protocol analysis to rapidly detect known attacks.
• Antispam:
o Heuristic engine: allows the firewall to qualify an email as spam by
using a specific algorithm that determines the degree of legitimacy
of emails.
o Reputation-based detection (DNS RBL: Real time Blackhole List):
based on RBL servers that indicate if an email is spam, based on
the reputation of the sender. The list of RBL servers is constantly
updated.
• ClamAV Antivirus: open-source antivirus engine designed to detect
viruses, Trojans and malware. Its library provides different file format
detection mechanisms and tools that operate in conjunction with
compressed files and archives.
• Stormshield URL Filtering: proprietary URL database used for web
filtering. The URLs are classified into 16 categories.
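The DNS RBL check described above, as an added example that is not part of the original training material or of Stormshield's code: it builds the reversed-address query name (IPv4 and IPv6), classifies the zone's answer, and treats zone error codes, bogus answers and failed lookups as non-listings so an unreachable RBL never blocks all mail. The zone names, the 127.255.255.0/24 error convention and the listing threshold are assumptions; the resolver is a constructed offline stand-in.

```python
"""DNS RBL (DNSBL) sender-reputation lookup.

Constructed illustration, not Stormshield code: the resolver is injected so the
example runs offline against a small fake zone table.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# A resolver maps a query name to its A records ([] for NXDOMAIN) and raises on
# transport errors (timeout, SERVFAIL). Injected so the example needs no network.
Resolver = Callable[[str], List[str]]

# Listing answers live in 127.0.0.0/8 by convention. Assumption: 127.255.255.0/24
# is reserved by some operators for query error codes and is never a listing.
LISTED_BLOCK = ipaddress.ip_network("127.0.0.0/8")
ERROR_BLOCK = ipaddress.ip_network("127.255.255.0/24")


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed address labels under the zone.

    IPv4 reverses the dotted octets; IPv6 reverses every hex nibble of the
    fully expanded address, one nibble per label.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".") + "."


def check_zone(ip: str, zone: str, resolver: Resolver) -> Dict[str, str]:
    """Query one zone and classify the answer.

    Statuses: listed, clean, error (zone signalled a query problem), unexpected
    (answer outside 127/8, typically a broken or expired zone), unknown (lookup
    failed) and skipped (address that can never be a public sender).
    """
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return {"zone": zone, "status": "skipped", "detail": "non-routable sender"}
    name = rbl_query_name(ip, zone)
    try:
        answers = resolver(name)
    except Exception as exc:  # timeout, SERVFAIL, refused
        return {"zone": zone, "status": "unknown", "detail": f"lookup failed: {exc}"}
    if not answers:
        return {"zone": zone, "status": "clean", "detail": "NXDOMAIN"}
    codes = [ipaddress.ip_address(a) for a in answers]
    detail = ", ".join(str(c) for c in codes)
    if any(c in ERROR_BLOCK for c in codes):
        return {"zone": zone, "status": "error", "detail": detail}
    if all(c in LISTED_BLOCK for c in codes):
        return {"zone": zone, "status": "listed", "detail": detail}
    return {"zone": zone, "status": "unexpected", "detail": detail}


def sender_verdict(ip: str, zones: List[str], resolver: Resolver,
                   threshold: int = 1) -> Tuple[str, List[Dict[str, str]]]:
    """Query every zone; the sender is 'spam' once at least `threshold` zones list it.

    Only genuine listings count: errors, unexpected answers and failed lookups are
    reported but never turned into a block (assumed fail-open policy).
    """
    results = [check_zone(ip, z, resolver) for z in zones]
    hits = sum(1 for r in results if r["status"] == "listed")
    return ("spam" if hits >= threshold else "ok"), results


# Constructed fake zone data standing in for real RBL answers (192.0.2.0/24 is
# documentation address space; the zone names are placeholders).
CONSTRUCTED_ZONES: Dict[str, List[str]] = {
    "10.2.0.192.rbl-a.example.": ["127.0.0.2"],               # listed
    "10.2.0.192.rbl-b.example.": ["127.0.0.2", "127.0.0.4"],  # listed, two reasons
    "30.2.0.192.rbl-a.example.": ["127.255.255.254"],         # error code from the zone
    "40.2.0.192.rbl-a.example.": ["10.1.1.1"],                # bogus answer, not a listing
}


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in for a DNS client; names starting '50.' simulate a timeout."""
    if name.startswith("50."):
        raise TimeoutError("query timed out")
    return CONSTRUCTED_ZONES.get(name, [])  # unknown names resolve as NXDOMAIN


if __name__ == "__main__":
    zones = ["rbl-a.example", "rbl-b.example"]
    for sender in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.50"]:
        verdict, details = sender_verdict(sender, zones, fake_resolver)
        print(sender, verdict, [(d["zone"], d["status"]) for d in details])
```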


• System:
o RAID 1 (Redundant Array of Independent Disks): Ensures the
reliability of data storage by placing a copy of the data on two
separate hard drives.
o Double system partition (main and backup): Allows storage of two
firmware versions.
o High availability: Ensures the continuity of services by using two
firewalls: one in active mode and the other in passive mode. If the
active firewall is no longer reachable, the passive firewall switches
to active mode to guarantee the transmission and protection of
data. This feature monopolizes a network interface on each
firewall.


STANDARD FEATURES

Stormshield Network range


Services - Products                             SN160(w)  SN210(w)   SN510, SN710, SN910,   Virtual
                                                          and SN310  SN2100, SN3100 and     appliances
                                                                     SN6100
• Dynamic routing, policy-based routing         Yes       Yes        Yes                    Yes
• DHCP Client                                   Yes       Yes        Yes                    Yes
• DHCP Server/Relay                             Yes       Yes        Yes                    Yes
• DynDNS client                                 Yes       Yes        Yes                    Yes
• NTP client                                    Yes       Yes        Yes                    Yes
• SNMP agent                                    Yes       Yes        Yes                    Yes
• DNS cache                                     Yes       Yes        Yes                    Yes
• Syslog                                        Yes       Yes        Yes                    Yes
• Tunnels: IPSEC VPN, SSL VPN, GRE, GRETAP, VTI  Yes       Yes        Yes                    Yes
• RSTP/MSTP                                     -         -          Yes                    Yes
• LACP                                          -         -          Yes                    -
• PKI and CA                                    Yes       Yes        Yes                    Yes
• Local logs                                    Option    Option     Yes                    Yes

The table above presents the services available on Stormshield Network Security
products. Do note that local log storage is native on all products except SN160(w),
SN210(w) and SN310 models because they do not have a built-in hard disk drive.
However, with the External storage license option, which is enabled by default on
models in v4 and above, logs can be stored locally on a removable SD card.


SECURITY PACKS AND SOFTWARE OPTIONS

Program

✔ Standard features
➔ Security packs and software options
Hardware options


SECURITY PACKS

Certain additional features are available with a subscription to specific security packs:
• Stormshield Network Vulnerability Manager: identifies and reports vulnerabilities and
weaknesses on applications and services used on protected networks in real time. To do so,
SNVM works in collaboration with the IPS to collect and archive information relating in
particular to the operating system, various activities and the various versions of applications
installed. These may be client applications (Firefox) or networked services (Apache, Bind,
OpenSSH, etc). SNVM reports the vulnerabilities it detects by identifying the hosts involved,
and suggests possible fixes as well.
• Kaspersky antivirus: developed and integrated by Kaspersky Labs, it represents one of the
best antivirus solutions currently available on the market. Its engine analyzes incoming and
outgoing mail, web traffic as well as files in real time to detect and eliminate all viral
intrusions on protected networks. To ensure optimum protection, the virus pattern database
is constantly updated. The advantages of this antivirus include its support for many archive
formats, its better processing performance compared to ClamAV, and the enhanced
performance of its heuristic analysis engine.
• Extended Web Control web filtering: relies on a cloud-hosted URL database provider. The
base references several hundred million URLs classified into 65 thematic categories:
shopping, education, banking, etc. The main advantage of this new option is the quick update
of the URL database, which is no longer downloaded on the firewall.
• Log storage on the "external storage" SD card: allows firewalls with SD memory card slots to
store logs on such cards. On SN160(w), SN210(w) and SN310 products, SD cards make it
possible to generate all activity reports (without an SD card, only five reports can be used).
• Breach Fighter: makes it possible to run an analysis in the cloud in addition to the one run by
Kaspersky antivirus to block sophisticated attacks, with the support of a dedicated security
team.


SECURITY PACKS

Stormshield offers security service packs to cater to specific usage requirements.

These packs include:
• Updates including continuous patches and upgrades of protection systems
(firmware, IPS, applications, etc),
• Hardware maintenance of Stormshield Network products on two levels:
Standard exchange upon receipt of defective products or Express Exchange
as soon as the breakdown is detected,
• Access to technical support through a partner network,
• Access to the "Stormshield Security Watch" area via the Stormshield client
area. In this area, you will see a list of the vulnerabilities and attacks
managed by Stormshield Network Security solutions.

The various packs:

• Remote Office Security Pack: This pack is specially intended for the
protection of small remote offices, directly connected to their central site
via a VPN tunnel. It has been adapted to thoroughly manage and filter
access over the network. Security features such as antivirus, antispam and
URL filtering are therefore managed by the central site. This pack is only
available on SN160(w) and SN210(w) products.


• UTM Security Pack: Corporations seeking unified protection from threats
conveyed by the web or electronic mail and wishing to closely monitor the
online activity of their users would find it advantageous to subscribe to
this pack. They would then benefit from Stormshield Network Security's
unique intrusion prevention technology, an advanced antispam engine, an
antivirus module to detect malicious programs and 16 website categories
for defining an internet access policy.
• Premium UTM Security Pack: This pack caters to corporations with
stringent security requirements. It provides the best technologies to
counter the most sophisticated attacks. Kaspersky's antimalware system
with emulation technology and URL filtering in cloud mode based on 65
categories (Extended Web Control) will raise your protection to a level that
is unrivalled on the market. The SN Vulnerability Manager module offers
real-time visibility over network or application vulnerabilities that affect
workstations and servers on the information system.
• Enterprise Security Pack: Aimed at enterprises that have distinct
protection solutions for each security function at their disposal, this pack
concentrates the added value of Stormshield Network Security products
on Next-Generation Firewall features. Application databases for the
purpose of application control are continuously updated, with priority
given to applications requested by our clients. The SN Vulnerability
Manager module offers real-time visibility over network or application
vulnerabilities that affect workstations and servers on the information
system.


HARDWARE OPTIONS
STANDARD AND OPTIONAL FEATURES


Hardware options              SN710       SN910       SN2100      SN3100      SN6100
                              (1 module)  (1 module)  (2 modules) (2 modules) (6 modules)
8 10/100/1000 copper port     Option      Option      Option      Option      Option
extension module
4 Gigabit SFP fiber port      Option      Option      Option      Option      Option
extension module
8 Gigabit SFP fiber port      -           -           Option      Option      Option
extension module
2 10-Gigabit SFP+ fiber port  -           -           -           Option      Option
extension module
4 10-Gigabit SFP+ fiber port  -           -           Option      Option      Option
extension module
BIG DATA (1 TB hard disk)     -           -           -           Option      Option

The high range appliances (SN710, SN910, SN2000, SN3000 and SN6000) offer
incomparable network modularity on the market thanks to optional copper or fiber
modules:

• SN710 embeds 8 10/100/1000 ports and can support an additional 8
10/100/1000 ports, 4 SFP 1Gbps ports or 2 SFP+ 10Gbps ports (1 extension
module).

• SN910 embeds 8 10/100/1000 ports + 2 SFP+ 10Gbps ports and can support an
additional 8 10/100/1000 ports, 6 SFP 1Gbps ports or 2 SFP+ 10Gbps ports (1
extension module).

• SN2100 and SN3100 embed 2 10/100/1000 ports in the standard version and can
support an additional 24 10/100/1000 ports, 24 SFP 1Gbps ports, 12 SFP+ 10Gbps
ports (3 extension modules) or 6 40 Gbps ports.

• SN6100 embeds 8 10/100/1000 ports in the standard version and can support an
additional 62 10/100/1000 ports, 64 SFP 1Gbps ports, 34 SFP+ 10Gbps ports (7
extension modules) or 16 40 Gbps ports.

GETTING STARTED WITH THE FIREWALL
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

Training program

✔ Training and certification course
✔ Stormshield: presentation of the company and its products
➔ Getting started with the firewall
Logs and monitoring
Objects
Network configuration
Address translation
Filtering
Application protection
Users & authentication
VPN
SSL VPN

Getting started with the firewall

REGISTERING THE FIREWALL AND ACCESSING DOCUMENTATION
GETTING STARTED WITH THE FIREWALL

Program of this module

➔ Registering the firewall and accessing documentation
Stop/start/reset
Connecting to the firewall
Web user interface
Dashboard
System configuration
Modifying the "admin" account password
License
Maintenance


REGISTERING THE FIREWALL AND ACCESSING DOCUMENTATION

https://mystormshield.eu

In your MyStormshield personal area, you will be able to track and manage the life
cycle of your Stormshield products through two types of accounts: client and
partner.

With a client account, you can register all the Stormshield products belonging to a
single company.
With a partner account, you can oversee managed services for partner accounts, if
such services have been set up.

When you create a MyStormshield account, you need to enter information about
your company or your client’s company.
When you receive a Stormshield product, you need to register it in your or your
client’s account in order to activate the maintenance contract.

Several contacts can be entered for each user within the same user account.
You can access online help dedicated to the MyStormshield website from the
homepage.


REGISTERING THE FIREWALL AND ACCESSING DOCUMENTATION

In your MyStormshield area, you can:

• Download licenses, new versions of firmware and administration tools,
• Retrieve configuration files stored in the cloud,
• Access the documentation base to obtain marketing and legal information,
• Subscribe to our newsletter,
• Oversee managed services on partner accounts,
• Retrieve updates for some services (context-based patterns, Stormshield URL
database, etc) automatically on the firewall,
• Submit suggestions for URL categorization,
• Open tickets with Stormshield's TAC.


REGISTERING THE FIREWALL AND ACCESSING DOCUMENTATION

Authentication is not required to access https://documentation.stormshield.eu,
which contains all publicly available documentation that Stormshield's team of
technical writers manage:
• Version release notes,
• Configuration guides,
• Technical notes.
Technical notes explain how to set up sophisticated configurations by providing step-
by-step instructions that present the concepts and parameters involved.

You can access the knowledge base at https://kb.stormshield.eu and authenticate
using your MyStormshield credentials. The SNS TAC (technical support) regularly
updates and adds articles to this base.
You will find some of the following information in the knowledge base:
• Specific configuration parameters,
• Known functional limitations,
• Recordings of webinars organized by the TAC,
• Diagnosis procedures.


STOP/START/RESET
GETTING STARTED WITH THE FIREWALL



STOP/START/RESET

Figure: connectors on the appliance: SD card slot, LEDs, power supply, network interfaces, reset button, console port and USB port.

Connectors are similar throughout the UTM range, but may have a different location
depending on the product:
• On/Off button,
• Three status LEDs:
o The first LED, in orange, indicates that the firewall is powered on
(power cable plugged),
o The second LED, in green, indicates that the firewall system is
starting up or shutting down,
o The third LED, in green, indicates that the firewall has finished
booting and is running,
• SD card slot: to add memory cards on the firewall,
• PS2 keyboard port and VGA or HDMI video connector: to connect a
keyboard and screen to the firewall and access console mode,
• Serial port or USB port connected internally to a serial adapter: to connect
a serial console on the firewall,
• Reset button: to restore the firewall's factory settings,
• USB port: to connect a USB key or a 3G modem,
• Network interfaces: type and number of interfaces depend on the firewall
model.

Note: The memory card must be at least Class 10, SDHC standard with a maximum
capacity of 32 GB (2 TB for SN160(W), SN210(W), and SN310).


Starting the firewall:

Start the firewall by powering it up, then pressing the start button if there is one. At
the beginning, the first two LEDs, starting from the orange one, will light up,
indicating that the firewall is powered up and the system is starting. Once the system
has started up, the last LED will light up, indicating that the firewall is running; on
some models, you will hear a beep.

Turning off the firewall:

Shut down the firewall either by pressing the Off button (if there is one), or through
the administration interface. The first green LED will start blinking, which means that
the system is shutting down. Once the system has shut down, both green LEDs will
switch off and the firewall will stop running.

Restoring factory settings:

Hold the Reset button down for 10 seconds; on some models, you will hear a beep.
The firewall will restore factory settings and reboot automatically.


CONNECTING TO THE FIREWALL
GETTING STARTED WITH THE FIREWALL



CONNECTING TO THE FIREWALL

Figure: default configuration. External interface OUT; internal interfaces IN, DMZ1 to DMZn; all in one bridge (/8) on which a DHCP server distributes addresses up to 10.0.0.100.

In the default configuration, the first interface of the firewall is named "OUT", the
second "IN" and the remaining interfaces "DMZx". The "out" interface is an external
interface used to connect the firewall to the Internet and the other interfaces are
internal and are mainly used to connect the firewall to local networks.

Keeping internal/external interfaces separate ensures that you are protected from IP
address spoofing attacks.

All interfaces are included in a bridge with the address 10.0.0.254/8. A DHCP server
is enabled on all interfaces of the bridge and distributes IP addresses between
10.0.0.10 and 10.0.0.100 inclusive.

To access the firewall's administration interface, connect your machine to an internal
interface.

NOTE : With the default configuration, when a host connects to the external
interface then to an internal interface, the firewall will consider this an IP address
spoofing attempt on the bridge, and will then block all traffic generated by this
machine. The firewall must be rebooted to work around this situation.
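The note above describes how the bridge treats a host that shows up first on the external interface and then on an internal one. The following Python model is an added example, not Stormshield code: each source address is bound to the side of the bridge where it was first seen, a later appearance on the other side raises an alarm and blocks the host, and only reboot() clears that state. The interface names and the choice to key on the source IP alone are assumptions.

```python
# Model of the bridge IP-spoofing check described in the note above.
# Added example, not Stormshield code: interface names and the choice to
# key on the source IP alone are assumptions made for illustration.

class BridgeSpoofGuard:
    """Binds each source IP to the side (external/internal) of the bridge
    where it was first seen and drops everything from a host that later
    shows up on the other side, until the firewall is rebooted."""

    EXTERNAL = "out"                    # first interface in the default config
    INTERNAL = ("in", "dmz1", "dmz2")   # constructed internal interface names

    def __init__(self):
        self.first_seen = {}   # src_ip -> interface of its first packet
        self.blocked = set()   # hosts considered to be spoofing
        self.alarms = []       # alarm lines (constructed format)

    def side(self, iface):
        if iface == self.EXTERNAL:
            return "external"
        if iface in self.INTERNAL:
            return "internal"
        raise ValueError(f"unknown bridge interface {iface!r}")

    def packet(self, src_ip, iface):
        """Return 'pass' or 'drop' for one packet seen on iface."""
        if src_ip in self.blocked:
            return "drop"      # a blocked host stays blocked on every interface
        first = self.first_seen.setdefault(src_ip, iface)
        if self.side(first) != self.side(iface):
            self.blocked.add(src_ip)
            self.alarms.append(
                f"IP spoofing: {src_ip} first seen on {first}, now on {iface}")
            return "drop"
        return "pass"

    def reboot(self):
        """A reboot is the only way out of the blocked state, as the note says."""
        self.first_seen.clear()
        self.blocked.clear()


if __name__ == "__main__":
    guard = BridgeSpoofGuard()
    for ip, iface in [("10.0.0.42", "out"), ("10.0.0.42", "in"),
                      ("10.0.0.42", "out"), ("10.0.0.7", "in"),
                      ("10.0.0.7", "dmz1")]:
        print(ip, iface, guard.packet(ip, iface))
    print(guard.alarms)
```

Moving between two internal interfaces is not a side change in this model and therefore passes; the page only documents the external-to-internal case.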


CONNECTING TO THE FIREWALL

Figure: https://10.0.0.254/admin opened in Microsoft Edge, Google Chrome or Mozilla Firefox.

You can access the firewall's administration interface through a browser in HTTPS at
"https://10.0.0.254/admin". In order for this interface to operate optimally, you are
advised to use the latest versions of Microsoft Edge, Google Chrome and Mozilla
Firefox.

Access to administration pages requires authentication. By default, there is only the
admin system account, which holds all privileges on the appliance, and can log in. In
factory configuration, the password for this account is also admin; for obvious
security reasons, the password must be changed.
To authenticate, users can also use certificates stored in their browsers.

In the advanced options, the administrator can select the language of the
configuration menus and read-only access, which prevents the configuration from
being modified.
An icon at the top right side of the page opens online help.


WEB USER INTERFACE
GETTING STARTED WITH THE FIREWALL



WEB USER INTERFACE

Figure: layout of the administration interface: header, menus, menu contents and administration interface logs.

The administration interface is divided into four parts:

1. The header (green box): contains the following information:
• Firewall name: the default name is the serial number,
• Firmware version,
• Connected user and access privileges: read-only or read and write, and
access to logs: restricted or full,
• Link to help for the current menu and more information on settings and
menu options. Do note that you will be redirected to an online page when
you open help.

When you click on the user name, you will be able to:
• Access the Preferences menu to configure parameters relating to the
administration interface. The most important are:
o Idle time before logging the user out of the administration
interface (30 minutes by default),
o Display options in the menus (always show advanced
configurations, number of filter rules per page, etc.),
o External links to Stormshield sites.
• Obtain or release write permissions. Note that at any given time, only one
user can have the write permission on the firewall.
• Access private data.
• Log out the user.


2. Menus (red box): configuration and monitoring menus, and shortcuts in the form
of expandable lists. Menus are classified under two categories: the Monitoring
tab for anything that relates to monitoring, logs or the status of the firewall; the
Configuration tab for objects and the configuration of various features.

3. Menu contents (blue box): displays the contents of the selected menu.

4. Administration interface logs (brown box): displays the list of web interface logs,
which can be customized. For example, you can choose to show only NSRPC
commands executed by the web interface, reported errors, warnings, etc.


DASHBOARD
GETTING STARTED WITH THE FIREWALL



DASHBOARD


The dashboard includes all information and indicators regarding the firewall:
• Status of Active Update,
• Alarms,
• License (expiry date of each module),
• Properties (serial number, active policies, date and time, etc),
• Interfaces (list of configured network interfaces),
• Status of various services.

Clicking on an item in the dashboard will redirect you to the monitoring or
configuration page relating to the item.


SYSTEM CONFIGURATION
GETTING STARTED WITH THE FIREWALL



SYSTEM CONFIGURATION: GENERAL


The CONFIGURATION ⇒ SYSTEM ⇒ Configuration menu lets you configure the
firewall's system, network and administration parameters. It consists of three tabs:

1. GENERAL CONFIGURATION:
• Name of the firewall, which is the serial number by default,
• Language of the firewall for logs: English or French,
• Layout of the keyboard used for direct console access: English, French,
Italian, Polish or Swiss.
• Cryptography settings offer two options which relate to certificates
(covered in the Expert course) and the ANSSI Diffusion restreinte
mode respectively.
• The password policy defines the minimum length and mandatory
characters for passwords created in the firewall's various menus (for
example: user passwords in the internal directory (LDAP), passwords that
protect backup files, passwords of certificates created on the firewall). By
default, the minimum length is one character and no characters are
mandatory. However, the administrator may impose alphanumeric
passwords only or alphanumeric with special characters.


SYSTEM CONFIGURATION: GENERAL


• Time settings: date, time and time zone. These parameters are crucial for
functions such as logs and authentication. The firewall must be restarted
if the time zone is changed.
• To allow the firewall to automatically synchronize its clock with an NTP
server, simply select Synchronize firewall time (NTP). By default, two NTP
servers belonging to Stormshield are preconfigured in the list of servers,
which may be modified.


SYSTEM CONFIGURATION: FIREWALL ADMINISTRATION


2. FIREWALL ADMINISTRATION:
• The "admin" account’s permission to access the administration interface
can be withdrawn. This means that a new administrator with the right
permissions must be created. Otherwise, you will permanently lose access
to the firewall's administration interface.
• The port used to access the firewall's administration interface can be a
port other than the standard HTTPS (443/TCP), which is defined by default.
The access URL then becomes: https://firewall_@IP:port/admin.
• By default, the firewall's administration interface uses a certificate issued
by the firewall's certification authority. The link "Configure the SSL
certificate for access to the administration interface" will lead to the menu
that allows you to modify this certificate.
• Protection from brute force attacks on the administration interface can be
enabled/disabled; the number of attempts and the interval between
attempts (in minutes) can be configured. By default, after 3 unsuccessful
attempts, access from the IP address in question will be blocked for 1
minute.
• Access to the administration interface may be restricted to a specific host
or network. In this case, the host or network has to be in the Authorized
administration host list. By default, only internal networks and those
represented by the object "Network_internals" are allowed to access it.


• SSH (secure connection) access can be enabled and the service's listening
port – SSH (22/TCP) by default – can be changed. The password needs to
be activated for simplified access. In this case, users will be prompted to
enter their logins and passwords when logging in. Otherwise, you will need
to manage access using a key pair.
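Two of the protections listed in this tab, the authorized administration host list and the brute-force lockout (3 failed attempts, then the source IP is blocked for 1 minute by default), can be modelled in a few lines. The Python below is an added example, not Stormshield code; counting failures in a sliding window equal to the configured interval, and the sample network that stands in for the "Network_internals" object, are assumptions.

```python
# Model of two protections from the "Firewall administration" tab above:
# the authorized administration host list and the brute-force lockout
# (3 failed attempts -> the source IP is blocked for 1 minute by default).
# Added example, not Stormshield code. Counting failures in a sliding window
# of the configured interval is an assumption about how the check behaves.
import ipaddress
from collections import defaultdict, deque


class AdminAccessGuard:
    def __init__(self, authorized_networks, max_attempts=3, interval_minutes=1):
        # authorized_networks stands in for the "Network_internals" object
        self.authorized = [ipaddress.ip_network(n) for n in authorized_networks]
        self.max_attempts = max_attempts
        self.interval = interval_minutes * 60          # seconds
        self.failures = defaultdict(deque)             # ip -> recent failure times
        self.blocked_until = {}                        # ip -> block expiry time

    def is_authorized_host(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.authorized)

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                   # block expired: forget the history
            del self.blocked_until[ip]
            self.failures[ip].clear()
            return False
        return True

    def login(self, ip, password_ok, now):
        """Outcome of one login attempt: 'denied-host', 'blocked', 'ok' or 'failed'.
        `now` is a timestamp in seconds so a caller can drive the clock."""
        if not self.is_authorized_host(ip):
            return "denied-host"            # not in the authorized host list
        if self.is_blocked(ip, now):
            return "blocked"
        if password_ok:
            self.failures[ip].clear()       # a good login resets the counter
            return "ok"
        recent = self.failures[ip]
        while recent and now - recent[0] > self.interval:
            recent.popleft()                # drop failures outside the window
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self.blocked_until[ip] = now + self.interval
        return "failed"


if __name__ == "__main__":
    guard = AdminAccessGuard(["10.0.0.0/8"])       # constructed internal network
    for t in (0, 10, 20, 30):
        print(t, guard.login("10.0.0.5", False, t))
    print(90, guard.login("10.0.0.5", True, 90))
```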


SYSTEM CONFIGURATION: NETWORK PARAMETERS


3. NETWORK PARAMETERS:

• Stormshield Network firewalls support IPv6 and several features (interface,
routing, filtering, VPN and administration) are IPv6-compatible. However,
this support is optional and can be enabled with the button Enable
support for the IPv6 protocol on this firewall.

NOTE: As this operation is irreversible, you will automatically be asked to
back up your configuration when you click on this button. You can
backtrack to IPv4 support only (without IPv6) after you reset the firewall's
configuration.

• When a firewall goes through a proxy to access the internet, the proxy's
parameters have to be configured in this menu.

• One or several DNS servers may be added. The firewall contacts these
servers to resolve names that it sends or relays. These names have to be
resolved for features such as Active Update which queries update servers
in order to download databases (context-based patterns, antivirus,
Vulnerability Manager, etc). These DNS servers will also be used when the
DNS cache service is enabled in transparent mode (see the Appendix on
the DNS cache proxy).


MODIFYING THE "ADMIN" ACCOUNT PASSWORD
GETTING STARTED WITH THE FIREWALL



MODIFYING THE "ADMIN" ACCOUNT PASSWORD


The password of the admin account can be changed in the ADMIN ACCOUNT tab
in the CONFIGURATION ⇒ SYSTEM ⇒ Administrators menu. The password must
contain at least 5 characters and comply with the password policy defined in the
CONFIGURATION menu.

The strength of the password indicates its level of security: Very weak, weak,
moderate, good, excellent. You are strongly advised to use uppercase letters and
special characters to increase the level of security.

The Export the private key and Export the public key buttons on the firewall make it
possible respectively to download the private key and the public key of the admin
account.


LICENSE
GETTING STARTED WITH THE FIREWALL



LICENSE: GENERAL


The menu CONFIGURATION ⇒ SYSTEM ⇒ License displays all information regarding
the license. The firewall holds a temporary license that is valid for 3 months, allowing
it to be immediately operational when it is powered up. The permanent license can
be downloaded from your personal Stormshield area (after registering your firewall)
or installed automatically. It is presented in the form of a .license file.

The menu is made up of two tabs:

1. GENERAL:
At the top of the tab, a button allows you to search for new licenses directly on
Stormshield update servers and another button allows you to install licenses. These
buttons are followed by information on the duration of the license’s validity and the
various options available. The section Install from a file makes it possible to install a
license from the .license file stored on the PC.
The section Advanced configuration makes it possible to configure the frequency
with which the firewall will look for updates and automatically install them.


LICENSE: LICENSE DETAILS


2. LICENSE DETAILS:
The buttons that allow you to search for and install licenses are also found in this
section. Use the search bar to find out whether an option or service is available in
the license.
The rest of the page sets out the contents of the license with validity durations of
various options.


MAINTENANCE
GETTING STARTED WITH THE FIREWALL



MAINTENANCE: UPDATING THE SYSTEM

Figure: system update with backup. Before: the active partition holds System x / Config y and the backup partition holds System x-1 / Config y-1. After installing the .maj file: the active partition holds System x+1 / Config y and the backup partition holds System x / Config y.

In the CONFIGURATION ⇒ SYSTEM ⇒ Maintenance menu, system updates and
configuration backups/restorations can be managed. Four tabs make up this menu:

1. System update:
This tab allows the administrator to update the version of the system (firmware). The
".maj" update file can be downloaded from the Stormshield client account or the
firewall can automatically retrieve it when you click on "Search for new updates".

The diagram above illustrates the update of the partition system. The new version of
the system "x+1" will replace the older version "x" located on the active partition
while keeping the same configuration "y". The administrator can choose whether to
create a backup of the active partition on the backup partition before the update,
using the option "Back up the active partition on the backup partition before
updating the firewall" (if the option has been selected, the older version of the
system "x-1" and the configuration "y-1" will be permanently lost).

In "Advanced configuration", the administrator can choose whether to download
and enable an update or to download it only and enable it later with the option
"Enable firmware downloaded earlier".


MAINTENANCE: BACKING UP A CONFIGURATION


2. BACKUP:
In this tab, the administrator can manually back up the firewall's configuration,
downloaded and saved beforehand in a .na encrypted file format. The items that
are backed up in the file include:

• Network (interface, routing and dynamic DNS),
• SMTP filtering,
• URL filtering,
• SSL filtering,
• Web objects,
• Global modules,
• Secure configuration,
• Active Update,
• Services (SNMP, DHCP server),
• IPS inspection profiles,
• Network objects,
• Filtering and NAT,
• IPSec VPN,
• LDAP.
The administrator cannot back up only part of the configuration from the web
interface; partial backups can be made only from CLI. Furthermore, the file may be
protected with a password that needs to be entered in the advanced configuration
section.


MAINTENANCE: BACKING UP A CONFIGURATION


The administrator can also enable the automatic backup of the configuration file.
Two options are available:

• Cloud backup: By enabling this option, the configuration file will be stored
on a server hosted in a service infrastructure called a cloud backup
service managed by Stormshield. Backups may be performed every day,
every week or every month. In advanced configuration this frequency can
be configured and the configuration can be protected with a password
thanks to the Backup frequency and Backup file password
parameters. Backups are secured via an HTTPS connection and certificate-
based authentication. A maximum of 5 configuration files per firewall can
be saved on the cloud's servers. Beyond that, new files will overwrite
older files. These files can be accessed from Stormshield's client area.


• Customized server: with this option, configuration files will be stored on a
server that has an IP address entered in the Backup server parameter.
Several parameters can be configured in advanced configuration:
• Server port: listening port of the backup server,
• Communication protocol: HTTP or HTTPS,
• Server certificate: active only if HTTPS has been selected. It
specifies the certificate presented by the server on which the
configuration backup will be sent. The aim of this option is for the
firewall to be able to confirm the identity of the server before
sending the backup file to it,
• Access path: specifies the folder in which configuration files will
be stored,
• Sending method: selects the HTTP sending method: basic
authentication (auth basic), digest authentication (auth digest) or
POST,
• Login and password: used with the sending methods auth basic
and auth digest,
• POST – control name: used with the POST sending method,
• Backup frequency: frequency with which backups are sent – set by
default to one week,
• Backup file password: protects backup files with a password.


MAINTENANCE: RESTORING A CONFIGURATION


3. RESTORE:
A configuration may be restored from a .na file stored on the host. If the
configuration file is password-protected, the administrator will need to enter it in the
advanced configuration section.

Partial restorations are possible. In this case, in Advanced properties, select the
necessary module(s). In all cases, you are advised to restart the firewall after a
restoration (you will be asked to restart after a full restoration).

NOTE: As the admin user's password is not saved in the configuration file, it will
not be restored or backed up.


MAINTENANCE: RESTORING A CONFIGURATION


Configurations can also be restored from the latest automatic backup from the date
indicated as Date of last backup. If the backup is password-protected, the
administrator will need to enter it in the advanced configuration section.


MAINTENANCE: CONFIGURATION

Figure: the two possible scenarios. (1) Active partition = main partition, passive partition = backup partition. (2) Active partition = backup partition, passive partition = main partition.

4. CONFIGURATION:
All physical Stormshield Network UTM appliances hold two fully independent
partitions that make it possible to store various firmware versions. Each partition has
its own configuration. It is therefore important to distinguish between main/backup
partitions and active/passive partition. There are two possible scenarios as
illustrated above: (1) active partition => main and passive partition => backup or (2)
active partition => backup and passive partition => main.

The administrator can select the partition that will become active the next time the
firewall is started (main or backup). The other partition will then automatically
become the passive partition.
With the "Back up active partition" button, the contents of the active partition
(configuration + firmware) can be copied to the backup partition.

The last maintenance options allow you to reboot or shut down the firewall and
download the system report, a text file that shows the firewall's status and many
other indicators that will help technical support with their diagnosis.


MAINTENANCE: ACTIVE UPDATE


The CONFIGURATION ⇒ SYSTEM ⇒ Active Update menu allows you to monitor the
automatic updates of the following modules:

• Antispam: DNS blacklists (RBL),
• Embedded URL databases,
• IPS: context-based protection patterns,
• Antivirus: ClamAV antivirus signatures (or Kaspersky),
• Antispam: heuristic engine,
• Vulnerability management (if the option has been enabled in the license),
• Root certification authorities.
• IPS: custom context-based protection patterns.
• Geolocation / Public IP reputation

The administrator can enable or disable the update of a single module or of all
modules at once using the buttons "Allow all" or "Reject all".
The lists of update servers for the various modules and the URL database can be
accessed in advanced configuration. The administrator can modify, add or delete
servers.


SECURITY RECOMMENDATIONS

• Use SSH only when necessary
  – Access protected by passwords
  – Passwords change with every use
• Define an appropriate password policy
• Perform updates through a mirror or internal proxy
• Configure internal NTP and DNS servers
• Automatically back up the configuration
• Define administration networks clearly
• Dedicate an interface to administration
• Configure the right language (UI, log and console)
• Replace the web interface certificate


As SSH access uses the admin account, which holds every privilege on the firewall,
such access must be occasional and monitored. When not in use, SSH must be disabled
to minimize the attack surface. The password must be changed after every use.

With an internal proxy or mirror, you can:
- Manage the frequency of updates,
- Consume less bandwidth,
- Reduce the number of machines with Internet access.

An internal NTP server ensures the consistency of dates in logs, which is an absolute
necessity when logs need to be correlated.
With an internal DNS, you can:
- Maintain control over name resolution,
- Speed up resolution.

The firewall must be managed from a protected, identified network and kept
separate from production environments.

Users must understand the languages used to avoid mistakes when handling the
product.

Sources (in French):
• https://www.ssi.gouv.fr/guide/recommandations-de-securisation-dun-pare-feu-stormshield-network-security-sns/
• https://www.ssi.gouv.fr/politique-filtrage-parefeu/
• https://www.ssi.gouv.fr/passerelle-interconnexion/


For more information, refer to the resources at documentation.stormshield.eu:
• SNS user configuration manual
• Technical notes:
  • Initial configuration via USB key
  • Automatic backups
  • Software Restoration via USB key
  • EVA on Amazon Web Services
  • EVA on Microsoft Azure

For highly specific situations/questions, refer to the TAC knowledge base at kb.stormshield.eu.

LOGS AND MONITORING
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

Training program

✔ Training and certification course
✔ Introduction to the company and products
✔ Getting started with the firewall
➔ Logs and monitoring
Objects
Network configuration
Address translation
Filtering
Application protection
Users & authentication
VPN
SSL VPN

Logs and monitoring

LOG CATEGORIES
LOGS AND MONITORING

Program of this module

➔ Log categories
Configuring and viewing logs
Monitoring and history graphs
Syslog, SVC, e-mail notifications and reports


LOG CATEGORIES

[Figure: the log categories (administration, authentication, network connections, application connections, system events, filter policy, statistics, alarms, vulnerability manager, sandboxing, HTTP/SMTP/POP3/FTP/SSL proxy, IPSec VPN, SSL VPN) grouped under Connections, Proxy, VPN, System and Security & usage]

The features and services on Stormshield Network firewalls generate events that are
stored locally in log files (on the hard disk) or on an SD memory card for firewalls
that have the "external storage" option. Log files are organized in several categories
as described below:
• Administration: all events relating to firewall administration. Therefore all
changes made to the firewall’s configuration are logged.
• Authentication: all events relating to the authentication of users on the
firewall.
• Network connections: all events relating to TCP/UDP connections going
through or to the firewall that are not processed by an application plugin.
• System events: all events relating directly to the system: shutting
down/starting up the firewall, system errors, switching on/off an interface,
high availability, Active Update, etc.
• Alarms: all events relating to intrusion prevention features (IPS) and
events that have been logged with a minor or major alarm level in the
filter policy.
• HTTP Proxy: all events relating to connections going through the HTTP
proxy.


• Application connections (plugin): all events relating to connections
processed by an application plugin (HTTP, FTP, SIP, etc.).
• SMTP proxy: all events relating to connections going through the SMTP
proxy.
• Filter policy: all events relating to filter and/or NAT rules, when rules are
logged in verbose mode.
• IPSec VPN: all events relating to the negotiation phase of an IPSec VPN
tunnel.
• SSL VPN: all events relating to the setup of an SSL VPN (tunnel or portal
mode).
• POP3 proxy: all events relating to connections going through the POP3
proxy.
• Statistics: Summary of the statistics on several elements: system, security,
interfaces, QoS, etc.
• Vulnerability management: all events relating to the "Stormshield
Network Vulnerability Manager" option.
• FTP proxy: all events relating to connections going through the FTP proxy.
• SSL proxy: all events relating to connections going through the SSL proxy.
• Sandboxing: all events relating to the sandboxing of files if this option has
been subscribed and enabled.


CONFIGURING AND
VIEWING LOGS
LOGS AND MONITORING

Program of this module

✔ Log categories
➔ Configuring and viewing logs
Monitoring and history graphs
Syslog, SVC, e-mail notifications and reports


CONFIGURING AND VIEWING LOGS

• Configuration of local storage

Local log storage can be managed in the menu CONFIGURATION ⇒ NOTIFICATIONS
⇒ Logs - Syslog - IPFIX ⇒ in the LOCAL STORAGE tab. Log files are saved on the hard
disk (if the firewall has one) or on an SD memory card (if the firewall has a slot for it
and the administrator has subscribed to the "external storage" option). Each log
occupies space reserved on the storage medium. The tab comprises the following
sections:
• ON/OFF button: starts/stops recording logs. Enabled by default for all logs.
• Storage device: allows you to select the storage device – internal hard disk or SD
memory card.
• Refresh button: refreshes the list of available storage media.
• Format button: allows you to format the selected storage medium.
• Configuration of the space reserved for logs: allows you to start or stop writing
logs for a given log by double-clicking in the corresponding Status column. It also
makes it possible to configure the percentage of disk space reserved for the log
family in Percentage. Do note that the total of the percentages must not exceed
100%. The actual size of the disk space reserved for a log is indicated in Disk
space quota.

Logs are rotated, i.e., once the space reserved for a log is full, the oldest entries are
overwritten by newer ones. This is the default behaviour. Size the quotas so that the
retention you need for incident investigation fits, and forward logs to an external
syslog server if they must be kept longer.


CONFIGURING AND VIEWING LOGS

• Viewing logs

The AUDIT LOGS menu in CONTEXT: MONITORING displays logs saved locally on
firewalls that are equipped with a hard disk or SD memory card with the external
storage option, grouped by log family: network traffic, alarms, web, etc. E.g.: the
Network traffic family concatenates the following logs: network connections,
filter policy, FTP proxy, application connections, POP3 proxy, SMTP proxy, SSL proxy,
HTTP proxy and SSL VPN.
Logs can be restricted to a predefined (last hour, today, last week or last month) or
customized time range.
Logs are displayed in the order of the most recent at the top of the list.
The default number of columns displayed is limited. However, all columns can be
displayed in one click using the option Expand all the elements in the Actions menu
(red box). To manually add one column at a time, click on the arrow framed in blue
and then on Columns .
To see all data relating to a log, highlight a row and click on the Log line details
(green box).


CONFIGURING AND VIEWING LOGS

• Simple search filter

A simple search field makes it possible to filter logs by searching for a character
string in all columns of all logs. In the example above, the search criterion is part of
the name of an ICMP filter rule. The results of the search are displayed regardless of
whether the column containing the information is visible on the screen.
When you right-click on an item in a log, a window appears with shortcuts to several
features that vary depending on the type of item selected, as shown in the example
above:
• Several actions can be performed with URL objects, e.g., adding a URL list
defined by the administrator (blue box, then green box).
• ICMP (red box) can be added as a search criterion, which will replace the
verbose criterion in the example above. In this case, the corresponding filter rule can
be highlighted directly in the active security policy.

These operations mean that the administrator can rely on logs to refine their
security policies, enrich the objects database on the firewall and check
configurations intuitively.


CONFIGURING AND VIEWING LOGS

• Advanced search filter

[Figure: an advanced search combining two criteria, and the resulting log lines]

The advanced search makes it possible to create complex filters by combining
several selection criteria.
Filters can be saved (Save button) and used repeatedly in the same log family.


CONFIGURING AND VIEWING LOGS

• Restricted access to logs

• Full access to logs


In order to apply the new European regulation on personal data, the GDPR (General
Data Protection Regulation), access to logs on SNS firewalls is restricted by default
for all administrators.
The admin super administrator and all administrators who hold the Access to
private data privilege can gain full access to logs simply by clicking on Obtain the
access privilege for private data (logs).


CONFIGURING AND VIEWING LOGS

• Creating temporary access codes for full access to logs


Administrators who do not hold the Access to private data privilege can still obtain
full access using a temporary access code generated by another administrator who
holds the Management of access to private data permission.

Temporary access codes can be created in the menu CONFIGURATION ⇒ SYSTEM ⇒
Administrators ⇒ TICKET MANAGEMENT tab. Access tickets have a start date and
an end date. Tickets can be copied and forwarded to administrators, who will enter
them in the window that appears when they click on the Restricted access to logs
button.

NOTE: Tickets can be used by several administrators.


MONITORING AND
HISTORY GRAPHS
LOGS AND MONITORING

Program of this module

✔ Log categories
✔ Configuring and viewing logs
➔ Monitoring and history graphs
Syslog, SVC, e-mail notifications and reports


MONITORING AND HISTORY GRAPHS


The MONITORING menu shows graphs and data in real time organized in 12 sub-
menus:

• Hardware / High availability: CPU temperature,
• System: use of the firewall's system resources,
• Interfaces: use of network interfaces,
• QoS: use of QoS queues,
• Hosts: hosts that generate traffic going through the firewall,
• Users: users authenticated on the firewall,
• Connections: connections opened through the firewall,
• Routing: network routes and gateways defined on the firewall,
• DHCP: IP leases assigned by the DHCP service,
• SSL VPN tunnels: users connected to the firewall via SSL VPN,
• IPSec VPN tunnels: tunnels that comply with the firewall's policy,
• Whitelist / Blacklist: quarantined or whitelisted hosts on the firewall.


MONITORING AND HISTORY GRAPHS

• Viewing history graphs


In addition to real-time graphs, four history graphs are also available if the History
curves button is set to ON in the menu CONFIGURATION ⇒ NOTIFICATIONS ⇒
Report configuration. History graphs show:

• CPU consumption,
• Bandwidth use for each interface,
• Bandwidth use for each QoS queue,
• Host reputation.

Like reports, history graphs can also be viewed over a configurable period: last hour,
specific day, last 7 days or last 30 days.


MONITORING AND HISTORY GRAPHS

• Configuration of monitoring


Certain monitoring parameters can be configured in the menu CONFIGURATION ⇒
NOTIFICATIONS ⇒ Configuration of monitoring.

• Interval between refreshments:
  • Maximum period displayed (in minutes): the data period to be displayed
    for a curve (15, 30, 45 or 60 minutes),
  • Refresh period in seconds: monitoring curves will be refreshed every 5,
    10, 15 or 20 seconds depending on the configuration,
  • Grid refresh period in minutes: defines how often the monitoring tables
    are refreshed.

The rest of the menu is organized in two tabs:
• INTERFACE CONFIGURATION: adds/deletes the interfaces to be monitored,
• QOS CONFIGURATION: adds/deletes the queues to be monitored.


MONITORING AND HISTORY GRAPHS

• Configuration of history graphs


History graphs can be enabled in the menu CONFIGURATION ⇒ NOTIFICATIONS ⇒
Report configuration by setting the History curves button to ON and enabling the
desired graphs in the LIST OF HISTORY GRAPHS tab.

NOTE: Activity reports and history graphs are available on firewalls that do not have
local log storage. However, they are limited to 5 reports and graphs in total with a
maximum history of 7 days.


SYSLOG, SVC, E-MAIL NOTIFICATIONS AND REPORTS
LOGS AND MONITORING

Program of this module

✔ Log categories
✔ Configuring and viewing logs
✔ Monitoring and history graphs
➔ Syslog, SVC, e-mail notifications and reports


SYSLOG, SVC, E-MAIL NOTIFICATIONS AND REPORTS

• SYSLOG: sends logs to syslog servers.
• SVC (Stormshield Visibility Center): syslog server with a web interface for viewing logs.
• E-mail notifications: automatic transmission of notifications via e-mail for various events.
• Reports: compute a top ten for a given type of event.


Details on these four features are covered in the appendix of the Logs and
Monitoring module.


SECURITY RECOMMENDATIONS

• Define a log policy
  – Configure local log storage
  – Configure at least one external syslog server
• Use encrypted SNMPv3
• Filter SNMP queries


A sound log policy ensures that logs cannot be altered and that they remain easily
accessible for debugging.
Logs must be stored locally for appliances to be debugged effectively. The external
server secures access to logs and protects them from attempts to alter them if the
appliance is compromised: an attacker who controls the firewall can wipe the local
files, but not the copies already sent to the syslog server.

SNMP can be used to monitor the appliance while keeping a high level of security:
use SNMPv3 with authentication and encryption, and restrict SNMP queries to the
monitoring hosts with dedicated filter rules.


LAB 1 – GETTING STARTED WITH THE FIREWALL

[Figure: lab topology. Debian virtual machine hosting the lab services: DNS 192.168.1.10, WEB 192.168.1.11, FTP 192.168.1.12, MAIL 192.168.1.13. Instructor firewall: 192.36.253.254/24, 192.168.250.254/24, 172.16.250.254/24. Firewall 1: 192.36.253.10/24, 192.168.1.254/24, 172.16.1.254/24. Firewall 2: OUT 192.36.253.20/24, IN 172.16.2.254/24, DMZ 192.168.2.254/24. Workstations A, B, C and D]

For more information, refer to the technical notes at documentation.stormshield.eu:
• Description of audit logs
• Complying with regulations on personal data

For highly specific situations/questions, refer to the TAC knowledge base at
kb.stormshield.eu.

APPENDIX – LOGS AND
MONITORING

In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.

Appendix
Logs and monitoring

ENABLING THE SYSLOG
LOGS AND MONITORING

Program

➔ Enabling the syslog
Stormshield Visibility Center (SVC)
E-mail notifications
Reports


ENABLING THE SYSLOG

[Figure: the firewall's syslog client sending logs to external syslog servers]

Stormshield Network firewalls embed a syslog client that can be enabled to send
logs to external syslog servers. Up to four syslog servers can be enabled at the same
time, with the transmission protocol, format and log categories customized for each
server.

These servers can be configured in CONFIGURATION ⇒ NOTIFICATIONS ⇒ Logs -
Syslog - IPFIX ⇒ SYSLOG tab (one server per profile). In each profile, the following
parameters can be configured:

• Name: name of the syslog profile,
• Comments (optional),
• Syslog server: Host object with the syslog server's IP address,
• Protocol used to send logs: UDP, TCP or TLS. UDP and plain TCP carry the logs in
  clear text without authenticating the server; TLS is the only option that protects
  them in transit,
• Port: destination port used to send logs. Standard ports: syslog (UDP/514),
  syslog-conn (TCP/601) and syslog-tls (TCP/6514),
• Certification authority (mandatory with TLS): the certificate of the CA that signed
  the firewall's and the syslog server's certificates,
• Server certificate (optional): the certificate that the syslog server must present to
  authenticate to the firewall,
• Client certificate (optional): the certificate that the firewall must present to
  authenticate to the syslog server,


ENABLING THE SYSLOG

• Format: the syslog format used:
  • LEGACY: each syslog message is limited to 1024 characters (longer lines are
    cut, so fields at the end of a long log line may be lost),
  • LEGACY-LONG: the length of the syslog message is not limited,
  • RFC5424: the message complies with the format defined in RFC 5424.

• In advanced properties, the following parameters can be configured:
  • Backup server,
  • Backup port,
  • Category (facility): identifier added to the beginning of a log line to
    identify a firewall when the syslog server receives logs from several
    firewalls,
  • LOGS ENABLED: select which log categories will be sent to the syslog
    server by double-clicking on the Status section of each category to enable
    or disable sending.

NOTE:
• The Certification authority, Server certificate and Client certificate parameters are
  enabled only if the TLS protocol has been selected.
• The Backup server and Backup port parameters can only be used if TCP or TLS
  have been selected.
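Added example (not part of the course material or Stormshield's code): a small Python parser for the two header layouts described above, LEGACY and RFC5424, followed by the key=value body used by SNS audit logs, which then groups the lines by the log families listed in the Log categories section and shown in the AUDIT LOGS menu (network traffic, alarms, system, VPN). The sample lines, host name, addresses, the logtype values and the family mapping are constructed assumptions for illustration. It also flags a LEGACY line cut by the 1024-character limit, which shows up as an unterminated quoted value.

```python
"""Parse SNS-style syslog lines (LEGACY or RFC 5424 header, then a key=value
message) and group them by audit-log family.

Added example for this course, not Stormshield code. The sample lines are
constructed: header layouts follow RFC 3164 (LEGACY) and RFC 5424, the message
body follows the key=value convention of SNS audit logs, and the logtype
values and the family mapping are assumptions for illustration."""
import re
from collections import Counter

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ '
    r'(?:-|(?:\[[^\]]*\])+) (?P<msg>.*)$'
)
# LEGACY (RFC 3164 style): <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
LEGACY_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<msg>.*)$'
)
# key=value pairs: the value is either a double-quoted string (spaces allowed,
# backslash escapes honoured) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Log families as displayed in the AUDIT LOGS menu (assumed logtype values)
FAMILY = {
    'connection': 'network traffic', 'filter': 'network traffic',
    'plugin': 'network traffic', 'web': 'network traffic',
    'smtp': 'network traffic', 'pop3': 'network traffic',
    'ftp': 'network traffic', 'ssl': 'network traffic',
    'sslvpn': 'network traffic', 'alarm': 'alarms',
    'server': 'system', 'auth': 'system', 'system': 'system',
    'vpn': 'vpn',
}

def parse_line(line):
    """Split one syslog line into header fields and the key=value message."""
    fmt, m = 'rfc5424', RFC5424_RE.match(line)
    if m is None:
        fmt, m = 'legacy', LEGACY_RE.match(line)
    if m is None:
        raise ValueError('not an RFC 5424 or LEGACY syslog line: %r' % line[:40])
    pri, msg = int(m['pri']), m['msg']
    fields = {}
    for key, raw in KV_RE.findall(msg):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return {
        'format': fmt,
        'facility': pri >> 3,      # syslog PRI = facility * 8 + severity
        'severity': pri & 7,
        'host': m['host'],
        'timestamp': m['ts'],
        # an odd number of quotes means the line was cut in the middle of a
        # quoted value, which is what the 1024-character LEGACY limit does
        'truncated': msg.count('"') % 2 == 1,
        'fields': fields,
    }

def log_family(record):
    return FAMILY.get(record['fields'].get('logtype'), 'other')

def summarize(lines):
    """Count lines per family, list alarms and count truncated lines."""
    families, alarms, truncated = Counter(), [], 0
    for line in lines:
        rec = parse_line(line)
        families[log_family(rec)] += 1
        truncated += rec['truncated']
        f = rec['fields']
        if f.get('logtype') == 'alarm':
            alarms.append((f.get('src'), f.get('msg')))
    return {'families': dict(families), 'alarms': alarms, 'truncated': truncated}

# Constructed sample lines (host name, addresses and messages are made up)
SAMPLE_LINES = [
    '<134>1 2024-03-05T10:15:02+01:00 sns-fw1 - - - - id=firewall '
    'time="2024-03-05 10:15:02" fw="sns-fw1" tz=+0100 logtype="connection" '
    'srcifname="in" ipproto=tcp src=192.168.1.20 srcport=51234 '
    'dst=192.36.253.10 dstport=443 action="pass" rulename="Allow web"',
    '<132>Mar  5 10:15:03 sns-fw1 id=firewall time="2024-03-05 10:15:03" '
    'fw="sns-fw1" logtype="alarm" pri=1 src=203.0.113.7 dst=192.36.253.10 '
    'dstport=22 msg="SSH port scan" action="block"',
    '<134>1 2024-03-05T10:15:03+01:00 sns-fw1 - - - - id=firewall '
    'time="2024-03-05 10:15:03" fw="sns-fw1" logtype="filter" '
    'src=192.168.1.21 dst=192.36.253.10 dstport=23 action="block" ruleid=12',
    # LEGACY line cut by the 1024-character limit in the middle of the url value
    '<134>Mar  5 10:15:04 sns-fw1 id=firewall logtype="web" '
    'src=192.168.1.20 url="http://example.test/very/long/pa',
]

if __name__ == '__main__':
    for rec in map(parse_line, SAMPLE_LINES):
        print(rec['format'], rec['severity'], log_family(rec), rec['truncated'])
    print(summarize(SAMPLE_LINES))
```

The odd-quote check is cheap but only catches a cut inside a quoted value; a cut between two key=value pairs silently drops the trailing fields, which is one reason to prefer LEGACY-LONG or RFC5424 when a SIEM needs the whole line.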


STORMSHIELD VISIBILITY CENTER (SVC)
LOGS AND MONITORING

Program

✔ Enabling the syslog
➔ Stormshield Visibility Center (SVC)
E-mail notifications
Reports


STORMSHIELD VISIBILITY CENTER

Stormshield provides its partners with a free syslog server built into a virtual
machine, Stormshield Visibility Center, which can be downloaded from the
mystormshield area in ".ova" or ".vhd" format.

Stormshield Visibility Center is based on the ELK suite: Elasticsearch (database),
Logstash (log manager) and Kibana (web portal). This suite is installed on a Linux
distribution (Yocto) and has been configured to process logs originating from
Stormshield products (SNS appliances; SDS and SES programs). The size of the
database is 200 GB by default.

Network parameters and the keyboard language can be manually configured when
the virtual machine starts up by holding down any key for 5 seconds. Otherwise, the
network interface will use DHCP by default and the keyboard layout will be
"US". During startup as well, a password must be entered for the "root" and "log"
users. The "root" user makes it possible to log in to the virtual machine's console,
whereas the "log" user allows access to the web interface.

Once the user has logged in to the console of the virtual machine, the command
svc-configurator makes it possible to view and configure several parameters: data,
network, database, password, keyboard language, date, etc.

NOTE: for further information on installation, refer to the Stormshield Visibility
Center Administration Guide available in the documentation base.


STORMSHIELD VISIBILITY CENTER

Logs can be viewed through a web interface that can be accessed in HTTPS through
the virtual machine's IP address. The home page consists of several panels:
• Global - Menu: groups the home screens of each Stormshield product and the
  configuration operations that link a Stormshield product to the SVC server.
• Global - Events: number of entries reported by Stormshield products.
• Events - Per types: provides an overview of logs by category.


STORMSHIELD VISIBILITY CENTER

Default views can be used for SNS firewalls, but the interface makes it possible to
define other fully customized lines and sections.

Dashboards are displayed by default for a limited duration; the icon at the top right
of the web interface makes it possible to change it to a predefined or customizable
duration.

Display filters can also be used. For example, in the above view showing SNS logs,
windows containing graphs have been removed from the view and a filter makes it
possible to display log lines that contain a specific destination port.

Refer to the Stormshield Visibility Center Administration Guide for further
information.


E-MAIL NOTIFICATIONS
LOGS AND MONITORING

Program

✔ Enabling the syslog
✔ Stormshield Visibility Center (SVC)
➔ E-mail notifications
Reports


NOTIFICATIONS BY E-MAIL


Stormshield Network firewalls can automatically send notifications by e-mail for
various events. This feature can be configured in CONFIGURATION ⇒
NOTIFICATIONS ⇒ E-mail alerts.

Start by configuring the users and/or groups that will receive notifications.
The RECIPIENTS tab allows you to create and configure mailing lists. Recipients in a
group can be e-mail addresses or users saved in the LDAP base. In this case, ensure
that users have entered their e-mail addresses in their LDAP identities.


NOTIFICATIONS BY E-MAIL


The CONFIGURATION tab contains the following parameters:

• Enable notifications by e-mail: enables/disables the service,
• SMTP server: configures the settings of the server to which e-mails will be
  sent (IP address, port, authentication information and domain name).
  Notifications are sent by default from the address <firewall name>@<DNS domain>.


NOTIFICATIONS BY E-MAIL


• Sending frequency: indicates how frequently notifications are sent. The
  value of this field must be between 1 and 1000 minutes.
• Intrusion prevention alarms and system events: defines what information
  will be sent in notifications about alarm and system event logs:
  • Do not send any e-mails,
  • Send only major alarms,
  • Send major and minor alarms.

Mailing lists are used here, and must be created beforehand.


NOTIFICATIONS BY E-MAIL


In the TEMPLATES tab, you can customize the body text in e-mails sent for various
events, except alarm management (seen earlier). This text can contain variables
($URL, $UID, etc.) that will be replaced with values that depend on the context of
the event.


REPORTS
LOGS AND MONITORING

Program

✔ Enabling the syslog
✔ Stormshield Visibility Center (SVC)
✔ E-mail notifications
➔ Reports


REPORTS


Reports are calculated based on log files and are stored in a database. These
calculations only take into account logs that were captured since reports were
enabled; log history is not factored in.

By default, the firewall offers 30 reports organized in 8 categories: spam, network,
web, security, vulnerability, virus, industrial networks and sandboxing.

These reports can be configured in CONFIGURATION ⇒ NOTIFICATIONS ⇒ Report
configuration. This feature is disabled by default; select Enable reports in the
General section to enable it.

Next, you will be able to select which reports to enable/disable in the LIST OF
REPORTS tab by double-clicking on the Status field of a report.


REPORTS


Reports can be viewed in the REPORTS menu.

Reports calculate statistics on the 50 most significant events that occurred within the
selected time range (last hour, last day, last 7 days or last 30 days). However, the
page only displays the first 10 events (top 10) out of these 50. The rest of the events
(11th to 50th) are grouped in the Others category.

Statistics can be displayed in two formats:
• Graph: in the form of a bar chart (horizontal or vertical) or a pie chart.
• List: shows statistics in percentages and actual figures of the number of
  events.

In some reports (e.g., alarms), configuration elements can be modified by clicking on
the relevant row. For example, the log level or action associated with an alarm can
be modified from this tool if the user has write privileges for the session in progress.
The interface makes it possible to download the report as a CSV file and print it.


BONUS LAB EXERCISE - EMBEDDED REPORTS


OBJECTS

Training program

✔ Training and certification course
✔ Introduction to the company and products
✔ Getting started with the firewall
✔ Logs and monitoring
➔ Objects
Network configuration
Address translation
Filtering
Application protection
Users & authentication
VPN
SSL VPN

Objects

OVERVIEW
OBJECTS

Program of this module

➔ Overview
Network objects


OVERVIEW

• An object:
  – Represents/bears a value (IP address, URL, time-based event, etc.)
  – Has a name and description
• Objects are used to configure the parameters of features:
  – Object names, more easily recognizable than values, are used
  – Values are more easily modified
• Three object categories:
  – Networks
  – Web
  – Certificates and PKI

The configuration menus for Stormshield Network firewalls use objects to represent
values, e.g., IP addresses, network addresses, URLs, events, etc. There are two major
advantages in using objects instead of values:
1. The administrator deals with names, which are more recognizable than
values.
2. Whenever a value changes, only the object needs to be modified instead
of all the menus in which the object is used.

Objects are classified under three categories:


1. Network objects: all objects relating to network values (IP addresses,
port numbers, protocol numbers, etc.) and time objects.
2. Web objects: URL groups (or groups of categories) and groups of
certificate names.
3. Certificates and PKI: makes it possible to create and manage certification
authorities and all ensuing identities (server, user, or smartcard).

In this module, we will focus mainly on network objects. Web objects will be covered
in the "application protection" module. As for the segment on certificates and PKI, it
will be covered in the CSNE course.


OVERVIEW

Prohibited prefixes: firewall_, Network_, Ephemeral_, Global_, Vlan_, Bridge_
Prohibited characters in the object name: <tab>, <space>, !, ", #, ",", =, @, [, ], \
Prohibited object names: Any, None, Anonymous, Broadcast, Internet
Prohibited characters in the description: <tab>, #, @, "

Object names have to follow the syntax restrictions defined in the table above.
Names are not case-sensitive.

Objects can be created and configured as follows:
• In the menu: CONFIGURATION ⇒ OBJECTS
• In the menu: OBJECTS
• From any other menu through the button highlighted in the slide above
  (context-based).

NOTE: Several objects bearing the same value can be created. However, we advise
against it in order to simplify the display of configuration menus (mainly filter and
NAT rules) and object databases, and of course, to simplify their maintenance.


NETWORK OBJECTS
OBJECTS

Program of this module

✔ Overview
➔ Network objects


NETWORK OBJECTS

The network object database can be accessed from the menu CONFIGURATION ⇒
OBJECTS ⇒ Network objects. It includes the following categories of objects:

• Host: an IP address
• DNS name (FQDN): all IP addresses associated with an FQDN name by DNS
resolution
• Network: a network address
• IP address range: an address range
• Port – port range: a port or a port range. It can be restricted to a particular
transport protocol (TCP or UDP),
• IP protocol: the ID of the IP protocol,
• Group: a group of objects with one or several IP addresses: hosts, IP address
ranges, networks or other groups,
• Port group: a group of objects containing ports or port ranges as well as other
port groups,
• Region group: a group of countries or continents. This type of object can be used
in the geolocation of IP addresses,
• Router: makes it possible to enter one or several gateways for a load balancing
route with or without backup gateways. This object will be covered in detail in the
Routing section of the Network Configuration module,
• Time: an event with a set time (ad hoc, day of the year, day(s) of the week or time
slot(s)).


NETWORK OBJECTS

The CONFIGURATION ⇒ OBJECTS ⇒ Network objects menu offers several features
to manage network objects:
• Search bar: performs a search by the name, comments or value of the object.
• Filter: filters the display of objects by category (host, network, port, etc.).
• Type: filters the display of objects by the type of address used (dual stack, IPv4,
  IPv6 or MAC address).
• Add: creates a new object.
• Delete: deletes the selected object. If this object is used in a configuration, a
  window will appear so that you can check the module in which the object is used,
  force the deletion of the object or cancel the delete action.
• Check usage: displays in the banner on the left the menus in which the selected
  object is used.
• Export: exports the objects database into a CSV file.
• Import: imports objects from a CSV file.

The rest of the menu is made up of two sections:
• List of objects: shows all network objects matching the display filter used. Each
  object is displayed on a row with the following information:
  • The object category represented by an icon,
  • Status: green means that the object is in use, otherwise it is gray,
  • The name of the object,
  • The value of the object.
• Properties: displays the attributes of the selected object. They can be modified in
  this section.


NETWORK OBJECTS

• Implicit objects: created automatically by the firewall (read only)
• Preconfigured objects: standardized values and other items

There are two other particular categories of objects in addition to those that can be
created by the administrator:

• Implicit objects: these are created automatically by the firewall and depend on
  the network configuration. These objects are read-only: the administrator can
  neither modify nor delete them. For example, the object Firewall_out is created
  automatically when an IP address is associated with the OUT interface, and the
  object Network_internals groups all networks accessible via the internal
  interfaces.

• Preconfigured objects: these are present by default in the list of objects. They
  represent the values of standardized network parameters (ports, protocols,
  networks) and the values needed for the firewall to run (IP addresses of
  Stormshield servers for updates). The diagrams above represent ICMP and the
  Internet object, which groups all hosts that are not part of internal networks.

NOTE: We recommend that you use implicit and preconfigured objects and refrain
from creating other objects with the same values.


NETWORK OBJECTS

• Creating an object
• Selecting the object category
• Name of the object
• Corresponding value

The window comprises several tabs, one for each category of object to be created.

In most cases, to create an object, two mandatory fields – name and the value –
must be defined. The comments field is optional.

You can either "create" or "create and duplicate" the object. The second button will
create the object and keep the creation window open in order to facilitate the
creation of a new object of the same category.


NETWORK OBJECTS


The screen captures above illustrate the creation of FQDN, host and IP address range
objects.

NOTE: When you create an FQDN object, click on the magnifying glass to resolve the
name of the object. All IP addresses returned by the resolution will be added to the
objects database, and the first IP address on the list will appear as the default
address. If you do not yet have access to a DNS server that can resolve the name,
enter any IP address; it will be replaced once the name is resolved.


NETWORK OBJECTS


The screen captures above illustrate the creation of port and time objects.


NETWORK OBJECTS

• Creating host groups or port groups


– Name of the object
– Objects included in the group

12

To add one or several objects to the group, simply select the object and move it from
the list on the left to the list on the right by clicking on the → button. Delete objects
from a group by doing the opposite with the ← button.
You can search for objects by typing partial names or the values of the desired
objects in the search field.

126

NETWORK OBJECTS

• Creating a region group

127

NETWORK OBJECTS

• Exporting the objects database into a CSV file

Object databases can be exported to a CSV file by clicking on "Export". You will then
be asked if you wish to download the file locally. The CSV file will contain host, IP
address range, network, FQDN, port and port range, protocol, group and port group
objects.

Objects are arranged by category, separated by lines that contain the names of
parameters: #type, #name, #IP, etc. (parameters differ according to object
categories). Object attributes are separated by commas.

128

NETWORK OBJECTS

• Importing objects from a CSV file

Objects can be imported from a CSV file in the same format as the exported file.

To do so, click on Import, and a window will open in which the CSV file can be
selected. Next, simply click on "Transfer" to start importing the file. A progress bar
shows the progress of the import. Once it is complete, a report will show the
number of objects imported by type.

NOTE: Objects already found on the firewall will be replaced with the objects
transferred from the file.
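To show what an administrator can check in such a file before importing it, here is an added Python example (not Stormshield code): it parses an export in the layout described above, counts objects per type as the import report does, lists names that appear twice (the later entry replaces the earlier one on import) and flags objects that share the same value under different names. The sample export and the column names other than #type, #name and #IP are constructed assumptions.

```python
"""Parse a Stormshield-style objects CSV export and report counts and duplicates.

Added example, not Stormshield code. The layout follows the slide: objects are
grouped by category, each group introduced by a header line naming the attributes
(#type, #name, #IP, ...), attributes separated by commas. Header names other than
#type, #name and #IP are assumed.
"""
import csv
from collections import Counter, defaultdict

# Constructed sample in the described layout (not a real export).
SAMPLE_EXPORT = """\
#type,#name,#IP,#comment
host,srv_web,192.168.1.11,web server
host,srv_mail,192.168.1.13,mail server
host,www_server,192.168.1.11,same host under a second name
#type,#name,#IP,#mask,#comment
network,Network_lan,192.168.1.0,255.255.255.0,
#type,#name,#port,#proto,#comment
port,http,80,tcp,
port,web,80,tcp,duplicate of http
port,https,443,tcp,
port,http,8080,tcp,alternate http port
"""


def parse_objects(text):
    """Return one dict per object, keyed by the attribute names of its category."""
    objects = []
    fields = None
    for row in csv.reader(text.splitlines()):
        if not row or not any(cell.strip() for cell in row):
            continue
        if row[0].startswith("#"):
            # Header line: "#type,#name,#IP" -> ["type", "name", "IP"]
            fields = [cell.lstrip("#").strip() for cell in row]
            continue
        if fields is None:
            raise ValueError("object row found before any header line")
        if len(row) != len(fields):
            raise ValueError(f"expected {len(fields)} attributes, got {len(row)}: {row}")
        objects.append(dict(zip(fields, (cell.strip() for cell in row))))
    return objects


def count_by_type(objects):
    """Number of objects per category, as the import report shows them."""
    return dict(Counter(obj["type"] for obj in objects))


def find_duplicates(objects):
    """Groups of names that carry the same value within one category.

    The value is every attribute except the name and the comment, so two hosts
    with the same IP or two ports with the same number/protocol are reported."""
    by_value = defaultdict(list)
    for obj in objects:
        key = tuple((k, v) for k, v in obj.items() if k not in ("name", "comment"))
        by_value[key].append(obj["name"])
    return [sorted(names) for names in by_value.values() if len(names) > 1]


def find_name_clashes(objects):
    """Names used more than once: on import, the later entry replaces the earlier."""
    counts = Counter(obj["name"] for obj in objects)
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_EXPORT)
    print("objects per type:", count_by_type(objs))
    print("names defined twice:", find_name_clashes(objs))
    for names in find_duplicates(objs):
        print("same value shared by:", ", ".join(names))
```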

129

SECURITY RECOMMENDATIONS

• Use an administrator object group
• Restrict the use of dynamic objects
• Follow a naming system for objects
• Reduce the number of unused objects
• Avoid duplicates

If an object group contains all the administration IP addresses and networks, it can
be used in all filter rules relating to administration, ensuring consistency and making
it easier to modify groups.

Dynamic objects such as FQDNs and dynamic hosts generate DNS requests regularly,
requiring network and firewall resources. Ordinarily, the objects saved by default in
the configuration will not be necessary if the above recommendations have been
applied, i.e., the use of a mirror or internal proxy.

A well-defined naming system will prevent duplicates from being created if it is
thoroughly applied, making it easier to read objects.

Unused objects, often forgotten and created again, will occupy unnecessary space.
To avoid any duplicates from being created in the first place, you are advised to avoid
keeping specific objects that will not be used in the configuration.

Duplicates have to be identified and deleted, as they can potentially cause errors
when filter rules are modified. For example, if an object with a duplicate is modified,
the changes will not be applied to all the filter rules that contain it, creating a
security flaw.

130

LAB 2 – OBJECTS

[Lab topology diagram. Servers on the Debian virtual machine: DNS 192.168.1.10, WEB 192.168.1.11, FTP 192.168.1.12, MAIL 192.168.1.13. Firewall addresses shown: 192.168.1.254/24, 172.16.1.254/24, 192.36.253.10/24 and, labelled OUT, IN and DMZ, 192.36.253.20/24, 172.16.2.254/24, 192.168.2.254/24. Instructor: 192.168.250.254/24, 192.36.253.254/24, 172.16.250.254/24.]

For more information, refer to the resources at documentation.stormshield.eu.

For highly specific situations/questions, refer to the TAC knowledge base at
kb.stormshield.eu.

131
NETWORK CONFIGURATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

Course program

✔ Training and certification course
✔ Introduction to the company and products
✔ Getting started with the firewall
✔ Logs and monitoring
✔ Objects
➔ Network configuration
Address translation
Filtering
Application protection
Users & authentication
VPN
SSL VPN

132
Network configuration

CONFIGURATION MODES
NETWORK CONFIGURATION

Program of this module

➔ Configuration modes
Types of interfaces
System routing
Advanced routing
Order of routing types

133

CONFIGURATION MODES

1- Transparent Mode or Bridge Mode

2- Advanced Mode or Router Mode

3- Hybrid Mode

There are three configuration modes on all models of the Stormshield Network
Security range:
• Transparent mode or bridge mode,
• Advanced mode or router mode,
• Hybrid mode.

Note that there is no configuration wizard for these modes. Each mode is
implemented when needed by configuring the network interfaces and translation rules.

134

CONFIGURATION MODES

1- Transparent Mode or Bridge Mode

[Diagram: internal address range 192.168.0.x/24 with default router 192.168.0.1, the Internet access gateway, which performs address translation towards public addresses; IP address of the bridge: 192.168.0.2.]

With transparent mode, the Stormshield Network firewall can be integrated easily
into an existing network without having to modify its configuration.
The particularity of this mode is that all of the firewall’s interfaces are included in a
bridge that bears an IP address of the local network (the IP address used to access the
firewall’s administration interface). This makes it possible to obtain several physical
networks (one network per interface) sharing the same logical network.

Physical networks and the Internet access gateway communicate in bridge mode
(level 2) but the firewall continues to monitor traffic between interfaces (filtering,
ASQ analysis, etc).

In the diagram above, the local network uses a private address range 192.168.0.0/24
and accesses the Internet via a gateway that performs address translations. The
Stormshield Network firewall acts on connections between hosts in the local
network and the Internet access gateway.

135

CONFIGURATION MODES

2- Advanced Mode or Router Mode

[Diagram: DMZ address range 172.16.1.x/24 with default router 172.16.1.1; internal address range 192.168.0.x/24 with default router 192.168.0.1; the firewall performs address translation and holds the public address 195.36.253.1 towards the Internet access gateway.]

In advanced mode, the firewall acts as a router by managing several logical networks
(network addresses). Each interface is configured with a particular IP network, so
that the network can be physically and logically segmented.
In the image above, the local network is made up of two logical networks: a network
for internal hosts and a network for servers in the DMZ. Each network is connected
to the firewall via an interface with a specific IP address range. The public IP address
is configured directly on an external interface of the firewall.

In this mode, the Stormshield Network UTM has to manage the address translation
mechanisms to provide the local network with Internet access.

136

CONFIGURATION MODES

3- Hybrid Mode (1)

[Diagram: internal hosts and DMZ servers share the address range of the bridge, 192.168.0.x/24, with default router 192.168.0.1 (the bridge address); the external interface carries the public address 195.36.253.1 towards the Internet access gateway; address translation is performed by the firewall.]

Hybrid mode is a combination of the bridge and advanced modes. The purpose of
this combination is to have several interfaces in a bridge (same address range) and
other independent interfaces with different address ranges.
In this mode there are two possible scenarios. The first is illustrated here. The
network of the internal hosts and the network of servers in the DMZ share the same
address range and they are connected to the firewall via interfaces belonging to the
same bridge. Address translation has to be configured on the firewall in order for the
local network (network of the bridge) to access the Internet via the external
interface, configured with a public IP address.

137

CONFIGURATION MODES

3- Hybrid Mode (2)

[Diagram: DMZ address range 195.36.253.x/28 (public), on an interface in the same bridge as the external interface; IP address of the bridge: 195.36.253.1, towards the Internet access gateway; internal address range 192.168.0.x/24 with default router 192.168.0.1 on a separate interface, with address translation for this network.]

The second scenario is illustrated above. The network of servers in the DMZ is
configured with a public IP address range. Each server will therefore have its own
public IP address.

This network is connected to the firewall by an interface in the same bridge as the
external interface that leads to the Internet access router. The servers in the DMZ
access the Internet via the bridge and no address translation is needed (connections
will still go through filter rules and other application analyses on the UTM).

The network of internal hosts has a private address range and is connected to the
firewall via an interface that does not belong to the bridge. As a result, address
translation has to be configured in order to allow this network to access the Internet.

138

TYPES OF INTERFACES
NETWORK CONFIGURATION

Program of this module

✔ Configuration modes
➔ Types of interfaces
System routing
Advanced routing
Order of routing types

139

TYPES OF INTERFACES

[Diagram: physical interfaces 1 to 5, a bridge, VLAN1 and VLAN2, a GRETAP interface, and modem interfaces (PPPoE, PPTP, 3G/4G USB modem).]

There are five types of interfaces on the firewall:

• Physical interfaces: the number of physical interfaces depends on the firewall model,
• Bridge interfaces: these associate several physical or VLAN interfaces. The
number of bridges depends on the firewall model (reminder: in factory settings,
all interfaces belong to the same bridge),
• VLAN interfaces: network segment, attached to a physical interface on the UTM,
with a tag and a specific address range. The maximum number of VLAN interfaces
depends on the firewall model,
• Modem interfaces: this type of interface makes it possible to handle connections
between the firewall and a modem (ADSL, ISDN, PSTN, etc.). The possible types of
connections are PPPoE and PPTP,
• GRETAP interfaces: encapsulation interface that makes it possible to link two
remote networks at level 2 (bridge). To do this, the interface allows Ethernet
frames to be encapsulated inside IP packets via the GRE protocol. Hosts from two
remote networks will then be able to communicate as if they belonged to the
same LAN.

140

TYPES OF INTERFACES

Interfaces can be configured in the menu CONFIGURATION ⇒ Network ⇒ Interfaces.
The menu consists of two sections:

• The header (green box): offers basic features to manage interfaces.
• The list of interfaces (red box): displays all interfaces (physical, bridge, VLAN,
modem) on the firewall. To modify the configuration of an interface, simply drag
and drop it. For example, an interface can be added to a bridge by dragging the
physical interface and dropping it on the bridge interface. Drag and drop in the
opposite direction to remove an interface from a bridge.

To configure an interface (blue box), double-click on its line, which is highlighted, or
click on Edit. The edit window contains two tabs for all interface types.
The double arrows at the top right corner of the window let you confirm changes
and close the window.

NOTE: the icon in the screen capture above means that the administrator is logged in
to the firewall from the corresponding interface.

141

TYPES OF INTERFACES

• On/off button

The header contains:

• Filter: searches for interfaces in some or all fields – name, IP address or
comments,
• Edit: opens the configuration window of the current interface, or one of the
modem profiles,
• Add: adds a new bridge, VLAN, modem (or USB modem) or GRETAP interface,
• Delete: deletes the selected interface. An alert appears if the interface is used in a
configuration menu. Despite this message, you can still force the interface to be
deleted,
• Monitor and Go to monitoring: enables or disables monitoring on an interface to
check bandwidth use and the number of connections,
• Check usage: displays the configuration menus in which the interface is used. The
results of this check are shown in the frame on the left under the favorites icon.

142

TYPES OF INTERFACES

• Physical interface: general configuration

Every physical interface has at least one static or dynamic IP address (blue box), with
the following parameters:
• Status: enabled or disabled
• Name: the interface must be given a logical name that is different from the
interface’s system name,
• Comments: optional parameter to add remarks regarding the selected interface,
• This interface is:
• internal (protected): a protected interface only accepts packets coming
from a known address range, such as a directly connected network or a
network defined by a static route. This protection includes the registration
of hosts connected to this interface (thereby protecting against IP address
spoofing), and allows implicit filter rules to be generated during the
activation of certain services on the firewall (for example SSH). An icon
representing a shield appears on all protected interfaces.
• external (public): indicates that the interface does not benefit from the
protection of a protected interface and can therefore receive packets
coming from any address range (which are not assigned to internal
interfaces). This type of interface is used mainly to connect the firewall to
the Internet.

143

TYPES OF INTERFACES

• Physical interface: general configuration

The parameters in the Address range section are:

• Address range, with two options:
  • Address range inherited from the bridge: refer to the section on bridges
  later in this chapter,
  • Dynamic / Static: the properties of the address type are given on the next
  line, IPv4 address.
• IPv4 address, with two options:
  • Dynamic IP (obtained by DHCP). An advanced DHCP configuration menu
  opens:
    o DNS name (optional): indicates the domain name sent to the
    DHCP server,
    o Request lease time (seconds): defines the duration of the DHCP
    lease requested from the DHCP server,
    o Request domain name servers from the DHCP server and create
    host objects: created objects will be named
    Firewall_<interface_name>_dns_1,
    Firewall_<interface_name>_dns_2, etc.
  • Fixed IP (static): if this option is selected, the interface has a fixed IP
  address that must be entered in the list below with a network mask. The mask
  may be written in dotted-decimal or CIDR notation. Several fixed IP addresses
  (aliases) can be configured for an interface, even if they belong to the same
  IP network.

NOTE: configurations will not be saved if they are not applied using the Apply
button.

144

TYPES OF INTERFACES

• Physical interface: advanced configuration

The screen capture above shows the ADVANCED CONFIGURATION tab:

• MTU: indicates the interface’s MTU size in bytes.
• Physical address (MAC): makes it possible to impose an interface’s MAC
address.
• Media: offers choices on the speed of the link that the interface uses. By
default, the speed is detected automatically.

145

TYPES OF INTERFACES

• Creation and general configuration of bridges

There are two ways to create a bridge:

1. Prior selection of bridge members: when the interfaces are highlighted,
they will be entered in the configuration window, as shown above,
2. Creation of a bridge without member interfaces: the name of the bridge
in the configuration window remains grayed out until at least two
interfaces are selected as bridge members.

The GENERAL tab contains:

• General settings: name of the interface (mandatory) and comments
(optional),
• Address range: the bridge may be configured with either a fixed IP address
and network mask, or a dynamic IP address provided by a DHCP server.
• Managing members: list of interfaces that belong to the bridge and inherit
its IP parameters.

NOTE: The maximum number of bridges depends on the firewall model.

146

TYPES OF INTERFACES

• Advanced configuration of bridges

The screen capture above shows the ADVANCED CONFIGURATION tab of a bridge:

• MTU: indicates the interface’s MTU size in bytes.
• Physical address (MAC): makes it possible to impose a bridge’s MAC
address. All interfaces that belong to a bridge inherit its MAC address and
IP address,
• Loops detection (Spanning Tree): enables or disables RSTP or MSTP to
communicate with layer 2 entities on the network and prevent looping.

147

TYPES OF INTERFACES

• Advanced configuration of interfaces in a bridge

The screen capture above illustrates the ADVANCED CONFIGURATION tab of an
interface:
• MTU and Physical (MAC) address: these fields are grayed out because
they are inherited from the bridge, and the MAC address is the same for
all member interfaces,
• Media: offers choices on the speed of the Ethernet link that the interface
uses. By default, the speed is detected automatically.
• Authorize without analyzing: allows IPX (Novell network),
NetBIOS/NetBEUI, AppleTalk (for Macintosh machines), PPPoE or IPv6
packets to be sent and received between the interfaces of the bridge
without being analyzed or inspected at a higher level because the firewall
acts as a switch.
• Keep initial routing: keeps the destination MAC address of the frames
received by an interface belonging to the bridge and sent by another
member interface, thereby keeping the initial routing of the packets. This
option facilitates the seamless integration of the firewall into a network
without having to modify hosts’ default routes. Warning: When this option
is enabled, it may impact certain features that require the firewall to
modify packets.

148

TYPES OF INTERFACES: MODEM

• Creation and general configuration of PPTP/PPPoE modems

The firewall can be connected to various types of modems:

• ADSL or cable modems: connected to an Ethernet interface (example
shown above),
• 3G/4G modems: connected to the USB port (next slide).
The maximum number of modems that can be connected simultaneously depends
on the firewall’s model.
The screen capture above shows the GENERAL tab, which appears right after the
warning stating that a default route must be created after the modem has been
configured:
• Identification of the modem: the name of the interface and comments, if
any,
• Configuration of the modem: the parameters of this menu vary
according to the type of modem chosen:
• PPPoE: The modem must be connected to an external interface
that has to be chosen in the parameter Parent interface,
• PPTP: PPTP negotiation requires the IP address of the PPTP server,
which must be entered in the parameter PPTP address,
• Authentication: ID and password used by the modem connection. The
ISP will communicate this information.

NOTE: in the ADVANCED PROPERTIES tab of a PPTP or PPPoE modem, you can
specify whether connectivity is permanent or on demand.

149

TYPES OF INTERFACES: MODEM

• 3G/4G modems: creation of profiles and interfaces

There are two types of 3G/4G modems:

• Ethernet over USB modem: once the modem is connected to the firewall
and configured, the modem will be assigned the public IP address and act
as a router for the firewall,
• USB modem: once the modem is connected to the firewall and configured,
the firewall will be assigned the public IP address.

Before you create the modem interface, you must configure a profile according to
the parameters that the modem vendor provided. For more details, see the technical
note Configuring a 3G/4G modem on SNS, which explains which parameters need to
be entered in the profile.
After you have created the profile, you need to restart the firewall.
After the restart, create the interface and attach the profile, which you configured
earlier, to this interface.

150

TYPES OF INTERFACES

• Virtual interfaces: VLANs through 802.1q ports

[Diagram: PC 1 and PC 2 on untagged switch ports in the same VLAN, SERVER in another VLAN (VLAN IDs 10 and 20); an 802.1q tagged port links the switch to the FIREWALL, in router mode with two VLAN interfaces, VLAN10 and VLAN20. The frame from PC1 travels over the tagged port as Ethernet header, VLAN header, IP datagram and CRC; the frame delivered to SERVER is untagged again by the switch.]

VLANs (Virtual Local Area Networks) introduce the concept of virtual segmentation
which makes it possible to create logical sub-networks within the same physical network
architecture. All network devices belonging to the same VLAN can communicate with
each other and make up a broadcast domain. The use of VLANs in a network
architecture therefore enhances performance by restricting broadcasts, and offers
better security by separating logical networks.
Stormshield manages IEEE 802.1q VLANs, for which an additional 4-byte header is:
• Added by a manageable switch or the firewall to an outgoing Ethernet frame over an
802.1q tagged port,
• Removed by a manageable switch or the firewall from an incoming Ethernet frame over
an 802.1q tagged port.

This header includes the VLAN id (VID) field, which identifies the VLAN to which the
frame belongs. This field is coded in 12 bits and allows up to 4094 different VLANs to be
defined (VLANID=0 means that the frame does not belong to any VLAN and
VLANID=4095 is reserved). The header also includes the 3-bit Priority or CoS (Class of
Service) field which indicates the priority of the packet defined by the IEEE 802.1p
standard.

In the example above, a frame sent from PC1:

• Can reach PC2 without being modified because the ports on the switch that PC1 and
PC2 are connected to belong to the same VLAN.
• Can reach the firewall through an 802.1q tag added by the switch (VID 20 added).
• Cannot reach SERVER directly since it is in a different VLAN.
• Can reach SERVER by routing through the firewall. After routing, a new frame tagged
by the firewall (VID 20 added) is sent to the server. The switch then removes the tag
from the incoming port and forwards the frame to the server.

151

TYPES OF INTERFACES: VLAN ENDPOINT

• Creation and general configuration of VLANs

There are two ways to create a VLAN:

1. Prior selection of the parent interface: when the interface is highlighted,
it will be entered in the configuration window, as shown above,
2. Creation of a VLAN without a parent interface: the error This VLAN is
not associated with any physical interface prevents the interface from
being created as long as the Parent interface field is not entered.

The GENERAL tab contains:

• General settings: name of the interface (mandatory) and comments
(optional),
• Parent interface: the interface to which the VLAN will be attached,
• VLAN ID: value of the VLANID [1-4094]
• Priority (CoS): value set in the CoS field on all packets sent by this
interface,
• This interface is: select between internal and external,
• Address range: the VLAN interface may be configured with either a fixed IP
address and network mask, or a dynamic IP address provided by a DHCP
server. It can also inherit the IP address of a bridge. This is a specific case
that will be explained in the next slide.

NOTE:
• The MTU value of the interface can be changed in the ADVANCED
PROPERTIES tab of a VLAN,
• In the above example, even though the parent interface of the VLAN is
disabled, the VLAN interface can still be created and run properly.

152

TYPES OF INTERFACES

• VLAN in bridge mode

[Diagram: PC behind SWITCH 1 (VLAN 20, 802.1q tagged port) and SERVER behind SWITCH 2 (VLAN 20, 802.1q tagged port); the FIREWALL in bridge mode sits between the two switches with two VLAN interfaces, VLAN20_1 and VLAN20_2. The tagged frame (Ethernet header, VLAN header, IP datagram, CRC) is untagged by the firewall on entry and tagged again on exit.]

The example above shows what happens when a firewall is added between two
switches in bridge mode, and linked up via an 802.1q tagged link. The switches
continue to behave the same way despite the addition, but the firewall will analyze
traffic on the VLAN.

Follow the steps below to create a VLAN:

1. Create two VLAN interfaces with the same identifier (VID) on two
different parent interfaces,
2. Create a bridge that contains these two interfaces,
3. Repeat the steps above as many times as there are VLANs that need to
use the link between both switches.

In the above example:

1. A frame sent from PC to SERVER reaches the switch (VID 20 added), then
the firewall (VID 20 removed on the incoming interface),
2. The firewall analyzes the contents of the frame,
3. The firewall tags the frame (VID 20 added on the outgoing interface),
which is sent to the server,
4. The switch then removes the tag from the incoming port and forwards
the frame to the server.
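The tag handling described on this slide and on the 802.1q slide above, as an added Python example that is not part of the training material: it inserts and removes the 4-byte 802.1Q header (TPID 0x8100, 3-bit CoS, 1-bit DEI, 12-bit VID) and models the firewall untagging a frame on its incoming VLAN interface and tagging it again on the outgoing one, with the same VID in bridge mode or a different one in router mode. MAC addresses and the payload are constructed; the frames carry no CRC.

```python
"""Build, read and strip IEEE 802.1Q tags on Ethernet frames.

Added example, not Stormshield code. It models what the slides describe: the
switch or firewall inserts a 4-byte tag (TPID 0x8100 + TCI: 3-bit CoS, 1-bit DEI,
12-bit VID) into an outgoing frame on an 802.1q tagged port and removes it from
an incoming one. Frames here are constructed and carry no CRC.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
MAX_VID = 4094  # 12-bit field: VID 0 = no VLAN (priority tag only), 4095 reserved


def add_tag(frame, vid, cos=0, dei=0):
    """Insert an 802.1Q tag after the 12-byte MAC header of an untagged frame."""
    if not 1 <= vid <= MAX_VID:
        raise ValueError(f"VID {vid} outside [1-{MAX_VID}]")
    if not 0 <= cos <= 7 or dei not in (0, 1):
        raise ValueError("CoS is a 3-bit field, DEI a 1-bit field")
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tci = (cos << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_tag(frame):
    """Return (cos, dei, vid) for a tagged frame, or None if the frame is untagged."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def strip_tag(frame):
    """Remove the tag: what the firewall does on its incoming VLAN interface."""
    if read_tag(frame) is None:
        raise ValueError("frame carries no 802.1Q tag")
    return frame[:12] + frame[16:]


def bridge_forward(frame, vlan_in_vid, vlan_out_vid):
    """Firewall between two switches: accept only frames tagged with the ingress
    VLAN interface's VID, untag them (analysis happens on the untagged frame),
    then re-tag for the egress VLAN interface. In bridge mode both VIDs are the
    same (VLAN20_1 -> VLAN20_2); in router mode the egress VID is the target VLAN."""
    tag = read_tag(frame)
    if tag is None or tag[2] != vlan_in_vid:
        return None  # not addressed to this VLAN interface: dropped
    cos, dei, _ = tag
    return add_tag(strip_tag(frame), vlan_out_vid, cos, dei)


def untagged_frame(dst_mac, src_mac, payload=b"IP DATAGRAM"):
    """Constructed minimal frame: dst MAC, src MAC, EtherType IPv4, payload."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload


if __name__ == "__main__":
    pc = bytes.fromhex("0200000000aa")       # constructed locally administered MACs
    server = bytes.fromhex("0200000000bb")
    frame = untagged_frame(server, pc)
    tagged = add_tag(frame, 20, cos=3)       # SWITCH 1 tags on its 802.1q port
    print("tag on the wire (cos, dei, vid):", read_tag(tagged))
    out = bridge_forward(tagged, 20, 20)     # firewall VLAN20_1 -> VLAN20_2
    print("towards SWITCH 2:", read_tag(out))
    print("SWITCH 2 delivers the original frame:", strip_tag(out) == frame)
```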

153

TYPES OF INTERFACES

• Verification of the configuration

The consistency of the network configuration is analyzed in real time. You can view it
by clicking on the arrow at the bottom of the screen.

Even when a warning appears, the configuration can still be applied. However,
errors will prevent it from being applied (the Apply button is grayed out).

154

LAB 3 – NETWORK CONFIGURATION: INTERFACE CONFIGURATION

155

SYSTEM ROUTING
NETWORK CONFIGURATION

Program of this module

✔ Configuration modes
✔ Types of interfaces
➔ System routing
Advanced routing
Order of routing types

156

SYSTEM ROUTING

• Routing: default route

[Diagram: firewall with interfaces in, dmz1 and out; the default route leaves through out towards 212.13.25.120/30.]

Traffic that does not match any route in the routing table will be sent to the
default gateway, whatever the type of the routes in the table: standard (static or
dynamic routing) or Stormshield proprietary (policy-based routing).

157

SYSTEM ROUTING

• Routing: default route

The default gateway can be entered in the IPV4 STATIC ROUTES tab in the menu
CONFIGURATION ⇒ NETWORK ⇒ Routing, Default gateway (router) parameter, and
can be one of the following values:
• Host object: specifies a single default gateway without availability testing, load
balancing or backup gateways (example above),
• Router object: the various gateways configured in the router object make it
possible to conduct availability and load balancing tests and to use backup
gateways. Such objects will be explained later in this chapter.

NOTE: on interfaces that obtain their IP addresses dynamically via DHCP, when the
DHCP lease is obtained, an object named Firewall_<interface_name>_router will
be created, and can be used as the default gateway.
For example, since the address range of your out interface is dynamic, you can enter
the object Firewall_out_router in the Default gateway (router) parameter.

158

SYSTEM ROUTING

• Routing: static routing

[Diagram: firewall with interfaces in and sites and a default router; behind the sites interface, routers R1, R2 and R3 lead respectively to remote site B 192.168.2.0/24, remote site C 192.168.3.0/24 and remote site D 192.168.4.0/24.]

Static routing consists of manually entering the remote gateway to which packets
will be sent in order to reach a remote network. In the figure above, three static
routes are needed to reach the remote networks B, C and D via the outgoing
interface named "sites", then routers R1, R2 and R3.

159

SYSTEM ROUTING

• Routing: static routing

[Screen capture callout: when a configuration contains inconsistencies]

Static routes can be configured in the section IPV4 STATIC ROUTES in the first tab of
the menu CONFIGURATION ⇒ NETWORK ⇒ Routing.
The section contains a search bar and two buttons to add or delete routes. It also
contains a window that lists all the static routes and their parameters. The Add
button adds entries to the list. Mandatory parameters for this line are:
• Status: on / off
• Destination network: may be a host, network or group object.
• Gateway: host object representing the IP address of the gateway that
makes it possible to reach the destination network.
• Interface: outgoing interface used to reach the gateway. Based on the
parameters of the interface, the firewall automatically fills in the address
range. Selecting the interface matters for bridges, which may contain both
protected and unprotected interfaces: only once the interface has been
selected can the firewall tell whether the destination network is to be
considered protected. When the address range of the interface is different
from the gateway’s address range, an error message will indicate that the
gateway is "not routable".
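As an added example (not Stormshield code), the following Python check reproduces the routability test described above: the gateway must belong to the address range of the selected outgoing interface, the range being inherited from the bridge when the interface is a bridge member, and the destination counts as protected only when that interface is internal. Interface names follow the figure; all addresses, and the hypothetical bridge br0 with member dmz1, are assumed.

```python
"""Validate static routes the way the slide describes.

Added example, not Stormshield code. Interfaces and routes are constructed;
the bridge br0 and its member dmz1 are hypothetical and show the inherited
address range case.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Dict, Optional, Tuple


@dataclass
class Interface:
    name: str
    address: Optional[str]         # "a.b.c.d/prefix", or None when inherited from a bridge
    protected: bool                # "This interface is: internal (protected)"
    bridge: Optional[str] = None   # name of the bridge this interface belongs to


@dataclass
class StaticRoute:
    destination: str   # network object
    gateway: str       # host object (IP address)
    interface: str     # outgoing interface
    status: bool = True


def address_range(iface: Interface, interfaces: Dict[str, Interface]):
    """The interface's own network, or its bridge's network for a bridge member."""
    if iface.address is None:
        if iface.bridge is None:
            raise ValueError(f"{iface.name} has neither an address nor a bridge")
        return address_range(interfaces[iface.bridge], interfaces)
    return ip_interface(iface.address).network


def check_route(route: StaticRoute, interfaces: Dict[str, Interface]) -> Tuple[bool, str, bool]:
    """Return (accepted, message, destination_is_protected).

    The third value answers the question raised on the slide: the destination
    network is treated as protected only when reached through an internal
    (protected) interface, which for a bridge is known only once the member
    interface has been chosen."""
    if not route.status:
        return True, "route disabled", False
    iface = interfaces.get(route.interface)
    if iface is None:
        return False, f"unknown interface {route.interface}", False
    network = address_range(iface, interfaces)
    gw = ip_address(route.gateway)
    if gw not in network:
        # Same condition as the firewall's "gateway is not routable" error.
        return False, f"gateway {gw} is not routable via {iface.name} ({network})", False
    dest = ip_network(route.destination, strict=False)
    return True, f"{dest} via {gw} on {iface.name}", iface.protected


def constructed_interfaces() -> Dict[str, Interface]:
    """Interfaces named after the static routing figure; every address is assumed."""
    return {
        "in": Interface("in", "192.168.1.254/24", True),
        "sites": Interface("sites", "10.10.0.254/24", True),
        "out": Interface("out", "203.0.113.2/30", False),
        "br0": Interface("br0", "172.16.0.254/24", True),      # hypothetical bridge
        "dmz1": Interface("dmz1", None, True, bridge="br0"),   # inherits br0's range
    }


if __name__ == "__main__":
    ifaces = constructed_interfaces()
    routes = [
        StaticRoute("192.168.2.0/24", "10.10.0.1", "sites"),   # site B via R1
        StaticRoute("192.168.3.0/24", "10.10.0.2", "sites"),   # site C via R2
        StaticRoute("192.168.4.0/24", "10.10.0.3", "out"),     # R3 is not on "out"
        StaticRoute("172.16.5.0/24", "172.16.0.1", "dmz1"),    # bridge member
    ]
    for r in routes:
        ok, msg, prot = check_route(r, ifaces)
        print("OK " if ok else "ERR", msg, "(protected)" if prot else "")
```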

160

ADVANCED ROUTING
NETWORK CONFIGURATION

Program of this module

✔ Configuration modes
✔ Types of interfaces
✔ System routing
➔ Advanced routing
Order of routing types

161

ADVANCED ROUTING

• Dynamic routing

[Diagram: BIRD on the firewall, supporting RIP, BGP and OSPF; OSPF is enabled on the sites interface towards a router that announces remote site 1 10.0.1.0/24, remote site 2 10.0.2.0/24 and remote site 3 10.0.3.0/24; the in interface serves the local network.]

In dynamic routing, routes are learned automatically through a routing protocol. SNS
firewalls use BIRD to implement dynamic routing. BIRD implements three routing
protocols, RIP, OSPF and BGP, whose supported versions are listed in the
knowledge base. In the figure above, the OSPF routing protocol is enabled on the
sites interface of the firewall so that the firewall learns the routes to the
networks remote1, remote2 and remote3.

162

ADVANCED ROUTING

• Dynamic routing

Dynamic routing can be configured in the IPV4 DYNAMIC ROUTING tab in the menu
CONFIGURATION ⇒ NETWORK ⇒ Routing.
Destination networks that were added to the routing table by a dynamic protocol
can be added to the table of protected networks.

163

ADVANCED ROUTING

• Policy-based routing

[Diagram: firewall with interfaces in, dmz1, isp1 and isp2; outgoing mail leaves through isp2 towards ISP 2, other traffic through isp1 towards ISP 1.]

Policy-based routing (PBR) makes it possible to specify a gateway in a filter rule.
Traffic targeted by the rule is then sent to a gateway defined by the administrator.

In the above example, outgoing e-mail traffic is redirected to the gateway "ISP2"
while the rest of the traffic is redirected to the gateway "ISP1", which is the default
gateway.

164

ADVANCED ROUTING

• Configuration of policy-based routing

Policy-based routing instructions can be implemented in the "Action" field of a filter
rule. Two types of objects can be entered in this field:

• Host object: specifies a gateway,
• Router object: makes it possible to use a router object configured earlier
and assign its load balancing settings to the filter rule.

165

ADVANCED ROUTING

• Router object: load balancing

[Diagram: firewall with interfaces in, dmz1, isp1 and isp2; connections are shared between ISP 1 and ISP 2.]

Router objects group several gateways so that they can be used simultaneously.
When a router object is created, a single route is created in the routing table. Router
objects also make it possible to conduct availability and load balancing tests and to
use backup gateways.

With load balancing, connections can be shared among several gateways. Traffic may
be shared equally or weighted so that each gateway receives a specific percentage of
the overall traffic. How traffic is shared may be based on the source IP address or the
parameters of a connection, i.e., source and destination IP addresses and port
numbers.

The figure above provides an example in which all outgoing connections will be
shared between the gateways ISP1 and ISP2 according to the chosen load
balancing mode (by source or by connection).

By using router objects, load balancing can be applied to traffic sent to the default
gateway or even to a particular type of traffic via policy-based routing. In the first
case, the router object has to be specified as the firewall's default gateway (see slide
27), whereas in the second case, the router object has to be entered in the gateway
parameter of the Action field in a filter rule (see slide 34).

166

ADVANCED ROUTING

• Creation and configuration of router objects

Routing by load balancing can be configured in a router object. The various gateways
have to be added in the LIST OF GATEWAYS USED tab. Each line makes it possible to
enter:
• The gateway with a host object
• Availability testing: tests the availability of the gateway using pings. This
parameter may have several values:
• No availability testing: the availability of the gateway will not be tested.
• Test the gateway directly: pings will be sent directly to the gateway to test
its availability.
• A host or host group located behind the gateway, to which pings will be
sent to test the gateway's availability and operational status.

By default, the status of each gateway will be checked every 15 seconds by sending a
ping to each host entered. If no response is received after 2 seconds, the firewall will
try again three more times before considering the gateway unavailable.

NOTE: The availability of gateways retrieved automatically by DHCP or via a modem
interface cannot be tested.


ADVANCED ROUTING

• Creation and configuration of router objects

37

The weight (red box) determines how much of the traffic managed by the router
object will be assigned to a gateway, based on the following calculation:

$$\%\ \text{of traffic}(gw_i) = \frac{\text{weight}(gw_i)}{\sum_{j} \text{weight}(gw_j)} \times 100$$

In the above example: weight RTR_ISP1 = 3, weight RTR_ISP2 = 7
➔ 30% of the traffic goes through RTR_ISP1, 70% through RTR_ISP2.

The value of a weight must be between 1 and 1024.

The algorithm used (blue box) for load balancing can be configured in the Load
balancing (Advanced configuration) parameter:
• No load balancing: traffic will be sent exclusively to the first gateway that
appears in the list.
• By connection: balances traffic according to source and destination IP
addresses and port numbers. This algorithm is recommended as it allows
connections from the same host to be balanced equally.
• By source IP address: balances traffic according to the source address.
This ensures that traffic from a particular host will always be sent to the
same gateway.


ADVANCED ROUTING

• Creation and configuration of router objects

38

When a filter rule uses a router object (policy-based routing) and none of the
object's gateways can be reached, the behavior of the firewall can be configured in
the If no gateways are available parameter:
• Default route: traffic is sent to the default router.
• Do not route: traffic will be blocked by the firewall.

Load balancing can be used with a maximum of 64 gateways.

ADVANCED ROUTING

• Backup gateways

[Figure: all connections from the "in" and "dmz1" interfaces go through ISP 1
(interface isp1); ISP 2 (interface isp2) is the backup gateway.]

39

A router object also makes it possible to specify a list of backup gateways that will be
used in the event one, several or all main gateways are unavailable.

In the example illustrated above, the gateway "ISP2" is considered a backup gateway
that will be used for all traffic only when "ISP1" is no longer available.

Do note that router objects make it possible to use backup gateways for traffic sent
to the default gateway or only for a particular type of traffic using policy-based
routing.


ADVANCED ROUTING

• Creation and configuration of backup gateways

40

Several backup gateways can be added in a router object's LIST OF BACKUP
GATEWAYS tab. For each backup gateway, a testing device and weight can be defined
in the same way as for main gateways.

Advanced configuration enables the configuration of two elements:

• When backup gateway(s) must be enabled:
• When all main gateways cannot be reached,
• When at least one main gateway cannot be reached,
• When the number of uncontactable main gateways falls below a
certain threshold (1 < threshold ≤ number of main gateways).

• If one or all backup gateways must be enabled: by default, only the first
contactable backup gateway in the list will be used unless the option
Enable all backup gateways when unavailable is selected.

A maximum of 64 backup gateways can be entered.
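The gateway selection described on slides 35 to 40 (weights and the 30%/70% example, load balancing by connection or by source address, the "If no gateways are available" choice and the activation of backup gateways) as a worked model, added here as an illustration; this is not Stormshield code. The SHA-256 based weighted hash, the exact semantics of the numeric threshold and all class and function names are assumptions, and the SNS hashing algorithm itself is not documented in the course.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

MAX_GATEWAYS = 64  # limit stated in the course for main and for backup gateways


@dataclass
class Gateway:
    name: str
    weight: int = 1          # must be between 1 and 1024
    reachable: bool = True   # outcome of the availability test (ping); constructed here

    def __post_init__(self):
        if not 1 <= self.weight <= 1024:
            raise ValueError(f"{self.name}: weight must be between 1 and 1024")


@dataclass
class RouterObject:
    main: List[Gateway]
    backup: List[Gateway] = field(default_factory=list)
    mode: str = "connection"         # "none", "connection" or "source"
    backup_when: str = "all"         # "all", "any", or a numeric threshold as a string
    enable_all_backups: bool = False  # "Enable all backup gateways when unavailable"
    if_unavailable: str = "default"  # "default" (default route) or "drop" (do not route)

    def __post_init__(self):
        if len(self.main) > MAX_GATEWAYS or len(self.backup) > MAX_GATEWAYS:
            raise ValueError("at most 64 main and 64 backup gateways")


def expected_share(gateways: List[Gateway]) -> dict:
    """Percentage of traffic each gateway should receive, from the weights."""
    total = sum(g.weight for g in gateways)
    return {g.name: 100 * g.weight / total for g in gateways}


def active_pool(r: RouterObject) -> List[Gateway]:
    """Gateways currently usable once the backup activation rule is applied."""
    up_main = [g for g in r.main if g.reachable]
    down = len(r.main) - len(up_main)
    if r.backup_when == "all":
        use_backup = down == len(r.main)
    elif r.backup_when == "any":
        use_backup = down >= 1
    else:
        # Assumption: the threshold rule triggers once the number of unreachable
        # main gateways reaches the configured threshold.
        use_backup = down >= int(r.backup_when)
    if not use_backup:
        return up_main
    up_backup = [g for g in r.backup if g.reachable]
    # Only the first reachable backup gateway is used unless "enable all" is set.
    return up_main + (up_backup if r.enable_all_backups else up_backup[:1])


def select_gateway(r: RouterObject, src_ip: str, dst_ip: str = "",
                   src_port: int = 0, dst_port: int = 0) -> Optional[str]:
    """Chosen gateway name, "DEFAULT_ROUTE", or None when the traffic is not routed."""
    pool = active_pool(r)
    if not pool:
        return "DEFAULT_ROUTE" if r.if_unavailable == "default" else None
    if r.mode == "none":
        return pool[0].name  # no load balancing: first gateway of the list
    # Hash key: the source address only, or the full connection parameters.
    key = src_ip if r.mode == "source" else f"{src_ip}:{src_port}>{dst_ip}:{dst_port}"
    h = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
    # Weighted choice (assumed, illustrative): walk the pool with a point drawn
    # from the hash so that each gateway receives weight/sum(weights) of the keys.
    point = h % sum(g.weight for g in pool)
    for g in pool:
        point -= g.weight
        if point < 0:
            return g.name
    return pool[-1].name  # not reached: point is always below the weight sum


def observed_share(r: RouterObject, connections: int = 5000) -> dict:
    """Distribute constructed connections and return the percentage per gateway."""
    counts: dict = {}
    for i in range(connections):
        gw = select_gateway(r, f"10.0.{i % 200}.{i % 250}", "198.51.100.1", 1024 + i, 443)
        counts[gw] = counts.get(gw, 0) + 1
    return {gw: 100 * n / connections for gw, n in counts.items()}


if __name__ == "__main__":
    r = RouterObject([Gateway("RTR_ISP1", 3), Gateway("RTR_ISP2", 7)])
    print(expected_share(r.main))  # {'RTR_ISP1': 30.0, 'RTR_ISP2': 70.0}
    print(observed_share(r))       # close to 30 / 70 over many connections
```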

171
Network configuration

ADVANCED ROUTING

• Return route
ISP 1 ISP 2 (DEFAULT GW)

Incoming
connection 1
4 4

isp1
2 dmz1
isp2

3
.1 .2 .3
in

41

The return route specifies the outgoing interface to reach a remote gateway. Such
routes are used to force outgoing traffic from an incoming connection to go through
the connection's incoming interface.

The image above illustrates an example in which we have two WAN access points.
The "ISP1" access point is reserved exclusively for mail traffic (incoming and
outgoing). The "ISP2" access point is used as the default exit point for other traffic.

Without a return route, responses from incoming e-mail connections via "ISP1" can
be redirected through "ISP2".


ADVANCED ROUTING

• Creation and configuration of return routes

42

Return routes can be configured in the RETURN ROUTE tab in the menu
CONFIGURATION ⇒ NETWORK ⇒ Routing. A row needs to be added for each route,
in which the gateway and the interface allowing it to be accessed have to be
specified.

ORDER OF ROUTING TYPES
NETWORK CONFIGURATION

Program of this module

✔ Configuration modes
✔ Types of interfaces
✔ System routing
✔ Advanced routing
➔ Order of routing types

ORDER OF ROUTING TYPES

Order in which an IP packet is matched against the routing types, from highest (+)
to lowest (-) priority:
1. Return route
2. Policy-based routing (with load balancing and/or backup gateways; may also "do not route")
3. Static routing
4. Dynamic routing
5. Default route (with load balancing and/or backup gateways)

44

The figure shown above illustrates the order in which the various types of routing
will be applied.

NOTE: When a router object is used in policy-based routing and no gateways can be
contacted, two options are possible: either routing can be delegated to the default
route or the firewall can block the traffic. These options are not possible if the router
object is used in the default route.


SECURITY RECOMMENDATIONS

• Disable unused interfaces

• Declare internal interfaces

• Define static routes for internal networks

45

If an interface is not in use, you are advised to disable it to prevent any traffic from
arriving on it.

To benefit from anti-spoofing mechanisms, you are advised to declare an internal
interface as soon as possible. Warning: IDS and firewall inspection modes may
bypass anti-spoofing. If such an alarm is raised, there is most likely an issue with the
architecture that requires immediate attention.

In order to recognize networks that can be reached from an interface, they must be
known to the firewall. For this, you will need a route that leads from a protected
interface to these networks. On the other hand, any unreachable network defined in
the routing table may hinder the anti-spoofing mechanism, which is why you should
never leave unnecessary routes in the routing table.


LAB 3 – NETWORK CONFIGURATION: ROUTING CONFIGURATION

46

For more information, refer to the technical notes at documentation.stormshield.eu:

• Configuring a 3G/4G modem on SNS
• Level 2 encapsulation
• Stacking: distribution of traffic among several firewalls
• LACP link aggregation
• Bird V3 dynamic routing

For highly specific situations/questions, refer to the TAC knowledge base at
kb.stormshield.eu.

APPENDIX - NETWORK CONFIGURATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.

178
Appendix
Network configuration

WI-FI INTERFACES
NETWORK CONFIGURATION

Program

➔ Wi-Fi interfaces
Dynamic DNS
DHCP
Static multicast routing
DNS proxy cache
Bird static routing
Bird dynamic routing


WI-FI INTERFACES

• Available only on SN160W and SN210W appliances
• Two Wi-Fi networks can be enabled

[Figure: two WLAN access points, PublicAP and PrivateAP.]

SN160W and SN210W firewalls have a built-in 802.11a/b/g/n Wi-Fi card that makes it
possible to configure two separate WLAN access points to connect wireless
equipment over the 2.4 GHz or 5 GHz frequency ranges.


WI-FI INTERFACES

To enable the Wi-Fi card, select Enable Wi-Fi in CONFIGURATION ⇒ NETWORK ⇒
Wi-Fi. The menu also allows you to configure the following parameters:

• General configuration:
• Scan frequency: select or create a time object to define when to enable
the Wi-Fi card.
• Mode: select the transmission standard that the Wi-Fi card uses:
o 802.11b, 802.11g or 802.11g/n in the 2.4 GHz range.
o 802.11a or 802.11a/n in the 5 GHz range.


WI-FI INTERFACES

[Figure: available channels in the 2.4 GHz and in the 5 GHz ranges.]

• Channel configuration:
• Country: select the country in which the firewall is installed so that the Wi-
Fi transmission complies with the country's regulations. This choice will
determine the available communication channels and signal strength.
• Channel: select the channel that the Wi-Fi card uses. The channels offered
depend on the selected country and mode.
• Tx power: set the transmission strength of the Wi-Fi card. The strengths
offered depend on the selected country.

• Configuring the access point: redirects to the CONFIGURATION ⇒ NETWORK ⇒
Interfaces menu

NOTES:
• The above parameters are the same for both WLAN access points.
• If you have other Wi-Fi access points in your company, refrain from using identical
or overlapping channels so that you can restrict interference on your wireless
network:
• In the 2.4 GHz frequency range, only channels 1, 6 and 11 do not overlap.
• In the 5 GHz frequency range, none of the channels overlap.


WI-FI INTERFACES

After the Wi-Fi card is activated, you can configure both access points in
CONFIGURATION ⇒ NETWORK ⇒ Interfaces.
Both access points correspond to the WLAN interfaces PrivateAP and PublicAP,
disabled by default. They can be enabled simultaneously with different
configurations, making it possible to have two separate WLAN networks that can be
managed separately in other modules: DHCP, filtering, translation, authentication,
etc.

The parameters of both interfaces are the same:

• Name: name of the WLAN interface.
• Comments (optional).
• This interface is: specifies whether the WLAN interface must be considered
"internal (protected)" or "external (public)" - refer to the chapter "Types of
interfaces" in the Network configuration module for further detail.
• Wi-Fi:
• Network name: represents the SSID (Service Set Identifier); the name of
the Wi-Fi network as seen by wireless devices,
• Authentication: Three methods are available:
o Open network: no authentication method and no encryption,
o WPA1 (Wi-Fi Protected Access): pre-shared keys are used for
authentication, and data will be encrypted with the RC4 stream cipher
(a 128-bit key and an initialization vector).

o WPA2 (recommended): This is an upgrade from WPA1, in which
authentication is also based on pre-shared keys, but data is
encrypted with CCMP, which uses AES with a 128-bit key.
o Security key: the pre-shared key used for WPA and WPA2
authentication.
• Isolation AP (Access Point): This feature makes it possible to prohibit two
devices connected to the WLAN network from communicating directly
with each other without going through the access point, i.e., the firewall. It
is enabled by default.

NOTES:
• After having configured a WLAN interface, you need to configure the DHCP server
to automatically assign IP addresses to devices that log in to the WLAN. Refer to
the chapter on DHCP in this module to find out how to do so.
• WLAN interfaces can belong to a bridge.
• VLAN interfaces cannot have a WLAN interface as their parent interface.


DYNAMIC DNS
NETWORK CONFIGURATION

Program

✔ Wi-Fi interfaces
➔ Dynamic DNS
DHCP
Static multicast routing
DNS proxy cache
Bird static routing
Bird dynamic routing


DYNAMIC DNS: HOW IT WORKS

[Figure: the Dynamic DNS client on the firewall (1) obtains a new IP address on its
OUT interface and (2) updates the address of firewall.stormshield.eu on the DNS
service provider's server, which the other clients then query.]

Dynamic DNS makes it possible to match a domain name to a firewall that does not
have a static public IP address. This means that the firewall can always be reached
when its domain name is used. This feature relies on a DNS service provider;
Stormshield Network firewalls support two providers: DynDNS and No-IP.

The way Dynamic DNS works is illustrated in the diagram above. It involves two
entities: a client integrated into the Stormshield Network firewall, which sends IP
address updates to a server maintained by the DNS service provider. The domain
name is associated with an interface. Updates are performed every time the IP
address of the interface changes. If the address never changes, updates will take
place by default every 28 days.


DYNAMIC DNS: CONFIGURATION MENU

10

Dynamic DNS can be configured in CONFIGURATION ⇒ NETWORK ⇒ Dynamic DNS.
The page of the menu consists of two sections:
1. List of dynamic DNS profiles: you can add, remove and reinitialize
profiles. Profiles can be enabled/disabled by double-clicking on the Status
field. The Reset button is enabled for a profile when communication with
the DNS service provider fails. This button launches a new
communication attempt.
2. Parameters of the Dynamic DNS profile:
• Domain name: enter the domain name that will be used to access
the firewall. E.g.: firewall.stormshield.eu.
• Interface associated with the domain name: the interface with an
IP address associated with the domain name. Multiple different
profiles cannot use the same interface.
• Resolve DNS for sub-domains (wildcard): if this option is
selected, all sub-domains (www.firewall.stormshield.eu) of the
domain entered above (firewall.stormshield.eu) will be associated
with the same IP address.
• Dynamic DNS provider: indicates the DNS service provider used
by the profile. Currently, two service providers are supported:
DynDNS and No-IP.


• User name and Password: the ID and password used to authenticate the
client with the DNS service provider.
• Dynamic DNS server: indicates the DNS service provider's server in the
form of a host object with an automatically resolved name (see the
Objects module).
• Dynamic DNS Service: indicates the service subscribed with the DNS
service provider.


DHCP
NETWORK CONFIGURATION

Program

✔ Wi-Fi interfaces
✔ Dynamic DNS
➔ DHCP
Static multicast routing
DNS proxy cache
Bird static routing
Bird dynamic routing


DHCP: SERVER AND RELAY


[Figure: DHCP server on the firewall (client UDP port 68, server UDP port 67): DHCP
DISCOVER, DHCP OFFER, DHCP REQUEST and DHCP ACK are exchanged by broadcast or
unicast between the client and the firewall. DHCP relay: the same four messages are
relayed in unicast between the firewall and the DHCP server (UDP port 67 on both
sides).]

13

Stormshield Network firewalls embed a DHCP server and relay:

• DHCP server: dynamically manages the assignment of IP addresses in a
LAN. DHCP messages are exchanged by broadcast or unicast between the
client and the firewall over UDP (port 68 on the client side and port 67 on
the server side). These exchanges are illustrated in the diagram above.
Exchanges begin with the client sending the message DHCP DISCOVER
to discover the DHCP server(s) on the LAN. The firewall responds with a
DHCP OFFER message, which contains an IP address offer with all the
necessary parameters (gateway, DNS, etc.). The client accepts the offer by
sending back a DHCP REQUEST message with the desired IP address
(announced in the DHCP OFFER). The server ends the exchange by
acknowledging the client's request with a DHCP ACK message. The IP
address will be valid for a specified lease time. The DHCP server runs only
on the firewall's internal (protected) interfaces.
• DHCP relay: the firewall relays DHCP messages between the client and a
server. DHCP messages are relayed in unicast between the firewall and
the DHCP server.

The firewall cannot simultaneously manage DHCP server and relay features.


DHCP: SERVER AND RELAY

14

DHCP servers or relays can be configured in CONFIGURATION ⇒ NETWORK ⇒ DHCP.
The menu varies according to the selected service:

• DHCP server:
The Parameters section defines the elements sent by default to DHCP clients:
Domain name, Default gateway, Primary DNS Server and Secondary DNS
server. This information can be customized for each address range defined in
the ADDRESS RANGE section. Ranges must comply with the following
conditions:
• An address range must belong to the same addressing scheme as the
protected interface's scheme.
• IP address ranges must not overlap.
• The gateway specified for a range has to be in the same addressing
scheme.


DHCP: SERVER AND RELAY

15

Still in the same menu, the RESERVATION section makes it possible to reserve
static IP addresses for hosts in the LAN, identified by their MAC address.

Warning: Reserved IP addresses must be outside the address ranges entered
in the previous tab.

Addresses can be reserved by adding a row in the list using the Add button. A
host object must be entered in the Reservation field. This object must
contain the IP address that will be assigned to the client and the MAC
address of the host that will obtain this IP address. If the host object entered
does not contain a MAC address, an error appears to indicate that a MAC
address could not be found for the host. A specific gateway can be entered
for the reserved IP address in the GATEWAY field.

In advanced configuration, additional elements can be sent to clients and the
allocated lease time can be modified.


DHCP: SERVER AND RELAY

16

• DHCP relay

In the Parameters section, enter the object corresponding to the DHCP
server to which DHCP messages will be relayed. With the option IP address
used to relay DHCP requests, you can choose the source IP address of DHCP
requests relayed by the firewall. As a result, only Firewall_ objects will be
listed there.

If the option Relay DHCP requests for all interfaces is selected, the firewall
will listen to client requests on all of its network interfaces (the list that
follows will then be grayed out).
Otherwise, the list will make it possible to specify interfaces for which
requests must be relayed.

STATIC MULTICAST ROUTING
NETWORK CONFIGURATION

Program

✔ Wi-Fi interfaces
✔ Dynamic DNS
✔ DHCP
➔ Static multicast routing
DNS proxy cache
Bird static routing
Bird dynamic routing


STATIC MULTICAST ROUTING

[Figure: a server on DMZ1 sends two multicast streams, Group1 (239.0.0.100) and
Group2 (239.0.0.200); Group1 is routed to LAN1 and Group2 to LAN2.]

18

Unlike a unicast transmission in which a copy of the traffic is sent to each recipient, a
multicast transmission distributes a single copy of the traffic to a group of recipients
identified by a multicast IP address (class D 224.0.0.0/8 to 239.255.255.255/8). This
transmission mode is used mainly to distribute real-time multimedia traffic (radio,
TV, conferences, etc). To receive a stream of traffic, the user must subscribe to the
multicast group using IGMP (Internet Group Management Protocol). IGMP requests
are received on the access router which manages multicast groups (subscription,
unsubscription, checking the presence of subscribers) in the internal network and
retrieves multicast traffic, by using a multicast routing protocol (PIM-SM, PIM-DM,
PIM-BIDIR, PIM-SSM, DVMRP and MOSPF) with the other routers.

Static multicast routing implemented on SNS firewalls reroutes multicast traffic
received by one interface to another interface, regardless of type (physical, bridge,
VLAN, GRE or GRETAP) except for IPSec and HA interfaces (used in high availability
clusters). In the example above, the server in the DMZ network forwards two
streams of multicast traffic (GROUP1 and GROUP2) which are received by the DMZ1
interface. GROUP1 and GROUP2 are routed respectively to the LAN1 and LAN2
interfaces so that each stream is received only by workstations connected to the
network of the destination interface.

Note:
• For the moment, multicast groups cannot be managed with IGMP on SNS
firewalls, which do not implement multicast routing protocols. Support for these
features is expected in future versions.


STATIC MULTICAST ROUTING

19

Static multicast routing can be configured in CONFIGURATION ⇒ NETWORK ⇒
Multicast routing.

To add a route, simply click on Add which will launch a wizard; in the first window,
enter the source interface and multicast address or network. Destination interfaces
are indicated in the second window.

Routing must be enabled by selecting the parameter Enable static multicast routing.

DNS PROXY CACHE
NETWORK CONFIGURATION

Program

✔ Wi-Fi interfaces
✔ Dynamic DNS
✔ DHCP
✔ Static multicast routing
➔ DNS proxy cache
Bird static routing
Bird dynamic routing


DNS PROXY CACHE: HOW IT WORKS

[Figure: clients send DNS queries for www.google.com to the firewall; the firewall
looks the name up in its DNS cache (domain name → IP addresses), forwards the query
to the DNS server only when the name is missing, stores the response in the cache and
answers later queries for the same name directly from the cache.]

21

The DNS proxy cache feature makes it possible to memorize the IP addresses of
names resolved by DNS requests. This saves bandwidth by preventing multiple
resolutions of the same name. This feature can be implemented in two situations:
• When the local network uses the firewall as a DNS server. The firewall
receives the DNS request and checks for the presence of the name in the
cache. If the name does not exist, the firewall will resolve it using its DNS
servers; it will add the name accompanied by the IP addresses to the
cache and sends a DNS response to the local network. If the name exists
in the cache, the firewall will send a DNS response based on available
information.
• When the local network uses any DNS server. The DNS request intended
for server X is intercepted by the firewall which begins by checking for the
name in the cache. If the name does not exist, the firewall will resolve it
using its servers instead of server X; it will add the name accompanied by
the IP addresses to the cache and sends a DNS response to the local
network by spoofing the IP address of server X, leading the local network
to believe that the name was resolved by this server. If the name exists in
the cache, the firewall will send a DNS response based on available
information, also by spoofing the IP address of server X.


DNS PROXY CACHE: CONFIGURATION MENU

22

In CONFIGURATION ⇒ Network ⇒ DNS Proxy cache, the DNS cache can be enabled.
Objects that are allowed to use this cache must be explicitly added to the List of
clients allowed to use the DNS cache. These objects can be hosts, networks, address
ranges or groups.

In advanced configuration, you can:

• Change the size of the cache, which is set by default to 1 MB.
• Select the option Transparent mode (intercepts all DNS requests sent by
authorized clients), which is required for the DNS cache to function in
the second situation described earlier.
• Select the option Random querying of DNS servers, which allows the firewall
to randomly use the list of its DNS servers configured in the menu SYSTEM ⇒
Configuration ⇒ NETWORK PARAMETERS ⇒ DNS Resolution.

BIRD STATIC ROUTING
NETWORK CONFIGURATION

Program

✔ Wi-Fi interfaces
✔ Dynamic DNS
✔ DHCP
✔ Static multicast routing
✔ DNS proxy cache
➔ Bird static routing
Bird dynamic routing


Bird static routing

Route injection
Bird makes it possible to inject routes into the FreeBSD system routing table, and in
return, learn routes that are already in the routing table, so that they can be
redistributed via dynamic routing protocols, for example.
The Bird configuration file shown by default in the graphical interface is:

The sections seen in this file (pseudo-protocols) determine the interactions between
Bird and the system, in the following order:
• Protocol direct: routes to networks directly connected to the firewall's
local interfaces can be exported to Bird.
• Protocol kernel: the Bird routing table can be synchronized with the
system's routing table.
• Protocol device: statuses of links on interfaces are monitored, e.g., when
an interface is disabled, routes that must go through this interface will be
deleted from the system routing table.

Bird commands
To view information on routes, the status of interfaces or other information about
Bird, you can use the following commands after you have enabled dynamic routing in
the web interface:


Test the show interfaces command, for example, which is particularly useful in
viewing the status of each interface, its system name and usual name. Also, when
you have pushed a configuration, regularly compare the Bird routing table (show
route) with the FreeBSD routing table (netstat -rn).

Static routing configuration

The following section must be added to the sections explained earlier:

protocol static {
    check link;  # advertise routes only if the link is up
    route 192.168.2.0/24 via 172.20.0.1;
}

Fault tolerance
Stormshield firewalls support the use of two links with different priorities:

protocol static via_vti1 {
    check link;
    route 192.168.2.0/24 via 172.20.0.1;
    preference 200;  # high priority
}
protocol static via_vti2 {
    check link;
    route 192.168.2.0/24 via 172.20.0.3;
    preference 100;  # low priority
}

Fault detection depends on the status of interfaces, among other factors. But this
aspect does not apply to VTIs, since firewalls always consider them active. To force a
quick switch when a link fails, BFD (Bidirectional Forwarding Detection) can be used.
This is not a routing protocol, but an independent feature, which also works with
dynamic routing. BFD makes it possible to detect faults on links by monitoring
sessions that were created by sending UDP packets (port 3784). As soon as a BFD
instance is created, it must be attached to the corresponding static route.

protocol bfd {
    interface "enc1" {
        interval 1 s;          # interval between BFD control messages for an established BFD session
        multiplier 3;          # failure detection: the session is declared down after 3 missed messages
        idle tx interval 1 s;  # interval between BFD control messages for a BFD session not yet established
    };
}

BIRD DYNAMIC ROUTING
NETWORK CONFIGURATION

Program

✔ Wi-Fi interfaces
✔ Dynamic DNS
✔ DHCP
✔ Static multicast routing
✔ DNS proxy cache
✔ Bird static routing
➔ Bird dynamic routing

Bird dynamic routing (example with OSPF)

Introduction
Before you configure OSPF, several important factors must be taken into account,
based on the network topology:
• The links over which OSPF will be used, such as point-to-point links.
• Routes that do not need to be exported to OSPF, such as default gateways specific
to each site, networks with the same network pool on all sites, etc.
• Interfaces on which OSPF traffic does not need to be enabled, such as the internal
interfaces of a site.

Corresponding elements in the Bird configuration

• Of the five network types defined by OSPF, point-to-point, for example, is the
most appropriate on links via VTIs. The Bird parameter of the OSPF instance
pointopoint will therefore be used (two routers connected directly to each other
without election, so adjacency will be faster).
• A filter will specify the networks that must not be exported, such as the default
gateway.
• OSPF messages will only be sent to neighbors declared with the strict
nonbroadcast yes OSPF instance parameter. The list of neighbors will be declared
with the neighbors parameter.

Bird commands for OSPF

To view information on routes, the status of interfaces or other information about
Bird, you can use the following commands after you have enabled dynamic routing in
the web interface:
bird>show ospf neighbors [instance_name]: adjacency status.
bird>show route: all the routes known to bird (dynamic and kernel routes).
bird>show route export kernel1: routes exported from bird to the kernel routing
table.
bird>show ospf interface [instance_name]: detailed parameters of the OSPF instance
(area, network type, cost, timers, etc.).
bird>show protocols all: information about all protocols and pseudo-protocols used
(number of routes imported, exported, protocol preferences, etc.).

The command show route export kernel1 will be particularly useful in verifying the
routes that Bird injects into the kernel, and modifying import-export filters as a
result.

Bird dynamic routing (continued)

OSPF dynamic routing
The example below represents an OSPF configuration via a VTI (point to point):
router id 172.20.0.0;
filter network {
    if net ~ [ 192.168.56.0/24, 0.0.0.0/0 ] then reject;  # networks listed in [] are rejected
    else accept;
}
# the direct protocol automatically generates device routes to
# all network interfaces.
protocol direct {
    preference 251;
}
# this pseudo-protocol performs synchronization between bird's
# routing tables and the kernel.
protocol kernel {
    learn;                  # learn all alien routes from the kernel
    persist;                # don't remove routes on bird shutdown
    scan time 20;           # scan kernel routing table every 20s
    import filter network;  # default is import all
    export filter network;  # default is export none
    preference 254;         # protect existing routes
}
# this pseudo-protocol watches all interface up/down events.
protocol device {
    scan time 10;  # scan interfaces every 10 seconds
}
protocol ospf via_vti1 {
    tick 2;
    rfc1583compat yes;
    area 0 {
        stub no;
        interface "local_vti1_a" {
            # hello 10;
            # retransmit 6;
            # cost 10;
            # transmit delay 5;
            # dead count 5;
            # wait 50;
            type pointopoint;
            neighbors {
                172.20.0.1 eligible;
            };
            strict nonbroadcast yes;
        };
    };
    import filter network;
    export filter network;
}

Note: The Bird project documentation
https://bird.network.cz/?get_doc&f=bird.html&v=20 provides many examples,
especially of the filters to use.

ADDRESS TRANSLATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

Training program

✔ Training and certification course
✔ Introduction to the company and products
✔ Getting started with the firewall
✔ Logs and monitoring
✔ Objects
✔ Network configuration
➔ Address translation
Filtering
Application protection
Users & authentication
VPN
SSL VPN

206
Address translation

OVERVIEW
ADDRESS TRANSLATION

Program of this module

➔ Overview
Dynamic translation
Static translation by port
Static translation
"NAT" Menu
Order of application of NAT rules


OVERVIEW

• A private network uses IP address ranges that are not
routed over the Internet (RFC 1918).

Prefix          IPv4 address range               Number of addresses
10.0.0.0/8      10.0.0.0 – 10.255.255.255        16 777 216
172.16.0.0/12   172.16.0.0 – 172.31.255.255      1 048 576
192.168.0.0/16  192.168.0.0 – 192.168.255.255    65 536

• NAT (Network address translation): mechanism that
allows IP packets (source/destination address,
source/destination port) to be modified.

Address translation mechanisms have been developed to deal with the shortage of
public IP addresses. Basically, private IP addresses – defined by the IANA (Internet
Assigned Numbers Authority) and set out in RFC 1918 (table above) – are used for
local corporate and private networks. These networks are then connected to the
Internet via a single public IP address.


DYNAMIC TRANSLATION
ADDRESS TRANSLATION

Program of this module

✔ Overview
➔ Dynamic translation
Static translation by port
Static translation
"NAT" Menu
Order of application of NAT rules


DYNAMIC TRANSLATION

• Translating a private network to a public IP address

Diagram: the host "@privA" on the internal network opens an HTTP connection to the web server "@web" on the Internet; the firewall holds the public address "@pub_fw". Packets 1 to 4 are the request and its reply, before and after translation.

Address translation (source address / source port):
  before: @privA / xxxx        after: @pub_fw / 20000

Original packet 1     src @privA : xxxx      dst @web : 80
Translated packet 2   src @pub_fw : 20000    dst @web : 80
Original packet 3     src @web : 80          dst @pub_fw : 20000
Translated packet 4   src @web : 80          dst @privA : xxxx

In most cases, this type of translation is implemented to allow local networks configured with private IP addresses to access the Internet via a single public IP address.

The diagram above illustrates how this type of translation works when the host "@privA" accesses a web server "@web" over the Internet. The IP packet sent by the host "@privA" to the server "@web" is intercepted by the firewall, which replaces the source IP address "@privA" with the firewall's public IP address "@pub_fw" and the source port "xxxx" (this port is chosen by the operating system of the host "@privA") with a port in the range [20000-59999]. The firewall memorizes the match between (the IP address "@privA" / source port "xxxx") and (the IP address "@pub_fw" / source port 20000). This match is used to translate the responses from the web server by replacing (the destination IP address "@pub_fw" / destination port 20000) with (the destination IP address "@privA" / destination port "xxxx").

210
Address translation

DYNAMIC TRANSLATION

• Translating a private network to a public IP address

Diagram: several hosts on the internal network open HTTP connections to the web server "@web" through the single public address "@pub_fw".

Address translation (source address / source port):
  before                 after
  @privA / 1232          @pub_fw / 20000
  @privB / 20321         @pub_fw / 20001
  @privC / 1232          @pub_fw / 20002

Translated source ports are taken from the range Ephemeral_fw [20000, 59999].

The modification of the source port is warranted mainly when two hosts "@privA"
and "@privC" use the same source port to set up a connection to the same web
server. If the source port is not modified by the firewall, the web server will receive
two connection requests coming from the same public IP address "@pub_fw" and
same source port. This may cause a malfunction on both connections and ambiguity
in the translation of responses with regard to the firewall, which will not know to
which host it needs to send the responses received from the server.

The source ports set by the firewall are selected from a predefined range called
ephemeral_fw [20000-59999]. By default, ports are chosen in sequence from the
range. There is however an option available to enable a random selection.

An IP address range can be used to mask the source IP address. The NAT rule then uses a network or address range object instead of a host object in the Source field of Traffic after translation. Since addresses are translated 1:1 between the two ranges, both ranges must be the same size, and the source port must then not be translated.
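The masquerading described on the last two pages, as an added Python model (not code from the training material or from Stormshield): it keeps the translation table the firewall memorizes, picks translated ports from ephemeral_fw either in sequence or at random, and shows why two hosts that happen to use the same source port still get distinct translated ports. The names Packet, Masquerade and demo are hypothetical; the addresses are the placeholders from the diagram.

```python
"""Dynamic translation (masquerading) modelled in Python.

Added example, not Stormshield code: the public address, the hosts and the
sequential or random selection in ephemeral_fw [20000-59999] follow the text
above; everything else (class names, the packet tuple) is an assumption.
"""
import random
from dataclasses import dataclass

EPHEMERAL_FW = range(20000, 60000)          # ephemeral_fw: 20000..59999 inclusive


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerade:
    """Rewrites the source of outgoing packets to the firewall's public
    address plus a translated port, and reverses that mapping on replies."""

    def __init__(self, public_ip, random_ports=False, seed=None):
        self.public_ip = public_ip
        self.random_ports = random_ports
        self.rng = random.Random(seed)
        self.next_port = EPHEMERAL_FW.start
        # (private ip, private port, dst ip, dst port) -> translated port
        self.forward = {}
        # translated port -> (private ip, private port): used for replies
        self.reverse = {}

    def _pick_port(self):
        """Pick an unused port from ephemeral_fw, in sequence or at random."""
        if len(self.reverse) >= len(EPHEMERAL_FW):
            raise RuntimeError("ephemeral_fw exhausted")
        while True:
            if self.random_ports:
                port = self.rng.choice(EPHEMERAL_FW)
            else:
                port = self.next_port
                self.next_port = port + 1 if port + 1 < EPHEMERAL_FW.stop else EPHEMERAL_FW.start
            if port not in self.reverse:
                return port

    def outbound(self, pkt):
        """Packet 1 -> packet 2: the source becomes @pub_fw:<translated port>."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.forward.get(key)
        if port is None:                       # new connection: allocate and memorize
            port = self._pick_port()
            self.forward[key] = port
            self.reverse[port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Packet 3 -> packet 4: the destination is restored from the memorized match.
        Returns None when no match exists (unsolicited traffic is dropped)."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.reverse:
            return None
        priv_ip, priv_port = self.reverse[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo(random_ports=False, seed=1):
    """Three internal hosts reach @web:80; @privA and @privC both use source port 1232."""
    nat = Masquerade("@pub_fw", random_ports=random_ports, seed=seed)
    a = nat.outbound(Packet("@privA", 1232, "@web", 80))
    b = nat.outbound(Packet("@privB", 20321, "@web", 80))
    c = nat.outbound(Packet("@privC", 1232, "@web", 80))
    # The server answers the translated ports; the firewall knows which host each belongs to.
    reply_a = nat.inbound(Packet("@web", 80, "@pub_fw", a.src_port))
    reply_c = nat.inbound(Packet("@web", 80, "@pub_fw", c.src_port))
    stray = nat.inbound(Packet("@web", 80, "@pub_fw", 59999))   # no state: dropped
    return a, b, c, reply_a, reply_c, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

With sequential selection the three hosts receive 20000, 20001 and 20002 in that order, exactly as in the diagram; with random_ports=True the ports are unpredictable but still unique, which is the point of the "random translated source port" option described later in the "NAT" menu section.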

211
Address translation

STATIC TRANSLATION BY PORT
ADDRESS TRANSLATION

Program of this module

✔ Overview
✔ Dynamic translation
➔ Static translation by port
Static translation
"NAT" Menu
Order of application of NAT rules

212
Address translation

STATIC TRANSLATION BY PORT

• Providing access to internal resources behind a single public IP address

Diagram: the host "@client" on the Internet opens an HTTP connection to "@pub_fw"; the firewall redirects it to the web server "@priv_web" on the internal network.

Address translation (destination address / destination port):
  before: @pub_fw / 80         after: @priv_web / 80

Original packet 1     src @client : xxxx     dst @pub_fw : 80
Translated packet 2   src @client : xxxx     dst @priv_web : 80
Original packet 3     src @priv_web : 80     dst @client : xxxx
Translated packet 4   src @pub_fw : 80       dst @client : xxxx

This type of translation, also known as port redirection, provides access to services hosted in a local network via a single public IP address.

The diagram above illustrates the example of a local web server "@priv_web" accessible from the Internet over the firewall's public IP address "@pub_fw". A translation rule is created on the firewall to match (the destination public IP address "@pub_fw" / destination port 80) to (the IP address of the local server "@priv_web" / destination port 80).

As such, the packet sent by the host "@client" to the IP address "@pub_fw" on port 80 will be modified before being sent to the web server on the same port. The response sent by this server will also be modified as a result before being sent to the host "@client". It is important to note that destination ports before and after translation may differ.

213
Address translation

STATIC TRANSLATION BY PORT

• Providing access to internal resources behind a single public IP address

Diagram: the host "@client" on the Internet reaches both the web server "@priv_web" and the mail server "@priv_mail" through the single public address "@pub_fw".

Address translation (destination address / destination port):
  before: @pub_fw / 80         after: @priv_web / 80
  before: @pub_fw / 25         after: @priv_mail / 25

A single public IP address may provide access to services hosted on several local
servers as shown in the diagram above. Servers are differentiated only by the port
number of the service.

214
Address translation

STATIC TRANSLATION
ADDRESS TRANSLATION

Program of this module

✔ Overview
✔ Dynamic translation
✔ Static translation by port
➔ Static translation
"NAT" Menu
Order of application of NAT rules

215
Address translation

STATIC TRANSLATION

• Dedicating a public IP address to an internal server (incoming connection)

Diagram: the mail server "@internet" on the Internet opens an SMTP connection to "@pub_mail", a second public address held by the firewall in addition to "@pub_fw"; the firewall redirects it to the mail server "@priv_mail" on the internal network.

Address translation (destination address / destination port):
  before: @pub_mail / any      after: @priv_mail / any

Original packet 1     src @internet : xxxx   dst @pub_mail : 25
Translated packet 2   src @client : xxxx     dst @priv_mail : 25
Original packet 3     src @priv_mail : 25    dst @client : xxxx
Translated packet 4   src @pub_mail : 25     dst @internet : xxxx

In this type of translation, a public IP address can be dedicated to a local server configured with a private IP address. This assumes that there are at least two public IP addresses: "@pub_fw" configured on the firewall's external interface and "@pub_mail" used for the translation rules.

Static translation must be two-way, meaning that the local server can be reached by all incoming connections from the Internet on its public IP address, and that outgoing connections initiated by this server to the Internet carry the same public IP address as their source. This is reflected in two translation rules: a rule for incoming connections and another rule for outgoing connections.

The diagram above shows the changes made to the packets of an incoming connection to a local mail server, based on the translation rule that matches (the destination public IP address "@pub_mail") to (the IP address of the local server "@priv_mail"). The packet sent by the mail server "@internet" to the IP address "@pub_mail" will therefore be modified in order to be sent to the local mail server. The response sent by this server will also be modified as a result before being sent to the mail server "@internet". It is important to note that source ports before and after translation may be restricted to a particular port number and may differ.

216
Address translation

STATIC TRANSLATION

• Dedicating a public IP address to an internal server (outgoing connection)

Diagram: the local mail server "@priv_mail" opens an SMTP connection to the mail server "@internet" on the Internet; the firewall, which holds "@pub_fw" and "@pub_mail", replaces the source address with the dedicated public address "@pub_mail".

Address translation (source address / source port):
  before: @priv_mail / any     after: @pub_mail / any

Original packet 1     src @priv_mail : xxxx  dst @internet : 25
Translated packet 2   src @pub_mail : xxxx   dst @internet : 25
Original packet 3     src @internet : xxxx   dst @pub_mail : xxxx
Translated packet 4   src @internet : xxxx   dst @priv_mail : xxxx

The diagram above shows the changes made to the packets of an outgoing connection, initiated by the local mail server, to a server over the Internet, based on the translation rule that matches (the source private IP address "@priv_mail") to (the source public IP address "@pub_mail").

As such, the packet sent by the server "@priv_mail" to an IP address over the Internet will be modified to replace the source address "@priv_mail" with the source address "@pub_mail". The response sent by the external server will also be modified as a result before being sent to the local mail server. It is important to note that source ports before and after translation may be restricted to a particular port number and may differ.

217
Address translation

STATIC TRANSLATION

• Dedicating a public IP address to an internal server

Diagram: the firewall holds "@pub_fw" plus the dedicated public addresses "@pub_mail" and "@pub_ftp"; the host "@internet" reaches the mail server "@priv_mail" and the FTP server "@priv_ftp" on the internal network.

Address translation rules (traffic before translation -> traffic after translation; an empty field keeps its original value):
  Source       Src port   Destination   Dst port   ->   Source       Src port   Destination   Dst port
  @priv_mail   Any        Internet      Any        ->   @pub_mail    any
  Internet     Any        @pub_mail     Any        ->                           @priv_mail
  @priv_ftp    Any        Internet      Any        ->   @pub_ftp     Any
  internet     Any        @pub_ftp      Any        ->                           @priv_ftp

If there are several public IP addresses, a specific IP address may be dedicated to each server. Each server requires two translation rules as shown above.

218
Address translation

STATIC TRANSLATION

• ARP broadcast of virtual public IP addresses

Diagram: the firewall's external interface (MAC address @MAC_fw) holds "@pub_fw" and publishes the virtual addresses "@pub_ftp" and "@pub_mail" with the same MAC address; the upstream device (MAC address @MAC_R) has an IP packet from "@client" for "@pub_mail" to deliver.
  1. ARP broadcast from the upstream device: @pub_mail?
  2. ARP response from the firewall: @pub_mail ⇒ @MAC_fw
  3. Ethernet frame sent to the firewall: Dst MAC @MAC_fw, Src MAC @MAC_R, Ether type IP, carrying the IP packet (Src IP @client, Dst IP @pub_mail, Data).

Firewall ARP table:
  @pub_fw   ⇒ @MAC_fw
  @pub_ftp  ⇒ @MAC_fw
  @pub_mail ⇒ @MAC_fw

• ARP (Address Resolution Protocol): dynamically retrieves the MAC address of the interface bearing a certain IP address.

Given that virtual public IP addresses are not configured on the firewall's external interface, the firewall will not respond to ARP requests that try to resolve these IP addresses to the firewall's MAC address.

To resolve this issue, the ARP broadcast (publication) of virtual public IP addresses is needed for static translation to work. Entries are added to the firewall's ARP table to match each virtual public IP address to the MAC address of the external interface. The firewall is then able to respond to ARP requests for these IP addresses and to receive all packets going to these addresses, as shown in the diagram above.

219
Address translation

"NAT" MENU
ADDRESS TRANSLATION

Program of this module

✔ Overview
✔ Dynamic translation
✔ Static translation by port
✔ Static translation
➔ "NAT" Menu
Order of application of NAT rules

220
Address translation

"NAT" MENU

Filter and NAT policy: ten slots, each made up of a Filtering tab and a NAT tab:
  1) Block all   2) High   (3) Medium   4) Low   5) Filter 05   6) Filter 06   7) Filter 07   8) Filter 08   9) Pass all High   10) Pass all

On Stormshield Network firewalls, filter and NAT rules (address translation) are
grouped in the same policy. Up to 10 different policies can be defined but only one
policy may be active at a given time, identified by the icon:

221
Address translation

"NAT" MENU

• Editing the security policy


Filter and NAT rules can be configured in the menu CONFIGURATION ⇒ SECURITY
POLICY ⇒ Filtering and NAT.
The menu header makes it possible to:
• Select the filter and NAT policy using the drop-down list.
• Edit:
• Rename: changes the name of the policy.
• Reinitialize: resets to default filter and NAT rules.
• Copy to: copies from one policy to another.
• Export: exports filter/NAT rules from the selected policy to a CSV file,
which will then be used to retrieve rules on a Stormshield Management
Center (SMC) server.
The rest of the menu is made up of two tabs:
• Filtering: configures filter rules.
• NAT: configures address translation rules.

222
Address translation

"NAT" MENU

• Creation of a rule and header


The NAT tab consists of a header to manage translation rules:
• New rule:
• Standard rule: adds a standard translation rule.
• Source address sharing rule (masquerading): adds a rule for
dynamic translation by specifying the port range ephemeral_fw.
• Separator – rule grouping: adds a rule separator which groups all
rules located below it, allowing the separator to be collapsed to
hide the display of the rules belonging to it. The separator may also
be customized with a color and comments.
• Static NAT rule (bimap): launches a wizard that will facilitate the
addition of bimap static translation rules.
• Delete: deletes the selected rule(s).
• Up / Down: moves selected rules up or down the list.
• Expand all / Collapse all: expands/collapses all the separators to
show/hide NAT rules.
• Cut: cuts the selected rule(s).
• Copy: copies the selected rule(s).
• Paste: pastes rule(s) that were copied/cut earlier from the same or
another policy.
• Search in logs: searches for the name of this rule in audit logs.
• Search in monitoring: searches for the name of this rule in connection monitoring.
• Reset rule statistics: Reinitializes counters of all the filter and NAT rules in
the policy. The date of the last reinitialization can be seen by placing the
mouse cursor over the icon.
• Reset columns: reinitializes the display of columns that make up the rule
window.

223
Address translation

• Traffic before translation: allows you to enter the parameters of the original traffic.
• Source: the IP address or the source network.
• Destination: the IP address or the destination network.
• Dest port: destination port.
• Comments: allows comments to be added. The date, time, administrator and the administration PC's IP address are added by default when the rule is created.
• Traffic after translation: adds the new values of the parameters after translation. If nothing is entered here, the traffic will keep its original values.
• Source: the IP address or the source network.
• Src. Port: source port.
• Destination: the IP address or the destination network.
• Dest port: destination port.
• Options: when traffic goes through a translation rule, it is not logged in standard mode. In Log mode, traffic is logged in the Filtering log. The second option also allows NAT to be enabled in an IPsec VPN tunnel.
• Comments: allows comments to be added. The date, time, administrator and the administration PC's IP address are added by default when the rule is created.

224
Address translation

"NAT" MENU

• Indicator of use of NAT rules


• Saving and activating a security policy


The use indicator (blue box) shows the number of times processed traffic matched the criteria of the translation rule. The digital counter appears when you hover over the indicator. The indicator can display four colors, reflecting the ratio between the number of hits for this rule and the maximum number of hits reached by any rule in the same slot:
• White (blank): the rule has never been applied,
• Blue: the value displayed is between 0% and 2% of the maximum number of hits,
• Green: the value displayed is between 2% and 20% of the maximum number of hits,
• Orange: the value displayed is higher than or equal to 20% of the maximum number of hits and exceeds 10,000 hits.

To save a policy, click on Apply. The policy is saved immediately. A new window
opens, allowing you to enable or disable the policy by clicking on YES, ACTIVATE THE
POLICY or LATER.

225
Address translation

"NAT" MENU

• Column display


The display of columns in the window may be customized by clicking first on the icon
indicated by the blue arrow above then on the columns. Simply select a column for it
to be displayed.
NAT rules can be moved in the window by dragging and dropping by clicking on the
rule number on the left.

NOTE: Searches in logs or in monitoring rely on the name of the rule, so it is useful to display the Name column. Note that a rule always has a default name, which the administrator can change.

226
Address translation

"NAT" MENU

• Parameters of a rule


The parameters of a rule may be entered directly in the rule window or in a new
window that appears by double-clicking on any parameter of this rule. This window
also enables access to advanced configuration parameters.
Since the values of the parameters are objects, they can be copied from one rule to
another by dragging and dropping.

227
Address translation

"NAT" MENU

• Dynamic translation


Dynamic NAT rules can be created with the button New rule ⇒ source address
sharing rule (masquerading) which automatically adds the port range
ephemeral_fw to the src port in the traffic after translation.

The diagram above sets out an example of a dynamic NAT rule with the main parameters that need to be entered. In the section original traffic (before translation), the source is the internal network Network_in, reachable through the "in" interface, which wants to access any destination on any destination port. In the section traffic after translation, the source is replaced with the public IP address of the "out" interface and the source port is translated into a port number in the range ephemeral_fw.

You are advised to select the option Choose a random translated source port which
allows a port number to be chosen at random in the range ephemeral_fw for new
connections. This option provides protection from certain attacks by making the
translated port less predictable.

228
Address translation

"NAT" MENU

• Static translation by port


The static NAT rule by port is created from a standard rule. An example is given in the diagram above.
In the section on original traffic, the source represents any host on the public network going to the firewall's public IP address on port 80 (HTTP). In the section on traffic after translation, the destination IP address is replaced with the server's private IP address and port number 80 (HTTP) is kept as the destination port. It is important to note that destination ports before and after translation may differ.

229
Address translation

"NAT" MENU

• Static translation


Static NAT rules can be created with New rule ⇒ static NAT rule (bimap) which
launches a wizard to enter the following information:
• Private host(s): the private IP address(es) of the internal server
• Virtual host(s): the virtual public IP address dedicated to the internal
server
• Only on the interface: external interface from which the server can be
accessed with its virtual public IP address.
• Only for ports: the static NAT rule allows all ports to be translated,
however it can be restricted by specifying one or several port ranges in
this parameter. You are advised to leave this value as Any and to restrict
the port directly in the filter rules.
• ARP publication: enables ARP broadcast for the public IP address.
The example illustrated in the diagram above statically translates an internal SMTP
server identified by a private IP address srv_mail_priv and a dedicated virtual public
IP address srv_mail_pub.
The wizard adds two translation rules: the first rule for the translation of the internal
server’s outgoing traffic toward the public network and the second for incoming
traffic going to the virtual public IP address. Both rules can be modified separately
later.

230
Address translation

ORDER OF APPLICATION OF NAT RULES
ADDRESS TRANSLATION

Program of this module

✔ Overview
✔ Dynamic translation
✔ Static translation by port
✔ Static translation
✔ "NAT" Menu
➔ Order of application of NAT rules

231
Address translation

ORDER OF APPLICATION OF NAT RULES


The order in which translation rules appear in the list is very important, as it defines
the order in which new connections will be compared against translation rules.
Therefore, a new connection will be compared against the rules starting from the
first in the list to the last. When the connection matches a rule, the translation
defined by this rule will be applied and the connection will no longer be analyzed by
the rules that follow.

This mode of operation may cause overlaps if rules are not in a logical sequence. An
example is illustrated in the diagram above – the second translation rule will never
be used because a more general rule above it in the list will override it (the IP
addresses in the group IP_PUB are included in the object Internet).
The firewall has a built-in checker that detects such overlaps, which will be indicated
to the administrator through an alert that appears at the bottom of the window.

NOTE: A simple solution to this example is to reverse the order of both translation
rules.
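The port redirection rule from "Static translation by port" and the first-match order of application described above, as an added Python model (not code from the training material or from Stormshield): translate() applies only the first rule that matches a new connection, and shadowed() reports the overlap the built-in checker would flag. The object base (the addresses behind Network_in, Internet, IP_PUB, Firewall_out, IP_pub_virtual, srv_web_priv and the hypothetical Partner_net) is constructed; the no_nat_partner rule shows an exception rule that keeps its original values and is placed before the masquerading rule so that it is not shadowed.

```python
"""First-match NAT rule table with overlap (shadowing) detection.

Added example, not Stormshield code: it models the behaviour described in the
"Static translation by port" and "Order of application of NAT rules" pages.
The object base below is constructed; only the object names come from the text.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed object base; "Any" and "Internet" both cover every address here.
OBJECTS = {
    "Any": ipaddress.ip_network("0.0.0.0/0"),
    "Internet": ipaddress.ip_network("0.0.0.0/0"),
    "Network_in": ipaddress.ip_network("192.168.1.0/24"),
    "Partner_net": ipaddress.ip_network("10.50.0.0/16"),
    "Firewall_out": ipaddress.ip_network("203.0.113.10/32"),
    "IP_pub_virtual": ipaddress.ip_network("203.0.113.11/32"),
    "IP_PUB": ipaddress.ip_network("198.51.100.0/29"),
    "srv_web_priv": ipaddress.ip_network("192.168.1.11/32"),
}


@dataclass(frozen=True)
class NatRule:
    name: str
    src: str                       # traffic before translation
    dst: str
    dport: Optional[int] = None    # None = Any
    new_src: Optional[str] = None  # traffic after translation; None keeps the value
    new_dst: Optional[str] = None
    new_dport: Optional[int] = None

    def matches(self, src_ip, dst_ip, dport):
        return (ipaddress.ip_address(src_ip) in OBJECTS[self.src]
                and ipaddress.ip_address(dst_ip) in OBJECTS[self.dst]
                and self.dport in (None, dport))

    def covers(self, other):
        """True when every packet matched by `other` is also matched by self."""
        return (_supernet(self.src, other.src)
                and _supernet(self.dst, other.dst)
                and self.dport in (None, other.dport))


def _supernet(a, b):
    na, nb = OBJECTS[a], OBJECTS[b]
    return na == nb or na.supernet_of(nb)


def _host(name):
    return str(OBJECTS[name].network_address)


def translate(rules, src_ip, dst_ip, dport):
    """Apply the first matching rule only, as the firewall does for new connections."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            new_src = _host(rule.new_src) if rule.new_src else src_ip
            new_dst = _host(rule.new_dst) if rule.new_dst else dst_ip
            return rule.name, new_src, new_dst, rule.new_dport or dport
    return None, src_ip, dst_ip, dport


def shadowed(rules):
    """(rule, earlier rule) pairs where the rule can never match because the
    earlier, more general rule already covers everything it would match."""
    result = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                result.append((later.name, earlier.name))
                break
    return result


POLICY = [
    # port redirection: HTTP to the public address reaches the internal web server
    NatRule("web_redirect", "Internet", "Firewall_out", 80, new_dst="srv_web_priv"),
    # translation exception: traffic to the partner network keeps its private address
    NatRule("no_nat_partner", "Network_in", "Partner_net"),
    # masquerading of the internal network toward the Internet
    NatRule("masquerade", "Network_in", "Internet", new_src="Firewall_out"),
    # shadowed: IP_PUB is included in Internet, so the rule above always wins
    NatRule("to_ip_pub", "Network_in", "IP_PUB", new_src="IP_pub_virtual"),
]


if __name__ == "__main__":
    print(translate(POLICY, "198.51.100.77", "203.0.113.10", 80))
    print(translate(POLICY, "192.168.1.20", "10.50.3.4", 443))
    print(translate(POLICY, "192.168.1.20", "198.51.100.2", 443))
    print(shadowed(POLICY))
```

Swapping the last two rules, as the NOTE above suggests, makes shadowed() return an empty list: IP_PUB is then matched before the general Internet rule.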

232
Address translation

SECURITY RECOMMENDATIONS

• Rename the production policy
• Prevent rule overlaps
• Do not leave any unused rules
• Name your rules

To make filter policies easier to read, you are advised to give them clear names with
a specific naming system.

Never let rules overlap. An overlapping rule is unnecessary, and it becomes an unintended entry point as soon as the rule that currently takes precedence over it is removed.

Every unnecessary rule is a potential entry point and increases the attack surface, so such rules must be identified and deleted regularly.

The name column, hidden by default, allows you to identify a rule by its name. It is
very useful when searching for a rule or monitoring its behavior during debugging.

233
Address translation

LAB 4 – ADDRESS TRANSLATION

Lab topology (recovered from the diagram):
• Debian virtual machine hosting the services: DNS 192.168.1.10, WEB 192.168.1.11, FTP 192.168.1.12, MAIL 192.168.1.13
• Student firewalls: one with 192.168.1.254/24, 172.16.1.254/24 and 192.36.253.10/24; the other with IN 192.168.2.254/24, DMZ 172.16.2.254/24 and OUT 192.36.253.20/24. Workstations A, B, C and D are attached to the student firewalls.
• Instructor firewall: 192.168.250.254/24, 172.16.250.254/24, 192.36.253.254/24

For more information, refer to the resources at documentation.stormshield.eu:
• Technical note - Setting up a NAT rule

For highly specific situations/questions, refer to the TAC knowledge base at kb.stormshield.eu.

234
APPENDIX - ADDRESS TRANSLATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.

235
Appendix
Address translation

ADVANCED PROPERTIES
ADDRESS TRANSLATION

Program

➔ Advanced properties

236
Appendix
Address translation

ADVANCED PROPERTIES: THE INCOMING INTERFACE IN A NAT RULE

In a NAT rule, you can specify the incoming interface of traffic that the rule must
match. This advanced configuration, which applies to the source field of a rule,
accommodates several use cases.

The first case presented above consists of translating two physical networks (in and
dmz1) belonging to the same logical network (network_bridge) to two public IP
addresses Firewall_out and IP_pub_virtual. Specifying the incoming interface is the
only way to differentiate both physical networks.

237
Appendix
Address translation

ADVANCED PROPERTIES: THE INCOMING INTERFACE IN A NAT RULE

In the second use case, the various network aliases used by an interface are
translated to the firewall’s public IP address.
When additional IP addresses are configured using the same interface, the firewall
creates additional objects.
In the above example, when three IP addresses are configured in different
addressing schemes, three host objects are created: Firewall_in, Firewall_in_1 and
Firewall_in_2, followed by three corresponding network objects.
In this case, all networks that match the aliases, or a group containing them, should
be added to the rule. Specifying an interface in a translation rule makes it possible to
use Any as the source network to translate all the aliases of this interface.

238
Appendix
Address translation

ADVANCED PROPERTIES: THE OUTGOING INTERFACE IN A NAT RULE

In a NAT rule, you can also specify the outgoing interface that the rule must match.
This applies to the destination field of the traffic before translation, thereby making
it possible to restrict the translation rule to only this interface’s outgoing traffic. This
interface is determined beforehand through the routing function that sets the MAC
address of the remote gateway as the destination MAC address of the packet.

The diagrams above illustrate the use of the outgoing interface when the firewall has
access to two WAN networks and when load balancing must be set up on both links.

NOTE: load balancing is set up with router objects.

239
Appendix
Address translation

ADVANCED PROPERTIES: DISTRIBUTION OF REDIRECTED CONNECTIONS

The advanced configuration settings for translation rules allow the distribution of
redirected connections for both incoming and outgoing connections:
• Load balancing of outgoing connections: (rule 1): This consists of
translating outgoing connections with several source IP addresses.
• Load balancing of incoming connections over several servers or ports
(services). There are several types:
• Load balancing over several hosts (rule 2): This option consists of
redirecting incoming connections to several hosts by entering a
group made up of several IP addresses as the traffic destination
after translation. It can be used when a service is hosted on several
servers.
• Load balancing over several ports (rule 3): This option consists of
redirecting incoming connections to several destination ports on a
single host by specifying a port range for traffic after translation. It
is used when several instances of the same application are hosted
on the workstation. Each of these instances listens on a particular
port from the destination port range.
• Load balancing over several hosts and several ports (rule 4): This
option represents a combination of the two previous load balancing
modes. It allows incoming traffic to be distributed over the various
destination ports of several hosts.

240
Appendix
Address translation

ADVANCED PROPERTIES: DISTRIBUTION OF REDIRECTED CONNECTIONS

The various types of load balancing can be based on four types of algorithms:
• Round-robin: Connections alternate between IP addresses and port
numbers.
• Source IP hash: A hash of the source IP address of the connection before
translation is calculated in order to choose the IP address or port number.
This algorithm guarantees that connections from the same host will always
be associated with the same IP address or the same port number.
• Connection hash: A hash of the connection parameters before translation
(source IP, source port, destination IP, destination port), is calculated in
order to choose the IP address or port number. This algorithm makes it
possible to distribute connections originating from the same host over
several IP addresses or several port numbers.
• Random: the IP address or port number is randomly selected.

NOTE: The accessibility of the chosen IP address or port number will not be verified
(even if they are not accessible, the firewall will continue to send traffic to them).
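The four distribution algorithms, as an added Python model (not code from the training material or from Stormshield). The pool of (address, port) targets and the connection tuples are constructed, and SHA-256 stands in for the firewall's hash function, which the text does not specify; what the block demonstrates is the property the text attributes to each algorithm: round-robin alternates, source IP hash keeps one host on one target, connection hash spreads one host over several targets, random picks freely. As the NOTE says, none of them checks that the chosen target is reachable.

```python
"""The four distribution algorithms for redirected connections, modelled in Python.

Added example, not Stormshield code: the pool, the connections and the use of
SHA-256 as the hash are assumptions; the distribution properties follow the text.
"""
import hashlib
import itertools
import random

# Constructed pool: two servers, each running two instances on ports 8080 and 8081
POOL = [("192.168.1.11", 8080), ("192.168.1.11", 8081),
        ("192.168.1.12", 8080), ("192.168.1.12", 8081)]


def _bucket(text, size):
    """Deterministic hash -> index, independent of Python's per-process hash seed."""
    digest = hashlib.sha256(text.encode()).digest()
    return int.from_bytes(digest[:8], "big") % size


def round_robin(pool):
    """Each new connection takes the next target in turn."""
    cycle = itertools.cycle(pool)
    return lambda conn: next(cycle)


def source_ip_hash(pool):
    """Target chosen from the source address only: one host always lands on the same target."""
    return lambda conn: pool[_bucket(conn[0], len(pool))]


def connection_hash(pool):
    """Target chosen from the whole 4-tuple: one host is spread over several targets."""
    return lambda conn: pool[_bucket("|".join(map(str, conn)), len(pool))]


def random_choice(pool, seed=None):
    """Target picked at random for every new connection."""
    rng = random.Random(seed)
    return lambda conn: rng.choice(pool)


def distribute(chooser, connections):
    """Map each (src ip, src port, dst ip, dst port) tuple to the target chosen for it.
    No reachability check is made: an unreachable target is still selected."""
    return [chooser(conn) for conn in connections]


def demo():
    # Constructed: 12 connections from each of two Internet hosts to the public address
    conns = [(ip, 40000 + i, "203.0.113.10", 80)
             for ip in ("198.51.100.5", "198.51.100.6") for i in range(12)]
    return {
        "round_robin": distribute(round_robin(POOL), conns),
        "source_ip_hash": distribute(source_ip_hash(POOL), conns),
        "connection_hash": distribute(connection_hash(POOL), conns),
        "random": distribute(random_choice(POOL, seed=3), conns),
    }


if __name__ == "__main__":
    for name, targets in demo().items():
        print(name, sorted(set(targets)))
```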

241
Appendix
Address translation

ADVANCED PROPERTIES: ADVANCED SOURCE CRITERIA

Advanced configuration parameters of address translation rules allow the definition of other source criteria, such as:
• Users or user groups: defines specific translation rules for authenticated
users (based on the assumption that a directory and an authentication
mechanism were set up beforehand on the firewall).
• The DSCP field: makes it possible to translate addresses according to DSCP
field values. This field is located in the IP header of a packet and indicates
the service class (QoS) to which the traffic belongs.

242
Appendix
Address translation

ADVANCED PARAMETERS: ADDRESS TRANSLATION EXCEPTION


In certain configurations, it may be necessary to not translate addresses for certain types of traffic. In the example shown above, all the addresses in the LAN are translated to the IP address of the firewall's external interface, except for traffic to the partner network.

To implement this configuration, a specific translation rule has to be added to indicate that the traffic from the internal network to the partner network must not be translated. In this rule, the parameters of the traffic after translation must be the same as the parameters of the traffic before translation. Furthermore, this rule has to be placed before the translation rule going to the Internet in order to prevent an overlap.

NOTE: It is also possible to use the translation exception for a specific host on a
translated network.

243
FILTERING
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

Training program

✔ Training and certification course


✔ Introduction to the company and products
✔ Getting started with the firewall
✔ Logs and monitoring
✔ Objects
✔ Network configuration
✔ Address translation
➔ Filtering
Application protection
Users & authentication
VPN
SSL VPN

244
Filtering

OVERVIEW
FILTERING

What we will cover in this module

➔ Overview
The concept of "stateful"
Sequencing of filter and translation rules
Filtering menus
Policy analyzer

245
Filtering

OVERVIEW

• Definition of traffic allowed and/or blocked by the firewall
• Criteria for the rule to be applied
• Security inspections according to traffic

With the filter policy, the administrator can define rules that make it possible to allow or block traffic going through the Stormshield Network UTM. Depending on the type of traffic, certain security inspections (antivirus scan, antispam scan, URL filtering, etc.) can be enabled. These will be covered in detail in the Application protection module. The defined filter rules must be in line with the company's security policy.

A filter rule relies on many criteria in order to define a traffic type, thereby offering
higher granularity. Some of the criteria that can be specified include:
• Source and/or destination IP address,
• The reputation and location of the source and/or destination IP
address,
• Incoming and/or outgoing interface,
• Source and/or destination network address,
• Source and/or destination FQDN,
• Value of the DSCP field,
• TCP/UDP service (destination port number),
• IP-based protocol – for ICMP, the type of ICMP message can be
specified,
• Users or user groups requiring authentication.

The number of active filter rules in a policy is limited. This restriction depends
exclusively on the model of the firewall.
The first packet belonging to each new traffic stream received by the UTM is
compared against the filter rules from the first to the last line. You are therefore
advised to arrange your rules in the order of the most restrictive to the most
permissive.
By default, any traffic that is not explicitly allowed by a filter rule will be blocked.

246
Filtering

THE CONCEPT OF "STATEFUL"
FILTERING

What we will cover in this module

✔ Overview
➔ The concept of "stateful"
Sequencing of filter and translation rules
Filtering menus
Policy analyzer

247
Filtering

THE CONCEPT OF "STATEFUL"

Diagram: TCP, UDP and ICMP exchanges. 1: query from the host (source address @privA, source port xxxx, destination address @web, destination port 80); 2: response from "@web" back to the same host and port, allowed by the memorized connection state.

Stormshield Network firewalls use SPI (Stateful Packet Inspection) technology, which
makes it possible to memorize the status of connections for TCP, UDP and ICMP
protocols in order to keep track of them and detect potential anomalies or attacks.
The direct consequence of this stateful tracking is that filter rules only allow traffic
in the direction in which the connection was initiated; replies that are part of the
same connection will be implicitly allowed. There is therefore no need for an
additional filter rule to allow response packets for connections that were set up
through the firewall.
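As an added illustration of the stateful behaviour described above (not Stormshield code), the following Python sketch tracks TCP, UDP and ICMP exchanges in a connection table so that only the initiating direction needs a rule; the addresses, ports and rules in it are constructed sample values.

```python
"""Toy stateful packet inspection (SPI) tracker: an added illustration, not
Stormshield code. Replies to a tracked connection pass without a rule;
anything not explicitly allowed is blocked. Sample values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                   # for ICMP echo: the identifier
    dport: int = 0                   # for ICMP echo: the identifier as well
    icmp_type: Optional[int] = None  # 8 = echo request, 0 = echo reply


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    proto: Optional[str] = None      # None means "Any"
    src_net: Optional[str] = None    # dotted prefix, e.g. "192.168.1."
    dst_net: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src_net is None or p.src.startswith(self.src_net))
                and (self.dst_net is None or p.dst.startswith(self.dst_net))
                and (self.dport is None or self.dport == p.dport))


# (proto, initiator address, initiator port, responder address, responder port)
ConnKey = Tuple[str, str, int, str, int]


@dataclass
class StatefulFilter:
    rules: List[Rule]
    table: Dict[ConnKey, str] = field(default_factory=dict)

    @staticmethod
    def _key(p: Packet) -> ConnKey:
        if p.proto == "icmp":
            # Echo request and reply carry the same identifier: track it like a port.
            return ("icmp", p.src, p.sport, p.dst, p.sport)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(k: ConnKey) -> ConnKey:
        proto, a, ap, b, bp = k
        return (proto, b, bp, a, ap)

    def process(self, p: Packet) -> str:
        """Return 'pass' or 'block' for one packet and update the state table."""
        k = self._key(p)
        # 1. Reply to a tracked connection: implicitly allowed, no rule needed.
        if self._reverse(k) in self.table:
            if p.proto == "icmp" and p.icmp_type == 0:
                del self.table[self._reverse(k)]   # one reply closes the echo exchange
            return "pass"
        # 2. Further packets in the initiating direction of a tracked connection.
        if k in self.table:
            return "pass"
        # 3. First packet of a new stream: rules are read from first to last.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "pass":
                    self.table[k] = "established"
                return rule.action
        # 4. Default policy: traffic not explicitly allowed is blocked.
        return "block"


# Constructed sample policy: internal hosts may browse HTTP and ping out.
EXAMPLE_RULES = [
    Rule(action="pass", proto="tcp", src_net="192.168.1.", dport=80),
    Rule(action="pass", proto="icmp", src_net="192.168.1."),
]


def demo() -> List[str]:
    """Replay a constructed exchange; the comments give the verdicts."""
    fw = StatefulFilter(EXAMPLE_RULES)
    return [
        fw.process(Packet("tcp", "192.168.1.10", "203.0.113.5", 40000, 80)),  # pass: rule 1
        fw.process(Packet("tcp", "203.0.113.5", "192.168.1.10", 80, 40000)),  # pass: tracked reply
        fw.process(Packet("tcp", "203.0.113.5", "192.168.1.10", 80, 40001)),  # block: unsolicited inbound
        fw.process(Packet("icmp", "192.168.1.10", "203.0.113.5", 7, 7, 8)),   # pass: echo request, rule 2
        fw.process(Packet("icmp", "203.0.113.5", "192.168.1.10", 7, 7, 0)),   # pass: matching echo reply
        fw.process(Packet("icmp", "203.0.113.5", "192.168.1.10", 7, 7, 0)),   # block: exchange already closed
    ]


if __name__ == "__main__":
    print(demo())
```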


SEQUENCING OF FILTER AND TRANSLATION RULES
FILTERING

What we will cover in this module

✔ Overview
✔ The concept of "stateful"
➔ Sequencing of filter and translation rules
Filtering menus
Policy analyzer


SEQUENCING OF FILTER AND TRANSLATION RULES

[Diagram: processing of the initial packet, slots listed by decreasing priority. 0 Implicit filtering, 1 Global filtering, 2 Local filtering: in each slot a matching rule either passes the packet on to the next step or blocks it; if no rule matches, the packet is blocked. An allowed packet then goes through 3 Implicit NAT, 4 Global NAT and 5 Local NAT.]
On Stormshield Network firewalls, filter and NAT rules are organized in various levels
called slots represented in their order of priority in the diagram above:
• Implicit filtering: groups filter rules that have been pre-configured or
added dynamically by the firewall in order to allow or block certain types
of traffic after a service is enabled. For example, an implicit rule allows
connections going to the UTM's internal interfaces on the HTTPS port
(443/TCP) in order to ensure constant access to the web administration
interface. In another example, as soon as the SSH service is enabled, a set
of implicit rules will be added to allow these connections from all hosts on
internal networks.
• Global filtering: groups filter rules that have been inserted on the firewall
from the "Stormshield Management Server" (SMC) administration tool or
after global policies have been displayed.
• Local filtering: represents filter rules added by the administrator from the
administration interface.
• Implicit NAT: groups NAT rules that the firewall adds dynamically. These
rules are used mainly when high availability is enabled.
• Global NAT: like global filtering, it groups NAT rules that have been
inserted on the firewall from the "Stormshield Management Server" (SMC)
administration tool or after global policies have been displayed.
• Local NAT: groups NAT rules that the administrator has added from the
administration interface.


The first packet received is compared against the filter rules of the various slots
according to the order shown in the diagram above. As soon as elements in the
packet match a rule in a slot, the action set in the rule (block or pass) will be applied
and the packet will no longer be compared against the rules that follow. If none of
the filter rules match, the packet will be blocked by default.
If the packet is allowed, it will be compared against the NAT rules of the various
slots, following the sequence shown above.


“FILTERING” MENUS
FILTERING

What we will cover in this module

✔ Overview
✔ The concept of "stateful"
✔ Sequencing of filter and translation rules
➔ Filtering menus
Policy analyzer

“FILTERING” MENUS

Implicit rules can be configured in the menu CONFIGURATION ⇒ SECURITY POLICY
⇒ Implicit rules. Every rule can be enabled/disabled.

NOTE : Modifying the statuses of these rules will directly affect how services run on
the firewall. To ensure that the affected service continues to run correctly, first,
confirm whether lower-priority rules, such as global or local rules, allow such traffic.


“FILTERING” MENUS

• Display and additional action


To display global rules, select Display global policies (Filtering, NAT, VPN IPsec and
Objects) in the Preferences menu that can be accessed directly from the header icon
in the red box. This option will display in the header of the menu CONFIGURATION
⇒ SECURITY POLICY ⇒ Filtering and NAT a drop-down list allowing global or local
policies to be selected. By default, there are no filter or NAT rules in the global slots.


“FILTERING” MENUS

• Creation of a rule
• Selection of columns to display


Filter rules are part of a policy, as explained earlier in the "Address translation"
module.
The "FILTERING" tab is made up of a header to manage filter rules:
• New rule:
• Single rule: adds a standard filter rule. By default, a new rule is
disabled and all its criteria are set to "Any".
• Separator – rule grouping: adds a separator which groups all rules
located under it (or until the next separator). This simplifies the
display of a policy containing a large number of rules. The separator
may be customized with a specific color and comments.
    • Authentication rule: opens a wizard that adds a rule created
    specifically to direct the connections of unauthenticated users to
    the captive portal (see the Users and Authentication module for
    more details on the subject).
• SSL inspection rule: opens a wizard that adds rules to enable the
SSL proxy.
• Explicit HTTP proxy rule: opens a wizard that adds rules to enable
the explicit HTTP proxy.
• Delete: deletes a rule.
• Up / Down: moves selected rules up or down the list.


“FILTERING” MENUS

• Naming rules
• Header options

• Expand all / Collapse all: expands/collapses all the separators to
show/hide filter rules.
• Cut: cuts the selected rule(s).
• Copy: copies the selected rule(s).
• Paste: pastes rule(s) that were copied/cut earlier from the same or
another policy.
• Search in logs: searches for logs that were generated in audit logs after
this rule was applied. Searches are based on the name of the rule.
• Search in monitoring: searches for the name of this rule in connection
monitoring.
• Reset rule statistics: reinitializes counters that show the number of times
all filter and NAT rules in the active policy have been used. The date of the
last reinitialization can be seen by scrolling over the icon.
• Reinit columns: reinitializes the display of columns that make up the rule
window according to the default display.

NOTE : When searches are performed in logs or monitoring, they rely on the name
of the rule. You will see in the above example that a rule always has a default name,
which the administrator can change.


“FILTERING” MENUS

• Indicator of use of filter rules


• Composition of a filter rule


The rule window comprises several columns listed below:

• Rule number and an indicator (blue box) of the number of times elements
of the received packet have matched criteria in the filter rule. The numeric
counter appears when you scroll over the indicator. The indicator can display
four colors, according to the ratio between the number of hits for this rule
and the maximum number of hits reached by any rule in the same slot:
• White (blank): the rule has never been applied,
• Blue: the value displayed is between 0% and 2% of the maximum
number of hits,
• Green: the value displayed is between 2% and 20% of the
maximum number of hits,
• Orange: the value displayed is higher than or equal to 20% of the
maximum number of hits and exceeds 10,000 hits.
• Status: makes it possible to enable/disable a filter rule.
• Action: indicates the action applied on the connection: pass, block, log,
redirect to a captive portal, etc.
• Source: specifies the source of the traffic: source IP address or network,
incoming interface, user, etc.
• Destination: specifies the destination of the traffic: destination IP address
or network, outgoing interface.
• Dest port: indicates the destination port of the traffic.


• Protocol: makes it possible to enter the protocol used by the traffic.
• Security inspection: makes it possible to select the level of inspection
(IPS/IDS/Firewall) and enable application inspection. (This section will be
covered in greater detail in the Application Protection module.)

NOTE : The indicator re-orders the most frequently used filter rules by placing them
at the top of the list. This makes it possible to optimize the reading of the policy
before finding the action to apply.


“FILTERING” MENUS

• OmniBox to edit all fields in the rule at one go


The parameters of a rule may be entered directly in the rule window or in a new
window (omnibox) that appears by double-clicking on any parameter of this rule.

Since the values of the parameters are objects, they can be copied from one rule to
another by dragging and dropping. This also allows filter rules to be moved by
clicking on the rule number. Rules added have to be saved and manually enabled
with the Save and enable button.


“FILTERING” MENUS

• Action menu: definition of the action


The ACTION menu is made up of several tabs, but we will focus on the GENERAL tab,
which makes it possible to specify the following parameters:
• Action: defines the action to apply to the packet that matches the filter
rule:
    • Pass: allows the packet,
    • Block: blocks the packet,
    • Decrypt: sends the packet to the SSL proxy,
    • Reinit. TCP/UDP: in the case of TCP traffic, the firewall will send
    back a TCP RST packet to the sender. In the case of UDP traffic,
    the firewall will send an ICMP port unreachable notification to
    the sender.


“FILTERING” MENUS

• Action menu: definition of the log level


• Log level: logs traffic processed by the rule. It can have different levels:
    • standard (connection log): this is the default value; only
    established connections that use a TCP/UDP transport layer are
    logged:
        • in the Network connections or Application connections
        log, if a plugin performs an application analysis in IPS or IDS
        mode,
        • connections with a Block action will not be logged.
    • verbose (filtering log): traffic is logged in the Filtering log. This
    option is only useful when you log:
        • traffic directly above the IP layer (ICMP, GRE, ESP, etc.),
        • traffic blocked by a Block action.
    • minor alarm: the connection will be logged in the Alarms log
    with a minor alarm.
    • major alarm: the connection will be logged in the Alarms log with
    a major alarm.

NOTE : Verbose mode is unnecessary for TCP/UDP connections and creates duplicates,
with one entry in the connection logs and another entry in the filtering log for the same
traffic.


“FILTERING” MENUS

• Action menu: scheduling and policy-based routing


• Scheduling: selects a time object that allows events to be defined in
weekly, annual or ad hoc time slots. Time objects can be created in the
menu CONFIGURATION ⇒ OBJECTS ⇒ Time objects or by clicking on the
button in the blue box. If this parameter has been entered, the filter rule
will be active only during the time slot defined by the time object.
• Gateway – router: this parameter allows you to implement policy-based
routing (covered in the Network configuration module). Once a gateway
has been entered, all traffic processed by this filter rule will be sent to this
gateway instead of the default gateway if no other routing directive with
higher priority was configured.


“FILTERING” MENUS

• Source menu: general tab


The SOURCE > GENERAL menu groups parameters that identify the source of the
traffic affected by the filter rule:
• User: indicates the user or user group at the source of the traffic. This
parameter works in authentication systems based on user directories (see
the Users and Authentication module).
• Source hosts: indicates the IP address, Fully Qualified Domain Name
(FQDN) or network address of the traffic. The icons = or ≠ mean that
the parameter may be equal to or different from the value specified. It is
also possible to enter a list of objects by clicking on Add. If the top left
corner of an object name is red, this means that the added object has not
yet been saved.
• Incoming interface: specifies the traffic's incoming interface. This
parameter comes in useful when there are bridges in which the interfaces
share the same address range.


“FILTERING” MENUS

• Source menu: geolocation/reputation tab


The Source ⇒ GEOLOCATION / REPUTATION menu groups the following parameters:
• Geolocation: a continent or country at the source of the traffic can be
entered here. The list does not contain any IP addresses, as the firewall
will determine the country to which an IP address belongs instead of
loading all IP addresses (address blocks are highly fragmented over the
Internet).
• Public IP address reputation: the reputation of a public IP address is
split into two groups. The "Bad" group contains the following
categories: anonymizer, botnet, malware, phishing, scanner, spam and tor.
• Host reputation: filtering can be based on the reputation score of hosts on
the internal network. Host reputation management must be enabled
beforehand and the hosts affected by the calculation of a reputation score
must be defined. This topic will be covered in the appendices.
In the Source menu, the Geolocation and Public IP address reputation settings are
generally used to qualify incoming traffic (originating from the Internet) whereas the
Host reputation parameter is used for qualifying outgoing traffic.

NOTE : The reputation score of internal hosts, which can be configured in this menu,
makes it possible to specify the score above or below which the filter rule will be
applied to monitored hosts.


“FILTERING” MENUS

• Destination menu: general tab


The Destination menu groups the parameters that identify the traffic's destination.
In the GENERAL tab, the Destination hosts parameter indicates the traffic's
destination IP address, network address or FQDN. It is also possible to choose
whether the parameter needs to be equal to or different from the value and to enter
a list of objects.

Location, public IP address reputation and host reputation information can also be
used as destination settings in the GEOLOCATION / PUBLIC IP ADDRESS
REPUTATION tab.

NOTE: when the destination object is an FQDN object, it must be the only object in
the rule.


“FILTERING” MENUS

• Destination menu: advanced properties


In the ADVANCED PROPERTIES tab, it is possible to restrict the application of the
rule to only traffic leaving from the interface indicated in Outgoing interface.

NOTE: For rules that allow incoming traffic, you are advised against entering the
outgoing interface because the path to the traffic's destination is not yet known.


“FILTERING” MENUS

• Port - Protocol menu: definition of a port


In the PORT - PROTOCOL menu, the Destination port can be entered with the
possibility of selecting whether it has to be equal to, different from, higher than or
lower than the value selected. A list of destination ports can also be entered.


“FILTERING” MENUS

• Port - Protocol menu: definition of a protocol


In the PORT - PROTOCOL menu, the ID of the IP protocol that will be affected by the filter
rule can also be entered. To do so, select the Protocol type parameter and select the
value IP protocol, then specify the protocol in the IP protocol field. If ICMP has
been selected, the ICMP message parameter will automatically appear so that the
filter can be refined by selecting the type of ICMP notification relevant to the filter
rule.

NOTE : Stateful inspection, which memorizes and tracks connections going through
the firewall, is always enabled for the TCP, UDP and ICMP protocols and cannot be
disabled for them. For other protocols (GRE, ESP, etc.), you will need to select this
option to enable tracking.


“FILTERING” MENUS

• Filter rule with NAT on the destination


NAT can be applied to the destination (DNAT) in a filter rule unless it contains an
FQDN object or geolocation and/or reputation items.

Example: The screen captures above illustrate translation on the destination of
incoming SMTP traffic. The filter rule allows this traffic coming from an external
network and going to the public IP address of the SMTP server over SMTP port 25.
The address and destination port are translated respectively into the SMTP server's
private IP address and the port SMTP/25 directly in the filter rule, in which ARP
publication has also been enabled. In this configuration, there is no need to add a
translation rule to redirect this traffic.

There are several advantages in creating a NAT on destination instruction in a filter
rule:
• Quick view of what traffic is allowed and redirected to the internal host,
• Incoming rules can be managed and monitored in a single menu,
• The processing of NAT rules can be optimized since the rules in the NAT tab
will not be read,
• Application protections can be enabled (SMTP filtering, antispam, etc.) on
translated incoming connections.


POLICY ANALYZER
FILTERING

What we will cover in this module

✔ Overview
✔ The concept of "stateful"
✔ Sequencing of filter and translation rules
✔ Filtering menus
➔ Policy analyzer


POLICY ANALYZER


Stormshield Network firewalls have a built-in checker that detects any overlaps or
inconsistencies created in the filter policy. When this happens, a warning message
will appear at the bottom of the menu.
Three examples are shown in the screen captures above:
• In rule no. 1, the HTTP destination port is incompatible with UDP as the
HTTP application protocol uses the TCP transport protocol,
• Rule no. 3 will never be used as rule no. 2 overrides it,
• Rule no. 4 indicates that traffic arrives on an object with an IP address that
may change (dynamic IP associated with the out branch) and that the in
interface (source field) needs to be specified.

NOTE : Messages indicated with a red cross prevent the policy from being saved and
enabled.
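The three checks illustrated above, as an added Python sketch that is not Stormshield's analyzer: a service object carrying the wrong transport protocol, a rule shadowed by an earlier rule (checked pairwise against each earlier rule here, which is a simplification), and a destination with a dynamic IP used without an incoming interface. The service table, rule fields and policy are constructed.

```python
"""Added sketch of checks like those of the built-in policy analyzer. Not
Stormshield's analyzer: the service table, rule model and policy are constructed,
and shadowing is checked pairwise against each earlier rule (a simplification)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed service objects: name -> (destination port, transport protocol)
SERVICES = {"http": (80, "tcp"), "https": (443, "tcp"), "dns_udp": (53, "udp")}


@dataclass
class Rule:
    action: str
    src: str = "0.0.0.0/0"             # source network, Any by default
    dst: str = "0.0.0.0/0"             # destination network
    service: Optional[str] = None      # key of SERVICES, None = Any
    proto: Optional[str] = None        # "tcp" or "udp", None = Any
    src_iface: Optional[str] = None    # incoming interface, None = Any
    dst_dynamic_ip: bool = False       # destination bound to an interface with a dynamic IP


Finding = Tuple[str, int, str]         # (severity, rule number, message)


def check_service_protocol(n: int, r: Rule) -> List[Finding]:
    """Error when the service object's transport does not match the protocol column."""
    if r.service and r.proto and SERVICES[r.service][1] != r.proto:
        expected = SERVICES[r.service][1].upper()
        return [("error", n, f"{r.service} uses {expected}, incompatible with {r.proto.upper()}")]
    return []


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet matching `later` already matches `earlier`."""
    return (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            and (earlier.service is None or earlier.service == later.service)
            and (earlier.proto is None or earlier.proto == later.proto)
            and (earlier.src_iface is None or earlier.src_iface == later.src_iface))


def analyze(rules: List[Rule]) -> List[Finding]:
    """Walk the policy in order and collect errors and warnings."""
    findings: List[Finding] = []
    for n, rule in enumerate(rules, start=1):
        findings += check_service_protocol(n, rule)
        for m, earlier in enumerate(rules[:n - 1], start=1):
            if covers(earlier, rule):
                findings.append(("warning", n, f"rule {n} will never be used: rule {m} overrides it"))
                break
        if rule.dst_dynamic_ip and rule.src_iface is None:
            findings.append(("warning", n, "destination has a dynamic IP: specify the incoming interface"))
    return findings


def can_save(findings: List[Finding]) -> bool:
    """Findings flagged as errors (red cross in the interface) block saving the policy."""
    return not any(sev == "error" for sev, _, _ in findings)


# Constructed policy reproducing the three cases above.
EXAMPLE_POLICY = [
    Rule("pass", src="192.168.1.0/24", service="http", proto="udp"),                          # 1: HTTP over UDP
    Rule("pass", src="192.168.1.0/24", service="http", proto="tcp"),                          # 2
    Rule("block", src="192.168.1.128/25", dst="203.0.113.0/24", service="http", proto="tcp"),  # 3: shadowed by 2
    Rule("pass", dst="198.51.100.7/32", service="https", proto="tcp", dst_dynamic_ip=True),    # 4: dynamic IP
]


if __name__ == "__main__":
    found = analyze(EXAMPLE_POLICY)
    for severity, number, message in found:
        print(f"rule {number}: {severity}: {message}")
    print("policy can be saved:", can_save(found))
```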


SECURITY RECOMMENDATIONS

• Enable filtering as a complement to anti-spoofing rules

• Disable implicit rules

• Use object groups

• Delete rules that overlap or are unnecessary


Anti-spoofing has its limits and does not block all private networks that arrive
through the Internet. To ensure full protection, you need to define block rules that
cater to the topology of the network. For example, you can block the special-use IP
address ranges listed in RFC 5735 on public networks.

Since implicit rules are read before other rules, they can negate rules that the
administrator created. Ensure that you define web interface access rules carefully to
maintain control over the firewall. As SSH access to SNS is allowed by default on all
internal interfaces, this is the ideal moment to restrict it.

Object groups make it easier to modify rules, and you are advised to use groups
instead of creating lists of hosts in rules. This also makes rules easier to read.

Never let rules overlap. Likewise, regularly keep track of and delete all unused rules.


LAB 5 – FILTERING

[Lab topology diagram. Servers on the Debian virtual machine: DNS 192.168.1.10, WEB 192.168.1.11, FTP 192.168.1.12, MAIL 192.168.1.13. Instructor firewall addresses shown: 192.168.1.254/24, 172.16.1.254/24, 192.36.253.10/24, 192.168.250.254/24, 192.36.253.254/24, 172.16.250.254/24. Trainee firewalls A, B, C and D, each with OUT, IN and DMZ interfaces (addresses shown for one of them: 192.36.253.20/24, 172.16.2.254/24, 192.168.2.254/24).]

Below are links to two technical notes published by the ANSSI:

• Recommendations on defining a firewall's network filter policy:
https://www.ssi.gouv.fr/guide/recommandations-pour-la-definition-dune-politique-de-filtrage-reseau-dun-pare-feu/

• Recommendations on how to secure a Stormshield Network Security (SNS) firewall:
https://www.ssi.gouv.fr/guide/recommandations-de-securisation-dun-pare-feu-stormshield-network-security-sns/

For more information, refer to the technical note at documentation.stormshield.eu:

• Implementing a filter rule

For highly specific situations/questions, refer to the TAC knowledge base at
kb.stormshield.eu.

APPENDIX – FILTERING
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.

274
Appendix
Filtering

ADVANCED PROPERTIES
FILTERING

Program

➔ Advanced properties


ADVANCED PROPERTIES: “DELEGATE” ACTION

Global filter rules, most often used in SMC, the centralized administration server,
offer a new action that delegates the choice of the action to the local filter. So
packets that match a global filter rule set to delegate will continue to be compared
directly with local filter rules.

To see global policies, go to the top of the screen, in Admin > Preferences and select
Display global policies.

Once this rule is enabled, you will see it in console mode when you enter the
command:
sfctl -s filter
This rule contains the action jump followed by the number of rules to ignore to
reach the local filter (1 in the above example, in which only one other global rule
follows the delegation rule).
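The slot order described in the Sequencing of filter and translation rules section and the delegate action above, as an added Python sketch that is not Stormshield's implementation: rules are evaluated implicit, then global, then local, the first match wins, an unmatched packet is blocked, and a global delegate rule skips the rest of its slot (the jump value seen in `sfctl -s filter`). The addresses and the policy are constructed.

```python
"""Added sketch of slot-by-slot rule evaluation with a global "delegate" action.
Not Stormshield's implementation: fields, addresses and the policy are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                    # "pass", "block" or "delegate"
    src: Optional[str] = None      # dotted prefix of the source address, None = Any
    dst: Optional[str] = None      # dotted prefix of the destination address
    dport: Optional[int] = None    # destination port, None = Any
    comment: str = ""

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return ((self.src is None or src.startswith(self.src))
                and (self.dst is None or dst.startswith(self.dst))
                and (self.dport is None or self.dport == dport))


@dataclass
class FilterSlots:
    implicit: List[Rule]   # slot 0: rules added by the firewall itself
    global_: List[Rule]    # slot 1: e.g. rules pushed from SMC
    local: List[Rule]      # slot 2: rules written by the administrator

    def evaluate(self, src: str, dst: str, dport: int) -> Tuple[str, str]:
        """Verdict for the first packet of a stream and the rule that produced it."""
        for slot_name, rules in (("implicit", self.implicit),
                                 ("global", self.global_),
                                 ("local", self.local)):
            for i, rule in enumerate(rules, start=1):
                if not rule.matches(src, dst, dport):
                    continue
                if rule.action == "delegate":
                    # Skip the rest of this slot and let the next slot decide
                    # (the "jump" shown by `sfctl -s filter`).
                    break
                return rule.action, f"{slot_name}:{i}"
        return "block", "default"   # nothing matched: blocked by default


def delegate_jump_counts(rules: List[Rule]) -> List[int]:
    """Number of rules each delegate rule skips to reach the next slot."""
    return [len(rules) - i for i, r in enumerate(rules, start=1)
            if r.action == "delegate"]


# Constructed policy. Implicit: keep the web admin interface reachable.
# Global: forbid Telnet, delegate HTTP to the local policy, block the rest of the LAN.
# Local: the LAN may browse.
EXAMPLE = FilterSlots(
    implicit=[Rule("pass", dst="10.0.0.254", dport=443, comment="web administration")],
    global_=[Rule("block", dport=23, comment="no Telnet anywhere"),
             Rule("delegate", dport=80, comment="HTTP: local policy decides"),
             Rule("block", dst="10.0.0.", comment="other traffic towards the LAN")],
    local=[Rule("pass", src="10.0.0.", dport=80, comment="LAN may browse")],
)


def demo() -> List[Tuple[str, str]]:
    return [
        EXAMPLE.evaluate("10.0.0.7", "10.0.0.254", 443),   # ("pass", "implicit:1")
        EXAMPLE.evaluate("10.0.0.7", "203.0.113.9", 23),   # ("block", "global:1")
        EXAMPLE.evaluate("10.0.0.7", "203.0.113.9", 80),   # ("pass", "local:1") via delegate
        EXAMPLE.evaluate("203.0.113.9", "10.0.0.7", 80),   # ("block", "default"): delegated, no local match
        EXAMPLE.evaluate("203.0.113.9", "10.0.0.7", 22),   # ("block", "global:3")
    ]


if __name__ == "__main__":
    for verdict, where in demo():
        print(verdict, where)
```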


ADVANCED PROPERTIES: SOURCE PORT

A filter rule makes it possible to use the source port as a criterion to identify traffic.
This parameter does not appear by default in the rule window but it can be shown
by selecting the corresponding column. It can also be configured in the ADVANCED
PROPERTIES tab in the source field.


ADVANCED PROPERTIES: FILTERING BY THE VALUE OF THE DSCP FIELD

The value of the DSCP field can be used as a criterion in a filter rule. It can be
selected in the Source DSCP parameter in the ADVANCED PROPERTIES tab of the
source field, which also offers the possibility of defining a customized non-standard
value.

NOTE : the DSCP field is part of the IP header and indicates the service class (QoS) to
which an IP packet belongs.


ADVANCED PROPERTIES: TAGGING THE DSCP FIELD

Stormshield Network firewalls make it possible to impose the value of the DSCP field
on selected traffic in the Action field of a filter rule. This means that IP packets
belonging to such traffic streams will be tagged with the chosen value of the DSCP
field when they leave the firewall. Tagging can be configured in the DSCP section of
the QUALITY OF SERVICE tab in the Action field.

APPLICATION PROTECTION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

Training program

✔ Training and certification course
✔ Introduction to the company and products
✔ Getting started with the firewall
✔ Logs and monitoring
✔ Objects
✔ Network configuration
✔ Address translation
✔ Filtering
➔ Application protection
Users & authentication
VPN
SSL VPN

280
Application protection

ENABLING PROXY MODE
APPLICATION PROTECTION

Program of this module

➔ Enabling proxy mode
HTTP proxy
HTTPS proxy
Antivirus analysis
Breach Fighter analysis
Intrusion prevention module and security inspection


ENABLING PROXY MODE

• Objectives:
– Control access to websites via URL filtering and SSL filtering
– Create an anti-relay policy via SMTP filtering
– Analyze data traffic, e.g., HTTP, SMTP, FTP and POP3
– Block malware using behavioral analysis on sandboxing hosts such as Breach Fighter

The full analysis of application behavior in traffic - regardless of whether it was
initially encrypted - requires the use of proxy mode on Stormshield firewalls.


ENABLING PROXY MODE

• Implementation:

When application inspection is enabled (red box) on a filter rule on the firewall, it
will run analyses in transparent proxy mode:

• The firewall acts as the client to the server, and as the server to the client,
• The configuration of the client workstation remains unchanged because it is in
transparent mode. For example, the listening port and IP address of the proxy do
not need to be configured on the browser.

NOTE:
• Explicit proxy mode will not be covered in this chapter, as this mode on
Stormshield firewalls offers fewer features than with a transparent proxy. Explicit
proxies are not compatible with multi-directory authentication and the SSL proxy,
for example, since HTTPS traffic cannot be decrypted for antivirus analyses. The
use of the proxy in transparent mode is therefore recommended.

• Analyses of filter rules in IPS mode only do not use proxy mechanisms.


HTTP PROXY
APPLICATION PROTECTION

Program of this module

✔ Enabling proxy mode
➔ HTTP proxy
HTTPS proxy
Antivirus analysis
Breach Fighter analysis
Intrusion prevention module and security inspection


HTTP PROXY

• Controlling access to websites in HTTP:
– Using custom key words
– Using websites in a database:
    • Built-in Stormshield database: 16 categories
    • EWC: Extended Web Control base: 65 categories

With the URL filtering feature, you can control all of your users' access to websites.

To do so, the URL filter policy will rely on a list of categorized URL entries or custom
key words.

There are two URL database providers:

1. A built-in URL database consisting of 16 categories that can be downloaded from
update servers,
2. An Extended Web Control (EWC) database consisting of 65 categories, all of which
are stored in the cloud. This feature is not available by default and needs the
purchase of a specific license. Please read the section "EWC: how it works" for
more details on how to operate it.


HTTP PROXY

• Extended Web Control:

– URL filtering solution

– Database updated in the cloud

– Prevents disk saturation, especially on entry-level appliances

Extended Web Control is a cloud-based URL filtering provider. The database is
updated in the Cloud.

As such, the firewall does not need to download the database, preventing disk
saturation issues.

As this is a paid option, it is not enabled on our product range by default.


HTTP PROXY

• Extended Web Control: how it works

[Diagram: Extended Web Control operation. The client's HTTP request for www.lost.com reaches the firewall, which checks its local cache and, if needed, sends a classification request to the CloudURL servers; the classification (here: entertainment) is returned and stored in the local cache.]

As soon as it receives an HTTP connection to a public website, the firewall will send a
request to one of the EWC servers in order to get the categories that contain the
visited website (if it is not already in its local cache). The results will then be
compared to the active URL filter policy.

EWC servers can return up to 5 categories per URL. A URL can therefore
simultaneously be part of a blocked category and an allowed category. If it happens,
the way rules are ordered in the URL filter policy counts the most; be sure to
organize the policy in the most efficient way.

In order to optimize the way it works, and avoid sending many requests to EWC
servers for the same URL, the Extended Web Control feature uses a cache to
remember the decision for a website that has already been visited. The cache size
varies according to appliance and is configured to keep data for one day of browsing.
Its contents cannot be viewed, even in console mode.

The cache is purged when the firewall or the proxy daemon (tproxyd) reboots. The
two scenarios presented in the slides that follow will explain how the Extended Web
Control cache works.


HTTP PROXY

• Extended Web Control: the URL is not in the cache

[Diagram: the URL is not in the cache. Numbered steps show the HTTP request for www.lost.com, the local cache lookup, the classification request sent to the CloudURL servers and the classification returned (entertainment) and stored in the local cache.]

The proxy queries the local cache. Since the URL is not in the cache, a classification
request is then forwarded to Extended Web Control servers to know which
categories include this URL.

As soon the categories are received, the URL filter policy decides whether access to
the website will be allowed or blocked.

In the object database, Extended Web Control servers (CloudURL) are called
cloudurl[1-5]-sns.stormshieldcs.eu


HTTP PROXY

• Extended Web Control: the URL is in the cache

[Diagram: the URL is in the cache. Numbered steps show the HTTP request for www.lost.com, the local cache lookup and the cached result being applied; the CloudURL servers are not contacted.]

The proxy queries the local cache and the URL is in the base. In this case, Extended
Web Control servers will not be queried.

The result applied during the last visit (grant access or block) will also be applied for
this connection.


HTTP PROXY

• Choosing the EWC URL database


You can choose the URL database provider from the menu CONFIGURATION ⇒
OBJECTS ⇒ WEB OBJECTS, in the URL Database tab.

Switching from the built-in URL database to EWC will delete the embedded
categories - you will see a warning message.

After the database has been changed, we advise you to check the active URL filter
policy because category names might differ from one base to another.

E.g.: the "Job search" category exists in the Extended Web Control database but does
not exist in the embedded URL database. As such, when this category is used in the
URL filter policy, it will generate a warning when the policy is enabled if you attempt
to return to the embedded database.


HTTP PROXY

• Creation of a custom category


In CONFIGURATION ⇒ OBJECTS ⇒ Web objects, in the URL tab, you can create your
own categories. Each category contains a list of URLs, which need to be added by
following the suggestions.


HTTP PROXY

• Creation of a group of custom categories


In Configuration ⇒ Objects ⇒ Web Objects, in the GROUPS OF CATEGORIES TAB,
you can add and edit your own groups of categories. Create a URL category group
object.

A category group can be made up of categories already in the database (EWC or
embedded), or custom categories, as shown in the above example.

Use the CTRL and SHIFT keys to select several groups before moving them.


HTTP PROXY

• Contents of groups or classification check


There is no way to view the contents of existing categories. However, classification
fields allow you to know the category of your requested keyword or URL.

These fields are available in the Web Objects menu and in URL filter policies.


HTTP PROXY

• Editing the URL filter policy


From the menu Configuration ⇒ Security Policy ⇒ URL Filtering, choose the policy
to edit (in the above example, policy default00 was renamed Block_prohibited_URL).

Then, select the website categories that have to be allowed, blocked or
redirected to one of the 4 customizable block pages.

The real-time policy checker will show any errors detected in your policy.


HTTP PROXY

• Create a policy in a click!


Use the Add rules by category button to create a policy quickly.

This option adds a line with the action BlockPage_00 for each category in the current
URL database. However, this option does not take into account custom groups,
which have to be added manually.

Websites can belong to several categories. When this occurs, the order of the rules
in the filter policy determines the action to apply for the website in question.

Example: www.amazon.com belongs to two EWC groups – Leisure and Recreation,
and Shopping. The order of these two groups in the active URL filter policy defines
the action to apply every time a user visits www.amazon.com.
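The cache scenarios from the Extended Web Control slides and the rule-ordering point above, as an added Python sketch that is not Stormshield's implementation: a constructed in-memory table stands in for the CloudURL servers, the cache keeps the last decision for one day and is emptied on restart, and the policy order decides for a site that belongs to two categories.

```python
"""Added sketch of the Extended Web Control flow: local cache in front of the
CloudURL classification, one-day retention, purge on restart, and ordered URL
filter rules deciding for multi-category sites. Not Stormshield code; the
"cloud" is a constructed in-memory table."""
from typing import Callable, Dict, List, Tuple

ONE_DAY = 24 * 3600
MAX_CATEGORIES = 5          # EWC returns up to five categories per URL

# Constructed stand-in for the CloudURL servers (cloudurl[1-5]-sns.stormshieldcs.eu).
CLOUD_TABLE: Dict[str, List[str]] = {
    "www.lost.com": ["Entertainment"],
    "www.amazon.com": ["Leisure and Recreation", "Shopping"],
    "news.example": ["News"],
}


def cloud_classify(host: str) -> List[str]:
    """Classification request; unknown sites get a constructed 'Unknown' category."""
    return CLOUD_TABLE.get(host, ["Unknown"])[:MAX_CATEGORIES]


# URL filter policy: ordered (category, action) rules, first match wins.
UrlRule = Tuple[str, str]


def evaluate(policy: List[UrlRule], categories: List[str]) -> str:
    for category, action in policy:
        if category == "Any" or category in categories:
            return action
    return "pass"   # constructed default for this sketch when no rule matches


class EwcProxy:
    def __init__(self, policy: List[UrlRule],
                 lookup: Callable[[str], List[str]] = cloud_classify,
                 ttl: int = ONE_DAY) -> None:
        self.policy = policy
        self.lookup = lookup
        self.ttl = ttl
        self._cache: Dict[str, Tuple[float, str]] = {}   # host -> (stored_at, decision)
        self.cloud_queries = 0

    def purge(self) -> None:
        """What a firewall or tproxyd restart does to the cache."""
        self._cache.clear()

    def decide(self, host: str, now: float) -> Tuple[str, bool]:
        """Return (decision, served_from_cache) for one HTTP connection."""
        entry = self._cache.get(host)
        if entry is not None and now - entry[0] < self.ttl:
            # Cache hit: the decision taken at the last visit is reapplied and the
            # CloudURL servers are not queried (so a policy change only shows once
            # the entry expires or the cache is purged).
            return entry[1], True
        self.cloud_queries += 1
        decision = evaluate(self.policy, self.lookup(host))
        self._cache[host] = (now, decision)
        return decision, False


def demo() -> Tuple[List[Tuple[str, bool]], int]:
    t0 = 1_700_000_000.0   # constructed clock
    shopping_first = [("Shopping", "BlockPage_00"), ("Leisure and Recreation", "pass"), ("Any", "pass")]
    leisure_first = [("Leisure and Recreation", "pass"), ("Shopping", "BlockPage_00"), ("Any", "pass")]
    a = EwcProxy(shopping_first)
    results = [
        a.decide("www.amazon.com", t0),                 # ("BlockPage_00", False): cloud queried
        a.decide("www.amazon.com", t0 + 3600),          # ("BlockPage_00", True): cache hit
        a.decide("www.amazon.com", t0 + ONE_DAY + 1),   # ("BlockPage_00", False): entry expired
    ]
    a.purge()                                           # proxy restart empties the cache
    results.append(a.decide("www.amazon.com", t0 + ONE_DAY + 2))  # ("BlockPage_00", False)
    b = EwcProxy(leisure_first)
    results.append(b.decide("www.amazon.com", t0))      # ("pass", False): rule order reversed
    return results, a.cloud_queries                     # proxy a queried the cloud 3 times


if __name__ == "__main__":
    print(demo())
```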


HTTP PROXY

• Application of URL filtering in the filter policy


Once your URL filter policy is ready, you have to apply it to a filter rule that allows
outgoing HTTP traffic as shown in the above example. In this rule, Network_dmz1
will only have access to websites that are in the News category.

By following this procedure, you can enable more than one URL filter policy at a
time, to handle access for different networks or source hosts.


HTTP PROXY

• Customizing block pages


Block pages can be edited from the menu CONFIGURATION ⇒ NOTIFICATIONS ⇒
BLOCK MESSAGES ⇒ HTTP BLOCK PAGE tab. With the Edit button at the top left, you
can:
• Modify the contents of the block page,
• Rename the current policy,
• Reset the policy to factory settings,
• Copy the contents of the page to another page.

You can make changes with two editors (simplified or HTML). Both of them use the
WYSIWYG format (What You See Is What You Get: instant preview of the content).
Via the simplified editor, you can quickly change the page information such as its
title, block message, e-mail address of the administrator to contact to report wrong
URL classifications, or the logo to display.

For those who feel more comfortable with web programming languages, the HTML
editor makes it possible to modify the contents of the page more accurately.

HTTPS PROXY
APPLICATION PROTECTION

Program of this module

✔ Enabling proxy mode
✔ HTTP proxy
➔ HTTPS proxy
Antivirus analysis
Breach Fighter analysis
Intrusion prevention module and security inspection

HTTPS PROXY

• Controlling access to websites in HTTPS:
– By checking the SNI in the client request and looking up website categories in
the databases:
• Stormshield embedded base: 16 categories
• Extended Web Control base: 65 categories
– By decrypting HTTPS traffic to apply a URL filter policy as seen earlier

When clients initiate a connection to a website in HTTPS, they send the domain
name of the requested website in plaintext to the server. This is known as Server
Name Indication (SNI), and allows the server to select the right certificate to present
to the client.
Stormshield Network Security relies on this system to control access to these
websites without decrypting traffic.

NOTE: In this chapter, we will cover only SNI verifications and their classifications to
allow or block traffic without decryption. Advanced operations, such as URL filter
policies and antivirus analyses, that are enabled with HTTPS traffic decryption, will
be covered in the CSNE course.

HTTPS PROXY

• Creation of a custom category

In Configuration ⇒ Objects ⇒ Web Objects, in the Certificate name (CN) tab, you
can create your own categories. Each category contains a list of CNs that will be
compared with the SNIs of SSL/TLS connections.

HTTPS PROXY

• Creation of a group of categories

In Configuration ⇒ Objects ⇒ Web Objects, in the GROUPS OF CATEGORIES TAB,
you can add and edit your own groups of categories. Create a Certificate category
group object.

A category group can be made up of categories already in the database (EWC or
embedded), or custom categories, as shown in the above example.

Use the CTRL and SHIFT keys to select several groups before moving them.

HTTPS PROXY

• Editing the SSL filter policy

In CONFIGURATION ⇒ SECURITY POLICY ⇒ SSL filtering, select a policy to edit.

Next, select the SNIs that you intend to Block without decrypting and Pass without
decrypting.
Reminder: the Decrypt action, which enables a thorough analysis of HTTPS traffic,
will be covered in CSNE.

The real-time policy checker will show any errors detected in your policy.

HTTPS PROXY

• Application of SSL filtering in the filter policy

Once your SSL filter policy is ready, you have to apply it, together with a Decrypt
action, to a filter rule that allows outgoing HTTPS traffic as shown in the above
example.

By following this procedure, you can enable more than one SSL filter policy at a time,
to handle access for different networks or source hosts.

HTTPS PROXY

• Message that appears in the browser (Block without decrypting)

If the CN of the requested website depends on the Pass without decrypting action,
no changes will be made to the requested web page.
If the CN of the requested website depends on the Block without decrypting action,
the web page will only indicate that the administrator rejects the connection.

ANTIVIRUS ANALYSIS
APPLICATION PROTECTION

Program of this module

✔ Enabling proxy mode
✔ HTTP proxy
✔ HTTPS proxy
➔ Antivirus analysis
Breach Fighter analysis
Intrusion prevention module and security inspection

ANTIVIRUS ANALYSIS

• Choice of the antivirus engine

You can choose the antivirus engine from the menu Configuration ⇒ Application
protection ⇒ Antivirus.

Two antivirus solutions are available on Stormshield Network firewalls:
• ClamAV: included free of charge and by default on every Stormshield
Network appliance,
• Kaspersky: to use the Kaspersky antivirus, you have to purchase a security
pack containing this option. For further information on the Kaspersky
antivirus service, please contact your distributor.

If you decide to switch engines, a message will prompt you to download the relevant
base. This means that for the entire duration of the download, the antivirus analysis
will not be effective.

NOTE: The "Sandboxing" option, which can only be used with Kaspersky antivirus, is
available if you have subscribed to the additional license option called "Breach
Fighter Sandboxing", which will be covered in the chapter "Breach Fighter analysis".

ANTIVIRUS ANALYSIS

• Analyzing files

You can find additional parameters to be applied to protocols that may be scanned
by the antivirus (see menu Configuration ⇒ Application Protection ⇒ Protocols ⇒
HTTP, SMTP, FTP or POP3 ⇒ Analyzing files).

This menu is the same for FTP, SMTP and POP3 protocols and contains:
• Maximum size for the antivirus analysis,
• Actions to perform on messages.

For the HTTP protocol, an additional frame makes it possible to define the antivirus
behavior according to MIME types declared in the HTTP header.

ANTIVIRUS ANALYSIS

• Response from the antivirus to the user

From the menu Configuration ⇒ Notifications ⇒ Block messages, you can change
the notifications sent to users when an e-mail or a file downloaded via FTP contains
a virus.

This is a global setting. Messages for incoming traffic and outgoing traffic cannot be
distinguished, for example.

ANTIVIRUS ANALYSIS

• Activating the antivirus analysis

The antivirus engine can analyze the following traffic:
• HTTP and HTTPS*,
• FTP,
• SMTP and SMTPS*,
• POP3 and POP3S*.

To apply this analysis, select the Antivirus application inspection in the
corresponding filter rule.

*NOTE: HTTPS, SMTPS and POP3S must be decrypted by an SSL rule before being
analyzed by the antivirus engine.

BREACH FIGHTER ANALYSIS
APPLICATION PROTECTION

Program of this module

✔ Enabling proxy mode
✔ HTTP proxy
✔ HTTPS proxy
✔ Antivirus analysis
➔ Breach Fighter analysis
Intrusion prevention module and security inspection

BREACH FIGHTER ANALYSIS

[Diagram: analysis layers Static, Heuristic, Dynamic and Behavioral; Kaspersky analysis; Breach Fighter analyses in cloud mode]

Breach Fighter is available as an additional software option for subscribers to the security
pack containing Kaspersky antivirus.

This option allows users to counter new threats for which an antivirus and heuristic analysis
no longer suffices (8 out of 10 malware programs manage to evade conventional
antiviruses).

The protocols that the Kaspersky antivirus engine analyzes (FTP, HTTP(s), SMTP(s) and
POP3(s)) are taken into account.

The solution is based on a dedicated Stormshield cloud and offers several layers of analysis
for optimum protection of Windows operating systems:
• Static analysis: a file's hash is compared against existing hashes referenced in the
database shared by the community so that threats can be blocked,
• Heuristic analysis: variants of a malware program will be detected,
• Dynamic analysis: our dedicated team of security researchers implements rules
to detect and protect against new threats,
• Behavioral analysis: the behavior of malware is replayed in virtual Windows
environments to simulate how it is actually used. The environment is called a
"sandbox" and integrates Stormshield Endpoint Security (SES) technologies to
provide zero-day protection.

All files that pass through the appliance are scanned by Kaspersky antivirus. Files that
Kaspersky does not block will be scanned one more time by Breach Fighter.
As soon as an infected file is detected, its hash will be added to the shared database, making
it possible to immediately protect all clients.
The security team dedicated to "Threat Intelligence" contributes to the continuous
optimization of Breach Fighter's capabilities.

BREACH FIGHTER ANALYSIS

The Breach Fighter analysis can be enabled on a filter rule using the SECURITY
INSPECTION ⇒ APPLICATION INSPECTION ⇒ SANDBOXING parameter. The antivirus
analysis will automatically be enabled when Breach Fighter is enabled.

Files that undergo a Breach Fighter sandboxing analysis are assigned a score on a
scale of 0 to 100. A score of 0 means that the file is not dangerous.

Sandboxing can be configured in the menu Configuration ⇒ APPLICATION
PROTECTION ⇒ ANTIVIRUS, in the drop-down menu Sandboxing threshold above
which files will be blocked:
• Minor (score between 1 and 30),
• Suspicious (score between 31 and 70),
• Potentially malicious (score between 71 and 99),
• Malicious (score of 100).

INTRUSION PREVENTION MODULE AND SECURITY INSPECTION
APPLICATION PROTECTION

Program of this module

✔ Enabling proxy mode
✔ HTTP proxy
✔ HTTPS proxy
✔ Antivirus analysis
✔ Breach Fighter analysis
➔ Intrusion prevention module and security inspection

INTRUSION PREVENTION MODULE AND SECURITY INSPECTION

• Definition
– Analyses from the IP layer up to the application layer
– Checks compliance with protocols

[Diagram: ASQ analysis layers from the IP layer upwards: IPv4/IPv6 analyses, Fragmentation, TCP, UDP & ICMP, Plugins, Context-based patterns]

STORMSHIELD appliances embed an intrusion prevention system by default called
ASQ (Active Security Qualification). Each packet the UTM receives will go through a
set of analyses starting from the IP protocol.

ASQ's main role is to ensure that packets comply with the protocols used from the IP
layer up to the application layer (thanks to plugins) and with context-based patterns.

ASQ is also in charge of filtering and applying NAT on packets if necessary.

The operation of ASQ and its options are covered in detail in the Expert course.

INTRUSION PREVENTION MODULE AND SECURITY INSPECTION

• Interactions with the filtering module
– Inspection modes
– Inspection profiles

Each packet that the UTM receives will go through the filter policy. By default, the
IPS analysis will be applied, meaning that the firewall is capable of detecting
anomalies and blocking the corresponding packet(s).

Other inspection modes can be used for testing or out of necessity; for example
when contacting a server that does not comply with the RFCs of the protocols it
manages.
These modes have to be selected from the Security Inspection field in the related
filter rule.

• IPS: Detect and block (default choice). ASQ will submit the packet to all the
layers it can analyze and block it in the event of an anomaly.
• IDS: Detect. ASQ performs an analysis similar to the one performed by the
IPS, except that the packet will always be authorized. This is a profile that
allows quick auditing for a given filter rule.
• Firewall: Do not inspect. ASQ will only perform a few analyses on the
received packet. To know which alarms firewall mode does not bypass, refer
to the article "Are there any alarms that are not bypassed by Firewall Mode
(Security Inspection)?" in our knowledge base.


ASQ is made up of 10 configurations, also known as IPS profiles. Each of these
configurations can be edited according to the administrator's requirements.

By default, and as shown in the menu Configuration ⇒ Application Protection ⇒
Inspection profiles, profiles IPS_00 and IPS_01 will be applied for incoming
connections (packet whose source IP address does not belong to an internal
network) and outgoing connections (packet whose source IP address belongs to an
internal network).

Despite this configuration, the use of a specific ASQ profile can be forced in the filter
table from the Security inspection column. Each profile can then be managed from
the menus Protocols and APPLICATIONS AND PROTECTIONS under
CONFIGURATION ⇒ APPLICATION PROTECTION.

SECURITY RECOMMENDATIONS

• Adapt inspection profiles to the role of the appliance
• Adapt inspection profiles to the context
• Report false positives to Stormshield

Depending on how the appliance is used, it may help to disable certain IPS
verifications to free up resources. For example, do not apply IPS filtering to HTTP if
the traffic will be redirected later to a filtering proxy.

IPS is enabled by default on all filter rules in automatic protocol detection mode. For
better traffic inspection, you are advised to manually qualify the type of protocol if a
non-standard port is used, as IPS may otherwise not detect the application correctly.

If legitimate traffic raises alarms, ASQ parameters must be changed to avoid slowing
down production. In this case, the changes must be very specific, preferably in a
dedicated profile that will be applied to rules that specifically identify the traffic in
question. Feel free to report false positives in the default configuration to technical
support or your Stormshield contact.

LAB 6 – CONTENT FILTERING (HTTP)

For more information, refer to the technical note at documentation.stormshield.eu:
• Filtering HTTPS connections

For highly specific situations/questions, refer to the TAC knowledge base at
kb.stormshield.eu.

APPENDIX – APPLICATION PROTECTION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.

SMTP FILTERING AND ANTISPAM
APPLICATION PROTECTION

Program

➔ SMTP filtering and antispam
Host reputation

SMTP FILTERING AND ANTISPAM

• SMTP filter policy

SMTP filtering can be configured in Configuration ⇒ Security Policy ⇒ SMTP filtering.

Ten policies are available. Rules are processed in order of appearance (top to bottom).

SMTP FILTERING AND ANTISPAM

• SMTP connections subject to mail filtering

The SMTP filter policy is applied when application inspection is defined for filter rules that allow
incoming and outgoing SMTP traffic. For incoming mail traffic, an antispam analysis can be
combined with SMTP filtering (recommended).

SMTP FILTERING AND ANTISPAM

• Translated incoming SMTP connections (static translation) subject to mail filtering:
• Address translation to the internal server must be applied in the filter rule

For SMTP connections translated using a public IP address "SMTP_PUBLIC_IP" dedicated to the
internal mail server "SMTP_PRIVATE_IP" (static translation), certain rules must be observed
before enabling SMTP filtering.

For incoming SMTP traffic, address translation to the internal SMTP server must be applied in
the filter rule that allows the traffic (ARP publication must be enabled for this type of
translation).
For SMTP filtering to be as transparent as possible, the original source IP addresses of incoming
connections will be kept when these connections are sent back over the internal network after
SMTP filtering. This is possible because of the "Keep original source IP address" option which is
enabled by default for incoming traffic in the "Proxy" tab of the SMTP protocol (incoming profile
smtp_00).

SMTP FILTERING AND ANTISPAM

• Translated outgoing SMTP connections (static translation) subject to mail filtering:

For outgoing SMTP traffic (usually smtp_01, but the global configuration applies to all profiles),
the option "Apply the NAT rule on scanned traffic" must be enabled in the global configuration
of the SMTP protocol to force outgoing SMTP connections to go through the NAT rules.
Otherwise, the source IP address of SMTP connections will be the IP address of the firewall
interface they are leaving.

SMTP FILTERING AND ANTISPAM

• Antispam module

Spam detection relies on two technologies to provide the most effective protection possible:
• Reputation-based analysis (DNS blacklists – RBL), which consists of checking a list of IP
addresses considered as spam senders or forwarders.
• Heuristic analysis, which relies on a set of mathematic algorithms. These algorithms
can detect abnormal behaviors in e-mails such as the repetition of unwanted characters
or the presence of characteristic words. Once the calculations are done, a score is
applied to the e-mail. Depending on the score, and the parameters of the heuristic
analysis, the e-mail will be considered spam or legitimate.

These two technologies can be configured in CONFIGURATION ⇒ APPLICATION PROTECTION ⇒
ANTISPAM.

SMTP FILTERING AND ANTISPAM

• Antispam module

In the parameters of the reputation-based analysis, it is possible to choose the server(s) from
which the IP addresses of spammers or forwarders are retrieved.

In heuristic analysis parameters, you can:
• Choose the prefix for tagging advertisement e-mails.
• Choose the prefix for tagging e-mails considered spam.
• Define the minimum score before considering an e-mail spam.
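To make the two technologies concrete, here is an added Python example (not the antispam engine's code): it builds the reversed-octet name that a DNS blacklist (RBL) lookup resolves, checks it against a constructed answer table standing in for DNS so the block runs offline, scores a message body with a handful of constructed heuristic rules, and tags the subject with the spam or advertisement prefix according to the configured threshold. The rules, weights, zone name and prefixes are assumptions; the real engine's algorithms are not published on this page.

```python
from __future__ import annotations
import ipaddress
import re

# --- Reputation-based analysis (RBL / DNS blacklist) ---
def rbl_query_name(sender_ip: str, zone: str) -> str:
    """Name queried in DNS for a reputation lookup: the sender's IPv4 octets
    reversed, under the list's zone (192.0.2.10 -> 10.2.0.192.<zone>)."""
    ip = ipaddress.ip_address(sender_ip)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 senders only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone.strip(".")

# Constructed stand-in for DNS answers; a real lookup resolves the name and
# treats any 127.0.0.x answer as "listed".
RBL_ANSWERS = {"10.2.0.192.rbl.example.invalid": "127.0.0.2"}

def rbl_listed(sender_ip: str, zone: str) -> bool:
    return rbl_query_name(sender_ip, zone) in RBL_ANSWERS

# --- Heuristic analysis: constructed rules, each adding points to a score ---
HEURISTICS = [
    (re.compile(r"(.)\1{5,}"), 30, "repeated unwanted characters"),
    (re.compile(r"\b(act now|free money|guaranteed winner)\b", re.I), 25, "characteristic words"),
    (re.compile(r"\b[A-Z]{2,}(?:\s+[A-Z]{2,}){2,}\b"), 15, "shouting"),
    (re.compile(r"https?://\S+"), 10, "link"),
]
AD_MARKERS = re.compile(r"\b(unsubscribe|special offer|promotion)\b", re.I)

def heuristic_score(body: str) -> tuple[int, list[str]]:
    """Sum the points of every rule that fires, capped at 100."""
    score, reasons = 0, []
    for pattern, points, why in HEURISTICS:
        if pattern.search(body):
            score += points
            reasons.append(why)
    return min(score, 100), reasons

def classify(subject: str, body: str, sender_ip: str, *, zone: str = "rbl.example.invalid",
             spam_threshold: int = 50, spam_prefix: str = "[SPAM]", ad_prefix: str = "[AD]") -> dict:
    """Combine both analyses and tag the subject the way a mail filter would."""
    score, reasons = heuristic_score(body)
    if rbl_listed(sender_ip, zone):
        reasons.append("sender listed in RBL")
        verdict = "spam"
    elif score >= spam_threshold:
        verdict = "spam"
    elif AD_MARKERS.search(body):
        verdict = "advertisement"
    else:
        verdict = "legitimate"
    prefix = {"spam": spam_prefix + " ", "advertisement": ad_prefix + " "}.get(verdict, "")
    return {"verdict": verdict, "score": score, "reasons": reasons, "subject": prefix + subject}
```

A listed sender is treated as spam regardless of the heuristic score, which mirrors the page's point that the two analyses complement each other: reputation catches known senders, heuristics catch unknown ones by content.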

SMTP FILTERING AND ANTISPAM

• Implementing antispam analyses

The antispam analysis can be applied on SMTP or POP3 traffic. SMTPS and POP3S traffic must be
decrypted beforehand by an SSL inspection rule.

The example above shows an antispam analysis being enabled for incoming SMTP traffic.

HOST REPUTATION
APPLICATION PROTECTION

Program

✔ SMTP filtering and antispam
➔ Host reputation

HOST REPUTATION

A feature added in SNS version 3 makes it possible to filter by internal hosts' reputation,
using their reputation score as a criterion in filter rules.
A healthy host that has never generated any network traffic has a reputation score of 0.
This feature can be configured in CONFIGURATION ⇒ APPLICATION PROTECTION ⇒ HOST
REPUTATION.

By default, a host's score is likely to increase when traffic involving this host causes:
• an alarm to be raised,
• the detection of a viral load,
• the Breach Fighter Sandboxing tool to detect malware:
o Malicious: the host is infected,
o Suspicious: the host has been connected to potentially infected hosts.

Scores associated with these risks can be changed according to the configuration of your
network, based on the values indicated in square brackets.
In an actual production environment, the average score of a host is not necessarily a sign of
trouble, as tests need to be conducted for configured values to be consistent.

The way the reputation score decreases cannot be configured in the web administration
interface, but the reputation score of all monitored hosts can be reset.
After the events that raised the score are fixed, whether the score will decrease depends on
the following factors:
• When a host's score is 100, it will be halved after 6 hours, then quartered after
12 hours.
• A risk will be ignored if it is older than 24 hours.
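An added example (not Stormshield code) that models the scoring and decay rules listed above in Python, so the effect of the 6-, 12- and 24-hour thresholds and of the filter-rule criterion can be checked on constructed events. The weights per risk type are placeholders for the values shown in square brackets in the configuration, and applying the decay to each event separately rather than to the total is this example's own assumption.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed placeholder weights per risk type; the real values are the ones
# shown in square brackets in CONFIGURATION ⇒ APPLICATION PROTECTION ⇒ HOST REPUTATION.
DEFAULT_WEIGHTS = {
    "alarm": 10,
    "antivirus": 50,
    "sandboxing:suspicious": 30,
    "sandboxing:malicious": 100,
}

@dataclass(frozen=True)
class RiskEvent:
    kind: str         # key of DEFAULT_WEIGHTS
    at_hours: float   # when the event was raised, in hours on a shared clock

def decayed_weight(event: RiskEvent, now_hours: float, weights=DEFAULT_WEIGHTS) -> int:
    """Decay rule from the page, applied per event (this example's assumption):
    full weight for the first 6 hours, half after 6 hours, a quarter after
    12 hours, ignored once the risk is older than 24 hours."""
    age = now_hours - event.at_hours
    if age < 0 or age >= 24:
        return 0
    w = weights[event.kind]
    if age >= 12:
        return w // 4
    if age >= 6:
        return w // 2
    return w

@dataclass
class Host:
    name: str
    events: list[RiskEvent] = field(default_factory=list)

    def reputation(self, now_hours: float, weights=DEFAULT_WEIGHTS) -> tuple[int, dict[str, int]]:
        """Global score capped at 100, plus sub-scores by risk family (alarm,
        antivirus, sandboxing) as shown in the Reputation history graph.
        A host with no events scores 0."""
        sub: dict[str, int] = {}
        for e in self.events:
            family = e.kind.split(":")[0]
            sub[family] = sub.get(family, 0) + decayed_weight(e, now_hours, weights)
        return min(sum(sub.values()), 100), sub

    def reset(self) -> None:
        """Equivalent of resetting the reputation score of a monitored host."""
        self.events.clear()

def rule_allows(score: int, below: int = 20) -> bool:
    """Reputation criterion of a filter rule: the rule matches only when the
    host's score is strictly below the configured value."""
    return score < below

if __name__ == "__main__":
    pc = Host("pc-constructed", [RiskEvent("sandboxing:malicious", 0.0)])
    for t in (0, 6, 12, 24):
        score, _ = pc.reputation(t)
        print(f"t={t:>2}h score={score:>3} rule_allows={rule_allows(score)}")
```

Run stand-alone, the loop shows the single malicious detection decaying 100, 50, 25, 0 and the rule allowing the host again only once the risk has aged out, which is the behaviour to test before putting a reputation criterion on production rules.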

HOST REPUTATION

In the tab where you configure the hosts that need to be monitored, you can select
the hosts or networks that will be part of an inclusion or exclusion list.

Since networks and internal hosts are not all subject to the same threats, you will
need to test various behaviors before applying the protection in a production
environment.

HOST REPUTATION

The reputation score assigned to a host can be seen in MONITORING ⇒ Host
monitoring.
You need private data access privileges to view the graph.
Select the host to be monitored then click on the Reputation history tab.

After you have selected the desired duration, move the mouse over a point in the
graph to find out the global reputation score associated with this host at a given
time, as well as the reputation sub-scores by type of risk (alarm, antivirus,
sandboxing, etc.).

HOST REPUTATION

A reputation criterion can be added for internal hosts in filter rules at the source or
destination depending on the direction of the traffic.
In the example above, a host from Network_in will be able to contact an SMTP
server via the firewall, only if its reputation score is below 20.

LAB – HOST REPUTATION

LAB – SMTP FILTERING

USERS & AUTHENTICATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

Training program

✔ Training and certification course
✔ Introduction to the company and products
✔ Getting started with the firewall
✔ Logs and monitoring
✔ Objects
✔ Network configuration
✔ Address translation
✔ Filtering
✔ Application protection
➔ Users & authentication
VPN
SSL VPN

INTRODUCTION
USERS & AUTHENTICATION

Program of this module

➔ Introduction
Linking to a directory
Managing users
Captive portal
Authentication methods
Authentication policy
Filter rules for authentication
Defining new administrators

INTRODUCTION

• Objective:
To grant users specific access privileges to networks
and services (captive portal, SSL VPN, IPsec VPN,
firewall administration, etc.)
• Steps in the configuration of a Stormshield firewall

1. Directory(ies)
2. Users and groups
3. Authentication method(s)
4. Authentication policy
5. Captive portal
6. Security policy (filtering)

[Diagram: Setting up authentication on a Stormshield firewall]


The diagram above shows the sequence in which authentication is set up. The
chapters in this module explain the steps in this order.
1. Directories store data in a tree hierarchy. The LDAP standard allows data to be
organized in the directory and provides a protocol that queries the directory (RFC
4510); the configuration of authentication on a firewall consists of setting up a
link to one or several directories.
2. Users are stored in a directory and described using attributes that the firewall
uses for authentication, e.g., first name, last name, ID, password, e-mail address,
certificate, etc.
3. The authentication methods used determine how the firewall verifies user
identity.
4. The authentication policy determines which users will be granted access
privileges to networks and services managed by the firewall.
5. There are several uses for the captive portal: authenticating users to access the
network, enrolling new users, requesting the creation of a certificate,
downloading the SSL VPN client and its configuration, submitting a sponsorship
request in order to access the network, etc.
6. The security policy contains the filter rules needed to redirect unknown users to
the chosen authentication solution, e.g., via the captive portal.

NOTE: Depending on the chosen authentication method, some steps in the
configuration are optional.

LINKING TO A DIRECTORY
USERS & AUTHENTICATION

Program of this module

✔ Introduction
➔ Linking to a directory
Managing users
Captive portal
Authentication methods
Authentication policy
Filter rules for authentication
Defining new administrators

LINKING TO A DIRECTORY

• 4 types of LDAP/AD directories:
• External:
• Microsoft Active Directory
• External LDAP
• PosixAccount external LDAP
• Internal:

[Diagram: the firewall's LDAP client speaks the LDAP protocol either to an external directory (LDAP TCP/389, LDAPS TCP/636) or to the internal LDAP directory]

Firewalls support four types of directories that fall under two categories:

• External LDAP/AD: the directory is hosted on an external server. Three types of
servers are supported:
• Microsoft Active Directory (AD),
• Standard LDAP,
• PosixAccount LDAP.

• Internal LDAP: the LDAP is created on the firewall and hosts users.

Firewalls can support up to five directories simultaneously: an internal LDAP and
four external LDAPs/ADs, or five external LDAPs/ADs. This means that firewalls can
support five different domains at the same time.

NOTE:
• LDAP clients built into the firewall make it possible to log on to any type of
directory (internal or external) using LDAP (or LDAPS to secure connections with
external directories).
• For internal LDAPs, the directory and users are automatically backed up/restored
with the configuration of the firewall.

LINKING TO A DIRECTORY

• Adding and configuring a directory

Directories can be added and configured from Configuration ⇒ Users ⇒ Directory
configuration.

Click on Add a directory to launch the wizard. With the Action button, you can:
• Delete a directory,
• Specify a default directory,
• Check the connection to the directory,
• Check the use of the directory,
• Rename a directory.

The rest of the menu lists all the directories that have been added - the default
directory appears in green. Clicking on a directory will display its settings on the right
side of the page.

LINKING TO A DIRECTORY

• Adding and configuring an external directory

The configuration of external directories (Microsoft Active Directory, LDAPs and
PosixAccount LDAPs) is practically the same. The configuration wizard will first ask
you to enter the parameters of the server to be contacted:

• Domain name: the DNS name of the domain,
• Server: the host object that bears the IP address of the server that hosts the
directory,
• Port: your LDAP server's listening port. The default ports are: 389/TCP for a
plaintext authentication (LDAP) and 636/TCP for an SSL authentication (LDAPS),
• Root domain (Base DN): the DN (Distinguished Name) of your directory's root
(example: stormshield.eu or dc=stormshield,dc=eu),
• Login (user DN) and password: an administrator account that allows your firewall
to access your LDAP server and perform read/write operations on certain fields.
We recommend that you create a specific account for the firewall and assign
privileges to it only on the fields that it needs (e.g.:
cn=TrainingAdmin,ou=Training).

LINKING TO A DIRECTORY

• Adding and configuring an external directory

Next, the wizard will suggest that you enable authentication profile 0 (internal) on an
interface, if the profile has not yet been enabled. If it was enabled earlier, this step
will not appear.

LINKING TO A DIRECTORY

• Adding and configuring an external directory

The parameters of an external directory are set out in two tabs:

• CONFIGURATION: contains 3 sections:
• Remote directory: groups the parameters for connecting to the directory
(IP address of the server, port number, base DN, login, etc.).
• Secure connection (SSL): enables (or disables) a secure connection with
the directory by specifying the certification authority from which the
certificate must be issued when it is presented by the directory server.
• Advanced properties: defines a backup server, specifies the login (firewall
or user) used for logging in to the directory and indicates whether the
Base DN needs to be added to it during the connection. Nested groups
(user groups containing other groups) can also be allowed.

• STRUCTURE: also contains 3 sections:
• Read-only access: makes it possible to define filters to select users and
groups in the directory. These filters depend on the type of directory and
are pre-configured as a result. In this section, you can also indicate
whether the directory can be accessed in read-only or read/write.

NOTE: even if a Microsoft Active Directory is in read/write access, users still cannot
be added to or deleted from the firewall. However, certificates for AD users can still
be published.


• Mapped attributes: here, attributes used by the firewall can be matched
to those used by the external directory. For instance, with a Microsoft
Active Directory, the Stormshield attribute uid will have sAMAccountName
as the Active Directory equivalent. Templates can be applied depending on
the type of directory.

• Advanced properties:
• Protected characters: defines characters that must be protected with a "\"
in LDAP requests. This is to ensure that these characters are not
considered special characters used by the LDAP server's search engine.
• Password hash: selects the hash algorithm that must be used to save user
passwords to avoid saving them in plaintext.
• 'User' branch and 'Group' branch: to be used when an external LDAP is
accessible in read/write. This field makes it possible to define the branches
in which users and groups created from the firewall will be saved. For
example, ou=users for the user branch.
• Certification authority branch: defines the location of the certification
authority found in the external directory. This location is used especially
when searching for the CA used in SSL.
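To illustrate the Base DN, the dedicated bind account, the attribute mapping and the protected characters described in this and the previous slides, here is an added Python example that is neither Stormshield's code nor an LDAP library's: it derives the base DN from a domain name, maps the uid attribute through a template (sAMAccountName for Active Directory), escapes RFC 4515 filter metacharacters so that a login value cannot change the meaning of the search filter, and appends the Base DN to a relative login DN. The template tables, the escape table and the connection_settings helper are constructed for the example.

```python
from __future__ import annotations

def base_dn_from_domain(domain: str) -> str:
    """stormshield.eu -> dc=stormshield,dc=eu (the page's own example)."""
    labels = [l for l in domain.strip().rstrip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)

# Characters that must be protected with "\" in LDAP search filters (RFC 4515)
# so the server's search engine does not treat them as filter syntax. This
# table is the example's own; the firewall's "Protected characters" setting
# plays the same role.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)

# Attribute mapping templates: Stormshield attribute -> directory attribute.
# Constructed, built around the one mapping the page names (uid -> sAMAccountName).
ATTRIBUTE_TEMPLATES = {
    "active_directory": {"uid": "sAMAccountName", "cn": "cn", "mail": "mail", "member": "member"},
    "ldap": {"uid": "uid", "cn": "cn", "mail": "mail", "member": "member"},
}

def user_search_filter(template: str, login: str, object_filter: str = "(objectClass=user)") -> str:
    """Filter used to find one user by login. The login is escaped, so a value
    containing '*', '(' or ')' stays a literal and cannot widen the search."""
    attr = ATTRIBUTE_TEMPLATES[template]["uid"]
    return f"(&{object_filter}({attr}={escape_filter_value(login)}))"

def bind_dn(login_dn: str, base_dn: str, add_base_dn: bool = True) -> str:
    """DN the firewall binds with. When the Base DN is to be added during the
    connection, a relative login such as cn=TrainingAdmin,ou=Training gets
    the base DN appended; an already absolute DN is left alone."""
    if not add_base_dn or login_dn.lower().endswith(base_dn.lower()):
        return login_dn
    return f"{login_dn},{base_dn}"

def connection_settings(domain: str, login_dn: str, *, use_ssl: bool, template: str = "active_directory") -> dict:
    """Assemble the wizard's parameters; ports follow the defaults the page gives."""
    base = base_dn_from_domain(domain)
    return {
        "domain": domain,
        "base_dn": base,
        "bind_dn": bind_dn(login_dn, base),
        "port": 636 if use_ssl else 389,
        "uid_attribute": ATTRIBUTE_TEMPLATES[template]["uid"],
    }

if __name__ == "__main__":
    s = connection_settings("stormshield.eu", "cn=TrainingAdmin,ou=Training", use_ssl=True)
    print(s)
    print(user_search_filter("active_directory", "jdoe"))
    print(user_search_filter("active_directory", "*)(uid=*"))   # metacharacters neutralised
```

Escaping is what makes the "protected characters" setting matter: without it, a login entered on the captive portal could contain filter syntax and match accounts other than the one intended. Note that distinguished names use a different escaping scheme (RFC 4514) from search filters, so the filter table above must not be reused for DN components.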

LINKING TO A DIRECTORY

• Adding and configuring an internal directory

The following information needs to be entered in the configuration of an internal
directory:

• Organization: the name of the organization. For example, Stormshield,
• Domain: the TLD (Top Level Domain) of the domain. For example, in the
"Stormshield.eu" domain, the TLD is "eu".
• Password: password that enables a connection to the LDAP directory from an
LDAP browser.

LINKING TO A DIRECTORY

• Adding and configuring an internal directory

The next step allows you to configure additional parameters:

• Enable authentication profile 0 (internal) on the selected interface, if the
profile has not yet been enabled. If it was already enabled, this option will
be disabled (grayed out) and a message will indicate that the
authentication profile has been associated with the interface.
• Enable user enrollment through profile 0 (internal) on the web portal:
enables the enrollment service on profile 0 (internal), allowing users to fill
in an account creation form that will be submitted to the administrator for
approval.
• Allow access to the LDAP database: possibility of accessing the LDAP
directory from a public IP address via an LDAP browser. If such access is
not mandatory, then you are strongly advised to leave this option
unchecked.

LINKING TO A DIRECTORY

• Adding and configuring an internal directory

Once the configuration is complete, certain parameters of the internal LDAP can be
modified:

• Enable user directory: this option makes it possible to start the LDAP
service,
• Password: password that enables a connection to the directory, and can
be modified later.
• Enable unencrypted access (PLAIN): enables access to the directory
without encryption,
• Enable SSL access: enables secure access to the directory; the SSL
certificate issued by the server field must be entered,
• Use the firewall account to check user authentication on the directory: if
this option has not been selected, the user account will be used for
authentication. By default, the user with all privileges on the directory is
cn=NetasqAdmin.

MANAGING USERS
USERS & AUTHENTICATION

Program of this module

✔ Introduction
✔ Linking to a directory
➔ Managing users
Captive portal
Authentication methods
Authentication policy
Filter rules for authentication
Defining new administrators

MANAGING USERS

Users and groups from all configured directories can be looked up in the menu
CONFIGURATION ⇒ USERS ⇒ Users.
The menu is made up of three sections:
• The menu bar, which offers the following:
• Search bar,
• Filtering the display by object type: groups or users,
• Filtering the display by directory (appears only if several directories have
been configured),
• Adding users,
• Adding groups,
• Deleting users or groups,
• Checking whether users or groups are in use,
• CN: the list of users and groups from all directories. To differentiate directories, a
suffix is added to users and groups to indicate the name of the directory (instead
of the domain name). For example: user6@institute.com
• Parameters of a group or user appear on the right of the page. Users’ settings are
organized in three tabs: information about the user (ACCOUNT), their certificate
(CERTIFICATE) and the groups to which they belong (MEMBER OF THESE
GROUPS).

The Access privileges link redirects to the CONFIGURATION ⇒ USERS ⇒ Access
privileges menu ⇒ DETAILED ACCESS tab so that privileges can be granted to the
user.


NOTE: The list of users and groups is always empty when you open this menu. If you
are logged in to a directory that contains many users and groups, displaying all of
them without a filter in the Search field may impact the performance of the
graphical interface.
To see users or groups, you can:
• Click on one of the filters (users or groups),
• Open the firewall preferences menu by clicking on the icon that represents
tools in the header of the web interface, and select the checkbox Display
users at startup of module.


MANAGING USERS

• Creating users


With an internal LDAP, or external LDAP accessible in read/write, users and groups
can be added and deleted in the menu CONFIGURATION ⇒ USERS ⇒ Users.

NOTE:
• Users and groups can be created in the default directory defined in the menu
CONFIGURATION ⇒ USERS ⇒ Directory configuration,
• Users cannot be created once attributes on the firewall have been mapped to the
external LDAP base (see slide 10).


CAPTIVE PORTAL
USERS & AUTHENTICATION

Program of this module

✔ Introduction
✔ Linking to a directory
✔ Managing users
➔ Captive portal
Authentication methods
Authentication policy
Filter rules for authentication
Defining new administrators


CAPTIVE PORTAL

• URL of the portal: https://(firewall_@IP | firewall_FQDN)/auth


The captive portal or authentication portal is an embedded web page on the firewall
and accessible via a secure connection (HTTPS) from its IP addresses (it can be
enabled on all of the firewall's interfaces).

There are several uses for the captive portal: authenticating users to access the
network, enrolling new users, creating and downloading a certificate, downloading
the SSL VPN client and its configuration, submitting a sponsorship request in order to
access the network, etc.

Users can log in to the portal by using their directory login/password. If several
directories have been configured on the firewall, users can add their domain names
to their logins, for example, j.doe@company-a.com. If no domain names have been
specified, authentication will be carried out with the method or directory defined by
default on the authentication profile.


CAPTIVE PORTAL


The captive portal can be configured in the menu Configuration ⇒ Users ⇒
Authentication ⇒ Captive Portal tab. The tab comprises several sections:

• AUTHENTICATION PROFILE AND INTERFACE MATCH: there are 10 different
profiles for the captive portal, called authentication profiles. To enable the portal
on an interface, simply add a line in this section, in which you need to select an
interface and an authentication profile. Only a single profile can be selected per
interface.

• SSL Server: makes it possible to change the certificate presented by the captive
portal.


CAPTIVE PORTAL


• Conditions of use for Internet access: allows you to add a charter stipulating the
rules that govern the use of access to the network, which users need to accept
once they are authenticated. It can be downloaded in PDF or HTML. The
Reinitialize customization of Conditions of use for Internet access button makes
it possible to delete a charter uploaded earlier.

• Advanced properties:
• Interrupt connections once the authentication period expires,
• Proxy configuration file (.pac),
• Captive portal: changes the port of the captive portal and its appearance:
hide the Stormshield logo on the portal, download a new logo and modify
the style sheet.


CAPTIVE PORTAL


Authentication profiles can be configured in the menu CONFIGURATION ⇒ USERS ⇒
Authentication ⇒ CAPTIVE PORTAL PROFILES tab. In the drop-down list, select the
profile that you wish to modify. There are ten different profiles, five of which are pre-
configured:

• internal, external: they have the same configuration. The first profile is meant to
be attached to internal interfaces and the second to external interfaces by using
any authentication method that uses the captive portal,

• Guest: pre-configured for the guest authentication method,

• Voucher: pre-configured for the temporary account authentication method,

• Sponsor: pre-configured for the sponsorship authentication method.


CAPTIVE PORTAL


The default method or directory used by the profile selected in the previous step
needs to be configured. For an LDAP authentication, this parameter may have one of
the following values:

• LDAP directory (none): This means that there is no default directory. Users
who authenticate on the captive portal will need to enter their logins
followed by their domain, for example, j.smith@institute.com. If the
domain is not indicated, authentication will fail.

• LDAP directory (Domain): This means that the directory of the selected
domain will be used to authenticate users who enter only their logins
(without the domain) on the captive portal, like j.smith, for example. As
for users from other domains, they will need to enter the domain with the
login in order to be authenticated.

NOTE: the default method or directory does not restrict this profile to only this
method or this directory. Such restrictions can only be placed with an
authentication policy.

• Conditions of use for Internet access: groups all the parameters that control the
display of the conditions of use entered in the Captive portal tab. It also contains
three customizable fields that appear on the authentication portal with the guest
method and which make it possible to retrieve information about the guest user
(first and last names, telephone number, email address, etc.).
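The two default-directory settings described above decide whether a login typed on the captive portal can be routed to a directory at all. The following is an added example, not code from the training material or the SNS firmware: the directory names and user lists are constructed, and the password check is left out so that only the domain routing logic is shown.

```python
"""Resolve a captive-portal login to the directory that will authenticate it.

Added example, not Stormshield code. default_directory=None reproduces the
"LDAP directory (none)" setting; a domain string reproduces
"LDAP directory (Domain)". Directories and logins below are constructed.
"""
from typing import Dict, Optional, Set, Tuple

# Constructed directories: domain -> known logins.
DIRECTORIES: Dict[str, Set[str]] = {
    "institute.com": {"j.smith", "a.jones"},
    "company-a.com": {"j.doe"},
}


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Return (user, domain); domain is None when only a login was typed."""
    user, sep, domain = login.rpartition("@")
    if not sep:
        return login, None
    return user, domain.lower()


def resolve_login(login: str, default_directory: Optional[str],
                  directories: Dict[str, Set[str]] = DIRECTORIES
                  ) -> Optional[Tuple[str, str]]:
    """Return (user, domain) the firewall will query, or None if it cannot.

    A bare login with no default directory has nowhere to go: the portal
    rejects it, exactly as the "(none)" setting above describes.
    """
    user, domain = split_login(login.strip())
    if not user:
        return None
    if domain is None:
        domain = default_directory          # may still be None -> failure
    if domain is None or domain not in directories:
        return None
    return user, domain


def authenticate(login: str, default_directory: Optional[str],
                 directories: Dict[str, Set[str]] = DIRECTORIES) -> bool:
    """True when the resolved directory knows the user (password check omitted)."""
    resolved = resolve_login(login, default_directory, directories)
    if resolved is None:
        return False
    user, domain = resolved
    return user in directories[domain]
```

With the profile set to "(none)", `authenticate("j.smith", None)` fails even though the user exists, while `authenticate("j.smith@institute.com", None)` succeeds; with the profile set to `"institute.com"`, a user from company-a.com still has to type the domain.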


CAPTIVE PORTAL


• Authentication periods allowed: configures maximum and minimum
authentication durations for explicit authentication. Users will then be able to
select a duration within these limits when they authenticate. The authentication
duration can also be defined for transparent methods (SSL certificates and
SPNEGO).

• Advanced properties:
• Management of the portal, which includes enabling a profile and enabling
the logoff page,
• Definition of the user password policy,
• Management of user enrollment from the captive portal.


CAPTIVE PORTAL

• Logging out from the browser


When the checkbox Enable logoff page is selected in CONFIGURATION ⇒ USERS ⇒
Authentication ⇒ CAPTIVE PORTAL PROFILE tab (advanced properties), a logoff tab
will open in the browsers of users who have managed to log in. To log out, users
simply need to click on Logout in this tab.


CAPTIVE PORTAL

• Logging off from the captive portal


To log off, users need to log in to the captive portal again, click on Login in the menu
on the left, and then on the Logout button.


CAPTIVE PORTAL

• Logging off a user from the graphical interface


The administrator can log off users from the web interface in Monitoring > Users.
Right-click on the user, and select Log off this user.


CAPTIVE PORTAL

• Enabling enrollment on the captive portal

[Screenshots: enabling enrollment from the captive portal's profile, and when adding
the internal or external LDAP database]

Enrollment allows users to register themselves from the captive portal. The
registration request is sent to the firewall first for the administrator's approval. Once
it has been approved, it will be automatically added to the directory.

Enrollment can be enabled when a directory is added, on profile 0 (internal) only.
Otherwise, it can also be enabled from the authentication profile in the User
enrollment section in Advanced properties.

NOTE: enrollment cannot be enabled with an Active Directory, as users cannot be
added from the firewall on such directories.


CAPTIVE PORTAL

• Enrollment form


When enrollment has been enabled, users can register by filling in the form obtained
by clicking on New user in the menu on the left. When they have filled in the form,
users can then send their requests by clicking on Submit request.

NOTE: enrollment is ordinarily used to register users from outside your organization
in your directory. The domains of their e-mail addresses are therefore different from
yours.


CAPTIVE PORTAL

• Configuring enrollment


On the firewall’s administration interface, enrollment requests are listed in the menu
CONFIGURATION ⇒ USERS ⇒ Enrollment. The administrator can either approve,
reject or ignore the request.

The administrator can first modify the user's login generated automatically in the
default format %F.%L, corresponding to FIRST NAME.LAST NAME (case-sensitive).
Changes must be applied before the first enrollment is confirmed, so that all logins
follow the same rules.
With the user John Doe shown in our example:
• %f1.%l: gives j.doe (without spaces: first letter of the first name in lowercase,
period, and last name in lowercase),
• %f%L1: gives johnD (without spaces: first name in lowercase, first letter of the
last name in uppercase).
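The login format is a small template language, and it is worth seeing the tokens expanded mechanically before committing to one, because the format cannot be changed consistently once enrollments have been confirmed. The following is an added example, not the firewall's own generator: it implements the tokens described above (%F/%L keep the name as entered, %f/%l lower-case it, a digit directly after the letter keeps only that many leading characters). Removing spaces and accents from the names is an assumption made here so that the result is a plain ASCII login; the training material does not describe that step.

```python
"""Expand an enrollment login format such as "%F.%L" or "%f1.%l".

Added example, not Stormshield code. Token semantics follow the text above;
space removal and accent stripping are this example's own assumptions.
"""
import re
import unicodedata

# %F / %L: first / last name as entered; %f / %l: lower-cased;
# an optional digit keeps only that many leading characters (%f1 -> "j").
TOKEN = re.compile(r"%([FfLl])(\d*)")


def _strip_accents(text: str) -> str:
    """Assumption: logins are ASCII, so "É" becomes "E"."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(c for c in decomposed if unicodedata.category(c) != "Mn")


def make_login(fmt: str, first: str, last: str, ascii_only: bool = True) -> str:
    """Return the login produced by fmt for the given first and last names."""
    first = first.strip().replace(" ", "")
    last = last.strip().replace(" ", "")
    if ascii_only:
        first, last = _strip_accents(first), _strip_accents(last)

    def expand(match: "re.Match[str]") -> str:
        letter, count = match.group(1), match.group(2)
        name = first if letter in "Ff" else last
        if letter.islower():
            name = name.lower()
        if count:
            name = name[: int(count)]
        return name

    # Characters outside a token (".", "-", "_", ...) are copied unchanged.
    return TOKEN.sub(expand, fmt)
```

`make_login("%F.%L", "John", "Doe")` gives `John.Doe`, `make_login("%f1.%l", "John", "Doe")` gives `j.doe` and `make_login("%f%L1", "John", "Doe")` gives `johnD`, matching the three cases listed above.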

The administrator can also enable e-mail notifications when accepting or rejecting
users' requests. To do so, a mail server must be configured on the firewall in the
menu CONFIGURATION ⇒ NOTIFICATIONS ⇒ E-mail notifications.


CAPTIVE PORTAL

• Confirming enrollment


Once the login format has been set, return to the list of enrollment requests in the
menu CONFIGURATION ⇒ USERS ⇒ Enrollment. When the administrator approves a
request, the user's login will be automatically generated in the format chosen in the
previous step.


AUTHENTICATION
METHODS
USERS & AUTHENTICATION

Program of this module

✔ Introduction
✔ Linking to a directory
✔ Managing users
✔ Captive portal
➔ Authentication methods
Authentication policy
Filter rules for authentication
Defining new administrators


AUTHENTICATION METHODS

Authentication methods with SNS

                          Explicit (via the captive portal)      Implicit (transparent)
Methods without           Guest method                            -
directories               Sponsorship
                          Temporary accounts

Methods with              Internal/external LDAP, AD              SSL certificates
directories               Kerberos (external LDAP or AD)          (internal/external LDAP or AD)
                          RADIUS (external LDAP or AD)            SPNEGO (AD)
                                                                  SSO agent (AD)

Multi-user method with cookies (HTTP traffic)

SNS firewalls implement several authentication methods that fall under two
categories:

• Explicit methods via the captive portal: the user is redirected to the captive
portal to enter a login and password, which the firewall retrieves to verify the
identity of the user depending on the method used:
• LDAP: the user's identity is verified on an internal or external directory
(LDAP/AD)

• RADIUS: the user's identity is verified by an external RADIUS server that
receives the user's login/password.

• KERBEROS: the user's identity is verified by an external Kerberos server
that receives the user's login/password.

Three other explicit authentication methods can be used for specific
requirements:

• Temporary accounts: this method allows temporary users to authenticate
via the captive portal using a login/password provided by the
administrator.


The administrator can add temporary users in the menu CONFIGURATION
⇒ USERS ⇒ Temporary accounts; their passwords are automatically
generated and the duration for which these accounts remain valid may be
restricted. The administrator therefore does not need to add these users
to the directory (internal or external) in order for them to authenticate.

• Sponsorship: allows users identified by their first and last names to access
the network through the sponsorship of a local user holding the relevant
privileges. Users will first be asked to enter their first and last names on
the captive portal as well as the email address of their sponsor. The
sponsor will then receive an email containing a link to confirm this
request. After the request has been validated, the sponsored user will
automatically be redirected from the captive portal to the requested web
page.

• Guest: allows users to access the network after they accept the conditions
of use on the authentication portal. This method is very often used for
public places such as hotels, railway stations or public hotspots.

• Implicit or transparent methods: authentication is a seamless process for the
user, who does not need to explicitly enter his identity in order to access the
network.

• SSL certificate: users are automatically authenticated thanks to the
certificate stored on their hosts, for example in their browsers.

• Transparent authentication (SPNEGO): if users are authenticated on an
Active Directory domain, they will automatically be authenticated on the
firewall after connecting to a website in HTTP.

• SSO agent (Single Sign-On): if users are already authenticated on an Active
Directory domain, they will also be automatically authenticated on the
firewall.
NOTE:
• "Multi-user" mode with the cookie method allows several users to authenticate
from the same IP address. Since users are differentiated by cookies in HTTP
requests, this option will work only for HTTP (or decrypted HTTPS) traffic going
through the HTTP proxy. It is available for all authentication methods except SSO
agent.

• Implicit authentication methods will be covered in detail in the CSNE course.


AUTHENTICATION METHODS


The authentication methods used by the firewall can be added from the menu
CONFIGURATION ⇒ USERS ⇒ Authentication ⇒ AVAILABLE METHODS tab. Specific
parameters need to be entered for each method.

After the LDAP directory is configured in the example above, the LDAP
authentication method will be automatically entered.


AUTHENTICATION
POLICY
USERS & AUTHENTICATION

Program of this module

✔ Introduction
✔ Linking to a directory
✔ Managing users
✔ Captive portal
✔ Authentication methods
➔ Authentication policy
Filter rules for authentication
Defining new administrators


AUTHENTICATION POLICY


Since SNS firewalls are able to support several directories and several authentication
methods simultaneously, an authentication policy needs to be defined in order to
indicate the method(s) to be applied according to two criteria: the user or user
group, and the source IP address or incoming interface.

The authentication policy can be defined in the menu CONFIGURATION ⇒ USERS ⇒
Authentication ⇒ AUTHENTICATION POLICY tab. It may consist of several rules
applied in the order in which they appear in the policy.

Several authentication methods can be used in a single rule. In this case, the
methods will be applied in the order in which they appear in the rule. If a method
allows a user to authenticate, the methods that follow it will not be tested. For
example, in rule #3, all users on the "institute.com" domain who log in from the
internal network must first authenticate via the SSO agent method. If authentication
fails, the user will be asked to select his certificate. If the SSL method fails (e.g., no
certificate for this user), he will be asked to enter his login and password to
authenticate via the LDAP method.
If no rules match the traffic criteria, the default authentication method will be
applied.

NOTE: whenever it is used in a rule, the SSO agent method will automatically take
priority over all other methods as it authenticates users on the firewall as soon as
they are authenticated on the Active Directory domain.
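The evaluation order just described (first matching rule wins, methods inside the rule tried in sequence, default method when nothing matches) is easy to get wrong when several directories and networks are involved, so here it is as an added example. This is not Stormshield code: the rule contents, the source networks and the "facts" a client can present (an AD session for the SSO agent, a client certificate for SSL, a correct password for LDAP) are constructed; incoming interfaces and the other methods are left out.

```python
"""Evaluate an ordered authentication policy as described above.

Added example, not Stormshield code. Rules are walked top-down and the first
rule whose domain and source match is used; inside it the methods are tried
in order and the first success stops the chain; when no rule matches, the
default method applies. Rule contents and method outcomes are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

# A method receives (login, domain, facts) and returns True on success.
Method = Callable[[str, str, Dict[str, bool]], bool]

METHODS: Dict[str, Method] = {
    "sso_agent": lambda login, domain, facts: facts.get("ad_session", False),
    "ssl": lambda login, domain, facts: facts.get("client_cert", False),
    "ldap": lambda login, domain, facts: facts.get("password_ok", False),
}


@dataclass
class Rule:
    domain: str            # "any" or one directory domain
    sources: List[str]     # CIDR networks (incoming interfaces not modelled)
    methods: List[str]     # tried in this order; "block" ends the chain
    name: str = ""


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)
    default_method: str = "ldap"

    def first_match(self, domain: str, src_ip: str) -> Optional[Rule]:
        """First rule, in policy order, whose domain and source both match."""
        ip = ip_address(src_ip)
        for rule in self.rules:
            if rule.domain not in ("any", domain):
                continue
            if any(ip in ip_network(net) for net in rule.sources):
                return rule
        return None

    def authenticate(self, login: str, domain: str, src_ip: str,
                     facts: Dict[str, bool]) -> Optional[str]:
        """Name of the method that authenticated the user, or None if refused."""
        rule = self.first_match(domain, src_ip)
        chain = rule.methods if rule else [self.default_method]
        for name in chain:
            if name == "block":
                return None            # explicit refusal: nothing else is tried
            if METHODS[name](login, domain, facts):
                return name            # later methods are not tested
        return None


# Constructed policy; rule "#3" mirrors the example described above.
POLICY = Policy(
    rules=[
        Rule("any", ["10.10.0.0/16"], ["block"], name="#1 (constructed)"),
        Rule("institute.com", ["192.168.1.0/24"],
             ["sso_agent", "ssl", "ldap"], name="#3"),
    ],
    default_method="ldap",
)
```

For a user of institute.com on 192.168.1.0/24 the SSO agent is tried first, then the certificate, then the login/password; a user from another domain falls through to the default method, so presenting an AD session alone is not enough for him.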


AUTHENTICATION POLICY

• Creating an authentication policy


To add an authentication rule, click on New rule ⇒ Standard rule. Rules can be
created in a wizard in three steps:

1. Enter the users or groups,

2. Enter the source networks or interfaces. If this is the first directory that you are
creating, you will be given the possibility of connecting authentication profile 0
(internal) to an interface. Otherwise, profiles can be connected in the menu
CONFIGURATION ⇒ USERS ⇒ Authentication ⇒ CAPTIVE PORTAL, by adding an
entry to the AUTHENTICATION PROFILE AND INTERFACE MATCH list.
The interface and profile must be selected in the entry. The default method or
directory will be entered automatically depending on the configuration of the
selected profile.

3. Choose the authentication methods to be used (Kerberos, Radius, SSL, SPNEGO,
SSO agent, default method and block).

For the other methods (guests, temporary accounts and sponsorship), rules are
added through the respective buttons: New rule ⇒ Guest method rule, Temporary
account method rule and Sponsorship method rule.


AUTHENTICATION POLICY

• Example of an LDAP authentication policy


In the authentication policy, you can create a policy to determine which networks
and users will use the LDAP method, or define it as the default method.


FILTER RULES FOR AUTHENTICATION
USERS & AUTHENTICATION

Program of this module

✔ Introduction
✔ Linking to a directory
✔ Managing users
✔ Captive portal
✔ Authentication methods
✔ Authentication policy
➔ Filter rules for authentication
Defining new administrators


FILTER RULES FOR AUTHENTICATION

• Redirection to the captive portal

[Diagram: LDAP authentication via the captive portal]
1. The user attempts to access a website in HTTP (http://www.bbc.com); the HTTP
request is intercepted by the firewall.
2. Redirection to the captive portal: https://firewall_@IP/auth
3. The user enters his login/password.
4. Authentication of the user by the internal LDAP database or the external LDAP/AD.
5. Redirection to the website in HTTP: http://www.bbc.com

The process of LDAP authentication via the captive portal is described above. The
user opens a browser to access a website in HTTP. The firewall intercepts the HTTP
request and redirects the user to the authentication portal
(https://firewall_IP/auth). The user then enters his directory login/password,
which will be sent to the firewall through a secure connection (HTTPS). The firewall
authenticates the user on the directory (internal/external LDAP or AD). If the user is
authenticated, the browser will be redirected to the website requested initially.

NOTE: users may be redirected to the captive portal when accessing websites in
HTTPS, but the SSL proxy needs to be enabled - this will be covered in the CSNE
course.

LDAP configuration via the captive portal will be covered in the following slides.


FILTER RULES FOR AUTHENTICATION

• Redirecting HTTP requests of unauthenticated users to the captive portal

HTTP connections are redirected to the authentication portal via an authentication
rule in the filter rules. However, before adding such a rule, ensure that DNS
connections are allowed for all users (authenticated or otherwise), as without DNS
resolution, there will not be any HTTP requests and as a result, no redirection to the
captive portal.

To create the authentication rule, click on New rule > Authentication rule. In the
wizard, enter the source network from which users will log on, the destination
network and, if you wish to (optional), a list of URL categories that can be accessed
without authentication.


FILTER RULES FOR AUTHENTICATION

• Creating specific filter and NAT rules for users or groups


Since the authentication rule only allows unknown users to be redirected to the
captive portal, you must then add other rules that allow authenticated users to
access the network.
When you edit the source of a filter or NAT rule, the User field makes it possible to
specify the user (or the group) that has to be authenticated in order to match the
rule. A few options are listed:
• No User: default choice when you add a new rule. The rule will be applied
without taking the user parameter into account,
• Any user@any: refers to any authenticated user, regardless of the directory
or authentication method used,
• Any user@guest_users.local.domain: refers to any user authenticated via
the guest method,
• Any user@voucher_users.local.domain: refers to any user authenticated
via the temporary account method,
• Any user@sponsored_users.local.domain: refers to any user
authenticated via the sponsorship method.
• Any user@<domain>: refers to any user authenticated via the domain
directory,
• Any user@none: refers to any user authenticated via a method that does
not use a directory, for example, sponsorship, temporary account, etc.
• Unknown users: refers to any user who has not been authenticated. This
value is used mostly in authentication rules.
• The list of all users and groups found in the directories.
The button to the right of the user parameter makes it possible to filter users by
directory or authentication method.
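The User field values listed above are selectors over the session the firewall holds for a source IP address, and the pseudo-domains of the directory-less methods are what make "Any user@none" and "Any user@guest_users.local.domain" work. The following added example (not Stormshield code) evaluates those selectors against constructed session records; the group membership table is constructed too, and the login/domain pairs used are those of the earlier examples.

```python
"""Match the User field of a filter or NAT rule against an authenticated session.

Added example, not Stormshield code. Selector strings are the ones listed
above; session records and group membership are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Pseudo-domains assigned to the methods that do not use a directory.
METHOD_DOMAINS = {
    "guest": "guest_users.local.domain",
    "voucher": "voucher_users.local.domain",
    "sponsor": "sponsored_users.local.domain",
}

# Constructed group membership: "group@domain" -> logins.
GROUPS: Dict[str, Set[str]] = {
    "it-staff@institute.com": {"j.smith"},
}


@dataclass(frozen=True)
class Session:
    login: str
    domain: str    # directory domain, or one of the METHOD_DOMAINS values
    method: str    # "ldap", "ssl", "sso_agent", "guest", "voucher", "sponsor"


def user_matches(selector: str, session: Optional[Session]) -> bool:
    """True when the rule's User field accepts this session (None = not authenticated)."""
    if selector == "No User":
        return True                       # user criterion ignored
    if selector == "Unknown users":
        return session is None            # what an authentication rule matches
    if session is None:
        return False                      # every other selector needs a session
    if selector == "Any user@any":
        return True
    if selector == "Any user@none":
        return session.domain in METHOD_DOMAINS.values()
    if selector.startswith("Any user@"):
        return session.domain == selector[len("Any user@"):]
    if selector in GROUPS:
        _, _, domain = selector.rpartition("@")
        return session.domain == domain and session.login in GROUPS[selector]
    # Otherwise the selector names one user as "login@domain".
    return selector == f"{session.login}@{session.domain}"


def make_guest(login: str) -> Session:
    """Session created by the guest method (constructed helper)."""
    return Session(login, METHOD_DOMAINS["guest"], "guest")
```

A rule whose User field is "Unknown users" matches only hosts with no session at all, which is why it belongs in the authentication (redirection) rule and not in the rules that grant access afterwards.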


DEFINING NEW
ADMINISTRATORS
USERS & AUTHENTICATION

Program of this module

✔ Introduction
✔ Linking to a directory
✔ Managing users
✔ Captive portal
✔ Authentication methods
✔ Authentication policy
✔ Filter rules for authentication
➔ Defining new administrators


DEFINING NEW ADMINISTRATORS

• Specific administration privileges
• Creating accounts to monitor or modify the configuration
• Choosing the modules to assign

From the menu Configuration ⇒ System ⇒ Administrators ⇒ Administrators tab, it
is possible to define an access privilege policy for each user of the LDAP base. A few
templates are available:

• Administrator without any privileges,
• Administrator with read-only access,
• Administrator with all privileges,
• Administrator of temporary accounts: authorizes the creation of accounts
for the temporary account authentication method.
• Administrator with access to sensitive data: allows full access to logs
• Administrator without access to sensitive data: restricts access to certain
information in logs.

Two editing modes are available here - simple view or advanced view (as above)
which provides more detail on granted privileges.


DEFINING NEW ADMINISTRATORS

• Every administrator can modify his own password
• An administrator cannot modify the password of another administrator
• "admin" can modify any user's password
• An administrator with "user" privileges can modify the password of a simple user


SECURITY RECOMMENDATIONS

• Protect the local administrator account
• Use accounts assigned to users by name
• Use groups to manage privileges
• Adjust administration privileges, separate roles
• Authenticate locally by certificate
• Dedicate an external directory to administrators
• Ensure secure configuration of the LDAP
• Access the directory using a restricted and secure account

The administrator password must be kept in a vault, and when it is used
exceptionally, its use must be monitored and restricted to a set group of persons. It
must be used only for SSH access or to define user privileges.

Only the local administrator account can assign administrator privileges, which is
why we advise assigning privileges to groups. User accounts are then placed in
groups, an operation that can be performed from the directory.

An administrator dedicated to a specific task must have only one restricted area of
responsibility, so that risks can be contained if the account is compromised, and
accidental changes to the configuration can be prevented.

Secure and redundant access to the external LDAP directory must be configured. The
account that the firewall uses to authenticate on the directory must be dedicated to
this purpose and hold only the basic (read-only) privileges.


LAB 7 – AUTHENTICATION

For more information, refer to the technical notes at documentation.stormshield.eu:

• SSO configuration - Microsoft SPNEGO
• Configuring guest authentication methods
• Installing and deploying the SSO agent
• Complying with regulations on personal data

For highly specific situations/questions, refer to the TAC knowledge base at
kb.stormshield.eu.

APPENDIX – USERS &
AUTHENTICATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.

382
Appendix
Users & authentication

GUEST METHOD
USERS & AUTHENTICATION

Program

➔ Guest method


GUEST METHOD

• Enabling guest method
• Authentication policy
• Enabling the captive portal

Guest method can be configured easily and quickly. In the list of available methods,
the only parameter to set is the frequency with which usage conditions will be
displayed – 18 hours by default.

When you edit the authentication policy, a wizard will assist you through the
configuration of the guest method. This wizard asks only for the network or interface
from which client hosts will authenticate. The guest method will then be applied to
all users coming from the selected object or arriving through the interface.

To allow users to accept the Internet access conditions, the captive portal must be
configured.


GUEST METHOD

• Selecting the files that contain Internet access conditions
• Checking the guest profile

HTML or PDF files describing access conditions to guests are added to the
configuration panel on the captive portal.

Then, write a filter rule that redirects guests to the captive portal.

VIRTUAL PRIVATE
NETWORKS
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

Training program

✔ Training and certification course
✔ Introduction to the company and products
✔ Getting started with the firewall
✔ Logs and monitoring
✔ Objects
✔ Network configuration
✔ Address translation
✔ Filtering
✔ Application protection
✔ Users & authentication
➔ VPN
SSL VPN

386
Virtual private networks

DIFFERENT TYPES OF
VPNS
VIRTUAL PRIVATE NETWORKS

Program of this module

➔ Different types of VPN


IPSec VPN – Concepts and overview
IPSec VPN – Configuration of a site-to-site tunnel
IPSec VPN – Configuration of multiple site-to-site tunnels
IPSec VPN – Virtual Tunneling Interface


VIRTUAL PRIVATE NETWORKS

• Three families of VPNs

• PPTP: for mobile clients only (see appendix)
• This solution is obsolete, and not recommended due to its security
risks

• SSL VPN: for mobile clients only

• IPSec VPN: for site-to-site tunnels or mobile clients

• GRE / GRETAP: site-to-site to transport IP packets or Ethernet
frames (seen in CSNE)


IPSEC VPN – CONCEPTS AND OVERVIEW
VIRTUAL PRIVATE NETWORKS

Program of this module

✔ Different types of VPN


➔ IPSec VPN – Concepts and overview
IPSec VPN – Configuration of a site-to-site tunnel
IPSec VPN – Configuration of multiple site-to-site tunnels
IPSec VPN – Virtual Tunneling Interface


IPSEC VPN – CONCEPTS AND OVERVIEW

[Diagram: site-to-site IPSec VPN tunnel]
Traffic endpoints (traffic selectors): local network A (or VTI_A interface) and remote
network B (or VTI_B interface).
Tunnel endpoints: IP@ FW A and IP@ FW B.
Opening the tunnel: ISAKMP = IKE v1 or v2, exchanged between IP@ FW A and IP@ FW B.
Forwarding data through the tunnel:
  Original packet:  [IP@ A, IP@ B | Data...]
  ESP packet:       [IP@ FW A, IP@ FW B | E_ESP | IP@ A, IP@ B | Data... | F_ESP | Auth]
  Encrypted fields: the original packet and the ESP trailer (F_ESP).
  Authenticated fields: the ESP header (E_ESP) plus the encrypted fields.

The site-to-site IPSec VPN tunnel enables the connection of two private networks
through a public network while providing the following security services:

• Authentication: makes it possible to verify the identities of both tunnel endpoints.
Two authentication methods are possible: PSK (pre-shared key) or certificates (PKI,
Public Key Infrastructure),
• Integrity: ensures that data has not been modified, by using hash algorithms,
• Confidentiality: ensures that data cannot be read by third parties intercepting the
traffic,
• Anti-replay: ensures that a packet that has already been received is ignored if it is
sent again; packets whose sequence numbers fall below the receiver's window are
dropped as well.
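The anti-replay service is implemented on the receiver with a sliding window keyed on the ESP sequence number, and it is the one of the four services above that is easy to misjudge when packets are reordered by the network. The following is an added example, not Stormshield code and not the firmware's IPsec stack: it parses the 8-byte ESP header (SPI and sequence number, RFC 4303 section 2) from constructed packets and applies the window algorithm of RFC 4303 Appendix A. Payload, padding and ICV are not modelled.

```python
"""Sliding-window anti-replay check for ESP sequence numbers.

Added example, not Stormshield code. Implements the RFC 4303 Appendix A
window: below the window -> drop, inside and already seen -> drop, above
the window -> accept and slide. The ESP packets are constructed.
"""
import struct
from typing import List, Tuple

ESP_HEADER = struct.Struct("!II")     # SPI, sequence number (RFC 4303 §2)


def parse_esp_header(packet: bytes) -> Tuple[int, int]:
    """Return (spi, seq) from the first 8 bytes of an ESP packet."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    return ESP_HEADER.unpack_from(packet)


def build_esp(spi: int, seq: int, payload: bytes = b"") -> bytes:
    """Constructed ESP packet: header followed by an opaque payload."""
    return ESP_HEADER.pack(spi, seq) + payload


class ReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0           # highest sequence number accepted so far
        self.bitmap = 0        # bit i set <=> sequence number (top - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and not older than the window."""
        if seq == 0:
            return False                          # 0 is never valid (§3.3.3)
        if seq > self.top:
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1                   # jumped past the whole window
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                          # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                          # already received: replay
        self.bitmap |= 1 << offset                # late but new: accept
        return True


def process(window: ReplayWindow, packets: List[bytes]) -> List[bool]:
    """Feed constructed ESP packets through the window; True = accepted."""
    return [window.check_and_update(parse_esp_header(p)[1]) for p in packets]
```

With a 64-packet window, sequence numbers 1, 1, 5, 3, 3, 100, 36, 37 give accept, drop, accept, accept, drop, accept, drop, accept: the late packet 3 is still accepted, the repeated ones are not, and 36 is refused once 100 has moved the window past it.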

The site-to-site IPSec VPN tunnel can be set up between the SNS firewall and any IPsec
VPN-compatible equipment. Tunnels are negotiated through ISAKMP (Internet Security
Association Key Management Protocol), also known as IKE (Internet Key Exchange),
which currently exists in two versions, V1 (RFC 2409) and V2 (RFC 7296).

The negotiation takes place between the tunnel endpoints, which correspond to the
appliance's IP addresses (IP@ FW A and IP@ FW B). The IKE protocol is sent over UDP on
port 500.


Once a tunnel has been set up between two appliances, the traffic endpoints
corresponding to private networks can communicate via ESP (Encapsulating Security
Payload) which ensures data confidentiality and integrity. The ESP protocol (the IP
protocol number is 50, defined in RFC 4303) is encapsulated directly in an IP packet.

Two operating modes determine whether IP packets are encapsulated in ESP:

• Policy match (standard operating mode): matches users' IP addresses with the
IPSec policy; this operating mode relies on the [source IP + destination IP] criteria
of these IP packets compared with the policy loaded in the system's IPSec
structures. In this operating mode, the IPSec policy will be evaluated before the
general IP routing instructions. Whether it is applied depends only on whether it
"matches" the policy.

• Virtual Tunneling Interface (operating mode if routing via VTI is enabled):
routing via the remote VTI (Virtual Tunneling Interface) with an IP address that
belongs to the same network as the local VTI. VTIs make it possible to define
routes going through the IPSec tunnel. They act as mutual gateways for each
other. They are like the tunnel's entry and exit points. This operating mode has
priority over policy matching.

NOTES:
• Stormshield firewalls support versions 1 and 2 of the IKE protocol. From V3.3.0
onwards, you can configure tunnels using IKEv1 and IKEv2 in the same IPSec VPN
policy. The combination of IKEv1 and IKEv2 in the same policy is still under
experiment and must not be used in a production environment.

• If one tunnel endpoint is located in a translated network, NAT-Traversal will
automatically be enabled so that the UDP protocol on port 4500 will be used to
finalize the IKE negotiation and forward ESP packets (this theme is covered in the
CSNE course).


IPSEC VPN – CONCEPTS AND OVERVIEW

• Peer identities:

• Site-to-site with fixed IP addresses: Firewall A (IP@ FW A) <-> Firewall B (IP@ FW B)

• Site-to-site with a peer with a dynamic IP address: Firewall A (IP@ FW A) <->
Firewall B (FQDN fw.company-b.com)

During authentication, each endpoint verifies the other endpoint's identity. The
following identities may represent a tunnel endpoint:

• The IP address of the external network interface "Firewall_out" when it is
configured with a fixed IP address,

• An FQDN when the endpoint does not have a fixed IP address.

Depending on the authentication method used, the identity will be associated with:

• A PSK (pre-shared key): each endpoint will provide proof that it holds the
common PSK.

• A PKI (Public Key Infrastructure): each endpoint will present an X.509 digital
certificate that must be signed by a certification authority trusted by the other
peer. The use of certificates for authentication is covered in the CSNE course.

IKE Phase 1 (IKEv1: ISAKMP-SA; IKEv2: PARENT-SA), negotiated with the Phase 1
encryption profile of each peer:
• Encryption algorithm: AES, Blowfish
• Hash function: sha1, sha2
• Diffie-Hellman group
• Maximum lifetime (s)
• Authentication: PSK, PKI

IKE Phase 2 (IKEv1: ESP-SA 1 and ESP-SA 2; IKEv2: Child-SA 1 and Child-SA 2),
negotiated with the Phase 2 encryption profile of each peer:
• Perfect Forward Secrecy (PFS)
• Lifetime (s)
• Authentication code: HMAC-SHA1 and HMAC-MD5
• Encryption algorithm: AES, Blowfish
• Traffic endpoints

There are two phases in the IKE negotiation to set up an IPSec VPN tunnel:

• Phase 1: during this phase, both tunnel endpoints negotiate a Phase 1 encryption
profile that contains encryption/authentication algorithms. In this phase as well,
both endpoints authenticate with a pre-shared key or certificates.
If both endpoints are unable to agree on a common encryption profile or if they
are unable to authenticate, Phase 1 will fail and the negotiation ends.
Otherwise, an encrypted application dialog, called ISAKMP-SA (Internet Security
Association Key Management Protocol – Security Association) in IKEv1 and
PARENT-SA in IKEv2, will be set up between both endpoints. It will enable the
negotiation of Phase 2, which will be fully encrypted with the Phase 1 ISAKMP-SA
key.

• Phase 2: during this phase, both endpoints negotiate the Phase 2 encryption
profile and the traffic endpoints that can communicate through the IPSec VPN
tunnel.


If both endpoints are unable to make these parameters match, Phase 2 will fail;
otherwise, two channels will be opened for data transmission (one in each
direction). Each channel will use its own encryption key. They are called ESP-SA1
and ESP-SA2 in IKEv1 and CHILD-SA1 and CHILD-SA2 in IKEv2. Each endpoint will
therefore possess a key pair - one to encrypt sent data and the other to decrypt
received data.

NOTES:
• In IKEv1, Phase 1 may take place in two modes: MAIN or AGGRESSIVE. RFC2409
requires identifiers to be the IP addresses of peers when the negotiation mode is
MAIN and for authentication to be based on a PSK. AGGRESSIVE mode will
therefore be applied as soon as a peer cannot be identified by a static IP address.

• In IKEv1, traffic endpoints must be identical for both peers, otherwise Phase 2 will
fail. However, in IKEv2, this is not mandatory but you are strongly advised to
configure these parameters identically to avoid unpleasant surprises.

• To simplify and standardize the presentation of logs, IKEv1 terminology is
preferred on SNS firewalls (Phase 1 and Phase 2) over IKEv2 terminology.

• The peer whose local network initiated traffic to the remote network will start the
tunnel negotiation. As a result, if no traffic passes between the tunnel's networks,
the tunnel will not be opened.

IPSEC VPN – CONFIGURATION OF A SITE-TO-SITE TUNNEL

Program of this module

✔ Different types of VPN
✔ IPSec VPN – Concepts and overview
➔ IPSec VPN – Configuration of a site-to-site tunnel
IPSec VPN – Configuration of multiple site-to-site tunnels
IPSec VPN – Virtual Tunneling Interface


Site-to-site IPsec VPN tunnels can be configured in the menu VPN ⇒ IPsec VPN tab
⇒ ENCRYPTION POLICY – TUNNELS tab ⇒ SITE-TO-SITE (GATEWAY – GATEWAY) tab,
by clicking on Add ⇒ Site-to-site tunnel.

A wizard will appear allowing you to enter the main parameters: traffic endpoints
(local networks and remote network) and the remote tunnel endpoint (the peer).

If the peer does not exist, it needs to be created by clicking on the IKE version (v1 or
v2) that will be used for the tunnel negotiation. A new wizard will open to allow you
to enter the peer's parameters.

In the first step, you will be able to enter the host object that bears the peer's IP
address.

The second step allows you to select and configure the authentication method. If
PSK is selected, the pre-shared key specified will be associated with the peer's
identity.

In the last step, all parameters that have been defined will be listed, and if necessary,
a backup gateway can be added. When you click on Finish, you will go back to the
VPN tunnel creation wizard.

When you have defined the three parameters (local network, remote network and
peer), click on Finish. The VPN tunnel will be added to a separate line in the policy. A
detailed summary can be displayed by clicking on the icon represented by an eye.

• Phase 1 and Phase 2 encryption profiles

The Phase 1 encryption profile, also known as IKE profile, is configured on the peer,
whereas the Phase 2 encryption profile, also known as IPSec profile, is configured on
the VPN tunnel.

• Looking up, modifying and creating Phase 1 and Phase 2 encryption profiles

For both phases, there are three pre-configured profiles: StrongEncryption,
GoodEncryption and Mobile. The ENCRYPTION PROFILES tab in the menu VPN ⇒
IPSec VPN makes it possible to:
• Look up and modify pre-configured configuration profiles,
• Define the profiles that will be used by default when tunnels are added,
• Create new customized Phase 1 and Phase 2 profiles.

• Keepalive

The purpose of the Keepalive function is to keep the tunnel available by sending a
UDP packet to the remote network over port 9 with a certain frequency. This will
cause the initial negotiation of the tunnel, and then its periodic renegotiations.

The keepalive column can be hidden by default; to make it appear, click on the
header of a column, then select Columns and select the Keepalive option. It allows
configuring the frequency with which UDP packets will be sent (in seconds).

• Implicit rules allow IKE and ESP traffic originating from the remote peer.

For site-to-site IPSec VPN tunnels, implicit rules are automatically added when the
tunnel is created in order to allow receiving traffic that is part of an IPsec VPN
tunnel: UDP ports 500 and 4500, and ESP.

These implicit rules only concern incoming traffic as outgoing traffic is already
covered by the firewall's implicit traffic rules.

• Explicit filter rules to allow traffic between traffic endpoints (remote networks)

Traffic that has to be allowed between users of the tunnel must be explicitly defined
in the filter rules:

• The first rule makes it possible to initiate connections from local network
Network_in to remote network NET_IN_B.

• As for the second rule, it allows initiating connections from remote network
NET_IN_B to local network Network_in. The via IPsec VPN tunnel instruction was
added to the source of this rule in order to ensure that traffic from the remote
network originates from the IPSec VPN tunnel.

NOTE: These sample rules are really permissive as they do not specify any particular
traffic; in a real situation, it would be better to define a filter policy that will strictly
describe traffic to be allowed in order to cover the communications needed between
the various machines on both sites.

• IKE negotiation logs (IKEv1 and IKEv2)

The menu LOGS ⇒ VPN displays events relating to the IKE negotiation process.
Traffic endpoints that were the reason for the negotiations and for which the tunnel
is available appear clearly on the log line relating to the Phase 2 negotiation.

For diagnosis purposes and especially if a warning or an error message was reported,
it is essential to point out the phase to which the event relates.

The columns displayed above have been deliberately kept to the minimum needed
for the example. You can see more detailed technical information by clicking on the
arrow in column headers and selecting the columns you would like to add.

• IPSEC VPN policy

In the Monitoring ⇒ IPSec VPN tunnels menu, you can see the active IPSec VPN
policy on the firewall.

When the option Hide established tunnels to display only policies with issues is
selected, only policies that do not have negotiated tunnels will be shown.

• Monitoring IPSec VPN tunnels opened in the GUI

In the Tunnels section, you can monitor available tunnels. The current age of the SAs
and the selected algorithms for negotiations are shown.

The Status column may display one of three values:

• larval: the tunnel is being negotiated,
• mature: Phase 2 SAs have been negotiated and the tunnel is operational,
• dying: Phase 2 SAs have reached 80 % of their lifetimes.

IPSEC VPN – CONFIGURATION OF MULTIPLE SITE-TO-SITE TUNNELS

Program of this module

✔ Different types of VPN
✔ IPSec VPN – Concepts and overview
✔ IPSec VPN – Configuration of a site-to-site tunnel
➔ IPSec VPN – Configuration of multiple site-to-site tunnels
IPSec VPN – Virtual Tunneling Interface

Diagram: sites A and B, each with an IN interface (IN_A, IN_B) serving NET_IN_A
and NET_IN_B, a DMZ1 interface (DMZ1_A, DMZ1_B) serving NET_DMZ1_A and
NET_DMZ1_B, and an OUT interface (OUT_A, OUT_B) on which the tunnel ends.

The goal is to configure an IPsec VPN policy to allow communication between the
local IN and DMZ1 networks on both sites. There are two ways to configure this
policy:
1. One rule for each pair of networks to be linked.
2. One rule for all networks, by using groups.

1. One rule for each pair of networks to be linked: the same number of tunnels for
IKEv1 and IKEv2.

The first configuration allows using various encryption profiles or enabling keepalive
only for certain selected tunnels.

Regardless of the version of the IKE protocol used, the loaded policy will be the same
and will generate four separate tunnels, meaning four pairs of IPSec-SA tunnels.

2. One rule for all networks, by using groups: a different number of tunnels
between IKEv1 and IKEv2.

The second configuration is more concise and therefore easier to read as long as a
strict and sufficiently descriptive naming system is adopted for group names, in
order to avoid ambiguities or confusion when reading it later.

This configuration generates a different number of tunnels depending on the version
of the IKE protocol:
• IKEv1: four tunnels, the same as the first configuration.
• IKEv2: a single tunnel, which will be used to transport all communications
between the various networks. This behavior is sometimes described as
"shared SA".

WARNING: the configuration method on policies must therefore be standardized for
tunnels negotiated in IKEv2 between SNS firewalls.

IPSEC VPN – VIRTUAL TUNNELING INTERFACE

Program of this module

✔ Different types of VPN
✔ IPSec VPN – Concepts and overview
✔ IPSec VPN – Configuration of a site-to-site tunnel
✔ IPSec VPN – Configuration of multiple site-to-site tunnels
➔ IPSec VPN – Virtual Tunneling Interface

Diagram: site-to-site IPSec VPN between Firewall A and Firewall B through the VTIs
VTI_A (IP_VTI_A: x.y.z.1/30) and VTI_B (IP_VTI_B: x.y.z.2/30). Behind each firewall,
the networks NET_IN, NET_DMZ1 and NET_DMZ2 are served by the interfaces IN,
DMZ1 and DMZ2, and the OUT interfaces carry the tunnel.

Routes on A:              Routes on B:
NET_IN_B ⇨ IP_VTI_B       NET_IN_A ⇨ IP_VTI_A
NET_DMZ1_B ⇨ IP_VTI_B     NET_DMZ1_A ⇨ IP_VTI_A
NET_DMZ2_B ⇨ IP_VTI_B     NET_DMZ2_A ⇨ IP_VTI_A


There is now another approach available, that uses VTIs dedicated to an IPSec
tunnel.

These particular IPSec interfaces will be passage points for traffic entering and
leaving the IPSec tunnel. They will act as gateways to each other to transport traffic
between networks through the IPSec tunnel.

This approach has several advantages:
• The independence of the IPSec policy with regard to the IP addresses of tunnel
users and traffic to be managed.
• The immediate availability of the tunnel for any new network or traffic.
• The flexible and accurate selection of traffic to be sent through the tunnel.
• The restriction to a single tunnel (and therefore to a single Phase 2 negotiation)
regardless of the number of IP networks to be linked to one another.

In the following slides, you will see how to configure a site-to-site IPSec VPN tunnel
using VTIs.

Priority between policy matching and routing over VTI:
Routing over the VTI has priority over policy matching. This means that if an IPSec
VPN policy contains two tunnels that are used in linking up the same networks – one
defined by policy matching and a second using routing over the VTI, packets will be
sent over the second tunnel.
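The selection order above, as an added example that is not Stormshield code: a simplified Python model of how a packet leaving site A picks its path, checking a VTI route first, then policy matching, then ordinary routing. The addresses of NET_IN_A, NET_IN_B, NET_DMZ1_A and NET_DMZ1_B, the Internet gateway and the tunnel names are constructed for the example; 172.25.255.2 is the VTI_B address given on the VTI creation slide of this module.

```python
"""Simplified model of the path-selection order for a packet leaving site A:
1. a route whose gateway is a remote VTI (routing over VTI),
2. otherwise an IPSec policy entry matching source and destination (policy matching),
3. otherwise the ordinary route.
Added example, not Stormshield code. All network addresses, the Internet gateway
and the tunnel names are constructed for this example."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    destination: Net
    gateway: IPv4


@dataclass(frozen=True)
class PolicyTunnel:
    name: str
    local_net: Net       # local traffic endpoint
    remote_net: Net      # remote traffic endpoint


def lookup_route(dst: IPv4, routes: list[Route]) -> Route | None:
    """Longest-prefix match over the routing table, None if no route applies."""
    candidates = [r for r in routes if dst in r.destination]
    return max(candidates, key=lambda r: r.destination.prefixlen, default=None)


def select_path(src: IPv4, dst: IPv4, routes: list[Route],
                vti_gateways: dict[IPv4, str],
                policy: list[PolicyTunnel]) -> tuple[str, str]:
    """Return (mechanism, name): ("vti", tunnel), ("policy", tunnel) or ("routing", gateway)."""
    route = lookup_route(dst, routes)
    # 1. Routing over a VTI has priority: the route's gateway is the remote VTI.
    if route is not None and route.gateway in vti_gateways:
        return "vti", vti_gateways[route.gateway]
    # 2. Policy matching: first tunnel whose traffic endpoints contain src and dst.
    for tunnel in policy:
        if src in tunnel.local_net and dst in tunnel.remote_net:
            return "policy", tunnel.name
    # 3. General IP routing, outside IPSec.
    return "routing", str(route.gateway) if route is not None else "no route"


# Constructed lab addressing for site A (all values are examples).
NET_IN_A, NET_IN_B = Net("10.1.1.0/24"), Net("10.2.1.0/24")
NET_DMZ1_A, NET_DMZ1_B = Net("10.1.2.0/24"), Net("10.2.2.0/24")
IP_VTI_B = IPv4("172.25.255.2")          # remote VTI address from this module
DEFAULT_GW = IPv4("203.0.113.1")         # constructed Internet gateway of Firewall A

ROUTES_ON_A = [
    Route(Net("0.0.0.0/0"), DEFAULT_GW),
    Route(NET_IN_B, IP_VTI_B),           # NET_IN_B ⇨ IP_VTI_B, as in the diagram
]
VTI_GATEWAYS = {IP_VTI_B: "vti_tunnel_A_B"}
# The policy also carries a policy-matching tunnel for the same pair of networks,
# plus one for the DMZ1 networks, which have no VTI route.
POLICY_ON_A = [
    PolicyTunnel("policy_tunnel_in", NET_IN_A, NET_IN_B),
    PolicyTunnel("policy_tunnel_dmz1", NET_DMZ1_A, NET_DMZ1_B),
]


def example_decisions() -> dict[str, tuple[str, str]]:
    """Path chosen for three constructed flows leaving site A."""
    flows = {
        "IN_A -> IN_B": (IPv4("10.1.1.10"), IPv4("10.2.1.20")),
        "DMZ1_A -> DMZ1_B": (IPv4("10.1.2.10"), IPv4("10.2.2.20")),
        "IN_A -> Internet": (IPv4("10.1.1.10"), IPv4("198.51.100.7")),
    }
    return {name: select_path(s, d, ROUTES_ON_A, VTI_GATEWAYS, POLICY_ON_A)
            for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for flow, decision in example_decisions().items():
        print(f"{flow}: {decision}")
```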

• Creation of VTIs on each peer (VTI on Peer A, VTI on Peer B)

VTIs created on both peers each have a common name and IP address from the
same address range:

• On Peer A, the VTI is named VTI_A and its IP address is 172.25.255.1/30.
• On Peer B, the VTI is named VTI_B and its IP address is 172.25.255.2/30.

To prevent ambiguities with the existing architecture and its future additions, it
would be best to select an address range entirely dedicated to the use of VTIs, in an
officially private and sufficiently original range to avoid overlapping with an existing
network or the remote network of a future interconnection.

NOTE: From V3.3.0 onwards, /31 networks can be used; they are better suited to
point-to-point interfaces as they do not use network and broadcast addresses.

The common names of these interfaces will automatically be associated with an
implicit host object on each peer:

• On Peer A: Firewall_VTI_A.
• On Peer B: Firewall_VTI_B.

• Creation of the host object that has the IP address of the remote peer's VTI: on
A, the host object with the IP address of VTI_B; on B, the host object with the IP
address of VTI_A.

On each firewall, the object with the IP address of the remote peer's VTI must also
be created.

As with all objects, it is best to give these objects clear names, as this makes it
easier to use VTIs on IPSec VPN architectures with multiple peers.

• Definition of the IPSec VPN policy based on VTIs (on Peer A and on Peer B)

Objects corresponding to the IP addresses of VTIs will be defined as the tunnel's
traffic endpoints. Unlike IPSec configurations based on policy matching, IPSec will
not exclusively manage communications between two IP addresses on VTIs but all
traffic that will go through these interfaces due to the routing instructions.

• Definition of routes for the tunnel's user traffic: static routes (on Peer A and on
Peer B)

In this operating mode, it is important to ensure that the routing of return packets
coincides with the tunnel taken by outgoing packets.
Below, static routes globally indicate on each peer that the remote networks can be
contacted through the same tunnel.

• Definition of routes for the tunnel's user traffic: Policy-Based Routing
– On Peer A, a filter rule with PBR indicates the remote peer's VTI as the gateway.
– On Peer B, the return route must be defined.

The use of policy-based (PBR) routing instructions also imposes the routing of return
packets by the same tunnel.
This is why the return route has to be defined via the VTI corresponding to the
tunnel through which outgoing packets arrived.

These instructions have to be applied on both peers if communications in the tunnel
can be initiated indiscriminately by the networks on the A side to networks on the B
side and vice versa.

• Traffic allowed between both remote networks

The via IPsec VPN tunnel instruction must not be used with VTIs; instead, the VTI
needs to be used as the incoming interface in the rule that allows incoming traffic
from the tunnel.

SECURITY RECOMMENDATIONS

• Use strong algorithms for IKE and IPsec
• Use IKEv2
– If not available, use main mode in IKEv1
• Use certificate-based authentication
– If not available, use strong PSKs
• Configure Keepalive
• Disable PPTP

You are strongly advised against using the MD5 hash function, DES encryption, RSA
keys smaller than 2048 bits or ECDSA keys smaller than 200 bits.
We also do not recommend the use of 3DES, SHA-1 and ECDSA with keys smaller
than 256 bits if stronger alternatives are available, such as AES, SHA-2 and ECDSA
with keys of at least 256 bits.
Choose the Diffie-Hellman group carefully. Higher group numbers are preferred (such
as 14 or 15), or elliptic curve groups of at least 256 bits.

To avoid losing packets while waiting for a tunnel to be set up, we recommend that
you enable Keepalive which will keep the tunnel up.

PPTP is an obsolete protocol and must no longer be used.
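The recommendations above turned into a configuration check, as an added example that is not Stormshield code: it flags the settings the text advises against as errors and the ones it does not recommend as warnings. The configuration layout, the two sample configurations and the minimum PSK length of 20 characters are constructed for the example; the algorithm, key-size and Diffie-Hellman rules are the ones stated in the text.

```python
"""Check an IKE/IPsec configuration against the recommendations above.
Added example, not Stormshield code: the configuration layout, the samples and the
minimum PSK length are constructed here; the algorithm, key-size and DH rules are
those stated in the text."""
from __future__ import annotations
from dataclasses import dataclass

# IANA Diffie-Hellman group numbers mapped to (kind, size in bits).
DH_GROUPS = {1: ("modp", 768), 2: ("modp", 1024), 5: ("modp", 1536),
             14: ("modp", 2048), 15: ("modp", 3072), 16: ("modp", 4096),
             17: ("modp", 6144), 18: ("modp", 8192),
             19: ("ecp", 256), 20: ("ecp", 384), 21: ("ecp", 521)}
MIN_PSK_LENGTH = 20  # constructed threshold for a "strong PSK", not a Stormshield value


@dataclass
class IpsecConfig:
    ike_version: int = 2
    ike_mode: str = "main"          # IKEv1 only: "main" or "aggressive"
    auth: str = "certificate"       # "certificate" or "psk"
    psk: str = ""
    key_type: str = "rsa"           # certificate key: "rsa" or "ecdsa"
    key_bits: int = 2048
    dh_group: int = 14
    phase1_encryption: str = "aes"
    phase1_hash: str = "sha2"
    phase2_encryption: str = "aes"
    phase2_auth: str = "hmac-sha2"
    keepalive: int = 30             # seconds, 0 = disabled
    pptp_enabled: bool = False


def _normalize(algo: str) -> str:
    """'HMAC-SHA1', 'sha-1' and 'SHA1' all become 'sha1'."""
    return algo.lower().replace("hmac-", "").replace("-", "")


def check_config(cfg: IpsecConfig) -> list[tuple[str, str]]:
    """Return (level, message) findings: "error" = advised against, "warning" = not recommended."""
    findings: list[tuple[str, str]] = []

    def add(level: str, msg: str) -> None:
        findings.append((level, msg))

    # Algorithms: MD5 and DES are out; 3DES and SHA-1 only when nothing stronger is available.
    for where, algo in (("Phase 1 encryption", cfg.phase1_encryption),
                        ("Phase 1 hash", cfg.phase1_hash),
                        ("Phase 2 encryption", cfg.phase2_encryption),
                        ("Phase 2 authentication code", cfg.phase2_auth)):
        name = _normalize(algo)
        if name in ("md5", "des"):
            add("error", f"{where}: {algo} must not be used")
        elif name in ("3des", "sha1"):
            add("warning", f"{where}: {algo} is not recommended, prefer AES / SHA-2")

    # Diffie-Hellman: prefer group 14 or 15, or elliptic-curve groups of at least 256 bits.
    group = DH_GROUPS.get(cfg.dh_group)
    if group is None:
        add("warning", f"DH group {cfg.dh_group}: unknown group, verify its strength")
    elif group[0] == "modp" and cfg.dh_group < 14:
        add("warning", f"DH group {cfg.dh_group} ({group[1]}-bit MODP): prefer group 14 or higher")

    # IKE version and negotiation mode.
    if cfg.ike_version == 1:
        if cfg.ike_mode.lower() == "aggressive":
            add("warning", "IKEv1 aggressive mode: use IKEv2, or main mode if IKEv2 is unavailable")
        else:
            add("warning", "IKEv1 main mode: use IKEv2 when both peers support it")

    # Authentication: certificates first, strong PSKs otherwise.
    if cfg.auth == "psk":
        add("warning", "PSK authentication: prefer certificate-based authentication")
        if len(cfg.psk) < MIN_PSK_LENGTH:
            add("error", f"PSK shorter than {MIN_PSK_LENGTH} characters: use a strong PSK")
    elif cfg.key_type == "rsa" and cfg.key_bits < 2048:
        add("error", f"RSA key of {cfg.key_bits} bits: keys below 2048 bits must not be used")
    elif cfg.key_type == "ecdsa" and cfg.key_bits < 200:
        add("error", f"ECDSA key of {cfg.key_bits} bits: keys below 200 bits must not be used")
    elif cfg.key_type == "ecdsa" and cfg.key_bits < 256:
        add("warning", f"ECDSA key of {cfg.key_bits} bits: prefer at least 256 bits")

    if cfg.keepalive <= 0:
        add("warning", "Keepalive disabled: enable it to avoid losing packets while the tunnel is set up")
    if cfg.pptp_enabled:
        add("error", "PPTP is obsolete and must be disabled")
    return findings


def is_compliant(cfg: IpsecConfig) -> bool:
    """True when no finding is an error (warnings are tolerated)."""
    return not any(level == "error" for level, _ in check_config(cfg))


# Constructed samples: a legacy tunnel next to one that follows the recommendations.
LEGACY = IpsecConfig(ike_version=1, ike_mode="aggressive", auth="psk", psk="secret",
                     dh_group=2, phase1_encryption="3des", phase1_hash="md5",
                     phase2_encryption="des", phase2_auth="hmac-md5",
                     keepalive=0, pptp_enabled=True)
RECOMMENDED = IpsecConfig(ike_version=2, key_type="ecdsa", key_bits=256, dh_group=19)
```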

LAB 8 – IPSEC VPN

For more information, refer to the resources at documentation.stormshield.eu:
• Stormshield IPSec VPN Client user guide
• Technical notes:
– IPSec virtual interfaces
– Integrating NAT into IPSec
– IPSec VPN: Authentication by pre-shared key
– IPSec VPN: Certificate-based authentication
– IPSec VPN: Hub and spoke configuration

For highly specific situations/questions, refer to the TAC knowledge base at
kb.stormshield.eu.

APPENDIX – VIRTUAL PRIVATE NETWORKS
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.

POINT-TO-POINT TUNNELING PROTOCOL

Program

➔ Point-to-Point Tunneling Protocol
IPSec VPN – dynamic peers


PPTP: CONCEPTS

• Point-to-Point Tunneling Protocol
– Native client on any Microsoft operating system
– Control channel over 1723/tcp + GRE encapsulation (proto=47)
– Authentication through MS-CHAP
– MPPE encryption in 40, 56 and 128 bits
– PPP: the client dynamically creates a PPP network interface that
has an IP address from the LAN that needs to be reached
– A DNS and WINS server can also be associated with this PPP
interface


PPTP: SETTING UP THE SERVICE

• The Host_group object describes hosts that belong to the same addressing scheme
as an interface on the firewall, and can also be an address range.
• The selected DNS and WINS servers will be assigned to the client when the
connection is set up.

The IP address range allocated to PPTP clients must be dedicated to these clients
only; hosts on the LAN must not use any of these addresses as this would cause an IP
address conflict on the LAN.


PPTP: USER PRIVILEGES AND PASSWORDS

• Users allowed to use PPTP will be indicated individually in the VPN UAC.
• A password dedicated to the PPTP connection will be assigned to them.

The PPTP password is different from the password that the user would usually use to
authenticate on the captive portal.

So when the firewall relies on an Active Directory LDAP or a more general external
LDAP, the PPTP password will not be synchronized with the user’s authentication
password.

IPSEC VPN – DYNAMIC PEERS

Program

✔ Point-to-Point Tunneling Protocol
➔ IPSec VPN – dynamic peers

• Configuring an anonymous tunnel: Firewall A (IP@ FW A) and Firewall B (FQDN
fw.company-B.net)

In the example above, Firewall B has a dynamic IP address, so a site-to-site tunnel
cannot be configured on Firewall A.

In such cases, an Anonymous tunnel may be configured on Firewall A, which will
check the identity of Firewall B by using its FQDN combined with a PSK. On the other
side, Firewall B will configure a standard site-to-site tunnel as Firewall A has a static
IP address. In this case, it is obvious that Firewall B will initiate the IPSec VPN tunnel.

The anonymous tunnel can be configured via a wizard in the tab ANONYMOUS –
MOBILE USERS, by clicking on Add ⇒ New policy.

In the wizard, the remote tunnel and traffic endpoints are not defined, which is why
they are often referred to as Anonymous tunnels. Only the local traffic endpoint
needs to be selected. In the diagram above, the hosts that need to be reached
through IPSec are located in Network_in.

The remote traffic endpoint is predefined as All in the wizard (blue box). It is
supposed to be unpredictable, because in the case of mobile users, it depends on
what the client presents in phase 2 based on its configuration and its network
location during negotiation. All therefore means Any as an indefinite IP entity, i.e.,
any address or address range.

To configure remote peers (mobiles), click on a version of the IKE protocol (v1 or v2).
A wizard will open to define their configuration.

• Creating a configuration for dynamic IKEv1 peers

Two consecutive windows from the wizard are shown above, in which you can:
• Choose a name for dynamic peers; note that the firewall already added the prefix
mobile_ .
• Select PSK authentication.

• Adding the identity of the peer and the associated pre-shared key

Add the identity of a dynamic peer (a firewall with a dynamic IP address). The
identity fw.company-B.net is an FQDN (Fully Qualified Domain Name). The FQDN is
associated with a PSK.

Finalize the configurations of the peers and the tunnel.

• The local ID is optional

In IKEv1, when an FQDN identity is defined, the configuration will automatically
switch to AGGRESSIVE negotiation mode. The Local ID for Firewall A is optional as it
has a static IP address.

• Configuration of Peer A on Firewall B

On Firewall B (which has a dynamic IP address), the IPSec VPN tunnel will be a site-to-site
configuration with:

• Fully defined tunnel endpoints.
• Fully defined traffic endpoints as well.
• Since firewall B initiates traffic, you can enable keepalive to force the tunnel to
stay up.
• The identity of this firewall must be defined as an FQDN fw.company-B.net. This
FQDN will be entered in the Local ID field of the peer's settings, mandatory in this
case. The peer's ID is optional, but if it is entered, it must match the FQDN that
Firewall A presents.
• The PSK associated with the identity of Firewall A with a static IP address.

In IKEv1, the negotiation mode will automatically switch to AGGRESSIVE once an
identifier is specified in the Local ID field.

• Filter rules on Peer A

Unlike site-to-site tunnels, implicit filter rules are not automatically added, so
tunnels cannot be set up. The filter policy on the firewall with a static public IP
address must explicitly allow negotiations and traffic that make up the tunnel (IKE
and ESP).

Similarly to site-to-site tunnels, filter rules must also be defined to specify which
traffic can go through the IPSec tunnel.

SSL VPN
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X

Training program

✔ Training and certification course
✔ Introduction to the company and products
✔ Getting started with the firewall
✔ Logs and monitoring
✔ Objects
✔ Network configuration
✔ Address translation
✔ Filtering
✔ Application protection
✔ Users & authentication
✔ VPN
➔ SSL VPN

CONCEPTS AND OVERVIEW

Program of this module

➔ Concepts and overview
Configuring a tunnel

• Stormshield firewalls embed two types of SSL VPNs

• SSL VPN portal:
– Accesses HTTP web servers and application servers through the
captive portal after authentication

• SSL VPN (full):
– Uses the SSL VPN client (free)
– Accesses the internal network transparently

Note:
• Both SSL VPN modes (portal and full) can run simultaneously.
• The SSL VPN portal will not be covered in this course. All references to "SSL VPN"
in the rest of this document refer exclusively to SSL VPN in full mode.

Diagram: protocol stack between mobile users, the OpenVPN server on the firewall
and the accessible resources. The users' IP and TCP/UDP traffic is carried inside a
TLS session between the client and the OpenVPN server (over any TCP/UDP port
except for a few), then forwarded as plain IP and TCP/UDP traffic to the resources.

SSL VPN allows remote users to securely access a company's internal resources.
Communications between the remote user and the firewall are encapsulated and
protected via an encrypted TLS tunnel.

On the firewall, SSL VPN tunnels are managed by the OpenVPN server (freeware)
which is embedded in the firmware as a new service. OpenVPN can run on any TCP
and/or UDP port except for a few, which are used for the firewall’s internal
processes:
• smtp_proxy: 8081/TCP
• ftp_proxy: 8083/TCP
• pop3_proxy:8082/TCP
• ssl_proxy: 8084/TCP
• http_proxy: 8080/TCP
• loopback_proxyssl: 8085/TCP
• firewall_srv: 1300/TCP
• ldap: TCP/389, ldaps TCP/636
• pptp: TCP/1723, TCP/4444, TCP/8087
• smux_tcp: TCP/199.

As for mobile users, the SSL VPN client (Stormshield or standard OpenVPN) manages
the tunnel, which must be installed on the machines. Once the tunnel is set up, the
remote host will retrieve an IP address provided by the SSL VPN server. It will be
deemed to belong to the firewall's (protected) internal networks and the user will be
considered authenticated.

NUMBER OF SSL VPN TUNNELS

• The maximum number of VPN tunnels depends on the UTM model:

UTM model          Number of users
SN160 / SN160W     5
SN210 / SN210W     20
SN310              20
SN510              100
SN710              150
SN910              150
SN2100             400
SN3100             500
SN6100             500
SNi40              100

• Limits on virtual appliances:

V-UTM model        Number of users
EVA1               100
EVA2               150
EVA3               200
EVA4               250
EVAU               500

SSL VPN CLIENTS

• The client may use the following to set up a tunnel:

• The standard OpenVPN application
– PC: Windows, iOS, Linux
– Mobile: Android, iOS

• The Stormshield SSL VPN client
– PC: Windows

Compatible SSL VPN clients:

• The Stormshield Network SSL VPN client (based on the OpenVPN client) can be
launched transparently on a Windows user workstation with user privileges
(however, using it requires administrator privileges). This client can be
downloaded for free from your mystormshield.com secure area and from the
firewall's captive portal after authentication.

• A standard OpenVPN client has to be launched with the client workstation's
administration privileges.

• Smartphones and tablets (Android or iOS) can also log in via an SSL VPN with an
OpenVPN Connect client (available in Google Play Store and Apple Store).

• The SSL VPN network defined on the server is considered an internal network
⇒ It must not overlap an existing internal network

• The SSL VPN network is divided into /30 sub-networks:
– The first is used by the server
– A sub-network is used for each client

• Example: 192.168.100.0/24 ⇒ maximum 63 clients
– Server [192.168.100.0 | .1 | .2 | .3] /30
– Client 1 [192.168.100.4 | .5 | .6 | .7] /30
– Client 2 [192.168.100.8 | .9 | .10 | .11] /30
– Client 3 [192.168.100.12 | .13 | .14 | .15] /30
– …

SSL VPN clients are part of the same network defined on the firewall. This network is
considered a protected internal network and therefore must not overlap an existing
internal network.

For its internal operation, the server will reserve the first /30 sub-network
originating from the SSL VPN network (an interface "tun0" will be created, and has
the first IP address of the network. This interface can only be seen in command line).
The following /30 sub-networks will be used by clients.

For example, if the SSL VPN service uses the network 192.168.100.0/24, the first SSL
VPN client will use the second /30 sub-network:
• Network address: 192.168.100.4
• Address of the tunnel's interface on the server side: 192.168.100.5
• Address of the tunnel's interface on the client side: 192.168.100.6
• Broadcast address: 192.168.100.7

As such, the maximum number of SSL VPN clients on this network is 63 (64 /30
sub-networks including one used by the server).

This behavior is explicitly defined in OpenVPN.
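The /30 layout described above, as an added example that is not Stormshield or OpenVPN code: it splits an SSL VPN network into /30 slots (the first reserved for the server, one per client), gives the capacity and the four addresses of any client slot, and checks the "must not overlap an internal network" rule. The function and class names are constructed for this example.

```python
"""Lay out the /30 sub-networks of an SSL VPN network as described above: the first
/30 is reserved for the server, each following /30 serves one client.
Added example, not Stormshield or OpenVPN code; the names below are constructed for
this example and the overlap check implements the "must not overlap" rule."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Slot:
    network: ipaddress.IPv4Network        # the /30 itself (its first address is the network address)
    server_side: ipaddress.IPv4Address    # tunnel interface address on the firewall side
    client_side: ipaddress.IPv4Address    # tunnel interface address on the client side
    broadcast: ipaddress.IPv4Address


def sslvpn_slots(network: str) -> list[Slot]:
    """Split the SSL VPN network into /30 slots; slot 0 is the server's (tun0) slot."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("the SSL VPN network must be an IPv4 network of /30 or larger")
    slots = []
    for sub in net.subnets(new_prefix=30):
        first, second = sub.hosts()        # the two usable addresses of a /30
        slots.append(Slot(sub, first, second, sub.broadcast_address))
    return slots


def max_clients(network: str) -> int:
    """Number of client slots: all /30 sub-networks minus the one used by the server."""
    return len(sslvpn_slots(network)) - 1


def client_slot(network: str, client_index: int) -> Slot:
    """Slot of the n-th client (1-based), i.e. the (n+1)-th /30 of the network."""
    slots = sslvpn_slots(network)
    if not 1 <= client_index < len(slots):
        raise ValueError(f"client index must be between 1 and {len(slots) - 1}")
    return slots[client_index]


def overlapping_internal_networks(network: str, internal_networks: list[str]) -> list[str]:
    """Internal networks that the SSL VPN network would overlap; must be empty."""
    net = ipaddress.ip_network(network, strict=True)
    return [n for n in internal_networks
            if net.overlaps(ipaddress.ip_network(n, strict=True))]


if __name__ == "__main__":
    # Constructed walk-through of the example from the text.
    print("max clients:", max_clients("192.168.100.0/24"))
    print("client 1:", client_slot("192.168.100.0/24", 1))
    print("overlaps:", overlapping_internal_networks("192.168.100.0/24",
                                                     ["192.168.0.0/16", "10.0.0.0/8"]))
```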

SETTING UP AN SSL VPN TUNNEL

Diagram: the three steps of the tunnel setup between the SSL VPN client and the
firewall:
1. Authentication of the user on the captive portal (verification of the user's VPN
privileges).
2. Request for configuration files: openvpn_client.zip containing CA.cert.pem,
openvpnclient.cert.pem, openvpnclient.pkey.pem and openvpnclient.ovpn.
3. Authentication and setup of the TLS tunnel (verification of the maximum
number of users possible, verification of the IP address pool, creation of the
tunnel; the user is authenticated on the firewall).

The SSL VPN tunnel can be set up in three main steps:

1. The SSL VPN client authenticates the user through the captive portal. During this
step, the firewall will check whether the authenticated user has the privileges to
open an SSL VPN tunnel.

2. If the authentication is successful, the client will send a request to retrieve the
configuration files sent back by the firewall in a compressed folder
openvpn_client.zip. The folder includes the following files:
• The certificate of the certification authority (CA.cert.pem),
• The client's certificate and its private key (openvpnclient.cert.pem
and openvpnclient.pkey.pem),
• The configuration of the OpenVPN client.

3. The client begins the setup of the TLS tunnel with certificate authentication,
using the certificates retrieved in the previous step. Before the tunnel is set up,
the firewall will check whether the maximum number of users has been reached
and whether a sub-network can be reserved for this new client. If all the
conditions have been verified, the tunnel will be set up and the user will be
considered authenticated.

NOTE: If the SSL VPN server can be accessed through a UDP or TCP port, the SSL VPN
client will first attempt to set up the tunnel with the UDP protocol; if that fails, the
client will automatically make a new attempt with the TCP protocol.


CONFIGURING A TUNNEL
SSL VPN

Program of this module

✔ Concepts and overview


➔ Configuring a tunnel


REQUIREMENTS: DIRECTORY, CAPTIVE PORTAL AND AUTHENTICATION

• An internal or external directory has to be configured
• A profile of the captive portal must be attached to the interface from which users
log on
• An authentication method has to be configured

The first step in setting up an SSL VPN tunnel is the authentication of the user via the
captive portal, meaning that:
• an external or internal directory has to be configured on the firewall,
• a profile of the captive portal must be attached to the interface from which users
log in,
• an authentication method has to be configured.

The possible authentication methods for the SSL VPN service are explicit methods
that require a login/password pair, in this case LDAP (internal, external or Microsoft
Active Directory), Kerberos and Radius.


REQUIREMENTS: THE SSL VPN CERTIFICATION AUTHORITY

• PKI that provides certificates for the OpenVPN server and OpenVPN clients (the
same certificate will be assigned to all OpenVPN clients)

Certificates will be used for authentication between the client and the SSL VPN
server. For this purpose, a root certification authority (CA) exists in the factory
configuration on all Stormshield Network firewalls. This CA is named
sslvpn-full-default-authority, and contains a server certificate (which identifies the
SSL VPN server) and a client certificate (which identifies all clients; each one of them
will then be distinguished by a login/password pair).

NOTE: A CA dedicated to the SSL VPN can be created without the need to rely on
the default CA. The creation of CAs is covered in the Expert level course.


SSL VPN ACCESS PRIVILEGES

(Screenshots: default settings and custom settings)

To allow a user to set up an SSL VPN tunnel, you will need to assign the
corresponding privileges in the menu Configuration ⇒ Users ⇒ Access privileges.

Regardless of which user is connected, default access can be selected in the tab
Detailed access ⇒ SSL VPN column: select Allow in the field Default SSL VPN policy.

However, a more thorough management of access privileges is recommended by
keeping the value of the default SSL VPN policy as "Block", and by adding users or
user groups in the tab DETAILED ACCESS ⇒ ADD with SSL VPN privileges set to Allow.


IMPLICIT FILTER RULE FOR SSL VPN


To allow SSL VPN clients to access the authentication portal on interfaces associated
with the firewall's authentication profiles, the implicit filter rule named Allow
interfaces associated with authentication profiles (Authd) to access the
authentication portal and SSL VPN has to be enabled.

If this is not the case, explicit filter rules that allow traffic to the public interface on
the service's listening port have to be added in the active policy.


CONFIGURATION OF THE SSL VPN SERVICE


The SSL VPN service can be configured in Configuration ⇒ VPN ⇒ SSL VPN.
• Network parameters section:
• IP address (or FQDN) of the UTM used: this refers to the address to which
SSL VPN clients will log on (public address most of the time). Warning:
entering an FQDN will involve name resolution via a DNS service.
• Available networks or hosts: hosts or networks to which users may have
access once the tunnel has been set up (access will still depend on the
active filter policy). The object Any can be selected. In this case, all VPN
client traffic will go through the tunnel and will be subject to the firewall's
filter and NAT operations.
• Network assigned to clients (UDP): network assigned to mobile clients
once the tunnel has been set up via the UDP protocol. The minimum value
that can be chosen here is a /29 network.
• Network assigned to clients (TCP): network assigned to mobile clients
once the tunnel has been set up via the TCP protocol. The minimum value
that can be chosen here is a /29 network.
• Maximum number of simultaneous tunnels allowed: this parameter
cannot be configured in the GUI. It indicates the maximum number of
tunnels (clients) allowed, which is the minimum between the number of
tunnels allowed for the firewall model and the number of tunnels possible
calculated from the network assigned to clients.

NOTE: the networks assigned to UDP and TCP clients must be different.


As seen earlier, this network is divided into /30 sub-networks, one of
which is used by the server for its internal operations and the others used
by clients. As such, a /24 network will allow a maximum of 63 tunnels.

• DNS settings sent to client section:
• Domain name: in general, this refers to the domain on which the networks
accessible by the client will depend.
• Primary (and secondary) DNS server: inside the corporate network if the
client needs to be able to access local resources. Otherwise a public server
can be chosen.
• Advanced configuration section:
• UTM IP address for the SSL VPN (UDP): this is the address to which SSL
VPN clients will log in if they have been configured to use UDP (usually a
public address).
• Port (UDP): the UDP listening port of the SSL VPN service.
• Port (TCP): the TCP listening port of the SSL VPN service.

NOTE: certain ports are reserved for internal use only and cannot be selected:
smtp_proxy: 8081/TCP, ftp_proxy: 8083/TCP, pop3_proxy: 8082/TCP, ssl_proxy:
8084/TCP, http_proxy: 8080/TCP, loopback_proxyssl: 8085/TCP, firewall_srv:
1300/TCP, ldap: TCP/389, ldaps: TCP/636, pptp: TCP/1723, TCP/4444, TCP/8087,
smux_tcp: TCP/199, isakmp: UDP/500, isakmp_nat: UDP/4500, bootps: UDP/67,
bootpc: UDP/68.


• Interval before key renegotiation (seconds): duration before a new TLS
session is renegotiated.
• Use DNS servers provided by the firewall: when this option is selected,
the SSL VPN client will add the DNS servers that were retrieved via the SSL
VPN tunnel to the network configuration of the client workstation.
• Prohibit use of third-party DNS servers: when this option is selected, the
client workstation will use only DNS servers that were retrieved through
the SSL VPN tunnel.

• Scripts to run on the client: makes it possible to run scripts when the client logs
in and logs out. Examples of scripts are provided in detail in the document
snentno_SSL_VPN_Tunnel.pdf accessible via https://mystormshield.eu.

• Used certificates: customizes the certificates used. Reminder: the server
certificate makes it possible to identify the SSL VPN server while the user
certificate allows SSL VPN clients to be identified (each client will then be
identified by its login). If these certificates are modified, ensure that they are
issued by the same certification authority. Otherwise, the configuration will not
be applied.

• Configuration: the configuration file can be downloaded in OpenVPN format.
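The following is an added worked example, not code from the Stormshield course or from the SNS product, of the two sizing rules stated in this module: the network assigned to clients is carved into /30 sub-networks with one reserved for the server (the 192.168.100.5/.6/.7 example at the start of the module), and the "Maximum number of simultaneous tunnels allowed" is the minimum between the model's limit and what the pool yields. It assumes the server's /30 is the first block of the pool (consistent with the page's example, but not stated there); the model limit used in the demonstration is a constructed figure, not the limit of any real SNS model.

```python
import ipaddress
from typing import List, Optional

# The pool is carved into /30 blocks; one /30 is kept by the server for its internal
# operations, every other /30 serves exactly one client.
# Assumption (not stated on the page): the server's block is the first one, which
# matches the page's example where the first client gets .5 (server side), .6
# (client side) and .7 (broadcast).
CLIENT_PREFIX = 30
SERVER_BLOCKS = 1


def _pool(network: str) -> ipaddress.IPv4Network:
    """Validate the client network: IPv4, /29 or larger (the GUI minimum), no host bits set."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen > 29:
        raise ValueError("the network assigned to clients must be an IPv4 /29 or larger")
    return net


def client_capacity(network: str, model_limit: Optional[int] = None) -> int:
    """Number of tunnels the pool can serve, capped by the firewall model's limit when given."""
    net = _pool(network)
    blocks = net.num_addresses // (1 << (32 - CLIENT_PREFIX))  # how many /30 fit in the pool
    from_pool = blocks - SERVER_BLOCKS
    return from_pool if model_limit is None else min(from_pool, model_limit)


def client_allocations(network: str) -> List[dict]:
    """One entry per client /30: network, server-side and client-side tunnel addresses, broadcast."""
    net = _pool(network)
    allocations = []
    for index, block in enumerate(net.subnets(new_prefix=CLIENT_PREFIX)):
        if index < SERVER_BLOCKS:
            continue  # reserved for the server
        server_side, client_side = block.hosts()  # a /30 has exactly two host addresses
        allocations.append({
            "client": index,
            "network": str(block),
            "server_side": str(server_side),
            "client_side": str(client_side),
            "broadcast": str(block.broadcast_address),
        })
    return allocations


if __name__ == "__main__":
    # Constructed values: the pool is the page's example network, the model limit is a
    # made-up figure, not the limit of any real SNS model.
    pool = "192.168.100.0/24"
    print(f"{pool}: {client_capacity(pool)} clients, "
          f"{client_capacity(pool, model_limit=50)} when the model allows only 50")
    for entry in client_allocations(pool)[:3]:
        print(entry)
```

Note that `ipaddress.ip_network(..., strict=True)` rejects a pool whose host bits are set (for example 192.168.100.1/24), which is the same kind of value the GUI would refuse, and that a /30 pool is rejected outright because nothing would be left for clients once the server's block is taken.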


FILTER - NAT

• Explicit filter rules have to be defined for the management of traffic coming
from tunnels (screenshot of the filter rules).
• Address translation can be implemented if clients need to use the SSL VPN to
access the Internet (screenshot of the NAT rule).

Filter rule no. 1 makes it possible to initiate connections from SSL VPN clients to the
internal server SRV_INTRANET.
Filter rule no. 2 makes it possible to initiate connections from SSL VPN clients to the
Internet; in this case, a NAT rule must also be added.


CONFIGURING THE STORMSHIELD SSL VPN CLIENT


The Stormshield Network SSL VPN application can be downloaded from your
secure-access area https://mystormshield.eu and from the firewall's captive portal
after authentication.

Once it is started, the SSL VPN client requests three parameters:
• The IP address or FQDN of the firewall to contact,
• The login of the user with SSL VPN privileges,
• The user's password.

A window will indicate that the connection to this site is not secure, because the
client does not trust the CA that signed the server certificate presented by the
firewall's captive portal. You can therefore:
• display the certificate to know which CA signed it,
• trust this certificate, meaning that the CA is added to the trusted
authorities and you can continue with the setup of the tunnel,
• cancel the connection, which will stop the setup of the tunnel.

If the tunnel setup fails, right-click on the Stormshield Network SSL VPN icon to
display logs.

When the tunnel is set up, the client workstation will have a specific interface for the
SSL VPN tunnel with an IP address that belongs to the object Network assigned to
the client in the server configuration.


(Icons: Disconnected, Connecting, Connected)

The color of the Stormshield SSL VPN client icon that appears in the notification zone
of the Windows taskbar corresponds to its status:

• Red: the client is disconnected,
• Yellow: the client is trying to set up the tunnel,
• Blue: the client is connected.

When the client is connected, information about the connection will appear when
you scroll over the icon.


SSL VPN TUNNELS IN THE GUI


In the firewall's monitoring page, you can view open SSL VPN tunnels in Monitoring
⇒ SSL VPN tunnels tab. You can also delete a tunnel by right-clicking on it and
clicking on Log off this user.

Users connected via an SSL VPN tunnel are considered authenticated and can be
viewed in the Users menu. The Auth. method column indicates that the VPN client
authenticated via an SSL VPN tunnel.


LAB 9 – SSL VPN

(Lab 9 topology diagram with sites A, B, C and D. Firewall A: 192.168.1.254/24,
172.16.1.254/24, 192.36.253.10/24. Firewall B: OUT 192.36.253.20/24, IN
192.168.2.254/24, DMZ 172.16.2.254/24. Instructor firewall: 192.168.250.254/24,
192.36.253.254/24, 172.16.250.254/24. Debian virtual machine servers: DNS
192.168.1.10, WEB 192.168.1.11, FTP 192.168.1.12, MAIL 192.168.1.13.)

For more information, refer to the technical note at documentation.stormshield.eu:
• SSL VPN tunnels

For highly specific situations/questions, refer to the TAC knowledge base at
kb.stormshield.eu.

APPENDIX -
TROUBLESHOOTING
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 3.X

In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.

457
Appendix
Troubleshooting

INTRODUCTION
TROUBLESHOOTING

Program

➔ Introduction
Before creating an incident
Essential elements
Additional information
Access to the firewall


INTRODUCTION

• How to speed up the technical support's resolution of an incident
• Finding out more about the situation and active configuration at the time the
issue occurred
• Each element provides crucial information

Stormshield Network's technical support team will not be able to diagnose incidents
without knowing specific information about the firewall and the architecture in
which it runs.
The cause of an issue may be a configuration error as much as an architecture flaw,
or abnormal behavior on the communication protocol used.

This chapter explains the elements that technical support needs in order to examine
an incident. These elements are sorted by troubleshooting level.


BEFORE CREATING AN
INCIDENT
TROUBLESHOOTING

Program

✔ Introduction
➔ Before creating an incident
Essential elements
Additional information
Access to the firewall


BEFORE CREATING AN INCIDENT

• Check the configuration very closely
• Read various sources of documentation (technical notes, webinars, user guides,
etc.)
• Is the incident already covered in the technical support knowledge base?

(Screenshots: Webinars, Opening an incident)

Verification of the configuration

Before creating an incident with technical support, you are advised to check the
firewall configuration first. A few general questions you need to ask:

• Is the module in question enabled?
• Do logs reflect events?
• Does the active filter policy allow the related traffic?
• Do the objects used in this module have the expected values?
• Is there a routing operation for this traffic?
• Is there a higher routing priority that applies before the one expected?
• Which new event may have caused this change in behavior?
• …

Documents and knowledge base

Comprehensive documentation is available on https://mystormshield.eu. In this
secure-access area, you will also find technical notes explaining how to set up the
various features. User guides for the SN administration suite, as well as full
descriptions of the GUI menus, are available at http://documentation.stormshield.eu
covering all supported versions.


On the main page of technical support's knowledge base, a section named "Online
training" lists the courses conducted by members of the support team on the various
features.

The main goal of the knowledge base is to catalog well-known issues or tips on how
to configure the firewall. Use the search field or the section Categories to find
articles you need.

A category called "Opening an incident" provides a list of useful troubleshooting
information based on the type of issue encountered (example: Opening an incident:
High availability).

Once you have identified the type of information you need to provide, you can log in
to your client area (https://mystormshield.eu) to open a case.

For more details on how to access technical support, refer to the documents
"Getting Started with STORMSHIELD Support" and "Technical support charter"
found in the "Operational" section of the Documentation / Document base menu in
your "mystormshield" area.


ESSENTIAL ELEMENTS
TROUBLESHOOTING

Program

✔ Introduction
✔ Before creating an incident
➔ Essential elements
Additional information
Access to the firewall


ESSENTIAL ELEMENTS

• Technical report when the issue occurs
• Configuration backup
• Network diagram
• Detailed description of the issue

SSH mode:
• sysinfo > /log/sysinfo
• sysinfo -a > /log/sysinfo-a

CLI mode:
• system information > /log/sysinfoCLI

Technical report

The technical report (also called sysinfo or system report) is the most crucial element
required by the support team for any incident. It is a shell script that executes a set
of commands on the firewall, which provides a lot of information on the status of
the firewall when the report was generated.

There are several ways to obtain this report:
• In Configuration ⇒ System ⇒ Maintenance ⇒ Configuration tab ⇒
Download the system report,
• In SSH mode via the command sysinfo,
• In CLI mode via the command system information.


In SSH mode, the sysinfo command can display additional sections if you add the
relevant option. The output of the sysinfo help command follows:

sysinfo -h
sysinfo [-arp] [-ndp] [-host] [-conn] [-raid] [-proxy] [-global] [-smart] [-time] [-sysctl] [-vmstat] | [-a]
-arp: add ARP table
-ndp: add NDP table
-host: add ASQ host table
-conn: add ASQ Connection table
-raid: add RAID information
-proxy: add PROXY information
-global: add GLOBAL information
-smart: add SMART information
-time: display time objects information
-sysctl: display sysctl information
-vmstat: display vmstat information
-a: add all optional information

Configuration backup

The backup of the configuration serves two purposes. First, it shows the active
configuration used and the features potentially involved when the incident occurred.
This helps STORMSHIELD's support to identify any mistakes in the configuration.
The second role of a configuration backup is to reconstruct an environment similar
to yours in an attempt to reproduce the problem while allowing changes to be made
to the configuration without disrupting production.

Network diagram

A diagram of the network will provide a view of the environment in which the
firewall was installed. Interoperability with other devices may sometimes be the
cause.

Detailed description of the issue

Information on the issue encountered is easy to gather: the steps involved to
reproduce the incident, the protocols used, the hosts affected by the incident, their
operating system and the versions of the software they use. Unfortunately, most of
the time it is not provided. Feel free to provide all of these details as soon as you open
the incident.

A detailed description will allow support to quickly diagnose the issue and avoid
misunderstandings, ambiguity or the wrong interpretation of the conditions under
which the problem arose.


ADDITIONAL
INFORMATION
TROUBLESHOOTING

Program

✔ Introduction
✔ Before creating an incident
✔ Essential elements
➔ Additional information
Access to the firewall


ADDITIONAL INFORMATION

• Logs that cover a test period
• Activity reports
• SSH mode:
less /log/l_alarm
id=firewall time="2014-07-23 15:29:03" fw="U70SXA00000" tz=+0200 startime="2014-07-23 15:29:02" pri=4
confid=00 srcif="Ethernet0" srcifname="out" ipproto=icmp icmptype=3 icmpcode=10 proto=icmp src=64.1.2.3
srcname=public.ip.test srcmac=00:01:02:03:04:05 dst=172.21.3.1 dstname=Firewall_bridge_out ipv=4
action=block msg="Message ICMP invalide (no TCP/UDP linked entry)" class=protocol classification=0 alarmid=67


Logs that cover a test period

Logs (or events) show why a packet is blocked, so it helps to monitor them when the
issue occurs.
There are several ways to view events in real time in the monitoring tab:
• Logs that specifically capture the incident
• Activity reports

When you create a ticket with support, provide the logs that cover the test/issue
period. All log files are saved in the /log partition and named according to the format
l_<category_name> (for example l_alarm or l_connection).
To send these files to support, transfer them via SCP to your workstation and attach
them to the current ticket.
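As an added example (not code from the course or from the SNS product), the small parser below reads the key=value format of the l_alarm line shown above and filters entries by the time= field, which is what "logs that cover a test period" amounts to once the file has been copied off the firewall. The first sample line is the page's own; the two others are constructed in the same format, and the period boundaries are constructed values.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample. The first entry is the l_alarm line shown above; the next two
# are made up in the same key=value format to exercise the period filter (they are not
# real SNS output).
SAMPLE_L_ALARM = [
    'id=firewall time="2014-07-23 15:29:03" fw="U70SXA00000" tz=+0200 '
    'startime="2014-07-23 15:29:02" pri=4 confid=00 srcif="Ethernet0" srcifname="out" '
    'ipproto=icmp icmptype=3 icmpcode=10 proto=icmp src=64.1.2.3 srcname=public.ip.test '
    'srcmac=00:01:02:03:04:05 dst=172.21.3.1 dstname=Firewall_bridge_out ipv=4 '
    'action=block msg="Message ICMP invalide (no TCP/UDP linked entry)" class=protocol '
    'classification=0 alarmid=67',
    # constructed: same alarm from the same source 38 seconds later
    'id=firewall time="2014-07-23 15:29:41" fw="U70SXA00000" tz=+0200 pri=4 confid=00 '
    'srcif="Ethernet0" srcifname="out" ipproto=icmp icmptype=3 icmpcode=10 proto=icmp '
    'src=64.1.2.3 dst=172.21.3.1 ipv=4 action=block '
    'msg="Message ICMP invalide (no TCP/UDP linked entry)" class=protocol '
    'classification=0 alarmid=67',
    # constructed: same alarm from another source, outside a 15:00-15:59 test period
    'id=firewall time="2014-07-23 16:02:10" fw="U70SXA00000" tz=+0200 pri=4 confid=00 '
    'srcif="Ethernet0" srcifname="out" ipproto=icmp icmptype=3 icmpcode=10 proto=icmp '
    'src=198.51.100.7 dst=172.21.3.1 ipv=4 action=block '
    'msg="Message ICMP invalide (no TCP/UDP linked entry)" class=protocol '
    'classification=0 alarmid=67',
]

# key=value pairs: a value is either a double-quoted string (spaces and parentheses
# allowed, backslash-escaped quotes tolerated defensively) or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
TIME_FMT = "%Y-%m-%d %H:%M:%S"  # format of the time= field


def parse_line(line: str) -> dict:
    """Split one SNS log line into a dict of field name -> value (quotes removed)."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def in_period(fields: dict, start: str, end: str) -> bool:
    """True when the entry's time= field lies within [start, end] (both in the log's own format)."""
    ts = datetime.strptime(fields["time"], TIME_FMT)
    return datetime.strptime(start, TIME_FMT) <= ts <= datetime.strptime(end, TIME_FMT)


def blocked_alarms(lines, start: str, end: str) -> dict:
    """Count blocked alarms per (alarmid, src) during the test period: the view that
    lets a ticket be correlated with a reproduction window."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f.get("action") == "block" and "time" in f and in_period(f, start, end):
            counts[(f.get("alarmid"), f.get("src"))] += 1
    return dict(counts)


if __name__ == "__main__":
    # On a copy of the real file, replace SAMPLE_L_ALARM with open("/log/l_alarm").
    period = ("2014-07-23 15:00:00", "2014-07-23 15:59:59")
    for (alarmid, src), n in blocked_alarms(SAMPLE_L_ALARM, *period).items():
        print(f"alarmid={alarmid} src={src}: {n} blocked")
```

The time= field carries no zone, so the tz= field has to be taken into account when the test period was noted on a workstation in another zone; the example compares wall-clock strings in the firewall's own zone, as the log records them.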


ADDITIONAL INFORMATION

• Enabling verbose mode on the module in question
• Providing the coredump file if the daemon unexpectedly reboots
• Capturing frames simultaneously on affected interfaces to binary files (text
format not allowed!)
• Example of syntax to capture access to the website www.stormshield.eu in HTTP:
tcpdump -ni eth0 -s0 -w /log/out.pcap host 91.238.220.14 and port 80
tcpdump -ni eth1 -s0 -w /log/in.pcap host 91.238.220.14 and port 80

Enabling verbose mode on the module in question

When verbose mode is enabled, you can analyze the processes that a module runs,
based on the packets it receives. This is a way to check whether the behavior of the
module complies with its intended purpose.
When illegal behavior is detected, support will report such information to the R&D
department. In this case, you will be given a "fix request" number in your ticket. This
number will also appear in the release notes of the version in which a fix has been
included.

Find out how to implement verbose mode under the Verbose mode category of the
knowledge base on https://mystormshield.eu.

Coredump files

If a daemon restarts unexpectedly, a coredump file (state of the memory during
restart) will be generated. Coredump files are stored in the /log/crash directory.
Simply provide technical support with the corresponding file inside your current
ticket so that it can be analyzed.
E.g.: tproxyd.core


Traffic captures

The FreeBSD operating system has by default a command that can capture traffic
going through the firewall's interfaces: tcpdump.
When the incident relates to traffic that goes through the firewall, frames must be
captured simultaneously on the network interfaces that such traffic passes through.
The -w option of the tcpdump command saves the results of the capture in a binary
file that can be used later with a frame analyzer such as Wireshark (frame captures
in text format provide too little usable information, unlike the binary format, which
contains detailed data about each layer).
The -s0 option captures each frame in full instead of truncating it, which provides
comprehensive information about the application layers and also makes it possible
to verify checksums (IP, TCP, UDP, etc.).

The general syntax of a tcpdump command is:

tcpdump -[ne]i <interface> [options] [filters]


ACCESS TO THE
FIREWALL
TROUBLESHOOTING

Program

✔ Introduction
✔ Before creating an incident
✔ Essential elements
✔ Additional information
➔ Access to the firewall


ACCESS TO THE FIREWALL

• Access to SSH or the GUI in HTTPS
• Access to an internal host

SSH access or GUI (HTTPS)

Technical support may need access to the firewall via an SSH connection or the GUI.
This will make it easier to retrieve information or observe incidents in real time and
then capture the corresponding traffic with all the necessary options.

To enable SSH access, you must confirm that:
• SSH is enabled. This can be done in Configuration ⇒ System ⇒
Configuration ⇒ Firewall Administration tab.
• A filter rule allows technical support's public IP address to contact one
of your firewall's public IP addresses on the listening port of your SSH
service.

To enable GUI access, you must confirm that:
• Technical support's IP address belongs to the list of hosts allowed to
manage the firewall. This list is available in Configuration ⇒ System ⇒
Configuration ⇒ Firewall Administration tab.
• The implicit filter rule to access administration pages has been enabled or,
alternatively, that an explicit rule allows technical support's IP address to
contact one of the public IP addresses of your firewall on the listening port of
the administration interface.


Access to an internal host


When the issue occurs only for a specific host on your internal network or an
operating system in particular, support may request access to this host. As a result,
you may be asked to set up port redirection in your NAT rules or provide access to
the workstation using remote control tools such as TeamViewer.

VIRTUAL LABS


473
Virtual labs

ARCHITECTURE

(Diagram of the lab architecture. Trainee A: graphical virtual machine (virtual
machine provided by Stormshield or physical host), firewall with 192.168.1.254,
172.16.1.254 and 192.36.253.10, Debian virtual machine with DNS 172.16.1.10,
WEB 172.16.1.11, FTP 172.16.1.12 and MAIL 172.16.1.13. Trainee B: graphical
virtual machine (virtual machine provided by Stormshield or physical host), firewall
with 192.168.2.254, 172.16.2.254 and 192.36.253.20, Debian virtual machine with
DNS 172.16.2.10, WEB 172.16.2.11, FTP 172.16.2.12 and MAIL 172.16.2.13. WAN
gateway 192.36.253.1.)

Lab exercises will be carried out in VirtualBox. The platform for these exercises is
presented above, consisting of two sites (Trainee A and Trainee B) linked up with each
other via an external network "192.36.253.0/24".

Each site has a virtual SNS firewall (EVA1) and a Debian virtual machine (abbreviated as
VM) that embeds four servers (DNS, WEB, FTP and MAIL).
A graphical client machine, to which a user account has been assigned and allows
Internet access, makes it possible to change network parameters.
The trainee is free to choose the graphical virtual machine:
• Virtual machine provided by Stormshield (recommended): all exercises can be done
in fully virtualized configuration mode, which simplifies the network configuration
with VirtualBox and offers the possibility of assigning a graphical virtual machine to
each site.
• Trainee's host workstation (not recommended): the network configuration must
allow the host workstation to act as a PC on either Network A or B.

Two private networks are configured on each site: IN "192.168.x.0/24" and DMZ
"172.16.x.0/24". The Debian virtual machine is connected to the DMZ private
network.

NOTE: On all firewalls, the password of the "admin" user is "admin".


FULLY VIRTUALIZED CONFIGURATION

(Diagram: Trainee A with Internal Networks LAN_DMZ1_A (Debian) and LAN_IN_A;
Trainee B with Internal Networks LAN_DMZ1_B (Debian) and LAN_IN_B; both
firewalls connected to the NatNetwork.)

The network configuration of virtual machines is described in the illustration above.
It allows the user to access the web interface of the SNS firewall on the site from the
graphical client VM deployed by OVA, and also allows firewalls to connect to the
Internet via the "NatNetwork" interface.

NOTE: The NatNetwork VirtualBox network must be created and configured before
starting the virtual machines.
The Internal Networks are deployed by importing OVAs.

REQUIREMENTS: The full virtual infrastructure described above requires at least 11.5
GB of disk space (the VMs provided have dynamic disk allocation) and 4.2 GB of
RAM. Use a host with at least 8 GB of RAM for best results.


VIRTUAL CONFIGURATION + PHYSICAL HOST

(Diagram: Trainee A with Internal Network LAN_DMZ1_A (Debian) and VirtualBox
Host-only Ethernet adapter #2; Trainee B with Internal Network LAN_DMZ1_B
(Debian) and VirtualBox Host-only Ethernet adapter #3; both firewalls connected to
the bridged adapter (physical Ethernet interface).)

The network configuration of virtual machines is described in the illustration above.
It allows the user to access the web interface of the SNS firewall on the site from the
physical workstation. After the virtual machines are restarted, the Virtual Host-only
Ethernet Adapter #X on the site that we are using may not be disabled.
The configuration also allows firewalls to connect to the Internet via the "Bridged
adapter" interface.

NOTES:
• All "Virtual Host-only Ethernet Adapter #X" VirtualBox interfaces must be created
and configured before starting the virtual machines.
• In the following lab exercises, the public network behind the bridge interface
replaces the network 192.36.253.0/24; on this network, every firewall must
have an IP address, and the physical network card must not have a default
gateway (otherwise, the physical host will use this gateway instead of going
through one of the firewalls, and a firewall will need to be created for each virtual
Host-only Ethernet adapter).
• Since Stormshield provides a VM that allows you to do all lab exercises in full
virtualization mode, we will not explain the use of the physical host in this
module.

REQUIREMENTS: The virtual infrastructure with a physical host described above
requires at least 7.5 GB of disk space (the VMs provided have dynamic disk
allocation) and 2.2 GB of RAM. Use a host with at least 6 GB of RAM for best results.


Installing and preparing the virtual platform

1. Install VirtualBox.

2. Create the "NatNetwork" interface from VirtualBox in the menu File ⇒
Preferences ⇒ Network ⇒ NAT networks tab, configure it with the WAN
network "192.36.253.0/24" and disable the "Supports DHCP" option.
(Screenshot: Add the network)

3. Only if you are not using the graphical VM provided by Stormshield, create the
two "Virtual Host-only Ethernet Adapter #X" interfaces (X=2-3) from VirtualBox
by clicking on Global Tools ⇒ Host Network Manager ⇒ Create and configure
their IP addresses as follows:
• "Virtual Host-only Ethernet Adapter #2": 10.0.0.10/8
• "Virtual Host-only Ethernet Adapter #3": 10.0.0.20/8
(Screenshot: Add the interface)

4. Import the package named "CSNA-v4-FW-DEBIAN.ova", which contains a firewall
and a Debian VM. In the VirtualBox menu File ⇒ Import Appliance ⇒ select the
checkbox "Reinitialize the MAC address of all network cards". The firewall is in
factory configuration.
5. If you wish to use the graphical VM provided by Stormshield, import the package
"Client_TRAINING_V1.x.ova".


6. Check or configure the network interfaces of the SNS, Debian and graphical
VMs by following the diagram on page 4 (or the diagram on page 5 if you are
using your physical host). These VMs are on Trainee A’s site; rename them
where necessary.

7. Clone each VM by right-clicking on a VM ⇒ Clone. In the wizard that opens,
rename your clone (cloned VMs will be on Trainee B's site) and select the
checkbox "Reinitialize the MAC address of all network cards". On the next page,
select "Full clone" and click on "Clone". Alternatively, instead of cloning
packages, they can also be imported again; the VMs can be renamed after
they are imported.

8. Change the network interfaces for all three VMs: LAN_IN_A and LAN_DMZ1_A
are renamed LAN_IN_B and LAN_DMZ1_B respectively.


9. Start the VMs named "SNS_EVA1_V4_A" and "Graphical_client_A". Open a
session on Client_TRAINING_A (login: user; password: user) and double-click
on the desktop shortcut "network_config.sh", then click on "Run in Terminal".
Since the SNS firewall is still in factory mode, the "sns" option must be enabled.

10. When you run a terminal, you can check whether the IP address of your
network card is correct by using the command "ip address show" (short format
"ip a"), and by pinging 10.0.0.254 (the connection with the SNS is confirmed).

11. Repeat points 9 and 10 with the VMs on site B.


LAB 1: Getting started with the firewall

1. Take a snapshot of each VM before you begin the lab exercises (with Oracle
VirtualBox, take the snapshot when the VM is off).

2. Log in to the web administration interface (trainee firewalls are in factory
configuration).

3. Change your preferences so that you will never be disconnected from the
interface when idle. Preferences are listed in the drop-down menu, which you
can access by clicking on the arrow next to the user name, at the top on the
right side of the header.

4. Set the language (logs and keyboard) and time zone of your firewall. Restart
the firewall to apply the new time zone (icon at the top on the right). Then set
your firewall to the correct time after rebooting.

5. Enable the SSH service with password authentication.

6. Check the validity of your license and any available options, and in the
advanced options, configure a weekly check for the automatic update of your
license.

7. Change the password of the "admin" user (choose a password of at least 8
characters, without special characters). Refresh the password to log in again
and test the new password.

8. Check that local log storage has been enabled on the hard disk of the VM.

9. Back up the configuration and download it on the administration workstation.
Remember to back up the configuration at the end of every lab exercise.

NOTES:

• For each lab exercise to run smoothly, you need to apply the required
configurations to site A, then on Site B.

• If you raise the alarm "Possible attack on capacity" (connection) during a lab
exercise, this means that you have reached the maximum number of connections
allowed by the trainee VM license. When this happens, all new connections will
be blocked, so wait for a few minutes until the connection table clears and returns
to normal.


LAB 2: OBJECTS

Note: In the next steps, "x" needs to be replaced with the letter representing the
company A⇒1, B⇒2.

1. Create host and network objects for the other company:

– Remote firewalls (address for external interfaces)

• Example: Fw_B in 192.36.253.20

– Remote networks (address for internal networks)

• Example: Lan_in_B in 192.168.2.0 / 255.255.255.0

2. Add a new TCP-based service called "email" operating over port

3. Create an object named "pc_admin" using the address 192.168.x.2

4. Create an object named "srv_dns_priv" with the IP address 172.16.x.10

5. Create an object named "srv_web_priv" with the IP address 172.16.x.11

6. Create an object named "srv_ftp_priv" with the IP address 172.16.x.12

7. Create an object named "srv_mail_priv" with the IP address 172.16.x.13

8. Create a group of objects containing the four servers created earlier.

9. If the default DNS servers (dns1.google.com and dns2.google.com) configured
on the firewall cannot be reached at your location, replace them with the
appropriate DNS servers.

Bonus:

• Export the objects database into a CSV file.

• Based on the format of this file, create another CSV file containing two host
objects:

• "srv_ftp_pub": 192.36.253.x2

• "srv_mail_pub": 192.36.253.x3

• Import the file created in the network object database.


LAB 3: Network configuration

For the remaining lab exercises, you must select and enable the filter policy (10) Pass
all in the menu CONFIGURATION ⇒ SECURITY POLICY ⇒ Filter - NAT that will allow
all traffic through or from the firewall.

• Interface configuration:
1. Configure your firewall's OUT, DMZ1 and IN interfaces as follows:

• OUT: 192.36.253.x0/24

• DMZ1: 172.16.x.254/24

• IN: 192.168.x.254/24

2. If you are using the VM Client_TRAINING_x, double-click on the desktop
shortcut network_config.sh, and choose the letter corresponding to the
company. If you are using your physical host, configure the network interface
Virtual Host-only Ethernet Adapter #2 or #3 on your workstation as follows:

• IP address: 192.168.x.2/24

• Default gateway: 192.168.x.254

• DNS server: 172.16.x.10

• Routing configuration:
1. Configure the default gateway of your firewall "192.36.253.1".

2. Configure static routing on your firewall to enable your workstation
Client_TRAINING_x to contact the internal network "192.168.x.0/24" of the
remote company.

• Configuration of the DNS proxy cache:

Enable the DNS proxy cache. The DNS proxy cache is not covered in the course, but it
must be used during these lab exercises to enable the proper resolution of DNS
names. The next page gives details on this option and how to configure it.


The firewall intercepts DNS requests heading to the Internet, and queries its own
DNS servers (configured in lab 2, point 9).

If the requested name is in its cache, the firewall will respond directly to the request
based on the information that it has.

This technique will be covered in the appendices of the network configuration.

Apply the following configuration:

• Go to CONFIGURATION ⇒ Network ⇒ DNS proxy cache and enable the DNS
cache.

• The object allowed to use this cache is your DNS server on the DMZ (172.16.x.10).
Add it to the "List of clients allowed to use the DNS cache".


LAB 4: Address translation

[Diagram: Company A private networks Network_in 192.168.1.0/24 (firewall interface
192.168.1.254) and Network_dmz1 172.16.1.0/24 (172.16.1.254) behind firewall A,
external address 192.36.253.10; Company B private networks Network_in 192.168.2.0/24
(192.168.2.254) and Network_dmz1 172.16.2.0/24 (172.16.2.254) behind firewall B,
external address 192.36.253.20; both firewalls sit on the inter-company public
network 192.36.253.0/24, whose gateway is 192.36.253.1.]

For this lab exercise, we will consider the inter-company external network a public network in which
no private IP addresses are allowed.
1. Disable static routes added in the previous lab exercise.
2. Copy the filter/NAT policy (10) Pass all to an empty policy that should be renamed "company_X"
(replace X with the letter representing the company). Next, enable this policy.
3. Add a NAT rule so that your internal networks can access the Internet without revealing their
private IP addresses. Next, test access to the external network and Internet access from your
workstation.
4. You have two additional public IP addresses "192.36.253.x2" and "192.36.253.x3" reserved
respectively for your FTP and MAIL servers in the DMZ. Add static NAT (bimap) rules that make
it possible to reach each server from the external network using its public IP address.
5. Add a port-based static NAT rule so that your Web server in the DMZ can be reached via a port
redirection through the public IP address of your firewall "192.36.253.x0".
6. Log the NAT rules for incoming traffic. Logging can be enabled in the options section of the NAT
rule.
7. With the other company, test access to all the resources (the mail server can be tested using a
telnet command) and confirm that the requested rules have indeed been logged.
Bonus:
• Add a NAT rule so that internal hosts can access your servers in the DMZ without revealing their
private IP addresses.
• What are the advantages and disadvantages of translating addresses from your internal network
to your DMZ, which is itself an internal network?


LAB 5: Filtering

In the filter/NAT policy "company_X", in the filtering tab, delete the Pass any any any
filter rule and add the rules that comply with the following specifications (use
separators indicating the role of each rule):

Internal traffic:

1. Your internal network must be able to access servers in the DMZ (DNS, web –
ports 80 and 808 for webmail – FTP and SMTP).
Outgoing traffic:

2. Your internal network must be able to browse Internet websites in HTTP and
HTTPS, except for South Korean websites (test with www.visitkorea.or.kr).
3. Access to https://www.cnn.com must be blocked from the internal network,
by using an FQDN object.
4. A new trainee in the company is prohibited from making any FTP requests. The
IP address of his host (pc_200) is 192.168.x.200.
5. Your internal network should be able to contact the other company's FTP and
web servers.
6. Your internal network must be able to ping any destination.
7. Only your internal DNS server (172.16.x.10) is allowed to resolve to the
outside.
8. Your mail server can send messages to the servers published by the other
company.
Incoming traffic:

9. The other company can contact your Web and FTP servers; these events must
be logged.
10. The mail server of the other company is allowed to send messages to your mail
server.
11. The other company is allowed to ping your firewall's external interface; this
type of event must raise a minor alarm.
12. The other company can connect to your firewall via the web interface and in
SSH. This type of event must raise a major alarm.


13. Test outgoing traffic and make the other company test incoming traffic. When
accessing the logs, confirm that:

• Each traffic type is handled by the corresponding filter rule,

• Alarms for the requested rules are logged and raised.

NOTE: You can use the webmail service to send and receive e-mails in SMTP; the
following information is needed for configuration (replace x with the letter
representing the company: a, b):

• SMTP server: mail.x.net
• Web access server: http://172.16.x.11:808
• Login: user
• Password: user


LAB 6: Content filtering (HTTP and HTTPS)

1. Select the built-in URL database.

2. Identify the categories in which the following URLs are classified:
www.twitter.com, www.home.barclays and www.mozilla.org.

3. Customize the block page of your choice with your company logo. This page
will be displayed for all banned HTTP websites. You can test your block page on
an HTTP website: http://perdu.com.

4. Configure a URL filtering policy and an SSL filtering policy which allow access to
all websites except the websites that you have classified above, online
shopping sites and news websites. However, make sure the www.bbc.com site
remains reachable.

5. Attempt to access the website www.cnn.com and then www.euronews.com.
Why does the SSL traffic reject page not appear for www.cnn.com?


LAB 7: Authentication

1. Start the LDAP wizard and create an internal LDAP database:

▪ The organization name is companyX, and the domain is "fr".

▪ Enable authentication profile 0 (internal) and user enrollment on the
IN interface.

▪ Test access to the captive portal via https://192.168.x.254/auth.

2. Create a user John Smith:

▪ Login: jsmith

▪ Password: password

▪ E-mail address: jsmith@companyX.com

3. Using the enrollment function, create a user "Peter Wood" with the
password: pwood1

4. Adapt the filter policy so that all users are redirected to the captive portal
when trying to access websites, except sites in the News category.

5. Test the access to a site in the news category using HTTP and confirm the
redirection to the captive portal for any other site using HTTP not
belonging to this category.

6. Amend the filter policy to allow pings to be sent from your internal
network to only John Smith. This rule must always raise a minor alarm.

7. Give John Smith monitoring privileges on the firewall.

8. Log in to the firewall using the account "jsmith" and confirm access to
various menus. Test the authentication of this account on the captive
portal as well.


LAB 8: IPSec VPN (site to site)

1. Reactivate the filter policy "(10) Pass all" on your firewall.

2. Set up an IPsec tunnel with PSK authentication to connect your internal network
"192.168.x.0/24" to the other company's network, using the default encryption
profiles (StrongEncryption).

3. Generate traffic corresponding to traffic endpoints and track the steps in the
negotiation of the tunnel and tunnel activity from logs and the corresponding
monitoring menu.

4. Change your IPSec policies to connect both your internal networks (IN + DMZ)
with the other company's internal networks (IN + DMZ).
▪ Enable the keepalive function for both tunnels.
▪ Determine the number of negotiated tunnels in monitoring.

5. After confirming that your tunnels function, reactivate the filter policy
"company_x" and add the rules to allow remote hosts to contact and ping your
FTP server.

6. Create the following encryption profiles:
▪ IKE Phase 1: Diffie-Hellman (DH14 MODP), Maximum lifetime (21600s),
authentication algorithm (sha2_256) and encryption algorithm (AES 256bits).
▪ IPSEC Phase 2: PFS (DH14 MODP), Lifetime (3600s), authentication
algorithm (hmac_sha256) and encryption algorithm (AES 256bits).

7. Apply your new encryption profiles to your VPN, then check whether everything
is running properly.

8. Interconnect these networks, but this time by configuring tunnels based on VTIs.


LAB 9: SSL VPN

1. The OpenVPN client is installed on the graphical VM provided by Stormshield.
Configure the firewall so that users who log in from the external network can
access your IN and DMZ internal networks:
• The network allocated to SSL VPN users is named Net-SSLVPN with
the value 172.31.x.0/24.
• The DNS server announced to the client corresponds to the host srv-dns.

2. Grant the SSL VPN privilege to John Smith.

3. Filtering:
• Allow all users (authenticated and unauthenticated) on your network to
access the other company's firewall in HTTPS.
• Allow the network Net-SSLVPN to access internal networks.

4. Retrieve the file "SSL VPN profile for mobile OpenVPN Connect clients" (single
.ovpn file) through the captive portal over the public IP address of the other
company. It is downloaded by default in /home/user/Downloads; open a
terminal and type the following commands:
su -
cd /home/user/Downloads
openvpn openvpn_mobile_client.ovpn

An error may occur during the addition of a route if the pushed route already
exists, but this does not prevent the tunnel from being set up.
On a second terminal, look up your routing table to see which routes have
been added on the client, using the command ip route show.

5. Look up the list of authenticated users in ASQ as well as logs relating to SSL
VPN on the firewall side.

6. Confirm access to the various servers on the DMZ and ping the internal IP
address of the firewall on the LAN.

7. Close the tunnel from the first terminal using [CTRL+C].

Bonus:

1. Modify the SSL VPN configuration to provide access to the object "Any".

2. Add rules (NAT + filter) allowing the network Net-SSLVPN to access the Internet
once the tunnel has been set up.

3. Add a URL filter policy so that access to only sites in the "Information Security"
and "News" groups is allowed.

VIRTUAL LABS - SOLUTIONS

491
Virtual lab exercises - Solutions

LAB 1: Getting started with the firewall


1. In Oracle VirtualBox, right-click on the running VMs, select "Close", then "ACPI
shutdown". For each highlighted VM, click on "Snapshots", then "Take"; you can
name it "Init" for example.

2. After you have restarted the VMs, run the script again on the graphical VMs,
because the IP configuration pushed on these machines does not persist after a
reboot. In a Chromium browser, enter the URL https://10.0.0.254/admin.
3. Click on the name of the user, then on "Preferences" (top right - icon with a key
and screwdriver), then select the value "Always stay connected" in the line "log
off when idle".
4. Language and time zone: click on the menu System => Configuration in the
menu on the left. Start with the configuration of the time zone, as the
firewall must be rebooted after this change is made. Later on, you can check the
date and time (and synchronize them with the date and time on your machine) and
the language of messages generated by the firewall in the General configuration
tab.
5. SSH can be enabled in the menu System => Configuration => Firewall
administration tab by selecting Enable SSH access and Allow passwords.
6. Details of the license can be viewed in the menu "System => License" in the
menu on the left. In advanced properties, enable the automatic installation of
the license.
7. The password can be changed in the menu System => Administrators =>
ADMIN account tab.
8. You can check whether local log storage has been enabled in the menu
Configuration => Notifications – Logs – Syslog - IPFIX.
9. The configuration can be backed up in the menu "System => Maintenance => Backup
tab".


NOTE: All solutions show Trainee A's configuration.

LAB 2: OBJECTS

To add required objects, go to the menu Configuration => Objects => Network
objects. Next, add the requested objects using the Add button. Ensure that you use
appropriate object types (network objects for networks, host objects for firewalls,
etc). You can use the Create and duplicate button to create objects of the same type.

For the DNS servers on the firewall, go to the Configuration => System =>
Configuration => menu, Network settings tab=> List of DNS servers used by the
firewall. Delete the two objects in the list, then add objects with the IP addresses of
the DNS servers configured on your physical host, by using the Add button.

Bonus
Use the Import and Export buttons to modify the objects database from a CSV file. If
you encounter issues during the import, encode the files in UTF-8 with Unix (LF)
carriage returns. The imported file is in /home/user/Downloads. Use it as a base to
create the file to import, for example:

Check whether there are the two objects created in the objects database after the
import:


LAB 3: Network configuration

• Interfaces configuration

1. Interfaces can be configured in the menu Configuration => Network =>
Interfaces, by removing the Ethernet interfaces from the bridge interface.
2. After you change the IP address of your client host, log in to the firewall again
at https://192.168.x.254/admin.
• Routing configuration
1. The default gateway can be configured in the menu (Configuration => Network
=> Routing => IPv4 static routes tab).
2. To contact the LAN of the other company, you need to create a static route in
the same tab, as follows:

• Configuration of the DNS proxy cache:

• DNS servers can be configured in the menu Configuration ⇒ Network ⇒ DNS
proxy cache.


LAB 4: Address translation

Disable the static routes to the remote networks (menu Configuration => Network =>
Routing => Static route tab). If you have not done the Objects bonus lab exercise,
create two new objects that will then be used in your NAT rules: srv_ftp_pub =
192.36.253.x2 and srv_mail_pub = 192.36.253.x3. To build up your policy, go to the
menu "Security policy => Filtering - NAT". Copy the policy (10) Pass all to an empty
one by clicking on Edit then Copy to. From the drop-down menu, select the
appropriate policy, click on Edit then Rename. Add the following NAT rules:

As you can see, the dynamic NAT rule was placed after the static NAT rules. If this is
not the case, FTP and SMTP servers that attempt to access the Internet would get
the public IP address of the firewall after translation instead of their dedicated public
IP addresses. The instructions in the specifications given during the lab exercise were
therefore inaccurate.
Do not forget to enable the policy and confirm access with the other company.
Logged NAT rules can be found in Monitoring => Audit logs => Filtering.
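As an added illustration of the rule-order point above (example code written for this edit, not Stormshield's NAT engine), the following Python model evaluates the Lab 4 rules first-match for company A (x = 1). The rule names, the assumption that a dynamic rule matches any private source, and the "Internet" test (any non-private destination) are simplifications made here:

```python
"""Minimal first-match model of the Lab 4 NAT policy (added example, not Stormshield code).
Object values follow the lab conventions for company A (x = 1); rule names are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

X = 1
FW_PUB = f"192.36.253.{X}0"                        # public IP of the firewall (OUT interface)
PRIVATE = [ip_network(f"192.168.{X}.0/24"),        # Network_in
           ip_network(f"172.16.{X}.0/24")]         # Network_dmz1


@dataclass
class NatRule:
    name: str
    kind: str                      # "bimap" (static 1:1), "redirect" (port-based static) or "dynamic"
    priv: Optional[str] = None     # bimap / redirect: private host address
    pub: Optional[str] = None      # bimap / redirect: public address it is reached through
    port: Optional[int] = None     # redirect only: TCP port forwarded


def is_private(ip: str) -> bool:
    return any(ip_address(ip) in net for net in PRIVATE)


def outgoing(rules, src: str, dst: str):
    """Source translation of a packet leaving the private networks; first matching rule wins."""
    if is_private(dst):                      # internal <-> DMZ traffic: the bonus rule stays disabled
        return None, src
    for r in rules:
        if r.kind == "bimap" and src == r.priv:
            return r.name, r.pub
        if r.kind == "dynamic" and is_private(src):
            return r.name, FW_PUB            # masquerade behind the firewall's public address
    return None, src


def incoming(rules, dst: str, dport: int):
    """Destination translation of a packet arriving from the external network."""
    for r in rules:
        if r.kind == "bimap" and dst == r.pub:
            return r.name, r.priv, dport     # a bimap forwards every port to the private host
        if r.kind == "redirect" and dst == r.pub and dport == r.port:
            return r.name, r.priv, r.port
    return None, dst, dport


def shadowed_bimaps(rules):
    """Names of bimap rules placed after a dynamic rule: their servers would leave with FW_PUB
    instead of their dedicated public address, the mistake discussed in the solution."""
    seen_dynamic, shadowed = False, []
    for r in rules:
        if r.kind == "dynamic":
            seen_dynamic = True
        elif r.kind == "bimap" and seen_dynamic and is_private(r.priv):
            shadowed.append(r.name)
    return shadowed


BIMAP_FTP = NatRule("NAT_ftp_bimap", "bimap", f"172.16.{X}.12", f"192.36.253.{X}2")
BIMAP_MAIL = NatRule("NAT_mail_bimap", "bimap", f"172.16.{X}.13", f"192.36.253.{X}3")
REDIRECT_WEB = NatRule("NAT_web_redirect", "redirect", f"172.16.{X}.11", FW_PUB, 80)
DYNAMIC = NatRule("NAT_dynamic", "dynamic")

CORRECT_ORDER = [BIMAP_FTP, BIMAP_MAIL, REDIRECT_WEB, DYNAMIC]
WRONG_ORDER = [DYNAMIC, BIMAP_FTP, BIMAP_MAIL, REDIRECT_WEB]

if __name__ == "__main__":
    ftp, remote_fw = f"172.16.{X}.12", "192.36.253.20"
    print("correct order:", outgoing(CORRECT_ORDER, ftp, remote_fw))   # ('NAT_ftp_bimap', '192.36.253.12')
    print("wrong order:  ", outgoing(WRONG_ORDER, ftp, remote_fw))     # ('NAT_dynamic', '192.36.253.10')
    print("shadowed bimaps:", shadowed_bimaps(WRONG_ORDER))
    print("web from outside:", incoming(CORRECT_ORDER, FW_PUB, 80))
```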
Bonus:

• The NAT rule that allows access to servers in the DMZ without revealing the
private IP address is disabled in the example above, and must remain disabled for
the rest of the lab exercises.

• If you enable it, the firewall that processes the rule will use more resources and
slow down performance (since it needs to keep the NAT table up to date).
However, if an attacker took over control of one of your servers in the DMZ, they
would not be able to find out the IP address of the local network by capturing
packets that originate from it because they have been translated.


LAB 5: Filtering

First you need to create a host object named "pc_200" with the IP address
192.168.x.200.
To build up your filter policy, go to the menu "Security policy => Filtering - NAT".
Next, add the following policy:

All traffic is logged with this policy, with rules set to Pass for TCP/UDP, and Pass or
Block for ICMP packets in verbose mode.
To allow the other company to connect to your firewall via the web interface, its public
IP address needs to be added in the section Access to the firewall's administration pages
in the menu System => Configuration => Firewall administration tab (so no alarm for
this specific type of traffic).

NOTE: Rule 13 (Q7_allow-dns_resolv) is unnecessary because name resolution was already
configured with the DNS proxy cache (implicit rule) to allow only the DNS server in your DMZ
to resolve names.


LAB 6: Content filtering (HTTP and HTTPS)

1. The URL database can be selected in the menu Configuration > Objects > Web
Objects > URL database. Downloading an embedded URL database may take
some time.

2. To determine the groups in which the URLs www.facebook.com,
www.home.barclays and www.mozilla.org will be classified, go to the web
objects menu then enter these values in the "Check URL classification" field.
With the built-in URL database chosen, the listed categories are respectively
Online, Bank, IT and News.

3. The block page can be modified in the menu "Configuration => Notifications =>
Block messages => HTTP block page"

4. While all websites described in the step are in HTTPS, you must still create a
URL filter policy to block requested categories in addition to the SSL filter policy
you need to implement to manage the websites.
Begin by creating web objects in Configuration => Objects => Web objects =>
Certificate name (CN) tab; two custom CN categories must be created:
• A custom category named "White-list", containing the CNs
*.bbc.com/*, *.bbci.co.uk/* and *.bbc.co.uk/*
• A custom category named "Black-list", containing the CNs
*.mozilla.org, *.home.barclays and *.twitter.com

Go to the menu Configuration => Security Policy => SSL Filtering in the slot
SSLFilter_00, and change its contents so that it includes the following policy:


4. As for URL filtering, go to Configuration => Security Policy => URL Filtering in
the slot URLFilter_00, and change its contents so that it includes the following
policy:

Then, modify the filter policy (menu configuration => security policy =>
Filtering and NAT) and change the HTTP and HTTPS rules as follows:

5. The www.cnn.com website has been blocked by a filter rule with an FQDN
object, which blocks HTTP requests without the need for any response to be
sent to the browser. However, the URL filter blocks the www.euronews.com
website if you attempt to access it in HTTP (the block page appears), and the
SSL filter blocks it if you attempt to access it in HTTPS.


LAB 7: Authentication

1. To use an internal LDAP directory, start the LDAP configuration wizard. To do so,
go to the menu "Configuration => Users => Directory configuration". Choose
"Internal LDAP", and fill in the requested fields (select the IN interface for Profile
0 and remember to enable user enrollment for this profile). Test access to the
captive portal via https://192.168.x.254/auth.

2. From the menu Configuration => Users => Users and groups, click on Add user to
add the user whose ID is "jsmith". After you confirm the addition, enter the
password "password".

3. To create the user Peter Wood using enrollment, connect to the captive portal
and click on the New User tab. Fill out the form with the required information
and confirm. On the firewall, go to Configuration => Users => Enrollment =>
Advanced properties, to change the default ID format, and type %f1%l. Confirm
the changes, select the request from user Peter Wood and click on OK.

4. In the filter policy, create the rule to authenticate users if they are not
authenticated. To do so, add an authentication rule before the current rule for
HTTP, which will contain: PASS (+redirect to the authentication service) from
UnknownUser@Network_in to Internet (service http) + Exception for the News
group

5. In a browser, access a news website in HTTP (www.euronews.com for example),
and then another website in HTTP. The captive portal should appear
automatically.

6. To send pings, create a rule respecting the following syntax:

PASS log: Minor from jsmith@Network_in to Any Protocol:ICMP Message: Echo
request (ping)

7. In the menu Configuration => System => Administrators, add an entry for the
user granting him supervision privileges and confirm.

8. Log in to the firewall with a browser (https://192.168.y.254/admin) by using the
jsmith account. Likewise, connect to the captive portal
(https://192.168.y.254/auth) and test authentication with this user.


LAB 8: IPSec VPN (site to site)

1. In configuration => security policy => filter - NAT, select the policy (10) Pass All
and enable it.

2. In the menu "Configuration => VPN => IPSEC VPN => encryption policy –
tunnels => Site-to-site (gateway-gateway)", start the wizard to create a site-to-
site tunnel "add => Site-to-Site tunnel". The wizard will ask you to configure the
traffic endpoints and PSK authentication mode by entering the PSK. The Phase1
encryption profile is selected with the peer parameter IKE Profile in the Peers
tab. The Phase 2 encryption profile is selected with Encryption profile
parameter in the VPN policy.

4. To link up the IN and DMZ networks, two object groups need to be created. The
first contains the local "IN " and "DMZ" networks while the second contains the
"IN " and "DMZ" networks of the remote site. Modify the traffic endpoints of
your VPN policy using the two object groups created. Enable keepalive by
changing its value from 0 to 30.

5. Add the following filtering rules to allow access and ping your FTP server:

The other company will have to add the following policies to access your FTP
server:

6. Encryption profiles can be created in the menu Configuration => VPN => IPSEC VPN =>
Encryption profiles tab. At the bottom left of the window, you can create Phase 1 and
Phase 2 profiles by entering the specified parameters.

7. Change the profile used in phase 2 in Configuration => VPN => IPSEC VPN => Encryption
policy – tunnels, site-to-site tab. The profile for phase 1 can be modified in Configuration
=> VPN => IPSEC VPN => Peers; select your peers and change the IKE profile field.


8. To interconnect both sites using VTIs, follow the steps below on both firewalls by
adapting the IP addresses and networks:

o Create a VTI that has an address in a network other than the networks
configured on the firewall:

o Add the static routes (or policy-based routes) to access the remote
networks via the local VTI and the IP address of the remote VTI:

o Modify the IPSec VPN policy using the IP addresses of VTIs as traffic
endpoints:

o Modify the filter rules to indicate the VTI as the source and destination
interface for traffic sent through the IPSec VPN tunnel.


LAB 9: SSL VPN

1. Create a network object Net-SSLVPN with the value 172.31.x.0/24, then
configure the SSL VPN server in Configuration ⇒ VPN ⇒ SSL VPN. First, enable
the server by selecting Enable SSL VPN. Next, enter the following information
in the sections Network parameters and DNS parameters sent to the client:

• The IP address of the firewall used: 192.36.253.x0 (the IP address of the
out interface),
• Available networks or hosts: Network_internals,
• Network assigned to clients (TCP): enter the network object Net-SSLVPN,
• Domain name: companyx.fr,
• Main DNS server: srv-dns (172.16.x.10).
• Apply the configuration.
In the Configuration ⇒ Users ⇒ Authentication menu ⇒ Captive portal tab,
attach the captive portal's External profile to the out interface.

2. SSL VPN privileges can be assigned to the user created in the authentication lab
exercise via Configuration ⇒ Users ⇒ Access privileges tab ⇒ Detailed access
tab. Apply the following line:

3. Add the following filter rules:

4. On the client side (the other company), open a terminal and perform the
following operations:


4. On a second terminal, type:

5. You can look up the connected user in the Monitoring section of the Users menu,
then in SSL VPN logs in VPN logs.

6. Test access to the other company's web and FTP servers using the servers'
private IP addresses.

Bonus:

1. Go to Configuration ⇒ VPN ⇒ SSL VPN and select the object any for the
parameter Available networks or hosts. You need to download the file named
openvpn_mobile_client.ovpn again on the client side in order to conduct
checks later.

2. Add the following filter and NAT rules:

3. Select a new URL filter policy from the menu Configuration ⇒ Security policy ⇒
URL Filtering. In the Action field of the default Any rule, redirect to a block
page. Add two new rules above with the action pass for the Information
Security and News categories. Apply the configuration. In the menu
Configuration ⇒ Security policy ⇒ Filtering and NAT, select the URL filter policy
that you have just defined in the rule’s security inspection which allows the SSL
VPN network to access the Internet. Apply and activate the filter policy


ADVANCED LABS


504
Advanced Labs

Introduction
This document presents a set of CSNA lab exercises and their solutions, which can be used directly with the virtual
training platform on Institute. This platform is open to all certified users and trainees. However, the infrastructure used
in Lab 1 will be slightly different from the infrastructure used in the CSNA lab exercises, so that all the advanced lab
exercises provided in this document can be covered.

From Lab 2 onwards, exercises will not be related to one another. If any lab exercise uses objects that were not seen
during the course, explanations will be provided.

Requirements
CSNA Lab 1 (getting started with the firewall) completed.


LAB 1: Implementing the infrastructure


Initial network configuration
In a fully virtualized infrastructure, the initial VirtualBox network configuration is:

In the first point of Lab 1 in the CSNA course, trainees had to take a snapshot (named init below) of each machine.
Your Oracle VirtualBox configuration must look like this by the end of Lab 1 (all VMs shut down):

• NatNetwork 192.36.253.0/24:

− Interface 1 on firewall SNS_EVA1_V4_A.

− Interface 1 on firewall SNS_EVA1_V4_B.

• Internal network LAN_IN_x (where x is either A or B):

− Interface 2 on firewall SNS_EVA1_V4_x.

− Interface 1 on client Graphical_client_x.

• Internal network LAN_DMZ1_x:

− Interface 3 on firewall SNS_EVA1_V4_x.

− Interface 1 on server Debian-Training-Webmail_x.


Final network configuration

1. Add the firewall SNS_TRAINER by fully cloning one of the available firewalls, and assign its three network cards
as follows:

• Interface 1: internal network LAN_INTERCO (to be created).

• Interface 2: physical network card of the host, wired or wireless (in bridge mode), faster than Natnetwork
mode.

• Interface 3: network card of the host Virtual Host Ethernet Adapter#1 (administration).

2. Modify interface 1 on the firewalls SNS_EVA1_V4_x (where x is either A or B) by spreading them out on the
internal network LAN_INTERCO.

3. If you wish to do so, enable interface 4 on the firewalls SNS_EVA1_V4_x and connect it to the network card of
the host Virtual Host Ethernet Adapter#1 (by default on network 192.168.56.0/24). Configure only one IP address and
mask on this network card (no default gateway) - it will only be used for firewall administration from your host.


Network configuration
The table below is based on the assumption that the firewall SNS_TRAINER, bridged on the physical network card of
your host (bridge), obtains its IP address via DHCP. If this is not the case, change its address parameters for Internet
access.

1. Configure the network as follows:

FIREWALL                   SNS_EVA1_V4_A        SNS_EVA1_V4_B        SNS_TRAINER

Firewall_out (external)    192.36.253.10/24     192.36.253.20/24     192.36.253.254/24
Firewall_in                192.168.1.254/24     192.168.2.254/24     DHCP client
                           (internal)           (internal)           (external – Internet access)
Firewall_dmz1 (internal)   172.16.1.254/24      172.16.2.254/24      192.168.56.50/24
Firewall_dmz2 (internal)   192.168.56.10/24     192.36.56.20/24      -

2. On the firewalls SNS_EVA1_V4_x (where x is either A or B), configure the DNS proxy cache as seen in the CSNA
exercises (only the DNS server located on the Debian can resolve to the Internet).

3. On the firewall SNS_TRAINER, configure the DNS proxy cache to allow the network 192.36.253.0/24 to resolve
to the Internet. The firewall's DNS servers must be learned via DHCP, so configure the firewall accordingly.


LAB 2: Embedded reports


1. Enable the following embedded reports:

• Top hosts generating alarms,

• Top users by volume exchanged,

• Top most frequent alarms,

• Top most visited web sites,

• Top most blocked web sites.

LAB 3: DHCP features


1. Configure the DHCP server by setting the parameters below:

• DNS server: srv_dns 172.16.x.10

• A new IP address range from 192.168.x.20 to 192.168.x.50.

• The gateway for this range will be the IP address of the firewall interface connected to your internal
network.

2. Configure your workstation in DHCP client mode to test the IP address assignment.

3. Modify the object admin_pc to associate it with your host’s MAC address.

4. Configure the DHCP server to reserve the IP address of the object pc_admin for your host. The gateway for
this range will be the IP address of the firewall interface connected to your internal network. Test IP address assignment
again on your workstation to confirm that the reservation has been applied.


LAB 4: VLANs and router objects

1. Configure the firewalls SNS_EVA1_V4_x (where x is either A or B), by following the diagram above:
• Disable the OUT interface then create two VLANs (public interfaces) with OUT as the parent interface,
• Apply the following configuration for each VLAN interface:
VLAN_ID    SNS_EVA1_V4_A     SNS_EVA1_V4_B
10         11.1.10.10/24     -
11         11.1.11.10/24     -
20         -                 11.1.20.10/24
21         -                 11.1.21.10/24
2. Configure the firewall SNS_TRAINER by disabling its out interface, and create the four VLANs above on this
interface (IP address ending in .254). Configure its Internet access as well, and use CLI commands to check that it
works:
• system ping host=8.8.8.8
• system nslookup host=www.stormshield.com.
If name resolution is not working with the DNS servers that the firewall uses by default, replace them where necessary
with DNS servers obtained via DHCP.

3. On the firewalls SNS_EVA1_V4_x, check whether the DNS proxy cache is enabled (Lab 1 point 8), with the DNS
server in the DMZ as the only one allowed to resolve (srv_dns_priv). On the firewall SNS_TRAINER, modify the
configuration of the DNS proxy cache so that only VLANs are allowed to resolve.
4. On the firewalls SNS_EVA1_V4_x, configure a router object, which will be your default gateway, directed at the
instructor’s two gateways – 11.1.x0.254 and 11.1.x1.254, in load balancing mode on SNS_EVA1_V4_A, and as a backup
gateway on SNS_EVA1_V4_B.
5. On each firewall, configure the return routes for each link where necessary.
6. On each firewall, copy the Pass all policy in a blank slot and configure translation rules to enable Internet
access.

7. On the firewall SNS_Trainer, configure filter rules to block traffic on VLANs x0 or x1, by leaving these rules
disabled.
8. On the firewall SNS_EVA1_V4_A, test the Internet access in connection-based load balancing mode. In the
monitoring menus, check whether this load balancing mode has been applied by opening the same web page several
times in separate tabs in the browser on your machine GRAPHICAL_CLIENT_A.
9. On the firewall SNS_EVA1_V4_B, test the Internet access in backup gateway mode and check whether the
expected switch takes place when the main link is shut down. This fault can be simulated by enabling the filter rule
Block VLAN_x0 on the firewall SNS_TRAINER.
10. While still in connection-based load balancing mode, test the application of different weights on both links so
that 2/3 of traffic goes through the main link, and check the monitoring menus.

Note:

Before moving on to another exercise, disable VLAN interfaces on each firewall, as well as any return routes that were
created, and enable the out interface again. Replace the router object that was created with a host object
192.36.253.254.


LAB 5: Advanced SMTP application filtering


1. Change the following SMTP filter rules:

• Incoming: with the object Network_out as the allowed source,

• Outgoing: the SMTP server in the DMZ is allowed to reach the public IP address of the neighbor’s SMTP server;
allow Network_in to do so as well,

• In both rules, choose the firewall inspection mode.

2. As Trainee A, test the mail server on the public IP address of B’s SMTP server with Telnet, as shown in the
example below:

telnet 192.36.253.23 25
(server data)
HELO myhostname
(server data)
MAIL FROM: <user@a.net>
(server data)
RCPT TO: <user@b.net>
(server data)
DATA
(server data)
Subject: test1

Legitimate communication from A to B

.
(server data)
QUIT

Commands can be typed in lowercase, but you must:

• not include a space before the colon character (:),

• insert an empty line after the subject line,

• end your input with a line containing only a period (.).

3. Change the Telnet test by using HELLO, which is not recognized in the RFC. What do you observe? Do you see
logs relating to this operation on A’s and B’s firewalls?

4. Repeat the same operation in IDS, then IPS, inspection mode.

5. Implement an incoming SMTP policy on B to:

• prohibit address spoofing on your mail domain,

• prohibit the SMTP server from relaying external messages to your mail domain.

6. Change the Telnet test that Trainee A conducted by using a prohibited e-mail address (source or destination),
e.g. user@b.net as the source or user@c.net as the destination.

7. What logs do you see in Trainee A’s and B’s logs when you attempt this spoofing operation?

8. What if you implemented an outgoing SMTP policy on Trainee A’s firewall?

9. In the incoming filter rule on firewall B, enable the antivirus analysis, then check that the firewall's signature
database is up to date. Next, switch to firewall A and get the text file named eicar.com.txt found on A’s web server.
Using A’s Debian webmail server (http://172.16.1.11:808), send a message to user@b.net with this file as an
attachment and check whether:

• the sender received a non-delivery notification,

• firewall B detected and blocked the viral load.

10. Configure the antispam policy on firewall B based on the following criteria:

• DNS RBL analysis is enabled, and the domain a.net is blacklisted (check that the DNS RBL database is up
to date),

• only level 3 spam is blocked.

11. Enable the antispam policy on B, and switch to Trainee A’s webmail to send a message to user@b.net,
then check whether:

• the sender received a non-delivery notification,

• firewall B detected and blocked spam.


LAB 6: Authentication and temporary accounts


In this scenario, you are holding a training course in your premises, and you need to create a temporary account for each
trainee.

1. Enable the Temporary account authentication method.

2. Create a temporary account:

• First name: John

• Last name: Smith

• E-mail address: jsmith@othercompany.com

• Company: Othercompany

• Valid for: 1 day

3. Create an authentication policy and profile, and configure the captive portal for temporary accounts, which will
log in to Network_in.

4. Enable the display of Internet access conditions.

5. All temporary accounts are logged in to Network_in. Only Internet access to news websites is available to them
with antivirus and URL filtering. The antivirus can be tested on eicar.org, which also has to be allowed, or on one of the
public addresses of site B’s web servers. Test Internet access with John Smith and check the authentication method
shown in monitoring.

6. Change the date on your computer, moving forward by one day, and synchronize your firewall with the date and
time of your workstation. Check the users that appear in the list of temporary accounts.

7. After this test, set your computer back to the right time.


LAB 7: Authentication and sponsorship


You must configure sponsorship so that external users can access resources, after an internal sponsor has confirmed
their requests. As external users arrive from site B, they will connect via the out interface: the sponsored user is on the
host GRAPHICAL_CLIENT_B and the sponsor is on GRAPHICAL_CLIENT_A, so the sponsored user will connect on the out
branch of firewall A.

Before you begin, to ensure that this lab exercise goes smoothly, connect to the Debian server on A and in the command
prompt, type:

sed -i 's/tls=yes/tls=no/g' /etc/postfix/main.cf
/etc/init.d/postfix restart

(The -i option edits the file in place; without it, sed only prints the modified file to the terminal and main.cf is left
unchanged.) Without this step, the SMTP server will not receive e-mail notifications from the firewall.

1. Add static routes to allow users on site B to reach the network lan_dmz1_A.

2. Configure an internal LDAP directory (a.net) and create an account (user) that is allowed to confirm sponsorship
requests.

3. Create an internal authentication policy and profile, and the captive portal for the sponsor, who will log in via the
IN interface.

4. Create an external authentication policy and profile, configure e-mails via SMTP and configure the captive portal
for sponsored users, who will log in via the out interface.

5. As a sponsored user, submit a sponsorship request. As a sponsor, use the user@a.net account found on your
SMTP server to accept sponsored users (use webmail to display your mailbox).

6. Configure rules to allow sponsored users to send pings to the dmz1 on A, and check that the pings are
successful.

7. Force the sponsored user to log out, and ensure that the ping no longer works.


LAB 8: SSL VPN and Site-to-site IPSec VPN


In this exercise, you will configure a topology with an SSL VPN client that will be the user GRAPHICAL_CLIENT_B, who
needs to log in to your SSL VPN server.

You will also set up a site-to-site IPSec VPN tunnel with the instructor’s firewall.

The SSL VPN client must be able to access resources on site A and those available via IPSec VPN on the instructor’s
firewall, according to this path: GRAPHICAL_CLIENT_B => SSL VPN tunnel => firewall A => IPSec VPN tunnel =>
instructor’s firewall => host or local network.

1. Create a loopback interface on the instructor’s firewall, named loopvpn with the IP address 10.255.255.1/32.

2. Configure an IPSec tunnel with Strong encryption profiles and the Keep alive function enabled, according to
the following topology:

• Site A uses the public IP address 192.36.253.10,

• The instructor’s firewall uses the public IP address 192.36.253.254,

• Traffic endpoints are the networks Network_in on site A and Firewall_loopvpn.

3. After you have checked that your IPSec VPN tunnel works, add rules to allow communication between the local
networks chosen as traffic endpoints. Check by pinging 10.255.255.1 from the graphical client on site A.

4. Enable the SSL VPN server on site A to let the SSL VPN client contact all networks (any), and test access to
resources from site B using a user account created in the LDAP directory for this purpose.

5. Configure filter rules to allow the SSL VPN client to ping loopvpn on the instructor’s firewall. Modify the IPsec
VPN topology where necessary.


LAB 9: Routing via VTIs

1. Create the child VLAN interfaces of the out interface on sites A and B. Assign the IP addresses as shown in the
diagram.

Scenario 1: fault tolerance/load balancing with a router object


1. Check whether Internet access functions on sites A and B, and according to which criteria.

2. Create two VPN tunnels between the head office (site A) and the agency (site B) using VTIs (IPpub1_A to
IPpub1_B and IPpub2_A to IPpub2_B).

3. Use a router object at the head office and the agency to reach resources located on the networks of the remote
site, with 50-50 load balancing. Make the necessary changes to the configuration to enable communications.

4. All traffic must be encrypted between the IN and DMZ networks at the head office and the agency.

5. On the instructor’s firewall, simulate an Internet access failure at the head office, and check what impact the
failure had on network traffic between sites A and B. Then, revert to the normal operating mode.

6. Fill in the following table with your observations:

Operational tunnels | Load balancing | Fault tolerance | Advantages of router object | Disadvantages of router object

Scenario 2: fault tolerance/load balancing with Bird static routing


In the graphical interface, you can attempt to add a route to the remote network LAN_IN_x via the interface VTI1. But if
you attempt to add the same route as well via the interface VTI2, the error message Network already declared appears.
This is normal because the graphical interface does not use metrics. We will use Bird to inject in the kernel several static
routes that implement metrics. The Bird project documentation is available at: https://bird.network.cz. Other resources
on Bird static routing are also provided in Appendix 2.


1. Enable Bird dynamic routing. After reading the tests in Appendix 2, create static routes on each site to reach
resources located on the network LAN_IN_x on the remote site. For each test, compare the Bird routing table with the
firewall’s routing table to determine which routes were added.

2. For functional tests, use the instructor’s firewall to simulate an Internet access failure at the head office, for
example by disabling a VLAN interface. Check what impact the failure had on network traffic between sites A and B,
then revert to the normal operating mode.

3. Fill in the following table with your observations:

Load balancing | Fault tolerance | Advantages of Bird static routing | Disadvantages of Bird static routing

Variations of scenario 2
1. From site A, you must allow access not only to the remote network LAN_IN_B 192.168.2.0/24, but also to a
network LAN_IN_B2 192.168.3.0/24 (configure a second IP address for the IN interface on firewall B), without changing
the number of static routes that Bird injected in the system.

2. Set up the configuration to observe the results, and indicate your conclusions.


Scenario 3: fault tolerance/load balancing with OSPF via Bird


In the web interface, you can attempt to add a static route to the remote network LAN_IN_x via the interface VTI1. But
if you attempt to add the same route as well via the interface VTI2, the error message Network already declared
appears. This is normal because the graphical interface does not use metrics. We will use Bird to inject in the kernel
several routes with OSPF. The Bird project documentation is available at: https://bird.network.cz. Resources on OSPF
routing via Bird are also provided on Stormshield’s documentation website:
https://documentation.stormshield.eu/SNS/v4/en/Content/PDF/SNS-TechnicalNotes/sns-en-bird_dynamic_routing_technical_note_V4.pdf.

1. Enable OSPF dynamic routing with Bird. After reading and applying the tests in Appendix 3, ideally, you should
have dynamic routes on each site to reach resources located on the networks LAN_IN_x and LAN_DMZ1_x on the remote
site. For each test, check the routes that OSPF injected in the system and check the resulting routing table on the
firewalls to determine which routes were added. Use filters to view only routes to networks that you want to observe.

2. For functional tests, use the instructor’s firewall to simulate an Internet access failure at the head office, for
example by disabling a VLAN interface. Check what impact the failure had on network traffic between sites A and B,
then revert to the normal operating mode.

3. Fill in the following table with your observations:

Load balancing | Fault tolerance | Advantages of Bird dynamic routing | Disadvantages of Bird dynamic routing


LAB 10: Centralizing logs with SVC


1. Import the Stormshield Visibility Center (SVC) machine from the .ova file that you can download from
http://mystormshield.eu.

2. Decrease the reserved RAM to 2 GB, then start the machine.

3. Configure SVC with the static IP address 172.16.X.14.

4. Enable Syslog on the firewall to send all logs to SVC in TCP (RFC 5424).

5. Log in to the SVC's web interface and check that the logs have indeed been received.

6. Edit an SNS log view and use display filters to familiarize yourself with the administration interface.
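Step 4 sends the firewall's logs to SVC over TCP in RFC 5424 format. The Python below is an added example, not Stormshield or SVC code, showing what travels on that TCP session: the RFC 5424 header with its PRI value, the octet-counting framing that RFC 6587 defines for syslog over TCP, and a receiver that reassembles messages from the byte stream even when one message is split across two TCP reads (TCP keeps no message boundaries, so a collector that does not buffer will corrupt or lose records). The firewall name is the lab's; the log body is a constructed key=value line, not an actual SNS log record, and the structured-data parsing is simplified (it assumes no escaped "]" inside an SD element).

```python
import re
from datetime import datetime, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# Structured data is kept simple here (assumption: no escaped ']' inside an SD element).
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)

def build_syslog_5424(facility, severity, hostname, appname, msg, ts=None):
    """Encode one log record as an RFC 5424 message (PRI = facility * 8 + severity)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{facility * 8 + severity}>1 {stamp} {hostname} {appname} - - - {msg}"

def frame_octet_counting(message):
    """RFC 6587 octet-counting framing for syslog over TCP: 'LEN SP MESSAGE'."""
    body = message.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body

def parse_syslog_5424(message):
    """Decode an RFC 5424 message into a dict; raises ValueError on a malformed header."""
    m = _HEADER.match(message)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range")
    fields = m.groupdict()
    fields["facility"], fields["severity"] = divmod(pri, 8)
    return fields

class OctetCountingDecoder:
    """Reassembles octet-counted syslog messages from a TCP byte stream. TCP does not
    preserve message boundaries, so the receiver buffers until LEN bytes are present."""
    def __init__(self):
        self.buf = b""

    def feed(self, data):
        """Append received bytes and return every complete message now available."""
        self.buf += data
        out = []
        while True:
            sp = self.buf.find(b" ")
            if sp < 0:
                break                      # length prefix not complete yet
            prefix = self.buf[:sp]
            if not prefix.isdigit():
                raise ValueError("bad octet-counting frame")
            start, length = sp + 1, int(prefix)
            if len(self.buf) < start + length:
                break                      # message body still incomplete
            out.append(self.buf[start:start + length].decode("utf-8"))
            self.buf = self.buf[start + length:]
        return out

# Constructed sample record (not a real SNS log line); facility 1 (user), severity 6 (info).
SAMPLE = build_syslog_5424(
    1, 6, "SNS_EVA1_V4_A", "sns",
    'id=alarm msg="constructed test event" src=192.168.1.20',
    ts=datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    frame = frame_octet_counting(SAMPLE)
    decoder = OctetCountingDecoder()
    # Simulate the message arriving in two TCP reads, followed by a second message.
    print(decoder.feed(frame[:10]))          # [] : nothing complete yet
    for msg in decoder.feed(frame[10:] + frame):
        parsed = parse_syslog_5424(msg)
        print(parsed["host"], parsed["severity"], parsed["msg"])
```

If SVC shows no logs after step 4, the two things this example makes visible are the first to check: the PRI/header format (RFC 5424 versus the older RFC 3164 style) and the TCP framing (octet counting versus newline-delimited), since a mismatch on either side silently discards records.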

520
Solutions – Advanced Labs

SOLUTIONS
ADVANCED LABS

NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY


LAB 2: Embedded reports


1. Embedded reports can be enabled in Configuration => Notifications – Report configuration by selecting the
option "Enable reports" and the desired reports.

LAB 3: DHCP features


1. DHCP servers can be configured in Configuration ⇒ Network ⇒ DHCP. The service must be enabled and
configured in DHCP server mode (General section):

2. Under Parameters, add the domain name as well as a DNS server (the object "srv_dns" created during the
previous exercise).

3. Through the Address range section, add the address range requested in the exercise, and delete the default
range (named dhcp_range). Enter "Firewall_in" as the gateway for your address range.

4. Edit the object "pc_admin" to include your host's MAC address (you will find this address in the results of the
command "ipconfig /all" on your Windows system, or "ifconfig" if you are using a Linux system).

5. Select the object "pc_admin" in the Reservation section of the configuration menu in the DHCP module. To test
whether the new IP address was assigned, ensure that your machine is in DHCP mode, and unplug/plug in the network
cable that connects it to the UTM.


LAB 4: VLANs and router objects


1. To configure the firewalls SNS_EVA1_V4_x, go to CONFIGURATION => NETWORK => INTERFACES; your
configuration should look like this:
• On firewall A:

• On firewall B:

2. On the firewall SNS_TRAINER, the configuration of your interfaces is:

Configure routing in CONFIGURATION => NETWORK => ROUTING; your default gateway must be Firewall_in_router if
you are a DHCP client on this interface.

Go to CONFIGURATION => SYSTEM => CLI.

The command system ping host=8.8.8.8 confirms that Internet access functions.

The command system nslookup host=www.stormshield.com makes it possible to confirm that name resolution
functions properly. If it fails (e.g., your ISP does not recognize the servers dns1.google.com and dns2.google.com),
check the following points:

• In the Advanced DHCP properties window of the IN interface, the checkbox Request domain name
servers from the DHCP server and create host objects is selected,


• In CONFIGURATION => SYSTEM => CONFIGURATION, NETWORK SETTINGS tab, remove the servers
dns1.google.com and dns2.google.com from the list of DNS servers that the firewall uses, and add the
server Firewall_in_dns1. The resolution test must now be functional.
3. The menu CONFIGURATION => NETWORK => DNS PROXY CACHE must look like this, respectively on firewalls
A and B, then on TRAINER:

4. On the firewalls SNS_EVA1_V4_x, go to CONFIGURATION => OBJECTS => NETWORK OBJECTS to create a router
object on A as follows:

The object created on B is identical but with the host GW_TRAINER_VLAN_20 as the main gateway and
GW_TRAINER_VLAN_21 as the backup gateway.


On the firewall SNS_TRAINER, the following return routes must be created:

However, return routes are not necessary on the firewalls SNS_EVA1_V4_x, unless you want to publish a server in a DMZ
so that it can be reached from one or both links. In this case, you can create return routes as follows (example of
SNS_EVA1_V4_A):

5. Go to MONITORING => SECURITY POLICY => FILTER - NAT. Add the following translation rules in the slot used,
respectively for A and SNS_TRAINER:


6. On the firewall SNS_Trainer, add block rules to simulate a failure with the ISP:

7. After opening www.stormshield.com twice on GRAPHICAL_CLIENT_A, go to MONITORING => MONITORING =>
ROUTING on the firewall SNS_EVA1_V4_A: 50-50 load balancing functions:

You can also go to MONITORING => LOGS – AUDIT LOGS => Network traffic to check whether connections alternate
between two different routes:


8. After generating traffic from GRAPHICAL_CLIENT_B, check on the firewall SNS_EVA1_V4_B whether all traffic
takes a single route:

• After the block rule is enabled on the firewall SNS_TRAINER, all traffic will take the backup route:

9. Go back to the firewall SNS_EVA1_V4_A after you have disabled the block rule on the firewall SNS_TRAINER,
and change the router object as follows:

10. You will see that load balancing is 2/3 – 1/3 in the monitoring menus.
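The three router-object behaviours exercised in points 7 to 10 (connection-based load balancing, weighted 2/3 - 1/3 balancing, and the backup gateway that takes over when monitoring declares the main link down) can be reasoned about with the following model. It is an added example written for this page, not Stormshield code, and the firewall's real selection function may differ in detail: gateway weights are applied as a weighted round-robin over new connections, and gateway reachability comes from an `alive` callback that stands in for the firewall's gateway monitoring. The gateway addresses are the instructor's VLAN x0/x1 addresses from the exercise; the `on_failure` setting models the "If no gateways are available" parameter mentioned in Lab 9.

```python
from collections import Counter

class RouterObject:
    """Constructed model of a router object (not Stormshield code): main gateways with
    weights, an optional backup list, and the 'If no gateways are available' setting."""

    def __init__(self, main, backup=None, on_failure="do_not_route"):
        self.main = dict(main)            # {gateway: weight}
        self.backup = dict(backup or {})  # used only when no main gateway is up
        self.on_failure = on_failure      # "do_not_route" or "default_route"
        self._connections = 0             # new connections seen, drives round-robin

    def usable_gateways(self, alive):
        """Main gateways that pass monitoring; the backup list only when none is left."""
        for group in (self.main, self.backup):
            up = {gw: w for gw, w in group.items() if alive(gw)}
            if up:
                return up
        return {}

    def select(self, alive):
        """Choose the gateway for one new connection (connection-based balancing:
        the choice is made once per connection, never per packet)."""
        up = self.usable_gateways(alive)
        if not up:
            return None if self.on_failure == "do_not_route" else "default_route"
        # Weighted round-robin: a gateway with weight 2 appears twice per cycle,
        # so weights 2:1 give the 2/3 - 1/3 split observed in point 10.
        cycle = [gw for gw, w in sorted(up.items()) for _ in range(w)]
        gw = cycle[self._connections % len(cycle)]
        self._connections += 1
        return gw

    def distribute(self, n_connections, alive):
        """Route n new connections and count them per gateway, which is the
        figure the routing monitoring menu shows."""
        return Counter(self.select(alive) for _ in range(n_connections))

def all_up(gw):
    """Monitoring state when every link works."""
    return True

if __name__ == "__main__":
    a = RouterObject({"11.1.10.254": 1, "11.1.11.254": 1})           # load balancing on A
    print("A 50-50:", a.distribute(100, all_up))
    a_weighted = RouterObject({"11.1.10.254": 2, "11.1.11.254": 1})  # point 10 weights
    print("A 2/3-1/3:", a_weighted.distribute(300, all_up))
    b = RouterObject({"11.1.20.254": 1}, backup={"11.1.21.254": 1})  # backup mode on B
    print("B nominal:", b.distribute(10, all_up))
    vlan20_down = lambda gw: gw != "11.1.20.254"                     # Block VLAN_x0 enabled
    print("B main link down:", b.distribute(10, vlan20_down))
    print("all links down:", b.select(lambda gw: False))             # None: do not route
```

The `distribute` counts are what to compare against the MONITORING => ROUTING view: an even split on A, 200/100 with the weights of point 10, and a single gateway on B that switches entirely to the backup once the block rule on SNS_TRAINER makes the main gateway fail monitoring.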


LAB 5: Advanced SMTP application filtering


1. Change the following SMTP filter rules:

2. When HELLO, which is not recognized in the RFC, is used, the server replies:

3. A connection log will be captured on both firewalls

4. In IDS inspection mode, the logs are plugin logs and firewall B shows an application alarm, but allows
the traffic. In IPS mode, the application alarm invalid SMTP protocol (BadCmdWaitingHeloEhlo) appears
and the Telnet connection is shut down:

5. To set up an incoming SMTP policy, go to Configuration > Security policy > SMTP filtering:

• Rule 1 prohibits address spoofing on your mail domain, since external users are not allowed to
use internal addresses,
• Rule 2 accepts only messages that are intended for you. The implicit Block all rule, which cannot be seen
but is active, prohibits your SMTP server from relaying external messages to your mail domain.
6. This SMTP policy must now be applied to the incoming filter rule, which must also be modified to add
the translation directive so that the proxy operation is applied correctly. Go to
Configuration > Security policy > Filter - NAT:

Edit the properties of the SMTP protocol in the Proxy tab in Configuration > Application protection >
Protocols > SMTP:

7. When you run Telnet from the client workstation, the firewall may block your access and raise a
Possible DNS rebinding attack alarm. You can also run Telnet directly from the Debian machine, first with
an illegal recipient, then an illegal sender. The Telnet output resembles:

Do note that the firewall did not shut down the connection, but the illegal users were blocked.

8. The SMTP proxy logs on firewall B show that two successive operations were blocked: Default policy: recipient
is blocked, then Sender is blocked.

9. To implement an outgoing SMTP policy in firewall A, go to Configuration > Security policy >
SMTP filtering:

Apply this policy to the outgoing SMTP filter rule then go to Configuration > Security policy > SMTP
filtering (smtp_01 profile), click on Go to global configuration and select Apply the NAT rule on
scanned traffic:

You will now see an attempt to spoof an e-mail address via Telnet in firewall A’s logs: Default policy: sender
is blocked.

10. Apply the antivirus analysis to the incoming filter rule on firewall B:

11. In the monitoring tab, check whether the signature database is up to date, and if it is not, force
an update:

On Trainee A’s workstation, open http://172.16.1.11/Virus, right-click on eicar.com.txt and save the file on your
computer. Log in to Trainee A’s webmail, attach this file to an e-mail and send it. You will immediately receive a code

530
Solutions – Advanced Labs

554 reply (virus detected):

The SMTP proxy logs on firewall B will show that this e-mail was blocked.

On firewall B, go to Configuration > Application protection > Antispam and apply the same configurations:

12. Enable the antispam analysis on the incoming filter rule on firewall B:


Next, check whether the DNS RBL database is up to date, then on firewall A, send a message to
user@b.net from your webmail; you will receive a non-delivery notification immediately.

The SMTP proxy logs show that the e-mail was blocked with the message Message not sent due to antispam
policy.


LAB 6: Authentication and temporary accounts


1. Add the temporary accounts method through the menu CONFIGURATION => USERS => AUTHENTICATION.
2. Go to CONFIGURATION => USERS => TEMPORARY ACCOUNTS and create the user John Smith. Users are
created by default for one day. Take note of this account’s UID and password:

3. Create an authentication policy via the menu CONFIGURATION => USERS => AUTHENTICATION =>
Authentication policy tab:

Configure the interface corresponding to the authentication profile in the menu CONFIGURATION => USERS =>
AUTHENTICATION => CAPTIVE PORTAL tab:

4. To allow Internet access conditions to be displayed, go to the menu CONFIGURATION => USERS =>
AUTHENTICATION => CAPTIVE PORTAL PROFILES tab and select the relevant option:


5. Create a web object named custom_antivir-test containing www.eicar.org:

Configure the following URL filter policy:

Configure the following filter rules to test your policy:

Use the object any@voucher_users.local.domain in rule 4 to define a user with a temporary account.

On the host GRAPHICAL_CLIENT_A, test access to www.eicar.org. You will be redirected to the captive portal on which
you log in as jean.dupont with the password indicated earlier. The Internet access conditions appear:


When you accept the terms at the bottom of the page (select I have read the terms and click on I accept), you will be
redirected to the website. Go to MONITORING => MONITOR => USERS to view the properties of the connected user:

In the browser on GRAPHICAL_CLIENT_A that displays the welcome page of eicar.org, click on Download anti-malware
test file and download the file for the HTTP protocol, and observe the results in the alarm log.

You can also test news websites (www.euronews.com) or other categories in HTTP to check whether your URL filter
has been applied.

6. After the temporary account expires - which you can simulate by changing the date on the firewall - the
temporary account created will disappear.


LAB 7: Authentication and sponsorship


1. Go to CONFIGURATION => NETWORK => ROUTING, IPv4 STATIC ROUTES tab.

• Add the following route on B:

• Add the following route on A:

2. The configuration of the internal directory on firewall A is the same as the configuration in the CSNA course.
The only difference is in CONFIGURATION => USERS => AUTHENTICATION => Captive portal profiles tab. Select the
checkbox Enable sponsorship:

3. Go to CONFIGURATION => USERS => AUTHENTICATION, Authentication policy tab to create the following
policy for the sponsor:

Then create the internal authentication profile:


Create an internal authentication policy and profile, and configure the captive portal for the sponsor, who will log in via
the IN interface.

4. First, add the sponsorship method to the authentication methods:

A link to the configuration of the firewall’s SMTP server (making it possible to send the request to the sponsor) is
highlighted; click on it to configure the service:

In the RECIPIENTS tab, add a sponsor group containing user@a.net:


Use the Testing the SMTP configuration button to test user@a.net, and on GRAPHICAL_CLIENT_A, check whether this
test is effective, by logging in to the webmail:

Go back to CONFIGURATION => USERS => AUTHENTICATION, Authentication policy tab. Create the following policy:

As well as the profile for sponsored users:

5. As a sponsored user, log in from GRAPHICAL_CLIENT_B to site A’s captive portal, and fill in your sponsorship
request:


Use the user@a.net account found on your SMTP server to accept sponsored users (use webmail to display your
mailbox):

You will be asked to authenticate as a sponsor on the captive portal if you have not already done so; the sponsorship
request is successful:


The sponsored user is logged in on GRAPHICAL_CLIENT_B:

6. In CONFIGURATION ⇒ SECURITY POLICY ⇒ FILTER - NAT on firewall A, add the following rules:

(The logged in sponsored user belongs to any@any). Pings from the sponsored user’s workstation were successful.

7. Log off the sponsored user from the monitoring menu on A:

Pings from the sponsored user’s workstation no longer succeed.


LAB 8: SSL VPN and Site-to-site IPSec VPN


1. On the firewall SNS_TRAINER, go to CONFIGURATION => NETWORK => VIRTUAL INTERFACES, Loopback tab,
and create the interface as follows:

2. Configure the following tunnel on the Trainer firewall:

Nothing more difficult than in the CSNA course. On firewall A:

3. At this stage, the tunnel is mounted. This is the view of the logs on A:


After you have checked that your IPSec VPN tunnel works, add the following filter rules, respectively on A and TRAINER:

Pinging 10.255.255.1 works.

4. The SSL VPN tunnel is enabled in the same way as in the CSNA course, with the user jdupont:

Likewise for filter rules (allow SSL VPN clients to access internal resources).


Jean Dupont logs in as an SSL VPN client, can access resources on site A, but not the loopback interface on the Trainer
firewall, even though using any in accessible networks includes the loopback interface available via IPSec VPN.

5. The IPsec VPN topology must be modified to create a route between the SSL VPN client network and the
loopback interface on Trainer (from the instructor’s point of view):

As soon as the filter rules are defined on the Trainer site and on site A, the SSL VPN client can ping the loopback interface
on Trainer (via IPSec VPN) through the SSL VPN tunnel:


LAB 9: Routing via VTIs


Solution to scenario 1
This solution is based on the .na files downloaded and installed on each firewall.

1. The firewall on site A uses a router object to access the Internet, so you can check whether load balancing
works in Monitoring => Logs => Network traffic, show the column Translated source address. In the example below,
we opened four tabs to the same website on GRAPHICAL_CLIENT_A, in which we clearly see alternating translated
source addresses on both VLAN interfaces on site A:

The firewall on site B works in exactly the same way.

2. Go to Configuration => Network => Virtual interfaces, IPSec interfaces (VTI) tab, and create the interfaces as
shown below, respectively on A and B:

Create host objects that represent remote VTIs on sites A and B, in Configuration => Objects => Network objects, Add
button:

Create host objects as well that represent each public IP address on the remote site:

Create static routes respectively on A and B that make it possible to reach remote public IP addresses, in
Configuration => Network => Routing, IPv4 static routes tab:


Return routes are already configured in the .na files provided, but you can check them. You would have created such
files in a configuration that was fully set up.

In Configuration => VPN => IPSec VPN, Peers tab, create the following peers on site A:

Then on site B:

You will notice that the outgoing interface is forced.



In the Encryption policy - Tunnels tab, Site-to-site (Gateway - Gateway) sub-tab, click on Add > Site-to-site tunnel, and
create the following tunnels respectively on A and B:

The Keep alive option is enabled on one of the firewalls (A in this example) to force tunnels to be set up.

You can check VPN logs or tunnel monitoring at this stage (example given from A):


Note:

Before going on to point 3, back up the configuration of firewalls A and B. This will save you time for the other scenarios
in this document.


3. Create router objects respectively on A and B in Configuration => Objects => Network objects, Add button:

Reminder: router objects can be used as default gateways or for policy-based routing (PBR). Go to Configuration =>
Security policy => Filter - NAT, and create the following rules respectively on A and B:

When PBR is used with VTIs, you must create return routes on each firewall (the first two return routes in the examples
below were in the .na files) in Configuration => Network => Routing, IPv4 return routes tab:


On GRAPHICAL_CLIENT_A, try to open the web page of the server Debian-Training-Webmail_B four times with its private
IP address, and display the connection logs to check whether load balancing is functioning (show the column
Destination interface on firewall A):

4. Traffic is encrypted between the networks of the head office and the agency as soon as it goes through a VTI.
When the corresponding router object is being created, the value Do not route is already configured for the parameter
If no gateways are available. There is nothing else to configure.

5. Two disabled filter rules on the instructor’s firewall make it possible to simulate an ISP failure. Enable rule 1:

The route monitoring menu illustrates this problem (from A’s point of view in this example):


However, nothing has changed in the IPSec VPN tunnel monitoring menu or IPSec VPN logs, which is normal because
when peers are configured, the advanced Liveness option in IKEv2 (DPD in IKEv1) did not change, and its default value
is Passive (IKE will not send messages to detect the validity of its phase 1 key). Set peers to Low on one of the sides (A
or B):


Repeat the test on GRAPHICAL_CLIENT_A (open the web page of the server Debian-Training-Webmail_B several times with
its private IP address) and display the connection logs (show the column Destination interface on firewall A):

When access through ISP1 is restored on the firewall TRAINER (rule 1 disabled again) and access through ISP2 is cut
instead (rule 2 enabled), the VPN logs now show the issue (the message Remote seems to be dead appears for the cut
link), because phase 1 liveness detection has been enabled in the meantime.

6. You now have all the information you need to fill in the table:

Operational tunnels | Load balancing | Fault tolerance | Advantages of router object | Disadvantages of router object
YES | YES | YES | Prorating possible, depending on the real bandwidth of the links (do not forget to enable DPD and keepalive) | Can only be used through filter rules; cannot be seen in the system (FreeBSD) routing table; proprietary mechanism, incompatible with third-party vendors

Note:

Attempts to add links to a peer already used in the topology (e.g., a link from the second public IP address on A to
the first address on B, with VTI interfaces) will fail. Moreover, if you attempt to create a new peer on an existing public
IP address with the same parameters as the previous one, the peer will be rejected as a duplicate, whether you use PSK or
certificates.

The following configurations cannot be set up:

• Site A: 2 Internet connections, site B: 1 Internet connection; 1 tunnel via VTI from B to A1, another from B
to A2.

• Site A: 2 Internet connections, site B: 2 Internet connections; 4 tunnels in all, from A1 to B1, from A1 to B2,
from A2 to B1, from A2 to B2.

Generally speaking, since an IPsec VPN peer is associated with a single public IP address, for full fault tolerance and
several tunnels up simultaneously, VTIs must be used with Stormshield firewalls, and on both sites, there must be as
many public IP addresses as the desired number of simultaneous tunnels.

Solution to scenario 2
All screen captures in this solution are from A’s point of view.

1. Begin by testing whether load balancing works; the screen captures below represent the Bird configuration and
the result in command line:

The show static command shows that the routes have the same weight, but they are not injected into the system routing
table. Routing works packet by packet: sending one packet via the first route and the next packet via the second route is
not compatible with a firewall that must track sessions, so load balancing is not an option here.

Now, test fault tolerance:

Only the route with the highest preference will be injected into the system table, which is somewhat logical.

Since the test was successful, it will be implemented in the next point.

Note:

Comments that begin with # in the Bird configuration have been removed from the screen captures in this solution to
make the configuration easier to read, but keep them in the actual configuration so that administrators who share the
firewall management role with you can refer to them.

Now, add monitoring on each link with BFD on both sides:

The routing table is the same as the previous one; a frame capture using the command tcpdump -ni enc1 port 3784
(and on the second link with enc2) shows BFD in action:
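As an added example (written for this page, not taken from the training manual or from the lab files), the Bird configuration below summarises what this scenario builds on site A: one static route to LAN_IN_B per VTI, fault tolerance obtained by giving the two routes different preferences, and link monitoring with a BFD session to each route's next hop. The interface pattern enc*, the preference values, the kernel and device blocks and the next-hop addresses 172.20.0.1 and 172.20.0.3 are assumptions drawn from the lab topology; site B mirrors it with 172.20.0.0 and 172.20.0.2 as next hops towards site A's internal network. The syntax is Bird 1.x, as in the lab files; check it against the Bird version running on your firewall.

```bird
# Added example, not the lab's own file. Site A, Bird 1.x syntax.
# Assumed: VTI interfaces enc1/enc2, B's VTI addresses 172.20.0.1 and 172.20.0.3,
# remote network LAN_IN_B 192.168.2.0/24.

router id 172.20.0.0;

# Learn the system table and keep injected routes across restarts
# (same role as the kernel/device blocks of the scenario 3 file).
protocol kernel {
    learn;
    persist;
    scan time 20;
    export all;
}

protocol device {
    scan time 10;
}

# One BFD session per VTI; the same block is needed on site B.
# Default timers: 100 ms interval, detection after 5 missed packets.
protocol bfd {
    interface "enc*" {
        interval 100 ms;
        multiplier 5;
    };
}

# Primary path via VTI1. The higher preference wins when both routes are up.
# No "check link": VTIs stay up even when the tunnel is down, so link state
# tells nothing here; the bfd keyword withdraws the route when the session fails.
protocol static via_vti1 {
    preference 200;
    route 192.168.2.0/24 via 172.20.0.1 bfd;
}

# Backup path via VTI2, injected into the system table only while the
# primary route is withdrawn.
protocol static via_vti2 {
    preference 100;
    route 192.168.2.0/24 via 172.20.0.3 bfd;
}
```

With this file loaded on both firewalls, show static lists both routes, but only the one with preference 200 reaches the system table; cutting link 1 on TRAINER stops the BFD packets on enc1 (tcpdump -ni enc1 port 3784 goes silent), the session times out after multiplier times the interval, the primary route is withdrawn and the preference 100 route takes its place.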

2. Routing without BFD is tested first, by disabling the interface vlan_10 on the firewall TRAINER:

On the firewall on site A, the route monitoring menu shows that the first link is unavailable:

The IPSec VPN logs also show that tunnel 1 is down, but only because it has been idle for too long (the delay corresponds
to the interval of the Liveness tests that check the validity of the phase 1 key):

Show firewall A’s routing table:

The route to the network LAN_IN_B 192.168.2.0/24 has not changed, and is associated with the traffic endpoint VTI of
the tunnel that is down, and therefore no longer valid!

The Bird command show interfaces shows that both enc1 and enc2 are active:

The observations made here are logical, because the routing table is supposed to change only if one of the interfaces
is down. But you will notice that even when an IPSec VPN tunnel with VTIs is down, the VTIs remain active - this makes
it easier for the tunnel to resume operation quickly.

The check link option used in the Bird configuration file at the beginning of the protocol static section is therefore
unnecessary.

The status of the link must then be detected via BFD.

Applying the same tests as before (interface vlan_10 disabled on the firewall TRAINER), BFD frames no longer travel
over the link vti1 (a capture with tcpdump -ni enc1 port 3784 remains mute).

This time, the output of the system routing table shows a route that is actually operational: the BFD failure withdrew the
route via the first VTI and the route via the second VTI was injected in its place:

As soon as normal operations resume (the interface vlan_10 enabled on the firewall TRAINER), the system routing table
will point back very quickly to the route with the highest priority.

You can send a test ping from Graphical_client_A to the IP address 192.168.2.254, and repeatedly enable/disable the
interface of the firewall TRAINER; it takes so little time to switch that it is almost not noticeable. BFD can be configured
with detection intervals in milliseconds (the default value is 100 ms), but this is not necessary in our case, since the
renegotiation of the tunnel will only take a few seconds.

3. You can now fill in the table with your findings:

Load balancing | Fault tolerance | Advantages of Bird static routing | Disadvantages of Bird static routing
NO | YES, but only with BFD | Multiple links possible, and with BFD, very quick switch to the route to take | No load balancing, unlike a router object

1. The networks 192.168.2.0/24 and 192.168.3.0/24 can be aggregated into a single line by changing the mask:
192.168.2.0/23 (192.168.2.0-192.168.3.255); the routing configuration on site A therefore becomes:

2. You can immediately send a test ping from Graphical_client_A to 192.168.3.254.

Note:

Firewall or not, the usual good practice of keeping the routing table as small as possible still applies: on each site, use
contiguous networks and aggregate routes with variable-length masks.

Solution to scenario 3
1. Modify the file presented in the first test in Appendix 3 for A and B as follows (the two files differ only in the router
id, the interface names and the neighbor addresses):

#On A:

router id 172.20.0.0;

filter network {
    if net ~ [ 192.168.56.0/24, 0.0.0.0/0 ] then reject;
    else accept;
}
protocol direct {
    preference 251;
}
protocol kernel {
    learn;
    persist;
    scan time 20;
    import filter network;
    export filter network;
    preference 254;
}
protocol device {
    scan time 10;
}
protocol ospf via_vti1 {
    tick 2;
    rfc1583compat yes;
    area 0 {
        stub no;
        interface "local_vti1_A" {
            type pointopoint;
            neighbors { 172.20.0.1 eligible; };
            strict nonbroadcast yes;
        };
    };
    import filter network;
    export filter network;
}
protocol ospf via_vti2 {
    tick 2;
    rfc1583compat yes;
    area 0 {
        stub no;
        interface "local_vti2_A" {
            type pointopoint;
            neighbors { 172.20.0.3 eligible; };
            strict nonbroadcast yes;
        };
    };
    import filter network;
    export filter network;
}

#On B:

router id 172.20.0.1;

filter network {
    if net ~ [ 192.168.56.0/24, 0.0.0.0/0 ] then reject;
    else accept;
}
protocol direct {
    preference 251;
}
protocol kernel {
    learn;
    persist;
    scan time 20;
    import filter network;
    export filter network;
    preference 254;
}
protocol device {
    scan time 10;
}
protocol ospf via_vti1 {
    tick 2;
    rfc1583compat yes;
    area 0 {
        stub no;
        interface "local_vti1_B" {
            type pointopoint;
            neighbors { 172.20.0.0 eligible; };
            strict nonbroadcast yes;
        };
    };
    import filter network;
    export filter network;
}
protocol ospf via_vti2 {
    tick 2;
    rfc1583compat yes;
    area 0 {
        stub no;
        interface "local_vti2_B" {
            type pointopoint;
            neighbors { 172.20.0.2 eligible; };
            strict nonbroadcast yes;
        };
    };
    import filter network;
    export filter network;
}

Switch to command line to see site A’s point of view, for example, routes injected into the kernel from Bird:

Filtering out the default route 0.0.0.0/0 and the network 192.168.56.0/24 listed in the filter was effective, but OSPF also
sees the networks connected on the OUT interface of the remote firewall, and /32 host addresses.

Modify the existing filter so that you do not see these networks:

• 11.1.0.0/16+ matches 11.1.0.0/16 and every prefix inside it, i.e., any network beginning with 11.1 with a
mask length greater than or equal to 16.

• 0.0.0.0/0{32,32} matches any prefix with a /32 mask, regardless of the IP address.

Your filter should now look like this:

filter network {
    if net ~ [ 192.168.56.0/24, 0.0.0.0/0, 11.1.0.0/16+, 0.0.0.0/0{32,32} ] then reject;
    else accept;
}
After you modify the configuration file in Configuration => Network => Routing, IPv4 dynamic routing tab, save the
changes and in command line, view the injected routes as seen earlier:

Only the internal networks of the remote site are now imported into A's routing table, as type 2 external (E2) routes.
These routes were exported into OSPF on firewall B by the kernel pseudo-protocol (they come from B's system routing table,
not from an OSPF neighbor), so OSPF does not learn them directly: a type 2 external route is redistributed into OSPF by an
ASBR, an OSPF router that also exchanges routes with routers outside the OSPF domain, which is essentially B's role here.
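The two prefix-pattern forms used in this filter are easy to get wrong, so here is an added example (written for this page, not part of the training manual or of Bird) that evaluates Bird prefix patterns in Python and applies the page's reject list to a constructed set of routes resembling what A could learn from B. The sample prefixes, the 11.1.x.x addressing of B's OUT side and the {lo,hi} handling (only the lo >= len case is implemented, which covers the page's use) are assumptions.

```python
"""Added example, not from the training manual: evaluate Bird prefix patterns
and apply the lab's 'filter network' reject list to a constructed route set."""

import re
from ipaddress import ip_network

# ip/len, optionally followed by '+', '-' or '{lo,hi}'
PATTERN_RE = re.compile(
    r"^(?P<net>[0-9.]+/\d+)(?P<mode>\+|-|\{(?P<lo>\d+),(?P<hi>\d+)\})?$"
)


def pattern_matches(pattern: str, prefix: str) -> bool:
    """Return True if 'prefix' (e.g. 11.1.5.0/24) matches a Bird prefix pattern.

    ip/len        exact prefix only
    ip/len+       ip/len and every subnet of it (length >= len)
    ip/len-       ip/len and every supernet of it (length <= len)
    ip/len{lo,hi} subnets of ip/len whose length is between lo and hi
                  (assumption: lo >= len, the form used on this page)
    """
    m = PATTERN_RE.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    base = ip_network(m.group("net"), strict=False)
    net = ip_network(prefix, strict=False)
    mode = m.group("mode")
    if mode is None:
        return net == base
    if mode == "+":
        return net.subnet_of(base)
    if mode == "-":
        return base.subnet_of(net)
    lo, hi = int(m.group("lo")), int(m.group("hi"))
    return net.subnet_of(base) and lo <= net.prefixlen <= hi


# The reject list of the corrected 'filter network' shown above.
REJECT_PATTERNS = ["192.168.56.0/24", "0.0.0.0/0", "11.1.0.0/16+", "0.0.0.0/0{32,32}"]


def filter_network(prefixes, reject=REJECT_PATTERNS):
    """Apply the lab filter: reject a prefix if any pattern matches, else accept.

    Returns (accepted, rejected), both in input order.
    """
    accepted, rejected = [], []
    for p in prefixes:
        if any(pattern_matches(pat, p) for pat in reject):
            rejected.append(p)
        else:
            accepted.append(p)
    return accepted, rejected


# Constructed sample of what OSPF on A could learn from B before filtering
# (assumed addressing, not captured from firewall A).
SAMPLE_ROUTES = [
    "192.168.2.0/24",   # LAN_IN_B: must stay accepted
    "192.168.3.0/24",   # second internal network on B: must stay accepted
    "0.0.0.0/0",        # default route redistributed by B's kernel protocol
    "11.1.0.0/24",      # network on the OUT interface of B (assumed)
    "11.1.20.0/30",     # another 11.1.x.x subnet seen on B (assumed)
    "172.20.0.0/32",    # VTI endpoint host route
    "192.168.56.0/24",  # management network, already filtered
    "11.0.0.0/8",       # supernet of 11.1.0.0/16: NOT caught by /16+
]

if __name__ == "__main__":
    ok, dropped = filter_network(SAMPLE_ROUTES)
    print("accepted:", ok)
    print("rejected:", dropped)
```

Run it before loading a new filter on the firewall to confirm that the remote internal networks stay accepted while the default route, the OUT-side networks and the /32 host routes are dropped; note that a supernet such as 11.0.0.0/8 is not caught by 11.1.0.0/16+ and would need an 11.1.0.0/16- pattern or its own entry.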

The routing table on A is:

The output of the command netstat -rn shows the path taken to reach the remote networks:

Since no Hello timers were configured, the OSPF default values apply (Hello every 10 seconds, Dead interval 40 seconds);
display them so that you can predict the average time before a failure is detected:

During a failure on VTI1, if the firewall does not receive any Hello messages for 40 seconds, the system will switch to
the second link.

2. Disable the interface vlan_10 on the firewall TRAINER:

On the firewall on site A, you must wait for about 40 seconds before the changes to the routing table are applied (switch
to VTI2):

After normal operations resume (the interface on TRAINER enabled again), the route to the remote networks stays on VTI2
(the path via enc1 is not re-selected, both paths having the same cost), unless link 2 is disabled on TRAINER.

3. You can now fill in the table with your findings:

Load balancing | Fault tolerance | Advantages of Bird dynamic routing | Disadvantages of Bird dynamic routing
NO* | YES | Standard OSPF protocol that implements fault detection mechanisms | Switch time depends on the OSPF Dead Timer, set to 40 seconds by default

Note:

* There is an option in the Bird configuration called ECMP (Equal Cost Multiple Paths) that you can test to set up load
balancing, but you will reach the same conclusion as in scenario 2: routing at layer 3 spreads traffic packet by packet,
which is not compatible with a firewall that must analyze sessions (all packets of a connection must go through the same
interfaces).

LAB 10: Centralizing logs with SVC


1. The SVC server is installed by default with 8 GB of RAM - lower this value to avoid causing problems on your
workstation.

2. To enable syslog on the firewall, go to Configuration => Notifications => Logs - Syslog - IPFIX. Open the
SYSLOG tab and enable a profile by specifying the IP address, protocol and port of the syslog server.

training@stormshield.eu
