ADMINISTRATOR TRAINING - STORMSHIELD NETWORK SECURITY
Network configuration 132
Configuration modes 133
Types of interfaces 139
System routing 156
Advanced routing 161
Order of routing types 174
Appendix 178
Wi-Fi interfaces 179
Dynamic DNS 185
DHCP 189
Static multicast routing 194
DNS proxy cache 197
Bird static routing 200
Bird dynamic routing 203
Address translation 206
General points 207
Dynamic translation 209
Static translation by port 212
Static translation 215
"NAT" Menu 220
Order of application of NAT rules 231
Appendix 235
Advanced properties 236
Filtering 244
General points 245
The "stateful" concept 247
Sequencing of filter and translation rules 249
“Filtering” Menus 252
Coherence and compliance analyzer 270
Appendix 274
Advanced properties 275
Application protection 280
Enabling proxy mode 281
HTTP proxy 284
HTTPS proxy 298
Antivirus analysis 305
Breach Fighter analysis 310
Intrusion prevention module and security inspection 313
Appendix 319
SMTP filtering and antispam 320
Host reputation 328
Users & authentication 334
Introduction 335
Linking to a directory 337
Managing users 347
Authentication methods 351
Authentication policy 355
Captive portal 359
Filter rules for authentication 369
Defining new administrators 377
Appendix 382
Guest method 383
VPN 386
Different types of VPN 387
IPSec VPN – Concepts and general points 389
IPSec VPN – Configuration of a site-to-site tunnel 395
IPSec VPN – Configuration of multiple site-to-site tunnels 408
IPsec VPN - Virtual Tunneling Interface 412
Appendix 422
Point to Point Tunneling Protocol 423
IPSec VPN dynamic peers 427
SSL VPN 436
Concepts and general points 437
Setting up a tunnel 444
Appendix - Troubleshooting 457
Introduction 458
Before creating an incident 460
Essential elements 463
Additional information 466
Access to the firewall 470
Virtual Labs 473
Architecture diagram 474
Installing and preparing the virtual platform 475
LAB 1: Handling the firewall 480
LAB 2: Objects 481
LAB 3: Network configuration 482
LAB 4: Address translation 484
LAB 5: Filtering 485
LAB 6: Content filtering (HTTP and HTTPS) 487
LAB 7: Authentication 488
LAB 8: IPSec VPN (site to site) 489
LAB 9: SSL VPN 490
Virtual Labs - Corrections 491
LAB 1: Handling the firewall 492
LAB 2: Objects 493
LAB 3: Network configuration 494
LAB 4: Address translation 495
LAB 5: Filtering 496
LAB 6: Content filtering (HTTP and HTTPS) 497
LAB 7: Authentication 499
LAB 8: IPSec VPN (site to site) 500
LAB 9: SSL VPN 502
Advanced labs 504
LAB 1: Implementing the infrastructure 506
LAB 2: Embedded reports 509
LAB 3: DHCP features 509
LAB 4: VLANs and router objects 510
LAB 5: Advanced SMTP application filtering 512
LAB 6: Authentication and temporary accounts 514
LAB 7: Authentication and sponsorship 515
LAB 8: SSL VPN and Site-to-site IPSec VPN 516
LAB 9: Routing via VTIs 517
LAB 10: Centralizing logs with SVC 520
Advanced labs - solutions 521
All images in this document are for representation only, actual products
may differ.
Training program
The topics in this module will not be evaluated in Stormshield certification exams.
Training and certification course
Figure: the certification path: Certified Stormshield Network Administrator, Certified Stormshield Network Expert, Certified Stormshield Network Troubleshooting & Support, CSMCE, and Fundamental / Certified Stormshield Network Operational Technology (FSNOT / CSNOT).
Apart from the FSNOT course, each course level concludes with a certification that
trainees obtain by taking a test on our e-learning platform at
https://institute.stormshield.eu
Trainees are allowed two attempts for each exam from their Institute accounts.
Access to the exam automatically begins the day after the end of the course and
remains open for three weeks for CSNA, CSNE and CSMCE, CSNOT exams, and six
months for the CSNTS exam. If trainees fail their first attempt or are unable to sit for
the exam within this time frame, they will be entitled to a second and final attempt,
which will open with immediate effect for an additional week. For all levels, the
minimum score required to obtain the certification is 70%.
Stormshield certifications are valid for three years, during which trainees can attend
classroom-based courses to validate certification at a higher level. When trainees
obtain certification at a higher level, lower-level certifications will be automatically
renewed.
Trainees can also remotely renew their last certification obtained by ordering a
recertification kit.
STORMSHIELD: PRESENTATION OF THE COMPANY AND ITS PRODUCTS
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
Training program
The topics in this module will not be evaluated in Stormshield certification exams.
STORMSHIELD: PRESENTATION OF THE COMPANY
Figure: company timeline.
• 1998: creation of Netasq (FR), first firewall that embedded an IPS.
• 2000: creation of Arkoon (FR), first UTM on the market.
• 2013: acquisition and merger; fully owned subsidiary of Airbus CyberSecurity.
• 2014: launch of the Stormshield brand and product range.
STORMSHIELD DATA SECURITY
Module outline: Introduction to Stormshield; Stormshield Data Security; Stormshield Endpoint Security; Stormshield Network Security; Standard and optional features in SNS.
Stormshield Data Security lets users stay in control of their data in Microsoft environments by
offering the following possibilities:
• Transparent encryption of local or shared folders with Disk and Team, including USB devices,
• Integration with mail applications, such as Microsoft Outlook and Lotus Notes, to encrypt
and/or sign e-mails with Mail,
• Secured collaborative data with Team,
• Easier paperless administrative and sales procedures with Sign, which signs all types of files,
• Safe destruction of files and folders with Shredder,
• Administration through Powershell commandlets or business APIs with Connector,
• Centralized administration with Authority Manager.
Stormshield Data Security for Cloud & Mobility caters to organizations' need for mobility and
the migration of their data to the cloud.
When an agent is installed on Windows or Mac OS X platforms or on Apple and Android
smartphones, users can access their work data without protection. All data that needs to be
stored locally or with a cloud provider will be encrypted before it is sent.
With agentless encryption technology, the encryption/decryption function can be used directly
in the browser as an add-on to encrypt files processed by web applications or e-mails from a
webmail account. So, no need for administrators to deploy any agents, and no need to install
agents for external users who need to receive confidential information.
Stormshield Data Security Enterprise version 9.1.2 was awarded EAL3+ certification for its
transparent file encryption feature in September 2016.
STORMSHIELD ENDPOINT SECURITY
Stormshield Endpoint Security version 7.2.6 was awarded EAL3+ certification for its
surface encryption functional module.
STORMSHIELD NETWORK SECURITY
Figure: the Stormshield Network Security range (firewall hardware for industry, Wi-Fi, large corporations and datacenters).
The Stormshield Network Security product range consists mainly of two large categories
illustrated in the figure above: physical appliances (SN range) and virtual appliances (EVA).
The technology on all Stormshield Network products is based on a proprietary IPS (Intrusion
Prevention System) engine embedded in a FreeBSD kernel.
VIRTUAL APPLIANCES
Virtual appliances for the cloud are available from the AWS (Amazon Web Services) and Microsoft
Azure providers, making it possible to protect servers hosted with them.
Stormshield also offers the Stormshield Pay As You Go range, which caters to private cloud
providers that offer hosted services and/or Internet access, either in the form of SaaS or IaaS.
When these appliances are deployed in your virtual infrastructure, you will be able to offer your
clients a network security service that can be billed monthly based on the number and size of
virtual firewalls used.
Use cases
• SN160(W): Remote site connected via VPN, unified security for small
structures. Two separate WiFi networks can be created with the SN160W.
• SN210(W): Remote site connected via VPN, unified security for small
structures with a DMZ or dual WAN access. With the SN210, two trusted
zones can be created on the internal network, and Internet access link
redundancy can be set up. The SN210W also makes it possible to create
two separate WiFi networks.
• SN310: Unified security for small structures requiring continuity (high
availability) and safety zones. The SN310 offers 8 physical ports and
supports high availability.
Log storage is limited by default on this appliance range, but can be extended with
the use of SD cards.
Use cases
• SN510: Mid-size organizations that need to archive logs locally. With the
SN510, logs can be stored locally and archived on the hard disk.
• SN710: Mid-size organizations that require network modularity, offering a
combination of copper ports (up to 16) and 10-gigabit Ethernet fiber ports.
• SN910: Mid-size organizations that require flexibility in order to enhance
performance. The SN910 can also support 8 Ethernet ports, 10 1G fiber
ports or 4 10G fiber ports.
Use cases
• SN2100: Organizations with high performance and scalability
requirements. The SN2100 offers a high level of modularity thanks to
optional network extension modules.
• SN3100: Organizations with critical architectures. The SN3100 embeds
redundant hardware components to ensure better availability: SSD hard
disks in RAID1 and redundant power supply. It supports the same network
configurations as the SN2100.
• SN6100: Large corporations and datacenters. The SN6100 offers unrivaled
network modularity and can support up to 64 copper or fiber ports. It
offers firewall performance of up to 170Gbps and hardware component
monitoring via IPMI.
INDUSTRY: SNi40
Use cases
• When industrial protocols need to be used (Profinet, Modbus, S7 200-300-
400, OPC UA).
• Hardware bypass: service continuity is critical in industrial settings. The
SNi40 appliance builds in a hardware bypass feature (ports 6 and 7) that
allows network traffic to continue to pass through during a power outage
or hardware failure.
• Resistance to external elements (e.g., impact, electromagnetic
interference, dust or extreme temperatures): the appliance provides IP30
protection (IP code).
• DIN rail hardware format to protect PLCs (Programmable Logic
Controllers).
VIRTUAL APPLIANCES
Stormshield's Elastic Virtual Appliance range offers organizations a full range of
security features without the need for an initial investment, only subscriptions to
services that include system updates and various protections.
The performance of these products automatically adapts to the resources that the
hypervisor allocates. This means that you can monitor your operating costs
whenever you need to expand your infrastructure.
Stormshield's Elastic Virtual Appliance also protects virtual servers and virtual
networks in clouds hosted by Amazon Web Services or Microsoft Azure. This is easy
to set up, since SN firewalls are included in the cloud provider's Marketplace.
Figure: version branches, Main and LTSB (1 year support minimum).
Major or minor versions with the LTSB label are considered stable over the long
term and are supported for at least 12 months. These versions are
recommended for clients whose priority is stability rather than new features and
optimizations.
CENTRALIZED ADMINISTRATION
Stormshield: presentation of the company
and its products
STANDARD AND
OPTIONAL FEATURES IN
SNS
STORMSHIELD: PRESENTATION OF THE
COMPANY AND ITS PRODUCTS
✔ Introduction to Stormshield
✔ Stormshield Data Security
✔ Stormshield Endpoint Security
✔ Stormshield Network Security
➔ Standard and optional features in SNS
27
Figure: overview of standard and optional SNS features. Security features shown include: firewall, filtering by user, IDS/IPS, application control, content inventory, PKI, SSL decryption, vulnerability detection, protocol analysis, antivirus/antimalware, antispam, antiphishing, URL filtering, Extended Web Control, DDoS protection, mobile device control, industrial protocols, Microsoft services, collaborative security, transparent authentication, scheduling of rules, site-to-site or mobile IPSec VPN, PPTP. Network features shown include: dynamic routing, link redundancy (LACP), WAN link redundancy, transparent/routed/hybrid mode, HTTP cache proxy, quality of service, IPv4/IPv6 support, high availability, publication of web applications, policy-based routing.
You will find all product datasheets and features available in the SNS range on
Stormshield.com.
APPENDIX - STORMSHIELD: PRESENTATION OF THE COMPANY AND ITS PRODUCTS
In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.
STANDARD FEATURES
Appendix outline: Standard features; Security packs and software options; Hardware options.
Table (figure): standard features per product range: protocol analysis (IP, ICMP, TCP, UDP, HTTP, FTP, SIP, RTSP, etc.; industrial SCADA: MODBUS, S7), context-based patterns, antispam, system (RAID 1).
• IPS Protocol Analysis: includes all the checks applied on network (IP, TCP,
UDP, etc.) and application (HTTP, FTP, etc.) protocols to ensure their
compliance. From version 2.3 onwards, this analysis also makes it
possible to check two industrial protocols (SCADA): MODBUS and S7.
• IPS contextual signatures: an attack database used in addition to the
protocol analysis to rapidly detect known attacks.
• Antispam:
o Heuristic engine: allows the firewall to qualify an email as spam by
using a specific algorithm that determines the degree of legitimacy
of emails.
o Reputation-based detection (DNS RBL: Real-time Blackhole List):
relies on RBL servers that indicate whether an email is spam, based on
the reputation of the sender. The list of RBL servers is constantly
updated.
• ClamAV Antivirus: open-source antivirus engine designed to detect
viruses, Trojans and malware. Its library provides different file format
detection mechanisms and tools that operate in conjunction with
compressed files and archives.
• Stormshield URL Filtering: proprietary URL database used for web
filtering. The URLs are classified into 16 categories.
• System:
o RAID 1 (Redundant Array of Independent Disks): Ensures the
reliability of data storage by placing a copy of the data on two
separate hard drives.
o Double system partition (main and backup): Allows storage of two
firmware versions.
o High availability: Ensures the continuity of services by using two
firewalls: one in active mode and the other in passive mode. If the
active firewall is no longer reachable, the passive firewall switches
to active mode to guarantee the transmission and protection of
data. This feature monopolizes a network interface on each
firewall.
The table above presents the services available on Stormshield Network Security
products. Do note that local log storage is native on all products except the SN160(W),
SN210(W) and SN310 models, because they do not have a built-in hard disk drive.
However, with the External storage license option, which is enabled by default on
models in v4 and above, logs can be stored locally on a removable SD card.
SECURITY PACKS
Certain additional features are available with a subscription to specific security packs:
• Stormshield Network Vulnerability Manager (SNVM): identifies and reports, in real time,
vulnerabilities and weaknesses in the applications and services used on protected networks. To do so,
SNVM works with the IPS to collect and archive information relating in
particular to the operating system, the various activities and the versions of the applications
installed. These may be client applications (Firefox) or networked services (Apache, Bind,
OpenSSH, etc.). SNVM reports the vulnerabilities it detects by identifying the hosts involved,
and suggests possible fixes as well.
• Kaspersky antivirus: developed and integrated by Kaspersky Labs, it represents one of the
best antivirus solutions currently available on the market. Its engine analyzes incoming and
outgoing mail, web traffic as well as files in real time to detect and eliminate all viral
intrusions on protected networks. To ensure optimum protection, the virus pattern database
is constantly updated. The advantages of this antivirus include its support for many archive
formats, its better processing performance compared to ClamAV, and the enhanced
performance of its heuristic analysis engine.
• Extended Web Control web filtering: relies on a cloud-hosted URL database provider. The
base references several hundred million URLs classified into 65 thematic categories:
shopping, education, banking, etc. The main advantage of this new option is the quick update
of the URL database, which is no longer downloaded on the firewall.
• Log storage on the "external storage" SD card: allows firewalls with SD memory card slots to
store logs on such cards. On SN160(w), SN210(w) and SN310 products, SD cards make it
possible to generate all activity reports (without an SD card, only five reports can be used).
• Breach Fighter: makes it possible to run an analysis in the cloud in addition to the one run by
Kaspersky antivirus to block sophisticated attacks, with the support of a dedicated security
team.
HARDWARE OPTIONS
The high range appliances (SN710, SN910, SN2000, SN3000 and SN6000) offer
incomparable network modularity on the market thanks to optional copper or fiber
modules:
• SN910 embeds 8 10/100/1000 ports + 2 SFP+ 10Gbps ports and can support an
additional 8 10/100/1000 ports, 6 SFP 1Gbps ports or 2 SFP+ 10Gbps ports (1
extension module).
• SN2100 and SN3100 embed 2 10/100/1000 ports in the standard version and can
support an additional 24 10/100/1000 ports, 24 SFP 1Gbps ports, 12 SFP+ 10Gbps
ports (3 extension modules) or 6 40 Gbps ports.
• SN6100 embeds 8 10/100/1000 ports in the standard version and can support an
additional 62 10/100/1000 ports, 64 SFP 1Gbps ports, 34 SFP+ 10Gbps ports (7
extension modules) or 16 40 Gbps ports.
GETTING STARTED WITH THE FIREWALL
REGISTERING THE FIREWALL AND ACCESSING DOCUMENTATION
https://mystormshield.eu
In your MyStormshield personal area, you will be able to track and manage the life
cycle of your Stormshield products through two types of accounts: client and
partner.
With a client account, you can register all the Stormshield products belonging to a
single company.
With a partner account, you can oversee managed services for partner accounts, if
such services have been set up.
When you create a MyStormshield account, you need to enter information about
your company or your client’s company.
When you receive a Stormshield product, you need to register it in your or your
client’s account in order to activate the maintenance contract.
Several contacts can be entered for each user within the same user account.
You can access online help dedicated to the MyStormshield website from the
homepage.
STOP/START/RESET
Figure: appliance panel showing the SD card slot, the LEDs and the power supply.
Connectors are similar throughout the UTM range, but may have a different location
depending on the product:
• On/Off button,
• Three status LEDs:
o The first LED, in orange, indicates that the firewall is powered on
(power cable plugged in),
o The second LED, in green, indicates that the firewall system is
starting up or shutting down,
o The third LED, in green, indicates that the firewall has finished
booting and is running,
• SD card slot: to add memory cards on the firewall,
• PS2 keyboard port and VGA or HDMI video connector: to connect a
keyboard and screen to the firewall and access console mode,
• Serial port or USB port connected internally to a serial adapter: to connect
a serial console on the firewall,
• Reset button: to restore the firewall's factory settings,
• USB port: to connect a USB key or a 3G modem,
• Network interfaces: type and number of interfaces depend on the firewall
model.
Note: The memory card must be at least Class 10, SDHC standard with a maximum
capacity of 32 GB (2 TB for SN160(W), SN210(W), and SN310).
CONNECTING TO THE FIREWALL
Figure: default configuration (bridge address and DHCP range, as described in the text).
In the default configuration, the first interface of the firewall is named "OUT", the
second "IN" and the remaining interfaces "DMZx". The "out" interface is an external
interface used to connect the firewall to the Internet and the other interfaces are
internal and are mainly used to connect the firewall to local networks.
Keeping internal/external interfaces separate ensures that you are protected from IP
address spoofing attacks.
All interfaces are included in a bridge with the address 10.0.0.254/8. A DHCP server
is enabled on all interfaces of the bridge and distributes IP addresses between
10.0.0.10 and 10.0.0.100 inclusive.
NOTE: With the default configuration, when a host connects to the external
interface and then to an internal interface, the firewall considers this an IP address
spoofing attempt on the bridge and blocks all traffic generated by this
host. The firewall must be rebooted to work around this situation.
Figure: login page at https://10.0.0.254/admin; supported browsers: Microsoft Edge, Google Chrome, Mozilla Firefox.
You can access the firewall's administration interface through a browser in HTTPS at
"https://10.0.0.254/admin". For this interface to operate optimally, you are
advised to use the latest versions of Microsoft Edge, Google Chrome or Mozilla
Firefox.
In the advanced options, the administrator can select the language of the
configuration menus and request read-only access, which prevents the configuration from
being modified.
The icon at the top right side of the page opens the online help.
Figure: layout of the administration interface (menus, menu contents).
When you click on the user name, you will be able to:
• Access the Preferences menu to configure parameters relating to the
administration interface. The most important are:
o Idle time before logging the user out of the administration
interface (30 minutes by default),
o Display options in the menus (always show advanced
configurations, number of filter rules per page, etc.),
o External links to Stormshield sites.
• Obtain or release write permissions. Note that at any given time, only one
user can have the write permission on the firewall.
• Access private data.
• Log out the user.
2. Menus (red box): configuration and monitoring menus, and shortcuts in the form
of expandable lists. Menus are classified under two categories: the Monitoring
tab for anything that relates to monitoring, logs or the status of the firewall; the
Configuration tab for objects and the configuration of various features.
3. Menu contents (blue box): displays the contents of the selected menu.
4. Administration interface logs (brown box): displays the list of web interface logs,
which can be customized. For example, you can choose to show only NSRPC
commands executed by the web interface, reported errors, warnings, etc.
DASHBOARD
The dashboard includes all information and indicators regarding the firewall:
• Status of Active Update,
• Alarms,
• License (expiry date of each module),
• Properties (serial number, active policies, date and time, etc.),
• Interfaces (list of configured network interfaces),
• Status of various services.
SYSTEM CONFIGURATION
1. GENERAL CONFIGURATION:
• Name of the firewall, which is the serial number by default,
• Language of the firewall for logs: English or French,
• Layout of the keyboard used for direct console access: English, French,
Italian, Polish or Swiss.
• Cryptography settings offer two options, which relate respectively to
certificates (covered in the Expert course) and to the ANSSI "Diffusion
Restreinte" mode.
• The password policy defines the minimum length and mandatory
characters for passwords created in the firewall's various menus (for
example: user passwords in the internal directory (LDAP), passwords that
protect backup files, passwords of certificates created on the firewall). By
default, the minimum length is one character and no characters are
mandatory. However, the administrator may impose alphanumeric
passwords only or alphanumeric with special characters.
• Time settings: date, time and time zone. These parameters are crucial for
functions such as logs and authentication. The firewall must be restarted
if the time zone is changed.
• To allow the firewall to automatically synchronize its clock with an NTP
server, simply select Synchronize firewall time (NTP). By default, two NTP
servers belonging to Stormshield are preconfigured in the list of servers,
which may be modified.
2. FIREWALL ADMINISTRATION:
• The "admin" account's permission to access the administration interface
can be withdrawn. In that case, a new administrator with the right
permissions must be created first; otherwise, you will permanently lose access
to the firewall's administration interface.
• The port used to access the firewall's administration interface can be a
port other than the standard HTTPS (443/TCP), which is defined by default.
The access URL then becomes https://<firewall IP>:<port>/admin.
• By default, the firewall's administration interface uses a certificate issued
by the firewall's certification authority. The link "Configure the SSL
certificate for access to the administration interface" will lead to the menu
that allows you to modify this certificate.
• Protection from brute force attacks on the administration interface can be
enabled/disabled; the number of attempts and the interval between
attempts (in minutes) can be configured. By default, after 3 unsuccessful
attempts, access from the IP address in question will be blocked for 1
minute.
• Access to the administration interface may be restricted to a specific host
or network. In this case, the host or network has to be in the Authorized
administration host list. By default, only internal networks and those
represented by the object "Network_internals" are allowed to access it.
• SSH (secure connection) access can be enabled and the service's listening
port (SSH, 22/TCP by default) can be changed. Password authentication can
be enabled for simplified access; users are then prompted for their login
and password when connecting. Otherwise, access must be managed with a
key pair.
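The brute-force protection and authorized-host restriction described above, modelled as an added example (not Stormshield's code): a tracker that denies a source IP after the configured number of failed logins within the interval and blocks it for that interval, using the page defaults of 3 attempts and 1 minute. The authorized-hosts list, the sample login events and the function names are constructed for this example; using the interval both as the counting window and as the block duration is an assumption.

```python
"""Model of the two admin-interface access controls described above.

Added example, not Stormshield code: a lockout tracker that blocks a
source IP after N failed logins within a configurable interval, plus an
authorized-hosts check. Defaults follow the page: 3 attempts, 1 minute.
The authorized network, event list and names are constructed here.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class AdminAccessPolicy:
    """Mirrors the 'Firewall administration' settings discussed above."""
    # Constructed: the bridge network used in the page's default configuration.
    authorized_hosts: list[str] = field(default_factory=lambda: ["10.0.0.0/8"])
    max_attempts: int = 3       # failed attempts tolerated inside the interval
    interval_minutes: int = 1   # counting window and block duration (assumption)


class AdminLoginGuard:
    def __init__(self, policy: AdminAccessPolicy) -> None:
        self.policy = policy
        self._nets = [ipaddress.ip_network(n) for n in policy.authorized_hosts]
        self._failures: dict[str, deque[float]] = defaultdict(deque)
        self._blocked_until: dict[str, float] = {}

    def is_authorized_host(self, src_ip: str) -> bool:
        """Authorized administration hosts: source must sit in one of the networks."""
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self._nets)

    def is_blocked(self, src_ip: str, now: float) -> bool:
        """True while the temporary block is active; expired blocks are cleared."""
        until = self._blocked_until.get(src_ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[src_ip]
            return False
        return True

    def attempt(self, src_ip: str, password_ok: bool, now: float) -> str:
        """Evaluate one login attempt at time `now` (seconds) and return a verdict."""
        if not self.is_authorized_host(src_ip):
            return "denied: host not in authorized administration hosts"
        if self.is_blocked(src_ip, now):
            return "denied: source temporarily blocked"
        window = self.policy.interval_minutes * 60
        fails = self._failures[src_ip]
        # Sliding window: forget failures older than the interval.
        while fails and now - fails[0] >= window:
            fails.popleft()
        if password_ok:
            fails.clear()
            return "accepted"
        fails.append(now)
        if len(fails) >= self.policy.max_attempts:
            self._blocked_until[src_ip] = now + window
            fails.clear()
            return "denied: too many attempts, source blocked"
        return "denied: bad password"


# Constructed sample of login events: (seconds since start, source IP, password ok?)
SAMPLE_EVENTS = [
    (0, "10.0.0.42", False),
    (5, "10.0.0.42", False),
    (10, "10.0.0.42", False),   # third failure within 60 s -> blocked for 60 s
    (20, "10.0.0.42", True),    # correct password, but the block is still active
    (75, "10.0.0.42", True),    # block expired -> accepted
    (80, "192.0.2.7", True),    # outside the authorized hosts -> denied
]


def replay(events=SAMPLE_EVENTS, policy: AdminAccessPolicy | None = None) -> list[str]:
    """Run the events through one guard and return the verdict for each."""
    guard = AdminLoginGuard(policy or AdminAccessPolicy())
    return [guard.attempt(ip, ok, float(t)) for t, ip, ok in events]


if __name__ == "__main__":
    for (t, ip, _), verdict in zip(SAMPLE_EVENTS, replay()):
        print(f"t={t:>3}s {ip:<12} {verdict}")
```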
3. NETWORK PARAMETERS:
• When the firewall goes through a proxy to access the Internet, the proxy's
parameters have to be configured in this menu.
• One or several DNS servers may be added. The firewall contacts these
servers to resolve the names that it sends or relays. Names must be
resolved for features such as Active Update, which queries update servers
in order to download databases (context-based patterns, antivirus,
Vulnerability Manager, etc.). These DNS servers are also used when the
DNS cache service is enabled in transparent mode (see the Appendix on
the DNS cache proxy).
The password of the admin account can be changed in the ADMIN ACCOUNT tab
in the CONFIGURATION ⇒ SYSTEM ⇒ Administrators menu. The password must
contain at least 5 characters and comply with the password policy defined in the
CONFIGURATION menu.
The strength of the password indicates its level of security: Very weak, weak,
moderate, good, excellent. You are strongly advised to use uppercase letters and
special characters to increase the level of security.
The Export the private key and Export the public key buttons on the firewall make it
possible respectively to download the private key and the public key of the admin
account.
LICENSE
1. GENERAL:
At the top of the tab, a button allows you to search for new licenses directly on
Stormshield update servers and another button allows you to install licenses. These
buttons are followed by information on the duration of the license’s validity and the
various options available. The section Install from a file makes it possible to install a
license from the .license file stored on the PC.
The section Advanced configuration makes it possible to configure the frequency
with which the firewall will look for updates and automatically install them.
2. LICENSE DETAILS:
The buttons that allow you to search for and install licenses are also found in this
section. Use the search bar to find out whether an option or service is available in
the license.
The rest of the page sets out the contents of the license with validity durations of
various options.
MAINTENANCE
1. System update:
This tab allows the administrator to update the version of the system (firmware). The
".maj" update file can be downloaded from the Stormshield client account, or the
firewall can automatically retrieve it when you click on "Search for new updates".
The diagram above illustrates the update of the partition system. The new version of
the system "x+1" will replace the older version "x" located on the active partition
while keeping the same configuration "y". The administrator can choose whether to
create a backup of the active partition on the backup partition before the update,
using the option "Back up the active partition on the backup partition before
updating the firewall" (if the option has been selected, the older version of the
system "x-1" and the configuration "y-1" will be permanently lost).
2. BACKUP:
In this tab, the administrator can manually back up the firewall's configuration,
which is downloaded and saved in an encrypted ".na" file. The items that
are backed up in the file include:
The administrator can also enable the automatic backup of the configuration file.
Two options are available:
• Cloud backup: By enabling this option, the configuration file will be stored
on a server hosted in a service infrastructure called a cloud backup
service managed by Stormshield. Backups may be performed every day,
every week or every month. In advanced configuration, this frequency can
be configured and the configuration can be protected with a password,
thanks to the Backup frequency and Backup file password
parameters. Backups are secured via an HTTPS connection and certificate-
based authentication. A maximum of 5 configuration files per firewall can
be saved on the cloud's servers. Beyond that, new files will overwrite
older files. These files can be accessed from Stormshield's client area.
3. RESTORE:
A configuration may be restored from a .na file stored on the host. If the
configuration file is password-protected, the administrator will need to enter it in the
advanced configuration section.
Partial restorations are possible. In this case, in Advanced properties, select the
necessary module(s). In all cases, you are advised to restart the firewall after a
restoration (you will be asked to restart after a full restoration).
NOTE: As the admin user's password is not saved in the configuration file, it will
not be restored or backed up.
Configurations can also be restored from the latest automatic backup from the date
indicated as Date of last backup. If the backup is password-protected, the
administrator will need to enter it in the advanced configuration section.
MAINTENANCE: CONFIGURATION
4. CONFIGURATION:
All physical Stormshield Network UTM appliances hold two fully independent
partitions that make it possible to store various firmware versions. Each partition has
its own configuration. It is therefore important to distinguish between main/backup
partitions and active/passive partition. There are two possible scenarios as
illustrated above: (1) active partition => main and passive partition => backup or (2)
active partition => backup and passive partition => main.
The administrator can select the partition that will become active the next time the
firewall is started (main or backup). The other partition will then automatically
become the passive partition.
With the "Back up active partition" button, the contents of the active partition
(configuration + firmware) can be copied to the backup partition.
The last maintenance options allow you to reboot or shut down the firewall and
download the system report, a text file that shows the firewall's status and many
other indicators that will help technical support with their diagnosis.
The CONFIGURATION ⇒ SYSTEM ⇒ Active Update menu allows you to monitor the
automatic updates of the following modules:
The administrator can enable or disable the update of a single module or of all
modules at once using the "Allow all" and "Reject all" buttons.
The lists of update servers for the various modules and the URL database can be
accessed in advanced configuration. The administrator can modify, add or delete
servers.
SECURITY RECOMMENDATIONS
As SSH access requires the use of the admin account, access must be occasional and
monitored. When not in use, SSH must be disabled to minimize the attack surface.
Passwords must be changed with every use.
An internal NTP server ensures the consistency of dates in logs, which is an absolute
necessity when logs need to be correlated.
With an internal DNS, you can:
- Maintain control over name resolution,
- Speed up resolution.
The firewall must be managed from a protected, identified network and kept
separate from production environments.
Users must understand the languages used to avoid mistakes when handling the
product.
For highly specific situations/questions, refer to the TAC knowledge base at kb.stormshield.eu.
LOGS AND MONITORING
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
Training program
Logs and monitoring
LOG CATEGORIES
➔ Log categories
Configuring and viewing logs
Monitoring and history graphs
Syslog, SVC, e-mail notifications and reports
The features and services on Stormshield Network firewalls generate events that are
stored locally in log files (on the hard disk) or on an SD memory card for firewalls
that have the "external storage" option. Log files are organized in several categories
as described below:
• Administration: all events relating to firewall administration. Therefore all
changes made to the firewall’s configuration are logged.
• Authentication: all events relating to the authentication of users on the
firewall.
• Network connections: all events relating to TCP/UDP connections going
through or to the firewall that are not processed by an application plugin.
• System events: all events relating directly to the system: shutting
down/starting up the firewall, system errors, switching on/off an interface,
high availability, Active Update, etc.
• Alarms: all events relating to intrusion prevention features (IPS) and
events that have been logged with a minor or major alarm level in the
filter policy.
• HTTP Proxy: all events relating to connections going through the HTTP
proxy.
CONFIGURING AND VIEWING LOGS
Logs are rotated, i.e., older log entries are overwritten by newer ones. This is the
default selection.
• Viewing logs
The AUDIT LOGS menu in CONTEXT: MONITORING displays logs saved locally on
firewalls that are equipped with a hard disk or SD memory card with the external
storage option, grouped by log family: network traffic, alarms, web, etc. E.g.: the
Network traffic family concatenates the following logs: Network connections,
filtering, FTP proxy, application connections, POP3 proxy, SMTP proxy, SSL proxy,
HTTP proxy, VPN SSL.
Logs can be restricted to a predefined (last hour, today, last week or last month) or
customized time range.
Logs are displayed with the most recent entries at the top of the list.
The default number of columns displayed is limited. However, all columns can be
displayed in one click using the option Expand all the elements in the Actions menu
(red box). To manually add one column at a time, click on the arrow framed in blue
and then on Columns.
To see all data relating to a log, highlight a row and click on the Log line details
(green box).
A simple search field makes it possible to filter logs by searching for a character
string in all columns of all logs. In the example above, the search criterion is part of
the name of an ICMP filter rule. The results of the search are displayed regardless of
whether the column containing the information is visible on the screen.
When you right-click on an item in a log, a window appears with shortcuts to several
features that vary depending on the type of item selected, as shown in the example
above:
• Several actions can be performed with URL objects, e.g., adding a URL list
defined by the administrator (blue box, then green box).
• ICMP (red box) can be added as a search criterion, which will replace the
verbose criterion in the example above. In this case, the corresponding filter rule can
be highlighted directly in the active security policy.
These operations mean that the administrator can rely on logs to refine their
security policies, enrich the objects database on the firewall and check
configurations intuitively.
In order to apply the new European regulation on personal data, the GDPR (General
Data Protection Regulation), access to logs on SNS firewalls is restricted by default
for all administrators.
The admin super administrator and all administrators who hold the Access to
private data privilege can gain full access to logs simply by clicking on Obtain the
access privilege for private data (logs).
Administrators who do not hold the Access to private data privilege can still obtain
full access using a temporary access code generated by another administrator who
holds the Management of access to private data permission.
MONITORING AND HISTORY GRAPHS
The MONITORING menu shows graphs and data in real time organized in 12 sub-
menus:
In addition to real-time graphs, four history graphs are also available if the History
curves button is set to ON in the menu CONFIGURATION ⇒ NOTIFICATIONS ⇒
Report configuration. History graphs show:
• CPU consumption,
• Bandwidth use for each interface,
• Bandwidth use for each QoS queue,
• Host reputation.
Like reports, history graphs can also be viewed over a configurable period: last hour,
specific day, last 7 days or last 30 days.
• Configuration of monitoring
NOTE: Activity reports and history graphs are available on firewalls that do not have
local log storage. However, they are limited to 5 reports and graphs in total with a
maximum history of 7 days.
SYSLOG, SVC, E-MAIL NOTIFICATIONS AND REPORTS
Details on these four features are covered in the appendix of the Logs and
Monitoring module.
SECURITY RECOMMENDATIONS
A strong log policy ensures that logs are not altered and remain easily accessible
for debugging.
Logs must be stored locally for appliances to be debugged effectively. The external
server secures access to logs and protects them from attempts to alter them when
the appliance is compromised.
SNMP must be used to monitor the appliance while keeping a high level of security,
by applying specific firewall rules to such traffic.
[Lab architecture diagram: servers DNS 192.168.1.10, WEB 192.168.1.11, FTP 192.168.1.12 and MAIL 192.168.1.13; firewall interfaces OUT, IN and DMZ]
APPENDIX – LOGS AND MONITORING
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.
Appendix
Logs and monitoring
SYSLOG
Stormshield Network firewalls embed a syslog client that can be enabled to send
logs to external syslog servers. Up to four syslog servers can be enabled at the same
time by customizing the transmission protocol, format and log categories for each
server.
NOTE:
• The Certification authority, Server certificate and Client certificate parameters are
enabled only if the TLS protocol has been selected.
• The Backup server and Backup port parameters can only be used if TCP or TLS
have been selected.
STORMSHIELD VISIBILITY CENTER (SVC)
Stormshield provides its partners with a free syslog server built into a virtual
machine, Stormshield Visibility Center, which can be downloaded from the
mystormshield area in ".ova" or ".vhd" format.
Network parameters and the keyboard language can be manually configured when
the virtual machine starts up by holding down any key for 5 seconds. Otherwise, the
network interface will be in DHCP by default and the keyboard configuration will be
"US". During startup as well, a password must be entered for the "root" and "log"
users. The "root" user makes it possible to log in to the virtual machine's console,
whereas the "log" user allows access to the web interface.
Once the user has logged in to the console of the virtual machine, the command
svc-configurator makes it possible to view and configure several parameters: data,
network, database, password, keyboard language, date, etc.
Logs can be viewed through a web interface that can be accessed in HTTPS through
the virtual machine's IP address. The home page consists of several panels:
• Global - Menu: groups the home screens of each Stormshield product and the
configuration operations that link a Stormshield product to the SVC server.
• Global - Events: number of entries reported by Stormshield products.
• Events – Per types: provides an overview of logs by category.
Default views can be used for SNS firewalls, but the interface makes it possible to
define other fully customized lines and sections.
Dashboards are displayed by default for a limited duration - the icon at the top right
of the web interface makes it possible to change it to a predefined or customizable
duration.
Display filters can also be used. For example, in the above view showing SNS logs,
windows containing graphs have been removed from the view and a filter makes it
possible to display log lines that contain a specific destination port.
E-MAIL NOTIFICATIONS
Start by configuring the users and/or groups that will receive notifications.
The RECIPIENTS tab allows you to create and configure mailing lists. Recipients in a
group can be e-mail addresses or users saved in the LDAP base. In this case, ensure
that users have entered their e-mail addresses in their LDAP identities.
In the TEMPLATES tab, you can customize the body text in e-mails sent for various
events, except alarm management (seen earlier). This text can contain variables
($URL, $UID, etc.) that will be replaced with values that depend on the context of
the event.
REPORTS
Reports are calculated based on log files and are stored in a database. These
calculations only take into account logs that were captured since reports were
enabled; log history is not factored in.
Next, you will be able to select which reports to enable/disable in the LIST OF
REPORTS tab by double-clicking on the Status field in a report.
Reports calculate statistics on the 50 most important events that occurred within the
selected time range (last hour, last day, last 7 days or last 30 days). However, the
page only displays the first 10 events (top 10) out of these 50. The rest of the events
(11th to 50th) are grouped in the Others category.
OBJECTS
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
Training program
Objects
OVERVIEW
➔ Overview
Network objects
• An object:
– Represents/bears a value (IP address, URL, time-based event, etc).
– Has a name and description
The configuration menus for Stormshield Network firewalls use objects to represent
values, e.g., IP addresses, network addresses, URLs, events, etc. There are two major
advantages in using objects instead of values:
1. The administrator deals with names, which are more recognizable than
values.
2. Whenever a value changes, only the object needs to be modified instead
of all the menus in which the object is used.
In this module, we will focus mainly on network objects. Web objects will be covered
in the "application protection" module. As for the segment on certificates and PKI, it
will be covered in the CSNE course.
Object names have to follow the syntax restrictions defined in the table above.
Names are not case-sensitive.
NOTE: Several objects bearing the same value can be created. However, we advise
against it in order to simplify the display of configuration menus (mainly filter and
NAT rules) and object databases, and of course, to simplify their maintenance.
NETWORK OBJECTS
The network object database can be accessed from the menu CONFIGURATION ⇒
OBJECTS ⇒ Network objects. It includes the following categories of objects:
• Host: an IP address,
• DNS name (FQDN): all IP addresses associated with an FQDN name by DNS
resolution,
• Network: a network address,
• IP address range: an address range,
• Port – port range: a port or a port range. It can be restricted to a particular
transport protocol (TCP or UDP),
• IP protocol: the ID of the IP protocol,
• Group: a group of objects with one or several IP addresses: hosts, IP address
ranges, networks or other groups,
• Port group: a group of objects containing ports or port ranges as well as other
port groups,
• Region group: a group of countries or continents. This type of object can be used
in the geolocation of IP addresses,
• Router: makes it possible to enter one or several gateways for a load balancing
route with or without backup gateways. This object will be covered in detail in the
Routing section of the Network Configuration module,
• Time: an event with a set time (ad hoc, day of the year, day(s) of the week or time
slot(s)).
There are two other particular categories of objects in addition to those that can be
created by the administrator:
• Implicit objects: these are created automatically by the firewall and depend on
the network configuration. These objects are in read-only mode and the
administrator can neither modify nor delete them. For example, the object
Firewall_out is created automatically when an IP address is associated with the
OUT interface, and the object Network_internals groups all networks
accessible via the internal interfaces.
• Preconfigured objects: these are present by default in the list of objects. They
represent values of standardized network parameters (ports, protocols,
networks) and the values needed for the firewall to run (IP addresses of
Stormshield servers for updates). The diagrams above represent ICMP and the
Internet object, which groups all hosts that are not part of internal networks.
NOTE: We recommend that you use implicit and pre-configured objects and refrain
from creating other objects with the same values.
• Creating an object
• Selecting the object category
• Name of the object
• Corresponding value
The window comprises several tabs, one for each category of object to be created.
In most cases, to create an object, two mandatory fields – name and the value –
must be defined. The comments field is optional.
You can either "create" or "create and duplicate" the object. The second button will
create the object and keep the creation window open in order to facilitate the
creation of a new object of the same category.
The screen captures above illustrate the creation of FQDN, host and IP address range
objects.
NOTE: When you create an FQDN object, click on the magnifying glass to resolve the
name of the object. All resolved IP addresses will be added to the objects database,
and the first IP address on the list will appear as the default address. If you do
not yet have access to a DNS server that can resolve addresses, enter any IP address; it
will change when the name is resolved.
The screen captures above illustrate the creation of port and time objects.
To add one or several objects to the group, simply select the object and move it from
the list on the left to the list on the right by clicking on the → button. Delete objects
from a group by doing the opposite with the ← button.
You can search for objects by typing partial names or the values of the desired
objects in the search field.
Object databases can be exported to a CSV file by clicking on "Export". You will then
be asked if you wish to download the file locally. The CSV file will contain host, IP
address range, network, FQDN, port - port range, protocol, group and port group
objects.
Objects are arranged by category, separated by lines that contain the names of
parameters: #type, #name, #IP, etc. (parameters differ according to object
categories). Object attributes are separated by commas.
Objects can be imported from a CSV file in the same format as the exported file.
To do so, click on "Import", and a window will open to allow the CSV file to be
selected. Next, simply click on "Transfer" to start importing the file. A progress bar
shows how long the import will take. Once it is complete, a report will show the
number of objects imported by type.
NOTE: Objects already found on the firewall will be replaced with the objects
transferred from the file.
SECURITY RECOMMENDATIONS
• Avoid duplicates
If an object group contains all the administration IP addresses and networks, it can
be used in all filter rules relating to administration, ensuring consistency and making
it easier to modify groups.
Dynamic objects such as FQDNs and dynamic hosts generate DNS requests regularly,
requiring network and firewall resources. Ordinarily, the objects saved by default in
the configuration will not be necessary if the above recommendations have been
applied, i.e., the use of a mirror or internal proxy.
Unused objects, often forgotten and created again, will occupy unnecessary space.
To avoid any duplicates from being created in the first place, you are advised to avoid
keeping specific objects that will not be used in the configuration.
Duplicates have to be identified and deleted, as they can potentially cause errors
when filter rules are modified. For example, if an object with a duplicate is modified,
the changes will not be applied to all the filter rules that contain it, creating a
security flaw.
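As an added example (not from the Stormshield course or from Stormshield's own tooling), the following Python script parses an object export in the layout described in the export/import section above (one "#" parameter line per category, attributes separated by commas) and flags objects that carry the same value, the duplicates this recommendation warns about. Only #type, #name and #IP are parameter names given in the course; the other parameter names and the sample objects are constructed assumptions.

```python
"""Parse a Stormshield-style object export (CSV with '#' parameter lines per
category) and flag objects that share the same value.

Constructed sample: only #type, #name and #IP are names given in the course;
#mask, #proto, #port and #comment are assumptions made for this example."""
import csv
from collections import defaultdict
from io import StringIO

SAMPLE_EXPORT = """\
#type,#name,#IP,#comment
host,srv_dns,192.168.1.10,DNS server
host,srv_web,192.168.1.11,web server
host,srv_web_bis,192.168.1.11,same value as srv_web
#type,#name,#IP,#mask,#comment
network,net_dmz,172.16.2.0,255.255.255.0,DMZ network
network,net_internal,192.168.2.0,255.255.255.0,internal hosts
#type,#name,#proto,#port,#comment
port,http_alt,tcp,8080,alternate web port
port,http_alt_bis,tcp,8080,same value as http_alt
"""

# Fields that do not form part of an object's value.
NON_VALUE_FIELDS = {"type", "name", "comment"}


def parse_object_export(text):
    """Return a list of dicts, one per object.

    A line starting with '#' names the parameters of the rows that follow it
    (one such line per object category); the '#' prefix is stripped and the
    names are lower-cased, so #IP becomes the key 'ip'.
    """
    objects = []
    fields = None
    for row in csv.reader(StringIO(text)):
        if not row or not any(cell.strip() for cell in row):
            continue  # blank line
        if row[0].startswith("#"):
            fields = [cell.strip().lstrip("#").lower() for cell in row]
            continue
        if fields is None:
            raise ValueError("data row found before any #parameter line")
        if len(row) != len(fields):
            raise ValueError(f"row {row!r} does not match fields {fields!r}")
        objects.append({k: v.strip() for k, v in zip(fields, row)})
    return objects


def object_value(obj):
    """The comparable value of an object: its type plus every value field."""
    return (obj["type"],) + tuple(
        (k, v) for k, v in obj.items() if k not in NON_VALUE_FIELDS
    )


def count_by_type(objects):
    """Number of objects per category, like the import report's per-type count."""
    counts = defaultdict(int)
    for obj in objects:
        counts[obj["type"]] += 1
    return dict(counts)


def find_duplicates(objects):
    """Map each value shared by several objects to the sorted object names."""
    names_by_value = defaultdict(list)
    for obj in objects:
        names_by_value[object_value(obj)].append(obj["name"])
    return {
        value: sorted(names)
        for value, names in names_by_value.items()
        if len(names) > 1
    }


if __name__ == "__main__":
    objs = parse_object_export(SAMPLE_EXPORT)
    print("objects per type:", count_by_type(objs))
    for value, names in find_duplicates(objs).items():
        print("duplicate value", dict(value[1:]), "shared by", names)
```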
LAB 2 – OBJECTS
[Lab architecture diagram: servers DNS 192.168.1.10, WEB 192.168.1.11, FTP 192.168.1.12 and MAIL 192.168.1.13; firewall interfaces OUT, IN and DMZ]
NETWORK CONFIGURATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
Course program
Network configuration
CONFIGURATION MODES
➔ Configuration modes
Types of interfaces
System routing
Advanced routing
Order of routing types
There are three configuration modes on all models of the Stormshield Network
Security range:
• Transparent mode or bridge mode,
• Advanced mode or router mode,
• Hybrid mode.
Do note that there is no configuration wizard for these modes. Each mode can be
implemented when needed, by configuring network interfaces and translation rules.
[Diagram: transparent mode. Local address range 192.168.0.x/24 with default router 192.168.0.1; Internet access gateway]
With transparent mode, the Stormshield Network firewall can be integrated easily
into an existing network without having to modify its configuration.
This mode is particular in that all of the firewall’s interfaces are included in a bridge
that bears the IP address of the local network (IP used to access the firewall’s
administration interface). This makes it possible to obtain several physical networks
(one network per interface) sharing the same logical network.
Physical networks and the Internet access gateway communicate in bridge mode
(level 2) but the firewall continues to monitor traffic between interfaces (filtering,
ASQ analysis, etc).
In the diagram above, the local network uses a private address range 192.168.0.0/24
and accesses the Internet via a gateway that performs address translations. The
Stormshield Network firewall acts on connections between hosts in the local
network and the Internet access gateway.
[Diagram: advanced mode. Internal address range 192.168.0.x/24 with default router 192.168.0.1; DMZ address range with default router 172.16.1.1; public address 195.36.253.1 towards the Internet access gateway; address translation on the firewall]
In advanced mode, the firewall acts as a router by managing several logical networks
(network addresses). Each interface is configured with a particular IP network, so
that the network can be physically and logically segmented.
In the image above, the local network is made up of two logical networks: a network
for internal hosts and a network for servers in the DMZ. Each network is connected
to the firewall via an interface with a specific IP address range. The public IP address
is configured directly on an external interface of the firewall.
In this mode, the Stormshield Network UTM has to manage the address translation
mechanisms to provide the local network with Internet access.
[Diagram: hybrid mode, first scenario. Address range 192.168.0.x/24 with default router 192.168.0.1 shared by the bridged interfaces; public address 195.36.253.1 towards the Internet access gateway; address translation on the firewall]
Hybrid mode is a combination of the bridge and advanced modes. The purpose of
this combination is to have several interfaces in a bridge (same address range) and
other independent interfaces with different address ranges.
In this mode there are two possible scenarios. The first is illustrated here. The
network of the internal hosts and the network of servers in the DMZ share the same
address range and they are connected to the firewall via interfaces belonging to the
same bridge. Address translation has to be configured on the firewall in order for the
local network (network of the bridge) to access the Internet via the external
interface, configured with a public IP address.
[Diagram: hybrid mode, second scenario. Internal address range 192.168.0.x/24 with default router 192.168.0.1 on an interface outside the bridge; bridge IP address range 195.36.253.1 shared by the DMZ and the interface towards the Internet access gateway; address translation for the internal network]
The second scenario is illustrated above. The network of servers in the DMZ is
configured with a public IP address range. Each server will therefore have its own
public IP address.
This network is connected to the firewall by an interface in the same bridge as the
external interface that leads to the Internet access router. The servers in the DMZ
access the Internet via the bridge and no address translation is needed (connections
will still go through filter rules and other application analyses on the UTM).
The network of internal hosts has a private address range, and is connected to the
firewall via an interface that does not belong to the bridge. As a result, address
translation has to be configured in order to allow this network to access the internet.
TYPES OF INTERFACES
✔ Configuration modes
➔ Types of interfaces
System routing
Advanced routing
Order of routing types
[Diagram: interface types: bridge, VLAN1 and VLAN2, PPPoE and PPTP modems, 3G/4G USB modem]
NOTE: the icon in the screen capture above means that the administrator is logged in
to the firewall from the corresponding interface.
Every physical interface has at least one static or dynamic IP address (blue box), with
the following parameters:
• Status: enabled or disabled
• Name: the interface must be given a logical name that is different from the
interface’s system name,
• Comments: optional parameter to add remarks regarding the selected interface,
• This interface is:
• internal (protected): a protected interface only accepts packets coming
from a known address range, such as a directly connected network or a
network defined by a static route. This protection includes the registration
of hosts connected to this interface (thereby protecting against IP address
spoofing), and allows implicit filter rules to be generated during the
activation of certain services on the firewall (for example SSH). An icon
representing a shield appears on all protected interfaces.
• external (public): indicates that the interface does not benefit from the
protection of a protected interface and can therefore receive packets
coming from any address range (which are not assigned to internal
interfaces). This type of interface is used mainly to connect the firewall to
the Internet.
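As an added example (not from the course and not the firewall's actual implementation), the following Python function applies the protected/public distinction described above to a packet's source address: on a protected interface only sources from a directly connected or statically routed range are accepted, while an external interface accepts any source that is not assigned to an internal interface. The interface names and address ranges are constructed for the example.

```python
"""Source-address check on a protected (internal) versus public (external)
interface, illustrating the rule described in the course. Interfaces and
addresses are constructed for the example, not taken from a real firewall."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    protected: bool  # True = internal (protected), False = external (public)
    connected: list = field(default_factory=list)      # directly connected networks
    static_routes: list = field(default_factory=list)  # networks reached by static routes via this interface

    def known_networks(self):
        """Address ranges a protected interface may legitimately receive packets from."""
        return [ipaddress.ip_network(n) for n in self.connected + self.static_routes]


# Constructed topology, loosely modelled on the lab diagram (IN, DMZ, OUT).
INTERFACES = [
    Interface("in", True, connected=["192.168.2.0/24"], static_routes=["10.10.0.0/16"]),
    Interface("dmz", True, connected=["172.16.2.0/24"]),
    Interface("out", False, connected=["192.36.253.0/24"]),
]


def _owner_of(src, interfaces):
    """Name of the protected interface whose known ranges contain src, else None."""
    for iface in interfaces:
        if iface.protected and any(src in net for net in iface.known_networks()):
            return iface.name
    return None


def check_source(ingress_name, src_ip, interfaces=INTERFACES):
    """Return (accepted, reason) for a packet with source src_ip entering ingress_name."""
    ingress = next(i for i in interfaces if i.name == ingress_name)
    src = ipaddress.ip_address(src_ip)
    owner = _owner_of(src, interfaces)
    if ingress.protected:
        # A protected interface only accepts sources from its own known ranges.
        if owner == ingress.name:
            return True, f"{src} is in a range known on protected interface {ingress.name}"
        return False, (f"{src} is not in a range known on protected interface "
                       f"{ingress.name} (possible address spoofing)")
    # An external interface accepts any range not assigned to an internal interface.
    if owner is not None:
        return False, f"{src} belongs to protected interface {owner} but arrived on external {ingress.name}"
    return True, f"{src} accepted on external interface {ingress.name}"


if __name__ == "__main__":
    for iface, src in [("in", "192.168.2.10"), ("in", "203.0.113.7"), ("out", "192.168.2.10")]:
        print(iface, src, *check_source(iface, src))
```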
NOTE: configurations will not be saved if they are not applied using the Apply
button.
NOTE: in the ADVANCED PROPERTIES tab of a PPTP or PPPoE modem, you can
specify whether connectivity is permanent or on demand.
Before you create the modem interface, you must configure a profile according to
the parameters that the modem vendor provided. For more details, see the technical
note Configuring a 3G/4G modem on SNS. The technical note explains which
parameters need to be entered in the profile.
After you have created the profile, you need to restart the firewall.
After the restart, create the interface and attach the profile, which you configured
earlier, to this interface.
[Diagram: firewall in router mode with two VLAN interfaces (VLAN10, VLAN20) on an 802.1q tagged port; frames from PC1 to SERVER carry an 802.1q VLAN header with VLAN ID 10 or 20 between the switch and the firewall, and no VLAN header on the switch's untagged ports]
VLANs (Virtual Local Area Networks) introduce the concept of virtual segmentation
which makes it possible to create logical sub-networks within the same physical network
architecture. All network devices belonging to the same VLAN can communicate with
each other and make up a broadcast domain. The use of VLANs in a network
architecture therefore enhances performance by restricting broadcasts, and offers
better security by separating logical networks.
Stormshield manages IEEE 802.1q VLANs, for which an additional 4-byte header is:
• Added by a manageable switch or the firewall to an outgoing Ethernet frame sent over an
802.1q tagged port,
• Removed by a manageable switch or the firewall from an incoming Ethernet frame received
over an 802.1q tagged port.
This header includes the VLAN id (VID) field, which identifies the VLAN to which the
frame belongs. This field is coded in 12 bits and allows up to 4094 different VLANs to be
defined (VLANID=0 means that the frame does not belong to any VLAN and
VLANID=4095 is reserved). The header also includes the 3-bit Priority or CoS (Class of
Service) field which indicates the priority of the packet defined by the IEEE 802.1p
standard.
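As an added illustration (example code, not part of the training material or of the firewall), the following Python script builds a constructed Ethernet frame, inserts and removes the 4-byte 802.1q header described above, and decodes the 3-bit priority and 12-bit VID fields, rejecting the reserved VID 4095. The MAC addresses and the payload are made up for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100          # EtherType value announcing an IEEE 802.1Q tag
VID_MIN, VID_MAX = 1, 4094   # VID 0 = priority-tagged only, VID 4095 = reserved


@dataclass
class ParsedFrame:
    dst_mac: str
    src_mac: str
    vid: Optional[int]        # None when the frame carries no 802.1Q tag
    priority: Optional[int]   # 3-bit PCP (802.1p class of service), None if untagged
    ethertype: int            # protocol carried in the payload, e.g. 0x0800 for IPv4
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Parse an Ethernet II frame; if it is tagged, decode the 4-byte 802.1Q header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = priority = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # Tag = TPID (2 bytes) + TCI (2 bytes); TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13
        vid = tci & 0x0FFF
        if vid == 4095:
            raise ValueError("VID 4095 is reserved by IEEE 802.1Q")
        offset = 18
    return ParsedFrame(_mac(frame[:6]), _mac(frame[6:12]), vid, priority, ethertype, frame[offset:])


def add_tag(frame: bytes, vid: int, priority: int = 0) -> bytes:
    """Insert the 802.1Q header between the MAC addresses and the EtherType (egress on a tagged port)."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"VID must be in {VID_MIN}..{VID_MAX}")
    if not 0 <= priority <= 7:
        raise ValueError("PCP must be in 0..7")
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    tci = (priority << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Remove the 802.1Q header (ingress on a tagged port); returns (vid, untagged frame)."""
    parsed = parse_frame(frame)
    if parsed.vid is None:
        return None, frame
    return parsed.vid, frame[:12] + frame[16:]


# Constructed sample frame (not captured traffic): PC1 -> SERVER with an IPv4 payload placeholder.
SAMPLE_UNTAGGED = (bytes.fromhex("0011223344aa") + bytes.fromhex("0011223344bb")
                   + struct.pack("!H", 0x0800) + b"IP DATAGRAM")
SAMPLE_TAGGED_VLAN20 = add_tag(SAMPLE_UNTAGGED, vid=20, priority=5)


def demo() -> ParsedFrame:
    """What the firewall's VLAN20 interface sees once the tagged frame has been decoded."""
    return parse_frame(SAMPLE_TAGGED_VLAN20)
```

add_tag is the egress operation of a tagged port and strip_tag the ingress one; once the tag is removed, the VID alone decides which VLAN interface (VLAN10 or VLAN20 in the figure) the datagram is attributed to.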
NOTE:
• The MTU value of the interface can be changed in the ADVANCED
PROPERTIES tab of a VLAN,
• In the above example, even though the parent interface of the VLAN is
disabled, the VLAN interface can still be created and run properly.
[Diagram: bridge mode. PC and SERVER are each attached to a switch (SWITCH 2 on the server side) with an 802.1q tagged port; the FIREWALL sits between the two switches and has two VLAN interfaces, VLAN20_1 and VLAN20_2, both for VLAN ID 20. Frames cross the firewall as Ethernet header | VLAN header | IP DATAGRAM | CRC.]
The example above shows what happens when a firewall is added between two
switches in bridge mode, and linked up via an 802.1q tagged link. The switches
continue to behave the same way despite the addition, but the firewall will analyze
traffic on the VLAN.
The consistency of the network configuration is analyzed in real time. You can view it
by clicking on the arrow at the bottom of the screen.
Even when a warning appears, the configuration can still be backed up. However,
errors will prevent backups from being performed (the Apply button is grayed out).
SYSTEM ROUTING
NETWORK CONFIGURATION
✔ Configuration modes
✔ Types of interfaces
➔ System routing
Advanced routing
Order of routing types
[Diagram: firewall with the interfaces in, dmz1 and out; the default gateway is on the network 212.13.25.120/30 of the out interface.]
Traffic that does not match any route in the routing table will be sent back to the
default gateway, regardless of route type: standard (static or dynamic routing) or
Stormshield proprietary (policy-based routing).
The default gateway can be entered in the IPV4 STATIC ROUTES tab in the menu
CONFIGURATION ⇒ NETWORK ⇒ Routing, Default gateway (router) parameter, and
can be one of the following values:
• Host object: specifies a single default gateway without availability testing, load
balancing or backup gateways (example above),
• Router object: the various gateways configured in the router object make it
possible to conduct availability and load balancing tests and to use backup
gateways. Such objects will be explained later in this chapter.
NOTE: on interfaces that obtain their IP addresses dynamically via DHCP, when the
DHCP lease is obtained, an object named Firewall_<interface_name>_router will
be created, and can be used as the default gateway.
For example, since the address range of your out interface is dynamic, you can enter
the object Firewall_out_router in the Default gateway (router) parameter.
[Diagram: the firewall's "sites" interface leads to the default router and to routers R1, R2 and R3, which give access to the remote sites, among them remote site C (192.168.3.0/24) and remote site D (192.168.4.0/24); the "in" interface is the internal network.]
Static routing consists of manually entering the remote gateway to which packets
will be sent in order to reach a remote network. In the figure above, three static
routes are needed to reach the remote networks B, C and D via the outgoing
interface named "sites", then routers R1, R2 and R3.
Static routes can be configured in the section IPV4 STATIC ROUTES in the first tab of
the menu CONFIGURATION ⇒ NETWORK ⇒ Routing.
The section contains a search bar and two buttons to add or delete routes. It also
contains a window that lists all the static routes and their parameters. The Add
button adds entries to the list. Mandatory parameters for this line are:
• Status: on / off
• Destination network: may be a host, network or group object.
• Gateway: host object representing the IP address of the gateway that
makes it possible to reach the destination network.
• Interface: outgoing interface to reach the gateway. Based on the
parameters of the interface, the firewall automatically fills in the address
range. The selection of the interface is justified for bridges that may
contain protected and unprotected interfaces. You can find out whether
the network needs to be considered protected only when you select the
interface. When the address range of the interface is different from the
gateway’s address range, an error message will indicate that the gateway
is not routable.
Network configuration
ADVANCED ROUTING
• Dynamic routing
[Diagram: BIRD on the firewall can run RIP, BGP or OSPF; OSPF is enabled on the sites interface towards remote site 1 (10.0.1.0/24), remote site 2 (10.0.2.0/24) and remote site 3 (10.0.3.0/24); the in interface is the internal network.]
In dynamic routing, routes are learned automatically through a routing protocol. SNS
firewalls use BIRD to implement dynamic routing. BIRD implements 3 routing
protocols - RIP, OSPF and BGP - the supported versions of which are entered in the
knowledge base. In the figure above, the OSPF routing protocol is enabled on the
sites interface on the firewall to allow the firewall to learn the routes that access
networks remote1, remote2 and remote3.
Dynamic routing can be configured in the IPV4 DYNAMIC ROUTING tab in the menu
CONFIGURATION ⇒ NETWORK ⇒ Routing.
Destination networks that were added to the routing table by a dynamic protocol
can be added to the table of protected networks.
• Policy-based routing
[Diagram: the firewall has the interfaces in, dmz1, isp1 and isp2; outgoing mail is sent towards ISP 2, the other traffic towards ISP 1.]
In the above example, outgoing e-mail traffic is redirected to the gateway "ISP2"
while the rest of the traffic is redirected to the gateway "ISP1", which is the default
gateway.
[Diagram: load balancing; the connections leaving the firewall (interfaces in, dmz1, isp1 and isp2) are shared between ISP 1 and ISP 2.]
Router objects group several gateways so that they can be used simultaneously.
When a router object is created, a single route is created in the routing table. Router
objects also make it possible to conduct availability and load balancing tests and to
use backup gateways.
With load balancing, connections can be shared among several gateways. Traffic may
be shared equally or weighted so that each gateway receives a specific percentage of
the overall traffic. How traffic is shared may be based on the source IP address or the
parameters of a connection, i.e., source and destination IP addresses and port
numbers.
The figure above provides an example in which all outgoing connections will be
shared between the gateways "ISP1" and "ISP2" according to the chosen load
balancing mode (by source or by connection).
By using router objects, load balancing can be applied to traffic sent to the default
gateway or even to a particular type of traffic via policy-based routing. In the first
case, the router object has to be specified as the firewall's default gateway (see slide
27), whereas in the second case, the router object has to be entered in the gateway
parameter of the Action field in a filter rule (see slide 34).
Routing by load balancing can be configured in a router object. The various gateways
have to be added in the LIST OF GATEWAYS USED tab. Each line makes it possible to
enter:
• The gateway with a host object
• Availability testing: tests the availability of the gateway using pings. This
parameter may have several values:
• No availability testing: the availability of the gateway will not be tested.
• Test the gateway directly: pings will be sent directly to the gateway to test
its availability.
• A host or host group located behind the gateway, to which pings will be
sent to test the gateway's availability and operational status.
By default, the status of each gateway will be checked every 15 seconds by sending a
ping to each host entered. If no response is received after 2 seconds, the firewall will
try again three more times before considering the gateway unavailable.
The weight (red box) determines how much of the traffic managed by the router
object will be assigned to a gateway: the gateway's share is its weight divided by the
sum of the weights of all the gateways in the object, expressed as a percentage:
% traffic(gateway) = weight(gateway) / Σ weight(all gateways) × 100
The algorithm used (blue box) for load balancing can be configured in the Load
balancing (Advanced configuration) parameter:
• No load balancing: traffic will be sent exclusively to the first gateway that
appears in the list.
• By connection: balances traffic according to source and destination IP
addresses and port numbers. This algorithm is recommended as it allows
connections from the same host to be balanced equally.
• By source IP address: balances traffic according to the source address.
This ensures that traffic from a particular host will always be sent to the
same gateway.
When a filter rule uses a router object (policy-based routing) and none of the
object’s gateways can be reached, the behavior of the firewall can be configured in
the If no gateways are available parameter:
• Default route: traffic is sent to the default router.
• Do not route: traffic will be blocked by the firewall.
• Backup gateways
[Diagram: the firewall (interfaces in, dmz1, isp1 and isp2) sends all connections to ISP 1; ISP 2 is a backup gateway that receives the connections when ISP 1 is unavailable.]
A router object also makes it possible to specify a list of backup gateways that will be
used in the event one, several or all main gateways are unavailable.
In the example illustrated above, the gateway "ISP2" is considered a backup gateway
that will be used for all traffic only when "ISP1" is no longer available.
Do note that router objects make it possible to use backup gateways for traffic sent
to the default gateway or only for a particular type of traffic using policy-based
routing.
• If one or all backup gateways must be enabled: by default, only the first
contactable backup gateway in the list will be used unless the option
Enable all backup gateways when unavailable is selected.
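The following Python model, added here as an example and not taken from the SNS firewall code, ties together the router object behaviour described on the last few slides: the availability test (a ping every 15 seconds, a 2-second timeout and three retries before a gateway is declared unavailable), weighted load balancing by connection or by source IP address, backup gateways (the first contactable one only, or all of them), and the If no gateways are available choice for policy-based routing. Gateway names, weights and probe results are constructed; spreading connections with a hash of the connection parameters is an assumption made for the example, the firewall's actual algorithm is not documented on these slides.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PROBE_TIMEOUT_S = 2     # wait 2 s for each ping reply
PROBE_INTERVAL_S = 15   # test each gateway every 15 s
PROBE_RETRIES = 3       # 3 more attempts before the gateway is declared unavailable


@dataclass
class Gateway:
    name: str
    weight: int = 1
    reachable: bool = True
    failures: int = 0    # consecutive unanswered pings

    def record_probe(self, answered: bool) -> bool:
        """Feed one availability-test result (constructed here instead of a real ping)."""
        if answered:
            self.failures = 0
            self.reachable = True
        else:
            self.failures += 1
            # first failure + 3 retries = 4 unanswered pings -> unavailable
            if self.failures > PROBE_RETRIES:
                self.reachable = False
        return self.reachable


@dataclass
class RouterObject:
    gateways: List[Gateway]                  # LIST OF GATEWAYS USED
    backups: List[Gateway] = field(default_factory=list)
    balancing: str = "connection"            # "none" | "connection" | "source"
    enable_all_backups: bool = False         # "Enable all backup gateways when unavailable"
    if_no_gateway: str = "default"           # "default" (default route) | "drop" (do not route)

    def active_gateways(self) -> List[Gateway]:
        main = [g for g in self.gateways if g.reachable]
        if main:
            return main
        backup = [g for g in self.backups if g.reachable]
        if not backup:
            return []
        return backup if self.enable_all_backups else backup[:1]

    def share_percent(self, gw: Gateway) -> float:
        """Weight of the gateway over the sum of the weights of the active gateways, times 100."""
        active = self.active_gateways()
        total = sum(g.weight for g in active)
        return 100.0 * gw.weight / total if gw in active and total else 0.0

    def select(self, src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> Optional[str]:
        """Gateway name for a new connection, "DEFAULT_ROUTE", or None when traffic must be blocked."""
        active = self.active_gateways()
        if not active:
            return "DEFAULT_ROUTE" if self.if_no_gateway == "default" else None
        if self.balancing == "none":
            return active[0].name
        # by source: the key is the source address only, so one host always gets the same gateway;
        # by connection: source and destination addresses and ports, so one host's connections spread
        key = src_ip if self.balancing == "source" else f"{src_ip}:{src_port}>{dst_ip}:{dst_port}"
        digest = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
        # weighted bucket selection: a gateway with weight w owns w slots out of the total
        point = digest % sum(g.weight for g in active)
        for g in active:
            point -= g.weight
            if point < 0:
                return g.name
        return active[-1].name


def distribution(router: RouterObject, n_connections: int) -> Dict[str, int]:
    """Count how n constructed connections from one /24 are spread over the gateways."""
    counts: Dict[str, int] = {}
    for i in range(n_connections):
        gw = router.select(f"192.168.1.{i % 254 + 1}", "192.0.2.10", 20000 + i, 443)
        counts[gw] = counts.get(gw, 0) + 1
    return counts
```

With weights 3 and 1, share_percent reports 75 % and 25 %, and distribution over a few thousand constructed connections lands close to that split; switching balancing to "source" makes every connection of a given host return the same gateway.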
• Return route
[Diagram: two WAN access points, ISP 1 on the isp1 interface and ISP 2 (default gateway) on isp2; an incoming connection (1) enters through isp1 towards dmz1 (2); the steps 3 and 4 show the response leaving through isp2 when no return route exists; the in interface is the internal network.]
The return route specifies the outgoing interface to reach a remote gateway. Such
routes are used to force outgoing traffic from an incoming connection to go through
the connection's incoming interface.
The image above illustrates an example in which we have two WAN access points.
The "ISP1" access point is reserved exclusively for mail traffic (incoming and
outgoing). The "ISP2" access point is used as the default exit point for other traffic.
Without a return route, responses from incoming e-mail connections via "ISP1" can
be redirected through "ISP2".
Return routes can be configured in the RETURN ROUTE tab in the menu
CONFIGURATION ⇒ NETWORK ⇒ Routing. A row needs to be added for each route,
in which the gateway and the interface allowing it to be accessed have to be
specified.
Network configuration
ORDER OF ROUTING TYPES
An IP packet is matched against the routing types in decreasing order of priority:
1. Return route
2. Policy-based routing
3. Static routing
4. Dynamic routing
5. Load balancing and/or backup gateways
6. Default route
The figure shown above illustrates the order in which the various types of routing
will be applied.
NOTE: When a router object is used in policy-based routing and no gateways can be
contacted, two options are possible: either routing can be delegated to the default
route or the firewall can block the traffic. These options are not possible if the router
object is used in the default route.
SECURITY RECOMMENDATIONS
If an interface is not in use, you are advised to disable it to prevent any traffic from
arriving on it.
In order to recognize networks that can be reached from an interface, they must be
known to the firewall. For this, you will need a route that leads from a protected
interface to these networks. On the other hand, any unreachable network defined in
the routing table may hinder the anti-spoofing mechanism, which is why you should
never leave unnecessary routes in the routing table.
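As an added example (not the firewall's implementation), the Python model below applies the routing types in the order shown above to a constructed topology with the interfaces in, dmz1, isp1 and isp2 from the earlier slides, and also performs the anti-spoofing check of a protected interface described in the recommendation just given: a source address is accepted on a protected interface only if a directly connected network or a static route through that interface covers it. Prefixes and gateway addresses are documentation ranges chosen for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    in_iface: str                          # interface the packet arrives on
    reply_to_iface: Optional[str] = None   # for a reply: interface the original connection came in on


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str
    gateway: Optional[str] = None          # None: network directly connected to the interface


def _longest_prefix(routes: List[Route], ip: str) -> Optional[Route]:
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)


@dataclass
class RoutingTable:
    protected: Set[str]                    # interfaces marked "internal (protected)"
    connected: List[Route]                 # networks of the interfaces themselves
    static: List[Route]                    # IPV4 STATIC ROUTES
    dynamic: List[Route] = field(default_factory=list)   # learned through BIRD
    policy: List[Tuple[Callable[[Packet], bool], Route]] = field(default_factory=list)  # filter rule -> gateway
    return_routes: List[Route] = field(default_factory=list)   # RETURN ROUTE tab: gateway and its interface
    default: Optional[Route] = None

    def lookup(self, pkt: Packet) -> Tuple[str, Optional[Route]]:
        """Apply the routing types in the slide's order; returns (routing type used, route)."""
        if pkt.reply_to_iface:
            for r in self.return_routes:
                if r.interface == pkt.reply_to_iface:
                    return "return route", r
        for matches, r in self.policy:
            if matches(pkt):
                return "policy-based routing", r
        r = _longest_prefix(self.connected + self.static, pkt.dst)
        if r:
            return "static routing", r
        r = _longest_prefix(self.dynamic, pkt.dst)
        if r:
            return "dynamic routing", r
        if self.default:
            return "default route", self.default
        return "no route", None

    def anti_spoofing_ok(self, pkt: Packet) -> bool:
        """A protected interface only accepts sources it knows: connected networks or static routes through it."""
        if pkt.in_iface not in self.protected:
            return True
        known = [r for r in self.connected + self.static if r.interface == pkt.in_iface]
        return _longest_prefix(known, pkt.src) is not None


def example_table() -> RoutingTable:
    """Constructed topology modelled on the slides: in, dmz1, isp1 (mail) and isp2 (default gateway)."""
    isp1_gw = Route("0.0.0.0/0", "isp1", "203.0.113.1")
    return RoutingTable(
        protected={"in", "dmz1"},
        connected=[Route("192.168.1.0/24", "in"), Route("172.16.1.0/24", "dmz1"),
                   Route("203.0.113.0/30", "isp1"), Route("198.51.100.0/30", "isp2")],
        static=[Route("192.168.3.0/24", "in", "192.168.1.254")],
        dynamic=[Route("10.0.1.0/24", "in", "192.168.1.253")],
        policy=[(lambda p: p.in_iface == "dmz1" and p.dst_port == 25, isp1_gw)],  # outgoing mail via ISP1
        return_routes=[isp1_gw],
        default=Route("0.0.0.0/0", "isp2", "198.51.100.1"),
    )
```

The last point the recommendation makes can be reproduced with this model: appending a static route to an unreachable network (say 10.99.0.0/16) through the in interface makes packets with a source in that network pass the anti-spoofing check on in, which is why unnecessary routes should be removed.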
APPENDIX - NETWORK CONFIGURATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.
Appendix
Network configuration
WI-FI INTERFACES
NETWORK CONFIGURATION
Program
➔ Wi-Fi interfaces
Dynamic DNS
DHCP
Static multicast routing
DNS proxy cache
Bird static routing
Bird dynamic routing
[Diagram: firewall with the two WLAN access points PublicAP and PrivateAP.]
SN160W and SN210W firewalls have a built-in 802.11 a/b/g/n Wi-Fi card that makes it
possible to configure two separate WLAN access points, to which wireless
equipment connects over the 2.4 GHz or 5 GHz frequency ranges.
• General configuration:
• Scan frequency: select or create a time object to define when to enable
the Wi-Fi card.
• Mode: select the transmission standard that the Wi-Fi card uses:
o 802.11b, 802.11g or 802.11g/n in the 2.4 GHz range.
o 802.11a or 802.11a/n in the 5 GHz range.
[Screenshot: the available channels in the 2.4 GHz and in the 5 GHz ranges.]
• Channel configuration:
• Country: select the country in which the firewall is installed so that the Wi-
Fi transmission complies with the country's regulations. This choice will
determine the available communication channels and signal strength.
• Channel: select the channel that the Wi-Fi card uses. The channels offered
depend on the selected country and mode.
• Tx power: set the transmission strength of the Wi-Fi card. The strengths
offered depend on the selected country.
NOTES:
• The above parameters are the same for both WLAN access points.
• If you have other Wi-Fi access points in your company, refrain from using identical
or overlapping channels so that you can restrict interference on your wireless
network:
• In the 2.4 GHz frequency range, only channels 1, 6 and 11 do not overlap.
• In the 5 GHz frequency range, none of the channels overlap.
After the Wi-Fi card is activated, you can configure both access points in
CONFIGURATION ⇒ NETWORK ⇒ Interfaces.
Both access points correspond to the WLAN interfaces PrivateAP and PublicAP,
disabled by default. They can be enabled simultaneously with different
configurations, making it possible to have two separate WLAN networks that can be
managed separately in other modules: DHCP, filtering, translation, authentication,
etc.
NOTES:
• After having configured a WLAN interface, you need to configure the DHCP server
to automatically assign IP addresses to devices that log in to the WLAN. Refer to
the chapter on DHCP in this module to find out how to do so.
• WLAN interfaces can belong to a bridge.
• VLAN interfaces cannot have a WLAN interface as their parent interface.
DYNAMIC DNS
[Diagram: Dynamic DNS; the client on the firewall obtains a new IP address (1) and updates the record on the DNS service provider's server (2), which the other clients then query.]
Dynamic DNS makes it possible to match a domain name to a firewall that does not
have a static public IP address. This means that the firewall can always be reached
when its domain name is used. This feature relies on a DNS service provider;
Stormshield Network firewalls support two providers: DynDNS and No-IP.
The way Dynamic DNS works is illustrated in the diagram above. It involves two
entities: a client integrated into the Stormshield Network firewall, which sends IP
address updates to a server maintained by the DNS service provider. The domain
name is associated with an interface. Updates are performed every time the IP
address of the interface changes. If the address never changes, updates will take
place by default every 28 days.
• User name and Password: the ID and password used to authenticate the
client with the DNS service provider.
• Dynamic DNS server: indicates the DNS service provider’s server in the
form of a host object with an automatically resolved name (see the
Objects module).
• Dynamic DNS Service: indicates the service subscribed with the DNS
service provider.
DHCP
[Diagram: the DHCP exchange (broadcast or unicast) between a client and the DHCP server: DHCP DISCOVER, DHCP OFFER, DHCP REQUEST, DHCP ACK; in the second case the firewall acts as a DHCP relay and forwards each message between the client and the server.]
The firewall cannot simultaneously manage DHCP server and relay features.
• DHCP server:
The Parameters section defines the elements sent by default to DHCP clients:
Domain name, Default gateway, Primary DNS Server and Secondary DNS
server. This information can be customized for each address range defined in
the ADDRESS RANGE section. Ranges must comply with the following
conditions:
• An address range must belong to the same addressing scheme as the
protected interface’s scheme.
• IP address ranges must not overlap.
• The gateway specified for a range has to be in the same addressing
scheme.
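As an added example, not a tool shipped with the firewall, the Python function below checks a DHCP server configuration against the three conditions above and against the reservation requirement of the next slide (the host object must carry a MAC address). The network, ranges and reservations are constructed values.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


@dataclass
class AddressRange:
    name: str
    first: str
    last: str
    gateway: Optional[str] = None   # per-range override of the default gateway


@dataclass
class Reservation:
    host: str                       # name of the host object
    ip: str
    mac: Optional[str] = None       # None models a host object without a MAC address


def check_dhcp_config(interface_network: str, ranges: List[AddressRange],
                      reservations: List[Reservation], default_gateway: str) -> List[str]:
    """Return the list of violations; an empty list means the configuration is consistent."""
    net = ipaddress.ip_network(interface_network)
    errors: List[str] = []
    if ipaddress.ip_address(default_gateway) not in net:
        errors.append(f"default gateway {default_gateway} is not in {net}")
    seen = []   # (name, first, last) of the ranges already accepted, for the overlap check
    for r in ranges:
        first, last = ipaddress.ip_address(r.first), ipaddress.ip_address(r.last)
        if first > last:
            errors.append(f"{r.name}: first address {r.first} is after last address {r.last}")
            continue
        # condition 1: the range belongs to the protected interface's addressing scheme
        if first not in net or last not in net:
            errors.append(f"{r.name}: range is not in the protected interface's network {net}")
        # condition 3: a gateway given for the range is in the same scheme
        if r.gateway is not None and ipaddress.ip_address(r.gateway) not in net:
            errors.append(f"{r.name}: gateway {r.gateway} is not in {net}")
        # condition 2: ranges do not overlap
        for name, f2, l2 in seen:
            if first <= l2 and f2 <= last:
                errors.append(f"{r.name}: overlaps with {name}")
        seen.append((r.name, first, last))
    for res in reservations:
        if res.mac is None or not MAC_RE.match(res.mac):
            errors.append(f"reservation {res.host}: no valid MAC address found for the host")
        if ipaddress.ip_address(res.ip) not in net:
            errors.append(f"reservation {res.host}: {res.ip} is not in {net}")
    return errors
```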
Still in the same menu, the RESERVATION section makes it possible to reserve
static IP addresses for hosts in the LAN, identified by their MAC address.
Addresses can be reserved by adding a row in the list using the Add button. A
host object must be entered in the Reservation field. This object must
contain the IP address that will be assigned to the client and the MAC
address of the host that will obtain this IP address. If the host object entered
does not contain a MAC address, an error appears to indicate that a MAC
address could not be found for the host. A specific gateway can be entered
for the reserved IP address in the GATEWAY field.
• DHCP relay
If the option Relay DHCP requests for all interfaces is selected, the firewall
will listen to client requests on all of its network interfaces (the list that
follows will then be grayed out).
Otherwise, the list will make it possible to specify interfaces for which
requests must be relayed.
STATIC MULTICAST ROUTING
[Diagram: static multicast routing between the interfaces DMZ1, LAN1 and LAN2 for the groups Group1 (239.0.0.100) and Group2 (239.0.0.200).]
Unlike a unicast transmission in which a copy of the traffic is sent to each recipient, a
multicast transmission distributes a single copy of the traffic to a group of recipients
identified by a multicast IP address (class D, 224.0.0.0 to 239.255.255.255). This
transmission mode is used mainly to distribute real-time multimedia traffic (radio,
TV, conferences, etc). To receive a stream of traffic, the user must subscribe to the
multicast group using IGMP (Internet Group Management Protocol). IGMP requests
are received on the access router which manages multicast groups (subscription,
unsubscription, checking the presence of subscribers) in the internal network and
retrieves multicast traffic, by using a multicast routing protocol (PIM-SM, PIM-DM,
PIM-BIDIR, PIM-SSM, DVMRP and MOSPF) with the other routers.
Note:
• For the moment, multicast groups cannot be managed with IGMP on SNS
firewalls, which do not implement multicast routing protocols. Support for these
features is expected in future versions.
To add a route, simply click on Add which will launch a wizard; in the first window,
enter the source interface and multicast address or network. Destination interfaces
are indicated in the second window.
Routing must be enabled by selecting the parameter Enable static multicast routing.
DNS PROXY CACHE
[Diagram: DNS proxy cache; the firewall keeps a table of domain names and IP addresses and answers repeated requests for www.google.com from this cache instead of forwarding each one to the DNS server.]
The DNS proxy cache feature makes it possible to memorize the IP addresses of
names resolved by DNS requests. This saves bandwidth by preventing multiple
resolutions of the same name. This feature can be implemented in two situations:
• When the local network uses the firewall as a DNS server. The firewall
receives the DNS request and checks for the presence of the name in the
cache. If the name does not exist, the firewall will resolve it using its DNS
servers, add the name accompanied by the IP addresses to the
cache and send a DNS response to the local network. If the name exists
in the cache, the firewall will send a DNS response based on available
information.
• When the local network uses any DNS server. The DNS request intended
for server X is intercepted by the firewall, which begins by checking for the
name in the cache. If the name does not exist, the firewall will resolve it
using its servers instead of server X, add the name accompanied by
the IP addresses to the cache and send a DNS response to the local
network by spoofing the IP address of server X, leading the local network
to believe that the name was resolved by this server. If the name exists in
the cache, the firewall will send a DNS response based on available
information, also by spoofing the IP address of server X.
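The following Python model is an added example (not the firewall's code) of the two situations above: a cache keyed by name with TTL expiry, a list of clients allowed to use the cache, and a response whose source address is the server the client addressed, whether that is the firewall itself or an intercepted server X. The zone data, the addresses and the clock are constructed so that the example runs offline.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DnsQuery:
    client: str     # source address of the request
    server: str     # DNS server the client addressed: the firewall itself, or any "server X"
    name: str


@dataclass(frozen=True)
class DnsResponse:
    source: str             # address the client sees the answer coming from
    name: str
    addresses: List[str]
    from_cache: bool


@dataclass
class DnsProxyCache:
    firewall_ip: str
    allowed_clients: List[str]                         # hosts, networks or ranges allowed to use the cache
    resolve: Callable[[str], Tuple[List[str], int]]    # the firewall's own resolver: (addresses, ttl seconds)
    now: Callable[[], float]                           # clock, injected so the example is deterministic
    _cache: Dict[str, Tuple[List[str], float]] = field(default_factory=dict)
    upstream_queries: int = 0

    def is_allowed(self, client: str) -> bool:
        addr = ipaddress.ip_address(client)
        return any(addr in ipaddress.ip_network(n, strict=False) for n in self.allowed_clients)

    def handle(self, q: DnsQuery) -> Optional[DnsResponse]:
        """Answer from the cache or resolve; None means the request is not intercepted and passes untouched."""
        if not self.is_allowed(q.client):
            return None
        entry = self._cache.get(q.name)
        if entry is not None and entry[1] > self.now():
            addrs, hit = entry[0], True
        else:
            addrs, ttl = self.resolve(q.name)    # resolved with the firewall's servers, never with server X
            self.upstream_queries += 1
            self._cache[q.name] = (addrs, self.now() + ttl)
            hit = False
        # Situation 1: q.server is the firewall, which answers as itself.
        # Situation 2: q.server is some server X; the answer carries X's address as source,
        #              so the client believes X resolved the name.
        return DnsResponse(source=q.server, name=q.name, addresses=list(addrs), from_cache=hit)


class FakeClock:
    """Constructed clock for the example; a real deployment would use time.monotonic."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


# Constructed upstream answers (not real resolution results).
CONSTRUCTED_ZONE = {"www.example.com": (["192.0.2.10", "192.0.2.11"], 300)}


def constructed_resolver(name: str) -> Tuple[List[str], int]:
    return CONSTRUCTED_ZONE.get(name, ([], 60))


def build_example() -> Tuple[DnsProxyCache, FakeClock]:
    clock = FakeClock()
    proxy = DnsProxyCache(firewall_ip="192.168.1.1", allowed_clients=["192.168.1.0/24"],
                          resolve=constructed_resolver, now=clock)
    return proxy, clock
```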
In CONFIGURATION ⇒ Network ⇒ DNS Proxy cache, the DNS cache can be enabled.
Objects that are allowed to use this cache must be explicitly added to the List of
clients allowed to use the DNS cache. These objects can be hosts, networks, address
ranges or groups.
BIRD STATIC ROUTING
Route injection
Bird makes it possible to inject routes into the FreeBSD system routing table, and in
return, learn routes that are already in the routing table, so that they can be
redistributed via dynamic routing protocols, for example.
The Bird configuration file shown by default in the graphical interface is:
The sections seen in this file (pseudo-protocols) determine the interactions between
Bird and the system, in the following order:
• Protocol direct: routes to networks directly connected to the firewall's
local interfaces can be exported to Bird.
• Protocol kernel: the Bird routing table can be synchronized with the
system’s routing table.
• Protocol device: statuses of links on interfaces are monitored, e.g., when
an interface is disabled, routes that must go through this interface will be
deleted from the system routing table.
Bird commands
To view information on routes, the status of interfaces or other information about
Bird, you can use the following commands after you have enabled dynamic routing in
the web interface:
Test the show interfaces command, for example, which is particularly useful in
viewing the status of each interface, its system name and usual name. Also, when
you have pushed a configuration, regularly compare the Bird routing table (show
route) with the FreeBSD routing table (netstat -rn).
Fault tolerance
Stormshield firewalls support the use of two links with different priorities:
Fault detection depends on the status of interfaces, among other factors. But this
aspect does not apply to VTIs, since firewalls always consider them active. To force a
quick switch when a link fails, BFD (Bidirectional Forwarding Detection) can be used.
This is not a routing protocol, but an independent feature, which also works with
dynamic routing. BFD makes it possible to detect faults on links by monitoring
sessions that were created by sending UDP packets (port 3784). As soon as a BFD
instance is created, it must be attached to the corresponding static route.
protocol bfd {
    interface "enc1" {
        interval 1 s;           # frequency of sending BFD control messages for an established BFD session
        multiplier 3;           # failure detection: the session is declared down after this many missed control messages
        idle tx interval 1 s;   # frequency of sending BFD control messages for a BFD session that is not yet established
    };
}
BIRD DYNAMIC ROUTING
Introduction
Before you configure OSPF, several important factors must be taken into account,
based on the network topology:
• The links over which OSPF will be used, such as point-to-point links.
• Routes that do not need to be exported to OSPF, such as default gateways specific
to each site, networks with the same network pool on all sites, etc.
• Interfaces on which OSPF traffic does not need to be enabled, such as the internal
interfaces of a site.
The command show route export kernel1 will be particularly useful in verifying the
routes that Bird injects into the kernel, and modifying import-export filters as a
result.
ADDRESS TRANSLATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
Training program
Address translation
OVERVIEW
ADDRESS TRANSLATION
➔ Overview
Dynamic translation
Static translation by port
Static translation
"NAT" Menu
Order of application of NAT rules
Address translation mechanisms have been developed to deal with the shortage of
public IP addresses. Basically, private IP addresses – defined by the IANA (Internet
Assigned Numbers Authority) and listed in RFC 1918 (table above) – are used for
local corporate and private networks. These networks are then connected to the
Internet via a single public IP address.
DYNAMIC TRANSLATION
Address translation
DYNAMIC TRANSLATION
@pub_fw
1 2
4 3
Address translation
Original packet 1 Translated packet 2
Source Source Destination Destination Source Source Destination Destination
address port address port address port address port
@privA xxxx @Web 80 @pub_fw 20,000 @Web 80
The diagram above illustrates how this type of translation works when the host
"@privA" accesses a web server "@web" over the Internet. The IP packet sent by the
host "@privA" to the server "@web" is intercepted by the firewall, which replaces
the source IP address "@privA" with the firewall’s public IP address
"@pub_fw" and the source port "xxxx" (this port is chosen by the operating system
of the host "@privA") with a port in the range [20000-59999]. The firewall
memorizes the translated match between (the IP address "@privA" /source port
"xxxx") and (the IP address "@pub_fw" /source port 20000). This match is used in
translating responses from the web server by replacing (the destination IP address
"@pub_fw" /destination port 20000) with (the destination IP address "@privA"
/destination port "xxxx").
[Diagram: several HTTP connections from internal hosts leave through the same public address @pub_fw.]
The modification of the source port is warranted mainly when two hosts "@privA"
and "@privC" use the same source port to set up a connection to the same web
server. If the source port is not modified by the firewall, the web server will receive
two connection requests coming from the same public IP address "@pub_fw" and
same source port. This may cause a malfunction on both connections and ambiguity
in the translation of responses with regard to the firewall, which will not know to
which host it needs to send the responses received from the server.
The source ports set by the firewall are selected from a predefined range called
ephemeral_fw [20000-59999]. By default, ports are chosen in sequence from the
range. There is however an option available to enable a random selection.
Address translation
STATIC TRANSLATION BY PORT
[Diagram: HTTP connection from @client on the Internet to the local web server through the public address @pub_fw (steps 1 to 4).]
The diagram above illustrates the example of a local web server "@priv_web"
accessible from the Internet over the firewall’s public IP address "@pub_fw". A
translation rule is created on the firewall to match (the destination public IP address
"@pub_fw" /destination port 80) and (the IP address of the local server
"@priv_web" /destination port 80).
As such, the packet sent by the host "@client" to the IP address "@pub_fw" on port
80 will be modified before being sent to the web server on the same port. The
response sent by this server will also be modified as a result before being sent to the
host "@client" . It is important to note that destination ports before and after
translation may differ.
[Diagram: a single public address @pub_fw gives access to several local servers, each reached by a different port.]
A single public IP address may provide access to services hosted on several local
servers as shown in the diagram above. Servers are differentiated only by the port
number of the service.
Address translation
STATIC TRANSLATION
[Diagram: SMTP connection from the Internet to the local mail server (steps 1 to 4).]
Original packet (1):   source @internet, source port xxxx, destination @pub_mail,  destination port 25
Translated packet (2): source @client,   source port xxxx, destination @priv_mail, destination port 25
Static translation must be two-way, meaning that the local server can be accessed by
all incoming connections from the Internet with its public IP address, and outgoing
connections initiated by this server to the Internet must have the same public IP
address as their source. This is reflected in two translation rules: a rule for incoming
connections and another rule for outgoing connections.
The diagram above shows the changes made to the packets of an incoming
connection to a local mail server based on the translation rule that matches (the
destination public IP address "@pub_mail") to (the IP address of the local server
"@priv_mail").
The packet sent by the mail server "@internet" to the IP address "@pub_mail" will
therefore be modified in order to be sent to the local mail server. The response sent by
this server will also be modified as a result before being sent to the mail server
"@internet". It is important to note that source ports before and after translation
may be restricted to a particular port number and may differ.
[Diagram: outgoing connection (steps 1 to 4) from @priv_mail through the firewall (@pub_fw plus the virtual address @pub_mail) to a server on the Internet; original packet (1) and translated packet (2)]
The diagram above shows the changes made to the packets of an outgoing
connection, initiated by the local mail server, to a server over the Internet based on
the translation rule that matches (the source private IP address "@priv_mail") to (the
source public IP address "@pub_mail").
As such, the packet sent by the server "@priv_mail" to an IP address over the
Internet will be modified to replace the source address "@priv_mail" with the source
address "@pub_mail". The response sent by the external server will also be modified
as a result before being sent to the local mail server. It is important to note that
source ports before and after translation may be restricted to a particular port
number and may differ.
[Diagram: an ARP broadcast "@pub_mail?" reaches the external interface; the firewall's ARP table holds the published entries @pub_ftp ⇒ @MAC_fw and @pub_mail ⇒ @MAC_fw, so the IP packet (Src IP / Dst IP) is delivered in an Ethernet frame addressed to @MAC_fw]
Given that virtual public IP addresses are not configured on the firewall's external
interface, the firewall will not respond to ARP requests to resolve these IP addresses
to the firewall's MAC address.
To resolve this issue, the ARP publication of virtual public IP addresses is needed so
that static translation will work. This means that entries are added to the
firewall's ARP table to match each virtual public IP address to the MAC address of
the external interface. The firewall will then be able to respond to ARP requests to
resolve these IP addresses and receive all packets going to these addresses, as shown
in the diagram above.
"NAT" MENU
[Screenshot: the ten filter and NAT policies: (1) Block all, (2) High, (3) Medium, (4) Low, (5) Filter 05, (6) Filter 06, (7) Filter 07, (8) Filter 08, (9) Pass all High, (10) Pass all; each policy has a Filtering tab and a NAT tab]
On Stormshield Network firewalls, filter and NAT rules (address translation) are
grouped in the same policy. Up to 10 different policies can be defined, but only one
policy may be active at a given time; it is identified by an icon in the list.
Filter and NAT rules can be configured in the menu CONFIGURATION ⇒ SECURITY
POLICY ⇒ Filtering and NAT.
The menu header makes it possible to:
• Select the filter and NAT policy using the drop-down list.
• Edit:
• Rename: changes the name of the policy.
• Reinitialize: resets to default filter and NAT rules.
• Copy to: copies from one policy to another.
• Export: exports filter/NAT rules from the selected policy to a CSV file,
which will then be used to retrieve rules on a Stormshield Management
Center (SMC) server.
The rest of the menu is made up of two tabs:
• Filtering: configures filter rules.
• NAT: configures address translation rules.
The use indicator (blue box) shows the number of times processed traffic matched
the criteria of the translation rule. The numeric counter appears when you hover over
the indicator. The indicator can display four colors, which reflect the ratio between
the number of hits for this rule and the maximum number of hits reached by a rule in
the same slot:
• White (blank): the rule has never been applied,
• Blue: the value displayed is between 0% and 2% of the maximum number
of hits,
• Green: the value displayed is between 2% and 20% of the maximum
number of hits,
• Orange: the value displayed is higher than or equal to 20% of the
maximum number of hits and exceeds 10,000 hits.
To save a policy, click on Apply. The policy is saved immediately. A new window
opens, allowing you to enable or disable the policy by clicking on YES, ACTIVATE THE
POLICY or LATER.
• Column display
The display of columns in the window may be customized by clicking first on the icon
indicated by the blue arrow above then on the columns. Simply select a column for it
to be displayed.
NAT rules can be moved in the window by dragging and dropping by clicking on the
rule number on the left.
NOTE: Searches performed in logs or monitoring rely on the name of the rule, so it
is useful to display the Name column. Note that a rule always has a default name,
which the administrator can change.
• Parameters of a rule
The parameters of a rule may be entered directly in the rule window or in a new
window that appears by double-clicking on any parameter of this rule. This window
also enables access to advanced configuration parameters.
Since the values of the parameters are objects, they can be copied from one rule to
another by dragging and dropping.
• Dynamic translation
Dynamic NAT rules can be created with the button New rule ⇒ source address
sharing rule (masquerading) which automatically adds the port range
ephemeral_fw to the src port in the traffic after translation.
The diagram above sets out an example of a dynamic NAT rule with the main
parameters that need to be entered. In the section original traffic (before
translation), the source represents the internal network Network_in accessible from
the "in" interface which wants to access any destination on any destination port. In
the section traffic after translation, the source is modified by the public IP address
of the "out" interface and the source port is translated into a port number in the
range ephemeral_fw.
You are advised to select the option Choose a random translated source port which
allows a port number to be chosen at random in the range ephemeral_fw for new
connections. This option provides protection from certain attacks by making the
translated port less predictable.
• Static translation by port
The static NAT rule by port is created from a standard rule. An example is given in
the diagram above.
In the section on original traffic, the source represents any host on the public
network going to the firewall's public IP address on port 80 (HTTP). In the section on
traffic after translation, the destination IP address is replaced with the server's
private IP address and port number 80 (HTTP) is kept as the destination port. It is
important to note that destination ports before and after translation may differ.
• Static translation
Static NAT rules can be created with New rule ⇒ static NAT rule (bimap) which
launches a wizard to enter the following information:
• Private host(s): the private IP address(es) of the internal server
• Virtual host(s): the virtual public IP address dedicated to the internal
server
• Only on the interface: external interface from which the server can be
accessed with its virtual public IP address.
• Only for ports: the static NAT rule allows all ports to be translated,
however it can be restricted by specifying one or several port ranges in
this parameter. You are advised to leave this value as Any and to restrict
the port directly in the filter rules.
• ARP publication: enables ARP broadcast for the public IP address.
The example illustrated in the diagram above statically translates an internal SMTP
server identified by a private IP address srv_mail_priv and a dedicated virtual public
IP address srv_mail_pub.
The wizard adds two translation rules: the first rule for the translation of the internal
server’s outgoing traffic toward the public network and the second for incoming
traffic going to the virtual public IP address. Both rules can be modified separately
later.
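The three kinds of rules described in this menu (masquerading with a random port from ephemeral_fw, static translation by port, and the pair of bimap rules) can be modelled as a first-match rule list with a small state table that undoes the translation on replies. The block below is an added example, not Stormshield code: the names @pub_fw, @priv_web, @pub_mail, @priv_mail, Network_in and ephemeral_fw come from the course, while the IP addresses, the port range and the choice of public port 8080 redirected to private port 80 (illustrating that destination ports may differ) are constructed for the example.

```python
import random
from dataclasses import dataclass

# The placeholder names from the course, bound to constructed addresses.
PUB_FW = "203.0.113.1"         # @pub_fw: public address of the "out" interface
PRIV_WEB = "192.168.1.11"      # @priv_web: local web server
PUB_MAIL = "203.0.113.25"      # @pub_mail: virtual public address of the mail server
PRIV_MAIL = "192.168.1.13"     # @priv_mail: local mail server
NETWORK_IN = "192.168.1."      # Network_in, matched by prefix to keep the model short
EPHEMERAL_FW = range(20000, 60000)   # ephemeral_fw, a constructed port range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    return ip.startswith(NETWORK_IN)


def build_rules(rng):
    """Ordered (name, match, translate) triples. Order matters: the bimap
    outgoing rule must precede masquerading, which also matches @priv_mail."""
    return [
        # Static translation by port: (@pub_fw / 8080) -> (@priv_web / 80).
        # The destination port before and after translation may differ.
        ("static_by_port",
         lambda p: p.dst == PUB_FW and p.dport == 8080,
         lambda p: Packet(p.src, p.sport, PRIV_WEB, 80)),
        # Static (bimap) translation, incoming rule: @pub_mail -> @priv_mail, all ports.
        ("bimap_in",
         lambda p: p.dst == PUB_MAIL,
         lambda p: Packet(p.src, p.sport, PRIV_MAIL, p.dport)),
        # Static (bimap) translation, outgoing rule: @priv_mail -> @pub_mail.
        ("bimap_out",
         lambda p: p.src == PRIV_MAIL and not is_internal(p.dst),
         lambda p: Packet(PUB_MAIL, p.sport, p.dst, p.dport)),
        # Dynamic translation (masquerading): Network_in -> @pub_fw, with a
        # random translated source port taken from ephemeral_fw.
        ("masquerade",
         lambda p: is_internal(p.src) and not is_internal(p.dst),
         lambda p: Packet(PUB_FW, rng.choice(EPHEMERAL_FW), p.dst, p.dport)),
    ]


class NatEngine:
    """First-match NAT rule list plus the state needed to undo it on replies."""

    def __init__(self, rng=None):
        self.rules = build_rules(rng or random.Random())
        self.state = {}   # reverse key of the translated flow -> original packet

    def new_connection(self, p: Packet):
        """Translate the first packet of a connection with the first matching rule."""
        for name, match, translate in self.rules:
            if match(p):
                t = translate(p)
                # The server's reply will carry t's addresses and ports swapped.
                self.state[(t.dst, t.dport, t.src, t.sport)] = p
                return name, t
        return None, p   # no rule matched: forwarded untranslated

    def reply(self, r: Packet):
        """Reverse-translate a reply so it reaches the original sender."""
        orig = self.state.get((r.src, r.sport, r.dst, r.dport))
        if orig is None:
            return None   # not a reply to a translated connection
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)
```

Calling `NatEngine().new_connection(Packet("198.51.100.7", 40000, PUB_FW, 8080))` returns the rule name and the packet rewritten to @priv_web:80; feeding the server's reply to `reply()` gives back a packet sourced from @pub_fw:8080, which is the two-way behaviour the course describes for both static forms.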
ORDER OF APPLICATION OF NAT RULES
The order in which translation rules appear in the list is very important, as it defines
the order in which new connections will be compared against translation rules.
Therefore, a new connection will be compared against the rules starting from the
first in the list to the last. When the connection matches a rule, the translation
defined by this rule will be applied and the connection will no longer be analyzed by
the rules that follow.
This mode of operation may cause overlaps if rules are not in a logical sequence. An
example is illustrated in the diagram above – the second translation rule will never
be used because a more general rule above it in the list will override it (the IP
addresses in the group IP_PUB are included in the object Internet).
The firewall has a built-in checker that detects such overlaps, which will be indicated
to the administrator through an alert that appears at the bottom of the window.
NOTE: A simple solution to this example is to reverse the order of both translation
rules.
SECURITY RECOMMENDATIONS
To make filter policies easier to read, you are advised to give them clear names with
a specific naming system.
Never let rules overlap. Besides being unnecessary, overlapping rules create
entry points when the current rule is removed.
Every unnecessary rule is a potential entry point and increases the attack surface, so
they must be identified and deleted regularly.
The name column, hidden by default, allows you to identify a rule by its name. It is
very useful when searching for a rule or monitoring its behavior during debugging.
[Lab diagram: hosts DNS 192.168.1.10, WEB 192.168.1.11, FTP 192.168.1.12, MAIL 192.168.1.13; firewall interfaces OUT, IN and DMZ; addresses 192.168.250.254/24, 192.36.253.254/24, 172.16.250.254/24, 192.36.253.20/24, 172.16.2.254/24, 192.168.2.254/24; positions A, B, C, D]
APPENDIX - ADDRESS TRANSLATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.
ADVANCED PROPERTIES
In a NAT rule, you can specify the incoming interface of traffic that the rule must
match. This advanced configuration, which applies to the source field of a rule,
accommodates several use cases.
The first case presented above consists of translating two physical networks (in and
dmz1) belonging to the same logical network (network_bridge) to two public IP
addresses Firewall_out and IP_pub_virtual. Specifying the incoming interface is the
only way to differentiate both physical networks.
In the second use case, the various network aliases used by an interface are
translated to the firewall’s public IP address.
When additional IP addresses are configured using the same interface, the firewall
creates additional objects.
In the above example, when three IP addresses are configured in different
addressing schemes, three host objects are created: Firewall_in, Firewall_in_1 and
Firewall_in_2, followed by three corresponding network objects.
In this case, all networks that match the aliases, or a group containing them, should
be added to the rule. Specifying an interface in a translation rule makes it possible to
use Any as the source network to translate all the aliases of this interface.
In a NAT rule, you can also specify the outgoing interface that the rule must match.
This applies to the destination field of the traffic before translation, thereby making
it possible to restrict the translation rule to only this interface’s outgoing traffic. This
interface is determined beforehand through the routing function that sets the MAC
address of the remote gateway as the destination MAC address of the packet.
The diagrams above illustrate the use of the outgoing interface when the firewall has
access to two WAN networks and when load balancing must be set up on both links.
The advanced configuration settings for translation rules allow the distribution of
redirected connections for both incoming and outgoing connections:
• Load balancing of outgoing connections: (rule 1): This consists of
translating outgoing connections with several source IP addresses.
• Load balancing of incoming connections over several servers or ports
(services). There are several types:
• Load balancing over several hosts (rule 2): This option consists of
redirecting incoming connections to several hosts by entering a
group made up of several IP addresses as the traffic destination
after translation. It can be used when a service is hosted on several
servers.
• Load balancing over several ports (rule 3): This option consists of
redirecting incoming connections to several destination ports on a
single host by specifying a port range for traffic after translation. It
is used when several instances of the same application are hosted
on the workstation. Each of these instances listens on a particular
port from the destination port range.
• Load balancing over several hosts and several ports (rule 4): This
option represents a combination of the two previous load balancing
modes. It allows incoming traffic to be distributed over the various
destination ports of several hosts.
The various types of load balancing can be based on four types of algorithms:
• Round-robin: Connections alternate between IP addresses and port
numbers.
• Source IP hash: A hash of the source IP address of the connection before
translation is calculated in order to choose the IP address or port number.
This algorithm guarantees that connections from the same host will always
be associated with the same IP address or the same port number.
• Connection hash: A hash of the connection parameters before translation
(source IP, source port, destination IP, destination port), is calculated in
order to choose the IP address or port number. This algorithm makes it
possible to distribute connections originating from the same host over
several IP addresses or several port numbers.
• Random: the IP address or port number is randomly selected.
NOTE: The accessibility of the chosen IP address or port number will not be verified
(even if they are not accessible, the firewall will continue to send traffic to them).
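The four algorithms above differ in what they hash or iterate over, which determines whether one client sticks to one target. The block below is an added example, not Stormshield code: it applies each algorithm to a constructed pool of (host, port) targets, SHA-256 stands in for whatever hash function the firewall uses, and, as the note says, no reachability check is made on the chosen target.

```python
import hashlib
import itertools
import random

# Constructed target pool: (IP address, port) pairs that a translation rule
# redirects incoming connections to (several hosts and several ports, rule 4).
POOL = [("192.168.1.11", 8080), ("192.168.1.11", 8081),
        ("192.168.1.12", 8080), ("192.168.1.12", 8081)]


def _bucket(n: int, *parts) -> int:
    """Stand-in hash (SHA-256 of the joined fields); SNS uses its own function."""
    digest = hashlib.sha256("|".join(str(p) for p in parts).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n


class Balancer:
    def __init__(self, pool, rng=None):
        self.pool = list(pool)
        self._cycle = itertools.cycle(range(len(self.pool)))
        self.rng = rng or random.Random()

    def round_robin(self, conn):
        # Alternate over the pool regardless of who connects.
        return self.pool[next(self._cycle)]

    def source_ip_hash(self, conn):
        # Same source host -> always the same target.
        return self.pool[_bucket(len(self.pool), conn["src"])]

    def connection_hash(self, conn):
        # Whole 4-tuple: one host can be spread over several targets.
        return self.pool[_bucket(len(self.pool), conn["src"], conn["sport"],
                                 conn["dst"], conn["dport"])]

    def random_choice(self, conn):
        return self.rng.choice(self.pool)

    def pick(self, algorithm: str, conn):
        # As on SNS, no reachability check is made on the chosen target.
        return getattr(self, algorithm)(conn)


def distribution(balancer, algorithm, conns):
    """Count how many of the given connections land on each target."""
    counts = {}
    for c in conns:
        target = balancer.pick(algorithm, c)
        counts[target] = counts.get(target, 0) + 1
    return counts
```

Running `distribution()` over 200 constructed connections from one source with different source ports puts them all on one target under `source_ip_hash` and spreads them under `connection_hash`, which is the practical difference between the two hash modes.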
NOTE: It is also possible to use the translation exception for a specific host on a
translated network.
FILTERING
OVERVIEW
With the filter policy, the administrator can define rules that make it possible to
allow or block traffic going through the Stormshield Network UTM. Depending on
the type of traffic, certain security inspections (antivirus scan, antispam scan, URL
filtering, etc.) can be enabled. These will be covered in detail in the Application
protection module. The defined filter rules must be in line with the company's
security policy.
A filter rule relies on many criteria in order to define a traffic type, thereby offering
higher granularity. Some of the criteria that can be specified include:
• Source and/or destination IP address,
• The reputation and location of the source and/or destination IP
address,
• Incoming and/or outgoing interface,
• Source and/or destination network address,
• Source and/or destination FQDN,
• Value of the DSCP field,
• TCP/UDP service (destination port number),
• IP-based protocol – for ICMP, the type of ICMP message can be
specified,
• Users or user groups requiring authentication.
The number of active filter rules in a policy is limited. This restriction depends
exclusively on the model of the firewall.
The first packet belonging to each new traffic stream received by the UTM is
compared against the filter rules from the first to the last line. You are therefore
advised to arrange your rules in the order of the most restrictive to the most
permissive.
By default, any traffic that is not explicitly allowed by a filter rule will be blocked.
THE CONCEPT OF "STATEFUL"
[Diagram: TCP, UDP and ICMP exchanges through the firewall: (1) a query from @privA (source port xxxx) to @web on destination port 80, (2) the response from @web]
Stormshield Network firewalls use SPI (Stateful Packet Inspection) technology, which
makes it possible to memorize the status of connections for TCP, UDP and ICMP
protocols in order to keep track of them and detect potential anomalies or attacks.
The direct consequence of this stateful tracking is that filter rules only allow traffic
in the direction in which the connection was initiated; replies that are part of the
same connection will be implicitly allowed. There is therefore no need for an
additional filter rule to allow response packets for connections that were set up
through the firewall.
SEQUENCING OF FILTER AND TRANSLATION RULES
[Diagram: the initial packet is compared, in order of priority, against slot 0 Implicit filtering, slot 1 Global filtering and slot 2 Local filtering, each giving Pass or Block; if no rule matches, the packet is blocked; a passed packet then goes through slot 3 Implicit NAT, slot 4 Global NAT and slot 5 Local NAT]
On Stormshield Network firewalls, filter and NAT rules are organized in various levels
called slots represented in their order of priority in the diagram above:
• Implicit filtering: groups filter rules that have been pre-configured or
added dynamically by the firewall in order to allow or block certain types
of traffic after a service is enabled. For example, an implicit rule allows
connections going to the UTM's internal interfaces on the HTTPS port
(443/TCP) in order to ensure constant access to the web administration
interface. In another example, as soon as the SSH service is enabled, a set
of implicit rules will be added to allow these connections from all hosts on
internal networks.
• Global filtering: groups filter rules that have been inserted on the firewall
from the "Stormshield Management Server" (SMC) administration tool or
after global policies have been displayed.
• Local filtering: represents filter rules added by the administrator from the
administration interface.
• Implicit NAT: groups NAT rules that the firewall adds dynamically. These
rules are used mainly when high availability is enabled.
• Global NAT: like global filtering, it groups NAT rules that have been
inserted on the firewall from the "Stormshield Management Server" (SMC)
administration tool or after global policies have been displayed.
• Local NAT: groups NAT rules that the administrator has added from the
administration interface.
The first packet received is compared against the filter rules of the various slots
according to the order shown in the diagram above. As soon as elements in the
packet match a rule in a slot, the action set in the rule (block or pass) will be applied
and the packet will no longer be compared against the rules that follow. If none of
the filter rules match, the packet will be blocked by default.
If the packet is allowed, it will be compared against the NAT rules of the various
slots, following the sequence shown above.
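The slot sequence above, together with the stateful behaviour described earlier (replies of a tracked TCP, UDP or ICMP connection are implicitly allowed, other protocols only when tracking is enabled on the rule), can be written out as a small first-match engine. The block below is an added example, not Stormshield code: the slot names are the course's, while the rule names, networks and the `track_state` flag that stands in for the tracking option of the rule are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocols for which the firewall always keeps connection state; other
# protocols are tracked only when the rule asks for it (Rule.track_state).
STATEFUL_PROTOS = {"tcp", "udp", "icmp"}

# Filter slots in their order of priority (NAT slots come afterwards).
SLOT_ORDER = ["implicit filtering", "global filtering", "local filtering"]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                    # "pass" or "block"
    proto: Optional[str] = None    # None means any protocol
    src: str = "0.0.0.0/0"         # source network, Any by default
    dst: str = "0.0.0.0/0"         # destination network
    dport: Optional[int] = None    # None means any destination port
    track_state: bool = False      # explicit tracking for non-stateful protocols

    def matches(self, f: Flow) -> bool:
        return (self.proto in (None, f.proto)
                and ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, f.dport))


class StatefulFilter:
    def __init__(self, slots):
        self.slots = slots          # slot name -> ordered list of rules
        self.conntrack = set()      # flows whose first packet was allowed

    def first_packet(self, f: Flow):
        """Compare the first packet of a stream against the slots in order."""
        for slot in SLOT_ORDER:
            for rule in self.slots.get(slot, []):
                if rule.matches(f):
                    tracked = f.proto in STATEFUL_PROTOS or rule.track_state
                    if rule.action == "pass" and tracked:
                        self.conntrack.add(f)
                    return rule.action, f"{slot}: {rule.name}"
        return "block", "no rule (default)"   # nothing matched: blocked by default

    def packet(self, f: Flow):
        """Any packet: replies of a tracked connection are implicitly allowed."""
        if f in self.conntrack:
            return "pass", "tracked connection"
        reverse = Flow(f.proto, f.dst, f.dport, f.src, f.sport)
        if reverse in self.conntrack:
            return "pass", "reply of a tracked connection"
        return self.first_packet(f)


def build_demo_policy() -> StatefulFilter:
    """Constructed policy: addresses and rule names are examples, not defaults."""
    return StatefulFilter({
        # Pre-configured rule keeping the web administration interface reachable.
        "implicit filtering": [
            Rule("admin-https", "pass", "tcp", "192.168.1.0/24", "192.168.1.254/32", 443),
        ],
        "global filtering": [],
        "local filtering": [
            # A local block rule cannot override the implicit pass above it.
            Rule("no-admin", "block", "tcp", "192.168.1.0/24", "192.168.1.254/32", 443),
            Rule("allow-web", "pass", "tcp", "192.168.1.0/24", "0.0.0.0/0", 80),
            # GRE is not stateful: the reply direction needs its own rule unless
            # tracking is enabled on this one.
            Rule("allow-gre", "pass", "gre", "192.168.1.0/24", "0.0.0.0/0"),
        ],
    })
```

With this policy, an HTTP request from the internal network is passed by the local rule and the server's reply is passed without any rule of its own, whereas the reply to an allowed GRE packet is blocked by default, which is why the course tells you to enable tracking explicitly for such protocols.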
“FILTERING” MENUS
NOTE: Modifying the status of these rules directly affects how services run on
the firewall. To ensure that the affected service continues to run correctly, first
confirm whether lower-priority rules, such as global or local rules, allow such traffic.
To display global rules, select Display global policies (Filtering, NAT, VPN IPsec and
Objects) in the Preferences menu that can be accessed directly from the header icon
in the red box. This option will display in the header of the menu CONFIGURATION
⇒ SECURITY POLICY ⇒ Filtering and NAT a drop-down list allowing global or local
policies to be selected. By default, there are no filter or NAT rules in the global slots.
• Creation of a rule
• Selection of columns to display
Filter rules are part of a policy, as explained earlier in the "Address translation"
module.
The "FILTERING" tab is made up of a header to manage filter rules:
• New rule:
• Single rule: adds a standard filter rule. By default, a new rule is
disabled and all its criteria are set to "Any".
• Separator – rule grouping: adds a separator which groups all rules
located under it (or until the next separator). This simplifies the
display of a policy containing a large number of rules. The separator
may be customized with a specific color and comments.
• Authentication rule: opens a wizard that adds a rule created
specifically to direct the connections of unauthenticated users to
the captive portal (see the Users and Authentication module for
more details on the subject).
• SSL inspection rule: opens a wizard that adds rules to enable the
SSL proxy.
• Explicit HTTP proxy rule: opens a wizard that adds rules to enable
the explicit HTTP proxy.
• Delete: deletes a rule.
• Up / Down: moves selected rules up or down the list.
• Naming rules
• Header options
NOTE: Searches performed in logs or monitoring rely on the name of the rule.
You will see in the above example that a rule always has a default name,
which the administrator can change.
NOTE: The indicator re-orders the most frequently used filter rules by placing them
at the top of the list. This makes it possible to optimize the reading of the policy
before finding the action to apply.
The parameters of a rule may be entered directly in the rule window or in a new
window (omnibox) that appears by double-clicking on any parameter of this rule.
Since the values of the parameters are objects, they can be copied from one rule to
another by dragging and dropping. This also allows filter rules to be moved by
clicking on the rule number. Rules added have to be saved and manually enabled
with the Save and enable button.
The ACTION menu is made up of several tabs, but we will focus on the GENERAL tab,
which makes it possible to specify the following parameters:
• Action: defines the action to apply to the packet that matches the filter
rule:
• Pass: allows the packet,
• Block: blocks the packet,
• Decrypt: sends the packet to the SSL proxy,
• reinit. TCP/UDP: in the case of TCP traffic, the firewall will send
back a TCP RST packet to the sender. In the case of UDP traffic,
the firewall will send an ICMP port unreachable notification to
the sender.
260
Filtering
“FILTERING” MENUS
18
• Log level: logs traffic processed by the rule. It can have different levels:
• standard (connection log): this is the default value; only
established connections that use a TCP/UDP transport layer are
logged:
• in the Network connections or Application connections
log, if a plugin performs an application analysis in IPS or IDS
mode,
• connections with a Block action will not be logged.
• verbose (filtering log): traffic is logged in the Filtering log. This
option is only useful when you log:
• traffic directly above the IP layer (ICMP, GRE, ESP, etc.),
• traffic blocked by a Block action.
• minor alarm: the connection will be logged in the Alarms log
with a minor alarm.
• major alarm: the connection will be logged in the Alarms log with
a major alarm.
261
Filtering
“FILTERING” MENUS
19
262
Filtering
“FILTERING” MENUS
20
The SOURCE > GENERAL menu groups parameters that identify the source of the
traffic affected by the filter rule:
• User: indicates the user or user group at the source of the traffic. This
parameter works in authentication systems based on user directories (see
the Users and Authentication module).
• Source hosts: indicates the IP address, Fully Qualified Domain Name
(FQDN) or network address of the traffic. The icons = or ≠ mean that
the parameter may be equal to or different from the value specified. It is
also possible to enter a list of objects by clicking on Add. If the top left
corner of an object name is red, this means that the added object has not
yet been saved.
• Incoming interface: specifies the traffic's incoming interface. This
parameter comes in useful when there are bridges in which the interfaces
share the same address range.
263
Filtering
“FILTERING” MENUS
21
NOTE: The reputation score of internal hosts, which can be configured in this menu,
makes it possible to specify the score above or below which the filter rule will be
applied to monitored hosts.
264
Filtering
“FILTERING” MENUS
22
The Destination menu groups the parameters that identify the traffic's destination.
In the GENERAL tab, the Destination hosts parameter indicates the traffic's
destination IP address, network address or FQDN. It is also possible to choose
whether the parameter needs to be equal to or different from the value and to enter
a list of objects.
Location, public IP address reputation and host reputation information can also be
used as destination settings in the GEOLOCATION / PUBLIC IP ADDRESS
REPUTATION tab.
NOTE: when the destination object is an FQDN object, it must be the only object in
the rule.
265
Filtering
“FILTERING” MENUS
23
NOTE: For rules that allow incoming traffic, you are advised against entering the
outgoing interface because the path to the traffic's destination is not yet known.
266
Filtering
“FILTERING” MENUS
24
In the PORT / protocol menu, the Destination port can be entered with the
possibility of selecting whether it has to be equal to, different from, higher than or
lower than the value selected. A list of destination ports can also be entered.
267
Filtering
“FILTERING” MENUS
25
In the PORT / Protocol menu, the ID of the IP protocol that will be affected by the filter
rule can also be entered. To do so, select the Protocol type parameter and select the
value IP protocol, then specify the protocol in the IP protocol field. If ICMP has
been selected, the ICMP message parameter will automatically appear so that the
filter can be refined by selecting the type of ICMP notification relevant to the filter
rule.
NOTE: Stateful inspection, which memorizes and tracks connections going through
the firewall, is always enabled and cannot be disabled for the TCP, UDP and ICMP
protocols. For other protocols (GRE, ESP, etc.), you will need to select this option to
enable tracking.
268
Filtering
“FILTERING” MENUS
26
NAT can be applied to the destination (DNAT) in a filter rule unless it contains an
FQDN object or geolocation and/or reputation items.
269
Filtering
POLICY ANALYZER
FILTERING
✔ Overview
✔ The concept of "stateful"
✔ Sequencing of filter and translation rules
✔ Filteri g menus
➔ Policy analyzer
270
Filtering
POLICY ANALYZER
28
Stormshield Network firewalls have a built-in checker that detects any overlaps or
inconsistencies created in the filter policy. When this happens, a warning message
will appear at the bottom of the menu.
Three examples are shown in the screen captures above:
• In rule no. 1, the HTTP destination port is incompatible with UDP as the
HTTP application protocol uses the TCP transport protocol,
• Rule no. 3 will never be used as rule no. 2 overrides it,
• Rule no. 4 indicates that traffic arrives on an object with an IP address that
may change (dynamic IP associated with the out branch) and that the in
interface (source field) needs to be specified.
NOTE: Messages indicated with a red cross prevent the policy from being saved and
enabled.
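Two of the checks described here, a rule that can never be reached because an earlier rule matches everything it matches (the same overlap shown for NAT rules in the "Order of application of NAT rules" section, where IP_PUB is included in Internet) and a service whose transport protocol does not fit (HTTP over UDP), can be expressed as set comparisons over the rule criteria. The block below is an added example, not the firewall's own analyzer: the object names Internet, IP_PUB and Network_in come from the course, the networks behind them are constructed ("Internet" is simplified to 0.0.0.0/0), and the short table of TCP-only services is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed objects bearing the names used in the course. "Internet" is
# simplified to 0.0.0.0/0; on SNS it means "everything that is not internal".
OBJECTS = {
    "Any": nets("0.0.0.0/0"),
    "Internet": nets("0.0.0.0/0"),
    "IP_PUB": nets("203.0.113.8/29", "203.0.113.64/26"),   # group of public addresses
    "Network_in": nets("192.168.1.0/24"),
}

# Assumed lookup of services that only exist over TCP (deliberately short).
TCP_ONLY_PORTS = {25: "smtp", 80: "http", 443: "https"}


@dataclass
class Rule:
    name: str
    src: str                      # object name
    dst: str                      # object name
    proto: Optional[str] = None   # None = any transport protocol
    dport: Optional[int] = None   # None = any destination port


def covers(outer: str, inner: str) -> bool:
    """True when every network of object `inner` lies inside object `outer`."""
    return all(any(n.subnet_of(o) for o in OBJECTS[outer]) for n in OBJECTS[inner])


def shadows(above: Rule, below: Rule) -> bool:
    """`above` hides `below` when it matches everything `below` matches."""
    return (covers(above.src, below.src) and covers(above.dst, below.dst)
            and above.proto in (None, below.proto)
            and above.dport in (None, below.dport))


def analyze(rules):
    """Return (rule name, message) findings; `rules` is in evaluation order."""
    findings = []
    for j, rule in enumerate(rules):
        for earlier in rules[:j]:
            if shadows(earlier, rule):
                findings.append((rule.name,
                                 f"never used: overridden by rule '{earlier.name}' above it"))
                break
        if rule.proto == "udp" and rule.dport in TCP_ONLY_PORTS:
            findings.append((rule.name,
                             f"port {rule.dport} ({TCP_ONLY_PORTS[rule.dport]}) uses TCP, not UDP"))
    return findings
```

For the NAT case, `analyze([Rule("to-internet", "Network_in", "Internet"), Rule("to-ip-pub", "Network_in", "IP_PUB")])` reports the second rule as never used, and reversing the two rules, the fix suggested in the note of that section, clears the finding.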
271
Filtering
SECURITY RECOMMENDATIONS
29
Anti-spoofing has its limits and does not block all private networks that arrive
through the Internet. To ensure full protection, you need to define block rules that
cater to the topology of the network. For example, you can block the RFC 5735 IP
address ranges on public networks.
Since implicit rules are read before other rules, they can negate rules that the
administrator created. Ensure that you define web interface access rules carefully to
maintain control over the firewall. As SSH access to SNS is allowed by default on all
internal interfaces, this is the ideal moment to restrict it.
Object groups make it easier to modify rules, and you are advised to use groups
instead of creating lists of hosts in rules. This also makes rules easier to read.
Never let rules overlap. Likewise, regularly keep track of and delete all unused rules.
272
Filtering
LAB 5 – FILTERING
C A
DNS: 192.168.1.10
WEB: 192.168.1.11
FTP: 192.168.1.12
MAIL: 192.168.1.13
192,168,250,254/24
192.36.253.254/24
172.16.250.254/24
OUT
192.36.253.20/24 IN
172.16.2.254/24 DMZ
192.168.2.254/24
D B
30
273
APPENDIX – FILTERING
ADVANCED PROPERTIES
Global filter rules, most often used in SMC, the centralized administration server,
offer a new action that delegates the choice of the action to the local filter. So
packets that match a global filter rule set to delegate will continue to be compared
directly with local filter rules.
To see global policies, go to the top of the screen, in Admin > Preferences and select
Display global policies.
Once this rule is enabled, you will see it in console mode when you enter the
command:
sfctl -s filter
This rule contains the action jump followed by the number of rules to ignore to
reach the local filter (1 in the above example, in which only one other global rule
follows the delegation rule).
276
Appendix
Filtering
A filter rule makes it possible to use the source port as a criterion to identify traffic.
This parameter does not appear by default in the rule window but it can be shown
by selecting the corresponding column. It can also be configured in the ADVANCED
PROPERTIES tab in the source field.
277
Appendix
Filtering
The value of the DSCP field can be used as a criterion in a filter rule. It can be
selected in the Source DSCP parameter in the ADVANCED PROPERTIES tab of the
source field, which also offers the possibility of defining a customized non-standard
value.
NOTE: The DSCP field is part of the IP header and indicates the service class (QoS) to
which an IP packet belongs.
278
Appendix
Filtering
Stormshield Network firewalls make it possible to impose the value of the DSCP field
on selected traffic in the Action field of a filter rule. This means that IP packets
belonging to such traffic streams will be tagged with the chosen value of the DSCP
field when they leave the firewall. Tagging can be configured in the DSCP section of
the QUALITY OF SERVICE tab in the Action field.
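What "imposing the DSCP value" means at the packet level is shown by the following added example. It is not Stormshield code and the IPv4 header it handles is constructed, not captured: it reads the 6-bit DSCP field, rewrites it while preserving the 2 ECN bits, and recomputes the header checksum, which any device that tags packets on the way out has to do.

```python
"""Read and rewrite the DSCP field of an IPv4 header.

Added example, not from the course material; the header below is constructed,
not captured. DSCP is the upper 6 bits of the second header byte (the former
TOS byte), the lower 2 bits are ECN. Rewriting DSCP changes the header, so the
header checksum has to be recomputed, which is what a firewall does when a
filter rule imposes a DSCP value on outgoing packets.
"""
import ipaddress
import struct

DSCP_CS0, DSCP_AF41, DSCP_EF = 0, 34, 46      # RFC 2474 / 2597 / 3246 code points


def _fold(total):
    """Fold a sum into 16 bits (end-around carry)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header):
    """One's-complement sum of the 16-bit words, checksum field taken as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    total = _fold(sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed)))
    return (~total) & 0xFFFF


def checksum_ok(header):
    """A correct header sums (checksum included) to 0xFFFF after folding."""
    return _fold(sum(struct.unpack("!%dH" % (len(header) // 2), header))) == 0xFFFF


def build_header(src, dst, dscp=DSCP_CS0, proto=6, total_len=40):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    raw = struct.pack("!BBHHHBBH4s4s",
                      0x45,            # version 4, IHL 5 words
                      dscp << 2,       # DSCP in the upper 6 bits, ECN = 0
                      total_len, 0x1234, 0x4000, 64, proto,
                      0,               # checksum placeholder
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]


def get_dscp(header):
    return header[1] >> 2


def get_ecn(header):
    return header[1] & 0x03


def set_dscp(header, dscp):
    """Tag the packet with a new DSCP value, keep ECN, fix the checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field (0-63)")
    tagged = bytearray(header)
    tagged[1] = (dscp << 2) | get_ecn(header)
    tagged[10:12] = struct.pack("!H", ipv4_checksum(bytes(tagged)))
    return bytes(tagged)
```

The check that matters operationally is `checksum_ok()` after tagging: a device that rewrites the TOS byte without recomputing the checksum produces packets that the next hop silently drops.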
APPLICATION PROTECTION
• Implementation:
When application inspection is enabled (red box) on a filter rule, the firewall runs its
analyses in transparent proxy mode:
• The firewall acts as the client towards the server, and as the server towards the client.
NOTE:
• Explicit proxy mode will not be covered in this chapter, as this mode on
Stormshield firewalls offers fewer features than the transparent proxy. Explicit
proxies are not compatible with multi-directory authentication or with the SSL proxy,
for example, so HTTPS traffic cannot be decrypted for antivirus analysis. Using the
proxy in transparent mode is therefore recommended.
• Filter rules analyzed in IPS mode only do not use proxy mechanisms.
HTTP PROXY
With the URL filtering feature, you can control all of your users’ access to websites.
To do so, the URL filter policy will rely on a list of categorized URL entries or custom
key words.
With Extended Web Control (EWC), URL classification is performed by Stormshield cloud
servers. As such, the firewall does not need to download the URL database, which avoids
disk saturation issues.
[Figure: an HTTP request to www.lost.com triggers a request for classification; the
CloudURL servers return the classification (entertainment), which is stored in the local
cache.]
As soon as it receives an HTTP connection to a public website, the firewall will send a
request to one of the EWC servers in order to get the categories that contain the
visited website (if it is not already in its local cache). The results will then be
compared to the active URL filter policy.
EWC servers can return up to 5 categories per URL. A URL can therefore
simultaneously belong to a blocked category and an allowed category. In that case the
order of the rules in the URL filter policy decides: the first rule whose category
matches applies, so be sure to organize the policy accordingly.
In order to optimize the way it works, and avoid sending many requests to EWC
servers for the same URL, the Extended Web Control feature uses a cache to
remember the decision for a website that has already been visited. The cache size
varies according to appliance and is configured to keep data for one day of browsing.
Its contents cannot be viewed, even in console mode.
The cache is purged when the firewall or the proxy daemon (tproxyd) reboots. The
two scenarios presented in the slides that follow will explain how the Extended Web
Control cache works.
[Figure, scenario 1 (URL not in cache): HTTP request to www.lost.com, lookup in the local
cache, request for classification to the CloudURL servers, classification returned
(entertainment).]
The proxy queries the local cache. Since the URL is not in the cache, a classification
request is forwarded to the Extended Web Control servers to find out which
categories include this URL.
As soon as the categories are received, the URL filter policy decides whether access to
the website will be allowed or blocked.
In the object database, the Extended Web Control servers (CloudURL) are called
cloudurl[1-5]-sns.stormshieldcs.eu.
[Figure, scenario 2 (URL already in cache): HTTP request to www.lost.com, lookup in the
local cache, cached decision applied; the CloudURL servers are not queried.]
The proxy queries the local cache and finds the URL. In this case, the Extended
Web Control servers are not queried: the decision applied during the last visit (grant
access or block) is applied again to this connection.
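The two scenarios above, together with the point about rule order in a URL filter policy, can be modelled as follows. This is an added example, not Stormshield code: the class and method names, the constructed classification table standing in for the CloudURL servers, and the fail-closed behaviour when no rule matches are assumptions. What it reproduces from the course is a first-match evaluation of an ordered policy over a URL that belongs to several categories, and a cache that stores the decision rather than the categories.

```python
"""Ordered URL filter policy plus an Extended Web Control style decision cache.

Added example, not Stormshield code. CLOUD_CLASSIFICATION stands in for the
CloudURL servers (constructed data, up to 5 categories per URL). The cache
holds the *decision* taken for a URL, as the course describes, so a cached
URL is never re-evaluated until the cache is purged (proxy daemon restart).
"""
from dataclasses import dataclass

PASS, BLOCK = "pass", "BlockPage_00"

# Constructed stand-in for the CloudURL servers: URL -> categories (max 5).
CLOUD_CLASSIFICATION = {
    "www.lost.com": ["entertainment", "streaming"],
    "jobs.example.net": ["job search", "business"],
    "news.example.org": ["news"],
}


@dataclass(frozen=True)
class Rule:
    category: str   # a URL category, or "any" for the catch-all rule
    action: str     # PASS or a block page such as BlockPage_00


class UrlFilter:
    def __init__(self, policy):
        self.policy = list(policy)
        self.cache = {}             # URL -> decision (not the categories)
        self.cloud_queries = 0      # how often the cloud was actually asked

    def classify(self, url):
        """Ask the classification service; counts as one cloud round trip."""
        self.cloud_queries += 1
        return CLOUD_CLASSIFICATION.get(url, ["unknown"])

    def decide(self, categories):
        """First matching rule wins: a URL in several categories is decided
        by whichever of its categories appears first in the policy."""
        for rule in self.policy:
            if rule.category == "any" or rule.category in categories:
                return rule.action
        return BLOCK      # assumption: fail closed if no rule matches at all

    def request(self, url):
        """Handle one HTTP request; a cache hit replays the stored decision."""
        if url in self.cache:
            return self.cache[url]
        decision = self.decide(self.classify(url))
        self.cache[url] = decision
        return decision

    def purge_cache(self):
        """What a reboot of the firewall or of tproxyd does to the cache."""
        self.cache.clear()


# The same three rules in two different orders.
BLOCK_STREAMING_FIRST = [Rule("streaming", BLOCK), Rule("entertainment", PASS), Rule("any", PASS)]
ALLOW_ENTERTAINMENT_FIRST = [Rule("entertainment", PASS), Rule("streaming", BLOCK), Rule("any", PASS)]


def order_matters(url="www.lost.com"):
    """Same URL, same rules, different order -> different decision."""
    return (UrlFilter(BLOCK_STREAMING_FIRST).request(url),
            UrlFilter(ALLOW_ENTERTAINMENT_FIRST).request(url))


def stale_cache_demo(url="www.lost.com"):
    """Changing the policy does not change a cached decision until a purge."""
    f = UrlFilter(BLOCK_STREAMING_FIRST)
    first, second = f.request(url), f.request(url)        # second hit: no cloud query
    f.policy = list(ALLOW_ENTERTAINMENT_FIRST)
    stale = f.request(url)                                # still the cached BLOCK
    f.purge_cache()
    fresh = f.request(url)                                # re-classified, now PASS
    return first, second, stale, fresh, f.cloud_queries
```

In this model a policy change does not invalidate cached decisions; the course only states that the cache is purged when the firewall or tproxyd restarts, so verify on your own version how quickly a policy change takes effect for URLs that were already visited before relying on it.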
You can choose the URL database provider from the menu CONFIGURATION ⇒
OBJECTS ⇒ WEB OBJECTS, in the URL Database tab.
Switching from the built-in URL database to EWC will delete the embedded
categories - you will see a warning message.
After the database has been changed, we advise you to check the active URL filter
policy because category names might differ from one base to another.
E.g.: the "Job search" category exists in the Extended Web Control database but does
not exist in the embedded URL database. As such, when this category is used in the
URL filter policy, it will generate a warning when the policy is enabled if you attempt
to return to the embedded database.
In CONFIGURATION ⇒ OBJECTS ⇒ Web objects, in the URL tab, you can create your
own categories. Each category contains a list of URLs, which must be entered following
the syntax suggested in the interface.
Use the CTRL and SHIFT keys to select several groups before moving them.
These fields are available in the Web Objects menu and in URL filter policies.
From the menu Configuration ⇒ Security Policy ⇒ URL Filtering, choose the policy
to edit (in the above example, policy default00 was renamed Block_prohibited_URL).
The real-time policy checker will show any errors detected in your policy.
This option adds a line with the action BlockPage_00 for each category in the current
URL database. However, this option does not take into account custom groups,
which have to be added manually.
Websites can belong to several categories. When this occurs, the order of the rules
in the filter policy determines the action to apply for the website in question.
Once your URL filter policy is ready, you have to apply it to a filter rule that allows
outgoing HTTP traffic as shown in the above example. In this rule, Network_dmz1
will only have access to websites that are in the News category.
By following this procedure, you can enable more than one URL filter policy at a
time, to handle access for different networks or source hosts.
You can make changes with two editors (simplified or HTML). Both of them use the
WYSIWYG format (What You See Is What You Get: instant preview of the content).
Via the simplified editor, you can quickly change the page information such as its
title, block message, e-mail address of the administrator to contact to report wrong
URL classifications, or the logo to display.
For those who feel more comfortable with web programming languages, the HTML
editor makes it possible to modify the contents of the page more accurately.
HTTPS PROXY
When a client initiates a connection to a website in HTTPS, it sends the domain
name of the requested website in plaintext in the first message of the TLS handshake
(the ClientHello). This is known as Server Name Indication (SNI), and allows the server
to select the right certificate to present to the client.
Stormshield Network Security relies on this field to control access to these
websites without decrypting traffic.
NOTE: In this chapter, we will cover only SNI verifications and their classification, to
allow or block traffic without decryption. Advanced operations that require HTTPS
traffic to be decrypted, such as URL filter policies and antivirus analyses, will be
covered in the CSNE course.
In Configuration ⇒ Objects ⇒ Web Objects, in the Certificate name (CN) tab, you
can create your own categories. Each category contains a list of CNs that will be
compared with the SNIs of SSL/TLS connections.
Use the CTRL and SHIFT keys to select several groups before moving them.
Next, select the SNIs that you intend to Block without decrypting and Pass without
decrypting.
Reminder: the Decrypt action, which enables a thorough analysis of HTTPS traffic,
will be covered in CSNE.
The real-time policy checker will show any errors detected in your policy.
Once your SSL filter policy is ready, you have to apply it to a filter rule whose action
is Decrypt and which allows outgoing HTTPS traffic, as shown in the above example. The
Decrypt action of the filter rule hands the traffic to the SSL proxy, which then applies
the SSL filter policy selected in the rule.
By following this procedure, you can enable more than one SSL filter policy at a time,
to handle access for different networks or source hosts.
If the CN of the requested website belongs to a category assigned the Pass without
decrypting action, the requested web page is delivered unchanged.
If it belongs to a category assigned the Block without decrypting action, no content
from the website is delivered; the user only sees that the administrator rejected the
connection.
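To make the mechanism concrete, the following added example (not Stormshield code) builds a ClientHello, extracts the SNI the way a proxy that does not decrypt would, and applies an ordered CN-category policy with the two actions above. The ClientHello bytes are constructed rather than captured, the category and policy structures and the `*.` wildcard syntax for CN objects are assumptions, and how the real firewall treats a ClientHello that carries no SNI is not covered by this chapter.

```python
"""Extract the SNI from a TLS ClientHello and apply a CN-based SSL filter policy.

Added example, not Stormshield code. The ClientHello bytes are constructed here
(no capture); the policy/category structures and the '*.' wildcard syntax for
CN objects are assumptions. It shows what the firewall reads when it filters
HTTPS "without decrypting": the hostname travels in clear in the first handshake
message, before any encryption has been negotiated.
"""
import struct

SNI_EXT = 0x0000
PASS_NO_DECRYPT, BLOCK_NO_DECRYPT = "pass_without_decrypt", "block_without_decrypt"


def build_client_hello(hostname):
    """Constructed TLS 1.2-style ClientHello record carrying one SNI entry."""
    name = hostname.encode("idna")
    sni_list = struct.pack("!BH", 0, len(name)) + name          # name_type host_name(0)
    sni_ext = struct.pack("!HHH", SNI_EXT, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03"                                   # client_version TLS 1.2
            + b"\x11" * 32                                # random (fixed bytes, constructed)
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)  # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                                   # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        pos = 4 + 2 + 32                                        # header, version, random
        pos += 1 + hs[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + hs[pos]                                      # compression_methods
        if pos + 2 > len(hs):
            return None                                         # no extensions at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != SNI_EXT:
                continue
            lpos = 2                                            # skip server_name_list length
            while lpos + 3 <= len(data):
                ntype, nlen = data[lpos], struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if ntype == 0:
                    return data[lpos + 3:lpos + 3 + nlen].decode("idna")
                lpos += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


def cn_matches(pattern, sni):
    """CN object against the SNI; a leading '*.' matches any sub-domain (assumed syntax)."""
    pattern, sni = pattern.lower(), sni.lower()
    if pattern.startswith("*."):
        return sni.endswith(pattern[1:]) and len(sni) > len(pattern) - 1
    return pattern == sni


def ssl_filter(record, categories, policy, default=PASS_NO_DECRYPT):
    """First matching rule wins, as in the URL filter policy. Returns (sni, action)."""
    sni = extract_sni(record)
    if sni is None:
        return None, "no_sni"      # CN criterion cannot be evaluated; behaviour not covered here
    for category, action in policy:
        if any(cn_matches(p, sni) for p in categories.get(category, ())):
            return sni, action
    return sni, default
```

The `no_sni` branch is the practitioner's caveat: a client that omits SNI, or hides it, gives a CN-based policy nothing to match, so decide deliberately what such connections should get rather than letting them fall through to the default.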
ANTIVIRUS ANALYSIS
You can choose the antivirus engine from the menu Configuration ⇒ Application
protection ⇒ Antivirus.
If you decide to switch engines, a message will prompt you to download the relevant
base. This means that for the entire duration of the download, the antivirus analysis
will not be effective.
NOTE : The "Sandboxing" option, which can only be used with Kaspersky antivirus, is
available if you have subscribed to the additional license option called "Breach
Fighter Sandboxing", which will be covered in the chapter "Breach Fighter analysis".
• Analyzing files
Additional parameters for the protocols that the antivirus can scan are found in
CONFIGURATION ⇒ APPLICATION PROTECTION ⇒ Protocols ⇒ HTTP, SMTP, FTP or POP3 ⇒
Analyzing files.
This menu is the same for the FTP, SMTP and POP3 protocols and contains:
• Maximum size for the antivirus analysis,
• Actions to perform on messages.
For the HTTP protocol, an additional frame makes it possible to define the antivirus
behavior according to the MIME types declared in the HTTP header.
From the menu Configuration ⇒ Notifications ⇒ Block messages, you can change
the notifications sent to users when an e-mail or a file downloaded via FTP contains
a virus.
This is a global setting. Messages for incoming traffic and outgoing traffic cannot be
distinguished, for example.
NOTE : HTTPS, SMTPS and POP3S must be decrypted by an SSL rule before being
analyzed by the antivirus engine.
BREACH FIGHTER ANALYSIS
Breach Fighter is available as an additional software option for subscribers to the security
pack containing Kaspersky antivirus.
This option allows users to counter new threats for which an antivirus and heuristic analysis
no longer suffices (8 out of 10 malware programs manage to evade conventional
antiviruses).
The protocols that the Kaspersky antivirus engine analyzes (FTP, HTTP(s), SMTP(s) and
POP3(s)) are taken into account.
The solution is based on a dedicated Stormshield cloud and offers several layers of analysis
for optimum protection of Windows operating systems:
• Static analysis: a file's hash is compared against existing hashes referenced in the
database shared by the community so that threats can be blocked,
• Heuristic analysis: variants of a malware program will be detected,
• Dynamic analysis: our dedicated team of security researchers implements rules
to detect and protect against new threats,
• Behavioral analysis: the behavior of malware is replayed in virtual Windows
environments to simulate how it is actually used. The environment is called a
"sandbox" and integrates Stormshield Endpoint Security (SES) technologies to
provide zero-day protection.
All files that pass through the appliance are scanned by Kaspersky antivirus. Files that
Kaspersky does not block will be scanned one more time by Breach Fighter.
As soon as an infected file is detected, its hash will be added to the shared database, making
it possible to immediately protect all clients.
The security team dedicated to "Threat Intelligence" contributes to the continuous
optimization of Breach Fighter's capabilities.
The Breach Fighter analysis can be enabled on a filter rule using the SECURITY
INSPECTION ⇒ APPLICATION INSPECTION ⇒ SANDBOXING parameter. The antivirus
analysis will automatically be enabled when Breach Fighter is enabled.
Files that undergo a Breach Fighter sandboxing analysis are assigned a score on a
scale of 0 to 100. A score of 0 means that the file is not dangerous.
INTRUSION PREVENTION MODULE AND SECURITY INSPECTION
• Definition:
– Analyses from the IP layer up to the application layer (plugins),
– Checks compliance with protocols,
– Context-based patterns,
– Fragmentation,
– IPv4/IPv6 analyses.
ASQ's main role is to ensure that packets comply with the protocols used from the IP
layer up to the application layer (thanks to plugins) and with context-based patterns.
The operation of ASQ and its options are covered in detail in the Expert course.
Each packet that the UTM receives will go through the filter policy. By default, the
IPS analysis will be applied, meaning that the firewall is capable of detecting
anomalies and blocking the corresponding packet(s).
Other inspection modes can be used for testing or out of necessity; for example
when contacting a server that does not comply with the RFCs of the protocols it
manages.
These modes have to be selected from the Security Inspection field in the related
filter rule.
• IPS: Detect and block (default choice). ASQ will submit the packet to all the
layers it can analyze and block it in the event of an anomaly.
• IDS: Detect. ASQ performs an analysis similar to the one performed by the
IPS, except that the packet will always be authorized. This is a profile that
allows quick auditing for a given filter rule.
• Firewall: Do not inspect. ASQ will only perform a few analyses on the
received packet. To know which alarms firewall mode does not bypass, refer
to the article "Are there any alarms that are not bypassed by Firewall Mode
(Security Inspection)?" in our knowledge base.
Regardless of the default inspection profile, a specific ASQ profile can be forced in the
filter table from the Security inspection column. Each profile can then be managed from
the menus Protocols and APPLICATIONS AND PROTECTIONS under
CONFIGURATION ⇒ APPLICATION PROTECTION.
SECURITY RECOMMENDATIONS
Depending on how the appliance is used, it may help to disable certain IPS
verifications to free up resources. For example, do not apply IPS filtering to HTTP if
the traffic will be redirected later to a filtering proxy.
IPS is enabled by default on all filter rules in automatic protocol detection mode. For
better traffic inspection, you are advised to manually qualify the type of protocol if a
non-standard port is used. IPS may not detect the application correctly.
If legitimate traffic raises alarms, ASQ parameters must be changed to avoid slowing
down production. In this case, the changes must be very specific, preferably in a
dedicated profile that will be applied to rules that specifically identify the traffic in
question. Feel free to report false positives in the default configuration to technical
support or your Stormshield contact.
APPENDIX – APPLICATION PROTECTION
In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.
SMTP FILTERING AND ANTISPAM
Ten SMTP filter policies are available. Rules are processed in order of appearance (top
to bottom).
The SMTP filter policy is applied when application inspection is defined for filter rules that allow
incoming and outgoing SMTP traffic. For incoming mail traffic, an antispam analysis can be
combined with SMTP filtering (recommended).
For SMTP connections translated using a public IP address "SMTP_PUBLIC_IP" dedicated to the
internal mail server "SMTP_PRIVATE_IP" (static translation), certain rules must be observed
before enabling SMTP filtering.
For incoming SMTP traffic, address translation to the internal SMTP server must be applied in
the filter rule that allows the traffic (ARP publication must be enabled for this type of
translation).
For SMTP filtering to be as transparent as possible, the original source IP addresses of incoming
connections will be kept when these connections are sent back over the internal network after
SMTP filtering. This is possible because of the "Keep original source IP address" option which is
enabled by default for incoming traffic in the "Proxy" tab of the SMTP protocol (incoming profile
smtp_00).
For outgoing SMTP traffic (usually smtp_01, but the global configuration applies to all profiles),
the option "Apply the NAT rule on scanned traffic" must be enabled in the global configuration
of the SMTP protocol to force outgoing SMTP connections to go through the NAT rules.
Otherwise, the source IP address of SMTP connections will be the IP address of the firewall
interface they are leaving.
• Antispam module
Spam detection relies on two technologies to provide the most effective protection possible:
• Reputation-based analysis (DNS blacklists – RBL), which consists of checking the
sender's IP address against lists of addresses known as spam senders or relays.
• Heuristic analysis, which relies on a set of mathematical algorithms. These algorithms
detect abnormal traits in e-mails, such as the repetition of unwanted characters or the
presence of characteristic words. Once the calculations are done, a score is assigned
to the e-mail. Depending on the score and the parameters of the heuristic analysis, the
e-mail will be considered spam or legitimate.
The antispam analysis can be applied on SMTP or POP3 traffic. SMTPS and POP3S traffic must be
decrypted beforehand by an SSL inspection rule.
The example above shows an antispam analysis being enabled for incoming SMTP traffic.
HOST REPUTATION
A feature added in SNS version 3 makes it possible to filter by internal hosts' reputation,
using their reputation score as a criterion in filter rules.
A host's score starts at 0 and increases with the risks detected in its traffic: a host
whose traffic has never raised any of these risks (or that has never generated traffic at
all) therefore has a reputation score of 0.
This feature can be configured in CONFIGURATION ⇒ APPLICATION PROTECTION ⇒ HOST
REPUTATION.
By default, a host's score is likely to increase when traffic involving this host causes:
• an alarm to be raised,
• the detection of a viral load,
• the Breach Fighter Sandboxing tool to detect malware:
o Malicious: the host is infected,
o Suspicious: the host has been connected to potentially infected hosts.
The scores associated with these risks can be changed to suit your network, based on the
values indicated in square brackets.
In a production environment, an average score is not in itself a sign of trouble: the
configured values have to be tested against real traffic before they can be considered
consistent.
The way the reputation score decreases cannot be configured in the web administration
interface, but the reputation score of all monitored hosts can be reset.
After the events that raised the score are fixed, the score decreases as follows:
• When a host's score is 100, it will be halved after 6 hours, then quartered after
12 hours.
• A risk will be ignored if it is older than 24 hours.
In the tab where you configure the hosts that need to be monitored, you can select
the hosts or networks that will be part of an inclusion or exclusion list.
Since networks and internal hosts are not all subject to the same threats, you will
need to test various behaviors before applying the protection in a production
environment.
After you have selected the desired duration, move the mouse over a point in the
graph to find out the global reputation score associated with this host at a given
time, as well as the reputation sub-scores by type of risk (alarm, antivirus,
sandboxing, etc.).
A reputation criterion can be added for internal hosts in filter rules at the source or
destination depending on the direction of the traffic.
In the example above, a host from Network_in will be able to contact an SMTP
server via the firewall, only if its reputation score is below 20.
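The scoring, its decay and the rule criterion above can be put together in a small model. This is an added example, not Stormshield code: the risk names, the weights and the step-wise decay curve are assumptions chosen only to reproduce what the course states (a risk's contribution halved after 6 hours, quartered after 12, ignored after 24; a rule that requires the score to stay below 20); the cap at 100 is likewise an assumption.

```python
"""Toy model of the host reputation score, its decay and its use in a rule.

Added example, not Stormshield code. The risk weights, the event names and the
step-wise decay are assumptions chosen to reproduce the behaviour stated in the
course: each risk adds its configured score; a risk's contribution is halved
after 6 hours and quartered after 12 hours; a risk older than 24 hours is
ignored; a filter rule can require the score to be below a threshold (20 in
the course example). The cap at 100 is also an assumption.
"""
from dataclasses import dataclass

# Assumed weights; the real ones are set in CONFIGURATION > APPLICATION PROTECTION > HOST REPUTATION.
RISK_WEIGHTS = {
    "alarm_minor": 12,
    "alarm_major": 40,
    "antivirus": 48,
    "sandboxing_suspicious": 32,
    "sandboxing_malicious": 100,
}
MAX_SCORE = 100


@dataclass(frozen=True)
class Risk:
    kind: str          # key of RISK_WEIGHTS
    at_hours: float    # time of the event, in hours on the firewall's clock


def decay_factor(age_hours):
    """Fraction of a risk's weight still counted, by age of the risk."""
    if age_hours < 0:
        raise ValueError("risk dated in the future")
    if age_hours < 6:
        return 1.0
    if age_hours < 12:
        return 0.5
    if age_hours < 24:
        return 0.25
    return 0.0


def sub_scores(risks, now_hours):
    """Per-risk-family contributions (what the monitoring graph breaks down)."""
    out = {}
    for r in risks:
        family = r.kind.split("_")[0]                # alarm / antivirus / sandboxing
        out[family] = out.get(family, 0) + RISK_WEIGHTS[r.kind] * decay_factor(now_hours - r.at_hours)
    return {k: int(v) for k, v in out.items()}


def reputation(risks, now_hours):
    """Global score: sum of the decayed contributions, capped at MAX_SCORE."""
    return min(MAX_SCORE, sum(sub_scores(risks, now_hours).values()))


def rule_allows(score, max_score=20):
    """Filter-rule criterion from the course: allow only if score < 20."""
    return score < max_score


def timeline(risks, hours=(0, 6, 12, 24)):
    """Score of a host at several moments after its risks were raised."""
    return {h: reputation(risks, h) for h in hours}
```

Running `timeline()` on a host with one malicious sandboxing verdict gives 100, 50, 25 and 0 at 0, 6, 12 and 24 hours, which is the decay the course describes; tune the weights against your own alarm volume before using the criterion in a blocking rule.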
USERS & AUTHENTICATION
INTRODUCTION
• Objective:
To grant users specific access privileges to networks
and services (captive portal, SSL VPN, IPsec VPN,
firewall administration, etc.)
• Steps in the configuration of a Stormshield firewall
LINKING TO A DIRECTORY
Firewalls support four types of directories that fall under two categories:
• External, reached through the firewall's LDAP client using the LDAP protocol (LDAP
on TCP/389, LDAPS on TCP/636):
• Microsoft Active Directory,
• External LDAP,
• PosixAccount external LDAP.
• Internal:
• Internal LDAP: the LDAP is created on the firewall and hosts users.
NOTE:
• LDAP clients built into the firewall make it possible to log on to any type of
directory (internal or external) using LDAP (or LDAPS to secure connections with
external directories).
• For internal LDAPs, the directory and users are automatically backed up/restored
with the configuration of the firewall.
Click on Add a directory to launch the wizard. With the Action button, you can:
• Delete a directory,
• Specify a default directory,
• Check the connection to the directory,
• Check the use of the directory,
• Rename a directory.
The rest of the menu lists all the directories that have been added - the default
directory appears in green. Clicking on a directory will display its settings on the right
side of the page.
Next, the wizard will suggest that you enable authentication profile 0 (internal) on an
interface, if the profile has not yet been enabled. If it was enabled earlier, this step
will not appear.
NOTE: even if a Microsoft Active Directory is in read/write access, users still cannot
be added to or deleted from the firewall. However, certificates for AD users can still
be published.
• Advanced properties:
• Protected characters: defines characters that must be protected with a "\"
in LDAP requests. This is to ensure that these characters are not
considered special characters used by the LDAP server's search engine.
• Password hash: selects the hash algorithm that must be used to save user
passwords to avoid saving them in plaintext.
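The reason the "Protected characters" setting exists is shown by the following added example (not Stormshield code). The directory entries and the tiny filter evaluator are constructed for the demonstration and support only what it needs; the escaping itself follows RFC 4515, which requires `*`, `(`, `)`, `\` and NUL to be written as a backslash followed by two hex digits. It compares a login copied into a search filter without escaping, which lets the caller rewrite the filter, with the same login escaped, which is matched as a literal.

```python
"""Why 'Protected characters' matter: LDAP filter injection and RFC 4515 escaping.

Added example, not Stormshield code. DIRECTORY is a constructed in-memory stand-in
for an LDAP base, and the filter evaluator supports only what the demo needs
(&, | and attribute=value with '*' wildcards). It shows that a login copied into
a search filter without escaping lets the caller rewrite the filter, and that
escaping the special characters as \\XX turns the same input into a literal.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed directory entries (attribute names are lower-cased).
DIRECTORY = [
    {"objectclass": "person", "uid": "j.doe", "cn": "John Doe"},
    {"objectclass": "person", "uid": "a.smith", "cn": "Anne Smith"},
    {"objectclass": "device", "uid": "printer1", "cn": "Printer"},
]


def escape_filter_value(value):
    """Protect every special character with a backslash escape."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(login, escape=True):
    """Filter used to look up the authenticating user by login."""
    value = escape_filter_value(login) if escape else login
    return f"(&(objectclass=person)(uid={value}))"


def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _value_matches(raw_value, actual):
    """An unescaped '*' is a wildcard; escaped characters are literals."""
    parts = [re.escape(_unescape(p)) for p in raw_value.split("*")]
    return re.fullmatch(".*".join(parts), actual) is not None


def _parse(flt, i=0):
    """Tiny recursive parser for (&...), (|...) and (attr=value) components."""
    if flt[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if flt[i + 1] in "&|":
        op, i, children = flt[i + 1], i + 2, []
        while flt[i] == "(":
            node, i = _parse(flt, i)
            children.append(node)
        return (op, children), i + 1                 # skip the closing ')'
    j = flt.index(")", i)
    attr, _, value = flt[i + 1:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def _eval(node, entry):
    if node[0] == "&":
        return all(_eval(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_eval(c, entry) for c in node[1])
    _, attr, value = node
    return attr in entry and _value_matches(value, entry[attr])


def search(flt, directory=DIRECTORY):
    """Return the uids matched by the filter."""
    node, end = _parse(flt)
    if end != len(flt):
        raise ValueError("trailing data in filter")
    return [e["uid"] for e in directory if _eval(node, e)]
```

With the login `*)(uid=*` the unescaped filter becomes `(&(objectclass=person)(uid=*)(uid=*))` and matches every person, while the escaped form `(uid=\2a\29\28uid=\2a)` matches nobody. The same escaping belongs in any application of your own that builds LDAP filters from user input.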
Once the configuration is complete, certain parameters of the internal LDAP can be
modified:
• Enable user directory: this option makes it possible to start the LDAP
service,
• Password: password that enables a connection to the directory, and can
be modified later.
• Enable unencrypted access (PLAIN): enables access to the directory
without encryption,
• Enable SSL access: enables secure access to the directory; the SSL
certificate issued by the server field must be entered,
• Use the firewall account to check user authentication on the directory: if
this option has not been selected, the user account will be used for
authentication. By default, the user with all privileges on the directory is
cn=NetasqAdmin.
MANAGING USERS
Users and groups from all configured directories can be looked up in the menu
CONFIGURATION⇒ USERS ⇒ Users.
The menu is made up of three sections:
• The menu bar, which offers the following:
• Search bar,
• Filtering the display by object type: groups or users,
• Filtering the display by directory (appears only if several directories have
been configured),
• Adding users,
• Adding groups,
• Deleting users or groups,
• Checking whether users or groups are in use,
• CN: the list of users and groups from all directories. To differentiate directories, a
suffix is added to users and groups to indicate the name of the directory (instead
of the domain name). For example: user6@institute.com
• Parameters of a group or user appear on the right of the page. Users’ settings are
organized in three tabs: information about the user (ACCOUNT), their certificate
(CERTIFICATE) and the groups to which they belong (MEMBER OF THESE
GROUPS).
NOTE: The list of users and groups is always empty when you open this menu. If you
are logged in to a directory that contains many users and groups, displaying all of
them without a filter in the Search field may impact the performance of the
graphical interface.
To see users or groups, you can:
• Click on one of the filters (users or groups),
• Open the firewall preferences menu by clicking on the tools icon in the header of
the web interface, and select the checkbox Display users at startup of module.
• Creating users
With an internal LDAP, or external LDAP accessible in read/write, users and groups
can be added and deleted in the menu CONFIGURATION ⇒ USERS ⇒ Users.
NOTE:
• Users and groups can be created in the default directory defined in the menu
CONFIGURATION ⇒ USERS ⇒ Directory configuration,
• Users cannot be created once attributes on the firewall have been mapped to the
external LDAP base (see slide 10).
CAPTIVE PORTAL
The captive portal or authentication portal is an embedded web page on the firewall
and accessible via a secure connection (HTTPS) from its IP addresses (it can be
enabled on all of the firewall's interfaces).
There are several uses for the captive portal: authenticating users to access the
network, enrolling new users, creating and downloading a certificate, downloading
the SSL VPN client and its configuration, submitting a sponsorship request in order to
access the network, etc.
Users can log in to the portal by using their directory login/password. If several
directories have been configured on the firewall, users can add their domain names
to their logins, for example, j.doe@company-a.com. If no domain names have been
specified, authentication will be carried out with the method or directory defined by
default on the authentication profile.
• SSL Server: makes it possible to change the certificate presented by the captive
portal.
• Conditions of use for Internet access: allows you to add a charter stipulating the
rules that govern the use of access to the network, which users need to accept
once they are authenticated. It can be downloaded in PDF or HTML. The
Reinitialize customization of Conditions of use for Internet access button makes
it possible to delete a charter uploaded earlier.
• Advanced properties:
• Interrupt connections once the authentication period expires,
• Proxy configuration file (.pac),
• Captive portal: changes the port of the captive portal and its appearance:
hide the Stormshield logo on the portal, download a new logo and modify
the style sheet.
• internal, external: these two profiles have the same configuration. The first is meant
to be attached to internal interfaces and the second to external interfaces, with any
authentication method that uses the captive portal.
The default method or directory used by the profile selected in the previous step
needs to be configured. For an LDAP authentication, this parameter may have one of
the following values:
• LDAP directory (none): This means that there is no default directory. Users
who authenticate on the captive portal will need to enter their logins
followed by their domain, for example, j.smith@institute.com. If the
domain is not indicated, authentication will fail.
• LDAP directory (Domain): This means that the directory of the selected
domain will be used to authenticate users who enter only their logins
(without the domain) on the captive portal, like j.smith, for example. As
for users from other domains, they will need to enter the domain with the
login in order to be authenticated.
NOTE: the default method or directory does not restrict this profile to only this
method or this directory. Such restrictions can only be placed with an
authentication policy.
• Conditions of use for Internet access: groups all the parameters that control the
display of the conditions of use entered in the Captive portal tab. It also contains
three customizable fields that appear on the authentication portal with the guest
method and which make it possible to retrieve information about the guest user
(first and last names, telephone number, email address, etc.).
• Advanced properties:
• Management of the portal, which includes enabling a profile and enabling
the logoff page,
• Definition of the user password policy,
• Management of user enrollment from the captive portal.
To log off, users need to log in to the captive portal again, click on Login in the menu
on the left, and then on the Logout button.
The administrator can log off users from the web interface in Monitoring > Users.
Right-click on the user, and select Log off this user.
Enrollment allows users to register themselves from the captive portal. The
registration request is sent to the firewall first for the administrator's approval. Once
it has been approved, it will be automatically added to the directory.
• Enrollment form
When enrollment has been enabled, users can register by filling in the form obtained
by clicking on New user in the menu on the left. When they have filled in the form,
users can then send their requests by clicking on Submit request.
NOTE: enrollment is ordinarily used to register users from outside your organization
in your directory. The domains of their e-mail addresses are therefore different from
yours.
• Configuring enrollment
On the firewall’s administration interface, enrollment requests are listed in the menu
CONFIGURATION ⇒ USERS ⇒ Enrollment. The administrator can either approve,
reject or ignore the request.
The administrator can first modify the user's login generated automatically in the
default format %F.%L, corresponding to FIRST NAME.LAST NAME (case-sensitive).
Changes must be applied before the first enrollment is confirmed, so that all logins
follow the same rules.
With the user John Doe shown in our example:
• %f1.%l: means j.doe (without spaces: first letter of the first name in lowercase,
period, and last name in lowercase),
• %f%L1: means johnD (without spaces: first name in lowercase, first letter of the
last name in uppercase).
The administrator can also enable e-mail notifications when accepting or rejecting
users' requests. To do so, a mail server must be configured on the firewall in the
menu CONFIGURATION ⇒ NOTIFICATIONS ⇒ E-mail notifications.
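The login formats above (%F.%L, %f1.%l, %f%L1) are easier to reason about when written out as code. The following is an added example, not Stormshield's implementation: it reads %F/%f as the first name and %L/%l as the last name, a lowercase letter as "convert to lowercase", and the trailing digit as "keep only the first N letters". The page only shows the digit 1; accepting any count, and the collision check in generate_unique_login, are this example's own assumptions.

```python
import re

# Token grammar assumed for this example: %F / %f = first name, %L / %l =
# last name; an uppercase letter keeps the name as entered, a lowercase one
# converts it to lowercase; an optional digit keeps only that many leading
# letters (%f1 = first letter of the first name). Generalising the digit
# to any count is an assumption; the page only shows %f1 and %L1.
TOKEN = re.compile(r"%([FfLl])(\d*)")


def generate_login(first_name, last_name, fmt="%F.%L"):
    """Expand an enrollment login format for one user (case-sensitive)."""
    def expand(match):
        letter, count = match.group(1), match.group(2)
        name = first_name if letter in "Ff" else last_name
        name = name.replace(" ", "")          # generated logins carry no spaces
        if letter.islower():
            name = name.lower()
        if count:
            name = name[: int(count)]
        return name
    return TOKEN.sub(expand, fmt)


def generate_unique_login(first_name, last_name, fmt, existing_logins):
    """Hypothetical extension, not a firewall feature described on the page:
    short formats such as %f1.%l collide for two users named J. Doe, so a
    numeric suffix is appended until the login is unused in the directory."""
    base = generate_login(first_name, last_name, fmt)
    login, suffix = base, 1
    while login in existing_logins:
        suffix += 1
        login = f"{base}{suffix}"
    return login
```

Because the format is applied identically to every approved request, changing it after the first confirmation would leave earlier logins following a different rule, which is why the page insists on fixing it beforehand.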
• Confirming enrollment
When the administrator approves an enrollment request (CONFIGURATION ⇒ USERS ⇒
Enrollment), the user’s login will be automatically generated in the format chosen in
the previous step.
AUTHENTICATION METHODS
SNS firewalls implement several authentication methods that fall under two
categories:
• Explicit methods via the captive portal: the user is redirected to the captive
portal to enter a login and password, which the firewall retrieves to verify the
identity of the user depending on the method used:
• LDAP: the user's identity is verified on an internal or external directory
(LDAP/AD)
• Sponsorship: allows users identified by their first and last names to access
the network through the sponsorship of a local user holding the relevant
privileges. Users will first be asked to enter their first and last names on
the captive portal as well as the email address of their sponsor. The
sponsor will then receive an email containing a link to confirm this
request. After the request has been validated, the sponsored user will
automatically be redirected from the captive portal to the requested web
page.
• Guest: allows users to access the network after they accept the conditions
of use on the authentication portal. This method is very often used for
public places such as hotels, railway stations or public hotspots.
The authentication methods used by the firewall can be added from the menu
CONFIGURATION ⇒ USERS ⇒ Authentication ⇒ AVAILABLE METHODS tab. Specific
parameters need to be entered for each method.
After the LDAP directory is configured in the example above, the LDAP
authentication method will be automatically entered.
AUTHENTICATION POLICY
Since SNS firewalls are able to support several directories and several authentication
methods simultaneously, an authentication policy needs to be defined in order to
indicate the method(s) to be applied according to two criteria: the user or user
group, and the source IP address or incoming interface.
Several authentication methods can be used in a single rule. In this case, the
methods will be applied in the order in which they appear in the rule. If a method
allows a user to authenticate, the methods that follow it will not be tested. For
example, in rule #3, all users on the "institute.com" domain who log in from the
internal network must first authenticate via the SSO agent method. If authentication
fails, the user will be asked to select his certificate. If the SSL method fails (e.g., no
certificate for this user), he will be asked to enter his login and password to
authenticate via the LDAP method.
If no rules match the traffic criteria, the default authentication method will be
applied.
NOTE: whenever it is used in a rule, the SSO agent method will automatically take
priority over all other methods as it authenticates users on the firewall as soon as
they are authenticated on the Active Directory domain.
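To make the rule-evaluation order concrete, here is an added example (not Stormshield code) that models the behaviour described above: the first rule whose domain and source criteria match is applied, its methods are tried in order, the first method that succeeds ends the evaluation, the SSO agent method is moved to the front whenever a rule lists it, and a host matching no rule falls back to the default method. Rule contents, network addresses, users and the per-method outcomes are all constructed; sources are modelled as IP networks only (incoming-interface criteria are left out).

```python
import ipaddress

# Constructed authentication policy, evaluated top-down. The second rule
# mirrors the page's rule #3: users of institute.com coming from the
# internal network try the SSO agent, then SSL (certificate), then LDAP.
POLICY = [
    {"domain": "any", "source": "192.168.2.0/24", "methods": ["LDAP"]},
    {"domain": "institute.com", "source": "192.168.1.0/24",
     "methods": ["SSO agent", "SSL", "LDAP"]},
]
DEFAULT_METHOD = "LDAP"

# Constructed outcome of each method for each user, standing in for the
# real checks (SSO agent session lookup, certificate selection, LDAP bind).
OUTCOMES = {
    ("alice@institute.com", "SSO agent"): True,
    ("bob@institute.com", "SSO agent"): False,
    ("bob@institute.com", "SSL"): False,      # no certificate for this user
    ("bob@institute.com", "LDAP"): True,
    ("carol@partner.org", "LDAP"): True,
}


def find_rule(user, src_ip, policy=POLICY):
    """Return the first rule matching the user's domain and source address."""
    domain = user.split("@", 1)[1]
    ip = ipaddress.ip_address(src_ip)
    for rule in policy:
        if rule["domain"] not in ("any", domain):
            continue
        if ip not in ipaddress.ip_network(rule["source"]):
            continue
        return rule
    return None


def authenticate(user, src_ip, outcomes=OUTCOMES, policy=POLICY,
                 default=DEFAULT_METHOD):
    """Try the rule's methods in order and stop at the first success.
    Returns (method that authenticated the user or None, methods tried)."""
    rule = find_rule(user, src_ip, policy)
    methods = list(rule["methods"]) if rule else [default]
    # The SSO agent method always takes priority when a rule lists it.
    if "SSO agent" in methods:
        methods.remove("SSO agent")
        methods.insert(0, "SSO agent")
    tried = []
    for method in methods:
        tried.append(method)
        if outcomes.get((user, method), False):
            return method, tried
    return None, tried
```

Running authenticate("bob@institute.com", "192.168.1.10") walks all three methods and ends on LDAP, exactly the sequence the paragraph describes for a user without a certificate.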
To add an authentication rule, click on New rule ⇒ Standard rule. Rules can be
created in a wizard in three steps.
The interface and profile must be selected in the rule. The default method or
directory will be entered automatically depending on the configuration of the
selected profile.
For the other methods: guests, temporary accounts and sponsorship, users can be
added through the respective buttons: New rule ⇒ Guest method rule, Temporary
account method rule and Sponsorship method rule.
In the authentication policy, you can create a policy to determine which networks
and users will use the LDAP method, or define it as the default method.
FILTER RULES FOR AUTHENTICATION
[Diagram: LDAP authentication via the captive portal, with http://www.bbc.com as the requested website]
The process of LDAP authentication via the captive portal is described above. The
user opens a browser to access a website in HTTP. The firewall intercepts the HTTP
request and redirects the user to the authentication portal
(https://firewall_IP@/auth). The user then enters his directory login/password,
which will be sent to the firewall through a secure connection (HTTPS). The firewall
authenticates the user on the directory (internal/external LDAP or AD). If the user is
authenticated, the browser will be redirected to the website requested initially.
NOTE: users may be redirected to the captive portal when accessing websites in
HTTPS, but the SSL proxy needs to be enabled - this will be covered in the CSNE
course.
LDAP configuration via the captive portal will be covered in the following slides.
To create the authentication rule, click on New rule > Authentication rule. In the
wizard, enter the source network from which users will log on, the destination
network and, if you wish to (optional), a list of URL categories that can be accessed
without authentication.
Since the authentication rule only allows unknown users to be redirected to the
captive portal, you must then add other rules that allow authenticated users to
access the network.
When you edit the source of a filter or NAT rule, the User field makes it possible to
specify the user (or the group) that has to be authenticated in order to match the
rule. A few options are listed:
• No User: default choice when you add a new rule. The rule will be applied
without taking the user parameter into account,
• Any user@any: refers to any authenticated user, regardless of the directory
or authentication method used,
• Any user@guest_users.local.domain: refers to any user authenticated via
the guest method,
• Any user@voucher_users.local.domain: refers to any user authenticated
via the temporary account method,
• Any user@sponsored_users.local.domain: refers to any user
authenticated via the sponsorship method.
• Any user@<domain>: refers to any user authenticated via the domain
directory,
• Any user@none: refers to any user authenticated via a method that does
not use a directory, for example, sponsorship, temporary account, etc.
• Unknown users: refers to any user who has not been authenticated. This
value is used mostly in authentication rules.
• The list of all users and groups found in the directories.
The button to the right of the user parameter makes it possible to filter users by
directory or authentication method.
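The selectors in the User field are easiest to understand by applying them to a table of authenticated sessions. The following added example (not Stormshield code) resolves each selector listed above against a constructed session table and then walks a short filter policy top-down. It assumes that the firewall records, for each authenticated host, the login, the domain (the pseudo-domains guest_users.local.domain, voucher_users.local.domain and sponsored_users.local.domain for the corresponding methods) and whether the method used a directory; group membership is left out.

```python
# Constructed session table: what the firewall knows about each source host.
# None means the host has not authenticated. 'uses_directory' is False for
# methods that do not rely on a directory (guest, temporary account,
# sponsorship), which is what "Any user@none" selects.
SESSIONS = {
    "192.168.1.10": {"login": "john.doe", "domain": "institute.com", "uses_directory": True},
    "192.168.1.11": {"login": "guest1", "domain": "guest_users.local.domain", "uses_directory": False},
    "192.168.1.12": {"login": "visitor", "domain": "sponsored_users.local.domain", "uses_directory": False},
    "192.168.1.13": None,
}

# Constructed filter policy: (User field selector, action), evaluated top-down.
FILTER_RULES = [
    ("Unknown users", "redirect to captive portal"),
    ("john.doe@institute.com", "pass (admin tools)"),
    ("Any user@institute.com", "pass"),
    ("Any user@none", "pass (Internet only)"),
]


def selector_matches(selector, session):
    """Does a User-field selector match the session of the source host?"""
    if selector == "No User":                 # user parameter ignored
        return True
    if selector == "Unknown users":           # not authenticated
        return session is None
    if session is None:
        return False
    if selector == "Any user@any":            # any directory or method
        return True
    if selector == "Any user@none":           # method without a directory
        return not session["uses_directory"]
    if selector.startswith("Any user@"):      # Any user@<domain> or pseudo-domain
        return session["domain"] == selector[len("Any user@"):]
    return selector == f"{session['login']}@{session['domain']}"


def first_matching_rule(src_ip, rules=FILTER_RULES, sessions=SESSIONS):
    """Return (selector, action) of the first rule matching the host, or a block."""
    session = sessions.get(src_ip)
    for selector, action in rules:
        if selector_matches(selector, session):
            return selector, action
    return None, "block"
```

Note how the unauthenticated host hits the authentication rule first and how the sponsored user, who has no directory account, is only reached by the Any user@none rule; a policy containing only the authentication rule would redirect unknown users and then block everyone, which is the point made at the top of this slide.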
DEFINING NEW ADMINISTRATORS
Two editing modes are available here - simple view or advanced view (as above)
which provides more detail on granted privileges.
SECURITY RECOMMENDATIONS
Only the local administrator account can assign administrator privileges, which is
why we advise assigning privileges to groups. User accounts will then be distributed
in groups, but this operation can be performed from the directory.
An administrator dedicated to a specific task must have only one restricted area of
responsibility, so that risks can be contained if the account is compromised, and
accidental changes to the configuration can be prevented.
Secure and redundant access to the external LDAP directory must be configured. The
account that the firewall uses to authenticate on the directory must hold only basic
(read-only) privileges and must be dedicated to this purpose.
LAB 7 – AUTHENTICATION
APPENDIX – USERS & AUTHENTICATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.
GUEST METHOD
• Enabling guest method
• Authentication policy
• Enabling the captive portal
Guest method can be configured easily and quickly. In the list of available methods,
the only parameter to set is the frequency with which usage conditions will be
displayed – 18 hours by default.
When you edit the authentication policy, a wizard will assist you through the
configuration of the guest method. This wizard asks only for the network or interface
from which client hosts will authenticate. The guest method will then be applied to
all users coming from the selected object or arriving through the interface.
To allow users to accept the Internet access conditions, the captive portal must be
configured.
HTML or PDF files describing access conditions to guests are added to the
configuration panel on the captive portal.
Then, write a filter rule that redirects guests to the captive portal.
VIRTUAL PRIVATE NETWORKS
DIFFERENT TYPES OF VPNS
IPSEC VPN – CONCEPTS AND GENERAL POINTS
[Diagram: site-to-site IPSec VPN tunnel between IP@ FW A and IP@ FW B carrying traffic between IP@ A and IP@ B; the tunnel is opened with ISAKMP = IKE v1 or v2; encrypted fields and authenticated fields are marked]
The site-to-site IPSec VPN tunnel enables the connection of two private networks
through a public network while providing the following security services:
The site-to-site IPSec VPN tunnel can be set up between the SNS firewall and any IPsec
VPN-compatible equipment. Tunnels are negotiated through ISAKMP (Internet Security
Association Key Management Protocol), also known as IKE (Internet Key Exchange),
which currently exists in two versions, V1 (RFC 2409) and V2 (RFC 7296).
The negotiation takes place between the tunnel endpoints, which correspond to the
appliance's IP addresses (IP@ FW A and IP@ FW B). The IKE protocol is sent over UDP on
port 500.
Once a tunnel has been set up between two appliances, the traffic endpoints
corresponding to private networks can communicate via ESP (Encapsulating Security
Payload) which ensures data confidentiality and integrity. The ESP protocol (the IP
protocol number is 50, defined in RFC 4303) is encapsulated directly in an IP packet.
• Policy match (standard operating mode): matches users' IP addresses with the
IPSec policy; this operating mode relies on the [source IP + destination IP] criteria
of these IP packets compared with the policy loaded in the system's IPSec
structures. In this operating mode, the IPSec policy will be evaluated before the
general IP routing instructions. Whether it is applied depends only on whether it
"matches" the policy.
NOTES:
• Stormshield firewalls support versions 1 and 2 of the IKE protocol. From V3.3.0
onwards, you can configure tunnels using IKEv1 and IKEv2 in the same IPSec VPN
policy. The combination of IKEv1 and IKEv2 in the same policy is still experimental
and must not be used in a production environment.
• Peer identities:
[Diagram: Firewall A and Firewall B identified by their IP addresses (IP@ FW A, IP@ FW B), or Firewall B identified by an FQDN such as fw.company-b.com]
During authentication, each endpoint verifies the other endpoint's identity. The
following identities may represent a tunnel endpoint:
Depending on the authentication method used, the identity will be associated with:
• A PSK (pre-shared key): each endpoint will provide proof that it holds the
common PSK.
• A PKI (Public Key Infrastructure): each endpoint will present an X.509 digital
certificate that must be signed by a certification authority trusted by the other
peer. The use of certificates for authentication is covered in the CSNE course.
[Diagram: Phase 1 negotiation with PSK or PKI authentication, producing the ISAKMP-SA in IKEv1 and the PARENT-SA in IKEv2]
There are two phases in the IKE negotiation to set up an IPSec VPN tunnel:
• Phase 1: during this phase, both tunnel endpoints negotiate a Phase 1 encryption
profile that contains encryption/authentication algorithms. In this phase as well,
both endpoints authenticate with a pre-shared key or certificates.
If both endpoints are unable to agree on a common encryption profile or if they
are unable to authenticate, Phase 1 will fail and the negotiation ends.
Otherwise, an encrypted application dialog, called ISAKMP-SA (Internet Security
Association Key Management Protocol – Security Association) in IKEv1 and
PARENT-SA in IKEv2, will be set up between both endpoints. It will enable the
negotiation of Phase 2, which will be fully encrypted with the Phase 1 ISAKMP-SA
key.
• Phase 2: during this phase, both endpoints negotiate the Phase 2 encryption
profile and the traffic endpoints that can communicate through the IPSec VPN
tunnel.
If both endpoints are unable to make these parameters match, Phase 2 will fail;
otherwise, two channels will be opened for data transmission (one in each
direction). Each channel will use its own encryption key. They are called ESP-SA1
and ESP-SA2 in IKEv1 and CHILD-SA1 and CHILD-SA2 in IKEv2. Each endpoint will
therefore possess a key pair - one to encrypt sent data and the other to decrypt
received data.
NOTES:
• In IKEv1, Phase 1 may take place in two modes: MAIN or AGGRESSIVE. RFC2409
requires identifiers to be the IP addresses of peers when the negotiation mode is
MAIN and for authentication to be based on a PSK. AGGRESSIVE mode will
therefore be applied as soon as a peer cannot be identified by a static IP address.
• In IKEv1, traffic endpoints must be identical for both peers, otherwise Phase 2 will
fail. However, in IKEv2, this is not mandatory but you are strongly advised to
configure these parameters identically to avoid unpleasant surprises.
• The peer whose local network initiated traffic to the remote network will start the
tunnel negotiation. As a result, if no traffic passes between the tunnel's networks,
the tunnel will not be opened.
IPSEC VPN – CONFIGURATION OF A SITE-TO-SITE TUNNEL
Site-to-site IPsec VPN tunnels can be configured in the menu VPN ⇒ IPsec VPN tab
⇒ ENCRYPTION POLICY – TUNNELS tab ⇒ SITE-TO-SITE (GATEWAY – GATEWAY) tab,
by clicking on Add ⇒ Site-to-site tunnel.
A wizard will appear allowing you to enter the main parameters: traffic endpoints
(local networks and remote network) and the remote tunnel endpoint (the peer).
If the peer does not exist, it needs to be created by clicking on the IKE version (v1 or
v2) that will be used for the tunnel negotiation. A new wizard will open to allow you
to enter the peer's parameters.
In the first step, you will be able to enter the host object that bears the peer's IP
address.
The second step allows you to select and configure the authentication method. If
PSK is selected, the pre-shared key specified will be associated with the peer's
identity.
In the last step, all parameters that have been defined will be listed, and if necessary,
a backup gateway can be added. When you click on Finish, you will go back to the
VPN tunnel creation wizard.
When you have defined the three parameters (local network, remote network and
peer), click on Finish. The VPN tunnel will be added to a separate line in the policy. A
detailed summary can be displayed by clicking on the icon represented by an eye.
The Phase 1 encryption profile, also known as IKE profile, is configured on the peer,
whereas the Phase 2 encryption profile, also known as IPSec profile, is configured on
the VPN tunnel.
• Keepalive
The purpose of the Keepalive function is to keep the tunnel available by sending a
UDP packet to the remote network over port 9 with a certain frequency. This will
cause the initial negotiation of the tunnel, and then its periodic renegotiations.
The keepalive column is hidden by default; to make it appear, click on the header of a
column, then select Columns and tick the Keepalive option. The column allows
configuring the frequency (in seconds) with which UDP packets will be sent.
For site-to-site IPSec VPN tunnels, implicit rules are automatically added when the
tunnel is created in order to allow receiving traffic that is part of an IPsec VPN
tunnel: UDP ports 500 and 4500, and ESP.
These implicit rules only concern incoming traffic as outgoing traffic is already
covered by the firewall's implicit traffic rules.
Traffic that has to be allowed between users of the tunnel must be explicitly defined
in the filter rules:
• The first rule makes it possible to initiate connections from local network
Network_in to remote network NET_IN_B.
• As for the second rule, it allows initiating connections from remote network
NET_IN_B to local network Network_in. The via IPsec VPN tunnel instruction was
added to the source of this rule in order to ensure that traffic from the remote
network originates from the IPSec VPN tunnel.
NOTE: These sample rules are really permissive as they do not specify any particular
traffic; in a real situation, it would be better to define a filter policy that will strictly
describe traffic to be allowed in order to cover the communications needed between
the various machines on both sites.
[Screenshots: VPN log lines for an IKEv1 and an IKEv2 negotiation]
The menu LOGS ⇒ VPN displays events relating to the IKE negotiation process.
Traffic endpoints that were the reason for the negotiations and for which the tunnel
is available appear clearly on the log line relating to the Phase 2 negotiation.
For diagnosis purposes and especially if a warning or an error message was reported,
it is essential to point out the phase to which the event relates.
The columns displayed above have been deliberately kept to the minimum needed
for the example. You can see more detailed technical information by clicking on the
arrow in column headers and selecting the columns you would like to add.
In the Monitoring ⇒ IPSec VPN tunnels menu, you can see the active IPSec VPN
policy on the firewall.
When the option Hide established tunnels to display only policies with issues is
selected, only policies that do not have negotiated tunnels will be shown.
In the Tunnels section, you can monitor available tunnels. The current age of the SAs
and the selected algorithms for negotiations are shown.
IPSEC VPN – CONFIGURATION OF MULTIPLE SITE-TO-SITE TUNNELS
[Diagram: sites A and B, each with interfaces IN, DMZ1 and OUT and the networks NET_IN_A, NET_DMZ1_A, NET_IN_B and NET_DMZ1_B]
The goal is to configure an IPsec VPN policy to allow communication between the
local IN and DMZ1 networks on both sites. There are two ways to configure this
policy:
1. One rule for each pair of networks to be linked.
2. One rule for all networks, by using groups.
The first configuration allows using various encryption profiles or enabling keepalive
only for certain selected tunnels.
Regardless of the version of the IKE protocol used, the loaded policy will be the same
and will generate four separate tunnels, meaning four pairs of IPSec-SA tunnels.
[Screenshots: the group-based policy as loaded with IKEv2 and with IKEv1]
The second configuration is more concise and therefore easier to read as long as a
strict and sufficiently descriptive naming system is adopted for group names, in
order to avoid ambiguities or confusion when reading it later.
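The two configuration styles can be checked for equivalence, and the policy-match operating mode described earlier (the [source IP + destination IP] pair is compared with the loaded IPsec policy before ordinary routing) can be exercised, with a few lines of code. The following is an added example, not Stormshield code: the network addresses, group names and the peer name FW_B are constructed, and the policy is modelled as a list of (local, remote, peer) rules.

```python
import ipaddress
from itertools import product

# Constructed network objects for the two sites and the groups used by the
# second configuration style.
OBJECTS = {
    "NET_IN_A": "192.168.1.0/24", "NET_DMZ1_A": "192.168.2.0/24",
    "NET_IN_B": "10.1.0.0/24", "NET_DMZ1_B": "10.2.0.0/24",
}
GROUPS = {"GRP_A": ["NET_IN_A", "NET_DMZ1_A"], "GRP_B": ["NET_IN_B", "NET_DMZ1_B"]}

# Style 1: one rule per pair of networks.  Style 2: one rule using groups.
PER_PAIR_POLICY = [
    ("NET_IN_A", "NET_IN_B", "FW_B"), ("NET_IN_A", "NET_DMZ1_B", "FW_B"),
    ("NET_DMZ1_A", "NET_IN_B", "FW_B"), ("NET_DMZ1_A", "NET_DMZ1_B", "FW_B"),
]
GROUP_POLICY = [("GRP_A", "GRP_B", "FW_B")]


def resolve(name):
    """Expand an object or group name into a list of networks."""
    return [ipaddress.ip_network(OBJECTS[n]) for n in GROUPS.get(name, [name])]


def expand_policy(rules):
    """The loaded policy: one tunnel (local network, remote network, peer)
    per pair of networks, whichever style the rules were written in."""
    tunnels = []
    for local, remote, peer in rules:
        for l, r in product(resolve(local), resolve(remote)):
            tunnels.append((l, r, peer))
    return tunnels


def policy_match(src, dst, tunnels):
    """Policy-match lookup: return the peer whose tunnel carries this
    [source IP + destination IP] pair, or None when the packet is left to
    ordinary routing."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote, peer in tunnels:
        if src in local and dst in remote:
            return peer
    return None
```

Both styles load the same four tunnels; the group style is only shorter to write, which is why readable group names matter so much when the policy is revisited later.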
IPSEC VPN – VIRTUAL TUNNELING INTERFACE
[Diagram: sites A and B linked through VTI_A and VTI_B, with the networks NET_IN, NET_DMZ1 and NET_DMZ2 on each side, and the routes on A and on B]
There is now another approach available, that uses VTIs dedicated to an IPSec
tunnel.
These particular IPSec interfaces will be passage points for traffic entering and
leaving the IPSec tunnel. They will act as gateways to each other to transport traffic
between networks through the IPSec tunnel.
In the following slides, you will see how to configure a site-to-site IPSec VPN tunnel
using VTIs.
[Screenshots: creation of the VTI on Peer A and of the VTI on Peer B]
VTIs created on both peers each have a common name and an IP address from the
same address range:
• On Peer A: Firewall_VTI_A.
• On Peer B: Firewall_VTI_B.
To prevent ambiguities with the existing architecture and its future additions, it
would be best to select an address range entirely dedicated to the use of VTIs, in an
officially private range that is unusual enough to avoid overlapping with an existing
network or the remote network of a future interconnection.
NOTE: From V3.3.0 onwards, /31 networks can be used; they are better suited to
point-to-point interfaces as they do not use network and broadcast addresses.
[Screenshots: on A, creation of the host object that has the IP address of VTI_B; on B, creation of the host object that has the IP address of VTI_A]
On each firewall, the object with the IP address of the remote peer's VTI must also
be created.
As with all objects, it is best to give them clear names; this makes it easier to use
VTIs in IPSec VPN architectures with multiple peers.
[Screenshots: tunnel configuration on Peer A and on Peer B, and the static routes on Peer B]
In this operating mode, it is important to ensure that the routing of return packets
coincides with the tunnel taken by outgoing packets.
Below, static routes globally indicate on each peer that the remote networks can be
contacted through the same tunnel.
The use of policy-based (PBR) routing instructions also imposes the routing of return
packets by the same tunnel.
This is why the return route has to be defined via the VTI corresponding to the
tunnel through which outgoing packets arrived.
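The asymmetric-return problem is easy to introduce and easy to check for. The following added example (not Stormshield code) models the static routes of both peers as destination-to-gateway tables where the gateway is the remote VTI address, and verifies for each flow that the forward hop on A and the return hop on B land on the same VTI tunnel. The VTI /31, the site networks and the default gateways are constructed values.

```python
import ipaddress

# Constructed addressing: one tunnel between A and B, VTIs on a dedicated /31.
VTI_LINKS = {"tunnel_A_B": ipaddress.ip_network("10.255.0.0/31")}   # VTI_A=.0, VTI_B=.1

# Static routes: destination prefix -> gateway address.
ROUTES_A = {
    "10.1.0.0/24": "10.255.0.1",      # NET_IN_B via VTI_B
    "10.2.0.0/24": "10.255.0.1",      # NET_DMZ1_B via VTI_B
    "0.0.0.0/0": "203.0.113.1",       # default route towards the Internet
}
ROUTES_B_OK = {
    "192.168.1.0/24": "10.255.0.0",   # NET_IN_A via VTI_A
    "192.168.2.0/24": "10.255.0.0",   # NET_DMZ1_A via VTI_A
    "0.0.0.0/0": "198.51.100.1",
}
ROUTES_B_BROKEN = {                   # return route for NET_DMZ1_A forgotten
    "192.168.1.0/24": "10.255.0.0",
    "0.0.0.0/0": "198.51.100.1",
}
SAMPLE_FLOWS = [("192.168.1.10", "10.1.0.10"), ("192.168.2.10", "10.2.0.10")]


def next_hop(routes, dst):
    """Longest-prefix match over a static route table."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def tunnel_of(gateway):
    """Name of the VTI tunnel a gateway address belongs to, or None."""
    if gateway is None:
        return None
    ip = ipaddress.ip_address(gateway)
    for name, link in VTI_LINKS.items():
        if ip in link:
            return name
    return None


def check_return_symmetry(routes_a, routes_b, flows):
    """For each (source on A, destination on B) flow, the forward hop on A
    and the return hop on B must use the same VTI tunnel. Returns the
    offending flows as (src, dst, forward tunnel, return tunnel)."""
    problems = []
    for src, dst in flows:
        forward = tunnel_of(next_hop(routes_a, dst))
        back = tunnel_of(next_hop(routes_b, src))
        if forward is None or forward != back:
            problems.append((src, dst, forward, back))
    return problems
```

In the broken table the reply to NET_DMZ1_A falls through to the default route and leaves in clear towards the Internet instead of re-entering the tunnel, which is exactly the failure the sentence above warns about.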
The via IPsec VPN tunnel instruction must not be used with VTIs; instead, the VTI
needs to be used as the incoming interface in the rule that allows incoming traffic
from the tunnel.
SECURITY RECOMMENDATIONS
• Use IKEv2
  • If not available, use main mode in IKEv1
• Configure Keepalive
• Disable PPTP
You are strongly advised against using the MD5 hash function, DES encryption, RSA
keys smaller than 2048 bits or ECDSA keys smaller than 200 bits.
We also do not recommend the use of 3DES, SHA-1 and ECDSA with keys smaller
than 256 bits if stronger alternatives are available, such as AES, SHA-2 and ECDSA
with keys of at least 256 bits.
Choose the Diffie-Hellman group carefully. Higher group numbers are preferred (such
as 14 or 15), or elliptic curve groups of at least 256 bits.
To avoid losing packets while waiting for a tunnel to be set up, we recommend that
you enable Keepalive which will keep the tunnel up.
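The recommendations above translate directly into a review function for an IKE/IPSec encryption profile. The following is an added example, not Stormshield code: the profile keys (ike_version, ikev1_mode, encryption, integrity, dh, auth, key_bits, keepalive) are names chosen for this example, the thresholds are the ones stated on this slide, and "errors" are the settings the page strongly advises against while "warnings" are the ones to avoid when stronger alternatives are available.

```python
def review_ipsec_profile(profile):
    """Check one encryption profile against the recommendations on this page.

    profile keys (assumed names for this example):
      ike_version  1 or 2
      ikev1_mode   'main' or 'aggressive' (IKEv1 only)
      encryption   e.g. 'DES', '3DES', 'AES'
      integrity    e.g. 'MD5', 'SHA1', 'SHA256'
      dh           ('modp', group number) or ('ecp', curve size in bits)
      auth         'psk', 'rsa' or 'ecdsa'
      key_bits     key size for rsa/ecdsa
      keepalive    True when the keepalive option is configured
    Returns (errors, warnings) as lists of human-readable findings."""
    errors, warnings = [], []
    enc = profile["encryption"].lower()
    integ = profile["integrity"].lower().replace("-", "")
    if enc == "des":
        errors.append("DES encryption")
    elif enc == "3des":
        warnings.append("3DES encryption (prefer AES)")
    if integ == "md5":
        errors.append("MD5 hash")
    elif integ == "sha1":
        warnings.append("SHA-1 integrity (prefer SHA-2)")
    kind, size = profile["dh"]
    if kind == "modp" and size < 14:
        warnings.append(f"DH group {size} (prefer 14 or higher)")
    elif kind == "ecp" and size < 256:
        warnings.append(f"elliptic-curve DH of {size} bits (prefer 256 or more)")
    auth, bits = profile["auth"].lower(), profile.get("key_bits", 0)
    if auth == "rsa" and bits < 2048:
        errors.append(f"RSA key of {bits} bits (minimum 2048)")
    elif auth == "ecdsa" and bits < 200:
        errors.append(f"ECDSA key of {bits} bits (minimum 200)")
    elif auth == "ecdsa" and bits < 256:
        warnings.append(f"ECDSA key of {bits} bits (prefer 256 or more)")
    # IKEv2 is recommended; main mode is the accepted IKEv1 fallback.
    if profile["ike_version"] == 1 and profile.get("ikev1_mode") == "aggressive":
        warnings.append("IKEv1 aggressive mode (use IKEv2, or main mode if IKEv2 is unavailable)")
    if not profile.get("keepalive", False):
        warnings.append("keepalive disabled (packets are lost while the tunnel is negotiated)")
    return errors, warnings


# Constructed profiles: one that breaks most recommendations, one that follows them.
WEAK_PROFILE = {"ike_version": 1, "ikev1_mode": "aggressive", "encryption": "3DES",
                "integrity": "MD5", "dh": ("modp", 2), "auth": "rsa",
                "key_bits": 1024, "keepalive": False}
STRONG_PROFILE = {"ike_version": 2, "encryption": "AES", "integrity": "SHA256",
                  "dh": ("ecp", 256), "auth": "ecdsa", "key_bits": 256,
                  "keepalive": True}
```

Such a check belongs in a configuration review or change-control script rather than in the firewall itself; it makes the profile choices on the previous slides auditable against the stated policy.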
APPENDIX – VIRTUAL PRIVATE NETWORKS
POINT-TO-POINT TUNNELING PROTOCOL
PPTP: CONCEPTS
CSNAv1.0
• The Host_group object describes hosts that belong to the same addressing scheme
as an interface on the firewall, and can also be an address range.
• The selected DNS and WINS servers will be assigned to the client when the
connection is set up.
The IP address range allocated to PPTP clients must be dedicated to these clients
only; hosts on the LAN must not use any of these addresses as this would cause an IP
address conflict on the LAN.
• Users allowed to use PPTP will be indicated individually in the VPN UAC.
• A password dedicated to the PPTP connection will be assigned to them.
The PPTP password is different from the password that the user would usually use to
authenticate on the captive portal.
Therefore, when the firewall relies on an Active Directory LDAP or a more general
external LDAP, the PPTP password will not be synchronized with the user’s
authentication password.
IPSEC VPN DYNAMIC PEERS
[Diagram: Firewall A with a static IP address and Firewall B with a dynamic IP address]
The anonymous tunnel can be configured via a wizard in the tab ANONYMOUS –
MOBILE USERS, by clicking on Add ⇒ New policy.
CSNAv2.x
In the wizard, the remote tunnel and traffic endpoints are not defined, which is why
they are often referred to as Anonymous tunnels. Only the local traffic endpoint
needs to be selected. In the diagram above, the hosts that need to be reached
through IPSec are located in Network_in.
The remote traffic endpoint is predefined as All in the wizard (blue box). It is
supposed to be unpredictable, because in the case of mobile users, it depends on
what the client presents in phase 2 based on its configuration and its network
location during negotiation. All therefore means Any as an indefinite IP entity, i.e.,
any address or address range.
To configure remote peers (mobile peers), click on a version of the IKE protocol (v1
or v2). A wizard will open to define their configuration.
Two consecutive windows from the wizard are shown above, in which you can:
• Choose a name for dynamic peers; note that the firewall already added the prefix
mobile_.
• Select PSK authentication.
Add the identity of a dynamic peer (a firewall with a dynamic IP address). The
identity fw.company-B.net is an FQDN (Fully Qualified Domain Name). The FQDN is
associated with a PSK.
On Firewall B (which has a dynamic IP address), the IPSec VPN tunnel will be a site-to-site
configuration with:
Unlike site-to-site tunnels, implicit filter rules are not added automatically, so
tunnels cannot be set up until rules are created by hand. The filter policy on the
firewall with a static public IP address must explicitly allow the negotiations and the
traffic that make up the tunnel (IKE and ESP).
Similarly to site-to-site tunnels, filter rules must also be defined to specify which
traffic can go through the IPSec tunnel.
SSL VPN
CONCEPTS AND OVERVIEW
Note:
• Both SSL VPN modes (portal and full) can run simultaneously.
• The SSL VPN portal will not be covered in this course. All references to SSL VPN
in the rest of this document refer exclusively to SSL VPN in full mode.
SSL VPN allows remote users to securely access a company's internal resources.
Communications between the remote user and the firewall are encapsulated and
protected via an encrypted TLS tunnel.
On the firewall, SSL VPN tunnels are managed by the OpenVPN server (freeware)
which is embedded in the firmware as a new service. OpenVPN can run on any TCP
and/or UDP port except for a few, which are used for the firewall’s internal
processes:
• smtp_proxy: TCP/8081
• ftp_proxy: TCP/8083
• pop3_proxy: TCP/8082
• ssl_proxy: TCP/8084
• http_proxy: TCP/8080
• loopback_proxyssl: TCP/8085
• firewall_srv: TCP/1300
• ldap: TCP/389, ldaps: TCP/636
• pptp: TCP/1723, TCP/4444, TCP/8087
• smux_tcp: TCP/199.
As for mobile users, the SSL VPN client (Stormshield or standard OpenVPN), which
must be installed on their machines, manages the tunnel. Once the tunnel is set up,
the remote host will retrieve an IP address provided by the SSL VPN server. It will be
deemed to belong to the firewall's (protected) internal networks and the user will be
considered authenticated.
[Table: maximum number of SSL VPN users per firewall model; the model names were not recovered, only the values 5, 20, 20, 100, 150, 150, 400, 500, 500, 100 and 100, 150, 200, 250, 500]
SSL VPN
• The Stormshield Network SSL VPN client (based on the OpenVPN client) can be
launched transparently on a Windows user workstation with user privileges
(however, using it requires administrator privileges). This client can be
downloaded for free from your mystormshield.com secure area and from the
firewall's captive portal after authentication.
• Smartphones and tablets (Android or iOS) can also log in via an SSL VPN with an
OpenVPN Connect client (available in Google Play Store and Apple Store).
SSL VPN clients are part of the same network defined on the firewall. This network is
considered a protected internal network and therefore must not overlap an existing
internal network.
For its internal operation, the server will reserve the first /30 sub-network of the
SSL VPN network (an interface "tun0" will be created with the first IP address of the
network; this interface can only be seen in the command line). The following /30
sub-networks will be used by clients.
For example, if the SSL VPN service uses the network 192.168.100.0/24, the first SSL
VPN client will use the second /30 sub-network:
• Network address: 192.168.100.4
• Address of the tunnel's interface on the server side: 192.168.100.5
• Address of the tunnel's interface on the client side: 192.168.100.6
• Broadcast address: 192.168.100.7
As such, the maximum number of SSL VPN clients on this network is 63 (64 /30 sub-
networks including one used by the server).
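The /30 layout described above can be computed rather than worked out by hand, and the same code answers the two questions a practitioner asks before enabling the service: how many clients fit, and does the SSL VPN network overlap an existing internal network. The following is an added example using Python's ipaddress module, not Stormshield code; the internal networks passed to overlapping_networks are constructed sample values.

```python
import ipaddress


def sslvpn_blocks(network):
    """All /30 sub-networks of the SSL VPN network; the first one is the
    server's (tun0), the following ones are handed to clients in order."""
    return list(ipaddress.ip_network(network).subnets(new_prefix=30))


def max_clients(network):
    """Number of /30 blocks left for clients once the server has taken the first."""
    return len(sslvpn_blocks(network)) - 1


def client_block(network, client_number):
    """Addresses of the n-th client (1 = first client, i.e. the second /30).
    Raises ValueError when the network has no /30 left for that client."""
    blocks = sslvpn_blocks(network)
    if not 1 <= client_number < len(blocks):
        raise ValueError(
            f"no free /30 for client {client_number}; this network serves at most "
            f"{len(blocks) - 1} clients")
    addresses = list(blocks[client_number])   # network, server side, client side, broadcast
    return {
        "network": str(addresses[0]),
        "server": str(addresses[1]),
        "client": str(addresses[2]),
        "broadcast": str(addresses[3]),
    }


def overlapping_networks(sslvpn_network, internal_networks):
    """Internal networks the SSL VPN network would overlap; must be empty,
    since the VPN network is treated as a protected internal network."""
    vpn = ipaddress.ip_network(sslvpn_network)
    return [n for n in internal_networks if vpn.overlaps(ipaddress.ip_network(n))]
```

For 192.168.100.0/24 the first client gets the .4/.5/.6/.7 block and the 64th client is refused, matching the 63-client limit stated above; a /23 doubles that figure, which is the lever to pull when the limit is reached.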
[Diagram: Openvpn_client.zip containing CA.cert.pem, Openvpnclient.cert.pem, Openvpnclient.pkey.pem and Openvpnclient.ovpn]
1. The SSL VPN client authenticates the user through the captive portal. During this
step, the firewall checks whether the authenticated user has the privilege to open
an SSL VPN tunnel.
2. If authentication succeeds, the client requests the configuration files, which the
firewall returns in a compressed archive, openvpn_client.zip. The archive contains:
• the certificate of the certification authority (CA.cert.pem),
• the client's certificate and its private key (openvpnclient.cert.pem and
openvpnclient.pkey.pem),
• the configuration of the OpenVPN client (openvpnclient.ovpn).
3. The client starts setting up the TLS tunnel with certificate authentication, using
the certificates retrieved in the previous step. Before the tunnel is established,
the firewall checks whether the maximum number of users has been reached and
whether a /30 sub-network can still be reserved for this client. If all conditions are
met, the tunnel is set up and the user is considered authenticated.
NOTE: If the SSL VPN server is reachable on both a UDP and a TCP port, the SSL VPN
client first attempts to set up the tunnel over UDP; if that fails, it automatically
retries over TCP.
CONFIGURING A TUNNEL
The first step in setting up an SSL VPN tunnel is the authentication of the user via the
captive portal, meaning that:
• an external or internal directory has to be configured on the firewall,
• a profile of the captive portal must be attached to the interface from which users
log in,
• an authentication method has to be configured.
The possible authentication methods for the SSL VPN service are explicit methods
that require a login/password pair, in this case LDAP (internal, external or Microsoft
Active Directory), Kerberos and Radius.
Certificates will be used for authentication between the client and the SSL VPN
server. For this purpose, a root certification authority (CA) exists in the factory
configuration of all Stormshield Network firewalls. This CA is named sslvpn-full-
default-authority and contains a server certificate (which identifies the SSL VPN
server) and a client certificate (which identifies all clients; each client is then
distinguished by its login/password pair).
NOTE: A CA dedicated to the SSL VPN can be created instead of relying on the
default CA. The creation of CAs is covered in the Expert level course.
To allow a user to set up an SSL VPN tunnel, assign the corresponding privilege in
the menu Configuration ⇒ Users ⇒ Access privileges.
Regardless of which user is connected, a default access can be selected in the tab
Detailed access ⇒ SSL VPN column: select Allow in the field Default SSL VPN policy.
To allow SSL VPN clients to reach the authentication portal on interfaces associated
with the firewall's authentication profiles, the implicit filter rule named Allow
interfaces associated with authentication profiles (Authd) to access the
authentication portal and SSL VPN has to be enabled.
If it is not, explicit filter rules that allow traffic to the public interface on the
service's listening port have to be added to the active policy.
The SSL VPN service is configured in Configuration ⇒ VPN ⇒ SSL VPN.
• Network parameters section:
• IP address (or FQDN) of the UTM used: the address to which SSL VPN clients
connect (most of the time the public address). Warning: entering an FQDN means
that clients depend on name resolution through a DNS service.
NOTE: the networks assigned to UDP and TCP clients must be different.
WARNING: certain ports are reserved for internal use and cannot be selected as the
SSL VPN listening port: smtp_proxy (8081/TCP), ftp_proxy (8083/TCP), pop3_proxy
(8082/TCP), ssl_proxy (8084/TCP), http_proxy (8080/TCP), loopback_proxyssl
(8085/TCP), firewall_srv (1300/TCP), ldap (389/TCP), ldaps (636/TCP), pptp
(1723/TCP), 4444/TCP, 8087/TCP, smux_tcp (199/TCP), isakmp (500/UDP), isakmp_nat
(4500/UDP), bootps (67/UDP), bootpc (68/UDP).
• Scripts to run on the client: makes it possible to run scripts when the client logs
in and logs out. Example scripts are described in detail in the document
snentno_SSL_VPN_Tunnel.pdf, available from https://mystormshield.eu.
FILTER - NAT
Filter rule no. 1 allows connections to be initiated from SSL VPN clients to the
internal server SRV_INTRANET.
Filter rule no. 2 allows connections to be initiated from SSL VPN clients to the
Internet; in this case, a NAT rule must also be added.
The Stormshield Network SSL VPN application can be downloaded from your secure-
access area https://mystormshield.eu and from the firewall's captive portal after
authentication.
A window may indicate that the connection to this site is not secure, because the
client does not trust the CA that signed the server certificate presented by the
firewall's captive portal. You can then:
• display the certificate to find out which CA signed it,
• trust this certificate, meaning that the CA is added to the trusted
authorities and the setup of the tunnel continues,
• cancel the connection, which stops the setup of the tunnel.
Before trusting the certificate, compare its fingerprint with the one obtained out
of band from the firewall's administrator; accepting an unknown certificate without
checking it leaves the captive-portal login open to interception.
If the tunnel setup fails, right-click on the Stormshield Network SSL VPN icon to
display the logs.
When the tunnel is set up, the client workstation has a dedicated interface for the
SSL VPN tunnel, with an IP address that belongs to the Network object assigned to
clients in the server configuration.
The color of the Stormshield SSL VPN client icon in the notification area of the
Windows taskbar shows its status: Disconnected, Connecting or Connected.
When the client is connected, information about the connection will appear when
you scroll over the icon.
In the firewall's monitoring page, open SSL VPN tunnels can be viewed in Monitoring
=> SSL VPN tunnels tab. You can also close a tunnel by right-clicking it and
selecting Log off this user.
Users connected via an SSL VPN tunnel are considered authenticated and appear in
the Users menu. The Auth. method column indicates that the user authenticated via
an SSL VPN tunnel.
[Diagram: SSL VPN lab topology with client workstations A to D. DMZ servers: DNS
192.168.1.10, WEB 192.168.1.11, FTP 192.168.1.12, MAIL 192.168.1.13. Site B firewall:
OUT 192.36.253.20/24, DMZ 172.16.2.254/24, IN 192.168.2.254/24. Other firewall
addresses shown: 192.168.250.254/24, 192.36.253.254/24, 172.16.250.254/24.]
APPENDIX - TROUBLESHOOTING
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 3.X
In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.
INTRODUCTION
Program:
• Introduction
• Before creating an incident
• Essential elements
• Additional information
• Access to the firewall
Stormshield Network's technical support team cannot diagnose an incident without
specific information about the firewall and the architecture in which it runs.
The cause of an issue may be a configuration error as much as an architecture flaw,
or abnormal behavior of the communication protocol used.
This chapter explains the elements that technical support needs in order to examine
an incident. These elements are sorted by troubleshooting level.
BEFORE CREATING AN INCIDENT
Before creating an incident with technical support, you are advised to check the
firewall configuration first. A few general questions you need to ask:
On the main page of technical support's knowledge base, a section named "Online
training" lists the courses conducted by members of the support team on the various
features.
The main goal of the knowledge base is to catalog well-known issues or tips on how
to configure the firewall. Use the search field or the section Categories to find
articles you need.
Once you have identified the type of information you need to provide, you can log in
to your client area (https://mystormshield.eu) to open a case:
For more details on how to access technical support, refer to the documents
"Getting Started with STORMSHIELD Support" and "Technical support charter"
found in the "Operational" section of the Documentation / Document base menu in
your "mystormshield" area.
ESSENTIAL ELEMENTS
CLI mode:
• system information > /log/sysinfoCLI
Technical report
The technical report (also called sysinfo or system report) is the most crucial element
required by the support team for any incident. It is a shell script that executes a set
of commands on the firewall, which provides a lot of information on the status of
the firewall when the report was generated.
In SSH mode, the sysinfo command can display additional sections if you add the
relevant option. The output of the sysinfo help command follows:
sysinfo -h
sysinfo [-arp] [-ndp] [-host] [-conn] [-raid] [-proxy] [-global] [-smart] [-time] [-sysctl] [-vmstat] | [-a]
-arp: add ARP table
-ndp: add NDP table
-host: add ASQ host table
-conn: add ASQ Connection table
-raid: add RAID information
-proxy: add PROXY information
-global: add GLOBAL information
-smart: add SMART information
-time: display time objects information
-sysctl: display sysctl information
-vmstat: display vmstat information
-a: add all optional information
Configuration backup
The backup of the configuration serves two purposes. First, it shows the active
configuration used and the features potentially involved when the incident occurred.
This helps STORMSHIELD's support to identify any mistakes in the configuration.
The second role of a configuration backup is to reconstruct an environment similar
to yours in an attempt to reproduce the problem while allowing changes to be made
to the configuration without disrupting production.
Network diagram
A diagram of the network will provide a view of the environment in which the
firewall was installed. Interoperability with other devices may sometimes be the
cause.
A detailed description will allow support to quickly diagnose the issue and avoid
misunderstandings, ambiguity or the wrong interpretation of the conditions under
which the problem arose.
ADDITIONAL INFORMATION
• Activity reports
• SSH mode: less /log/l_alarm. Example record from l_alarm (one line):
id=firewall time="2014-07-23 15:29:03" fw="U70SXA00000" tz=+0200 startime="2014-07-23 15:29:02" pri=4 confid=00 srcif="Ethernet0" srcifname="out" ipproto=icmp icmptype=3 icmpcode=10 proto=icmp src=64.1.2.3 srcname=public.ip.test srcmac=00:01:02:03:04:05 dst=172.21.3.1 dstname=Firewall_bridge_out ipv=4 action=block msg="Message ICMP invalide (no TCP/UDP linked entry)" class=protocol classification=0 alarmid=67
Logs (or events) show why a packet is blocked, so it helps to monitor them when the
issue occurs.
There are several ways to view events in real time in the monitoring tab:
• Logs that specifically capture the incident
• Activity reports
When you create a ticket with support, provide the logs that cover a test/issue
period. All log files are saved in the /log partition and named according to the format
l_<category_name> (example: l_alarm or l_connection).
To send these files to support, transfer them via SCP on your workstation and add
them to the current ticket.
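Before attaching a whole l_alarm file to a ticket, it is worth being able to pull out the records that actually concern the test period and the blocked flows. The script below is an added example (not Stormshield code and not part of the course material): it parses the key=value record format shown above, where values containing spaces are double-quoted, and groups blocked packets by source address. The first sample record is the one shown above; the two that follow it are constructed for the example, as are the function names.

```python
"""Added example (not Stormshield code): parse the key=value records found in
/log/l_alarm (and the other /log/l_* files) and summarize blocked traffic."""
import re
from collections import Counter

# First line: the record shown in the text. Lines 2 and 3: constructed samples.
SAMPLE_LOG = """\
id=firewall time="2014-07-23 15:29:03" fw="U70SXA00000" tz=+0200 startime="2014-07-23 15:29:02" pri=4 confid=00 srcif="Ethernet0" srcifname="out" ipproto=icmp icmptype=3 icmpcode=10 proto=icmp src=64.1.2.3 srcname=public.ip.test srcmac=00:01:02:03:04:05 dst=172.21.3.1 dstname=Firewall_bridge_out ipv=4 action=block msg="Message ICMP invalide (no TCP/UDP linked entry)" class=protocol classification=0 alarmid=67
id=firewall time="2014-07-23 15:29:05" fw="U70SXA00000" tz=+0200 pri=4 srcif="Ethernet0" srcifname="out" proto=tcp src=64.1.2.3 dst=172.21.3.1 dstport=22 action=block msg="Constructed sample: SSH attempt on the outside interface" alarmid=999
id=firewall time="2014-07-23 15:29:07" fw="U70SXA00000" tz=+0200 pri=5 srcif="Ethernet1" srcifname="in" proto=udp src=192.168.1.20 dst=172.16.1.10 dstport=53 action=pass msg="Constructed sample: allowed DNS query" alarmid=0
"""

# key=value, where the value is either a double-quoted string (may contain
# spaces, parentheses, slashes) or a run of non-blank characters.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> dict:
    """Turn one log line into a dict; quoted and bare values are unified."""
    return {key: quoted if quoted else bare for key, quoted, bare in _FIELD.findall(line)}


def parse_log(text: str) -> list:
    """Parse every non-empty line of a log file's contents."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def blocked_by_source(records) -> Counter:
    """Count blocked packets per source address (action=block)."""
    return Counter(r["src"] for r in records if r.get("action") == "block")


def records_for_alarm(records, alarmid) -> list:
    """Records raised by a given alarm identifier, e.g. 67 in the sample."""
    return [r for r in records if r.get("alarmid") == str(alarmid)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["time"], r["srcifname"], r["src"], "->", r["dst"], r["action"], r["msg"])
    print("blocked per source:", dict(blocked_by_source(recs)))
```

The same parser applies to the other /log/l_* files, since they share the key=value layout; filter on the `time` field to keep only the test window before sending the extract with the ticket.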
When verbose mode is enabled, you can analyze the processes that a module runs,
based on the packets it receives. This is a way to check whether the behavior of the
module complies with its intended purpose.
When illegal behavior is detected, support will report such information to the R&D
department. In this case, you will be given a "fix request" number in your ticket. This
number will also appear in the release notes of the version in which a fix has been
included.
Find out how to implement verbose mode under the Verbose mode category of the
knowledge base on https://mystormshield.eu.
Coredump files
Traffic captures
The FreeBSD operating system on which the firewall runs provides a command that
captures traffic going through the firewall's interfaces: tcpdump.
When the incident relates to traffic that goes through the firewall, frames must be
captured simultaneously on every network interface that such traffic passes through.
The -w option of tcpdump saves the capture in a binary file that can be opened
later in a frame analyzer such as Wireshark (captures in text format provide too
little usable information, whereas the binary format contains detailed data about
each layer).
The -s0 option captures whole frames, which gives complete information about the
application layers and also makes it possible to verify checksums (IP, TCP, UDP,
etc.).
ACCESS TO THE FIREWALL
Technical support may need access to the firewall via an SSH connection or the GUI.
This will make it easier to retrieve information or observe incidents in real time and
then capture the corresponding traffic with all the necessary options.
VIRTUAL LABS
Virtual labs
ARCHITECTURE
[Diagram: two sites linked by the WAN network 192.36.253.0/24, gateway 192.36.253.1.
Trainee A: firewall OUT 192.36.253.10, IN 192.168.1.254, DMZ 172.16.1.254; Debian VM
on the DMZ with DNS 172.16.1.10, WEB 172.16.1.11, FTP 172.16.1.12, MAIL 172.16.1.13.
Trainee B: firewall OUT 192.36.253.20, IN 192.168.2.254, DMZ 172.16.2.254; Debian VM
on the DMZ with DNS 172.16.2.10, WEB 172.16.2.11, FTP 172.16.2.12, MAIL 172.16.2.13.]
Lab exercises are carried out in VirtualBox. The platform for these exercises is
shown above and consists of two sites (Trainee A and Trainee B) linked to each other
through an external network, 192.36.253.0/24.
Each site has a virtual SNS firewall (EVA1) and a Debian virtual machine (VM) that
hosts four servers (DNS, WEB, FTP and MAIL).
A graphical client machine, with an assigned user account and Internet access, is
used to change network parameters.
The trainee is free to choose the graphical virtual machine:
• Virtual machine provided by Stormshield (recommended): all exercises can be done
in fully virtualized mode, which simplifies the network configuration in
VirtualBox and makes it possible to assign a graphical virtual machine to each site.
• Trainee's host workstation (not recommended): the network configuration must
allow the host workstation to act as a PC on either network A or B.
Two private networks are configured on each site: IN (192.168.x.0/24) and DMZ
(172.16.x.0/24). The Debian virtual machine is connected to the DMZ private
network.
[Diagram: fully virtualized mode. The two sites' firewalls are linked through a
VirtualBox NatNetwork; on each site, the internal networks (LAN_IN_x and
LAN_DMZ1_x, x = A or B) are VirtualBox Internal Networks, and the Debian VM sits on
LAN_DMZ1_x.]
NOTE: The NatNetwork VirtualBox network must be created and configured before
starting the virtual machines.
The Internal_Networks networks are deployed by importing OVAs.
REQUIREMENTS: The full virtual infrastructure described above requires at least 11.5
GB of disk space (the VMs provided have dynamic disk allocation) and 4.2 GB of
RAM. Use a host with at least 8 GB of RAM for best results.
[Diagram: physical-host mode. Same internal networks as above, but the firewalls'
external interfaces are connected through a VirtualBox bridged adapter on the host's
physical Ethernet interface.]
NOTES:
• All "Virtual Host-only Ethernet Adapter #X" VirtualBox interfaces must be created
and configured before starting the virtual machines.
• In the following lab exercises, the public network behind the bridged interface
replaces the network 192.36.253.0/24; on this network, every firewall must have
an IP address, and the physical network card must not have a default gateway
(otherwise, the physical host would use this gateway instead of going through
one of the firewalls, and a firewall would be needed for each Virtual Host-only
Ethernet adapter).
• Since Stormshield provides a VM that allows you to do all lab exercises in fully
virtualized mode, the use of the physical host is not explained in this module.
1. Install Virtualbox.
3. Only if you are not using the graphical VM provided by Stormshield, create the
two "Virtual Host-only Ethernet Adapter #X" interfaces (X=2-3) from VirtualBox
by clicking on Global Tools ⇒ Host Network Manager ⇒ Create and configure
their IP addresses as follows:
6. Check or configure the network interfaces of the SNS, Debian and graphical
VMs by following the diagram on page 4 (or the diagram on page 5 if you are
using your physical host). These VMs are on Trainee A’s site; rename them
where necessary.
8. Change the network interfaces for all three VMs: LAN_IN_A and LAN_DMZ1_A
are renamed LAN_IN_B and LAN_DMZ1_B respectively.
9. Start the VMs named SNS_EVA1_V4_A and Graphical_client_A. Open a session on
Client_TRAINING_A (login: user; password: user) and double-click on the desktop
shortcut network_config.sh, then click on Run in Terminal. Since the SNS
firewall is still in factory mode, the sns option must be enabled.
10. In a terminal, you can check whether the IP address of your network card is
correct with the command ip address show (short form: ip a), and ping
10.0.0.254 to confirm connectivity with the SNS firewall.
1. Take a snapshot of each VM before you begin the lab exercises (with Oracle
VirtualBox, take the snapshot when the VM is off).
3. Change your preferences so that you will never be disconnected from the
interface when idle. Preferences are listed in the drop-down menu, which you
can access by clicking on the arrow next to the user name, at the top on the
right side of the header.
4. Set the language (logs and keyboard) and time zone of your firewall. Restart
the firewall to apply the new time zone (icon at the top on the right). Then set
your firewall to the correct time after rebooting.
6. Check the validity of your license and any available options, and in the
advanced options, configure a weekly check for the automatic update of your
license.
8. Check that local log storage has been enabled on the hard disk of the VM.
NOTES:
• For each lab exercise to run smoothly, apply the required configuration to site
A first, then to site B.
• If the alarm Possible attack on capacity connection is raised during a lab
exercise, you have reached the maximum number of connections allowed by the
trainee VM license. When this happens, all new connections are blocked; wait a
few minutes until the connection table clears and returns to normal.
LAB 2: OBJECTS
Note: In the next steps, "x" needs to be replaced with the letter representing the
company A⇒1, B⇒2.
Bonus:
• Based on the format of this file, create another CSV file containing two host
objects:
• "srv_ftp_pub": 192.36.253.x2
• "srv_mail_pub": 192.36.253.x3
For the remaining lab exercises, you must select and enable the filter policy (10) Pass
all in the menu CONFIGURATION ⇒ SECURITY POLICY ⇒ Filter - NAT that will allow
all traffic through or from the firewall.
• Interface configuration:
1. Configure your firewall's OUT, DMZ1 and IN interfaces as follows:
• OUT: 192.36.253.x0/24
• DMZ1: 172.16.x.254/24
• IN: 192.168.x.254/24
• IP address: 192.168.x.2/24
• Routing configuration:
1. Configure the default gateway of your firewall "192.36.253.1".
The firewall intercepts DNS requests heading to the Internet, and queries its own
DNS servers (configured in lab 2, point 9).
If the requested name is in its cache, the firewall will respond directly to the request
based on the information that it has.
• The object allowed to use this cache is your DNS server on the DMZ (172.16.x.10).
Add it to the List of clients allowed to use the DNS cache.
For this lab exercise, we will consider the inter-company external network a public network in which
no private IP addresses are allowed.
1. Disable static routes added in the previous lab exercise.
2. Copy the filter/NAT policy (10) Pass all to an empty policy that should be renamed "company_X"
(replace X with the letter representing the company). Next, enable this policy.
3. Add a NAT rule so that your internal networks can access the Internet without revealing their
private IP addresses. Next, test access to the external network and Internet access from your
workstation.
4. You have two additional public IP addresses "192.36.253.x2" and "192.36.253.x3" reserved
respectively for your FTP and MAIL servers in the DMZ. Add static NAT (bimap) rules that make
it possible to reach each server from the external network using its public IP address.
5. Add a port-based static NAT rule so that your Web server in the DMZ can be reached via a port
redirection through the public IP address of your firewall "192.36.253.x0".
6. Log the NAT rules for incoming traffic. Logging can be enabled in the options section of the NAT
rule.
7. With the other company, test access to all the resources (the mail server can be tested using a
telnet command) and confirm that the requested rules have indeed been logged.
Bonus:
• Add a NAT rule so that internal hosts can access your servers in the DMZ without revealing their
private IP addresses.
• What are the advantages and disadvantages of translating addresses from your internal network
to your DMZ, which is itself an internal network?
LAB 5: Filtering
In the filter/NAT policy "company_X", in the Filtering tab, delete the Pass any any any
filter rule and add rules that comply with the following specifications (use
separators indicating the role of each rule):
Internal traffic:
1. Your internal network must be able to access servers in the DMZ (DNS, web –
ports 80 and 808 for webmail – FTP and SMTP).
Outgoing traffic:
2. Your internal network must be able to browse Internet websites in HTTP and
HTTPS, except for South Korean websites (test with www.visitkorea.or.kr).
3. Access to https://www.cnn.com must be blocked from the internal network,
by using an FQDN object.
4. A new trainee in the company is prohibited from making any FTP requests. The
IP address of his host (pc_200) is 192.168.x.200.
5. Your internal network should be able to contact the other company's FTP and
web servers.
6. Your internal network must be able to ping any destination.
7. Only your internal DNS server (172.16.x.10) is allowed to resolve to the
outside.
8. Your mail server can send messages to the servers published by the other
company.
Incoming traffic:
9. The other company can contact your Web and FTP servers; these events must
be logged.
10. The mail server of the other company is allowed to send messages to your mail
server.
11. The other company is allowed to ping your firewall's external interface; this
type of event must raise a minor alarm.
12. The other company can connect to your firewall via the web interface and in
SSH. This type of event must raise a major alarm.
13. Test outgoing traffic and make the other company test incoming traffic. When
accessing the logs, confirm that:
NOTE: You can use the webmail service to send and receive e-mails in SMTP: the
following information is needed for configuration (replace with the letter
representing the company: a, b):
3. Customize the block page of your choice with your company logo. This page
will be displayed for all banned HTTP websites. You can test your block page on
an HTTP website: http://perdu.com.
4. Configure a URL filtering policy and an SSL filtering policy which allow access to
all websites except the websites that you have classified above, online
shopping sites and news websites. However, make sure the www.bbc.com site
remains reachable.
LAB 7: Authentication
▪ Login: jsmith
▪ Password: password
3. Using the enrollment function, create a user "Peter Wood" with the
password: pwood1
4. Adapt the filter policy so that all users are redirected to the captive portal
when trying to access websites, except sites in the News category.
5. Test the access to a site in the news category using HTTP and confirm the
redirection to the captive portal for any other site using HTTP not
belonging to this category.
6. Amend the filter policy to allow pings to be sent from your internal
network to only John Smith. This rule must always raise a minor alarm.
8. Log in to the firewall using the account "jsmith" and confirm access to
various menus. Test the authentication of this account on the captive
portal as well.
2. Set up an IPsec tunnel with PSK authentication to connect your internal network
"192.168.x.0/24" to the other company's network, using the default encryption
profiles (StrongEncryption).
3. Generate traffic matching the traffic endpoints and follow the steps of the
tunnel negotiation and the tunnel activity in the logs and the corresponding
monitoring menu.
4. Change your IPsec policies to connect both your internal networks (IN + DMZ)
with the other company's internal networks (IN + DMZ).
▪ Enable the keepalive function for both tunnels.
▪ Determine the number of negotiated tunnels in monitoring.
5. After confirming that your tunnels function, reactivate the filter policy
"company_x" and add the rules to allow remote hosts to contact and ping your
FTP server.
7. Apply your new encryption profiles to your VPN, then check whether everything
is running properly.
8. Interconnect these networks, but this time by configuring tunnels based on VTIs.
3. Filtering:
• Allow all users (authenticated and unauthenticated) on your network to
access the other company's firewall in HTTPS.
• Allow the network Net-SSLVPN to access internal networks.
4. Retrieve the file "SSL VPN profile for mobile OpenVPN Connect clients" (single
.ovpn file) through the captive portal over the public IP address of the other
company. It is downloaded by default to /home/user/Downloads; open a
terminal and type the following commands:
su -
cd /home/user/Downloads
openvpn openvpn_mobile_client.ovpn
An error may occur when a route is added if the pushed route already exists,
but this does not prevent the tunnel from being set up.
In a second terminal, look up your routing table to see which routes have
been added on the client, using the command ip route show.
5. Look up the list of authenticated users in ASQ as well as logs relating to SSL
VPN on the firewall side.
6. Confirm access to the various servers on the DMZ and ping the internal IP
address of the firewall on the LAN.
Bonus:
1. Modify the SSL VPN configuration to provide access to the object "Any".
2. Add rules (NAT + filter) allowing the network Net-SSLVPN to access the Internet
once the tunnel has been set up.
3. Add a URL filter policy so that access to only sites in the "Information Security"
and "News" groups is allowed.
VIRTUAL LABS - SOLUTIONS
Virtual lab exercises - Solutions
2. After you have restarted the VMs, run the script again on the graphical VMs,
because the IP configuration pushed to these machines does not persist after a
reboot. In a Chromium browser, enter the URL https://10.0.0.254/admin.
3. Click on the name of the user, then on "Preferences" (top right - icon with a key
and screwdriver), then select the value "Always stay connected" in the line "log
off when idle".
4. Language and time zone: click on the menu System => Configuration in the
menu on the left. Start with the configuration of the time zone first, as the
firewall must be rebooted after changes are made. Later on, you can check the
date, time (and synchronize it with the date and time on your machine) and
language of messages generated by the firewall in the General configuration
tab
5. SSH can be enabled in the menu System => Configuration => Firewall
administration tab by selecting Enable SSH access and Allow passwords.
6. Details of the license can be viewed in the menu "System => License" in the
menu on the left. In advanced properties, enable the automatic installation of
the license.
7. The password can be changed in the menu System => Administrators =>
ADMIN account tab.
8. You can check whether local log storage has been enabled in the menu
Configuration => Notifications – Logs – Syslog - IPFIX.
9. The configuration can be backed up in the menu "System => Maintenance => Backup
tab".
LAB 2: OBJECTS
To add required objects, go to the menu Configuration => Objects => Network
objects. Next, add the requested objects using the Add button. Ensure that you use
appropriate object types (network objects for networks, host objects for firewalls,
etc). You can use the Create and duplicate button to create objects of the same type.
For the DNS servers on the firewall, go to the Configuration => System =>
Configuration => menu, Network settings tab=> List of DNS servers used by the
firewall. Delete the two objects in the list, then add objects with the IP addresses of
the DNS servers configured on your physical host, by using the Add button.
Bonus
Use the Import and Export buttons to modify the objects database from a CSV file. If
you encounter issues during the import, encode the files in UTF-8 with Unix (LF)
carriage returns. The imported file is in /home/user/Downloads. Use it as a base to
create the file to import, for example:
Check whether there are the two objects created in the objects database after the
import:
• Interfaces configuration
Disable the static routes to the remote networks (menu Configuration => Network =>
Routing => Static route tab). If you have not done the Objects bonus lab exercise,
create two new objects that will then be used in your NAT rules: srv_ftp_pub =
192.36.253.x2 and srv_mail_pub = 192.36.253.x3. To build up your policy, go to the
menu "Security policy => Filtering - NAT". Copy the policy (10) Pass all to an empty
one by clicking on Edit then Copy to. From the drop-down menu, select the
appropriate policy, click on Edit then Rename. Add the following NAT rules:
As you can see, the dynamic NAT rule was placed after the static NAT rules. If this is
not the case, FTP and SMTP servers that attempt to access the Internet would get
the public IP address of the firewall after translation instead of their dedicated public
IP addresses. The instructions in the specifications given during the lab exercise were
therefore inaccurate.
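The ordering point made above (static bimap rules before the dynamic hide rule) can be checked without a firewall. The script below is an added example, not Stormshield code and not part of the course material: a first-match evaluator for the source-translation side of a NAT policy, loaded with company A's lab addresses (x = 1), so that the same outbound connection from the FTP server can be evaluated under both orderings. It models only the outgoing direction of the bimap rules; the rule names, the `INTERNAL` list and the "Internet" destination convention are assumptions made for the example.

```python
"""Added example (not Stormshield code): first-match evaluation of the
source-translation part of a NAT policy, to show why the dynamic (hide) NAT
rule must come after the static (bimap) rules. Company A lab values (x = 1)."""
import ipaddress
from dataclasses import dataclass

# Assumed for the example: the company's own networks; anything else is "Internet".
INTERNAL = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "172.16.1.0/24")]
FW_PUBLIC = "192.36.253.10"   # firewall OUT address used by the hide rule


@dataclass(frozen=True)
class NatRule:
    name: str
    src: str             # CIDR the original source must belong to
    dst: str             # CIDR, or "Internet" = any address outside INTERNAL
    translated_src: str  # source address after translation


def _dst_matches(rule: NatRule, dst: ipaddress.IPv4Address) -> bool:
    if rule.dst == "Internet":
        return not any(dst in net for net in INTERNAL)
    return dst in ipaddress.ip_network(rule.dst)


def first_match(rules, src_ip: str, dst_ip: str):
    """Return the first rule whose source and destination match, or None.

    Rules are evaluated top to bottom and evaluation stops at the first hit,
    which is why a broad hide rule placed first shadows the narrower bimaps.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in ipaddress.ip_network(rule.src) and _dst_matches(rule, dst):
            return rule
    return None


def translated_source(rules, src_ip: str, dst_ip: str) -> str:
    """Source address seen by the destination; unchanged when no rule matches."""
    rule = first_match(rules, src_ip, dst_ip)
    return rule.translated_src if rule else src_ip


# Lab rules: dedicated public addresses for FTP/MAIL, firewall address for the rest.
BIMAP_FTP = NatRule("bimap_ftp", "172.16.1.12/32", "Internet", "192.36.253.12")
BIMAP_MAIL = NatRule("bimap_mail", "172.16.1.13/32", "Internet", "192.36.253.13")
HIDE_IN = NatRule("hide_in", "192.168.1.0/24", "Internet", FW_PUBLIC)
HIDE_DMZ = NatRule("hide_dmz", "172.16.1.0/24", "Internet", FW_PUBLIC)

CORRECT_ORDER = [BIMAP_FTP, BIMAP_MAIL, HIDE_IN, HIDE_DMZ]
WRONG_ORDER = [HIDE_IN, HIDE_DMZ, BIMAP_FTP, BIMAP_MAIL]

if __name__ == "__main__":
    other_company_fw = "192.36.253.20"
    for label, order in (("static first", CORRECT_ORDER), ("dynamic first", WRONG_ORDER)):
        hit = first_match(order, "172.16.1.12", other_company_fw)
        print(f"{label}: FTP server leaves as "
              f"{translated_source(order, '172.16.1.12', other_company_fw)} (rule {hit.name})")
```

With the dynamic rule first, the FTP server's outbound connections leave with the firewall's address and its mail would fail reverse-DNS and SPF checks at the other company; traffic from IN to the DMZ matches no rule in either ordering, which is the behaviour the bonus question asks you to reason about.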
Do not forget to enable the policy and confirm access with the other company.
Logged NAT rules can be found in Monitoring => Audit logs => Filtering.
Bonus:
• The NAT rule that allows access to servers in the DMZ without revealing the
private IP address is disabled in the example above, and must remain disabled for
the rest of the lab exercises.
• If you enable it, the firewall that processes the rule will use more resources and
slow down performance (since it needs to keep the NAT table up to date).
However, if an attacker took over control of one of your servers in the DMZ, they
would not be able to find out the IP address of the local network by capturing
packets that originate from it because they have been translated.
LAB 5: Filtering
First you need to create a host object named "pc_200" with the IP address
192.168.x.200.
To build up your filter policy, go to the menu "Security policy => Filtering - NAT".
Next, add the following policy:
All traffic is logged with this policy: the TCP/UDP rules are set to Pass, and the
ICMP rules to Pass or Block, in verbose mode.
To allow the other company to connect to your firewall via the web interface, its public
IP address needs to be added in the section Access to the firewall's administration pages
in the menu System => Configuration => Firewall administration tab, so that no alarm
is raised for this specific traffic.
1. The URL database can be selected in the menu Configuration > Objects > Web
Objects > URL database. Downloading an embedded URL database may take
some time.
3. The block page can be modified in the menu "Configuration => Notifications =>
Block messages => HTTP block page"
4. While all websites described in the step are in HTTPS, you must still create a
URL filter policy to block requested categories in addition to the SSL filter policy
you need to implement to manage the websites.
Begin by creating web objects in Configuration => Objects => Web objects =>
Certificate name (CN) tab; two custom CN categories must be created:
• A custom category named "White-list", containing the CNs
*.bbc.com/*, *.bbci.co.uk/* and *.bbc.co.uk/*
• A custom category named "Black-list", containing the CNs
*.mozilla.org, *.home.barclays and *.twitter.com
Go to the menu Configuration => Security Policy => SSL Filtering in the slot
SSLFilter_00, and change its contents so that it includes the following policy:
4. As for URL filtering, go to Configuration => Security Policy => URL Filtering in
the slot URLFilter_00, and change its contents so that it includes the following
policy:
Then, modify the filter policy (menu configuration => security policy =>
Filtering and NAT) and change the HTTP and HTTPS rules as follows:
5. The www.cnn.com website is blocked by a filter rule with an FQDN object, which
drops the HTTP requests without any response being sent to the browser. The
www.euronews.com website, however, is blocked by the URL filter when accessed
in HTTP (the block page appears), and by the SSL filter when accessed in HTTPS.
LAB 7: Authentication
1. To use an internal LDAP directory, start the LDAP configuration wizard. To do so,
go to the menu "Configuration => Users => Directory configuration". Choose
"Internal LDAP", and fill in the requested fields (select the IN interface for Profile
0 and remember to enable user enrollment for this profile). Test access to the
captive portal via https://192.168.x.254/auth.
2. From the menu Configuration => Users => Users and groups, click on Add user to
add the user whose ID is "jsmith". After you confirm the addition, enter the
password "password".
3. To create the user Peter Wood using enrollment, connect to the captive portal
and click on the New User tab. Fill out the form with the required information
and confirm. On the firewall, go to Configuration => Users => Enrollment =>
Advanced properties, to change the default ID format, and type %f1%l. Confirm
the changes, select the request from user Peter Wood and click on OK.
4. In the filter policy, create the rule to authenticate users if they are not
authenticated. To do so, add an authentication rule before the current rule for
HTTP, which will contain: PASS (+redirect to the authentication service) from
UnknownUser@Network_in to Internet (service http) + Exception for the News
group
7. In the menu Configuration => System => Administrators, add an entry for the
user granting him supervision privileges and confirm.
1. In configuration => security policy => filter - NAT, select the policy (10) Pass All
and enable it.
2. In the menu "Configuration => VPN => IPSEC VPN => encryption policy –
tunnels => Site-to-site (gateway-gateway)", start the wizard to create a site-to-
site tunnel "add => Site-to-Site tunnel". The wizard will ask you to configure the
traffic endpoints and PSK authentication mode by entering the PSK. The Phase 1
encryption profile is selected with the peer parameter IKE Profile in the Peers
tab. The Phase 2 encryption profile is selected with the Encryption profile
parameter in the VPN policy.
4. To link up the IN and DMZ networks, two object groups need to be created. The
first contains the local "IN" and "DMZ" networks while the second contains the
"IN" and "DMZ" networks of the remote site. Modify the traffic endpoints of
your VPN policy using the two object groups created. Enable keepalive by
changing its value from 0 to 30.
5. Add the following filtering rules to allow access and ping your FTP server:
The other company will have to add the following policies to access your FTP
server:
6. Encryption profiles can be created in the menu Configuration => VPN => IPSEC VPN =>
Encryption profiles tab. At the bottom left of the window, you can create Phase 1 and
Phase 2 profiles by entering the specified parameters.
7. Change the profile used in phase 2 in Configuration => VPN => IPSEC VPN => Encryption
policy – tunnels, site-to-site tab. The profile for phase 1 can be modified in Configuration
=> VPN => IPSEC VPN => Peers; select your peers and change the IKE profile field.
8. To interconnect both sites using VTIs, follow the steps below on both firewalls by
adapting the IP addresses and networks:
o Create a VTI that has an address in a network other than the networks
configured on the firewall:
o Add the static routes (or policy-based routes) to access the remote
networks via the local VTI and the IP address of the remote VTI:
o Modify the IPSec VPN policy using the IP addresses of VTIs as traffic
endpoints:
o Modify the filter rules to indicate the VTI as the source and destination
interface for traffic sent through the IPSec VPN tunnel.
2. SSL VPN privileges can be assigned to the user created in the authentication lab
exercise via Configuration ⇒ Users ⇒ Access privileges tab ⇒ Detailed access
tab. Apply the following line:
4. On the client side (the other company), open a terminal and perform the
following operations:
5. You can look up the connected user in the Monitoring section of the Users menu,
then in SSL VPN logs in VPN logs.
6. Test access to the other company's web and FTP servers using the servers'
private IP addresses.
Bonus:
1. Go to Configuration ⇒ VPN ⇒ SSL VPN and select the object any for the
parameter Available networks or hosts. You need to download the file named
openvpn_mobile_client.ovpn again on the client side in order to conduct
checks later.
3. Select a new URL filter policy from the menu Configuration ⇒ Security policy ⇒
URL Filtering. In the Action field of the default Any rule, redirect to a block
page. Add two new rules above with the action pass for the Information
Security and News categories. Apply the configuration. In the menu
Configuration ⇒ Security policy ⇒ Filtering and NAT, select the URL filter policy
that you have just defined in the rule’s security inspection which allows the SSL
VPN network to access the Internet. Apply and activate the filter policy.
Solutions – Advanced Labs
ADVANCED LABS
Advanced Labs
Introduction
This document presents a set of CSNA lab exercises and their solutions, which can be used directly with the virtual
training platform on Institute. This platform is open to all certified users and trainees. However, the infrastructure used
in Lab 1 will be slightly different from the infrastructure used in the CSNA lab exercises, so that all the advanced lab
exercises provided in this document can be covered.
From Lab 2 onwards, exercises will not be related to one another. If any lab exercise uses objects that were not seen
during the course, explanations will be provided.
Requirements
CSNA Lab 1 (getting started with the firewall) completed.
In the first point of Lab 1 in the CSNA course, trainees had to take a snapshot (named init below) of each machine.
Your Oracle VirtualBox configuration must look like this by the end of Lab 1 (all VMs shut down):
• NatNetwork 192.36.253.0/24:
1. Add the firewall SNS_TRAINER by fully cloning one of the available firewalls, and assign its three network cards
as follows:
• Interface 2: physical network card of the host, wired or wireless (in bridge mode), faster than Natnetwork
mode.
• Interface 3: network card of the host Virtual Host Ethernet Adapter#1 (administration).
2. Modify interface 1 on the firewalls SNS_EVA1_V4_x (where x is either A or B) by spreading them out on the
internal network LAN_INTERCO.
3. If you wish to do so, enable interface 4 on the firewalls SNS_EVA1_V4_x and connect it to the network card of
the host Virtual Host Ethernet Adapter#1 (by default on network 192.168.56.0/24). Configure only one IP address and
mask on this network card (no default gateway) - it will only be used for firewall administration from your host.
Network configuration
The table below is based on the assumption that the firewall SNS_TRAINER, bridged on the physical network card of
your host (bridge), obtains its IP address via DHCP. If this is not the case, change its address parameters for Internet
access.
2. On the firewalls SNS_EVA1_V4_x (where x is either A or B), configure the DNS proxy cache as seen in the CSNA
exercises (only the DNS server located on the Debian can resolve to the Internet).
3. On the firewall SNS_TRAINER, configure the DNS proxy cache to allow the network 192.36.253.0/24 to resolve
to the Internet. The firewall's DNS servers must be learned via DHCP, so configure the firewall accordingly.
• The gateway for this range will be the IP address of the firewall interface connected to your internal
network.
2. Configure your workstation in DHCP client mode to test the IP address assignment.
3. Modify the object pc_admin to associate it with your host's MAC address.
4. Configure the DHCP server to reserve the IP address of the object pc_admin for your host. The gateway for
this range will be the IP address of the firewall interface connected to your internal network. Test IP address assignment
again on your workstation to confirm that the reservation has been applied.
1. Configure the firewalls SNS_EVA1_V4_x (where x is either A or B), by following the diagram above:
• Disable the OUT interface then create two VLANs (public interfaces) with OUT as the parent interface,
• Apply the following configuration for each VLAN interface:
VLAN ID   SNS_EVA1_V4_A    SNS_EVA1_V4_B
10        11.1.10.10/24    -
11        11.1.11.10/24    -
20        -                11.1.20.10/24
21        -                11.1.21.10/24
2. Configure the firewall SNS_TRAINER by disabling its out interface, and create the four VLANs above on this
interface (IP address ending in .254). Configure its Internet access as well, and use CLI commands to check that it
works:
• system ping host=8.8.8.8
• system nslookup host=www.stormshield.com
If name resolution is not working with the DNS servers that the firewall uses by default, replace them where necessary
with DNS servers obtained via DHCP.
3. On the firewalls SNS_EVA1_V4_x, check whether the DNS proxy cache is enabled (Lab 1 point 8), with the DNS
server in the DMZ as the only one allowed to resolve (srv_dns_priv). On the firewall SNS_TRAINER, modify the
configuration of the DNS proxy cache so that only VLANs are allowed to resolve.
4. On the firewalls SNS_EVA1_V4_x, configure a router object, which will be your default gateway, directed at the
instructor’s two gateways – 11.1.x0.254 and 11.1.x1.254, in load balancing mode on SNS_EVA1_V4_A, and as a backup
gateway on SNS_EVA1_V4_B.
5. On each firewall, configure the return routes for each link where necessary.
6. On each firewall, copy the Pass all policy in a blank slot and configure translation rules to enable Internet
access.
7. On the firewall SNS_TRAINER, configure filter rules to block traffic on VLANs x0 or x1, and leave these
rules disabled for now.
8. On the firewall SNS_EVA1_V4_A, test the Internet access in connection-based load balancing mode. In the
monitoring menus, check whether this load balancing mode has been applied by opening the same web page several
times in separate tabs in the browser on your machine GRAPHICAL_CLIENT_A.
9. On the firewalls SNS_EVA1_V4_B, test the Internet access in backup gateway mode and check whether the
expected switch takes place when the main link is shut down. This fault can be simulated by enabling the filter rule
Block VLAN_x0 on the firewall SNS_TRAINER.
10. While still in connection-based load balancing mode, test the application of different weights on both links so
that 2/3 of traffic goes through the main link, and check the monitoring menus.
Note:
Before moving on to another exercise, disable VLAN interfaces on each firewall, as well as any return routes that were
created, and enable the out interface again. Replace the router object that was created with a host object
192.36.253.254.
3. Outgoing: the SMTP server in the DMZ is allowed to reach the public IP address of the neighbor's SMTP server;
allow Network_in to do so as well.
5. As Trainee A, test the mail server on the public IP address of B’s SMTP server with Telnet, as shown in the
example below:
telnet 192.36.253.23 25
(server data)
HELO myhostname
(server data)
MAIL FROM: <user@a.net>
(server data)
RCPT TO: <user@b.net>
(server data)
DATA
(server data)
Subject: test1
6. Change the Telnet test by using HELLO, a command that the SMTP RFC does not define. What do you observe? Do
you see logs relating to this operation on A's and B's firewalls?
10. Prohibit the SMTP server from relaying external messages to your mail domain
11. Change the Telnet test that Trainee A conducted by using a prohibited e-mail address (source or destination),
e.g. user@b.net as the source or user@c.net as the destination
12. What logs do you see in Trainee A’s and B’s logs when you attempt this spoofing operation?
13. What if you implemented an outgoing SMTP policy on Trainee A’s firewall?
14. In the incoming filter rule on firewall B, enable the antivirus analysis, then check that the firewall's signature
database is up to date. Next, switch to firewall A and get the text file named eicar.com.txt found on A’s web server.
Send a message from A using its Debian webmail server (http://172.16.1.11:808). Send a message to user@b.net by
adding this file as an attachment and check whether:
15. Configure the antispam policy on firewall B based on the following criteria:
• DNS RBL analysis is enabled, and the domain a.net is blacklisted (check that the DNS RBL database is up
to date)
16. Enable the antispam policy on B, and switch to the Trainee A’s webmail to send a message to user@b.net ,
then check whether:
• Company: Othercompany
3. Create an authentication policy and profile, and configure the captive portal for temporary accounts, which will
log in to Network_in.
5. All temporary accounts are logged in to Network_in. Only Internet access to news websites is available to them
with antivirus and URL filtering. The antivirus can be tested on eicar.org, which also has to be allowed, or on one of the
public addresses of site B’s web servers. Test Internet access with John Smith and check the authentication method
shown in monitoring.
6. Change the date on your computer, moving forward by one day, and synchronize your firewall with the date and
time of your workstation. Check the users that appear in the list of temporary accounts.
7. After this test, set your computer back to the right time.
You must configure sponsorship so that external users can access resources, after an internal sponsor has confirmed
their requests. As the sponsored user is on the host GRAPHICAL_CLIENT_B, and the sponsor is on
GRAPHICAL_CLIENT_A, the sponsored user will therefore connect on the out branch of firewall A.
Before you begin, to ensure that this lab exercise goes smoothly, connect to the Debian server on A and in the command
prompt, type:
Without this required step, the SMTP server will not receive e-mail notifications from the firewall.
1. Add static routes to allow users on site B to reach the network lan_dmz1_A.
2. Configure an internal LDAP directory (a.net) and create an account (user) that is allowed to confirm sponsorship
requests.
3. Create an internal authentication policy and profile, and the captive portal for the sponsor, who will log in via the
IN interface.
4. Create an external authentication policy and profile, configure e-mails via SMTP and configure the captive portal
for sponsored users, who will log in via the out interface.
5. As a sponsored user, submit a sponsorship request. As a sponsor, use the user@a.net account found on your
SMTP server to accept sponsored users (use webmail to display your mailbox).
6. Configure rules to allow sponsored users to send pings to the dmz1 on A, and check that the pings are
successful.
7. Force the sponsored user to log out, and ensure that the ping no longer works.
You will also set up a site-to-site IPSec VPN tunnel with the instructor’s firewall.
The SSL VPN client must be able to access resources on site A and those available via IPSec VPN on the instructor’s
firewall, according to this path: GRAPHICAL_CLIENT_B => SSL VPN tunnel => firewall A => IPSec VPN tunnel =>
instructor’s firewall => host or local network.
1. Create a loopback interface on the instructor’s firewall, named loopvpn with the IP address 10.255.255.1/32.
2. Configure an IPSec tunnel with Strong encryption profiles and the Keep alive function enabled, according to
the following topology:
3. After you have checked that your IPSec VPN tunnel works, add rules to allow communication between the local
networks chosen as traffic endpoints. Check by pinging 10.255.255.1 from the graphical client on site A.
4. Enable the SSL VPN server on site A to let the SSL VPN client contact all networks (any), and test access to
resources from site B using a user account created in the LDAP directory for this purpose.
5. Configure filter rules to allow the SSL VPN client to ping loopvpn on the instructor’s firewall. Modify the IPsec
VPN topology where necessary.
1. Create the child VLAN interfaces of the out interface on sites A and B. Assign the IP addresses as shown in the
diagram.
2. Create two VPN tunnels between the head office (site A) and the agency (site B) using VTIs (IPpub1_A to
IPpub1_B and IPpub2_A to IPpub2_B).
3. Use a router object at the head office and the agency to reach resources located on the networks of the remote
site, with 50-50 load balancing. Make the necessary changes to the configuration to enable communications.
4. All traffic must be encrypted between the IN and DMZ networks at the head office and the agency.
5. On the instructor’s firewall, simulate an Internet access failure at the head office, and check what impact the
failure had on network traffic between sites A and B. Then, revert to the normal operating mode.
Record your observations under the following headings: operational tunnels, load balancing, fault tolerance,
advantages of the router object, disadvantages of the router object.
1. Enable Bird dynamic routing. After reading the tests in Appendix 2, create static routes on each site to reach
resources located on the network LAN_IN_x on the remote site. For each test, compare the Bird routing table with the
firewall’s routing table to determine which routes were added.
2. For functional tests, use the instructor’s firewall to simulate an Internet access failure at the head office, for
example by disabling a VLAN interface. Check what impact the failure had on network traffic between sites A and B,
then revert to the normal operating mode.
Record your observations under the following headings: load balancing, fault tolerance, advantages of Bird static
routing, disadvantages of Bird static routing.
Variations of scenario 2
1. From site A, you must allow access not only to the remote network LAN_IN_B 192.168.2.0/24, but also to a
network LAN_IN_B2 192.168.3.0/24 (configure a second IP address for the IN interface on firewall B), without changing
the number of static routes that Bird injected in the system.
2. Set up the configuration to observe the results, and indicate your conclusions.
1. Enable OSPF dynamic routing with Bird. After reading and applying the tests in Appendix 3, ideally, you should
have dynamic routes on each site to reach resources located on the networks LAN_IN_x and LAN_DMZ1_x on the remote
site. For each test, check the routes that OSPF injected in the system and check the resulting routing table on the
firewalls to determine which routes were added. Use filters to view only routes to networks that you want to observe.
2. For functional tests, use the instructor’s firewall to simulate an Internet access failure at the head office, for
example by disabling a VLAN interface. Check what impact the failure had on network traffic between sites A and B,
then revert to the normal operating mode.
Record your observations under the following headings: load balancing, fault tolerance, advantages of Bird dynamic
routing, disadvantages of Bird dynamic routing.
4. Enable Syslog on the firewall to send all logs to the SVC over TCP, in RFC 5424 format.
5. Log in to the SVC's web interface and check that the logs have indeed been received.
6. Edit an SNS log view and use display filters to familiarize yourself with the administration interface.
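If you want to understand what the SVC receives on that TCP listener, the following Python code is an added example (not part of the training material or of the SVC): it frames messages with RFC 6587 octet counting, the framing used for RFC 5424 over TCP, reassembles them from a byte stream that may end mid-frame, and parses the RFC 5424 header and structured data. The sample log lines are constructed for the example and do not reproduce the real SNS log format.

```python
import re
from dataclasses import dataclass

# RFC 5424 HEADER: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    rb"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)
# SD-PARAM: name="value", with \" \\ and \] escaped inside the value
PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    version: int
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    structured_data: dict
    msg: str


def frame(message: bytes) -> bytes:
    """RFC 6587 octet counting: message length, a space, then the message."""
    return b"%d %s" % (len(message), message)


def split_frames(buf: bytes):
    """Split a received TCP byte stream into complete messages.
    Returns (messages, leftover); leftover is an incomplete trailing frame."""
    messages = []
    while buf:
        sp = buf.find(b" ")
        if sp <= 0 or not buf[:sp].isdigit():
            break  # not octet-counted data: stop and let the caller decide
        end = sp + 1 + int(buf[:sp])
        if len(buf) < end:
            break  # partial frame: keep it until more bytes arrive
        messages.append(buf[sp + 1:end])
        buf = buf[end:]
    return messages, buf


def parse_structured_data(rest: bytes):
    """Parse STRUCTURED-DATA ('-' or one or more [SD-ID params] elements).
    Returns ({sd_id: {param: value}}, remaining bytes)."""
    if rest.startswith(b"-"):
        return {}, rest[1:]
    elements, pos = {}, 0
    while rest[pos:pos + 1] == b"[":
        end = pos + 1
        while end < len(rest):  # closing ']' that is not escaped
            if rest[end:end + 1] == b"]" and rest[end - 1:end] != b"\\":
                break
            end += 1
        else:
            raise ValueError("unterminated SD-ELEMENT")
        sd_id, _, params = rest[pos + 1:end].decode("utf-8").partition(" ")
        elements[sd_id] = {
            name: re.sub(r'\\([\]"\\])', r"\1", value)
            for name, value in PARAM_RE.findall(params)
        }
        pos = end + 1
    if not elements:
        raise ValueError("STRUCTURED-DATA must be '-' or at least one SD-ELEMENT")
    return elements, rest[pos:]


def parse_rfc5424(raw: bytes) -> SyslogMessage:
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range")
    sd, rest = parse_structured_data(raw[m.end():])
    msg = rest[1:] if rest.startswith(b" ") else rest
    if msg.startswith(b"\xef\xbb\xbf"):  # optional UTF-8 BOM before MSG
        msg = msg[3:]

    def field(name):
        return m.group(name).decode("ascii")

    return SyslogMessage(pri // 8, pri % 8, int(m.group("version")), field("timestamp"),
                         field("hostname"), field("appname"), field("procid"),
                         field("msgid"), sd, msg.decode("utf-8", "replace"))


def sample_stream() -> bytes:
    """Two complete frames plus the start of a third, as a receiver might see
    them mid-read. Constructed lines, not real SNS output."""
    first = (b"<134>1 2024-05-06T10:15:32.123Z sns-fw-a sns - filter "
             b'[meta seq="42" note="constructed \\"sample\\""] '
             b"id=firewall action=block src=192.168.1.200 dst=192.36.253.12 dport=21")
    second = b"<132>1 2024-05-06T10:15:33Z sns-fw-a sns - alarm - proto=smtp msg=BadCmdWaitingHeloEhlo"
    third = b"<134>1 2024-05-06T10:15:34Z sns-fw-a sns - filter - id=firewall action=pass"
    return frame(first) + frame(second) + frame(third)[:20]
```

Severity and facility come from PRI (facility * 8 + severity), which is why the parser splits it with integer division and modulo; the partial third frame is returned as leftover so a real receiver can prepend it to the next read.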
SOLUTIONS
ADVANCED LABS
2. Under Parameters, add the domain name as well as a DNS server (the object "srv_dns" created during the
previous exercise).
3. Through the Address range section, add the address range requested in the exercise, and delete the default
range (named dhcp_range). Enter "Firewall_in" as the gateway for your address range.
4. Edit the object "pc_admin" to include your host's MAC address (you will find this address in the results of the
command "ipconfig /all" on your Windows system, or "ifconfig" if you are using a Linux system).
5. Select the object "pc_admin" in the Reservation section of the configuration menu in the DHCP module. To test
whether the new IP address was assigned, ensure that your machine is in DHCP mode, and unplug/plug in the network
cable that connects it to the UTM.
• On firewall B:
Configure routing in CONFIGURATION => NETWORK => ROUTING; your default gateway must be Firewall_in_router if
you are a DHCP client on this interface.
The command system ping host=8.8.8.8 confirms that Internet access functions.
The command system nslookup host=www.stormshield.com makes it possible to confirm that name resolution
functions properly. If it fails (e.g., your ISP does not recognize the servers dns1.google.com and dns2.google.com),
check the following points:
• In the Advanced DHCP properties window of the IN interface, the checkbox Request domain name
servers from the DHCP server and create host objects is selected,
• In CONFIGURATION => SYSTEM => CONFIGURATION, NETWORK SETTINGS tab, remove the servers
dns1.google.com and dns2.google.com from the list of DNS servers that the firewall uses, and add the
server Firewall_in_dns1. The resolution test must now be functional.
3. The menu CONFIGURATION => NETWORK => DNS PROXY CACHE must look like this, respectively on firewalls
A and B, then on TRAINER:
4. On the firewalls SNS_EVA1_V4_x, go to CONFIGURATION => OBJECTS => NETWORK OBJECTS to create a router
object on A as follows:
The object created on B is identical but with the host GW_TRAINER_VLAN_20 as the main gateway and
GW_TRAINER_VLAN_21 as the backup gateway.
However, return routes are not necessary on the firewalls SNS_EVA1_V4_x, unless you want to publish a server in a DMZ
so that it can be reached from one or both links. In this case, you can create return routes as follows (example of
SNS_EVA1_V4_A):
5. Go to CONFIGURATION => SECURITY POLICY => FILTER - NAT. Add the following translation rules in the slot used,
respectively for A and SNS_TRAINER:
6. On the firewall SNS_Trainer, add block rules to simulate a failure with the ISP:
You can also go to MONITORING => LOGS – AUDIT LOGS => Network traffic to check whether connections alternate
between two different routes:
8. After generating traffic from GRAPHICAL_CLIENT_B, check on the firewall SNS_EVA1_V4_B whether all traffic
takes a single route:
• After the block rule is enabled on the firewall SNS_TRAINER, all traffic will take the backup route:
9. Go back to the firewall SNS_EVA1_V4_A after you have disabled the block rule on the firewall SNS_TRAINER,
and change the router object as follows:
10. You will see that load balancing is 2/3 – 1/3 in the monitoring menus.
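To see in advance what the monitoring view should show for points 8 to 10, the following Python model is an added example, not part of the training material: a simplified router object that spreads new connections over the main gateways in proportion to their weights and falls back to the backup gateways only when no main gateway answers. The gateway names for firewall A are assumed by analogy with those of firewall B, and the "all main gateways unreachable" activation condition for backup gateways is an assumption of the model.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    weight: int = 1   # share of new connections among the main gateways
    up: bool = True   # result of the router object's availability check


@dataclass
class RouterObject:
    """Simplified model: connection-based load balancing over the main
    gateways, backup gateways used only when every main gateway is down
    (assumption: backup activation set to 'all gateways unreachable')."""
    main: list
    backup: list = field(default_factory=list)
    _seq: int = 0  # connection counter driving the weighted round-robin

    def _candidates(self):
        alive = [g for g in self.main if g.up]
        if alive:
            return alive, "main"
        return [g for g in self.backup if g.up], "backup"

    def next_gateway(self):
        """Gateway chosen for the next new connection, and the tier it belongs to."""
        candidates, tier = self._candidates()
        if not candidates:
            raise RuntimeError("no reachable gateway: the default route is down")
        slot = self._seq % sum(g.weight for g in candidates)
        self._seq += 1
        for gateway in candidates:  # each gateway owns `weight` consecutive slots
            if slot < gateway.weight:
                return gateway.name, tier
            slot -= gateway.weight
        raise AssertionError("slot outside the weight table")


def distribution(router, connections):
    """Gateway taken by each of N new connections, as the monitoring view would list them."""
    return dict(Counter(router.next_gateway()[0] for _ in range(connections)))


if __name__ == "__main__":
    # Firewall A: two main gateways, then weights 2:1 (point 10).
    a = RouterObject(main=[Gateway("GW_TRAINER_VLAN_10", 2), Gateway("GW_TRAINER_VLAN_11", 1)])
    print("A, weights 2:1 ->", distribution(a, 300))
    # Firewall B: one main gateway, one backup (point 9).
    b = RouterObject(main=[Gateway("GW_TRAINER_VLAN_20")], backup=[Gateway("GW_TRAINER_VLAN_21")])
    print("B before failure ->", b.next_gateway())
    b.main[0].up = False  # the Block VLAN_20 rule on SNS_TRAINER takes effect
    print("B after failure  ->", b.next_gateway())
```

Equal weights give the alternation observed in point 8; weights 2 and 1 give the 2/3 - 1/3 split of point 10; and marking the main gateway down moves every new connection to the backup, which is what point 9 expects once the block rule is enabled on SNS_TRAINER.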
2. When HELLO is used, a command that the SMTP RFC does not define, the server replies:
4. In IDS inspection mode, the logs are plugin logs and firewall B shows an application alarm, but allows
the traffic. In IPS mode, the application alarm invalid SMTP protocol (BadCmdWaitingHeloEhlo) appears
and the Telnet connection is shut down:
5. To set up an incoming SMTP policy, go to Configuration > Security policy > SMTP filtering:
• Rule 1 prohibits address spoofing on your mail domain, since external users are not allowed to
use internal addresses,
• Rule 2 accepts only messages that are intended for you. The implicit Block all rule, which cannot be seen
but is active, prohibits your SMTP server from relaying external messages to your mail domain.
6. This SMTP policy must now be applied to the incoming filter rule, which must also be modified to add
the translation directive so that the proxy operates correctly. Then edit the properties of the SMTP
protocol in the Proxy tab in Configuration > Application protection >
Protocols > SMTP:
7. When you run Telnet from the client workstation, the firewall may block your access and raise a
Possible DNS rebinding attack alarm. You can also run Telnet directly from the Debian machine, first with
an illegal recipient, then an illegal sender. The Telnet output resembles:
Note that the firewall did not shut down the connection; only the illegal addresses were blocked.
8. The SMTP proxy logs on firewall B show that two successive operations were blocked: "Default policy: recipient
is blocked", then "Sender is blocked".
9. To implement an outgoing SMTP policy in firewall A, go to Configuration > Security policy >
SMTP filtering:
Apply this policy to the outgoing SMTP filter rule, then go to Configuration > Security policy > SMTP
filtering (smtp_01 profile), click on Go to global configuration and select Apply the NAT rule on
scanned traffic:
You will now see an attempt to spoof an e-mail address via Telnet in firewall A's logs: "Default policy: sender
is blocked".
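The exercise's Telnet tests (points 5, 6, 11 and 13 of the lab) and the solutions for points 2 to 9 above can be replayed offline with the following Python model, an added example that is not part of the training material or of the firewall's code. It walks the client side of an SMTP dialogue the way the plugin and proxy do: a command other than HELO/EHLO before the greeting raises the BadCmdWaitingHeloEhlo alarm (and, in IPS mode, drops the session), while the incoming policy on B (anti-spoofing, accept local recipients, implicit block-all against relaying) and the outgoing policy on A (only local senders) block addresses without closing the connection. The rule structure is a simplification of the SMTP filter rules seen in the lab, and the log texts are those quoted in the solutions.

```python
import re
from dataclasses import dataclass

# Address in MAIL FROM / RCPT TO, e.g. "MAIL FROM: <user@a.net>"
ADDR_RE = re.compile(r"<\s*([^<>@\s]+)@([^<>@\s]+)\s*>")


@dataclass
class SmtpPolicy:
    """'incoming': firewall B protecting local_domain (rule 1 blocks external
    senders using an internal address, rule 2 accepts local recipients, the
    implicit block-all refuses relaying). 'outgoing': firewall A lets only
    local senders out. Simplified model of the lab's SMTP filter policies."""
    local_domain: str
    direction: str

    def check_sender(self, domain):
        if self.direction == "incoming" and domain == self.local_domain:
            return "Sender is blocked"                    # rule 1: address spoofing
        if self.direction == "outgoing" and domain != self.local_domain:
            return "Default policy: sender is blocked"    # spoofed source leaving the site
        return None

    def check_recipient(self, domain):
        if self.direction == "incoming" and domain != self.local_domain:
            return "Default policy: recipient is blocked"  # implicit block all: no relay
        return None


def analyse_session(lines, policy, mode="ips"):
    """Return (event, detail) tuples for the client commands of a session.
    mode 'ips' shuts the connection down on a protocol violation, 'ids' only alarms."""
    events, greeted = [], False
    for line in lines:
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        if not greeted:
            if verb in ("HELO", "EHLO"):
                greeted = True
                events.append(("pass", line))
                continue
            # any other command before the greeting violates the protocol
            events.append(("alarm", "invalid SMTP protocol (BadCmdWaitingHeloEhlo)"))
            if mode == "ips":
                events.append(("drop", "connection shut down"))
                return events
            continue  # IDS: alarm only, the traffic is allowed through
        match = ADDR_RE.search(line)
        domain = match.group(2).lower() if match else None
        if verb == "MAIL":
            verdict = policy.check_sender(domain)
        elif verb == "RCPT":
            verdict = policy.check_recipient(domain)
        else:
            verdict = None
        # the proxy blocks the address but keeps the connection open
        events.append(("block", verdict) if verdict else ("pass", line))
    return events


def blocked(events):
    """Only the proxy block messages, as they would appear in the SMTP logs."""
    return [detail for kind, detail in events if kind == "block"]


if __name__ == "__main__":
    incoming_b = SmtpPolicy("b.net", "incoming")
    # Constructed transcripts following the lab's Telnet tests.
    print(analyse_session(["HELLO myhostname", "HELO myhostname"], incoming_b, "ips"))
    print(blocked(analyse_session(
        ["HELO x", "MAIL FROM: <user@b.net>", "RCPT TO: <user@c.net>"], incoming_b)))
```

Run the spoofing transcript against SmtpPolicy("a.net", "outgoing") to see what firewall A logs once the outgoing policy of point 9 is in place: the forged user@b.net sender is rejected before it ever reaches B.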
10. Apply the antivirus analysis to the incoming filter rule on firewall B:
11. In the monitoring tab, check whether the signature database is up to date, and if it is not, force
an update:
On Trainee A’s workstation, open http://172.16.1.11/Virus, right-click on eicar.com.txt and save the file on your
computer. Log in to Trainee A’s webmail, attach this file to an e-mail and send it. You will immediately receive a code
The SMTP proxy logs on firewall B will show that this e-mail was blocked.
On firewall B, go to Configuration > Application protection > Antispam and apply the same configurations:
12. Enable the antispam analysis on the incoming filter rule on firewall B:
Next, check whether the DNS RBL database is up to date, then on firewall A, send a message to
user@b.net from your webmail; you will receive a non-delivery notification immediately.
The SMTP proxy logs show that the e-mail was blocked with the message "Message not sent due to antispam
policy".
3. Create an authentication policy via the menu CONFIGURATION => USERS => AUTHENTICATION =>
Authentication policy tab:
Configure the interface corresponding to the authentication profile in the menu CONFIGURATION => USERS =>
AUTHENTICATION => CAPTIVE PORTAL tab:
4. To allow Internet access conditions to be displayed, go to the menu CONFIGURATION => USERS =>
AUTHENTICATION => CAPTIVE PORTAL PROFILES tab and select the relevant option:
Use the object any@voucher_users.local.domain in rule 4 to define a user with a temporary account.
On the host GRAPHICAL_CLIENT_A, test access to www.eicar.org. You will be redirected to the captive portal on which
you log in as jean.dupont with the password indicated earlier. The Internet access conditions appear:
When you accept the terms at the bottom of the page (select I have read the terms and click on I accept ), you will be
redirected to the website. Go to MONITORING => MONITOR => USERS to view the properties of the connected user:
In the browser on GRAPHICAL_CLIENT_A that displays the welcome page of eicar.org, click on Download anti-malware
test file and download the file for the HTTP protocol, and observe the results in the alarm log.
You can also test news websites (www.euronews.com) or other categories in HTTP to check whether your URL filter
has been applied.
6. After the temporary account expires - which you can simulate by changing the date on the firewall - the
temporary account created will disappear.
2. The configuration of the internal directory on firewall A is the same as the configuration in the CSNA course.
The only difference is in CONFIGURATION => USERS => AUTHENTICATION => Captive portal profiles tab. Select the
checkbox Enable sponsorship:
3. Go to CONFIGURATION => USERS => AUTHENTICATION, Authentication policy tab to create the following
policy for the sponsor:
Create an internal authentication policy and profile, and configure the captive portal for the sponsor, who will log in via
the IN interface.
A link to the configuration of the firewall’s SMTP server (making it possible to send the request to the sponsor) is
highlighted; click on it to configure the service:
Use the Testing the SMTP configuration button to test user@a.net, and on GRAPHICAL_CLIENT_A, check whether this
test is effective, by logging in to the webmail:
Go back to CONFIGURATION => USERS => AUTHENTICATION, Authentication policy tab. Create the following policy:
5. As a sponsored user, log in from GRAPHICAL_CLIENT_B to site A’s captive portal, and fill in your sponsorship
request:
Use the user@a.net account found on your SMTP server to accept sponsored users (use webmail to display your
mailbox):
You will be asked to authenticate as a sponsor on the captive portal if you have not already done so; the sponsorship
request is successful:
6. In CONFIGURATION ⇒ SECURITY POLICY ⇒ FILTER - NAT on firewall A, add the following rules:
(The logged in sponsored user belongs to any@any). Pings from the sponsored user’s workstation were successful.
3. At this stage, the tunnel is mounted. This is the view of the logs on A:
After you have checked that your IPSec VPN tunnel works, add the following filter rules, respectively on A and TRAINER:
4. The SSL VPN tunnel is enabled in the same way as in the CSNA course, with the user jdupont:
Likewise for filter rules (allow SSL VPN clients to access internal resources).
Jean Dupont logs in as an SSL VPN client and can access resources on site A, but not the loopback interface on the Trainer
firewall, even though any was specified as the accessible networks, which includes the loopback interface reachable via the
IPsec VPN.
5. The IPsec VPN topology must be modified to create a route between the SSL VPN client network and the
loopback interface on Trainer (from the instructor’s point of view):
As soon as the filter rules are defined on the Trainer site and on site A, the SSL VPN client can ping the loopback interface
on Trainer (via IPSec VPN) through the SSL VPN tunnel:
1. The firewall on site A uses a router object to access the Internet, so you can check whether load balancing
works in Monitoring => Logs => Network traffic by showing the column Translated source address. In the example below,
four tabs to the same website were opened on GRAPHICAL_CLIENT_A, and the translated source addresses clearly alternate
between the two VLAN interfaces on site A:
2. Go to Configuration => Network => Virtual interfaces, IPSec interfaces (VTI) tab, and create the interfaces as
shown below, respectively on A and B:
Create host objects that represent remote VTIs on sites A and B, in Configuration => Objects => Network objects, Add
button:
Create host objects as well that represent each public IP address on the remote site:
Create static routes respectively on A and B that make it possible to reach remote public IP addresses, in
Configuration => Network => Routing, IPv4 static routes tab:
Return routes are already configured in the .na files provided, but check them anyway. In a configuration set up from
scratch, you would have had to create them yourself.
In Configuration => VPN => IPSec VPN, Peers tab, create the following peers on site A:
Then on site B:
In the Encryption policy - Tunnels tab, Site-to-site (Gateway-Gateway) sub-tab, click on Add > Site-to-site tunnel, and
create the following tunnels respectively on A and B:
The Keep alive option is enabled on one of the firewalls (A in this example) to force tunnels to be set up.
You can check VPN logs or tunnel monitoring at this stage (example given from A):
Note:
Before going on to point 3, back up the configuration of firewalls A and B. This will save you time for the other scenarios
in this document.
3. Create router objects respectively on A and B in Configuration => Objects => Network objects, Add button:
Reminder: router objects can be used as default gateways or for policy-based routing (PBR). Go to Configuration =>
Security policy => Filter - NAT, and create the following rules respectively on A and B:
When PBR is used with VTIs, you must create return routes on each firewall (the first two return routes in the examples
below were in the .na files) in Configuration => Network => Routing, IPv4 return routes tab:
On GRAPHICAL_CLIENT_A, try to open the web page of the server Debian-Training-Webmail_B four times with its private
IP address, and display the connection logs to check whether load balancing is functioning (show the column
Destination interface on firewall A):
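Instead of reading the Translated source address column (point 1 above) or the Destination interface column (point 3) by eye, the same check can be scripted over exported connection logs. The following is an added example and not part of the course material: the log lines are constructed in the key=value style of Stormshield connection logs, and the field names (src, dst, dstport, dstif, modsrc), the interface names and the public addresses are assumptions made for the illustration.

```python
"""Added example: verify connection-based load balancing from log lines.

The lines below are CONSTRUCTED in the key=value style of Stormshield
connection logs. Field names (time, src, dst, dstport, dstif, modsrc),
interface names and public IP addresses are assumptions for this example.
"""
from collections import Counter
import shlex

# Point 1: Internet access through a router object. The translated source
# address (modsrc) and the outgoing VLAN interface should alternate.
INTERNET_LINES = [
    'time="2024-03-12 09:00:01" src=192.168.1.10 dst=198.18.0.10 dstport=443 dstif="vlan_isp1" modsrc=198.51.100.1',
    'time="2024-03-12 09:00:02" src=192.168.1.10 dst=198.18.0.10 dstport=443 dstif="vlan_isp2" modsrc=203.0.113.1',
    'time="2024-03-12 09:00:03" src=192.168.1.10 dst=198.18.0.10 dstport=443 dstif="vlan_isp1" modsrc=198.51.100.1',
    'time="2024-03-12 09:00:04" src=192.168.1.10 dst=198.18.0.10 dstport=443 dstif="vlan_isp2" modsrc=203.0.113.1',
]

# Point 3: PBR towards site B through two VTIs. No NAT here, so only the
# destination interface tells you which tunnel each connection took.
VTI_LINES = [
    'time="2024-03-12 10:00:01" src=192.168.1.10 dst=192.168.2.20 dstport=80 dstif="vti1"',
    'time="2024-03-12 10:00:02" src=192.168.1.10 dst=192.168.2.20 dstport=80 dstif="vti2"',
    'time="2024-03-12 10:00:03" src=192.168.1.10 dst=192.168.2.20 dstport=80 dstif="vti1"',
    'time="2024-03-12 10:00:04" src=192.168.1.10 dst=192.168.2.20 dstport=80 dstif="vti2"',
]

# What you see when every connection leaves by the same interface, e.g. while
# one link is down and the router object has discarded the other gateway.
ONE_LINK_LINES = [
    'time="2024-03-12 11:00:01" src=192.168.1.10 dst=192.168.2.20 dstport=80 dstif="vti2"',
    'time="2024-03-12 11:00:02" src=192.168.1.10 dst=192.168.2.20 dstport=80 dstif="vti2"',
    'time="2024-03-12 11:00:03" src=192.168.1.10 dst=192.168.2.20 dstport=80 dstif="vti2"',
]


def parse_kv(line):
    """Split one key=value log line into a dict; shlex handles quoted values."""
    record = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value
    return record


def distribution(lines, field):
    """Count how many connections carry each value of `field`."""
    return Counter(parse_kv(line).get(field, "<none>") for line in lines)


def is_balanced(lines, field, tolerance=1):
    """True when at least two values of `field` are used and their counts
    differ by at most `tolerance` connections. Balancing is per connection,
    never per packet, so a handful of connections is enough to judge."""
    counts = distribution(lines, field)
    counts.pop("<none>", None)
    if len(counts) < 2:
        return False
    return max(counts.values()) - min(counts.values()) <= tolerance


if __name__ == "__main__":
    print("modsrc:", dict(distribution(INTERNET_LINES, "modsrc")))
    print("dstif :", dict(distribution(VTI_LINES, "dstif")))
    print("one link only balanced?", is_balanced(ONE_LINK_LINES, "dstif"))
```

Run it on real exported logs by replacing the constructed lists with the file's lines; a result of False on the dstif field during the ISP-failure test of point 5 is exactly what you want to see, since it means the router object stopped sending connections to the dead link.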
4. Traffic is encrypted between the networks of the head office and the agency as soon as it goes through a VTI.
When the corresponding router object is being created, the value Do not route is already configured for the parameter
If no gateways are available. There is nothing else to configure.
5. Two disabled filter rules on the instructor’s firewall make it possible to simulate an ISP failure. Enable rule 1:
The route monitoring menu illustrates this problem (from A’s point of view in this example):
However, nothing has changed in the IPsec VPN tunnel monitoring menu or in the IPsec VPN logs. This is normal: when the
peers were configured, the advanced Liveness option in IKEv2 (DPD in IKEv1) was left at its default value, Passive, in
which IKE does not send its own messages to check that the phase 1 security association is still valid (it only answers
the peer's). Set the peers to Low on one of the sides (A or B):
Repeat the test on GRAPHICAL_CLIENT_A, i.e., opening the web page of the server Debian-Training-Webmail_B several
times with its private IP address, and display the connection logs (show the column Destination interface on firewall A):
When ISP1 access is restored on the firewall TRAINER and ISP2 access is cut instead, the VPN logs now show the issue
(the message Remote seems to be dead appears for the disabled link), since phase 1 liveness detection was enabled in
the meantime.
6. You now have all the information you need to fill in the table:
Operational tunnels: YES
Load balancing: YES
Fault tolerance: YES (do not forget to enable DPD and keep alive)
Advantages of router object: prorating possible, depending on the real bandwidth of the links
Disadvantages of router object: proprietary; can only be used through filter rules; not visible in the FreeBSD routing table; incompatible with third-party vendors
Note:
Attempts to add links to a peer already used in the topology (e.g., a link between the second public IP address on A to
the first address on B, with VTI interfaces) will fail. Moreover, if you attempt to create a new peer (on an existing public
IP address and with the same parameters as the previous one), the peer will encounter an error whether you use PSK or
certificates, because it will be considered a duplicate.
• Site A: 2 Internet connections, site B: 1 Internet connection; 1 tunnel via VTI from B to A1, another from B
to A2.
• Site A: 2 Internet connections, site B: 2 Internet connections; 4 tunnels in all, from A1 to B1, from A1 to B2,
from A2 to B1, from A2 to B2.
Generally speaking, since an IPsec VPN peer is associated with a single public IP address, for full fault tolerance and
several tunnels up simultaneously, VTIs must be used with Stormshield firewalls, and on both sites, there must be as
many public IP addresses as the desired number of simultaneous tunnels.
Solution to scenario 2
All screen captures in this solution are from A’s point of view.
1. Begin by testing whether load balancing works; the screen captures below represent the Bird configuration and
the result in command line:
The show static command shows that the routes have the same weight, but they are not both injected into the system routing
table. Routing is done per packet: with two equal routes, one packet would leave via the first route and the next via the
second, which is incompatible with a firewall that tracks sessions (all packets of a connection must follow the same
path), so load balancing is not an option here.
Only the route with the highest preference is injected into the system table, which is logical.
Since the test was conclusive, this is what will be implemented in the next point.
Note:
Comments that begin with # in the Bird configuration have been removed from the screen captures in this solution to
make the configuration easier to read, but keep them in the actual configuration so that administrators who share the
firewall management role with you can refer to them.
The routing table is the same as the previous one; a frame capture with the command tcpdump -ni enc1 port 3784
(and with enc2 on the second link) shows BFD in action:
2. Routing without BFD is tested first, by disabling the interface vlan_10 on the firewall TRAINER:
On the firewall on site A, the route monitoring menu shows that the first link is unavailable:
IPSec VPN logs also show that tunnel 1 is unavailable, but because it was idle for too long (this corresponds to the
frequency of Liveness tests to detect the validity of the phase 1 key):
The route to the network LAN_IN_B 192.168.2.0/24 has not changed, and is associated with the traffic endpoint VTI of
the tunnel that is down, and therefore no longer valid!
The Bird command show interfaces shows that both enc1 and enc2 are up:
The observations made here are logical, because the routing table is supposed to change only if one of the interfaces
is down. But you will notice that even when an IPSec VPN tunnel with VTIs is down, the VTIs remain active - this makes
it easier for the tunnel to resume operation quickly.
The check link option used in the Bird configuration file at the beginning of the protocol static section is therefore
unnecessary.
Applying the same tests as before (interface vlan_10 disabled on the firewall TRAINER), BFD frames no longer travel
over the link vti1 (a capture with tcpdump -ni enc1 port 3784 stays silent).
This time, the output of the system routing table shows that the route is operational:
As soon as normal operations resume (the interface vlan_10 enabled on the firewall TRAINER), the system routing table
will point back very quickly to the route with the highest priority.
You can send a test ping from Graphical_client_A to the IP address 192.168.2.254, and repeatedly enable/disable the
interface of the firewall TRAINER; it takes so little time to switch that it is almost not noticeable. BFD can be configured
with detection intervals in milliseconds (the default value is 100 ms), but this is not necessary in our case, since the
renegotiation of the tunnel will only take a few seconds.
Load balancing Fault tolerance Advantages of Bird static routing Disadvantages of Bird static routing
1. The networks 192.168.2.0/24 and 192.168.3.0/24 can be aggregated into a single line by changing the mask:
192.168.2.0/23 (192.168.2.0 - 192.168.3.255); the dynamic routing configuration on site A therefore becomes:
Note:
Firewall or not, the usual good practice of keeping the routing table as small as possible still applies: on each
site, prefer contiguous networks and aggregate routes with variable-length masks.
Solution to scenario 3
1. Modify the file presented in the first test in Appendix 3 for A and B as follows:
#On A: #On B:
Switch to command line to see site A’s point of view, for example, routes injected into the kernel from Bird:
Filtering that involves the default gateway 0.0.0.0/0 and the network 192.36.253.0/24 was effective, but OSPF also sees
networks connected on the OUT interface of the remote firewall, and host addresses in /32.
Modify the existing filter so that you do not see these networks:
• 11.1.0.0/16+ makes it possible to ignore any prefix within 11.1.0.0/16, i.e. any network beginning with 11.1 whose
prefix length is greater than or equal to 16.
• 0.0.0.0/0{32,32} makes it possible to ignore any /32 prefix (host routes), regardless of the IP address.
filter network {
if net ~ [ 192.168.56.0/24, 0.0.0.0/0, 11.1.0.0/16+, 0.0.0.0/0{32,32} ] then reject;
else accept;
}
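To make the effect of the two new entries concrete, the following added example (not part of the course, and not Bird code) reproduces Bird's prefix-set matching in Python and runs the filter, before and after the change, over a constructed list of routes standing in for what OSPF announces from firewall B. The semantics of the `+`, `-` and `{a,b}` qualifiers are as understood here from the Bird documentation; the page itself only relies on `+` and `{32,32}`, whose meaning is unambiguous. The 11.1.x.x and 10.200.0.1 addresses are assumptions.

```python
"""Added example: how Bird prefix-set entries match routes, in Python.

Semantics as understood here (Bird documentation):
  net/len        exact prefix only
  net/len+       net/len and every more specific prefix (lengths len..32)
  net/len-       net/len and every less specific prefix (lengths 0..len)
  net/len{a,b}   prefixes of length a..b whose first min(length, len) bits
                 equal those of net
"""
import ipaddress
import re

ENTRY_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<len>\d+)(?P<q>\+|-|\{\d+,\d+\})?$"
)


def parse_entry(entry):
    """Turn one prefix-set entry into (network_as_int, len, low, high)."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError(f"not a prefix-set entry: {entry!r}")
    net = int(ipaddress.IPv4Address(m.group("ip")))
    plen = int(m.group("len"))
    q = m.group("q")
    if q is None:
        low, high = plen, plen
    elif q == "+":
        low, high = plen, 32
    elif q == "-":
        low, high = 0, plen
    else:
        low, high = (int(x) for x in q.strip("{}").split(","))
    return net, plen, low, high


def entry_matches(entry, route):
    """Does the route (e.g. '11.1.20.0/24') fall into this prefix-set entry?"""
    net, plen, low, high = entry
    r = ipaddress.IPv4Network(route)
    if not low <= r.prefixlen <= high:
        return False
    bits = min(r.prefixlen, plen)
    if bits == 0:
        return True  # 0.0.0.0/0{32,32}: only the prefix length matters
    mask = ((1 << bits) - 1) << (32 - bits)
    return (int(r.network_address) & mask) == (net & mask)


def bird_filter(route, reject_set):
    """Mirror of:  if net ~ [ ... ] then reject; else accept;"""
    entries = [parse_entry(e) for e in reject_set]
    return "reject" if any(entry_matches(e, route) for e in entries) else "accept"


def apply_filter(routes, reject_set):
    return {route: bird_filter(route, reject_set) for route in routes}


# The prefix set before and after the two entries added on the page.
OLD_SET = ["192.168.56.0/24", "0.0.0.0/0"]
NEW_SET = ["192.168.56.0/24", "0.0.0.0/0", "11.1.0.0/16+", "0.0.0.0/0{32,32}"]

# Constructed candidate routes: default route, the OUT-side networks of the
# remote firewall (11.1.x.x, assumed addresses), /32 host routes, a network
# that merely resembles the OUT side, and the internal networks we want.
CANDIDATE_ROUTES = [
    "0.0.0.0/0",
    "192.168.56.0/24",
    "11.1.0.0/16",
    "11.1.20.0/24",
    "11.1.20.5/32",
    "10.200.0.1/32",
    "11.2.0.0/16",
    "192.168.2.0/24",
    "192.168.3.0/24",
]

if __name__ == "__main__":
    for route, verdict in apply_filter(CANDIDATE_ROUTES, NEW_SET).items():
        print(f"{route:>18}  {verdict}")
```

With OLD_SET, 11.1.0.0/16, 11.1.20.0/24 and the /32 host routes are all accepted, which is the pollution described above; with NEW_SET only 11.2.0.0/16 and the two internal networks survive. Note that the exact entry 192.168.56.0/24 does not reject 192.168.56.0/25: use the `+` suffix if you also want to drop more specific prefixes.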
After you modify the configuration file in Configuration => Network => Routing, IPv4 dynamic routing tab, save the
changes and in command line, view the injected routes as seen earlier:
Only the internal networks of the remote site are now imported into the routing table on A, as type 2 external routes.
These routes were in fact exported into OSPF by the kernel pseudo-protocol on firewall B, so OSPF does not learn them
natively. A type 2 external route is, by definition, redistributed into OSPF by an ASBR, i.e. an OSPF router that also
exchanges routes with sources outside the OSPF domain, which is effectively the role firewall B plays here.
The output of the command netstat -rn shows the path taken to reach the remote networks:
Since no timers were configured for Hello messages, the OSPF defaults apply (a Hello every 10 seconds, a Dead interval of
40 seconds); display them so that you can predict the average time before a failure is detected:
During a failure on VTI1, if the firewall does not receive any Hello message for 40 seconds, it switches to the second
link.
On the firewall on site A, you must wait for about 40 seconds before the changes to the routing table are applied (switch
to VTI2):
After normal operations resume (the interface on TRAINER enabled again), the route to the remote networks does not switch
back to interface enc1 unless link 2 is in turn disabled on TRAINER.
Load balancing: NO*
Fault tolerance: YES
Advantages of Bird dynamic routing: standard OSPF protocol that implements fault detection mechanisms
Disadvantages of Bird dynamic routing: switchover time depends on the OSPF Dead Timer, set to 40 seconds by default
Note:
* There is a parameter in the Bird configuration called ECMP (Equal Cost Multiple Paths) that you can test to set up load
balancing, but you will arrive at the same conclusions as in scenario 2: layer 3 routing balances traffic per packet,
which is not compatible with a firewall that must analyze sessions (all packets relating to a connection must go through
the same interfaces).
2. To enable syslog on the firewall, go to Configuration => Notifications => Logs - Syslog - IPFIX. Open the
SYSLOG tab and enable a profile by specifying the IP address, protocol and port of the syslog server.
Lab - Exercises
training@stormshield.eu