Further reading

Session and user privileges



| | | Privileges assigned |
|---|---|---|
| Logs (R) | Log consultation | base, log_read |
| Filter (R) | Filter policy consultation | base, filter_read |
| | VPN configuration consultation | base, vpn_read |
| Logs (W) | Privilege to modify log configuration | modify, base, log |
| Filter (W) | Privilege to modify filter policy configuration | modify, base, filter |
| | Privilege to modify VPN configuration | modify, base, vpn |
| | Privilege to modify the configuration from Stormshield Network Real-Time Monitor | modify, base, mon_write |
| Content filtering | Privilege for URL filtering, Mail, SSL and antivirus management | modify, base, contentfilter |
| | Privilege to modify PKI | modify, base, pki |
| | Privilege to modify Object database | modify, base, object |
| | Privilege to modify Users | modify, base, user |
| | Privilege to modify network configuration (interfaces, bridges, dialups, VLANs and dynamic DNS configuration) | modify, base, network |
| | Privilege to modify routing (default route, static routes and trusted networks) | modify, base, route |
| | Privilege to perform maintenance operations (backups, restorations, updates, Firewall shutdown and reboot, antivirus update, modification of antivirus update frequency, High Availability modification and RAID-related actions in Real-Time Monitor) | modify, base, maintenance |
| Intrusion prevention | Privilege to modify Intrusion prevention (IPS) configuration | modify, base, asq |
| Vulnerability manager | Privilege to modify vulnerability management configuration (Stormshield Network Vulnerability Manager) | modify, base, pvm |
| Objects (global) | Privilege to access global objects | modify, base, globalobject |
| Filter (global) | Privilege to access the global filter policy | modify, base, globalfilter |

The base privilege is assigned to all users systematically. This privilege allows reading the whole configuration except filtering, VPN, logs and content filtering. The modify privilege is assigned to users who have write privileges. The user who has logged on as admin will obtain the admin privilege. This is the only privilege that allows giving other users administration privileges or removing them.

SA states




The SA is in the process of being negotiated or has not been completely negotiated.


The SA has been established and is available; the VPN tunnel has been correctly set up.


The SA will soon expire; a new SA is in the process of being negotiated.


The SA has expired and cannot be used; the tunnel has not been set up and is therefore no longer active.


A problem has occurred; in general, this status means that the tunnel has been set up in only one direction.