HTTP

If this protocol has been enabled, it will automatically be used for discovering corresponding packets in filter rules.

This mechanism allows excluding websites, documents or images that are explicitly inappropriate or undesirable from the results of web searches conducted on the main search engines (Google, Bing, Yahoo)

In this field, the type of restriction to be placed on results of video searches on the YouTube platform can be selected:

• "strict" means that inappropriate videos can be filtered,
• "moderate" will return the most relevant results and may therefore allow the display of inappropriate videos.

This option allows restricting access to Google services and accounts by entering only authorized domains in this list.

Enter the domain with which you have signed up to Google Apps, as well as any secondary domains you might have added to it. Users accessing Google services from an unauthorized account will be redirected to a Google block page.

The way this option works is the firewall intercepts SSL traffic toward Google and adds the HTTP header “X-GoogApps-Allowed-Domains” to it, the value of which is the list of authorized domain names, separated by commas. For more information, please refer to the following link:

FR https://support.google.com/a/answer/1668854?hl=fr

EN https://support.google.com/a/answer/1668854?hl=en

NOTE 

SSL inspection has to be enabled in the filter policy for this feature to work.

Any page containing HTML content that is likely to be malicious will be blocked.

Maximum number of bytes for an attribute of a HTML tag (Min : 128; Max: 65536).

In order to prevent malicious content from damaging dynamic and interactive web pages that use JavaScript programming, a scan will be conducted in order to detect them.

In the same way as for the option Inspect HTML code, if this option is selected, a page containing JavaScript content that is likely to be malicious will be blocked.

Instead of prohibiting the TCP connection, the scan will erase the malicious content (e.g. attribute, HTML marker) and allow the rest of the HTML page to pass through.

Example of malicious behavior: Redirection without your knowledge, to a website other than the site you had intended to visit.

NOTE

Selecting this checkbox will disable the Enable on-the-fly data decompression option.

When HTTP servers present compressed pages, enabling this option will allow decompressing data and inspecting it as and when it passes through the firewall. Since no data will be rewritten, this operation will not cause any additional delay.

NOTE

Selecting this checkbox will disable the Automatically delete malicious content option

If this option is selected, you will be enabling user authentication via the HTTP "Authorization" header. The HTTP plugin will therefore be capable of extracting the user and comparing it against the list of users authenticated on the firewall.

When no authenticated users match, the packet will be blocked.

Maximum size of a URL, domain name and path inclusive [128 – 4096 bytes]

Maximum size of a parameter in a URL [128 – 4096 (bytes)]

Maximum number of bytes for the full query:

http://URLBuffer ?QueryBuffer [128 – 4096] (bytes)]

Maximum number of parameters in a URL (Min: 0 ; Max: 512).

Maximum number of lines (or headers) that a request can contain, from the client to the server (Min:16; Max: 512).

Maximum number of ranges that a response can contain, from the server to the client (Min: 0; Max: 1024).

Maximum number of lines (or headers) that a response can contain, from the server to the client (Min: 16; Max: 512).

Maximum number of bytes for the AUTHORIZATION field, including formatting attributes. (Min: 128; Max: 4096).

Maximum number of bytes for the CONTENTTYPE field, including formatting attributes. (Min: 128; Max: 4096).

Maximum number of bytes for the HOST field, including formatting attributes. (Min: 128; Max: 4096).

Maximum number of bytes for the COOKIE field, including formatting attributes. (Min: 128; Max: 8192).

Maximum number of bytes for others field, including formatting attributes. (Min: 128; Max: 4096).

Set to 30 seconds by default (Max: 600 seconds).

This option allows transporting sound over HTTP.

Examples: Webradio, webtv.

This option allows adding writing and locking features to HTTP, and also allows securing HTTPS connections more easily.

When this option is selected, the scan of the HTTP protocol will be disabled and traffic will be authorized if the filter policy allows it

Enables or disables the logging of POP3 requests.

When a request is made by a web client (browser) to the server, the firewall will intercept it and check that the request complies with URL filter rules and then relays the request.

If this option is selected, the new request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address will be used.

The choice is either Pass or Block.If a URL has not been listed in a URL category, this action will determine whether access to the site will be authorized.

An option allows authorizing or denying the use of IP addresses in the URL, meaning access to a website by its IP address instead of its domain name. Such a method may be an attempt to bypass URL filtering.

If the option has not been selected and the URL queried (containing an IP address) cannot be classified by the URL filtering system, its access will be blocked. However, this option has been designed to be applied after the evaluation of the filter.

As a result, internal servers that are contacted by their IP addresses will not be blocked if their access has been explicitly authorized in the filter policy (different from the pass all policy). Such access can be authorized via the firewall’s basic Network objects (RFC5735) or the “Private IP” group in the EWC URL database.

WebDAV is a set of extensions to the HTTP protocol concerning the edition and collaborative management of documents. If this option has been selected, the WebDav protocol will be authorized in the Stormshield Network Firewall.

The CONNECT method allows building secure tunnels through proxy servers.

If this option has been selected, the CONNECT method will be authorized in the Stormshield Network Firewall.

The Add button allows you to add services objects database.

To modify a service, select the line to be modified and make changes.

Use the Delete button to delete the selected service.

By selecting this option, the filter policy cannot be bypassed.

If the external HTTP proxy requires user authentication, the administrator can select this option to send data regarding the user (collected by the firewall’s authentication module) to the external proxy.

The browser will prompt the user to authenticate through a message window and the connection information will be relayed to the firewall via the HTTP header.

NOTE

The "Proxy-Authorization" (HTTP 407) authentication method via the browser does not allow the SSL (certificates) and SPNEGO methods as they do not involve the authentication portal, even though it needs to be enabled.

For further information, refer to the help for the Authentication module, in the section “Transparent or explicit HTTP proxy and Multi-user networks”

Each client request to a website is sent to the ICAP server.

Indicates the ICAP server.

Indicates the ICAP port.

Indicates the name of the service to set up. This information varies according to the solution used, the ICAP server as well as the port used.

This option allows using information relating to the LDAP base (especially the logins of authenticated users).

This option allows using IP addresses of HTTP clients who send requests to Adapter (object used for translating between the ICAP format and the requested format).

Adds hosts, networks or address ranges whose details will not be sent to the ICAP server. These items can be deleted from the list at any time.

When a download is incomplete, for example, due to a connection failure during a file download via HTTP, the user can continue to download from where the error occurred, instead of having to download the whole file again. This is called a partial download – the download does not correspond to a whole file.

The option Partial download allows defining the behavior of the firewall’s HTTP proxy towards this type of download.

• Block: partial downloads are prohibited
• Block if antivirus has been enabled: partial downloads are allowed except if the traffic corresponds to traffic that is inspected by a rule with an antivirus scan.
• Pass: partial downloads are authorized but there will not be any antivirus scan.

When files downloaded off the internet via HTTP get too huge, they can deteriorate the internet bandwidth for quite a long stretch of time.

To avoid this situation, indicate the maximum size (in KB) that can be downloaded by HTTP.

A URL category or category group can be excluded from the antivirus scan. By default, there is a URL group named antivirus_bypass in the object database containing Microsoft update sites.

Indicates whether a file is active or inactive. 2 positions are available: “Enabled” or “Disabled”.

Indicates the action to be taken for the file in question, out of 3 possibilities:

• Detect and block viruses: The file will be scanned in order to detect viruses that may have infected the files. These viruses will be blocked.
• Pass without analyzing files: The file can be downloaded freely without any antivirus scans being performed.
• Block: The download is prohibited.

Indicates the file content type. This could be text, an image or a video, to be defined in this field.

Examples:

“text/plain*”

“text/*”

“application/*”

This field corresponds to the maximum size of files that will be scanned.

The default size depends on the firewall model:

• S model (U30S, U70S, SN150, SN160(W), SN200, SN210(W), SN300 and SN310): 4000 Ko.
• M model (U150S, U250S, V50, V100, SN500, SN510, SN700, SN710 and SNi40): 8000 Ko.
• L model (U500S, U800S, SN900 and SN910): 16000 Ko.
• XL model (VS5, VS10, VS-VU, SN2000, SN2100, SN3000, SN3100, SN6000 and SN6100): 32000 Ko.

This field contains 2 options. By selecting “Block”, the analyzed file will not be sent. By selecting “Pass”, the antivirus will send the file in its original form.

This option defines the behavior of the antivirus module if the analysis of the file it is scanning fails.

Example:

The file could not be scanned as it has been locked.

If Block has been specified, the file being scanned will not be sent.

If Pass without scanning has been specified, the file being scanned will be sent.

This option defines the behavior of the antivirus module when certain events occur. It is possible to Block traffic when information retrieval fails, or Pass without scanning.

If the hard disk has reached its capacity, information will not be downloaded.

This column displays the status (Enabled/Disabled) of sandboxing for the corresponding file type. Double-click on it to change its status.

The sandboxing option allows scanning four types of files:

• Archive: these include the main types of archives (zip, arj, lha, rar, cab, etc)
• Office document (Office software): all types of documents that can be opened with the MS Office suite.
• Executable: files that can be run in Windows (files with the extension ".exe",".bat",".cmd",".scr", etc).
• PDF: files in Portable Document Format (Adobe).
• Flash (files with the extension ".swf").
• Java (compiled java files. Example: files with a ".jar" extension).