“Filtering” tab

Stormshield Network’s intrusion prevention technology includes a dynamic packet filtering engine (“stateful inspection”) with rule treatment optimization that allows the application of filter policies safely and effectively.

The implementation of filter functions is based on the comparison of the attributes of each IP packet received against the criteria of each rule in the active filter policy. Filtering applies to all packets without any exceptions.

As for the user or user group authorized by the rule, from the moment a user identifies himself and authenticates successfully from a given host, the firewall will take note of it and will attribute this user’s login name to all IP packets using this host’s address as its source IP address.

As a result, rules which specify user authentication, even without specifying the restrictions placed on authorized users, can only apply to IP packets transmitted from a host on which a user has already authenticated beforehand. A check action (see Action column) can be specified in each filter rule.

Filtering consists of two parts. The strip at the top of the screen allows choosing the filter policy, activating it, editing it and seeing its last modification. The filter table is dedicated to the creation and configuration of rules.

Checking the policy in real time

The firewall’s filter policy is one of the most important elements for the security of the resources that the firewall protects. Although this policy is constantly changing to adapt to new services, new threats and new user demands, it has to remain perfectly coherent so that loopholes do not appear in the protection provided by the firewall.

The art of creating an effective filter policy is in avoiding the creation of rules that inhibit other rules. When a filter policy is voluminous, the administrator’s task becomes even more crucial as the risk increases. Furthermore, during the advanced configuration of very specific translation rules, the multiplicity of options may give rise to the creation of a wrong rule that does not meet the administrator’s needs.

To prevent this from happening, the filter rule edit window has a Check policy field (located under the filter table), which warns the administrator whenever a rule inhibits another or an error has been created on one of the rules.

Example: [Rule 2] This rule will never be applied as it is covered by Rule 1.

Actions on filter policy rules

Search

This field allows performing searches by occurrence, letter or word.

Example: If you enter “Network_internal” in the field, all filter rules containing “Network_internal” will be displayed in the table.

New rule

Inserts a predefined line or a blank line after the selected line.

Five choices are available; authentication, SSL inspection and explicit HTTP proxy rules are defined via a wizard in a separate window:

  • Single rule: This option creates a blank rule, leaving the administrator free to fill in the various fields in the filter table.
  • Separator – rule grouping: This option inserts a separator above the selected line. A separator groups rules that apply to traffic going to different servers and improves the filter policy’s readability and visibility by carrying a comment.

    Separators indicate the number of grouped rules and the numbers of the first and last rules in the form: “Rule name (contains the total number of rules, from first to last)”.

    You can collapse or expand the node of the separator in order to show or hide the rule grouping. You can also copy/paste a separator from one location to another.

  • Authentication rule: The aim of this rule is to redirect unauthenticated users to the captive portal. Selecting it opens an authentication wizard. You will need to select the Source (“Network_internal” by default) and the Destination (“Internet” by default) of your traffic from the drop-down list of objects, and then click on Finish. As the port cannot be selected, the HTTP port is chosen automatically.

    You can specify as the Destination URL categories or groups that are exempt from the rule, and therefore accessible without authentication (the web object authentication_bypass contains Microsoft update sites by default). Access to these sites without authentication still benefits from the firewall’s security inspections.

  • SSL inspection rule: The aim of this wizard is to create rules that inspect encrypted SSL traffic. You are strongly advised to go through this wizard to generate the two rules needed for the SSL proxy to run correctly. You will need to define the Profile of encrypted traffic by indicating the Source hosts (“Network_internal” by default), Incoming interface (“any” by default), the Destination (“Internet” by default) and the Destination port (“ssl_srv” by default) from the drop-down list of objects.

    In order to Inspect encrypted traffic through the second zone in the wizard window, define the Inspection profile by selecting one of those you defined earlier, or leave it in “Auto” mode. This automatic mode applies the inspection profile associated with the source of the traffic (see Application protection > Inspection profile).

    You can also enable the Antivirus or Antispam and select the URL, SMTP, FTP or SSL filter policies (the SSL filter policy checks the CN field of the certificate presented).

  • Explicit HTTP proxy rule: This option enables the explicit HTTP proxy and defines who can access it. You will need to choose a Host object and an Incoming interface in the Source field. Next, define the Inspection of transmitted traffic by indicating whether you wish to enable the Antivirus and select the URL filter policies.

    NOTE

    To allow a policy on a firewall hosted in the cloud to be similar to a policy on a physical appliance, the listening port of an explicit HTTP proxy can be configured on a port other than the default port (8080/TCP).

    Click on Finish.

Delete

Deletes the selected line.

Move up

Places the selected line before the line just above it.

Move down

Places the selected line after the line just below it.

Expand all

Expands all rules in the tree.

Collapse all

Collapses all folders in the directory.

Cut

Cuts a filter rule in order to paste it.

Copy

Copies a filter rule in order to duplicate it.

Paste

Duplicates a filtering rule after having copied it.

Search in logs

Whenever a filter rule is selected, click on this button to automatically search for the name of the rule in the "All logs" view (Logs > Audit logs > Views module). If the selected rule has not been named, a warning message will indicate that the search cannot be performed.

Search in monitoring

Whenever a filter rule is selected, click on this button to automatically search for the name of the rule in the connection monitoring module.

Reset rules statistics

Clicking on this button reinitializes the digital and graphical counters showing how filter rules are used, located in the first column of the table.

Reset columns

When you click on the arrow on the right in the field containing a column’s name (example: Status), you can display additional columns or remove columns so that they are not visible on the screen, by ticking or unticking them.

Example: Tick the options “Name” and “Src port”, which are not displayed by default.

By clicking on Reset columns, your columns will be reset to their original settings, before you selected any additional columns. As such, “Name” and “Src port” will be hidden again.

NOTE 

If you click quickly 10 times on the “Up” button, you will see that the rule moves up, but the waiting window will only appear when you leave the button for 2 or 3 seconds. In the end, only a single command will be executed. This makes moving rules much more fluid.

Interactive features

Some operations listed in the taskbar can be performed by right-clicking on the table of filter rules:

  • New rule (Single rule, Separator - Rule grouping, Authentication rule, SSL inspection rule, Explicit HTTP proxy rule),
  • Delete,
  • Cut,
  • Copy,
  • Paste,
  • Search in logs,
  • Search in monitoring.

Explanations regarding symbols appearing in the configuration of filter rules

Mathematical comparison

Each time you come across a drop-down list of objects in the columns (except “Status” and “Action”), a mathematical operator icon appears. It can only be used if an object other than “Any” has been selected.

You can therefore customize the parameters of your traffic using this icon in 4 different ways:

  • “=”: the value of the attribute corresponds to what is selected.
  • “!=”: the value of the attribute is different from what has been selected.
  • “<” (can only be used for source ports, destination ports and host reputation scores): the value of the attribute is lower than what has been selected.
  • “>” (can only be used for source ports, destination ports and host reputation scores): the value of the attribute is higher than what has been selected.

Adding/modifying objects

Certain drop-down lists offer a button which opens a pop-up menu:

  • Create an object: new objects can be created directly from the Filter/NAT module.
  • Edit object: when an object is in a field, it can be edited directly (name, IP address for a host, adding the object to a group, etc.), except for read-only objects ("Any", "Internet", etc.).

Filter table

This table allows you to define the filter rules to apply. The firewall executes rules in their order of appearance on the screen (numbered 1, 2, etc.) and stops at the first rule that matches the IP packet. Place them in the right order so that you obtain a coherent result.

It is therefore important to define rules from the most restrictive to the most general.
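The first-match evaluation described above, the shadowing warning raised by the Check policy field (“[Rule 2] This rule will never be applied as it is covered by Rule 1.”) and the “=”, “!=”, “<” and “>” comparison operators can be modelled in a few lines. The Python script below is an added example written for this page; it is not Stormshield code, and its rule format (atomic host object names, one destination-port criterion per rule) is a deliberate simplification. The object names Network_internal and Internet come from the page; admin_pc is a constructed name.

```python
from dataclasses import dataclass

# Constructed example, not Stormshield code: first-match evaluation of a
# simplified filter policy plus a "covered by an earlier rule" check.
ANY = "Any"                                 # wildcard, like the "Any" object in the UI
ALL_PORTS = frozenset(range(1, 65536))      # port universe for "!=", "<" and ">"
HOSTS = frozenset({"Network_internal", "Internet", "admin_pc"})  # constructed object names


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                             # "pass" or "block"
    src: object = ANY                       # frozenset of host object names, or ANY
    dst: object = ANY
    dport: object = None                    # (operator, port) with "=", "!=", "<", ">", or None
    status: bool = True                     # the On/Off column


def port_set(cond):
    """Expand a (operator, port) criterion into the set of ports it matches."""
    if cond is None:
        return ALL_PORTS
    op, port = cond
    if op == "=":
        return frozenset({port})
    if op == "!=":
        return ALL_PORTS - {port}
    if op == "<":
        return frozenset(range(1, port))
    if op == ">":
        return frozenset(range(port + 1, 65536))
    raise ValueError(f"unknown operator {op!r}")


def host_set(value):
    """Expand a host criterion into the set of known host objects it matches."""
    return HOSTS if value == ANY else frozenset(value)


def matches(rule, packet):
    """True when the packet satisfies every criterion of an enabled rule."""
    return (rule.status
            and (rule.src == ANY or packet["src"] in rule.src)
            and (rule.dst == ANY or packet["dst"] in rule.dst)
            and packet["dport"] in port_set(rule.dport))


def evaluate(policy, packet, default="block"):
    """First match wins: return (rule number, action); rule numbers start at 1."""
    for number, rule in enumerate(policy, start=1):
        if matches(rule, packet):
            return number, rule.action
    return None, default                    # nothing matched: implicit deny


def shadowed_rules(policy):
    """List rules that can never match because an earlier enabled rule covers them.

    Rule j is covered by rule i when each of its criterion sets is a subset of
    rule i's. This is a sufficient condition, so every finding is a real one.
    """
    findings = []
    for j, later in enumerate(policy):
        if not later.status:
            continue
        for i in range(j):
            earlier = policy[i]
            if (earlier.status
                    and host_set(later.src) <= host_set(earlier.src)
                    and host_set(later.dst) <= host_set(earlier.dst)
                    and port_set(later.dport) <= port_set(earlier.dport)):
                findings.append(f"[Rule {j + 1}] This rule will never be applied "
                                f"as it is covered by Rule {i + 1}.")
                break
    return findings


# Constructed policy: rule 3 repeats rule 1's criteria and is therefore dead.
POLICY = [
    Rule("web_out", "pass", frozenset({"Network_internal"}), frozenset({"Internet"}), ("=", 80)),
    Rule("admin_low_ports", "pass", frozenset({"admin_pc"}), frozenset({"Internet"}), ("<", 1024)),
    Rule("web_out_again", "block", frozenset({"Network_internal"}), frozenset({"Internet"}), ("=", 80)),
    Rule("disabled_rule", "pass", ANY, ANY, ("=", 22), status=False),
]

if __name__ == "__main__":
    print(evaluate(POLICY, {"src": "admin_pc", "dst": "Internet", "dport": 22}))
    for warning in shadowed_rules(POLICY):
        print(warning)
```

The subset test is deliberately conservative: a rule is only reported when every one of its criteria is contained in an earlier rule's, which is exactly the situation in which the firewall's first-match order makes the later rule unreachable, whatever its action.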

Reorganizing rules

In every security policy, every rule can be dragged and dropped so that the policy (filter or NAT) can be reorganized easily. A drag handle symbol and the "Drag and drop to reorganize" tooltip appear when you hover over the beginning of the rule.

Statistics on the use of rules 

In the active security policy, each activated filter and NAT rule also displays a counter that shows the number of times the rule has been used. When hovering over the icon with the mouse, a tooltip indicates the exact number of times the rule has been executed. The 4 levels of use correspond to the following values, according to the percentage on the counter of the rule most frequently used:

  • Level 0: 0%
  • Level 1: from 0 to 2%
  • Level 2: from 2 to 20% (from 2 to 100% if the counter is lower than 10 000)
  • Level 3: from 20 to 100%, with a minimum of 10 000 times (otherwise the previous level will be displayed)

To obtain a new indicator, clicking on “Reset rule statistics” will start a new count. This counter will be reinitialized if:

  • One of the parameters in the rule has been modified (except for comments),
  • Another policy has been enabled,
  • The firewall has been rebooted.

If no icons are displayed, this means that the information is unavailable.

Status

This column shows the status of the rule: On/Off. Double-click on it to change its status: doing so once enables the filter rule; repeat the operation to disable it.

General menu in the filter rule editing window

General

Status

Select On or Off to respectively enable or disable the rule being edited.

Comments

You can enter comments in this area; they will be displayed at the end of the rule when the filter policy is displayed.

Advanced properties

Rule name

You can assign a name to the filter rule; this name will be used in logs and facilitates identification of the filter rule during searches in logs or views (Logs - Audit logs menu).

Action

This zone refers to the action applied to the packet that meets the selection criteria of the filter rule. To define the various parameters of the action, double-click in the column. A window containing the following elements will appear:

“General” tab

General

Action

5 different actions can be performed:

Pass: The Stormshield Network firewall allows the packet corresponding to this filter rule to pass. The packet stops moving down the list of rules.

Block: The Stormshield Network firewall silently blocks the packet corresponding to this filter rule: the packet is deleted without the sender being informed. The packet stops moving down the list of rules.

Decrypt: This action allows decrypting the encrypted traffic. Decrypted traffic will continue to move down the list of rules. It will be encrypted again after the analysis (if it is not blocked by any rule).

Reinit. TCP/UDP: This option mainly concerns TCP and UDP traffic:

For TCP traffic, a “TCP reset” packet will be sent to its sender.

For UDP traffic, a “port unreachable” ICMP packet will be sent to its sender.

As for other IP protocols, the Stormshield Network firewall will simply block the packet corresponding to this filter rule.

If you are editing the global filter policy, a sixth option will appear: "Delegate".

This option makes it possible to stop comparing the traffic against the rest of the global policy, and to compare it directly with the local policy instead.

If your policy contained rules with the action Log only, you will see log only (deprecated) whenever you edit these rules.

Log level

The value is set to none by default, so no logs are recorded. Several log levels are possible:

Standard (connection log): No logs will be kept in filter logs if the packet corresponds to this rule. However, ended connections can be logged (connection logs) depending on the configuration of the protocol associated with the rule, which is the case in a factory configuration.

NOTE

This option is not available if you have selected the “Log” action in the previous field.

Verbose (filter log): If you select this option, a log from each connection matching the rule will be added to the filter logs.

This option is not recommended on "Deny All" filter rules (except for debugging) as it will then generate a large amount of logs.

Minor alarm: As soon as this filter rule is applied to a connection, a minor alarm will be generated. This alarm is recorded in the logs, and can be sent via Syslog (Logs – Syslog – IPFIX) or by e-mail (see module E-mail alerts).

Major alarm: As soon as this filter rule is applied to a connection, a major alarm will be generated. This alarm is recorded in the logs, and can be sent via Syslog (Logs – Syslog – IPFIX) or by e-mail (see module E-mail alerts).

To fully disable logs, you need to disable the Disk, Syslog server and IPFIX collector checkboxes in the Log destination for this rule field (Advanced properties tab in the rule editing window).

Scheduling

Select or create a time object.

You will then be able to define the period, day of the year, day of the week, time and recurrence of rule validity.

Objects can be created or modified directly from this field by clicking on the icon.

Routing

Gateway – router

This option directs the traffic that matches the rule to a particular router (policy-based routing). The selected gateway may be a host or router object.

Objects can be created or modified directly from this field by clicking on the icon.

IMPORTANT

If routers are specified in filter rules (Policy Based Routing), the availability of these routers will be tested systematically by sending ICMP echo request messages. When a router that has been detected as uncontactable is a host object, the default gateway entered in the Routing module will be selected automatically. If it is a router object, the action taken will depend on the value selected for the field “If no gateways are available” during the definition of this object (see the section Network objects).

For more technical information, refer to the technical support’s Knowledge Base (article "How does the PBR hostcheck work?").

Click on Ok to confirm your configuration.

“Quality of service” tab

The QoS module, built into Stormshield Network’s intrusion prevention engine, is associated with the Filtering module in order to provide Quality of Service features.

When a packet arrives on an interface, it is first treated by a filter rule, then the intrusion prevention engine assigns the packet to the right queue according to the configuration of the filter rule’s QoS field.

QoS

Queue

This field offers you the choice of several queues that you have defined earlier in the Quality of service module, in the Security policy menu.

Fairness

No fairness: If you select this option, no particular amount of bandwidth will be assigned and each user/host/connection will use it according to its needs.

User fairness: bandwidth will be distributed evenly between users.

Host fairness: bandwidth will be distributed evenly between hosts.

Connection fairness: bandwidth will be distributed evenly between connections.

Connection threshold

The Stormshield Network firewall can limit the maximum number of connections accepted per second for a filter rule. The desired number can be defined for the protocols corresponding to the rule (TCP, UDP, ICMP and some application requests). This option also helps to prevent denial-of-service attempts: you may limit the number of requests per second addressed to your servers.

Once this threshold has been exceeded, received packets will be blocked and ignored.

WARNING

The restriction only applies to the corresponding rule.

Example: If you create an FTP rule, only a TCP restriction will be taken into account.

REMARK

If the option is assigned to a rule containing an object group, the restriction applies to the whole group (total number of connections).

If threshold is reached

Do not do anything: no restrictions will be placed on the number of connections or requests per second (c/s).

Protect against SYN Flood: this option protects servers from TCP SYN packet flooding (“SYN flooding”) attacks. The SYN proxy responds in place of the server and validates the TCP request before transmitting it to the server.

You can limit the number of TCP connections per second for this filter rule in the field below.

Raise associated alarm: Depending on the maximum number of connections per second that you assign to the protocols below, the traffic will be blocked once the defined number has been exceeded. The identifiers of these alarms are: 28 ICMP / 29 UDP / 30 TCP SYN / 253 TCP/UDP.

TCP (c/s)

Maximum number of connections per second allowed for the TCP protocol.

UDP (c/s)

Maximum number of connections per second allowed for the UDP protocol.

ICMP (c/s)

Maximum number of connections per second allowed for the ICMP protocol.

Application requests (r/s)

Maximum number of Application requests per second allowed for the HTTP and DNS protocol.

Click on Ok to confirm your configuration.
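The behaviour of the connection threshold described above (one limit per protocol for the rule, packets blocked once the number of connections per second exceeds it, and a single shared count when the rule carries an object group) can be simulated with a sliding one-second window. The Python below is an added example written for this page, not Stormshield code; the timestamps and host names are constructed, and the protocol-to-alarm mapping is copied from the identifiers quoted above for the report only.

```python
from collections import deque

# Constructed example, not Stormshield code: a per-rule connection threshold
# with one sliding one-second window per protocol, as the "Connection
# threshold" fields describe (TCP, UDP, ICMP and application requests).
ALARM_IDS = {"ICMP": 28, "UDP": 29, "TCP": 30}   # identifiers quoted on the page


class ConnectionThreshold:
    """Limits accepted connections per second for one filter rule."""

    def __init__(self, limits):
        # limits: e.g. {"TCP": 100, "UDP": 50, "ICMP": 10, "APP": 20}; a protocol
        # that is absent has no limit, i.e. "Do not do anything" for it.
        self.limits = dict(limits)
        self.windows = {proto: deque() for proto in self.limits}

    def admit(self, proto, now):
        """Return True if a new connection of `proto` at time `now` (seconds) is accepted."""
        limit = self.limits.get(proto)
        if limit is None:
            return True
        window = self.windows[proto]
        # Forget accepted connections that are at least one second old.
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) >= limit:
            return False                 # threshold reached: packet blocked and ignored
        window.append(now)
        return True


def simulate(limits, events):
    """Replay (time, protocol, source) events through one rule's threshold.

    The source is ignored on purpose: when the rule carries an object group,
    the restriction applies to the total for the whole group.
    """
    threshold = ConnectionThreshold(limits)
    report = {}
    for now, proto, _source in sorted(events):
        entry = report.setdefault(proto, {
            "accepted": 0,
            "blocked": 0,
            "alarm": ALARM_IDS.get(proto) if proto in limits else None,
        })
        if threshold.admit(proto, now):
            entry["accepted"] += 1
        else:
            entry["blocked"] += 1
    return report


# Constructed traffic: two hosts of the same group open TCP connections in a
# burst, then one more after the window has slid; UDP carries no limit here.
EVENTS = [
    (0.00, "TCP", "host_a"), (0.10, "TCP", "host_b"), (0.20, "TCP", "host_a"),
    (0.30, "TCP", "host_b"), (0.40, "TCP", "host_a"),
    (1.05, "TCP", "host_b"),
    (0.50, "UDP", "host_a"), (0.51, "UDP", "host_a"),
]
LIMITS = {"TCP": 3}

if __name__ == "__main__":
    print(simulate(LIMITS, EVENTS))
```

With a TCP limit of 3, the first three connections of the burst are accepted, the next two are blocked regardless of which host in the group sent them, and the connection at 1.05 s is accepted again because the oldest entry has left the one-second window; UDP, for which no limit is set, is never restricted.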

 

DSCP

DSCP (Differentiated Services Code Point) is a field in the IP packet header. Its purpose is to differentiate the services carried in a network architecture: it specifies a mechanism for classifying and controlling traffic while providing quality of service (QoS).

Impose value

By selecting this option, you will enable the field below and allow access to the DSCP service.

This option rewrites the packet with the given value, so that the next router will know the priority to apply to this packet.

New DSCP value

This field allows defining traffic differentiation. Through this field, it is possible to determine which service a type of traffic belongs to, thanks to a pre-established code. This DSCP service, used in the context of Quality of Service, allows the administrator to apply QoS rules according to the service differentiation that he has defined.

Click on Ok to confirm your configuration.
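What “Impose value” does at the packet level, as an added example written for this page (not Stormshield code): the DSCP value occupies the upper six bits of the second byte of the IPv4 header (the two low bits are ECN and must be preserved), and any rewrite has to recompute the header checksum or the next router will discard the packet. The Python below builds a constructed 20-byte IPv4 header, rewrites its DSCP to the standard Expedited Forwarding code point (46) and verifies the checksum; the addresses and identification field are made up.

```python
import struct

# Constructed example, not Stormshield code: rewriting the DSCP field of an
# IPv4 header the way an "Impose value" action would, with checksum update.


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def header_length(packet: bytes) -> int:
    """Length in bytes of the IPv4 header (IHL field, in 32-bit words)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid or truncated IPv4 header")
    return ihl


def checksum_is_valid(packet: bytes) -> bool:
    """A correct header sums to zero when the checksum field is included."""
    return ipv4_checksum(packet[:header_length(packet)]) == 0


def get_dscp(packet: bytes) -> int:
    """DSCP is the upper six bits of the DS byte (second header byte)."""
    return packet[1] >> 2


def set_dscp(packet: bytes, dscp: int) -> bytes:
    """Return a copy of the packet with a new DSCP value and a fresh checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    ihl = header_length(packet)
    out = bytearray(packet)
    out[1] = (dscp << 2) | (out[1] & 0x03)     # keep the two ECN bits untouched
    out[10:12] = b"\x00\x00"                   # checksum field is zero while summing
    out[10:12] = ipv4_checksum(bytes(out[:ihl])).to_bytes(2, "big")
    return bytes(out)


def sample_header(tos: int = 0x02) -> bytes:
    """Constructed 20-byte IPv4/TCP header (made-up addresses), DS byte = tos."""
    src = bytes([192, 168, 1, 10])
    dst = bytes([10, 0, 0, 5])
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0x1C46, 0x4000, 64, 6, 0, src, dst)
    checksum = ipv4_checksum(fields)
    return fields[:10] + checksum.to_bytes(2, "big") + fields[12:]


EF = 46   # Expedited Forwarding, the usual code point for low-latency traffic

if __name__ == "__main__":
    original = sample_header()
    rewritten = set_dscp(original, EF)
    print(get_dscp(original), "->", get_dscp(rewritten), checksum_is_valid(rewritten))
```

The sample header starts with DSCP 0 and ECN set to ECT(0); after the rewrite the DSCP reads 46, the ECN bits are unchanged and the recomputed checksum verifies, whereas patching the DS byte alone would leave the header with an invalid checksum.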

“Advanced properties” tab

Redirect

Service

None: This option means that none of the following services will be used: the user will not go through the HTTP proxy and will not be redirected to the authentication page.

HTTP proxy: If you select this option, the HTTP proxy will intercept user connections and scan traffic.

This service is selected when rules are created by the explicit HTTP proxy wizard.

Authentication: If you select this option, unauthenticated users will be redirected to the captive portal when they connect.

This service is selected when rules are created by the authentication wizard.

Redirect incoming SIP calls (UDP)

This option allows the Stormshield Network firewall to manage incoming SIP-based communications to internal hosts masked by address translation (NAT).

URLs without authentication

This field becomes accessible if the previous option Service redirects traffic to the authentication portal (authentication rule).

It allows specifying URL categories or groups that are exempt from authentication; the listed sites therefore become accessible without authentication, which is useful for example in accessing update websites. The firewall’s security inspections can still be applied to such access. By default, the web objects database contains a URL group named authentication_bypass that includes Microsoft update websites.

Logs

Log destination for this rule

This option makes it possible to define one or several methods for storing logs generated by the rule:

  • Disk: Local storage.
  • Syslog server: the Syslog profile(s) including Filter policy logs must be defined in the SYSLOG tab of the menu Notifications > Logs - Syslog - IPFIX.
  • IPFIX collector: the IPFIX collector(s) must be defined in the IPFIX tab of the menu Notifications > Logs - Syslog - IPFIX.

Each log will contain details of connections evaluated through the rule.

Advanced properties

Count

If you select this option, the Stormshield Network firewall will count the number of packets that correspond to this filter rule and will generate a report.

It will therefore be possible to obtain volume information on a desired traffic type.

Force source packets in IPSec

When this option is selected, for this filter rule, you will force packets from the network or source hosts to go through an active IPSec tunnel to reach their destination.

Force return packets in IPSec

When this option is selected, for this filter rule, you will force return packets (responses) to go through an active IPSec tunnel in order to contact the host that initiated the traffic.

Click on Ok to confirm your configuration.

Source

This field refers to the source of the treated packet, and is used as a selection criterion for the rule. Double-click in this zone to select the associated value in a dedicated window.

This window contains three tabs:

“General” tab

General

User

The rule will apply to the user that you select in this field.

You can filter the display of users according to the desired method or LDAP directory by clicking on the filter icon. Only enabled directories and methods (Available methods tab in the Authentication module and LDAP directories defined in the Directory configuration module) will be presented in this filter list.

Depending on the authentication method, several generic users will be suggested:

  • "Any user@any": refers to any authenticated user, regardless of the directory or authentication method used.
  • "Any user@guest_users.local.domain": refers to any user authenticated via the "Guest" method.
  • "Any user@voucher_users.local.domain": refers to any user authenticated via the "Temporary accounts" method.
  • "Any user@sponsored_users.local.domain": refers to any user authenticated via the "Sponsorship" method.
  • "Any user@none": refers to any user authenticated via a method that does not rely on an LDAP directory (e.g. Kerberos).
  • "Unknown users": refers to any unknown or unauthenticated user.

NOTE

In order for unauthenticated users to be automatically redirected to the captive portal, at least one rule must be defined, applying to the object “unknown users”. This rule will also apply when an authentication expires.

Source hosts

The rule will apply to the object or the user (created beforehand in the dedicated menu: Objects > Network objects) that you select in this field. The source host is the host from which the connection originated.

You can Add or Delete objects by clicking on the corresponding icon.

Objects can be created or modified directly from this field by clicking on the icon.

Incoming interface

Interface on which the filter rule applies, presented in the form of a drop-down list. By default, the firewall selects it automatically according to the operation and source IP addresses.

It can be modified to apply the rule to another interface. This also allows specifying a particular interface if “Any” has been selected as the source host.

Click on Ok to confirm your configuration.

NOTE

Filter rules with a user@object source type (except any or unknown@object), and with a protocol other than HTTP, do not apply to Multi-user Objects (Authentication> Authentication policy). This behavior is inherent in the packet treatment mechanism used by the intrusion prevention engine.

"Geolocation/Reputation" tab

Geolocation

Select a region

This field allows applying the filter rule to hosts with a public IP address belonging to a country, continent or group of regions (group of countries and/or continents) defined beforehand in the Objects > Network objects module.

Public IP address reputation

Select a reputation category

This field allows applying the filter rule to hosts whose public IP addresses have been classified in one of the predefined reputation categories:

  • anonymizer: proxies, IPv4 to IPv6 converters.
  • botnet: infected hosts running malicious programs.
  • malware: hosts distributing malicious programs
  • phishing: compromised mail servers.
  • scanner: hosts that conduct port scanning or launch brute force attacks.
  • spam: compromised mail servers.
  • tor exit node: endpoint servers of the Tor network.
  • Bad: groups all of the above categories.

NOTE

Since the reputation of a public IP address may border on two categories (botnet and malware), and this field only allows selecting one category, you are advised to use the "Bad" group for optimum protection.

Other host categories are also available to facilitate the setup of filter rules for Microsoft Online solutions:

  • Exchange online: servers that host the corporate mail application.
  • Microsoft Identity and authentication: authentication servers used for accessing Microsoft Office 365.
  • Office 365: servers that host the Microsoft Office 365 storage and office tools solution.
  • Office online: servers that host the free online office tools solution Microsoft Office 365.
  • Sharepoint online: servers that host the online collaborative solution Microsoft Sharepoint.
  • Skype Enterprise Online: servers that host the professional version of the instant messaging solution Skype.
  • Microsoft: groups all categories of machines that host Microsoft services online.

Host reputation

Enable filtering based on reputation score

Select this checkbox in order to enable filtering based on the reputation score of hosts on the internal network.

To enable host reputation management and to define the hosts affected by the calculation of a reputation score, go to the Application protection > Host reputation module.

Reputation score

This field allows selecting the reputation score above which (“>”) or below which (“<”) the filter rule will apply to the monitored hosts.

Click on Ok to confirm your configuration.

“Advanced properties” tab

Advanced properties

Source port

This field allows specifying the port used by the source host, if it has a particular value.

By default, the "Stateful" module memorizes the source port used and only this port will then be allowed for return packets.

Objects can be created or modified directly from this field by clicking on the icon.

Via

Any: This option implies that none of the following services will be used – the connection will not go through the HTTP proxy, will not be redirected to the authentication page and will not go through an IPSec VPN tunnel.

Explicit HTTP proxy: Traffic originates from the HTTP proxy.

SSL proxy: Traffic originates from the SSL proxy.

IPSec VPN tunnel: Traffic comes from an IPsec VPN tunnel.

SSL VPN tunnel: Traffic comes from an SSL VPN tunnel.

Source DSCP

This field allows filtering according to the value of the DSCP field of the packet received.

Authentication

Authentication method

This field allows restricting the application of the filter rule to the selected authentication method.

Click on Ok to confirm your configuration.

Destination

Destination object used as a selection criterion for the rule. Double-click in this zone to select the associated value in a dedicated window. This window contains two tabs:

“General” tab

General

Destination hosts

Select the destination host of the traffic from the object database in the drop-down list. You can Add or Delete objects by clicking on the corresponding icon.

Objects can be created or modified directly from this field by clicking on the icon.

Click on Ok to confirm your configuration.

"Geolocation/Reputation" tab

Geolocation

Select a region

This field allows applying the filter rule to hosts with a public IP address belonging to a country, continent or group of regions (group of countries and/or continents) defined beforehand in the Objects > Network objects module.

Public IP address reputation

Select a reputation category

This field allows applying the filter rule to destination hosts whose IP addresses have been classified in one of the predefined reputation categories:

  • anonymizer: proxies, IPv4 to IPv6 converters.
  • botnet: infected hosts running malicious programs.
  • malware: hosts distributing malicious programs
  • phishing: compromised mail servers.
  • scanner: hosts that conduct port scanning or launch brute force attacks.
  • spam: compromised mail servers.
  • tor exit node: endpoint servers of the Tor network.
  • Bad: groups all of the above categories.

NOTE

Since the reputation of a public IP address may border on two categories (botnet and malware), and this field only allows selecting one category, you are advised to use the "Bad" group for optimum protection.

Host reputation

Enable filtering based on reputation score

Select this checkbox in order to enable filtering based on the reputation score of hosts on the internal network.

To enable host reputation management and to define the hosts affected by the calculation of a reputation score, go to the Application protection > Host reputation module.

Reputation score

This field allows selecting the reputation score above which (“>”) or below which (“<”) the filter rule will apply to the monitored destination hosts.

Click on Ok to confirm your configuration.

“Advanced properties” tab

Advanced properties

Outgoing interface

This option allows choosing the packet’s outgoing interface, to which the filter rule applies.

By default, the firewall selects it automatically according to the operation and destination IP addresses. Filtering by a packet’s outgoing interface is possible.

NAT on the destination

Destination

If you wish to translate the traffic’s destination IP address, select one from the objects in the drop-down list. Otherwise, leave the field empty, i.e. “None” by default.

NOTE

As this traffic has already been translated by this option, the other NAT rules in the current policy will not be applied to this traffic.

Objects can be created or modified directly from this field by clicking on the icon.

ARP publication

This option has been added so that an ARP publication can be specified when a filter rule with a NAT operation is used on the destination. It must be enabled if the destination public IP address (before applying NAT) is a virtual IP address and does not belong to the UTM.

NOTE

Another way to set up this publication would be to add the virtual IP address of the affected interface in the Interfaces module.

Click on Ok to confirm your configuration.

Port - Protocol

The destination port represents the port on which the “source” host opens a connection to the “destination” host. The protocol to which the filter rule applies can also be defined in this window.

Port

Destination Port

Service or service group used as a selection criterion for this rule. Double-click on this zone to select the associated object.

Examples: Port 80: HTTP service / Port 25: SMTP service

You can Add or Delete objects by clicking on the corresponding icon.

Objects can be created or modified directly from this field by clicking on the corresponding icon.

Protocol type

Depending on the protocol type that you choose here, the following field that appears will vary:

Automatic protocol detection (default)

If this option is selected, a field with the same name will appear below with the following data:

Application protocol: Based on default port or content

IP protocol: All

Application protocol

The advantage of this choice is being able to apply an application analysis on a port other than the default port. If this option is selected, a field with the same name will ask you to choose:

Application protocol: Select the desired protocol from the drop-down list.

IP protocol: All

IP protocol

If this option is selected, the field will offer a drop-down list of the various IP protocols.

NOTE

The status of IP connections can be tracked for protocols other than TCP, UDP or ICMP.

Status tracking (stateful)

If you select “IP Protocol”, a “stateful” option will be available.

This option is selected by default for any IP protocol other than TCP, UDP, ICMP and IGMP.

NOTE

For example, connection status tracking (stateful mode) can be enabled for the GRE protocol, which is used in PPTP tunnels. Thanks to this tracking, the source (map), the destination (redirection) or both (bimap) can be translated.

However, it will be impossible to differentiate two connections that share the same source and destination addresses. In concrete terms, this means that when the firewall translates a source N -> 1 (map), only one simultaneous connection to a given PPTP server can be made.
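The following added example (not Stormshield code) models why this limitation exists: a connection tracker keys TCP/UDP flows on addresses and ports, but a port-less protocol such as GRE only on addresses, so after an N -> 1 source map a second GRE tunnel to the same PPTP server cannot be told apart from the first. The public address, server addresses and internal hosts are constructed values.

```python
# Added example, not part of the Stormshield documentation or product code.
# Minimal model of stateful tracking for ported (TCP) and port-less (GRE)
# protocols behind an N -> 1 source translation (map).
from dataclasses import dataclass

TCP, GRE = 6, 47            # IP protocol numbers
PORTLESS = {GRE}            # GRE carries no port numbers in its header


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0          # ignored for port-less protocols
    dport: int = 0


def flow_key(pkt: Packet) -> tuple:
    """Key under which a connection is tracked after translation."""
    if pkt.proto in PORTLESS:
        return (pkt.proto, pkt.src, pkt.dst)
    return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)


class ConnTracker:
    """Tracks connections whose source has been mapped to one public IP."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip      # the single translated source address
        self.table: dict = {}           # translated flow key -> internal host

    def open_connection(self, pkt: Packet) -> bool:
        sport = pkt.sport
        while sport <= 65535:
            key = flow_key(Packet(pkt.proto, self.public_ip, pkt.dst, sport, pkt.dport))
            owner = self.table.get(key)
            if owner is None or owner == pkt.src:
                self.table[key] = pkt.src
                return True
            if pkt.proto in PORTLESS:
                return False            # nothing left to re-map: second host collides
            sport += 1                  # TCP/UDP: pick another translated source port
        return False


def demo() -> dict:
    # Constructed addresses: 10.0.0.x are internal hosts, 198.51.100.x PPTP servers.
    t = ConnTracker("203.0.113.1")
    pptp, other = "198.51.100.10", "198.51.100.20"
    return {
        "tcp_host_a": t.open_connection(Packet(TCP, "10.0.0.11", pptp, 40000, 1723)),
        "tcp_host_b": t.open_connection(Packet(TCP, "10.0.0.12", pptp, 40000, 1723)),
        "gre_host_a": t.open_connection(Packet(GRE, "10.0.0.11", pptp)),
        "gre_host_b": t.open_connection(Packet(GRE, "10.0.0.12", pptp)),
        "gre_host_b_other": t.open_connection(Packet(GRE, "10.0.0.12", other)),
    }
```

Two TCP control channels from different hosts succeed because the firewall can hand the second one a different translated source port; the second GRE tunnel to the same server fails, while a tunnel to a different server still works.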


For the translation of a selected destination, an additional option is available:

Translated port

Translated destination port

Translated port to which packets are going. Network packets received will be redirected from a given port on a host or a network device to another host or network device. If you wish to translate the traffic’s destination port, select one from the objects in the drop-down list.

Otherwise, leave the field empty, i.e. “None” by default. In this case, the Destination port field remains unchanged.

Security inspection

Inspection type

General

Inspection level

IPS (Detect and block)

If this option is selected, Stormshield Network’s IPS (Intrusion Prevention System) will detect and block intrusion attempts, from the Network level to the Application level in the OSI model.

IDS (Detect)

If this option is selected, Stormshield Network’s IDS (Intrusion Detection System) will detect intrusion attempts on your traffic, without blocking them.

Firewall (Do not inspect)

This option only provides access to basic security functions and will merely filter your traffic without inspecting it.

Inspection profile

Depending on the direction of the traffic, IPS_00 to IPS_09

You can customize the configuration of your security inspection by assigning a predefined policy to it, which will appear in the filter table.

Numbered configurations can be renamed in the menu Application protection > Inspection profiles.

NOTE

The value suggested by default (Depending on the direction of the traffic) uses the IPS_00 profile for incoming traffic and the profile IPS_01 for outgoing traffic.

Application inspection

Antivirus

The On / Off buttons allow you to enable or disable the antivirus in your filter rule.

NOTE

Antivirus analyses will only be run on HTTP, FTP, SMTP, POP3 protocols and on their variants in SSL. They can be configured for each of these protocols in the menu Application protection > Protocols.

Sandboxing

The On / Off buttons allow you to enable or disable sandboxing (malicious files) in your filter rule.

NOTE

Enabling this option requires the use of the Kaspersky antivirus.

NOTE

Antivirus analyses will only be run on HTTP, FTP, SMTP, POP3 protocols and on their variants in SSL. They can be configured for each of these protocols in the menu Application protection > Protocols.

Antispam

The On / Off buttons allow you to enable or disable the antispam in your filter rule.

NOTE

This analysis is only run on SMTP, POP3 protocols and on their variants in SSL. They can be configured for each of these protocols in the menu Application protection > Protocols.

HTTP Cache

The On / Off buttons allow you to enable or disable the HTTP cache in your filter rule.

This feature makes it possible to memorize all types of resources when visiting websites, so that they do not need to be downloaded again from the internet during new visits, even for different clients. However, this mode is recommended only for internet links with low bandwidth or for which access is restricted to a limited number of websites. This feature is available only for models equipped with a hard disk.

NOTE

This option only applies to HTTP and HTTPS traffic if SSL inspection has been enabled.

The total amount of data that can be memorized is 100 MB on the disk and 1 MB in RAM. The maximum size of a resource that can be memorized is 32 KB. The tracking of memorized resources and cache management can be viewed in Realtime Monitor (Dashboard).

URL filtering

To enable this filtering method, select a URL filter profile from the suggested profiles.

SMTP Filtering

To enable this filtering method, select an SMTP filter profile from the suggested profiles.

NOTE

Selecting the SMTP filter policy also enables the POP3 proxy in the event the filter rule allows the POP3 protocol.

FTP Filtering

The On / Off buttons allow you to enable or disable FTP filtering in your filter rule, corresponding to the FTP commands defined in the FTP plugin (Protocols module).

SSL filtering

To enable this filtering method, select an SSL filter profile from the suggested profiles.

Comments

You can add a description that will allow distinguishing your filter rule and its characteristics more easily.

Comments on new rules indicate the date on which they were created and the user who created them, if the rules were not created by the "admin" account, in the form "Created on {date} by {login} ({IP address})". This automatic information can be disabled by deselecting the option "Comments about rules with creation date (Filtering and NAT)" found in the Preferences module.