Modifying a bridge

To modify the parameters of a bridge, click on its name in the left side of the window. Three tabs allow the modification of the bridge’s parameters.

“General” tab

Name (mandatory)

Name of the interface. (See warning in the introduction to the section on Interfaces)

Comments

Allows you to enter comments regarding the interface.

Bridge members

Physical ports

List of Ethernet ports in the bridge (Example: Port2)

Interfaces (physical and logical)

List of interfaces contained in the bridge (Example: in)

Address range

Dynamic IP (obtained by DHCP)

The assigned IP address can be matched to a domain name via a DNS service provider (dyndns.org for example) in order to contact this firewall without having to know its IP address. This option is used when your firewall does not have a static IP address (e.g., when your service provider or DHCP server renews its IP address regularly).

This feature can be enabled by selecting a dynamic DNS account that you would have configured earlier. The configuration of dynamic DNS clients is explained further in the document Dynamic DNS module.

This field allows specifying to the firewall that the configuration of the bridge (IP address and mask) is defined by DHCP. In this case, the “DHCP” zone in the Advanced properties tab will be enabled.

Fixed IP (static)

Your firewall has a static (fixed) IP address.

List of the bridge’s IP addresses

This table appears if the option Fixed IP (static) has been selected.

IP address

IP address assigned to the bridge. (All interfaces contained in the bridge will have the same IP address).

Net Mask

Network mask of the sub-network to which the bridge belongs. The various interfaces that are part of the bridge have the same IP address so all networks connected to the firewall are part of the same address range. The network mask provides the firewall with information about the network to which it belongs.

Comments

Allows adding comments regarding the bridge’s address.

Here, several associated IP addresses and network masks may be defined for the same bridge (to create aliases, for example). These aliases may allow you to use this Stormshield Network firewall as a central routing point. As such, a bridge can be connected to various sub-networks with different address ranges. To add or remove them, simply use the Add and Delete buttons located above the fields in the table.

Several IP addresses (aliases) can be added in the same address range on an interface. In this case, these addresses must all have the same mask. Reloading the network configuration will apply this mask on the first address and a mask /32 on the following addresses.
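The alias rule above, modelled in an added Python example (not Stormshield code, and not the firewall's own reload logic): aliases declared in one address range must share a mask, and on reload only the first address of that range keeps it. The helper name and the use of the host prefix (/32 for IPv4) are assumptions.

```python
import ipaddress

# Added example, not Stormshield code. Models the documented behaviour of the
# bridge address table: aliases in the same address range must share a mask,
# and after a network configuration reload only the first address of a range
# keeps that mask; the following ones are applied with a host mask (/32 in IPv4).
def effective_bridge_addresses(entries):
    """entries: bridge IP addresses as 'ip/prefix' strings, in table order.
    Returns [(ip, prefix applied on reload), ...] or raises ValueError when
    an address falls in an already declared range but carries another mask."""
    declared = set()   # networks already declared with their mask
    applied = []
    for entry in entries:
        iface = ipaddress.ip_interface(entry)
        net = iface.network
        for known in declared:
            if known == net:
                # same range, same mask: alias, host mask applied on reload
                applied.append((str(iface.ip), iface.max_prefixlen))
                break
            if iface.ip in known or net.overlaps(known):
                raise ValueError(f"{entry} lies in range {known} but uses another mask")
        else:
            declared.add(net)
            applied.append((str(iface.ip), net.prefixlen))
    return applied

if __name__ == "__main__":
    # Constructed bridge address table: two aliases in one range plus a second range
    for ip, prefix in effective_bridge_addresses(["192.168.1.1/24", "192.168.1.2/24", "10.0.0.1/16"]):
        print(f"{ip}/{prefix}")
```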

“Advanced properties” tab

MTU

Maximum length (in bytes) of frames transmitted on the physical medium (Ethernet) so that they are sent in one go (without fragmentation).

Physical (MAC) address

Warning

This option is not accessible for firewalls in high availability.

This window allows you to specify a MAC address for an interface instead of using the address assigned by the firewall. This facilitates the integration of the Stormshield Network firewall in transparent mode into your network (by specifying your router’s MAC address instead of having to reconfigure all the workstations using this MAC address).

When the MAC address is assigned to the bridge, all interfaces contained in this bridge will then have the same MAC address.

This address consists of 6 bytes in hexadecimal separated by ":".

DHCP

NOTE

This field will be indicated as “disabled” if the option Dynamic IP (obtained by DHCP) was not selected in the General tab, and options will be grayed out.

DNS name (optional)

Name of the DNS server (FQDN) for the connection.

This optional field does not identify the DHCP server but the firewall. If this field has been entered and the external DHCP server has the option of automatically updating the DNS server, the DHCP server will automatically update the DNS server with the name and the IP address provided by the firewall.

Requested lease time (seconds)

Period during which the IP address is kept before renegotiation.

Request domain name servers from the DHCP server and create host objects

If this option is selected, the firewall will retrieve DNS servers from the DHCP server it contacts (access provider, for example) to obtain its IP address.

Two objects will be dynamically created in the object database upon the selection of this option: Firewall_<interface name>_dns1 and Firewall_<interface name>_dns2. They can then be used in the configuration of the DHCP service. So, if the firewall provides the users on its network with a DHCP service, the users will also benefit from the DNS servers given by the access provider.

Loop detection (Spanning Tree)

This section allows activating the use of a network loop detection protocol (Spanning Tree) on the selected bridge. This feature is only available on SN510, SN710, SN910, SN2000, SN2100, SN3000, SN3100, SN6000 and SN6100 models.

Disable Spanning Tree protocols

This option disables the use of Spanning Tree protocols (RSTP and MSTP) in the bridge. It is selected by default.

Enable Rapid Spanning Tree protocol (RSTP)

This option allows activating the Rapid Spanning Tree protocol on the bridge.

Enable Multiple Spanning Tree protocol (MSTP)

This option allows activating the Multiple Spanning Tree protocol on the bridge.

When MSTP is enabled, additional fields need to be filled in:

Region name (MSTP region)

Indicate the name of the MSTP region in which the firewall is located. The name of the region has to be the same in the MSTP configuration on all network appliances belonging to this region.

Format selector

This field specifies the information needed for defining a region. Its default value is 0, indicating that a region’s properties are:

  • Its name,
  • Revision number,
  • Fingerprint calculated based on MST instance numbers and VLAN identifiers included in these instances.

The format selector has to be the same in the MSTP configuration on all network appliances belonging to this region.

Revision number

Select a revision number for the region. The revision number has to be the same in the MSTP configuration on all network appliances belonging to this region.

NOTE

In order to ensure that modifications can be tracked more easily, the revision number may be incremented manually when the configuration of the region changes. In this case, the changed revision number must be applied to all appliances for the affected region.

REMARK

On Stormshield Network firewalls, an MSTP configuration can only define one region.

Table of MSTP instances

This table allows defining the various instances declared in the MSTP configuration:

Instance

This unique identifier is incremented automatically whenever an instance is added to the MSTP configuration.

VLAN IDs

Indicate the various VLAN identifiers (list of identifiers separated by commas) included in the selected instance.

Priority

This field allows setting the priority of an MSTP instance in relation to the root bridge, which has the lowest priority value.

NOTE

You are advised against declaring the firewall as the root bridge of an MSTP instance. This may create unnecessarily high network traffic on the firewall’s interfaces.
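The region "fingerprint" named under Format selector, and the instance table just described, worked through in an added Python example (not Stormshield code): it builds the VLAN-to-instance table from the instance entries and computes the IEEE 802.1Q MST configuration digest (HMAC-MD5 with the key fixed by the standard). Function names and the range checks are assumptions; VLANs not declared in any instance stay in the CIST (instance 0).

```python
import hashlib
import hmac

# Added example, not Stormshield code. Computes the MST configuration digest
# (the "fingerprint" of the region): HMAC-MD5 over the 4096-entry VLAN-to-
# instance table, as specified by IEEE 802.1Q for format selector 0. Together
# with the region name and revision number it identifies the region, so two
# appliances with different instance tables can never form one region.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")  # standard key

def parse_vlan_ids(text):
    """Parse a 'VLAN IDs' field: comma-separated IDs; ranges such as 10-20 accepted."""
    ids = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN id out of range: {part}")
        ids.update(range(lo, hi + 1))
    return ids

def mst_config_table(instances):
    """instances: {instance number: 'VLAN IDs' string}, as in the MSTP instance table.
    Returns the table as 4096 big-endian 16-bit MSTIDs (VLANs not listed stay in
    the CIST, instance 0). A VLAN may belong to only one instance."""
    table = [0] * 4096
    for inst, vlans in instances.items():
        if not 1 <= inst <= 4094:
            raise ValueError(f"invalid MST instance number {inst}")
        for vid in parse_vlan_ids(vlans):
            if table[vid]:
                raise ValueError(f"VLAN {vid} is declared in more than one instance")
            table[vid] = inst
    return b"".join(v.to_bytes(2, "big") for v in table)

def mst_config_digest(instances):
    """Upper-case hex digest of the configuration table (HMAC-MD5, standard key)."""
    return hmac.new(MST_DIGEST_KEY, mst_config_table(instances), hashlib.md5).hexdigest().upper()

if __name__ == "__main__":
    # Constructed instance tables: the default one and a two-instance one
    print("all VLANs in CIST:", mst_config_digest({}))
    print("instance 1 = 10,20 / instance 2 = 30-40:", mst_config_digest({1: "10,20", 2: "30-40"}))
```

Compare the printed digest with the one shown by the other appliances of the region: a mismatch means the instance tables differ and the region will not form.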

“Bridge members” tab

Another way to include interfaces in a bridge, apart from dragging and dropping, is to use the panel in this tab (Bridge members).

To move an available interface to the bridge, drag and drop it, use the red arrow between the two tables, or double-click on the interface you wish to move.

To remove an interface from a bridge, do the exact opposite.