The various types of objects

Host

Select a host to view or edit its properties. Each host has a name, an IP address and a DNS resolution (“Automatic” or “None (static IP)”) by default.

Name of the object

Name given to the object during its creation. This field can be modified, and to save changes, you need to click on Apply and Save.


The icon to the right of the checkbox allows the object’s IP address to be obtained, which can be seen in the “IP address” field.


To obtain it, the object’s full URL must be entered.

IPv4 address

IP address of the selected host.

DNS resolution

The DNS (Domain Name System) resolution matches IP addresses with a domain name.

Two choices are possible:

  • None (static IP): The selected object has a fixed IP address that will be used every time.
  • Automatic: If this option is selected, the firewall will submit DNS requests every 5 minutes in order to determine the IP address of the selected object.

MAC address

Media Access Control address. This address corresponds to the physical address of a network interface or of a network card, allowing the identification of a host on a local network.


Example

5E:FF:56:A2:AF:15.

Comments

Description of the selected host.

Network

Select a network to view or edit its properties. Each network has a name, IP address and network mask.

Name of the object

Name given to the object during its creation. This field can be modified, and to save changes, you need to click on Apply and Save.

Comments

Description of the selected network.

IP address

IP address of the selected network. The address is followed by a "/" and the associated network mask.

IP address range

Select an IP address range to view or edit its properties.

Name of the object

Name given to the object during its creation. This field can be modified, and to save changes, you need to click on Apply and Save.

Start

First IP address of the range.

End

Last IP address of the range.

Comments

Description of the selected IP address range.

Port – port range

Select a port or port range to view or edit its properties.

Name of the object

Name of the service used. This field is grayed out and cannot be modified.

Port

Number of the port associated with the selected service.

Port range

By selecting this option, you will assign a port range to the selected service and enable the two checkboxes below it.

From

If the Port range checkbox has been selected, this field will be enabled. It corresponds to the first port included in the selected port range.

Up to

If the Port range checkbox has been selected, this field will be enabled. It corresponds to the last port included in the selected port range.

Protocol

Select the IP protocol that your service uses:

  • TCP: Transmission Control Protocol. Transport protocol operating in connected mode and made up of three phases: establishment of the connection, data transfer, end of the connection.
  • UDP: User Datagram Protocol. This protocol allows data to be transferred easily between two entities, each of them being defined by an IP address and a port number.
  • SCTP: Stream Control Transmission Protocol, a protocol defined in RFC 4960 (an introduction is provided in RFC 3286). As a transport protocol, SCTP is in a certain way equivalent to TCP or UDP. While TCP is stream-oriented (the sequence of bytes contained in a packet has no conceptual beginning or end, but belongs to the stream of traffic that makes up the connection), SCTP, like UDP, is message-oriented (it sends messages in a traffic stream with a beginning and an end, which can be segmented over several packets).
  • Any protocol: The selected service can use any IP protocol.

Comments

Description of the selected port or port range.

IP protocol

Name of the object

Name of the selected IP protocol. This field is grayed out and cannot be modified.

Protocol number

Number associated with the selected IP protocol and provided by the IANA (Internet Assigned Numbers Authority).

Comments

Description of the selected IP protocol.

Group

In this screen, you will be able to aggregate your objects according to your network topology, for example.

Name of the object

Name given to the object group during its creation.

Objects in “read only” mode will be grayed out and cannot be modified.

Comments

Description of the object group.

Edit this group

This button opens a dialog box for adding objects to the group.

Two columns will appear:

  • The left column contains the list of all the network objects that you may add to your group.
  • The right column contains the objects that are already in the group.

To add an object to the group, you need to move it from one column to the other:

  • Select the item(s) to add.
  • Click on this arrow. The object will move to the right column and become a part of your group (at the top of the list).

To remove an object from the group, select it in the right column and click on this arrow.

NOTE

By clicking on the button “Edit this group”, you will be able to change the name of the group and add comments to it, and also search for objects and include new objects in the group.

Objects in this group

The network objects in your group will be shown in a table.

To add or modify objects, refer to the previous field.

Port group

This screen will allow you to aggregate your ports by category.

Example

A “mail” group that groups “imap”, “pop3” and “smtp” ports.

Name of the object

Name given to the port group during its creation.

Comments

Description of the port group.

Edit this group

This button opens a dialog box for adding ports to the group.

By clicking on it, you will be able to change the name of the group and add comments to it, and also search for ports and include new ports in the group.

Two columns will appear:

  • The left column contains the list of all the ports that you may add to your group.
  • The right column contains the ports that are already in the group.

To add a port to the group, you need to move it from one column to the other:

  • Select the item(s) to add.
  • Click on this arrow. The port will move to the right column and become a part of your group (at the top of the list).

To remove a port from the group, select it in the right column and click on this arrow.

NOTE

By clicking on the button “Edit this group”, you will be able to change the name of the group and add comments to it, and also search for ports and include new ports in the group.

Objects in this group

The ports in your group will be shown in a table.

To add or modify objects, refer to the previous field.

Router

Router objects can be used:

  • As the firewall’s default gateway,
  • For specifying the type of routing in filter rules (PBR: Policy Based Filtering).

Router objects are defined by a name and at least one gateway used. They may contain one or several gateways used and backup gateways. A mechanism that tests the availability of these gateways makes it possible to provide redundancy – if no responses are received from one or several main gateways, one or several backup gateways will then take over.

Select a router to view or edit its properties.

Name of the object

Name given to the router object when it was created.

Comments

Description associated with the router object.

Button bar

Add

Adds a gateway.

Delete

Deletes the selected gateway.

Move to the list of backups/Move to the list of main gateways

Allows switching from one gateway in the main table to the backup table or vice versa.


Apply

Sends the router’s configuration.

Copy

Allows creating a new router object by duplicating the same characteristics as the edited router.

Cancel

Cancels the router’s configuration.

Tables of gateways used and backup gateways

Both of these tables contain the following columns:

Host (Mandatory)

Clicking on this column will open the objects database to allow selecting a host that acts as the router.

Device(s) for testing availability (Mandatory)

Host or host group to ping in order to determine the connectivity of the gateway. The value selected may be the gateway itself (Test the gateway directly), a host or a group of third-party hosts. The availability test may be disabled for the selected gateway by selecting the value No availability testing.

NOTE

If the value No availability testing has been selected for all gateways, the function enabling a switchover to backup gateways will then be disabled.

Weight

Allows assigning a priority between the various gateways for the load balancing mechanism. A gateway with a higher weight will therefore be used more often when balancing traffic load.

(Optional) Comments

Any text.

NOTE

Parameters that define the interval between two availability tests (“frequency”), the maximum waiting time for a response (“wait”) and the number of tests to perform before declaring the gateway uncontactable (“tries”) can only be configured via CLI command:
CONFIG OBJECT ROUTER NEW name=<router name> [tries=<int>] [wait=<seconds>] [frequency=<seconds>] update=1.
The default values suggested are 15 seconds for the “frequency” parameter, 2 seconds for the “wait” parameter and 3 for the "tries" parameter.

Advanced properties

Load balancing

The firewall allows distributed routing between the various gateways used through several methods:

  • No load balancing: only the first gateway defined in the "Used gateways" and "Backup gateways" tables will be used for routing.
  • By connection: all gateways defined in the "Used gateways" table will be used. The load balancing algorithm is based on the source (source IP address, source port) and the destination (destination IP address, destination port) of the traffic. The rate at which the various gateways are used will be related to their respective weights.
  • By source IP address: all gateways defined in the "Used gateways" table will be used. An algorithm allows balancing routing based on the source of the routed traffic. The rate at which the various gateways are used will be related to their respective weights.

Enable backup gateways

  • When all gateways cannot be reached: the backup gateway(s) will only be enabled when all the gateways used cannot be contacted.
  • When at least one gateway cannot be reached: the backup gateway(s) will be enabled as soon as a gateway used cannot be contacted. This option is grayed out when a single gateway is entered in the table of used gateways.
  • When the number of gateways that can be reached is lower than: the backup gateway(s) will be enabled as soon as the number of contactable gateways used falls below the number indicated. This option is grayed out when a single gateway is entered in the table of used gateways.

Enable all backup gateways when unavailable

If this option is selected, all backup gateways will be enabled as soon as the condition for enabling them has been met. If it is not selected, only the first backup gateway listed will be enabled.

If no gateways are available

Select the behavior that the firewall must adopt if all the gateways defined in the router object cannot be contacted:

  • Default route: the routes (static or dynamic) defined in the firewall’s routing table will be applied.
  • Do not route: the firewall will not manage packets passing through.
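As an added worked model (not Stormshield's own code, nor the firewall's actual algorithm), the Python below simulates a router object as described above: the three "Enable backup gateways" conditions, the "Enable all backup gateways when unavailable" option, and weighted balancing "By connection" versus "By source IP address". The hashing scheme, the skipping of unreachable backups and the `reachable` flag standing in for the availability test are assumptions of this model.

```python
from dataclasses import dataclass, field
from hashlib import sha256

@dataclass
class Gateway:
    host: str               # host object acting as the router
    weight: int = 1         # "Weight" column: share of balanced traffic
    reachable: bool = True  # assumed outcome of the availability test

@dataclass
class RouterObject:
    main: list                                  # "Used gateways" table, in order
    backup: list = field(default_factory=list)  # "Backup gateways" table
    balancing: str = "none"      # "none" | "connection" | "source"
    backup_when: str = "all"     # "all" | "any" | "fewer_than"
    threshold: int = 1           # value for "fewer_than"
    all_backups: bool = False    # "Enable all backup gateways when unavailable"

    def active_pool(self):
        """Gateways eligible for routing in the current availability state."""
        reachable_main = [g for g in self.main if g.reachable]
        # with a single used gateway the other two options are grayed out
        mode = self.backup_when if len(self.main) > 1 else "all"
        need_backup = (
            (mode == "all" and not reachable_main)
            or (mode == "any" and len(reachable_main) < len(self.main))
            or (mode == "fewer_than" and len(reachable_main) < self.threshold)
        )
        pool = list(reachable_main)
        if need_backup:
            # assumption: an unreachable backup is skipped like an unreachable used gateway
            backups = [g for g in self.backup if g.reachable]
            pool += backups if self.all_backups else backups[:1]
        # "No load balancing": only the first usable gateway carries traffic
        return pool if self.balancing != "none" else pool[:1]

    def select(self, src_ip, src_port, dst_ip, dst_port):
        """Pick the gateway for one flow; None means no gateway is available."""
        pool = self.active_pool()
        if not pool:
            return None  # "If no gateways are available" behavior applies here
        if self.balancing == "source":
            key = src_ip  # every flow from one source shares a gateway
        else:
            key = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}"  # per connection
        # assumed weighted deterministic choice: hash the key into the weight sum
        total = sum(g.weight for g in pool)
        slot = int(sha256(key.encode()).hexdigest(), 16) % total
        for gw in pool:
            if slot < gw.weight:
                return gw
            slot -= gw.weight
```

Flipping `reachable` on the gateways and changing `backup_when` shows which table ends up carrying traffic under each option.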

Region group

In this screen, you will be able to aggregate countries or continents in a single group.

Name of the object

Name given to the group of regions during its creation.

Comments

Description of the region group.

Edit this group

This button opens a dialog box for adding countries or continents to the group.

By clicking on it, you will be able to change the name of the group and add comments to it, and also search for countries or continents and include new ones in the group.

Two columns will appear:

  • The left column contains the list of all the countries or continents that you may add to your group.
  • The right column contains the countries or continents that are already in the group.

To add a country or continent to the group, you need to move it from one column to the other:

  • Select the item(s) to add.
  • Click on this arrow. The object will move to the right column and become a part of your group (at the top of the list).

To remove an object from the group, select it in the right column and click on this arrow.

NOTE

By clicking on the button “Edit this group”, you will be able to change the name of the group and add comments to it, and also search for objects and include new objects in the group.

Objects in this group

The countries or continents in your group will be shown in a table.

To add or modify objects, refer to the previous field.

DNS name (FQDN)

DNS name objects are dynamic objects that represent DNS (FQDN) names that can be resolved on several IP addresses. These objects can either be defined in IPv4 or IPv6 and can only be used as the source or destination of a filter rule. They cannot be included in groups.

Select a DNS name to view or edit its properties.

Name of the object

Name given to the object during its creation. This field can be modified, and to save changes, you need to click on Apply and Save.

IP address

IP address of the selected object.

Comments

Description of the selected DNS name.

Time object

Name of the object

Name given to the time object during its creation.

Comments

Description of the time object.

Description

This dynamic field will be entered automatically based on the parameters selected for the definition of the time object.

Example:

For an ad hoc event: from <date> at <time> to <date> at <time>

Fixed event

This field allows defining from when the event takes place (“From” field) and until when it will continue (“to” field). A day has to be selected from the calendar presented.

You will also need to define a time by filling in the empty “to” field.

Day of the year

By default, this field indicates the date 01: 01. You can click on Add a date range and enter a start date and an end date for your event, by selecting the month and the day.

Day(s) of the week

The days affected by the event are marked with this icon. If you wish to remove a day, click once on it. If you wish to apply an additional day, such as a Saturday, for example, click once on the checkbox “Sat”. It will then be marked by the same icon described above and your event will affect this day.

Time slots

You can define time slots using these buttons:

  • Add a time slot: adds a time slot and lets you define the start and end time of your event.
  • Delete: removes the selected time slot.

New information regarding the time slot(s) will appear in the field Description.