Global protocol configuration

The button “Go to global configuration” applies to all the profiles of the selected protocol.

This option is offered for every protocol except IP, RTP, RTCP and S7.

Protocol: list of default TCP or UDP ports

This option defines the list of ports (TCP or UDP) scanned by default by the plugin of the protocol that is being configured. You can Add or Delete ports by clicking on the respective buttons.

Secure protocol: list of default TCP ports

The ports added to the list of secure protocols will first be analyzed by the SSL plugin, then by the plugin of the configured protocol if the traffic is encrypted. You can Add or Delete ports by clicking on the respective buttons.

This selection is available for the protocols HTTPS, SMTPS, FTPS, POP3S, OSCAR over SSL, NetBios CIFS over SSL, NetBios SSN over SSL and SIP over SSL.


Example

Choosing the HTTPS port in the list "HTTPS: list of default TCP ports" will set off two successive scans:

  • The HTTPS traffic will be scanned by the SSL plugin
  • The traffic decrypted by the SSL proxy will be analyzed by the HTTP plugin

Proxy

This option is enabled in the global configuration of the HTTP, SMTP, POP3 and SSL protocols. It applies to all the inspection profiles.

Apply the NAT rule on scanned traffic

By default, traffic scanned by an implicit proxy will be re-sent with the address of the firewall’s outgoing interface.

If this option is selected in the case of a NAT policy, address translation will be applied to the traffic leaving the proxy scan. This option will not be applied on translations of the destination.

Global configuration of the TCP/UDP protocol

IPS tab

Denial of Service (DoS)

Max no. of ports per second

To detect and block port scans, this value caps the number of distinct ports (in the range 1 to 1024) that may be reached on a given protected destination within one second. The value must be between 1 and 16 ports.

Purge session table every (seconds) 

Once the connection/session table is full, a purge of inactive connections is scheduled. Set the maximum interval between two purges of the session table, between 10 and 172800 seconds, to avoid overloading the appliance.


Connection

Allow half-open connections (RFC 793 section 3.4)

This option makes it possible to avoid denials of service that may take place within so-called “normal” connections.

http://tools.ietf.org/html/rfc793#section-3.4

Support

Log every TCP connection

Option for enabling log generation for TCP connections.

Log every UDP pseudo-connection

Option for enabling log generation for UDP pseudo-connections.

Global configuration of the SSL protocol

Proxy tab

Generate certificates to emulate the SSL server

C.A (signs the certificates)

Select the sub-authority used for signing the certificates generated by the SSL proxy. You must first import it in the Certificate module (Object menu).

Certificate authority password

Enter the password of the selected certificate authority.

Certificate lifetime (days)

This field indicates the Validity (days) of the certificates generated by the proxy.

SSL: list of default TCP ports

This option is offered for the list of default TCP ports. The default ports of the added protocols will be analyzed by the SSL plugin.

Proxy

This option applies to all the inspection profiles. It will not be applied on translations of the destination.

Apply the NAT rule on scanned traffic

By default, traffic scanned by an implicit proxy will obtain the address of the firewall’s outgoing interface on its way out.


If this option is selected in the case of a NAT policy, address translation will be applied to the traffic leaving the proxy scan. This option will not be applied on translations of the destination.

Customized certificate authorities

Add the list of customized CAs to the list of trusted authorities

This option enables the feature for importing certificate authorities that are not public. These CAs will be considered trusted authorities. Certificates issued by such customized CAs will therefore be considered trustworthy.

It is possible to Add or Delete certificate authorities by clicking on the corresponding buttons.

Public certificate authorities

A public certificate authority can be disabled by double-clicking on the status icon, enabled by default. You may also choose to Enable all or Disable all these public CAs by clicking on the corresponding buttons.

In order to improve monitoring, these root certificate authorities are kept up to date in the firewall’s list via Active Update.

Trusted certificates

These are whitelisted certificates to which the content inspection checks (self-signed certificates, expired certificates, etc.) defined in the Proxy tab of the SSL profile configuration will not be applied.

In this window, you may Add or Delete trusted certificates by clicking on the relevant button.

Global configuration of the ICMP protocol

IPS tab

IPS

Maximum global rate of ICMP error packets (packets per second and per core)

Whenever the number of ICMP error packets exceeds this limit (25000 by default), the firewall will ignore additional packets before applying filter rules. This option helps protect the firewall against Blacknurse attacks.
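To make the effect of this ceiling concrete, here is an added example (not the appliance's code) that applies a per-core, per-second limit to ICMP error packets and separates the packets that would continue to the filter rules from those that are ignored once the counter is full. The fixed one-second buckets, the packet layout `(timestamp, core, icmp_type)` and the set of ICMP types treated as errors (the error message types of RFC 792) are assumptions of the example; the sample traffic is constructed.

```python
from collections import defaultdict

# ICMP message types that carry error reports (RFC 792): destination
# unreachable, source quench, redirect, time exceeded, parameter problem
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
DEFAULT_LIMIT = 25000  # the page's default, per second and per core


def rate_limit_icmp_errors(packets, limit=DEFAULT_LIMIT):
    """Apply a per-core, per-second ceiling to ICMP error packets.

    `packets` is an iterable of (timestamp, core, icmp_type).  Returns
    (accepted, dropped): accepted packets would go on to the filter rules,
    dropped ones are ignored once the core's counter for that second is full.
    Non-error ICMP (e.g. echo request, type 8) is neither counted nor dropped.
    """
    counters = defaultdict(int)  # (core, whole second) -> error packets counted
    accepted, dropped = [], []
    for pkt in packets:
        ts, core, icmp_type = pkt
        if icmp_type not in ICMP_ERROR_TYPES:
            accepted.append(pkt)
            continue
        key = (core, int(ts))
        if counters[key] >= limit:
            dropped.append(pkt)  # over the ceiling for this core and second
            continue
        counters[key] += 1
        accepted.append(pkt)
    return accepted, dropped


def build_sample():
    """Constructed traffic (not a capture): a flood of type 3 errors spread
    over one second on core 0, a trickle of type 11 on core 1, and some
    echo requests on core 0."""
    flood = [(i / 30000, 0, 3) for i in range(30000)]
    trickle = [(0.5 + i / 1000, 1, 11) for i in range(100)]
    pings = [(0.25 + i / 1000, 0, 8) for i in range(500)]
    return sorted(flood + trickle + pings, key=lambda p: p[0])


if __name__ == "__main__":
    accepted, dropped = rate_limit_icmp_errors(build_sample())
    print(f"accepted={len(accepted)} dropped={len(dropped)}")
```

With the default ceiling, 25000 of the 30000 flood packets on core 0 pass and the remaining 5000 are ignored, while the echo requests and the small volume of errors on core 1 are untouched; the limit therefore caps the cost of a flood on one core without silencing ICMP error reporting as a whole.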