Initial connection to the appliance
A security procedure must be followed if the initial connection to the appliance takes place through an untrusted network. This operation is not necessary if the administration workstation is connected directly to the product.
Access to the administration portal is secured through the SSL/TLS protocol. This protection authenticates the portal via a certificate, thereby assuring the administrator that they are indeed logged in to the intended appliance. This certificate can either be the appliance’s default certificate or the certificate entered during the configuration of the appliance (Authentication > Captive portal). Depending on the model, it is signed by default by the authority with the name:
- NETASQ: CN=serial number of the appliance, O=Secure Internet Connectivity, OU=NETASQ firewall Certification Authority.
- Stormshield: CN=Stormshield Products Root CA, O=Stormshield, OU=Cloud Services, C=FR, L=Issy-Les-Moulineaux.
For the access to be confirmed as secure, the browser must trust the certification authority that signed the certificate in use: that authority must be in the browser’s list of trusted certification authorities. Therefore, to confirm the integrity of the appliance, add the authority to the browser's list of trusted authorities before the initial connection. Depending on the model, the corresponding authority is available at these links:
http://pki.stormshieldcs.eu/netasq/root.crt
http://pki.stormshieldcs.eu/products/root.crt
If a certificate signed by another authority has been configured on the appliance, this authority will need to be added instead of the default authority.
As a result, the initial connection to the appliance will no longer raise an alert in the browser regarding the trusted authority. However, a message will continue to warn the user that the certificate is not valid. This is because the certificate identifies the firewall by its serial number instead of its IP address. To stop this warning from appearing, configure the DNS server so that the serial number is associated with the IP address of the firewall.
For further information, refer to the SNS firewall Installation and first-time configuration guide.
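The two checks described above (trusted authority, then name match) can be reproduced offline with the `openssl` command line. This is an added example, not taken from the Stormshield documentation: the root CA, the serial number `SN000A00000000000` and the address `192.0.2.10` are constructed for the demonstration, and OpenSSL's name matching stands in for the browser's.

```shell
#!/bin/sh
# Constructed lab: a throwaway root CA and an appliance-style certificate whose
# CN is a made-up serial number. Nothing here is a real Stormshield certificate.
SERIAL="SN000A00000000000"      # constructed serial number
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_lab() {
  # Stand-in for the root CA that gets imported into the browser.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Example Lab/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Appliance certificate: subject is the serial number, no IP address in it.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$SERIAL" \
    -keyout "$WORK/fw.key" -out "$WORK/fw.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/fw.csr" -days 2 -CAcreateserial \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -out "$WORK/fw.crt" 2>/dev/null
}

# Check 1: does the certificate chain to the root? (trusted-authority alert)
chain_trusted() {   # usage: chain_trusted ROOT CERT
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does it also match what was typed in the address bar?
# OpenSSL accepts a CN match when the certificate has no subjectAltName;
# a browser's matching rules may be stricter.
name_matches() {    # usage: name_matches ROOT CERT NAME_OR_IPV4
  case "$3" in
    *[!0-9.]*) opt=-verify_hostname ;;   # contains a non-digit: treat as DNS name
    *)         opt=-verify_ip ;;         # digits and dots only: IPv4 address
  esac
  openssl verify -CAfile "$1" "$opt" "$3" "$2" >/dev/null 2>&1
}

make_lab
chain_trusted "$WORK/ca.crt" "$WORK/fw.crt" && echo "chain: trusted"
name_matches "$WORK/ca.crt" "$WORK/fw.crt" 192.0.2.10 || echo "by IP address: name mismatch"
name_matches "$WORK/ca.crt" "$WORK/fw.crt" "$SERIAL" && echo "by serial number: match"
```

Against a real appliance, pass the downloaded root certificate and the certificate presented by the portal to the same two functions in place of the lab files.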