Filter table

This table allows you to define the filter rules to apply. The firewall will execute rules in their order of appearance on the screen (numbered 1, 2, etc) and will stop once it finds a a rule that matches the IP packet. Place them in the right order so that you obtain a coherent result.

It is therefore important to define rules from the most restrictive to the most general.

In every security policy, every rule can be dragged and dropped so that the policy (filter or NAT) can be reorganized easily. The symbol as well as the "Drag and drop to reorganize" tool tip appear when you scroll over the beginning of the rule.

In the active security policy, each activated filter and NAT rule also displays a counter that shows the number of times the rule has been used. When scrolling over the icon with a mouse, a tooltip will indicate the exact number of times the rule has been executed. The 4 levels of use correspond to the following values, according to the percentage on the counter of the rule most frequently used:

  0%
  1 from 0 to 2%
  2 from 2 to 20% (from 2 to 100% if the counter is lower than 10 000)
  3 from 20 to 100 %, with a minimum of 10 000 times (otherwise the previous level will be displayed)

To obtain a new indicator, clicking on “Reset rule statistics” will start a new count. This counter will be reinitialized if:

  • One of the parameters in the rule has been modified (except for comments),
  • Another policy has been enabled,
  • The firewall has been restarted.

If no icons are displayed, this means that the information is unavailable.

This column shows the status of the rule: On /Off . Double-click on it to change its status. By doing this once, you will enable the filter rule. Repeat the operation to disable it.

General tab

General section

Status Select On or Off to respectively enable or disable the rule being edited.
Comments You can enter comments in this area; they will be displayed at the end of the rule when the filter policy is displayed.

Advanced properties

Rule name You can assign a name to the filter rule; this name will be used in logs and facilitates identification of the filter rule during searches in logs or views (Logs - Audit logs menu).

This zone refers to the action applied to the packet that meets the selection criteria of the filter rule. To define the various parameters of the action, double-click in the column. A window containing the following elements will appear:

General tab

General section

Action 5 different actions can be performed:
  • Pass: The Stormshield Network firewall allows the packet corresponding to this filter rule to pass. The packet stops moving down the list of rules.
  • Block: The Stormshield Network firewall silently blocks the packet corresponding to this filter rule: the packet is deleted without the sender being informed. The packet stops moving down the list of rules.
  • Decrypt: This action decrypts encrypted traffic. Decrypted traffic will continue to move down the list of rules. It will be encrypted again after the analysis (if it is not blocked by any rule).
  • Reinit. TCP/UDP: This option mainly concerns TCP and UDP traffic:
    For TCP traffic, a “TCP reset” packet will be sent to its sender.
    For UDP traffic, a “port unreachable” ICMP packet will be sent to its sender.
    As for other IP protocols, the Stormshield Network firewall will simply block the packet corresponding to this filter rule.
  • If you are editing the global filter policy, a fifth option will appear: "Delegate".
    This option makes it possible to stop comparing the traffic against the rest of the global policy, but to compare it directly with the local policy.

If your policy contained rules with the action Log only, you will see log only (deprecated) whenever you edit these rules.
Log level The value is set to Standard (connection log) by default, so no logs are recorded. Several log levels are possible:
  • Standard (connection log): No logs will be kept in filter logs if the packet corresponds to this rule. However, ended connections can be logged (connection logs) depending on the connection of the protocol associated with the rule, which is the case in a factory configuration.
    Do note that this option is not available if you have selected the “Log” action in the previous field.
  • Advanced (connection log and filtering log): In addition to logs in Standard mode, logs from all traffic that matches this rule will be captured. This option is not recommended on "Deny All" filter rules (except for debugging) as it will then generate a large amount of logs.
  • Minor alarm: As soon as this filter rule is applied to a connection, a minor alarm will be generated. This alarm is recorded in the logs, and can be sent via Syslog (Logs – Syslog – IPFIX) or by e-mail (see module E-mail alerts).
  • Major alarm: As soon as this filter rule is applied to a connection, a major alarm will be generated. This alarm is recorded in the logs, and can be sent via Syslog (Logs – Syslog – IPFIX) or by e-mail (see module E-mail alerts).

To fully disable logs, you need to disable the Disk, Syslog server and IPFIX collector checkboxes in the Log destination for this rule field (Advanced properties tab in the rule editing window).
Scheduling Select or create a time object.
You will then be able to define the period/ day of the year / day of the week / time/ recurrence when rules will be valid.

Objects can be created or modified directly from this field by clicking on

Routing section

Gateway – router This option is useful when specifying a particular router that will redirect traffic matching the rule to the defined router. The selected gateway may be a host or router object.

Objects can be created or modified directly from this field by clicking on

IMPORTANT
If routers are specified in filter rules (Policy Based Routing), the availability of these routers will then be tested systematically by sending ICMP echo request messages. When a router that has been detected as unreachable is a host object, the default gateway entered in the Routing module will be selected automatically. If it is a router object, the action taken will depend on the value selected for the field If no gateways are available during the definition of this object (see the section Network objects).
For more technical information, refer to the technical support’s Knowledge Base (article "How does the PBR hostcheck work?").

Click on Ok to confirm your configuration.

Quality of service tab

The QoS module, built into Stormshield Network’s intrusion prevention engine, is associated with the Filtering module in order to provide Quality of Service features.

When a packet arrives on an interface, it will first be treated by a filter rule, then the intrusion prevention engine will assign the packet to the right queue according to the configuration of the filter rule’s QoS field.

QoS section

Queue

This field offers you the choice of several queues that you have defined earlier in the Security policy module, in the Quality of Service menu.

This operation does not apply (grayed out) to traffic going through the SSL proxy (Source menu > Advanced properties > Via field).
ACK queue

This field offers you the choice of several queues that you have defined earlier for TCP ACK traffic in Security policy > Quality of Service.

This operation does not apply (grayed out) to traffic going through the SSL proxy (Source menu > Advanced properties > Via field).
Fairness
  • No fairness: If you select this option, no particular amount of bandwidth will be assigned and each user/host/connection will use it according their needs.
  • User fairness: bandwidth will be distributed evenly between users.
  • Host fairness: bandwidth will be distributed evenly between hosts.
  • Connection fairness: bandwidth will be distributed evenly between connections.

Connection threshold section

The Stormshield Network firewall may limit the maximum number of connections accepted per second for a filter rule. The desired number can be defined for protocols corresponding to the rule (TCP, UDP, ICMP and some application requests). This option also allows you to prevent a denial of service which hackers may attempt: you may limit the number of requests per second addressed to your servers.

Once this threshold has been exceeded, received packets will be blocked and ignored.

WARNING
The restriction only applies to the corresponding rule.

EXAMPLE
If you create an FTP rule, only a TCP restriction will be taken into account.

REMARKS
If the option is assigned to a rule containing an object group, the restriction applies to the whole group (total number of connections).

If threshold is reached
  • Do not do anything: no restrictions will be placed on the number of connections or requests per second (c/s).
  • Protect against SYN Flood: this option makes it possible to protect servers from TCP SYN packet flooding (“SYN flooding”) attacks. The SYN proxy instead of the server will respond and will assess the reliability of the TCP request before transmitting it.
    You can limit the number of TCP connections per second for this filter rule in the field below.
  • Raise associated alarm: Depending on the maximum number of connections per second that you assign to the protocols below, the traffic will be blocked once the defined number has been exceeded. The identifiers of these alarms are: 28 ICMP /  29 UDP / 30 TCP SYN / 253 TCP/UDP.
TCP (c/s) Maximum number of connections per second allowed for the TCP protocol.
UDP (c/s) Maximum number of connections per second allowed for the UDP protocol.
ICMP (c/s) Maximum number of connections per second allowed for the ICMP protocol.
SCTP (c/s) Maximum number of connections per second allowed for the SCTP protocol.

Application requests (r/s)

Maximum number of application requests per second allowed for the HTTP and DNS protocol.

Click on Ok to confirm your configuration.

DSCP section

DSCP (Differentiated Services Code Point) is a field in the IP packet header. The purpose of this field is to allow services contained in a network architecture to be differentiated. It will specify a mechanism for classifying and controlling traffic while providing quality of service (QoS).

Impose value By selecting this option, you will enable the field below and allow access to the DSCP service.
This option makes it possible to rewrite the packet with the given value, so that the next router will know the priority to apply to this packet.
New DSCP value This field allows defining traffic differentiation. Through this field, it is possible to determine which service a type of traffic belongs to, thanks to a pre-established code. This DSCP service, used in the context of Quality of Service, allows the administrator to apply QoS rules according to the service differentiation that he has defined.

Click on Ok to confirm your configuration.

Advanced properties tab

Redirection section

Service
  • None: This option means that none of the following services will be used: the user will not go through the HTTP proxy and will not be redirected to the authentication page.
  • HTTP proxy: If you select this option, the HTTP proxy will intercept user connections and scan traffic.
    This service will be selected when rules are created by the explicit HTTP proxy wizard.
  • Authentication: If you select this option, unauthenticated users will be redirected to the captive portal when they connect.
    This service will be selected when rules are created by the authentication wizard.
Redirect incoming SIP calls (UDP) This option allows the Stormshield Network firewall to manage incoming SIP-based communications to internal hosts masked by address translation (NAT).
URLs without authentication This field becomes accessible if the previous option Service redirects traffic to the authentication portal (authentication rule).
It allows specifying URL categories or groups that are exempt from authentication; the listed sites therefore become accessible without authentication, which is useful for example in accessing update websites. The firewall’s security inspections can therefore be applied to such access. There is by default in the URL objects database a URL group named authentication_bypass containing Microsoft update websites.

Logs section

Log destination for this rule This option makes it possible to define one or several methods for storing logs generated by the rule:
  • Disk: local storage.
  • Syslog server: the Syslog profile(s) including Filter policy logs must be defined in the SYSLOG tab of the menu Notifications > Logs - Syslog - IPFIX.
  • IPFIX collector: the IPFIX collector(s) must be defined in the IPFIX tab of the menu Notifications > Logs - Syslog - IPFIX.

Each log will contain details of connections evaluated through the rule.

Advanced properties section

Count If you select this option, the Stormshield Network firewall will count the number of packets that correspond to this filter rule and generate a report.
Volume information on a desired traffic type can therefore be obtained.
Force source packets in IPsec When this option is selected, for this filter rule, you will force packets from the network or source hosts to go through an active IPsec tunnel to reach their destination.
Force return packets in IPsec When this option is selected, for this filter rule, you will force return packets (responses) to go through an active IPsec tunnel in order to contact the host that initiated the traffic.
Synchronize this connection between firewalls (HA) When the firewall belongs to a cluster, this option enables or disables the synchronization of the connection corresponding to the rule between two cluster members.
This option is enabled by default.

Click on Ok to confirm your configuration.

This field refers to the source of the treated packet, and is used as a selection criterion for the rule. Double-click in this zone to select the associated value in a dedicated window.

This window contains three tabs:

General tab

General section

User The rule will apply to the user that you select in this field.
You can filter the display of users according to the desired method or LDAP directory by clicking on . Only enabled directories and methods (Available methods tab in the Authentication module and LDAP directories defined in the Directory configuration module) will be presented in this filter list.

Depending on the authentication method, several generic users will be suggested:
  • "Any user@any": refers to any authenticated user, regardless of the directory or authentication method used.
  • "Any user@guest_users.local.domain": refers to any user authenticated via the "Guest" method.
  • "Any user@voucher_users.local.domain": refers to any user authenticated via the "Temporary accounts" method.
  • "Any user@sponsored_users.local.domain": refers to any user authenticated via the "Sponsorship" method.

  • "Any user@none": refers to any user authenticated via a method that does not rely on an LDAP directory (e.g.: Kerberos).

  • Unknown users”: refers to any unknown or unauthenticated user.

NOTE
In order for unauthenticated users to be automatically redirected to the captive portal, at least one rule must be defined, applying to the object “unknown users”. This rule will also apply when an authentication expires.
Source hosts The rule will apply to the object or the user (created beforehand in the dedicated menu: Objects>Network objects that you select in this field. The source host is the host from which the connection originated.

You can Add or Delete objects by clicking on the icon

Objects can be created or modified directly from this field by clicking on
Incoming interface Interface on which the filter rule applies, presented in the form of a drop-down list. By default, the firewall selects it automatically according to the operation and source IP addresses.
It can be modified to apply the rule to another interface. This also allows specifying a particular interface if “Any” has been selected as the source host.

Click on Ok to confirm your configuration.

NOTE
Filter rules with a user@object source type (except any or unknown@object), and with a protocol other than HTTP, do not apply to Multi-user Objects (Authentication> Authentication policy). This behavior is inherent in the packet treatment mechanism used by the intrusion prevention engine.

Geolocation/Reputation tab

Geolocation section

Select a region This field allows applying the filter rule to hosts with a public IP address belonging to a country, continent or group of regions (group of countries and/or continents) defined beforehand in the Objects > Network objects module.

Public IP address reputation section

Select a reputation category This field allows applying the filter rule to hosts whose public IP addresses have been classified in one of the predefined reputation categories:
  • anonymizer: proxies, IPv4 to IPv6 converters.
  • botnet: infected hosts running malicious programs.
  • malware: hosts distributing malicious programs
  • phishing: compromised mail servers.
  • scanner: hosts that conduct port scanning or launch brute force attacks.
  • spam: compromised mail servers.
  • tor exit node: endpoint servers of the Tor network.
  • Bad: groups all of the above categories.

NOTE
Since the reputation of a public IP address may border on two categories (botnet and malware), and this field only allows one category to be selected, you are advised to use the "bad" group for optimum protection.


Other host categories are also available to facilitate the setup of filter rules for Microsoft Online solutions:
  • Exchange online: servers that host the corporate mail application.
  • Microsoft Identity and authentication: authentication servers used for accessing Microsoft Office 365.
  • Office 365: servers that host the Microsoft Office 365 storage and office tools solution.
  • Office online: servers that host the free online office tools solution Microsoft Office 365.
  • Sharepoint online: servers that host the online collaborative solution Microsoft Sharepoint.
  • Skype Enterprise Online: servers that host the professional version of the instant messaging solution Skype.
  • Microsoft: groups all categories of machines that host Microsoft services online.

Host reputation section

Enable filtering based on reputation score Select this checkbox in order to enable filtering based on the reputation score of hosts on the internal network.
To enable host reputation management and to define the hosts affected by the calculation of a reputation score, go to the Application protection > Host reputation module.
Reputation score This field allows selecting the reputation score above which () or below which () the filter rule will apply to the monitored hosts.

Click on Ok to confirm your configuration.

Advanced properties tab

Advanced properties section

Source port This field allows specifying the port used by the source host, if it has a particular value.
By default, the "Stateful" module memorizes the source port used and only this port will then be allowed for return packets.

Objects can be created or modified directly from this field by clicking on
Via
  • Any: This option implies that none of the following services will be used – the connection will not go through the HTTP proxy, will not be redirected to the authentication page and will not go through an IPsec VPN tunnel.
  • Explicit HTTP proxy: Traffic originates from the HTTP proxy.
  • SSL proxy: Traffic originates from the SSL proxy.
  • IPsec VPN tunnel: Traffic comes from an IPsec VPN tunnel.
  • SSL VPN tunnel: Traffic comes from an SSL VPN tunnel.
Source DSCP This field makes it possible to filter by the value of the DSCP field of the packet received.

Authentication section

Authentication method This field allows restricting the application of the filter rule to the selected authentication method.

Click on Ok to confirm your configuration.

Destination object used as a selection criterion for the rule. Double-click in this zone to select the associated value in a dedicated window. This window contains two tabs:

General tab

General section

Destination hosts Select the destination host of the traffic from the object database in the drop-down list.
You can Add or Delete objects by clicking on the icon .

Objects can be created or modified directly from this field by clicking on .

Click on Ok to confirm your configuration.

Geolocation/Reputation tab

Geolocation section

Select a region This field makes it possible to apply the filter rule to hosts with a public IP address belonging to a country, continent or group of regions (group of countries and/or continents) defined beforehand in the Objects > Network objects module.

Public IP address reputation section

Select a reputation category This field allows applying the filter rule to destination hosts whose IP addresses have been classified in one of the predefined reputation categories:
  • anonymizer: proxies, IPv4 to IPv6 converters.
  • botnet: infected hosts running malicious programs.
  • malware: hosts distributing malicious programs
  • phishing: compromised mail servers.
  • scanner: hosts that conduct port scanning or launch brute force attacks.
  • spam: compromised mail servers.
  • tor exit node: endpoint servers of the Tor network.
  • Bad: groups all of the above categories.

NOTE
Since the reputation of a public IP address may border on two categories (botnet and malware), and this field only allows selecting one category, you are advised to use the "Bad" group for optimum protection.

Host reputation section

Enable filtering based on reputation score Select this checkbox in order to enable filtering based on the reputation score of hosts on the internal network.
To enable host reputation management and to define the hosts affected by the calculation of a reputation score, go to the Application protection > Host reputation module.
Reputation score This field allows selecting the reputation score above which () or below which () the filter rule will apply to the monitored destination hosts.

Click on Ok to confirm your configuration.

Advanced properties tab

Advanced properties section

Outgoing interface This option allows choosing the packet’s outgoing interface, to which the filter rule applies.
By default, the firewall selects it automatically according to the operation and destination IP addresses. A packet’s outgoing interface can be used as a filtering criterion.

NAT on the destination section

Destination If you wish to translate the traffic’s destination IP address, select one from the objects in the drop-down list. Otherwise, leave the field empty, i.e. “None” by default.

NOTE
As this traffic has already been translated by this option, the other NAT rules in the current policy will not be applied to this traffic.


Objects can be created or modified directly from this field by clicking on .

ARP publication on external destination (public)

 This option has been added so that an ARP publication can be specified when a filter rule with a NAT operation is used on the destination. It must be enabled if the destination public IP address (before applying NAT) is a virtual IP address and does not belong to the UTM.

NOTE
Another way to set up this publication would be to add the virtual IP address of the affected interface in the Interfaces module.

Click on Ok to confirm your configuration.

The destination port represents the port on which the “source” host opens a connection to the “destination” host. The protocol to which the filter rule applies can also be defined in this window.

Port section

Destination Port Service or service group used as a selection criterion for this rule. Double-click on this zone to select the associated object.

EXAMPLES
Port 80: HTTP service
Port 25: SMTP service


You can Add or Delete objects by clicking on the icon

Objects can be created or modified directly from this field by clicking on .

Protocol section

Depending on the protocol type that you choose here, the following field that appears will vary:

Protocol type Select the desired protocol type. The value of the following fields varies according to your choice.
  • Automatic protocol detection (default),
  • Application protocol,
  • IP protocol.
  • Ethernet protocol.
Application protocol The advantage of this choice is being able to apply application analysis on a port other that the default port. When this protocol type is selected:
  • Application protocol: Select the desired protocol from the drop-down list.
  • IP protocol: the IP protocols concerned will change according to the selected application protocol.
IP protocol When this protocol type is selected:
  • Application protocol: No application analysis.
  • IP protocol: Select the desired protocol from the drop-down list. Additional fields may appear depending on the protocol selected.
  • Stateful tracking: Select the checkbox to track the status of IP connections. This option is selected by default for TCP, UDP and ICMP protocols.
Ethernet protocol When this protocol type is selected, select the desired Ethernet protocol from the drop-down list.

NOTE
For example, connection status tracking (stateful mode) can be enabled for the GRE protocol, which is used in PPTP tunnels. Thanks to this tracking tool, the source (map), destination (redirection) or both (bimap) can be translated.
However, it will be impossible to differentiate 2 connections that share the same source and destination addresses. In concrete terms, this means that when the firewall translates a source N -> 1 (map), only one simultaneous connection to a PPTP server can be made.

Translated port section

This section is available when NAT on the destination is selected.

Translated destination port Translated port to which packets are going. Network packets received will be redirected from a given port on a host or a network device to another host or network device. If you wish to translate the traffic’s destination port, select one from the objects in the drop-down list.
Otherwise, leave the field empty, i.e. “None” by default. In this case, the Destination port field remains unchanged.

General section

Inspection level field

IPS (Detect and block) If this option is selected, Stormshield Network’s IPS (Intrusion Prevention System) will detect and block intrusion attempts, from the Network level to the Application level in the OSI model.
IDS (Detect) If this option is selected, Stormshield Network’s IDS (Intrusion Detection System) will detect intrusion attempts on your traffic, without blocking them.
Firewall (Do not inspect) This option only provides access to basic security functions and will merely filter your traffic without inspecting it.

Inspection profile

Depending on the direction of the traffic, IPS_ 00 to 09 You can customize the configuration of your security inspection by assigning a predefined policy to it, which will appear in the filter table.
Numbered configurations can be renamed in the menu Application protection > Inspection profiles.
The value suggested by default (Depending on the direction of the traffic) uses the IPS_00 profile for incoming traffic and the profile IPS_01 for outgoing traffic.

Application inspection section

Antivirus The On / Off buttons allow you to enable or disable the antivirus in your filter rule.

Antivirus analyses will only be run on HTTP, FTP, SMTP, POP3 protocols and on their variants in SSL. They can be configured for each of these protocols in the menu Application protection > Protocols.
Sandboxing The On /Off buttons allow you to enable or disable sandboxing (malicious files) in your filter rule.
Do note that advanced antivirus must be used when this option is enabled.

Antivirus analyses will only be run on HTTP, FTP, SMTP, POP3 protocols and on their variants in SSL. They can be configured for each of these protocols in the menu Application protection > Protocols.
Antispam The On/ Off buttons allow you to enable or disable the antispam in your filter rule.

This analysis is only run on SMTP, POP3 protocols and on their variants in SSL. They can be configured for each of these protocols in the menu Application protection > Protocols.
URL filtering To enable this filtering method, select an URL filter profile from the suggested profiles.
SMTP filtering To enable this filtering method, select an SMTP filter profile from the suggested profiles.
Selecting the SMTP filter policy also enables the POP3 proxy in the event the filter rule allows the POP3 protocol.
FTP filtering The On/ Off buttons allow you to enable or disable FTP filtering in your filter rule, in line with the FTP commands defined in FTP plugin (Protocols module).
SSL filtering To enable this filtering method, select an SSL filter profile from the suggested profiles.

You can add a description that will allow distinguishing your filter rule and its characteristics more easily.

Comments on new rules indicate the date on which they were created and the user who created them, if the rules were not created by the "admin" account, in the form of "Created on {date} by {login} ({IP address)}". This automatic information may be disabled by unselecting the option "Comments about rules with creation date (Filtering and NAT)" found in the Preferences module.