General configuration tab
NOTE
Refer to the section Allowed names to find out which characters are allowed and prohibited in various fields.
General configuration
Firewall name | This name is displayed in the firewall’s main window and is used in alarm e-mails sent to the administrator. It can also be used as the DNS name of the captive portal if it was enabled and the option Use firewall name was selected. The maximum supported length of the firewall name is 127 characters. |
Firewall language (logs) |
Choice of language that the firewall uses for logs, syslog and the CLI configuration. The available languages are: French and English. |
Keyboard (console) | Type of keyboard that the firewall supports. The available languages are: English, French, Italian, Polish or Swiss. |
Cryptographic settings
Enable regular retrieval of certificate revocation lists (CRL) | If this option is selected, the firewall will check every 6 hours the validity of each CRL downloaded from the distribution points specified in the PKI. When a CRL is close to its expiry date or has expired, an alarm will then be generated. |
Enable "Diffusion Restreinte (DR)" 2021 version compliance mode | The Enable "Diffusion Restreinte (DR)" 2021 version compliance mode option forces the firewall to comply with the ANSSI’s (French national information security agency) recommendations on the use of coprocessors and cryptographic accelerators on products to be qualified. It is an imperative on networks that fall under the “Restricted” classification. This mode relies in particular on the use of software versions for asymmetric and symmetric cryptographic algorithms and random key generation algorithms. As for symmetric encryption algorithms, "AES-NI" instructions available on certain products are exempt as they are made up only of “simple acceleration instructions” of certain cryptographic operations. When “ANSSI Diffusion Restreinte (DR)" mode is enabled in SNS 4.8.4, the following will occur:
IMPORTANT NOTE |
Password policy
The indicated parameters apply to all passwords and pre-shared keys defined on the firewall (PPTP VPN, IPsec VPN, internal LDAP directory, etc.).
Minimum password length | Indicate the minimum number of characters required for each password defined on the firewall. NOTE |
Mandatory character types | Select the mandatory types of characters to be included in each password:
|
Minimum entropy | Entropy is a parameter that makes it possible to define the required robustness of a password. Higher entropy means that the password must be more robust. When it is defined, it will be factored into the calculation of randomly generated passwords, e.g., for temporary accounts, as well as manually defined passwords. Entropy takes into account the length of the password and the number of different characters in the password. The formula to calculate it is as follows: Entropy = (Length of password)*(Log(Number of different characters in the password )/Log(2)). The entropy value suggested by default is: 20. When its value is 0, entropy will be ignored when passwords are automatically generated or manually defined. |
Date/Time settings
Manual mode | With this option, the firewall’s date and time can be manually set. |
Synchronize with your machine | This option makes it possible to set the firewall’s date and time according to your computer’s settings. |
Synchronize firewall time (NTP) |
This option makes it possible to synchronize the firewall's local clock through NTP (Network Time Protocol) servers. Complete this configuration by referring to List of NTP servers and List of NTP keys. |
Date | This field appears only if the Manual mode option was selected. Select the desired date from the calendar. |
Time | This field appears only if the Manual mode option was selected. Enter the desired time in HH:MM:SS format. |
Time zone | Time zone defined for the firewall (GMT by default). The firewall must be restarted if the time zone is changed. |
NOTE
The date and time set on your Stormshield Network firewall are important: they allow you to locate events in the log files. They are also useful in scheduling configurations.
List of NTP servers
IMPORTANT
The NTP servers used must be compatible with NTPv4.
This grid appears only if the option Synchronize firewall time (NTP) was selected.
NTP servers (host or group-address range) (max 15) | Shows the NTP servers used to synchronize the firewall's local clock. To add an NTP server, click on Add and select from the drop-down list the object representing the NTP server that you wish to add. If this object does not exist, click on the object creation icon to create it. To delete an NTP server from the list, select it and click on Delete. |
Authentication key (ID) |
You can enter a key if access to an NTP server requires one for authentication. In this field, select an authentication key from the list of NTP keys already created. Each ID is associated with a value representing the NTP authentication key. To create a new key ID, or to view the list of NTP keys already created, refer to List of NTP keys. |
List of NTP keys
This grid appears only if the option Synchronize firewall time (NTP) was selected.
Authentication key (ID) |
Shows the list of NTP authentication keys. These IDs can be selected in the Authentication key (ID) column in the List of NTP servers. To add an NTP key ID, click on Add and give it a unique ID between 1 and 15 inclusive. To delete an ID from the list, select it and click on Delete. |
Value |
Shows the value of NTP keys. If you add a new NTP key ID, enter the value of its key in this field (maximum 8 characters). Double-click on an existing value to change it. |
Key type | Shows the algorithm used for the NTP key. You can change this option by selecting the desired algorithm from the drop-down list. |
Advanced properties
Idle timeout monitoring (watchdog)
Idle timeout timer (watchdog) |
This device tests the activity of the firewall’s system. This test is conducted on the:
The frequency of tests is defined by this timeout. |
Captive portal
Telemetry
NOTE
When the administrator who looks up this module is logged in with an account other than the admin (super administrator) account, this section will be grayed out and named Telemetry (require admin privilege).
Allow usage data to be sent to Stormshield (anonymous) |
When this checkbox is selected, your firewall will send usage data to Stormshield's cloud (over port 443) for statistics:
By sending such data, which is completely anonymous, you will be helping Stormshield to refine the parameters of the proxy’s performance and the dimensions and restrictions on future hardware platforms and SNS versions. |
SSH command prompt
Bypass - Industrial firewalls and firewalls equipped with an 8-port 1Gbps copper module - 4 bypass devices (NA-EX-CARD-BP-8xG-C)
Industrial firewalls (SNi20 and SNi40 models)
To ensure service continuity in an industrial setting, SNi20 and SNi40 model firewalls are equipped with a hardware bypass function. When it is enabled, and if the firewall breaks down, it allows network traffic to pass through without being analyzed.
- This mechanism cannot be enabled on firewalls in a high availability configuration,
- This mechanism can only be enabled on the first two interfaces of the firewall.
Firewalls equipped with an 8-port 1Gbps copper module - 4 bypass devices (NA-EX-CARD-BP-8xG-C)
Similarly to industrial firewalls, to ensure service continuity without resorting to high availability, SN-M-Series-520, SN-M-Series-720, SN-M-Series-920 and SN1100 model firewalls can accommodate an 8-port 1Gbps copper module that can manage up to 4 bypass devices (NA-EX-CARD-BP-8xG-C).
Do note that using the bypass function on SN1100 model firewalls requires the module to be inserted in the firewall's left extension slot.
On the 8-port 1Gbps copper module - 4 bypass devices (NA-EX-CARD-BP-8xG-C), interfaces are associated vertically in pairs in bypass mode: this association is set in the hardware and cannot be changed. These pairs are also referred to as "bypass segments".
When bypass mode is enabled on an interface in a bypass segment, this interface and its associated interface has to be grouped in the same bridge.
A warning appears if this is not the case.
- On the above firewall models, the bypass mechanism can only be enabled on the interfaces of the 8-port 1Gbps copper module - 4 bypass devices (NA-EX-CARD-BP-8xG-C).
- This mechanism cannot be enabled on firewalls in a high availability configuration, or on interfaces in this module that are part of an aggregate.
Operating and enabling bypass mode
Two of the firewall's operating modes are available:
- Security mode: this mode prioritizes network security and protection. The bypass mechanism cannot be enabled. This is the firewall's default operating mode.
- Safety mode: this mode prioritizes service continuity. The bypass mechanism will be enabled whenever the firewall breaks down or there is a power outage.
Whenever Safety mode is enabled, one of three types of bypass may be activated:
- SystemOff bypass: activated when the firewall experiences an electrical failure or when there is a power outage.
- JustOn bypass: it will be activated when the appliance is restarted and will then be disabled.
- OnTimer bypass: when the product has to handle too many connections, this bypass will be activated after a period defined in the configuration of Safety mode. Once the bypass is activated, the firewall administrator can then reset Safety mode.
IMPORTANT
The proper operation of network traffic must be verified immediately after a manual reset. The firewall will not recognize connections initiated during the active bypass phase and will reject them every time.
When bypass is activated, the firewall interfaces in question will be represented as follows:
Enable safety mode | When this option is selected, you will be enabling the firewall's bypass mechanism. All three activation modes will be automatically available. |
Safety mode timeout | Select the period after which the OnTimer bypass must be activated. The various possible values are:
|
Reset safety mode | When the OnTimer bypass is activated, you can click on this button in order to disable it and return the firewall to Safety mode. |