General configuration tab

NOTE
Refer to the section Allowed names to find out which characters are allowed and prohibited in various fields.

General configuration

Firewall name	This name is displayed in the firewall’s main window and is used in alarm e-mails sent to the administrator. It can also be used as the DNS name of the captive portal if it was enabled and the option Use firewall name was selected. The maximum supported length of the firewall name is 127 characters.
Firewall language (logs)	Choice of language that the firewall uses for logs, syslog and the CLI configuration. The available languages are: French and English.
Keyboard (console)	Type of keyboard that the firewall supports. The available languages are: English, French, Italian, Polish or Swiss.

Cryptographic settings

Enable regular retrieval of certificate revocation lists (CRL)

If this option is selected, every 6 hours, the firewall will check the validity of each CRL downloaded from the distribution points that were specified in the PKI. When a CRL is close to its expiry date or has expired, an alarm will then be generated.

Enable "Diffusion Restreinte (DR)" 2021 version compliance mode

The Enable "Diffusion Restreinte (DR)" 2021 version compliance mode option forces the firewall to comply with the ANSSI’s (French national information security agency) recommendations on the use of coprocessors and cryptographic accelerators on products to be qualified. It is an imperative on networks that fall under the “Restricted” classification.
This mode relies in particular on the use of software versions for asymmetric and symmetric cryptographic algorithms and random key generation algorithms. As for symmetric encryption algorithms, "AES-NI" instructions available on certain products are exempt as they are made up only of “simple acceleration instructions” of certain cryptographic operations.

When “ANSSI Diffusion Restreinte (DR)" mode is enabled in SNS 4.8.9, the following will occur:

IPsec: only certificate-based authentication is allowed.
IPsec: the certificates used (from the end user certificate to the common trusted CA) must comply with the following specifications: ECDSA or ECSDSA signature on an SECP or Brainpool curve, SHA256 as the hash algorithm, and key size of 256 bits.
IPsec: the module will check whether the firewall is using version 2 of the IKE protocol.
IPsec: the module will check whether the Peer ID has been entered.
IPsec: the module will check whether the encryption algorithms used belong to DH19 and DH28 groups (SECP and Brainpool 256).
IPsec: the module will check whether the encryption algorithm used is either AES_GCM_16 (AEAD: Authenticated Encryption with Associated Data; AES_GCM_16 is therefore not associated with any authentication algorithm), or AES_CTR, which must be associated with SHA256.
IPsec: the verification of certificate revocation must be enabled.
IPsec: the size of the anti-replay window must not be zero.
IPsec: the Pseudo-Random Function (PRF) algorithm must be SHA256.

IMPORTANT
If any of the above conditions is not met, the non-compliant IPsec configuration will be disabled and the following message appears:
“ANSSI ‘Diffusion Restreinte' mode disabled the non-compliant IPsec VPN configuration”.
The aim of this message is to prompt the administrator to modify the IPsec policy so that the configuration can be enabled.

On firewalls equipped with Intel processors, the “ANSSI Diffusion Restreinte (DR)" mode will allow the use of the coprocessor's cryptographic hardware instruction sets. On firewalls equipped with other types of processors, the “ANSSI Diffusion Restreinte (DR)" mode will force such instruction sets to be disabled, causing performance to slow down during encryption.
The “ANSSI Diffusion Restreinte (DR)" mode restricts the encryption suites that can be used on the authentication portal and on SSL VPN: only AES, SHA256, SHA384 and GCM encryption suites are allowed.

NOTE
Enabling the “ANSSI Diffusion Restreinte (DR)” mode requires rebooting the firewall.

Password policy

The indicated parameters apply to all passwords and pre-shared keys defined on the firewall (PPTP VPN, IPsec VPN, internal LDAP directory, etc.).

Minimum password length	Indicate the minimum number of characters required for each password defined on the firewall. NOTE The value defined by default is 1 for the purpose of compatibility in the event existing configurations are migrated to version 2.
Mandatory character types	Select the mandatory types of characters to be included in each password: None: the password is not required to contain any alphanumeric or special characters, Alphanumeric: the password must contain at least an alphabetical character and a number, Alphabetical and special: the password must contain at least an alphanumeric character and a special character (‘#’, ‘@’, etc…)
Minimum entropy	Entropy is a parameter that makes it possible to define the required robustness of a password. Higher entropy means that the password must be more robust. When it is defined, it will be factored into the calculation of randomly generated passwords, e.g., for temporary accounts, as well as manually defined passwords. Entropy takes into account the length of the password and the number of different characters in the password. The formula to calculate it is as follows: Entropy = (Length of password)*(Log(Number of different characters in the password )/Log(2)). The entropy value suggested by default is: 20. When its value is 0, entropy will be ignored when passwords are automatically generated or manually defined.

Date/Time settings

Manual mode	With this option, the firewall’s date and time can be manually set.
Synchronize with your machine	This option makes it possible to set the firewall’s date and time according to your computer’s settings.
Synchronize firewall time (NTP)	This option makes it possible to synchronize the firewall's local clock through NTP (Network Time Protocol) servers. Complete this configuration by referring to List of NTP servers and List of NTP keys.
Date	This field appears only if the Manual mode option was selected. Select the desired date from the calendar.
Time	This field appears only if the Manual mode option was selected. Enter the desired time in HH:MM:SS format.
Time zone	Time zone defined for the firewall (GMT by default). The firewall must be restarted if the time zone is changed.

NOTE
The date and time set on your Stormshield Network firewall are important: they allow you to locate events in the log files. They are also useful in scheduling configurations.

List of NTP servers

IMPORTANT
The NTP servers used must be compatible with NTPv4.

This grid appears only if the option Synchronize firewall time (NTP) was selected.

NTP servers (host or group-address range) (max 15)	Shows the NTP servers used to synchronize the firewall's local clock. To add an NTP server, click on Add and select from the drop-down list the object representing the NTP server that you wish to add. If this object does not exist, click on the object creation icon to create it. To delete an NTP server from the list, select it and click on Delete.
Authentication key (ID)	You can enter a key if access to an NTP server requires one for authentication. In this field, select an authentication key from the list of NTP keys already created. Each ID is associated with a value representing the NTP authentication key. To create a new key ID, or to view the list of NTP keys already created, refer to List of NTP keys.

List of NTP keys

This grid appears only if the option Synchronize firewall time (NTP) was selected.

Authentication key (ID)

Shows the list of NTP authentication keys. These IDs can be selected in the Authentication key (ID) column in the List of NTP servers.

To add an NTP key ID, click on Add and give it a unique ID between 1 and 15 inclusive. To delete an ID from the list, select it and click on Delete.

Value

Shows the value of NTP keys. If you add a new NTP key ID, enter the value of its key in this field (maximum 8 characters). Double-click on an existing value to change it.

Key type

Shows the algorithm used for the NTP key. You can change this option by selecting the desired algorithm from the drop-down list.

Advanced properties

Idle timeout monitoring (watchdog)

Idle timeout timer (watchdog)

This device tests the activity of the firewall’s system. This test is conducted on the:

Virtual firewall (EVA) software,
Physical firewall hardware and software.

The frequency of tests is defined by this timeout.
When the system is idle, this watchdog will reboot the firewall and raise a system event (24).
To stop monitoring, select Disable.

Hardware

The Hardware section shows only firewalls that have the bypass function.

When the bypass function is enabled (ready to be triggered), during critical hardware and software failures, network traffic can be channeled through the SNS firewall without being analyzed. This function therefore enables service continuity in sensitive environments.

Enable safety mode

When this option is selected, you will be enabling the bypass mechanism's Safety mode. When this mode is enabled:

The bypass mechanism is enabled (ready to be triggered) on all bypass segments configured to use it (relevant interfaces grouped together in a bridge). A list indicates the bypass segments on which Safety mode will be enabled.
When a triggering event occurs (critical hardware or software failure), the bypass mechanism will be triggered, and network traffic on the relevant bypass segments will then pass through the SNS firewall without being analyzed. Depending on the failure, the bypass mechanism will either be triggered immediately or after a countdown times out.
Once the bypass mechanism is triggered, the only way for the SNS firewall to analyze traffic again is to reset the mechanism.

Safety mode cannot be enabled on SNS firewalls in high availability.

Do note that as long as Safety mode is not enabled, bypass will remain permanently disabled, even when a critical failure occurs.

Safety mode timeout

During a software failure, especially when the SNS firewall’s operating system is not responding or is saturated, the bypass mechanism will be triggered after the timeout of a countdown with an initial duration that corresponds to the Safety mode timeout.

Select the desired timeout. The selectable values range from 1 to 4 minutes.

Reset safety mode

Once the bypass mechanism is triggered, the only way for the SNS firewall to analyze traffic again is to reset the mechanism. Click on this button to reset the bypass mechanism.

IMPORTANT
After a manual reset, check whether network traffic is functioning properly, as connections that are initiated during the active phase of the bypass mechanism will be shut down, and have to be set up again by remote devices.

For more information on how bypass works on firewalls and network modules that are equipped with bypass, and on how to configure it, refer to the Technical note - Managing bypass on SNS firewalls.

Captive portal

Redirect to the captive portal

This option allows you to choose the name of the firewall used when generating URIs that redirect to the captive portal. There are four possible values:

Use firewall's IP address
Use firewall's name.
This refers to the name indicated in the Firewall name field in the General configuration section or the firewall's serial number if no name was specified in this field.
Use the captive portal's certificate.
This refers to the name of the firewall specified in the portal's certificate.
Specify a domain name (FQDN).

Domain name (FQDN)

Enter a fully qualified DNS name for the firewall (e.g.: firewall.company.org). This field can only be accessed when the Specify a domain name (FQDN) value was selected in the previous field.

Telemetry

NOTE
When the administrator who looks up this module is logged in with an account other than the admin (super administrator) account, this section will be grayed out and named Telemetry (require admin privilege).

Allow usage data to be sent to Stormshield (anonymous)

When this checkbox is selected, your firewall will send usage data to Stormshield's cloud (over port 443) for statistics (list below):

By sending such data, which is completely anonymous, you will be helping Stormshield to refine the parameters of the proxy’s performance and the dimensions and restrictions on future hardware platforms and SNS versions.

List of usage data for statistics:

Number of lines generated in each log file ,
Size of each log file ,
CPU consumption ,
Memory use ,
Number of connections managed by the proxy, by protocol ,
Number of degraded connections managed by the proxy, by protocol ,
Maximum number of simultaneous connections managed by the proxy, by protocol ,
Maximum number of simultaneous degraded connections managed by the proxy, by protocol ,
Number of objects in the object database, by type ,
Number of filter and NAT rules ,
Number of simultaneous connections through the firewall ,
Number of hosts known to the firewall ,
Number of authentications by type ,
Number of antivirus scans performed ,
Number of users connected for each authentication method ,
Number of TS agents connected ,
Statistics on memory consumption by sockets,
Log partition usage information ,
Statistics on memory and CPU consumption by daemons ,
Information on whether the TPM is used ,
Statistics on the PKI (number of CAs, certificates and identities protected by the TPM),
Number of URLs matching the "Compromised URLs" category ,
Information on whether the Extended Web Control (EWC) URL classification solution is used ,
Number of URL classification requests ,
Number of site-to-site IPsec tunnels configured and enabled in the active IPsec policy ,
Maximum number of site-to-site IPsec tunnels set up ,
Number of mobile IPsec tunnels configured and enabled in the active IPsec policy ,
Maximum number of mobile IPsec tunnels set up ,
Number of IKE v1 IPsec tunnels configured in the active IPsec policy ,
Number of IKE v2 IPsec tunnels configured in the active IPsec policy ,
Number of IPsec tunnels with pre-shared key authentication configured in the active IPsec policy ,
Number of IPsec tunnels with certificate authentication configured in the active IPsec policy ,
Number of IPsec tunnels with certificate and XAUTH authentication configured in the active IPsec policy ,
Number of IPsec tunnels with EAP-GTC authentication configured in the active IPsec policy ,
Number of IPsec tunnels with certificate and EAP-GTC authentication configured in the active IPsec policy ,
Number of entries in the TLS 1.3 cache,
Number of entries with a timeout error in the TLS 1.3 cache,
Number of times the TLS 1.3 cache was purged after being filled up ,
Number of stop signals indicating that a process ended abnormally ,
Date of the last stop signal indicating that a process ended abnormally ,
Number of failures while sending files to sandboxing during the analyzed period .

SSH command prompt

System node name

In this field, you can set an additional name that will be concatenated with the name of the firewall. The name of this system node is particularly useful in high availability configurations, as it easily identifies the member of the cluster on which you are connected when you open a session in console mode, for example.

When this system node name is configured, it appears in parentheses in the upper banner of the web administration interface, after the serial number of the firewall.