“General configuration” tab

The General configuration tab allows the following parameters to be modified:

General configuration

Refer to the section Allowed names to find out which characters are allowed and prohibited in various fields.

Firewall name This name is used in alarm e-mails sent to the administrator and is displayed in the firewall’s main window. It can also be used as the DNS name of the captive portal if it was enabled and the option “Use firewall name or certificate CN as FQDN” was selected.
The maximum supported length of the firewall name is 127 characters.
Firewall language (logs) Choose the language of the firewall: French or English.
This language is used for logs, syslog and the CLI configuration.
Keyboard (console) Type of keyboard that the firewall supports. Five layouts are available: English, French, Italian, Polish and Swiss.

Cryptographic settings

Enable regular retrieval of certificate revocation lists (CRL) If this option is selected, the firewall will regularly check the validity of each CRL downloaded from the distribution points specified in the PKI. When a CRL is close to its expiry date or has expired, an alarm will then be generated.
Enable “ANSSI Diffusion Restreinte (DR)” mode The Enable “ANSSI Diffusion Restreinte (DR)” mode option forces the firewall to abide by the ANSSI’s (French national information security agency) guidelines on the use of coprocessors and cryptographic accelerators on products to be qualified. It is an imperative on networks that fall under the “Restricted” classification.
This mode relies in particular on the use of software versions for asymmetric and symmetric cryptographic algorithms and random key generation algorithms. As for symmetric encryption algorithms, "AES-NI" instructions available on certain products are exempt as they are made up only of “simple acceleration instructions” of certain cryptographic operations.

When “ANSSI Diffusion Restreinte (DR)" mode is enabled in SNS 4.2.2, the following will occur:
  • IPSec: only certificate-based authentication is allowed.
  • IPSec: the certificates used (from the end user certificate to the common trusted CA) must comply with the following specifications: ECDSA or ECSDSA signature on a SECP or Brainpool curve, and SHA256 as the hash algorithm.
  • IPSec: the module will check whether the firewall is using version 2 of the IKE protocol.
  • IPSec: the module will check whether the Peer ID is entered.
  • IPSec: the module will check whether the encryption algorithms used belong to DH19 and DH28 groups (SECP and Brainpool).
  • IPSec: the module will check whether the encryption algorithm used is either AES_GCM_16 (AEAD: Authenticated Encryption with Associated Data; AES_GCM_16 is therefore not associated with any authentication algorithm), or AES_CTR, which must be associated with SHA256.
  • IPSec: the verification of certificate revocation must be enabled.
  • IPSec: the size of the anti-replay window must not be zero.
  • IPSec: the Pseudo-Random Function (PRF) algorithm must be SHA256.
  • IMPORTANT
    If any of the above conditions is not met, an error will appear, asking the administrator to modify the IPSec policy so that it can be enabled.

  • On firewalls equipped with Intel processors, the “ANSSI Diffusion Restreinte (DR)" mode will impose the use of the coprocessor's cryptographic hardware instruction sets. On firewalls equipped with other types of processors, the “ANSSI Diffusion Restreinte (DR)" mode will force such instruction sets to be disabled, causing performance to slow down during encryption.
  • The “ANSSI Diffusion Restreinte (DR)" mode restricts the encryption suites that can be used on the authentication portal and on SSL VPN: only AES, SHA256, SHA384 and GCM encryption suites are allowed.

NOTE
Enabling the “ANSSI Diffusion Restreinte (DR)” mode requires rebooting the firewall.

Password policy

The indicated parameters will apply to all passwords and pre-shred keys defined on the firewall (VPN PPTP, IPSec VPN, internal LDAP directory, etc.). The parameters are:

Minimum password length Indicate the minimum number of characters required for each password defined on the firewall.

NOTE
The value defined by default is 1 for the purpose of compatibility in the event existing configurations are migrated to version 2.

Mandatory character types Select the mandatory types of characters to be included in each password:
  • None: the password is not required to contain any alphanumeric or special characters,
  • Alphanumeric: the password must contain at least an alphabetical character and a number,
  • Alphabetical and special: the password must contain at least an alphanumeric character and a special character (‘#’, ‘@’, etc…)

NOTE
Refer to the section Allowed names to find out which characters are allowed and prohibited in various fields.

Minimum entropy Entropy is a parameter that makes it possible to define the required robustness of a password. Higher entropy means that the password must be more robust.
When it is defined, it will be factored into the calculation of randomly generated passwords, e.g., for temporary accounts, as well as manually defined passwords.
Entropy takes into account the length of the password and the size of the character set used.

The formula to calculate it is as follows:
Entropy = (length of password)*(Log(Size of character set)/Log(2)).

The entropy value suggested by default is: 20.
When its value is 0, entropy will be ignored when passwords are automatically generated or manually defined.

Date/Time settings

Manual mode When this checkbox is selected, three fields appear:
  • Date: Select the date from the calendar.
  • Time: Enter the firewall time.
  • Time zone: Time zone defined for the firewall (GMT by default). The firewall must be restarted if the time zone is changed.
Synchronize with your machine By clicking on this button, the firewall will synchronize its time with your computer’s time.
Synchronize firewall time (NTP) NTP (Network Time Protocol) is a protocol that makes it possible to synchronize the local clock on your computers with a time reference via your network.
If this option is selected, your firewall will automatically be synchronized with the local time.
Time zone Time zone defined for the firewall (GMT by default). The firewall must be restarted if the time zone is changed.

NOTE
The date and time set on your Stormshield Network firewall are important: they allow you to locate events in the log files. They are also useful in scheduling configurations.

List of NTP servers

This table will only be accessible if you have selected the option Synchronize firewall time (NTP). If you have not done so, the list of NTP servers will be grayed out.

NTP servers (host or group-address range) (max 15) The NTP server represents the remote clock with which your firewall will be synchronized.
You can Add or Delete servers by clicking on the relevant buttons.
When you click on Add, a new line will be added to the list of NTP servers. You may select an object from the drop-down list or create one by clicking on . A host, an IP address range or a group can then be created.
Click on Apply after you have entered the data for the new object.
Password (ASCII) Even though this is optional, you can enter a password for your NTP server which you can use for authentication.

Advanced properties

Hardware

The option for monitoring hardware activity Watchdog is available on all physical "S" model firewalls in the U Series.

Other firewalls in the U Series can benefit from this tool, which can improve troubleshooting and help. This mechanism is implemented by default but has to be enabled via the BIOS system. Please refer to the technical support department’s Knowledge Base for the full procedure.

Hardware monitoring timeout (watchdog) This device tests the activity of the firewall’s system. The frequency of tests is defined by this timeout. When the system is idle, this watchdog will reboot the firewall and raise a system event (24).
To stop monitoring, select Disable.

Captive portal

Redirect to the captive portal This option allows you to choose the name of the firewall used when generating URIs that redirect to the captive portal. There are four possible values:
  • Use firewall's IP address.
  • Use firewall's name

NOTE
This refers to the name indicated in the Firewall name field in the General configuration section or the firewall's serial number if no name was specified in this field.

 
  • Use the captive portal's certificate

NOTE
This refers to the name of the firewall specified in the portal's certificate.

 
  • Specify a domain name (FQDN)
Domain name (FQDN) Enter a fully qualified DNS name for the firewall (e.g.: firewall.company.org). This field is only accessible when the "Specify a domain name (FQDN)" value was selected in the Redirect to the captive portal field.

Telemetry

Allow usage data to be sent to Stormshield (anonymous) When this checkbox is selected, your firewall will send usage data to Stormshield's cloud for statistics: CPU consumption, memory use, number of log lines generated, size of log lines generated.
All this data is anonymous.

SSH command prompt

System node name

In this field, you can set an additional name that will be concatenated with the name of the firewall. The name of this system node is particularly useful in high availability configurations, as it easily identifies the member of the cluster on which you are connected when you open a session in console mode, for example.

When this system node name is configured, it appears in parentheses in the upper banner of the web administration interface, after the serial number of the firewall.

Industrial firewalls only (SNi20 and SNi40 models)

To ensure service continuity in an industrial setting, SNi20 and SNi40 model firewalls are equipped with a hardware bypass function, which when enabled, allows network traffic to pass through without being analyzed.

Do note that:

  • This mechanism cannot be enabled on firewalls in a high availability configuration,
  • This mechanism can only be enabled on the first two interfaces of the firewall.
 

Two of the firewall's operating modes are available:

  • Security mode: this mode prioritizes network security and protection. The bypass mechanism cannot be enabled. This is the firewall's default operating mode.
  • Safety mode: this mode prioritizes service continuity. The bypass mechanism will be enabled whenever the firewall breaks down or there is a power outage.
 

Whenever Safety mode is enabled, one of three types of bypass may be activated:

  • SystemOff bypass: activated when the firewall experiences an electrical failure or when there is a power outage.
  • JustOn bypass: it will be activated when the appliance is restarted and will then be disabled.
  • OnTimer bypass: when the product has to handle too many connections, this bypass will be activated after a period defined in the configuration of Safety mode. Once the bypass is activated, the firewall administrator can then reset Safety mode.

IMPORTANT
The proper operation of network traffic must be verified immediately after a manual reset. The firewall will not recognize connections initiated during the active bypass phase and will systematically reject them.

 

When bypass is activated, the first two interfaces of the firewall will be represented as follows:

 
Enable safety modeWhen this option is selected, you will be enabling the firewall's bypass mechanism. All three activation modes will be automatically available.
Safety mode timeoutSelect the period after which the OnTimer bypass must be activated. The various possible values are:
  • 1 min
  • 1 min 30 sec
  • 2 min
  • 2 min 30 sec
  • 3 min
  • 3 min 30 sec
  • 4 min
Reset safety modeWhen the OnTimer bypass is activated, you can click on this button in order to disable it and return the firewall to safety mode.