Action
This zone refers to the action applied to the packet that meets the selection criteria of the filter rule. To define the various parameters of the action, double-click in the column. A window containing the following elements will appear:
General tab
General section
Action | 5 different actions can be performed:
If your policy contained rules with the action Log only, you will see log only (deprecated) whenever you edit these rules. |
Log level | The value is set to Standard (connection log) by default, so no logs are recorded. Several log levels are possible:
To fully disable logs, you need to disable the Disk, Syslog server and IPFIX collector checkboxes in the Log destination for this rule field (Advanced properties tab in the rule editing window). |
Scheduling | Select or create a time object. You will then be able to define the period / day of the year / day of the week / time / recurrence during which the rule is valid. Objects can be created or modified directly from this field by clicking on |
Routing section
Gateway – router | This option makes it possible to specify a particular router to which traffic matching the rule will be redirected. The selected gateway may be a host or router object. Objects can be created or modified directly from this field by clicking on |
IMPORTANT
If routers are specified in filter rules (Policy Based Routing), the availability of these routers is then tested systematically by sending ICMP echo request messages. When a router that has been detected as unreachable is a host object, the default gateway entered in the Routing module is selected automatically. If it is a router object, the action taken depends on the value selected for the field If no gateways are available during the definition of this object (see the section Network objects).
For more technical information, refer to the technical support’s Knowledge Base (article "How does the PBR hostcheck work?").
Click on Ok to confirm your configuration.
Quality of service tab
The QoS module, built into Stormshield Network’s intrusion prevention engine, is associated with the Filtering module in order to provide Quality of Service features.
When a packet arrives on an interface, it is first processed by a filter rule; the intrusion prevention engine then assigns the packet to the right queue according to the configuration of the filter rule’s QoS field.
QoS section
Queue | This field offers you the choice of several queues that you have defined earlier in the Security policy module, in the Quality of Service menu. This operation does not apply (grayed out) to traffic going through the SSL proxy (Source menu > Advanced properties > Via field). |
ACK queue | This field offers you the choice of several queues that you have defined earlier for TCP ACK traffic in Security policy > Quality of Service. This operation does not apply (grayed out) to traffic going through the SSL proxy (Source menu > Advanced properties > Via field). |
Fairness | |
Connection threshold section
The Stormshield Network firewall can limit the maximum number of connections accepted per second for a filter rule. The desired number can be defined for each protocol corresponding to the rule (TCP, UDP, ICMP and some application requests). This option also helps prevent denial of service attempts by hackers, since you can limit the number of requests per second addressed to your servers.
Once this threshold has been exceeded, received packets will be blocked and ignored.
WARNING
The restriction only applies to the corresponding rule.
EXAMPLE
If you create an FTP rule, only a TCP restriction will be taken into account.
REMARKS
If the option is assigned to a rule containing an object group, the restriction applies to the whole group (total number of connections).
If threshold is reached | |
TCP (c/s) | Maximum number of connections per second allowed for the TCP protocol. |
UDP (c/s) | Maximum number of connections per second allowed for the UDP protocol. |
ICMP (c/s) | Maximum number of connections per second allowed for the ICMP protocol. |
SCTP (c/s) | Maximum number of connections per second allowed for the SCTP protocol. |
Application requests (r/s) | Maximum number of application requests per second allowed for the HTTP and DNS protocols. |
Click on Ok to confirm your configuration.
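To make the threshold semantics concrete, here is an added example in Python (not Stormshield's code) that simulates a per-rule threshold: limits are per protocol, counted per one-second window, and a rule whose source is an object group keeps a single counter for the whole group, so the hosts in the group share the total instead of each getting its own budget. Limits and the traffic burst are constructed for the example.

```python
# Added example, not Stormshield's implementation: per-rule connection threshold.
from collections import defaultdict


class RuleThreshold:
    def __init__(self, limits):
        # limits: {"tcp": 100, "udp": 50, "http": 200, ...} in connections/requests per second
        self.limits = limits
        self.counts = defaultdict(int)  # key: (protocol, second); the source host is NOT
                                        # part of the key, so a whole group shares one total

    def check(self, src, proto, ts):
        """Return 'pass' if the new connection fits the current window, else 'block'."""
        limit = self.limits.get(proto)
        if limit is None:               # no threshold defined for this protocol
            return "pass"
        key = (proto, int(ts))          # fixed one-second window
        if self.counts[key] >= limit:
            return "block"              # threshold exceeded: packet is blocked and ignored
        self.counts[key] += 1
        return "pass"


def simulate(rule, events):
    """events: list of (src, protocol, timestamp); returns (passed, blocked) counts."""
    passed = blocked = 0
    for src, proto, ts in events:
        if rule.check(src, proto, ts) == "pass":
            passed += 1
        else:
            blocked += 1
    return passed, blocked


# Constructed burst: two hosts of the same object group open 6 TCP connections and
# 2 UDP flows within second 0, then one more TCP connection in second 1.
BURST = ([("10.0.0.1", "tcp", 0.1)] * 3 + [("10.0.0.2", "tcp", 0.2)] * 3
         + [("10.0.0.1", "udp", 0.3)] * 2 + [("10.0.0.2", "tcp", 1.4)])


def demo():
    # TCP 4 c/s and UDP 1 c/s for the rule as a whole (group total)
    rule = RuleThreshold({"tcp": 4, "udp": 1})
    return simulate(rule, BURST)   # returns (6, 3): 2 TCP + 1 UDP blocked in second 0


if __name__ == "__main__":
    print(demo())
```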
DSCP section
DSCP (Differentiated Services Code Point) is a field in the IP packet header. The purpose of this field is to allow the services carried in a network architecture to be differentiated. It specifies a mechanism for classifying and controlling traffic while providing quality of service (QoS).
Impose value | By selecting this option, you will enable the field below and allow access to the DSCP service. This option makes it possible to rewrite the packet with the given value, so that the next router will know the priority to apply to this packet. |
New DSCP value | In this field, traffic differentiation can be defined. Through this field, it is possible to determine which service a type of traffic belongs to, thanks to a pre-established code. This DSCP service, used in the context of Quality of Service, allows the administrator to apply QoS rules according to the service differentiation that they have defined. |
Click on Ok to confirm your configuration.
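To show what Impose value does at the packet level, here is an added example in Python (not Stormshield's code): it rewrites the 6-bit DSCP field of a constructed IPv4 header, keeps the two ECN bits untouched, and recomputes the IPv4 header checksum, which any device rewriting the DS byte must do for the next router to accept the packet.

```python
# Added example, not Stormshield's implementation: DSCP rewrite on an IPv4 packet.
# DSCP is the upper 6 bits of the ToS/DS byte (RFC 2474); the low 2 bits are ECN.
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; call with the checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def impose_dscp(packet: bytes, dscp: int) -> bytes:
    """Return a copy of an IPv4 packet whose DSCP field is set to `dscp` (0-63)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes
    header = bytearray(packet[:ihl])
    ecn = header[1] & 0x03                    # preserve ECN bits
    header[1] = (dscp << 2) | ecn
    header[10:12] = b"\x00\x00"               # zero the checksum before recomputing
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]       # payload is left untouched


def dscp_of(packet: bytes) -> int:
    return packet[1] >> 2


# Constructed sample: 20-byte IPv4 header (DSCP 0, ECN 01, UDP, 192.168.0.1 -> 192.168.0.2)
# followed by a 4-byte payload. The checksum field is left at zero on purpose.
SAMPLE = bytes.fromhex("45010018000100004011" "0000" "c0a80001c0a80002") + b"\x00" * 4


if __name__ == "__main__":
    out = impose_dscp(SAMPLE, 46)             # 46 = Expedited Forwarding (EF)
    print(dscp_of(out), out[1] & 0x03, out[10:12].hex())
```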
Advanced properties tab
Redirection section
Service | |
Redirect incoming SIP calls (UDP) | This option allows the Stormshield Network firewall to manage incoming SIP-based communications to internal hosts masked by address translation (NAT). |
URLs without authentication | This field becomes accessible if the previous option Service redirects traffic to the authentication portal (authentication rule). It allows you to specify URL categories or groups that are exempt from authentication; the listed sites therefore become accessible without authentication, which is useful for example when accessing update websites. The firewall’s security inspections can still be applied to such access. By default, the URL objects database contains a URL group named authentication_bypass, which holds Microsoft update websites. |
Logs section
Log destination for this rule | This option makes it possible to define one or several methods for storing logs generated by the rule (Disk, Syslog server and IPFIX collector, the same destinations referred to by the Log level field in the General tab). Each log will contain details of connections evaluated through the rule. |
Advanced properties section
Count | If you select this option, the Stormshield Network firewall will count the number of packets that correspond to this filter rule and generate a report. Volume information on a desired traffic type can therefore be obtained. |
Force source packets in IPsec | When this option is selected, for this filter rule, you will force packets from the network or source hosts to go through an active IPsec tunnel to reach their destination. |
Force return packets in IPsec | When this option is selected, for this filter rule, you will force return packets (responses) to go through an active IPsec tunnel in order to contact the host that initiated the traffic. |
Synchronize this connection between firewalls (HA) | When the firewall belongs to a cluster, this option enables or disables the synchronization of the connection corresponding to the rule between two cluster members. This option is enabled by default. |
Click on Ok to confirm your configuration.