Action

This zone refers to the action applied to the packet that meets the selection criteria of the filter rule. To define the various parameters of the action, double-click in the column. A window containing the following elements will appear:

General tab

General section

Action 5 different actions can be performed:
  • Pass: The Stormshield Network firewall allows the packet corresponding to this filter rule to pass. The packet stops moving down the list of rules.
  • Block: The Stormshield Network firewall silently blocks the packet corresponding to this filter rule: the packet is deleted without the sender being informed. The packet stops moving down the list of rules.
  • Decrypt: This action decrypts encrypted traffic. Decrypted traffic will continue to move down the list of rules. It will be encrypted again after the analysis (if it is not blocked by any rule).
  • Reinit. TCP/UDP: This option mainly concerns TCP and UDP traffic:
    For TCP traffic, a “TCP reset” packet will be sent to its sender.
    For UDP traffic, a “port unreachable” ICMP packet will be sent to its sender.
    As for other IP protocols, the Stormshield Network firewall will simply block the packet corresponding to this filter rule.
  • If you are editing the global filter policy, a fifth option will appear: "Delegate".
    This option makes it possible to stop comparing the traffic against the rest of the global policy, but to compare it directly with the local policy.

If your policy contained rules with the action Log only, you will see log only (deprecated) whenever you edit these rules.
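
The way these actions interact as a packet walks down the policy (first match wins, Decrypt does not stop the walk, Delegate hands the packet from the global policy to the local one) is easier to see in code. The following is an added example, not Stormshield code: packets and rules are constructed dicts, and the "block when nothing matches at all" default and the fall-through from an unmatched global policy to the local policy are assumptions made for this model.

```python
# Added example (not Stormshield code): a model of how the actions described above
# are applied as a packet walks down a filter policy, first the global policy and
# then the local one. Packets and rules are constructed dicts; the implicit "block
# when nothing matches" default is an assumption made for this model.
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str                    # "pass", "block", "decrypt", "reinit", "delegate"
    match: dict = field(default_factory=dict)   # selection criteria, e.g. {"proto": "tcp"}


def matches(rule: Rule, pkt: dict) -> bool:
    """A rule matches when every criterion equals the packet's field (empty = any)."""
    return all(pkt.get(k) == v for k, v in rule.match.items())


def reinit_response(pkt: dict):
    """Reinit. TCP/UDP: RST to a TCP sender, ICMP port unreachable to a UDP sender,
    silent drop (None) for any other IP protocol."""
    return {"tcp": "tcp-rst", "udp": "icmp-port-unreachable"}.get(pkt["proto"])


def walk_policy(rules, pkt: dict, decrypted: bool = False):
    """Evaluate one policy top-down (first match wins).
    Returns (verdict, rule_name, response, decrypted); verdict is one of
    "pass", "block", "delegate" or "no-match". Decrypt does not stop the walk."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "pass":
            return "pass", rule.name, None, decrypted
        if rule.action == "block":
            return "block", rule.name, None, decrypted
        if rule.action == "reinit":
            return "block", rule.name, reinit_response(pkt), decrypted
        if rule.action == "delegate":
            return "delegate", rule.name, None, decrypted
        if rule.action == "decrypt":
            decrypted = True          # traffic keeps moving down the list
            continue
        raise ValueError(f"unknown action {rule.action!r}")
    return "no-match", None, None, decrypted


def evaluate(global_rules, local_rules, pkt: dict) -> dict:
    """Global policy first; Delegate (or no global match, assumed here) hands the
    packet to the local policy. Nothing matching at all is blocked (assumed default)."""
    verdict, name, resp, dec = walk_policy(global_rules, pkt)
    policy = "global"
    if verdict in ("delegate", "no-match"):
        verdict, name, resp, dec = walk_policy(local_rules, pkt, dec)
        policy = "local"
    if verdict == "no-match":
        verdict, name, policy = "block", "implicit-default", "implicit"
    return {"verdict": verdict, "rule": name, "policy": policy,
            "response": resp, "inspected_decrypted": dec}


# Constructed policies: the global policy decrypts HTTPS and delegates it to the
# local policy, which allows it; telnet is reset by the global policy; UDP only
# matches in the local policy; anything else hits the assumed implicit block.
GLOBAL = [
    Rule("decrypt-https", "decrypt", {"proto": "tcp", "dport": 443}),
    Rule("reset-telnet", "reinit", {"proto": "tcp", "dport": 23}),
    Rule("delegate-web", "delegate", {"proto": "tcp", "dport": 443}),
]
LOCAL = [
    Rule("allow-web", "pass", {"proto": "tcp", "dport": 443}),
    Rule("reset-udp", "reinit", {"proto": "udp"}),
]

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "dport": 443}, {"proto": "tcp", "dport": 23},
                {"proto": "udp", "dport": 53}, {"proto": "icmp"}):
        print(pkt, "->", evaluate(GLOBAL, LOCAL, pkt))
```

Note that the HTTPS packet is reported as having been inspected in decrypted form even though the final Pass verdict comes from the local policy: the Decrypt rule never terminated the walk, it only changed what the later rules saw.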
Log level The value is set to Standard (connection log) by default, so no filter logs are recorded. Several log levels are possible:
  • Standard (connection log): No logs will be kept in filter logs if the packet corresponds to this rule. However, terminated connections can be logged (connection logs) depending on the configuration of the protocol associated with the rule, which is the case in a factory configuration.
    Do note that this option is not available if you have selected the “Log” action in the previous field.
  • Advanced (connection log and filtering log): In addition to logs in Standard mode, logs from all traffic that matches this rule will be captured. This option is not recommended on "Deny All" filter rules (except for debugging) as it will then generate a large amount of logs.
  • Minor alarm: As soon as this filter rule is applied to a connection, a minor alarm will be generated. This alarm is recorded in the logs, and can be sent via Syslog (Logs – Syslog – IPFIX) or by e-mail (see module E-mail alerts).
  • Major alarm: As soon as this filter rule is applied to a connection, a major alarm will be generated. This alarm is recorded in the logs, and can be sent via Syslog (Logs – Syslog – IPFIX) or by e-mail (see module E-mail alerts).

To fully disable logs, you need to disable the Disk, Syslog server and IPFIX collector checkboxes in the Log destination for this rule field (Advanced properties tab in the rule editing window).
Scheduling Select or create a time object.
You will then be able to define the period / day of the year / day of the week / time / recurrence when rules will be valid.

Objects can be created or modified directly from this field by clicking on

Routing section

Gateway – router This option makes it possible to specify a particular gateway to which traffic matching the rule will be redirected (policy-based routing). The selected gateway may be a host or router object.

Objects can be created or modified directly from this field by clicking on

IMPORTANT
If routers are specified in filter rules (Policy Based Routing), the availability of these routers will then be tested systematically by sending ICMP echo request messages. When a router that has been detected as unreachable is a host object, the default gateway entered in the Routing module will be selected automatically. If it is a router object, the action taken will depend on the value selected for the field If no gateways are available during the definition of this object (see the section Network objects).
For more technical information, refer to the technical support’s Knowledge Base (article "How does the PBR hostcheck work?").

Click on Ok to confirm your configuration.

Quality of service tab

The QoS module, built into Stormshield Network’s intrusion prevention engine, is associated with the Filtering module in order to provide Quality of Service features.

When a packet arrives on an interface, it will first be treated by a filter rule, then the intrusion prevention engine will assign the packet to the right queue according to the configuration of the filter rule’s QoS field.

QoS section

Queue

This field offers you the choice of several queues that you have defined earlier in the Security policy module, in the Quality of Service menu.

This operation does not apply (grayed out) to traffic going through the SSL proxy (Source menu > Advanced properties > Via field).

ACK queue

This field offers you the choice of several queues that you have defined earlier for TCP ACK traffic in Security policy > Quality of Service.

This operation does not apply (grayed out) to traffic going through the SSL proxy (Source menu > Advanced properties > Via field).

Fairness
  • No fairness: If you select this option, no particular amount of bandwidth will be assigned and each user/host/connection will use it according to their needs.
  • User fairness: bandwidth will be distributed evenly between users.
  • Host fairness: bandwidth will be distributed evenly between hosts.
  • Connection fairness: bandwidth will be distributed evenly between connections.

Connection threshold section

The Stormshield Network firewall may limit the maximum number of connections accepted per second for a filter rule. The desired number can be defined for protocols corresponding to the rule (TCP, UDP, ICMP and some application requests). This option also allows you to prevent a denial of service which hackers may attempt: you may limit the number of requests per second addressed to your servers.

Once this threshold has been exceeded, received packets will be blocked and ignored.

WARNING
The restriction only applies to the corresponding rule.

EXAMPLE
If you create an FTP rule, only a TCP restriction will be taken into account.

REMARKS
If the option is assigned to a rule containing an object group, the restriction applies to the whole group (total number of connections).

If threshold is reached
  • Do not do anything: no restrictions will be placed on the number of connections or requests per second (c/s).
  • Protect against SYN Flood: this option makes it possible to protect servers from TCP SYN packet flooding (“SYN flooding”) attacks. The SYN proxy will respond in place of the server and will assess the legitimacy of the TCP request before forwarding it to the server.
    You can limit the number of TCP connections per second for this filter rule in the field below.
  • Raise associated alarm: Depending on the maximum number of connections per second that you assign to the protocols below, the traffic will be blocked once the defined number has been exceeded. The identifiers of these alarms are: 28 ICMP / 29 UDP / 30 TCP SYN / 253 TCP/UDP.
TCP (c/s) Maximum number of connections per second allowed for the TCP protocol.
UDP (c/s) Maximum number of connections per second allowed for the UDP protocol.
ICMP (c/s) Maximum number of connections per second allowed for the ICMP protocol.
SCTP (c/s) Maximum number of connections per second allowed for the SCTP protocol.

Application requests (r/s)

Maximum number of application requests per second allowed for the HTTP and DNS protocols.
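
The following is an added example, not Stormshield code, of the counting behaviour the connection threshold fields describe: one counter per protocol per one-second window, attached to the rule rather than to an individual destination (so every host of an object group shares it), with packets above the limit dropped and the associated alarm raised once per window. The thresholds, timestamps and connection stream are constructed for the example; the SYN proxy option is not modelled, and the "253 TCP/UDP" alarm identifier is left out because the page does not say which field it belongs to.

```python
# Added example (not Stormshield code): a per-rule connection-rate limiter that
# models the "Connection threshold" behaviour: counts new connections per
# protocol in each one-second window, drops everything above the configured
# limit, and raises the associated alarm once per window.
from collections import defaultdict

# Alarm identifiers quoted on the page for the per-protocol limits.
ALARM_IDS = {"icmp": 28, "udp": 29, "tcp": 30}


class ConnectionThreshold:
    """Rate limiter attached to a single filter rule.

    limits: {"tcp": 100, "udp": 50, "icmp": 10, "sctp": 20} in connections per
    second; a protocol absent from the dict is unlimited. Because the limit
    belongs to the rule, connections to every host of an object group share
    the same counter (the page's "total number of connections" remark).
    """

    def __init__(self, limits: dict, on_threshold: str = "alarm"):
        if on_threshold not in ("nothing", "alarm"):
            raise ValueError("on_threshold must be 'nothing' or 'alarm'")
        self.limits = dict(limits)
        self.on_threshold = on_threshold
        self._window = None                 # integer second being counted
        self._counts = defaultdict(int)     # protocol -> connections this second
        self.alarms = []                    # (second, protocol, alarm id)

    def new_connection(self, proto: str, ts: float) -> str:
        """Return "accept" or "drop" for a connection attempt at time ts."""
        second = int(ts)
        if second != self._window:          # new one-second window: reset counters
            self._window = second
            self._counts.clear()
        self._counts[proto] += 1
        limit = self.limits.get(proto)
        if self.on_threshold == "nothing" or limit is None or self._counts[proto] <= limit:
            return "accept"
        if self._counts[proto] == limit + 1:   # first excess packet in this window
            self.alarms.append((second, proto, ALARM_IDS.get(proto)))
        return "drop"                       # above the threshold: blocked and ignored


def run_stream(stream, limits: dict, on_threshold: str = "alarm"):
    """Feed (timestamp, protocol, destination) tuples through one rule's limiter.
    Returns ({proto: {"accept": n, "drop": n}}, alarms)."""
    limiter = ConnectionThreshold(limits, on_threshold)
    tally = defaultdict(lambda: {"accept": 0, "drop": 0})
    for ts, proto, _dst in stream:
        tally[proto][limiter.new_connection(proto, ts)] += 1
    return dict(tally), limiter.alarms


# Constructed stream: a burst of TCP connections spread over two servers that
# belong to the same object group, then a few more TCP and UDP connections,
# over three consecutive seconds.
SAMPLE_STREAM = (
    [(0.0 + i * 0.1, "tcp", "srv-a" if i % 2 else "srv-b") for i in range(8)]
    + [(1.0 + i * 0.2, "tcp", "srv-a") for i in range(3)]
    + [(2.0 + i * 0.3, "udp", "srv-b") for i in range(3)]
)

if __name__ == "__main__":
    tally, alarms = run_stream(SAMPLE_STREAM, {"tcp": 5, "udp": 2})
    print(tally)    # TCP: 8 accepted (5 + 3), 3 dropped; UDP: 2 accepted, 1 dropped
    print(alarms)   # [(0, 'tcp', 30), (2, 'udp', 29)]
```

The eight TCP connections in the first second are split between two servers, but only five get through: the counter is the rule's, not the destination's. Switching the action to "Do not do anything" keeps the counters but never drops or alarms.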

Click on Ok to confirm your configuration.

DSCP section

DSCP (Differentiated Services Code Point) is a field in the IP packet header. The purpose of this field is to allow services contained in a network architecture to be differentiated. It will specify a mechanism for classifying and controlling traffic while providing quality of service (QoS).

Impose value By selecting this option, you will enable the field below and allow access to the DSCP service.
This option makes it possible to rewrite the packet with the given value, so that the next router will know the priority to apply to this packet.
New DSCP value In this field, traffic differentiation can be defined. Through this field, it is possible to determine which service a type of traffic belongs to, thanks to a pre-established code. This DSCP service, used in the context of Quality of Service, allows the administrator to apply QoS rules according to the service differentiation that he has defined.
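
On the wire, "Impose value" on IPv4 means rewriting the upper six bits of the second header byte (the former ToS byte) while leaving the two ECN bits alone, then recomputing the header checksum. The following added example (not Stormshield code) does exactly that on a constructed packet; the DSCP names and values are the standard code points from RFC 2474, RFC 2597 and RFC 3246.

```python
# Added example (not Stormshield code): what "Impose value" amounts to on the
# wire for IPv4. DSCP is the upper six bits of the second header byte; the lower
# two bits carry ECN and must survive the rewrite, and the IPv4 header checksum
# has to be recomputed. The sample packet is constructed here.
import struct

# Standard DSCP code points (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF).
DSCP = {"CS0": 0, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34, "CS5": 40, "EF": 46}


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over the header, checksum field included."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def header_length(packet: bytes) -> int:
    return (packet[0] & 0x0F) * 4


def dscp_of(packet: bytes) -> int:
    return packet[1] >> 2


def ecn_of(packet: bytes) -> int:
    return packet[1] & 0x03


def checksum_ok(packet: bytes) -> bool:
    """A header with a valid checksum sums to all ones, so the complement is 0."""
    return ipv4_checksum(packet[:header_length(packet)]) == 0


def impose_dscp(packet: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP bits, keep ECN, fix the checksum, leave the payload alone."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if packet[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = header_length(packet)
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)      # new DSCP, ECN bits preserved
    hdr[10:12] = b"\x00\x00"                    # zero the checksum before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def build_sample_ipv4(tos: int = 0, payload: bytes = b"") -> bytes:
    """Constructed UDP/IPv4 packet from 192.0.2.10 to 198.51.100.20 (documentation ranges)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0x1234,
                      0x4000, 64, 17, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


if __name__ == "__main__":
    pkt = build_sample_ipv4(tos=0x02, payload=b"constructed payload")   # ECN = ECT(0)
    marked = impose_dscp(pkt, DSCP["EF"])
    print(dscp_of(pkt), "->", dscp_of(marked), "ecn kept:", ecn_of(marked),
          "checksum ok:", checksum_ok(marked))
```

A rewrite that clobbered the ECN bits or forgot the checksum would still leave the DSCP readable, which is why both are checked explicitly rather than just the code point.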

Click on Ok to confirm your configuration.

Advanced properties tab

Redirection section

Service
  • None: This option means that none of the following services will be used: the user will not go through the HTTP proxy and will not be redirected to the authentication page.
  • HTTP proxy: If you select this option, the HTTP proxy will intercept user connections and scan traffic.
    This service will be selected when rules are created by the explicit HTTP proxy wizard.
  • Authentication: If you select this option, unauthenticated users will be redirected to the captive portal when they connect.
    This service will be selected when rules are created by the authentication wizard.
Redirect incoming SIP calls (UDP) This option allows the Stormshield Network firewall to manage incoming SIP-based communications to internal hosts masked by address translation (NAT).
URLs without authentication This field becomes accessible if the previous option Service redirects traffic to the authentication portal (authentication rule).
It allows specifying URL categories or groups that are exempt from authentication; the listed sites therefore become accessible without authentication, which is useful for example in accessing update websites. The firewall’s security inspections can still be applied to such access. By default, the URL objects database contains a URL group named authentication_bypass that includes Microsoft update websites.

Logs section

Log destination for this rule This option makes it possible to define one or several methods for storing logs generated by the rule:
  • Disk: local storage.
  • Syslog server: the Syslog profile(s) including Filter policy logs must be defined in the SYSLOG tab of the menu Notifications > Logs - Syslog - IPFIX.
  • IPFIX collector: the IPFIX collector(s) must be defined in the IPFIX tab of the menu Notifications > Logs - Syslog - IPFIX.

Each log will contain details of connections evaluated through the rule.

Advanced properties section

Count If you select this option, the Stormshield Network firewall will count the number of packets that correspond to this filter rule and generate a report.
Volume information on a desired traffic type can therefore be obtained.
Force source packets in IPsec When this option is selected, for this filter rule, you will force packets from the network or source hosts to go through an active IPsec tunnel to reach their destination.
Force return packets in IPsec When this option is selected, for this filter rule, you will force return packets (responses) to go through an active IPsec tunnel in order to contact the host that initiated the traffic.
Synchronize this connection between firewalls (HA) When the firewall belongs to a cluster, this option enables or disables the synchronization of the connection corresponding to the rule between two cluster members.
This option is enabled by default.

Click on Ok to confirm your configuration.