Destination

Destination object used as a selection criterion for the rule. Double-click in this zone to select the associated value in a dedicated window. This window contains two tabs:

General tab

General

Destination hosts: Select the destination host of the traffic from the object database in the drop-down list.
You can Add or Delete objects by clicking on the corresponding icon.

Objects can be created or modified directly from this field by clicking on the corresponding icon.

Web Services and IP Reputations

Select a service or an IP reputation category

This field makes it possible to apply the filter rule to hosts with public IP addresses classified under one of the categories below:

  • Official web services (list updated dynamically via Stormshield Active Update).
  • Malicious (list updated dynamically via Stormshield Active Update):
    • anonymizer: proxies, IPv4 to IPv6 converters.
    • botnet: infected hosts running malicious programs.
    • exploit: IP addresses known for having been at the source of vulnerability exploits.
    • malware: hosts distributing malicious programs.
    • tor entry node: inbound endpoint servers of the Tor network.
    • tor exit node: outbound endpoint servers of the Tor network.
    • phishing: compromised mail servers.
    • scanner: hosts that conduct port scanning or launch brute force attacks.
    • spam: compromised mail servers.
    • suspicious: groups hosts and IP addresses that do not appear very trustworthy, and which are likely to cause false positives. This category is not included in bad by default.
  • Groups:
    • Official web services grouped by function (remote access, web conferencing, etc.) or by provider (Apple, Google, etc.).
    • Bad: groups all malicious reputation categories except suspicious.
    • Malicious: groups bad and two malicious external URL databases.
    • Tor nodes: groups tor entry nodes and tor exit nodes.

NOTE
Since the reputation of a public IP address may border on two categories (botnet and malware), and this field only allows one category to be selected, you are advised to use the "bad" group for optimum protection.


Click on OK to confirm your configuration.

Geolocation/Reputation tab

Geolocation

Select a region: This field makes it possible to apply the filter rule to hosts with a public IP address belonging to a country, continent or group of regions (group of countries and/or continents) defined beforehand in the Objects > Network objects module.

Host reputation

Enable filtering based on reputation score: Select this checkbox in order to enable filtering based on the reputation score of hosts on the internal network.
To enable host reputation management and to define the hosts affected by the calculation of a reputation score, go to the Application protection > Host reputation module.
Reputation score: This field allows selecting the reputation score above which or below which, depending on the comparison icon selected, the filter rule will apply to the monitored destination hosts.

Click on OK to confirm your configuration.
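The reputation categories and groups from the General tab, and the geolocation and reputation score criteria from this tab, all reduce to the same question: does this destination host satisfy every criterion configured on the rule? The following Python model is an added example, not Stormshield's own code, showing how those criteria combine. Category and group names follow the page; the two external URL databases in the "malicious" group are unnamed on the page and appear as placeholders; the inclusive comparison for the score threshold, the sample hosts, countries and scores are all constructed assumptions.

```python
"""Added example (not Stormshield's code): a small model of the Destination
criteria described above (IP reputation category or group, geolocation region,
host reputation score) deciding whether a filter rule applies to a host."""

from dataclasses import dataclass
from typing import Optional

# Malicious reputation categories named on the page.
MALICIOUS_CATEGORIES = frozenset({
    "anonymizer", "botnet", "exploit", "malware", "tor entry node",
    "tor exit node", "phishing", "scanner", "spam", "suspicious",
})

# Placeholders: the page does not name the two external URL databases.
EXTERNAL_URL_DBS = frozenset({"external url db A", "external url db B"})

# Groups as described: "bad" is every malicious category except "suspicious";
# "tor nodes" is both Tor node categories; "malicious" is "bad" plus the two
# external databases, so it is built after "bad".
GROUPS = {
    "bad": MALICIOUS_CATEGORIES - {"suspicious"},
    "tor nodes": frozenset({"tor entry node", "tor exit node"}),
}
GROUPS["malicious"] = GROUPS["bad"] | EXTERNAL_URL_DBS


def expand_selection(selection: str) -> frozenset:
    """Categories covered by the one selected value (a group or a category)."""
    return GROUPS.get(selection, frozenset({selection}))


def matches_reputation(host_categories, selection: str) -> bool:
    """True when any category assigned to the host is covered by the selection."""
    return bool(frozenset(host_categories) & expand_selection(selection))


# Geolocation: a selection is a country, a continent, or a predefined group of
# countries and/or continents. Constructed sample data stands in for the
# Objects > Network objects module.
CONTINENTS = {"europe": {"FR", "DE"}, "north america": {"US", "CA"}}
REGION_GROUPS = {"partners": {"FR", "north america"}}  # constructed group


def expand_region(selection: str) -> set:
    """Country codes covered by a region selection (groups expand recursively)."""
    if selection in REGION_GROUPS:
        covered = set()
        for member in REGION_GROUPS[selection]:
            covered |= expand_region(member)
        return covered
    if selection in CONTINENTS:
        return set(CONTINENTS[selection])
    return {selection}


def matches_region(country: Optional[str], selection: str) -> bool:
    return country in expand_region(selection)


@dataclass
class ScoreCriterion:
    """Threshold with the 'above which' (above=True) or 'below which' icon.
    Treating the comparison as inclusive is an assumption of this example."""
    threshold: int
    above: bool


def matches_score(score: Optional[int], crit: ScoreCriterion) -> bool:
    if score is None:  # host not monitored by Host reputation: it has no score
        return False
    return score >= crit.threshold if crit.above else score <= crit.threshold


@dataclass
class Host:
    ip: str
    categories: frozenset = frozenset()
    country: Optional[str] = None
    score: Optional[int] = None


@dataclass
class DestinationCriteria:
    reputation: Optional[str] = None
    region: Optional[str] = None
    score: Optional[ScoreCriterion] = None


def destination_matches(host: Host, crit: DestinationCriteria) -> bool:
    """Every configured criterion must hold for the rule to apply to the host."""
    if crit.reputation and not matches_reputation(host.categories, crit.reputation):
        return False
    if crit.region and not matches_region(host.country, crit.region):
        return False
    if crit.score and not matches_score(host.score, crit.score):
        return False
    return True


# Constructed sample hosts (documentation address ranges, made-up data).
HOSTS = [
    Host("203.0.113.10", frozenset({"botnet", "malware"}), "US"),
    Host("203.0.113.11", frozenset({"malware"}), "FR"),
    Host("198.51.100.7", frozenset({"suspicious"}), "DE"),
    Host("10.0.0.5", country="FR", score=120),  # internal, monitored host
]


def hosts_matching(crit: DestinationCriteria) -> list:
    return [h.ip for h in HOSTS if destination_matches(h, crit)]


if __name__ == "__main__":
    # A single category misses the host classified only as "malware";
    # the "bad" group, as the note recommends, covers both malicious hosts.
    print(hosts_matching(DestinationCriteria(reputation="botnet")))
    print(hosts_matching(DestinationCriteria(reputation="bad")))
    print(hosts_matching(DestinationCriteria(region="partners",
                                             score=ScoreCriterion(100, above=True))))
```

Running the block shows why the note recommends the "bad" group: a host that carries both the botnet and malware categories is matched by either single category, but a host carrying only one of them is missed unless the rule selects the group. The "suspicious" host is matched by neither "bad" nor "malicious", consistent with the page's description of that category.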

Advanced properties tab

Advanced properties

Outgoing interface: This option allows choosing the packet’s outgoing interface, to which the filter rule applies.
By default, the firewall selects it automatically according to the operation and destination IP addresses. A packet’s outgoing interface can be used as a filtering criterion.

NAT on the destination

Destination: If you wish to translate the traffic’s destination IP address, select one from the objects in the drop-down list. Otherwise, leave the field empty, i.e. “None” by default.

NOTE
As this traffic has already been translated by this option, the other NAT rules in the current policy will not be applied to this traffic.


Objects can be created or modified directly from this field by clicking on the corresponding icon.

ARP publication on external destination (public)

This option has been added so that an ARP publication can be specified when a filter rule with a NAT operation is used on the destination. It must be enabled if the destination public IP address (before applying NAT) is a virtual IP address and does not belong to the UTM.

NOTE
Another way to set up this publication would be to add the virtual IP address of the affected interface in the Interfaces module.

Click on OK to confirm your configuration.