Source

This field refers to the source of the treated packet, and is used as a selection criterion for the rule. Double-click in this zone to select the associated value in a dedicated window.

This window contains three tabs:

General tab

General

User The rule will apply to the user that you select in this field.
You can filter the list of users by authentication method or LDAP directory by clicking on the filter icon. Only enabled directories and methods (the Available methods tab in the Authentication module, and the LDAP directories defined in the Directory configuration module) are offered in this filter list.

Depending on the authentication method, several generic users will be suggested:
  • "Any user@any": refers to any authenticated user, regardless of the directory or authentication method used.
  • "Any user@guest_users.local.domain": refers to any user authenticated via the "Guest" method.
  • "Any user@voucher_users.local.domain": refers to any user authenticated via the "Temporary accounts" method.
  • "Any user@sponsored_users.local.domain": refers to any user authenticated via the "Sponsorship" method.
  • "Any user@none": refers to any user authenticated via a method that does not rely on an LDAP directory (e.g. Kerberos).
  • "Unknown users": refers to any unknown or unauthenticated user.

NOTE
In order for unauthenticated users to be automatically redirected to the captive portal, at least one rule must be defined, applying to the object “unknown users”. This rule will also apply when an authentication expires.
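The following is an added example, not Stormshield code: a small model of how the User source field selects sessions, built from the generic user objects listed above. How the firewall represents sessions internally is not documented here; the Session class, the use of "none" as the domain of directory-less methods, the ordered rule list and the sample directory name corp.example.com are assumptions made for the illustration. It also shows why the NOTE insists on a rule for "Unknown users": without it, unauthenticated traffic falls through to the implicit deny instead of the captive portal.

```python
"""Added example (not Stormshield code): model of User-source matching in a
filter rule. Session representation and method-domain names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """Authentication state of the source host.

    user=None models an unauthenticated session, or one whose authentication
    has expired; both are what the manual calls an "unknown user".
    domain is the LDAP directory the user authenticated against, one of the
    *.local.domain method domains, or "none" for methods that use no LDAP
    directory (e.g. Kerberos).  (Assumed representation.)
    """
    user: Optional[str] = None
    domain: Optional[str] = None


def user_source_matches(rule_source: str, session: Session) -> bool:
    """Return True when the rule's User source selects this session."""
    if rule_source == "Unknown users":
        return session.user is None
    if session.user is None:
        return False            # only "Unknown users" selects unauthenticated traffic
    if rule_source == "Any user@any":
        return True             # any authenticated user, any directory or method
    name, _, domain = rule_source.partition("@")
    if domain != session.domain:
        return False
    return name == "Any user" or name == session.user


def first_matching_action(rules: List[Tuple[str, str]], session: Session) -> str:
    """Evaluate an ordered list of (user_source, action) pairs; first match wins.
    The implicit final deny is a constructed default."""
    for source, action in rules:
        if user_source_matches(source, session):
            return action
    return "block"


# Constructed policy: authenticated users pass (with more specific rules first),
# and unknown users are redirected to the captive portal, as the NOTE requires.
POLICY: List[Tuple[str, str]] = [
    ("Any user@none", "pass-kerberos"),
    ("Any user@sponsored_users.local.domain", "pass-sponsored"),
    ("Any user@any", "pass"),
    ("Unknown users", "redirect-to-captive-portal"),
]

# Same policy with the "Unknown users" rule left out: unauthenticated hosts are
# simply blocked, so the portal redirection never happens.
POLICY_WITHOUT_UNKNOWN: List[Tuple[str, str]] = POLICY[:-1]


if __name__ == "__main__":
    for s in (Session(), Session("carol", "none"),
              Session("dan", "sponsored_users.local.domain"),
              Session("erin", "corp.example.com")):
        print(s, "->", first_matching_action(POLICY, s))
```

The order of the entries matters: the generic "Any user@any" rule must come after the more specific per-method rules, and the "Unknown users" rule is the only one that can ever select a session without an authenticated user.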

Source hosts The rule will apply to the object or the user (created beforehand in the dedicated menu: Objects > Network objects) that you select in this field. The source host is the host from which the connection originated.

You can Add or Delete objects by clicking on the corresponding icon.

Objects can be created or modified directly from this field by clicking on the dedicated icon.
Incoming interface Interface on which the filter rule applies, presented in the form of a drop-down list. By default, the firewall selects it automatically according to the operation and source IP addresses.
It can be modified to apply the rule to another interface. This also allows a particular interface to be specified if “Any” has been selected as the source host.

Web Services and IP Reputations

Select a service or an IP reputation category

This field makes it possible to apply the filter rule to hosts with public IP addresses classified under one of the categories below:

  • Official web services (list updated dynamically via Stormshield Active Update),
  • Malicious (list updated dynamically via Stormshield Active Update):
    • anonymizer: proxies, IPv4 to IPv6 converters.
    • botnet: infected hosts running malicious programs.
    • exploit: IP addresses known for having been at the source of vulnerability exploits.
    • malware: hosts distributing malicious programs.
    • tor entry node: inbound endpoint servers of the Tor network.
    • tor exit node: outbound endpoint servers of the Tor network.
    • phishing: compromised mail servers.
    • scanner: hosts that conduct port scanning or launch brute force attacks.
    • spam: compromised mail servers.
    • suspicious: groups hosts and IP addresses that do not appear very trustworthy, and which are likely to cause false positives. This category is not included in bad by default.
  • Groups:
    • Official web services grouped by function (remote access, web conferencing, etc.) or by provider (Apple, Google, etc.),
    • Bad: groups all malicious reputation categories except suspicious,
    • Malicious: groups bad and two malicious external URL databases.
    • Tor nodes: groups tor entry nodes and tor exit nodes.

NOTE
Since the reputation of a public IP address may border on two categories (botnet and malware), and this field only allows one category to be selected, you are advised to use the "bad" group for optimum protection.
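As an added example (not Stormshield code), the block below models the category and group selection described above, to show concretely why a rule restricted to a single category can miss hosts while the "bad" group catches them and still leaves "suspicious" alone. The reputation tags attached to the sample 203.0.113.x addresses are constructed; how Active Update actually labels addresses is not shown in the manual, and the two external URL databases included in the "Malicious" group are not IP categories, so they are not modelled.

```python
"""Added example (not Stormshield code): IP reputation category/group matching.
Host tag sets below are constructed for illustration."""
from typing import Dict, FrozenSet, Iterable, List, Set

# The individual malicious categories listed in the manual.
MALICIOUS_CATEGORIES: FrozenSet[str] = frozenset({
    "anonymizer", "botnet", "exploit", "malware", "tor entry node",
    "tor exit node", "phishing", "scanner", "spam", "suspicious",
})

# Groups as the manual defines them: "bad" is every malicious category except
# "suspicious"; "tor nodes" is the two Tor categories.  "malicious" (bad plus
# two external URL databases) is omitted because URL databases are not IP tags.
GROUPS: Dict[str, FrozenSet[str]] = {
    "bad": MALICIOUS_CATEGORIES - {"suspicious"},
    "tor nodes": frozenset({"tor entry node", "tor exit node"}),
}


def expand_selection(selection: str) -> FrozenSet[str]:
    """Resolve the single value chosen in the rule to the set of categories it covers."""
    if selection in GROUPS:
        return GROUPS[selection]
    if selection in MALICIOUS_CATEGORIES:
        return frozenset({selection})
    raise ValueError(f"unknown category or group: {selection!r}")


def rule_selects(selection: str, host_categories: Iterable[str]) -> bool:
    """A rule applies when at least one of the host's tags is in the selection."""
    return bool(expand_selection(selection) & set(host_categories))


# Constructed reputation data: a host may carry several tags at once, which is
# exactly the situation the NOTE warns about (botnet and malware together).
SAMPLE_REPUTATIONS: Dict[str, Set[str]] = {
    "203.0.113.10": {"botnet", "malware"},
    "203.0.113.20": {"malware"},
    "203.0.113.30": {"suspicious"},
    "203.0.113.40": set(),          # clean public address
}


def hosts_selected(selection: str) -> List[str]:
    """Addresses from the sample data that a rule with this selection would match."""
    return sorted(ip for ip, tags in SAMPLE_REPUTATIONS.items()
                  if rule_selects(selection, tags))


if __name__ == "__main__":
    for sel in ("botnet", "malware", "bad", "suspicious", "tor nodes"):
        print(f"{sel:>10}: {hosts_selected(sel)}")
```

A rule on "botnet" alone selects only 203.0.113.10 and misses 203.0.113.20, which is tagged "malware" only; "bad" selects both while leaving the "suspicious"-only host and the clean host untouched, which is the behaviour the NOTE recommends relying on.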


Click on Ok to confirm your configuration.

NOTE
Filter rules with a user@object source type (except any or unknown@object), and with a protocol other than HTTP, do not apply to Multi-user Objects (Authentication > Authentication policy). This behavior is inherent in the packet treatment mechanism used by the intrusion prevention engine.

Geolocation/Reputation tab

Geolocation

Select a region This field allows the filter rule to be applied to hosts with a public IP address belonging to a country, continent or group of regions (group of countries and/or continents) defined beforehand in the Objects > Network objects module.

Host reputation

Enable filtering based on reputation score Select this checkbox in order to enable filtering based on the reputation score of hosts on the internal network.
To enable host reputation management and to define the hosts affected by the calculation of a reputation score, go to the Application protection > Host reputation module.
Reputation score This field makes it possible to select the reputation score above which, or below which, the filter rule will apply to the monitored hosts.

Click on Ok to confirm your configuration.

Advanced properties tab

Advanced properties

Source port This field makes it possible to specify the port used by the source host, if it has a particular value.
By default, the "Stateful" module memorizes the source port used and only this port will then be allowed for return packets.

Objects can be created or modified directly from this field by clicking on the dedicated icon.
Via
  • Any: This option implies that none of the following services will be used – the connection will not go through the HTTP proxy, will not be redirected to the authentication page and will not go through an IPsec VPN tunnel.
  • Explicit HTTP proxy: Traffic originates from the HTTP proxy.
  • SSL proxy: Traffic originates from the SSL proxy.
  • IPsec VPN tunnel: Traffic comes from an IPsec VPN tunnel.
  • SSL VPN tunnel: Traffic comes from an SSL VPN tunnel.
Source DSCP This field makes it possible to filter by the value of the DSCP field of the packet received.
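To make the Source DSCP criterion concrete, here is an added example (not Stormshield code) that builds constructed IPv4 and IPv6 headers with a chosen DSCP value, reads the DSCP back out of the received header and evaluates a rule against it. It goes slightly beyond the text by covering IPv6 as well as IPv4: in IPv4 the DSCP is the upper six bits of the second header byte (the former TOS byte), in IPv6 it is the upper six bits of the 8-bit Traffic Class field. The code point names come from the standard DSCP assignments; the addresses used are documentation ranges.

```python
"""Added example (not Stormshield code): extracting the DSCP field from an IP
header and matching it against a filter rule's Source DSCP value."""
import socket
import struct

# Standard DSCP code points (RFC 2474 class selectors, RFC 2597 AF classes,
# RFC 3246 Expedited Forwarding); used only to label values for the reader.
DSCP_NAMES = {0: "CS0", 8: "CS1", 10: "AF11", 18: "AF21", 26: "AF31",
              34: "AF41", 46: "EF", 48: "CS6", 56: "CS7"}


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(dscp: int, ecn: int, src: str, dst: str, payload_len: int = 0) -> bytes:
    """Constructed IPv4/UDP header with the given DSCP and ECN bits."""
    ds_field = ((dscp & 0x3F) << 2) | (ecn & 0x03)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, ds_field, 20 + payload_len, 0, 0x4000, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def build_ipv6_header(dscp: int, ecn: int, src: str, dst: str, payload_len: int = 0) -> bytes:
    """Constructed IPv6/UDP header; Traffic Class occupies bits 4-11 of the first word."""
    traffic_class = ((dscp & 0x3F) << 2) | (ecn & 0x03)
    first_word = (6 << 28) | (traffic_class << 20)          # flow label left at 0
    return struct.pack("!IHBB16s16s", first_word, payload_len, 17, 64,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst))


def parse_dscp(packet: bytes) -> int:
    """Return the 6-bit DSCP of a received IPv4 or IPv6 packet."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        if len(packet) < 20:
            raise ValueError("truncated IPv4 header")
        return packet[1] >> 2                               # DS byte, drop the 2 ECN bits
    if version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        (first_word,) = struct.unpack_from("!I", packet, 0)
        traffic_class = (first_word >> 20) & 0xFF
        return traffic_class >> 2
    raise ValueError(f"unsupported IP version {version}")


def source_dscp_rule_applies(packet: bytes, rule_dscp: int) -> bool:
    """The rule applies only when the packet's DSCP equals the configured value."""
    return parse_dscp(packet) == rule_dscp


if __name__ == "__main__":
    voice = build_ipv4_header(46, 0, "192.0.2.10", "198.51.100.20")
    bulk = build_ipv6_header(10, 0, "2001:db8::10", "2001:db8::20")
    for pkt in (voice, bulk):
        d = parse_dscp(pkt)
        print(f"DSCP {d} ({DSCP_NAMES.get(d, '?')}), rule for EF applies:",
              source_dscp_rule_applies(pkt, 46))
```

Note that a Source DSCP criterion only sees the marking as it arrives at the firewall; a router between the source and the firewall may have rewritten it, so the value is an attribute of the received packet, not a proof of who sent it.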

Authentication

Authentication method In this field, the application of the filter rule can be restricted to the selected authentication method.

Click on Ok to confirm your configuration.