Filtering

Network objects (hosts, networks and IP address ranges) may have addresses in IPv6, or in a hybrid mode (IPv4 and IPv6). Filter policies can therefore be applied to IPv6 objects and can use the security inspection feature (customizable inspection profiles).

However, application inspection (Antivirus, Antispam and URL, SMTP, FTP and SSL filtering) and address translation (NAT) features are not available for IPv6 objects in this version (the NAT tab is renamed “NAT IPv4” when IPv6 is enabled).

“Filtering” tab

Filtering consists of two parts. The strip at the top of the screen allows choosing the filter policy, activating it, editing it and seeing its last modification. The filter table is dedicated to the creation and configuration of rules.

Actions on filter policy rules

The available actions are the same as those for rules including IPv4 or IPv6 objects.

REMARK
NDP (Neighbour Discovery Protocol) traffic will never be blocked, even in the case of a “block all” filter policy. This concerns NS (Neighbour Solicitation) and NA (Neighbour Advertisement) messages.

In Stormshield Network 1.0, certain actions that can only apply to IPv4 traffic will generate warnings ( icon) or errors ( icon) in the field “Checking the policy” if IPv6 objects are included in the filter rules.

Standard rule including objects with different IP versions in the source and destination [Rule X] Source and Destination objects do not use the same IP addressing version (IPv4/IPv6).
Authentication rule including IPv6 objects [Rule X] Redirection to services will only be performed on IPv4 traffic.
Inspection SSL rule including IPv6 objects [Rule X] The action “decrypt” will only apply to IPv4 traffic.
Explicit HTTP proxy rule including IPv6 objects

[Rule X] Cannot apply proxy or NAT on IPv6 traffic.
Rule with NAT on the destination including IPv6 objects [Rule X] NAT on destination will only apply to IPv4 traffic.
Rule including IPv6 objects and using application inspections (Antivirus, Antispam, URL filtering, SMTP filtering, FTP filtering or SSL filtering) [Rule X] Application inspections will only apply to IPv4 traffic.