Modifying a GRETAP interface

Double-click on the GRETAP interface that you wish to modify - the control panel of the interface will open.

“General configuration” tab

Status

ON / OFF Set the switch to ON / OFF to enable / disable the interface.
Disabled interfaces cannot be used. You can disable interfaces that are not active but which you intend to use in the future. Disabling an interface that is not in use is an additional security measure against intrusions, since it removes an entry point that nobody is monitoring.

General Settings

Name (mandatory) Name given to the GRETAP interface. (See warning in the introduction to the section on Interfaces)
Comments Allows you to enter comments regarding the interface.
This interface is An interface can either be “internal (protected)” or “external (public)”.
If you select “internal (protected)”, you are indicating that this interface is protected. This protection includes remembering machines that have logged on to this interface, conventional traffic security mechanisms (TCP) and implicit rules for services offered by the firewall such as DHCP (see the section Implicit rules). Protected interfaces are represented by a shield icon.
If you select “external (public)”, you are indicating that this part of the network is linked up to the internet. In most cases, the external interface, linked up to the internet, has to be in external mode. The shield icon disappears when this option is selected.

GRETAP tunnel address

Tunnel source Select the network object that corresponds to the bridge that supports the GRETAP interface.
Tunnel destination Select (or create) the network object that corresponds to the public address of the appliance that hosts the remote GRETAP interface.

Address range

Address range inherited from the bridge If the interface is part of a bridge, the address range of the bridge can be retrieved. When this checkbox is selected, a Bridge field makes it possible to select the parent bridge of the interface.
Dynamic / Static Select this checkbox to define the interface's own IP address, either static or obtained via DHCP.

When it is selected, the IPv4 address field appears, in which you choose one of the following address types.

Dynamic IP (obtained by DHCP) Select this option to indicate to the firewall that the configuration of the bridge (IP address and mask) is obtained via DHCP. In this case, "Advanced DHCP properties" will be enabled.
Fixed IP (static) By selecting this option, the interface will have a static address range. In this case, its IP address and subnet mask must be indicated.

Here, several associated IP addresses and network masks may be defined for the same interface (for example, to create aliases). These aliases allow you to use this Stormshield Network firewall as a central routing point: an interface can be connected to several sub-networks, each with a different address range. To add or remove them, use the Add and Delete buttons located above the fields in the table.

Several IP addresses (aliases) can be added in the same address range on an interface. In this case, these addresses must all have the same mask. Reloading the network configuration will apply this mask on the first address and a mask /32 on the following addresses.
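The mask rule above is easy to get wrong when several aliases are entered by hand. The following Python script is an added example, not part of the Stormshield documentation or product: it models the behaviour described (the first address in a range keeps its mask, later addresses in the same range are applied with /32, and aliases in one range must share a mask) so that an alias list can be checked before the network configuration is reloaded. The sample alias list is constructed for the example, and matching ranges in the order the aliases are given is this model's own assumption.

```python
from ipaddress import IPv4Interface, IPv4Network
from typing import List

# Constructed sample: three aliases entered on one GRETAP interface.
# Two share the 192.168.10.0/24 range; the third is a separate range.
SAMPLE_ALIASES = ["192.168.10.1/24", "192.168.10.2/24", "10.1.0.1/16"]


def apply_alias_masks(aliases: List[str]) -> List[str]:
    """Model the mask assignment a network reload performs on aliases.

    The first address seen in an address range keeps its configured mask and
    defines that range; every later address falling in the same range is
    applied with a /32 mask. Aliases in one range must all carry the same
    mask, otherwise a ValueError is raised. Ranges are matched in the order
    the aliases are given (an assumption of this model).
    """
    anchored: List[IPv4Network] = []   # ranges already defined by a first address
    applied: List[str] = []
    for entry in aliases:
        iface = IPv4Interface(entry)   # raises ValueError on a malformed entry
        rng = next((n for n in anchored if iface.ip in n), None)
        if rng is None:
            # first address in this range: keeps its mask and anchors the range
            anchored.append(iface.network)
            applied.append(f"{iface.ip}/{iface.network.prefixlen}")
            continue
        if iface.network.prefixlen != rng.prefixlen:
            raise ValueError(
                f"{entry}: all aliases in {rng} must use mask /{rng.prefixlen}"
            )
        # following address in an already anchored range: reload applies /32
        applied.append(f"{iface.ip}/32")
    return applied


if __name__ == "__main__":
    for configured, effective in zip(SAMPLE_ALIASES, apply_alias_masks(SAMPLE_ALIASES)):
        print(f"{configured:>18} -> {effective}")
```

Run it on the alias list you intend to enter: a ValueError points at the first alias whose mask differs from the others in its range, and the printed right-hand column is the mask the interface will actually carry after the reload.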

Advanced DHCP properties

These properties can be accessed only when Dynamic IP (obtained by DHCP) has been selected for the interface.

DNS name (optional) Fully qualified host name (FQDN) that the firewall sends in its DHCP request for this connection.
If this field is filled in and the external DHCP server supports automatic DNS updates, the DHCP server will update the DNS server with the name and the IP address provided by the firewall, as well as the allocated lease time. The Requested lease time (seconds) field must also be filled in.
Requested lease time (seconds) (mandatory) Period during which the IP address is kept before renegotiation.
Request domain name servers from the DHCP server and create host objects If this option is selected, the firewall will retrieve DNS servers from the DHCP server (access provider, for example) that provided its IP address.
Two objects will be dynamically created in the object database when this option is selected: Firewall_<interface name>_dns1 and Firewall_<interface name>_dns2. They can then be used in the configuration of the DHCP service. So, if the firewall provides the users on its network with a DHCP service, the users will also benefit from the DNS servers given by the access provider.

NOTE
This option will be disabled if the option Dynamic IP (obtained by DHCP) was not selected in the Configuration of the interface tab.

“Advanced properties” tab

Other settings

MTU Maximum length (in bytes) of frames transmitted on the physical medium (Ethernet) so that they are sent in one go (without fragmentation). This option is not available for interfaces contained in a bridge.
Physical (MAC) address Since the GRETAP interface is contained in a bridge, it will have the same MAC address as the bridge.

Routing without analysis

NOTE
This panel does not appear if the option Address range inherited from the bridge was not selected in the General configuration tab.


Authorize without analyzing Allows IPX (Novell network), Netbios (on NETBEUI), AppleTalk (for Macintosh), PPPoE or IPv6 packets to pass between the bridge’s interfaces. No high-level analysis or filtering is applied to these protocols: the firewall either blocks them or lets them through as a whole.

Routing by interface

NOTE
This panel does not appear if the option Address range inherited from the bridge was not selected in the General configuration tab.


Keep initial routing This option asks the firewall not to modify the destination in the Ethernet layer when a packet goes through it. The packet is resent to the same MAC address from which it was received. The purpose of this option is to make it easier to insert the firewall transparently into an existing network, since the default route of machines on the internal network does not have to be modified.

KNOWN LIMITATIONS
Features on a firewall that inserts or modifies packets in sessions may fail to function correctly. The affected features are:

  • Connection reinitialization caused by an alarm,
  • SYN proxy (enabled in filtering),
  • Requests to resend packets that were dropped in order to speed up analysis,
  • Rewriting of packets by application analyses (SMTP, HTTP and web 2.0, FTP and NAT, SIP and NAT).

Keep VLAN IDs This option enables the transmission of tagged frames without the firewall having to be the VLAN endpoint. The VLAN tag on these frames is kept, so the firewall can be placed in the path of a VLAN without interrupting it: the firewall is transparent to this VLAN.
This option requires the previous option, "Keep initial routing", to be enabled.
Gateway address This field is used for routing by interface. All packets that arrive on this interface will be routed via a specified gateway.
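Several of the settings on both tabs depend on one another (advanced DHCP properties only with Dynamic IP, the routing panels only when the address range is inherited from the bridge, no MTU inside a bridge, "Keep VLAN IDs" only with "Keep initial routing"). The following Python script is an added example, not Stormshield's code: it captures those dependencies as a checker that can be run over a GRETAP interface description, for instance one reconstructed from a configuration export, before the settings are applied. The dataclass field names and the sample configurations are this example's own; they are not product identifiers.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class GretapConfig:
    """One GRETAP interface, mirroring the fields of the control panel.

    Field names are hypothetical names chosen for this example.
    """
    name: str
    enabled: bool = True
    protected: bool = True              # "internal (protected)" vs "external (public)"
    tunnel_source: str = ""             # object for the bridge carrying the GRETAP interface
    tunnel_destination: str = ""        # object for the remote appliance's public address
    in_bridge: bool = True              # a GRETAP interface is contained in a bridge
    inherit_from_bridge: bool = False   # "Address range inherited from the bridge"
    bridge: str = ""                    # parent bridge, shown when inheriting
    address_mode: str = "static"        # "static" or "dhcp"
    addresses: List[str] = field(default_factory=list)
    dns_name: str = ""                  # advanced DHCP properties
    requested_lease_time: Optional[int] = None
    request_dns_servers: bool = False
    mtu: Optional[int] = None
    authorize_without_analyzing: bool = False
    keep_initial_routing: bool = False
    keep_vlan_ids: bool = False
    gateway: str = ""


def validate(cfg: GretapConfig) -> List[str]:
    """Return the rule violations found (empty when the configuration is consistent)."""
    errors: List[str] = []
    if not cfg.name:
        errors.append("Name is mandatory")
    if not cfg.tunnel_source or not cfg.tunnel_destination:
        errors.append("Tunnel source and tunnel destination are both required")
    if cfg.inherit_from_bridge and not cfg.in_bridge:
        errors.append("Address range can only be inherited when the interface is part of a bridge")
    if cfg.inherit_from_bridge and not cfg.bridge:
        errors.append("Bridge field is required when inheriting the address range")
    if cfg.in_bridge and cfg.mtu is not None:
        errors.append("MTU is not available for interfaces contained in a bridge")
    # Assumption: an inherited address range needs no address of its own.
    if cfg.address_mode == "static" and not cfg.inherit_from_bridge and not cfg.addresses:
        errors.append("Fixed IP (static) requires at least one IP address and subnet mask")
    dhcp_extras = bool(cfg.dns_name) or cfg.requested_lease_time is not None or cfg.request_dns_servers
    if cfg.address_mode != "dhcp" and dhcp_extras:
        errors.append("Advanced DHCP properties require Dynamic IP (obtained by DHCP)")
    if cfg.address_mode == "dhcp" and cfg.requested_lease_time is None:
        errors.append("Requested lease time (seconds) is mandatory with Dynamic IP")
    routing_opts = (cfg.authorize_without_analyzing or cfg.keep_initial_routing
                    or cfg.keep_vlan_ids or bool(cfg.gateway))
    if routing_opts and not cfg.inherit_from_bridge:
        errors.append("Routing options require 'Address range inherited from the bridge'")
    if cfg.keep_vlan_ids and not cfg.keep_initial_routing:
        errors.append("'Keep VLAN IDs' requires 'Keep initial routing'")
    return errors


def dhcp_dns_objects(cfg: GretapConfig) -> List[str]:
    """Names of the host objects created when DNS servers are requested from DHCP."""
    if cfg.address_mode == "dhcp" and cfg.request_dns_servers:
        return [f"Firewall_{cfg.name}_dns1", f"Firewall_{cfg.name}_dns2"]
    return []


if __name__ == "__main__":
    # Constructed sample: VLAN IDs kept without keeping the initial routing.
    sample = GretapConfig(name="gretap_site_b", tunnel_source="bridge0",
                          tunnel_destination="site_b_public",
                          inherit_from_bridge=True, bridge="bridge0",
                          keep_vlan_ids=True)
    for problem in validate(sample):
        print("-", problem)
```

Each violation names the panel option it comes from, so the message can be matched directly against the field descriptions above; extend `validate` with site-specific rules (for example, a required "external (public)" mode for the tunnel destination's interface) in the same style.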