Global protocol configuration

The “Go to global configuration” button opens settings that apply to every inspection profile of the selected protocol.

This option is offered for every protocol except IP, RTP, RTCP and S7.

Protocol: list of default TCP or UDP ports

This option defines the list of ports (TCP or UDP) scanned by default by the plugin of the protocol that is being configured. You can Add or Delete ports by clicking on the respective buttons.

Protocol over SSL: list of default TCP ports

Ports added to the list of secure protocols are first analyzed by the SSL plugin; once the traffic has been decrypted, it is then analyzed by the plugin of the configured protocol. You can Add or Delete ports by clicking on the respective buttons.

This selection is available for the protocols HTTPS, SMTPS, FTPS, POP3S, OSCAR over SSL, NetBios CIFS over SSL, NetBios SSN over SSL and SIP over SSL.

EXAMPLE
Choosing the HTTPS port in the list "HTTPS: list of default TCP ports" will activate two analyses:
  • The HTTPS traffic will be scanned by the SSL plugin.
  • The traffic decrypted by the SSL proxy will be analyzed by the HTTP plugin.

Proxy

This option is available in the global configuration of the HTTP, SMTP, POP3 and SSL protocols. It applies to all the inspection profiles.

Apply the NAT rule on scanned traffic: By default, traffic scanned by an implicit proxy leaves the firewall with the address of the outgoing interface. If this option is selected for a NAT policy, the address translation of that policy is applied to the traffic leaving the proxy analysis instead. Translations of the destination are never applied to this traffic.

Global configuration of the TCP/UDP protocol

IPS tab

Denial of Service (DoS)

Max no. of ports per second: To detect port scans, this value limits the number of distinct ports (numbered 1 to 1024) that may be reached on a given protected destination within one second. The limit must be between 1 and 16 ports.
Purge session table every (seconds): Once the connection/session table is full, a purge of inactive connections is scheduled. This value sets the maximum interval between two purges of the session table, between 10 and 172800 seconds, so that purging does not overload the appliance.
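As an added illustration of the “Max no. of ports per second” check (not Stormshield’s code, and a simplification of what the intrusion prevention engine does), the following Go program counts the distinct ports in the 1 to 1024 range reached on each protected destination within a one-second window and refuses further new ports once the configured limit has been reached. The destination address, the limit values and the simulated probe are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// window records the distinct low ports reached on one destination during
// the current one-second interval.
type window struct {
	start time.Time
	ports map[uint16]struct{}
}

// PortScanLimiter is a hypothetical model of the "Max no. of ports per
// second" check: one window per protected destination and a limit on how
// many distinct ports (1-1024) may be opened within that window.
type PortScanLimiter struct {
	MaxPortsPerSecond int
	windows           map[string]*window
}

// NewPortScanLimiter enforces the 1..16 range the configuration accepts.
func NewPortScanLimiter(limit int) (*PortScanLimiter, error) {
	if limit < 1 || limit > 16 {
		return nil, fmt.Errorf("max ports per second must be between 1 and 16, got %d", limit)
	}
	return &PortScanLimiter{MaxPortsPerSecond: limit, windows: map[string]*window{}}, nil
}

// Allow reports whether a packet to dst:port observed at time t passes the
// check. Ports above 1024 are not counted, and repeated packets to a port
// already counted in the window are not a scan, so they always pass.
func (l *PortScanLimiter) Allow(dst string, port uint16, t time.Time) bool {
	if port < 1 || port > 1024 {
		return true
	}
	w, ok := l.windows[dst]
	if !ok || t.Sub(w.start) >= time.Second {
		// start a fresh one-second window for this destination
		w = &window{start: t, ports: map[uint16]struct{}{}}
		l.windows[dst] = w
	}
	if _, seen := w.ports[port]; seen {
		return true
	}
	if len(w.ports) >= l.MaxPortsPerSecond {
		return false // a new port beyond the limit is treated as a scan
	}
	w.ports[port] = struct{}{}
	return true
}

// SimulateScan probes ports 1..n on one constructed destination within a
// single second and returns how many probes the limiter let through.
func SimulateScan(limit, n int) int {
	l, err := NewPortScanLimiter(limit)
	if err != nil {
		panic(err)
	}
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	allowed := 0
	for p := 1; p <= n; p++ {
		// one probe per millisecond, all inside the same window
		if l.Allow("192.0.2.10", uint16(p), t0.Add(time.Duration(p)*time.Millisecond)) {
			allowed++
		}
	}
	return allowed
}

func main() {
	fmt.Printf("limit 16, 30 ports probed in one second: %d allowed\n", SimulateScan(16, 30))
	fmt.Printf("limit 16, 10 ports probed in one second: %d allowed\n", SimulateScan(16, 10))
}
```

With the limit at 16, a 30-port sweep gets its first 16 probes through and the remaining 14 are refused; a client that legitimately opens 10 services is untouched, and a new one-second window starts the count again.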

Connection

Allow half-open connections (RFC 793 section 3.4): This option helps avoid denial-of-service conditions that may arise within so-called “normal” connections.

http://tools.ietf.org/html/rfc793#section-3.4

Support

Log every TCP connection: Enables log generation for every TCP connection.
Log every UDP pseudo-connection: Enables log generation for every UDP pseudo-connection.

Global configuration of the SSL protocol

Proxy tab

Generate certificates to emulate the SSL server

C.A (signs the certificates): Select the sub-authority used to sign the certificates generated by the SSL proxy. It must first be imported into the Certificate module (Object menu).
Certification authority password: Enter the password of the selected certification authority.
Certificate lifetime (days): Validity, in days, of the certificates generated by the proxy.
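To make the mechanism concrete, here is an added Go example (not Stormshield’s code) of what “emulating the SSL server” involves: a sub-CA key and certificate are generated in memory in place of the authority imported in the Certificate module, a struct standing in for the real server’s parsed certificate is constructed, and the proxy issues a certificate that copies the server’s subject and names but carries a proxy-owned key, is signed by the sub-CA and is valid for the configured number of days. The CA name, the server identity, the use of ECDSA P-256 and all function names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ProxyCA is the sub-authority the SSL proxy signs emulated certificates with.
type ProxyCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// makeCert signs tmpl with signer under parent and returns the parsed result.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewProxyCA builds a throwaway self-signed sub-CA in memory. On the firewall
// this is the authority imported in the Certificate module (assumption).
func NewProxyCA(now time.Time) (*ProxyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example SSL proxy sub-CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := makeCert(tmpl, tmpl, &key.PublicKey, key)
	return &ProxyCA{Cert: cert, Key: key}, err
}

// EmulateServer issues the certificate the proxy presents to the client: the
// subject and SANs of orig, a proxy-owned key (never the server's), the sub-CA
// as issuer, and a validity of lifetimeDays ("Certificate lifetime (days)").
func (ca *ProxyCA) EmulateServer(orig *x509.Certificate, lifetimeDays int, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      orig.Subject,
		DNSNames:     orig.DNSNames,
		NotBefore:    now.Add(-5 * time.Minute), // tolerate client clock skew
		NotAfter:     now.Add(time.Duration(lifetimeDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, err := makeCert(tmpl, ca.Cert, &key.PublicKey, ca.Key)
	return cert, key, err
}

// Demo runs the flow against a constructed stand-in for the real server's
// certificate and returns the sub-CA and the emulated certificate.
func Demo(lifetimeDays int) (*ProxyCA, *x509.Certificate, error) {
	now := time.Now()
	ca, err := NewProxyCA(now)
	if err != nil {
		return nil, nil, err
	}
	orig := &x509.Certificate{ // only the identity fields are needed here
		Subject:  pkix.Name{CommonName: "www.example.com", Organization: []string{"Example Corp"}},
		DNSNames: []string{"www.example.com", "example.com"},
	}
	emu, _, err := ca.EmulateServer(orig, lifetimeDays, now)
	return ca, emu, err
}

func main() {
	_, emu, err := Demo(30)
	if err != nil {
		panic(err)
	}
	fmt.Printf("issuer=%q subject=%q sans=%v notAfter=%s\n", emu.Issuer.CommonName,
		emu.Subject.CommonName, emu.DNSNames, emu.NotAfter.Format(time.RFC3339))
}
```

The emulated certificate verifies only for clients that trust the sub-CA, which is why the same authority has to be distributed to the workstations behind the proxy; a client without it sees an untrusted issuer, exactly as it would for any interception.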

SSL: list of default TCP ports

This list contains the default TCP ports on which the SSL plugin analyzes traffic. The default ports of every protocol added to this list are analyzed by the SSL plugin.

Proxy

This option applies to all the inspection profiles.

Apply the NAT rule on scanned traffic: By default, traffic scanned by an implicit proxy leaves the firewall with the address of the outgoing interface. If this option is selected for a NAT policy, the address translation of that policy is applied to the traffic leaving the proxy analysis instead. Translations of the destination are never applied to this traffic.

Customized certification authorities tab

Add the list of customized CAs to the list of trusted authorities: Enables the import of certification authorities that are not public. These CAs are then considered trusted authorities, so every certificate they issue is treated as trustworthy by the proxy. Import only authorities whose issuance you control, since a compromised or careless customized CA can vouch for any server name.

It is possible to Add or Delete certification authorities by clicking on the respective buttons.

Public certification authorities tab

A public certification authority is enabled by default and can be disabled by double-clicking on its status icon. You may also Enable all or Disable all public CAs by clicking on the respective buttons.

To keep trust decisions current, these root certification authorities are kept up to date in the firewall’s list via Active Update.

Trusted certificates tab

These are whitelisted certificates to which the certificate checks (self-signed certificates, expired certificates, etc.) defined in the Proxy tab of the SSL profile configuration will not be applied.

In this window, you may Add or Delete trusted certificates by clicking on the relevant button.

IPS tab

Certificate analysis

Certificate cache timeout (TTL)

To optimize the analysis of server certificates, a cache mechanism avoids fetching and re-analyzing a certificate that the intrusion prevention engine already knows.

This setting defines how long, in seconds, cache entries are kept.
When a cached certificate reaches this maximum duration, its entry is automatically deleted and the certificate is analyzed again the next time it is seen.
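An added Go example (not Stormshield’s code) of the cache behaviour described here: verdicts are keyed by the SHA-256 fingerprint of the certificate’s DER encoding, an entry is served from the cache only while it is younger than the configured TTL, and an entry that has reached the maximum duration is deleted and the full analysis runs again. The byte strings standing in for certificates, the analysis function and all names are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Verdict is the outcome of analysing one server certificate.
type Verdict struct {
	Trusted bool
	Reason  string
}

type entry struct {
	verdict Verdict
	expires time.Time
}

// CertCache is a hypothetical model of the certificate cache: results are
// keyed by certificate fingerprint and expire TTL seconds after insertion.
type CertCache struct {
	TTL      time.Duration
	entries  map[string]entry
	Analyses int // how many times the full analysis actually ran
}

func NewCertCache(ttlSeconds int) *CertCache {
	return &CertCache{TTL: time.Duration(ttlSeconds) * time.Second, entries: map[string]entry{}}
}

// Fingerprint identifies a certificate by the SHA-256 of its DER bytes.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Lookup returns the cached verdict for der when it is present and has not
// reached the TTL; otherwise it runs analyze, caches the result and reports
// hit=false. An expired entry is deleted before the analysis is rerun.
func (c *CertCache) Lookup(der []byte, now time.Time, analyze func([]byte) Verdict) (v Verdict, hit bool) {
	fp := Fingerprint(der)
	if e, ok := c.entries[fp]; ok {
		if now.Before(e.expires) {
			return e.verdict, true
		}
		delete(c.entries, fp) // reached the maximum duration
	}
	v = analyze(der)
	c.Analyses++
	c.entries[fp] = entry{verdict: v, expires: now.Add(c.TTL)}
	return v, false
}

// Purge drops every expired entry and returns how many were removed.
func (c *CertCache) Purge(now time.Time) int {
	removed := 0
	for fp, e := range c.entries {
		if !now.Before(e.expires) {
			delete(c.entries, fp)
			removed++
		}
	}
	return removed
}

// Len reports how many entries the cache currently holds.
func (c *CertCache) Len() int { return len(c.entries) }

// fakeAnalyze stands in for the engine's certificate checks: it flags a
// constructed "self-signed" marker and trusts everything else.
func fakeAnalyze(der []byte) Verdict {
	if string(der) == "constructed-self-signed-cert" {
		return Verdict{Trusted: false, Reason: "self-signed"}
	}
	return Verdict{Trusted: true, Reason: "chain ok"}
}

func main() {
	c := NewCertCache(60) // "Certificate cache timeout (TTL)" of 60 seconds
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	der := []byte("constructed-self-signed-cert") // constructed stand-in for DER bytes
	for _, dt := range []time.Duration{0, 30 * time.Second, 61 * time.Second} {
		v, hit := c.Lookup(der, t0.Add(dt), fakeAnalyze)
		fmt.Printf("t+%v: trusted=%v reason=%s cached=%v analyses=%d\n", dt, v.Trusted, v.Reason, hit, c.Analyses)
	}
}
```

The second lookup, 30 seconds in, is answered from the cache; the third, past the 60-second TTL, finds the entry expired, removes it and triggers a second full analysis. A short TTL therefore costs repeated analyses, while a long one delays noticing that a server changed its certificate.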

Global configuration of the ICMP protocol

IPS tab

IPS

Maximum global rate of ICMP error packets (packets per second and per core): Whenever the number of ICMP error packets exceeds this limit (25000 by default), the firewall ignores the additional packets before applying filter rules. This protects the firewall from BlackNurse attacks, which flood it with ICMP type 3 (destination unreachable) error packets.