Requirements and operation

Compatible SNS versions with web services

  • SNS 4.5 and higher versions

DNS traffic in plaintext

The SNS firewall must be able to view in plaintext (unencrypted) the DNS traffic that passes through it, as FQDN recognition is the basis for identifying web services. If this is not the case, the SNS firewall will not be able to identify web services based on FQDNs.

DNS protocol analysis must be enabled on DNS traffic (IPS or IDS inspection level).

Blocking DoH and DoT protocols

By default, the SNS firewall blocks the encrypted DNS protocols DoH and DoT in order to force a fallback to the standard DNS protocol, so that DNS traffic can be inspected in plaintext.

This fallback occurs only if the web browser in use allows it, and only after a certain number of successive attempts, which may cause latency before the requested web page appears. Do note that the number of attempts and the duration of this latency depend on the web browser and cannot be configured on the SNS firewall.

DoH and DoT can be blocked on the SNS firewall by using context-based signature detection (Configuration > Application protection > Applications and protections). DoT can also be blocked when it is detected in the ALPN extension of TLS (Configuration > Application protection > Protocols > SSL, IPS tab, Application-Layer Protocol Negotiation (ALPN) section).

IMPORTANT
These protocols must remain blocked so that web services can be correctly identified.
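The ALPN-based DoT detection mentioned above relies on the fact that a DNS over TLS client advertises the ALPN identifier "dot" (RFC 7858) in its TLS ClientHello. The following Python script is an added illustration of that check, written for this page; it is not Stormshield code and does not reproduce the SNS firewall's implementation. It builds a minimal, constructed ClientHello record, extracts the ALPN extension, and classifies the connection. DoH cannot be recognised this way because it negotiates the same ALPN values as ordinary HTTPS ("h2", "http/1.1"), which is why the page relies on context-based signatures for DoH.

```python
import struct

ALPN_EXT_TYPE = 0x0010   # TLS extension type for ALPN (RFC 7301)
DOT_ALPN_ID = "dot"      # ALPN identifier registered for DNS over TLS (RFC 7858)


def build_client_hello(alpn_protocols=None, sni=None):
    """Build a minimal, syntactically valid TLS 1.2 ClientHello record.

    This is constructed test input, not a capture from a real client.
    """
    extensions = b""
    if sni:
        host = sni.encode()
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_body = struct.pack("!H", len(name_entry)) + name_entry
        extensions += struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    if alpn_protocols:
        names = b"".join(bytes([len(p)]) + p.encode() for p in alpn_protocols)
        alpn_body = struct.pack("!H", len(names)) + names
        extensions += struct.pack("!HH", ALPN_EXT_TYPE, len(alpn_body)) + alpn_body
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x11" * 32                           # random (fixed, constructed)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_alpn(record):
    """Return the ALPN protocol list of a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                      # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                          # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                               # skip client_version and random
        sid_len = body[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len
        if pos >= len(body):
            return None                            # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:                      # walk extension by extension
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == ALPN_EXT_TYPE:
                protos = []
                list_len = struct.unpack("!H", edata[:2])[0]
                p = 2
                while p < 2 + list_len:
                    n = edata[p]; p += 1
                    protos.append(edata[p:p + n].decode("ascii", "replace")); p += n
                return protos
        return None
    except (IndexError, struct.error):
        return None                                # truncated or malformed: treat as no ALPN


def classify_client_hello(record):
    """'dot' when the client advertises DNS over TLS, 'other' for any other ALPN, 'no-alpn' otherwise."""
    protos = parse_alpn(record)
    if protos is None:
        return "no-alpn"
    if DOT_ALPN_ID in protos:
        return "dot"
    return "other"


if __name__ == "__main__":
    for label, rec in [
        ("DoT client", build_client_hello(["dot"], "dns.example.test")),
        ("browser (DoH looks the same)", build_client_hello(["h2", "http/1.1"], "www.example.test")),
        ("legacy TLS client", build_client_hello()),
    ]:
        print(f"{label}: alpn={parse_alpn(rec)} -> {classify_client_hello(rec)}")
```

A connection classified as "dot" is the case the SNS firewall blocks in the SSL protocol's IPS tab; the "other" result for a DoH client shows why an ALPN check alone is not enough and the context-based signatures are needed in addition.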

Using public IP addresses

Only public IP addresses can be used in the databases of official and custom web services. Private IP addresses cannot be used.

Dependency of web services

Some web services may be dependent on other web services, for example, when a provider hosts its service with another provider, or when a provider offers several services.

When web services are used in the SNS firewall's configuration, and to avoid mistakenly blocking or allowing certain web traffic, we recommend that you first check whether a web service is dependent on any other, or whether any web services depend on it. Known dependencies are listed on the Stormshield Security Portal.
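The two mechanisms this page describes, FQDN-based identification of a web service (see "DNS traffic in plaintext") and the dependency check recommended above, can be illustrated with the following added Python example. It is not Stormshield code; the web-service catalogue, FQDNs and dependencies are constructed for the illustration and do not correspond to the official database or to entries on the Stormshield Security Portal. It maps the FQDNs seen in constructed DNS query log lines to services by suffix matching, then computes which services are affected when one service is blocked and which must be allowed for one service to work.

```python
import re

# Constructed catalogue (hypothetical services and FQDNs, not the official database).
WEB_SERVICES = {
    "video-portal":  {"fqdns": ["video.example.test", "cdn-video.example.test"],
                      "depends_on": ["cdn-provider"]},
    "cdn-provider":  {"fqdns": ["edge.cdn-example.test"], "depends_on": []},
    "collab-suite":  {"fqdns": ["chat.example.test"],
                      "depends_on": ["cdn-provider", "auth-provider"]},
    "auth-provider": {"fqdns": ["login.idp-example.test"], "depends_on": []},
}

# Constructed DNS query log lines, in the shape a plaintext DNS inspection might emit.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z src=10.0.0.5 query=video.example.test type=A
2024-01-01T10:00:02Z src=10.0.0.5 query=a1.edge.cdn-example.test type=A
2024-01-01T10:00:03Z src=10.0.0.7 query=login.idp-example.test type=AAAA
2024-01-01T10:00:04Z src=10.0.0.7 query=unrelated.internal.test type=A
"""

_QUERY_RE = re.compile(r"query=(?P<fqdn>[A-Za-z0-9.-]+)")


def identify_service(fqdn):
    """Return the service owning an FQDN (exact match or subdomain), or None if unknown."""
    fqdn = fqdn.lower().rstrip(".")
    for name, entry in WEB_SERVICES.items():
        for known in entry["fqdns"]:
            if fqdn == known or fqdn.endswith("." + known):
                return name
    return None


def classify_dns_log(text):
    """Map every queried FQDN in the log text to its identified service (None when unknown)."""
    result = {}
    for line in text.splitlines():
        m = _QUERY_RE.search(line)
        if m:
            result[m.group("fqdn")] = identify_service(m.group("fqdn"))
    return result


def _closure(start, neighbours):
    """Transitive closure over a neighbour function; the visited set also guards against cycles."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(neighbours(node))
    return seen


def required_to_allow(service):
    """Services that must all be allowed for `service` to work (itself plus its dependencies)."""
    return _closure(service, lambda s: WEB_SERVICES[s]["depends_on"])


def blocking_impact(service):
    """Services whose traffic may break if `service` is blocked (itself plus everything depending on it)."""
    return _closure(service, lambda s: [n for n, e in WEB_SERVICES.items() if s in e["depends_on"]])


if __name__ == "__main__":
    for fqdn, svc in classify_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{fqdn:32} -> {svc}")
    print("blocking cdn-provider affects:", sorted(blocking_impact("cdn-provider")))
    print("allowing collab-suite requires:", sorted(required_to_allow("collab-suite")))
```

The suffix match is what makes plaintext DNS essential: without the queried name, there is nothing to match against the catalogue. The two closure functions correspond to the two mistakes the recommendation warns about, blocking a provider that other services rely on, and allowing a service without allowing what it depends on.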