CSNA v4 Training Book With Virtual Labs and Appendices 2021-12-21-1
ADMINISTRATOR TRAINING
STORMSHIELD NETWORK SECURITY
Network configuration 143
Configuration modes 144
Types of interfaces 150
Lab – Network configuration: interfaces 165
System routing 167
Advanced routing 172
Order of routing types 185
Lab – Network configuration: routing 189
Appendix 191
Modem interfaces 192
Wi-Fi interfaces 195
Dynamic DNS 201
DHCP 205
Static multicast routing 210
DNS proxy cache 213
Bird static routing 216
Bird dynamic routing 219
Address translation 222
Overview 223
Dynamic translation 225
Static translation by port 228
Static translation 231
"NAT" Menu 236
Order of application of NAT rules 247
Lab – Address translation 251
Appendix 253
Advanced properties 254
Filtering 262
Overview 263
The "stateful" concept 265
Sequencing of filter and translation rules 267
“Filtering” Menus 269
Policy analyzer 286
Lab - Filtering 290
Appendix 293
Advanced properties 294
Application protection 299
Enabling proxy mode 300
HTTP proxy 303
HTTPS proxy 316
Antivirus analysis 323
Breach Fighter analysis 328
Intrusion prevention module and security inspection 331
Lab - Content filtering (HTTP and HTTPS) 337
Appendix 339
SMTP filtering and antispam 340
Host reputation 348
Users & authentication 354
Introduction 355
Linking to a directory 357
Managing users 367
Captive portal 371
Authentication methods 385
Authentication policy 389
Filter rules for authentication 393
Defining new administrators 397
Lab – Authentication 402
Appendix 404
Guest method 405
VPN 408
Types of virtual private networks 409
IPsec VPN – Concepts and overview 411
IPsec VPN – Configuration of a site-to-site tunnel 417
IPsec VPN – Configuration of multiple site-to-site tunnels 431
IPsec VPN - Virtual Tunneling Interface 437
Lab – IPsec VPN (site-to-site) 447
Appendix 449
Point-to-Point Tunneling Protocol 450
IPsec VPN – Dynamic peers 454
SSL VPN 465
Concepts and overview 466
Configuring a tunnel 473
Lab – SSL VPN 487
Appendix - Troubleshooting 489
Introduction 490
Before creating an incident 492
Essential elements 495
Additional information 498
Access to the firewall 502
All images in this document are for representation only, actual products may
differ.
TRAINING AND CERTIFICATION COURSE
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
Training program
The topics in this module will not be evaluated in Stormshield certification exams.
Training and certification course
Certification levels:
• CSNA: Certified Stormshield Network Administrator
• CSNE: Certified Stormshield Network Expert
• CSNTS: Certified Stormshield Network Troubleshooting & Support
• CSMCE
• FSNOT / CSNOT: Fundamental / Certified Stormshield Network Operational Technology
Apart from the FSNOT course, each course level concludes with a certification that
trainees obtain by taking a test on our e-learning platform at
https://institute.stormshield.eu
Trainees are allowed two attempts for each exam from their Institute accounts.
Access to the exam automatically begins the day after the end of the course and
remains open for three weeks for the CSNA, CSNE, CSMCE and CSNOT exams, and six
months for the CSNTS exam. If trainees fail their first attempt or are unable to sit
the exam within this time frame, they will be entitled to a second and final attempt,
which opens with immediate effect for an additional week. The minimum score
required for all exams in order to obtain the certification is 70%.
Stormshield certifications are valid for three years, during which trainees can attend
classroom-based courses to validate certification at a higher level. When trainees
obtain certification at a higher level, lower-level certifications will be automatically
renewed.
Trainees can also remotely renew their last certification obtained by ordering a
recertification kit.
STORMSHIELD: PRESENTATION OF THE COMPANY AND ITS PRODUCTS
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
Training program
The topics in this module will not be evaluated in Stormshield certification exams.
Stormshield: presentation of the company and its products
STORMSHIELD: PRESENTATION OF THE COMPANY
• 1998: creation of Netasq (FR), first firewall that embedded an IPS.
• 2000: creation of Arkoon (FR), first UTM on the market.
• 2013: acquisition and merger; fully owned subsidiary of Airbus CyberSecurity.
• 2014: launch of the Stormshield brand and product range.
STORMSHIELD DATA SECURITY
✔ Introduction to Stormshield
➔ Stormshield Data Security
Stormshield Endpoint Security
Stormshield Network Security
Standard and optional features in SNS
Stormshield Data Security lets users stay in control of their data in Microsoft environments by
offering the following possibilities:
• Transparent encryption of local or shared folders with Disk and Team, including USB devices,
• Integration with mail applications, such as Microsoft Outlook and Lotus Notes, to encrypt
and/or sign e-mails with Mail,
• Secured collaborative data with Team,
• Easier paperless administrative and sales procedures with Sign, which signs all types of files,
• Safe destruction of files and folders with Shredder,
• Administration through PowerShell cmdlets or business APIs with Connector,
• Centralized administration with Authority Manager.
Stormshield Data Security Enterprise version 9.1.2 was awarded EAL3+ certification for its
transparent file encryption feature in September 2016.
STORMSHIELD ENDPOINT SECURITY
• Application flaw/vulnerability: Endpoint Security blocks suspicious behavior in
system calls.
• Hijacking of routines, illegal access to memory on the operating system: Endpoint
Security provides in-memory intrusion prevention through a set of techniques.
• Endpoint Security offers protection against the most sophisticated attack
techniques.
• Whitelisting: Endpoint Security restricts
• Keylogging: Endpoint Security prevents certain file extensions from
Stormshield Endpoint Security version 7.2.6 was awarded EAL3+ certification for its
surface encryption functional module,
STORMSHIELD NETWORK SECURITY
FIREWALL HARDWARE
[Figure: the hardware firewall range by market segment: large corporations and
datacenters, industry]
The Stormshield Network Security product range consists mainly of two large categories
illustrated in the figure above: physical appliances (SN range) and virtual appliances (EVA).
The technology on all Stormshield Network products is based on a proprietary IPS (Intrusion
Prevention System) engine embedded in a FreeBSD kernel.
VIRTUAL APPLIANCES (EVA)
Virtual appliances for the cloud are available from AWS (Amazon web services) and Microsoft
Azure providers, making it possible to protect your servers hosted with them.
Stormshield also offers the Stormshield Pay As You Go range, which caters to private cloud
providers that offer hosted services and/or Internet access, either in the form of SaaS or IaaS.
When these appliances are deployed in your virtual infrastructure, you will be able to offer your
clients a network security service that can be billed monthly based on the number and size of
virtual firewalls used.
Use cases
• SN160(W): Remote site connected via VPN, unified security for small
structures. Two separate WiFi networks can be created with the SN160W.
• SN210(W): Remote site connected via VPN, unified security for small
structures with a DMZ or dual WAN access. With the SN210, two trusted
zones can be created on the internal network, and Internet access link
redundancy can be set up. The SN210W also makes it possible to create
two separate WiFi networks.
• SN310: Unified security for small structures requiring continuity (high
availability) and safety zones. The SN310 offers 8 physical ports and
supports high availability.
Log storage is limited by default on this appliance range, but can be extended with
the use of SD cards.
Use cases
• SN510: Mid-size organizations that need to archive logs locally. With the
SN510, logs can be stored locally and archived on the hard disk.
• SN710: Mid-size organizations that require network modularity, offering a
combination of copper ports (up to 16) and 10-gigabit Ethernet fiber ports.
• SN910: Mid-size organizations that require flexibility in order to enhance
performance. The SN910 can also support 8 Ethernet ports, 10 1G fiber
ports or 4 10G fiber ports.
Hardware characteristics of the SN1100, SN2100, SN3100 and SN6100 models:

                                    SN1100      SN2100          SN3100          SN6100
Number of 10/100/1000 interfaces    8/24        2-26            2-26            8-64
Number of 1/10/40 Gb fiber          0-16/2-10   0-24/0-12/0-6   0-24/0-12/0-6   0-64/0-34/0-16
interfaces
IPS throughput (Gbps)               18          35              55              68
IPsec VPN throughput (Gbps, AES)    7.5         10              10              20.5
Concurrent connections              1,800,000   2,500,000       5,000,000       20,000,000
Hard disk drive                     256 GB SSD  256 GB SSD      512 GB SSD      512 GB SSD
                                                (RAID 1 as an   (RAID 1)        (RAID 1)
                                                option)
Redundant power supply              option      option          Yes             Yes
Use cases
• SN1100: Multi-site organizations and businesses with complex
infrastructures. Modularity, performance and security are the catchwords
of this product, which meets network protection requirements.
• SN2100: Organizations with high performance and scalability
requirements. The SN2100 offers a high level of modularity thanks to
optional network extension modules.
• SN3100: Organizations with critical architectures. The SN3100 embeds
redundant hardware components to ensure better availability: SSD hard
disks in RAID1 and redundant power supply. It supports the same network
configurations as the SN2100.
• SN6100: Large organizations and datacenters. The SN6100 offers unrivaled
network modularity and can support up to 64 copper or fiber ports. It
offers firewall performance of up to 170Gbps and hardware component
monitoring via IPMI.
INDUSTRY
Industrial range (three models, left to right as in the figure):

Number of 10/100/1000 interfaces    2-4   5     5 via MIL-DTL-38999 micro connectors
Number of 1G SFP fiber interfaces   0-2   0-2   -
Stormshield's Elastic Virtual Appliance range offers organizations a full range of
security features without the need for an initial investment, only subscriptions to
services that include system updates and various protections.
The performance of these products automatically adapts to the resources that the
hypervisor allocates. This means that you can control your operating costs
whenever you need to expand your infrastructure.
Stormshield's Elastic Virtual Appliance also protects virtual servers and virtual
networks in clouds hosted by Amazon Web Services or Microsoft Azure. This is easy
to set up, simply by including SN firewalls from the cloud provider's Marketplace.
[Figure: Main and LTSB version branches; LTSB: 1 year support minimum]
Major or minor versions labeled LTSB are considered versions that will be stable
over a long term, and will be supported for at least 12 months. These versions are
recommended for clients whose priority is stability instead of new features and
optimizations.
CENTRALIZED ADMINISTRATION
STANDARD AND OPTIONAL FEATURES IN SNS
[Figure: standard and optional features in SNS, grouped into filtering, security and
network features. Features named in the figure: application control, mobile device
control, Extended Web Control, DDoS protection, antivirus, antimalware, URL
filtering, firewall, transparent authentication, antispam, antiphishing,
Collaborative Security, industrial protocols, Microsoft Web 2.0 protection,
scheduling of rules, services, filtering by user, IDS/IPS, internal and external PKI,
application inventory, content control, SSL decryption, vulnerability detection,
detection of interactive connections, protocol analysis, physical link redundancy
(LACP), dynamic routing, site-to-site or mobile IPsec VPN, WAN link redundancy,
transparent/routed/hybrid mode, PPTP remote access, Stormshield IPsec VPN Client,
HTTP cache proxy, Quality of Service, encryption, secure IPsec, support for
IPv4/IPv6, high availability, publication of web applications, policy-based
routing. The legend distinguishes standard features from optional features.]
You will find all product datasheets and features available in the SNS range on
Stormshield.com.
APPENDIX – STORMSHIELD: PRESENTATION OF THE COMPANY AND ITS PRODUCTS
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.
STANDARD FEATURES
Program:
➔ Standard features
Security packs and software options
Hardware options
Standard features table (the column headers did not survive extraction):

Protocol analysis:
  IP, ICMP, TCP, UDP, HTTP, FTP, SIP, RTSP, etc.   Yes   Yes   Yes   Yes   Yes
  Industrial (SCADA): MODBUS, S7
Context-based patterns                             Yes   Yes   Yes   Yes   Yes
Antispam
SYSTEM
RAID 1                                             -     -     -     Yes   -
• IPS Protocol Analysis: includes all the checks applied on network (IP, TCP,
UDP, etc.) and application (HTTP, FTP, etc) protocols to ensure their
compliance. From version 2.3 onwards, this analysis will also make it
possible to check two industrial protocols (SCADA): MODBUS and S7.
• IPS contextual signatures: an attack database used in addition to the
protocol analysis to rapidly detect known attacks.
• Antispam:
o Heuristic engine: allows the firewall to qualify an email as spam by
using a specific algorithm that determines the degree of legitimacy
of emails.
o Reputation based detection (DNS RBL: Real time Blackhole List):
based on RBL servers that indicate if an email is spam, based on
the reputation of the sender. The list of RBL servers is constantly
updated.
• ClamAV Antivirus: open-source antivirus engine designed to detect
viruses, Trojans and malware. Its library provides different file format
detection mechanisms and tools that operate in conjunction with
compressed files and archives.
• Stormshield URL Filtering: proprietary URL database used for web
filtering. The URLs are classified into 16 categories.
• System:
o RAID 1 (Redundant Array of Independent Disks): Ensures the
reliability of data storage by placing a copy of the data on two
separate hard drives.
o Double system partition (main and backup): Allows storage of two
firmware versions.
o High availability: Ensures the continuity of services by using two
firewalls: one in active mode and the other in passive mode. If the
active firewall is no longer reachable, the passive firewall switches
to active mode to guarantee the transmission and protection of
data. This feature monopolizes a network interface on each
firewall.
The table above presents the services available on Stormshield Network Security
products. Note that local log storage is native on all products except the SN160(W),
SN210(W) and SN310 models, because they do not have a built-in hard disk drive.
However, with the External storage license option, which is enabled by default on
models in v4 and above, logs can be stored locally on a removable SD card.
SECURITY PACKS
Certain additional features are available with a subscription to specific security packs:
• Stormshield Network Vulnerability Manager: identifies and reports vulnerabilities
and weaknesses on applications and services used on protected networks in real
time. To do so, SNVM works in collaboration with the IPS to collect and archive
information relating in particular to the operating system, various activities and the
various versions of applications installed. These may be client applications (Firefox)
or networked services (Apache, Bind, OpenSSH, etc.). SNVM reports the vulnerabilities
it detects by identifying the hosts involved, and suggests possible fixes as well.
• Kaspersky antivirus: developed and integrated by Kaspersky Labs, it represents one
of the best antivirus solutions currently available on the market. Its engine analyzes
incoming and outgoing mail, web traffic as well as files in real time to detect and
eliminate all viral intrusions on protected networks. To ensure optimum protection,
the virus pattern database is constantly updated. The advantages of this antivirus
include its support for many archive formats, its better processing performance
compared to ClamAV, and the enhanced performance of its heuristic analysis
engine.
• Extended Web Control web filtering: relies on a cloud-hosted URL database
provider. The base references several hundred million URLs classified into 65
thematic categories: shopping, education, banking, etc. The main advantage of this
new option is the quick update of the URL database, which is no longer downloaded
on the firewall.
• Log storage on the "external storage" SD card: allows firewalls with SD memory
card slots to store logs on such cards. On SN160(w), SN210(w) and SN310 products,
SD cards make it possible to generate all activity reports (without an SD card, only
five reports can be used).
• Breach Fighter: makes it possible to run an analysis in the cloud in addition to the
one run by Kaspersky antivirus to block sophisticated attacks, with the support of a
dedicated security team.
HARDWARE OPTIONS
The high range appliances (SN710, SN910, SN2000, SN3000 and SN6000) offer
incomparable network modularity on the market thanks to optional copper or fiber
modules:
• SN910 embeds 8 10/100/1000 ports + 2 SFP+ 10Gbps ports and can support an
additional 8 10/100/1000 ports, 6 SFP 1Gbps ports or 2 SFP+ 10Gbps ports (1
extension module).
• SN1100 embeds 8 10/100/1000 ports + 2 SFP+ 10Gbps ports and can support an
additional 8 10/100/1000 ports, 4 10Gbps copper or 8 1Gbps fiber or 4 10Gbps
fiber ports (2 extension modules).
• SN2100 and SN3100 embed 2 10/100/1000 ports in the standard version and can
support an additional 24 10/100/1000 ports, 24 SFP 1Gbps ports, 12 SFP+ 10Gbps
ports (3 extension modules) or 6 40 Gbps ports.
• SN6100 embeds 8 10/100/1000 ports in the standard version and can support an
additional 62 10/100/1000 ports, 64 SFP 1Gbps ports, 34 SFP+ 10Gbps ports (7
extension modules) or 16 40 Gbps ports.
GETTING STARTED WITH THE FIREWALL
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
Training program
Getting started with the firewall
REGISTERING THE FIREWALL AND ACCESSING DOCUMENTATION
https://mystormshield.eu
In your MyStormshield personal area, you will be able to track and manage the life
cycle of your Stormshield products through two types of accounts: client and
partner.
With a client account, you can register all the Stormshield products belonging to a
single company.
With a partner account, you can oversee managed services for partner accounts, if
such services have been set up.
When you create a MyStormshield account, you need to enter information about
your company or your client’s company.
When you receive a Stormshield product, you need to register it in your or your
client’s account in order to activate the maintenance contract.
STOP/START/RESET
[Figure: appliance connectors: SD card slot, status LEDs, power supply]
Connectors are similar throughout the UTM range, but may have a different location
depending on the product:
• On/Off button,
• Three status LEDs:
o The first LED, in orange, indicates that the firewall is powered on (power
cable plugged),
o The second LED, in green, indicates that the firewall’s operating system is
running,
o The third LED, in green, indicates that the firewall has finished booting and
is running,
• SD card slot: to add memory cards on the firewall,
• PS/2 keyboard port and VGA or HDMI video connector: to connect a keyboard and
screen to the firewall and access console mode,
• Serial port or USB port connected internally to a serial adapter: to connect a serial
console on the firewall,
• Reset button: to restore the firewall's factory settings,
• USB port: to connect a USB key or a 3G modem,
• Network interfaces: type and number of interfaces depend on the firewall model.
NOTE: The memory card must be at least Class 10, SDHC standard with a maximum
capacity of 32 GB (2 TB for SN160(W), SN210(W), and SN310).
CONNECTING TO THE FIREWALL
Default configuration
Bridge → . . . /8
DHCP → [ . . . – 10.0.0.100]/8
In the default configuration, the first interface of the firewall is named "OUT", the
second "IN" and the remaining interfaces "DMZx". The "out" interface is an external
interface used to connect the firewall to the Internet. The other interfaces are
internal and are mainly used to connect the firewall to local networks.
Keeping internal/external interfaces separate ensures that you are protected from IP
address spoofing attacks.
All interfaces are included in a bridge with the address 10.0.0.254/8. A DHCP server
is enabled on all interfaces of the bridge and distributes IP addresses between
10.0.0.10 and 10.0.0.100 inclusive.
NOTE: With the default configuration, when a host connects to the external interface
then to an internal interface, the firewall will consider this an IP address spoofing
attempt on the bridge, and will then block all traffic generated by this machine. The
firewall must be rebooted to work around this situation.
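A model of the bridge anti-spoofing behaviour described above, added here as an example and not Stormshield code. It assumes the default interface names (out, in, dmzX), records the interface each source IP is first seen on, and flags a host that later appears on the other side of the internal/external boundary; clearing the learned table plays the role of the reboot.

```python
"""Model of the default-configuration bridge anti-spoofing check.

Added example, not Stormshield code. Assumptions: interface names follow the
default naming on the page (out, in, dmzX); a source IP first seen on one side
of the internal/external boundary and later seen on the other side is treated
as IP spoofing, and every later packet from that IP is dropped until the
learned table is cleared, which on the real appliance means a reboot.
"""
from dataclasses import dataclass, field

EXTERNAL = {"out"}                 # first interface, connected to the Internet
INTERNAL = {"in", "dmz1", "dmz2"}  # remaining interfaces, connected to local networks


def side(iface: str) -> str:
    """Classify a bridge member interface as internal or external."""
    if iface in EXTERNAL:
        return "external"
    if iface in INTERNAL:
        return "internal"
    raise ValueError(f"unknown bridge interface: {iface}")


@dataclass
class BridgeAntiSpoof:
    first_seen: dict = field(default_factory=dict)  # src_ip -> interface it was learned on
    blocked: set = field(default_factory=set)       # src_ips flagged as spoofing

    def check(self, src_ip: str, iface: str) -> str:
        """Return the verdict for one packet: 'pass', 'spoof' or 'blocked'."""
        if src_ip in self.blocked:
            return "blocked"
        learned = self.first_seen.setdefault(src_ip, iface)
        # Assumption: moving between two internal interfaces is not flagged;
        # only crossing the internal/external boundary counts as spoofing.
        if side(learned) != side(iface):
            self.blocked.add(src_ip)
            return "spoof"
        return "pass"

    def reboot(self) -> None:
        """Clear the learned table and the block list, as a reboot does."""
        self.first_seen.clear()
        self.blocked.clear()


def replay(packets):
    """Run a sequence of (src_ip, interface) packets through one check instance."""
    guard = BridgeAntiSpoof()
    verdicts = []
    for src_ip, iface in packets:
        if iface == "reboot":       # constructed marker: the operator reboots the firewall
            guard.reboot()
            verdicts.append("reboot")
            continue
        verdicts.append(guard.check(src_ip, iface))
    return verdicts


# Constructed scenario: a laptop plugged into OUT first, then moved to IN.
SCENARIO = [
    ("10.0.0.20", "out"),    # learned on the external side
    ("10.0.0.20", "in"),     # same IP now on an internal interface: spoofing
    ("10.0.0.20", "in"),     # every later packet from that host is dropped
    ("10.0.0.30", "in"),     # unrelated host on IN is unaffected
    ("10.0.0.30", "dmz1"),   # internal-to-internal move is tolerated in this model
    ("10.0.0.20", "reboot"),
    ("10.0.0.20", "in"),     # after the reboot the host is learned afresh
]

if __name__ == "__main__":
    for (ip, iface), verdict in zip(SCENARIO, replay(SCENARIO)):
        print(f"{ip:<12} {iface:<7} -> {verdict}")
```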
[Figure: accessing https://10.0.0.254/admin with Mozilla Firefox, Google Chrome or
Microsoft Edge]
You can access the firewall’s administration interface through a browser in HTTPS at
"https://10.0.0.254/admin". In order for this interface to operate optimally, you are
advised to use the latest versions of Microsoft Edge, Google Chrome and Mozilla
Firefox.
In the advanced options, the administrator can select the language of the
configuration menus and read-only access, which prevents the configuration from
being modified.
ADMINISTRATION INTERFACE
1. Header:
When you click on the user name, you will be able to:
• Access the Preferences menu to configure parameters relating to the
administration interface. The most important are:
o Idle time before logging the user out of the administration interface (30
minutes by default),
o Display options in the menus (always show advanced configurations,
number of filter rules per page, etc.),
o External links to Stormshield sites.
• Obtain or release write permissions. Note that at any given time, only one user
can have the write permission on the firewall.
• Access private data.
• Log out the user.
2. Menus (red box): configuration and monitoring menus, and shortcuts in the form
of expandable lists. Menus are classified under two categories: the Monitoring
tab for anything that relates to monitoring, logs or the status of the firewall; the
Configuration tab for objects and the configuration of various features.
3. Menu contents (blue box): displays the contents of the selected menu.
4. Administration interface logs (brown box): displays the list of web interface logs,
which can be customized. For example, you can choose to show only NSRPC
commands executed by the web interface, reported errors, warnings, etc.
DASHBOARD
The dashboard includes all information and indicators regarding the firewall:
• Status of Active Update
• Alarms,
• License (expiry date of each module),
• Properties (serial number, active policies, date and time, etc),
• Interfaces (list of configured network interfaces),
• Status of various services.
SYSTEM CONFIGURATION
1. GENERAL CONFIGURATION:
• Name of the firewall, which is the serial number by default,
• Language of the firewall for logs: English or French,
• Layout of the keyboard used for direct console access: English, French, Italian,
Polish or Swiss.
• Cryptography settings offer two options which relate to certificates (covered in
the Expert course) and the ANSSI "Diffusion Restreinte" (DR) mode respectively.
• The password policy defines the minimum length and mandatory characters for
passwords created in the firewall's various menus (e.g., user passwords in the
internal directory (LDAP), passwords that protect backup files or passwords of
certificates created on the firewall). By default, the minimum length is one
character and no characters are mandatory. However, the administrator may
impose alphanumeric passwords only or alphanumeric with special characters,
and change the minimum value of password entropy.
NOTE: Entropy determines the robustness of the password. Higher entropy means
that the password must be more robust. It takes into account the length of the
password and the size of the character set used.
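A password policy check with the entropy estimate described in the note above, added here as an example and not Stormshield code. It assumes entropy is length times log2 of the size of the character set the password draws from (26 lowercase, 26 uppercase, 10 digits, 32 specials), and reads "alphanumeric" as requiring both letters and digits.

```python
"""Password-policy check with the entropy estimate described above.

Added example, not Stormshield code. Assumptions: entropy is computed as
length * log2(size of the character set the password draws from), using the
usual class sizes (26 lowercase, 26 uppercase, 10 digits, 32 specials), and
"alphanumeric" means the password must contain both letters and digits.
"""
import math
import string

# Character classes and the charset size credited when a class is used.
CLASSES = {
    "lower": (frozenset(string.ascii_lowercase), 26),
    "upper": (frozenset(string.ascii_uppercase), 26),
    "digit": (frozenset(string.digits), 10),
    "special": (frozenset(string.punctuation), 32),
}


def classes_used(password: str) -> set:
    """Names of the character classes present in the password."""
    return {name for name, (chars, _) in CLASSES.items()
            if any(c in chars for c in password)}


def entropy_bits(password: str) -> float:
    """Entropy estimate in bits: length * log2(charset size).

    Characters outside the four classes (e.g. spaces, non-ASCII) add length
    but no charset credit, which keeps the estimate conservative.
    """
    size = sum(CLASSES[name][1] for name in classes_used(password))
    return len(password) * math.log2(size) if size else 0.0


def check_policy(password: str, min_length: int = 1, mandatory: str = "none",
                 min_entropy: float = 0.0) -> list:
    """Return the policy violations (an empty list means the password is accepted).

    Defaults mirror the page: minimum length 1 and no mandatory characters.
    mandatory is 'none', 'alphanumeric' or 'alphanumeric_special'.
    """
    problems = []
    used = classes_used(password)
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if mandatory in ("alphanumeric", "alphanumeric_special"):
        if not used & {"lower", "upper"} or "digit" not in used:
            problems.append("must contain both letters and digits")
    if mandatory == "alphanumeric_special" and "special" not in used:
        problems.append("must contain a special character")
    bits = entropy_bits(password)
    if bits < min_entropy:
        problems.append(f"entropy {bits:.1f} bits is below the minimum of {min_entropy}")
    return problems


if __name__ == "__main__":
    # Constructed candidates checked against the admin-account minimum of 5
    # characters plus a stricter policy an administrator might configure.
    for pwd in ("abc", "password", "Passw0rd!", "correct horse battery staple"):
        print(f"{pwd!r}: {entropy_bits(pwd):.1f} bits, "
              f"violations={check_policy(pwd, 5, 'alphanumeric_special', 50)}")
```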
• Time settings: date, time and time zone. These parameters are crucial for
functions such as logs and authentication. The firewall must be restarted if the
time zone is changed.
• To allow the firewall to automatically synchronize its clock with an NTP server,
simply select Synchronize firewall time (NTP). By default, two NTP servers
belonging to Stormshield are preconfigured in the list of servers, which may be
modified.
2. FIREWALL ADMINISTRATION:
• The "admin" account’s permission to access the administration interface can be
withdrawn. This means that a new administrator with the right permissions must
be created. Otherwise, you will permanently lose access to the firewall’s
administration interface.
• The port used to access the firewall’s administration interface can be a port other
than the standard HTTPS (443/TCP), which is defined by default. The access URL
then becomes: https://firewall_@IP:port/admin.
• By default, the firewall's administration interface uses a certificate issued by the
firewall's certification authority. The link "Configure the SSL certificate for access
to the administration interface" will lead to the menu that allows you to modify
this certificate.
• An idle timeout can be set for all administrators, who can configure when to log
out an idle user in their preferences (menu can be accessed by clicking on the
name of the user), if the duration is lower than or equal to the maximum
connection duration configured.
• Protection from brute force attacks on the administration interface can be
enabled/disabled; the number of attempts and the interval between attempts (in
minutes) can be configured. By default, after 3 unsuccessful attempts, access from
the IP address in question will be blocked for 1 minute.
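The brute-force lockout described above, added here as an example and not Stormshield code. It assumes failures are counted per source IP inside a sliding window whose length equals the block duration (3 attempts and 1 minute by default, as on the page), with time passed in explicitly so a run is deterministic.

```python
"""Model of the administration-interface brute-force protection described above.

Added example, not Stormshield code. Assumptions: failed logins are counted per
source IP inside a sliding window of `interval_min` minutes; reaching
`max_attempts` failures blocks that IP for `block_min` minutes (the page gives
3 attempts and a 1-minute block by default; using the block length as the
window length is an assumption). Time is passed in explicitly.
"""
from collections import defaultdict, deque


class AdminLoginGuard:
    def __init__(self, max_attempts: int = 3, interval_min: float = 1.0,
                 block_min: float = 1.0):
        self.max_attempts = max_attempts
        self.interval_min = interval_min
        self.block_min = block_min
        self.failures = defaultdict(deque)   # ip -> timestamps (minutes) of recent failures
        self.blocked_until = {}              # ip -> time at which the block expires

    def is_blocked(self, ip: str, now: float) -> bool:
        return self.blocked_until.get(ip, float("-inf")) > now

    def attempt(self, ip: str, success: bool, now: float) -> str:
        """Record one login attempt and return 'ok', 'fail', 'locked' or 'blocked'."""
        if self.is_blocked(ip, now):
            return "blocked"          # rejected before the password is even checked
        if success:
            self.failures.pop(ip, None)
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.interval_min:
            recent.popleft()          # drop failures that fell out of the window
        if len(recent) >= self.max_attempts:
            self.blocked_until[ip] = now + self.block_min
            recent.clear()
            return "locked"
        return "fail"


def replay(events, **kwargs):
    """Feed (time_in_minutes, ip, success) events through one guard; return verdicts."""
    guard = AdminLoginGuard(**kwargs)
    return [guard.attempt(ip, ok, t) for t, ip, ok in events]


# Constructed event log: one source failing repeatedly on the admin login,
# another administrator logging in correctly in the meantime.
EVENTS = [
    (0.0, "192.0.2.10", False),
    (0.2, "192.0.2.10", False),
    (0.4, "192.0.2.10", False),   # third failure inside the window: blocked for 1 minute
    (0.5, "192.0.2.10", True),    # correct password, but the IP is blocked until t=1.4
    (0.6, "192.0.2.20", True),    # the other administrator is unaffected
    (1.5, "192.0.2.10", True),    # block expired, login accepted
]

if __name__ == "__main__":
    for (t, ip, ok), verdict in zip(EVENTS, replay(EVENTS)):
        print(f"t={t:>4} {ip:<12} success={ok!s:<5} -> {verdict}")
```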
3. NETWORK PARAMETERS:
• When a firewall goes through a proxy to access the Internet, the proxy's
parameters have to be configured in this menu.
• One or several DNS servers may be added. The firewall contacts these servers to
resolve names that it sends or relays. These names have to be resolved for
features such as Active Update which queries update servers in order to download
databases (context-based patterns, antivirus, Vulnerability Manager, etc). These
DNS servers will also be used when the DNS cache service is enabled in
transparent mode (see the Appendix on the DNS proxy cache).
As long as the factory configuration password has not been changed, a critical error
will appear in the header of the administration interface (red boxes).
The password of the admin account must be changed in the ADMIN ACCOUNT tab
in the CONFIGURATION ⇒ SYSTEM ⇒ Administrators menu. The password must
contain at least 5 characters and comply with the password policy defined in the
CONFIGURATION menu.
The strength of the password indicates its level of security: Very weak, weak,
moderate, good, excellent. You are strongly advised to use uppercase letters and
special characters to increase the level of security.
The Export the private key and Export the public key buttons on the firewall make it
possible respectively to download the private key and the public key of the admin
account. These keys make it possible to connect to the firewall in SSH.
LICENSE
1. GENERAL:
At the top of the tab, a button allows you to search for new licenses directly on
Stormshield update servers and another button allows you to install licenses. These
buttons are followed by information on the duration of the license’s validity and the
various options available. The section Install from a file makes it possible to install a
license from the .license file stored on the PC.
The section Advanced configuration makes it possible to configure the frequency
with which the firewall will look for updates and automatically install them.
NOTE: A warning shown in orange means that the license option in question is about
to expire within fewer than 90 days.
2. LICENSE DETAILS:
The buttons that allow you to search for and install licenses are also found in this
section. Use the search bar to find out whether an option or service is available in
the license.
The rest of the page sets out the contents of the license with validity durations of
various options.
MAINTENANCE
1. System update:
This tab allows the administrator to update the version of the system (firmware). The
".maj" update file can be downloaded from the Stormshield client account, or the
firewall can retrieve it itself when you click on "Search for new updates".
The diagram above illustrates how the system partitions are updated. The new
version of the system "x+1" replaces the older version "x" on the active partition
while keeping the same configuration "y". Before the update, the administrator can
choose to copy the active partition to the backup partition (red box) with the option
"Back up the active partition on the backup partition before updating the firewall".
If this option is selected, whatever the backup partition held before (the older
system "x-1" and its configuration "y-1") is overwritten and permanently lost.
2. BACKUP:
In this tab, the administrator can manually back up the firewall's configuration; the
backup is downloaded as an encrypted .na file. The items that are backed up in
the file include:
The administrator can also enable the automatic backup of the configuration file.
Two options are available:
• Cloud backup: By enabling this option, the configuration file will be stored on a
server hosted in a service infrastructure called the cloud backup service, managed
by Stormshield. Backups may be performed every day, every week or every
month. In advanced configuration, this frequency can be set and the
configuration can be protected with a password, using the Backup
frequency and Backup file password parameters. Backups are secured via an
HTTPS connection and certificate-based authentication. A maximum of 5
configuration files per firewall can be saved on the cloud servers. Beyond that,
new files will overwrite older files. These files can be accessed from
Stormshield's client area.
• Customized server: with this option, configuration files will be stored on a server
whose IP address is entered in the Backup server parameter. Several
parameters can be configured in advanced configuration:
o Server port: listening port of the backup server,
o Communication protocol: HTTP or HTTPS,
o Server certificate: active only if HTTPS has been selected. It specifies the
certificate presented by the server to which the configuration backup will
be sent. With this option, the firewall confirms the identity of the server
before sending the backup file to it,
o Access path: specifies the folder in which configuration files will be
stored,
o Sending method: selects the HTTP sending method: basic authentication
(auth basic), digest authentication (auth digest) or POST,
o Login and password: used with the sending methods auth basic and
auth digest,
o POST – control name: used with the POST sending method,
o Backup frequency: frequency with which backups are sent – set by
default to one week,
o Backup file password: protects backup files with a password.
Note that with plain HTTP, the login/password and the backup file itself cross the
network in clear text. Use HTTPS with the Server certificate parameter set, so that
the firewall only talks to the intended server, and set a Backup file password so that
the stored file is also protected at rest on that server.
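To see what the receiving side of the Customized server option has to handle, here is an added example (not Stormshield code) of a minimal backup receiver in Python. The wire formats are assumptions made for the example: for auth basic, the .na file is taken to be the raw POST body, named after the last segment of the URL path and protected by an Authorization: Basic header carrying Login/password; for the POST method, the file is taken to be one multipart/form-data field named after the POST control name. Digest authentication is not implemented. ReceiverConfig, handle_upload, build_multipart and run_demo are the example's own names.

```python
"""Minimal receiver for SNS backups sent with the "Customized server" option.
Added example, not Stormshield code. Assumed wire formats: "basic" = raw .na
file as POST body, file name taken from the last URL path segment, Basic auth
header carrying Login/password; "post" = one multipart/form-data field named
after "POST - control name". "auth digest" is not implemented."""
import base64
import email
import hmac
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class ReceiverConfig:
    access_path: Path             # "Access path": directory that receives backups
    sending_method: str           # "basic" or "post"
    login: str = ""
    password: str = ""
    control_name: str = "backup"  # "POST - control name"


SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+\.na$")  # flat .na file names only


def basic_auth_header(login, password):
    return "Basic " + base64.b64encode(f"{login}:{password}".encode()).decode()


def _basic_auth_ok(header, cfg):
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pwd = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return False
    # Constant-time comparisons; both are evaluated even when the login is wrong.
    ok_user = hmac.compare_digest(user.encode(), cfg.login.encode())
    ok_pwd = hmac.compare_digest(pwd.encode(), cfg.password.encode())
    return ok_user and ok_pwd


def build_multipart(control_name, filename, data, boundary="sns-boundary"):
    """Return (content_type, body) for a one-field multipart/form-data upload."""
    head = (f"--{boundary}\r\nContent-Disposition: form-data; "
            f'name="{control_name}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    return f"multipart/form-data; boundary={boundary}", head + data + f"\r\n--{boundary}--\r\n".encode()


def _multipart_file(content_type, body, control_name):
    msg = email.message_from_bytes(f"Content-Type: {content_type}\r\n\r\n".encode() + body)
    if not msg.is_multipart():
        return None, None
    for part in msg.walk():
        if part.get_param("name", header="content-disposition") == control_name:
            return part.get_filename(), part.get_payload(decode=True)
    return None, None


def handle_upload(cfg, method, path, headers, body):
    """Pure request handler: stores the file and returns (http_status, message)."""
    if method != "POST":
        return 405, "method not allowed"
    if cfg.sending_method == "basic":
        if not _basic_auth_ok(headers.get("Authorization"), cfg):
            return 401, "authentication required"
        filename, data = path.rsplit("/", 1)[-1], body
    elif cfg.sending_method == "post":
        filename, data = _multipart_file(headers.get("Content-Type", ""), body, cfg.control_name)
        if data is None:
            return 400, f"missing form field {cfg.control_name!r}"
    else:
        return 501, "unsupported sending method"
    filename = os.path.basename(filename or "")  # the client never picks a directory
    if not SAFE_NAME.match(filename):
        return 400, "bad file name"
    cfg.access_path.mkdir(parents=True, exist_ok=True)
    (cfg.access_path / filename).write_bytes(data)
    return 201, f"stored {filename} ({len(data)} bytes)"


def run_demo():
    """Exercise both sending methods against a temporary access path."""
    root = Path(tempfile.mkdtemp())
    basic = ReceiverConfig(root, "basic", login="sns", password="s3cret")
    good = {"Authorization": basic_auth_header("sns", "s3cret")}
    bad = {"Authorization": basic_auth_header("sns", "wrong")}
    post = ReceiverConfig(root, "post", control_name="backup")
    ctype, body = build_multipart("backup", "fw-b.na", b"NA-DATA-B")
    return {
        "basic_ok": handle_upload(basic, "POST", "/backups/fw-a.na", good, b"NA-DATA-A")[0],
        "basic_bad_pwd": handle_upload(basic, "POST", "/backups/fw-a.na", bad, b"x")[0],
        "basic_bad_name": handle_upload(basic, "POST", "/backups/../fw.txt", good, b"x")[0],
        "post_ok": handle_upload(post, "POST", "/", {"Content-Type": ctype}, body)[0],
        "stored_a": (root / "fw-a.na").read_bytes(),
        "stored_b": (root / "fw-b.na").read_bytes(),
    }
```

handle_upload is kept free of socket code so it can be tested offline. To serve it, call it from the do_POST method of an http.server.BaseHTTPRequestHandler after reading Content-Length bytes, and wrap the listening socket with an ssl.SSLContext that holds the certificate you enter in the Server certificate parameter, so the firewall can verify the server over HTTPS. The basename() call plus the allow-list regex are what stop a client from writing outside the access path.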
3. RESTORE:
A configuration may be restored from a .na file stored on the host. If the
configuration file is password-protected, the administrator will need to enter the
password in the advanced configuration section.
Partial restorations are possible. In this case, in Advanced properties, select the
necessary module(s). In all cases, you are advised to restart the firewall after a
restoration (you will be asked to restart after a full restoration).
NOTE: As the admin user's password is not saved in the configuration file, it is
neither backed up nor restored.
Configurations can also be restored from the latest automatic backup, dated as
shown in Date of last backup. If the backup is password-protected, the
administrator will need to enter the password in the advanced configuration section.
MAINTENANCE: CONFIGURATION
[Diagram: the two partition scenarios, (1) active partition = main and passive partition = backup, (2) active partition = backup and passive partition = main]
4. CONFIGURATION:
All physical Stormshield Network UTM appliances hold two fully independent
partitions that make it possible to store various firmware versions. Each partition has
its own configuration. It is therefore important to distinguish between main/backup
partitions and active/passive partition. There are two possible scenarios as
illustrated above: (1) active partition => main and passive partition => backup or (2)
active partition => backup and passive partition => main.
The administrator can select the partition that will become active the next time the
firewall is started (main or backup). The other partition will then automatically
become the passive partition.
The Back up active partition button copies the contents of the active partition
(configuration + firmware) onto the passive partition.
The last maintenance options allow you to reboot or shut down the firewall and
download the system report, a text file that shows the firewall’s status and many
other indicators that will help technical support with their diagnosis.
The CONFIGURATION ⇒ SYSTEM ⇒ Active Update menu allows you to monitor the
automatic updates of the following modules:
The administrator can enable or disable the update of a single module or of all
modules at once using the buttons Allow all or Reject all.
The lists of update servers for the various modules and the URL database can be
accessed in advanced configuration. The administrator can modify, add or delete
servers.
NOTE: The application protocol used for the update can be HTTPS or HTTP. If HTTPS
is used, the CA that issued the server's certificate must be added to the firewall so
that the certificate presented can be validated.
RECOMMENDATIONS
As SSH access requires the use of the admin account, access must be occasional and
monitored. When not in use, SSH must be disabled to minimize the attack surface.
Preferably, use an SSH key pair; otherwise, use a password that is changed frequently.
An internal NTP server ensures the consistency of dates in logs, which is an absolute
necessity when logs need to be correlated.
With a controlled DNS, you can:
- Resolve the names of local and public objects,
- Speed up resolution.
The firewall must be managed from a protected, identified network and kept
separate from production environments.
Users must understand the languages used to avoid mistakes when handling the
product.
For highly specific situations/questions, refer to the TAC knowledge base at kb.stormshield.eu.
LOGS AND MONITORING
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.2
Logs and monitoring
LOG CATEGORIES
LOGS AND MONITORING
➔ Log categories
Configuring and viewing logs
Monitoring and history graphs
Notifications and additional reports
Lab – Introduction to the Lab platform
Lab – Getting started with the firewall and logs
The features and services on Stormshield Network firewalls generate events that are
stored locally in log files (on the hard disk) or on an SD memory card for smaller
firewalls that have the "external storage" option. Log files are organized in several
categories as described below:
• Administration: events relating to firewall administration. Therefore all
changes made to the firewall’s configuration are logged.
• Authentication: events relating to the authentication of users on the
firewall.
• Network connections: all events relating to TCP/UDP connections going
through or to the firewall that are not processed by an application plugin.
• System events: all events relating directly to the system: shutting
down/starting up the firewall, system errors, switching on/off an interface,
high availability, Active Update, etc.
• Alarms: all events relating to intrusion prevention features (IPS) and
events that have been logged with a minor or major alarm level in the
filter and NAT policy.
• HTTP proxy: all events relating to connections going through the HTTP
proxy.
CONFIGURING AND VIEWING LOGS
Logs are rotated, i.e., once the space allocated to a log category is full, older log
entries are overwritten by newer ones. This is the default selection.
• Viewing logs
The AUDIT LOGS menu in MONITORING displays logs saved locally on firewalls that
are equipped with a hard disk or SD memory card with the external storage option,
grouped by log family: network traffic, alarms, web, etc. E.g.: the Network traffic
family concatenates the following logs: Network connections, filtering, FTP proxy,
application connections, POP3 proxy, SMTP proxy, SSL proxy, HTTP proxy, VPN SSL.
Logs can be restricted to a predefined time range (last hour, today, last week or last
month) or customized and are shown from the most recent at the top of the list to
the oldest.
The default number of columns displayed is limited. However, all columns can be
displayed in one click using the option Expand all the elements in the Actions menu
(red box). To add columns one at a time, click on the arrow framed in blue and then
on Columns.
To see all data relating to a log, highlight a row and click on the Log line details
(green box).
A simple search field makes it possible to filter logs by searching for a character
string in all columns of all logs. In the above example the search criteria are part of
the name of an ICMP filter rule. The results of the search are displayed regardless of
whether the column containing the information is visible on the screen.
When you right-click on an item in a log, a window appears with shortcuts to several
features that vary depending on the type of item selected, as shown in the example
above:
• Several actions can be performed with URL objects, e.g., adding a URL list
defined by the administrator (blue box, then green box).
• ICMP (red box) can be added as a search criterion, which will replace the
verbose criterion in the example above. In this case, the corresponding filter rule can
be highlighted directly in the active security policy.
These operations mean that the administrator can rely on logs to refine their
security policies, enrich the objects database on the firewall and check
configurations intuitively.
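The searches described above, as an added example that is not part of the training book: a Python parser for key=value audit log lines with the same three filters the AUDIT LOGS view offers (a predefined time range, a free-text search across every column whether or not it is displayed, and exact per-field criteria ANDed together, which is what "add as search criterion" does), returning the newest entries first. The line format, the field names and the three sample lines are constructed for the example; SAMPLE_LOG, NOW, parse_line, load and search are the example's own names.

```python
"""Offline parser and search for SNS-style audit log lines.
Added example, not Stormshield code. The key=value line format, the field
names and the three sample lines are constructed for the example."""
import re
from datetime import datetime, timedelta

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample, in the order the lines were written to the log file.
SAMPLE_LOG = """\
id=firewall time="2021-12-21 10:15:02" fw="FW-A" pri=5 srcif="in" src=192.168.1.20 dst=172.16.1.11 proto=tcp dstport=80 action=pass rulename="Allow_web"
id=firewall time="2021-12-21 10:16:40" fw="FW-A" pri=4 srcif="in" src=192.168.1.21 dst=172.16.1.11 proto=icmp action=block rulename="Block_icmp_verbose"
id=alarm time="2021-12-21 10:17:05" fw="FW-A" pri=1 src=192.36.253.20 dst=192.36.253.10 proto=tcp dstport=22 action=block msg="Possible TCP scan"
"""
NOW = datetime(2021, 12, 21, 10, 30)  # reference clock for the sample


def parse_line(line):
    """One key=value line -> dict; quoted values may contain spaces."""
    record = {key: quoted or bare for key, quoted, bare in _KV.findall(line)}
    record["_time"] = datetime.strptime(record["time"], "%Y-%m-%d %H:%M:%S")
    return record


def load(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


# The predefined ranges of the AUDIT LOGS view; None means "since midnight".
RANGES = {"last hour": timedelta(hours=1), "today": None,
          "last week": timedelta(days=7), "last month": timedelta(days=30)}


def search(records, now=NOW, time_range="last month", text=None, criteria=None):
    """Time range, then free-text search across every column (visible or not),
    then exact per-field criteria ANDed together; newest entries first."""
    span = RANGES[time_range]
    start = now.replace(hour=0, minute=0, second=0) if span is None else now - span
    hits = []
    for r in records:
        if not start <= r["_time"] <= now:
            continue
        columns = {k: v for k, v in r.items() if k != "_time"}
        if text and not any(text.lower() in v.lower() for v in columns.values()):
            continue
        if criteria and any(columns.get(k) != v for k, v in criteria.items()):
            continue
        hits.append(r)
    return sorted(hits, key=lambda r: r["_time"], reverse=True)
```

search(load(SAMPLE_LOG), text="icmp") finds the second line through both its proto and its rule name, exactly as the web interface matches a character string in any column; replacing the text by criteria={"proto": "icmp"} is the "add as search criterion" step from the right-click menu.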
[Screenshot: Criterion 1 and Criterion 2 combined, and the resulting log view]
In order to apply the new European regulation on personal data, the GDPR (General
Data Protection Regulation), access to logs on SNS firewalls is restricted by default
for all administrators.
The admin super administrator and all administrators who hold the Access to
private data privilege can gain full access to logs simply by clicking on Logs:
restricted access.
Administrators who do not hold the Access to private data privilege can still obtain
full access using a temporary access code generated by another administrator who
holds the Management of access to private data permission.
MONITORING AND HISTORY GRAPHS
The MONITORING menu shows graphs and data in real time organized in 12 sub-
menus:
In addition to real-time graphs, four history graphs are also available if the History
curves button is set to ON in CONFIGURATION ⇒ NOTIFICATIONS ⇒ Report
configuration. History graphs show:
• CPU consumption,
• Bandwidth use for each interface,
• Bandwidth use for each QoS queue,
• Host reputation.
Like reports, history graphs can also be viewed over a configurable period: last hour,
specific day, last 7 days or last 30 days.
Additional reports are available and can be enabled individually in LIST OF REPORTS.
Warning: enabling reports may affect the firewall's performance.
• Monitoring configuration
NOTE: Activity reports and history graphs are available on firewalls that do not have
local log storage. However, they are limited to 5 reports and graphs in total with a
maximum history of 7 days.
NOTIFICATIONS AND ADDITIONAL REPORTS
Details on these four features are covered in the appendix of the Logs and
monitoring module.
RECOMMENDATIONS
A strong log policy ensures that logs cannot be altered and can be easily accessed
for debugging.
Logs must be stored locally so that appliances can be debugged effectively. An
external log server secures access to logs and protects them from attempts to alter
them if the appliance is compromised.
SNMP must be used to monitor the appliance while keeping a high level of security,
by applying specific filter rules to such traffic.
LAB - INTRODUCTION TO THE LAB PLATFORM
ARCHITECTURE
[Diagram: lab architecture. Addresses as drawn:
Trainee A firewall: 192.168.1.254 on IN, 172.16.1.254 on DMZ, 192.36.253.10 on WAN
Trainee B firewall: 192.168.2.254 on IN, 172.16.2.254 on DMZ, 192.36.253.20 on WAN
WAN network 192.36.253.0/24, with 192.36.253.1 on the WAN side
Trainee A Debian VM: DNS 172.16.1.10, WEB 172.16.1.11, FTP 172.16.1.12, MAIL 172.16.1.13
Trainee B Debian VM: DNS 172.16.2.10, WEB 172.16.2.11, FTP 172.16.2.12, MAIL 172.16.2.13]
Lab exercises will be carried out in VirtualBox. The platform for these exercises is
presented above, consisting of two sites (Trainee A and Trainee B) linked up with each
other via an external network "192.36.253.0/24".
Each site has a virtual SNS firewall (EVA1) and a Debian virtual machine (abbreviated as
VM) that embeds four servers (DNS, WEB, FTP and MAIL).
A graphical client machine, to which a user account has been assigned and allows
Internet access, makes it possible to change network parameters.
The trainee is free to choose the graphical virtual machine:
• Virtual machine provided by Stormshield (recommended): all exercises can be done
in fully virtualized configuration mode, which simplifies the network configuration
with VirtualBox and offers the possibility of assigning a graphical virtual machine to
each site.
• Trainee’s host workstation (not recommended): the network configuration must
allow the host workstation to act as a PC on either Network A or B.
Two private networks are configured on each site: IN "192.168.x.0/24" and DMZ: "
172.16.x.0/24". The Debian virtual machine is connected to the DMZ private network.
[Diagram: VirtualBox topology with the Stormshield graphical VM: Trainee A and Trainee B each with an Internal Network (LAN_DMZ1_A / LAN_DMZ1_B) hosting the Debian VM, joined through a NatNetwork]
NOTE: The NatNetwork VirtualBox network must be created and configured before
starting the virtual machines.
The Internal_Networks networks are deployed by importing OVAs.
REQUIREMENTS: The full virtual infrastructure described above requires at least 11.5
GB of disk space (the VMs provided have dynamic disk allocation) and 4.2 GB of
RAM. Use a host with at least 8 GB of RAM for best results.
[Diagram: VirtualBox topology with the physical host: Trainee A and Trainee B each with an Internal Network (LAN_DMZ1_A / LAN_DMZ1_B) hosting the Debian VM, joined through a bridged adapter on the physical Ethernet interface]
NOTES:
• All "Virtual Host-only Ethernet Adapter #X" VirtualBox interfaces must be created
and configured before starting the virtual machines.
• In the following lab exercises, the public network behind the bridged interface
replaces the network 192.36.253.0/24; on this network, every firewall must
have an IP address, and the physical network card must not have a default
gateway (otherwise, the physical host will use this gateway instead of going
through one of the firewalls, and a firewall would be needed for each virtual
Host-only Ethernet adapter).
• Since Stormshield provides a VM that allows you to do all lab exercises in full
virtualization mode, we will not explain the use of the physical host in this
module.
1. Install Virtualbox.
3. Only if you are not using the graphical VM provided by Stormshield, create the
two "Virtual Host-only Ethernet Adapter #X" interfaces (X=2-3) from VirtualBox
by clicking on Global Tools ⇒ Host Network Manager ⇒ Create and configure
their IP addresses as follows:
6. Check or configure the network interfaces of the SNS, Debian and graphical
VMs by following the diagram on page 4 (or the diagram on page 5 if you are
using your physical host). These VMs are on Trainee A’s site; rename them
where necessary.
8. Change the network interfaces for all three VMs: LAN_IN_A and LAN_DMZ1_A
are renamed LAN_IN_B and LAN_DMZ1_B respectively.
10. When you run a terminal, you can check whether the IP address of your
network card is correct by using the command ip address show (short form:
ip a) and by pinging 10.0.0.254 (which confirms the connection with the SNS).
LAB – GETTING STARTED WITH THE FIREWALL AND LOGS
1. Take a snapshot of each VM before you begin the lab exercises (with Oracle
VirtualBox, take the snapshot when the VM is off).
3. Change your preferences so that you will never be disconnected from the
interface when idle. Preferences are listed in the drop-down menu, which you
can access by clicking on the arrow next to the user name, at the top on the
right side of the header.
4. Set the language (logs and keyboard) and time zone of your firewall. Restart
the firewall to apply the new time zone (icon at the top on the right). Then set
your firewall to the correct time after rebooting.
6. Check the validity of your license and any available options, and in the
advanced options, configure a weekly check for the automatic update of your
license.
8. Check that local log storage has been enabled on the hard disk of the VM.
Allocate the disk space quota for the POP3 proxy category to the Network
connections category, then disable it. Enable all other logs.
NOTES:
• For each lab exercise to run smoothly, you need to apply the required
configurations to site A, then on Site B.
• If the alarm Possible attack on capacity connection is raised during a lab
exercise, this means that you have reached the maximum number of connections
allowed by the trainee VM license. When this happens, all new connections will
be blocked, so wait a few minutes until the connection table clears and returns
to normal.
APPENDIX – LOGS AND MONITORING
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.
SYSLOG
Stormshield Network firewalls embed a SYSLOG client that can be enabled to send
logs to external SYSLOG servers. Up to four Syslog servers can be enabled at the
same time by customizing the transmission protocol, format and log categories for
each server.
NOTE:
• The Certification authority, Server certificate and Client certificate parameters are
enabled only if the TLS protocol has been selected.
• The Backup server and Backup port parameters can only be used if TCP or TLS
have been selected.
STORMSHIELD VISIBILITY CENTER (SVC)
Network parameters and the keyboard language can be manually configured when
the virtual machine starts up by holding down any key for 5 seconds. Otherwise, the
network interface will be in DHCP by default and the keyboard configuration will be
"US". During startup as well, a password must be entered for the "root" and "log"
users. The "root" user makes it possible to log in to the virtual machine's console,
whereas the "log" user allows access to the web interface.
Once logged on to the console of the virtual machine, the svc-configurator
command allows you to view and configure several parameters: data, network,
database, password, keyboard language, date, etc.
Logs can be viewed through a web interface that can be accessed in HTTPS on the
virtual machine's IP address. The home page consists of several panels:
• Global - Menu: groups the home screens of each Stormshield product and the
operations that allow configuring the link between a Stormshield product and the
SVC server.
• Global - Events: number of entries reported by Stormshield products.
• Events – By category: provides an overview of logs by category.
Default views can be used for SNS firewalls, but the interface makes it possible to
define other fully customized lines and sections.
Dashboards are displayed by default for a limited duration - the icon at the top right
of the web interface makes it possible to change it to a predefined or customizable
duration.
Display filters can also be used. For example, in the above view showing SNS logs,
windows containing graphs have been removed from the view and a filter makes it
possible to display log lines that contain a specific destination port.
STORMSHIELD LOG SUPERVISOR (SLS)
For more information on SLS, refer to the user manual and our deployment guides
for OVA or Hyper-V VHD on Stormshield's technical documentation website at
https://documentation.stormshield.eu
E-MAIL NOTIFICATIONS
Start by configuring the users and/or groups that will receive notifications.
The RECIPIENTS tab allows creating and configuring mailing lists. Recipients in a
group can be e-mail addresses or users saved in the LDAP directory. In the latter
case, ensure that users have an e-mail address in their LDAP identities.
In the TEMPLATES tab, you can customize the body text in e-mails sent for various
events, except alarm management (seen earlier). The body text of messages may
contain parameters ($URL, $UID, etc) that will be replaced with values depending on
the context of the event.
REPORTS
Reports are calculated based on log files and are stored in a database. These
calculations only take into account logs that were recorded since reports were
enabled; log history is not factored in.
Next, you will be able to select which reports to enable/disable in the LIST OF
REPORTS tab by double-clicking on the Status field in a report.
Reports calculate the 50 most important events during the selected time range (i.e.,
last hour, day, last 7 days or last 30 days). However, the page only displays the first 10
events (top 10) out of these 50. The rest of the events (11th to 50th) are grouped in
the Others category.
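The top-50 / top-10 / Others rule above, and the note that only logs written after reports were enabled are counted, carried into code as an added example (not the product's implementation): build_report keeps the records inside the selected period and after the activation date, counts the values of one field, keeps the 50 most frequent, shows the first 10 and folds ranks 11 to 50 into one Others entry. The records returned by sample_records, NOW and ENABLED_SINCE are constructed data for the example.

```python
"""Top-N aggregation with the "Others" bucket used by SNS activity reports.
Added example, not the product's implementation. Records are dicts with a
datetime under "time" and the reported attribute under `field`; the sample
records, NOW and ENABLED_SINCE are constructed for the example."""
from collections import Counter
from datetime import datetime, timedelta

PERIODS = {"last hour": timedelta(hours=1), "day": timedelta(days=1),
           "last 7 days": timedelta(days=7), "last 30 days": timedelta(days=30)}
NOW = datetime(2021, 12, 21, 12, 0)
ENABLED_SINCE = NOW - timedelta(days=1)  # when reports were switched on


def build_report(records, field, now=NOW, period="last 7 days", enabled_since=None,
                 computed=50, displayed=10):
    """Return [(value, count), ...]: the `displayed` most frequent values, then
    one ("Others", n) entry grouping ranks displayed+1 .. computed. Values ranked
    below `computed` are dropped, as are records older than `enabled_since`
    (history from before the report was enabled is not factored in)."""
    start = now - PERIODS[period]
    if enabled_since is not None:
        start = max(start, enabled_since)
    counts = Counter(r[field] for r in records if field in r and start <= r["time"] <= now)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:computed]
    others = sum(c for _, c in ranked[displayed:])
    return ranked[:displayed] + ([("Others", others)] if others else [])


def sample_records(now=NOW):
    """Constructed data: host{i} is seen (61 - i) times in the last hour for
    i = 1..60, plus two hits on host1 three days ago, before reports were enabled."""
    recs = [{"time": now - timedelta(minutes=i), "dst": f"host{i}"}
            for i in range(1, 61) for _ in range(61 - i)]
    return recs + [{"time": now - timedelta(days=3), "dst": "host1"}] * 2
```

With the constructed data, hosts 51 to 60 never appear in the report at all, and the Others entry sums ranks 11 to 50 (1220 hits); passing the activation date removes the two older hits on host1.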
OBJECTS
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
Objects
OVERVIEW
➔ Overview
Network objects
Lab – Objects
• An object:
– Represents/bears a value (IP address, URL, time-based event, etc).
– Has a name and description
The configuration menus for Stormshield Network firewalls use objects to represent
values, e.g., IP addresses, network addresses, URLs, events, etc. There are two major
advantages in using objects instead of values:
1. The administrator deals with names, which are more recognizable than
values.
2. Whenever a value changes, only the object needs to be modified without
going into all the menus in which the object is used.
In this module, we will focus mainly on network objects. Web objects will be covered
in the "application protection" module. As for the segment on certificates and PKI, it
will be covered in the CSNE course.
The names of objects created by the administrator have to follow the syntax
restrictions defined in the table above. Names are not case-sensitive.
NOTE: Several objects bearing the same value can be created. However, we advise
against it in order to simplify the display of configuration menus (mainly filter and
NAT rules) and object databases, and of course, to simplify their maintenance.
NETWORK OBJECTS
The network object database can be accessed from the menu CONFIGURATION ⇒
OBJECTS ⇒ Network objects. It includes the following categories of objects:
• Host: an IP address
• DNS name (FQDN): all IP addresses associated with an FQDN name by DNS
resolution
• Network: A network address
• IP address range: an address range
• Port – port range: a port or a port range. It can be restricted to a particular
transport protocol (TCP or UDP),
• IP protocol: the ID of the IP protocol,
• Group: a group of objects with one or several IP addresses: hosts, IP address
ranges, networks or other groups,
• Port group: a group of objects containing ports or port ranges as well as other
port groups,
• Region group: a group of countries or continents. This type of object can be used
in the geolocation of IP addresses,
• Router: makes it possible to enter one or several gateways for a load balancing
route with or without backup gateways. This object will be covered in detail in the
Routing section of the Network Configuration module,
• Time: an event with a set time (ad hoc, day of the year, day(s) of the week or time
slot(s)).
There are two other particular categories of objects in addition to those that can be
created by the administrator:
• Implicit objects: these are created automatically by the firewall and depend on
the network configuration. These objects are in read-only mode and the
administrator can neither modify nor delete them. For example, the object
Firewall_out , created automatically when an IP address is associated with the
OUT interface or the object Network_internals , groups all networks
accessible via the internal interfaces.
• Preconfigured objects: these are present by default in the list of objects. They
represent values of standardized network parameters (ports, protocols,
networks) and the values needed for the firewall to run (IP addresses of
Stormshield servers for updates). The diagrams above represent ICMP and the
Internet object, which groups all hosts that are not part of internal networks.
NOTE: We recommend that you use implicit and pre-configured objects and refrain
from creating other objects with the same values.
• Creating an object
• Selecting the object category
• Name of the object
• Corresponding value
The window comprises several tabs, one for each category of object to be created.
In most cases, to create an object, two mandatory fields – name and the value –
must be defined. The comments field is optional.
You can either "create" or "create and duplicate" the object. The second button will
create the object and keep the creation window open in order to facilitate the
creation of a new object of the same category.
The screen captures above illustrate the creation of FQDN, host and IP address range
objects.
The firewall resolves dynamic host and FQDN objects every five minutes.
The firewall keeps the last resolved IP address for the host object.
The firewall keeps a set of resolved IP addresses in the object database for the FQDN
object. These settings are adapted for domain names that use load balancing via
DNS.
NOTE: When you create an FQDN or dynamic host object, click on the magnifying
glass to resolve the name of the object and retrieve a default address. If you do not
yet have access to a DNS server that can resolve the name, enter any IP address; it
will be replaced when the name is resolved.
The screen captures above illustrate the creation of port and time objects.
To add one or several objects to the group, simply select the object and move it from
the list on the left to the list on the right by clicking on the → button. Delete objects
from a group by doing the opposite with the ← button.
You can search for objects by typing partial names or the values of the desired
objects in the search field.
Object databases can be exported to a CSV file by clicking on "Export". You will then
be asked if you wish to download the file locally. The CSV file will contain host, IP
address range, network, FQDN, port - port range, protocol, group and port group
objects.
Objects are arranged by category, separated by lines that contain the names of
parameters: #type, #name, #IP, etc. (parameters differ according to object
categories). Object attributes are separated by commas.
Objects can be imported from a CSV file in the same format as the exported file.
To do so, click on Import , and a window will open to enter the CSV file containing
the objects. Click on Transfer to start importing the file. A progress bar shows how
long the import will take. Once it is complete, a report will show the number of
objects imported by type.
If there is an error during the import, the object database will not be modified.
NOTE: Objects in the file will overwrite the firewall’s objects if they have the same
name. Other objects are not affected.
RECOMMENDATIONS
• Avoid duplicates
If an object group contains all the administration IP addresses and networks, it can
be used in all filter rules relating to administration, ensuring consistency and making
it easier to modify them.
Dynamic objects such as FQDNs and dynamic hosts generate DNS requests regularly,
consuming network and firewall resources. Use this feature only when necessary.
Unused objects, often forgotten and then created again, occupy unnecessary space.
To avoid creating duplicates in the first place, do not keep specific objects that are
not used in the configuration.
Duplicates have to be identified and deleted, as they can cause errors when filter
rules are modified. For example, if an object that has a duplicate is modified, the
change will not be applied to the filter rules that use the duplicate, creating a
security flaw.
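The CSV export/import described in the NETWORK OBJECTS pages and the duplicate recommendation above, as one added example (not Stormshield code): parse an export, list objects of the same type that carry the same value, re-export, and merge an import with the documented semantics (an object with the same name is overwritten, other objects are untouched, any error leaves the database unchanged, and a per-type count is returned as the import report). The column names beyond #type, #name and #IP, the columns that make up an object's value per type, and SAMPLE_EXPORT are assumptions made for the example; lab_bonus_csv produces the two public hosts from the Lab – Objects bonus.

```python
"""Parse, check and merge SNS network-object CSV files.
Added example, not Stormshield code. Modelled on the export format described
above (a "#type,#name,..." header line per category, one object per row); the
column names other than #type/#name/#ip, the per-type value columns and the
sample export are assumptions made for the example."""
import csv
import io
import ipaddress

SAMPLE_EXPORT = """\
#type,#name,#ip,#resolve,#comment
host,srv_web,172.16.1.11,static,web server
host,srv_web_old,172.16.1.11,static,duplicate of srv_web
#type,#name,#ip,#mask,#comment
network,Network_dmz1,172.16.1.0,255.255.255.0,
#type,#name,#proto,#port,#comment
service,webmail,tcp,808,
"""

# Columns that make up an object's value, per type (assumption).
VALUE_COLUMNS = {"host": ("ip",), "network": ("ip", "mask"), "service": ("proto", "port")}


def parse_export(text):
    """One dict per object; keys are the header names without the leading '#'."""
    objects, columns = [], None
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0].startswith("#"):
            columns = [c.lstrip("#") for c in row]
        elif columns is None or len(row) != len(columns):
            raise ValueError(f"malformed row: {row}")
        else:
            objects.append(dict(zip(columns, row)))
    return objects


def export(objects):
    """Write objects grouped by type, each group under its own header line."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for typ in sorted({o["type"] for o in objects}):
        group = [o for o in objects if o["type"] == typ]
        cols = list(group[0])
        writer.writerow(["#" + c for c in cols])
        writer.writerows([o.get(c, "") for c in cols] for o in group)
    return out.getvalue()


def value_key(o):
    return (o["type"],) + tuple(o.get(c, "").lower() for c in VALUE_COLUMNS.get(o["type"], ()))


def duplicates(objects):
    """Values carried by more than one object of the same type -> their names."""
    by_value = {}
    for o in objects:
        by_value.setdefault(value_key(o), []).append(o["name"])
    return {k: names for k, names in by_value.items() if len(names) > 1}


def validate(o):
    if not o.get("name"):
        raise ValueError("object without a name")
    if o["type"] == "host":
        ipaddress.ip_address(o.get("ip", ""))  # raises ValueError on junk
    elif o["type"] == "network":
        ipaddress.ip_network(f"{o.get('ip', '')}/{o.get('mask', '')}")
    elif o["type"] == "service" and not 0 < int(o.get("port", "")) < 65536:
        raise ValueError("port out of range")


def import_objects(existing, incoming):
    """Merge `incoming` into the list `existing` in place: an object with the
    same (case-insensitive) name is overwritten, other objects are untouched,
    and any invalid row aborts before anything is modified. Returns the
    per-type count, like the import report."""
    for o in incoming:
        validate(o)  # check the whole file before touching the database
    merged = {o["name"].lower(): o for o in existing}
    report = {}
    for o in incoming:
        merged[o["name"].lower()] = o
        report[o["type"]] = report.get(o["type"], 0) + 1
    existing[:] = list(merged.values())
    return report


def try_import(existing, incoming):
    """import_objects, returning None instead of raising when the file is rejected."""
    try:
        return import_objects(existing, incoming)
    except ValueError:
        return None


def lab_bonus_csv(x):
    """CSV for the two public hosts of the lab bonus, x = 1 (site A) or 2 (site B)."""
    def host(name, ip):
        return {"type": "host", "name": name, "ip": ip, "resolve": "static", "comment": ""}
    return export([host("srv_ftp_pub", f"192.36.253.{x}2"), host("srv_mail_pub", f"192.36.253.{x}3")])
```

duplicates(parse_export(SAMPLE_EXPORT)) reports srv_web and srv_web_old as two hosts sharing 172.16.1.11, which is the situation the recommendation above warns about; running it over a real export before editing filter rules is a cheap way to find such pairs.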
LAB – OBJECTS
Note: In the next steps, "x" needs to be replaced with the letter representing the
company A⇒1, B⇒2.
2. Add a new TCP-based service called "webmail" operating over port 808.
Bonus:
• Based on the format of this file, create another CSV file containing two host
objects:
• "srv_ftp_pub": 192.36.253.x2
• "srv_mail_pub": 192.36.253.x3
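As an added example (not code from the Stormshield training material), the following Python sketch parses the category-separated CSV layout described in the import section and applies the import semantics stated there: same-name objects are overwritten, other objects are untouched, and nothing is modified if the file contains an error. The column names (#type, #name, #ip, #proto, #port, #comment) and the sample rows, which use x=1 for the lab's host objects, are assumptions.

```python
import csv
import io
from typing import Dict, Tuple

# Constructed sample in the layout the text describes: a line starting with '#'
# names the attributes of the category that follows, and attributes are
# comma-separated.  The exact column names are an assumption for this example.
SAMPLE_EXPORT = """\
#type,#name,#ip,#comment
host,srv_ftp_pub,192.36.253.12,public FTP server (x=1)
host,srv_mail_pub,192.36.253.13,public mail server (x=1)
#type,#name,#proto,#port
service,webmail,tcp,808
"""

ObjectDB = Dict[str, dict]   # object name -> attributes


def parse_objects_csv(text: str) -> ObjectDB:
    """Parse the category-separated CSV format into {name: attributes}.

    A '#'-prefixed line resets the column layout for the rows that follow.
    Any malformed row raises ValueError so that the caller rejects the whole
    file instead of importing half of it.
    """
    columns = None
    parsed: ObjectDB = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        if row[0].startswith("#"):
            columns = [c.lstrip("#") for c in row]
            continue
        if columns is None or len(row) != len(columns):
            raise ValueError(f"line {lineno}: row does not match the current header")
        attrs = dict(zip(columns, row))
        if attrs["name"] in parsed:
            raise ValueError(f"line {lineno}: duplicate name {attrs['name']!r} in file")
        parsed[attrs["name"]] = attrs
    return parsed


def import_objects(db: ObjectDB, text: str) -> Tuple[ObjectDB, Dict[str, int]]:
    """Import an export file into an existing object database.

    Behaviour described in the text: an imported object overwrites the
    firewall's object of the same name, other objects are untouched, and on
    any error the database is left unmodified.  Returns the resulting
    database and the per-type count shown in the import report.
    """
    try:
        incoming = parse_objects_csv(text)
    except (ValueError, KeyError):
        return db, {}                     # atomic: nothing modified on error
    merged = dict(db)
    report: Dict[str, int] = {}
    for name, attrs in incoming.items():
        merged[name] = attrs              # same name: overwrite
        report[attrs["type"]] = report.get(attrs["type"], 0) + 1
    return merged, report
```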
NETWORK CONFIGURATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
Course program
Network configuration
CONFIGURATION MODES
NETWORK CONFIGURATION
➔ Configuration modes
Types of interfaces
Lab – Network configuration: interfaces
System routing
Advanced routing
Order of routing types
Lab – Network configuration: routing
There are three configuration modes on all models of the Stormshield Network
Security range:
• Transparent mode or bridge mode,
• Advanced mode or router mode,
• Hybrid mode.
Do note that there is no configuration wizard for these modes. Each mode can be
implemented when needed, by configuring network interfaces and translation rules.
Figure: transparent mode. Local address range 192.168.0.x/24, default router 192.168.0.1 (the Internet access gateway).
With transparent mode, the Stormshield Network firewall can be integrated easily
into an existing network without having to modify its configuration.
This mode is particular in that all of the firewall’s interfaces are included in a bridge
that bears the IP address of the local network (IP that was used to access the
firewall’s administration interface). This makes it possible to obtain several physical
networks (one network per interface) sharing the same logical network.
Physical networks and the Internet access gateway communicate in bridge mode
(level 2) but the firewall continues to monitor traffic between interfaces (filtering,
ASQ analysis, etc).
In the diagram above, the local network uses a private address range 192.168.0.0/24
and accesses the Internet via a gateway that performs address translations. The
Stormshield Network firewall acts on connections between hosts in the local
network and the Internet access gateway.
Figure: advanced mode. Internal address range 192.168.0.x/24 with the firewall at 192.168.0.1 as default router; the external interface leads to the default router 172.16.1.1, with address translation performed by the firewall.
In advanced mode, the firewall acts as a router by managing several logical networks
(network addresses). Each interface is configured with a particular IP network, so
that the network can be physically and logically segmented.
In the image above, the local network is made up of two logical networks: a network
for internal hosts and a network for servers in the DMZ. Each network is connected
to the firewall via an interface with a specific IP address range. The public IP address
is configured directly on an external interface of the firewall.
In this mode, the Stormshield Network firewall must manage the address translation
mechanisms to provide Internet access from local networks.
Figure: hybrid mode, first scenario. Internal hosts and the DMZ share the address range 192.168.0.x/24 with default router 192.168.0.1; the external interface carries the public address 195.36.253.1 towards the Internet access gateway, with address translation performed by the firewall.
Hybrid mode is a combination of the bridge and advanced modes. The purpose of
this combination is to have several interfaces in a bridge (same address range) and
other independent interfaces with different address ranges.
In this mode there are two possible scenarios. The first is illustrated here. The
network of the internal hosts and the network of servers in the DMZ share the same
address range and they are connected to the firewall via interfaces belonging to the
same bridge. Address translation has to be configured on the firewall in order for the
local network (network of the bridge) to access the Internet via the external
interface, configured with a public IP address.
Figure: hybrid mode, second scenario. The DMZ uses the public address range 195.36.253.x/28 and shares a bridge with the external interface (IP address of the bridge 195.36.253.1, Internet access gateway); the internal address range 192.168.0.x/24 with default router 192.168.0.1 is on a separate interface and uses address translation.
The second scenario is illustrated above. The network of servers in the DMZ is
configured with a public IP address range. Each server will therefore have its own
public IP address.
This network is connected to the firewall by an interface in the same bridge as the
external interface that leads to the Internet access router. The servers in the DMZ
access the Internet via the bridge and no address translation is needed (connections
will still go through filter rules and other application analyses on the UTM).
The network of internal hosts has a private address range, which is connected to the
firewall via an interface that does not belong to the bridge. As a result, address
translation has to be configured in order to allow the network to access the internet.
TYPES OF INTERFACES
Figure: types of interfaces, including modem interfaces (3G/4G USB modem, PPPoE, PPTP).
Network configuration
TYPES OF INTERFACES
10
NOTE: the icon in the screen capture above means that the administrator is logged in
to the firewall from the corresponding interface.
Figure: anti-spoofing example. An internal interface carries 192.168.1.0/24 (firewall address .1) and an external interface leads to the Internet; a second, wrongly configured interface connects the internal network 192.168.2.0/24 (.1) and a wrongly configured host 10.0.0.1. The figure shows the filter rule "Pass from 192.168.2.0/24 port any to 192.168.1.0/24 port any" and the alarm "Spoofing detected, source IP unknown on the interface".
Internal (protected) interfaces only accept packets coming from networks that are known on
this interface. Either the network is directly connected and therefore deduced from the address
of the interface, or the network is known via a static route leaving from this interface.
External (unprotected) interfaces accept all packets except those from protected networks
(known on an internal interface).
If the interface is wrongly configured, lax filter rules that do not specify an incoming interface
would allow illegal traffic to pass through the firewall.
The example above illustrates this configuration issue. The network in green (192.168.2.0/24) is
linked to an external interface, so it is not added to the table of protected networks. A hacker on
another external interface will then be able to send packets with a spoofed IP address belonging
to the green network. The anti-spoofing mechanism will consider this packet legitimate.
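The protected-networks table and the anti-spoofing decision described above, as an added Python example that is not part of the original material; the interface names, the addresses and the 203.0.113.2/30 external address are constructed for the figure's scenario.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    address: str        # interface address in CIDR notation, e.g. "192.168.1.1/24"
    protected: bool     # True = internal (protected), False = external (public)


@dataclass
class StaticRoute:
    destination: str    # remote network in CIDR notation
    interface: str      # outgoing interface of the route


def protected_networks(interfaces: List[Interface],
                       routes: List[StaticRoute]) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Table of protected networks: the network directly connected to each
    protected interface, plus every network reached by a static route that
    leaves from a protected interface."""
    prot = {i.name for i in interfaces if i.protected}
    table = [(ipaddress.ip_interface(i.address).network, i.name)
             for i in interfaces if i.protected]
    table += [(ipaddress.ip_network(r.destination), r.interface)
              for r in routes if r.interface in prot]
    return table


def check_source(src_ip: str, in_iface: str, interfaces: List[Interface],
                 routes: List[StaticRoute]) -> Optional[str]:
    """Anti-spoofing decision for a packet arriving on in_iface.

    Returns None when the source address is acceptable on that interface,
    otherwise the reason the packet is dropped."""
    src = ipaddress.ip_address(src_ip)
    iface = next(i for i in interfaces if i.name == in_iface)
    owner = next((name for net, name in protected_networks(interfaces, routes)
                  if src in net), None)
    if iface.protected:
        # internal interface: only networks known on THIS interface are accepted
        if owner != in_iface:
            return "spoofing detected, source IP unknown on the interface"
        return None
    # external interface: everything except the protected networks
    if owner is not None:
        return f"spoofing detected, source belongs to the protected network on {owner}"
    return None


# Constructed topology from the figure: 'in' carries 192.168.1.0/24, 'out' faces
# the Internet and 'dmz' carries 192.168.2.0/24.  In MISCONFIGURED the 'dmz'
# interface was left external, so 192.168.2.0/24 never enters the protected table
# and a spoofed packet arriving on 'out' is accepted.
OUT = Interface("out", "203.0.113.2/30", protected=False)   # constructed address
IN = Interface("in", "192.168.1.1/24", protected=True)
MISCONFIGURED = [OUT, IN, Interface("dmz", "192.168.2.1/24", protected=False)]
CORRECTED = [OUT, IN, Interface("dmz", "192.168.2.1/24", protected=True)]
```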
Every physical interface has at least one static or dynamic IP address (blue box), with
the following parameters:
• Status: enabled or disabled
• Name: the interface must be given a logical name that is different from the
interface’s system name,
• Comments: optional parameter to add remarks regarding the selected interface,
• This interface is:
• internal (protected): a protected interface only accepts packets coming
from a known address range, such as a directly connected network or a
network defined by a static route. This protection includes the registration
of hosts connected to this interface (thereby protecting against IP address
spoofing), and allows implicit filter rules to be generated during the
activation of certain services on the firewall (for example SSH). An icon
representing a shield appears on all protected interfaces.
• external (public): indicates that the interface does not benefit from the
protection of a protected interface and can therefore receive packets
coming from any address range (which are not assigned to internal
interfaces). This type of interface is used mainly to connect the firewall to
the Internet.
NOTE: configurations will not be saved if they are not applied using the Apply
button.
Figure: 802.1q VLANs in router mode. Frames from PC1 to SERVER cross a switch; on its 802.1q tagged port the switch inserts a VLAN header (VLAN ID 10 or 20) between the Ethernet header and the IP datagram, and the firewall, configured with two VLAN interfaces (VLAN10 and VLAN20), removes it before forwarding the frame on an untagged port towards SERVER.
VLANs (Virtual Local Area Networks) introduce the concept of virtual segmentation
which makes it possible to create logical sub-networks within the same physical network
architecture. All network devices belonging to the same VLAN can communicate with
each other and make up a broadcast domain. The use of VLANs in a network
architecture therefore enhances performance by restricting broadcasts, and offers
better security by separating logical networks.
Stormshield manages IEEE 802.1q VLANs, for which an additional 4-byte header is:
• Added by a manageable switch or the firewall to an outgoing Ethernet frame over an
802.1q port,
• Removed by a manageable switch or the firewall from an incoming Ethernet frame over
an 802.1q tagged port.
This header includes the VLAN id (VID) field, which identifies the VLAN to which the
frame belongs. This field is coded in 12 bits and allows up to 4094 different VLANs to be
defined (VLANID=0 means that the frame does not belong to any VLAN and
VLANID=4095 is reserved). The header also includes the 3-bit Priority or CoS (Class of
Service) field which indicates the priority of the packet defined by the IEEE 802.1p
standard.
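An added Python example (not from the training material) showing the 802.1q tag described above: how a switch or the firewall inserts and removes the 4-byte header, and how the VID and the priority are read back, with VID 0 and VID 4095 handled as the text states. The frame bytes are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int]        # VLAN ID, None when the frame belongs to no VLAN
    pcp: Optional[int]        # 3-bit 802.1p priority (CoS), None when untagged
    ethertype: int
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, consuming one 802.1q tag if present.

    The 4-byte tag sits between the source MAC and the EtherType: TPID 0x8100,
    then a 16-bit TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
    VID 0 means 'priority tag only, no VLAN' and VID 4095 is reserved.
    """
    if len(raw) < 14:
        raise ValueError("frame too short")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    offset, vid, pcp = 14, None, None
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        offset = 18
        pcp = tci >> 13
        vid = tci & 0x0FFF
        if vid == 4095:
            raise ValueError("reserved VID 4095")
        if vid == 0:
            vid = None            # priority-tagged frame, belongs to no VLAN
    return Frame(_mac(dst), _mac(src), vid, pcp, ethertype, raw[offset:])


def add_tag(raw: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag, as a switch or the firewall does on a frame leaving an
    802.1q port.  Only VIDs 1..4094 identify a VLAN."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("invalid VID or priority")
    return raw[:12] + struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | vid) + raw[12:]


def strip_tag(raw: bytes) -> bytes:
    """Remove the tag, as done on a frame received over an 802.1q tagged port
    before it is forwarded on an untagged port."""
    if len(raw) >= 18 and struct.unpack("!H", raw[12:14])[0] == ETHERTYPE_8021Q:
        return raw[:12] + raw[16:]
    return raw


# Constructed untagged frame PC1 -> SERVER carrying a minimal IPv4 header.
UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!H", ETHERTYPE_IPV4)
            + bytes.fromhex("4500001400000000") + bytes(12))
TAGGED_VLAN20 = add_tag(UNTAGGED, vid=20, pcp=5)   # what the tagged port emits
```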
NOTE:
• The MTU value of the interface can be changed in the ADVANCED
PROPERTIES tab of a VLAN,
• In the above example, even though the parent interface of the VLAN is
disabled, the VLAN interface can still be created and run properly.
Figure: 802.1q VLAN in bridge mode. The firewall sits between two switches on an 802.1q tagged link carrying VLAN 20 (VLAN ID 20); it is configured with two VLAN interfaces, VLAN20_1 and VLAN20_2, in a bridge, so the tagged frames from PC to SERVER keep their VLAN header on both sides of the firewall.
The example above shows what happens when a firewall is added between two
switches in bridge mode, and linked up via an 802.1q tagged link. The switches
continue to behave the same way despite the addition, but the firewall will analyze
traffic on the VLAN.
The consistency of the network configuration is analyzed in real time. You can view it
by clicking on the arrow at the bottom of the screen.
Even when a warning appears, the configuration can still be backed up. However,
errors will prevent backups from being performed (the Apply button is grayed out).
LAB - NETWORK CONFIGURATION: INTERFACES
For the remaining lab exercises, you must select and enable the filter policy (10) Pass
all in the menu CONFIGURATION ⇒ SECURITY POLICY ⇒ Filter - NAT that will allow
all traffic through or from the firewall.
• Interface configuration:
1. Configure your firewall's OUT, DMZ1 and IN interfaces as follows:
• OUT: 192.36.253.x0/24
• DMZ1: 172.16.x.254/24
• IN: 192.168.x.254/24
• IP address: 192.168.x.2/24
SYSTEM ROUTING
Figure: default route. The firewall has interfaces in, dmz1 and out; the default route points to the gateway reached through the out interface (network 212.13.25.120/30).
Traffic that does not match any route in the routing table will be sent back to the
default gateway, regardless of route type: standard (static or dynamic routing) or
Stormshield proprietary (policy-based routing).
The default gateway can be entered in the IPV4 STATIC ROUTES tab in the menu
CONFIGURATION ⇒ NETWORK ⇒ Routing, Default gateway (router) parameter, and
can be one of the following values:
• Host object: specifies a single default gateway without availability testing, load
balancing or backup gateways (example above),
• Router object: the various gateways configured in the router object make it
possible to conduct availability and load balancing tests and to use backup
gateways. Such objects will be explained later in this chapter.
NOTE: on interfaces that obtain their IP addresses dynamically via DHCP, when the
DHCP lease is obtained, an object named Firewall_<interface_name>_router will
be created, and can be used as the default gateway.
For example, since the address range of your out interface is dynamic, you can enter
the object Firewall_out_router in the Default gateway (router) parameter.
Figure: static routing. The firewall has interfaces in and out; remote site B (192.168.2.0/24) is reached via Router B, remote site C via Router C and remote site D (192.168.4.0/24) via Router D.
Static routing consists of manually entering the remote gateway to which packets
will be sent in order to reach a remote network. In the figure above, three static
routes are needed to reach the remote networks B, C and D via the outgoing
interface named "sites", then routers Router B, Router C and Router D.
Figure: the IPv4 static routes screen, showing the warning displayed when a configuration contains inconsistencies.
Static routes can be configured in the section IPV4 STATIC ROUTES in the first tab of
the menu CONFIGURATION ⇒ NETWORK ⇒ Routing.
The section contains a search bar and two buttons to add or delete routes. It also
contains a window that lists all the static routes and their parameters. The Add
button adds entries to the list. Mandatory parameters for this line are:
• Status: On / off
• Destination network: may be a host, network or group object.
• Gateway: host object representing the IP address of the gateway that
makes it possible to reach the destination network.
• Interface: outgoing interface to reach the gateway. Based on the
parameters of the interface, the firewall automatically fills in the address
range. The selection of the interface is justified for bridges that may
contain protected and unprotected interfaces. You can find out whether
the network needs to be considered protected only when you select the
interface. When the address range of the interface is different from the
gateway’s address range, an error message will indicate that the gateway
is not routable.
ADVANCED ROUTING
• Dynamic routing
Figure: dynamic routing with BIRD (RIP, BGP, OSPF). OSPF is enabled on the sites interface; the firewall learns the routes to remote site B (192.168.2.0/24) via Router B, to remote site C via Router C, and to remote site D (192.168.4.0/24).
In dynamic routing, routes are learned automatically through a routing protocol. SNS
firewalls use BIRD to implement dynamic routing. BIRD implements 3 routing
protocols - RIP, OSPF and BGP - the supported versions of which are listed in the
knowledge base. In the figure above, the OSPF routing protocol is enabled on the
sites interface on the firewall to allow the firewall to learn the routes to the remote
networks B, C and D.
Dynamic routing can be configured in the IPV4 DYNAMIC ROUTING tab in the menu
CONFIGURATION ⇒ NETWORK ⇒ Routing.
Destination networks that were added to the routing table by a dynamic protocol
can be added to the table of protected networks.
• Policy-based routing
Figure: policy-based routing. The firewall has interfaces in, dmz1, isp1 and isp2; outgoing mail is sent to ISP 2 while other traffic goes to ISP 1.
In the above example, outgoing e-mail traffic is redirected to the gateway "ISP2"
while the rest of the traffic is redirected to the gateway "ISP1", which is the default
gateway.
Figure: router object with load balancing. Outgoing connections are shared between ISP 1 (interface isp1) and ISP 2 (interface isp2); the other interfaces are in and dmz1.
Router objects group several gateways so that they can be used simultaneously.
When a router object is created, a single route is created in the routing table. Router
objects also make it possible to conduct availability and load balancing tests and to
use backup gateways.
With load balancing, connections can be shared among several gateways. Traffic may
be shared equally or weighted so that each gateway receives a specific percentage of
the overall traffic. How traffic is shared may be based on the source IP address or the
parameters of a connection, i.e., source and destination IP addresses and port
numbers.
The figure above provides an example in which all outgoing connections will be
shared between the gateways "ISP1" and "ISP2" according to the chosen load
balancing mode (by source or by connection).
By using router objects, load balancing can be applied to traffic sent to the default
gateway or even to a particular type of traffic via policy-based routing. In the first
case, the router object has to be specified as the firewall's default gateway (see slide
2), whereas in the second case, the router object has to be entered in the gateway
parameter of the Action field in a filter rule (see slide 10).
Routing by load balancing can be configured in a router object. The various gateways
have to be added in the LIST OF GATEWAYS USED tab. Each line makes it possible to
enter:
• The gateway with a host object
• Availability testing: tests the availability of the gateway using pings. This
parameter may have several values:
• No availability testing: the availability of the gateway will not be tested.
• Test the gateway directly: pings will be sent directly to the gateway to test
its availability.
• A host or host group located behind the gateway, to which pings will be
sent to test the gateway's availability and operational status.
By default, the status of each gateway will be checked every 15 seconds by sending a
ping to each host entered. If no response is received after 2 seconds, the firewall will
try again three more times before considering the gateway unavailable. Gateway
statuses can be seen in the route monitoring menu.
The weight (red box) determines how much of the traffic managed by the router
object will be assigned to a gateway, based on the following calculation:

$$\text{Traffic share (\%)} = \frac{\text{weight of the gateway}}{\text{sum of the weights of all the gateways}} \times 100$$
The algorithm used (blue box) for load balancing can be configured in the Load
balancing (Advanced configuration) parameter:
• No load balancing: traffic will be sent exclusively to the first gateway that
appears in the list.
• By connection: balances traffic according to source and destination IP
addresses and port numbers. This algorithm is recommended as it allows
connections from the same host to be balanced equally.
• By source IP address: balances traffic according to the source address.
This ensures that traffic from a particular host will always be sent to the
same gateway.
When a filter rule uses a router object (policy-based routing) and none of the
object’s gateways can be reached, the behavior of the firewall can be configured in
the If no gateways are available parameter:
• Default route: traffic is sent to the default router.
• Do not route: traffic will be blocked by the firewall.
• Backup gateways
Figure: backup gateway. All connections are sent to ISP 1 (interface isp1); ISP 2 (interface isp2) receives them only when ISP 1 is unavailable.
A router object also makes it possible to specify a list of backup gateways that will be
used in the event one, several or all main gateways are unavailable.
In the example illustrated above, the gateway "ISP2" is considered a backup gateway
that will be used for all traffic only when "ISP1" is no longer available.
Do note that router objects make it possible to use backup gateways for traffic sent
to the default gateway or only for a particular type of traffic using policy-based
routing.
• If one or all backup gateways must be enabled: by default, only the first
contactable backup gateway in the list will be used unless the option
Enable all backup gateways when unavailable is selected.
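The router object behaviour described on this and the preceding slides (weights, the availability test defaults, the three load balancing modes, the first-contactable or all-backups choice and the "If no gateways are available" option), as an added Python model that is not Stormshield's implementation. The hash-based way of mapping a source address or a connection onto a weighted gateway is an assumption made here to keep the selection deterministic.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Availability test defaults stated in the text: one ping every 15 s, a 2 s
# timeout, then three more attempts before the gateway is declared unavailable.
PROBE_INTERVAL_S, PROBE_TIMEOUT_S, PROBE_RETRIES = 15, 2, 3


def gateway_up(ping_replies: List[bool]) -> bool:
    """Outcome of one monitoring round: the gateway stays available as long as
    the initial ping or one of the retries is answered."""
    return any(ping_replies[:1 + PROBE_RETRIES])


@dataclass
class Gateway:
    name: str
    weight: int = 1
    available: bool = True          # last result of the availability test


@dataclass
class RouterObject:
    gateways: List[Gateway]
    backups: List[Gateway] = field(default_factory=list)
    mode: str = "connection"        # "none" | "connection" | "source"
    enable_all_backups: bool = False        # 'Enable all backup gateways when unavailable'
    if_none_available: str = "default"      # "default" (default route) | "block" (do not route)


def share_percent(gws: List[Gateway]) -> Dict[str, float]:
    """Share of traffic (%) = weight of the gateway / sum of all weights x 100."""
    total = sum(g.weight for g in gws)
    return {g.name: round(100.0 * g.weight / total, 2) for g in gws}


def active_gateways(r: RouterObject) -> List[Gateway]:
    """Main gateways that are up; when all of them are down, the first
    contactable backup (or every contactable backup when the option is set)."""
    up = [g for g in r.gateways if g.available]
    if up:
        return up
    backups = [g for g in r.backups if g.available]
    return backups if r.enable_all_backups else backups[:1]


def select_gateway(r: RouterObject, src_ip: str, dst_ip: str,
                   sport: int, dport: int) -> Optional[str]:
    """Gateway chosen for one connection.  None means 'fall back to the default
    route'; the string 'BLOCK' means the firewall drops the traffic."""
    gws = active_gateways(r)
    if not gws:
        return None if r.if_none_available == "default" else "BLOCK"
    if r.mode == "none":
        return gws[0].name          # no load balancing: first gateway in the list
    # 'source': hash the source address only, so one host always gets the same
    # gateway; 'connection': hash the full 4-tuple so one host's connections spread.
    # (Hashing is this example's assumption, not the firewall's documented method.)
    key = src_ip if r.mode == "source" else f"{src_ip}:{sport}>{dst_ip}:{dport}"
    total = sum(g.weight for g in gws)
    slot = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big") % total
    for g in gws:               # weighted pick: each gateway owns `weight` slots
        if slot < g.weight:
            return g.name
        slot -= g.weight
    return gws[-1].name
```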
• Return route
Figure: return route. The firewall has interfaces in, dmz1, isp1 and isp2; a connection entering via isp1 must have its responses sent back through isp1 rather than through the default exit point isp2.
The return route specifies the outgoing interface to reach a remote gateway. Such
routes are used to force outgoing traffic from an incoming connection to go through
the connection's incoming interface.
The image above illustrates an example in which we have two WAN access points.
The "ISP1" access point is reserved exclusively for mail traffic (incoming and
outgoing). The "ISP2" access point is used as the default exit point for other traffic.
Without a return route, responses from incoming e-mail connections via "ISP1" can
be redirected through "ISP2".
Return routes can be configured in the RETURN ROUTE tab in the menu
CONFIGURATION ⇒ NETWORK ⇒ Routing. A row needs to be added for each route,
in which the gateway and the interface allowing it to be accessed have to be
specified.
ORDER OF ROUTING TYPES
Order of priority applied to an IP packet, from highest to lowest:
1. Return route
2. Policy-based routing
3. Static routing
4. Dynamic routing
5. Load balancing and/or backup gateways
6. Default route
The figure shown above illustrates the order in which the various types of routing
will be applied.
NOTE: When a router object is used in policy-based routing and no gateways can be
contacted, two options are possible: either routing can be delegated to the default
route or the firewall can block the traffic. These options are not possible if the router
object is used in the default route.
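The priority order above, worked through as an added Python example (not code from the training material): a small resolver applies return route, policy-based routing, static, dynamic and default routing in that order to a constructed configuration. The router object's load balancing is collapsed into a single default gateway name here, and the return route is triggered from the gateway the connection entered through, which is an assumption about how the firewall tracks it.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    incoming_gateway: Optional[str] = None   # gateway the connection entered through
                                             # (from the connection state) when this
                                             # packet is a reply, otherwise None


@dataclass
class PolicyRoute:
    """A filter rule whose Action carries a gateway (policy-based routing)."""
    src_net: str
    dst_net: str
    dport: Optional[int]
    gateway: str

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class RoutingConfig:
    return_routes: dict = field(default_factory=dict)       # gateway -> interface
    policy_routes: List[PolicyRoute] = field(default_factory=list)
    static_routes: List[Tuple[str, str]] = field(default_factory=list)   # (CIDR, gateway)
    dynamic_routes: List[Tuple[str, str]] = field(default_factory=list)  # (CIDR, gateway), from BIRD
    default_gateway: Optional[str] = None    # host or router object, modelled as one name


def longest_match(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match within one routing type."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, gw in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def route(p: Packet, cfg: RoutingConfig) -> Tuple[str, str]:
    """Apply the routing types in the order of the figure and return
    (routing type used, next hop)."""
    # 1. Return route: a reply leaves through the gateway it came in by
    if p.incoming_gateway and p.incoming_gateway in cfg.return_routes:
        return "return route", p.incoming_gateway
    # 2. Policy-based routing: first matching filter rule with a gateway
    for rule in cfg.policy_routes:
        if rule.matches(p):
            return "policy-based routing", rule.gateway
    # 3. Static routing, then 4. dynamic routing (BIRD)
    gw = longest_match(cfg.static_routes, p.dst)
    if gw:
        return "static routing", gw
    gw = longest_match(cfg.dynamic_routes, p.dst)
    if gw:
        return "dynamic routing", gw
    # 5./6. Load balancing or backup gateways of a router object, then the default
    #       route (both collapsed into the configured default gateway here)
    if cfg.default_gateway:
        return "default route", cfg.default_gateway
    return "no route", ""


# Constructed configuration matching the slides: mail (TCP 25) from the internal
# network is sent to ISP2 by policy, a static route to 192.168.2.0/24 via Router B,
# an OSPF-learnt route to 192.168.4.0/24 via Router D, ISP1 as the default gateway
# and a return route so that connections entering via ISP2 answer through it.
CONFIG = RoutingConfig(
    return_routes={"ISP2": "isp2"},
    policy_routes=[PolicyRoute("192.168.1.0/24", "0.0.0.0/0", 25, "ISP2")],
    static_routes=[("192.168.2.0/24", "Router B")],
    dynamic_routes=[("192.168.4.0/24", "Router D")],
    default_gateway="ISP1",
)
```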
RECOMMENDATIONS
If an interface is not in use, you are advised to disable it to prevent any traffic from
arriving on it.
In order to recognize networks that can be reached from an interface, they must be
known to the firewall. For this, you will need a route that leads from a protected
interface to these networks. On the other hand, any unreachable network defined in
the routing table may hinder the anti-spoofing mechanism, which is why you should
never leave unnecessary routes in the routing table.
For highly specific situations/questions, refer to the TAC knowledge base at kb.stormshield.eu.
LAB - NETWORK CONFIGURATION: ROUTING
Routing configuration:
1. Configure the default gateway of your firewall as "192.36.253.1".
The firewall intercepts DNS requests heading to the Internet, and queries the DNS
server configured in lab 2, point 9.
If the requested name is in its cache, the firewall will respond directly to the request
based on the information that it has.
• The object allowed to use this cache is your DNS server on the DMZ (172.16.x.10).
Add it to the List of clients allowed to use the DNS cache.
APPENDIX - NETWORK CONFIGURATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.
MODEM INTERFACES
NETWORK CONFIGURATION
Program
➔ Modem interfaces
Wi-Fi interfaces
Dynamic DNS
DHCP
Static multicast routing
DNS proxy cache
Bird static routing
Bird dynamic routing
NOTE: in the ADVANCED PROPERTIES tab of a PPTP or PPPoE modem, you can
specify whether connectivity is permanent or on demand.
Before you create the modem interface, you must configure a profile according to
the parameters that the modem vendor provided. For more details, see the technical
note "Configuring a 3G/4G modem on SNS". The technical note explains which
parameters need to be entered in the profile.
After you have created the profile, you need to restart the firewall.
After the restart, create the interface and attach the profile, which you configured
earlier, to this interface.
WI-FI INTERFACES
Network configuration
Appendix
WI-FI INTERFACES
PublicAP
PrivateAP
SN160W and SN210W firewalls have a built-in 802.11 a/b/g/n Wi-Fi card that makes it
possible to configure two separate WLAN access points to connect wireless
equipment over the 2.4 GHz or 5 GHz frequency ranges.
• General configuration:
• Scan frequency: select or create a time object to define when to enable
the Wi-Fi card.
• Mode: select the transmission standard that the Wi-Fi card uses:
o 802.11b, 802.11g or 802.11g/n in the 2.4 GHz range.
o 802.11a or 802.11a/n in the 5 GHz range.
Figure: available channels in the 2.4 GHz and 5 GHz ranges.
• Channel configuration:
• Country: select the country in which the firewall is installed so that the Wi-
Fi transmission complies with the country's regulations. This choice will
determine the available communication channels and signal strength.
• Channel: select the channel that the Wi-Fi card uses. The channels offered
depend on the selected country and mode.
• Tx power: set the transmission strength of the Wi-Fi card. The strengths
offered depend on the selected country.
NOTES:
• The above parameters are the same for both WLAN access points.
• If you have other Wi-Fi access points in your company, refrain from using identical
or overlapping channels so that you can restrict interference on your wireless
network:
• In the 2.4 GHz frequency range, only channels 1, 6 and 11 do not overlap.
• In the 5 GHz frequency range, none of the channels overlap.
After the Wi-Fi card is activated, you can configure both access points in
CONFIGURATION ⇒ NETWORK ⇒ Interfaces.
Both access points correspond to the WLAN interfaces PrivateAP and PublicAP,
disabled by default. They can be enabled simultaneously with different
configurations, making it possible to have two separate WLAN networks that can be
managed separately in other modules: DHCP, filtering, translation, authentication,
etc.
NOTES:
• After having configured a WLAN interface, you need to configure the DHCP server
to automatically assign IP addresses to devices that log in to the WLAN. Refer to
the chapter on DHCP in this module to find out how to do so.
• WLAN interfaces can belong to a bridge.
• VLAN interfaces cannot have a WLAN interface as their parent interface.
DYNAMIC DNS
Network configuration
Appendix
Server
Client
Client
Client
2 Updates IP address
1 New IP address
12
Dynamic DNS makes it possible to match a domain name to a firewall that does not
have a static public IP address. This means that the firewall can always be reached
when its domain name is used. This feature relies on a DNS service provider;
Stormshield Network firewalls support two providers: DynDNS and No-IP.
The way Dynamic DNS works is illustrated in the diagram above. It involves two
entities: a client integrated into the Stormshield Network firewall, which sends IP
address updates to a server maintained by the DNS service provider. The domain
name is associated with an interface. Updates are performed every time the IP
address of the interface changes. If the address never changes, updates will take
place by default every 28 days.
• User name and Password: the ID and password used to authenticate the
client with the DNS service provider.
• Dynamic DNS server: indicates the DNS service provider’s server in the
form of a host object with an automatically resolved name (see the
Object module).
• Dynamic DNS Service: indicates the service subscribed with the DNS
service provider.
DHCP
Network configuration
Appendix
Broadcast/Unicast
DHCP DISCOVER
DHCP OFFER
Server
DHCP DHCP REQUEST
DHCP ACK
DHCP OFFER
DHCP OFFER
DHCP
DHCP DHCP REQUEST
DHCP REQUEST
DHCP ACK
DHCP ACK
16
The firewall cannot simultaneously manage DHCP server and relay features.
• DHCP server:
The Parameters section defines the elements sent by default to DHCP clients:
Domain name, Default gateway, Primary DNS Server and Secondary DNS
server. This information can be customized for each address range defined in
the ADDRESS RANGE section. Ranges must comply with the following
conditions:
• An address range must belong to the same addressing scheme as the
protected interface’s scheme.
• IP address ranges must not overlap.
• The gateway specified for a range has to be in the same addressing
scheme.
Still in the same menu, the RESERVATION section makes it possible to reserve
static IP addresses for hosts in the LAN, identified by their MAC address.
Addresses can be reserved by adding a row in the list using the Add button. A
host object must be entered in the Reservation field. This object must
contain the IP address that will be assigned to the client and the MAC
address of the host that will obtain this IP address. If the host object entered
does not contain a MAC address, an error appears to indicate that a MAC
address could not be found for the host. A specific gateway can be entered
for the reserved IP address in the GATEWAY field.
• DHCP relay
If the option Relay DHCP requests for all interfaces is selected, the firewall
will listen to client requests on all of its network interfaces (the list that
follows will then be grayed out).
Otherwise, the list will make it possible to specify interfaces for which
requests must be relayed.
STATIC MULTICAST ROUTING
Network configuration
Appendix
Group1: 239.0.0.100
Group2: 239.0.0.200 Group2: 239.0.0.200
DMZ1
LAN2
Group1: 239.0.0.100
LAN1
21
Unlike a unicast transmission in which a copy of the traffic is sent to each recipient, a
multicast transmission distributes a single copy of the traffic to a group of recipients
identified by a multicast IP address (class D, 224.0.0.0 to 239.255.255.255). This
transmission mode is used mainly to distribute real-time multimedia traffic (radio,
TV, conferences, etc). To receive a stream of traffic, the user must subscribe to the
multicast group using IGMP (Internet Group Management Protocol). IGMP requests
are received on the access router which manages multicast groups (subscription,
unsubscription, checking the presence of subscribers) in the internal network and
retrieves multicast traffic, by using a multicast routing protocol (PIM-SM, PIM-DM,
PIM-BIDIR, PIM-SSM, DVMRP and MOSPF) with the other routers.
Note:
• For the moment, multicast groups cannot be managed with IGMP on SNS
firewalls, which do not implement multicast routing protocols.
To add a route, simply click on Add which will launch a wizard; in the first window,
enter the source interface and multicast address or network. Destination interfaces
are indicated in the second window.
Routing must be enabled by selecting the parameter Enable static multicast routing.
DNS PROXY CACHE
[Diagram: the firewall's DNS cache (domain name, IP address); a request for www.google.com is answered from the cache or resolved through the DNS server, and the DNS response is returned to the client]
The DNS proxy cache feature makes it possible to memorize the IP addresses of
names resolved by DNS requests. This saves bandwidth by preventing multiple
resolutions of the same name. This feature can be implemented in two situations:
• When the local network uses the firewall as a DNS server. The firewall
receives the DNS request and checks for the presence of the name in the
cache. If the name does not exist, the firewall will resolve it using its DNS
servers; it will add the name accompanied by the IP addresses to the
cache and sends a DNS response to the local network. If the name exists
in the cache, the firewall will send a DNS response based on available
information.
• When the local network uses any DNS server. The DNS request intended
for server X is intercepted by the firewall which begins by checking for the
name in the cache. If the name does not exist, the firewall will resolve it
using its servers instead of server X; it will add the name accompanied by
the IP addresses to the cache and sends a DNS response to the local
network by spoofing the IP address of server X, leading the local network
to believe that the name was resolved by this server. If the name exists in
the cache, the firewall will send a DNS response based on available
information, also by spoofing the IP address of server X.
In CONFIGURATION ⇒ Network ⇒ DNS Proxy cache, the DNS cache can be enabled.
Objects that are allowed to use this cache must be explicitly added to the List of
clients allowed to use the DNS cache. These objects can be hosts, networks, address
ranges or groups.
BIRD STATIC ROUTING
Route injection
Bird makes it possible to inject routes into the FreeBSD system routing table, and in
return, learn routes that are already in the routing table, so that they can be
redistributed via dynamic routing protocols, for example.
The Bird configuration file shown by default in the graphical interface is:
The sections seen in this file (pseudo-protocols) determine the interactions between
Bird and the system, in the following order:
• Protocol direct: routes to networks directly connected to the firewall's
local interfaces can be exported to Bird.
• Protocol kernel: the Bird routing table can be synchronized with the
system’s routing table.
• Protocol device: statuses of links on interfaces are monitored, e.g., when
an interface is disabled, routes that must go through this interface will be
deleted from the system routing table.
Bird commands
To view information on routes, the status of interfaces or other information about
Bird, you can use the following commands after you have enabled dynamic routing in
the web interface:
Test the show interfaces command, for example, which is particularly useful in
viewing the status of each interface, its system name and usual name. Also, when
you have pushed a configuration, regularly compare the Bird routing table (show
route) with the FreeBSD routing table (netstat -rn).
Fault tolerance
Stormshield firewalls support the use of two links with different priorities:
Fault detection depends on the status of interfaces, among other factors. But this
aspect does not apply to VTIs, since firewalls always consider them active. To force a
quick switch when a link fails, BFD (Bidirectional Forwarding Detection) can be used.
This is not a routing protocol, but an independent feature, which also works with
dynamic routing. BFD makes it possible to detect faults on links by monitoring
sessions that were created by sending UDP packets (port 3784). As soon as a BFD
instance is created, it must be attached to the corresponding static route.
protocol bfd {
    interface "enc1" {
        interval 1 s;          # frequency of BFD control messages for an established BFD session
        multiplier 3;          # number of missed messages before the link is declared down
        idle tx interval 1 s;  # frequency of BFD control messages for a session not yet established
    };
}
BIRD DYNAMIC ROUTING
Introduction
Before you configure OSPF, several important factors must be taken into account,
based on the network topology:
• The links over which OSPF will be used, such as point-to-point links.
• Routes that do not need to be exported to OSPF, such as default gateways specific
to each site, networks with the same network pool on all sites, etc.
• Interfaces on which OSPF traffic does not need to be enabled, such as the internal
interfaces of a site.
The command show route export kernel1 will be particularly useful in verifying the
routes that Bird injects into the kernel, and modifying import-export filters as a
result.
ADDRESS TRANSLATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
Training program
Address translation
OVERVIEW
ADDRESS TRANSLATION
➔ Overview
Dynamic translation
Static translation by port
Static translation
"NAT" Menu
Order of application of NAT rules
Lab – Address translation
Address translation mechanisms have been developed to deal with the shortage of
public IP addresses. Basically, private IP addresses – defined by the IANA (Internet
Assigned Numbers Authority) and set out in RFC 1918 (see the table above) – are used for
local corporate and private networks. These networks are then connected to the
Internet via a single public IP address.
DYNAMIC TRANSLATION
[Diagram: the host @privA reaches the web server @Web through the firewall's public address @pub_fw (steps 1 to 4)]
Original packet (1):   source address @privA, source port xxxx, destination address @Web, destination port 80
Translated packet (2): source address @pub_fw, source port 20000, destination address @Web, destination port 80
The diagram above illustrates how this type of translation works when the host
"@privA" accesses a web server "@web" over the Internet. The IP packet sent by the
host "@privA" to the server "@web" is intercepted by the firewall, which replaces
the source IP address "@privA" with the firewall’s public IP address "@pub_fw" and
the source port "xxxx" (this port is chosen by the operating system of the host
"@privA") with a port in the range [20000-59999]. The firewall memorizes the
translated match between (IP address "@privA"/source port "xxxx") and (IP address
"@pub_fw"/source port 20000). This match is used to translate responses from the
web server by replacing (destination IP address "@pub_fw"/destination port 20000)
with (destination IP address "@privA"/destination port "xxxx").
[Diagram: two internal hosts open HTTP connections to the same web server through the firewall's public address @pub_fw]
The modification of the source port is warranted mainly when two hosts "@privA"
and "@privC" use the same source port to set up a connection to the same web
server. If the source port is not modified by the firewall, the web server will receive
two connection requests coming from the same public IP address "@pub_fw" and
same source port. This may cause a malfunction on both connections and ambiguity
in the translation of responses with regard to the firewall, which will not know to
which host it needs to send the responses received from the server.
When the ephemeral_fw object is used as the Source port of traffic after
translation, the source ports will be chosen from a predefined range [20000-59999].
By default, they will be chosen in sequence from the range. There is however an
option available to make this selection random.
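The translation table described above, as an added example that is not Stormshield code: a small Python model of source address sharing that takes translated ports from ephemeral_fw in sequence or at random, keeps the match for the server's replies, and fails when asked to keep the original port for two hosts that chose the same one. The private hosts, the web server and the public address are constructed documentation addresses.

```python
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EPHEMERAL_FW = range(20000, 60000)  # the ephemeral_fw range [20000-59999]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Source address sharing: (private addr, port) <-> (public addr, translated port)."""

    def __init__(self, public_ip: str, random_ports: bool = False,
                 rewrite_ports: bool = True, seed: int = 0) -> None:
        self.public_ip = public_ip
        self.random_ports = random_ports    # the "random translated source port" option
        self.rewrite_ports = rewrite_ports  # False only to show why ports must be rewritten
        self._rng = random.Random(seed)
        self._next_seq = EPHEMERAL_FW.start
        # (private addr, private port) -> (public addr, translated port), and the reverse
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.reverse: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _allocate_port(self, original: int) -> int:
        if not self.rewrite_ports:
            if (self.public_ip, original) in self.reverse:
                # Two hosts with the same source port behind one public address: the
                # server would see one 5-tuple twice and replies could not be attributed.
                raise ValueError(f"ambiguous translation for source port {original}")
            return original
        if self.random_ports:
            while True:
                port = self._rng.randrange(EPHEMERAL_FW.start, EPHEMERAL_FW.stop)
                if (self.public_ip, port) not in self.reverse:
                    return port
        # Default: ports are taken in sequence from the range, skipping ones in use.
        for _ in EPHEMERAL_FW:
            port = self._next_seq
            self._next_seq = port + 1 if port + 1 < EPHEMERAL_FW.stop else EPHEMERAL_FW.start
            if (self.public_ip, port) not in self.reverse:
                return port
        raise RuntimeError("ephemeral_fw range exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving the LAN: rewrite the source and record the match."""
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            port = self._allocate_port(pkt.sport)
            self.table[key] = (self.public_ip, port)
            self.reverse[(self.public_ip, port)] = key
        pub, port = self.table[key]
        return Packet(pub, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply from the server: apply the recorded match, or None (no match, dropped)."""
        key = (pkt.dst, pkt.dport)
        if key not in self.reverse:
            return None
        priv, sport = self.reverse[key]
        return Packet(pkt.src, pkt.sport, priv, sport)


if __name__ == "__main__":
    fw = Masquerader("203.0.113.1")  # @pub_fw
    a = fw.outbound(Packet("10.0.0.10", 40000, "198.51.100.80", 80))  # @privA -> @web
    c = fw.outbound(Packet("10.0.0.12", 40000, "198.51.100.80", 80))  # @privC, same port
    print("privA:", a)
    print("privC:", c)
    print("reply to privA:", fw.inbound(Packet("198.51.100.80", 80, "203.0.113.1", a.sport)))
    try:
        bad = Masquerader("203.0.113.1", rewrite_ports=False)
        bad.outbound(Packet("10.0.0.10", 40000, "198.51.100.80", 80))
        bad.outbound(Packet("10.0.0.12", 40000, "198.51.100.80", 80))
    except ValueError as err:
        print("without port rewriting:", err)
```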
STATIC TRANSLATION BY PORT
[Diagram: a client on the Internet opens an HTTP connection to the firewall's public address @pub_fw, which is redirected to the local web server (steps 1 to 4)]
The diagram above illustrates the example of a local web server "@priv_web"
accessible from the Internet over the firewall’s public IP address "@pub_fw". A
translation rule is created on the firewall to match (the destination public IP address
"@pub_fw" /destination port 80) and (the IP address of the local server
"@priv_web" /destination port 80).
As such, the packet sent by the host "@client" to the IP address "@pub_fw" on port
80 will be modified before being sent to the web server on the same port. The
response sent by this server will also be modified as a result before being sent to the
host "@client" . It is important to note that destination ports before and after
translation may differ.
[Diagram: several local servers reached through the single public address @pub_fw, each on its own port]
A single public IP address may provide access to services hosted on several local
servers as shown in the diagram above. Servers are differentiated only by the port
number of the service.
STATIC TRANSLATION
[Diagram: incoming SMTP connection from @client to the local mail server through its public address @pub_mail (steps 1 to 4)]
Original packet (1):   source address @client, source port xxxx, destination address @pub_mail, destination port 25
Translated packet (2): source address @client, source port xxxx, destination address @priv_mail, destination port 25
Static translation must be two-way, meaning that the local server can be accessed by
all incoming connections from the Internet with its public IP address. Outgoing
connections initiated by this server to the Internet must have the same public IP
address as its source. This is reflected in two translation rules: a rule for incoming
connections and another rule for outgoing connections.
The diagram above shows the changes made to the packets of an incoming
connection to a local mail server based on the translation rule that matches (the
destination public IP address "@pub_mail") to (the IP address of the local server
"@priv_mail").
The packet sent by the mail server "@internet" to the IP address "@pub_mail" will
therefore be modified in order to be sent to the local mail server. The response sent
by this server will also be modified as a result before being sent to the mail server
"@internet". It is important to note that source ports before and after translation
may be restricted to a particular port number and may differ.
[Diagram: outgoing connection from @priv_mail, whose source is translated to @pub_mail, an address carried by the firewall's external interface alongside @pub_fw; original packet (1) and translated packet (2), steps 1 to 4]
The diagram above shows the changes made to the packets of an outgoing
connection, initiated by the local mail server, to a server over the Internet based on
the translation rule that matches (the source private IP address "@priv_mail") to (the
source public IP address "@pub_mail").
As such, the packet sent by the server "@priv_mail" to an IP address over the
Internet will be modified to replace the source address "@priv_mail" with the source
address "@pub_mail". The response sent by the external server will also be modified
as a result before being sent to the local mail server. It is important to note that
source ports before and after translation may be restricted to a particular port
number and may differ.
[Diagram: an ARP broadcast "who has @pub_mail?" is answered by the firewall because its ARP table publishes @pub_ftp ⇒ @MAC_fw and @pub_mail ⇒ @MAC_fw; the IP packet (Src IP, Dst IP) then reaches the firewall in an Ethernet frame addressed to @MAC_fw]
Given that virtual public IP addresses are not configured on the firewall’s external
interface, the firewall will not respond to ARP requests to resolve these IP addresses
to the firewall’s MAC address.
To resolve this issue, the ARP broadcast of virtual public IP addresses is needed so
that static translation will work. This means that entries can be added to the
firewall’s ARP table to match each virtual public IP address to the MAC address of
the external interface. The firewall will be able to respond to ARP requests to resolve
these IP addresses and receive all packets going to these addresses, as shown in the
diagram above.
"NAT" MENU
[Diagram: the ten filter/NAT policy slots, each with a Filtering tab and a NAT tab: (1) Block all, (2) High, (3) Medium, (4) Low, (5) Filter 05, (6) Filter 06, (7) Filter 07, (8) Filter 08, (9) Pass all High, (10) Pass all]
On Stormshield Network firewalls, filter and NAT rules (address translation) are
grouped in the same policy. Up to 10 different policies can be defined but only one
policy may be active at a given time, identified by the icon:
Filter and NAT rules can be configured in the menu CONFIGURATION ⇒ SECURITY
POLICY ⇒ Filtering and NAT.
The menu header makes it possible to:
• Select the filter and NAT policy using the drop-down list.
• Edit:
• Rename: changes the name of the policy.
• Reinitialize: resets to default filter and NAT rules. Be careful as this
operation may be irreversible.
• Copy to: copies from one policy to another.
• Export: exports filter/NAT rules from the selected policy to a CSV file,
which will then be used to retrieve rules on a Stormshield Management
Center (SMC) server.
The rest of the menu is made up of two tabs:
• Filtering: configures filter rules.
• NAT: configures address translation rules.
The use indicator (blue box) indicates the number of times processed traffic matched
the criteria of the translation rule. The numeric counter appears when you hover over
the indicator. It can display four colors, which reflect the ratio between the number
of hits for this rule and the maximum number of hits reached by a rule in the same
slot:
• White (blank): the rule has never been applied.
• Blue: the value displayed is between 0% and 2% of the maximum number
of hits.
• Green: the value displayed is between 2% and 20% of the maximum
number of hits.
• Orange: the value displayed is higher than or equal to 20% of the
maximum number of hits and exceeds 10,000 hits.
To save a policy, click on Apply. The policy is saved immediately. A new window
opens, allowing you to enable or disable the policy by clicking on YES, ACTIVATE THE
POLICY or LATER.
• Column display
The display of columns in the window may be customized by clicking first on the icon
indicated by the blue arrow above then on the columns. Simply select a column for it
to be displayed.
NAT rules can be moved in the window by dragging and dropping by clicking on the
rule number on the left.
NOTE: When searches are performed in logs or monitoring, they rely on the name of
the rule, so you can display the Name column. Do note that a rule always has a
default name, which the administrator can change.
• Parameters of a rule
The parameters of a rule may be entered directly in the rule window or in a new
window that appears by double-clicking on any parameter of this rule. This window
also enables access to advanced configuration parameters.
Since the values of the parameters are objects, they can be copied from one rule to
another by dragging and dropping.
• Dynamic translation
Dynamic NAT rules can be created with the button New rule ⇒ source address
sharing rule (masquerading) which automatically adds the port range
ephemeral_fw as the src port in the traffic after translation.
The diagram above sets out an example of a dynamic NAT rule with the main
parameters that need to be entered. In the section original traffic (before
translation), the source represents the internal network Network_in accessible from
the "in" interface which wants to access any destination on any destination port. In
the section traffic after translation, the source is modified by the public IP address
of the "out" interface and the source port is translated into a port number in the
range ephemeral_fw.
You are advised to select the option Choose a random translated source port which
allows randomly choosing a port number in the range ephemeral_fw for new
connections. This option provides protection from certain attacks by making the
translated port less predictable.
The static NAT rule by port is created from a standard rule. An example is given in
the diagram above.
In the section on original traffic, the source represents any host on the public
network going to the firewall’s public IP address on port 80 (HTTP). In the section on
traffic after translation, the destination IP address is replaced with the server’s
private IP address and port number 80 (HTTP) is kept as the destination port. It is
important to note that destination ports before and after translation may differ.
• Static translation
Static NAT rules can be created with New rule ⇒ static NAT rule (bimap) which
launches a wizard to enter the following information:
• Private host(s): the private IP address of the internal server
• Virtual host(s): the virtual public IP address dedicated to the internal
server
• Only on the interface: external interface from which the server can be
accessed with its virtual public IP address.
• Only for ports: the static NAT rule allows all ports to be translated,
but it can be restricted by specifying one port or a port range in this
parameter. You are advised to leave this value as Any and to restrict the
port directly in the filter rules.
• ARP publication: enables ARP broadcast for the public IP address.
The example illustrated in the diagram above statically translates an internal SMTP
server identified by a private IP address srv_mail_priv and a dedicated virtual public
IP address srv_mail_pub.
The wizard adds two translation rules: the first rule for the translation of the internal
server’s outgoing traffic toward the public network and the second for incoming
traffic going to the virtual public IP address. Both rules can be modified separately
later.
ORDER OF APPLICATION OF NAT RULES
The order in which translation rules appear in the list is very important, as it defines
the order in which new connections will be compared against translation rules.
Therefore, a new connection will be compared against the rules starting from the
first in the list to the last. When the connection matches a rule, the translation
defined by this rule will be applied and the connection will no longer be analyzed by
the rules that follow.
This mode of operation may cause overlaps if rules are not in a logical sequence. An
example is illustrated in the diagram above – the second translation rule will never
be used because a more general rule above it in the list will override it (the networks
in the group IP_PUB are included in the object Internet).
The firewall has a built-in checker that detects such overlaps, which will be indicated
to the administrator through an alert that appears at the bottom of the window.
NOTE: A simple solution to this example is to reverse the order of both translation
rules.
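A check for the overlap just described, as an added example rather than the firewall's own checker: it flags any translation rule whose source and destination networks are both covered by an earlier rule, since a connection stops at the first match. The object base (Network_in, Internet, a group IP_PUB) and the rules are constructed, and Internet is modelled as all non-RFC 1918 address space.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, collapse_addresses, ip_network
from typing import Dict, List, Tuple


def exclude_all(base: List[IPv4Network], excluded: List[IPv4Network]) -> List[IPv4Network]:
    """Networks of `base` with every network of `excluded` carved out."""
    result = list(base)
    for ex in excluded:
        carved = []
        for net in result:
            if ex.subnet_of(net) and ex != net:
                carved.extend(net.address_exclude(ex))  # split the block around the hole
            elif not net.subnet_of(ex):
                carved.append(net)                      # disjoint block: keep as is
        result = carved
    return result


RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed object base: object name -> networks it stands for.
OBJECTS: Dict[str, List[IPv4Network]] = {
    "Any": [ip_network("0.0.0.0/0")],
    "Network_in": [ip_network("10.0.0.0/24")],
    "Internet": exclude_all([ip_network("0.0.0.0/0")], RFC1918),
    "IP_PUB": [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")],  # a group
}


@dataclass(frozen=True)
class NatRule:
    name: str
    src: str  # object name, original traffic (before translation)
    dst: str  # object name, original traffic (before translation)


def networks(obj: str) -> List[IPv4Network]:
    return list(collapse_addresses(OBJECTS[obj]))


def covered(sub: List[IPv4Network], sup: List[IPv4Network]) -> bool:
    """True when every network of `sub` lies inside some network of `sup`."""
    return all(any(n.subnet_of(s) for s in sup) for n in sub)


def shadowed_rules(rules: List[NatRule]) -> List[Tuple[str, str]]:
    """(hidden rule, earlier rule that hides it) for rules that can never match.

    Rules are compared from first to last and evaluation stops at the first
    match, so a later rule whose source and destination are both covered by
    an earlier rule is never reached."""
    hidden = []
    for position, later in enumerate(rules):
        for earlier in rules[:position]:
            if covered(networks(later.src), networks(earlier.src)) and covered(
                networks(later.dst), networks(earlier.dst)
            ):
                hidden.append((later.name, earlier.name))
                break
    return hidden


if __name__ == "__main__":
    policy = [
        NatRule("masquerade_to_internet", "Network_in", "Internet"),
        NatRule("masquerade_to_ip_pub", "Network_in", "IP_PUB"),  # never used in this order
    ]
    print("as listed:", shadowed_rules(policy))
    print("reversed: ", shadowed_rules(policy[::-1]))
```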
SECURITY RECOMMENDATIONS
To make filter policies easier to read, you are advised to give them clear names with
a specific naming system.
Never let rules overlap. Besides them being unnecessary, doing so would create
entry points when the current rule is removed.
Every unnecessary rule is a potential entry point and increases the attack surface, so
they must be identified and deleted regularly.
For highly specific situations/questions, refer to the TAC knowledge base at kb.stormshield.eu.
LAB - ADDRESS TRANSLATION
[Diagram: lab topology showing the addresses 172.16.1.254, 172.16.2.254 and 192.36.253.1]
For this lab exercise, we will consider the inter-company external network a public network in which
no private IP addresses are allowed.
1. Disable static routes added in the previous lab exercise.
2. Copy the Filter/NAT policy (10) Pass all to policy number 4. Rename policy number 4 "Lab_4".
Next, enable this policy.
3. Add a NAT rule so that your internal networks can access the Internet without revealing their
private IP addresses. Next, test access to the external network and Internet access from your
workstation.
4. You have two additional public IP addresses "192.36.253.x2" and "192.36.253.x3" reserved
respectively for your FTP and MAIL servers in the DMZ. Add static NAT (bimap) rules that make
it possible to reach each server from the external network using its public IP address.
5. Add a port-based static NAT rule so that your Web server in the DMZ can be reached via a port
redirection through the public IP address of your firewall "192.36.253. x0".
6. With the other company, test access to all the resources (the mail server can be tested using a
telnet command).
Bonus:
• Add a NAT rule so that internal hosts can access your servers in the DMZ without revealing their
private IP addresses.
• What are the advantages and disadvantages of translating addresses from your internal network
to your DMZ, which is itself an internal network?
APPENDIX - ADDRESS TRANSLATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.
ADVANCED PROPERTIES
In a NAT rule, you can specify the incoming interface of traffic that the rule must
match. This advanced configuration, which applies to the source field of a rule,
accommodates several use cases.
The first case presented above consists of translating two physical networks (in and
dmz1) belonging to the same logical network (network_bridge) to two public IP
addresses Firewall_out and IP_pub_virtual. The only way to differentiate both
physical networks is by specifying the incoming interface.
In the second use case, the various network aliases used by an interface are
translated to the firewall’s public IP address.
When additional IP addresses are configured using the same interface, the firewall
creates additional objects.
In the above example, when three IP addresses are configured in different
addressing schemes, three host objects are created: Firewall_in, Firewall_in_1 and
Firewall_in_2, followed by three corresponding network objects.
In this case, all networks that match the aliases, or a group containing them, should
be added to the rule. Specifying an interface in a translation rule makes it possible to
use Any as the source network to translate all the aliases of this interface. Be careful,
as this rule will also be applied to networks that arrive on this interface, but which
do not necessarily belong to the networks that this interface transports, such as
traffic arriving from a router located on one of the networks passing through the
interface.
In a NAT rule, you can also specify the outgoing interface that the rule must match.
This applies to the destination field of the traffic before translation, thereby making
it possible to restrict the translation rule to only this interface’s outgoing traffic. This
interface is determined beforehand through the routing function that sets the MAC
address of the remote gateway as the destination MAC address of the packet.
The diagrams above illustrate the use of the outgoing interface when the firewall has
access to two WAN networks and when load balancing must be set up on both links.
The advanced configuration settings for translation rules allow the distribution of
redirected connections for both incoming and outgoing connections:
• Load balancing of outgoing connections (rule 1): This consists of
translating outgoing connections with several source IP addresses.
• Load balancing of incoming connections over several servers or ports
(services). There are several types:
• Load balancing over several hosts (rule 2): This option consists of
redirecting incoming connections to several hosts by entering a
group made up of several IP addresses as the traffic destination
after translation. It can be used when a service is hosted on several
servers.
• Load balancing over several ports (rule 3): This option consists of
redirecting incoming connections to several destination ports on a
single host by specifying a port range for traffic after translation. It
is used when several instances of the same application are hosted
on the workstation. Each of these instances listens on a particular
port from the destination port range.
• Load balancing over several hosts and several ports (rule 4): This
option represents a combination of the two previous load balancing
modes. It allows incoming traffic to be distributed over the various
destination ports of several hosts.
The various types of load balancing can be based on four types of algorithms:
• Round-robin: Connections alternate between IP addresses and port
numbers.
• Source IP hash: A hash of the source IP address of the connection before
translation is calculated in order to choose the IP address or port number.
This algorithm guarantees that connections from the same host will always
be associated with the same IP address or the same port number.
• Connection hash: A hash of the connection parameters before translation
(source IP, source port, destination IP, destination port), is calculated in
order to choose the IP address or port number. This algorithm makes it
possible to distribute connections originating from the same host over
several IP addresses or several port numbers.
• Random: the IP address or port number is randomly selected.
NOTE: The accessibility of the chosen IP address or port number will not be verified
(even if they are not accessible, the firewall will continue to send traffic to them).
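The four algorithms above applied to a rule that spreads incoming connections over several hosts and several ports (rule 4), as an added example that is not Stormshield's implementation: SHA-256 as the hash function, the hosts, the ports and the addresses are all assumptions. It shows source IP hash pinning one host to one target while connection hash spreads that host's connections, and, as the NOTE says, no reachability check is made.

```python
import hashlib
import itertools
import random
from dataclasses import dataclass
from typing import List, Tuple

Target = Tuple[str, int]  # (destination host, destination port) after translation


@dataclass(frozen=True)
class Connection:
    """Connection parameters before translation."""
    src: str
    sport: int
    dst: str
    dport: int


class LoadBalancer:
    def __init__(self, hosts: List[str], ports: List[int], algorithm: str, seed: int = 0):
        # Several hosts (rule 2), several ports (rule 3) or both (rule 4) all reduce
        # to one list of candidate targets; only its shape differs.
        self.targets: List[Target] = list(itertools.product(hosts, ports))
        self.algorithm = algorithm
        self._round_robin = itertools.cycle(self.targets)
        self._rng = random.Random(seed)

    @staticmethod
    def _hash(*fields: object) -> int:
        data = "|".join(str(f) for f in fields).encode()
        return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

    def choose(self, conn: Connection) -> Target:
        """Pick the target for a new connection; accessibility is never verified."""
        n = len(self.targets)
        if self.algorithm == "round-robin":
            return next(self._round_robin)
        if self.algorithm == "source-ip-hash":
            # Same source host -> same target, every time.
            return self.targets[self._hash(conn.src) % n]
        if self.algorithm == "connection-hash":
            # Same host may land on different targets for different connections.
            return self.targets[self._hash(conn.src, conn.sport, conn.dst, conn.dport) % n]
        if self.algorithm == "random":
            return self._rng.choice(self.targets)
        raise ValueError(f"unknown algorithm {self.algorithm!r}")


def spread(algorithm: str, connections: List[Connection]) -> List[Target]:
    """Targets chosen by a fresh two-host, two-port balancer for each connection."""
    lb = LoadBalancer(["10.0.1.10", "10.0.1.11"], [8080, 8081], algorithm)
    return [lb.choose(c) for c in connections]


if __name__ == "__main__":
    # One public client opening six connections to the published service.
    conns = [Connection("198.51.100.7", 50000 + i, "203.0.113.1", 80) for i in range(6)]
    for algo in ("round-robin", "source-ip-hash", "connection-hash", "random"):
        print(f"{algo:16s}", spread(algo, conns))
```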
NOTE: It is also possible to use the translation exception for a specific host on a
translated network.
FILTERING
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
Training program
Filtering
OVERVIEW
FILTERING
➔ Overview
The concept of "stateful"
Sequencing of filter and translation rules
Filtering menus
Policy analyzer
Lab – Filtering
With the filter policy, the administrator can define rules that make it possible to allow or
block traffic going through the Stormshield Network firewall. Depending on the type of
traffic, certain security inspections (antivirus scan, antispam scan, URL filtering, etc) can
be enabled. These will be covered in detail in the Application protection module. The
defined filter rules must be in line with the company’s security policy.
A filter rule relies on many criteria in order to define a traffic type, thereby offering
higher granularity. Some of the criteria that can be specified include:
• Source and/or destination IP address,
• The reputation and location of the source and/or destination IP address,
• Incoming and/or outgoing interface,
• Source and/or destination network address,
• Source and/or destination FQDN,
• Value of the DSCP field,
• TCP/UDP/SCTP service (destination port number),
• IP-based protocol – for ICMP, the type of ICMP message can be specified,
• Users or user groups requiring authentication.
The number of active filter rules in a policy is limited. This restriction depends on the
model of the firewall. The first packet belonging to each new traffic stream received by
the firewall is compared against the filter rules from the first to the last line. You are
therefore advised to arrange your rules in the order of the most restrictive to the most
permissive.
By default, any traffic that is not explicitly allowed by a filter rule will be blocked.
THE CONCEPT OF "STATEFUL"
[Diagram: query (1) from @privA, source port xxxx, to @web on port 80, and the response (2) from @web; connections are tracked for TCP, UDP, SCTP and ICMP]
Stormshield Network firewalls use SPI (Stateful Packet Inspection) technology, which
makes it possible to memorize the status of TCP and SCTP connections and UDP and
ICMP pseudo-connections to keep track of them and detect potential anomalies or
attacks. The direct consequence of this stateful tracking is that filter rules only
allow traffic in the direction in which the connection was initiated; replies that are
part of the same connection will be implicitly allowed. There is therefore no need for
an additional filter rule to allow response packets for connections that were set up
through the firewall.
SEQUENCING OF FILTER AND TRANSLATION RULES
[Diagram: the slots in order of priority, from implicit filtering through global and local filtering to implicit, global and local NAT; each filter slot yields Block, Pass or N/A (no applicable rule) and each NAT slot yields an applicable rule or N/A]
On Stormshield Network firewalls, filter and NAT rules are organized in various levels
called slots represented in their order of priority in the diagram above:
• Implicit filtering: groups filter rules that have been pre-configured or
added dynamically by the firewall in order to allow or block certain types
of traffic after a service is enabled. For example, an implicit rule allows
connections going to the UTM’s internal interfaces on the HTTPS port
(443/TCP) in order to ensure constant access to the web administration
interface. In another example, as soon as the SSH service is enabled, a set
of implicit rules will be added to allow these connections from all hosts on
internal networks.
• Global filtering: groups filter rules that have been inserted on the firewall
from the "Stormshield Management Server" (SMC) administration tool or
after global policies have been displayed.
• Local filtering: represents filter rules added by the administrator from the
administration interface.
• Implicit NAT: groups NAT rules that the firewall adds dynamically. These
rules are used mainly when high availability is enabled.
• Global NAT: like global filtering, it groups NAT rules that have been
inserted on the firewall from the "Stormshield Management Server" (SMC)
administration tool or after global policies have been displayed.
• Local NAT: groups NAT rules that the administrator has added from the
administration interface.
“FILTERING” MENUS
NOTE: Modifying the status of the implicit rules directly affects how services run on the firewall. Before disabling one, confirm that lower-priority rules, i.e. global or local rules, still allow the traffic the service needs, so that it continues to run correctly.
To display global rules, select Display global policies (Filtering, NAT, VPN IPsec and
Objects) in the Preferences menu that can be accessed directly from the header icon
in the red box. This option will display in the header of the menu CONFIGURATION
⇒ SECURITY POLICY ⇒ Filtering and NAT a drop-down list allowing global or local
policies to be selected. By default, there are no filter or NAT rules in the global slots.
• Creation of a rule
• Selection of columns to display
Filter rules are part of a policy, as explained earlier in the "Address translation" module.
The "FILTERING" tab is made up of a header to manage filter rules:
• New rule:
  • Single rule: adds a standard filter rule. By default, a new rule is disabled and all its criteria are set to "Any".
  • Separator – rule grouping: adds a separator which groups all the rules located under it (until the next separator). This simplifies the display of a policy containing a large number of rules. The separator may be customized with a specific color and comments.
  • Authentication rule: opens a wizard that adds a rule created specifically to direct the connections of unauthenticated users to the captive portal (see the Users and Authentication module for more details on the subject).
  • SSL inspection rule: opens a wizard that adds rules to enable the SSL proxy.
  • Explicit HTTP proxy rule: opens a wizard that adds rules to enable the explicit HTTP proxy.
• Delete: deletes the selected rule.
• Up / Down: moves the selected rules up or down the list.
• Naming rules
• Header options
NOTE: When searches are performed in logs or monitoring, they rely on the name of
the rule. You will see in the above example that a rule always has a default name,
which the administrator can change.
The parameters of a rule may be entered directly in the rule grid or in the window (omnibox) that opens when you double-click any parameter of the rule. Since parameter values are objects, they can be copied from one rule to another by dragging and dropping; a whole rule can likewise be moved by dragging its number. Rules that have been added take effect only after they are saved and enabled with the Save and enable button.
The ACTION menu is made up of several tabs, but we will focus on the GENERAL tab, which makes it possible to specify the following parameters:
• Action: defines the action to apply to the packet that matches the filter rule:
  • Pass: allows the packet,
  • Block: drops the packet; unlike reinit., the sender is not notified,
  • Decrypt: sends the packet to the SSL proxy,
  • reinit. TCP/UDP: for TCP traffic, the firewall sends a TCP RST packet back to the sender; for UDP traffic, it sends an ICMP port unreachable notification to the sender.
• Log level: logs the traffic processed by the rule. It can take the following values:
  • standard (connection log): the default value. Only established connections using a TCP or UDP transport layer are logged, in the Network connections log, or in the Application connections log when a plugin performs an application analysis in IPS or IDS mode. Connections hitting a rule with a Block action are not logged at this level.
  • advanced (filtering log): the traffic is logged in the Filtering log. This option is only useful when you need to log traffic directly above the IP layer (ICMP, GRE, ESP, etc.) or traffic blocked by a Block action.
  • minor alarm: the connection is logged in the Alarms log with a minor alarm.
  • major alarm: the connection is logged in the Alarms log with a major alarm.
The SOURCE > GENERAL menu groups the parameters that identify the source of the traffic affected by the filter rule:
• User: the user or user group at the source of the traffic. This parameter works with authentication systems based on user directories (see the Users and Authentication module).
• Source hosts: the IP address, Fully Qualified Domain Name (FQDN) or network address of the traffic's source. The icons = and ≠ indicate whether the parameter must be equal to or different from the value specified. A list of objects can also be entered by clicking on Add. If the top left corner of an object name is red, the object has been added but not yet saved.
• Incoming interface: the interface through which the traffic arrives. This parameter is useful when there are bridges whose interfaces share the same address range.
NOTE: The reputation score of internal hosts, which can be configured in this menu,
makes it possible to specify the score above or below which the filter rule will be
applied to monitored hosts.
The Destination menu groups the parameters that identify the traffic’s destination.
In the GENERAL tab, the Destination hosts parameter indicates the traffic's
destination IP address, network address or FQDN. It is also possible to choose
whether the parameter needs to be equal to or different from the value and to enter
a list of objects.
Location, public IP address reputation and host reputation information can also be
used as destination settings in the GEOLOCATION / PUBLIC IP ADDRESS
REPUTATION tab.
NOTE: when the destination object is an FQDN object, it must be the only object in
the rule.
NOTE: For rules that allow incoming traffic, you are advised against entering the
outgoing interface because the path to the traffic’s destination is not yet known.
In the PORT / protocol menu, the Destination port can be entered with the
possibility of selecting whether it has to be equal to, different from, higher than or
lower than the value selected. A list of destination ports can also be entered.
In the PORT / PROTOCOL menu, the ID of the IP protocol affected by the filter rule can also be entered. To do so, set the Protocol type parameter to IP protocol, then specify the protocol in the IP protocol field. If ICMP is selected, the ICMP message parameter appears so that the filter can be refined by selecting the type of ICMP notification relevant to the filter rule.
NOTE: Stateful inspection, which memorizes and tracks connections going through the firewall, is always enabled for TCP, UDP, SCTP and ICMP and cannot be disabled for them. For other IP protocols (GRE, ESP, etc.), connection tracking is off unless you select this option to enable it.
NAT can be applied to the destination (DNAT) in a filter rule unless it contains an FQDN object or geolocation and/or reputation items.
POLICY ANALYZER
Stormshield Network firewalls have a built-in checker that detects overlaps and inconsistencies in the filter policy. When it finds one, a message appears at the bottom of the menu.
Three examples are shown in the screen captures above:
• In rule no. 1, the HTTP destination port is incompatible with UDP, since the HTTP application protocol uses the TCP transport protocol,
• Rule no. 3 will never be used, because rule no. 2 already matches everything it matches (it is shadowed),
• Rule no. 4 has a destination object whose IP address may change (the dynamic IP associated with the out interface), so the incoming interface must be specified in the source field.
NOTE: Messages marked with a red cross prevent the policy from being saved and enabled.
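The three classes of finding above can be reproduced on a constructed rule set. The following is an added example written for this page, not the SNS policy analyzer itself: a service object whose transport protocol conflicts with the rule's protocol is reported as an error (the red-cross case that prevents saving), a rule that an earlier rule already fully covers is reported as shadowed, and a destination object with a dynamic address used without an incoming interface is reported as a warning. The service objects, networks and rule numbers are constructed.

```python
"""Added example (not the SNS policy analyzer): overlap and inconsistency checks."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# constructed service objects: name -> (transport protocol, destination port)
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "dns_udp": ("udp", 53)}


@dataclass(frozen=True)
class Rule:
    no: int
    action: str
    src: str = "0.0.0.0/0"          # source network
    dst: str = "0.0.0.0/0"          # destination network
    proto: str = "any"              # "any", "tcp", "udp", "icmp", ...
    service: Optional[str] = None   # key of SERVICES, None = any port
    in_iface: Optional[str] = None  # incoming interface, None = any
    dst_dynamic: bool = False       # destination address may change (DHCP/PPP)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by inner is also matched by outer."""
    nets_ok = (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
               and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst)))
    return (nets_ok
            and outer.proto in ("any", inner.proto)
            and outer.service in (None, inner.service)
            and outer.in_iface in (None, inner.in_iface))


def analyze(rules: List[Rule]) -> List[Tuple[str, int, str]]:
    """Return (severity, rule number, message) findings, errors first."""
    findings = []
    for r in rules:
        if r.service is not None:
            proto, port = SERVICES[r.service]
            if r.proto not in ("any", proto):
                findings.append(("error", r.no,
                                 f"service {r.service} is {proto}/{port}, incompatible with {r.proto}"))
        if r.dst_dynamic and r.in_iface is None:
            findings.append(("warning", r.no,
                             "destination address may change; specify the incoming interface"))
    for i, earlier in enumerate(rules):          # rules are evaluated top to bottom
        for later in rules[i + 1:]:
            if covers(earlier, later):
                findings.append(("warning", later.no, f"never used: shadowed by rule {earlier.no}"))
    findings.sort(key=lambda f: (f[0] != "error", f[1]))
    return findings


def can_save(findings: List[Tuple[str, int, str]]) -> bool:
    """Red-cross messages (errors) prevent the policy from being saved and enabled."""
    return not any(sev == "error" for sev, _, _ in findings)


def demo_rules() -> List[Rule]:
    """Constructed policy mirroring the three examples in the text."""
    return [
        Rule(1, "pass", "192.168.1.0/24", proto="udp", service="http"),
        Rule(2, "pass", "192.168.1.0/24", service="https"),
        Rule(3, "block", "192.168.1.128/25", service="https"),
        Rule(4, "pass", "0.0.0.0/0", "203.0.113.7/32", service="https", dst_dynamic=True),
    ]
```

The shadowing test is deliberately strict: a later rule is flagged only when the earlier one covers all of its source, destination, protocol, service and interface criteria, which is the case in which the later rule can never be reached whatever its action.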
RECOMMENDATIONS
Anti-spoofing has its limits and does not block every private or reserved address that arrives from the Internet. For full protection, define block rules that match the topology of the network: for example, block the special-use IPv4 address blocks listed in RFC 5735 (private ranges, loopback, link-local, etc.) when they appear as sources on public interfaces.
Since implicit rules are read before all other rules, they can negate rules that the administrator created. Define the web interface access rules carefully so that you keep control over the firewall. As SSH access to SNS is allowed by default on all internal interfaces, this is the ideal moment to restrict it.
Object groups make rules easier to modify and to read; use groups instead of lists of hosts in rules.
Never let rules overlap, and regularly identify and delete unused rules.
The Name column, hidden by default, identifies a rule by its name. It is very useful when searching for a rule or monitoring its behavior during debugging.
For highly specific situations/questions, refer to the TAC knowledge base at kb.stormshield.eu.
LAB – FILTERING
Copy the Filter/NAT policy (4) Lab_4 to policy number 5. Rename policy number 5 Lab_5, then enable it. Delete the rule Pass any any any and add filter rules that comply with the following specifications:
Internal traffic:
2. Your internal network must be able to browse Internet websites in HTTP and HTTPS, except for South Korean websites (test with www.visitkorea.or.kr).
3. Access to https://www.cnn.com must be blocked from the internal network using an FQDN object.
4. A new trainee in the company is prohibited from making any FTP requests. The IP address of his host (pc_200) is 192.168.y.200.
5. Your internal network must be able to contact the Internet's FTP and Web servers.
6. Your internal network must be able to ping any destination.
7. Your internal network must be able to connect to the firewalls of the other sites in SSH.
8. Only your internal DNS server (172.16.y.10) is allowed to send DNS requests to the outside.
9. Your mail server can send messages to any external mail server.
Incoming traffic:
10. External networks can contact your Web and FTP servers; these events must be logged.
11. External mail servers are allowed to send messages to your mail server.
12. External networks are allowed to ping your firewall's out interface; this type of event must raise a minor alarm.
13. External networks can connect to your firewall via the web interface and in SSH.
This type of event must raise a major alarm.
14. Test outgoing traffic and make the neighbors test incoming traffic. When you
read your logs, confirm that:
NOTE: You can use the webmail service to send and receive e-mails in SMTP: the
following information is needed for the configuration (replace with the letter
representing the company: a or b, and with its value: 1 or 2):
APPENDIX – FILTERING
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.2.X
In this appendix, we offer additional learning resources on topics that will not be evaluated in Stormshield certification exams.

ADVANCED PROPERTIES
Global filter rules, most often used with SMC, the centralized administration server, offer an additional action, delegate, which leaves the choice of the action to the local filter. Packets that match a global filter rule set to delegate are therefore compared directly with the local filter rules, skipping the remaining global rules.
To see global policies, go to the top of the screen, in Admin > Preferences, and select Display global policies.
Once such a rule is enabled, you will see it in console mode with the command:
sfctl -s filter
The rule contains the action jump followed by the number of rules to skip to reach the local filter (1 in the above example, in which only one other global rule follows the delegation rule).
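The following is an added example written for this page, not SNS code. It models two passages at once: the slot priority described in "Sequencing of filter and translation rules" (implicit filtering, then global filtering, then local filtering, with the first matching rule of a slot deciding and evaluation moving to the next slot when nothing applies), and the delegate action described here, where a matching global rule hands the packet to the local filter and the remaining global rules are skipped, which is what the jump count shown by sfctl -s filter expresses. The rule names, addresses and slot contents are constructed.

```python
"""Added example (not SNS code): evaluation order of the filter slots and the
global "delegate" action."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SLOT_ORDER = ("implicit", "global", "local")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "pass", "block" or "delegate" (global slot only)
    src: str = "any"             # "any" or an address prefix
    dst: str = "any"
    dport: Optional[int] = None  # None = any port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return ((self.src == "any" or src.startswith(self.src))
                and (self.dst == "any" or dst.startswith(self.dst))
                and (self.dport is None or self.dport == dport))


def evaluate(slots: Dict[str, List[Rule]], src: str, dst: str,
             dport: int) -> Tuple[str, str, str, List[str]]:
    """Return (slot, rule name, action, trace) for the first applicable rule.
    trace records a delegation as 'jump N', N being the number of global rules
    skipped to reach the local filter."""
    trace: List[str] = []
    for slot in SLOT_ORDER:
        rules = slots.get(slot, [])
        for i, rule in enumerate(rules):
            if not rule.matches(src, dst, dport):
                continue
            if rule.action == "delegate":
                if slot != "global":
                    raise ValueError("delegate is only meaningful in the global slot")
                trace.append(f"{rule.name}: jump {len(rules) - i - 1}")
                break                          # go on with the local slot
            return slot, rule.name, rule.action, trace
    return "none", "-", "block", trace         # nothing matched: default block


def demo_slots() -> Dict[str, List[Rule]]:
    """Constructed slot contents for a site whose internal network is 10.0.0.0/16
    and whose firewall internal interface is 10.0.0.1."""
    return {
        # pre-configured by the firewall: admin HTTPS to the internal interface
        "implicit": [Rule("admin_https", "pass", "any", "10.0.0.1", 443)],
        # pushed from SMC: no telnet anywhere; the site decides itself about its
        # own web traffic; every other source has HTTP blocked centrally
        "global": [
            Rule("no_telnet", "block", "any", "any", 23),
            Rule("site_delegate", "delegate", "10.0."),
            Rule("no_http_central", "block", "any", "any", 80),
        ],
        # written by the local administrator
        "local": [Rule("web_out", "pass", "10.0.", "any", 80)],
    }
```

With these slots, HTTP from 10.0.0.5 is passed by the local rule web_out after the delegation (trace "site_delegate: jump 1", the one global rule after it being skipped), while HTTP from a source outside 10.0.0.0/16 never reaches the local slot and is blocked by no_http_central.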
A filter rule makes it possible to use the source port as a criterion to identify traffic.
This parameter does not appear by default in the rule window but it can be shown
by selecting the corresponding column. It can also be configured in the ADVANCED
PROPERTIES tab in the source field.
The value of the DSCP field can be used as a criterion in a filter rule. It can be
selected in the Source DSCP parameter in the ADVANCED PROPERTIES tab of the
source field, which also offers the possibility of defining a customized non-standard
value.
NOTE: the DSCP field is part of the IP header and indicates the service class (QoS) to
which an IP packet belongs.
Stormshield Network firewalls make it possible to impose the value of the DSCP field
on selected traffic in the Action field of a filter rule. This means that IP packets
belonging to such traffic streams will be tagged with the chosen value of the DSCP
field when they leave the firewall. Tagging can be configured in the DSCP section of
the QUALITY OF SERVICE tab in the Action field.
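The following is an added example written for this page, not SNS code. It shows what the two DSCP features above amount to at packet level: reading the DSCP value from an IPv4 header (the upper 6 bits of the second byte, the 2 ECN bits being left alone), as a rule using Source DSCP as a criterion does, and rewriting it on the way out, as the QUALITY OF SERVICE tab of the Action does, which requires the header checksum to be recomputed. The IPv4 header is constructed by the example; the DSCP code points EF and AF41 are standard values.

```python
"""Added example (not SNS code): reading and rewriting the DSCP field of an IPv4 header."""
import ipaddress
import struct

DSCP_EF = 46     # Expedited Forwarding (voice)
DSCP_AF41 = 34   # Assured Forwarding class 4, low drop precedence


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; yields 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, tos: int = 0, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def get_dscp(pkt: bytes) -> int:
    return pkt[1] >> 2


def get_ecn(pkt: bytes) -> int:
    return pkt[1] & 0x03


def set_dscp(pkt: bytes, dscp: int) -> bytes:
    """Return a copy of pkt tagged with dscp: ECN bits preserved, checksum updated."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"                    # zero the field before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def apply_rule(pkt: bytes, match_dscp: int, tag_dscp: int) -> bytes:
    """Filter-rule style use: when the packet's Source DSCP equals match_dscp,
    tag it on egress with tag_dscp; otherwise leave it untouched."""
    return set_dscp(pkt, tag_dscp) if get_dscp(pkt) == match_dscp else pkt
```

The checksum is recomputed over the whole header for clarity; a forwarding engine would typically apply the incremental update of RFC 1624 instead, which gives the same result.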
APPLICATION PROTECTION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
• Implementation:
When application inspection is enabled (red box) on a filter rule, the firewall runs its analyses in transparent proxy mode: it acts as the client towards the server and as the server towards the client.
NOTES:
• Explicit proxy mode is not covered in this chapter, as on Stormshield firewalls it offers fewer features than the transparent proxy. Explicit proxies are not compatible with multi-directory authentication or with the SSL proxy, for example, so HTTPS traffic cannot be decrypted for antivirus analysis. Using the proxy in transparent mode is therefore recommended.
• Filter rules whose inspection is set to IPS only do not use the proxy mechanisms.
HTTP PROXY
With the URL filtering feature, you can control all of your users’ access to websites.
To do so, the URL filter policy will rely on a list of categorized URL entries or custom
key words.
With Extended Web Control (EWC), websites are categorized by querying Stormshield's cloud servers. As such, the firewall does not need to download the URL database, which prevents disk saturation issues.
Figure (cache miss): the HTTP request reaches the proxy, which queries the local cache; the URL is not there, so a classification request is sent to the EWC CloudURL servers; the classification is returned, stored in the cache, and the filtering is applied.
As soon as it receives an HTTP connection to a public website, the firewall will send a
request to one of the EWC servers in order to get the categories that contain the
visited website. The results will then be compared to the active URL filter policy.
EWC servers can return up to 5 categories per URL. A URL can therefore
simultaneously be part of a blocked category and an allowed category. If it happens,
the way rules are ordered in the URL filter policy counts the most; be sure to
organize the policy in the most efficient way.
In order to optimize the way it works, and avoid sending many requests to EWC
servers for the same URL, the Extended Web Control feature uses a cache. When an
HTTP request is intercepted, the proxy will query the local cache first. If the URL is
not in the cache, a classification request will then be forwarded to Extended Web
Control servers to know which categories include this URL.
The cache will be updated to remember the decision for the visited URL.
The cache size varies according to appliance and is configured to keep data for one
day of browsing. Its contents cannot be viewed, even in console mode.
The cache is purged when the firewall or the proxy daemon (tproxyd) reboots.
In the object database, Extended Web Control servers (CloudURL) are called
cloudurl[1-5]-sns.stormshieldcs.eu
Figure (cache hit): the HTTP request reaches the proxy, which reads the classification from the local cache and applies the filtering without contacting the CloudURL servers.
The proxy queries the local cache and the URL is in the base. In this case, Extended
Web Control servers will not be queried.
The result applied during the last visit (grant access or block) will also be applied for
this connection.
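The following is an added example written for this page, not Stormshield code. It models the classification cache and the ordered URL filter policy described on the previous slides: a constructed table stands in for the EWC servers (at most 5 categories per URL), the proxy asks the local cache first and queries the cloud only on a miss, the decision of the last visit is remembered for one day, and when a URL belongs to both a blocked and an allowed category the first matching rule of the policy decides, which is why rule order matters. The URLs, categories, policy and clock are constructed.

```python
"""Added example (not Stormshield code): EWC classification cache and URL filter
policy evaluation."""
from typing import Callable, Dict, List, Tuple

CACHE_TTL = 24 * 3600     # the cache keeps one day of browsing

# constructed stand-in for the CloudURL servers: URL -> categories (<= 5)
CLOUD_CATEGORIES = {
    "http://www.bbc.com/news": ["News"],
    "http://deals.example.com/": ["Shopping", "News"],   # two categories at once
    "http://www.visitkorea.or.kr/": ["Travel"],
}

Policy = List[Tuple[str, str]]   # ordered (category, action) rules


def policy_decision(categories: List[str], policy: Policy, default: str = "pass") -> str:
    """The first rule whose category is among the URL's categories wins."""
    for category, action in policy:
        if category in categories:
            return action
    return default


class EwcProxy:
    def __init__(self, policy: Policy, lookup: Callable[[str], List[str]],
                 now: Callable[[], float]):
        self.policy = policy
        self.lookup = lookup            # the classification service
        self.now = now                  # clock, injected so the TTL can be tested
        self.cache: Dict[str, Tuple[float, List[str], str]] = {}
        self.cloud_queries = 0

    def decide(self, url: str) -> Tuple[str, str]:
        """Return (decision, 'cache' or 'cloud')."""
        entry = self.cache.get(url)
        if entry is not None and entry[0] > self.now():
            return entry[2], "cache"        # decision of the last visit is reused
        self.cloud_queries += 1
        categories = self.lookup(url)[:5]   # EWC returns at most 5 categories
        decision = policy_decision(categories, self.policy)
        self.cache[url] = (self.now() + CACHE_TTL, categories, decision)
        return decision, "cloud"

    def purge(self) -> None:
        """What a reboot of the firewall or of the proxy daemon does to the cache."""
        self.cache.clear()
```

Note that, as the text states, it is the decision that is cached: a URL already classified keeps the action of its last visit until the entry expires or the cache is purged, even if the policy has been edited in the meantime.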
You can choose the URL database provider from the menu CONFIGURATION ⇒
OBJECTS ⇒ WEB OBJECTS, in the URL Database tab.
Switching from the built-in URL database to EWC will delete the embedded
categories - you will see a warning message.
After the database has been changed, we advise you to check the active URL filter
policy because category names might differ from one base to another.
E.g.: the "Job search" category exists in the Extended Web Control database but does
not exist in the embedded URL database. As such, when this category is used in the
URL filter policy, it will generate a warning when the policy is enabled if you attempt
to return to the embedded database.
In CONFIGURATION ⇒ OBJECTS ⇒ Web objects, in the URL tab, you can create your
own categories. Each category contains a list of URLs, which need to be added by
following the suggestions.
Use the CTRL and SHIFT keys to select several groups before moving them.
These fields are available in the Web Objects menu and in URL filter policies.
From the menu Configuration ⇒ Security Policy ⇒ URL Filtering, choose the policy
to edit (in the above example, policy default00 was renamed Block_prohibited_URL).
The real-time policy checker will show any errors detected in your policy.
This option adds a line with the action BlockPage_00 for each category in the current
URL database. However, this option does not take into account custom groups,
which have to be added manually.
Websites can belong to several categories. When this occurs, the order of the rules
in the filter policy determines the action to apply for the website in question.
Once your URL filter policy is ready, you have to apply it to a filter rule that allows
outgoing HTTP traffic as shown in the above example. In this rule, Network_dmz1
will only have access to websites that are in the News category.
By following this procedure, you can enable more than one URL filter policy at a
time, to handle access for different networks or source hosts.
Changes can be made in the HTML editor, which makes it possible to customize the
page granularly.
HTTPS PROXY
When clients initiate a connection to a website in HTTPS, they send the domain name of the requested website in plaintext to the server, in the Server Name Indication (SNI) extension of the TLS ClientHello. SNI allows the server to select the right certificate to present to the client.
Stormshield Network Security relies on this field to control access to these websites without decrypting traffic. Keep in mind that the SNI is supplied by the client and is not authenticated: a client that omits it, or sends a name that does not correspond to the site it connects to, will not be classified by its real destination.
NOTE: In this chapter, we will cover only SNI verifications and their classification to allow or block traffic without decryption. Advanced operations, such as URL filter policies and antivirus analyses, that require HTTPS traffic decryption, are covered in the CSNE course.
In Configuration ⇒ Objects ⇒ Web Objects, in the Certificate name (CN) tab, you
can create your own categories. Each category contains a list of CNs that will be
compared with the SNIs of SSL/TLS connections.
Use the CTRL and SHIFT keys to select several groups before moving them.
Next, select the SNIs that you intend to Block without decrypting and Pass without
decrypting.
Reminder: the Decrypt action, which enables a thorough analysis of HTTPS traffic,
will be covered in CSNE.
The real-time policy checker will show any errors detected in your policy.
Once your SSL filter policy is ready, you have to apply it, together with a Decrypt
action, to a filter rule that allows outgoing HTTPS traffic as shown in the above
example.
By following this procedure, you can enable more than one SSL filter policy at a time,
to handle access for different networks or source hosts.
If the CN of the requested website falls under a Pass without decrypting action, the requested web page is delivered unchanged.
If it falls under a Block without decrypting action, the client only receives a page indicating that the administrator has rejected the connection.
ANTIVIRUS ANALYSIS
You can choose the antivirus engine from the menu Configuration ⇒ Application
protection ⇒ Antivirus.
If you decide to switch engines, a message will prompt you to download the relevant
base. This means that for the entire duration of the download, the antivirus analysis
will not be effective.
NOTE: The "Sandboxing" option, which can only be used with Kaspersky antivirus, is
available if you have subscribed to the additional license option called "Breach
Fighter Sandboxing", which will be covered in the chapter "Breach Fighter analysis".
• Analyzing files
Additional parameters apply to the protocols that the antivirus can scan (see Configuration ⇒ Application Protection ⇒ Protocols ⇒ HTTP, SMTP, FTP or POP3 ⇒ Analyzing files).
This menu is the same for the FTP, SMTP and POP3 protocols and contains:
• the maximum size for the antivirus analysis,
• the actions to perform on messages.
For the HTTP protocol, an additional frame makes it possible to define the antivirus behavior according to the MIME types declared in the HTTP header.
From the menu Configuration ⇒ Notifications ⇒ Block messages, you can change
the notifications sent to users when an e-mail or a file downloaded via FTP contains
a virus.
This is a global setting. Messages for incoming traffic and outgoing traffic cannot be
distinguished, for example.
NOTE: HTTPS, SMTPS and POP3S must be decrypted by an SSL rule before being
analyzed by the antivirus engine.
BREACH FIGHTER ANALYSIS
Breach Fighter is available as an additional software option for subscribers to the security pack containing the Kaspersky antivirus.
This option allows users to counter new threats for which antivirus and heuristic analyses no longer suffice (8 out of 10 malware programs manage to evade conventional antiviruses).
The protocols that the Kaspersky antivirus engine analyzes (FTP, HTTP(S), SMTP(S) and POP3(S)) are taken into account.
The solution is based on a dedicated Stormshield cloud and offers several layers of analysis for optimum protection of Windows operating systems:
• Static analysis: a file's hash is compared against the hashes referenced in the database shared by the community, so that known threats can be blocked,
• Heuristic analysis: variants of a malware program are detected,
• Dynamic analysis: our dedicated team of security researchers implements rules to detect and protect against new threats,
• Behavioral analysis: the behavior of the malware is replayed in virtual Windows environments that simulate how it would actually be used. This environment is called a "sandbox" and integrates Stormshield Endpoint Security (SES) technologies to provide zero-day protection.
All files that pass through the appliance are scanned by the Kaspersky antivirus. Files that Kaspersky does not block are scanned once more by Breach Fighter.
As soon as an infected file is detected, its hash is added to the shared database, which immediately protects all clients.
The security team dedicated to "Threat Intelligence" contributes to the continuous optimization of Breach Fighter's capabilities.
The Breach Fighter analysis can be enabled on a filter rule using the SECURITY
INSPECTION ⇒ APPLICATION INSPECTION ⇒ SANDBOXING parameter. The antivirus
analysis will automatically be enabled when Breach Fighter is enabled.
Files that undergo a Breach Fighter sandboxing analysis are assigned a score on a
scale of 0 to 100. A score of 0 means that the file is not dangerous.
INTRUSION PREVENTION MODULE AND SECURITY INSPECTION

Figure: ASQ performs its analyses from the IP layer (fragmentation, IPv4/IPv6 analyses) up to the application layer (plugins); it checks protocol compliance and applies context-based patterns.
ASQ's main role is to ensure that packets comply with the protocols used from the IP
layer up to the application layer (thanks to plugins) and with context-based patterns.
The operation of ASQ and its options are covered in detail in the Expert course.
Each packet that the UTM receives will go through the filter policy. By default, the
IPS analysis will be applied, meaning that the firewall is capable of detecting
anomalies and blocking the corresponding packet(s).
Other inspection modes can be used for tests or out of necessity; for example when
contacting a server that does not comply with the RFCs of the protocols it manages.
These modes have to be selected from the Security Inspection field in the related
filter rule.
• IPS: Detect and block (default choice). ASQ will submit the packet to all the
layers it can analyze and block it when an anomaly occurs.
• IDS: Detect. ASQ performs an analysis similar to the one performed by the
IPS, except that the packet will always be allowed. This is a profile that allows
quick auditing for a given filter rule.
• Firewall: Do not inspect. ASQ will only perform a few analyses on the
received packet. To know which alarms firewall mode does not bypass, refer
to the article "What are the alarms that are not bypassed by Firewall Mode?"
in our knowledge base.
Regardless of the default profile configuration, a specific ASQ profile can be forced in the filter grid from the Security inspection column. Each profile can then be managed from the Protocols and Applications and protections menus under Configuration ⇒ Application protection.
RECOMMENDATIONS
Depending on how the appliance is used, it may help to disable certain IPS verifications to free up resources. For example, do not apply IPS filtering to HTTP if the traffic will be redirected later to a filtering proxy.
IPS is enabled by default on all filter rules, in automatic protocol detection mode. When a non-standard port is used, IPS may not identify the application correctly, so for better traffic inspection you are advised to qualify the protocol manually in the rule.
If legitimate traffic raises alarms, ASQ parameters must be changed to avoid slowing down production. Make such changes as specific as possible, preferably in a dedicated profile applied to rules that precisely identify the traffic in question. Feel free to report false positives in the default configuration to technical support or your Stormshield contact.
Lab – Application protection
Copy the Filter/NAT policy (5) Lab_5 to policy number 6. Rename policy number 6 Lab_6, then enable it.
3. Configure a URL filter policy and an SSL filter policy which allow access to all websites except the websites listed in point 2, "shopping" and "news" websites. However, make sure the bbc.com site remains reachable.
4. Attempt to access the website cnn.com and then euronews.com. Why does the SSL traffic reject page not appear for cnn.com?
APPENDIX – APPLICATION PROTECTION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
In this appendix, we offer additional learning resources on topics that will not be evaluated in Stormshield certification exams.
Application protection
Appendix
Ten SMTP filter policies are available. Within a policy, rules are processed in order of appearance (top to bottom).
The SMTP filter policy is applied when application inspection is defined for filter rules that allow
incoming and outgoing SMTP traffic. For incoming mail traffic, an antispam analysis can be
combined with SMTP filtering (recommended).
For SMTP connections translated using a public IP address "SMTP_PUBLIC_IP" dedicated to the
internal mail server "SMTP_PRIVATE_IP" (static translation), certain rules must be observed
before enabling SMTP filtering.
For incoming SMTP traffic, address translation to the internal SMTP server must be applied in
the filter rule that allows the traffic (ARP publication must be enabled for this type of
translation).
For SMTP filtering to be as transparent as possible, the original source IP addresses of incoming
connections will be kept when these connections are sent back over the internal network after
SMTP filtering. This is possible because of the "Keep original source IP address" option which is
enabled by default for incoming traffic in the "Proxy" tab of the SMTP protocol (incoming profile
smtp_00).
For outgoing SMTP traffic (usually smtp_01, but the global configuration applies to all profiles),
the option "Apply the NAT rule on scanned traffic" must be enabled in the global configuration
of the SMTP protocol to force outgoing SMTP connections to go through the NAT rules.
Otherwise, the source IP address of SMTP connections will be the IP address of the firewall
interface they are leaving.
• Antispam module
Spam detection relies on two technologies to provide the most effective protection possible:
• Reputation-based analysis (DNS blacklists – RBL), which checks the sender against a list of IP addresses considered as spam senders or relays.
• Heuristic analysis, which relies on a set of mathematical algorithms. These algorithms detect abnormal behaviors in e-mails, such as the repetition of unwanted characters or the presence of characteristic words. Once the calculations are done, a score is assigned to the e-mail. Depending on this score and on the parameters of the heuristic analysis, the e-mail is considered spam or legitimate.
The antispam analysis can be applied on SMTP or POP3 traffic. SMTPS and POP3S traffic must be
decrypted beforehand by an SSL inspection rule.
The example above shows an antispam analysis being enabled for incoming SMTP traffic.
HOST REPUTATION
A feature added in SNS version 3 makes it possible to filter by internal hosts' reputation,
using their reputation score as a criterion in filter rules.
A healthy host that has never generated network traffic therefore has a reputation score of 0.
This feature can be configured in CONFIGURATION ⇒ APPLICATION PROTECTION ⇒ HOST
REPUTATION.
By default, a host's score is likely to increase when traffic involving this host causes:
• an alarm to be raised,
• the detection of a viral load,
• the Breach Fighter Sandboxing tool to detect malware:
o Malicious: the host is infected,
o Suspicious: the host has been connected to potentially infected hosts.
Scores associated with these risks can be changed according to the configuration of your
network, based on the values indicated in square brackets. The scores of hosts are
recalculated and applied every 15 to 30 minutes (logd calculates them every 15 minutes and
ASQ retrieves the scores from logd every 15 minutes).
In a production environment, a host's average score is not in itself a sign of trouble; the
configured values must be tested before they can be considered consistent.
The way the reputation score decreases cannot be configured in the web administration
interface, but the reputation score of all monitored hosts can be reset.
After the events that raised the score are fixed, whether the score will decrease depends on
the following factors:
• When a host's score is 100, it will be halved after 6 hours, then quartered after
12 hours.
• A risk will be ignored if it is older than 24 hours.
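To make the decay rules above concrete, here is an added model (not Stormshield code) that computes a host's score and its per-risk-type sub-scores at a given time and checks it against a filter rule threshold such as 20. The risk weights are constructed, and applying the 6/12/24-hour steps to each risk individually, on 15-minute recalculation boundaries, is an assumption about how the page's description generalizes.

```python
"""Simplified model of the host reputation score described above.

Added example, not Stormshield code. Assumptions: each risk contributes a
weight (the bracketed values the page refers to are not given here, so the
weights below are constructed), a risk counts in full for its first 6 hours,
half its weight from 6 to 12 hours, a quarter from 12 to 24 hours, and
nothing after 24 hours; scores are recomputed on 15-minute boundaries.
"""
from dataclasses import dataclass

RECALC_INTERVAL_MIN = 15

# Constructed weights per risk type (the real values are set in the
# HOST REPUTATION menu, in square brackets next to each risk).
RISK_WEIGHTS = {
    "alarm": 10,
    "antivirus": 50,
    "sandboxing_suspicious": 30,
    "sandboxing_malicious": 100,
}


@dataclass(frozen=True)
class Risk:
    host: str
    kind: str
    at_min: int  # minute at which the event was logged


def decay_factor(age_min: int) -> float:
    """Weight multiplier as a function of the risk's age in minutes."""
    if age_min < 0:
        return 0.0          # event is in the future relative to the recalculation
    if age_min < 6 * 60:
        return 1.0          # full weight for the first 6 hours
    if age_min < 12 * 60:
        return 0.5          # halved after 6 hours
    if age_min < 24 * 60:
        return 0.25         # quartered after 12 hours
    return 0.0              # ignored once older than 24 hours


def recalc_time(now_min: int) -> int:
    """logd only recomputes on its 15-minute schedule, so the score seen at
    a given time is the one computed at the last boundary."""
    return now_min - (now_min % RECALC_INTERVAL_MIN)


def sub_scores(risks, host: str, now_min: int) -> dict:
    """Per-risk-type contributions (what the graph shows as sub-scores)."""
    t = recalc_time(now_min)
    out = {}
    for r in risks:
        if r.host != host:
            continue
        contrib = RISK_WEIGHTS[r.kind] * decay_factor(t - r.at_min)
        out[r.kind] = out.get(r.kind, 0.0) + contrib
    return out


def reputation_score(risks, host: str, now_min: int) -> float:
    """Global score: sum of the sub-scores."""
    return sum(sub_scores(risks, host, now_min).values())


def rule_allows(score: float, threshold: float = 20) -> bool:
    """Filter rule criterion of the form 'reputation score below N'."""
    return score < threshold


if __name__ == "__main__":
    # Constructed sample: one host flagged as malicious by the sandbox at t=0.
    events = [Risk("host_a", "sandboxing_malicious", 0)]
    for hours in (0, 6, 12, 24):
        score = reputation_score(events, "host_a", hours * 60)
        print(f"after {hours:2d}h: score={score:5.1f} allowed={rule_allows(score)}")
```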
In the tab where you configure the hosts that need to be monitored, you can select
the hosts or networks that will be part of an inclusion or exclusion list.
Since networks and internal hosts are not all subject to the same threats, you will
need to test various behaviors before applying the protection in a production
environment.
After you have selected the desired duration, move the mouse over a point in the
graph to find out the global reputation score associated with this host at a given
time, as well as the reputation sub-scores by type of risk (alarm, antivirus,
sandboxing, etc.).
A reputation criterion can be added for internal hosts in filter rules at the source or
destination depending on the direction of the traffic.
In the example above, a host from Network_in will be able to contact an SMTP
server via the firewall, only if its reputation score is below 20.
USERS &
AUTHENTICATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
Training program
Users & authentication
INTRODUCTION
USERS & AUTHENTICATION
➔ Introduction
Linking to a directory
Managing users
Captive portal
Authentication methods
Authentication policy
Filter rules for authentication
Defining new administrators
Lab – Authentication
• Objective:
To grant users specific access privileges to networks
and services (captive portal, SSL VPN, IPsec VPN,
firewall administration, etc.)
• Steps in the configuration of a Stormshield firewall
LINKING TO A DIRECTORY
Firewalls support four types of directories that fall under two categories:
• External (queried by the firewall's LDAP client over LDAP TCP/389 or LDAPS TCP/636):
   • Microsoft Active Directory
   • External LDAP
   • PosixAccount external LDAP
• Internal:
   • Internal LDAP: the LDAP is created on the firewall and hosts users.
Firewalls can support up to five directories simultaneously: an internal LDAP and four
external LDAPs/ADs, or five external LDAPs/ADs. This means that firewalls can
support five different domains at the same time.
NOTE:
• LDAP clients built into the firewall make it possible to log on to any type of
directory (internal or external) using LDAP (or LDAPS to secure connections with
external directories).
• For internal LDAPs, the directory and users are automatically backed up/restored
with the configuration of the firewall.
Default directory
Click on Add a directory to launch the wizard. With the Action button, you can:
• Delete a directory,
• Specify a default directory,
• Check the connection to the directory,
• Check the use of the directory,
• Rename a directory.
The rest of the menu lists all the directories that have been added - the default
directory appears in green. Clicking on a directory will display its settings on the right
side of the page.
Next, the wizard will suggest that you enable authentication profile 0 (internal) on an
interface, if the profile has not yet been enabled. If it was enabled earlier, this step
will not appear.
NOTE: even if a Microsoft Active Directory is in read/write access, users still cannot
be added to or deleted from the firewall. However, certificates for AD users can still
be published.
• Advanced properties:
• Protected characters: defines characters that must be protected with a "\"
in LDAP requests. This is to ensure that these characters are not
considered special characters used by the LDAP server's search engine.
• Password hash: selects the hash algorithm that must be used to save user
passwords to avoid saving them in plaintext.
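To show what the Protected characters setting guards against, here is an added example (not Stormshield code) that escapes a login before it is placed in an LDAP search filter or in a DN such as cn=NetasqAdmin. The escaping follows RFC 4515 (filter values) and RFC 4514 (DN values); the character sets are the RFCs', not the firewall's configurable list.

```python
"""Escaping user-supplied values before they are used in LDAP requests.

Added example, not Stormshield code. An unescaped login lets characters such
as '*', '(' and ')' be interpreted by the directory's search engine instead
of being matched literally, which is exactly what the firewall's Protected
characters setting is meant to prevent.
"""

# RFC 4515 section 3: inside a filter assertion value these characters are
# written as a backslash followed by two hex digits.
FILTER_SPECIALS = {
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\\": r"\5c",
    "\x00": r"\00",
}

# RFC 4514 section 2.4: characters that need a leading backslash inside a
# DN attribute value (plus '#' at the start and a space at either end).
DN_SPECIALS = set(',+"\\<>;=')


def escape_filter_value(value: str) -> str:
    """Escape a string used as an assertion value in a search filter."""
    return "".join(FILTER_SPECIALS.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a string used as an attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(login: str, attr: str = "uid") -> str:
    """Filter that looks up one account by login; the login is escaped so it
    cannot change the structure of the filter."""
    return "(&(objectClass=person)(%s=%s))" % (attr, escape_filter_value(login))


def build_user_filter_unsafe(login: str, attr: str = "uid") -> str:
    """The defect: raw interpolation. Kept only to show the difference."""
    return "(&(objectClass=person)(%s=%s))" % (attr, login)


def build_user_dn(login: str, base_dn: str = "ou=users,dc=institute,dc=com") -> str:
    """DN of a user entry, with the RDN value escaped."""
    return "uid=%s,%s" % (escape_dn_value(login), base_dn)


if __name__ == "__main__":
    # Constructed input: a login that carries a wildcard character.
    for login in ("j.smith", "j.smith*"):
        print("unsafe :", build_user_filter_unsafe(login))
        print("escaped:", build_user_filter(login))
    print(build_user_dn("Smith, John"))
```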
Once the configuration is complete, certain parameters of the internal LDAP can be
modified:
• Enable user directory: this option makes it possible to start the LDAP
service,
• Password: password that enables a connection to the directory, and can
be modified later.
• Enable unencrypted access (PLAIN): enables unencrypted access to the
directory,
• Enable SSL: enables secure access to the directory; the SSL certificate
issued by the server field must be entered,
• Use the firewall account to check user authentication on the directory: if
this option has not been selected, the user account will be used for
authentication. By default, the user with all privileges on the directory is
cn=NetasqAdmin.
MANAGING USERS
Users and groups from all configured directories can be looked up in the menu
CONFIGURATION ⇒ USERS ⇒ Users.
The menu is made up of three sections:
• The menu bar, which offers the following:
• Search bar,
• Filtering the display by object type: groups or users,
• Filtering the display by directory (appears only if several directories have
been configured),
• Adding users,
• Adding groups,
• Deleting users or groups,
• Checking whether users or groups are in use,
• CN: the list of users and groups from all directories. To differentiate directories, a
suffix is added to users and groups to indicate the name of the directory (instead
of the domain name). For example: user6@institute.com
• Parameters of a group or user appear on the right of the page. Users’ settings are
organized in three tabs: information about the user (ACCOUNT), their certificate
(CERTIFICATE) and the groups to which they belong (MEMBER OF THESE
GROUPS).
NOTE: The list of users and groups is always empty when you open this menu. If you
are logged in to a directory that contains many users and groups, displaying all of
them without a filter in the Search field may impact the performance of the
graphical interface.
To see users or groups, you can:
• Click on one of the filters (users or groups),
• Open the firewall preferences menu by clicking on the icon that represents
tools in the header of the web interface, and select the checkbox Display
users at startup of module.
• Creating users
With an internal LDAP, or external LDAP accessible in read/write, users and groups
can be added and deleted in the menu CONFIGURATION ⇒ USERS ⇒ Users.
NOTE:
• Users and groups can be created in the default directory defined in the menu
CONFIGURATION ⇒ USERS ⇒ Directory configuration,
• Users cannot be created once attributes on the firewall have been mapped to the
external LDAP base (see slide 10).
CAPTIVE PORTAL
The captive portal or authentication portal is an embedded web page on the firewall
and accessible via a secure connection (HTTPS) from its IP addresses (it can be
enabled on all of the firewall's interfaces).
There are several uses for the captive portal: authenticating users to access the
network, enrolling new users, creating and downloading a certificate, downloading
the SSL VPN client and its configuration, submitting a sponsorship request in order to
access the network, etc.
Users can log in to the portal by using their directory login/password. If several
directories have been configured on the firewall, users can add their domain names
to their logins, for example, j.doe@company-a.com. If no domain names have been
specified, authentication will be carried out with the method or directory defined by
default on the authentication profile.
• SSL Server: makes it possible to change the certificate issued by the captive
portal.
• Conditions of use for Internet access: allows you to add a charter stipulating the
rules that govern the use of access to the network, which users need to accept
once they are authenticated. It can be downloaded in PDF or HTML. The
Reinitialize customization of Conditions of use for Internet access button makes
it possible to delete a charter uploaded earlier.
• Advanced properties:
• Interrupt connections once the authentication period expires,
• Proxy configuration file (.pac),
• Captive portal: changes the port of the captive portal and its appearance:
hide the Stormshield logo on the portal, download a new logo and modify
the style sheet.
• internal, external: they have the same configuration. The first profile is meant to
be attached to internal interfaces and the second to external interfaces by using
any authentication method that uses the captive portal,
The default method or directory used by the profile selected in the previous step
needs to be configured. For an LDAP authentication, this parameter may have one of
the following values:
• LDAP directory (none): This means that there is no default directory. Users
who authenticate on the captive portal will need to enter their logins
followed by their domain, for example, j.smith@institute.com. If the
domain is not indicated, authentication will fail.
• LDAP directory (Domain): This means that the directory of the selected
domain will be used to authenticate users who enter only their logins
(without the domain) on the captive portal, like j.smith, for example. As
for users from other domains, they must enter the domain with the login
in order to be authenticated.
NOTE: the default method or directory does not restrict this profile to only this
method or this directory. Such restrictions can only be placed with an
authentication policy.
• Conditions of use for Internet access: groups all the parameters that control the
display of the conditions of use entered in the Captive portal tab. It also contains
three customizable fields that appear on the authentication portal with the guest
method and which make it possible to retrieve information about the guest user
(first and last names, telephone number, email address, etc.).
• Advanced properties:
• Management of the portal, which includes enabling a profile and enabling
the logoff page,
• Definition of the user password policy,
• Management of user enrollment from the captive portal.
To log off, users need to log in to the captive portal again, click on Login in the menu
on the left, and then on the Logout button.
The administrator can log off users from the web interface in Monitoring > Users.
Right-click on the user, and select Log off this user.
Enrollment allows users to register themselves from the captive portal. The
registration request is sent to the firewall first for the administrator's approval. Once
the user has been approved, it will be automatically added to the directory.
• Enrollment form
When enrollment has been enabled, users can register by filling in the form obtained
by clicking on New user in the menu on the left. When they have filled in the form,
users can then send their requests by clicking on Submit request.
NOTE: enrollment is ordinarily used to register users from outside your organization
in your directory. The domains of their e-mail addresses are therefore different from
yours.
• Configuring enrollment
On the firewall’s administration interface, enrollment requests are listed in the menu
CONFIGURATION ⇒ USERS ⇒ Enrollment. The administrator can either approve,
reject or ignore the request.
The administrator can first modify the user's login generated automatically in the
default format %F.%L, corresponding to FIRST NAME.LAST NAME (case-sensitive).
Changes must be applied before the first enrollment is confirmed, so that all logins
follow the same rules.
With the user John Doe shown in our example:
• %f1.%l: means j.doe (without spaces: first letter of the first name in lowercase,
period, and last name in lowercase),
• %f%L1: means johnD (without spaces: first name in lowercase, first letter of the
last name in uppercase).
The administrator can also enable e-mail notifications when accepting or rejecting
users' requests. To do so, a mail server must be configured on the firewall in the
menu CONFIGURATION ⇒ NOTIFICATIONS ⇒ E-mail notifications.
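An added example (not Stormshield code) that expands the %F/%L login formats described above and checks a set of pending requests for logins that would collide, which is the check to make before the first enrollment is confirmed. It assumes that %F and %L keep the name as entered, %f and %l lowercase it, a digit after the letter keeps that many leading characters, and whitespace inside a name is dropped.

```python
"""Login generation for enrollment requests using %F/%L placeholders.

Added example, not Stormshield code. Assumptions: %F and %L insert the first
and last name as entered (case kept), %f and %l insert them in lowercase, a
digit after the letter keeps only that many leading characters, and whitespace
inside a name is removed so the login never contains spaces. Anything that is
not a recognised placeholder is copied through unchanged.
"""
import re

# "%" + one of F/L/f/l + optional digits (number of leading characters kept).
_PLACEHOLDER = re.compile(r"%([FLfl])(\d*)")


def _clean(name: str) -> str:
    """Remove all whitespace so that 'Mary Ann' becomes 'MaryAnn'."""
    return "".join(name.split())


def generate_login(fmt: str, first_name: str, last_name: str) -> str:
    """Expand a login format such as '%f1.%l' for the given user."""

    def expand(match):
        letter, count = match.group(1), match.group(2)
        value = _clean(first_name if letter in "Ff" else last_name)
        if letter.islower():
            value = value.lower()
        if count:
            value = value[: int(count)]
        return value

    return _PLACEHOLDER.sub(expand, fmt)


def colliding_logins(fmt: str, requests) -> dict:
    """Logins that more than one pending request would receive.

    A format producing collisions must be changed before the first
    enrollment is confirmed, since all logins have to follow the same rule.
    """
    seen = {}
    for first, last in requests:
        seen.setdefault(generate_login(fmt, first, last), []).append((first, last))
    return {login: names for login, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed pending requests.
    pending = [("John", "Doe"), ("Jane", "Doe"), ("Peter", "Wood")]
    for fmt in ("%F.%L", "%f1.%l", "%f%L1"):
        print(fmt, [generate_login(fmt, f, l) for f, l in pending],
              "collisions:", colliding_logins(fmt, pending))
```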
• Confirming enrollment
On the firewall’s administration interface, enrollment requests are listed in the menu
CONFIGURATION ⇒ USERS ⇒ Enrollment. The administrator can either approve,
reject or ignore the request. When the administrator approves a request, the user’s
login will be automatically generated in the format chosen in the previous step.
AUTHENTICATION METHODS
SNS firewalls implement several authentication methods that fall under two
categories:
• Explicit methods via the captive portal: the user is redirected to the captive
portal to enter a login and password, which the firewall retrieves to verify the
identity of the user depending on the method used:
• LDAP: the user's identity is verified on an internal or external directory
(LDAP/AD)
• Sponsorship: allows users identified by their first and last names to access
the network through the sponsorship of a local user holding the relevant
privileges. Users will first be asked to enter their first and last names on
the captive portal as well as the email address of their sponsor. The
sponsor will then receive an email containing a link to confirm this
request. After the request has been validated, the sponsored user will
automatically be redirected from the captive portal to the requested web
page.
• Guest method: allows users to access the network after they accept the
conditions of use on the authentication portal. This method is very often
used for public places such as hotels, railway stations or public hotspots.
The authentication methods used by the firewall can be added from the menu
CONFIGURATION ⇒ USERS ⇒ Authentication ⇒ AVAILABLE METHODS tab. Specific
parameters need to be entered for each method.
After the LDAP directory is configured in the example above, the LDAP
authentication method will be automatically entered.
AUTHENTICATION POLICY
Since SNS firewalls are able to support several directories and several authentication
methods simultaneously, an authentication policy needs to be defined in order to
indicate the method(s) to be applied according to two criteria: the user or user
group, and the source IP address or incoming interface.
Several authentication methods can be used in a single rule. In this case, the
methods will be applied in the order in which they appear in the rule. If a method
allows a user to authenticate, the methods that follow it will not be tested. For
example, in rule #3, all users on the "institute.com" domain who log in from the
internal network must first authenticate via the SSO agent method. If authentication
fails, the user will be asked to select his certificate. If the SSL method fails (e.g., no
certificate for this user), he will be asked to enter his login and password to
authenticate via the LDAP method.
If no rules match the traffic criteria, the default authentication method will be
applied.
NOTE: whenever it is used in a rule, the SSO agent method will automatically take
priority over all other methods as it authenticates users on the firewall as soon as
they are authenticated on the Active Directory domain.
To add an authentication rule, click on New rule ⇒ Standard rule. Rules can be
created in a wizard in three steps:
The interface and profile must be selected in the entry. The default method or
directory will be automatically entered depending on the configuration of selected
profile.
For the other methods: guests, temporary accounts and sponsorship, users can be
added through the respective buttons: New rule ⇒ Guest method rule, Temporary
account method rule and Sponsorship method rule.
In the authentication policy, you can create a policy to determine which networks
and users will use the LDAP method, or define it as the default method.
FILTER RULES FOR AUTHENTICATION
Since the authentication rule only allows unknown users to be redirected to the
captive portal, you must then add other rules that allow authenticated users to
access the network.
When you edit the source of a filter or NAT rule, the User field makes it possible to
specify the user (or the group) that has to be authenticated in order to match the
rule. A few options are listed:
• No User: default choice when you add a new rule. The rule will be applied
without taking the user parameter into account,
• Any user@any: refers to any authenticated user, regardless of the directory
or authentication method used,
• Any user@guest_users.local.domain: refers to any user authenticated via
the guest method,
• Any user@voucher_users.local.domain: refers to any user authenticated
via the temporary account method,
• Any user@sponsored_users.local.domain: refers to any user
authenticated via the sponsorship method.
• Any user@<domain>: refers to any user authenticated via the domain
directory,
• Any user@none: refers to any user authenticated via a method that does
not use a directory, for example, sponsorship, temporary account, etc.
• Unknown users: refers to any user who has not been authenticated. This
value is used mostly in authentication rules.
• The list of all users and groups found in the directories.
The button to the right of the user parameter makes it possible to filter users by
directory or authentication method.
The process of LDAP authentication via the captive portal is described above. The
user opens a browser to access a website in HTTP. The firewall intercepts the HTTP
request and redirects the user to the authentication portal
(https://firewall_IP@/auth). The user then enters his directory login/password,
which will be sent to the firewall through a secure connection (HTTPS). The firewall
authenticates the user on the directory (internal/external LDAP or AD). If the user is
authenticated, the browser will be redirected to the website requested initially.
NOTE: users may be redirected to the captive portal when accessing websites in
HTTPS, but the SSL proxy needs to be enabled - this will be covered in the CSNE
course.
LDAP configuration via the captive portal will be covered in the following slides.
To create the authentication rule, click on New rule > Authentication rule. In the
wizard, enter the source network from which users will log on, the destination
network and, if you wish to, a list of URL categories that can be accessed without
authentication.
DEFINING NEW ADMINISTRATORS
Two editing modes are available here - simple view or advanced view (as above)
which provides more detail on granted privileges.
RECOMMENDATIONS
Only the local administrator account can assign administrator privileges, which is
why we advise assigning privileges to groups. User accounts will then be distributed
in groups, but this operation can be performed from the directory.
An administrator dedicated to a specific task must have only one restricted area of
responsibility, so that risks can be contained if the account is compromised, and
accidental changes to the configuration can be prevented.
Secure and redundant access to the external LDAP directory must be configured. The
account that is used to authenticate the firewall on the directory must hold the basic
privileges (read only) and must be specific.
For highly specific situations/questions, refer to the TAC knowledge base at kb.stormshield.eu.
LAB – AUTHENTICATION
Copy the Filter/NAT policy (6) Lab_6 to policy number 7. Rename policy number
7 Lab_7 , then enable it.
▪ Login: jsmith
▪ Password: password
3. Using the enrollment function, create a user "Peter Wood" with the
password: password
5. Change the filter policy to allow pings to be sent from your internal
network to only John Smith. This rule must always raise a minor alarm.
6. Adapt the filter policy so that all users are redirected to the captive portal
when trying to access websites in HTTP, except sites in the it category.
9. Log in to the firewall using the account "jsmith" and confirm access to
various menus. Test the authentication of this account on the captive
portal as well.
APPENDIX – USERS &
AUTHENTICATION
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.
GUEST METHOD
• Enabling guest method
• Authentication policy
• Enabling the captive portal
Guest method can be configured easily and quickly. In the list of available methods,
the only parameter to set is the frequency with which usage conditions will be
displayed – 18 hours by default.
When you edit the authentication policy, a wizard will assist you through the
configuration of the guest method. This wizard asks only for the network or interface
from which client hosts will authenticate. The guest method will then be applied to
all users coming from the selected object or arriving through the interface.
To allow users to accept the Internet access conditions, the captive portal must be
configured.
HTML or PDF files describing access conditions to guests are added to the
configuration panel on the captive portal.
Then, write a filter rule that redirects guests to the captive portal.
VIRTUAL PRIVATE
NETWORKS
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.2
Training program
Virtual private networks
TYPES OF VIRTUAL PRIVATE NETWORKS
Figure: site-to-site tunnel between the firewalls (IP@ FW A and IP@ FW B) carrying traffic between IP@ A and IP@ B; the tunnel is opened with ISAKMP (IKE v1 or v2), and the packet diagram distinguishes encrypted fields from authenticated fields.
The site-to-site IPsec VPN tunnel enables the connection of two private networks
through a public network while providing the following security services:
The site-to-site IPsec VPN tunnel can be set up between the SNS firewall and any IPsec
VPN-compatible equipment. Tunnels are negotiated through ISAKMP (Internet Security
Association Key Management Protocol), also known as IKE (Internet Key Exchange),
which currently exists in two versions, V1 (RFC 2409) and V2 (RFC 7296).
The negotiation takes place between the tunnel endpoints, which correspond to the
appliance's IP addresses (IP@ FW A and IP@ FW B). The IKE protocol is sent over UDP on
port 500.
Once a tunnel has been set up between two appliances, the traffic endpoints
corresponding to private networks can communicate via ESP (Encapsulating Security
Payload) which ensures data confidentiality and integrity. The ESP protocol (the IP
protocol number is 50, defined in RFC 4303) is encapsulated directly in an IP packet.
• Policy match (standard operating mode): matches users' IP addresses with the
IPsec policy; this operating mode relies on the [source IP + destination IP] criteria
of these IP packets compared with the policy loaded in the system's IPsec
structures. In this operating mode, the IPsec policy will be evaluated before the
general IP routing instructions. Whether it is applied depends only on whether it
"matches" the policy.
NOTES:
• Stormshield firewalls support versions 1 and 2 of the IKE protocol. From V3.3.0
onwards, you can configure tunnels using IKEv1 and IKEv2 in the same IPsec VPN
policy. The combination of IKEv1 and IKEv2 in the same policy is still under
experiment and must not be used in a production environment.
• Peer identities:
During authentication, each endpoint verifies the other endpoint's identity. The
following identities may represent a tunnel endpoint: an IP address (IP@ FW A for
Firewall A, IP@ FW B for Firewall B) or an FQDN (for example fw.company-b.com for
Firewall B).
Depending on the authentication method used, the identity will be associated with:
• A PSK (pre-shared key): each endpoint will provide proof that it holds the
common PSK.
• A PKI (Public Key Infrastructure): each endpoint will present an X509 digital
certificate that must be signed by a trusted certification authority for the other
peer. The use of certificates for authentication is covered in the CSNE course.
Figure: Phase 1 negotiation, with authentication by PSK or PKI, producing the ISAKMP-SA in IKEv1 or the PARENT-SA in IKEv2.
There are two phases in the IKE negotiation to set up an IPsec VPN tunnel:
• Phase 1: during this phase, both tunnel endpoints negotiate a Phase 1 encryption
profile that contains encryption/authentication algorithms. In this phase as well,
both endpoints authenticate with a pre-shared key or certificates.
If both endpoints are unable to agree on a common encryption profile or are
unable to authenticate, Phase 1 will fail and the negotiation ends.
Otherwise, an encrypted application dialog, called ISAKMP-SA (Internet Security
Association Key Management Protocol – Security Association) in IKEv1 and
PARENT-SA in IKEv2, will be set up between both endpoints. It will enable the
negotiation of Phase 2, which will be fully encrypted with the Phase 1 ISAKMP-SA
key.
• Phase 2: during this phase, both endpoints negotiate the Phase 2 encryption
profile and the traffic endpoints that can communicate through the IPsec VPN
tunnel.
If both endpoints are unable to make these parameters match, Phase 2 will fail;
otherwise, two channels will be opened for data transmission (one in each
direction). Each channel will use its own encryption key. They are called ESP-SA1 and
ESP-SA2 in IKEv1 and CHILD-SA1 and CHILD-SA2 in IKEv2. Each endpoint will
therefore have two symmetric keys - one to encrypt sent data and the other to
decrypt received data.
NOTES:
• In IKEv1, Phase 1 may take place in two modes: MAIN or AGGRESSIVE. RFC 2409
requires identifiers to be the IP addresses of peers when the negotiation mode is
MAIN and for authentication to be based on a PSK. AGGRESSIVE mode will
therefore be applied as soon as a peer cannot be identified by a static IP address.
• In IKEv1, traffic endpoints must be identical for both peers, otherwise Phase 2 will
fail. However, in IKEv2, this is not mandatory but you are strongly advised to
configure these parameters identically to avoid unpleasant surprises.
• The peer whose local network initiated traffic to the remote network will start the
tunnel negotiation. As a result, if no traffic passes between the tunnel's networks,
the tunnel will not be opened.
IPSEC VPN – CONFIGURATION OF A SITE-TO-SITE TUNNEL
Site-to-site IPsec VPN tunnels can be configured in the menu VPN ⇒ IPsec VPN tab
⇒ ENCRYPTION POLICY – TUNNELS tab ⇒ SITE-TO-SITE (GATEWAY – GATEWAY) tab,
by clicking on Add ⇒ Site-to-site tunnel.
A wizard will appear allowing you to enter the main parameters: traffic endpoints
(local networks and remote network) and the remote tunnel endpoint (the peer).
If the peer does not exist, it needs to be created by clicking on Add (blue), and it will
be used for the tunnel negotiation. A new wizard will open to allow you to enter the
peer's parameters: the remote gateway, name and IKE version (1 or 2). By default,
IKE version 1 is used.
In the Remote gateway field, you will be able to enter the host object that has the
peer's IP address.
NOTE: from version 4.2.4 onwards, the default IKE version is IKEv2.
After you click on Next, the wizard will continue, allowing you to configure the
authentication method. If PSK is selected, the pre-shared key specified will be
associated with the peer's identity.
In the last step, all parameters that have been defined will be listed, and if necessary,
a backup gateway can be added. When you click on Finish, you will go back to the
VPN tunnel creation wizard.
When you have defined the three parameters (local network, remote network and
peer), click on Finish. The IPsec VPN tunnel will be added to a separate line in the
policy. The policy that the wizard creates is disabled by default, and must be
manually enabled by setting the Status to ON in the policy.
The Name column is hidden by default; to make it appear, click on the header of a
column, then select Columns and tick the Name option. It displays the names of
policies. In VPN logs (l_vpn), the rulename entry refers to this name.
NOTE: A field that specifies the type of VPN rule (mobile tunnel or site-to-site
tunnel) was added to IPsec VPN logs as well.
The Phase 1 encryption profile, also known as IKE profile, is configured on the peer,
whereas the Phase 2 encryption profile, also known as IPsec profile, is configured on
the VPN tunnel.
Keepalive
The purpose of the Keepalive function is to keep the tunnel available by sending a
UDP packet to the remote network over port 9 with a set frequency. This will cause
the initial negotiation of the tunnel, and then its periodic renegotiations.
The Keepalive column is hidden by default; to make it appear, click on the header of
a column, then select Columns and tick the Keepalive option. It sets the frequency
(in seconds) with which the UDP packets are sent.
For site-to-site IPsec VPN tunnels configured with peers’ static addresses, implicit
rules are automatically added when the tunnel is created so that any traffic that is
part of an IPsec VPN tunnel can be received: UDP ports 500 and 4500, and ESP.
These implicit rules only concern incoming traffic as outgoing traffic is already
covered by the firewall's implicit traffic rules.
Traffic that has to be allowed between users of the tunnel must be explicitly defined
in the filter rules:
• The first rule makes it possible to initiate connections from local network
Network_in to remote network NET_IN_B.
• As for the second rule, it allows connections to be initiated from remote network
NET_IN_B to local network Network_in. The via IPsec VPN tunnel instruction was
added to the source of this rule in order to ensure that traffic from the remote
network originates from the IPsec VPN tunnel.
NOTE: These sample rules are really permissive as they do not specify any particular
traffic; in a real situation, it would be better to define a filter policy that will strictly
describe traffic to be allowed in order to cover the communications needed between
the various machines on both sites.
The menu TRACES ⇒ VPN displays events relating to the IKE negotiation process.
Traffic endpoints that were the reason for the negotiations and for which the tunnel
is available appear clearly on the log line relating to the Phase 2 negotiation.
For diagnosis purposes and especially if a warning or an error message was reported,
it is essential to point out the phase to which the event relates.
The columns displayed above have been deliberately kept to the minimum needed
for the example. You can see more detailed technical information by clicking on the
arrow found in column headers and selecting the columns you would like to add.
In the Monitoring ⇒ IPsec VPN tunnels menu, you can see the active IPsec VPN
policy on the firewall.
In the Tunnels section, you can monitor available tunnels. The current age of the SAs
and the selected algorithms for negotiations are shown.
IPSEC VPN – CONFIGURATION OF MULTIPLE SITE-TO-SITE TUNNELS
[Diagram: sites A and B, each with interfaces IN, OUT and DMZ1 and the networks NET_IN_A / NET_IN_B and NET_DMZ1_A / NET_DMZ1_B]
The goal is to configure an IPsec VPN policy to allow communication between the
local IN and DMZ1 networks on both sites. There are two ways to configure this
policy:
1. One rule for each pair of networks to be linked.
2. One rule for all networks, by using groups.
Regardless of the version of the IKE protocol used, the loaded policy will be the same
and will generate four separate tunnels, i.e. four pairs of IPsec SAs (one SA per
direction for each tunnel).
To highlight the difference, add the "SPI in" and "SPI out" columns to the "VPN log"
view.
The second configuration is more concise and therefore easier to read as long as a
strict and sufficiently descriptive naming system is adopted for group names, in
order to avoid ambiguities or confusion when reading it later.
IPSEC VPN – VIRTUAL TUNNELING INTERFACE
[Diagram: sites A and B linked by an IPsec VPN tunnel between VTI_A (IP_VTI_A: x.y.z.1/30) and VTI_B (IP_VTI_B: x.y.z.2/30); each site has the interfaces IN, OUT, DMZ1 and DMZ2 with the networks NET_IN, NET_DMZ1 and NET_DMZ2; routes on A and routes on B]
There is now another approach available, that uses VTIs dedicated to an IPsec
tunnel.
These particular IPsec interfaces will be passage points for traffic entering and
leaving the IPsec tunnel. They will act as gateways to each other to transport traffic
between networks through the IPsec tunnel.
In the following slides, you will see how to configure a site-to-site IPsec VPN tunnel
using VTIs.
VTIs created on both peers each have a common name and IP address from the
same address range:
To prevent ambiguities with the existing architecture and its future additions, it
would be best to select an address range entirely dedicated to the use of VTIs, in an
officially private and sufficiently original range to avoid overlapping with an existing
network or the remote network of a future interconnection.
NOTE: From V3.3.0 onwards, /31 networks can be used; they are better suited to
point-to-point interfaces as they do not use network and broadcast addresses.
• On Peer A: Firewall_VTI_A.
• On Peer B: Firewall_VTI_B.
On each firewall, the object with the IP address of the remote peer's VTI must also
be created.
As with all objects, it is best to give them clear names; this makes it easier to use
VTIs on IPsec VPN architectures with multiple peers.
In this operating mode, it is important to ensure that the routing of return packets
coincides with the tunnel taken by outgoing packets.
Below, static routes globally indicate on each peer that the remote networks can be
contacted through the same tunnel.
The use of policy-based routing (PBR) instructions also forces return packets to take
the same tunnel.
This is why the return route has to be defined via the VTI corresponding to the
tunnel through which the packets arrived.
The via IPsec VPN tunnel instruction must not be used with VTIs. Instead, the VTI
must be used as the incoming interface in the rule allowing incoming traffic from the
tunnel.
RECOMMENDATIONS
• Use IKEv2 (if not available, use main mode in IKEv1)
• Configure Keepalive
• Disable PPTP
You are strongly advised against using the MD5 hash function, DES encryption, RSA
keys smaller than 2048 bits or ECDSA keys smaller than 200 bits.
We also do not recommend the use of 3DES, SHA-1 and ECDSA with keys smaller
than 256 bits if stronger alternatives are available, such as AES, SHA-2 and ECDSA
with keys of at least 256 bits.
Choose the Diffie-Hellman group carefully. Higher group numbers are preferred (such
as 14 or 15), or elliptic curve groups of at least 256 bits.
To avoid losing packets while waiting for a tunnel to be set up, we recommend that
you enable Keepalive which will keep the tunnel up.
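As an added example that is not part of the course material or of any Stormshield tool, the following Python lint checks a profile description against the recommendations in this section: IKE version and mode, hash and cipher choices, Diffie-Hellman group, authentication key sizes and Keepalive. The profile dictionary layout and the two sample profiles are constructed assumptions; the first sample uses the strong settings recommended here (IKEv2, SHA-2, AES 256, DH group 15), the second collects the settings advised against.

```python
"""Added example (not a Stormshield tool): a lint that checks an IPsec
profile description against the recommendations listed above. The profile
dictionary layout is an assumption made for this example."""

REJECTED_HASHES = {"md5"}
REJECTED_CIPHERS = {"des"}
LEGACY_HASHES = {"sha1"}          # discouraged when SHA-2 is available
LEGACY_CIPHERS = {"3des"}         # discouraged when AES is available
MIN_RSA_BITS = 2048
MIN_ECDSA_BITS_REJECT = 200       # below this: must not be used
MIN_ECDSA_BITS_WARN = 256         # below this: prefer a stronger key
MIN_MODP_GROUP = 14
MIN_ECP_BITS = 256


def lint_profile(profile):
    """Return a list of (severity, message) findings.

    severity is "reject" for settings the text says must not be used and
    "warn" for settings it advises against. An empty list means the
    profile follows the recommendations.

    Expected keys (assumed layout):
      ike_version (1 or 2), mode ("main"/"aggressive", IKEv1 only),
      hash, encryption, dh_group as ("modp", group) or ("ecp", bits),
      auth ("psk"/"rsa"/"ecdsa"), key_bits (for rsa/ecdsa), keepalive (bool)
    """
    findings = []

    if profile.get("ike_version") == 1:
        findings.append(("warn", "IKEv1 in use; prefer IKEv2"))
        if profile.get("mode") == "aggressive":
            findings.append(("warn", "IKEv1 aggressive mode; use main mode"))

    h = profile.get("hash", "").lower()
    if h in REJECTED_HASHES:
        findings.append(("reject", f"hash {h} must not be used"))
    elif h in LEGACY_HASHES:
        findings.append(("warn", f"hash {h} is legacy; prefer SHA-2"))

    c = profile.get("encryption", "").lower()
    if c in REJECTED_CIPHERS:
        findings.append(("reject", f"cipher {c} must not be used"))
    elif c in LEGACY_CIPHERS:
        findings.append(("warn", f"cipher {c} is legacy; prefer AES"))

    kind, size = profile.get("dh_group", ("modp", 0))
    if kind == "modp" and size < MIN_MODP_GROUP:
        findings.append(("warn", f"DH group {size}; use group {MIN_MODP_GROUP} or higher"))
    elif kind == "ecp" and size < MIN_ECP_BITS:
        findings.append(("warn", f"ECP group of {size} bits; use at least {MIN_ECP_BITS}"))

    auth, bits = profile.get("auth"), profile.get("key_bits", 0)
    if auth == "rsa" and bits < MIN_RSA_BITS:
        findings.append(("reject", f"RSA key of {bits} bits; use at least {MIN_RSA_BITS}"))
    elif auth == "ecdsa" and bits < MIN_ECDSA_BITS_REJECT:
        findings.append(("reject", f"ECDSA key of {bits} bits; use at least {MIN_ECDSA_BITS_WARN}"))
    elif auth == "ecdsa" and bits < MIN_ECDSA_BITS_WARN:
        findings.append(("warn", f"ECDSA key of {bits} bits; prefer at least {MIN_ECDSA_BITS_WARN}"))

    if not profile.get("keepalive", False):
        findings.append(("warn", "Keepalive disabled; enable it to keep the tunnel up"))

    return findings


# Constructed sample profiles (not taken from a real configuration).
STRONG = {"ike_version": 2, "hash": "sha2_512", "encryption": "aes256",
          "dh_group": ("modp", 15), "auth": "psk", "keepalive": True}
LEGACY = {"ike_version": 1, "mode": "aggressive", "hash": "md5",
          "encryption": "des", "dh_group": ("modp", 2), "auth": "rsa",
          "key_bits": 1024, "keepalive": False}

if __name__ == "__main__":
    for name, prof in (("strong", STRONG), ("legacy", LEGACY)):
        print(name, lint_profile(prof) or "OK")
```

The lint reports "reject" for the settings the text rules out (MD5, DES, short RSA or ECDSA keys) and "warn" for the ones it merely discourages, so a policy review can fail on the first category and only flag the second.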
Lab
Copy the Filter/NAT policy (7) Lab_7 to policy number 8. Rename policy number 8
Lab_ , then enable it.
1. Add a Pass any any any filter rule to the top of this policy.
2. Set up an IPsec tunnel with PSK authentication to connect your internal network
" . 6 .x. / 4" to the other company's network using the default encryption
profiles (StrongEncryption).
3. Generate traffic to and from traffic endpoints, and in the logs and the
corresponding monitoring menu, track tunnel activity and the steps in the
negotiation of the tunnel.
4. Change your IPsec policies to connect both your internal networks (IN + DMZ)
with the other company's internal networks (IN + DMZ).
▪ Enable the keepalive function on your tunnel.
▪ Determine the number of negotiated tunnels in monitoring.
5. After checking whether your tunnels function, disable the Pass any any any filter
rule and add rules so that networks from the remote site you want to reach can
ping your local networks and contact your FTP and WEB servers.
6. Create the following encryption profiles:
▪ IKE Phase 1: Diffie-Hellman (DH15 MODP), Maximum lifetime
(21600s), authentication algorithm (sha2_512) and encryption
algorithm (AES 256bits).
▪ IPSEC Phase 2: PFS (DH15 MODP), Lifetime (3600s), authentication
algorithm (hmac_sha512) and encryption algorithm (AES 256bits).
7. Apply your new encryption profiles to your VPN, then check whether everything
is running properly.
8. Interconnect these networks, but by configuring tunnels based on VTIs, and with
either static routing or policy-based routing (PBR).
APPENDIX – VIRTUAL PRIVATE NETWORKS
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.X
In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.
POINT-TO-POINT TUNNELING PROTOCOL
PPTP: CONCEPTS
• The Host_group object describes hosts that belong to the same addressing scheme
as an interface on the firewall, and can also be an address range.
• The selected DNS and WINS servers will be assigned to the client when the
connection is set up.
The IP address range allocated to PPTP clients must be dedicated to these clients
only; none of these addresses must be used on another internal host, or it would
lead to an IP conflict on the LAN.
• Users allowed to use PPTP will be indicated individually in the VPN UAC.
• A password dedicated to the PPTP connection will be assigned to them.
The PPTP password is independent of the password that the user would usually use
to authenticate on the captive portal.
So when the firewall relies on an Active Directory LDAP or a more general external
LDAP, the PPTP password will not be synchronized with the user’s authentication
password.
[Diagram: Firewall A and Firewall B]
The anonymous tunnel can be configured via a wizard in the tab ANONYMOUS –
MOBILE USERS, by clicking on Add ⇒ New policy.
In the wizard, the remote tunnel and traffic endpoints are not defined, which is why
they are often referred to as Anonymous tunnels. Only the local traffic endpoint
needs to be selected. Above, the machines that need to be contactable through
IPsec are located in Network_in.
The remote traffic endpoint is predefined as All in the wizard (blue box). It is
supposed to be unpredictable, because in the case of mobile users, it depends on
what the client presents in phase 2 based on its configuration and its network
location during negotiation. All therefore means Any as an indefinite IP entity;
meaning any address or address range.
Click on Add to configure remote peers (mobile). A wizard will open to allow you to
create this configuration.
Two consecutive windows from the wizard are shown above, in which you can:
• Choose a name for dynamic peers; note that the firewall already adds the prefix
Mobile_.
• Select the IKE version.
Add the identity of a dynamic peer (a firewall with a dynamic IP address). The
identity fw.company-B.net is an FQDN (Fully Qualified Domain Name). The FQDN is
associated with a PSK.
When an FQDN identity is defined in IKEv1, the configuration does NOT switch to
AGGRESSIVE negotiation mode, unlike in previous versions. The Local ID for Firewall
A is optional and has a static IP address.
On Firewall B (which has a dynamic IP address), the IPsec VPN tunnel will be a site-
to-site configuration with:
Unlike site-to-site tunnels, implicit filter rules are not added automatically, so the
tunnels cannot be set up until the filter policy on the firewall with the static public
IP address explicitly allows the negotiations and the traffic that make up the tunnel
(IKE and ESP).
As with site-to-site tunnels, filter rules must also be defined to specify which traffic
can go through the IPsec tunnel.
To improve the level of security on the firewall, you are advised to restrict incoming
IKE and ESP traffic by applying a location restriction (in this example, Europe is
allowed).
SSL VPN
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 4.2
CONCEPTS AND OVERVIEW
Note:
• Both SSL VPN modes (portal and full) can run simultaneously.
• The SSL VPN portal will not be covered in this course. All references to "SSL VPN"
in the rest of this document refer exclusively to SSL VPN in full mode.
SSL VPN allows remote users to securely access a company's internal resources.
Communications between the remote user and the firewall are encapsulated and
protected via an encrypted TLS tunnel.
On the firewall, SSL VPN tunnels are managed by the OpenVPN server (freeware)
which is embedded in the firmware as a new service. OpenVPN can run on any TCP
and/or UDP port except for a few, which are used for the firewall’s internal
processes:
• smtp_proxy: 8081/TCP
• ftp_proxy: 8083/TCP
• pop3_proxy:8082/TCP
• ssl_proxy: 8084/TCP
• http_proxy: 8080/TCP
• loopback_proxyssl: 8085/TCP
• firewall_srv: 1300/TCP
• ldap: TCP/389, ldaps TCP/636
• pptp: TCP/1723, TCP/4444, TCP/8087
• smux_tcp: TCP/199.
On the mobile user's side, the tunnel is managed by the SSL VPN client (Stormshield
or standard OpenVPN), which must be installed on the machine. Once the tunnel is
set up, the remote host retrieves an IP address provided by the SSL VPN server; it is
then deemed to belong to the firewall's (protected) internal networks and the user
is considered authenticated.
[Table: maximum number of simultaneous SSL VPN users per firewall model (5, 20, 100, 150, 400, 500 and 100 for one range of models; 100, 150, 200, 250 and 500 for another); the model names were lost in extraction]
• The Stormshield Network SSL VPN client (based on the OpenVPN client) can be
launched transparently on a Windows user workstation with user privileges
(however, using it requires administrator privileges). This client can be
downloaded for free from your mystormshield.eu secure area and from the
firewall's captive portal after authentication.
• Smartphones and tablets (Android or iOS) can also log in via an SSL VPN with an
OpenVPN Connect client (available in Google Play Store and Apple Store).
SSL VPN clients are part of the same network defined on the firewall. This network is
considered a protected internal network and as a result, must not overlap an existing
internal network.
For its internal operation, the server reserves the first /30 sub-network of the SSL
VPN network: an interface "tun0" is created with the first IP address of the network
(this interface can only be seen from the command line). The following /30
sub-networks are used by clients.
For example, if the SSL/VPN service uses the network 192.168.100.0/24, the first SSL
VPN client will use the second /30 sub-network:
• Network address: 192.168.100.4
• Address of the tunnel's interface on the server side: 192.168.100.5
• Address of the tunnel's interface on the client side: 192.168.100.6
• Broadcast address: 192.168.100.7
As such, the maximum number of SSL VPN clients on this network is 63 (64 /30 sub-
networks including one used by the server).
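The allocation described above, worked through in Python as an added example (not code from the course or from the firewall): the pool is split into /30 blocks, the first block is set aside for the server's tun0 interface, and each later block gives one client its network, server-side, client-side and broadcast addresses. It also generalizes to any pool size, and includes the overlap check the text requires against existing internal networks. The sample pool and internal networks are the ones used in the text plus constructed values.

```python
"""Added example (not from the Stormshield course material): how an SSL VPN
pool is split into /30 client sub-networks, following the allocation the
text describes (first /30 reserved for the server, then one /30 per client)."""
import ipaddress


def client_subnets(pool):
    """Return the /30 sub-networks available to clients.

    The first /30 of the pool is reserved by the server for its own tun0
    interface, so it is skipped.
    """
    net = ipaddress.ip_network(pool, strict=True)
    if net.prefixlen > 30:
        raise ValueError("pool must be at least a /30")
    return list(net.subnets(new_prefix=30))[1:]


def max_clients(pool):
    """Maximum number of simultaneous clients the pool can serve."""
    return len(client_subnets(pool))


def tunnel_addresses(pool, client_index):
    """Addresses of the client_index-th client (0 = first client connected).

    On a /30, the first address is the network address, the second the
    server side of the tunnel, the third the client side and the last
    the broadcast address.
    """
    block = client_subnets(pool)[client_index]
    server_side, client_side = list(block.hosts())
    return {
        "network": str(block.network_address),
        "server": str(server_side),
        "client": str(client_side),
        "broadcast": str(block.broadcast_address),
    }


def overlapping_networks(pool, internal_networks):
    """Internal networks that overlap the pool. The text requires this list
    to be empty, because the pool is treated as a protected internal network."""
    p = ipaddress.ip_network(pool)
    return [n for n in internal_networks if p.overlaps(ipaddress.ip_network(n))]


if __name__ == "__main__":
    POOL = "192.168.100.0/24"            # the example network from the text
    print(max_clients(POOL))             # 63
    print(tunnel_addresses(POOL, 0))     # first client: .4 / .5 / .6 / .7
    # constructed internal networks for the overlap check
    print(overlapping_networks(POOL, ["192.168.0.0/16", "10.0.0.0/8"]))
```

Running the block with the text's 192.168.100.0/24 pool gives 63 clients and the first client's addresses .4, .5, .6 and .7; a pool sized for the expected number of users can be checked the same way before it is configured on the firewall.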
1. The SSL VPN client authenticates the user through the captive portal. During this
step, the firewall will check whether the authenticated user has the privileges to
open an SSL VPN tunnel.
2. If the authentication is successful, the client will send a request to retrieve the
configuration files, which the firewall sends back in a compressed folder
(openvpn_client.zip). The folder includes the following files:
• The certificate of the certification authority (CA.cert.pem),
• The client's certificate and its private key (openvpnclient.cert.pem
and openvpnclient.pkey.pem),
• The configuration of the OpenVPN client.
3. The client begins the setup of the TLS tunnel with certificate authentication,
using the certificates retrieved in the previous step. Before the tunnel is set up,
the firewall will check whether the maximum number of users has been reached
and whether a sub-network can be reserved for this new client. If all the
conditions have been verified, the tunnel will be set up and the user will be
considered authenticated.
NOTE: If the SSL VPN server can be reached on both a UDP and a TCP port, the SSL
VPN client will first attempt to set up the tunnel over UDP; if that fails, the client will
automatically retry over TCP.
CONFIGURING A TUNNEL
The first step in setting up an SSL VPN tunnel is the authentication of the user via the
captive portal, meaning that:
• An external or internal directory has to be configured on the firewall,
• A profile of the captive portal must be attached to the interface from which users
log on,
• An authentication method has to be configured.
The possible authentication methods for the SSL VPN service are explicit methods
that require a login/password pair, in this case LDAP (internal, external or Microsoft
Active Directory), Kerberos and Radius.
Certificates will be used for authentication between the client and the SSL VPN
server. For this purpose, a root certification authority (CA) exists in the factory
configuration on all Stormshield Network firewalls. This CA is named sslvpn-full-
default-authority, and contains a server certificate (which identifies the SSL VPN
server), and a client certificate (which identifies all clients; each one of them will
then be distinguished by a login/password pair).
NOTE: A CA dedicated to the SSL VPN can be created without the need to rely on the
default CA. The creation of CAs is covered in the Expert level course.
To allow a user to set up an SSL VPN tunnel, you will need to assign the
corresponding privileges in the menu Configuration ⇒ Users ⇒ Access privileges.
Regardless of which user is connected, default access can be selected in the tab
Detailed access ⇒ VPN SSL section. Select Allow in the field Default SSL VPN policy.
To allow SSL VPN clients to access the authentication portal on interfaces associated
with the firewall's authentication profiles, the implicit filter rule named Allow
interfaces associated with authentication profiles (Authd) to access the
authentication portal and SSL VPN must be enabled.
If this is not the case, explicit filter rules that allow traffic to the public interface on
the service's listening port have to be added in the active policy.
The SSL VPN service can be configured in Configuration ⇒ VPN ⇒ SSL VPN.
• Network parameters section:
• UTM IP address (or FQDN) used: this refers to the address to which SSL
VPN clients will log in (public address most of the time). Warning: entering
an FQDN will involve name resolution via a DNS service,
NOTE: the networks assigned to UDP and TCP clients must be different.
NOTE: Warning: certain ports are reserved for internal use only and cannot
be selected. These ports are smtp_proxy: 8081/TCP, ftp_proxy: 8083/TCP,
pop3_proxy: 8082/TCP, ssl_proxy: 8084/TCP, http_proxy: 8080/TCP,
loopback_proxyssl: 8085/TCP, firewall_srv: 1300/TCP, ldap: TCP/389, ldaps
TCP/636, pptp: TCP/1723, TCP/4444, TCP/8087, smux_tcp: TCP/199,
isakmp: UDP/500, isakmp_nat: UDP/4500, bootps: UDP/67, bootpc:
UDP/68.
• Scripts to run on the client: makes it possible to run scripts when the client logs
in and logs out. Examples of scripts are provided in detail in the document
snentno_SSL_VPN_Tunnel.pdf accessible via https://mystormshield.eu.
• Certificates used section: customizes the certificates used. Reminder: the server
certificate makes it possible to identify the SSL VPN server while the user
certificate allows SSL VPN clients to be identified (each client will then be
identified by its login). If these certificates are modified, ensure that they are
issued by the same certification authority. Otherwise, the configuration will not
be applied.
Filter rule no. 1 makes it possible to initiate connections from SSL VPN clients to
internal web servers.
Filter rule no. 2 makes it possible to initiate connections from SSL VPN clients to the
Internet; in this case, a NAT rule must also be added.
The Stormshield Network SSL VPN application can be downloaded from your secure-
access area https://mystormshield.eu and on the firewall's captive portal after
authentication.
NOTE: various packages are available for Microsoft Windows 7 and 10, and the SSL
VPN client v2.9.1 and above must be used with SNS firewalls in version 4.2.
Once it has started, the SSL VPN client will require three parameters:
• The IP address or FQDN of the firewall to contact
• The login of the user with SSL VPN privileges,
• The user’s password.
A window will indicate that the connection to this site is not secure, because the
client does not trust the CA that signed the server certificate presented by the
firewall’s captive portal. You can therefore:
• Display the certificate to know which CA signed it,
• Trust this certificate, meaning that the CA will be added to the list of
trusted authorities, and the configuration of the tunnel can continue,
• Cancel the connection, which will stop the configuration of the tunnel.
When the tunnel has been set up, the client workstation will have a specific interface
for the SSL VPN tunnel whose IP address belongs to the object Network assigned to
the client in the server configuration.
The Stormshield SSL VPN client has an address book function that can save various
VPN profiles in a single encrypted file. A specific password is used to protect the file.
To add an entry to the address book, simply click on Add and enter the details, then
click on OK to save.
Entries can also be imported/exported.
The address book can be found in:
%USERPROFILE%\AppData\Local\Stormshield\Stormshield SSL VPN Client\AddrBook.gap
The color of the Stormshield SSL VPN client icon that appears in the notification zone
of the Windows taskbar corresponds to its status: Disconnected, Connecting or
Connected.
When the client is connected, information about the connection will appear when
you scroll over the icon.
You can view open SSL VPN tunnels in the Monitoring ⇒ SSL VPN tunnels tab of the
firewall’s monitoring page. Tunnels can also be closed by right-clicking on one and
selecting Log off this user.
Users connected via an SSL VPN tunnel are considered authenticated and can be
viewed in the Users menu. The Auth. method column indicates that the VPN client
authenticated via an SSL VPN tunnel.
Lab
3. Filtering:
• Allow all users (authenticated and unauthenticated) on your network to
access your neighbors' firewalls over the SSLVPN and UDPVPN ports.
• Allow the networks Net-SSLVPN_TCP and Net-SSLVPN_UDP to access
internal networks.
4. Retrieve the file "SSL VPN profile for mobile OpenVPN Connect clients (single
.ovpn file)" through the captive portal over the public IP address of the other
company. It is downloaded by default in /home/user/Downloads; open a
terminal and type the following commands:
su -
cd /home/user/Downloads
openvpn openvpn_mobile_client.ovpn
An error may occur during the addition of a route if the pushed route already
exists, but this does not prevent the tunnel from being set up.
On a second terminal, look up your routing table to see which routes have
been added on the client, using the command ip route show.
5. Look up the list of authenticated users in ASQ as well as logs relating to SSL
VPN on the firewall side.
6. Confirm access to the various servers on the DMZ and ping the internal IP
address of the firewall on the LAN.
Bonus:
1. Without logging out the user John Smith, modify the SSL VPN configuration to
grant access to the object "Any".
2. Add rules (NAT + filter) allowing the networks Net-SSLVPN_TCP and Net-
SSLVPN_UDP to access the Internet once the tunnel has been set up.
3. Add a URL filter policy so that access to only sites in the "IT" and "News"
groups is allowed.
APPENDIX - TROUBLESHOOTING
CSNA - STORMSHIELD NETWORK SECURITY - VERSION 3.X
In this appendix, we offer additional learning resources on topics that will not be
evaluated in Stormshield certification exams.
Program
➔ Introduction
Before creating an incident
Essential elements
Additional information
Access to the firewall
INTRODUCTION
Stormshield Network's technical support team will not be able to diagnose incidents
without knowing specific information about the firewall and the architecture in
which it runs.
The cause of an issue may be a configuration error as much as an architecture flaw,
or abnormal behavior on the communication protocol used.
This chapter explains the elements that technical support needs in order to examine
an incident. These elements are sorted by troubleshooting level.
BEFORE CREATING AN INCIDENT
Before creating an incident with technical support, you are advised to check the
firewall configuration first. A few general questions you need to ask:
On the main page of technical support's knowledge base, a section named "Online
training" lists the courses conducted by members of the support team on the various
features.
The main goal of the knowledge base is to catalog well-known issues or tips on how
to configure the firewall. Use the search field or the section Categories to find
articles you need.
Once you have identified the type of information you need to provide, you can log in
to your client area (https://mystormshield.eu) to open a case:
For more details on how to access technical support, refer to the documents
"Getting Started with STORMSHIELD Support" and "Technical support charter"
found in the "Operational" section of the Documentation / Document base menu in
your "mystormshield" area.
ESSENTIAL ELEMENTS
CLI mode:
• system information > /log/sysinfoCLI
Technical report
The technical report (also called sysinfo or system report) is the most crucial element
required by the support team for any incident. It is a shell script that executes a set
of commands on the firewall, which provides a lot of information on the status of
the firewall when the report was generated.
In SSH mode, the sysinfo command can display additional sections if you add the
relevant option. The output of the sysinfo help command follows:
sysinfo -h
sysinfo [-arp] [-ndp] [-host] [-conn] [-raid] [-proxy] [-global] [-smart] [-time] [-sysctl] [-vmstat] | [-a]
-arp: add ARP table
-ndp: add NDP table
-host: add ASQ host table
-conn: add ASQ Connection table
-raid: add RAID information
-proxy: add PROXY information
-global: add GLOBAL information
-smart: add SMART information
-time: display time objects information
-sysctl: display sysctl information
-vmstat: display vmstat information
-a: add all optional information
Configuration backup
The backup of the configuration serves two purposes. First, it shows the active
configuration used and the features potentially involved when the incident occurred.
This helps STORMSHIELD's support to identify any mistakes in the configuration.
The second role of a configuration backup is to reconstruct an environment similar
to yours in an attempt to reproduce the problem while allowing changes to be made
to the configuration without disrupting production.
Network diagram
A diagram of the network will provide a view of the environment in which the
firewall was installed. Interoperability with other devices may sometimes be the
cause.
A detailed description will allow support to quickly diagnose the issue and avoid
misunderstandings, ambiguity or the wrong interpretation of the conditions under
which the problem arose.
ADDITIONAL INFORMATION
• Activity reports
• SSH mode
less /log/l_alarm
id=firewall time="2014-07-23 15:29:03" fw="U70SXA00000" tz=+0200 startime="2014-07-23 15:29:02" pri=4
confid=00 srcif="Ethernet0" srcifname="out" ipproto=icmp icmptype=3 icmpcode=10 proto=icmp src=64.1.2.3
srcname=public.ip.test srcmac=00:01:02:03:04:05 dst=172.21.3.1 dstname=Firewall_bridge_out ipv=4
action=block msg="Message ICMP invalide (no TCP/UDP linked entry)" class=protocol classification=0 alarmid=67
Logs (or events) show why a packet is blocked, so it helps to monitor them when the
issue occurs.
There are several ways to view events in real time in the monitoring tab:
• Logs that specifically capture the incident
• Activity reports
When you create a ticket with support, provide the logs that cover a test/issue
period. All log files are saved in the /log partition and named according to the format
l_<category_name> (example: l_alarm or l_connection).
To send these files to support, transfer them to your workstation via SCP and
attach them to the current ticket.
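The l_alarm record shown above is a sequence of key=value fields in which quoted values may contain spaces. The following parser is an added example (not code from the training book or from Stormshield): it splits such records into fields and pulls out the blocked events, which is the first thing to do when handing a log extract to support. The second sample record and the helper names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: the first record is the alarm line shown on this page,
# re-joined onto one line; the second is a made-up record in the same
# key=value format so that a non-blocking event is present as well.
SAMPLE_LOG = (
    'id=firewall time="2014-07-23 15:29:03" fw="U70SXA00000" tz=+0200 '
    'startime="2014-07-23 15:29:02" pri=4 confid=00 srcif="Ethernet0" '
    'srcifname="out" ipproto=icmp icmptype=3 icmpcode=10 proto=icmp '
    'src=64.1.2.3 srcname=public.ip.test srcmac=00:01:02:03:04:05 '
    'dst=172.21.3.1 dstname=Firewall_bridge_out ipv=4 action=block '
    'msg="Message ICMP invalide (no TCP/UDP linked entry)" class=protocol '
    'classification=0 alarmid=67\n'
    'id=firewall time="2014-07-23 15:30:11" fw="U70SXA00000" tz=+0200 '
    'pri=5 confid=00 srcif="Ethernet1" srcifname="in" ipproto=tcp proto=http '
    'src=192.0.2.10 dst=198.51.100.20 dstport=80 ipv=4 action=pass '
    'msg="constructed sample record" class=filter classification=0 alarmid=0\n'
)

# key=value, where the value is either "quoted text (may contain spaces)"
# or a run of non-whitespace characters.
TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_sns_log(line):
    """Parse one SNS log record into a dict of field name -> value."""
    return {key: quoted or bare for key, quoted, bare in TOKEN.findall(line)}


def blocked_events(text):
    """Return the records with action=block as a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_sns_log(line)
        if record.get("action") == "block":
            events.append(record)
    return events


def blocks_by_source(text):
    """Count blocked records per source IP: a quick view of what is being dropped."""
    return Counter(r.get("src", "?") for r in blocked_events(text))


if __name__ == "__main__":
    for r in blocked_events(SAMPLE_LOG):
        print(f'{r["time"]} {r["srcifname"]}: {r["src"]} -> {r["dst"]} '
              f'alarmid={r["alarmid"]} msg="{r["msg"]}"')
    print(dict(blocks_by_source(SAMPLE_LOG)))
```

The same parser works on any /log/l_* file copied off the firewall with SCP, since all categories share the key=value layout; only the set of field names differs per category.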
When verbose mode is enabled, you can analyze the processes that a module runs,
based on the packets it receives. This is a way to check whether the behavior of the
module complies with its intended purpose.
When illegal behavior is detected, support will report such information to the R&D
department. In this case, you will be given a "fix request" number in your ticket. This
number will also appear in the release notes of the version in which a fix has been
included.
Find out how to implement verbose mode under the Verbose mode category of the
knowledge base on https://mystormshield.eu.
Coredump files
Traffic captures
The FreeBSD operating system has by default a command that can capture traffic
going through the firewall's interfaces – tcpdump.
When the incident relates to traffic that goes through the firewall, frames must be
captured simultaneously on the network interfaces that such traffic passes through.
The -w option of the tcpdump command saves the results of the capture in a binary
file that can be used later with a frame analyzer such as Wireshark (frame captures
in text format provide too little usable information, unlike the binary format which
contains detailed data about each layer).
The -s0 option captures each frame in full (no truncation), which provides
comprehensive information about the application layers and also makes it possible
to verify checksums (IP, TCP, UDP, etc.).
ACCESS TO THE FIREWALL
TROUBLESHOOTING
Program
✔ Introduction
✔ Before creating an incident
✔ Essential elements
✔ Additional information
➔ Access to the firewall
Technical support may need access to the firewall via an SSH connection or the GUI.
This will make it easier to retrieve information or observe incidents in real time and
then capture the corresponding traffic with all the necessary options.
LABS - SOLUTIONS
Labs - Solutions
1. In Oracle VirtualBox, right-click on the running VMs, select Close, then ACPI
shutdown. For each highlighted VM, click on Snapshots, then Take; you can
name it Init for example.
2. After you have restarted the VMs, run the script again on the graphical VMs,
because the IP configuration pushed on these machines does not persist after a
reboot. In a Chromium browser, enter the URL https://10.0.0.254/admin.
3. Click on the name of the user, then on "Preferences" (top right - icon with a key
and screwdriver), then select the value "Always stay connected" in the line "log
off when idle".
4. Language and time zone: click on the menu System => Configuration in the
menu on the left. Start with the configuration of the time zone, as the
firewall must be rebooted after this change is made. Later on, you can check the
date and time (and synchronize them with the date and time on your machine) and
the language of messages generated by the firewall in the General configuration
tab.
5. SSH can be enabled in the menu System => Configuration => Firewall
administration tab by selecting Enable SSH access and Allow passwords.
6. Details of the license can be viewed in the menu "System => License" in the
menu on the left. In advanced properties, enable the automatic installation of
the license.
7. The password can be changed in the menu System => Administrators =>
ADMIN account tab.
8. You can check whether local log storage has been enabled in the menu
Configuration => Notifications – Logs – Syslog - IPFIX.
9. The configuration can be backed up in the menu "System => Maintenance =>
Backup tab".
NOTE: All solutions show the configuration from Site A's perspective.
Lab – Objects
To add required objects, go to the menu Configuration => Objects => Network
objects. Next, add the requested objects using the Add button. Ensure that you use
appropriate object types (network objects for networks, host objects for firewalls,
etc). You can use the Create and duplicate button to create objects of the same type.
For the DNS servers used by the firewall, go to Configuration => System =>
Configuration, Network settings tab => List of DNS servers used by the
firewall. Delete the two objects in the list, then add the object GW_default with
the IP address 192.36.253.1.
Bonus
Use the Import and Export buttons to modify the objects database from a CSV file. If
you encounter issues during the import, encode the files in UTF-8 with Unix (LF)
carriage returns. The imported file is in /home/user/Downloads. Use it as a base to
create the file to import, for example:
Check whether there are the two objects created in the objects database after the
import:
• Interfaces configuration
Disable the static routes to the remote networks (menu Configuration => Network =>
Routing => Static route tab). If you have not done the Objects bonus lab exercise,
create two new objects that will then be used in your NAT rules: srv_ftp_pub =
192.36.253.x2 and srv_mail_pub = 192.36.253.x3. To build up your policy, go to the
menu "Security policy => Filtering - NAT". Copy the policy (10) Pass all to policy 4 by
clicking on Edit then Copy to. From the drop-down menu, select the appropriate
policy, click on Edit then Rename. Add the following NAT rules:
As you can see, the dynamic NAT rule was placed after the static NAT rules. If this is
not the case, FTP and SMTP servers that attempt to access the Internet would get
the public IP address of the firewall after translation instead of their dedicated public
IP addresses. The instructions in the specifications given during the lab exercise were
therefore inaccurate.
Do not forget to enable the policy and confirm access with the other company.
Bonus:
• The NAT rule that allows access to servers in the DMZ without revealing the
private IP address is disabled in the example above, and must remain disabled for
the rest of the lab exercises.
• If you enable it, the firewall that processes the rule will use more resources and
slow down performance (since it needs to keep the NAT table up to date).
However, if an attacker took over control of one of your servers in the DMZ, they
would not be able to find out the IP address of the local network by capturing
packets that originate from it because they have been translated.
Lab – Filtering
First you need to create a host object named "pc_200", with the IP address
192.168.x.200.
Copy the filter policy LAB_4 to LAB_5 and add the following filter rules to it:
All traffic is logged with this policy, with rules set to Pass for TCP/UDP, and Pass
or Block for ICMP packets in verbose mode.
To allow the other company to connect to your firewall via the web interface, its
public IP address must be added in the section Access to the firewall's administration
pages in System => Configuration => Firewall administration tab (so no alarm for this
specific type of traffic).
3. To determine the groups in which URLs will be classified, go to the Web objects
menu then enter these values in the "Check URL classification" field.
4. While all the websites mentioned except neverssl.com are in HTTPS, you must
create a URL filter policy to block requested categories in addition to the SSL
filter policy you need to implement to manage the websites.
Begin by creating web objects in Configuration => Objects => Web objects =>
Certificate name (CN) tab; two custom CN categories must be created:
• A custom category named "White-list", containing the CNs
*.bbc.com/*, *.bbci.co.uk/* and *.bbc.co.uk/*.
• A custom category named "Black-list", containing the CNs
*.mozilla.org, *.home.barclays and *.twitter.com.
Next, create the custom URL category named "Blacklist", containing
*neverssl.com/*, in Configuration => Objects => Web objects, URL tab.
Go to the menu Configuration => Security Policy => SSL Filtering in the slot
SSLFilter_00, and change its contents so that it includes the following policy:
4. As for URL filtering, go to Configuration => Security Policy => URL Filtering in the
slot URLFilter_00, and change its contents so that it includes the following
policy:
Then, modify the filter policy (menu Configuration => Security policy => Filtering
and NAT) and change the HTTP and HTTPS rules as follows:
5. The www.cnn.com website has been blocked by a filter rule with an FQDN
object, which blocks HTTP requests without the need for any response to be
sent to the browser. However, the URL filter blocks the www.euronews.com
website; if you attempt to access it in HTTP, the block page appears, and the SSL
filter blocks it if you attempt to access it in HTTPS.
Lab – Authentication
2. To use an internal LDAP directory, start the LDAP configuration wizard. To do so,
go to the menu "Configuration => Users => Directory configuration". Choose
"Internal LDAP", and fill in the requested fields (select the IN interface for Profile
0 and remember to enable user enrollment for this profile). Test access to the
captive portal via https://192.168.x.254/auth.
3. From the menu Configuration => Users => Users and groups, click on Add user to
add the user whose ID is "jsmith". After you confirm the addition, enter the
password "password".
5. In the filter policy, create the rule that authenticates users if they are not
yet authenticated. To do so, add an authentication rule before the current rule for
HTTP, which will contain: PASS (+ redirect to the authentication service) from
UnknownUser@Network_in to Internet (service http), with an exception for the News
group.
8. In the menu Configuration => System => Administrators, add an entry for the
user jsmith granting him supervision privileges and confirm.
1. Copy the filter policy LAB_7 to LAB_8 and add a Pass any any any filter rule to
the top of this policy.
2. In the menu "Configuration => VPN => IPSEC VPN => encryption policy –
tunnels => Site-to-site (gateway-gateway)", start the wizard to create a site-to-
site tunnel "add => Site-to-Site tunnel". The wizard will ask you to configure the
traffic endpoints and PSK authentication mode by entering the PSK. The Phase 1
encryption profile is selected with the peer parameter IKE Profile in the Peers
tab. The Phase 2 encryption profile is selected with the Encryption profile
parameter in the VPN policy.
4. To link up the IN and DMZ networks, create two group objects or describe all
phase 2 profiles with network pairs. Adapt the traffic endpoints of your VPN
policy accordingly. Enable keepalive by changing its value from 0 to 30.
5. Add the following filtering rules to allow access and ping your FTP server:
The other company will have to add the following policies to access your FTP
server:
6. Encryption profiles can be created in the menu Configuration => VPN => IPSEC
VPN => Encryption profiles tab. At the bottom left of the window, you can create
Phase 1 and Phase 2 profiles by entering the specified parameters.
7. Change the profile used in phase 2 in Configuration => VPN => IPSEC VPN =>
Encryption policy – tunnels, site-to-site tab. The profile for phase 1 can be
modified in Configuration => VPN => IPSEC VPN => Peers; select your peers and
change the IKE profile field.
8. To interconnect both sites using VTIs, follow the steps below on both firewalls by
adapting the IP addresses and networks:
o Create a VTI that has an address in a network other than the networks
configured on the firewall:
o Add the static routes (or policy-based routes) to access the remote
networks via the local VTI and the IP address of the remote VTI:
o Modify the IPsec VPN policy using the IP addresses of VTIs as traffic
endpoints:
o Modify the filter rules to indicate the VTI as the source and destination
interface for traffic sent through the IPsec VPN tunnel.
3. Configure the SSL VPN server in Configuration ⇒ VPN ⇒ SSL VPN. First, enable
the server by selecting Enable SSL VPN. Next, enter the following information
in the sections Network parameters and DNS parameters sent to the client:
2. SSL VPN privileges can be assigned to the user created in the authentication lab
exercise via Configuration ⇒ Users ⇒ Access privileges tab ⇒ Detailed access
tab. Apply the following line:
4. On the client side (the other company), open a terminal and perform the
following operations:
5. You can look up the connected user in the Monitoring section of the Users menu,
then in SSL VPN logs in VPN logs.
6. Test access to the other company's web and FTP servers using the servers'
private IP addresses.
Bonus:
1. Go to Configuration ⇒ VPN ⇒ SSL VPN and select the object any for the parameter
Available networks or hosts. You need to download the file named
openvpn_mobile_client.ovpn again on the client side in order to conduct checks
later.
NAT rule: During the lab exercise on address translation, if you created the outgoing
NAT rule as shown in the solution (source object = network_internals), you do not
need to create the NAT rule above, since net_SSLVPN is a protected network.
3. Select a new URL filter policy from the menu Configuration ⇒ Security policy ⇒ URL
Filtering. In the Action field of the default Any rule, redirect to a block page. Add two
new rules above it with the action pass for the Information Security and News
categories. Apply the configuration. In the menu Configuration ⇒ Security policy ⇒
Filtering and NAT, select the URL filter policy that you have just defined in the
security inspection of the rule which allows the SSL VPN network to access the Internet.
Apply and activate the filter policy.
ADVANCED LABS
Advanced Labs
Introduction
This document presents a set of CSNA lab exercises and their solutions, which can be used directly with the
virtual training platform on Institute. This platform is open to all certified users and trainees. However, the
infrastructure used in Lab 1 will be slightly different from the infrastructure used in the CSNA lab exercises,
so that all the advanced lab exercises provided in this document can be covered.
From Lab 2 onwards, exercises will not be related to one another. If any lab exercise uses objects that were
not seen during the course, explanations will be provided.
Requirements
CSNA Lab 1 (getting started with the firewall) completed.
In the first point of Lab 1 in the CSNA course, trainees had to take a snapshot, named Init below, of each
machine. Your Oracle VirtualBox configuration must look like this by the end of Lab 1 (all VMs shut down):
• NatNetwork 192.36.253.0/24:
1. Add the firewall SNS_TRAINER by fully cloning one of the available firewalls, and assign its three
network cards as follows:
• Interface 2: physical network card of the host, wired or wireless (in bridge mode), faster than
Natnetwork mode.
• Interface 3: network card of the host Virtual Host Ethernet Adapter#1 (administration).
2. Modify interface 1 on the firewalls SNS_EVA1_V4_x (where x is either A or B) by spreading them out
on the internal network LAN_INTERCO.
3. If you wish to do so, enable interface 4 on the firewalls SNS_EVA1_V4_x and connect it to the network
card of the host Virtual Host Ethernet Adapter#1 (by default on network 192.168.56.0/24). Configure only
one IP address and mask on this network card (no default gateway) - it will only be used for firewall
administration from your host.
Network configuration
The table below is based on the assumption that the firewall SNS_TRAINER, bridged on the physical network
card of your host (bridge), obtains its IP address via DHCP. If this is not the case, change its address
parameters for Internet access.
2. On the firewalls SNS_EVA1_V4_x (where x is either A or B), configure the DNS proxy cache as seen in
the CSNA exercises (only the DNS server located on the Debian can resolve to the Internet).
3. On the firewall SNS_TRAINER, configure the DNS proxy cache to allow the network 192.36.253.0/24
to resolve to the Internet. The firewall's DNS servers must be learned via DHCP, so configure the firewall
accordingly.
• DNS server: srv_dns . . .
• The gateway for this range will be the IP address of the firewall interface connected to your
internal network.
2. Configure your workstation in DHCP client mode to test the IP address assignment.
4. Configure the DHCP server to reserve the IP address of the object pc_admin for your host. The
gateway for this range will be the IP address of the firewall interface connected to your internal network.
Test IP address assignment again on your workstation to confirm that the reservation has been applied.
1. Configure the firewalls SNS_EVA1_V4_x (where x is either A or B), by following the diagram above:
• Disable the OUT interface then create two VLANs (public interfaces) with OUT as the parent
interface,
• Apply the following configuration for each VLAN interface:
VLAN_ID   SNS_EVA1_V4_A    SNS_EVA1_V4_B
10        11.1.10.10/24    -
11        11.1.11.10/24    -
20        -                11.1.20.10/24
21        -                11.1.21.10/24
2. Configure the firewall SNS_TRAINER by disabling its out interface, and create the four VLANs above
on this interface (IP address ending in .254). Configure its Internet access as well, and use CLI commands to
check that it works:
• system ping host=8.8.8.8
• system nslookup host=www.stormshield.com.
If name resolution is not working with the DNS servers that the firewall uses by default, replace them where
necessary with DNS servers obtained via DHCP.
3. On the firewalls SNS_EVA1_V4_x, check whether the DNS proxy cache is enabled (Lab 1 point 8), with
the DNS server in the DMZ as the only one allowed to resolve (srv_dns_priv). On the firewall SNS_TRAINER,
modify the configuration of the DNS proxy cache so that only VLANs are allowed to resolve.
4. On the firewalls SNS_EVA1_V4_x, configure a router object, which will be your default gateway,
directed at the instructor's two gateways (11.1.x0.254 and 11.1.x1.254), in load balancing mode on
SNS_EVA1_V4_A, and as a backup gateway on SNS_EVA1_V4_B.
5. On each firewall, configure the return routes for each link where necessary.
6. On each firewall, copy the Pass all policy in a blank slot and configure translation rules to enable
Internet access.
7. On the firewall SNS_Trainer, configure filter rules to block traffic on VLANs x0 or x1, by leaving these
rules disabled.
8. On the firewall SNS_EVA1_V4_A, test the Internet access in connection-based load balancing mode.
In the monitoring menus, check whether this load balancing mode has been applied by opening the same
web page several times in separate tabs in the browser on your machine GRAPHICAL_CLIENT_A.
9. On the firewalls SNS_EVA1_V4_B, test the Internet access in backup gateway mode and check
whether the expected switch takes place when the main link is shut down. This fault can be simulated by
enabling the filter rule Block VLAN_x0 on the firewall SNS_TRAINER.
10. While still in connection-based load balancing mode, test the application of different weights on both
links so that 2/3 of traffic goes through the main link, and check the monitoring menus.
Note:
Before moving on to another exercise, disable VLAN interfaces on each firewall, as well as any return
routes that were created, and enable the out interface again. Replace the router object that was created
with a host object 192.36.253.254.
3. Outgoing: the SMTP server in the DMZ is allowed to reach the public IP address of the neighbor's
SMTP server; allow Network_in to do so as well.
5. As Trainee A, test the mail server on the public IP address of B's SMTP server with Telnet, as shown
in the example below:
telnet 192.36.253.23 25
(server data)
HELO myhostname
(server data)
MAIL FROM: <user@a.net>
(server data)
RCPT TO: <user@b.net>
(server data)
DATA
(server data)
Subject: test1
• insert an empty line after the subject line,
6. Change the Telnet test using HELLO, which is not recognized in the RFC. What do you observe?
Do you see logs relating to this operation on A's and B's firewalls?
10. Prohibit the SMTP server from relaying external messages to your mail domain
11. Change the Telnet test that Trainee A conducted by using a prohibited e-mail address (source or
destination), e.g. user@b.net as the source or user@ .net as the destination.
12. What logs do you see in Trainee A's and B's logs when you attempt this spoofing operation?
14. In the incoming filter rule on firewall B, enable the antivirus analysis, then check that the firewall's
signature database is up to date. Next, switch to firewall A and get the text file named eicar.com.txt found
on A's web server. Send a message from A using its Debian webmail server http:// . . . : . Send a
message to user@b.net by adding this file as an attachment and check whether:
15. Configure the antispam policy on firewall B based on the following criteria:
• DNS RBL analysis is enabled, and the domain a.net is blacklisted (check that the DNS RBL
database is up to date)
• Company: Othercompany
3. Create an authentication policy and profile, and configure the captive portal for temporary accounts,
which will log in to Network_in.
5. All temporary accounts are logged in to Network_in. Only Internet access to news websites is
available to them with antivirus and URL filtering. The antivirus can be tested on eicar.org, which also has to
be allowed, or on one of the public addresses of site B's web servers. Test Internet access with John Smith
and check the authentication method shown in monitoring.
6. Change the date on your computer, moving forward by one day, and synchronize your firewall with
the date and time of your workstation. Check the users that appear in the list of temporary accounts.
7. After this test, set your computer back to the right time.
You must configure sponsorship so that external users can access resources, after an internal sponsor has
confirmed their requests. As the sponsored user is on the host GRAPHICAL_CLIENT_B, and the sponsor is on
GRAPHICAL_CLIENT_A, the sponsored user will therefore connect on the out branch of firewall A.
Before you begin, to ensure that this lab exercise goes smoothly, connect to the Debian server on A and in
the command prompt, type:
1. Add static routes to allow users on site B to reach the network lan_dmz1_A.
2. Configure an internal LDAP directory (a.net) and create an account (user) that is allowed to confirm
sponsorship requests.
3. Create an internal authentication policy and profile, and the captive portal for the sponsor, who will
log in via the IN interface.
4. Create an external authentication policy and profile, configure e-mails via SMTP and configure the
captive portal for sponsored users, who will log in via the out interface.
5. As a sponsored user, submit a sponsorship request. As a sponsor, use the user@a.net account found
on your SMTP server to accept sponsored users (use webmail to display your mailbox).
6. Configure rules to allow sponsored users to send pings to the dmz1 on A, and check that the pings
are successful.
7. Force the sponsored user to log out, and ensure that the ping no longer works.
2. Configure an IPsec tunnel with Strong encryption profiles and the Keepalive function enabled,
according to the following topology:
3. After you have checked that your IPSec VPN tunnel works, add rules to allow communication between
the local networks chosen as traffic endpoints. Check by pinging 10.255.255.1 from the graphical client on
site A.
4. Enable the SSL VPN server on site A to let the SSL VPN client contact all networks (any), and test
access to resources from site B using a user account created in the LDAP directory for this purpose.
5. Configure filter rules to allow the SSL VPN client to ping loop p on the instructor's firewall. Modify
the IPsec VPN topology where necessary.
1. Create the child VLAN interfaces of the out interface on sites A and B. Assign the IP addresses as
shown in the diagram.
2. Create two VPN tunnels between the head office (site A) and the agency (site B) using VTIs (IPpub1_A
to IPpub1_B and IPpub2_A to IPpub2_B).
3. Use a router object at the head office and the agency to reach resources located on the networks of
the remote site, with 50-50 load balancing. Make the necessary changes to the configuration to enable
communications.
4. All traffic must be encrypted between the IN and DMZ networks at the head office and the agency.
5. On the instructor's firewall, simulate an Internet access failure at the head office, and check what
impact the failure had on network traffic between sites A and B. Then, revert to the normal operating mode.
Table headers: Operational tunnels | Load balancing | Fault tolerance | Advantages of router object | Disadvantages of router object
1. Enable Bird dynamic routing. After reading the tests in Appendix 2, create static routes on each site to
reach resources located on the network LAN_IN_x on the remote site. For each test, compare the Bird routing table with
the firewall’s routing table to determine which routes were added.
2. For functional tests, use the instructor's firewall to simulate an Internet access failure at the head
office, for example by disabling a VLAN interface. Check what impact the failure had on network traffic
between sites A and B, then revert to the normal operating mode.
Table headers: Load balancing | Fault tolerance | Advantages of Bird static routing | Disadvantages of Bird static routing
Variations of scenario 2
1. From site A, you must allow access not only to the remote network LAN_IN_B 192.168.2.0/24, but
also to a network LAN_IN_B2 192.168.3.0/24 (configure a second IP address for the IN interface on firewall
B), without changing the number of static routes that Bird injected in the system.
2. Set up the configuration to observe the results, and indicate your conclusions.
1. Enable OSPF dynamic routing with Bird. After reading and applying the tests in Appendix 3, ideally, you
should have dynamic routes on each site to reach resources located on the networks LAN_IN_x and LAN_DMZ1_x on
the remote site. For each test, check the routes that OSPF injected in the system and check the resulting
routing table on the firewalls to determine which routes were added. Use filters to view only routes to
networks that you want to observe.
2. For functional tests, use the instructor's firewall to simulate an Internet access failure at the head
office, for example by disabling a VLAN interface. Check what impact the failure had on network traffic
between sites A and B, then revert to the normal operating mode.
Table headers: Load balancing | Fault tolerance | Advantages of Bird dynamic routing | Disadvantages of Bird dynamic routing
4. Enable Syslog on the firewall to send all logs to SVC in TCP (RFC 5424).
5. Log in to the SVC's web interface and check that the logs have indeed been received.
6. Edit an SNS log view and use display filters to familiarize yourself with the administration interface.
Advanced Labs
Solutions
SOLUTIONS
ADVANCED LABS
2. Under Parameters, add the domain name as well as a DNS server (the object "srv_dns" created during
the previous exercise).
3. Through the Address range section, add the address range requested in the exercise, and delete the
default range (named dhcp_range). Enter "Firewall_in" as the gateway for your address range.
4. Edit the object "pc_admin" to include your host's MAC address (you will find this address in the results
of the command "ipconfig /all" on your Windows system, or "ifconfig" if you are using a Linux system).
5. Select the object "pc_admin" in the Reservation section of the configuration menu in the DHCP
module. To test whether the new IP address was assigned, ensure that your machine is in DHCP mode, and
unplug/plug in the network cable that connects it to the UTM.
• On firewall B:
Configure routing in CONFIGURATION => NETWORK => ROUTING; your default gateway must be
Firewall_in_router if you are a DHCP client on this interface.
The command system ping host=8.8.8.8 confirms that Internet access functions.
The command system nslookup host=www.stormshield.com makes it possible to confirm that name
resolution functions properly. If it fails (e.g., your ISP does not recognize the servers dns1.google.com and
dns2.google.com), check the following points:
• In CONFIGURATION => SYSTEM => CONFIGURATION, NETWORK SETTINGS tab, REMOVE THE
SERVERS dns1.google.com and dns2.google.com from the list of DNS servers that the firewall
uses, and add the server Firewall_in_dns1. The resolution test must now be functional.
3. The menu CONFIGURATION => NETWORK => DNS PROXY CACHE must look like this, respectively on
firewalls A and B, then on TRAINER:
4. On the firewalls SNS_EVA1_V4_x, go to CONFIGURATION => OBJECTS => NETWORK OBJECTS to create
a router object on A as follows:
The object created on B is identical but with the host GW_TRAINER_VLAN_20 as the main gateway and
GW_TRAINER_VLAN_21 as the backup gateway.
However, return routes are not necessary on the firewalls SNS_EVA1_V4_x, unless you want to publish a
server in a DMZ so that it can be reached from one or both links. In this case, you can create return routes
as follows (example of SNS_EVA1_V4_A):
5. Go to MONITORING => SECURITY POLICY => FILTER - NAT. Add the following translation rules in the
slot used, respectively for A and SNS_TRAINER:
6. On the firewall SNS_Trainer, add block rules to simulate a failure with the ISP:
You can also go to MONITORING => LOGS – AUDIT LOGS => Network traffic to check whether connections
alternate between two different routes:
8. After generating traffic from GRAPHICAL_CLIENT_B, check on the firewall SNS_EVA1_V4_B whether
all traffic takes a single route:
• After the block rule is enabled on the firewall SNS_TRAINER, all traffic will take the backup route:
9. Go back to the firewall SNS_EVA1_V4_A after you have disabled the block rule on the firewall
SNS_TRAINER, and change the router object as follows:
10. You will see that load balancing is 2/3 – 1/3 in the monitoring menus.
2. When HELLO, which is not recognized in the RFC, is used, the server replies:
4. In IDS inspection mode, the logs are plugin logs and firewall B shows an application alarm, but allows
the traffic. In IPS mode, the application alarm invalid SMTP protocol (BadCmdWaitingHeloEhlo) appears and the
Telnet connection is shut down:
5. To set up an incoming SMTP policy, go to Configuration > Security policy > SMTP filtering:
• Rule 1 prohibits address spoofing on your mail domain, since external users are not allowed to
use internal addresses,
• Rule 2 accepts only messages that are intended for you. The implicit Block all rule, which cannot be seen
but is active, prohibits your SMTP server from relaying external messages to your mail domain.
6. This SMTP policy must now be applied to the incoming filter rule, which must also be modified to add
the translation directive in the filter rule so that the "proxy" operation will be applied correctly. Go to
Configuration > Security policy > Filter - NAT:
Edit the properties of the SMTP protocol in the Proxy tab in Configuration > Application protection > Protocols > SMTP:
7. When you run Telnet from the client workstation, the firewall may block your access and raise a
"Possible DNS rebinding attack" alarm. You can also run Telnet directly from the Debian machine, first with
an illegal recipient, then an illegal sender. The Telnet output resembles:
Do note that the firewall did not shut down the connection, but the illegal users were blocked.
8. The SMTP proxy logs on firewall B show that two successive operations were blocked: "Default policy:
recipient is blocked", then "Sender is blocked".
9. To implement an outgoing SMTP policy in firewall A, go to Configuration > Security policy > SMTP
filtering:
Apply this policy to the outgoing SMTP filter rule, then go to Configuration > Security policy > SMTP filtering (smtp_01
profile), click on Go to global configuration and select Apply the NAT rule on scanned traffic:
You will now see an attempt to spoof an e-mail address via Telnet in firewall A's logs: "Default policy: sender
is blocked".
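The following is an added example, not Stormshield code and not part of the original lab: a small Python model of the two checks exercised in steps 2 to 9, the protocol check that raises the BadCmdWaitingHeloEhlo alarm for a command sent before HELO/EHLO (logged only in IDS mode, connection dropped in IPS mode), and the incoming SMTP filtering policy on firewall B (rule 1, rule 2 and the implicit Block all). The mail domain b.net, the glob syntax of the rules, the verdict strings and the replayed sessions are assumptions made for the example; the proxy's real log texts are the ones quoted in the steps above.

```python
"""Added example (not Stormshield code): toy model of the SMTP proxy checks used in this lab.
The domain b.net, the rule syntax, the verdict strings and the sample sessions are assumptions."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class SmtpRule:
    sender: str      # glob matched against the MAIL FROM address (lower-cased)
    recipient: str   # glob matched against each RCPT TO address
    action: str      # "pass" or "block"


# Incoming policy on firewall B for the (assumed) mail domain b.net:
#   rule 1: external senders may not use internal addresses (anti-spoofing)
#   rule 2: accept only messages addressed to our own domain
#   implicit Block all: everything else, which also stops relaying to third parties
INCOMING_B = [
    SmtpRule("*@b.net", "*", "block"),
    SmtpRule("*", "*@b.net", "pass"),
]


def first_match(policy: List[SmtpRule], sender: str, recipient: str) -> Optional[SmtpRule]:
    """First matching rule wins; None means the implicit Block all applies."""
    for rule in policy:
        if fnmatchcase(sender.lower(), rule.sender) and fnmatchcase(recipient.lower(), rule.recipient):
            return rule
    return None


_ADDR = re.compile(r"<([^>]*)>")
KNOWN_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def replay(session: List[str], policy: List[SmtpRule], ips_mode: bool = True) -> List[str]:
    """Replay client commands through the protocol check and then the filtering policy.
    Returns one verdict per command processed; in IPS mode the replay stops at the
    first protocol alarm because the connection is shut down."""
    verdicts: List[str] = []
    helo_seen = False
    sender = ""
    for line in session:
        verb = line.split(None, 1)[0].upper().rstrip(":") if line.strip() else ""
        addr_match = _ADDR.search(line)
        addr = addr_match.group(1) if addr_match else ""
        # Protocol check: anything but HELO/EHLO (or a harmless NOOP/QUIT) before the greeting
        # is the "invalid SMTP protocol" case; IDS only logs it, IPS drops the session (assumed).
        if not helo_seen and verb not in ("HELO", "EHLO", "NOOP", "QUIT"):
            if ips_mode:
                verdicts.append("alarm BadCmdWaitingHeloEhlo (connection shut down)")
                break
            verdicts.append("alarm BadCmdWaitingHeloEhlo (allowed, IDS)")
            continue
        if verb not in KNOWN_VERBS:
            verdicts.append("500 unrecognized command")
            continue
        if verb in ("HELO", "EHLO"):
            helo_seen = True
            verdicts.append("250 ok")
        elif verb == "MAIL":
            sender = addr          # the sender is only judged once a recipient is known
            verdicts.append("250 sender ok")
        elif verb == "RCPT":
            rule = first_match(policy, sender, addr)
            if rule is None:
                verdicts.append("550 Default policy: recipient is blocked")
            elif rule.action == "pass":
                verdicts.append("250 recipient ok")
            else:
                # Report which half of the rule caught the message, as the proxy log does.
                verdicts.append("550 sender is blocked" if rule.sender != "*" else "550 recipient is blocked")
        else:
            verdicts.append("250 ok")
    return verdicts


# Constructed sessions mirroring the Telnet tests of the lab.
SESSION_BAD_GREETING = ["HELLO client.example"]                                  # HELLO is not an SMTP command
SESSION_BAD_RECIPIENT = ["EHLO debian", "MAIL FROM:<someone@example.org>",
                         "RCPT TO:<victim@other.net>"]                           # relay attempt
SESSION_BAD_SENDER = ["EHLO debian", "MAIL FROM:<boss@b.net>",
                      "RCPT TO:<user@b.net>"]                                    # spoofed internal sender
SESSION_LEGIT = ["EHLO mx.example.org", "MAIL FROM:<someone@example.org>", "RCPT TO:<user@b.net>"]

if __name__ == "__main__":
    for name, s in [("bad greeting (IPS)", SESSION_BAD_GREETING), ("bad recipient", SESSION_BAD_RECIPIENT),
                    ("bad sender", SESSION_BAD_SENDER), ("legitimate", SESSION_LEGIT)]:
        print(name, "->", replay(s, INCOMING_B))
```

The ordering of the two rules matters: if rule 2 came first, a spoofed boss@b.net addressed to user@b.net would be accepted before the anti-spoofing rule is ever consulted. The same model can be reused for the outgoing policy on A by writing rules for the domain a.net.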
10. Apply the antivirus analysis to the incoming filter rule on firewall B:
11. In the monitoring tab, check whether the signature database is up to date, and if it is not, force an update:
On Trainee A’s workstation, open http://172.16.1.11/Virus, right-click on eicar.com.txt and save the file on your
computer. Log in to Trainee A’s webmail, attach this file to an e-mail and send it. You will immediately receive a code
The SMTP proxy logs on firewall B will show that this e-mail was blocked.
On firewall B, go to Configuration > Application protection > Antispam and apply the same configurations:
12. Enable the antispam analysis on the incoming filter rule on firewall B:
Next, check whether the DNS RBL database is up to date, then on firewall A, send a message to user@b.net
from your webmail; you will receive a non-delivery notification immediately.
The SMTP proxy logs show that the e-mail was blocked with the message "Message not sent due to antispam
policy".
3. Create an authentication policy via the menu CONFIGURATION => USERS => AUTHENTICATION =>
Authentication policy tab:
Configure the interface corresponding to the authentication profile in the menu CONFIGURATION => USERS
=> AUTHENTICATION => CAPTIVE PORTAL tab:
4. To allow Internet access conditions to be displayed, go to the menu CONFIGURATION => USERS =>
AUTHENTICATION => CAPTIVE PORTAL PROFILES tab and select the relevant option:
Use the object any@voucher_users.local.domain in rule 4 to define a user with a temporary account.
On the host GRAPHICAL_CLIENT_A, test access to www.eicar.org. You will be redirected to the captive portal on which
you log in as jean.dupont with the password indicated earlier. The Internet access conditions appear:
When you accept the terms at the bottom of the page (select "I have read the terms" and click on "I accept"),
you will be redirected to the website. Go to MONITORING => MONITOR => USERS to view the properties of
the connected user:
You can also test news websites (www.euronews.com) or other categories in HTTP to check whether your URL filter
has been applied.
6. After the temporary account expires - which you can simulate by changing the date on the firewall -
the temporary account created will disappear.
2. The configuration of the internal directory on firewall A is the same as the configuration in the CSNA
course. The only difference is in CONFIGURATION => USERS => AUTHENTICATION => Captive portal profiles
tab. Select the checkbox Enable sponsorship:
3. Go to CONFIGURATION => USERS => AUTHENTICATION, Authentication policy tab to create the
following policy for the sponsor:
Create an internal authentication policy and profile, and configure the captive portal for the sponsor, who
will log in via the IN interface.
A link to the configuration of the firewall's SMTP server (making it possible to send the request to the
sponsor) is highlighted; click on it to configure the service:
Use the Testing the SMTP configuration button to test user@a.net, and on GRAPHICAL_CLIENT_A, check whether
this test is effective, by logging in to the webmail:
Go back to CONFIGURATION => USERS => AUTHENTICATION, Authentication policy tab. Create the following
policy:
Use the user@a.net account found on your SMTP server to accept sponsored users (use webmail to display
your mailbox):
You will be asked to authenticate as a sponsor on the captive portal if you have not already done so; the
sponsorship request is successful:
6. In CONFIGURATION ⇒ SECURITY POLICY ⇒ FILTER - NAT on firewall A, add the following rules:
3. At this stage, the tunnel is up. This is the view of the logs on A:
After you have checked that your IPSec VPN tunnel works, add the following filter rules, respectively on A
and TRAINER:
4. The SSL VPN tunnel is enabled in the same way as in the CSNA course, with the user jdupont:
Likewise for filter rules (allow SSL VPN clients to access internal resources).
Jean Dupont logs in as an SSL VPN client and can access resources on site A, but not the loopback interface on
the Trainer firewall, even though the accessible networks configured for the SSL VPN include the loopback
interface available via IPsec VPN.
5. The IPsec VPN topology must be modified to create a route between the SSL VPN client network and
the loopback interface on Trainer (from the instructor's point of view):
As soon as the filter rules are defined on the Trainer site and on site A, the SSL VPN client can ping the
loopback interface on Trainer (via IPSec VPN) through the SSL VPN tunnel:
1. The firewall on site A uses a router object to access the Internet, so you can check whether load
balancing works in Monitoring => Logs => Network traffic, show the column Translated source address. In
the example below, we opened four tabs to the same website on GRAPHICAL_CLIENT_A, in which we clearly see
alternating translated source addresses on both VLAN interfaces on site A:
2. Go to Configuration => Network => Virtual interfaces, IPSec interfaces (VTI) tab, and create the
interfaces as shown below, respectively on A and B:
Create host objects that represent remote VTIs on sites A and B, in Configuration => Objects => Network
objects, Add button:
Create host objects as well that represent each public IP address on the remote site:
Create static routes respectively on A and B that make it possible to reach remote public IP addresses, in
Configuration => Network => Routing, IPv4 static routes tab:
Return routes are already configured in the .na files provided, but you can check them. In a configuration
set up from scratch, you would have had to create them yourself.
In Configuration => VPN => IPSec VPN, Peers tab, create the following peers on site A:
Then on site B:
The Keep alive option is enabled on one of the firewalls (A in this example) to force tunnels to be set up.
You can check VPN logs or tunnel monitoring at this stage (example given from A):
Note:
Before going on to point 3, back up the configuration of firewalls A and B. This will save you time for the
other scenarios in this document.
3. Create router objects respectively on A and B in Configuration => Objects => Network objects,
Add button:
Reminder: router objects can be used as default gateways or for policy-based routing (PBR). Go to
Configuration => Security policy => Filter - NAT, and create the following rules respectively on A and B:
When PBR is used with VTIs, you must create return routes on each firewall (the first two return routes in
the examples below were in the .na files) in Configuration => Network => Routing, IPv4 return routes tab:
On GRAPHICAL_CLIENT_A, try to open the web page of the server Debian-Training-Webmail_B four times with its private
IP address, and display the connection logs to check whether load balancing is functioning (show the column
Destination interface on firewall A):
4. Traffic is encrypted between the networks of the head office and the agency as soon as it goes
through a VTI. When the corresponding router object is created, the value "Do not route" is already
configured for the parameter "If no gateways are available". There is nothing else to configure.
5. Two disabled filter rules on the instructor's firewall make it possible to simulate an ISP failure.
Enable rule 1:
The router monitoring menu illustrates this problem (from A's point of view in this example):
However, nothing has changed in the IPSec VPN tunnel monitoring menu or IPSec VPN logs, which is normal
because when peers are configured, the advanced Liveness option in IKEv2 (DPD in IKEv1) did not change,
and its default value is Passive (IKE will not send messages to detect the validity of its phase 1 key). Set peers
to Low on one of the sides (A or B):
Repeat the test on GRAPHICAL_CLIENT_A, i.e., opening the web page of the server Debian-Training-
Webmail_B several times with its private IP address, and display the connection logs (show the column
Destination interface on firewall A):
When access simulating the ISP1 on the firewall TRAINER is enabled again, and access for ISP2 is disabled,
VPN logs now show the issue (the message Remote seems to be dead appears for the disabled link) since
the detection of phase 1 validity was enabled in the meantime.
6. You now have all the information you need to fill in the table:
Note:
Attempts to add links to a peer already used in the topology (e.g., a link between the second public IP address
on A to the first address on B, with VTI interfaces) will fail. Moreover, if you attempt to create a new peer
(on an existing public IP address and with the same parameters as the previous one), the peer will encounter
an error whether you use PSK or certificates, because it will be considered a duplicate.
• Site A: 2 Internet connections, site B: 1 Internet connection; 1 tunnel via VTI from B to A1,
another from B to A2.
• Site A: 2 Internet connections, site B: 2 Internet connections; 4 tunnels in all, from A1 to B1,
from A1 to B2, from A2 to B1, from A2 to B2.
Generally speaking, since an IPsec VPN peer is associated with a single public IP address, for full fault
tolerance and several tunnels up simultaneously, VTIs must be used with Stormshield firewalls, and on both
sites, there must be as many public IP addresses as the desired number of simultaneous tunnels.
Solution to scenario 2
All screen captures in this solution are from A's point of view.
1. Begin by testing whether load balancing works; the screen captures below represent the Bird
configuration and the result in command line:
The show static command shows that the routes have the same weight, but are not injected into the
system routing table. Routing is performed packet by packet, so sending one packet via the first route and the
next packet via the second route is not compatible with a firewall that must track sessions; load balancing
is therefore not an option.
Only the route with the highest preference will be injected into the system table, which is somewhat logical.
Since the test was successful, it will be implemented in the next point.
Note:
Comments that begin with # in the Bird configuration have been removed from the screen captures in this
solution to make the configuration easier to read, but keep them in the actual configuration so that
administrators who share the firewall management role with you can refer to them.
Now, add monitoring on each link with BFD on both sides:
The routing table is the same as the previous one; a frame capture using the command tcpdump -ni enc1
port 3784 (and on the second link with enc2) shows BFD in action:
2. Routing without BFD is tested first, by disabling the interface vlan_10 on the firewall TRAINER:
On the firewall on site A, the route monitoring menu shows that the first link is unavailable:
IPsec VPN logs also show that tunnel 1 is unavailable, but only because it was idle for too long (this corresponds
to the frequency of the Liveness tests that detect the validity of the phase 1 key):
The route to the network LAN_IN_B 192.168.2.0/24 has not changed, and is associated with the traffic
endpoint VTI of the tunnel that is down, and therefore no longer valid!
The observations made here are logical, because the routing table is supposed to change only if one of the
interfaces is down. But you will notice that even when an IPsec VPN tunnel with VTIs is down, the VTIs remain
up - this makes it easier for the tunnel to resume operation quickly.
The check link option used at the beginning of the protocol static section in the Bird configuration file
therefore has no effect here, since the link state of a VTI never changes.
Applying the same tests as before (interface vlan_10 disabled on the firewall TRAINER), BFD frames no longer
travel over the link vti1 (a capture with tcpdump -ni enc1 port 3784 remains silent).
This time, the output of the system routing table shows that the backup route has taken over:
As soon as normal operations resume (the interface vlan_10 enabled on the firewall TRAINER), the system
routing table will point back very quickly to the route with the highest priority.
You can send a test ping from Graphical_client_A to the IP address 192.168.2.254, and repeatedly
enable/disable the interface of the firewall TRAINER; it takes so little time to switch that it is almost not
noticeable. BFD can be configured with detection intervals in milliseconds (the default value is 100 ms), but
this is not necessary in our case, since the renegotiation of the tunnel will only take a few seconds.
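An added example, not Stormshield or BIRD code: a Python decoder for the BFD control packets captured on UDP port 3784 in the previous step, with the detection-time calculation that explains why a session using BIRD's defaults (100 ms interval, multiplier 5) notices a dead link in about half a second. The packet layout and the validation rules follow RFC 5880 (sections 4.1, 6.8.4 and 6.8.6); the sample packets are built by the example itself, not taken from a capture, and the discriminator values are arbitrary.

```python
"""Added example (not Stormshield or BIRD code): decode BFD control packets (RFC 5880)
and compute the asynchronous-mode detection time. Sample packets are constructed here."""
import struct
from dataclasses import dataclass

BFD_STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
# Mandatory section (RFC 5880 s4.1): ver/diag, state/flags, detect mult, length,
# My Discriminator, Your Discriminator, Desired Min TX, Required Min RX, Required Min Echo RX.
_HDR = struct.Struct("!BBBBIIIII")   # 24 bytes


@dataclass(frozen=True)
class BfdControl:
    diag: int
    state: str
    poll: bool
    final: bool
    auth_present: bool
    detect_mult: int
    my_disc: int
    your_disc: int
    desired_min_tx_us: int
    required_min_rx_us: int


def build_bfd_control(state: int, detect_mult: int, my_disc: int, your_disc: int,
                      tx_us: int, rx_us: int) -> bytes:
    """Build a version-1 control packet without an authentication section (Length = 24)."""
    return _HDR.pack((1 << 5) | 0, state << 6, detect_mult, _HDR.size,
                     my_disc, your_disc, tx_us, rx_us, 0)


def parse_bfd_control(payload: bytes) -> BfdControl:
    """Parse a control packet; raise ValueError for packets a receiver must discard (s6.8.6)."""
    if len(payload) < _HDR.size:
        raise ValueError("packet shorter than the 24-byte mandatory section")
    b0, b1, mult, length, my, your, tx, rx, _echo = _HDR.unpack_from(payload)
    if b0 >> 5 != 1:
        raise ValueError("unsupported BFD version")
    auth = bool(b1 & 0x04)                       # A bit
    min_len = _HDR.size + 2 if auth else _HDR.size
    if length < min_len or length > len(payload):
        raise ValueError("bad Length field")
    if mult == 0 or my == 0:
        raise ValueError("Detect Mult and My Discriminator must be non-zero")
    state = BFD_STATES[b1 >> 6]
    if your == 0 and state not in ("Down", "AdminDown"):
        raise ValueError("Your Discriminator 0 is only valid in Down/AdminDown")
    return BfdControl(b0 & 0x1F, state, bool(b1 & 0x20), bool(b1 & 0x10), auth,
                      mult, my, your, tx, rx)


def detection_time_ms(remote: BfdControl, local_required_min_rx_us: int) -> float:
    """Detection time at the local system in asynchronous mode (RFC 5880 s6.8.4): the
    remote's Detect Mult times the remote's agreed transmit interval, i.e. the greater of
    our Required Min RX and the remote's Desired Min TX."""
    return remote.detect_mult * max(local_required_min_rx_us, remote.desired_min_tx_us) / 1000.0


# Constructed sample: a peer in state Up with BIRD's defaults (interval 100 ms, multiplier 5).
SAMPLE_UP = build_bfd_control(state=3, detect_mult=5, my_disc=0x1A, your_disc=0x2B,
                              tx_us=100_000, rx_us=100_000)
# Constructed sample: the peer slowed its transmit interval to 1 s, so detection takes 5 s.
SAMPLE_SLOW = build_bfd_control(state=3, detect_mult=5, my_disc=0x1A, your_disc=0x2B,
                                tx_us=1_000_000, rx_us=100_000)

if __name__ == "__main__":
    for pkt in (SAMPLE_UP, SAMPLE_SLOW):
        ctl = parse_bfd_control(pkt)
        print(ctl.state, "mult", ctl.detect_mult, "detection", detection_time_ms(ctl, 100_000), "ms")
```

The detection time is negotiated, not simply the local interval: a peer that advertises a slower Desired Min TX stretches the time before the route via that VTI is withdrawn. On the VTIs the BFD packets travel inside the IPsec tunnel, so they inherit its integrity protection; on a cleartext link the A bit and an authentication section would be needed to stop a third party from forcing a session Down.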
Load balancing: NO
Fault tolerance: YES, but only with BFD
Advantages of Bird static routing: Multiple links possible and, with BFD, a very quick switch to the route to take
Disadvantages of Bird static routing: No load balancing, unlike a router object
1. The networks 192.168.2.0/24 and 192.168.3.0/24 can be aggregated by changing the mask, into a single
line: 192.168.2.0/23 (192.168.2.0-192.168.3.255); the configuration of dynamic routing on site A therefore
becomes:
Note:
Whether or not there is a firewall, smart rules that minimize the contents of the routing table remain in
force. On each site, it is preferable that you use contiguous networks and route aggregation by using masks
of varying lengths.
Solution to scenario 3
1. Modify the file presented in the first test in Appendix 3 for A and B as follows:
#On A: #On B:
Filtering that involves the default gateway 0.0.0.0/0 and the network 192.36.253.0/24 was effective, but
OSPF also sees networks connected on the OUT interface of the remote firewall, and host addresses in /32.
Modify the existing filter so that you do not see these networks:
• 11.1.0.0/16+ makes it possible to ignore any network beginning with 11.1, for any mask
higher than or equal to 16.
• 0.0.0.0/0{32,32} makes it possible to ignore the mask /32, regardless of the IP address.
filter network {
    if net ~ [ 192.168.56.0/24, 0.0.0.0/0, 11.1.0.0/16+, 0.0.0.0/0{32,32} ] then reject;
    else accept;
}
After you modify the configuration file in Configuration => Network => Routing, IPv4 dynamic routing tab,
save the changes and in command line, view the injected routes as seen earlier:
Only the internal networks on the remote site will now be imported into the routing table on A, as type 2
external routes. These routes were imported into OSPF on firewall B by the pseudo-protocol kernel; OSPF
therefore does not learn them directly. A type 2 external route is supposed to be redistributed into OSPF by
an ASBR, i.e., an OSPF router connected to routers that do not use OSPF, which exchanges external routes
between the inside and the outside of the OSPF domain; this is somewhat the case here.
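An added example, not BIRD code: a Python model of how BIRD evaluates the prefix patterns in the reject set above, so you can check which of the routes exported by B the filter will drop before loading the configuration. It implements the rule given in the BIRD documentation (ip/len{low,high} matches ip2/len2 when low <= len2 <= high and the first min(len, len2) bits of both addresses are equal; ip/len+ and ip/len- are the {len,maxlen} and {0,len} shorthands; a plain ip/len is an exact match). The candidate routes used in the __main__ block are constructed for the example and are not taken from the lab's routing tables.

```python
"""Added example (not BIRD code): Python model of BIRD prefix-set matching, used to check
the lab's "filter network" reject set against candidate routes before deploying it."""
import ipaddress
import re
from typing import List, Tuple

_PATTERN = re.compile(r"^([0-9a-fA-F.:]+)/(\d+)(?:(\+|-)|\{(\d+),(\d+)\})?$")


def parse_pattern(text: str) -> Tuple[int, int, int, int, int]:
    """Return (network as int, len, low, high, maxlen) for one BIRD prefix pattern."""
    m = _PATTERN.match(text.strip())
    if not m:
        raise ValueError(f"not a BIRD prefix pattern: {text!r}")
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    plen, maxlen = net.prefixlen, net.max_prefixlen
    if m.group(3) == "+":            # ip/len+  -> ip/len{len,maxlen}: the prefix and its subnets
        low, high = plen, maxlen
    elif m.group(3) == "-":          # ip/len-  -> ip/len{0,len}: the prefix and its supernets
        low, high = 0, plen
    elif m.group(4) is not None:     # explicit {low,high}
        low, high = int(m.group(4)), int(m.group(5))
    else:                            # plain ip/len: exact match only
        low = high = plen
    if not 0 <= low <= high <= maxlen:
        raise ValueError(f"bad length range in {text!r}")
    return int(net.network_address), plen, low, high, maxlen


def pattern_matches(pattern: str, route: str) -> bool:
    """BIRD rule: length of the route within [low, high] and the first min(len, len2) bits equal."""
    pnet, plen, low, high, maxlen = parse_pattern(pattern)
    r = ipaddress.ip_network(route, strict=False)
    if r.max_prefixlen != maxlen or not low <= r.prefixlen <= high:
        return False
    bits = min(plen, r.prefixlen)
    mask = ((1 << bits) - 1) << (maxlen - bits)
    return (pnet & mask) == (int(r.network_address) & mask)


# The reject set of the lab's filter, reproduced from the BIRD file above.
REJECT_SET = ["192.168.56.0/24", "0.0.0.0/0", "11.1.0.0/16+", "0.0.0.0/0{32,32}"]


def filter_network(route: str, reject_set: List[str] = REJECT_SET) -> str:
    """Mirror of:  if net ~ [ ... ] then reject; else accept;"""
    return "reject" if any(pattern_matches(p, route) for p in reject_set) else "accept"


def explain(routes: List[str]) -> List[Tuple[str, str]]:
    return [(r, filter_network(r)) for r in routes]


if __name__ == "__main__":
    # Constructed candidates: the remote LAN aggregate, a default route, networks behind
    # the remote OUT interface, a network outside the 11.1 range, host routes, and the
    # exact prefix plus a more specific one, to show that a plain ip/len is exact only.
    for route, verdict in explain(["192.168.2.0/23", "0.0.0.0/0", "11.1.5.0/24", "11.2.0.0/16",
                                   "203.0.113.9/32", "192.168.56.0/24", "192.168.56.0/25"]):
        print(f"{route:18} {verdict}")
```

The model makes the difference between the two 0.0.0.0/0 entries visible: the plain one rejects only the default route itself, while 0.0.0.0/0{32,32} rejects every /32 regardless of address. It also shows that 192.168.56.0/24 without a modifier lets a more specific 192.168.56.0/25 through; use 192.168.56.0/24+ if that is not intended.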
The output via the command netstat -rn shows the path taken to reach the remote networks:
Since timers were not configured for Hello messages, they must adopt the default values in OSPF; display
them so that you can predict the average time before a failure is detected:
During a failure on VTI1, if the firewall does not receive any Hello messages for 40 seconds, the system will
switch to the second link.
On the firewall on site A, you must wait for about 40 seconds before the changes to the routing table are
applied (switch to VTI2):
After normal operations resume (the interface on TRAINER enabled again), the route to the remote networks
does not change (no reply on interface enc1), unless link 2 is disabled on TRAINER.
Load balancing: NO*
Fault tolerance: YES
Advantages of Bird dynamic routing: Standard OSPF protocol that implements fault detection mechanisms
Disadvantages of Bird dynamic routing: Switch time depends on the OSPF Dead Timer, set to 40 seconds by default
Note:
There is a parameter in the Bird configuration called ECMP (Equal Cost Multiple Paths) that you can test to
set up load balancing, but you will arrive at the same conclusions as in scenario 2. Since layer 3 routing
implements packet-based load balancing, it is not compatible with a firewall that must analyze sessions
(all packets belonging to a connection must go through the same interfaces).
2. To enable syslog on the firewall, go to Configuration => Notifications => Logs - Syslog - IPFIX. Open
the SYSLOG tab and enable a profile by specifying the IP address, protocol and port of the syslog server.
Lab - Exercises
training@stormshield.eu
21/12/2021