Stormshield Network Firewall for Your Network
Total Page:16
File Type:pdf, Size:1020Kb
GUIDE STORMSHIELD NETWORK SECURITY USER CONFIGURATION MANUAL Version 4 Date: December 18, 2019 Reference: sns-en-user_configuration_manual-v4.0.1 SNS - USER CONFIGURATION MANUAL - V 4 IP addresses and host objects 27 Table of contents URLs 28 Ports 29 WELCOME 11 Network packets 29 Recommendations on the operating Alarms view 30 environment 11 System events view 30 Introduction 11 Logs 30 Security watch 12 ADMINISTRATORS 33 Physical security measures 12 Organizational security measures 12 “Administrators” tab 33 Human media 13 Interactive features 33 IT security environment 13 Possible operations 33 User awareness 15 Table of privileges 34 Administrator management 15 “Administrator account” tab 37 User password management 16 Authentication 37 Work environment 17 Exports 37 User access management 17 “Ticket management” tab 38 The table 38 ACCESS PRIVILEGES 18 Possible operations 38 “Default options” tab 18 ANTISPAM 39 SSL VPN Portal 18 IPSEC 18 “General” tab 39 SSL VPN 18 SMTP parameters 39 Sponsorship 19 Advanced properties 40 “Detailed access” tab 19 “Whitelisted domains” tab 41 Possible operations 19 Interactive features 42 Interactive features 19 “Blacklisted domains” tab 42 Configuration table 19 Interactive features 42 “PPTP” tab 21 ANTIVIRUS 43 Interactive features 21 Antivirus engine 43 ACTIVE UPDATE 22 Settings 43 Automatic updates 22 Analysis of ClamAV files 43 Advanced properties 22 Analysis of Kaspersky files 43 Update servers of the URL database 22 Sandboxing 44 Update servers of customized context- based protection signatures 22 APPLICATIONS AND PROTECTIONS 45 Update servers 22 View by inspection profile 45 Selecting the configuration profile 45 LOGS - AUDIT LOGS 23 The various columns 47 Private data 23 View by context 48 Collaborative security 23 Storage device: SD Card 23 AUTHENTICATION 50 Actions 24 “Available methods” tab 50 Toolbar no. 1: period 24 Interactive features 50 Toolbar no. 2: simple or advanced Authentication methods 51 search 24 “Authentication policy” tab 57 Toolbar no. 3: actions 25 Actions on the rules of the authentication Information 26 policy 58 Displaying details of a row of logs 26 Interactive features 59 Interactive features 26 New rule 59 Simple search mode 26 "Captive portal" tab 60 Advanced search mode 26 Page 2/439 sns-en-user_configuration_manual-v4.0.1 - 12/18/2019 SNS - USER CONFIGURATION MANUAL - V 4 Captive portal 61 Defining a default authority or sub- SSL server 61 authority 83 Conditions of use for Internet access 61 Downloading a certificate 83 Advanced properties 62 Downloading an identity 84 "Captive portal profiles" tab 62 Downloading a CRL 84 Possible actions 62 Authentication 63 CLI CONSOLE 85 Conditions of use for Internet access 63 List of commands 85 Authentication periods allowed 63 Data entry zone 86 Advanced properties 63 Transparent or explicit HTTP proxy CONFIGURATION 87 and multi-user objects 65 “General configuration” tab 87 Multi-user objects 65 General configuration 87 Transparent proxy (implicit) 66 Cryptographic settings 87 Explicit proxy 66 Password policy 88 BLOCK MESSAGES 68 Date/Time settings 89 Advanced properties 89 Antivirus tab 68 Industrial firewalls only (SNi40 models) 90 POP3 protocol 68 “Firewall administration” tab 91 SMTP protocol 68 Access to the firewall’s administration FTP protocol 68 interface 91 “HTTP block page” tab 68 Access to firewall administration pages 92 Block page tabs 69 Disclaimer for access to the administration Editing block pages 69 interface 92 Remote SSH access 92 CERTIFICATES AND PKI 71 “Network settings” tab 93 Possible operations 71 IPv6 support 93 Search bar 71 Proxy server 93 Filter 72 DNS resolution 93 Add 72 Revoke 72 CONFIGURATION OF MONITORING 94 Actions 72 Interval between refreshments 94 Download 73 Configuration of interfaces and QoS queues Check usage 73 to be monitored 94 Adding authorities and identities 73 "Interface configuration" tab 94 Adding a root authority 73 "QoS configuration" tab 94 Adding a sub-authority 75 Adding a user identity 76 DASHBOARD 96 Adding a smart card identity 78 The module configuration menu 96 Adding a server identity 79 Favorite modules 96 Importing a file 80 Configuration 96 Revoking an authority, sub-authority The dynamic area: widgets 97 or certificate 81 Network 97 Revoking an authority 81 Protections 98 Revoking a sub-authority or certificate 81 Properties 98 Revoking a certificate 81 Health indicators 99 Creating, renewing or removing a CRL 82 Services 100 Creating a CRL 82 Pay As You Go 100 Renewing a CRL 82 Removing a CRL 83 DHCP 101 Removing the private key of an General 101 identity (while keeping the certificate)83 “DHCP server” service 101 Page 3/439 sns-en-user_configuration_manual-v4.0.1 - 12/18/2019 SNS - USER CONFIGURATION MANUAL - V 4 Default settings 101 Intrusion prevention alarms 124 Address range 101 System events 124 Reservation 102 “Recipients” tab 125 Advanced properties 103 Creating a group 125 “DHCP relay” service 104 Deleting a group 125 Settings 104 Check use 126 Listening interfaces on the DHCP “Templates” tab 126 relay service 104 Editing the template (HTML) 126 Vulnerability manager 126 DIRECTORIES CONFIGURATION 106 Certificate request 127 Main window 106 User enrollment 127 "Add a directory" button 106 List of variables 127 "Action" list 106 Example of a report received by e-mail Creating an internal LDAP 106 regarding alarms 127 Step 1: Selecting the directory 107 Step 2: Accessing the directory 107 ENROLMENT 128 Internal LDAP directory screen 107 The enrolment table 128 Connecting to an external LDAP Possible operations 128 directory 108 User enrolment and certificate requests 128 Step 1: Selecting the directory 108 Advanced properties 129 Step 2: Accessing the directory 108 External LDAP directory screen 109 FILTERING AND NAT 130 Connecting to a PosixAccount Evaluation of filtering and the impact of external LDAP directory 112 NAT 130 Step 1: Selecting the directory 112 “FastPath” mode 130 Step 2: Accessing the directory 112 Policies 130 External LDAP directory screen 113 Selecting the filter policy 131 Connecting to a Microsoft Active Possible operations 132 Directory 115 Selecting multiple objects 132 Step 1: Selecting the directory 115 Drag & drop 132 Step 2: Accessing the directory 115 “Filtering” tab 132 Microsoft Active Directory screen 116 Actions on filter policy rules 133 Interactive features 135 DNS CACHE PROXY 119 Filter table 136 Enable DNS cache 119 “NAT" tab 148 List of clients allowed to used the Actions on NAT policy rules 149 DNS cache 119 Interactive features 151 Advanced properties 119 NAT table 152 DYNAMIC DNS 121 HIGH AVAILABILITY 157 List of dynamic DNS profiles 121 Step 1: Creating or joining a high Configuring a profile 121 availability cluster 157 DNS resolution 121 Step 2: Configuring network interfaces 158 Dynamic DNS service provider 121 If you have chosen to create a cluster 158 Advanced properties 122 If you have chosen to join a cluster 158 Step 3: Cluster’s pre-shared key and data E-MAIL ALERTS 123 encryption 159 “Configuration” tab 123 If a cluster is being created 159 Enable e-mail notifications 123 If a cluster exists 160 SMTP server 123 Step 4: Summary and finalizing the E-mail sending frequency (in cluster 160 minutes) 124 If a cluster is being created 160 Page 4/439 sns-en-user_configuration_manual-v4.0.1 - 12/18/2019 SNS - USER CONFIGURATION MANUAL - V 4 If a cluster exists 160 Conclusion 192 High availability screen 161 Layout of the configuration screen 192 Communication between firewalls in Interface tree 192 the high availability cluster 161 Toolbar 194 Advanced properties 161 Creating a bridge 195 Creating a bridge without members 195 HOST REPUTATION 163 Creating a bridge containing selected “Configuration” tab 163 interfaces 195 General 163 Modifying a bridge 195 "Hosts" tab 164 “General configuration” tab 195 Included list 164 “Advanced properties” tab 196 Advanced properties 164 Deleting a bridge 197 Modifying an Ethernet interface (in bridge IDENTIFICATION PORTAL 165 mode) 198 Connection 165 “General configuration” tab 198 Presentation 165 “Advanced properties” tab 199 Logging off 167 Modifying an Ethernet interface (in advanced mode) 200 IMPLICIT RULES 168 Creating or modifying a Wi-Fi interface Implicit filter rules 168 (WLAN) 200 Rule table 168 “General configuration” tab 201 Advanced properties 169 Creating a VLAN 202 INSPECTION PROFILES 170 Creating a VLAN without a parent interface 202 Creating a VLAN attached to selected Security inspection 170 interfaces 202 Global configuration for each profile 170 Modifying a VLAN 202 Configuring profiles 171 “General configuration” tab 202 IPSEC VPN 172 “Advanced properties” tab 203 Deleting a VLAN 204 “Encryption policy – Tunnels” tab 172 Creating a PPTP modem 205 Site to site (Gateway-Gateway) 173 Modifying a PPTP modem 205 Anonymous – Mobile users 176 “General configuration” tab 205 “Peers” tab 179 “Advanced properties” tab 206 List of peers 179 Creating a PPPoE modem 206 Peer information 180 Modifying a PPPoE modem 206 “Identification” tab 185 “General configuration” tab 206 Approved certificate authorities 185 “Advanced properties” tab 207 Mobile tunnels: pre-shared keys 186 Deleting a modem 207 Advanced configuration 186 “Encryption profiles” tab 187 General remarks on configuring modems 207 Default encryption profiles 187 Creating a USB/Ethernet interface (for USB Table of profiles 187 sticks /modems) 207 Creating a modem profile 207 INTERFACES 191 Creating a USB/Ethernet interface 208 Operating modes between interfaces191 Modifying a USB/Ethernet