Checking and adapting the security policy after the EWC URL database has been changed
After the EWC URL database has been changed, the administrator has two ways to rebuild a security policy that complies with the one in place before the change:
- Import the URL/SSL filter profiles recommended by Stormshield (faster solution),
- Manually fix the security policy (longer solution).
Solution 1: Import the URL/SSL filter profiles recommended by Stormshield
Stormshield offers a backup file (.na format) that contains 3 recommended URL/SSL filter profiles that the administrator can restore on the firewall. These profiles will automatically be placed in the first 3 SSL/URL filter profiles:
- 00: "permissive" profile,
- 01: "standard" profile,
- 02: "restrictive" profile.
The recommended URL/SSL filter profiles are explained in the appendix Recommended URL/SSL filter profiles.
IMPORTANT
By importing these profiles, all URL/SSL filter profiles configured earlier on the firewall will be lost.
Backing up the firewall's configuration
Back up the firewall's current configuration so that you can restore it whenever necessary.
- In System > Maintenance > Backup, fill in the field Backup filename.
  In the Advanced properties section, you can set a password to protect the backup file.
- Click on Download the configuration backup and save the backup file (.na format) on your administration workstation.
Importing the recommended URL/SSL filter profiles
- Retrieve the templates_Extended_Web_Control.na file from your MyStormshield personal area in Downloads > Downloads > Stormshield Network Security > Tools.
- In System > Maintenance > Restore, select the file templates_Extended_Web_Control.na.
- In the Advanced properties section:
  - Unselect Restore the configuration from the file,
  - Select URL filtering and SSL filtering.
- Click on Restore the configuration from the file.
The recommended profiles will automatically be imported in the SSL/URL filter profiles 00, 01 and 02.
All other URL/SSL filter profiles (profiles 03 to 09) will be reinitialized.
Adapting the security policy
- In Configuration > Security Policy > URL filtering and SSL filtering, adapt the profiles so that they match your organization's activity and policy.
  TIP
  You can copy one policy to another by clicking on Edit > Copy to on the right side of its name, and by selecting the destination policy.
  If this policy is the one used in the filter policy, you can skip the next step.
- In Configuration > Security policy > Filter - NAT > Filtering tab, ensure that the rules in the filter policy use profiles from the new URL/SSL filter policy. Adapt the filter policy if necessary.
- If you use authentication exception rules in the filter policy, you must fix them by replacing the former categories with the new ones. The tables that map former and new URL categories are shown in the Appendices.
Checking and fixing URL category groups
If you use URL category groups in the firewall's configuration, check that they still contain the desired URL categories. Reminder: these groups can be used in the following modules:
- URL filtering,
- SSL filtering,
- Filter - NAT, in authentication exception rules,
- HTTP protocol, in the configuration of the antivirus scan that targets excluded URLs.
Solution 2: Manually fix the security policy
IMPORTANT
Before continuing, if you have not already done so, we strongly recommend backing up the current configuration of your firewall so that you can restore it whenever necessary.
Fixing the URL/SSL filter policy
In Configuration > Security Policy > URL filtering and SSL filtering, for each URL/SSL filter profile used:
- Click on Add all predefined categories to add new unused categories that match former categories. These new categories are imported and placed at the end of profiles in enabled rules, with an action that shows the block page BlockPage_00.
  TIP
  Block pages can be customized in Configuration > Notifications > Block messages > Block page tab. For more information, refer to the Block pages section in the SNS user manual:
  - HTTP block page tab for SNS 4.3 versions,
  - Block page tab for SNS 4.8 versions and higher.
  Reminder: the new categories without any equivalence with former categories were automatically imported during migration and placed in disabled rules with a block action.
- Select the categories to allow/block, then rebuild and gather the corresponding rules by sections. Reminder: the recommended URL/SSL filter profiles are explained in the appendix Recommended URL/SSL filter profiles.
- Click on Purge rules to delete rules that detect unknown categories. The list of categories in question is provided in the appendix Former EWC URL categories without any equivalence with new categories.
- Apply blacklist mode by creating a rule that allows Any category in the last position of the URL/SSL filter profile.
Fixing the filter policy
- Go to Configuration > Security policy > Filter - NAT, Filtering tab.
- Adapt the filter policy to assign profiles from the new URL/SSL filter policy to rules.
- If you use authentication exception rules in the filter policy, you must fix them by replacing the former categories with the new ones. The tables that map former and new URL categories are shown in the Appendices.
Checking and fixing URL category groups
If you use URL category groups in the firewall's configuration, check that they still contain the desired URL categories. Reminder: these groups can be used in the following modules:
- URL filtering,
- SSL filtering,
- Filter - NAT, in authentication exception rules,
- HTTP protocol, in the configuration of the antivirus scan that targets excluded URLs.