diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.de-de.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.de-de.md index 8f3e4abe07f..a79bb85066c 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.de-de.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.de-de.md 
@@ -1,12 +1,12 @@ --- title: 'Securing your OVHcloud infrastructure with Stormshield Network Security' excerpt: 'Find out how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objective -In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. **S**tormshield **N**etwork **S**ecurity (SNS) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. +In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS EVA on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. 
**This guide explains how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud.** @@ -22,10 +22,10 @@ In today's rapidly evolving digital landscape, securing cloud infrastructures ha - Access to the [OVHcloud Control Panel](/links/manager) - An [OpenStack user](/pages/public_cloud/compute/create_and_delete_a_user) (optional) - Basic networking knowledge -- A Stormshield account on the [Stormshield website](https://www.stormshield.com/en/){.external} +- A Stormshield account on the [Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external} - Ensure that the vRack is enabled and configured to allow secure communication between the components of the infrastructure. - An [Additional IP address](/links/network/additional-ip) for ensuring network failover and high availability setup. -- Stormshield Network Security Licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. +- Stormshield Elastic Virtual Appliance licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. ## Instructions 
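Review bot: in hunk `@@ -1,12 +1,12 @@` the Objective paragraph now introduces the product as "Stormshield SNS EVA (Stormshield Elastic Virtual Appliance)", but the front-matter `title` and `excerpt` and the bold summary line just below still say "Stormshield Network Security", and the parenthetical expansion does not match the SNS acronym it follows. Suggest expanding once, for example "Stormshield Network Security Elastic Virtual Appliance (SNS EVA)", and updating the title, excerpt and summary line in the same change so the naming is consistent from the first screen.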
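Review bot: in hunk `@@ -22,10 +22,10 @@` the "Stormshield account" prerequisite now links to the firewall licence installation documentation page while its link text still reads "Stormshield website", so a reader looking for where to obtain an account lands on a licence how-to. Either keep the account link on the original site URL and attach the licence documentation link to the BYOL bullet (which already links to the partner finder), or change the link text to describe the destination.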
@@ -49,23 +49,23 @@ In addition to the installation and configuration of Stormshield Network Securit #### Configure your vRack -In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. +In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS EVA instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. **Add your Public Cloud project and your Additional IP block to the same vRack.** For example purposes in this guide, the IP block is `147.135.161.152/29`.
-We use the first usable IP `147.135.161.153` for the first instance of SNS and use temporally the second usable IP `147.135.161.154` for the second SNS.
+We use the first usable IP `147.135.161.153` for the first instance of SNS EVA and use temporally the second usable IP `147.135.161.154` for the second SNS EVA.
The gateway address is `147.135.161.158`. Please refer to the guide [Configuring an IP block in a vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) for more information. Below is the architecture that we are going to set up. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configure OpenStack networking -Create the private network for the SNS external interfaces: +Create the private network for the SNS EVA external interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Create the private network for the SNS internal interfaces: +Create the private network for the SNS EVA internal interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 
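Review bot: in hunk `@@ -49,23 +49,23 @@` the sentence "use temporally the second usable IP" is rewritten but keeps the typo; it should read "temporarily use the second usable IP `147.135.161.154` for the second SNS EVA". Since the HA section later states that the second node's external interface takes over the first node's address and that `147.135.161.154` can then be reused, one clause here saying why the second address is only temporary would stop readers from reserving two permanent public addresses.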
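Review bot: in hunk `@@ -75,7 +75,7 @@` the `--disable-port-security` flag on `stormshield-ext` and `stormshield-vlan200` is still unexplained. A firewall appliance forwarding traffic for other hosts' addresses does need port security off, but the guide should say so and note the consequence: security groups and anti-spoofing no longer apply to ports on these networks, so the SNS filter policy configured later is the only traffic control on them.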
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Deploy the SNS instances +#### Deploy the SNS EVA instances Go to the `download` section of the [official Stormshield website](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Log in to your Stormshield account and follow the instructions to download the Stormshield OpenStack image. -Go to the folder where you have downloaded your SNS Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): +Go to the folder where you have downloaded your SNS EVA Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Create the SNS instances (for this example, we called them `stormshield-1` and `stormshield-2`): +Create the SNS EVA instances (for this example, we called them `stormshield-1` and `stormshield-2`): ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
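Review bot: in hunk `@@ -95,17 +95,17 @@` the `openstack image create` command passes `--disk-format raw` for a `.qcow2` file and names the image `stormshield-SNS-EVA-4.7.6` although the file being uploaded is `utm-SNS-EVA-4.8.3-openstack.qcow2`; the later `openstack server create` then boots `stormshield-SNS-EVA-4.7.6`. Since this hunk touches the sentence naming the file, suggest `--disk-format qcow2` and one consistent image name (for example `stormshield-SNS-EVA-4.8.3`) in both commands. The download link in the same hunk also points to the `fr` locale of the Stormshield documentation in an English guide.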
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > For performance reasons we suggest using listed VM flavors for given SNS EVA licence types: > -> - EVA1: B3-16 or B3-32 flavors -> - EVA2: B3-32 -> - EVA3: B3-32 or B3-64 -> - EVA4: B3-128 -> - EVAU: B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configure the SNS instances +#### Configure the SNS EVA instances -Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS instances. +Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS EVA instances. -Access the VNC console for both SNS instances and configure the keyboard layout and the password. +Access the VNC console for both SNS EVA instances and configure the keyboard layout and the password. -Configure the default gateway on the first SNS with our IP block gateway: +Configure the default gateway on the first SNS EVA with our IP block gateway: ```console vi /usr/Firewall/ConfigFiles/object @@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configure the external network interface on the first SNS with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: +Configure the external network interface on the first SNS EVA with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: ```console vi /usr/Firewall/ConfigFiles/network 
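Review bot: in hunk `@@ -118,20 +118,20 @@` the recommended flavour is lowered for every licence tier (for example EVA4 goes from B3-128 to B3-64 / B3-128) with no rationale in the diff, and the `openstack server create` example above still uses `b3-32`, which under the new table fits EVA2 or EVA3; state which tier the example assumes. The list also writes flavours as `B3-8` while the command uses the lowercase `b3-32` form; the CLI resolves `--flavor` by exact name, so use the spelling that works when copied.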
@@ -165,33 +165,33 @@ Apply the new network configuration: ennetwork ``` -Do the same configuration for the second SNS but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. +Do the same configuration for the second SNS EVA but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. -Add a different licence on both SNS instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Add a different licence on both SNS EVA instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Create a firewall rule similar to this on both SNS in the web GUI: +Create a firewall rule similar to this on both SNS EVA in the web GUI: -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -On the first SNS, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. +On the first SNS EVA, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -When the configuration of the HA is finished on the first SNS, join the group of firewalls on the second one: +When the configuration of the HA is finished on the first SNS EVA, join the group of firewalls on the second one: -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -The second SNS external interface will now use the same IP address as the first SNS. Therefore the `147.135.161.154` IP address can be used for something else now. +The second SNS EVA external interface will now use the same IP address as the first SNS EVA. Therefore the `147.135.161.154` IP address can be used for something else now. -If everything is configured properly, after the reboot of the second SNS, you should see something similar to this in the Health Indicators of the HA Link: +If everything is configured properly, after the reboot of the second SNS EVA, you should see something similar to this in the Health Indicators of the HA Link: -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configure and secure the SNS management +#### Configure and secure the SNS EVA management > [!tabs] > **Step 1** 
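Review bot: in hunk `@@ -165,33 +165,33 @@` every screenshot keeps the alt text "SNS EVA vrack" although they show the HA filter rule, the firewall group dialog and the HA health indicators; use alt text that describes each image. The HA filter rule itself exists only as a screenshot ("Create a firewall rule similar to this"), so a one-line textual description of the rule (source, destination, service) would let readers on the CLI or with the image unavailable reproduce it.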
@@ -207,31 +207,36 @@ If everything is configured properly, after the reboot of the second SNS, you sh >> >> Create a host object for your public IP: >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Step 3** >> >> Restrict access to the GUI to your public IP and enable SSH: >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Step 4** >> >> Restrict SSH access to your public IP: >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Re-synchronize the HA configuration -The synchronization between the two SNS instances is crucial to ensure that both firewalls are always up to date with the same configuration. At this point, the two SNS instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. +The synchronization between the two SNS EVA instances is crucial to ensure that both firewalls are always up to date with the same configuration. This can be done through the SSH command line or directly via the graphical user interface (GUI). -Log in to the active SNS instance using SSH: +> [!primary] +> For this example, we use the SSH command line solution. If you prefer to use the GUI for synchronization, refer to the « High Availability screen » section in the [Stormshield SNS EVA documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} for detailed steps. + +At this point, the two SNS EVA instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. 
+ +Log in to the active SNS EVA instance using SSH: ```bash ssh admin@ ``` -Synchronize the two SNS: +Synchronize the two SNS EVA: ```bash hasync 
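Review bot: in hunk `@@ -207,31 +207,36 @@` the new callout uses French guillemets in English text (« High Availability screen »); use straight quotes. The `ssh admin@` command in the same hunk has no host argument; add a placeholder such as the SNS EVA external IP so the command is not copied as-is. The new sentence "At this point, the two SNS EVA instances should not be in sync anymore" now sits after the callout that tells the reader to pick SSH or the GUI; reading order is clearer if the explanation of why re-synchronisation is needed comes before the choice of method.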
@@ -241,26 +246,26 @@ You need to do this each time you update the configuration. ### Use cases configuration -After deploying SNS **E**lastic **V**irtual **A**ppliance (EVA) firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. +After deploying SNS Elastic Virtual Appliance firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. Thanks to the vRack private network, listed VLANs can also be used outside the Public Cloud environment: across BareMetal or Private Cloud products. #### Use case 1: Configure Stormshield Network Security to be used as a gateway In this example, the virtual firewall will act as a secure gateway for private instances (or any other server) within the VLAN200 of the given vRack network. Such traffic can be a subject for URL filtering on the firewall. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Create a network object for the VLAN200 by following this [part of the official Stormshield documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Create a new filter rule](https://documentation.stormshield.com/SNS/v4/en/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similar to this one to allow the traffic coming from VLAN200 to go out: -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Create a NAT rule](https://documentation.stormshield.eu/SNS/v4/en/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similar to this one: -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -281,13 +286,13 @@ Create an instance on VLAN200: openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Log-in via SSH to the SNS instance: +Log-in via SSH to the SNS EVA instance: ```bash ssh -A admin@ ``` -From the SNS instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: +From the SNS EVA instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 In this example, the Internet should be able to reach the private web server installed in VLAN200. The aim of this configuration is to protect the web server with a network firewall. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Step 1** 
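Review bot: in hunk `@@ -241,26 +246,26 @@` the rewritten sentence "After deploying SNS Elastic Virtual Appliance firewall" drops the article; "After deploying the SNS Elastic Virtual Appliance firewall" reads correctly. The "Use case 1" heading in the same hunk still says "Configure Stormshield Network Security" after the rest of the page was moved to "SNS EVA", and the filter-rule link uses `documentation.stormshield.com` while every other link uses `documentation.stormshield.eu`.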
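Review bot: in hunk `@@ -281,13 +286,13 @@` the step "Log-in via SSH to the SNS EVA instance" uses `ssh -A admin@`, which forwards the user's SSH agent to the firewall so that a second hop to the Ubuntu webserver works. Agent forwarding exposes the private keys of the operator's agent to the intermediate host; suggest `ssh -J admin@<sns-ip> ubuntu@<webserver-ip>` (ProxyJump) instead, which reaches the webserver through the firewall without forwarding the agent, and mention this in the text rather than leaving `-A` unexplained.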
@@ -320,19 +325,19 @@ In this example, the Internet should be able to reach the private web server ins >> >> Create a host object for the ubuntu-webserver: >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Step 3** >> >> Create a NAT rule like this one: >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Step 4** >> >> Create a filter rule like this one: >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Test to access the website from outside: @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn In this example, IPsec tunnel is configured to interconnect two different PCI regions: SBG7 (network VLAN200) and GRA11 (network VLAN201), but any of these sites could be a remote site such as an office or datacentre. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 and different IP ranges for the stormshield-ext and stormshield-ha subnet. ##### **Configure the first site** -- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS and add a network object for the VLAN201 remote private network. +- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS EVA and add a network object for the VLAN201 remote private network. - [Create a standard site-to-site tunnel](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 >> >> Add the local and the remote private network: >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >> > **Step 2** >> >> Create the remote gateway: >> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Step 3** >> >> Choose a pre-shared key: >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Step 4** >> >> Create and activate the tunnel: >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Step 5** >> >> Add a filter rule like this one to allow traffic through the tunnel: >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. In this example, a remote OpenVPN client will connect to the private network inside VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuring the LDAP directory** 
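Review bot: in hunk `@@ -368,34 +373,34 @@` Step 3 "Choose a pre-shared key" gives no guidance although the tunnel endpoint is the public IP of the appliance; add a sentence recommending a long random PSK stored outside the screenshot, or point to certificate authentication, which the "HowTo - IPSec VPN - Authentication by certificate" documentation page already linked from the gateway use case covers. The screenshots in this hunk again all carry the alt text "SNS EVA vrack".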
@@ -442,19 +447,19 @@ In this example, a remote OpenVPN client will connect to the private network ins In a production scenario, this LDAP/AD should be remote and not local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Create the user directory: -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Add a user to our local directory: -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choose a password for the new user: -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuring VPN network objects** @@ -462,17 +467,17 @@ Create two network objects for the SSL VPN client. UDP client network: -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} TCP client network: -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **SSL VPN server configuration** Configure the SSL VPN server: -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Managing user permissions** @@ -480,21 +485,21 @@ Add permission to your user to use the SSL VPN server (`Configuration` > `Users` Search your user: -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Allow SSL VPN: -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuring filter rules** Add a filter rule like this one to let VPN client access the VLAN200: -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} -##### **Synchronization of SNS instances** +##### **Synchronization of SNS EVA instances** -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -506,6 +511,7 @@ hasync > [!primary] > To test SSL/TLS connectivity, you can use any device with OpenVPN installed. This example includes testing an OpenVPN client on top of an OpenStack instance in another region. > +> In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/){.external}. Download the VPN configuration file (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). @@ -557,4 +563,4 @@ PING () 56(84) bytes of data. If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](/links/professional-services) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project. -Join our [community of users](/links/community). +Join our [community of users](/links/community). \ No newline at end of file diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-asia.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-asia.md index 8f3e4abe07f..a79bb85066c 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-asia.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-asia.md 
@@ -1,12 +1,12 @@ --- title: 'Securing your OVHcloud infrastructure with Stormshield Network Security' excerpt: 'Find out how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objective -In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. **S**tormshield **N**etwork **S**ecurity (SNS) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. +In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS EVA on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. 
**This guide explains how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud.** @@ -22,10 +22,10 @@ In today's rapidly evolving digital landscape, securing cloud infrastructures ha - Access to the [OVHcloud Control Panel](/links/manager) - An [OpenStack user](/pages/public_cloud/compute/create_and_delete_a_user) (optional) - Basic networking knowledge -- A Stormshield account on the [Stormshield website](https://www.stormshield.com/en/){.external} +- A Stormshield account on the [Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external} - Ensure that the vRack is enabled and configured to allow secure communication between the components of the infrastructure. - An [Additional IP address](/links/network/additional-ip) for ensuring network failover and high availability setup. -- Stormshield Network Security Licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. +- Stormshield Elastic Virtual Appliance licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. ## Instructions 
@@ -49,23 +49,23 @@ In addition to the installation and configuration of Stormshield Network Securit #### Configure your vRack -In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. +In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS EVA instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. **Add your Public Cloud project and your Additional IP block to the same vRack.** For example purposes in this guide, the IP block is `147.135.161.152/29`.
-We use the first usable IP `147.135.161.153` for the first instance of SNS and use temporally the second usable IP `147.135.161.154` for the second SNS.
+We use the first usable IP `147.135.161.153` for the first instance of SNS EVA and use temporally the second usable IP `147.135.161.154` for the second SNS EVA.
The gateway address is `147.135.161.158`. Please refer to the guide [Configuring an IP block in a vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) for more information. Below is the architecture that we are going to set up. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configure OpenStack networking -Create the private network for the SNS external interfaces: +Create the private network for the SNS EVA external interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Create the private network for the SNS internal interfaces: +Create the private network for the SNS EVA internal interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Deploy the SNS instances +#### Deploy the SNS EVA instances Go to the `download` section of the [official Stormshield website](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Log in to your Stormshield account and follow the instructions to download the Stormshield OpenStack image. -Go to the folder where you have downloaded your SNS Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): +Go to the folder where you have downloaded your SNS EVA Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Create the SNS instances (for this example, we called them `stormshield-1` and `stormshield-2`): +Create the SNS EVA instances (for this example, we called them `stormshield-1` and `stormshield-2`): ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > For performance reasons we suggest using listed VM flavors for given SNS EVA licence types: > -> - EVA1: B3-16 or B3-32 flavors -> - EVA2: B3-32 -> - EVA3: B3-32 or B3-64 -> - EVA4: B3-128 -> - EVAU: B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configure the SNS instances +#### Configure the SNS EVA instances -Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS instances. +Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS EVA instances. -Access the VNC console for both SNS instances and configure the keyboard layout and the password. +Access the VNC console for both SNS EVA instances and configure the keyboard layout and the password. -Configure the default gateway on the first SNS with our IP block gateway: +Configure the default gateway on the first SNS EVA with our IP block gateway: ```console vi /usr/Firewall/ConfigFiles/object @@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configure the external network interface on the first SNS with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: +Configure the external network interface on the first SNS EVA with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: ```console vi /usr/Firewall/ConfigFiles/network 
@@ -165,33 +165,33 @@ Apply the new network configuration: ennetwork ``` -Do the same configuration for the second SNS but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. +Do the same configuration for the second SNS EVA but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. -Add a different licence on both SNS instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Add a different licence on both SNS EVA instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Create a firewall rule similar to this on both SNS in the web GUI: +Create a firewall rule similar to this on both SNS EVA in the web GUI: -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -On the first SNS, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. +On the first SNS EVA, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -When the configuration of the HA is finished on the first SNS, join the group of firewalls on the second one: +When the configuration of the HA is finished on the first SNS EVA, join the group of firewalls on the second one: -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -The second SNS external interface will now use the same IP address as the first SNS. Therefore the `147.135.161.154` IP address can be used for something else now. +The second SNS EVA external interface will now use the same IP address as the first SNS EVA. Therefore the `147.135.161.154` IP address can be used for something else now. -If everything is configured properly, after the reboot of the second SNS, you should see something similar to this in the Health Indicators of the HA Link: +If everything is configured properly, after the reboot of the second SNS EVA, you should see something similar to this in the Health Indicators of the HA Link: -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configure and secure the SNS management +#### Configure and secure the SNS EVA management > [!tabs] > **Step 1** 
@@ -207,31 +207,36 @@ If everything is configured properly, after the reboot of the second SNS, you sh >> >> Create a host object for your public IP: >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Step 3** >> >> Restrict access to the GUI to your public IP and enable SSH: >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Step 4** >> >> Restrict SSH access to your public IP: >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Re-synchronize the HA configuration -The synchronization between the two SNS instances is crucial to ensure that both firewalls are always up to date with the same configuration. At this point, the two SNS instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. +The synchronization between the two SNS EVA instances is crucial to ensure that both firewalls are always up to date with the same configuration. This can be done through the SSH command line or directly via the graphical user interface (GUI). -Log in to the active SNS instance using SSH: +> [!primary] +> For this example, we use the SSH command line solution. If you prefer to use the GUI for synchronization, refer to the « High Availability screen » section in the [Stormshield SNS EVA documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} for detailed steps. + +At this point, the two SNS EVA instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. 
+ +Log in to the active SNS EVA instance using SSH: ```bash ssh admin@ ``` -Synchronize the two SNS: +Synchronize the two SNS EVA: ```bash hasync 
@@ -241,26 +246,26 @@ You need to do this each time you update the configuration. ### Use cases configuration -After deploying SNS **E**lastic **V**irtual **A**ppliance (EVA) firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. +After deploying SNS Elastic Virtual Appliance firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. Thanks to the vRack private network, listed VLANs can also be used outside the Public Cloud environment: across BareMetal or Private Cloud products. #### Use case 1: Configure Stormshield Network Security to be used as a gateway In this example, the virtual firewall will act as a secure gateway for private instances (or any other server) within the VLAN200 of the given vRack network. Such traffic can be a subject for URL filtering on the firewall. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Create a network object for the VLAN200 by following this [part of the official Stormshield documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Create a new filter rule](https://documentation.stormshield.com/SNS/v4/en/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similar to this one to allow the traffic coming from VLAN200 to go out: -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Create a NAT rule](https://documentation.stormshield.eu/SNS/v4/en/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similar to this one: -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -281,13 +286,13 @@ Create an instance on VLAN200: openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Log-in via SSH to the SNS instance: +Log-in via SSH to the SNS EVA instance: ```bash ssh -A admin@ ``` -From the SNS instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: +From the SNS EVA instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 In this example, the Internet should be able to reach the private web server installed in VLAN200. The aim of this configuration is to protect the web server with a network firewall. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Step 1** 
@@ -320,19 +325,19 @@ In this example, the Internet should be able to reach the private web server ins >> >> Create a host object for the ubuntu-webserver: >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Step 3** >> >> Create a NAT rule like this one: >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Step 4** >> >> Create a filter rule like this one: >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Test to access the website from outside: @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn In this example, IPsec tunnel is configured to interconnect two different PCI regions: SBG7 (network VLAN200) and GRA11 (network VLAN201), but any of these sites could be a remote site such as an office or datacentre. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 and different IP ranges for the stormshield-ext and stormshield-ha subnet. ##### **Configure the first site** -- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS and add a network object for the VLAN201 remote private network. +- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS EVA and add a network object for the VLAN201 remote private network. - [Create a standard site-to-site tunnel](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 >> >> Add the local and the remote private network: >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >> > **Step 2** >> >> Create the remote gateway: >> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Step 3** >> >> Choose a pre-shared key: >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Step 4** >> >> Create and activate the tunnel: >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Step 5** >> >> Add a filter rule like this one to allow traffic through the tunnel: >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. In this example, a remote OpenVPN client will connect to the private network inside VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuring the LDAP directory** 
@@ -442,19 +447,19 @@ In this example, a remote OpenVPN client will connect to the private network ins In a production scenario, this LDAP/AD should be remote and not local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Create the user directory: -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Add a user to our local directory: -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choose a password for the new user: -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuring VPN network objects** @@ -462,17 +467,17 @@ Create two network objects for the SSL VPN client. UDP client network: -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} TCP client network: -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **SSL VPN server configuration** Configure the SSL VPN server: -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Managing user permissions** @@ -480,21 +485,21 @@ Add permission to your user to use the SSL VPN server (`Configuration` > `Users` Search your user: -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Allow SSL VPN: -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuring filter rules** Add a filter rule like this one to let VPN client access the VLAN200: -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} -##### **Synchronization of SNS instances** +##### **Synchronization of SNS EVA instances** -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -506,6 +511,7 @@ hasync > [!primary] > To test SSL/TLS connectivity, you can use any device with OpenVPN installed. This example includes testing an OpenVPN client on top of an OpenStack instance in another region. > +> In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/){.external}. Download the VPN configuration file (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). @@ -557,4 +563,4 @@ PING () 56(84) bytes of data. If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](/links/professional-services) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project. -Join our [community of users](/links/community). +Join our [community of users](/links/community). \ No newline at end of file diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-au.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-au.md index 8f3e4abe07f..a79bb85066c 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-au.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-au.md 
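Review bot: the `+Join our [community of users](/links/community).` line in hunk @@ -557,4 +563,4 @@ of guide.de-de.md is byte-identical to the `-` line it replaces; the only difference is the `\ No newline at end of file` marker, so the editor dropped the trailing newline on save. Restore the final newline so this hunk disappears from the diff, and check the other locale copies of the guide in this patch for the same stray change.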
@@ -1,12 +1,12 @@ --- title: 'Securing your OVHcloud infrastructure with Stormshield Network Security' excerpt: 'Find out how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objective -In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. **S**tormshield **N**etwork **S**ecurity (SNS) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. +In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS EVA on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. 
**This guide explains how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud.** @@ -22,10 +22,10 @@ In today's rapidly evolving digital landscape, securing cloud infrastructures ha - Access to the [OVHcloud Control Panel](/links/manager) - An [OpenStack user](/pages/public_cloud/compute/create_and_delete_a_user) (optional) - Basic networking knowledge -- A Stormshield account on the [Stormshield website](https://www.stormshield.com/en/){.external} +- A Stormshield account on the [Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external} - Ensure that the vRack is enabled and configured to allow secure communication between the components of the infrastructure. - An [Additional IP address](/links/network/additional-ip) for ensuring network failover and high availability setup. -- Stormshield Network Security Licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. +- Stormshield Elastic Virtual Appliance licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. ## Instructions 
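Review bot: the rewritten Objective paragraph in hunk @@ -1,12 +1,12 @@ introduces the product as `Stormshield SNS EVA (Stormshield Elastic Virtual Appliance)`, which expands EVA but never expands SNS; the removed line was the only place `Stormshield Network Security (SNS)` was spelled out, and both acronyms are used throughout the page. Suggest `Stormshield Network Security (SNS) Elastic Virtual Appliance (EVA)` on first use. Note also that the unchanged `title:` and `excerpt:` front matter and the bold summary line below still say `Stormshield Network Security`; keep that deliberately as the product family name or rename it with the rest, but be consistent.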
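Review bot: in hunk @@ -22,10 +22,10 @@ the prerequisite `A Stormshield account on the [Stormshield website](...)` now points at the firewall licence installation page of the SNS v4 documentation instead of www.stormshield.com, so the link text no longer describes its target and a reader looking for where to create an account lands on a licence how-to. Either keep the stormshield.com link for the account item or reword the text to match the page; the same licence-installation URL is already linked from the `Add a different licence on both SNS EVA instances` step later in the file.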
@@ -49,23 +49,23 @@ In addition to the installation and configuration of Stormshield Network Securit #### Configure your vRack -In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. +In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS EVA instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. **Add your Public Cloud project and your Additional IP block to the same vRack.** For example purposes in this guide, the IP block is `147.135.161.152/29`.
-We use the first usable IP `147.135.161.153` for the first instance of SNS and use temporally the second usable IP `147.135.161.154` for the second SNS.
+We use the first usable IP `147.135.161.153` for the first instance of SNS EVA and use temporally the second usable IP `147.135.161.154` for the second SNS EVA.
The gateway address is `147.135.161.158`. Please refer to the guide [Configuring an IP block in a vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) for more information. Below is the architecture that we are going to set up. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configure OpenStack networking -Create the private network for the SNS external interfaces: +Create the private network for the SNS EVA external interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Create the private network for the SNS internal interfaces: +Create the private network for the SNS EVA internal interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 
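Review bot: `use temporally the second usable IP` in the `+We use the first usable IP ...` line of hunk @@ -49,23 +49,23 @@ carries the typo over from the removed line; since the sentence is being rewritten anyway, make it `temporarily use the second usable IP`. The same hunk also changes the image alt text to `SNS EVA vrack`, the identical string every image in this patch receives; alt text should describe the image (for stormshield-ha-vrack.png something like `SNS EVA HA architecture in the vRack`), which applies to the other alt-text-only hunks in this file as well.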
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Deploy the SNS instances +#### Deploy the SNS EVA instances Go to the `download` section of the [official Stormshield website](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Log in to your Stormshield account and follow the instructions to download the Stormshield OpenStack image. -Go to the folder where you have downloaded your SNS Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): +Go to the folder where you have downloaded your SNS EVA Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Create the SNS instances (for this example, we called them `stormshield-1` and `stormshield-2`): +Create the SNS EVA instances (for this example, we called them `stormshield-1` and `stormshield-2`): ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
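Review bot: the context lines in hunk @@ -95,17 +95,17 @@ still upload `./utm-SNS-EVA-4.8.3-openstack.qcow2` with `--disk-format raw` and register it as `stormshield-SNS-EVA-4.7.6`, while the rewritten sentence just above says the tutorial uses the 4.8.3 image. Since the neighbouring lines are being edited, fix this in the same change: `--disk-format qcow2` (unless the file really is a raw image despite its extension) and a name that matches the file, such as `stormshield-SNS-EVA-4.8.3`, and update the `--image stormshield-SNS-EVA-4.7.6` argument of the `openstack server create` line at the end of the hunk to match.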
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > For performance reasons we suggest using listed VM flavors for given SNS EVA licence types: > -> - EVA1: B3-16 or B3-32 flavors -> - EVA2: B3-32 -> - EVA3: B3-32 or B3-64 -> - EVA4: B3-128 -> - EVAU: B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configure the SNS instances +#### Configure the SNS EVA instances -Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS instances. +Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS EVA instances. -Access the VNC console for both SNS instances and configure the keyboard layout and the password. +Access the VNC console for both SNS EVA instances and configure the keyboard layout and the password. -Configure the default gateway on the first SNS with our IP block gateway: +Configure the default gateway on the first SNS EVA with our IP block gateway: ```console vi /usr/Firewall/ConfigFiles/object @@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configure the external network interface on the first SNS with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: +Configure the external network interface on the first SNS EVA with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: ```console vi /usr/Firewall/ConfigFiles/network 
@@ -165,33 +165,33 @@ Apply the new network configuration: ennetwork ``` -Do the same configuration for the second SNS but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. +Do the same configuration for the second SNS EVA but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. -Add a different licence on both SNS instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Add a different licence on both SNS EVA instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Create a firewall rule similar to this on both SNS in the web GUI: +Create a firewall rule similar to this on both SNS EVA in the web GUI: -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -On the first SNS, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. +On the first SNS EVA, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -When the configuration of the HA is finished on the first SNS, join the group of firewalls on the second one: +When the configuration of the HA is finished on the first SNS EVA, join the group of firewalls on the second one: -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -The second SNS external interface will now use the same IP address as the first SNS. Therefore the `147.135.161.154` IP address can be used for something else now. +The second SNS EVA external interface will now use the same IP address as the first SNS EVA. Therefore the `147.135.161.154` IP address can be used for something else now. -If everything is configured properly, after the reboot of the second SNS, you should see something similar to this in the Health Indicators of the HA Link: +If everything is configured properly, after the reboot of the second SNS EVA, you should see something similar to this in the Health Indicators of the HA Link: -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configure and secure the SNS management +#### Configure and secure the SNS EVA management > [!tabs] > **Step 1** 
@@ -207,31 +207,36 @@ If everything is configured properly, after the reboot of the second SNS, you sh >> >> Create a host object for your public IP: >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Step 3** >> >> Restrict access to the GUI to your public IP and enable SSH: >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Step 4** >> >> Restrict SSH access to your public IP: >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Re-synchronize the HA configuration -The synchronization between the two SNS instances is crucial to ensure that both firewalls are always up to date with the same configuration. At this point, the two SNS instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. +The synchronization between the two SNS EVA instances is crucial to ensure that both firewalls are always up to date with the same configuration. This can be done through the SSH command line or directly via the graphical user interface (GUI). -Log in to the active SNS instance using SSH: +> [!primary] +> For this example, we use the SSH command line solution. If you prefer to use the GUI for synchronization, refer to the « High Availability screen » section in the [Stormshield SNS EVA documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} for detailed steps. + +At this point, the two SNS EVA instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. 
+ +Log in to the active SNS EVA instance using SSH: ```bash ssh admin@ ``` -Synchronize the two SNS: +Synchronize the two SNS EVA: ```bash hasync 
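Review bot: the added `[!primary]` note in hunk @@ -207,31 +207,36 @@ uses French guillemets, `« High Availability screen »`, in an English-language file; use straight double quotes (`"High Availability screen"`) as the rest of the guide does. Otherwise the reordering (intro sentence, note, then the `At this point, the two SNS EVA instances should not be in sync anymore` paragraph, then the SSH login) reads fine.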
@@ -241,26 +246,26 @@ You need to do this each time you update the configuration. ### Use cases configuration -After deploying SNS **E**lastic **V**irtual **A**ppliance (EVA) firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. +After deploying SNS Elastic Virtual Appliance firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. Thanks to the vRack private network, listed VLANs can also be used outside the Public Cloud environment: across BareMetal or Private Cloud products. #### Use case 1: Configure Stormshield Network Security to be used as a gateway In this example, the virtual firewall will act as a secure gateway for private instances (or any other server) within the VLAN200 of the given vRack network. Such traffic can be a subject for URL filtering on the firewall. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Create a network object for the VLAN200 by following this [part of the official Stormshield documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Create a new filter rule](https://documentation.stormshield.com/SNS/v4/en/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similar to this one to allow the traffic coming from VLAN200 to go out: -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Create a NAT rule](https://documentation.stormshield.eu/SNS/v4/en/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similar to this one: -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -281,13 +286,13 @@ Create an instance on VLAN200: openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Log-in via SSH to the SNS instance: +Log-in via SSH to the SNS EVA instance: ```bash ssh -A admin@ ``` -From the SNS instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: +From the SNS EVA instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 In this example, the Internet should be able to reach the private web server installed in VLAN200. The aim of this configuration is to protect the web server with a network firewall. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Step 1** 
@@ -320,19 +325,19 @@ In this example, the Internet should be able to reach the private web server ins >> >> Create a host object for the ubuntu-webserver: >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Step 3** >> >> Create a NAT rule like this one: >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Step 4** >> >> Create a filter rule like this one: >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Test to access the website from outside: @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn In this example, IPsec tunnel is configured to interconnect two different PCI regions: SBG7 (network VLAN200) and GRA11 (network VLAN201), but any of these sites could be a remote site such as an office or datacentre. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 and different IP ranges for the stormshield-ext and stormshield-ha subnet. ##### **Configure the first site** -- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS and add a network object for the VLAN201 remote private network. +- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS EVA and add a network object for the VLAN201 remote private network. - [Create a standard site-to-site tunnel](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 >> >> Add the local and the remote private network: >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >> > **Step 2** >> >> Create the remote gateway: >> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Step 3** >> >> Choose a pre-shared key: >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Step 4** >> >> Create and activate the tunnel: >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Step 5** >> >> Add a filter rule like this one to allow traffic through the tunnel: >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. In this example, a remote OpenVPN client will connect to the private network inside VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuring the LDAP directory** 
@@ -442,19 +447,19 @@ In this example, a remote OpenVPN client will connect to the private network ins In a production scenario, this LDAP/AD should be remote and not local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Create the user directory: -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Add a user to our local directory: -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choose a password for the new user: -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuring VPN network objects** @@ -462,17 +467,17 @@ Create two network objects for the SSL VPN client. UDP client network: -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} TCP client network: -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **SSL VPN server configuration** Configure the SSL VPN server: -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Managing user permissions** @@ -480,21 +485,21 @@ Add permission to your user to use the SSL VPN server (`Configuration` > `Users` Search your user: -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Allow SSL VPN: -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuring filter rules** Add a filter rule like this one to let VPN client access the VLAN200: -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} -##### **Synchronization of SNS instances** +##### **Synchronization of SNS EVA instances** -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -506,6 +511,7 @@ hasync > [!primary] > To test SSL/TLS connectivity, you can use any device with OpenVPN installed. This example includes testing an OpenVPN client on top of an OpenStack instance in another region. > +> In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/){.external}. Download the VPN configuration file (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). @@ -557,4 +563,4 @@ PING () 56(84) bytes of data. If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](/links/professional-services) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project. -Join our [community of users](/links/community). +Join our [community of users](/links/community). \ No newline at end of file diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-ca.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-ca.md index 8f3e4abe07f..a79bb85066c 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-ca.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-ca.md 
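Review bot: the final hunk of guide.de-de.md (`@@ -557,4 +563,4 @@`) drops the file's trailing newline, as the `\ No newline at end of file` marker after `+Join our [community of users](/links/community).` shows, and the en-ca copy further down in this patch ends with the same marker; the `Join our` line is otherwise unchanged, so restore the newline and keep the diff to the intended `SNS` to `SNS EVA` renames.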
@@ -1,12 +1,12 @@ --- title: 'Securing your OVHcloud infrastructure with Stormshield Network Security' excerpt: 'Find out how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objective -In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. **S**tormshield **N**etwork **S**ecurity (SNS) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. +In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS EVA on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. 
**This guide explains how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud.** @@ -22,10 +22,10 @@ In today's rapidly evolving digital landscape, securing cloud infrastructures ha - Access to the [OVHcloud Control Panel](/links/manager) - An [OpenStack user](/pages/public_cloud/compute/create_and_delete_a_user) (optional) - Basic networking knowledge -- A Stormshield account on the [Stormshield website](https://www.stormshield.com/en/){.external} +- A Stormshield account on the [Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external} - Ensure that the vRack is enabled and configured to allow secure communication between the components of the infrastructure. - An [Additional IP address](/links/network/additional-ip) for ensuring network failover and high availability setup. -- Stormshield Network Security Licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. +- Stormshield Elastic Virtual Appliance licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. ## Instructions 
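Review bot: in the prerequisites hunk the link still labelled `Stormshield website` now points at the SNS v4 manual page `Installation_and_first_time_configuration/Firewall_license_installation.htm`, which is the same page the later `Add a different licence on both SNS EVA instances` step links to; a reader who needs to create an account is sent to a licence-installation manual page. Either keep the original `https://www.stormshield.com/en/` target for the account bullet or relabel the link so the text matches the destination. The same change appears in the en-gb copy of this hunk.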
@@ -49,23 +49,23 @@ In addition to the installation and configuration of Stormshield Network Securit #### Configure your vRack -In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. +In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS EVA instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. **Add your Public Cloud project and your Additional IP block to the same vRack.** For example purposes in this guide, the IP block is `147.135.161.152/29`.
-We use the first usable IP `147.135.161.153` for the first instance of SNS and use temporally the second usable IP `147.135.161.154` for the second SNS.
+We use the first usable IP `147.135.161.153` for the first instance of SNS EVA and use temporally the second usable IP `147.135.161.154` for the second SNS EVA.
The gateway address is `147.135.161.158`. Please refer to the guide [Configuring an IP block in a vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) for more information. Below is the architecture that we are going to set up. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configure OpenStack networking -Create the private network for the SNS external interfaces: +Create the private network for the SNS EVA external interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Create the private network for the SNS internal interfaces: +Create the private network for the SNS EVA internal interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 
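Review bot: the `+` line `We use the first usable IP ... and use temporally the second usable IP` keeps the typo `temporally`; it should read `temporarily`. In the same hunk, `openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext` (and the `stormshield-vlan200` command in the hunk that follows it) disables Neutron port security without saying why. Add one sentence explaining that the appliances use addresses Neutron did not assign (the public `/29` addresses, and after HA setup the same external address on both instances), which the port anti-spoofing filter would otherwise drop, and that the trade-off is that every port on those networks loses MAC/IP anti-spoofing and security groups, so the filter policy on the appliance is the only network control for instances placed in `stormshield-vlan200`.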
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Deploy the SNS instances +#### Deploy the SNS EVA instances Go to the `download` section of the [official Stormshield website](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Log in to your Stormshield account and follow the instructions to download the Stormshield OpenStack image. -Go to the folder where you have downloaded your SNS Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): +Go to the folder where you have downloaded your SNS EVA Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Create the SNS instances (for this example, we called them `stormshield-1` and `stormshield-2`): +Create the SNS EVA instances (for this example, we called them `stormshield-1` and `stormshield-2`): ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
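Review bot: the image upload command kept as context in the `Deploy the SNS EVA instances` hunk, `openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6`, declares a `.qcow2` file as `raw` and names the image `4.7.6` while the file and the sentence directly above (which this patch rewrites) say `4.8.3`. Correct it to `--disk-format qcow2` with a name that matches the file, and update the two `openstack server create ... --image stormshield-SNS-EVA-4.7.6` lines in the same hunk to match. The download link in this hunk also points at the French (`/fr/`) `PAYG_Deployment_Guide` page although the prerequisites require a BYOL licence; point it at the matching English-language page for the licence model the guide actually uses.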
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > For performance reasons we suggest using listed VM flavors for given SNS EVA licence types: > -> - EVA1: B3-16 or B3-32 flavors -> - EVA2: B3-32 -> - EVA3: B3-32 or B3-64 -> - EVA4: B3-128 -> - EVAU: B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configure the SNS instances +#### Configure the SNS EVA instances -Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS instances. +Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS EVA instances. -Access the VNC console for both SNS instances and configure the keyboard layout and the password. +Access the VNC console for both SNS EVA instances and configure the keyboard layout and the password. -Configure the default gateway on the first SNS with our IP block gateway: +Configure the default gateway on the first SNS EVA with our IP block gateway: ```console vi /usr/Firewall/ConfigFiles/object @@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configure the external network interface on the first SNS with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: +Configure the external network interface on the first SNS EVA with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: ```console vi /usr/Firewall/ConfigFiles/network 
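Review bot: the flavor recommendation list in this hunk lowers the suggested flavor for every licence tier (for example EVA1 from `B3-16 or B3-32` to `B3-8 / B3-16`, EVAU from `B3-256` to `B3-128 / B3-256`) with no source or reason given in the patch; cite the Stormshield EVA sizing reference the new values come from so the next editor can check them, and align the naming with the deploy hunk above, which creates the instances with lowercase `b3-32`. With the new table, `b3-32` used in the example sits in the EVA2/EVA3 band, so say which licence tier the example assumes.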
@@ -165,33 +165,33 @@ Apply the new network configuration: ennetwork ``` -Do the same configuration for the second SNS but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. +Do the same configuration for the second SNS EVA but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. -Add a different licence on both SNS instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Add a different licence on both SNS EVA instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Create a firewall rule similar to this on both SNS in the web GUI: +Create a firewall rule similar to this on both SNS EVA in the web GUI: -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -On the first SNS, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. +On the first SNS EVA, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -When the configuration of the HA is finished on the first SNS, join the group of firewalls on the second one: +When the configuration of the HA is finished on the first SNS EVA, join the group of firewalls on the second one: -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -The second SNS external interface will now use the same IP address as the first SNS. Therefore the `147.135.161.154` IP address can be used for something else now. +The second SNS EVA external interface will now use the same IP address as the first SNS EVA. Therefore the `147.135.161.154` IP address can be used for something else now. -If everything is configured properly, after the reboot of the second SNS, you should see something similar to this in the Health Indicators of the HA Link: +If everything is configured properly, after the reboot of the second SNS EVA, you should see something similar to this in the Health Indicators of the HA Link: -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configure and secure the SNS management +#### Configure and secure the SNS EVA management > [!tabs] > **Step 1** 
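Review bot: the `Create a firewall rule similar to this on both SNS EVA in the web GUI` step and the HA group creation that follows are performed through the web GUI on the appliance's public address before the `Configure and secure the SNS EVA management` section restricts GUI access to the administrator's IP; until then the only controls are the admin password set over the VNC console and whatever filter policy the image ships with. Either move the management restriction ahead of the HA setup, or add a sentence here telling the reader to choose a strong admin password at the console step and to complete the management hardening before leaving the appliances unattended. The rule itself is only shown as `ha-filter.png`; describe it in text (which interfaces and which HA traffic it permits) so it can be reproduced without the screenshot.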
@@ -207,31 +207,36 @@ If everything is configured properly, after the reboot of the second SNS, you sh >> >> Create a host object for your public IP: >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Step 3** >> >> Restrict access to the GUI to your public IP and enable SSH: >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Step 4** >> >> Restrict SSH access to your public IP: >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Re-synchronize the HA configuration -The synchronization between the two SNS instances is crucial to ensure that both firewalls are always up to date with the same configuration. At this point, the two SNS instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. +The synchronization between the two SNS EVA instances is crucial to ensure that both firewalls are always up to date with the same configuration. This can be done through the SSH command line or directly via the graphical user interface (GUI). -Log in to the active SNS instance using SSH: +> [!primary] +> For this example, we use the SSH command line solution. If you prefer to use the GUI for synchronization, refer to the « High Availability screen » section in the [Stormshield SNS EVA documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} for detailed steps. + +At this point, the two SNS EVA instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. 
+ +Log in to the active SNS EVA instance using SSH: ```bash ssh admin@ ``` -Synchronize the two SNS: +Synchronize the two SNS EVA: ```bash hasync 
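Review bot: the new callout in the `Re-synchronize the HA configuration` hunk uses French guillemets around `« High Availability screen »` in an English-language guide (the de-de copy above carries the same text); use the page's own quoting style, the backticks it uses for `Configuration` > `System` > `High Availability`. The reordered paragraph also states that the instances `should not be in sync anymore` but gives the reader no way to confirm it before or after running `hasync`; add a check, for example the synchronization state shown on the High Availability screen the callout itself links to, so the reader can verify the sync took effect rather than trusting the command returned silently.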
@@ -241,26 +246,26 @@ You need to do this each time you update the configuration. ### Use cases configuration -After deploying SNS **E**lastic **V**irtual **A**ppliance (EVA) firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. +After deploying SNS Elastic Virtual Appliance firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. Thanks to the vRack private network, listed VLANs can also be used outside the Public Cloud environment: across BareMetal or Private Cloud products. #### Use case 1: Configure Stormshield Network Security to be used as a gateway In this example, the virtual firewall will act as a secure gateway for private instances (or any other server) within the VLAN200 of the given vRack network. Such traffic can be a subject for URL filtering on the firewall. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Create a network object for the VLAN200 by following this [part of the official Stormshield documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Create a new filter rule](https://documentation.stormshield.com/SNS/v4/en/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similar to this one to allow the traffic coming from VLAN200 to go out: -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Create a NAT rule](https://documentation.stormshield.eu/SNS/v4/en/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similar to this one: -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -281,13 +286,13 @@ Create an instance on VLAN200: openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Log-in via SSH to the SNS instance: +Log-in via SSH to the SNS EVA instance: ```bash ssh -A admin@ ``` -From the SNS instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: +From the SNS EVA instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 In this example, the Internet should be able to reach the private web server installed in VLAN200. The aim of this configuration is to protect the web server with a network firewall. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Step 1** 
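Review bot: in the `Log-in via SSH to the SNS EVA instance` hunk the command `ssh -A admin@` forwards the administrator's SSH agent onto the firewall so the next hop (`ssh ubuntu@` to the web server) can use it; anyone with root on the appliance can sign with the administrator's keys for as long as the session is open. Prefer `ProxyJump` (`ssh -J admin@<firewall> ubuntu@<webserver>`), which keeps the keys on the workstation, and note that this needs the appliance's sshd to allow TCP forwarding; if `-A` must stay, say it is for this one-off test only. Separately, the `Create a NAT rule` link in the gateway hunk points to the `SNS_for_Cloud_-_VMWare_NSX` chapter and the `Create a new filter rule` link to an IPsec certificate-authentication how-to; link the generic NAT and filtering chapters of the SNS v4 manual instead.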
@@ -320,19 +325,19 @@ In this example, the Internet should be able to reach the private web server ins >> >> Create a host object for the ubuntu-webserver: >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Step 3** >> >> Create a NAT rule like this one: >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Step 4** >> >> Create a filter rule like this one: >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Test to access the website from outside: @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn In this example, IPsec tunnel is configured to interconnect two different PCI regions: SBG7 (network VLAN200) and GRA11 (network VLAN201), but any of these sites could be a remote site such as an office or datacentre. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 and different IP ranges for the stormshield-ext and stormshield-ha subnet. ##### **Configure the first site** -- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS and add a network object for the VLAN201 remote private network. +- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS EVA and add a network object for the VLAN201 remote private network. - [Create a standard site-to-site tunnel](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 >> >> Add the local and the remote private network: >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >> > **Step 2** >> >> Create the remote gateway: >> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Step 3** >> >> Choose a pre-shared key: >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Step 4** >> >> Create and activate the tunnel: >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Step 5** >> >> Add a filter rule like this one to allow traffic through the tunnel: >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. In this example, a remote OpenVPN client will connect to the private network inside VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuring the LDAP directory** 
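Review bot: Step 3 of the IPsec hunk, `Choose a pre-shared key`, leaves the key policy entirely to the screenshot `ipsec-5.png`; state that the PSK must be long and randomly generated, that the identical value must be entered when the steps are repeated in the second region, and that certificate-based authentication is the production alternative (the page already links to the certificate-authentication how-to elsewhere). Step 5, `Add a filter rule like this one to allow traffic through the tunnel`, should likewise describe the rule in text (source VLAN200, destination VLAN201, via the tunnel) rather than relying on `ipsec-8.png`, so a reader cannot end up with a broader permit than intended.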
@@ -442,19 +447,19 @@ In this example, a remote OpenVPN client will connect to the private network ins In a production scenario, this LDAP/AD should be remote and not local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Create the user directory: -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Add a user to our local directory: -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choose a password for the new user: -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuring VPN network objects** @@ -462,17 +467,17 @@ Create two network objects for the SSL VPN client. UDP client network: -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} TCP client network: -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **SSL VPN server configuration** Configure the SSL VPN server: -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Managing user permissions** @@ -480,21 +485,21 @@ Add permission to your user to use the SSL VPN server (`Configuration` > `Users` Search your user: -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Allow SSL VPN: -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuring filter rules** Add a filter rule like this one to let VPN client access the VLAN200: -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} -##### **Synchronization of SNS instances** +##### **Synchronization of SNS EVA instances** -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -506,6 +511,7 @@ hasync > [!primary] > To test SSL/TLS connectivity, you can use any device with OpenVPN installed. This example includes testing an OpenVPN client on top of an OpenStack instance in another region. > +> In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/){.external}. Download the VPN configuration file (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). @@ -557,4 +563,4 @@ PING () 56(84) bytes of data. If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](/links/professional-services) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project. -Join our [community of users](/links/community). +Join our [community of users](/links/community). \ No newline at end of file diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-gb.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-gb.md index 8f3e4abe07f..da6b27185cf 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-gb.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-gb.md 
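Review bot: the added line in the `@@ -506,6 +511,7 @@` hunk, `In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/)`, restates the sentence directly above it (`you can use any device with OpenVPN installed. This example includes testing an OpenVPN client ...`) and sits after a blank `>` separator, so the callout now says the same thing twice; fold the Stormshield client link into the existing sentence instead of appending a second one.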
@@ -1,12 +1,12 @@ --- title: 'Securing your OVHcloud infrastructure with Stormshield Network Security' excerpt: 'Find out how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objective -In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. **S**tormshield **N**etwork **S**ecurity (SNS) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. +In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS EVA on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. 
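Review bot: The expansion "Stormshield SNS EVA (Stormshield Elastic Virtual Appliance)" in the rewritten Objective paragraph drops the "Network Security" that SNS stands for and reads as "Stormshield Stormshield ..."; spell it out once as "Stormshield Network Security Elastic Virtual Appliance (SNS EVA)" and use "SNS EVA" afterwards. In the same hunk the front matter `title` and `excerpt` are left as "Stormshield Network Security" while the body is renamed to "SNS EVA", so the product is now named two different ways on one page; either rename the front matter as well or keep "Stormshield Network Security" as the product name and reserve "SNS EVA" for the appliance. The same applies to the identical de-de and en-ie copies of this hunk.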
**This guide explains how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud.** @@ -22,10 +22,10 @@ In today's rapidly evolving digital landscape, securing cloud infrastructures ha - Access to the [OVHcloud Control Panel](/links/manager) - An [OpenStack user](/pages/public_cloud/compute/create_and_delete_a_user) (optional) - Basic networking knowledge -- A Stormshield account on the [Stormshield website](https://www.stormshield.com/en/){.external} +- A Stormshield account on the [Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external} - Ensure that the vRack is enabled and configured to allow secure communication between the components of the infrastructure. - An [Additional IP address](/links/network/additional-ip) for ensuring network failover and high availability setup. -- Stormshield Network Security Licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. +- Stormshield Elastic Virtual Appliance licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. ## Instructions 
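Review bot: The "A Stormshield account" bullet now links to the firewall licence installation documentation page while its link text still reads "Stormshield website", so a reader looking for where to create the account lands on licence-installation steps; either point the link at the account page or change the text to describe the target. The same URL is already used in the "Add a different licence on both SNS EVA instances" line of the @@ -165 hunk, so the prerequisite could simply say that a licence is installed later by following that documentation. Also, the BYOL bullet says "Stormshield Elastic Virtual Appliance licence" where the rest of the page now says "SNS EVA"; pick one form. Same in the de-de and en-ie copies.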
@@ -40,7 +40,7 @@ In addition to the installation and configuration of Stormshield Network Securit ### Install and configure Stormshield Network Security on your Public Cloud environment > [!primary] -> In this tutorial, the installation and configuration of Stormshield Network Security is done primarily via the command line. Open a terminal to execute the instructions. +> In this tutorial, the installation and configuration of Stormshield SNS EVA is done primarily via the command line. Open a terminal to execute the instructions. > > Please note that all sections related to « High Availability » or « stormshield-2 » are optional as well as using vRack network with Additional IP. They are included to demonstrate how to set up the system with two instances in an active/passive mode for high availability. In a minimal version, it can also work with just one instance if that is sufficient for your needs. 
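Review bot: The rename inside the callout ("installation and configuration of Stormshield SNS EVA") leaves the context heading directly above it, `### Install and configure Stormshield Network Security on your Public Cloud environment`, untouched, so the section title and its first sentence now name the product differently; rename the heading too if the rename is meant to be global, and drop the redundant "Stormshield" before "SNS EVA" (the S already stands for Stormshield). Same in the de-de and en-ie copies.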
@@ -49,23 +49,23 @@ In addition to the installation and configuration of Stormshield Network Securit #### Configure your vRack -In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. +In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS EVA instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. **Add your Public Cloud project and your Additional IP block to the same vRack.** For example purposes in this guide, the IP block is `147.135.161.152/29`.
-We use the first usable IP `147.135.161.153` for the first instance of SNS and use temporally the second usable IP `147.135.161.154` for the second SNS.
+We use the first usable IP `147.135.161.153` for the first instance of SNS EVA and use temporally the second usable IP `147.135.161.154` for the second SNS EVA.
The gateway address is `147.135.161.158`. Please refer to the guide [Configuring an IP block in a vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) for more information. Below is the architecture that we are going to set up. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configure OpenStack networking -Create the private network for the SNS external interfaces: +Create the private network for the SNS EVA external interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Create the private network for the SNS internal interfaces: +Create the private network for the SNS EVA internal interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 
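Review bot: The rewritten `+We use the first usable IP ... and use temporally the second usable IP` line keeps the typo "temporally" from the old line; since the line is being touched anyway, change it to "temporarily" (the second usable IP is only used until HA is joined, as the @@ -165 hunk explains). Same in the de-de and en-ie copies.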
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Deploy the SNS instances +#### Deploy the SNS EVA instances Go to the `download` section of the [official Stormshield website](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Log in to your Stormshield account and follow the instructions to download the Stormshield OpenStack image. -Go to the folder where you have downloaded your SNS Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): +Go to the folder where you have downloaded your SNS EVA Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Create the SNS instances (for this example, we called them `stormshield-1` and `stormshield-2`): +Create the SNS EVA instances (for this example, we called them `stormshield-1` and `stormshield-2`): ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
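Review bot: The renamed line now states explicitly that the image file is `utm-SNS-EVA-4.8.3-openstack.qcow2`, which makes the unchanged command below it look inconsistent: `openstack image create --disk-format raw ... --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6` registers a `.qcow2` file as `raw` and names the Glance image 4.7.6 while the file is 4.8.3, and the later `openstack server create --image stormshield-SNS-EVA-4.7.6` inherits the mismatch. Please verify the actual disk format of the downloaded file (`--disk-format qcow2` if it really is qcow2) and use one version string consistently. The `download` link in the context line also points at the `fr` locale of the Stormshield documentation while every other link on this English page uses `en`. Same in the de-de and en-ie copies.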
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > For performance reasons we suggest using listed VM flavors for given SNS EVA licence types: > -> - EVA1: B3-16 or B3-32 flavors -> - EVA2: B3-32 -> - EVA3: B3-32 or B3-64 -> - EVA4: B3-128 -> - EVAU: B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configure the SNS instances +#### Configure the SNS EVA instances -Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS instances. +Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS EVA instances. -Access the VNC console for both SNS instances and configure the keyboard layout and the password. +Access the VNC console for both SNS EVA instances and configure the keyboard layout and the password. -Configure the default gateway on the first SNS with our IP block gateway: +Configure the default gateway on the first SNS EVA with our IP block gateway: ```console vi /usr/Firewall/ConfigFiles/object @@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configure the external network interface on the first SNS with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: +Configure the external network interface on the first SNS EVA with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: ```console vi /usr/Firewall/ConfigFiles/network 
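Review bot: The @@ -118 hunk lowers every recommended flavor (for example EVA1 goes from "B3-16 or B3-32" to "B3-8 / B3-16") without the diff or the surrounding text saying where the new sizing comes from; a short pointer to the Stormshield sizing source would let readers check it, and the example `openstack server create --flavor b3-32` in the earlier hunk should state which EVA licence tier it assumes so the reader can map it to this list. Same in the de-de and en-ie copies.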
@@ -165,33 +165,33 @@ Apply the new network configuration: ennetwork ``` -Do the same configuration for the second SNS but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. +Do the same configuration for the second SNS EVA but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. -Add a different licence on both SNS instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Add a different licence on both SNS EVA instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Create a firewall rule similar to this on both SNS in the web GUI: +Create a firewall rule similar to this on both SNS EVA in the web GUI: -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -On the first SNS, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. +On the first SNS EVA, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -When the configuration of the HA is finished on the first SNS, join the group of firewalls on the second one: +When the configuration of the HA is finished on the first SNS EVA, join the group of firewalls on the second one: -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -The second SNS external interface will now use the same IP address as the first SNS. Therefore the `147.135.161.154` IP address can be used for something else now. +The second SNS EVA external interface will now use the same IP address as the first SNS EVA. Therefore the `147.135.161.154` IP address can be used for something else now. -If everything is configured properly, after the reboot of the second SNS, you should see something similar to this in the Health Indicators of the HA Link: +If everything is configured properly, after the reboot of the second SNS EVA, you should see something similar to this in the Health Indicators of the HA Link: -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configure and secure the SNS management +#### Configure and secure the SNS EVA management > [!tabs] > **Step 1** 
@@ -207,31 +207,36 @@ If everything is configured properly, after the reboot of the second SNS, you sh >> >> Create a host object for your public IP: >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Step 3** >> >> Restrict access to the GUI to your public IP and enable SSH: >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Step 4** >> >> Restrict SSH access to your public IP: >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Re-synchronize the HA configuration -The synchronization between the two SNS instances is crucial to ensure that both firewalls are always up to date with the same configuration. At this point, the two SNS instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. +The synchronization between the two SNS EVA instances is crucial to ensure that both firewalls are always up to date with the same configuration. This can be done through the SSH command line or directly via the graphical user interface (GUI). -Log in to the active SNS instance using SSH: +> [!primary] +> For this example, we use the SSH command line solution. If you prefer to use the GUI for synchronization, refer to the « High Availability screen » section in the [Stormshield SNS EVA documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} for detailed steps. + +At this point, the two SNS EVA instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. 
+ +Log in to the active SNS EVA instance using SSH: ```bash ssh admin@ ``` -Synchronize the two SNS: +Synchronize the two SNS EVA: ```bash hasync 
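Review bot: The new callout in the @@ -207 hunk introduces French guillemets (« High Availability screen ») into the English file, whereas the rest of the guide quotes UI paths in backticks (`Configuration` > `System` > `High Availability`); use the same convention here. The added sentence also says synchronization "can be done through the SSH command line or directly via the graphical user interface", but each later "Synchronize the two HA SNS EVA instances" step only shows `hasync`; a one-line reminder that the GUI path works there too would keep the two statements consistent. Same in the de-de and en-ie copies.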
@@ -241,26 +246,26 @@ You need to do this each time you update the configuration. ### Use cases configuration -After deploying SNS **E**lastic **V**irtual **A**ppliance (EVA) firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. +After deploying SNS Elastic Virtual Appliance firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. Thanks to the vRack private network, listed VLANs can also be used outside the Public Cloud environment: across BareMetal or Private Cloud products. #### Use case 1: Configure Stormshield Network Security to be used as a gateway In this example, the virtual firewall will act as a secure gateway for private instances (or any other server) within the VLAN200 of the given vRack network. Such traffic can be a subject for URL filtering on the firewall. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Create a network object for the VLAN200 by following this [part of the official Stormshield documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Create a new filter rule](https://documentation.stormshield.com/SNS/v4/en/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similar to this one to allow the traffic coming from VLAN200 to go out: -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Create a NAT rule](https://documentation.stormshield.eu/SNS/v4/en/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similar to this one: -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -281,13 +286,13 @@ Create an instance on VLAN200: openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Log-in via SSH to the SNS instance: +Log-in via SSH to the SNS EVA instance: ```bash ssh -A admin@ ``` -From the SNS instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: +From the SNS EVA instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 In this example, the Internet should be able to reach the private web server installed in VLAN200. The aim of this configuration is to protect the web server with a network firewall. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Step 1** 
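Review bot: In the @@ -241 hunk, "After deploying SNS Elastic Virtual Appliance firewall" is missing an article ("After deploying the SNS EVA firewall"), and the context heading just below it, `#### Use case 1: Configure Stormshield Network Security to be used as a gateway`, is the only use-case heading not renamed while the surrounding prose and alt texts are; rename it or leave the product name consistent. In the @@ -281 hunk, "Log-in via SSH" should be "Log in via SSH" (verb, not noun) on the two renamed lines. Same in the de-de and en-ie copies.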
@@ -320,19 +325,19 @@ In this example, the Internet should be able to reach the private web server ins >> >> Create a host object for the ubuntu-webserver: >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Step 3** >> >> Create a NAT rule like this one: >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Step 4** >> >> Create a filter rule like this one: >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Test to access the website from outside: @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn In this example, IPsec tunnel is configured to interconnect two different PCI regions: SBG7 (network VLAN200) and GRA11 (network VLAN201), but any of these sites could be a remote site such as an office or datacentre. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 and different IP ranges for the stormshield-ext and stormshield-ha subnet. ##### **Configure the first site** -- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS and add a network object for the VLAN201 remote private network. +- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS EVA and add a network object for the VLAN201 remote private network. - [Create a standard site-to-site tunnel](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 >> >> Add the local and the remote private network: >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >> > **Step 2** >> >> Create the remote gateway: >> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Step 3** >> >> Choose a pre-shared key: >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Step 4** >> >> Create and activate the tunnel: >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Step 5** >> >> Add a filter rule like this one to allow traffic through the tunnel: >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. In this example, a remote OpenVPN client will connect to the private network inside VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuring the LDAP directory** 
@@ -442,19 +447,19 @@ In this example, a remote OpenVPN client will connect to the private network ins In a production scenario, this LDAP/AD should be remote and not local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Create the user directory: -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Add a user to our local directory: -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choose a password for the new user: -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuring VPN network objects** @@ -462,17 +467,17 @@ Create two network objects for the SSL VPN client. UDP client network: -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} TCP client network: -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **SSL VPN server configuration** Configure the SSL VPN server: -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Managing user permissions** @@ -480,21 +485,21 @@ Add permission to your user to use the SSL VPN server (`Configuration` > `Users` Search your user: -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Allow SSL VPN: -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuring filter rules** Add a filter rule like this one to let VPN client access the VLAN200: -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} -##### **Synchronization of SNS instances** +##### **Synchronization of SNS EVA instances** -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -506,6 +511,7 @@ hasync > [!primary] > To test SSL/TLS connectivity, you can use any device with OpenVPN installed. This example includes testing an OpenVPN client on top of an OpenStack instance in another region. > +> In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/){.external}. Download the VPN configuration file (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). @@ -557,4 +563,4 @@ PING () 56(84) bytes of data. If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](/links/professional-services) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project. -Join our [community of users](/links/community). +Join our [community of users](/links/community). \ No newline at end of file diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-ie.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-ie.md index 8f3e4abe07f..a79bb85066c 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-ie.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-ie.md 
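Review bot: The final @@ -557 hunk changes only the trailing newline: `\ No newline at end of file` appears on the `+` side but not the `-` side, so the commit strips the terminating newline from the de-de, en-gb and en-ie files, which is almost certainly an editor side effect rather than an intended change; restore the final newline so the "Join our community of users" line is unchanged and the diff shrinks by one hunk per file. The added sentence in the @@ -506 hunk about the Stormshield packaged client sits correctly inside the `[!primary]` callout and reads fine.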
@@ -1,12 +1,12 @@ --- title: 'Securing your OVHcloud infrastructure with Stormshield Network Security' excerpt: 'Find out how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objective -In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. **S**tormshield **N**etwork **S**ecurity (SNS) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. +In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS EVA on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. 
**This guide explains how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud.** @@ -22,10 +22,10 @@ In today's rapidly evolving digital landscape, securing cloud infrastructures ha - Access to the [OVHcloud Control Panel](/links/manager) - An [OpenStack user](/pages/public_cloud/compute/create_and_delete_a_user) (optional) - Basic networking knowledge -- A Stormshield account on the [Stormshield website](https://www.stormshield.com/en/){.external} +- A Stormshield account on the [Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external} - Ensure that the vRack is enabled and configured to allow secure communication between the components of the infrastructure. - An [Additional IP address](/links/network/additional-ip) for ensuring network failover and high availability setup. -- Stormshield Network Security Licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. +- Stormshield Elastic Virtual Appliance licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. ## Instructions 
@@ -49,23 +49,23 @@ In addition to the installation and configuration of Stormshield Network Securit #### Configure your vRack -In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. +In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS EVA instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. **Add your Public Cloud project and your Additional IP block to the same vRack.** For example purposes in this guide, the IP block is `147.135.161.152/29`.
-We use the first usable IP `147.135.161.153` for the first instance of SNS and use temporally the second usable IP `147.135.161.154` for the second SNS.
+We use the first usable IP `147.135.161.153` for the first instance of SNS EVA and use temporally the second usable IP `147.135.161.154` for the second SNS EVA.
The gateway address is `147.135.161.158`. Please refer to the guide [Configuring an IP block in a vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) for more information. Below is the architecture that we are going to set up. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configure OpenStack networking -Create the private network for the SNS external interfaces: +Create the private network for the SNS EVA external interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Create the private network for the SNS internal interfaces: +Create the private network for the SNS EVA internal interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Deploy the SNS instances +#### Deploy the SNS EVA instances Go to the `download` section of the [official Stormshield website](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Log in to your Stormshield account and follow the instructions to download the Stormshield OpenStack image. -Go to the folder where you have downloaded your SNS Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): +Go to the folder where you have downloaded your SNS EVA Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Create the SNS instances (for this example, we called them `stormshield-1` and `stormshield-2`): +Create the SNS EVA instances (for this example, we called them `stormshield-1` and `stormshield-2`): ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > For performance reasons we suggest using listed VM flavors for given SNS EVA licence types: > -> - EVA1: B3-16 or B3-32 flavors -> - EVA2: B3-32 -> - EVA3: B3-32 or B3-64 -> - EVA4: B3-128 -> - EVAU: B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configure the SNS instances +#### Configure the SNS EVA instances -Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS instances. +Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS EVA instances. -Access the VNC console for both SNS instances and configure the keyboard layout and the password. +Access the VNC console for both SNS EVA instances and configure the keyboard layout and the password. -Configure the default gateway on the first SNS with our IP block gateway: +Configure the default gateway on the first SNS EVA with our IP block gateway: ```console vi /usr/Firewall/ConfigFiles/object @@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configure the external network interface on the first SNS with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: +Configure the external network interface on the first SNS EVA with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: ```console vi /usr/Firewall/ConfigFiles/network 
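Review bot: the flavor list in this hunk now starts at B3-8 for EVA1 and B3-16 for EVA2, but the `openstack server create --flavor b3-32` examples in the preceding hunk still use b3-32 without saying which licence type they assume. Either state that the example is sized for EVA2/EVA3 or switch it to a flavor from the EVA1 row, and use one spelling for flavor names (`b3-32` in the commands, `B3-32` in the list).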
@@ -165,33 +165,33 @@ Apply the new network configuration: ennetwork ``` -Do the same configuration for the second SNS but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. +Do the same configuration for the second SNS EVA but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. -Add a different licence on both SNS instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Add a different licence on both SNS EVA instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Create a firewall rule similar to this on both SNS in the web GUI: +Create a firewall rule similar to this on both SNS EVA in the web GUI: -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -On the first SNS, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. +On the first SNS EVA, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -When the configuration of the HA is finished on the first SNS, join the group of firewalls on the second one: +When the configuration of the HA is finished on the first SNS EVA, join the group of firewalls on the second one: -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -The second SNS external interface will now use the same IP address as the first SNS. Therefore the `147.135.161.154` IP address can be used for something else now. +The second SNS EVA external interface will now use the same IP address as the first SNS EVA. Therefore the `147.135.161.154` IP address can be used for something else now. -If everything is configured properly, after the reboot of the second SNS, you should see something similar to this in the Health Indicators of the HA Link: +If everything is configured properly, after the reboot of the second SNS EVA, you should see something similar to this in the Health Indicators of the HA Link: -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configure and secure the SNS management +#### Configure and secure the SNS EVA management > [!tabs] > **Step 1** 
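Review bot: the HA group in this hunk is built on whatever address the OpenStack DHCP handed to the HA interface (`check which IP was assigned to the HA interface by the OpenStack DHCP`), on a subnet that was created with `--dhcp --gateway none`. A changed lease after a reboot would break the cluster link silently, so consider pinning both HA ports to fixed addresses (`openstack server create --nic net-id=...,v4-fixed-ip=...` or `openstack port create --fixed-ip ...`) and documenting them. The `+` line that says `147.135.161.154` can be used for something else should also say whether the temporary address has to be removed from the second node's network configuration after the join, or whether the HA join overwrites it.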
@@ -207,31 +207,36 @@ If everything is configured properly, after the reboot of the second SNS, you sh >> >> Create a host object for your public IP: >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Step 3** >> >> Restrict access to the GUI to your public IP and enable SSH: >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Step 4** >> >> Restrict SSH access to your public IP: >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Re-synchronize the HA configuration -The synchronization between the two SNS instances is crucial to ensure that both firewalls are always up to date with the same configuration. At this point, the two SNS instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. +The synchronization between the two SNS EVA instances is crucial to ensure that both firewalls are always up to date with the same configuration. This can be done through the SSH command line or directly via the graphical user interface (GUI). -Log in to the active SNS instance using SSH: +> [!primary] +> For this example, we use the SSH command line solution. If you prefer to use the GUI for synchronization, refer to the « High Availability screen » section in the [Stormshield SNS EVA documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} for detailed steps. + +At this point, the two SNS EVA instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. 
+ +Log in to the active SNS EVA instance using SSH: ```bash ssh admin@ ``` -Synchronize the two SNS: +Synchronize the two SNS EVA: ```bash hasync 
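Review bot: the new `[!primary]` note in this hunk uses French guillemets (`« High Availability screen »`) in an English page; use the backtick style the rest of the guide uses for UI labels (`High Availability screen`). The reordering also places the note before the `At this point, the two SNS EVA instances should not be in sync anymore` sentence, so the reader is told about the GUI alternative before learning why a synchronization is needed; putting that sentence first and the note after it reads more naturally.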
@@ -241,26 +246,26 @@ You need to do this each time you update the configuration. ### Use cases configuration -After deploying SNS **E**lastic **V**irtual **A**ppliance (EVA) firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. +After deploying SNS Elastic Virtual Appliance firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. Thanks to the vRack private network, listed VLANs can also be used outside the Public Cloud environment: across BareMetal or Private Cloud products. #### Use case 1: Configure Stormshield Network Security to be used as a gateway In this example, the virtual firewall will act as a secure gateway for private instances (or any other server) within the VLAN200 of the given vRack network. Such traffic can be a subject for URL filtering on the firewall. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Create a network object for the VLAN200 by following this [part of the official Stormshield documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Create a new filter rule](https://documentation.stormshield.com/SNS/v4/en/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similar to this one to allow the traffic coming from VLAN200 to go out: -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Create a NAT rule](https://documentation.stormshield.eu/SNS/v4/en/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similar to this one: -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -281,13 +286,13 @@ Create an instance on VLAN200: openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Log-in via SSH to the SNS instance: +Log-in via SSH to the SNS EVA instance: ```bash ssh -A admin@ ``` -From the SNS instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: +From the SNS EVA instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 In this example, the Internet should be able to reach the private web server installed in VLAN200. The aim of this configuration is to protect the web server with a network firewall. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Step 1** 
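Review bot: in the `@@ -281` hunk, `ssh -A admin@` forwards the operator's SSH agent onto the firewall so the second hop (`ssh ubuntu@`) can reuse it, which exposes the agent socket to anyone with admin rights on the firewall for the duration of the session. Since the firewall is only a jump host here, `ssh -J admin@<firewall-ip> ubuntu@<webserver-ip>` (ProxyJump) reaches the web server without forwarding the agent, provided the appliance's sshd allows TCP forwarding; if `-A` is kept on purpose, the text should say why. On the `+` lines, `Log-in via SSH` is a verb phrase, so `Log in via SSH`.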
@@ -320,19 +325,19 @@ In this example, the Internet should be able to reach the private web server ins >> >> Create a host object for the ubuntu-webserver: >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Step 3** >> >> Create a NAT rule like this one: >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Step 4** >> >> Create a filter rule like this one: >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Test to access the website from outside: @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn In this example, IPsec tunnel is configured to interconnect two different PCI regions: SBG7 (network VLAN200) and GRA11 (network VLAN201), but any of these sites could be a remote site such as an office or datacentre. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 and different IP ranges for the stormshield-ext and stormshield-ha subnet. ##### **Configure the first site** -- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS and add a network object for the VLAN201 remote private network. +- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS EVA and add a network object for the VLAN201 remote private network. - [Create a standard site-to-site tunnel](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 >> >> Add the local and the remote private network: >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >> > **Step 2** >> >> Create the remote gateway: >> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Step 3** >> >> Choose a pre-shared key: >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Step 4** >> >> Create and activate the tunnel: >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Step 5** >> >> Add a filter rule like this one to allow traffic through the tunnel: >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. In this example, a remote OpenVPN client will connect to the private network inside VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuring the LDAP directory** 
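Review bot: Step 3 of the IPsec tabs in this hunk is reduced to `Choose a pre-shared key` plus a screenshot, with no guidance on the key itself. Since the tunnel's authentication rests entirely on this value, one sentence asking for a long random PSK that is identical on both gateways and is not reused for other tunnels would be worth adding; alternatively link the certificate-based how-to that the gateway use case already points at (`HowTo_-_IPSec_VPN_-_Authentication_by_certificate`), which is more relevant here than there.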
@@ -442,19 +447,19 @@ In this example, a remote OpenVPN client will connect to the private network ins In a production scenario, this LDAP/AD should be remote and not local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Create the user directory: -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Add a user to our local directory: -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choose a password for the new user: -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuring VPN network objects** @@ -462,17 +467,17 @@ Create two network objects for the SSL VPN client. UDP client network: -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} TCP client network: -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **SSL VPN server configuration** Configure the SSL VPN server: -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Managing user permissions** @@ -480,21 +485,21 @@ Add permission to your user to use the SSL VPN server (`Configuration` > `Users` Search your user: -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Allow SSL VPN: -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuring filter rules** Add a filter rule like this one to let VPN client access the VLAN200: -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} -##### **Synchronization of SNS instances** +##### **Synchronization of SNS EVA instances** -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -506,6 +511,7 @@ hasync > [!primary] > To test SSL/TLS connectivity, you can use any device with OpenVPN installed. This example includes testing an OpenVPN client on top of an OpenStack instance in another region. > +> In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/){.external}. Download the VPN configuration file (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). @@ -557,4 +563,4 @@ PING () 56(84) bytes of data. If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](/links/professional-services) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project. -Join our [community of users](/links/community). +Join our [community of users](/links/community). \ No newline at end of file diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-sg.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-sg.md index 8f3e4abe07f..a79bb85066c 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-sg.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-sg.md 
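Review bot: the last hunk (`@@ -557,4`) drops the trailing newline from guide.de-de.md (`\ No newline at end of file` on the `+` line); restore it so the next edit to the file does not show a spurious one-line change. More importantly, every hunk in guide.de-de.md is English text identical to guide.en-sg.md, so the `de-de` file carries no German content; if that is an intentional untranslated fallback it should be stated in the PR, otherwise the translation is missing.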
@@ -1,12 +1,12 @@ --- title: 'Securing your OVHcloud infrastructure with Stormshield Network Security' excerpt: 'Find out how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objective -In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. **S**tormshield **N**etwork **S**ecurity (SNS) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. +In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS EVA on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. 
**This guide explains how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud.** @@ -22,10 +22,10 @@ In today's rapidly evolving digital landscape, securing cloud infrastructures ha - Access to the [OVHcloud Control Panel](/links/manager) - An [OpenStack user](/pages/public_cloud/compute/create_and_delete_a_user) (optional) - Basic networking knowledge -- A Stormshield account on the [Stormshield website](https://www.stormshield.com/en/){.external} +- A Stormshield account on the [Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external} - Ensure that the vRack is enabled and configured to allow secure communication between the components of the infrastructure. - An [Additional IP address](/links/network/additional-ip) for ensuring network failover and high availability setup. -- Stormshield Network Security Licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. +- Stormshield Elastic Virtual Appliance licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. ## Instructions 
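Review bot: the `+` line in this hunk changes the target behind the link text `Stormshield website` from `https://www.stormshield.com/en/` to the licence-installation page on documentation.stormshield.eu, so the text no longer describes where it leads; keep the site link for the account prerequisite or rename the link to what it now points at. The same hunk keeps the bold-initial style for `(**B**ring **Y**our **O**wn **L**icence)` while the `@@ -241` hunk further down removes that style for Elastic Virtual Appliance; pick one convention.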
@@ -49,23 +49,23 @@ In addition to the installation and configuration of Stormshield Network Securit #### Configure your vRack -In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. +In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS EVA instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. **Add your Public Cloud project and your Additional IP block to the same vRack.** For example purposes in this guide, the IP block is `147.135.161.152/29`.
-We use the first usable IP `147.135.161.153` for the first instance of SNS and use temporally the second usable IP `147.135.161.154` for the second SNS.
+We use the first usable IP `147.135.161.153` for the first instance of SNS EVA and use temporally the second usable IP `147.135.161.154` for the second SNS EVA.
The gateway address is `147.135.161.158`. Please refer to the guide [Configuring an IP block in a vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) for more information. Below is the architecture that we are going to set up. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configure OpenStack networking -Create the private network for the SNS external interfaces: +Create the private network for the SNS EVA external interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Create the private network for the SNS internal interfaces: +Create the private network for the SNS EVA internal interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 
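Review bot: the `+` line `We use the first usable IP ... and use temporally the second usable IP ...` keeps the original typo: `temporally` should be `temporarily`, and the sentence reads better as `and temporarily use the second usable IP 147.135.161.154 for the second SNS EVA`. Since the line is being rewritten for the SNS EVA rename anyway, fix it here.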
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Deploy the SNS instances +#### Deploy the SNS EVA instances Go to the `download` section of the [official Stormshield website](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Log in to your Stormshield account and follow the instructions to download the Stormshield OpenStack image. -Go to the folder where you have downloaded your SNS Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): +Go to the folder where you have downloaded your SNS EVA Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Create the SNS instances (for this example, we called them `stormshield-1` and `stormshield-2`): +Create the SNS EVA instances (for this example, we called them `stormshield-1` and `stormshield-2`): ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > For performance reasons we suggest using listed VM flavors for given SNS EVA licence types: > -> - EVA1: B3-16 or B3-32 flavors -> - EVA2: B3-32 -> - EVA3: B3-32 or B3-64 -> - EVA4: B3-128 -> - EVAU: B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configure the SNS instances +#### Configure the SNS EVA instances -Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS instances. +Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS EVA instances. -Access the VNC console for both SNS instances and configure the keyboard layout and the password. +Access the VNC console for both SNS EVA instances and configure the keyboard layout and the password. -Configure the default gateway on the first SNS with our IP block gateway: +Configure the default gateway on the first SNS EVA with our IP block gateway: ```console vi /usr/Firewall/ConfigFiles/object @@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configure the external network interface on the first SNS with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: +Configure the external network interface on the first SNS EVA with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: ```console vi /usr/Firewall/ConfigFiles/network 
@@ -165,33 +165,33 @@ Apply the new network configuration: ennetwork ``` -Do the same configuration for the second SNS but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. +Do the same configuration for the second SNS EVA but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. -Add a different licence on both SNS instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Add a different licence on both SNS EVA instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Create a firewall rule similar to this on both SNS in the web GUI: +Create a firewall rule similar to this on both SNS EVA in the web GUI: -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -On the first SNS, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. +On the first SNS EVA, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -When the configuration of the HA is finished on the first SNS, join the group of firewalls on the second one: +When the configuration of the HA is finished on the first SNS EVA, join the group of firewalls on the second one: -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -The second SNS external interface will now use the same IP address as the first SNS. Therefore the `147.135.161.154` IP address can be used for something else now. +The second SNS EVA external interface will now use the same IP address as the first SNS EVA. Therefore the `147.135.161.154` IP address can be used for something else now. -If everything is configured properly, after the reboot of the second SNS, you should see something similar to this in the Health Indicators of the HA Link: +If everything is configured properly, after the reboot of the second SNS EVA, you should see something similar to this in the Health Indicators of the HA Link: -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configure and secure the SNS management +#### Configure and secure the SNS EVA management > [!tabs] > **Step 1** 
@@ -207,31 +207,36 @@ If everything is configured properly, after the reboot of the second SNS, you sh >> >> Create a host object for your public IP: >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Step 3** >> >> Restrict access to the GUI to your public IP and enable SSH: >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Step 4** >> >> Restrict SSH access to your public IP: >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Re-synchronize the HA configuration -The synchronization between the two SNS instances is crucial to ensure that both firewalls are always up to date with the same configuration. At this point, the two SNS instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. +The synchronization between the two SNS EVA instances is crucial to ensure that both firewalls are always up to date with the same configuration. This can be done through the SSH command line or directly via the graphical user interface (GUI). -Log in to the active SNS instance using SSH: +> [!primary] +> For this example, we use the SSH command line solution. If you prefer to use the GUI for synchronization, refer to the « High Availability screen » section in the [Stormshield SNS EVA documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} for detailed steps. + +At this point, the two SNS EVA instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. 
+ +Log in to the active SNS EVA instance using SSH: ```bash ssh admin@ ``` -Synchronize the two SNS: +Synchronize the two SNS EVA: ```bash hasync 
@@ -241,26 +246,26 @@ You need to do this each time you update the configuration. ### Use cases configuration -After deploying SNS **E**lastic **V**irtual **A**ppliance (EVA) firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. +After deploying SNS Elastic Virtual Appliance firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. Thanks to the vRack private network, listed VLANs can also be used outside the Public Cloud environment: across BareMetal or Private Cloud products. #### Use case 1: Configure Stormshield Network Security to be used as a gateway In this example, the virtual firewall will act as a secure gateway for private instances (or any other server) within the VLAN200 of the given vRack network. Such traffic can be a subject for URL filtering on the firewall. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Create a network object for the VLAN200 by following this [part of the official Stormshield documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Create a new filter rule](https://documentation.stormshield.com/SNS/v4/en/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similar to this one to allow the traffic coming from VLAN200 to go out: -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Create a NAT rule](https://documentation.stormshield.eu/SNS/v4/en/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similar to this one: -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -281,13 +286,13 @@ Create an instance on VLAN200: openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Log-in via SSH to the SNS instance: +Log-in via SSH to the SNS EVA instance: ```bash ssh -A admin@ ``` -From the SNS instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: +From the SNS EVA instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 In this example, the Internet should be able to reach the private web server installed in VLAN200. The aim of this configuration is to protect the web server with a network firewall. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Step 1** 
@@ -320,19 +325,19 @@ In this example, the Internet should be able to reach the private web server ins >> >> Create a host object for the ubuntu-webserver: >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Step 3** >> >> Create a NAT rule like this one: >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Step 4** >> >> Create a filter rule like this one: >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Test to access the website from outside: @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn In this example, IPsec tunnel is configured to interconnect two different PCI regions: SBG7 (network VLAN200) and GRA11 (network VLAN201), but any of these sites could be a remote site such as an office or datacentre. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 and different IP ranges for the stormshield-ext and stormshield-ha subnet. ##### **Configure the first site** -- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS and add a network object for the VLAN201 remote private network. +- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS EVA and add a network object for the VLAN201 remote private network. - [Create a standard site-to-site tunnel](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 >> >> Add the local and the remote private network: >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >> > **Step 2** >> >> Create the remote gateway: >> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Step 3** >> >> Choose a pre-shared key: >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Step 4** >> >> Create and activate the tunnel: >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Step 5** >> >> Add a filter rule like this one to allow traffic through the tunnel: >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. In this example, a remote OpenVPN client will connect to the private network inside VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuring the LDAP directory** 
@@ -442,19 +447,19 @@ In this example, a remote OpenVPN client will connect to the private network ins In a production scenario, this LDAP/AD should be remote and not local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Create the user directory: -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Add a user to our local directory: -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choose a password for the new user: -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuring VPN network objects** @@ -462,17 +467,17 @@ Create two network objects for the SSL VPN client. UDP client network: -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} TCP client network: -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **SSL VPN server configuration** Configure the SSL VPN server: -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Managing user permissions** @@ -480,21 +485,21 @@ Add permission to your user to use the SSL VPN server (`Configuration` > `Users` Search your user: -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Allow SSL VPN: -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuring filter rules** Add a filter rule like this one to let VPN client access the VLAN200: -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} -##### **Synchronization of SNS instances** +##### **Synchronization of SNS EVA instances** -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -506,6 +511,7 @@ hasync > [!primary] > To test SSL/TLS connectivity, you can use any device with OpenVPN installed. This example includes testing an OpenVPN client on top of an OpenStack instance in another region. > +> In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/){.external}. Download the VPN configuration file (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). @@ -557,4 +563,4 @@ PING () 56(84) bytes of data. If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](/links/professional-services) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project. -Join our [community of users](/links/community). +Join our [community of users](/links/community). \ No newline at end of file diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-us.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-us.md index 8f3e4abe07f..a79bb85066c 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-us.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.en-us.md 
@@ -1,12 +1,12 @@ --- title: 'Securing your OVHcloud infrastructure with Stormshield Network Security' excerpt: 'Find out how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objective -In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. **S**tormshield **N**etwork **S**ecurity (SNS) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. +In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS EVA on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. 
**This guide explains how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud.** @@ -22,10 +22,10 @@ In today's rapidly evolving digital landscape, securing cloud infrastructures ha - Access to the [OVHcloud Control Panel](/links/manager) - An [OpenStack user](/pages/public_cloud/compute/create_and_delete_a_user) (optional) - Basic networking knowledge -- A Stormshield account on the [Stormshield website](https://www.stormshield.com/en/){.external} +- A Stormshield account on the [Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external} - Ensure that the vRack is enabled and configured to allow secure communication between the components of the infrastructure. - An [Additional IP address](/links/network/additional-ip) for ensuring network failover and high availability setup. -- Stormshield Network Security Licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. +- Stormshield Elastic Virtual Appliance licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. ## Instructions 
@@ -49,23 +49,23 @@ In addition to the installation and configuration of Stormshield Network Securit #### Configure your vRack -In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. +In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS EVA instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. **Add your Public Cloud project and your Additional IP block to the same vRack.** For example purposes in this guide, the IP block is `147.135.161.152/29`.
-We use the first usable IP `147.135.161.153` for the first instance of SNS and use temporally the second usable IP `147.135.161.154` for the second SNS.
+We use the first usable IP `147.135.161.153` for the first instance of SNS EVA and use temporally the second usable IP `147.135.161.154` for the second SNS EVA.
The gateway address is `147.135.161.158`. Please refer to the guide [Configuring an IP block in a vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) for more information. Below is the architecture that we are going to set up. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configure OpenStack networking -Create the private network for the SNS external interfaces: +Create the private network for the SNS EVA external interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Create the private network for the SNS internal interfaces: +Create the private network for the SNS EVA internal interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Deploy the SNS instances +#### Deploy the SNS EVA instances Go to the `download` section of the [official Stormshield website](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Log in to your Stormshield account and follow the instructions to download the Stormshield OpenStack image. -Go to the folder where you have downloaded your SNS Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): +Go to the folder where you have downloaded your SNS EVA Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Create the SNS instances (for this example, we called them `stormshield-1` and `stormshield-2`): +Create the SNS EVA instances (for this example, we called them `stormshield-1` and `stormshield-2`): ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > For performance reasons we suggest using listed VM flavors for given SNS EVA licence types: > -> - EVA1: B3-16 or B3-32 flavors -> - EVA2: B3-32 -> - EVA3: B3-32 or B3-64 -> - EVA4: B3-128 -> - EVAU: B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configure the SNS instances +#### Configure the SNS EVA instances -Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS instances. +Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS EVA instances. -Access the VNC console for both SNS instances and configure the keyboard layout and the password. +Access the VNC console for both SNS EVA instances and configure the keyboard layout and the password. -Configure the default gateway on the first SNS with our IP block gateway: +Configure the default gateway on the first SNS EVA with our IP block gateway: ```console vi /usr/Firewall/ConfigFiles/object @@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configure the external network interface on the first SNS with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: +Configure the external network interface on the first SNS EVA with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: ```console vi /usr/Firewall/ConfigFiles/network 
@@ -165,33 +165,33 @@ Apply the new network configuration: ennetwork ``` -Do the same configuration for the second SNS but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. +Do the same configuration for the second SNS EVA but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. -Add a different licence on both SNS instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Add a different licence on both SNS EVA instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Create a firewall rule similar to this on both SNS in the web GUI: +Create a firewall rule similar to this on both SNS EVA in the web GUI: -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -On the first SNS, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. +On the first SNS EVA, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -When the configuration of the HA is finished on the first SNS, join the group of firewalls on the second one: +When the configuration of the HA is finished on the first SNS EVA, join the group of firewalls on the second one: -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -The second SNS external interface will now use the same IP address as the first SNS. Therefore the `147.135.161.154` IP address can be used for something else now. +The second SNS EVA external interface will now use the same IP address as the first SNS EVA. Therefore the `147.135.161.154` IP address can be used for something else now. -If everything is configured properly, after the reboot of the second SNS, you should see something similar to this in the Health Indicators of the HA Link: +If everything is configured properly, after the reboot of the second SNS EVA, you should see something similar to this in the Health Indicators of the HA Link: -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configure and secure the SNS management +#### Configure and secure the SNS EVA management > [!tabs] > **Step 1** 
@@ -207,31 +207,36 @@ If everything is configured properly, after the reboot of the second SNS, you sh >> >> Create a host object for your public IP: >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Step 3** >> >> Restrict access to the GUI to your public IP and enable SSH: >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Step 4** >> >> Restrict SSH access to your public IP: >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Re-synchronize the HA configuration -The synchronization between the two SNS instances is crucial to ensure that both firewalls are always up to date with the same configuration. At this point, the two SNS instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. +The synchronization between the two SNS EVA instances is crucial to ensure that both firewalls are always up to date with the same configuration. This can be done through the SSH command line or directly via the graphical user interface (GUI). -Log in to the active SNS instance using SSH: +> [!primary] +> For this example, we use the SSH command line solution. If you prefer to use the GUI for synchronization, refer to the « High Availability screen » section in the [Stormshield SNS EVA documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} for detailed steps. + +At this point, the two SNS EVA instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. 
+ +Log in to the active SNS EVA instance using SSH: ```bash ssh admin@ ``` -Synchronize the two SNS: +Synchronize the two SNS EVA: ```bash hasync 
@@ -241,26 +246,26 @@ You need to do this each time you update the configuration. ### Use cases configuration -After deploying SNS **E**lastic **V**irtual **A**ppliance (EVA) firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. +After deploying SNS Elastic Virtual Appliance firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. Thanks to the vRack private network, listed VLANs can also be used outside the Public Cloud environment: across BareMetal or Private Cloud products. #### Use case 1: Configure Stormshield Network Security to be used as a gateway In this example, the virtual firewall will act as a secure gateway for private instances (or any other server) within the VLAN200 of the given vRack network. Such traffic can be a subject for URL filtering on the firewall. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Create a network object for the VLAN200 by following this [part of the official Stormshield documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Create a new filter rule](https://documentation.stormshield.com/SNS/v4/en/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similar to this one to allow the traffic coming from VLAN200 to go out: -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Create a NAT rule](https://documentation.stormshield.eu/SNS/v4/en/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similar to this one: -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -281,13 +286,13 @@ Create an instance on VLAN200: openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Log-in via SSH to the SNS instance: +Log-in via SSH to the SNS EVA instance: ```bash ssh -A admin@ ``` -From the SNS instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: +From the SNS EVA instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 In this example, the Internet should be able to reach the private web server installed in VLAN200. The aim of this configuration is to protect the web server with a network firewall. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Step 1** 
@@ -320,19 +325,19 @@ In this example, the Internet should be able to reach the private web server ins >> >> Create a host object for the ubuntu-webserver: >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Step 3** >> >> Create a NAT rule like this one: >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Step 4** >> >> Create a filter rule like this one: >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Test to access the website from outside: @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn In this example, IPsec tunnel is configured to interconnect two different PCI regions: SBG7 (network VLAN200) and GRA11 (network VLAN201), but any of these sites could be a remote site such as an office or datacentre. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 and different IP ranges for the stormshield-ext and stormshield-ha subnet. ##### **Configure the first site** -- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS and add a network object for the VLAN201 remote private network. +- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS EVA and add a network object for the VLAN201 remote private network. - [Create a standard site-to-site tunnel](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 >> >> Add the local and the remote private network: >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >> > **Step 2** >> >> Create the remote gateway: >> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Step 3** >> >> Choose a pre-shared key: >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Step 4** >> >> Create and activate the tunnel: >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Step 5** >> >> Add a filter rule like this one to allow traffic through the tunnel: >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. In this example, a remote OpenVPN client will connect to the private network inside VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuring the LDAP directory** 
@@ -442,19 +447,19 @@ In this example, a remote OpenVPN client will connect to the private network ins In a production scenario, this LDAP/AD should be remote and not local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Create the user directory: -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Add a user to our local directory: -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choose a password for the new user: -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuring VPN network objects** @@ -462,17 +467,17 @@ Create two network objects for the SSL VPN client. UDP client network: -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} TCP client network: -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **SSL VPN server configuration** Configure the SSL VPN server: -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Managing user permissions** @@ -480,21 +485,21 @@ Add permission to your user to use the SSL VPN server (`Configuration` > `Users` Search your user: -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Allow SSL VPN: -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuring filter rules** Add a filter rule like this one to let VPN client access the VLAN200: -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} -##### **Synchronization of SNS instances** +##### **Synchronization of SNS EVA instances** -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -506,6 +511,7 @@ hasync > [!primary] > To test SSL/TLS connectivity, you can use any device with OpenVPN installed. This example includes testing an OpenVPN client on top of an OpenStack instance in another region. > +> In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/){.external}. Download the VPN configuration file (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). @@ -557,4 +563,4 @@ PING () 56(84) bytes of data. If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](/links/professional-services) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project. -Join our [community of users](/links/community). +Join our [community of users](/links/community). \ No newline at end of file diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.es-es.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.es-es.md index 8f3e4abe07f..a79bb85066c 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.es-es.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.es-es.md 
@@ -1,12 +1,12 @@ --- title: 'Securing your OVHcloud infrastructure with Stormshield Network Security' excerpt: 'Find out how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objective -In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. **S**tormshield **N**etwork **S**ecurity (SNS) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. +In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS EVA on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. 
**This guide explains how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud.** @@ -22,10 +22,10 @@ In today's rapidly evolving digital landscape, securing cloud infrastructures ha - Access to the [OVHcloud Control Panel](/links/manager) - An [OpenStack user](/pages/public_cloud/compute/create_and_delete_a_user) (optional) - Basic networking knowledge -- A Stormshield account on the [Stormshield website](https://www.stormshield.com/en/){.external} +- A Stormshield account on the [Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external} - Ensure that the vRack is enabled and configured to allow secure communication between the components of the infrastructure. - An [Additional IP address](/links/network/additional-ip) for ensuring network failover and high availability setup. -- Stormshield Network Security Licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. +- Stormshield Elastic Virtual Appliance licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. ## Instructions 
@@ -49,23 +49,23 @@ In addition to the installation and configuration of Stormshield Network Securit #### Configure your vRack -In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. +In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS EVA instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. **Add your Public Cloud project and your Additional IP block to the same vRack.** For example purposes in this guide, the IP block is `147.135.161.152/29`.
-We use the first usable IP `147.135.161.153` for the first instance of SNS and use temporally the second usable IP `147.135.161.154` for the second SNS.
+We use the first usable IP `147.135.161.153` for the first instance of SNS EVA and use temporally the second usable IP `147.135.161.154` for the second SNS EVA.
The gateway address is `147.135.161.158`. Please refer to the guide [Configuring an IP block in a vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) for more information. Below is the architecture that we are going to set up. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configure OpenStack networking -Create the private network for the SNS external interfaces: +Create the private network for the SNS EVA external interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Create the private network for the SNS internal interfaces: +Create the private network for the SNS EVA internal interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Deploy the SNS instances +#### Deploy the SNS EVA instances Go to the `download` section of the [official Stormshield website](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Log in to your Stormshield account and follow the instructions to download the Stormshield OpenStack image. -Go to the folder where you have downloaded your SNS Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): +Go to the folder where you have downloaded your SNS EVA Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Create the SNS instances (for this example, we called them `stormshield-1` and `stormshield-2`): +Create the SNS EVA instances (for this example, we called them `stormshield-1` and `stormshield-2`): ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > For performance reasons we suggest using listed VM flavors for given SNS EVA licence types: > -> - EVA1: B3-16 or B3-32 flavors -> - EVA2: B3-32 -> - EVA3: B3-32 or B3-64 -> - EVA4: B3-128 -> - EVAU: B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configure the SNS instances +#### Configure the SNS EVA instances -Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS instances. +Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS EVA instances. -Access the VNC console for both SNS instances and configure the keyboard layout and the password. +Access the VNC console for both SNS EVA instances and configure the keyboard layout and the password. -Configure the default gateway on the first SNS with our IP block gateway: +Configure the default gateway on the first SNS EVA with our IP block gateway: ```console vi /usr/Firewall/ConfigFiles/object @@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configure the external network interface on the first SNS with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: +Configure the external network interface on the first SNS EVA with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: ```console vi /usr/Firewall/ConfigFiles/network 
@@ -165,33 +165,33 @@ Apply the new network configuration: ennetwork ``` -Do the same configuration for the second SNS but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. +Do the same configuration for the second SNS EVA but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. -Add a different licence on both SNS instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Add a different licence on both SNS EVA instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Create a firewall rule similar to this on both SNS in the web GUI: +Create a firewall rule similar to this on both SNS EVA in the web GUI: -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -On the first SNS, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. +On the first SNS EVA, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -When the configuration of the HA is finished on the first SNS, join the group of firewalls on the second one: +When the configuration of the HA is finished on the first SNS EVA, join the group of firewalls on the second one: -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -The second SNS external interface will now use the same IP address as the first SNS. Therefore the `147.135.161.154` IP address can be used for something else now. +The second SNS EVA external interface will now use the same IP address as the first SNS EVA. Therefore the `147.135.161.154` IP address can be used for something else now. -If everything is configured properly, after the reboot of the second SNS, you should see something similar to this in the Health Indicators of the HA Link: +If everything is configured properly, after the reboot of the second SNS EVA, you should see something similar to this in the Health Indicators of the HA Link: -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configure and secure the SNS management +#### Configure and secure the SNS EVA management > [!tabs] > **Step 1** 
@@ -207,31 +207,36 @@ If everything is configured properly, after the reboot of the second SNS, you sh >> >> Create a host object for your public IP: >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Step 3** >> >> Restrict access to the GUI to your public IP and enable SSH: >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Step 4** >> >> Restrict SSH access to your public IP: >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Re-synchronize the HA configuration -The synchronization between the two SNS instances is crucial to ensure that both firewalls are always up to date with the same configuration. At this point, the two SNS instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. +The synchronization between the two SNS EVA instances is crucial to ensure that both firewalls are always up to date with the same configuration. This can be done through the SSH command line or directly via the graphical user interface (GUI). -Log in to the active SNS instance using SSH: +> [!primary] +> For this example, we use the SSH command line solution. If you prefer to use the GUI for synchronization, refer to the « High Availability screen » section in the [Stormshield SNS EVA documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} for detailed steps. + +At this point, the two SNS EVA instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. 
+ +Log in to the active SNS EVA instance using SSH: ```bash ssh admin@ ``` -Synchronize the two SNS: +Synchronize the two SNS EVA: ```bash hasync 
@@ -241,26 +246,26 @@ You need to do this each time you update the configuration. ### Use cases configuration -After deploying SNS **E**lastic **V**irtual **A**ppliance (EVA) firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. +After deploying SNS Elastic Virtual Appliance firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. Thanks to the vRack private network, listed VLANs can also be used outside the Public Cloud environment: across BareMetal or Private Cloud products. #### Use case 1: Configure Stormshield Network Security to be used as a gateway In this example, the virtual firewall will act as a secure gateway for private instances (or any other server) within the VLAN200 of the given vRack network. Such traffic can be a subject for URL filtering on the firewall. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Create a network object for the VLAN200 by following this [part of the official Stormshield documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Create a new filter rule](https://documentation.stormshield.com/SNS/v4/en/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similar to this one to allow the traffic coming from VLAN200 to go out: -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Create a NAT rule](https://documentation.stormshield.eu/SNS/v4/en/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similar to this one: -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -281,13 +286,13 @@ Create an instance on VLAN200: openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Log-in via SSH to the SNS instance: +Log-in via SSH to the SNS EVA instance: ```bash ssh -A admin@ ``` -From the SNS instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: +From the SNS EVA instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 In this example, the Internet should be able to reach the private web server installed in VLAN200. The aim of this configuration is to protect the web server with a network firewall. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Step 1** 
@@ -320,19 +325,19 @@ In this example, the Internet should be able to reach the private web server ins >> >> Create a host object for the ubuntu-webserver: >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Step 3** >> >> Create a NAT rule like this one: >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Step 4** >> >> Create a filter rule like this one: >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Test to access the website from outside: @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn In this example, IPsec tunnel is configured to interconnect two different PCI regions: SBG7 (network VLAN200) and GRA11 (network VLAN201), but any of these sites could be a remote site such as an office or datacentre. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 and different IP ranges for the stormshield-ext and stormshield-ha subnet. ##### **Configure the first site** -- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS and add a network object for the VLAN201 remote private network. +- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS EVA and add a network object for the VLAN201 remote private network. - [Create a standard site-to-site tunnel](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 >> >> Add the local and the remote private network: >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >> > **Step 2** >> >> Create the remote gateway: >> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Step 3** >> >> Choose a pre-shared key: >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Step 4** >> >> Create and activate the tunnel: >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Step 5** >> >> Add a filter rule like this one to allow traffic through the tunnel: >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. In this example, a remote OpenVPN client will connect to the private network inside VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuring the LDAP directory** 
@@ -442,19 +447,19 @@ In this example, a remote OpenVPN client will connect to the private network ins In a production scenario, this LDAP/AD should be remote and not local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Create the user directory: -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Add a user to our local directory: -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choose a password for the new user: -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuring VPN network objects** @@ -462,17 +467,17 @@ Create two network objects for the SSL VPN client. UDP client network: -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} TCP client network: -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **SSL VPN server configuration** Configure the SSL VPN server: -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Managing user permissions** @@ -480,21 +485,21 @@ Add permission to your user to use the SSL VPN server (`Configuration` > `Users` Search your user: -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Allow SSL VPN: -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuring filter rules** Add a filter rule like this one to let VPN client access the VLAN200: -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} -##### **Synchronization of SNS instances** +##### **Synchronization of SNS EVA instances** -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -506,6 +511,7 @@ hasync > [!primary] > To test SSL/TLS connectivity, you can use any device with OpenVPN installed. This example includes testing an OpenVPN client on top of an OpenStack instance in another region. > +> In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/){.external}. Download the VPN configuration file (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). @@ -557,4 +563,4 @@ PING () 56(84) bytes of data. If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](/links/professional-services) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project. -Join our [community of users](/links/community). +Join our [community of users](/links/community). \ No newline at end of file diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.es-us.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.es-us.md index 8f3e4abe07f..a79bb85066c 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.es-us.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.es-us.md 
@@ -1,12 +1,12 @@ --- title: 'Securing your OVHcloud infrastructure with Stormshield Network Security' excerpt: 'Find out how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objective -In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. **S**tormshield **N**etwork **S**ecurity (SNS) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. +In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS EVA on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. 
**This guide explains how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud.** @@ -22,10 +22,10 @@ In today's rapidly evolving digital landscape, securing cloud infrastructures ha - Access to the [OVHcloud Control Panel](/links/manager) - An [OpenStack user](/pages/public_cloud/compute/create_and_delete_a_user) (optional) - Basic networking knowledge -- A Stormshield account on the [Stormshield website](https://www.stormshield.com/en/){.external} +- A Stormshield account on the [Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external} - Ensure that the vRack is enabled and configured to allow secure communication between the components of the infrastructure. - An [Additional IP address](/links/network/additional-ip) for ensuring network failover and high availability setup. -- Stormshield Network Security Licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. +- Stormshield Elastic Virtual Appliance licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. ## Instructions 
@@ -49,23 +49,23 @@ In addition to the installation and configuration of Stormshield Network Securit #### Configure your vRack -In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. +In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS EVA instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. **Add your Public Cloud project and your Additional IP block to the same vRack.** For example purposes in this guide, the IP block is `147.135.161.152/29`.
-We use the first usable IP `147.135.161.153` for the first instance of SNS and use temporally the second usable IP `147.135.161.154` for the second SNS.
+We use the first usable IP `147.135.161.153` for the first instance of SNS EVA and use temporally the second usable IP `147.135.161.154` for the second SNS EVA.
The gateway address is `147.135.161.158`. Please refer to the guide [Configuring an IP block in a vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) for more information. Below is the architecture that we are going to set up. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configure OpenStack networking -Create the private network for the SNS external interfaces: +Create the private network for the SNS EVA external interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Create the private network for the SNS internal interfaces: +Create the private network for the SNS EVA internal interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Deploy the SNS instances +#### Deploy the SNS EVA instances Go to the `download` section of the [official Stormshield website](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Log in to your Stormshield account and follow the instructions to download the Stormshield OpenStack image. -Go to the folder where you have downloaded your SNS Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): +Go to the folder where you have downloaded your SNS EVA Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Create the SNS instances (for this example, we called them `stormshield-1` and `stormshield-2`): +Create the SNS EVA instances (for this example, we called them `stormshield-1` and `stormshield-2`): ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > For performance reasons we suggest using listed VM flavors for given SNS EVA licence types: > -> - EVA1: B3-16 or B3-32 flavors -> - EVA2: B3-32 -> - EVA3: B3-32 or B3-64 -> - EVA4: B3-128 -> - EVAU: B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configure the SNS instances +#### Configure the SNS EVA instances -Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS instances. +Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS EVA instances. -Access the VNC console for both SNS instances and configure the keyboard layout and the password. +Access the VNC console for both SNS EVA instances and configure the keyboard layout and the password. -Configure the default gateway on the first SNS with our IP block gateway: +Configure the default gateway on the first SNS EVA with our IP block gateway: ```console vi /usr/Firewall/ConfigFiles/object @@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configure the external network interface on the first SNS with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: +Configure the external network interface on the first SNS EVA with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: ```console vi /usr/Firewall/ConfigFiles/network 
@@ -165,33 +165,33 @@ Apply the new network configuration: ennetwork ``` -Do the same configuration for the second SNS but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. +Do the same configuration for the second SNS EVA but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. -Add a different licence on both SNS instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Add a different licence on both SNS EVA instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Create a firewall rule similar to this on both SNS in the web GUI: +Create a firewall rule similar to this on both SNS EVA in the web GUI: -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -On the first SNS, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. +On the first SNS EVA, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -When the configuration of the HA is finished on the first SNS, join the group of firewalls on the second one: +When the configuration of the HA is finished on the first SNS EVA, join the group of firewalls on the second one: -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -The second SNS external interface will now use the same IP address as the first SNS. Therefore the `147.135.161.154` IP address can be used for something else now. +The second SNS EVA external interface will now use the same IP address as the first SNS EVA. Therefore the `147.135.161.154` IP address can be used for something else now. -If everything is configured properly, after the reboot of the second SNS, you should see something similar to this in the Health Indicators of the HA Link: +If everything is configured properly, after the reboot of the second SNS EVA, you should see something similar to this in the Health Indicators of the HA Link: -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configure and secure the SNS management +#### Configure and secure the SNS EVA management > [!tabs] > **Step 1** 
@@ -207,31 +207,36 @@ If everything is configured properly, after the reboot of the second SNS, you sh >> >> Create a host object for your public IP: >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Step 3** >> >> Restrict access to the GUI to your public IP and enable SSH: >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Step 4** >> >> Restrict SSH access to your public IP: >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Re-synchronize the HA configuration -The synchronization between the two SNS instances is crucial to ensure that both firewalls are always up to date with the same configuration. At this point, the two SNS instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. +The synchronization between the two SNS EVA instances is crucial to ensure that both firewalls are always up to date with the same configuration. This can be done through the SSH command line or directly via the graphical user interface (GUI). -Log in to the active SNS instance using SSH: +> [!primary] +> For this example, we use the SSH command line solution. If you prefer to use the GUI for synchronization, refer to the « High Availability screen » section in the [Stormshield SNS EVA documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} for detailed steps. + +At this point, the two SNS EVA instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. 
+ +Log in to the active SNS EVA instance using SSH: ```bash ssh admin@ ``` -Synchronize the two SNS: +Synchronize the two SNS EVA: ```bash hasync 
@@ -241,26 +246,26 @@ You need to do this each time you update the configuration. ### Use cases configuration -After deploying SNS **E**lastic **V**irtual **A**ppliance (EVA) firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. +After deploying SNS Elastic Virtual Appliance firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. Thanks to the vRack private network, listed VLANs can also be used outside the Public Cloud environment: across BareMetal or Private Cloud products. #### Use case 1: Configure Stormshield Network Security to be used as a gateway In this example, the virtual firewall will act as a secure gateway for private instances (or any other server) within the VLAN200 of the given vRack network. Such traffic can be a subject for URL filtering on the firewall. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Create a network object for the VLAN200 by following this [part of the official Stormshield documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Create a new filter rule](https://documentation.stormshield.com/SNS/v4/en/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similar to this one to allow the traffic coming from VLAN200 to go out: -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Create a NAT rule](https://documentation.stormshield.eu/SNS/v4/en/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similar to this one: -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -281,13 +286,13 @@ Create an instance on VLAN200: openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Log-in via SSH to the SNS instance: +Log-in via SSH to the SNS EVA instance: ```bash ssh -A admin@ ``` -From the SNS instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: +From the SNS EVA instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 In this example, the Internet should be able to reach the private web server installed in VLAN200. The aim of this configuration is to protect the web server with a network firewall. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Step 1** 
@@ -320,19 +325,19 @@ In this example, the Internet should be able to reach the private web server ins >> >> Create a host object for the ubuntu-webserver: >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Step 3** >> >> Create a NAT rule like this one: >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Step 4** >> >> Create a filter rule like this one: >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Test to access the website from outside: @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn In this example, IPsec tunnel is configured to interconnect two different PCI regions: SBG7 (network VLAN200) and GRA11 (network VLAN201), but any of these sites could be a remote site such as an office or datacentre. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 and different IP ranges for the stormshield-ext and stormshield-ha subnet. ##### **Configure the first site** -- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS and add a network object for the VLAN201 remote private network. +- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS EVA and add a network object for the VLAN201 remote private network. - [Create a standard site-to-site tunnel](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 >> >> Add the local and the remote private network: >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >> > **Step 2** >> >> Create the remote gateway: >> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Step 3** >> >> Choose a pre-shared key: >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Step 4** >> >> Create and activate the tunnel: >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Step 5** >> >> Add a filter rule like this one to allow traffic through the tunnel: >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. In this example, a remote OpenVPN client will connect to the private network inside VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuring the LDAP directory** 
@@ -442,19 +447,19 @@ In this example, a remote OpenVPN client will connect to the private network ins In a production scenario, this LDAP/AD should be remote and not local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Create the user directory: -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Add a user to our local directory: -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choose a password for the new user: -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuring VPN network objects** @@ -462,17 +467,17 @@ Create two network objects for the SSL VPN client. UDP client network: -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} TCP client network: -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **SSL VPN server configuration** Configure the SSL VPN server: -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Managing user permissions** @@ -480,21 +485,21 @@ Add permission to your user to use the SSL VPN server (`Configuration` > `Users` Search your user: -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Allow SSL VPN: -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuring filter rules** Add a filter rule like this one to let VPN client access the VLAN200: -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} -##### **Synchronization of SNS instances** +##### **Synchronization of SNS EVA instances** -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -506,6 +511,7 @@ hasync > [!primary] > To test SSL/TLS connectivity, you can use any device with OpenVPN installed. This example includes testing an OpenVPN client on top of an OpenStack instance in another region. > +> In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/){.external}. Download the VPN configuration file (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). @@ -557,4 +563,4 @@ PING () 56(84) bytes of data. If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](/links/professional-services) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project. -Join our [community of users](/links/community). +Join our [community of users](/links/community). \ No newline at end of file diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.fr-ca.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.fr-ca.md index 3e98b789e5d..9e14e8ada62 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.fr-ca.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.fr-ca.md 
@@ -1,12 +1,12 @@ --- title: 'Sécuriser votre infrastructure OVHcloud avec Stormshield Network Security' excerpt: 'Découvrez comment sécuriser votre infrastructure OVHcloud avec Stormshield Network Security déployé sur Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objectif -Dans le paysage numérique actuel en constante évolution, la sécurisation de l'infrastructure cloud est devenue une priorité absolue pour les organisations de toutes tailles. Alors que les entreprises dépendent de plus en plus des solutions cloud pour leurs opérations, assurer la protection des données sensibles et maintenir l'intégrité du réseau est une tâche critique. **S**tormshield **N**etwork **S**ecurity (SNS) est une solution de sécurité complète conçue pour protéger les environnements cloud contre un large éventail de menaces. Ce guide fournit des instructions pas à pas pour déployer et configurer SNS sur le Public Cloud d'OVHcloud avec le vRack et le routage IP public, couvrant les fonctionnalités clés telles que les pare-feu réseau, les VPN IPSec et les VPN SSL/TLS. En suivant ce guide, vous renforcerez la sécurité de votre infrastructure Public Cloud OVHcloud et assurerez la sécurité de vos opérations. +Dans le paysage numérique actuel en constante évolution, la sécurisation de l'infrastructure cloud est devenue une priorité absolue pour les organisations de toutes tailles. Alors que les entreprises dépendent de plus en plus des solutions cloud pour leurs opérations, assurer la protection des données sensibles et maintenir l'intégrité du réseau est une tâche critique. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) est une solution de sécurité complète conçue pour protéger les environnements cloud contre un large éventail de menaces. 
Ce guide fournit des instructions pas à pas pour déployer et configurer SNS EVA sur le Public Cloud d'OVHcloud avec le vRack et le routage IP public, couvrant les fonctionnalités clés telles que les pare-feu réseau, les VPN IPSec et les VPN SSL/TLS. En suivant ce guide, vous renforcerez la sécurité de votre infrastructure Public Cloud OVHcloud et assurerez la sécurité de vos opérations. **Ce guide explique comment sécuriser votre infrastructure OVHcloud avec Stormshield Network Security déployé sur Public Cloud.** @@ -22,10 +22,10 @@ Dans le paysage numérique actuel en constante évolution, la sécurisation de l - Être connecté à l'[espace client OVHcloud](/links/manager). - Un [utilisateur OpenStack](/pages/public_cloud/compute/create_and_delete_a_user) (facultatif). - Des connaissances de base en réseau. -- Un compte Stormshield créé via le [site Stormshield](https://www.stormshield.com/fr/){.external}. +- Un compte Stormshield créé via le [site Stormshield](https://documentation.stormshield.eu/SNS/v4/fr/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. - S'assurer que le vRack est activé et configuré pour permettre une communication sécurisée entre les composants de l'infrastructure. - Une adresse [Additional IP](/links/network/additional-ip) pour permettre le failover et la configuration de la haute disponibilité. -- Une licence Stormshield Network Security BYOL (**B**ring **Y**our **O**wn **L**icence), obtenue auprès de [partenaires ou revendeurs tiers](https://www.stormshield.com/partner/partner-finder/){.external}, que vous devrez fournir lors de l'installation et de la configuration. +- Une licence Stormshield Elastic Virtual Appliance BYOL (**B**ring **Y**our **O**wn **L**icence), obtenue auprès de [partenaires ou revendeurs tiers](https://www.stormshield.com/partner/partner-finder/){.external}, que vous devrez fournir lors de l'installation et de la configuration. ## En pratique 
@@ -40,7 +40,7 @@ En plus de l'installation et de la configuration de Stormshield Network Security ### Installer et configurer Stormshield Network Security sur votre environnement Public Cloud > [!primary] -> Dans ce tutoriel, l'installation et la configuration de Stormshield Network Security (SNS) s'effectuent principalement via la ligne de commande. Ouvrez un terminal pour exécuter les instructions. +> Dans ce tutoriel, l'installation et la configuration de Stormshield SNS EVA s'effectuent principalement via la ligne de commande. Ouvrez un terminal pour exécuter les instructions. > > Veuillez noter que toutes les rubriques relatives à la « Haute disponibilité » ou à « Stormshield-2 » sont facultatives, de même que l'utilisation du réseau vRack avec Additional IP. Ils sont inclus pour montrer comment mettre en place le système avec deux instances en mode actif/passif pour une haute disponibilité. Dans une version minimale, il peut également fonctionner avec une seule instance si cela suffit à vos besoins. 
@@ -49,23 +49,23 @@ En plus de l'installation et de la configuration de Stormshield Network Security #### Configurer votre vRack -Dans cette étape, nous configurons le vRack, un réseau virtuel privé fourni par OVHcloud. Le vRack vous permet d'interconnecter plusieurs instances ou serveurs au sein d'un environnement Public Cloud, assurant ainsi l'isolation du réseau tout en maintenant une communication sécurisée. En ajoutant votre projet Public Cloud et votre bloc Additional IP au même vRack, vous pouvez permettre à vos instances SNS de communiquer de manière sécurisée, tout en gardant le contrôle total de la gestion des adresses IP. Le réseau privé vRack vous permet également de sécuriser des serveurs Bare Metal Cloud ou des VM Private Cloud avec des appliances de sécurité déployées sur le Public Cloud. +Dans cette étape, nous configurons le vRack, un réseau virtuel privé fourni par OVHcloud. Le vRack vous permet d'interconnecter plusieurs instances ou serveurs au sein d'un environnement Public Cloud, assurant ainsi l'isolation du réseau tout en maintenant une communication sécurisée. En ajoutant votre projet Public Cloud et votre bloc Additional IP au même vRack, vous pouvez permettre à vos instances SNS EVA de communiquer de manière sécurisée, tout en gardant le contrôle total de la gestion des adresses IP. Le réseau privé vRack vous permet également de sécuriser des serveurs Bare Metal Cloud ou des VM Private Cloud avec des appliances de sécurité déployées sur le Public Cloud. **Ajouter votre projet Public Cloud et votre bloc Additional IP au même vRack.** A des fins d'exemple pour ce guide, le bloc IP est `147.135.161.152/29`.
-Nous utilisons la première IP utilisable `147.135.161.153` pour la première instance de SNS et nous utilisons temporairement la seconde IP utilisable `147.135.161.154` pour le second SNS.
+Nous utilisons la première IP utilisable `147.135.161.153` pour la première instance de SNS EVA et nous utilisons temporairement la seconde IP utilisable `147.135.161.154` pour le second SNS EVA.
L'adresse de la passerelle est `147.135.161.158`. Reportez-vous au guide « [Configurer un bloc IP dans un vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) » pour plus d'informations. Voici ci-dessous l'architecture que nous allons mettre en place. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configurer le réseau OpenStack -Créez le réseau privé pour les interfaces externes SNS : +Créez le réseau privé pour les interfaces externes SNS EVA : ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Créez le réseau privé pour les interfaces internes du SNS : +Créez le réseau privé pour les interfaces internes du SNS EVA : ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 @@ -85,7 +85,7 @@ openstack network create --provider-network-type vrack --provider-segment 200 -- openstack subnet create --network stormshield-vlan200 --subnet-range 10.200.0.0/16 --dhcp --dns-nameserver stormshield-vlan200 ``` -Créez le réseau privé pour les interfaces SNS HA (**H**igh **A**vailability) : +Créez le réseau privé pour les interfaces SNS EVA HA (**H**igh **A**vailability) : ```bash openstack network create --provider-network-type vrack --provider-segment 199 --disable-port-security stormshield-ha 
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Déployer les instances SNS +#### Déployer les instances SNS EVA Rendez-vous dans la section `download` du [site officiel de Stormshield](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Connectez-vous à votre compte Stormshield et suivez les instructions pour télécharger l'image Stormshield OpenStack. -Rendez-vous dans le dossier où vous avez téléchargé votre image SNS Openstack et importez l'image (pour ce tutoriel, nous utilisons l'image `utm-SNS-EVA-4.8.3-openstack.qcow2`) : +Rendez-vous dans le dossier où vous avez téléchargé votre image SNS EVA Openstack et importez l'image (pour ce tutoriel, nous utilisons l'image `utm-SNS-EVA-4.8.3-openstack.qcow2`) : ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Créez les instances SNS (dans cet exemple, nous les avons appelées `stormshield-1` et `stormshield-2`) : +Créez les instances SNS EVA (dans cet exemple, nous les avons appelées `stormshield-1` et `stormshield-2`) : ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > Pour des raisons de performances, nous vous suggérons d'utiliser les versions de machines virtuelles répertoriées pour des types de licence SNS EVA donnés : > -> - EVA1 : versions B3-16 ou B3-32 -> - EVA2 : B3-32 -> - EVA3 : B3-32 ou B3-64 -> - EVA4 : B3-128 -> - EVAU : B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configurer les instances SNS +#### Configurer les instances SNS EVA -Connectez-vous à l'[espace client OVHcloud](/links/manager), rendez-vous dans la section `Public Cloud`{.action}, puis sélectionnez le projet Public Cloud concerné. Dans le menu de gauche, cliquez sur `Instances`{.action} sous l'onglet **Compute**, puis retrouvez vos deux instances SNS. +Connectez-vous à l'[espace client OVHcloud](/links/manager), rendez-vous dans la section `Public Cloud`{.action}, puis sélectionnez le projet Public Cloud concerné. Dans le menu de gauche, cliquez sur `Instances`{.action} sous l'onglet **Compute**, puis retrouvez vos deux instances SNS EVA. -Accédez à la console VNC pour les deux instances SNS et configurez la disposition du clavier ainsi que le mot de passe. +Accédez à la console VNC pour les deux instances SNS EVA et configurez la disposition du clavier ainsi que le mot de passe. -Configurez la passerelle par défaut sur le premier SNS avec notre passerelle de bloc IP : +Configurez la passerelle par défaut sur le premier SNS EVA avec notre passerelle de bloc IP : ```console vi /usr/Firewall/ConfigFiles/object 
@@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configurez l'interface réseau externe sur le premier SNS avec la première adresse IP utilisable de notre bloc IP et l'interface réseau interne avec l'adresse IP `10.200.0.1` : +Configurez l'interface réseau externe sur le premier SNS EVA avec la première adresse IP utilisable de notre bloc IP et l'interface réseau interne avec l'adresse IP `10.200.0.1` : ```console vi /usr/Firewall/ConfigFiles/network 
@@ -165,33 +165,33 @@ Appliquez la nouvelle configuration réseau : ennetwork ``` -Effectuez la même configuration pour le second SNS mais avec la seconde adresse IP `147.135.161.154` de notre bloc IP pour l'interface externe au lieu de `147.135.161.153`. +Effectuez la même configuration pour le second SNS EVA mais avec la seconde adresse IP `147.135.161.154` de notre bloc IP pour l'interface externe au lieu de `147.135.161.153`. -Ajoutez une licence différente sur les deux instances SNS en suivant la [documentation officielle](https://documentation.stormshield.eu/SNS/v4/fr/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Ajoutez une licence différente sur les deux instances SNS EVA en suivant la [documentation officielle](https://documentation.stormshield.eu/SNS/v4/fr/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Créez une règle de pare-feu similaire à celle-ci sur les deux SNS dans l'interface graphique Web : +Créez une règle de pare-feu similaire à celle-ci sur les deux SNS EVA dans l'interface graphique Web : -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -Sur le premier SNS, créez un groupe de pare-feu (`Configuration` > `System` > `High Availability`). Concernant l'adresse IP, vérifiez quelle IP a été assignée à l'interface HA par le DHCP OpenStack. +Sur le premier SNS EVA, créez un groupe de pare-feu (`Configuration` > `System` > `High Availability`). Concernant l'adresse IP, vérifiez quelle IP a été assignée à l'interface HA par le DHCP OpenStack. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -Lorsque la configuration de la HA est terminée sur le premier SNS, rejoignez le groupe de pare-feu sur le second : +Lorsque la configuration de la HA est terminée sur le premier SNS EVA, rejoignez le groupe de pare-feu sur le second : -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -La seconde interface externe du SNS utilisera désormais la même adresse IP que la première. Par conséquent, l'adresse IP `147.135.161.154` peut dorénavant être utilisée à d'autres fins. +La seconde interface externe du SNS EVA utilisera désormais la même adresse IP que la première. Par conséquent, l'adresse IP `147.135.161.154` peut dorénavant être utilisée à d'autres fins. -Si tout est configuré correctement, après le redémarrage du second SNS, vous devriez voir quelque chose de similaire dans les indicateurs d'intégrité du lien HA : +Si tout est configuré correctement, après le redémarrage du second SNS EVA, vous devriez voir quelque chose de similaire dans les indicateurs d'intégrité du lien HA : -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configurer et sécuriser la gestion du SNS +#### Configurer et sécuriser la gestion du SNS EVA > [!tabs] > **Étape 1** 
@@ -207,31 +207,36 @@ Si tout est configuré correctement, après le redémarrage du second SNS, vous >> >> Créez un objet hôte pour votre adresse IP publique : >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Étape 3** >> >> Limitez l'accès à l'interface graphique à votre adresse IP publique et activez le SSH : >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Étape 4** >> >> Limitez l'accès au SSH à votre adresse IP publique : >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Resynchroniser la configuration HA -La synchronisation entre les deux instances SNS est cruciale pour s'assurer que les deux pare-feux sont toujours à jour avec la même configuration. À ce stade, les deux instances SNS ne doivent plus être synchronisées, car nous avons configuré un grand nombre de paramètres sur la première instance dont la seconde n'a pas connaissance. +La synchronisation entre les deux instances SNS EVA est cruciale pour s'assurer que les deux pare-feux sont toujours à jour avec la même configuration. Cela peut se faire via la ligne de commande SSH ou directement via l'interface utilisateur graphique (GUI). -Connectez-vous en SSH à l'instance SNS active : +> [!primary] +> Pour cet exemple, nous utilisons la solution en ligne de commande SSH. Si vous préférez utiliser l’interface utilisateur graphique pour la synchronisation, reportez-vous à la section « Écran de la Haute disponibilité » de la [documentation de Stormshield SNS EVA](https://documentation.stormshield.eu/SNS/v4/fr/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} pour connaître les étapes détaillées. 
+ +À ce stade, les deux instances SNS EVA ne doivent plus être synchronisées, car nous avons configuré un grand nombre de paramètres sur la première instance dont la seconde n'a pas connaissance. + +Connectez-vous en SSH à l'instance SNS EVA active : ```bash ssh admin@ ``` -Synchronisez les deux SNS : +Synchronisez les deux SNS EVA : ```bash hasync 
@@ -241,26 +246,26 @@ Cette manipulation est nécessaire à chaque mise à jour de la configuration. ### Configurations de cas d'usages -Après avoir déployé le firewall SNS **E**lastic **V**irtual **A**ppliance (EVA), il peut être utilisé dans plusieurs scénarios de sécurité avancés tels que VPN IPsec, VPN SSL/TLS, passerelles réseau (IN ou OUT) comme décrit ci-dessous. +Après avoir déployé le firewall SNS EVA, il peut être utilisé dans plusieurs scénarios de sécurité avancés tels que VPN IPsec, VPN SSL/TLS, passerelles réseau (IN ou OUT) comme décrit ci-dessous. Grâce au réseau privé vRack, les VLAN listés peuvent également être utilisés en dehors de l'environnement Public Cloud : sur les produits BareMetal ou Private Cloud. #### Cas d'usage n°1 : configurer Stormshield Network Security pour une utilisation en tant que passerelle Dans cet exemple, le pare-feu virtuel agira comme une passerelle sécurisée pour les instances privées (ou tout autre serveur) au sein du VLAN200 du réseau vRack donné. Ce type de trafic peut faire l'objet d'un filtrage d'URL sur le pare-feu. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Créez un objet réseau pour le VLAN200 en suivant [cette partie de la documentation officielle de Stormshield](https://documentation.stormshield.eu/SNS/v4/fr/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Créez une nouvelle règle de filtrage](https://documentation.stormshield.com/SNS/v4/fr/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similaire à celle-ci pour permettre au trafic provenant du VLAN200 de sortir : -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Créez une règle NAT](https://documentation.stormshield.eu/SNS/v4/fr/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similaire à celle-ci : -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronisez les deux instances HA SNS : +Synchronisez les deux instances HA SNS EVA : ```bash ssh admin@ @@ -281,13 +286,13 @@ Créez une instance sur le VLAN200 : openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Connectez-vous en SSH à l'instance SNS : +Connectez-vous en SSH à l'instance SNS EVA : ```bash ssh -A admin@ ``` -Depuis l'instance SNS, connectez-vous en SSH au serveur web Ubuntu. Vérifiez quelle adresse IP a été assignée à votre instance de serveur web Ubuntu par le DHCP OpenStack : +Depuis l'instance SNS EVA, connectez-vous en SSH au serveur web Ubuntu. Vérifiez quelle adresse IP a été assignée à votre instance de serveur web Ubuntu par le DHCP OpenStack : ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 Dans cet exemple, Internet doit pouvoir atteindre le serveur web privé installé sur le VLAN200. Le but de cette configuration est de protéger le serveur web avec un pare-feu réseau. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Étape 1** 
@@ -320,19 +325,19 @@ Dans cet exemple, Internet doit pouvoir atteindre le serveur web privé install >> >> Créez un objet hôte pour l'instance ubuntu-webserver : >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Étape 3** >> >> Créez une règle NAT similaire à celle-ci : >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Étape 4** >> >> Créez une règle de filtrage similaire à celle-ci : >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Testez l'accès au site web depuis l'extérieur : @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronisez les deux instances HA SNS : +Synchronisez les deux instances HA SNS EVA : ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn Dans cet exemple, le tunnel IPsec est configuré pour interconnecter deux régions PCI différentes : SBG7 (réseau VLAN200) et GRA11 (réseau VLAN201), mais chacun de ces sites peut être un site distant tel qu'un bureau ou un datacenter. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Répétez toutes les étapes dans une autre région en utilisant le VLAN 201 au lieu du VLAN 200 et des plages d'IP différentes pour les sous-réseaux Stormshield-ext et Stormshield-ha. ##### **Configurer le premier site** -- [Ajoutez un objet hôte](https://documentation.stormshield.eu/SNS/v4/fr/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} pour le SNS distant et ajoutez un objet réseau pour le réseau privé distant VLAN201. +- [Ajoutez un objet hôte](https://documentation.stormshield.eu/SNS/v4/fr/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} pour le SNS EVA distant et ajoutez un objet réseau pour le réseau privé distant VLAN201. - [Créez un tunnel de site à site standard](https://documentation.stormshield.eu/SNS/v4/fr/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Répétez toutes les étapes dans une autre région en utilisant le VLAN 201 au >> >> Ajoutez le réseau privé local et le réseau privé distant : >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >>> > **Étape 2** >> >> Créez la passerelle distante : >>> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Étape 3** >> >> Choisissez une clé pré-partagée : >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Étape 4** >> >> Créez et activez le tunnel : >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Étape 5** >> >> Ajoutez une règle de filtrage comme celle-ci pour autoriser le trafic à travers le tunnel : >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronisez les deux instances HA SNS : +Synchronisez les deux instances HA SNS EVA : ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. Dans cet exemple, un client OpenVPN distant se connectera au réseau privé à l'intérieur du VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuration du répertoire LDAP** 
@@ -442,19 +447,19 @@ Dans cet exemple, un client OpenVPN distant se connectera au réseau privé à l Dans un scénario de production, ce LDAP/AD doit être distant et non local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Créez l'annuaire des utilisateurs : -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Ajoutez un utilisateur à notre annuaire local : -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choisissez un mot de passe pour le nouvel utilisateur : -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuration des objets réseau VPN** @@ -462,17 +467,17 @@ Créez deux objets réseau pour le client VPN SSL. Réseau client UDP : -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} Réseau client TCP : -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **Configuration du serveur VPN SSL** Configurez le serveur VPN SSL : -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Gestion des droits des utilisateurs** 
@@ -480,21 +485,21 @@ Ajoutez à votre utilisateur l'autorisation d'utiliser le serveur VPN SSL (`Conf Recherchez votre utilisateur : -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Autorisez VPN SSL : -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuration des règles de filtrage** Ajoutez une règle de filtrage comme celle-ci pour permettre au client VPN d'accéder au VLAN200 : -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} ##### **Synchronisation des instances SNS** -Synchronisez les deux instances HA SNS : +Synchronisez les deux instances HA SNS EVA : ```bash ssh admin@ @@ -506,6 +511,7 @@ hasync > [!primary] > Pour tester la connectivité SSL/TLS, utilisez n'importe quel appareil sur lequel OpenVPN est installé. Cet exemple inclut le test d'un client OpenVPN au-dessus d'une instance OpenStack dans une autre région. > +> Dans cet exemple, nous utilisons le client OpenVPN, mais vous pouvez également utiliser la [version packagée par Stormshield](https://vpn.stormshield.eu/){.external}. Téléchargez le fichier de configuration VPN (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.fr-fr.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.fr-fr.md index 3e98b789e5d..9e14e8ada62 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.fr-fr.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.fr-fr.md 
@@ -1,12 +1,12 @@ --- title: 'Sécuriser votre infrastructure OVHcloud avec Stormshield Network Security' excerpt: 'Découvrez comment sécuriser votre infrastructure OVHcloud avec Stormshield Network Security déployé sur Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objectif -Dans le paysage numérique actuel en constante évolution, la sécurisation de l'infrastructure cloud est devenue une priorité absolue pour les organisations de toutes tailles. Alors que les entreprises dépendent de plus en plus des solutions cloud pour leurs opérations, assurer la protection des données sensibles et maintenir l'intégrité du réseau est une tâche critique. **S**tormshield **N**etwork **S**ecurity (SNS) est une solution de sécurité complète conçue pour protéger les environnements cloud contre un large éventail de menaces. Ce guide fournit des instructions pas à pas pour déployer et configurer SNS sur le Public Cloud d'OVHcloud avec le vRack et le routage IP public, couvrant les fonctionnalités clés telles que les pare-feu réseau, les VPN IPSec et les VPN SSL/TLS. En suivant ce guide, vous renforcerez la sécurité de votre infrastructure Public Cloud OVHcloud et assurerez la sécurité de vos opérations. +Dans le paysage numérique actuel en constante évolution, la sécurisation de l'infrastructure cloud est devenue une priorité absolue pour les organisations de toutes tailles. Alors que les entreprises dépendent de plus en plus des solutions cloud pour leurs opérations, assurer la protection des données sensibles et maintenir l'intégrité du réseau est une tâche critique. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) est une solution de sécurité complète conçue pour protéger les environnements cloud contre un large éventail de menaces. 
Ce guide fournit des instructions pas à pas pour déployer et configurer SNS EVA sur le Public Cloud d'OVHcloud avec le vRack et le routage IP public, couvrant les fonctionnalités clés telles que les pare-feu réseau, les VPN IPSec et les VPN SSL/TLS. En suivant ce guide, vous renforcerez la sécurité de votre infrastructure Public Cloud OVHcloud et assurerez la sécurité de vos opérations. **Ce guide explique comment sécuriser votre infrastructure OVHcloud avec Stormshield Network Security déployé sur Public Cloud.** @@ -22,10 +22,10 @@ Dans le paysage numérique actuel en constante évolution, la sécurisation de l - Être connecté à l'[espace client OVHcloud](/links/manager). - Un [utilisateur OpenStack](/pages/public_cloud/compute/create_and_delete_a_user) (facultatif). - Des connaissances de base en réseau. -- Un compte Stormshield créé via le [site Stormshield](https://www.stormshield.com/fr/){.external}. +- Un compte Stormshield créé via le [site Stormshield](https://documentation.stormshield.eu/SNS/v4/fr/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. - S'assurer que le vRack est activé et configuré pour permettre une communication sécurisée entre les composants de l'infrastructure. - Une adresse [Additional IP](/links/network/additional-ip) pour permettre le failover et la configuration de la haute disponibilité. -- Une licence Stormshield Network Security BYOL (**B**ring **Y**our **O**wn **L**icence), obtenue auprès de [partenaires ou revendeurs tiers](https://www.stormshield.com/partner/partner-finder/){.external}, que vous devrez fournir lors de l'installation et de la configuration. +- Une licence Stormshield Elastic Virtual Appliance BYOL (**B**ring **Y**our **O**wn **L**icence), obtenue auprès de [partenaires ou revendeurs tiers](https://www.stormshield.com/partner/partner-finder/){.external}, que vous devrez fournir lors de l'installation et de la configuration. ## En pratique 
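Review bot: In the `@@ -1,12 +1,12 @@` hunk of guide.fr-fr.md, replacing `**S**tormshield **N**etwork **S**ecurity (SNS)` with `Stormshield SNS EVA (Stormshield Elastic Virtual Appliance)` removes the only expansion of the acronym SNS, so the page now uses "SNS" throughout without ever defining it, while the front-matter `title`/`excerpt`, the heading `### Installer et configurer Stormshield Network Security sur votre environnement Public Cloud` and `#### Cas d'usage n°1 : configurer Stormshield Network Security …` keep the old name. Suggest expanding both parts on first use, e.g. `Stormshield Network Security (SNS) Elastic Virtual Appliance (EVA)`, and either renaming those headings to match or stating once that the two names refer to the same product.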
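Review bot: In the `@@ -22,10 +22,10 @@` hunk of guide.fr-fr.md, the prerequisite `Un compte Stormshield créé via le [site Stormshield](…)` now points to the `Firewall_license_installation.htm` documentation page instead of `https://www.stormshield.com/fr/`, but the link text still says "site Stormshield" and a licence-installation page does not explain how to create an account. Either keep the account link on the Stormshield site or change the link text to describe the new target; note the same licence URL is already linked from `Ajoutez une licence différente sur les deux instances SNS EVA en suivant la [documentation officielle](…)` in the `@@ -165,33` hunk, so it would now be linked twice.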
@@ -40,7 +40,7 @@ En plus de l'installation et de la configuration de Stormshield Network Security ### Installer et configurer Stormshield Network Security sur votre environnement Public Cloud > [!primary] -> Dans ce tutoriel, l'installation et la configuration de Stormshield Network Security (SNS) s'effectuent principalement via la ligne de commande. Ouvrez un terminal pour exécuter les instructions. +> Dans ce tutoriel, l'installation et la configuration de Stormshield SNS EVA s'effectuent principalement via la ligne de commande. Ouvrez un terminal pour exécuter les instructions. > > Veuillez noter que toutes les rubriques relatives à la « Haute disponibilité » ou à « Stormshield-2 » sont facultatives, de même que l'utilisation du réseau vRack avec Additional IP. Ils sont inclus pour montrer comment mettre en place le système avec deux instances en mode actif/passif pour une haute disponibilité. Dans une version minimale, il peut également fonctionner avec une seule instance si cela suffit à vos besoins. 
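Review bot: While the `@@ -40,7 +40,7 @@` hunk (guide.fr-fr.md) is already editing this admonition, the unchanged sentence that follows has an agreement error: `Ils sont inclus pour montrer…` refers to `toutes les rubriques` (and `l'utilisation du réseau vRack`), both feminine, so it should read `Elles sont incluses pour montrer…`.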
@@ -49,23 +49,23 @@ En plus de l'installation et de la configuration de Stormshield Network Security #### Configurer votre vRack -Dans cette étape, nous configurons le vRack, un réseau virtuel privé fourni par OVHcloud. Le vRack vous permet d'interconnecter plusieurs instances ou serveurs au sein d'un environnement Public Cloud, assurant ainsi l'isolation du réseau tout en maintenant une communication sécurisée. En ajoutant votre projet Public Cloud et votre bloc Additional IP au même vRack, vous pouvez permettre à vos instances SNS de communiquer de manière sécurisée, tout en gardant le contrôle total de la gestion des adresses IP. Le réseau privé vRack vous permet également de sécuriser des serveurs Bare Metal Cloud ou des VM Private Cloud avec des appliances de sécurité déployées sur le Public Cloud. +Dans cette étape, nous configurons le vRack, un réseau virtuel privé fourni par OVHcloud. Le vRack vous permet d'interconnecter plusieurs instances ou serveurs au sein d'un environnement Public Cloud, assurant ainsi l'isolation du réseau tout en maintenant une communication sécurisée. En ajoutant votre projet Public Cloud et votre bloc Additional IP au même vRack, vous pouvez permettre à vos instances SNS EVA de communiquer de manière sécurisée, tout en gardant le contrôle total de la gestion des adresses IP. Le réseau privé vRack vous permet également de sécuriser des serveurs Bare Metal Cloud ou des VM Private Cloud avec des appliances de sécurité déployées sur le Public Cloud. **Ajouter votre projet Public Cloud et votre bloc Additional IP au même vRack.** A des fins d'exemple pour ce guide, le bloc IP est `147.135.161.152/29`.
-Nous utilisons la première IP utilisable `147.135.161.153` pour la première instance de SNS et nous utilisons temporairement la seconde IP utilisable `147.135.161.154` pour le second SNS.
+Nous utilisons la première IP utilisable `147.135.161.153` pour la première instance de SNS EVA et nous utilisons temporairement la seconde IP utilisable `147.135.161.154` pour le second SNS EVA.
L'adresse de la passerelle est `147.135.161.158`. Reportez-vous au guide « [Configurer un bloc IP dans un vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) » pour plus d'informations. Voici ci-dessous l'architecture que nous allons mettre en place. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configurer le réseau OpenStack -Créez le réseau privé pour les interfaces externes SNS : +Créez le réseau privé pour les interfaces externes SNS EVA : ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Créez le réseau privé pour les interfaces internes du SNS : +Créez le réseau privé pour les interfaces internes du SNS EVA : ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 @@ -85,7 +85,7 @@ openstack network create --provider-network-type vrack --provider-segment 200 -- openstack subnet create --network stormshield-vlan200 --subnet-range 10.200.0.0/16 --dhcp --dns-nameserver stormshield-vlan200 ``` -Créez le réseau privé pour les interfaces SNS HA (**H**igh **A**vailability) : +Créez le réseau privé pour les interfaces SNS EVA HA (**H**igh **A**vailability) : ```bash openstack network create --provider-network-type vrack --provider-segment 199 --disable-port-security stormshield-ha 
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Déployer les instances SNS +#### Déployer les instances SNS EVA Rendez-vous dans la section `download` du [site officiel de Stormshield](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Connectez-vous à votre compte Stormshield et suivez les instructions pour télécharger l'image Stormshield OpenStack. -Rendez-vous dans le dossier où vous avez téléchargé votre image SNS Openstack et importez l'image (pour ce tutoriel, nous utilisons l'image `utm-SNS-EVA-4.8.3-openstack.qcow2`) : +Rendez-vous dans le dossier où vous avez téléchargé votre image SNS EVA Openstack et importez l'image (pour ce tutoriel, nous utilisons l'image `utm-SNS-EVA-4.8.3-openstack.qcow2`) : ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Créez les instances SNS (dans cet exemple, nous les avons appelées `stormshield-1` et `stormshield-2`) : +Créez les instances SNS EVA (dans cet exemple, nous les avons appelées `stormshield-1` et `stormshield-2`) : ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
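Review bot: The `openstack image create` command in the context of the `@@ -95,17 +95,17 @@` hunk (guide.fr-fr.md, same lines in guide.de-de.md) registers the file `./utm-SNS-EVA-4.8.3-openstack.qcow2` with `--disk-format raw` and names the image `stormshield-SNS-EVA-4.7.6`, which the following `openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 …` then references. Since the hunk already rewrites the sentence introducing this command, fix both mismatches here: the disk format declared to Glance must match the file's real format (Glance stores the bytes unchanged, so a qcow2 file registered as raw will not boot), and the image name should carry the version actually imported, e.g. `openstack image create --disk-format qcow2 --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.8.3`, with `--image stormshield-SNS-EVA-4.8.3` in the two `openstack server create` lines.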
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > Pour des raisons de performances, nous vous suggérons d'utiliser les versions de machines virtuelles répertoriées pour des types de licence SNS EVA donnés : > -> - EVA1 : versions B3-16 ou B3-32 -> - EVA2 : B3-32 -> - EVA3 : B3-32 ou B3-64 -> - EVA4 : B3-128 -> - EVAU : B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configurer les instances SNS +#### Configurer les instances SNS EVA -Connectez-vous à l'[espace client OVHcloud](/links/manager), rendez-vous dans la section `Public Cloud`{.action}, puis sélectionnez le projet Public Cloud concerné. Dans le menu de gauche, cliquez sur `Instances`{.action} sous l'onglet **Compute**, puis retrouvez vos deux instances SNS. +Connectez-vous à l'[espace client OVHcloud](/links/manager), rendez-vous dans la section `Public Cloud`{.action}, puis sélectionnez le projet Public Cloud concerné. Dans le menu de gauche, cliquez sur `Instances`{.action} sous l'onglet **Compute**, puis retrouvez vos deux instances SNS EVA. -Accédez à la console VNC pour les deux instances SNS et configurez la disposition du clavier ainsi que le mot de passe. +Accédez à la console VNC pour les deux instances SNS EVA et configurez la disposition du clavier ainsi que le mot de passe. -Configurez la passerelle par défaut sur le premier SNS avec notre passerelle de bloc IP : +Configurez la passerelle par défaut sur le premier SNS EVA avec notre passerelle de bloc IP : ```console vi /usr/Firewall/ConfigFiles/object 
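Review bot: The rewritten flavor list in the `@@ -118,20 +118,20 @@` hunk (guide.fr-fr.md) drops the French typographic space before the colon (`- EVA1: B3-8 / B3-16` versus the previous `- EVA1 : versions B3-16 ou B3-32`), which is inconsistent with the rest of the page, and the bare `/` no longer says whether the two flavors are alternatives or a range. Suggest `- EVA1 : B3-8 ou B3-16` and so on; since the `openstack server create --flavor b3-32 …` example above now sits at the EVA2 upper bound and the EVA3 lower bound, it would also help to say which licence level the example targets.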
@@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configurez l'interface réseau externe sur le premier SNS avec la première adresse IP utilisable de notre bloc IP et l'interface réseau interne avec l'adresse IP `10.200.0.1` : +Configurez l'interface réseau externe sur le premier SNS EVA avec la première adresse IP utilisable de notre bloc IP et l'interface réseau interne avec l'adresse IP `10.200.0.1` : ```console vi /usr/Firewall/ConfigFiles/network 
@@ -165,33 +165,33 @@ Appliquez la nouvelle configuration réseau : ennetwork ``` -Effectuez la même configuration pour le second SNS mais avec la seconde adresse IP `147.135.161.154` de notre bloc IP pour l'interface externe au lieu de `147.135.161.153`. +Effectuez la même configuration pour le second SNS EVA mais avec la seconde adresse IP `147.135.161.154` de notre bloc IP pour l'interface externe au lieu de `147.135.161.153`. -Ajoutez une licence différente sur les deux instances SNS en suivant la [documentation officielle](https://documentation.stormshield.eu/SNS/v4/fr/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Ajoutez une licence différente sur les deux instances SNS EVA en suivant la [documentation officielle](https://documentation.stormshield.eu/SNS/v4/fr/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Créez une règle de pare-feu similaire à celle-ci sur les deux SNS dans l'interface graphique Web : +Créez une règle de pare-feu similaire à celle-ci sur les deux SNS EVA dans l'interface graphique Web : -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -Sur le premier SNS, créez un groupe de pare-feu (`Configuration` > `System` > `High Availability`). Concernant l'adresse IP, vérifiez quelle IP a été assignée à l'interface HA par le DHCP OpenStack. +Sur le premier SNS EVA, créez un groupe de pare-feu (`Configuration` > `System` > `High Availability`). Concernant l'adresse IP, vérifiez quelle IP a été assignée à l'interface HA par le DHCP OpenStack. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -Lorsque la configuration de la HA est terminée sur le premier SNS, rejoignez le groupe de pare-feu sur le second : +Lorsque la configuration de la HA est terminée sur le premier SNS EVA, rejoignez le groupe de pare-feu sur le second : -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -La seconde interface externe du SNS utilisera désormais la même adresse IP que la première. Par conséquent, l'adresse IP `147.135.161.154` peut dorénavant être utilisée à d'autres fins. +La seconde interface externe du SNS EVA utilisera désormais la même adresse IP que la première. Par conséquent, l'adresse IP `147.135.161.154` peut dorénavant être utilisée à d'autres fins. -Si tout est configuré correctement, après le redémarrage du second SNS, vous devriez voir quelque chose de similaire dans les indicateurs d'intégrité du lien HA : +Si tout est configuré correctement, après le redémarrage du second SNS EVA, vous devriez voir quelque chose de similaire dans les indicateurs d'intégrité du lien HA : -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configurer et sécuriser la gestion du SNS +#### Configurer et sécuriser la gestion du SNS EVA > [!tabs] > **Étape 1** 
@@ -207,31 +207,36 @@ Si tout est configuré correctement, après le redémarrage du second SNS, vous >> >> Créez un objet hôte pour votre adresse IP publique : >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Étape 3** >> >> Limitez l'accès à l'interface graphique à votre adresse IP publique et activez le SSH : >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Étape 4** >> >> Limitez l'accès au SSH à votre adresse IP publique : >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Resynchroniser la configuration HA -La synchronisation entre les deux instances SNS est cruciale pour s'assurer que les deux pare-feux sont toujours à jour avec la même configuration. À ce stade, les deux instances SNS ne doivent plus être synchronisées, car nous avons configuré un grand nombre de paramètres sur la première instance dont la seconde n'a pas connaissance. +La synchronisation entre les deux instances SNS EVA est cruciale pour s'assurer que les deux pare-feux sont toujours à jour avec la même configuration. Cela peut se faire via la ligne de commande SSH ou directement via l'interface utilisateur graphique (GUI). -Connectez-vous en SSH à l'instance SNS active : +> [!primary] +> Pour cet exemple, nous utilisons la solution en ligne de commande SSH. Si vous préférez utiliser l’interface utilisateur graphique pour la synchronisation, reportez-vous à la section « Écran de la Haute disponibilité » de la [documentation de Stormshield SNS EVA](https://documentation.stormshield.eu/SNS/v4/fr/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} pour connaître les étapes détaillées. 
+ +À ce stade, les deux instances SNS EVA ne doivent plus être synchronisées, car nous avons configuré un grand nombre de paramètres sur la première instance dont la seconde n'a pas connaissance. + +Connectez-vous en SSH à l'instance SNS EVA active : ```bash ssh admin@ ``` -Synchronisez les deux SNS : +Synchronisez les deux SNS EVA : ```bash hasync 
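Review bot: The new `[!primary]` admonition in the `@@ -207,31 +207,36 @@` hunk (identical in guide.de-de.md and guide.fr-fr.md) uses a typographic apostrophe in `utiliser l’interface utilisateur graphique`, whereas every other line of the file uses the straight `'` (`l'interface`, `l'instance`); keep it straight for consistency. In the re-added line `À ce stade, les deux instances SNS EVA ne doivent plus être synchronisées…`, "ne doivent plus être" reads as an instruction (the instances must no longer be synchronised) when the intent is a statement of fact; `ne sont probablement plus synchronisées` says what is meant.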
@@ -241,26 +246,26 @@ Cette manipulation est nécessaire à chaque mise à jour de la configuration. ### Configurations de cas d'usages -Après avoir déployé le firewall SNS **E**lastic **V**irtual **A**ppliance (EVA), il peut être utilisé dans plusieurs scénarios de sécurité avancés tels que VPN IPsec, VPN SSL/TLS, passerelles réseau (IN ou OUT) comme décrit ci-dessous. +Après avoir déployé le firewall SNS EVA, il peut être utilisé dans plusieurs scénarios de sécurité avancés tels que VPN IPsec, VPN SSL/TLS, passerelles réseau (IN ou OUT) comme décrit ci-dessous. Grâce au réseau privé vRack, les VLAN listés peuvent également être utilisés en dehors de l'environnement Public Cloud : sur les produits BareMetal ou Private Cloud. #### Cas d'usage n°1 : configurer Stormshield Network Security pour une utilisation en tant que passerelle Dans cet exemple, le pare-feu virtuel agira comme une passerelle sécurisée pour les instances privées (ou tout autre serveur) au sein du VLAN200 du réseau vRack donné. Ce type de trafic peut faire l'objet d'un filtrage d'URL sur le pare-feu. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Créez un objet réseau pour le VLAN200 en suivant [cette partie de la documentation officielle de Stormshield](https://documentation.stormshield.eu/SNS/v4/fr/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Créez une nouvelle règle de filtrage](https://documentation.stormshield.com/SNS/v4/fr/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similaire à celle-ci pour permettre au trafic provenant du VLAN200 de sortir : -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Créez une règle NAT](https://documentation.stormshield.eu/SNS/v4/fr/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similaire à celle-ci : -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronisez les deux instances HA SNS : +Synchronisez les deux instances HA SNS EVA : ```bash ssh admin@ @@ -281,13 +286,13 @@ Créez une instance sur le VLAN200 : openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Connectez-vous en SSH à l'instance SNS : +Connectez-vous en SSH à l'instance SNS EVA : ```bash ssh -A admin@ ``` -Depuis l'instance SNS, connectez-vous en SSH au serveur web Ubuntu. Vérifiez quelle adresse IP a été assignée à votre instance de serveur web Ubuntu par le DHCP OpenStack : +Depuis l'instance SNS EVA, connectez-vous en SSH au serveur web Ubuntu. Vérifiez quelle adresse IP a été assignée à votre instance de serveur web Ubuntu par le DHCP OpenStack : ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 Dans cet exemple, Internet doit pouvoir atteindre le serveur web privé installé sur le VLAN200. Le but de cette configuration est de protéger le serveur web avec un pare-feu réseau. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Étape 1** 
@@ -320,19 +325,19 @@ Dans cet exemple, Internet doit pouvoir atteindre le serveur web privé install >> >> Créez un objet hôte pour l'instance ubuntu-webserver : >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Étape 3** >> >> Créez une règle NAT similaire à celle-ci : >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Étape 4** >> >> Créez une règle de filtrage similaire à celle-ci : >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Testez l'accès au site web depuis l'extérieur : @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronisez les deux instances HA SNS : +Synchronisez les deux instances HA SNS EVA : ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn Dans cet exemple, le tunnel IPsec est configuré pour interconnecter deux régions PCI différentes : SBG7 (réseau VLAN200) et GRA11 (réseau VLAN201), mais chacun de ces sites peut être un site distant tel qu'un bureau ou un datacenter. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Répétez toutes les étapes dans une autre région en utilisant le VLAN 201 au lieu du VLAN 200 et des plages d'IP différentes pour les sous-réseaux Stormshield-ext et Stormshield-ha. ##### **Configurer le premier site** -- [Ajoutez un objet hôte](https://documentation.stormshield.eu/SNS/v4/fr/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} pour le SNS distant et ajoutez un objet réseau pour le réseau privé distant VLAN201. +- [Ajoutez un objet hôte](https://documentation.stormshield.eu/SNS/v4/fr/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} pour le SNS EVA distant et ajoutez un objet réseau pour le réseau privé distant VLAN201. - [Créez un tunnel de site à site standard](https://documentation.stormshield.eu/SNS/v4/fr/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Répétez toutes les étapes dans une autre région en utilisant le VLAN 201 au >> >> Ajoutez le réseau privé local et le réseau privé distant : >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >>> > **Étape 2** >> >> Créez la passerelle distante : >>> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Étape 3** >> >> Choisissez une clé pré-partagée : >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Étape 4** >> >> Créez et activez le tunnel : >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Étape 5** >> >> Ajoutez une règle de filtrage comme celle-ci pour autoriser le trafic à travers le tunnel : >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronisez les deux instances HA SNS : +Synchronisez les deux instances HA SNS EVA : ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. Dans cet exemple, un client OpenVPN distant se connectera au réseau privé à l'intérieur du VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuration du répertoire LDAP** 
@@ -442,19 +447,19 @@ Dans cet exemple, un client OpenVPN distant se connectera au réseau privé à l Dans un scénario de production, ce LDAP/AD doit être distant et non local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Créez l'annuaire des utilisateurs : -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Ajoutez un utilisateur à notre annuaire local : -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choisissez un mot de passe pour le nouvel utilisateur : -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuration des objets réseau VPN** @@ -462,17 +467,17 @@ Créez deux objets réseau pour le client VPN SSL. Réseau client UDP : -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} Réseau client TCP : -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **Configuration du serveur VPN SSL** Configurez le serveur VPN SSL : -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Gestion des droits des utilisateurs** 
@@ -480,21 +485,21 @@ Ajoutez à votre utilisateur l'autorisation d'utiliser le serveur VPN SSL (`Conf Recherchez votre utilisateur : -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Autorisez VPN SSL : -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuration des règles de filtrage** Ajoutez une règle de filtrage comme celle-ci pour permettre au client VPN d'accéder au VLAN200 : -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} ##### **Synchronisation des instances SNS** -Synchronisez les deux instances HA SNS : +Synchronisez les deux instances HA SNS EVA : ```bash ssh admin@ @@ -506,6 +511,7 @@ hasync > [!primary] > Pour tester la connectivité SSL/TLS, utilisez n'importe quel appareil sur lequel OpenVPN est installé. Cet exemple inclut le test d'un client OpenVPN au-dessus d'une instance OpenStack dans une autre région. > +> Dans cet exemple, nous utilisons le client OpenVPN, mais vous pouvez également utiliser la [version packagée par Stormshield](https://vpn.stormshield.eu/){.external}. Téléchargez le fichier de configuration VPN (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.it-it.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.it-it.md index 8f3e4abe07f..a79bb85066c 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.it-it.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.it-it.md 
@@ -1,12 +1,12 @@ --- title: 'Securing your OVHcloud infrastructure with Stormshield Network Security' excerpt: 'Find out how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objective -In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. **S**tormshield **N**etwork **S**ecurity (SNS) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. +In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS EVA on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. 
**This guide explains how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud.** @@ -22,10 +22,10 @@ In today's rapidly evolving digital landscape, securing cloud infrastructures ha - Access to the [OVHcloud Control Panel](/links/manager) - An [OpenStack user](/pages/public_cloud/compute/create_and_delete_a_user) (optional) - Basic networking knowledge -- A Stormshield account on the [Stormshield website](https://www.stormshield.com/en/){.external} +- A Stormshield account on the [Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external} - Ensure that the vRack is enabled and configured to allow secure communication between the components of the infrastructure. - An [Additional IP address](/links/network/additional-ip) for ensuring network failover and high availability setup. -- Stormshield Network Security Licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. +- Stormshield Elastic Virtual Appliance licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. ## Instructions 
@@ -49,23 +49,23 @@ In addition to the installation and configuration of Stormshield Network Securit #### Configure your vRack -In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. +In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS EVA instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. **Add your Public Cloud project and your Additional IP block to the same vRack.** For example purposes in this guide, the IP block is `147.135.161.152/29`.
-We use the first usable IP `147.135.161.153` for the first instance of SNS and use temporally the second usable IP `147.135.161.154` for the second SNS.
+We use the first usable IP `147.135.161.153` for the first instance of SNS EVA and use temporally the second usable IP `147.135.161.154` for the second SNS EVA.
The gateway address is `147.135.161.158`. Please refer to the guide [Configuring an IP block in a vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) for more information. Below is the architecture that we are going to set up. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configure OpenStack networking -Create the private network for the SNS external interfaces: +Create the private network for the SNS EVA external interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Create the private network for the SNS internal interfaces: +Create the private network for the SNS EVA internal interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Deploy the SNS instances +#### Deploy the SNS EVA instances Go to the `download` section of the [official Stormshield website](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Log in to your Stormshield account and follow the instructions to download the Stormshield OpenStack image. -Go to the folder where you have downloaded your SNS Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): +Go to the folder where you have downloaded your SNS EVA Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Create the SNS instances (for this example, we called them `stormshield-1` and `stormshield-2`): +Create the SNS EVA instances (for this example, we called them `stormshield-1` and `stormshield-2`): ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > For performance reasons we suggest using listed VM flavors for given SNS EVA licence types: > -> - EVA1: B3-16 or B3-32 flavors -> - EVA2: B3-32 -> - EVA3: B3-32 or B3-64 -> - EVA4: B3-128 -> - EVAU: B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configure the SNS instances +#### Configure the SNS EVA instances -Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS instances. +Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS EVA instances. -Access the VNC console for both SNS instances and configure the keyboard layout and the password. +Access the VNC console for both SNS EVA instances and configure the keyboard layout and the password. -Configure the default gateway on the first SNS with our IP block gateway: +Configure the default gateway on the first SNS EVA with our IP block gateway: ```console vi /usr/Firewall/ConfigFiles/object @@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configure the external network interface on the first SNS with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: +Configure the external network interface on the first SNS EVA with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: ```console vi /usr/Firewall/ConfigFiles/network 
@@ -165,33 +165,33 @@ Apply the new network configuration: ennetwork ``` -Do the same configuration for the second SNS but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. +Do the same configuration for the second SNS EVA but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. -Add a different licence on both SNS instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Add a different licence on both SNS EVA instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Create a firewall rule similar to this on both SNS in the web GUI: +Create a firewall rule similar to this on both SNS EVA in the web GUI: -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -On the first SNS, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. +On the first SNS EVA, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -When the configuration of the HA is finished on the first SNS, join the group of firewalls on the second one: +When the configuration of the HA is finished on the first SNS EVA, join the group of firewalls on the second one: -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -The second SNS external interface will now use the same IP address as the first SNS. Therefore the `147.135.161.154` IP address can be used for something else now. +The second SNS EVA external interface will now use the same IP address as the first SNS EVA. Therefore the `147.135.161.154` IP address can be used for something else now. -If everything is configured properly, after the reboot of the second SNS, you should see something similar to this in the Health Indicators of the HA Link: +If everything is configured properly, after the reboot of the second SNS EVA, you should see something similar to this in the Health Indicators of the HA Link: -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configure and secure the SNS management +#### Configure and secure the SNS EVA management > [!tabs] > **Step 1** 
@@ -207,31 +207,36 @@ If everything is configured properly, after the reboot of the second SNS, you sh >> >> Create a host object for your public IP: >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Step 3** >> >> Restrict access to the GUI to your public IP and enable SSH: >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Step 4** >> >> Restrict SSH access to your public IP: >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Re-synchronize the HA configuration -The synchronization between the two SNS instances is crucial to ensure that both firewalls are always up to date with the same configuration. At this point, the two SNS instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. +The synchronization between the two SNS EVA instances is crucial to ensure that both firewalls are always up to date with the same configuration. This can be done through the SSH command line or directly via the graphical user interface (GUI). -Log in to the active SNS instance using SSH: +> [!primary] +> For this example, we use the SSH command line solution. If you prefer to use the GUI for synchronization, refer to the « High Availability screen » section in the [Stormshield SNS EVA documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} for detailed steps. + +At this point, the two SNS EVA instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. 
+ +Log in to the active SNS EVA instance using SSH: ```bash ssh admin@ ``` -Synchronize the two SNS: +Synchronize the two SNS EVA: ```bash hasync 
@@ -241,26 +246,26 @@ You need to do this each time you update the configuration. ### Use cases configuration -After deploying SNS **E**lastic **V**irtual **A**ppliance (EVA) firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. +After deploying SNS Elastic Virtual Appliance firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. Thanks to the vRack private network, listed VLANs can also be used outside the Public Cloud environment: across BareMetal or Private Cloud products. #### Use case 1: Configure Stormshield Network Security to be used as a gateway In this example, the virtual firewall will act as a secure gateway for private instances (or any other server) within the VLAN200 of the given vRack network. Such traffic can be a subject for URL filtering on the firewall. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Create a network object for the VLAN200 by following this [part of the official Stormshield documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Create a new filter rule](https://documentation.stormshield.com/SNS/v4/en/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similar to this one to allow the traffic coming from VLAN200 to go out: -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Create a NAT rule](https://documentation.stormshield.eu/SNS/v4/en/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similar to this one: -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -281,13 +286,13 @@ Create an instance on VLAN200: openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Log-in via SSH to the SNS instance: +Log-in via SSH to the SNS EVA instance: ```bash ssh -A admin@ ``` -From the SNS instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: +From the SNS EVA instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 In this example, the Internet should be able to reach the private web server installed in VLAN200. The aim of this configuration is to protect the web server with a network firewall. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Step 1** 
@@ -320,19 +325,19 @@ In this example, the Internet should be able to reach the private web server ins >> >> Create a host object for the ubuntu-webserver: >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Step 3** >> >> Create a NAT rule like this one: >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Step 4** >> >> Create a filter rule like this one: >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Test to access the website from outside: @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn In this example, IPsec tunnel is configured to interconnect two different PCI regions: SBG7 (network VLAN200) and GRA11 (network VLAN201), but any of these sites could be a remote site such as an office or datacentre. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 and different IP ranges for the stormshield-ext and stormshield-ha subnet. ##### **Configure the first site** -- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS and add a network object for the VLAN201 remote private network. +- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS EVA and add a network object for the VLAN201 remote private network. - [Create a standard site-to-site tunnel](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 >> >> Add the local and the remote private network: >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >> > **Step 2** >> >> Create the remote gateway: >> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Step 3** >> >> Choose a pre-shared key: >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Step 4** >> >> Create and activate the tunnel: >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Step 5** >> >> Add a filter rule like this one to allow traffic through the tunnel: >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. In this example, a remote OpenVPN client will connect to the private network inside VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuring the LDAP directory** 
@@ -442,19 +447,19 @@ In this example, a remote OpenVPN client will connect to the private network ins In a production scenario, this LDAP/AD should be remote and not local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Create the user directory: -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Add a user to our local directory: -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choose a password for the new user: -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuring VPN network objects** @@ -462,17 +467,17 @@ Create two network objects for the SSL VPN client. UDP client network: -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} TCP client network: -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **SSL VPN server configuration** Configure the SSL VPN server: -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Managing user permissions** @@ -480,21 +485,21 @@ Add permission to your user to use the SSL VPN server (`Configuration` > `Users` Search your user: -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Allow SSL VPN: -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuring filter rules** Add a filter rule like this one to let VPN client access the VLAN200: -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} -##### **Synchronization of SNS instances** +##### **Synchronization of SNS EVA instances** -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -506,6 +511,7 @@ hasync > [!primary] > To test SSL/TLS connectivity, you can use any device with OpenVPN installed. This example includes testing an OpenVPN client on top of an OpenStack instance in another region. > +> In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/){.external}. Download the VPN configuration file (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). @@ -557,4 +563,4 @@ PING () 56(84) bytes of data. If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](/links/professional-services) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project. -Join our [community of users](/links/community). +Join our [community of users](/links/community). \ No newline at end of file diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.pl-pl.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.pl-pl.md index 8f3e4abe07f..a79bb85066c 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.pl-pl.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.pl-pl.md 
@@ -1,12 +1,12 @@ --- title: 'Securing your OVHcloud infrastructure with Stormshield Network Security' excerpt: 'Find out how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objective -In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. **S**tormshield **N**etwork **S**ecurity (SNS) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. +In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS EVA on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. 
**This guide explains how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud.** @@ -22,10 +22,10 @@ In today's rapidly evolving digital landscape, securing cloud infrastructures ha - Access to the [OVHcloud Control Panel](/links/manager) - An [OpenStack user](/pages/public_cloud/compute/create_and_delete_a_user) (optional) - Basic networking knowledge -- A Stormshield account on the [Stormshield website](https://www.stormshield.com/en/){.external} +- A Stormshield account on the [Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external} - Ensure that the vRack is enabled and configured to allow secure communication between the components of the infrastructure. - An [Additional IP address](/links/network/additional-ip) for ensuring network failover and high availability setup. -- Stormshield Network Security Licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. +- Stormshield Elastic Virtual Appliance licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. ## Instructions 
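Review bot: the link text no longer matches its target in the prerequisites hunk: `- A Stormshield account on the [Stormshield website](…/Firewall_license_installation.htm)` now points at the licence-installation page of the SNS documentation, which is not where an account is created. Either keep an account or sign-up URL here, or reword the bullet to "the licence installation documentation" and rely on the separate licence link that already follows in the `Add a different licence` step further down. The BYOL bullet rename is fine.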
@@ -49,23 +49,23 @@ In addition to the installation and configuration of Stormshield Network Securit #### Configure your vRack -In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. +In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS EVA instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. **Add your Public Cloud project and your Additional IP block to the same vRack.** For example purposes in this guide, the IP block is `147.135.161.152/29`.
-We use the first usable IP `147.135.161.153` for the first instance of SNS and use temporally the second usable IP `147.135.161.154` for the second SNS.
+We use the first usable IP `147.135.161.153` for the first instance of SNS EVA and use temporally the second usable IP `147.135.161.154` for the second SNS EVA.
The gateway address is `147.135.161.158`. Please refer to the guide [Configuring an IP block in a vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) for more information. Below is the architecture that we are going to set up. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configure OpenStack networking -Create the private network for the SNS external interfaces: +Create the private network for the SNS EVA external interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Create the private network for the SNS internal interfaces: +Create the private network for the SNS EVA internal interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 
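Review bot: the rename carries a typo through unchanged: both the `-We use the first usable IP…` and the `+We use the first usable IP…` lines say "use temporally the second usable IP", which should read "temporarily use the second usable IP" (the address is freed once HA makes both appliances share `147.135.161.153`, as the later HA hunk explains). Since the line is being touched anyway, fix the wording in the same change.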
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Deploy the SNS instances +#### Deploy the SNS EVA instances Go to the `download` section of the [official Stormshield website](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Log in to your Stormshield account and follow the instructions to download the Stormshield OpenStack image. -Go to the folder where you have downloaded your SNS Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): +Go to the folder where you have downloaded your SNS EVA Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Create the SNS instances (for this example, we called them `stormshield-1` and `stormshield-2`): +Create the SNS EVA instances (for this example, we called them `stormshield-1` and `stormshield-2`): ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
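Review bot: the image upload command in this hunk is internally inconsistent and is copied through unchanged: `openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6` declares `--disk-format raw` for a qcow2 file and names the image 4.7.6 while the file (and the sentence above it) says 4.8.3. It should be `--disk-format qcow2` with a name matching the file, and the `--image stormshield-SNS-EVA-4.7.6` argument of the `openstack server create` lines below must follow. Separately, the download link targets the `/fr/` PAYG deployment guide although the page is in English and describes a BYOL deployment; the `/en/` equivalent would be the better target.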
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > For performance reasons we suggest using listed VM flavors for given SNS EVA licence types: > -> - EVA1: B3-16 or B3-32 flavors -> - EVA2: B3-32 -> - EVA3: B3-32 or B3-64 -> - EVA4: B3-128 -> - EVAU: B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configure the SNS instances +#### Configure the SNS EVA instances -Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS instances. +Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS EVA instances. -Access the VNC console for both SNS instances and configure the keyboard layout and the password. +Access the VNC console for both SNS EVA instances and configure the keyboard layout and the password. -Configure the default gateway on the first SNS with our IP block gateway: +Configure the default gateway on the first SNS EVA with our IP block gateway: ```console vi /usr/Firewall/ConfigFiles/object @@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configure the external network interface on the first SNS with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: +Configure the external network interface on the first SNS EVA with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: ```console vi /usr/Firewall/ConfigFiles/network 
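Review bot: the revised flavor list uses upper-case names (`B3-8 / B3-16`, …) while the `openstack server create --flavor b3-32 …` commands use the lower-case form the CLI expects; keep one spelling, preferably the CLI one. With the new table `b3-32` maps to EVA2 or EVA3, so the example should say which licence size it assumes so that readers on EVA1 or EVA4 know to change the flavor. The `Firewall_out_router=147.135.161.158,resolve=static` edit shown in the @@ -141 context matches the gateway given in the vRack section.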
@@ -165,33 +165,33 @@ Apply the new network configuration: ennetwork ``` -Do the same configuration for the second SNS but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. +Do the same configuration for the second SNS EVA but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. -Add a different licence on both SNS instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Add a different licence on both SNS EVA instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Create a firewall rule similar to this on both SNS in the web GUI: +Create a firewall rule similar to this on both SNS EVA in the web GUI: -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -On the first SNS, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. +On the first SNS EVA, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -When the configuration of the HA is finished on the first SNS, join the group of firewalls on the second one: +When the configuration of the HA is finished on the first SNS EVA, join the group of firewalls on the second one: -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -The second SNS external interface will now use the same IP address as the first SNS. Therefore the `147.135.161.154` IP address can be used for something else now. +The second SNS EVA external interface will now use the same IP address as the first SNS EVA. Therefore the `147.135.161.154` IP address can be used for something else now. -If everything is configured properly, after the reboot of the second SNS, you should see something similar to this in the Health Indicators of the HA Link: +If everything is configured properly, after the reboot of the second SNS EVA, you should see something similar to this in the Health Indicators of the HA Link: -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configure and secure the SNS management +#### Configure and secure the SNS EVA management > [!tabs] > **Step 1** 
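Review bot: ordering issue rather than wording: in this hunk the licence upload, the HA filter rule and the HA group are all done through the web GUI on the public address `147.135.161.153` before the later "Configure and secure the SNS EVA management" section restricts GUI and SSH access to the administrator's public IP. Suggest moving the management-restriction steps ahead of this block, or adding a warning here that the admin interface is reachable from the whole internet until that section is completed. The sentence explaining that `147.135.161.154` is freed once HA shares the external address is correct and worth keeping.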
@@ -207,31 +207,36 @@ If everything is configured properly, after the reboot of the second SNS, you sh >> >> Create a host object for your public IP: >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Step 3** >> >> Restrict access to the GUI to your public IP and enable SSH: >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Step 4** >> >> Restrict SSH access to your public IP: >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Re-synchronize the HA configuration -The synchronization between the two SNS instances is crucial to ensure that both firewalls are always up to date with the same configuration. At this point, the two SNS instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. +The synchronization between the two SNS EVA instances is crucial to ensure that both firewalls are always up to date with the same configuration. This can be done through the SSH command line or directly via the graphical user interface (GUI). -Log in to the active SNS instance using SSH: +> [!primary] +> For this example, we use the SSH command line solution. If you prefer to use the GUI for synchronization, refer to the « High Availability screen » section in the [Stormshield SNS EVA documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} for detailed steps. + +At this point, the two SNS EVA instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. 
+ +Log in to the active SNS EVA instance using SSH: ```bash ssh admin@ ``` -Synchronize the two SNS: +Synchronize the two SNS EVA: ```bash hasync 
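Review bot: the new admonition uses French guillemets in English text (`« High Availability screen »`); use plain quotes to match the rest of the page. The sentence that follows, "should not be in sync anymore", reads like a recommendation; "will no longer be in sync" states the actual situation after the first appliance was configured alone. Splitting the old paragraph into the admonition plus the explanation is otherwise an improvement, and the `hasync` step with the `ssh admin@` login is unchanged.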
@@ -241,26 +246,26 @@ You need to do this each time you update the configuration. ### Use cases configuration -After deploying SNS **E**lastic **V**irtual **A**ppliance (EVA) firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. +After deploying SNS Elastic Virtual Appliance firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. Thanks to the vRack private network, listed VLANs can also be used outside the Public Cloud environment: across BareMetal or Private Cloud products. #### Use case 1: Configure Stormshield Network Security to be used as a gateway In this example, the virtual firewall will act as a secure gateway for private instances (or any other server) within the VLAN200 of the given vRack network. Such traffic can be a subject for URL filtering on the firewall. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Create a network object for the VLAN200 by following this [part of the official Stormshield documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Create a new filter rule](https://documentation.stormshield.com/SNS/v4/en/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similar to this one to allow the traffic coming from VLAN200 to go out: -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Create a NAT rule](https://documentation.stormshield.eu/SNS/v4/en/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similar to this one: -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -281,13 +286,13 @@ Create an instance on VLAN200: openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Log-in via SSH to the SNS instance: +Log-in via SSH to the SNS EVA instance: ```bash ssh -A admin@ ``` -From the SNS instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: +From the SNS EVA instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 In this example, the Internet should be able to reach the private web server installed in VLAN200. The aim of this configuration is to protect the web server with a network firewall. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Step 1** 
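Review bot: the heading `#### Use case 1: Configure Stormshield Network Security to be used as a gateway` is left out of the SNS to SNS EVA rename that this hunk applies to the image alt texts and to the "Synchronize the two HA SNS EVA instances" sentence; either apply the rename consistently to headings as well, or keep the full product name in headings throughout, but not a mix of both.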
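Review bot: `ssh -A admin@` in the @@ -281 hunk forwards the administrator's SSH agent to the firewall appliance so that the next hop to `ubuntu@…` can use it; anyone with root on the firewall can then use the forwarded agent for the lifetime of the session. On a hardening guide, recommend `ssh -J admin@<firewall> ubuntu@<webserver>` (ProxyJump), which keeps the private keys on the workstation, or at least explain why agent forwarding is needed here. This is pre-existing, but the surrounding lines are being edited anyway.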
@@ -320,19 +325,19 @@ In this example, the Internet should be able to reach the private web server ins >> >> Create a host object for the ubuntu-webserver: >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Step 3** >> >> Create a NAT rule like this one: >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Step 4** >> >> Create a filter rule like this one: >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Test to access the website from outside: @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn In this example, IPsec tunnel is configured to interconnect two different PCI regions: SBG7 (network VLAN200) and GRA11 (network VLAN201), but any of these sites could be a remote site such as an office or datacentre. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 and different IP ranges for the stormshield-ext and stormshield-ha subnet. ##### **Configure the first site** -- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS and add a network object for the VLAN201 remote private network. +- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS EVA and add a network object for the VLAN201 remote private network. - [Create a standard site-to-site tunnel](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 >> >> Add the local and the remote private network: >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >> > **Step 2** >> >> Create the remote gateway: >> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Step 3** >> >> Choose a pre-shared key: >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Step 4** >> >> Create and activate the tunnel: >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Step 5** >> >> Add a filter rule like this one to allow traffic through the tunnel: >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. In this example, a remote OpenVPN client will connect to the private network inside VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuring the LDAP directory** 
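Review bot: Step 3 ("Choose a pre-shared key") is the only authentication guidance for the site-to-site tunnel; suggest stating that the PSK must be long, random and unique per tunnel, and pointing to certificate-based authentication as the production option, which the page already links in the filter-rule step (`HowTo_-_IPSec_VPN_-_Authentication_by_certificate`). The alt-text rename in this hunk is fine.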
@@ -442,19 +447,19 @@ In this example, a remote OpenVPN client will connect to the private network ins In a production scenario, this LDAP/AD should be remote and not local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Create the user directory: -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Add a user to our local directory: -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choose a password for the new user: -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuring VPN network objects** @@ -462,17 +467,17 @@ Create two network objects for the SSL VPN client. UDP client network: -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} TCP client network: -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **SSL VPN server configuration** Configure the SSL VPN server: -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Managing user permissions** @@ -480,21 +485,21 @@ Add permission to your user to use the SSL VPN server (`Configuration` > `Users` Search your user: -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Allow SSL VPN: -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuring filter rules** Add a filter rule like this one to let VPN client access the VLAN200: -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} -##### **Synchronization of SNS instances** +##### **Synchronization of SNS EVA instances** -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -506,6 +511,7 @@ hasync > [!primary] > To test SSL/TLS connectivity, you can use any device with OpenVPN installed. This example includes testing an OpenVPN client on top of an OpenStack instance in another region. > +> In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/){.external}. Download the VPN configuration file (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). @@ -557,4 +563,4 @@ PING () 56(84) bytes of data. If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](/links/professional-services) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project. -Join our [community of users](/links/community). +Join our [community of users](/links/community). \ No newline at end of file diff --git a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.pt-pt.md b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.pt-pt.md index 8f3e4abe07f..a79bb85066c 100644 --- a/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.pt-pt.md +++ b/pages/public_cloud/public_cloud_network_services/tutorial-stormshield_network_security_vrack/guide.pt-pt.md 
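Review bot: the @@ -557 hunk changes nothing but the trailing newline (`Join our [community of users](/links/community).` now followed by `\ No newline at end of file`); keep the final newline so the file stays consistent with the other guides and future diffs stay clean. In the @@ -506 hunk the added sentence is useful, but the admonition line before it already states that OpenVPN is used, so "In this example, we use the OpenVPN client" repeats it; "You can also use the Stormshield packaged version…" is enough.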
@@ -1,12 +1,12 @@ --- title: 'Securing your OVHcloud infrastructure with Stormshield Network Security' excerpt: 'Find out how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud' -updated: 2024-10-23 +updated: 2024-11-29 --- ## Objective -In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. **S**tormshield **N**etwork **S**ecurity (SNS) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. +In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) is a comprehensive security solution designed to protect cloud environments from a wide range of threats. This guide provides step-by-step instructions for deploying and configuring SNS EVA on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations. 
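Review bot: in guide.pt-pt.md the rewritten Objective paragraph uses "Stormshield SNS EVA (Stormshield Elastic Virtual Appliance)", which expands EVA but not SNS and repeats "Stormshield"; suggest "Stormshield Network Security Elastic Virtual Appliance (SNS EVA)" on first use, since the unchanged `title:` and `excerpt:` lines still name the product "Stormshield Network Security". The file also receives English text under a pt-pt path; confirm that mirroring the English source is intended.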
**This guide explains how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud.** @@ -22,10 +22,10 @@ In today's rapidly evolving digital landscape, securing cloud infrastructures ha - Access to the [OVHcloud Control Panel](/links/manager) - An [OpenStack user](/pages/public_cloud/compute/create_and_delete_a_user) (optional) - Basic networking knowledge -- A Stormshield account on the [Stormshield website](https://www.stormshield.com/en/){.external} +- A Stormshield account on the [Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external} - Ensure that the vRack is enabled and configured to allow secure communication between the components of the infrastructure. - An [Additional IP address](/links/network/additional-ip) for ensuring network failover and high availability setup. -- Stormshield Network Security Licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. +- Stormshield Elastic Virtual Appliance licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/){.external}, as you will need to provide it during the installation and configuration process. ## Instructions 
@@ -49,23 +49,23 @@ In addition to the installation and configuration of Stormshield Network Securit #### Configure your vRack -In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. +In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS EVA instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud. **Add your Public Cloud project and your Additional IP block to the same vRack.** For example purposes in this guide, the IP block is `147.135.161.152/29`.
-We use the first usable IP `147.135.161.153` for the first instance of SNS and use temporally the second usable IP `147.135.161.154` for the second SNS.
+We use the first usable IP `147.135.161.153` for the first instance of SNS EVA and use temporally the second usable IP `147.135.161.154` for the second SNS EVA.
The gateway address is `147.135.161.158`. Please refer to the guide [Configuring an IP block in a vRack](/pages/bare_metal_cloud/dedicated_servers/configuring-an-ip-block-in-a-vrack) for more information. Below is the architecture that we are going to set up. -![SNS vrack](images/stormshield-ha-vrack.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ha-vrack.png){.thumbnail} #### Configure OpenStack networking -Create the private network for the SNS external interfaces: +Create the private network for the SNS EVA external interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext @@ -75,7 +75,7 @@ openstack network create --provider-network-type vrack --provider-segment 0 --di openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext ``` -Create the private network for the SNS internal interfaces: +Create the private network for the SNS EVA internal interfaces: ```bash openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200 
@@ -95,17 +95,17 @@ openstack network create --provider-network-type vrack --provider-segment 199 -- openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha ``` -#### Deploy the SNS instances +#### Deploy the SNS EVA instances Go to the `download` section of the [official Stormshield website](https://documentation.stormshield.eu/SNS/v4/fr/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm){.external}. Log in to your Stormshield account and follow the instructions to download the Stormshield OpenStack image. -Go to the folder where you have downloaded your SNS Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): +Go to the folder where you have downloaded your SNS EVA Openstack image and upload the image (for this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`): ```bash openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.7.6 ``` -Create the SNS instances (for this example, we called them `stormshield-1` and `stormshield-2`): +Create the SNS EVA instances (for this example, we called them `stormshield-1` and `stormshield-2`): ```bash openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1 
@@ -118,20 +118,20 @@ openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.7.6 --netwo > [!primary] > For performance reasons we suggest using listed VM flavors for given SNS EVA licence types: > -> - EVA1: B3-16 or B3-32 flavors -> - EVA2: B3-32 -> - EVA3: B3-32 or B3-64 -> - EVA4: B3-128 -> - EVAU: B3-256 +> - EVA1: B3-8 / B3-16 +> - EVA2: B3-16 / B3-32 +> - EVA3: B3-32 / B3-64 +> - EVA4: B3-64 / B3-128 +> - EVAU: B3-128 / B3-256 > -#### Configure the SNS instances +#### Configure the SNS EVA instances -Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS instances. +Log into the [OVHcloud Control Panel](/links/manager), go to the `Public Cloud`{.action} section, and select the relevant Public Cloud project. In the left menu, click on `Instances`{.action} under the **Compute** tab, then find your two SNS EVA instances. -Access the VNC console for both SNS instances and configure the keyboard layout and the password. +Access the VNC console for both SNS EVA instances and configure the keyboard layout and the password. -Configure the default gateway on the first SNS with our IP block gateway: +Configure the default gateway on the first SNS EVA with our IP block gateway: ```console vi /usr/Firewall/ConfigFiles/object @@ -141,7 +141,7 @@ Firewall_out_router=147.135.161.158,resolve=static ... ``` -Configure the external network interface on the first SNS with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: +Configure the external network interface on the first SNS EVA with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address: ```console vi /usr/Firewall/ConfigFiles/network 
@@ -165,33 +165,33 @@ Apply the new network configuration: ennetwork ``` -Do the same configuration for the second SNS but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. +Do the same configuration for the second SNS EVA but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`. -Add a different licence on both SNS instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. +Add a different licence on both SNS EVA instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm){.external}. -Create a firewall rule similar to this on both SNS in the web GUI: +Create a firewall rule similar to this on both SNS EVA in the web GUI: -![SNS vrack](images/ha-filter.png){.thumbnail} +![SNS EVA vrack](images/ha-filter.png){.thumbnail} -On the first SNS, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. +On the first SNS EVA, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP. 
-![SNS vrack](images/ha-1.png){.thumbnail} +![SNS EVA vrack](images/ha-1.png){.thumbnail} -![SNS vrack](images/ha-2.png){.thumbnail} +![SNS EVA vrack](images/ha-2.png){.thumbnail} -When the configuration of the HA is finished on the first SNS, join the group of firewalls on the second one: +When the configuration of the HA is finished on the first SNS EVA, join the group of firewalls on the second one: -![SNS vrack](images/ha-3.png){.thumbnail} +![SNS EVA vrack](images/ha-3.png){.thumbnail} -![SNS vrack](images/ha-4.png){.thumbnail} +![SNS EVA vrack](images/ha-4.png){.thumbnail} -The second SNS external interface will now use the same IP address as the first SNS. Therefore the `147.135.161.154` IP address can be used for something else now. +The second SNS EVA external interface will now use the same IP address as the first SNS EVA. Therefore the `147.135.161.154` IP address can be used for something else now. -If everything is configured properly, after the reboot of the second SNS, you should see something similar to this in the Health Indicators of the HA Link: +If everything is configured properly, after the reboot of the second SNS EVA, you should see something similar to this in the Health Indicators of the HA Link: -![SNS vrack](images/ha-5.png){.thumbnail} +![SNS EVA vrack](images/ha-5.png){.thumbnail} -#### Configure and secure the SNS management +#### Configure and secure the SNS EVA management > [!tabs] > **Step 1** 
@@ -207,31 +207,36 @@ If everything is configured properly, after the reboot of the second SNS, you sh >> >> Create a host object for your public IP: >> ->>![SNS vrack](images/configure-management-1.png){.thumbnail} +>>![SNS EVA vrack](images/configure-management-1.png){.thumbnail} >> > **Step 3** >> >> Restrict access to the GUI to your public IP and enable SSH: >> ->> ![SNS vrack](images/configure-management-2.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-2.png){.thumbnail} >> > **Step 4** >> >> Restrict SSH access to your public IP: >> ->> ![SNS vrack](images/configure-management-3.png){.thumbnail} +>> ![SNS EVA vrack](images/configure-management-3.png){.thumbnail} #### Re-synchronize the HA configuration -The synchronization between the two SNS instances is crucial to ensure that both firewalls are always up to date with the same configuration. At this point, the two SNS instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. +The synchronization between the two SNS EVA instances is crucial to ensure that both firewalls are always up to date with the same configuration. This can be done through the SSH command line or directly via the graphical user interface (GUI). -Log in to the active SNS instance using SSH: +> [!primary] +> For this example, we use the SSH command line solution. If you prefer to use the GUI for synchronization, refer to the « High Availability screen » section in the [Stormshield SNS EVA documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm){.external} for detailed steps. + +At this point, the two SNS EVA instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of. 
+ +Log in to the active SNS EVA instance using SSH: ```bash ssh admin@ ``` -Synchronize the two SNS: +Synchronize the two SNS EVA: ```bash hasync 
@@ -241,26 +246,26 @@ You need to do this each time you update the configuration. ### Use cases configuration -After deploying SNS **E**lastic **V**irtual **A**ppliance (EVA) firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. +After deploying SNS Elastic Virtual Appliance firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below. Thanks to the vRack private network, listed VLANs can also be used outside the Public Cloud environment: across BareMetal or Private Cloud products. #### Use case 1: Configure Stormshield Network Security to be used as a gateway In this example, the virtual firewall will act as a secure gateway for private instances (or any other server) within the VLAN200 of the given vRack network. Such traffic can be a subject for URL filtering on the firewall. -![SNS vrack](images/stormshield-gateway.png){.thumbnail} +![SNS EVA vrack](images/stormshield-gateway.png){.thumbnail} - Create a network object for the VLAN200 by following this [part of the official Stormshield documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external}. 
- [Create a new filter rule](https://documentation.stormshield.com/SNS/v4/en/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm){.external} similar to this one to allow the traffic coming from VLAN200 to go out: -![SNS vrack](images/gateway-2.png){.thumbnail} +![SNS EVA vrack](images/gateway-2.png){.thumbnail} - [Create a NAT rule](https://documentation.stormshield.eu/SNS/v4/en/Content/SNS_for_Cloud_-_VMWare_NSX/NAT-Rules.htm){.external} similar to this one: -![SNS vrack](images/gateway-3.png){.thumbnail} +![SNS EVA vrack](images/gateway-3.png){.thumbnail} -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -281,13 +286,13 @@ Create an instance on VLAN200: openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver ``` -Log-in via SSH to the SNS instance: +Log-in via SSH to the SNS EVA instance: ```bash ssh -A admin@ ``` -From the SNS instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: +From the SNS EVA instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP: ```bash ssh ubuntu@ @@ -304,7 +309,7 @@ HTTP/2 200 In this example, the Internet should be able to reach the private web server installed in VLAN200. The aim of this configuration is to protect the web server with a network firewall. -![SNS vrack](images/stormshield-nat-http.png){.thumbnail} +![SNS EVA vrack](images/stormshield-nat-http.png){.thumbnail} > [!tabs] > **Step 1** 
@@ -320,19 +325,19 @@ In this example, the Internet should be able to reach the private web server ins >> >> Create a host object for the ubuntu-webserver: >> ->>![SNS vrack](images/nat-1.png){.thumbnail} +>>![SNS EVA vrack](images/nat-1.png){.thumbnail} >> > **Step 3** >> >> Create a NAT rule like this one: >> ->> ![SNS vrack](images/nat-2.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-2.png){.thumbnail} >> > **Step 4** >> >> Create a filter rule like this one: >> ->> ![SNS vrack](images/nat-3.png){.thumbnail} +>> ![SNS EVA vrack](images/nat-3.png){.thumbnail} >> Test to access the website from outside: @@ -342,7 +347,7 @@ curl -I http:// HTTP/1.1 200 OK ``` -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -353,13 +358,13 @@ hasyn In this example, IPsec tunnel is configured to interconnect two different PCI regions: SBG7 (network VLAN200) and GRA11 (network VLAN201), but any of these sites could be a remote site such as an office or datacentre. -![SNS vrack](images/stormshield-ipsec.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ipsec.png){.thumbnail} Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 and different IP ranges for the stormshield-ext and stormshield-ha subnet. ##### **Configure the first site** -- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS and add a network object for the VLAN201 remote private network. +- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm){.external} for the remote SNS EVA and add a network object for the VLAN201 remote private network. - [Create a standard site-to-site tunnel](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm){.external}. 
@@ -368,34 +373,34 @@ Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 >> >> Add the local and the remote private network: >> ->>![SNS vrack](images/ipsec-3.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-3.png){.thumbnail} >> > **Step 2** >> >> Create the remote gateway: >> ->>![SNS vrack](images/ipsec-4.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-4.png){.thumbnail} >> > **Step 3** >> >> Choose a pre-shared key: >> ->>![SNS vrack](images/ipsec-5.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-5.png){.thumbnail} >> > **Step 4** >> >> Create and activate the tunnel: >> ->>![SNS vrack](images/ipsec-7.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-7.png){.thumbnail} >> > **Step 5** >> >> Add a filter rule like this one to allow traffic through the tunnel: >> ->>![SNS vrack](images/ipsec-8.png){.thumbnail} +>>![SNS EVA vrack](images/ipsec-8.png){.thumbnail} >> -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ @@ -434,7 +439,7 @@ PING () 56(84) bytes of data. In this example, a remote OpenVPN client will connect to the private network inside VLAN200. -![SNS vrack](images/stormshield-ssl-vpn.png){.thumbnail} +![SNS EVA vrack](images/stormshield-ssl-vpn.png){.thumbnail} ##### **Configuring the LDAP directory** 
@@ -442,19 +447,19 @@ In this example, a remote OpenVPN client will connect to the private network ins In a production scenario, this LDAP/AD should be remote and not local. -![SNS vrack](images/ssl-vpn-1.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-1.png){.thumbnail} - Create the user directory: -![SNS vrack](images/ssl-vpn-2.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-2.png){.thumbnail} - Add a user to our local directory: -![SNS vrack](images/ssl-vpn-3.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-3.png){.thumbnail} - Choose a password for the new user: -![SNS vrack](images/ssl-vpn-4.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-4.png){.thumbnail} ##### **Configuring VPN network objects** @@ -462,17 +467,17 @@ Create two network objects for the SSL VPN client. UDP client network: -![SNS vrack](images/ssl-vpn-5.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-5.png){.thumbnail} TCP client network: -![SNS vrack](images/ssl-vpn-6.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-6.png){.thumbnail} ##### **SSL VPN server configuration** Configure the SSL VPN server: -![SNS vrack](images/ssl-vpn-7.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-7.png){.thumbnail} ##### **Managing user permissions** @@ -480,21 +485,21 @@ Add permission to your user to use the SSL VPN server (`Configuration` > `Users` Search your user: -![SNS vrack](images/ssl-vpn-8.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-8.png){.thumbnail} Allow SSL VPN: -![SNS vrack](images/ssl-vpn-9.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-9.png){.thumbnail} ##### **Configuring filter rules** Add a filter rule like this one to let VPN client access the VLAN200: -![SNS vrack](images/ssl-vpn-10.png){.thumbnail} +![SNS EVA vrack](images/ssl-vpn-10.png){.thumbnail} -##### **Synchronization of SNS instances** +##### **Synchronization of SNS EVA instances** -Synchronize the two HA SNS instances: +Synchronize the two HA SNS EVA instances: ```bash ssh admin@ 
@@ -506,6 +511,7 @@ hasync > [!primary] > To test SSL/TLS connectivity, you can use any device with OpenVPN installed. This example includes testing an OpenVPN client on top of an OpenStack instance in another region. > +> In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/){.external}. Download the VPN configuration file (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`). @@ -557,4 +563,4 @@ PING () 56(84) bytes of data. If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](/links/professional-services) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project. -Join our [community of users](/links/community). +Join our [community of users](/links/community). \ No newline at end of file
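Review bot: in the `-95` hunk the `openstack image create` context line registers the file `utm-SNS-EVA-4.8.3-openstack.qcow2` under the name `stormshield-SNS-EVA-4.7.6` with `--disk-format raw`; a qcow2 file should be imported with `--disk-format qcow2`, and the image name should carry the same version as the file (4.8.3) so the later `--image stormshield-SNS-EVA-...` references are unambiguous. The Stormshield download link in the same hunk points at the `/fr/` documentation while every other link in the page uses `/en/`.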
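Review bot: the flavor table in the `[!primary]` note of the `-118` hunk lowers every recommendation (EVA1 goes from B3-16/B3-32 to B3-8/B3-16, and so on) without saying where the new values come from; since these are vendor sizing figures, add a reference to the Stormshield sizing or licence documentation they were taken from. The `openstack server create --flavor b3-32` example above the note still matches the EVA2/EVA3 rows, so it needs no change.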
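Review bot: the HA group step in the `-165` hunk has the reader look up the address that OpenStack DHCP handed to the HA interface, but `stormshield-ha` was created with `--dhcp` and no fixed port, so that address changes if the instance port is ever recreated and the HA peer configuration silently breaks. Suggest either stating that the peer address must be re-checked after any port change, or pointing to a port with a fixed address (`openstack port create --fixed-ip subnet=stormshield-ha,ip-address=...`) for the HA link. Minor: "on both SNS EVA in the web GUI" reads better as "on both SNS EVA instances in the web GUI".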
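Review bot: the added `[!primary]` note in the `-207` hunk uses French guillemets (« High Availability screen ») on an English page; the rest of the guide quotes UI labels with backticks, so `High Availability screen` would be consistent. The `ssh admin@` command that follows (and the same command in every later hunk) has nothing after the `@` as rendered here; verify that the host placeholder survives rendering, since a `<ip>`-style placeholder can be swallowed as markup, and write it as `<public_IP>` escaped or spelled out so the reader sees what to fill in.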
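Review bot: the `openstack server create --flavor b2-7 ... --key-name ubuntu-webserver` context line in the `-281` hunk has no server name: `--key-name` consumes `ubuntu-webserver` as the keypair name, so the command fails on the missing positional argument. It should read `--key-name <your-keypair> ubuntu-webserver`. In the same hunk, `ssh -A admin@` forwards the reader's SSH agent onto the firewall to reach the web server behind it; a jump directive (`ssh -J admin@<firewall> ubuntu@<webserver>`) gives the same hop without exposing the agent socket on the intermediate host and is the safer pattern to document here. Minor: "After deploying SNS Elastic Virtual Appliance firewall" wants "the", and "Log-in via SSH" should be "Log in via SSH" (twice).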
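Review bot: "Test to access the website from outside" in the `-320` hunk should read "Test access to the website from outside". The image lines in the tabs alternate between `>>![SNS EVA vrack]` and `>> ![SNS EVA vrack]`; pick one spacing for the whole file while the lines are being touched anyway.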
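Review bot: "In this example, IPsec tunnel is configured" in the `-353` hunk needs an article ("an IPsec tunnel"), and "datacentre" should match the spelling used elsewhere in the page. In the `-368` tabs, the "Choose a pre-shared key" step would benefit from one sentence stating that the PSK must be long and randomly generated (or pointing at the certificate-authentication how-to the page already links under "Create a new filter rule"), since it is the only authentication the tunnel has in this example.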
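Review bot: the sentence added to the `[!primary]` note in the `-506` hunk repeats what the preceding line already says ("you can use any device with OpenVPN installed"); merge them into one sentence that mentions the Stormshield packaged client as an alternative. The `-557` hunk removes the trailing newline (`\ No newline at end of file`) on the last line; the only change there is the dropped newline, so this hunk should be reverted to keep the file POSIX-terminated and avoid noisy diffs later. Minor, from the `-442` hunk: "let VPN client access the VLAN200" should read "let the VPN client access VLAN200".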