Certified Stormshield Network Troubleshooting & Support (EDU-CSNTS)

This course comprehensively covers the tools and methods used to gather crucial network data. With such data, issues can be analyzed and fixed effectively in the command line interface (CLI) on Stormshield Network UTM appliances.

This course caters to employees of companies aiming for Stormshield’s highest level of partnership, and potential support engineers and expert instructors specializing in our UTM appliances.


Target audience

IT managers, network administrators and IT technicians.


Objectives

At the end of the course, and after revising the fundamentals, trainees are expected to know:

  • the organization of the file system, and the daemons and processes on Stormshield Network appliances
  • how to locate, explore and handle the various configuration and log files
  • the difference between specific features and anomalies in network and routing configurations
  • how to capture network traffic and analyze captures
  • how to analyze a security policy, and identify its general directives and special parameters
  • how to identify the processes applied to ongoing connections
  • how to generate an adapted, comprehensive and usable report to make a diagnosis
  • how to configure IPSec VPN tunnel policies, identify enabled mechanisms and diagnose malfunctions on these mechanisms
  • how to analyze and debug a high availability configuration


Prerequisites

  • Trainees must already be CSNE-certified with a certification that is still valid.
  • Advanced knowledge of TCP/IP and UNIX shell.


Certification exam

To obtain certification, trainees must complete a 4-hour online exam containing 60 questions.

The exam consists of a combination of MCQs and open questions on features, settings and advanced troubleshooting methods that must be implemented to provide an exhaustive response to the incident reports that our clients submit.

The minimum score required to obtain the certification is 70%.

Access to the exam automatically opens the day after the end of the course on the https://institute.stormshield.eu platform and remains open for six months. If trainees fail their first attempt or are unable to sit for the exam within this time frame, they will be entitled to a second and final attempt, which opens automatically and immediately for a week.



Detailed training program

Individual introduction of trainees

Introduction to the course

Operating system and related UNIX commands

  • Shell access and settings
  • SSH features
  • File system and associated commands
  • Directories and associated commands
  • System and user environment
  • Files and associated commands

Logs

  • Local logs: location, characteristics, syntax and categories
  • Associated commands
  • Configuration files
  • Logd, logctl, kernel message logs

Configuration files

  • Directories, structure and general syntax
  • Backups (*.na), decbackup and tar
  • Default configuration

Objects

  • Object syntax
  • Dynamic and FQDN objects

Network and routing

  • Network interface settings
  • Bridges and associated commands
  • Routing functions and their priorities
  • Default routes and static routes
  • Gatemon and router objects
  • Dynamic routing
  • Related commands and showing routes
  • Verbose mode
  • Lab: Network and routing

Traffic captures and analyses

  • Introduction and tips
  • General syntax and arguments
  • Common filters
  • Commented examples and preparations for effective captures
  • Analyzing traffic with tcpdump (TCP and UDP/ICMP traffic)
  • Lab: Network/tcpdump

ASQ: the various stages of its analysis

  • Step-by-step analysis of network layers
  • Associated commands
  • Global settings
  • Special profiles and settings
  • Asynchronous ASQ: various cases and watermarking
  • ASQ verbose mode
  • Lab: ASQ settings

ASQ: security policy

  • Configuration files and directories, and rule syntax
  • Filtering: associated commands
  • Filtering: examples of loaded rules (action, inspection level, plugin, PBR, QoS, interfaces and proxy)
  • Filtering: translation of groups and lists
  • NAT: revision (dynamic NAT, static NAT by port, static NAT/bimap and no NAT)
  • NAT: associated commands
  • NAT: syntax of loaded rules
  • Lab: NAT and filtering

ASQ: stateful tracking and status tables

  • Protected address table
  • Host table
  • Connection table: examples of connection statuses (NAT, vconn, FTP plugin, async, lite, etc.)
  • Lab: ASQ stateful tracking

Daemons and processes

  • Lists and roles
  • Supervisor daemon
  • Related commands

Eventd: event manager

IPSec VPN

  • Stormshield Network IKE/IPsec implementation
  • Configuration files
  • Security policy (SPD and SAD)
  • IKE negotiations
  • Negotiations: main mode and aggressive mode
  • ISAKMP and IPsec SAs
  • IKE proposals
  • Specific features: NAT-T, DPD, Keepalive, SharedSA, Policy None and SPD cache
  • Associated commands
  • Analysis of an IPSec-SA
  • Logs
  • “Delete SA” notifications
  • ISAKMP traffic captures and analyses
  • Particularities of dynamic peers
  • Verbose mode and common errors
  • Lab: ISAKMP/IPsec

PKIs and certificates

  • Recap and global directives
  • CA directory
  • Configuration tips
  • Certificate verification

High availability

  • Overview
  • Configuration files
  • Related commands
  • Enabling HA and managing network interfaces
  • Processes and traffic involved
  • Replications/synchronization
  • HA events and logs