IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you upgrade your SNS firewalls to a version that is still under maintenance, so that they keep receiving security fixes and your infrastructure stays protected.
New features in SNS 3.10.1
Firewalls running SNS 3.10.x or higher must not be upgraded to a 4.0.x version: this operation is not supported.
For further information, refer to Recommendations.
ClamAV antivirus
A new ClamAV parameter limits the duration of an antivirus analysis. This acts as an additional layer of protection against zip bombs (small archives that expand to an enormous amount of data).
If the analysis runs longer than this limit, which indicates that the analyzed file expands to an overwhelming amount of data, the analysis is stopped. The action then applied to the file depends on the value of the “When the antivirus analysis fails” field in the Analyzing files tab of the FTP, HTTP, POP3 and SMTP protocols. This value is set to “Block” by default, so a file whose analysis times out is dropped rather than forwarded unscanned; setting it to “Pass” lets such files through without a complete analysis.
The limit is set to 120 seconds by default and can only be modified through the following CLI / Serverd command:
CONFIG ANTIVIRUS LIMITS MaxProcTime=<time>
For more information on the syntax of these commands, refer to the CLI SERVERD Commands Reference Guide.
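To make the failure mode concrete, here is an added example (not SNS or ClamAV code) that models a bounded archive analysis: every inflated chunk is charged against a time budget (the MaxProcTime idea, 120 s by default) and, as an assumed extra guard, a decompressed-size budget; when a budget is exhausted the analysis is abandoned and the configured failure action (“block” or “pass”) decides what happens to the file. The zip bomb it scans is constructed in memory by the `make_bomb` helper; the `Limits` class, the byte budget and the depth limit are assumptions of this example.

```python
"""Bounded archive analysis that fails closed when a budget is exhausted.

Added example, not the SNS/ClamAV implementation: it models the idea behind
the MaxProcTime limit (abort an analysis that runs too long), adds an assumed
decompressed-size budget, and applies the configured failure action.
"""
import io
import time
import zipfile
from dataclasses import dataclass
from typing import Optional, Tuple

CHUNK = 64 * 1024


@dataclass
class Limits:
    max_seconds: float = 120.0            # same default as MaxProcTime
    max_bytes: int = 256 * 1024 * 1024    # assumed guard on total inflated size
    max_depth: int = 3                    # assumed limit on nested archives


class BudgetExceeded(Exception):
    """Raised as soon as a limit is hit; partially analysed data is discarded."""


def _walk(data: bytes, limits: Limits, state: dict, depth: int) -> None:
    """Inflate every member in chunks, charging each chunk against the budget."""
    if depth > limits.max_depth:
        raise BudgetExceeded("nesting depth")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            nested = bytearray()   # collected only when the member is itself a zip
            is_zip = False
            with zf.open(info) as member:
                first = True
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    state["bytes"] += len(chunk)
                    if state["bytes"] > limits.max_bytes:
                        raise BudgetExceeded("decompressed size")
                    if time.monotonic() - state["start"] >= limits.max_seconds:
                        raise BudgetExceeded("analysis time")
                    if first:
                        is_zip = chunk.startswith(b"PK\x03\x04")  # local file header
                        first = False
                    if is_zip:
                        nested += chunk
            if is_zip:
                _walk(bytes(nested), limits, state, depth + 1)


def scan(data: bytes, limits: Optional[Limits] = None,
         on_failure: str = "block") -> Tuple[str, str]:
    """Return (action, reason). on_failure mirrors the 'When the antivirus
    analysis fails' setting: 'block' (the default) or 'pass'."""
    limits = limits or Limits()
    state = {"bytes": 0, "start": time.monotonic()}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "pass", f"flat file, {len(data)} bytes analysed"
    try:
        _walk(data, limits, state, 0)
    except (BudgetExceeded, zipfile.BadZipFile) as exc:
        # Analysis did not complete: apply the configured failure action.
        return on_failure, f"analysis failed: {exc}"
    return "pass", f"archive analysed, {state['bytes']} bytes inflated"


def make_bomb(plain_size: int = 32 * 1024 * 1024, layers: int = 2) -> bytes:
    """Constructed sample: a block of zeros zipped, then re-zipped `layers` times."""
    payload = bytes(plain_size)
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{i}.bin", payload)
        payload = buf.getvalue()
    return payload


if __name__ == "__main__":
    bomb = make_bomb()
    print(len(bomb), "bytes on the wire")
    print(scan(bomb, Limits(max_bytes=16 * 1024 * 1024)))          # action 'block'
    print(scan(bomb, Limits(max_bytes=16 * 1024 * 1024), "pass"))  # passes unscanned
    print(scan(bomb))                                               # within the default budget
```

The point to keep in mind when tuning MaxProcTime is the second call: with the failure action set to “Pass”, a file that exhausts the budget is delivered without having been fully analysed, which is why the default is “Block”.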
High availability
LACP link aggregation
On firewalls with LACP aggregates, a weight can now be assigned to each interface in the aggregate, and that weight is taken into account when the high availability quality indicator is calculated.
Assign the value 1 to the new LACPMembersHaveWeight parameter in the following CLI / Serverd commands:
CONFIG HA CREATE
CONFIG HA UPDATE
The interfaces of the aggregate will then appear in the Impact of the unavailability of an interface on a firewall's quality indicator table, in the High availability module of the web administration interface, and the loss of a single member lowers the node's quality.
Without this parameter, the default behavior is unchanged: the aggregate is treated as a single interface, and the cluster switches only when all the interfaces in the aggregate are lost.
For more information on the syntax of these commands, refer to the CLI SERVERD Commands Reference Guide.
Loss of network modules
The health status calculation that determines the switch from one node of a cluster to the other has been enhanced so that the loss of a network module is detected more reliably, including after the firewall is restarted.
NAT rules with ARP publication
In high availability configurations, firewalls send Gratuitous ARP (GARP) frames on all their interfaces during a switch, so that neighboring devices learn the new location of each MAC address and traffic keeps being routed to the active node.
This mechanism has been extended: every virtual IP address published by ARP in a NAT rule (ARP publication) now also has a GARP sent for it during a switch, so NAT'd addresses are reached on the new active node without waiting for ARP caches to expire.
IPsec VPN mobile peers
Several mobile policies can now be used simultaneously when peers are distinguished by their login (ID). These policies are added in Configuration > VPN > IPsec VPN, Peers tab.
Distinguishing peers by login (ID) also makes it possible to change the VPN configuration of one particular mobile peer without affecting the tunnels of the other mobile peers.
Certificates and PKI
Certificates generation
Certificates can now be generated with elliptic curve algorithms, which provide equivalent security with much shorter keys and faster operations than RSA. The following CLI / Serverd commands now accept SECP, Brainpool and RSA as the algorithm:
PKI CA CREATE
PKI CERTIFICATE CREATE
PKI REQUEST CREATE
PKI CA CONFIG UPDATE
The size parameter of these commands must also be set, and its value must match the selected algorithm:
| Algorithm | Sizes allowed |
| --- | --- |
| RSA | 768, 1024, 1536, 2048 or 4096 |
| SECP | 256, 384 or 521 |
| Brainpool | 256, 384 or 512 |
The SECP sizes correspond to the NIST curves P-256, P-384 and P-521 (521 is not a typo: the P-521 prime is 521 bits long). RSA sizes below 2048 bits are accepted for compatibility with older deployments only and should not be used for new certificates.
For more information on the syntax of these commands, refer to the CLI SERVERD Commands Reference Guide.
Certificate enrollment
Stormshield firewalls now support the EST (Enrollment over Secure Transport, RFC 7030) certificate enrollment protocol, whose distinctive feature is that every exchange is an HTTPS request, i.e., protected by TLS.
The following operations can be performed once EST is set up on Stormshield firewalls:
- Distribution of the certificate of the certification authority (CA) that signs the certificates,
- Certificate creation or renewal requests submitted by the PKI administrator,
- Certificate creation or renewal requests submitted by the certificate holder (enrollment).
If the EST server allows it, a renewal request can be authenticated directly by the existing certificate (TLS client authentication) and no longer requires a password.
In SNS version 3.10, these operations can only be performed using CLI / serverd commands that begin with:
PKI EST
For more information on the syntax of these commands, refer to the CLI SERVERD Commands Reference Guide.
Management
New health indicators
Two new health indicators are available: one for the CPU temperature, and one for the administration password, raised when the password is too old or is still the default password.
Stability and performance
The synchronization of SNS with SMC has been enhanced to allow smoother data exchange between both products, especially during direct access to the firewall administration interface from SMC.
Authentication
Temporary accounts
The password that the firewall automatically generates when a temporary account is created (User > Temporary accounts) now meets the minimum password length required in the firewall’s password policy (module System > Configuration > General configuration tab).
New SN SSO Agent for Linux
A new Linux-based SN SSO Agent supports directories running on non-Windows systems, such as Samba 4. It is configured in the Authentication module of the web administration interface and detects user logons from logs exported via Syslog. The exported logs are filtered with the regular expressions configured beforehand in the interface, so those expressions must match exactly the successful-logon lines and capture the user name and the client IP address.
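As an added example (not the SN SSO Agent code), the following Python snippet shows what such a filter has to extract from exported logs: the user and source IP of successful logons only. The log lines are constructed for this example and only loosely imitate a Samba 4 authentication audit line; the regular expressions are assumptions too. The second, looser expression illustrates the classic mistake of not anchoring on the success status, which would map an attacker's failed attempt to a user.

```python
"""Extract (user, ip) logon events from syslog-exported authentication logs.

Added example, not the SN SSO Agent implementation. Sample lines and regular
expressions are constructed for illustration and do not reproduce the real
Samba 4 audit format.
"""
import re
from typing import Dict, Iterable, List, Pattern, Tuple

# Constructed sample export (syslog style); the failed attempt from
# 10.9.9.9 and the unrelated sshd line must not produce an association.
SAMPLE_LOG = """\
Mar  4 09:12:01 dc1 samba[812]: Auth: [Kerberos KDC] user=[CORP]\\alice status=[NT_STATUS_OK] remote host=[ipv4:10.1.2.3:49831]
Mar  4 09:12:05 dc1 samba[812]: Auth: [Kerberos KDC] user=[CORP]\\mallory status=[NT_STATUS_WRONG_PASSWORD] remote host=[ipv4:10.9.9.9:50000]
Mar  4 09:12:09 dc1 samba[812]: Auth: [Kerberos KDC] user=[CORP]\\bob status=[NT_STATUS_OK] remote host=[ipv4:10.1.2.4:49900]
Mar  4 09:12:10 dc1 sshd[900]: Accepted publickey for root from 10.1.2.99 port 2222
Mar  4 09:15:42 dc1 samba[812]: Auth: [Kerberos KDC] user=[CORP]\\alice status=[NT_STATUS_OK] remote host=[ipv4:10.1.2.4:49950]
"""

# Correct filter: requires the success status between the user and the host.
LOGON_RE: Pattern[str] = re.compile(
    r"user=\[(?P<domain>[^\]]+)\]\\(?P<user>\S+) "
    r"status=\[NT_STATUS_OK\] "
    r"remote host=\[ipv4:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\]"
)

# Pitfall: same capture groups but no status check, so failures match too.
LOOSE_RE: Pattern[str] = re.compile(
    r"user=\[[^\]]+\]\\(?P<user>\S+) .*remote host=\[ipv4:(?P<ip>[\d.]+):"
)


def extract_logons(lines: Iterable[str],
                   pattern: Pattern[str] = LOGON_RE) -> List[Tuple[str, str]]:
    """Return (user, ip) for every line the pattern matches; others are ignored."""
    events = []
    for line in lines:
        m = pattern.search(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events


def build_table(events: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """IP -> user association; a later logon from the same IP replaces the earlier user."""
    table: Dict[str, str] = {}
    for user, ip in events:
        table[ip] = user
    return table


if __name__ == "__main__":
    strict = extract_logons(SAMPLE_LOG.splitlines())
    print("strict filter:", strict)
    print("associations:", build_table(strict))
    print("loose filter:", extract_logons(SAMPLE_LOG.splitlines(), LOOSE_RE))
```

With the strict expression, 10.1.2.4 ends up associated with alice (her later logon replaces bob's), and mallory's failed attempt never appears; the loose expression would have granted 10.9.9.9 an identity it never authenticated.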
Key Usage extension in TLS peer certificates
When authenticating TLS peers (client or server), Stormshield firewalls now only accept certificates that carry the Key Usage extension, i.e., certificates that comply with X.509 v3. Peer certificates without this extension (for example older v1 or some self-signed certificates) are rejected and must be reissued.
Increased security during firmware updates
Firmware updates are now better protected. In addition to the signature that guarantees the integrity of update packages, communications with the update servers are now secured: they take place over HTTPS on port 443, so this outbound flow must be allowed by any upstream filtering.
Initial configuration via USB
For an initial configuration via USB key, the setconf command can now write whole lines into sections, in addition to writing values into keys (tokens). The CSV format of the command file has been extended accordingly.
For further information regarding the setconf command, refer to the technical note Initial configuration via USB key.
System
The kernel random number generator arc4random is no longer based on RC4 but on ChaCha20, which is faster and more robust.
The firewall operating system has been upgraded to refresh its time zone and daylight saving time data.
Hardware
Hardware-based security for VPN secrets on compatible SN3100 models
Since hardware revision A3, SN3100 firewalls include a trusted platform module (TPM) that protects VPN secrets. The TPM adds a level of protection to SN3100 appliances used as VPN concentrators in locations that are not necessarily physically secure. Support for this module starts with version 3.10.
Serverd Commands
There are now new CLI / Serverd commands that operate functions on TPMs and begin with:
SYSTEM TPM
TPM parameters can also be added to some PKI commands:
PKI CERTIFICATE CREATE
PKI CERTIFICATE PROTECT
PKI REQUEST CREATE
PKI SCEP QUERY
For more information on the syntax of these commands, refer to the CLI SERVERD Commands Reference Guide.
SSH commands
A new CLI / SSH command makes it possible to operate the TPM, and begins with:
tpmctl
It includes the possibility of approving new PCR (Platform Configuration Register) values after the BIOS or hardware modules are updated, since such updates change the measured values that the TPM protection is bound to.
For more information on the syntax of this command, refer to the CLI SSH Commands Reference Guide.