New features in SNS 3.11.1 LTSB

IMPORTANT
Firewalls must not be upgraded from SNS in version 3.10.x or 3.11.x LTSB to a 4.0.x version. This operation is not supported.
For further information, refer to Recommendations.

Long-Term Support Branch (LTSB)

SNS version 3.11 carries the “LTSB” label: it is intended to remain stable over the long term and will be supported for at least 12 months.

Refer to Compatibility to find out which products are compatible. For more information on the LTSB label, refer to the documents in the section Product > Product Life Cycle on MyStormshield.

SNi20 model industrial firewalls

Version 3.11.1 LTSB of the SNS firmware ensures compatibility with new SNi20 industrial firewalls.

The features listed below are not available on such firewalls in 3.11.x LTSB versions of the SNS firmware, and are available only from SNS version 4.1.1 onwards:

  • Hardware bypass,
  • Hardware-secured VPN secrets with the TPM module,
  • Link aggregation (LACP),
  • Network loop management protocols (RSTP and MSTP).

For more information, refer to the product page for the SNi20 model.

High availability

Shorter failover time when an interface fails

In a high availability configuration, when an interface on a node in the cluster fails, the time it takes for a passive node to switch to active mode is now one second, shortening the interruption to network traffic.

System

NTP client

The interface that NTP requests go through can now be configured. The time synchronization daemon on an SNS firewall previously sent such requests through the default interface. The bindaddr value is one of the firewall's own interface address objects; make sure that the NTP server and any filtering on the path accept requests coming from that address.

This new parameter can only be modified through the CLI / Serverd commands:

CONFIG NTP SERVER ADD name=<hostname|groupname> bindaddr=<Firewall_obj>

CONFIG NTP ACTIVATE

For more information on the syntax of this command, refer to the CLI Serverd Commands Reference Guide.

Key size of certificates generated by the SSL proxy

The size of the keys for certificates generated by the SSL proxy can now be configured. Use at least 2048 bits: shorter RSA keys are considered weak (NIST has disallowed 1024-bit RSA for signature generation since 2013), and the size set here is what every client behind the proxy sees on the certificates it issues.

This parameter can only be modified through CLI / Serverd commands:

PKI CA CONFIG UPDATE caname=<name> server_size=<size>

PKI ACTIVATE

For more information on the syntax of these commands, refer to the CLI Serverd Commands Reference Guide.
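Once the size has been changed, the check a practitioner wants is to confirm, from a client behind the proxy, how large the key in the certificate actually presented is. The script below is an added example, not code from the Stormshield product or its documentation: it connects to a host through the proxy, pulls the leaf certificate in DER form and walks the X.509 structure with a minimal DER reader to measure the RSA modulus, without needing a third-party library. The hostname argument and the 2048-bit threshold are assumptions, and `build_sample_cert` builds a constructed, unsigned certificate skeleton so that the parser can be exercised offline.

```python
import socket
import ssl

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
MINIMUM_BITS = 2048                            # assumed policy threshold


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (only used to build the synthetic sample below)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def der_int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:                           # keep the INTEGER positive
        raw = b"\x00" + raw
    return der(0x02, raw)


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                            # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes):
    items, pos = [], 0
    while pos < len(body):
        tag, content, pos = der_read(body, pos)
        items.append((tag, content))
    return items


def rsa_key_bits(cert_der: bytes) -> int:
    """Return the RSA modulus size, in bits, of a DER-encoded X.509 certificate."""
    _, cert, _ = der_read(cert_der)             # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert)                  # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    (_, algorithm), (_, bit_string) = der_children(fields[5][1])
    if der_children(algorithm)[0][1] != RSA_OID:
        raise ValueError("not an RSA public key")
    _, rsa_public_key, _ = der_read(bit_string, 1)   # skip the unused-bits byte
    (_, modulus), _ = der_children(rsa_public_key)   # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(modulus, "big").bit_length()


def key_size_ok(bits: int, minimum: int = MINIMUM_BITS) -> bool:
    return bits >= minimum


def fetch_presented_cert(host: str, port: int = 443) -> bytes:
    """Open a TLS connection (through the proxy) and return the leaf certificate it presents."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # the proxy CA is normally not in this machine's trust store
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def build_sample_cert(bits: int) -> bytes:
    """Constructed, unsigned certificate skeleton carrying an RSA key of the requested size."""
    modulus = (1 << (bits - 1)) | 1             # synthetic modulus, not a real key
    rsa_public_key = der(0x30, der_int(modulus) + der_int(65537))
    algorithm = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    spki = der(0x30, algorithm + der(0x03, b"\x00" + rsa_public_key))
    empty = der(0x30, b"")                      # issuer, validity, subject left empty
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + empty + empty + empty + empty + spki)
    return der(0x30, tbs + empty + der(0x03, b"\x00"))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. a site reached through the proxy
    cert = fetch_presented_cert(host) if host else build_sample_cert(2048)
    bits = rsa_key_bits(cert)
    print(f"RSA key size: {bits} bits ({'ok' if key_size_ok(bits) else 'too small'})")
```

Run it with a hostname from a client whose traffic passes through the SSL proxy; if the reported size is still the old value, check that the proxy is indeed intercepting that site and that the `PKI ACTIVATE` step was applied.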

Regular CRL retrieval

The source IP address that the firewall presents when it performs regular retrieval of certificate revocation lists (CRLs) can now be specified.

This address can only be configured through the CLI / Serverd command:

PKI CONFIG UPDATE checkcrlbindaddr=<bindaddr>

For more information on the syntax of this command, refer to the CLI Serverd Commands Reference Guide.
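Both the NTP `bindaddr` parameter above and the `checkcrlbindaddr` parameter in this section do the same thing at the socket level: they fix the source address of an outbound request, so that the peer sees and answers a chosen interface address rather than whatever the default route would pick. The script below is an added example, not code from the Stormshield product or its documentation, showing the mechanism for both cases: an NTPv4 client request sent from a bound UDP socket, and an HTTP download of a CRL from a connection bound with `source_address`. The server names and the `192.0.2.10` address used in the usage comment are placeholders, and `SAMPLE_REPLY` is a constructed NTP server reply so that the packet decoding can be checked offline.

```python
import http.client
import socket
import struct
from urllib.parse import urlsplit

NTP_PORT = 123
NTP_HEADER = "!BBBbIIIQQQQ"      # 48-byte NTPv4 header (RFC 5905), network byte order
NTP_UNIX_OFFSET = 2208988800     # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def build_ntp_request() -> bytes:
    """Minimal client request: LI=0, version 4, mode 3 (client), all timestamps zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(NTP_HEADER, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)


def parse_ntp_packet(pkt: bytes) -> dict:
    """Decode the fields a client needs in order to sanity-check a reply."""
    if len(pkt) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    f = struct.unpack(NTP_HEADER, pkt[:48])
    li_vn_mode, stratum, refid, transmit = f[0], f[1], f[6], f[10]
    mode = li_vn_mode & 0x7
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": mode,
        "stratum": stratum,
        # a stratum-0 server reply is a kiss-o'-death code (e.g. RATE) carried in the reference ID
        "kiss_code": refid.to_bytes(4, "big").decode("ascii", "replace") if (mode == 4 and stratum == 0) else None,
        "transmit_unix": (transmit >> 32) - NTP_UNIX_OFFSET + (transmit & 0xFFFFFFFF) / 2**32,
    }


def ntp_query(server: str, bind_addr: str, timeout: float = 3.0) -> dict:
    """Send one NTP request from bind_addr and return the decoded reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        # Binding fixes the source address of the datagram: routing still chooses the
        # egress path, but the server sees this address and sends its reply back to it.
        sock.bind((bind_addr, 0))
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (server, NTP_PORT))
        reply, peer = sock.recvfrom(512)
    result = parse_ntp_packet(reply)
    if result["mode"] != 4:
        raise ValueError(f"unexpected mode {result['mode']} in reply from {peer[0]}")
    return result


def fetch_crl(url: str, bind_addr: str, timeout: float = 5.0) -> bytes:
    """Download a CRL over HTTP with the TCP connection bound to bind_addr."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("this helper only handles http:// distribution points")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout,
                                      source_address=(bind_addr, 0))
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"CRL fetch returned HTTP {resp.status}")
        return resp.read()
    finally:
        conn.close()


# Constructed server reply for an offline check: stratum 2, mode 4, precision 2^-20,
# transmit timestamp 2024-01-01T00:00:00Z (3913056000 s in NTP era 0).
SAMPLE_REPLY = struct.pack(NTP_HEADER, 0x24, 2, 6, -20, 0, 0, 0, 0, 0, 0, 3913056000 << 32)

if __name__ == "__main__":
    print(parse_ntp_packet(SAMPLE_REPLY))
    # Live use, with placeholder addresses:
    #   ntp_query("ntp.example.net", "192.0.2.10")
    #   fetch_crl("http://crl.example.net/ca.crl", "192.0.2.10")
```

To confirm that the firewall's own setting took effect, capture on the expected interface while forcing a synchronization or a CRL refresh and check that the source address of the outgoing packets is the one you configured.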

Authentication

LDAP

Backup LDAP servers can now be configured on ports other than the main LDAP server port.

Certificates and PKI

CRL retrieval

On root authorities whose certificate contains a certificate revocation list distribution point (CRLDP) extension, the CRL is now retrieved automatically from that distribution point whenever an application uses the root authority’s certificate.

Obsolete features

Filter - NAT - HTTP cache feature

As the use of the HTTP cache function in filter rules will be phased out in a future version of SNS, a warning message now appears to encourage administrators to modify their configurations.

This message appears under the filter grid in the Checking the policy field.

IPsec VPN - Backup peers

As the use of backup peers (referred to as “Backup configuration”) is obsolete and will be phased out in a future version of SNS, a warning message now appears to alert administrators and encourage them to modify their configurations. This message appears under the IPsec policy grid in the Checking the policy field.

To obtain the same redundancy, use virtual IPsec interfaces instead, combined with router objects or dynamic routing to switch traffic between tunnels.