IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you update your SNS firewalls to a version that is still under maintenance to guarantee the protection of your infrastructure.
New features in SNS 3.5.0
Intrusion prevention
Sandboxing
Activity reports and sandboxing analysis logs now give access to the page on the Stormshield Breach Fighter portal that describes the detected malicious file.
Common industrial protocol (CIP)
SNS firewalls now detect and analyze the CIP (Common Industrial Protocol).
CIP encompasses a comprehensive set of messages and services for industrial automation applications, including monitoring, security, synchronization, movement, configuration and information. It is implemented in particular in the upper layers of the EtherNet/IP protocol. For more detail, please refer to the SNSv3 user and configuration guide.
UMAS industrial protocol
SNS firewalls now detect and analyze UMAS (Unified Messaging Application Services) function codes. The UMAS protocol is an extension of the Modbus protocol and is the intellectual property of Schneider Electric. For more detail, please refer to the SNSv3 user and configuration guide.
NTP
The NTP analysis has been enriched and now has a dedicated control panel that makes it possible, in particular, to analyze or block this protocol's modes and operations (NTPv3 and NTPv4). For more detail, please refer to the SNSv3 user and configuration guide.
SSL protocol
When the server presents an unsolicited client certificate, a new alarm is raised (by default, packets are not blocked): "SSL: Unexpected client certificate".
Configuration
Firewall name
Firewall names can now be 127 characters long, instead of 15 previously.
Filter - NAT
"IPsec only" option
Two optional conditions have been added to the Action panel in the settings of each filter rule, so that packets matching the rule are allowed only if they leave through an IPsec tunnel after being processed by the rule:
- Force source packets in IPsec, for packets going through the rule from the source to the destination,
- Force return packets in IPsec, for return packets of a connection matching the rule.
This makes it possible, for example, to reject packets when the IPsec tunnel has not been configured or is inactive.
Authentication
Captive portal - Logout page
For every profile on the captive portal (authentication portal), it is possible to enable a page reserved for logging out. Once the user has authenticated, this page will appear instead of the captive portal while the requested web page opens in a new tab.
VPN
IPsec VPN IKEv2
An option has been added to skip full re-authentication when SAs are renewed. In this case, only the keys are renewed, which avoids the packet loss that re-authentication can cause.
Security-wise, this option is less safe, since the peer's identity, and in particular the CRL check, is verified only when the tunnel is initialized and no longer at each renewal of the IKE phase.
This option can only be enabled in command line:
config ipsec peer update name=Site_Name reauth=0
When you enable it, the following warning message therefore appears: "When the reauthentication option is disabled, authentication components will be verified only during the initial IKE SA negotiation."
Network
DHCP
The maximum number of IP addresses that the DHCP server can distribute used to be set according to the firewall type (S, M, M-VM, L, XL, XL-VM). It is now specific to each model.
Virtual machines
Monitoring - Watchdog
Virtual firewalls are now equipped with a monitoring mechanism (watchdog) that restarts them automatically when the firewall remains idle for a specified duration.
Notifications
E-mail alerts
The firewall can now verify the identity of the SMTP server through which notification e-mails are sent. This is only possible when encryption is enabled, and therefore requires the STARTTLS option on the SMTP server. The verification is based on the certificate that the server presents when the connection is encrypted.
Web administration interface
Bridge and Wi-Fi interface
Wi-Fi interfaces can now be added to or removed from a bridge by drag and drop in the Network > Interfaces configuration module.
E-mail alerts
A button has been added to the E-mail alerts settings to send test e-mails in order to check the firewall's SMTP configuration.