New features in SNS 3.8.0

Virtual machines

Stormshield Network EVA

Version 3.8.0 of the firmware ensures compatibility with new virtual firewalls in the Elastic Virtual Appliance (EVA) range.

These firewalls automatically adapt their limits (number of connections, IPsec tunnels, etc.) according to the amount of memory allocated to the instance. They therefore allow scaling the amount of RAM used and the number of virtual processors (vCPU) according to the following values:

  • EVA1: up to 2 GB of RAM and 1vCPU.
  • EVA2: up to 3 GB of RAM and 2vCPU.
  • EVA3: up to 6 GB of RAM and 4vCPU.
  • EVA4: up to 8 GB of RAM and 4vCPU.
  • EVAU: up to 64 GB of RAM and 16vCPU.

Whenever the amount of memory allocated to an EVA is modified, a system event is generated and an entry is written to the system log file (l_system file) to inform the administrator of the resulting change in model and license.

Do note that in a factory configuration (new installation or reset to factory settings using the command defaultconfig), EVAs have two routed network interfaces (not together in a bridge). Furthermore, both of these interfaces are configured in DHCP by default.

For further information on how to install an EVA firewall or on upgrading a V / VS-VU model to an EVA model, refer to the EVA - Installation guide.

Virtual firewalls in the V and VS-VU ranges support only 3.8.x versions, with a view to upgrading to the EVA range.

Instantiation of virtual machines

The creation of virtual machines can be automated using a disk image that is read the first time the virtual firewall starts.

This disk image contains at least one "user-data" file that includes the super-user's password (admin account) and the name of the host that needs to be assigned to the firewall. The image may also include a shell script (named script.sh) or an nsrpc script (named script.nsrpc) in order to add extra automatic configuration parameters (adding filter rules, etc.).

Hardware

Stormshield Network SN710, SN910, SN2000 and SN3000

These firewall models support cards for 4 copper 10 Gigabit Ethernet ports (only in automatic media detection mode).

Intrusion prevention

The mechanism that detects and blocks SYN Flood attacks targeting hosts in the internal network can be extended to protect the firewall's own internal services. In this case, the firewall generates specific logs that record denial-of-service attempts made through such attacks.

To enable this additional protection, the implicit rules that allow access to the firewall's internal services must be disabled and replaced with equivalent explicit rules.

For more explanations on how to implement this protection, please refer to the relevant article in the Stormshield Knowledge Base.

SSL protocol

An additional action is available for the configuration of the SSL protocol analysis (Application protection > Protocols > SSL > Proxy tab): Delegate to user.

This action forces the client's browser to present a security alarm in order to inform the user of any potential risks. Users bear the responsibility of disregarding the alarm if they wish to access the requested website anyway.

In such cases, the administrator will be informed when an alarm is raised and a specific entry is written in the alarm log file (l_alarm).

The technical note Configuring HTTPS filtering was updated to include the description of this new operating mode.

NTP

The analysis for this protocol has been extended. The NTP protocol configuration module now makes it possible to either analyze or block one or several versions of NTP (v1, v2, v3 and v4). For each version of the protocol analyzed, a dedicated tab offers the possibility of allowing or blocking specific NTP commands.

Protocol whitelist

A whitelist of protocols that do not need to be analyzed by the intrusion prevention engine has been added. This list can only be configured from the command line (System > CLI console module) using the following command:

CONFIG PROTOCOL IP COMMON IPS CONFIG UnanalyzedIpProto="list_of_protocol_numbers"

The protocol numbers are available on the IANA website (Internet Assigned Numbers Authority).

Do note that this list contains VRRP (112) and SCTP (132) protocols by default. To show the contents of the list, use the command:

CONFIG PROTOCOL IP COMMON SHOW

For more information on the syntax of these commands, please refer to the CLI SERVERD Commands Reference Guide.
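The following added example (not Stormshield code) assembles the UnanalyzedIpProto value from protocol names or numbers, rejects values outside the IANA range, and refuses to whitelist the protocols the intrusion prevention engine is there to inspect, since a whitelisted protocol is no longer analyzed at all. The comma separator inside the quoted value and the refusal set are assumptions of the example; the command keyword sequence is the one documented above.

```python
# Added example (not Stormshield code): assemble the UnanalyzedIpProto
# whitelist from protocol names or numbers and sanity-check it before
# pasting the command into the CLI console. The comma separator and the
# refusal set are assumptions of this example.
from typing import Iterable, List, Union

# Small subset of the IANA "Assigned Internet Protocol Numbers" registry.
IANA_PROTOCOLS = {
    "ICMP": 1, "IGMP": 2, "TCP": 6, "UDP": 17, "IPV6": 41, "GRE": 47,
    "ESP": 50, "AH": 51, "ICMPV6": 58, "OSPF": 89, "VRRP": 112, "SCTP": 132,
}

# Factory default of the whitelist, as stated in the release notes.
DEFAULT_WHITELIST = [112, 132]

# Whitelisting a protocol removes it from intrusion prevention entirely, so
# this example refuses the protocols that carry the traffic the engine is
# there to inspect (an assumption of this example, not a product rule).
NEVER_WHITELIST = {1, 6, 17, 58}


def normalize(entries: Iterable[Union[int, str]]) -> List[int]:
    """Turn a mix of names and numbers into sorted, unique protocol numbers."""
    numbers = set()
    for entry in entries:
        if isinstance(entry, int):
            number = entry
        else:
            text = str(entry).strip()
            if text.isdigit():
                number = int(text)
            elif text.upper() in IANA_PROTOCOLS:
                number = IANA_PROTOCOLS[text.upper()]
            else:
                raise ValueError(f"unknown protocol: {entry!r}")
        if not 0 <= number <= 255:
            raise ValueError(f"protocol number out of range: {number}")
        numbers.add(number)
    return sorted(numbers)


def risky_entries(numbers: Iterable[int]) -> List[int]:
    """Protocol numbers whose whitelisting would blind the IPS engine."""
    return sorted(set(numbers) & NEVER_WHITELIST)


def build_command(entries: Iterable[Union[int, str]]) -> str:
    """Return the SNS CLI command that sets the whitelist, or raise."""
    numbers = normalize(entries)
    risky = risky_entries(numbers)
    if risky:
        raise ValueError(f"refusing to whitelist inspected protocols: {risky}")
    joined = ",".join(str(n) for n in numbers)
    return f'CONFIG PROTOCOL IP COMMON IPS CONFIG UnanalyzedIpProto="{joined}"'


if __name__ == "__main__":
    # Keep the factory defaults and add OSPF for a router-facing interface.
    print(build_command(DEFAULT_WHITELIST + ["ospf"]))
```

Running the script prints the command for the default list extended with OSPF (89); passing "tcp" or "udp" raises instead of producing a command that would exempt all TCP or UDP traffic from analysis.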

Network

MAC address management has been changed in version 3.8.0 in order to fix issues encountered when certain advanced interface configurations are applied.

As such, Stormshield now applies stricter use of promiscuous mode.

These changes may affect the behavior of the following configurations:

  • Ethernet interface with at least one VLAN on which the MAC address has been forced [1],
  • Disabled Ethernet interface with one or several VLAN(s),
  • Ethernet interface with one or several VLANs included in a bridge,
  • HA interface with one or several VLANs.

[1] High availability forces MAC addresses on one of the members of the cluster.

If any of these configurations concerns you, check that all your network devices use your firewall's real MAC address.

For further information, please refer to this article in the Stormshield Knowledge Base.
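As an added example (not Stormshield code) of the check recommended above, the script below parses neighbour-table output from a Linux host and reports every entry that resolves one of the firewall's IP addresses to a MAC address other than the firewall's real one. The sample output, the addresses and the expected MAC are constructed placeholders; the line format is that of ip neigh show on Linux.

```python
# Added example (not Stormshield code): find neighbour-table entries that map
# the firewall's IP addresses to a MAC address other than its real one, for
# instance a stale entry left over from a previously forced MAC address.
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of `ip neigh show` output; addresses are placeholders.
# The third line is a stale entry on a VLAN sub-interface that still points
# at a different (constructed) MAC address than the firewall's real one.
SAMPLE_NEIGH = """\
192.0.2.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.0.2.20 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.0.2.1 dev eth0.100 lladdr 02:00:00:00:00:01 STALE
192.0.2.30 dev eth0 FAILED
"""

# Entries without a link-layer address (FAILED / INCOMPLETE) do not match.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>[0-9a-fA-F:]{17})(?P<rest>.*)$"
)


def parse_neigh(text: str) -> List[Dict[str, str]]:
    """Return one dict per resolved neighbour: ip, dev, mac (lowercase), state."""
    entries = []
    for line in text.splitlines():
        match = NEIGH_RE.match(line.strip())
        if not match:
            continue
        rest = match.group("rest").split()
        entries.append({
            "ip": match.group("ip"),
            "dev": match.group("dev"),
            "mac": match.group("mac").lower(),
            "state": rest[-1] if rest else "",
        })
    return entries


def mismatched_neighbours(text: str, firewall_ips: Iterable[str],
                          real_mac: str) -> List[Tuple[str, str, str]]:
    """(device, ip, mac) for firewall addresses not resolving to real_mac."""
    real = real_mac.lower()
    watched = set(firewall_ips)
    return [
        (e["dev"], e["ip"], e["mac"])
        for e in parse_neigh(text)
        if e["ip"] in watched and e["mac"] != real
    ]


if __name__ == "__main__":
    for dev, ip, mac in mismatched_neighbours(SAMPLE_NEIGH, ["192.0.2.1"],
                                             "00:11:22:33:44:55"):
        print(f"{dev}: {ip} resolves to {mac}, expected the firewall's real MAC")
```

On a real host, replace SAMPLE_NEIGH with the captured output of ip neigh show and pass the firewall's addresses and real MAC; an empty result means every cached entry already uses the real address.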

System

Trusted certification authorities

The number of built-in root certification authorities on firewalls has been significantly increased. The size of the /var partition on SN210(W), SN310, SN510, SN710 and SNi40 models has therefore been increased as a result.

IPsec VPN

From version 3.8.0 onwards, mobile IPsec policies containing several peers can be built as long as they use the same IKE encryption profile.

In certificate-based authentication, the certificates of the various peers must be issued by the same CA.

IPsec VPN - IKEv2

Support for the OCSP protocol has been introduced in version 3.8.0, to verify certificates used in setting up IKEv2 tunnels.

IPsec VPN (IKEv2 and IKEv1 + IKEv2)

Mobile users (anonymous peers) can simultaneously set up several IPsec tunnels with a firewall by authenticating on different domains (directories). User groups can also be specified on these domains (optional).

A mobile user can therefore simultaneously set up a tunnel to a specific network as a member of the Administrators group on the domain Domain1.org, and a tunnel to a particular host as a member of the Users group on the domain Domain2.org.

Maintenance

Initialized virtual machines in the V, VS and VU ranges allow the installation of a new initialization pack so that they can be upgraded to virtual machines in the EVA range.

SSL VPN

The level of security implemented during the negotiation and use of SSL VPN tunnels has been raised:

  • Stronger authentication and encryption algorithms:
    • SHA256,
    • ECDHE-RSA-AES128-SHA256,
    • AES-256-CBC (except on SN160(W), SN210(W) and SN310 firewalls, which continue to use AES-128-CBC).
  • LZ4-based data compression (can be enabled or disabled),
  • Strict verification of certificates presented by the server (certificate name and "server" certificates).

If you are not using the Stormshield VPN SSL client, you must:

  • Work with OpenVPN clients in a recent version (2.4.x) or OpenVPN Connect (smartphones and tablets),
  • Download the configuration of the client again from the captive portal of the firewall that hosts the SSL VPN.
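The following added example (not Stormshield code) lints an OpenVPN 2.4 client profile for the settings listed above before it is deployed. Mapping the release-note items to OpenVPN directives is an assumption of this example: the "server" certificate check corresponds to remote-cert-tls server, the certificate name check to verify-x509-name, SHA256 to auth SHA256, AES-256-CBC (or AES-128-CBC on the smaller models) to the cipher directive, and LZ4 compression to compress lz4 rather than the older comp-lzo. The two sample profiles and the hostname in them are constructed.

```python
# Added example (not Stormshield code): check that an OpenVPN 2.4 client
# profile enforces the server checks and algorithms listed in the release
# notes. The directive mapping is an assumption of this example.
import re
from typing import Dict, List, Sequence

# Constructed profile that applies every check (placeholder hostname).
STRICT_PROFILE = """\
client
dev tun
remote vpn.example.invalid 1194 udp
remote-cert-tls server
verify-x509-name vpn.example.invalid name
auth SHA256
cipher AES-256-CBC
compress lz4
"""

# Constructed profile in the style of an older client configuration:
# no server certificate checks, weaker algorithms, legacy compression.
LAX_PROFILE = """\
client
dev tun
remote vpn.example.invalid 1194 udp
auth SHA1
cipher BF-CBC
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
"""


def parse_profile(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the argument lists it appears with.

    Comment lines and inline <ca>/<cert>/<key> blocks are skipped so that
    PEM content is never mistaken for directives.
    """
    directives: Dict[str, List[List[str]]] = {}
    inline_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_block:
            if line == f"</{inline_block}>":
                inline_block = None
            continue
        if not line or line[0] in "#;":
            continue
        opening = re.fullmatch(r"<([a-z-]+)>", line)
        if opening:
            inline_block = opening.group(1)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def lint_profile(text: str,
                 allowed_ciphers: Sequence[str] = ("AES-256-CBC", "AES-128-CBC")
                 ) -> List[str]:
    """Return finding codes; an empty list means the profile passes."""
    directives = parse_profile(text)
    findings = []
    if ["server"] not in directives.get("remote-cert-tls", []):
        findings.append("no-remote-cert-tls")
    if "verify-x509-name" not in directives:
        findings.append("no-verify-x509-name")
    auth = [a.upper() for a in directives.get("auth", [[]])[-1][:1]]
    if auth != ["SHA256"]:
        findings.append("weak-auth")
    cipher = [c.upper() for c in directives.get("cipher", [[]])[-1][:1]]
    if cipher not in [[c.upper()] for c in allowed_ciphers]:
        findings.append("weak-cipher")
    if "comp-lzo" in directives:
        findings.append("legacy-compression")
    return findings


if __name__ == "__main__":
    for name, profile in (("strict", STRICT_PROFILE), ("lax", LAX_PROFILE)):
        print(name, lint_profile(profile) or "OK")
```

Run it against the profile re-downloaded from the captive portal; a non-empty list of findings means the client would still connect without the stricter server verification the new firmware expects.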

LCD display

On firewalls that have LCD screens on their front panels (SN910 and SN6000), the system command (System > CLI console module) CONFIG LCD state=on/off makes it possible to enable or disable the display of information on the LCD screen.

Stormshield Management Center

After the installation of the connecting package, the addresses for connecting to SMC servers can be managed through the following system commands (System > CLI console module):

config fwadmin contact add | remove | list

For more information on these commands, please refer to the CLI SERVERD Commands Reference Guide.

Logs (Audit logs) - IPsec VPN

The name assigned to an IPsec rule is displayed in the IPsec VPN log file (l_vpn file) for better readability. If no name has been assigned to a rule, it will be identified in the log file by an MD5 hash made up of the various components of the rule (local network, remote network, peer, etc.).

Reminder: the name of an IPsec rule can only be defined in command line (System > CLI console module) with the following commands:

  • CONFIG IPSEC POLICY GATEWAY add,
  • CONFIG IPSEC POLICY GATEWAY update,
  • CONFIG IPSEC POLICY MOBILE add,
  • CONFIG IPSEC POLICY MOBILE update.

For more information on the syntax of these commands, please refer to the CLI SERVERD Commands Reference Guide.

Logs (Audit logs) - System events

Two events have been created to track SSH connections to the firewall: one event for successful connections and another for failed connections. These events can be seen in the system event log (l_system file).

Proxies

The firewall's proxy supports the HTTP PATCH method described in the RFC 5789.

Web administration interface

Right-click pop-up menu

The actions displayed in the toolbar can also be accessed by right-clicking in modules that display data grids:

  • System: Administrators,
  • Network: Virtual interfaces, Routing, Multicast routing and DHCP,
  • Objects: Network objects,
  • Users: Users, Access privileges and Authentication,
  • Security policy: Filter - NAT, URL filtering, SSL filtering and SMTP filtering,
  • Application protection: Host reputation (Hosts tab) and Antispam,
  • Notifications: Monitoring configuration.

Filter - NAT

A Protocol column has been added to the NAT tab to facilitate the definition of address translation rules on a full protocol.

Logs - Syslog - IPFIX (Local storage tab)

The field Action required if storage device is saturated is no longer available.
If a storage device is full, the most recent logs automatically erase the oldest logs.

Logs (Audit logs)

A "Yesterday" time range has been added to the search criteria in the Views and Logs modules.

Logs (Audit logs) - Alarms

A pop-up menu (right-click) has been added to alarm logs (Captured packet column) to enable the export of the captured network packet in pcap format.

Do note that to start capturing packets, the checkbox Capture the packet that raised the alarm must be selected in the configuration of the alarm in question (Application protection > Applications and protections module > Advanced column > click on Configure).

Logs (Audit logs) - Alarms - Vulnerabilities

A pop-up menu (right-click) has been added to alarm and vulnerability logs in order to display online help for the selected alarm or vulnerability.

Logs (Audit logs) and Monitoring

A tooltip showing additional information appears when the user scrolls over a host or a port:

  • Host: Name, IP address, Operating system, Number of vulnerabilities detected, Reputation score, Bytes received, Bytes sent, Incoming throughput, Outgoing throughput, Input interface and MAC address.
  • Port: Name, Port number or Port range, Protocol and Comments (if any).

Dashboard

For EVA models, information regarding the amount of memory currently used and the maximum amount of memory that can be used (if the amount of memory allocated to the virtual machine has been increased) has been added to the Properties widget in the Dashboard.