Explanations on usage
Support reference 57403
In order to ensure a firewall's connectivity with a 4G USB modem, HUAWEI equipment that supports the HiLink function needs to be used (example: E8372H-153).
Spanning Tree protocols (RSTP / MSTP)
Stormshield Network firewalls do not support multi-region MSTP configurations. A firewall implementing an MSTP configuration and interconnecting several MSTP regions may therefore malfunction when managing its own region.
If MSTP has been enabled on a firewall and it is unable to communicate with equipment that does not support this protocol, it would not automatically switch to RSTP.
In order for RSTP and MSTP to function, the interfaces on which they are applied must have an Ethernet layer. As a result:
- MSTP does not support PPTP/PPPoE modems,
- RSTP supports neither VLANs nor PPTP/PPPoE modems.
On SN160(W) and SN210(W) firewall models, the presence of unmanaged switches would cause the status of the firewall's network interfaces to stay permanently "up", even when they are not physically connected to the network.
The firewall's interfaces (VLANs, PPTP interfaces, aggregated interfaces [LACP], etc.) are now grouped together in a common pool for all configuration modules. When an interface previously used in a module is released, it becomes reusable for other modules only after the firewall is rebooted.
Deleting a VLAN interface will change the order of such interfaces the next time the firewall starts. If such interfaces are listed in the dynamic routing configuration or monitored via SNMP MIB-II, this behavior would cause a lag and may potentially cause the service to shut down. You are therefore strongly advised to disable any unused VLAN interfaces instead of deleting them.
The possibility of adding WiFi interfaces in a bridge is currently in experimental mode and cannot be done via the graphical interface.
On SN160(W) models, configurations that contain several VLANs included in a bridge will not be supported.
Configurations with a bridge that includes several unprotected interfaces and a static route leaving one of such interfaces (other than the first) are not supported.
Bird dynamic routing
Since the Bird dynamic routing engine has been upgraded to version 1.6, the "setkey no" option must be used in configurations that implement BGP with authentication. For further information on Bird configuration, please refer to the Bird Dynamic Routing Technical Note.
When a Bird configuration file is edited from the web administration interface, the "Apply" action will send this configuration to the firewall. If there are syntax errors, a warning message indicating the row numbers containing errors will inform the user of the need to correct the configuration.
However, if a configuration containing errors is sent to the firewall, it will be applied the next time the Bird service or the firewall is restarted.
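As an added illustration (not taken from the Stormshield documentation or the technical note), the following Bird 1.6 fragment shows where the "setkey no" option sits in an authenticated BGP protocol block; the router ID, AS numbers, neighbor address and password are placeholders.

```bird
# Added example, not part of the original page: minimal Bird 1.6 configuration
# with one BGP session using TCP MD5 authentication. All values are placeholders.
router id 192.0.2.1;

protocol kernel {
    export all;          # push routes learned by Bird into the firewall's routing table
}

protocol device {
}

protocol bgp upstream {
    local as 64512;                 # placeholder local AS number
    neighbor 192.0.2.2 as 64513;    # placeholder peer address and AS number
    password "replace-me";          # enables TCP MD5 authentication for the session
    setkey no;                      # required on the firewall: Bird must not manage
                                    # the TCP MD5 security associations itself
    import all;
    export all;
}
```

If the file is pasted into the web administration interface with a syntax error, the row numbers reported by the "Apply" action refer to this file's own line numbering.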
After the OpenVPN upgrade to version 2.4.4:
- IP address ranges that extend beyond a Class B network (mask /16) must no longer be used.
- Certain TLS algorithms are no longer available.
If your configurations are affected by these restrictions, SSL VPN tunnels can no longer be set up. Error messages will appear to help you correct your configuration.
There are several restrictions when IKEv1 and IKEv2 peers are used in the same IPSec policy:
- "Aggressive" negotiation mode is not allowed for IKEv1 peers using pre-shared key authentication. An error message appears when there is an attempt to enable the IPSec policy.
- The hybrid authentication method does not function for IKEv1 mobile peers.
- Backup peers are ignored. A warning message appears when the IPSec policy is enabled.
- The authentication algorithm "non_auth" is not supported for IKEv1 peers. In such cases, the IPSec policy cannot be enabled.
- In configurations that implement NAT-T (NAT-Traversal - transporting the IPSec protocol through a network that performs dynamic address translation), the translated IP address must be defined as the ID of a peer that uses pre-shared key authentication and for which a local ID in the form of an IP address had been forced.
Data decryption is distributed per IPSec peer. On multi-processor firewalls, this process is therefore optimized whenever the number of peers is at least equal to the number of the appliance's processors.
A Certificate Revocation List (CRL) is not required. Even if no CRL is found for the certificate authority (CA), negotiation will be authorized.
Support reference 37332
DPD (Dead Peer Detection)
The VPN feature DPD (Dead Peer Detection) allows checking whether a peer is still up by sending pings.
If a firewall is the responder in an IPSec negotiation in main mode, and DPD has been set to "inactive", this parameter will be forced to "passive" in order to respond to the peer's DPD queries. During this IPSec negotiation, DPD will be negotiated even before the peer has been identified, and therefore before even knowing whether DPD queries can be ignored for this peer.
This parameter has not been modified in aggressive mode, as in this case DPD would be negotiated when the peer has already been identified, or when the firewall is the initiator of the negotiation.
For site-to-site IPSec tunnels, the additional keepalive option that allows artificially keeping these tunnels up cannot be used with traffic endpoints with IPv6 addresses. In cases where traffic endpoints are dual stack (both IPv4 and IPv6 addresses are used), only IPv4 traffic will benefit from this feature.
IPSec VPN IKEv2
The EAP (Extensible Authentication Protocol) protocol cannot be used for the authentication of IPSec peers using the IKEv2 protocol.
In a configuration that implements an IPSec tunnel based on IKEv2 and address translation, the identifier that the source machine presents to the remote peer in order to set up the tunnel corresponds to its real IP address instead of its translated IP address. You are therefore advised to force the settings of the local identifier to be presented (Local ID field in the definition of an IKEv2 IPSec peer) using the translated address (if it is static) or an FQDN from the source firewall.
A backup configuration cannot be defined for IPSec peers using IKEv2. In order to implement a redundant IKEv2 IPSec configuration, you are advised to use virtual IPSec interfaces and router objects in filter rules (PBR).
In version 2, the following are the main features that are unavailable for IPv6 traffic:
- IPv6 address translation (NATv6),
- Application inspections (Antivirus, Antispam, HTTP cache, URL filtering, SMTP filtering, FTP filtering and SSL filtering),
- Use of the explicit proxy,
- DNS cache,
- SSL VPN portal tunnels,
- SSL VPN tunnels,
- Radius or Kerberos authentication,
- Vulnerability management,
- Modem interfaces (especially PPPoE modems).
In cases where the firewall is in high availability and IPv6 has been enabled on it, the MAC addresses of interfaces using IPv6 (other than those in the HA link) must be defined in the advanced properties. Since IPv6 link-local addresses are derived from the MAC address, these addresses will otherwise differ between the two firewalls, causing routing problems in the event of a switchover.
Support reference 51251
Whenever the firewall receives DHCP INFORM requests from a Microsoft client, it will send its own primary DNS server to the client together with the secondary DNS server configured in the DHCP service. You are advised to disable the Web Proxy Auto-Discovery Protocol (WPAD) on Microsoft clients in order to avoid such requests.
Upgrading to a major firmware release will cause the reinitialization of preferences in the web administration interface (e.g.: customized filters).
Updates to a lower version
Firewalls sold with version 3 firmware are not compatible with older major versions.
Backtracking to a major firmware version older than the firewall's current version would require a prior reset of the firewall to its factory settings (defaultconfig). For example, this operation would be necessary in order to migrate a firewall from a 3.0.1 version to a 2.x version.
Support reference 3120
The NTP client on firewalls only supports synchronization with servers using version 4 of the protocol.
If a configuration backup has been performed on a firewall whose system version is higher than the current version, it will be impossible to restore this configuration. For example, a configuration backed up in 3.0.0 cannot be restored if the firewall's current version is 2.5.1.
Network objects with automatic (dynamic) DNS resolution, for which the DNS server offers round-robin load balancing, cause the configuration of modules to be reloaded only when the current address is no longer found in responses.
DNS (FQDN) name objects
DNS name objects cannot be members of object groups.
Filter rules can only be applied to a single DNS name object. A second FQDN object or any other type of network object cannot be added as such.
DNS name objects (FQDN) cannot be used in a list of objects. Do note that no warnings will be displayed when such configurations are created.
When a DNS server is not available, the DNS name object will only contain the IPv4 and/or IPv6 address entered when it was created.
If a large number of DNS servers is entered on the firewall, or if new IP addresses relating to DNS name objects are added to the DNS server(s), several requests from the firewall may be required in order to learn all of the IP addresses associated with the object (requests at 5-minute intervals).
If the DNS servers entered on client workstations and on the firewall differ, the IP addresses received for a DNS name object may not be the same. This may cause, for example, anomalies in filtering if the DNS object is used in the filter policy.
When a filter rule uses load balancing (use of a router object), the destination interface listed in the filter logs may not necessarily be correct. Since filter logs are written as soon as a network packet matches the criteria of a rule, the outgoing interface will not yet be known. As such, the main gateway is systematically reported in filter logs instead.
Quality of Service
Network traffic to which Quality of Service (QoS) queues have been applied will not fully benefit from enhancements made to the performance of the "fastpath" mode.
The "Activate heuristic analysis" option is not supported on SN160(W), SN210(W) and SN310 models.
Events sent via the IPFIX protocol do not include either the proxy's connections or traffic sent by the firewall itself (e.g.: ESP traffic for the operation of IPSec tunnels).
Reports are generated based on logs recorded by the firewall, which are written when connections end. As a result, connections that are always active (e.g.: IPSec tunnel with translation) will not be displayed in the statistics shown in activity reports.
Logs are generated by different firewall components depending on the type of traffic, and these components may not necessarily name objects the same way (srcname and dstname). In order to prevent multiple representations of the same object in reports, you are advised to give objects created in the firewall's database the same name as the one given through DNS resolution.
GRE protocol and IPSec tunnels
The decryption of GRE traffic encapsulated in an IPSec tunnel would wrongly generate the alarm "IP address spoofing on the IPSec interface". The action Pass must therefore be configured for this alarm in order for this type of configuration to function.
Rewritten HTML code is not compatible with all web services (apt-get, Active Update) because the "Content-Length" HTTP header has been deleted.
NAT is not supported on instant messaging protocols.
Support reference 35960
Keep initial routing
The option that allows keeping the initial routing on an interface is not compatible with the features for which the intrusion prevention engine needs to create packets:
- reinitialization of connections when a block alarm is detected (RESET packet sent),
- SYN Proxy protection,
- protocol detection by plugins (filter rules without any protocol specified),
- rewriting of data by certain plugins such as web 2.0, FTP with NAT, SIP with NAT and SMTP protections.
Support reference 29286
The GRE protocol's state is managed based on source and destination addresses. As such, two simultaneous connections with the same server cannot be distinguished, either from the same client or sharing a common source address (in the case of "map").
Support for address translation operations on the H323 protocol is basic, notably because it does not support NAT bypasses by gatekeepers (announcement of an address other than the connection's source or destination).
Support reference 35328
If the "Keep original source IP address" option has been enabled on the FTP proxy, reloading the filter policy would disrupt ongoing FTP transfers (uploads or downloads).
Filter rules that specify an out interface included in a bridge without being the first interface of such a bridge will not be applied.
Network objects may be allowed to use multi-user authentication (several users authenticated on the same IP address) by entering the object in the list of multi-user objects (Authentication > Authentication policy).
Filter rules with a 'user@object' source (except 'any' or 'unknown@object'), with a protocol other than HTTP, do not apply to this object category. This behavior is inherent in the packet processing mechanism that the intrusion prevention engine runs. The message warning the administrator of this restriction is as follows: "This rule cannot identify a user logged on to a multi-user object."
Geolocation and public IP address reputation
Whenever a filter rule specifies geolocation conditions and public address reputation, both of these conditions must be met in order for the rule to apply.
If IP addresses of hosts are distributed via a DHCP server, the reputation of a host whose address may have been used by another host will be assigned to both hosts. In this case, the host's reputation may be reinitialized using the command monitor flush hostrep ip = host_ip_address.
Support reference 31715
Authenticated users cannot be filtered within the same URL filter policy. However, particular filter rules may be applied (application inspection) according to users.
Captive portal - Logout page
The captive portal logout page only works with authentication methods based on passwords.
The SSO agent authentication method is based on authentication events collected by Windows domain controllers. Since these events do not indicate the source of the traffic, interfaces cannot be specified in the authentication policy.
Support reference 47378
The SSO agent does not support user names containing the following special characters: " <tab> & ~ | = * < > ! ( ) \ $ % ? ' ` @ <space>. As such, the firewall will not receive connection and disconnection notifications relating to such users.
Multiple Microsoft Active Directory domains
In the context of multiple Microsoft Active Directory domains linked by a trust relationship, an Active Directory and an SSO agent need to be defined in the firewall's configuration for each of these domains.
SPNEGO and Kerberos cannot be used on several Active Directory domains.
The IPSec Phase 1 negotiation is incompatible with multiple Microsoft Active Directories for the authentication of mobile clients.
The IKEv1 protocol requires extended authentication (XAUTH).
External LDAP directory - Microsoft Active Directory
Users do not appear in the member list of their primary group.
This behaviour is due to Microsoft Active Directory: the memberOf attribute of a user does not include the user's primary group, and the user is likewise absent from the member attribute of that primary group.
As Stormshield firewalls use the member attribute to obtain the member list of a group, users do not appear in the list of members of their primary group.
Users that have been defined as administrators on the firewall must originate from the default directory.
Users can only authenticate on the default directory via SSL certificate and Radius.
Multi-user authentication on the same machine in cookie mode does not support the CONNECT method (HTTP). This method is generally used with an explicit proxy for HTTPS connections. For this type of authentication, you are advised to use "transparent" mode. For further information, please refer to our online help at documentation.stormshield.eu, under the section "Authentication".
Conditions of use
The Internet access conditions of use may not display correctly on the captive portal in Internet Explorer 9 when Internet Explorer 7 compatibility mode is enabled.
The management of multiple LDAP directories requires authentication that specifies the authentication domain: user@domain.
The <space> character is not supported in user logins.
Users may only log off from an authentication using the same method used during authentication. For example, a user authenticated with the SSO agent method will not be able to log off via the authentication portal as the user would need to provide a cookie to log off, which does not exist in this case.
Whenever a temporary account is created, the firewall will automatically generate an 8-character long password. If there are global password policies that impose passwords longer than 8 characters, the creation of a temporary account would then generate an error and the account cannot be used for authentication.
In order to use temporary accounts, you will therefore need a password policy restricted to a maximum of 8 characters.
HA interaction in bridge mode and switches
In a firewall cluster configured in bridge mode, the average duration of a traffic switch was observed to be around 10 seconds. This duration is related to the switchover time of 1 second, in addition to the time that switches connected directly to the firewalls take to learn MAC addresses.
A session routed by the filter policy may be lost when a cluster is switched over.
High availability based on a cluster of firewalls of differing models is not supported. Moreover, clusters in which one firewall uses 32-bit firmware and the other uses 64-bit firmware are not allowed.
VLAN in an aggregate and HA link
Support reference 59620
VLANs belonging to an aggregate (LACP) cannot be selected as high availability links. This configuration would prevent the high availability mechanism from running on this link — the MAC address assigned to this VLAN on each firewall will therefore be 00:00:00:00:00:00.
Support reference 28665
The application inventory carried out by the Vulnerability manager is based on the IP address of the machine initiating the traffic in order to index applications.
Machines with an IP address shared among several users (for example an HTTP proxy, a TSE server or a router that dynamically translates the source address) may greatly increase the load on the module. You are therefore advised to place the addresses of these machines in an exclusion list (unsupervised elements).
Stormshield Network administration suite
SN Real-Time Monitor
File transfer commands (sending and receiving) from the CLI console in SN Real-Time Monitor no longer function in 2.x and higher versions.
Support reference 28665
The CLI command MONITOR FLUSH SA ALL was initially meant to disable ongoing IPSec tunnels by deleting their SAs (security associations). However, as Bird dynamic routing also uses this type of security association (SA), this command would degrade the Bird configuration, preventing any connections from being set up. This issue also arises with the "Reinitialize all tunnels" function, offered in the Real-Time Monitor interface.
The Bird service must be restarted in order to resolve this issue.
SN Event Reporter
SN Event Reporter is no longer included in the administration suite from version 3 upwards, and connections from SN Event Reporter to firewalls in version 3 and up will not be supported.