Explanations on usage

IPsec VPN

IPsec VPN IKEv2

  • Whenever an IPsec IKEv2 tunnel set up with a mobile peer in config mode is abruptly shut down by the remote client, the IP address that is assigned to it remains locked and unavailable. This behavior can now be changed by modifying the UniqueIDs parameter in the configuration file ~/ConfigFiles/VPN/0x (where x represents the number of the IPsec policy).

    For example, to allow users to recover their previous IP addresses, add the parameter UniqueIDs=no in the section of the peer in question, then reload the configuration of the VPN policy by using the CLI/SSH command envpn -u (this will shut down tunnels in progress).

  • The EAP (Extensible Authentication Protocol) protocol cannot be used for the authentication of IPsec peers using the IKEv2 protocol.

  • In a configuration that implements an IPsec tunnel based on IKEv2 and address translation, the identifier that the source machine presents to the remote peer in order to set up the tunnel corresponds to its real IP address instead of its translated IP address. You are therefore advised to force the settings of the local identifier to be presented (Local ID field in the definition of an IKEv2 IPsec peer) using the translated address (if it is static) or an FQDN from the source firewall.

  • A backup configuration cannot be defined for IPsec peers using IKEv2. In order to implement a redundant IKEv2 IPsec configuration, you are advised to use virtual IPsec interfaces and router objects in filter rules (PBR).

Interruption of phase 2 negotiations

The Charon IPsec management engine, used in IKEv1 policies, may interrupt all tunnels with the same peer if a single phase 2 negotiation fails. This occurs when the peer does not send notifications following a failed negotiation due to a difference in traffic endpoints.

The behavior of the Racoon IPsec management engine was modified in version 3.11.1 so that this issue no longer occurs in Racoon <=> Charon tunnels. However, you may still encounter this issue when the Charon IPsec management engine negotiates with an appliance that does not send failure notifications.

Obsolete use of backup peers

The use of backup peers (designated as the “Backup configuration”) is obsolete and will be phased out in a future version of SNS. A warning message now appears to encourage administrators to modify their configurations.

For this configuration, use virtual IPsec interfaces instead, with router objects or dynamic routing.

IPsec - Mixed IKEv1 / IKEv2 policy

There are several restrictions when IKEv1 and IKEv2 peers are used in the same IPsec policy:

  • "Aggressive" negotiation mode is not allowed for IKEv1 peers using pre-shared key authentication. An error message appears when there is an attempt to enable the IPsec policy.
  • The hybrid authentication method does not function for IKEv1 mobile peers.
  • Backup peers are ignored. A warning message appears when the IPsec policy is enabled.
  • The "non_auth" authentication algorithm is not supported for IKEv1 peers. In such cases, the IPsec policy cannot be enabled.
  • In configurations that implement NAT-T (NAT-Traversal - transporting the IPsec protocol through a network that performs dynamic address translation), the translated IP address must be defined as the ID of a peer that uses pre-shared key authentication and for which a local ID in the form of an IP address had been forced.

Decryption

Data decryption is distributed by IPsec peer. On multi-processor firewalls, this process is therefore only fully optimized when the number of peers is at least equal to the number of the appliance's processors.

Support reference 37332

DPD (Dead Peer Detection)

The VPN feature DPD (Dead Peer Detection) makes it possible to check whether a peer is still up by sending ISAKMP messages.

If a firewall is the responder in an IPsec negotiation in main mode, and DPD has been set to "inactive", this parameter will be forced to "passive" in order to respond to the peer's DPD queries. During this IPsec negotiation, DPD will be announced even before the peer is identified, so before even knowing whether DPD queries can be ignored for this peer.

This parameter has not been modified in aggressive mode, as in this case DPD would be negotiated when the peer has already been identified, or when the firewall is the initiator of the negotiation.

PKI

A Certificate Revocation List (CRL) is not required. Even if no CRLs are found for the certification authority (CA), negotiation will be allowed.

Keepalive IPv6

For site-to-site IPsec tunnels, the additional keepalive option that allows artificially keeping these tunnels up cannot be used with traffic endpoints with IPv6 addresses. In cases where traffic endpoints are dual stack (both IPv4 and IPv6 addresses are used), only IPv4 traffic will benefit from this feature.

Mobile policy

In mobile IPsec policies containing several peers and using certificate authentication:

  • Peers must use the same IKE encryption profile,
  • The certificates of the various peers must be issued by the same CA.

Network

4G modems

In order to ensure a firewall's connectivity with a 4G USB modem, HUAWEI equipment in the following list must be used:

  • E3372h-153,

  • E8372h-153.

Other key models may work, but they have not been tested.

Spanning Tree protocols (RSTP / MSTP)

Stormshield Network firewalls do not support multi-region MSTP configurations. A firewall implementing an MSTP configuration and interconnecting several MSTP regions may therefore malfunction when managing its own region.

If MSTP has been enabled on a firewall and it is unable to communicate with equipment that does not support this protocol, it would not automatically switch to RSTP.

In order for RSTP and MSTP to function, the interfaces on which they are applied must have an Ethernet layer. As a result:

  • MSTP does not support PPTP/PPPoE modems,
  • RSTP supports neither VLANs nor PPTP/PPPoE modems.

Interfaces

On SN160(W) and SN210(W) firewall models, the presence of unmanaged switches would cause the status of the firewall's network interfaces to stay permanently "up", even when they are not physically connected to the network.

The firewall's interfaces (VLANs, PPTP interfaces, aggregated interfaces [LACP], etc.) are now grouped together in a common pool for all configuration modules. When an interface previously used in a module is released, it becomes reusable for other modules only after the firewall is rebooted.

Deleting a VLAN interface will change the order of such interfaces the next time the firewall starts. If such interfaces are listed in the dynamic routing configuration or monitored via SNMP MIB-II, this behavior would cause a lag and may potentially cause the service to shut down. You are therefore strongly advised to disable any unused VLAN interfaces instead of deleting them.

The possibility of adding WiFi interfaces in a bridge is currently in experimental mode and cannot be done via the graphical interface. On SN160(W) models, configurations that contain several VLANs included in a bridge will not be supported.

Configurations containing a bridge that includes several unprotected interfaces, and a static route leaving one of such interfaces (other than the first), are not supported.

Bird dynamic routing

Since the Bird dynamic routing engine has been upgraded to version 1.6, the "setkey no" option must be used in configurations that implement BGP with authentication. For further information on Bird configuration, refer to the Bird Dynamic Routing Technical Note.

When a Bird configuration file is edited from the web administration interface, the "Apply" action will send this configuration to the firewall. If there are syntax errors, a warning message indicating the row numbers containing errors will inform the user of the need to correct the configuration.

However, if a configuration containing errors is sent to the firewall, it will be applied the next time the Bird service or the firewall is restarted.

System

Support reference 80692

Access to configuration modules

After a firewall is updated, some configuration modules may become inaccessible and an error would occur if major changes were made to the display preferences of modules (e.g. displayed columns or their order) or if a display preference no longer exists in the new version.

To restore access to the configuration modules in question, the default settings of the user preferences must be restored in the Preferences module.

Support reference 78677

Cookies generated for multi-user authentication

After a new security policy is implemented on mainstream web browsers, multi-user authentication on SNS no longer functions when users visit unsecured websites via HTTP.

When this occurs, an error message or a warning appears, depending on the web browser used, and is due to the fact that the authentication cookies on the proxy cannot use the "Secure" attribute together with the “SameSite” attribute in an unsecured HTTP connection.

The web browser must be manually configured to enable browsing on these websites again.
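The cookie-attribute conflict described above, shown with Python's standard-library cookie jar (an added example, not SNS code; the cookie name, value and proxy host are constructed). A cookie carrying "Secure" (required alongside "SameSite=None") is attached to an HTTPS request but withheld from a plain HTTP one, which is why the proxy never sees the session on an unsecured site:

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only calls info()."""

    def __init__(self, set_cookie_value):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_value

    def info(self):
        return self._headers


def cookie_header_for(set_cookie_value, set_url, request_url):
    """Store the cookie as if it arrived in a response to set_url, then return
    the Cookie header the jar attaches to a later request to request_url
    (None when the policy withholds it)."""
    jar = CookieJar()  # DefaultCookiePolicy: Secure cookies go out over https/wss only
    jar.extract_cookies(_Response(set_cookie_value), Request(set_url))
    later = Request(request_url)
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


# Constructed values: a proxy authentication cookie carrying the attributes
# that current browser policy requires together (SameSite=None needs Secure).
SET_COOKIE = "proxy_auth=tok123; Path=/; Secure; SameSite=None"
SET_URL = "https://proxy.example/auth"

if __name__ == "__main__":
    # Same cookie, same host: attached on HTTPS, withheld on plain HTTP.
    print("https:", cookie_header_for(SET_COOKIE, SET_URL, "https://proxy.example/page"))
    print("http: ", cookie_header_for(SET_COOKIE, SET_URL, "http://proxy.example/page"))
```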

Support reference 51251

DHCP server

Whenever the firewall receives INFORM DHCP requests from a Microsoft client, it will send its own primary DNS server to the client together with the secondary DNS server configured in the DHCP service. You are advised to disable the Web Proxy Auto-Discovery Protocol (WPAD) on Microsoft clients in order to avoid such requests.

Migration

Upgrading to a major firmware release will cause the reinitialization of preferences in the web administration interface (e.g.: customized filters).

Updates to a lower version

Firewalls sold with version 3 firmware are not compatible with older major versions.

Backtracking to a major firmware version older than the firewall's current version would require a prior reset of the firewall to its factory settings (defaultconfig). For example, this operation would be necessary in order to migrate a firewall from a 3.0.1 version to a 2.x version.

Support reference 3120

Configuration

The NTP client on firewalls only supports synchronization with servers using version 4 of the protocol.

Restoring backups

Configurations that are backed up on a firewall with a system version higher than the current version cannot be restored. For example, a configuration backed up in 3.0.0 cannot be restored if the firewall's current version is 2.5.1.

Dynamic objects

Network objects with automatic (dynamic) DNS resolution, for which the DNS server offers round-robin load balancing, cause the configuration of modules to be reloaded only when the current address is no longer found in responses.

DNS (FQDN) name objects

DNS name objects cannot be members of object groups.

Filter rules can only be applied to a single DNS name object. A second FQDN object or any other type of network object cannot be added as such.

DNS name objects (FQDN) cannot be used in a NAT rule. Do note that no warnings will be displayed when such configurations are created.

When a DNS server is not available, the DNS name object will only contain the IPv4 and/or IPv6 address entered when it was created.

If a large number of DNS servers is entered on the firewall, or if new IP addresses relating to DNS name objects are added to the DNS server(s), several requests from the firewall may be required in order to learn all of the IP addresses associated with the object (requests at 5-minute intervals).

If the DNS servers entered on client workstations and on the firewall differ, the IP addresses received for a DNS name object may not be the same. This may cause, for example, anomalies in filtering if the DNS object is used in the filter policy.

Filter logs

When a filter rule uses load balancing (use of a router object), the destination interface listed in the filter logs may not necessarily be correct. Since filter logs are written as soon as a network packet matches the criteria of a rule, the outgoing interface will not yet be known. As such, the main gateway is systematically reported in filter logs instead.

Quality of Service

Network traffic to which Quality of Service (QoS) queues have been applied will not fully benefit from enhancements made to the performance of the "fastpath" mode.

Advanced antivirus

The option Activate heuristic analysis is not supported on SN160(W), SN210(W) and SN310 firewall models.

Link aggregation (LACP)

Support reference 76432

Link aggregation (LACP) is not compatible with the 40G SFP+ LM4 network module (reference NA-TRANS-QSFP40-SR).

Certificates and PKI

SCEP

The SCEP implementation on SNS firewalls has the following characteristics and limitations:

  • The **SCEP CertPoll** message, meant to simplify polling requests by sending only the transaction ID, has not been implemented. This request ID is used on the firewall to locate the request that was initially sent and submit it again to the server. This adaptation does not in any way affect the operation of SCEP exchanges.
  • The **GetCACaps** operation, which makes it possible to retrieve the list of SCEP features implemented on the server, is not available. This does not in any way affect the management of certificates through SCEP.
  • The **GetNextCACert** operation, which makes it possible to retrieve the CA's future certificate before the expiration of the current certificate, has not been implemented. The CA's new certificate can in fact be retrieved through the **GetCACert** SCEP operation when the certificate that was being used up until then has expired.
  • The **GetCRL** operation, which retrieves the latest update of the CRL associated with the CA of the SCEP server, has not been implemented. This operation generates unnecessary and excessive activity on the server and the firewall has its own option "Enable regular retrieval of certificate revocation lists (CRL)" (System > Configuration module > General settings tab).
  • The draft specification imposes the restriction of the POST method to only SCEP **PKIOperation** operations. On SNS firewalls, this method is used by default for all requests. However, the GET method can be imposed using the "post=off" option for the various SCEP commands available in command line.
  • The encryption and authentication algorithms used by default on the firewall are 3DES and SHA-1.

SSL VPN

After the OpenVPN upgrade to version 2.4.4:

  • IP address ranges that extend beyond a Class B network (mask /16) must no longer be used.
  • Certain TLS algorithms are no longer available.

If your configurations are affected by these restrictions, SSL VPN tunnels can no longer be set up. Error messages will appear to help you correct your configuration.

IPv6 support

In version 3, the following are the main features that are unavailable for IPv6 traffic:

  • IPv6 traffic through IPsec tunnels based on virtual IPsec interfaces (VTI),
  • IPv6 address translation (NATv6),
  • Application inspections (Antivirus, Antispam, URL filtering, SMTP filtering, FTP filtering and SSL filtering),
  • Use of the explicit proxy,
  • DNS cache,
  • SSL VPN portal tunnels,
  • SSL VPN tunnels,
  • Radius or Kerberos authentication,
  • Vulnerability management,
  • Modem interfaces (especially PPPoE modems).

High availability

In cases where the firewall is in high availability and IPv6 has been enabled on it, the MAC addresses of interfaces using IPv6 (other than those in the HA link) must be defined in the advanced properties. Since IPv6 local link addresses are derived from the MAC address, these addresses will be different, causing routing problems in the event of a switch.
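The derivation behind this requirement, as an added example (not SNS code): a modified EUI-64 link-local address computed from a MAC, assuming the EUI-64 scheme the note describes. The MACs are constructed; the helper shows that two members with different interface MACs end up with different fe80::/64 addresses unless a common MAC is forced:

```python
import ipaddress


def link_local_from_mac(mac):
    """Modified EUI-64 link-local address (RFC 4291, Appendix A) for a MAC.

    The universal/local bit of the first octet is inverted and ff:fe is
    inserted between the OUI and the device part, so any change in the MAC
    changes the resulting fe80::/64 address."""
    octets = [int(part, 16) for part in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("expected a 48-bit MAC such as 00:1a:2b:3c:4d:5e")
    eui64 = [octets[0] ^ 0x02, *octets[1:3], 0xFF, 0xFE, *octets[3:]]
    iid = int.from_bytes(bytes(eui64), "big")
    return str(ipaddress.IPv6Address((0xFE80 << 112) | iid))


def ha_link_local_consistent(active_mac, passive_mac):
    """True when both cluster members derive the same link-local address,
    i.e. when the same MAC has been forced on the interface of each member."""
    return link_local_from_mac(active_mac) == link_local_from_mac(passive_mac)


if __name__ == "__main__":
    # Constructed MACs: factory-assigned (different per appliance) vs. forced.
    print(link_local_from_mac("00:1a:2b:3c:4d:5e"))  # fe80::21a:2bff:fe3c:4d5e
    print(ha_link_local_consistent("00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"))  # False
    print(ha_link_local_consistent("02:00:5e:00:53:01", "02:00:5e:00:53:01"))  # True
```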

Audit logs

Support reference 60085

Sandboxing

After the firewall has been restarted, a "System error Sandboxing license unavailable" alarm will indicate that the sandboxing license is not available. This alarm appears even when you neither have a sandboxing license nor use sandboxing in your filter rules.

Notifications

IPFIX

Events sent via the IPFIX protocol do not include either the proxy's connections or traffic sent by the firewall itself (e.g., ESP traffic for the operation of IPsec tunnels).

Activity reports

Reports are generated based on logs recorded by the firewall, which are written when connections end. As a result, connections that are always active (e.g.: IPsec tunnel with translation) will not be displayed in the statistics shown in activity reports.

Whether logs are generated by the firewall depends on the type of traffic, which may not necessarily name objects the same way (srcname and dstname). In order to prevent multiple representations of the same object in reports, you are advised to give objects created in the firewall's database the same name as the one given through DNS resolution.

Intrusion prevention

GRE protocol and IPsec tunnels

Decrypting GRE traffic encapsulated in an IPsec tunnel would wrongly generate the alarm "IP address spoofing on the IPsec interface". This alarm must therefore be set to Pass for such configurations to function.

HTML analysis

Rewritten HTML code is not compatible with all web services (apt-get, Active Update) because the "Content-Length" HTTP header has been deleted.

Instant messaging

NAT is not supported on instant messaging protocols.

Support reference 35960

Keep initial routing

The option that makes it possible to keep the initial routing on an interface is not compatible with features for which the intrusion prevention engine must create packets:

  • Reinitialization of connections when a block alarm is detected (RESET packet sent),
  • SYN Proxy protection,
  • Protocol detection by plugins (filter rules without any protocol specified),
  • Rewriting of data by certain plugins such as web 2.0, FTP with NAT, SIP with NAT and SMTP.

NAT

Support reference 29286

The GRE protocol's state is managed based on source and destination addresses. As such, two simultaneous connections with the same server cannot be distinguished, either from the same client or sharing a common source address (in the case of "map").

H323 support

Support for address translation operations on the H323 protocol is basic, notably because it does not support NAT bypasses by gatekeepers (announcement of an address other than the connection's source or destination).

Proxies

Support reference 35328

FTP proxy

If the "Keep original source IP address" option has been enabled on the FTP proxy, reloading the filter policy would disrupt ongoing FTP transfers (uploads or downloads).

Filtering

Multi-user filtering

Network objects may be allowed to use multi-user authentication (several users authenticated on the same IP address) by entering the object in the list of multi-user objects (Authentication > Authentication policy).

Filter rules with a 'user@object' source (except 'any' or 'unknown@object'), with a protocol other than HTTP, do not apply to this object category. This behavior is inherent in the packet processing mechanism that the intrusion prevention engine runs. The message warning the administrator of this restriction is as follows: "This rule cannot identify a user logged on to a multi-user object."

Geolocation and public IP address reputation

Whenever a filter rule specifies geolocation conditions and public address reputation, both of these conditions must be met in order for the rule to apply.

Host reputation

If IP addresses of hosts are distributed via a DHCP server, the reputation of a host whose address may have been used by another host will be assigned to both hosts. In this case, the host's reputation may be reinitialized using the command monitor flush hostrep ip = host_ip_address.

Outgoing interface

Filter rules that specify an out interface included in a bridge without being the first interface of such a bridge will not be applied.

Support reference 31715

URL filtering

Authenticated users cannot be filtered within the same URL filter policy. However, particular filter rules may be applied (application inspection) according to users.

Authentication

Captive portal - Logout page

The captive portal's logout page works only for password-based authentication methods.

SSO Agent

The SSO Agent authentication method is based on authentication events collected by Windows domain controllers. Since these events do not indicate the source of the traffic, interfaces cannot be specified in the authentication policy.

Support reference 47378

The SSO agent does not support user names containing the following special characters: " <tab> & ~ | = * < > ! ( ) \ $ % ? ' ` @ <space>. As such, the firewall will not receive connection and disconnection notifications relating to such users.

Multiple Active Directory domains

When multiple Active Directory domains are linked by a trust relationship, an Active Directory and an SN SSO Agent must be defined in the firewall configuration for each of these domains.

SPNEGO and Kerberos cannot be used on several Active Directory domains.

Mobile clients cannot be authenticated with multiple Active Directories in phase 1 of the IPsec negotiation.

The IKEv1 protocol requires extended authentication (XAUTH).

LDAP directory - Microsoft Active Directory

Users are missing from the list of members of their primary group.
This is due to how Microsoft Active Directory works: the user's memberof attribute does not in fact contain the user's primary group. Likewise, the user is not included in the member attribute of his primary group.

As Stormshield firewalls use the member attribute to obtain a group's list of users, they therefore do not appear in the list of members of their primary group.

Multiple directories

Users that have been defined as administrators on the firewall must originate from the default directory.

Users can only authenticate on the default directory via SSL certificate and Radius.

CONNECT method

Multi-user authentication on the same machine in cookie mode does not support the CONNECT method (HTTP). This method is generally used with an explicit proxy for HTTPS connections. For this type of authentication, you are advised to use "transparent" mode. For further information, please refer to our online help at documentation.stormshield.eu, under the section "Authentication".

Conditions of use

The Internet access conditions of use may not display correctly on the captive portal in Internet Explorer v9 with the IE Explorer 7 compatibility mode.

Users

The management of multiple LDAP directories requires authentication that specifies the authentication domain: user@domain.

The <space> character is not supported in user logins.

Logging out

Users may only log out from an authentication session using the same method used during authentication. For example, a user authenticated with the SSO Agent method will not be able to log out via the authentication portal as the user would need to provide a cookie to log out, which does not exist in this case.

Temporary accounts

Whenever a temporary account is created, the firewall will automatically generate an 8-character long password. If there are global password policies that impose passwords longer than 8 characters, the creation of a temporary account would then generate an error and the account cannot be used for authentication.

In order to use temporary accounts, you will therefore need a password policy restricted to a maximum of 8 characters.

High availability

HA interaction in bridge mode and switches

In a firewall cluster configured in bridge mode, the average failover was observed to last about 10 seconds. This duration is linked to the failover time of 1 second, in addition to the time that switches connected directly to the firewalls take to learn MAC addresses.

Policy-based routing

A session routed by the filter policy may be lost when a cluster is switched over.

Models

High availability is not supported on clusters made up of firewalls of different models. Clusters in which one firewall uses 32-bit firmware and the other uses 64-bit firmware are also not allowed.

VLAN in an aggregate and HA link

Support reference 59620

VLANs belonging to an aggregate (LACP) cannot be selected as high availability links. This configuration would prevent the high availability mechanism from running on this link — the MAC address assigned to this VLAN on each firewall will therefore be 00:00:00:00:00:00.

Vulnerability management

Support reference 28665

The application inventory carried out by the Vulnerability manager is based on the IP address of the machine initiating the traffic in order to index applications.

Hosts with an IP address shared among several users (for example an HTTP proxy, a TSE server or a router that dynamically translates the source) may greatly increase the load on the module. You are therefore advised to place the addresses of these machines in an exclusion list (unsupervised elements).

Stormshield Network administration suite

SN Real-Time Monitor

File transfer commands (sending and receiving) from the CLI console in SN Real-Time Monitor no longer function in 2.x and higher versions.

Support reference 28665

The command CLI MONITOR FLUSH SA ALL was initially meant to disable ongoing IPsec tunnels by deleting their SAs (security associations). However, as Bird dynamic routing also uses this type of security association (SA), this command would degrade the Bird configuration, preventing any connections from being set up. This issue also arises with the "Reinitialize all tunnels" function, offered in the Real-Time Monitor interface.

The Bird service must be restarted in order to resolve this issue.

SN Event Reporter

SN Event Reporter is no longer included in the administration suite from version 3 upwards, and connections from SN Event Reporter to firewalls in version 3 and up will not be supported.