Before you migrate an existing configuration to version 3 of the firmware, ensure that you have:

  • Carefully read the section Known issues in the Stormshield Knowledge Base (use the same login credentials as those for your MyStormshield client area),
  • Carefully read the section Explanations on usage,
  • Backed up the main partition on the backup partition and backed up the configuration.

MAC address management

MAC address management has been changed in version 3.8.0 in order to fix issues encountered when certain advanced interface configurations are applied.

As such, Stormshield now applies stricter use of promiscuous mode.

These changes may affect the behavior of the following configurations:

  • Ethernet interface with at least one VLAN on which the MAC address has been forced [1],
  • Disabled Ethernet interface with one or several VLAN(s),
  • Ethernet interface with one or several VLANs included in a bridge,
  • HA interface with one or several VLANs.

[1] High availability forces MAC addresses on one of the members of the cluster.

If any of these configurations concerns you, check that all your network devices use your firewall's real MAC address.

For further information, please refer to this article in the Stormshield Knowledge Base.

SSL protocol

From version 3.7.0 of the firmware onwards, encryption suites with a weak level of security (suites based on MD5, SHA1 and DES) are no longer available for the SSL protocol used by the various firewall components (SSL VPN, SSL proxy, etc.).

For configurations that use these encryption suites, algorithms with a higher level of security must be chosen in order to migrate the firewall to an SNS 3.7.0 version or higher. Otherwise, the affected services will not run or will refuse to start.


Support reference 66421

Before upgrading the firewall to v3, check your IPsec VPN configuration as follows:

In the menu Configuration > VPN > IPSEC VPN > Identification tab, check that the email addresses indicated in Mobile tunnels: Pre-shared keys are valid, or correct them if necessary.

If an address contains an error (e.g., product@stormshield or product@stormshield.e), the IPSec policy will fail to activate, returning the error message Failed to parse PSK list from slotfile.

EVA (Elastic Virtual Appliances)

You are advised to set the memory of an EVA to 2 GB if you use the antivirus and sandboxing features frequently.

Microsoft Internet Explorer

The use of Microsoft Internet Explorer browsers, including version 11, may adversely affect user experience. You are therefore strongly advised to use the browsers listed in the Compatibility section.

Extended Web Control

If synchronous mode has been enabled on the Extended Web Control URL filtering solution (X-CloudURL_Async=0 parameter in the [Config] section of the configuration file ConfigFiles/proxy), it must be disabled before upgrading the firewall to v3. To do so, delete the line containing the X-CloudURL_Async parameter.
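
A pre-upgrade check for the setting described above, as an added example rather than Stormshield code: it reports whether X-CloudURL_Async=0 is set in the [Config] section and prints the file with that line deleted. It assumes an INI-style layout and is meant to be run on a copy of ConfigFiles/proxy; ExampleKey and [OtherSection] are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Stormshield code). Run it against a COPY of ConfigFiles/proxy.
# Assumption: the file is INI-style, with [Section] headers and key=value lines.

# Exit 0 if synchronous mode (X-CloudURL_Async=0) is set in the [Config] section.
sync_mode_enabled() {
    awk '
        /^[ \t]*\[/ { in_config = ($0 ~ /^[ \t]*\[Config\][ \t]*$/); next }
        in_config && /^[ \t]*X-CloudURL_Async[ \t]*=[ \t]*0[ \t]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print the file with every X-CloudURL_Async line of [Config] deleted.
# The same key in any other section is left untouched.
strip_async_param() {
    awk '
        /^[ \t]*\[/ { in_config = ($0 ~ /^[ \t]*\[Config\][ \t]*$/) }
        in_config && /^[ \t]*X-CloudURL_Async[ \t]*=/ { next }
        { print }
    ' "$1"
}

# Constructed sample; ExampleKey and [OtherSection] are placeholders,
# not real SNS settings.
write_sample() {
    cat > "$1" <<'EOF'
[Config]
ExampleKey=1
X-CloudURL_Async=0
[OtherSection]
X-CloudURL_Async=0
EOF
}

sample=$(mktemp)
write_sample "$sample"
if sync_mode_enabled "$sample"; then
    echo "Synchronous mode is enabled: remove X-CloudURL_Async before upgrading"
    strip_async_param "$sample" > "$sample.new"
    sync_mode_enabled "$sample.new" || echo "Cleaned copy written to $sample.new"
fi
rm -f "$sample" "$sample.new"
```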

Updating a cluster with several high availability links

For clusters that implement more than one link dedicated to high availability, ensure that the main link is active before proceeding to upgrade to version 3.

SSO agent authentication method

In a configuration using the "SSO Agent" authentication method, the SSO agent has to be migrated to a version equal to or higher than 1.4 before migrating the firewall's version.

The "Domain name" field must also be entered in the configuration of the SSO agent before migrating the firewall. This domain name must match the actual name of the domain (e.g.: in order to let the SSO agent run.

Policy-based routing

If the firewall has been reset to its factory settings (defaultconfig) after a migration from a 1.x version to a 2.x version and then to a 3.x version, the order in which routing is evaluated changes and policy-based routing [PBR] takes priority (policy-based routing > static routing > dynamic routing >…> default route). However, if the firewall has not been reset, the order of evaluation stays the same as in version 1 (static routing > dynamic routing > policy-based routing [PBR] > routing by interface > routing by load balancing > default route).

Filter policies and users

In previous versions of the firmware, the filter policy did not distinguish between users and groups. In version 3, support for multiple directories requires strict checks on users. Migrating a configuration to version 3 of the firmware may therefore generate warnings asking the administrator to re-enter users in the filter policy in order to avoid any ambiguity.