Before you migrate an existing configuration to version 3 of the firmware, ensure that you have:

  • Read the section Known issues carefully,
  • Read the section Explanations on usage carefully.
  • Perform a backup of the main partition towards the backup partition, and perform a configuration backup

SSL protocol

From version 3.7.0 of the firmware onwards, encryption suites with a weak level of security (suites based on MD5, SHA1 and DES) are no longer available for the SSL protocol used by the various firewall components (SSL VPN, SSL proxy, etc.).

For configurations that use these encryption suites, algorithms with a higher level of security must be chosen in order to migrate the firewall to an SNS 3.7.0 version or higher.


Support reference 66421

Before upgrading the firewall to v3, check your IPsec VPN configuration as follows:

In the menu Configuration > VPN > IPSEC VPN > Identification tab, check that the email addresses indicated in Mobile tunnels: Pre-shared keys are valid, or correct them if necessary.

If an address contains an error (e.g., product@stormshield or product@stormshield.e), the IPSec policy will fail to activate, returning the error message Failed to parse PSK list from slotfile.

Web enrollment

Support reference 54754

Web enrollment is supported only if users log on to the authentication portal using Mozilla Firefox.

Microsoft Internet Explorer

The use of Microsoft Internet Explorer browsers, including version 11, may adversely affect user experience. You are therefore strongly advised to use the browsers listed in the Compatibility section.

Extended Web Control

If synchronous mode has been enabled on the Extended Web Control URL filtering solution (X-CloudURL_Async=0 parameter in the [Config] section of the configuration file ConfigFiles/proxy), it must be disabled before upgrading the firewall to v3. To do so, delete the line containing the X-CloudURL_Async parameter.

Updating a cluster with several high availability links

For clusters that implement more than one link dedicated to high availability, ensure that the main link is active before proceeding to upgrade to version 3.

SSO agent authentication method

In a configuration using he "SSO Agent" authentication method, the SSO agent has to be migrated to a version equal to or higher than 1.4 before migrating the firewall's version.

The "domain name" field must also be entered in the configuration of the SSO agent before migrating the firewall. This domain name must match the actual name of the domain (e.g.: in order to let the SSO agent run.

Policy-based routing

If the firewall has been reset to its factory settings (defaultconfig) after a migration from a 1.x version to a 2.x version then to a 3.x version, the order in which routing will be evaluated will be changed and policy-based routing [PBR] will take over priority (policy-based routing > static routing > dynamic routing >…> default route). However, if the firewall has not been reset, the order of evaluation stays the same as in version 1 (static routing > dynamic routing > policy-based routing [PBR] > routing by interface > routing by load balancing > default route).

Filter policies and users

In previous versions of the firmware, the filter policy did not distinguish between users and groups. In version 3, support for multiple directories requires strict checks on users. Migrating a configuration to version 3 of the firmware may therefore generate warnings asking the administrator to re-enter users in the filter policy in order to avoid any ambiguity.