New features in version 3.6.0

IPSec VPN - AES-GCM encryption algorithm

The AES-GCM encryption algorithm is now available for IPSec VPN encryption profiles, and has the following characteristics:

  • It performs both authentication and encryption,
  • It is only supported in IKEv2,
  • Whenever it is used, the imposed value of the pseudo-random function (PRF) is SHA2 256, in line with the requirements of the "ANSSI Diffusion Restreinte" mode,
  • Encryption performance is closely linked to the firewall's hardware capacities.

Firewall health indicator

SNS provides a system of health indicators in the form of colored icons in the upper banner of the web administration interface. The icon appears only when the firewall has a minor (yellow) or major (red) defect.

The indicator takes into account the status of hardware (e.g., CPU, memory, power, disks, etc.) and high availability. More detailed information can be found by scrolling over the icon.

A new MIB, Stormshield Health Monitor, is also available as a way to monitor this health indicator via SNMP. Download it on


The following modules have been added to the Monitoring menu:

  • DHCP monitoring which shows the list of all the hosts that have obtained an IP address through the firewall's DHCP server.
  • SSL VPN tunnel monitoring which shows the list of all users connected to the firewall through an SSL VPN tunnel. A button also offers the possibility of renegotiating the selected tunnel.
  • IPSec VPN tunnel monitoring which shows IPSec policies that have been defined on the firewall and the corresponding tunnels.
  • Black list / white list monitoring which shows the hosts that have been quarantined (blacklist) and the hosts allowed to pass through the firewall without being monitored by it (whitelist).

Customized warning message

Customized warning messages can now be added to the authentication page of the web administration interface.


High Availability

Warning messages relating to high availability are now displayed in the Hardware monitoring / High availability view, making it easier to analyze the status of the cluster.

Kaspersky antivirus

The Kaspersky antivirus engine libraries can now be completely deleted from the firewall via the command serverd CONFIG ANTIVIRUS ERASEKAV [force=<on|off>]. Do note that deleting Kaspersky libraries will prevent the proxy from being used in all cases, even when no antivirus has been enabled.


Antispam databases are now updated only when the antispam is used in a security policy. If you select the antispam in a policy, the log The antispam base is missing. The antispam feature will not run correctly. will be generated. When this policy is enabled, the antispam databases will be reloaded and run correctly.


The Do not initiate the tunnel (Responder only) option is now available for IKEv2 peers. This mode is particularly adapted to the hubs of star configurations, in which only peers set up tunnels.

Intrusion prevention

S7 industrial protocol

The table of predefined operations of the S7 industrial protocol has been updated, making it possible to allow or block additional S7 function codes.

Virtual machines

vSphere deployment wizard

IP parameters and the password of the virtual machine administrator can now be entered in the vSphere deployment wizard. This saves the user from having to open the console to enter such information the first time the virtual machine is started up.



Web administration interface


When a new rule is created, a predefined rule name is added automatically. This name is used in order to switch from the Filter and NAT view to the Audit logs or Monitoring view.

If you copy and paste a rule with a comment that was automatically generated, this comment will be updated with the relevant date and connected user.


Command line interface

Scripts spanning several lines can now be run in the Configuration > System > CLI console field. This command block may, for example, be generated from a recorded sequence of commands (Record commands button).

Dragging and dropping objects

The drag and drop function is now available for FQDN and time objects.

Log filtering

Two new filter criteria are available for the Received and Sent fields: Higher than 1 MB, Higher than 10 MB, and Higher than 100 MB. In particular, they make it possible to identify the connection that uses the largest amount of resources.

Monitoring - New interactive features

The following actions can now be performed by right-clicking in the monitoring views:

  • Adding a host to the blacklist,
  • Adding a host to the objects base or to a group.

Users and groups

Whenever monitoring is enabled, scrolling over the name of a user displays complementary information about his connection:

  • IP address of the user's workstation,
  • Country from which the connection originates,
  • Reputation of the connecting host's IP address,
  • Bandwidth used,
  • MAC address of the connecting host,
  • Interface on the firewall through which the user’s connection was set up.

A Users view is now available in the Logs - Audit logs menu. It shows the Authentication log which sets out users' authentication actions.