New features in version 3.1.0

New models - Wireless networks

Version 3.1.0 of the firmware ensures compatibility with new Wi-Fi firewall models SN160W and SN210W.

These firewalls must therefore be updated after you receive them.

They offer all the features needed for securing Wi-Fi connections.

Wireless network management built into this version is compatible with 802.11 a/b/g/n standards. Two WLAN interfaces, and therefore distinct networks, can be configured on each firewall.


Network objects

New objects corresponding to services and service groups used by the Stormshield Endpoint Security solution have been included in the SNS firewall objects database.


Diffie-Hellman DH19 NIST Elliptic Curve Group (256-bits) and DH20 NIST Elliptic Curve Group (384-bits) have been added to the encryption profiles available for IPSec IKEv2 tunnels.


A button that allow renaming IPSec peers has been added to the Peers tab in the IPSec VPN module.

Support reference 56589


Object names associated with source and destination IP address have been added to notification reports sent by email.

Certificates and PKI

The period for verifying CRLs (Certificate Revocation Lists) used to be set at 24 hours. It can now be configured for a period ranging from 3600 seconds (1 hour) to 604800 seconds (1 week). The default value is 21600 seconds (6 hours).

These settings can only be modified via the CLI command: PKI CONFIG UPDATE checkcrlperiod= xxxxx.

HTTP block page

The return code associated with the HTTP block page (default value: 202 - Accepted) can be modified using the command: config protocol http profile proxy urlfilteringindex=X HTTPCodeOnFail=Y.

High availability

When the quality of the passive firewall changes (e.g., when a link is lost, or when disconnecting from a power supply module), the cluster will send out an SNMP alert (TRAP) in order to warn the administrator. The firewall will also add a message resembling "The quality of a node in the cluster has been modified: SN910XXXXXXXXXX 12 -> 11" in the system event log (l_system log).

In a high availability configuration with a quality factor below 100%, a warning message appears in several cases indicating that the role of a cluster member might change, in particular:

  • when an interface in an aggregate is created, added or deleted,
  • when a connected interface is disabled,
  • when a disconnected interface is enabled,


The options Use DNS servers provided by the firewall (register-dns) and Prohibit use of third-party DNS servers (block-outside-dns), respectively instructing the SSL VPN client to either write the DNS server(s) specified by the Stormshield Network firewall in its configuration or to avoid using third-party DNS servers, can be configured in the ConfigurationSSL VPN module. This feature shortens the time needed for receiving responses to the client's DNS requests, especially for machines running in Microsoft Windows 10.

SSL VPN Portal

The Java Web Start application is now used instead of the standard Java application during connections to the SSL VPN portal.

Global objects

SNS firewalls now support global time objects and router objects, which can therefore be managed and deployed using the Stormshield Management Center solution.

CRL verification and support for BindAddr in the firewall's LDAP requests

In the firewall's LDAP configuration, the BindAddr parameter followed by the firewall's private IP address forces the firewall to present this IP address during LDAP requests to an external directory: LDAP traffic can therefore be encapsulated in an IPSec tunnel in order to encrypt requests to the directory.

This parameter can only be modified in command line: setconf ConfigFiles/ldap LDAP_Name BindAddr FW_Private_IP.

Monitoring - Reports - Audit logs


Each line showing a vulnerability detected on a host will now include a link to the page providing details on the vulnerability in question.

New pop-up menus can be opened by right-clicking on a line of data:

  • Hosts monitoring: you can look for the host in logs, show details about the host, reset its reputation score, add the host to the objects database and/or add it to a group, etc.
  • User monitoring: you can look for the value in logs, show details about the host on which a user is connected, disconnect the user, etc.
  • Connections monitoring: you can display a full line, add the source or destination object to the objects database, show details about the host, ping the source or destination, etc.

Intrusion prevention

IEC 60870-5-104 protocol

The intrusion prevention system now scans the industrial protocol IEC 60870-5-104 (IEC 104).


A signature context, vbscript, has been added to the security inspection for HTTP.

Support reference 54140

The intrusion prevention system now detects cache poisoning attempts on Squid web proxies and raises the block alarm Possible HTTP proxy poisoning.

SSL Proxy

RC4 and MD5 encryption algorithms, which are considered weak, have been removed from the list of available algorithms for the SSL proxy.

Modbus protocol

An alarm is now generated when the maximum number of Modbus servers with a UMAS reservation has been reached.

IP protocols (except TCP, UDP and ICMP)

Connections that match IP protocols different from TCP, UDP and ICMP (example: GRE) are referenced in connection statistics logs (IPStateMem , -IPStateConn, -IPStatePacket and -IPStateByte fields in the l_filterstat file).

SNi40 industrial firewalls

Hardware bypass

When hardware bypass was enabled, ongoing connections on interfaces included in the bypass were not modified and therefore ended up being shut down since the corresponding network traffic was not received. This reaction has been modified, and such connections will now be kept active until a standard network configuration is adopted again (bypass reset).


High availability

As part of the process of resetting the firewall to its factory configuration (defaultconfig), the period before the hardware watchdog function is activated will now be 120 seconds compared to the previous 300.