New features in version 3.2.0

System

Active Update

For configurations that use customized context-based protection signatures, the Active Update module makes it possible to enter the URLs of machines that host such signatures in order for them to benefit from automatic updates.

Filter - NAT

Rules in filter and NAT slots can be exported in CSV (Comma-Separated Values) format.

High Availability

Whenever communication issues arise between members of a cluster even though the active firewall is contactable, the passive firewall will check mutual priorities so that it does not switch to active during a reboot.

A minimum period criterion has been added to the HA mechanism for the selection of connections to be synchronized (ConnOlderThan). For example, it allows synchronizing only connections that do not last more than 10 seconds. This parameter can only be modified in command line: config ha update ConnOlderThan=xx

SNMP agent

All NETASQ MIBs have been renamed Stormshield (e.g.: STORMSHIELD-SMI-MIB).

Several tables have been added to STORMSHIELD-SYSTEM-MONITOR-MIB in order to provide:

  • information on the status of the hardware bypass function (SNi40 industrial firewalls),
  • the status of electrical power supplies,
  • the temperature of processors,
  • the status of disks and the RAID, if applicable.

In a high availability configuration, querying STORMSHIELD-HA-MIB will return information regarding the synchronization status of cluster members, the version number of a deployment via Stormshield Management Center, power supply statuses, the temperature of processors and the status of disks, for both the active and passive firewalls.

Network objects

When the use of network objects is being checked, the name applied to the filter or NAT rule in question will be added to the information displayed.

Access privileges

The command MONITOR USER displays users' access privileges (VPN access, sponsorship, etc.). A link in the user's profile leads directly to the Detailed access tab in the Access privileges module when the selected user is filtered. These privileges are also available in configuration backups.

Notifications

When a user logs on (web administration interface / Stormshield Management Center / NSRPC) with administration privileges on a firewall, a notification will be sent to other administrators from this firewall.

Directory configuration

User groups may contain other groups. This feature applies to all types of directories supported by SNS firewalls (internal LDAP directory, external LDAP directories, external POSIX LDAP directories and Microsoft Active Directories).

Proxies

Sandboxing now includes Java and Flash files.

SSL VPN

The SSL VPN service supports UDP- or TCP-based connections. In the event a connection over UDP fails, the client will automatically switch to TCP.

This feature requires the use of the SSL VPN Client software in version 2.4 or upwards.

IPSec VPN (IKEv1)

Mobile users can be authenticated using certificates through an external LDAP directory other than the default directory.

IPSec VPN (IKEv2)

Version 3.2.0 of the firmware enables support for the fragmentation mechanism in IKEv2.

Network

Dynamic routing

In the table listing the intrusion prevention system's protected networks, an option has been added in order to automatically inject networks spread by the dynamic routing engine (IPv4 / IPv6).

The configuration of the dynamic routing engine takes into account customized names of network interfaces. Whenever such configurations are restored on devices that do not know these customized names, the system name of the interface will be automatically used.

Wi-Fi network

An option has been added to prevent direct connections between machines connected to the Wi-Fi network managed by the firewall (AP Isolation). This option (Network > Interfaces module) is enabled by default (public Wi-Fi hotspot configurations); when it is disabled, direct connections between devices connected to the Wi-Fi network will no longer be filtered.

Intrusion prevention

OPC DA protocol

The intrusion prevention system now scans the industrial protocol OPC DA (OPC Data Access).

TDS protocol (Microsoft SQL Server)

The intrusion prevention system scans TDS (Tabular Data Stream) packets used by the Microsoft SQL Server application.

DCE/RPC protocol (Microsoft RPC)

The configuration module for intrusion prevention scans on the DCE/RPC protocol has been modified: UUIDs can now be defined for DCE/RPC services that were not previously defined in a whitelist of services to allow.

Web administration interface

Audit logs

Alarm logs (l_alarm log) specify the names of applications that the intrusion prevention system has detected and that have raised an alarm.

Monitoring

Monitoring data can be printed as graphs.

Reports

The report that shows the highest reputation scores also takes into account internal hosts that are traffic recipients.

A report showing applications that have generated the most alarms can be found in the Reports > Security module.