New features in version 3.2.0
For configurations that use customized context-based protection signatures, the Active Update module makes it possible to enter the URLs of the machines that host such signatures, so that these signatures also benefit from automatic updates.
Filter - NAT
Rules in filter and NAT slots can be exported in CSV (Comma-Separated Values) format.
Whenever communication issues arise between members of a cluster even though the active firewall is contactable, the passive firewall will check mutual priorities so that it does not switch to active during a reboot.
A minimum duration criterion (ConnOlderThan) has been added to the HA mechanism for selecting the connections to be synchronized. For example, it allows synchronizing only connections that do not last more than 10 seconds. This parameter can only be modified from the command line: config ha update ConnOlderThan=xx
All NETASQ MIBs have been renamed Stormshield (e.g. STORMSHIELD-SMI-MIB).
Several tables have been added to STORMSHIELD-SYSTEM-MONITOR-MIB in order to provide:
- information on the status of the hardware bypass function (SNi40 industrial firewalls),
- the status of electrical power supplies,
- the temperature of processors,
- the status of disks and the RAID, if applicable.
In a high availability configuration, querying STORMSHIELD-HA-MIB will return information regarding the synchronization status of cluster members, the version number of a deployment via Stormshield Management Center, power supply statuses, the temperature of processors and the status of disks, for both the active and passive firewalls.
When checking where a network object is used, the name of the filter or NAT rule concerned is now included in the information displayed.
The command MONITOR USER displays users' access privileges (VPN access, sponsorship, etc.). A link in the user's profile leads directly to the Detailed access tab in the Access privileges module when the selected user is filtered. These privileges are also available in configuration backups.
When a user logs on (web administration interface / Stormshield Management Center / NSRPC) with administration privileges on a firewall, a notification is sent to the other administrators of this firewall.
User groups may contain other groups. This feature applies to all types of directories supported by SNS firewalls (internal LDAP directory, external LDAP directories, external POSIX LDAP directories and Microsoft Active Directories).
Sandboxing now includes Java and Flash files.
The SSL VPN service supports UDP- or TCP-based connections. In the event a connection over UDP fails, the client will automatically switch to TCP.
This feature requires the SSL VPN Client software in version 2.4 or higher.
IPSec VPN (IKEv1)
Mobile users can be authenticated using certificates through an external LDAP directory other than the default directory.
IPSec VPN (IKEv2)
Version 3.2.0 of the firmware adds support for the IKEv2 message fragmentation mechanism.
In the table listing the intrusion prevention system's protected networks, an option has been added to automatically include the networks advertised by the dynamic routing engine (IPv4 / IPv6).
The configuration of the dynamic routing engine takes into account customized names of network interfaces. Whenever such configurations are restored on devices that do not know these customized names, the system name of the interface will be automatically used.
An option has been added to prevent direct connections between machines connected to the Wi-Fi network managed by the firewall (AP Isolation). This option (Network > Interfaces module) is enabled by default (public Wi-Fi hotspot configurations); when it is disabled, direct connections between devices connected to the Wi-Fi network will no longer be filtered.
OPC DA protocol
The intrusion prevention system now scans the industrial protocol OPC DA (OPC Data Access).
TDS protocol (Microsoft SQL Server)
The intrusion prevention system scans TDS (Tabular Data Stream) packets used by the Microsoft SQL Server application.
DCE/RPC protocol (Microsoft RPC)
The configuration module for intrusion prevention scans on the DCE/RPC protocol has been modified: UUIDs can now be defined for DCE/RPC services that were not previously listed, in order to add them to the whitelist of services to allow.
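As an added illustration of what such a UUID whitelist does (example code written for these notes, not Stormshield's implementation or configuration syntax), the following Python script builds a minimal connection-oriented DCE/RPC BIND request, extracts the interface UUID(s) it requests and checks them against an allow-list; a BIND for an unlisted interface, or a malformed BIND, produces an alarm verdict. The SRVSVC interface UUID and the NDR transfer-syntax UUID are the standard values; the "custom" service UUID, the allow-list itself and the PDUs are constructed inline for the example.

```python
import struct
import uuid

PTYPE_BIND = 11  # DCE/RPC packet type for a BIND request
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard NDR v2
SRVSVC = "4b324fc8-1670-01d3-1278-5a47bf6ee188"  # well-known Server Service interface
CUSTOM_SERVICE = "11111111-2222-3333-4444-555555555555"  # constructed placeholder UUID

# Constructed allow-list: interface UUID -> name shown in the verdict.
ALLOWED_INTERFACES = {
    uuid.UUID(SRVSVC): "srvsvc",
    uuid.UUID(CUSTOM_SERVICE): "example-custom-service",
}


def build_bind(interface, if_version=(3, 0), call_id=1):
    """Build a minimal DCE/RPC v5 BIND PDU (little-endian) with one presentation
    context: abstract syntax = the requested interface, one NDR transfer syntax."""
    if isinstance(interface, str):
        interface = uuid.UUID(interface)
    ctx = struct.pack("<HBB", 0, 1, 0)  # p_cont_id, n_transfer_syn, reserved
    ctx += interface.bytes_le + struct.pack("<HH", if_version[0], if_version[1])
    ctx += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHI", 5840, 5840, 0)  # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", 1, 0, 0)  # n_context_elem, reserved, reserved2
    body += ctx
    header = struct.pack("<BBBB", 5, 0, PTYPE_BIND, 0x03)  # vers 5.0, BIND, first|last frag
    header += bytes([0x10, 0, 0, 0])  # packed_drep: little-endian integers, ASCII chars
    header += struct.pack("<HHI", 16 + len(body), 0, call_id)  # frag_length, auth_length, call_id
    return header + body


def parse_bind_interfaces(pdu):
    """Return [(uuid, major, minor), ...] for every abstract syntax requested by a BIND PDU.
    Raises ValueError on anything that is not a well-formed v5 BIND."""
    if len(pdu) < 28:
        raise ValueError("truncated header")
    vers, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    if vers != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 BIND")
    big_endian = (pdu[4] >> 4) == 0  # drep byte 0, high nibble: 0 = big-endian integers
    end = ">" if big_endian else "<"
    (frag_len,) = struct.unpack_from(end + "H", pdu, 8)
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    n_ctx = pdu[24]
    off = 28
    interfaces = []
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated presentation context")
        _cont_id, n_ts, _res = struct.unpack_from(end + "HBB", pdu, off)
        raw = pdu[off + 4:off + 20]
        iface = uuid.UUID(bytes=raw) if big_endian else uuid.UUID(bytes_le=raw)
        major, minor = struct.unpack_from(end + "HH", pdu, off + 20)
        off += 24 + 20 * n_ts  # skip the transfer-syntax list (16-byte UUID + 4-byte version each)
        if off > len(pdu):
            raise ValueError("truncated transfer syntax list")
        interfaces.append((iface, major, minor))
    return interfaces


def inspect_bind(pdu, allowed=ALLOWED_INTERFACES):
    """Return ('pass', names) if every requested interface is on the allow-list,
    otherwise ('alarm', reason). Malformed PDUs are alarmed rather than passed."""
    try:
        interfaces = parse_bind_interfaces(pdu)
    except ValueError as exc:
        return "alarm", "malformed BIND: %s" % exc
    for iface, major, minor in interfaces:
        if iface not in allowed:
            return "alarm", "unlisted interface %s v%d.%d" % (iface, major, minor)
    return "pass", ", ".join(allowed[iface] for iface, _, _ in interfaces)


if __name__ == "__main__":
    print(inspect_bind(build_bind(SRVSVC)))
    print(inspect_bind(build_bind("0000dead-0000-0000-0000-000000000000")))
    print(inspect_bind(b"\x05\x00\x0b"))
```

Extending the allow-list is a matter of adding a UUID to the dictionary, which is the operation the new configuration module exposes for services that were not previously listed.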
Web administration interface
Alarm logs (l_alarm) now specify the names of the applications that the intrusion prevention system has detected and that have raised an alarm.
Monitoring data can be printed as graphs.
The report that shows the highest reputation scores also takes into account internal hosts that are traffic recipients.
A report showing applications that have generated the most alarms can be found in the Reports > Security module.