New features in version 3.3.0

System

IPSec VPN

IPSec policies can now group peers that use various versions of the IKE protocol with restrictions on the use of the IKEv1 protocol (cf. section Explanations on usage). As this feature could not be tested in complex and disparate environments, you are strongly advised to test it out on a test configuration.

It is now possible to define a list of LDAP directories that need to be browsed sequentially in order to authenticate mobile users (certificate or pre-shared key authentication).

Interfaces

Interfaces can now be defined in networks without broadcast addresses (network mask /31 - RFC 3021). Such interfaces are to be used only for point-to-point exchanges.

A "Priority (CoS)" field can be defined for VLAN interfaces. This CoS (Class of Service) priority will then be imposed for all packets sent from this interface.

Global objects

During the deployment of configurations via Stormshield Management Center, additional checks will be performed on global objects used in the firewall's routing instructions.

Authentication by certificate

An advanced option allows user authentication to be enabled on several LDAP directories. When a character string defined by a regular expression is found in a selected field within the certificate that the user presents, the associated LDAP directory will be queried in order to authenticate the user in question and verify his access privileges.

Certificates and PKI

SNS firewalls allow defining separate certificate authorities to sign SCEP exchanges and to sign enrollment certificates. This configuration can only be obtained via the PKI SCEP QUERY command scep_ca_name.

Sandboxing

Additional information is sent whenever files are submitted for sandboxing:

  • Version of the firewall's firmware,
  • MIME types and the names of all files included in the archives.

Notifications

Version 3.3.0 of the firmware supports the secure sending of e-mails using the SMTP protocol associated with the STARTTLS mechanism.

In the SMTP server's settings, an e-mail address replaces the DNS domain name in order to ensure compatibility with certain external SMTP services (Microsoft Office 365 for example).

Routing - Return routes

MAC addresses no longer need to be specified for network objects corresponding to the gateways selected in return routes. When they are not entered, MAC addresses will be learned dynamically.

Implicit rules

Since administration tools (Stormshield Management Center and SN Real-Time Monitor) connect to the firewall's web administration port (TCP/443 - HTTPS by default), implicit rules that allow connections to the firewall from the local network to the usual administration port (TCP/1300) are disabled for firewalls in factory settings.
Administrators who use Global Administration, SN Centralized Manager or NSRPC binary files can now create explicit filter rules (recommended method) or manually re-enable these implicit rules.

Audit logs

Connection logs (l_connection file) indicate as the destination name (dstname field) the SNI (Server Name Indication) requested by the client host during TLS negotiation.

Logs relating to IPSec tunnels (l_vpn file) specify the name of the user who activated logging as well as his group, if it has been defined.

Centralized administration

The source address that needs to be used for the firewall's connection to its centralized administration server (SMC) can be forced. These settings can only be configured using the command lines CONFIG FWADMIN UPDATE and CONFIG FWADMIN ACTIVATE. Details of these commands can be found in the CLI SERVERD Commands Reference Guide.

SNMP Agent

A new OID that allows reporting the comment assigned to an interface has been added to the Stormshield network interface MIB (STORMSHIELD-IF-MIB).

Intrusion prevention

TCP protocol

The default value of a TCP connection timeout has been set to 3600 seconds (1 hour) for firewalls in factory configuration.

DNS protocol

The intrusion prevention engine analyzes the implementation of the DNS protocol over TCP.

BACnet/IP protocol

The intrusion prevention engine analyzes the industrial protocol BACnet/IP (Building Automation and Control Networks over IP).

Multipath TCP

As the firewall's intrusion prevention engine is not in a position to analyze multipath TCP connections, a specific alarm has been added, which blocks such extensions when they are detected ("Multipath TCP").

TDS protocol

The intrusion prevention engine analyzes the TDS (Tabular Data Stream) protocol used for requests sent to Microsoft SQL Server databases.
Note that all traffic streams using the 5000/TCP port are analyzed as TDS protocol.

Facebook Zero protocol

Support reference 64995

As Facebook has implemented the protocol Facebook Zero (based on Google's QUIC protocol), the use of applications such as Facebook Messenger would set off the "Invalid SSL packet" block alarm. A dedicated "Facebook Zero protocol detected" alarm has been created to allow the administrator to identify and allow such connections.

Web administration interface

Saving commands

The upper banner of the administration interface includes a button that allows saving the sequence of commands run during any configuration performed on the firewall. When the saving process is stopped, this command sequence will be displayed so that it can be copied and pasted in a text editor (to be used in an NSRPC script, for example).

This feature can be enabled or disabled in the user preferences of the web administration interface.

Menu display

The display of certain menus is dependent on the activation or availability of related features:

  • the Users and groups menu only appears if at least one directory has been defined,
  • the Audit logs menu does not appear on firewalls that are not equipped with storage media,
  • the Reports menu appears only when reports have been enabled,
  • the My favorites menu is shown once the first favorite has been defined.

Filtering and NAT

When several cells of a filter policy are modified in succession, the symbol indicating that these cells are in the process of modification () will remain visible until the filter policy is validated.

In certain object selection fields, there is now a button to access a pop-up menu in order to create new objects or modify existing objects from the Filter/NAT module.

User monitoring

New columns have been added, indicating whether the user is allowed to use the SSL VPN portal, set up SSL VPN tunnels or IPSec VPN tunnels.

SN Real-Time Monitor

Hosts monitoring

Support reference 59595

Hosts located behind unprotected interfaces, and which are involved in connections that pass through the firewall, are displayed in the Hosts view in SN Real-Time Monitor.