New features in version 3.4.0
Protection of private data
In the interests of compliance with the European General Data Protection Regulation (GDPR), private data found in logs (e.g., user, machine name, source IP address, etc.) will no longer be displayed systematically. By default, only the super administrator (admin account) will be able to view such data. Other administrators will only be allowed to enable Full access to logs (sensitive data) mode after they have received an individual and temporary Code for access to private data.
Bridge with Wi-Fi interface (experimental)
Wi-Fi interfaces can now be added to bridges. This feature is in an experimental phase, and can only be accessed using the CLI command CONFIG NETWORK INTERFACE and only one SSID is supported per bridge. The address of the bridge is the Wi-Fi interface's MAC address.
An option has been added, allowing sessions to be synchronized depending on their duration (advanced configuration). Sessions that are shorter than the value specified in the Minimum duration of connections to be synchronized (seconds) field will be ignored during a synchronization. This option therefore makes it possible to avoid synchronizing very short connections that may exist in large numbers, such as DNS requests, for example.
The new CLI command MONITOR FAN makes it possible to monitor the status of fans on SN6100 firewalls. Details of this command can be found in the CLI SERVERD Commands Reference Guide.
The "Make-before-break" re-authentication scheme guarantees that the negotiation of a new tunnel is indeed successful before deleting older tunnels. This scheme is now enabled by default. If an issue occurs, the scheme can be disabled using the CLI command CONFIG IPSEC UPDATE slot=xx MakeBeforeBreak=0. Details of this command can be found in the CLI SERVERD Commands Reference Guide.
In the ModeConfig anonymous user configuration (mobile users), object groups can be selected to define DNS servers.
The confidentiality level now adapts to the authentication level: the Diffie-Hellman key (confidentiality) is always bigger than or equal to the public key (authentication), with tolerance for a variation of 3 bits.
The welcome banner for SSH connections to the firewall can now be customized. To do so, simply place an sshd-banner file containing the desired banner in the ConfigFiles folder and run the enservice command. Details of this command can be found in the CLI Console / SSH command reference guide.
Information regarding bandwidth usage for QoS queues can now be collected via SNMP.
BIRD dynamic routing
The BFD (Bidirectional Forwarding Detection) tool is now built into the BIRD dynamic routing module, and is only available for experimentation.
OPC HDA and OPC AE industrial protocols
The industrial protocols OPC HDA (Historical Data Access) and OPC AE (Alarms & Events) are now supported. Events allowed on the network can now be customized and the commands that these protocols use can be monitored.
Oracle TNS, LDAP and HTTP protocols
The analysis of the protocols Oracle TNS (Transparent Network Substrate), LDAP and HTTP have been improved in order to increase the detection rate of malware and attacks.
As the LDAP analysis intercepts LDAP traffic passing through the firewall, ensure that you conduct tests before applying it in your production environment.
A new alarm Invalid HTTP protocol: strict analysis has been added to factor in HTTP errors. In the HIGH inspection profile used by default in profile 09, the alarm level is Minor, and traffic that raises this alarm is blocked.
The default duration for which closed connections are kept has been changed from 20 seconds to 2 seconds.
Among the secondary connections of DCE/RPC-based protocols, the intrusion prevention engine now analyzes the UUID ISystemActivator using the RemoteCreateInstance method (Opnum 4). Address translation is not available for such secondary connections.
Block pages can now be configured for URL filtering so that the user is redirected to the authentication portal. This makes it possible to set up a policy that filters unauthenticated users before granting them access to the website after authentication.
Applications and protections
By default, the inspection profile IPS_09 in the Configuration > Application protection > Applications and protections module is now based on the HIGH alarm model. Furthermore, filter policy 9 has been renamed (9) Pass all High and contains a filter rule that uses the new inspection profile IPS_09.
This modification will not be available after a firmware upgrade, only after a new installation or restoration to factory configuration.
Sandboxing and Security categories
New reports have been added:
- Top most frequently analyzed file types,
- Top hosts that have submitted the most files for sandboxing,
- Top protocols that use sandboxing,
- Top users who have submitted files for sandboxing,
- Detection rate by analytics engine (Sandboxing, Antivirus, AntiSpam).
In order to display these new reports, you will need to disable some others as the number of reports is limited to 30.
Web administration interface
The various pages of the web administration interface can now be added to favorites in the browser.
Dashboard - Sandboxing
The sandboxing widget includes additional information about the status of the connection and submitted file quotas:
- Connected, submitted file quota exceeded,
- Connected, submitted file quota unknown,
- Limited, submitted file quota exceeded,
- Limited, submitted file quota unknown.
Filter - NAT
The number of characters allowed in the source and destination of a filter rule has been increased from 250 to 500, so you can enter a longer list of objects in these fields.
Several hardware queues are now automatically allocated to virtual machines that have several virtual CPUs and VMware vmxnet3 interfaces. The multi-queue function can be disabled by adding pohw.pci.honor_msi_blacklist=1 to the file /boot/loader.conf.custom. Restart the virtual machine to apply the new configuration.