Updating an SNS firewall that has already been configured in DR mode

To update a firewall that has already been configured in DR mode to a more recent SNS version that complies with the ANSSI's IPsec DR recommendations, additional operations may be required, depending on the original version.

From SNS 4.3.21 LTSB or a higher 4.3 LTSB version, or from SNS 4.7 or higher

Refer to the section Installing this version in the Stormshield Network Security (SNS) release notes to update the firewall.

From SNS 4.2, 4.3 LTSB versions lower than 4.3.21 LTSB, or 4.6

  1. First, read the section Assessing the impact of enabling DR mode.

  2. If you are using Stormshield VPN Exclusive clients, ensure that each client is in version 7.4.018 or higher, then add custom settings in the gateway configuration (IKE Auth). For more information, refer to the section Ensuring the compliance of a mobile IPsec client's configuration with DR mode.

  3. Next, refer to the section Installing this version in the Stormshield Network Security (SNS) release notes to update the firewall.

From an SNS version lower than 4.2

The DR mode implemented in SNS 4.2 versions applies substantial changes compared to DR mode in previous versions. As such, firewalls on which DR mode is already enabled cannot be updated to SNS version 4.2 or higher.

Any attempt to do so produces an error.

To update the SNS firewall:

  1. First, read the section Assessing the impact of enabling DR mode.

  2. In Configuration > General configuration tab > Cryptographic settings section, unselect Enable “Diffusion Restreinte (DR)” mode to disable DR mode. The name of the setting may differ from one SNS version to another.
  3. Restart the SNS firewall to apply the choice of disabling DR mode.
  4. Update the SNS firewall. For more information, refer to the Stormshield Network Security (SNS) release notes.
  5. Ensure the compliance of the SNS firewall's configuration with DR mode.
  6. Select Enable "Diffusion Restreinte (DR)" 2021 version compliance mode to enable DR mode.
  7. Restart the SNS firewall to apply the choice of enabling DR mode.
     IMPORTANT
     If the newly configured IPsec policy on the firewall uses parameters that are not compatible with DR mode, enabling DR mode will disable this IPsec policy and show the warning message: “‘Diffusion Restreinte’ mode disabled the non-compliant VPN configuration”.

  8. If you are using Stormshield IPsec VPN clients, ensure that you use SN VPN Client Exclusive in version 7.4.018 or higher, then check their configuration. For more information, refer to the section Ensuring the compliance of a mobile IPsec client's configuration with DR mode.
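
As an added planning aid (not Stormshield code), the following sketch maps an installed SNS version to the update path described on this page and lists the VPN clients that are below 7.4.018. The function names, path labels and sample inventory are assumptions made for illustration; versions the page does not mention (such as 4.4 or 4.5) are reported as not covered.

```python
import re

LTSB_DIRECT_FROM = (4, 3, 21)   # 4.3 LTSB releases from here on update directly
CLIENT_MIN = (7, 4, 18)         # SN VPN Client Exclusive 7.4.018

def parse(version):
    """'4.3.21 LTSB' -> (4, 3, 21); '7.4.018' -> (7, 4, 18); '4.7' -> (4, 7, 0)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p or 0) for p in m.groups())

def update_path(sns_version):
    """Map the installed SNS version to the section of the page that applies."""
    v = parse(sns_version)
    branch = v[:2]
    if branch < (4, 2):
        return "disable-dr-first"      # DR off, restart, update, re-enable DR
    if branch >= (4, 7) or (branch == (4, 3) and v >= LTSB_DIRECT_FROM):
        return "direct"                # follow the release notes only
    if branch in {(4, 2), (4, 3), (4, 6)}:
        return "prepare-clients"       # impact assessment and client settings first
    return "not-covered"               # e.g. 4.4 / 4.5: the page gives no path

def outdated_clients(client_versions):
    """Clients below 7.4.018, which both non-direct paths require upgrading."""
    return sorted(c for c in client_versions if parse(c) < CLIENT_MIN)

def plan(inventory):
    """inventory: {name: (sns_version, [client versions])} -> {name: (path, blockers)}."""
    result = {}
    for name, (sns_version, clients) in inventory.items():
        path = update_path(sns_version)
        blockers = outdated_clients(clients) if path != "direct" else []
        result[name] = (path, blockers)
    return result

# Constructed inventory; names and versions are sample values.
SAMPLE = {
    "fw-paris": ("4.3.21", ["7.4.018", "7.5.007"]),
    "fw-lyon": ("4.3.20", ["7.4.017"]),
    "fw-lille": ("4.1.6", ["7.0.12", "7.4.018"]),
    "fw-nice": ("4.5.1", []),
}

if __name__ == "__main__":
    for name, (path, blockers) in plan(SAMPLE).items():
        print(f"{name}: {path}; clients to upgrade first: {blockers or 'none'}")
```

Zero-padded components such as `018` are compared numerically, so `7.4.018` and `7.4.18` are treated as the same release.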