Action required: Apply the fix for SNS firewall disks.
Please follow the procedure described in the Stormshield Knowledge Base article How to update my SSD Firmware (authentication required).
New features in version 4.0.1
MAC address filtering
SNS now makes it possible to define and use network objects that are based on MAC addresses only. Such objects can be used in filter policies to perform Layer 2 filtering in the same way as the stateful filtering applied to IP objects.
PROFINET protocol filtering
PROFINET is a set of industrial protocols used in the production, agriculture and transport sectors. It consists of four main protocols (among others): PROFINET-IO, PROFINET-RT, PROFINET-DCP and PROFINET-PTCP.
SNS can now filter on each of these protocols in order to secure such environments.
Industrial license verification
Industrial licenses are now verified: the configuration of industrial protocols is suspended if the license is missing or if the firewall's maintenance has expired.
New graphical user interface
The SNS version 4.0.1 graphical interface has been fully reworked to improve user comfort. It is now easier to switch between configuration and monitoring modules.
New simplified dashboard
The dashboard has been simplified to provide a clearer view of the status of the firewall. A drill down mechanism enables access to detailed information if it is needed for analyses.
New network configuration panel
The network configuration panel has been simplified to streamline the configuration of interfaces.
New certificate management panel
The certificate management panel has been simplified to facilitate PKI configuration.
New log display panel
The log display panel has been simplified and offers logs in the form of views by specific themes.
New responsive captive portal
The captive portal now has a responsive design: its layout adapts to the screen size, so the portal can be used on smartphones and tablets.
Initial installation wizard removed
The initial installation wizard has been removed.
New health indicators
Two new health indicators are available: the first reports the CPU temperature, and the second warns when the administration password is too old or is still the default password.
Wi-Fi interface monitoring
Monitoring on Wi-Fi interfaces can now be viewed.
ARPING command
The ARPING command is now available to assist in network analyses.
Exporting an identity (containing the private key) or a certificate
You can now export identities (user, server or smart card certificates and the associated private key) or certificates only (user, server or smart card).
Update procedure in cluster mode optimized
The update procedure for clusters has been optimized to prevent update files from being downloaded twice.
Refreshing SSHD configuration
The configuration of the SSHD service has been reworked to ensure compliance with the latest security standards.
Telemetry service
A telemetry service is now available on SNS to collect anonymous statistics on the life cycle of SNS firewalls. These statistics are used to improve the quality and performance of future products. The indicators reported in this version are:
- Percentage of CPU use,
- Percentage of memory use,
- Volume of logs generated.
Disabled by default, this service can be enabled/disabled in the module Configuration > General configuration > Advanced properties tab.
Stability and performance
HA mechanisms reworked
High availability synchronization has been simplified to ensure higher stability and better performance.
Proxy mechanisms reworked
The sandboxing features in Breach Fighter have been extracted from the proxy service and now run in a separate service for higher stability.
Improved IPS performance
The IPS connection manager has been enhanced to improve performance.
Simplified DCERPC plugin
The DCERPC plugin has been modified to enable easier configuration.
Overall improved performance
The operating system on SNS firewalls has been upgraded to provide better performance.
Time limit on antivirus analysis (ClamAV)
A new ClamAV parameter makes it possible to cap the duration of an antivirus analysis. This acts as an additional layer of protection against zip bombs: if the analysis runs past the limit, which indicates that the file expands to an overwhelming amount of data, the analysis is stopped rather than allowed to consume the firewall's resources.
Set by default to 120 seconds, this parameter can only be modified through the command:
CONFIG ANTIVIRUS LIMITS MaxProcTime=<time>
For more information on the syntax of this command, please refer to the CLI SERVERD Commands Reference Guide.
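The following Python script is an added illustration of the principle behind MaxProcTime; it is not Stormshield code and says nothing about how ClamAV implements the limit internally. It walks a ZIP archive in fixed-size chunks and aborts as soon as a wall-clock budget is exceeded, which is what stops a zip bomb: a member that expands to gigabytes is abandoned one chunk past the budget instead of being decompressed to exhaustion. It also adds an expanded-size budget, a generalization of the same idea that is not described on this page. The archives are constructed inline from runs of zero bytes, which compress at roughly 1000:1 with DEFLATE, the property a zip bomb relies on.

```python
"""Bounded archive analysis: stop when a time or size budget is exceeded.

Added example, not Stormshield/ClamAV code. Budgets, names and the
constructed archives are assumptions made for this illustration.
"""
import io
import time
import zipfile

CHUNK = 64 * 1024  # bytes decompressed between budget checks


class AnalysisAborted(Exception):
    """Raised when a budget is exceeded; the file is treated as suspicious."""


def scan_zip(data, max_proc_time, max_expanded=256 * 1024 * 1024,
             clock=time.monotonic):
    """Decompress every member chunk by chunk, re-checking both budgets
    after each chunk. `max_proc_time` is in seconds, `max_expanded` in
    bytes. `clock` is injectable so the time limit can be tested without
    waiting; it returns seconds as a float.
    """
    start = clock()
    total = 0
    members = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            members += 1
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > max_expanded:
                        raise AnalysisAborted(
                            f"expanded size {total} exceeds {max_expanded} bytes")
                    elapsed = clock() - start
                    if elapsed > max_proc_time:
                        raise AnalysisAborted(
                            f"analysis exceeded {max_proc_time}s after {total} bytes")
    return {"members": members, "expanded_bytes": total,
            "seconds": clock() - start}


def make_archive(member_sizes):
    """Constructed sample archive: each member is `size` zero bytes.
    A few KiB of compressed input can expand to many MiB."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i, size in enumerate(member_sizes):
            zf.writestr(f"file{i}.bin", b"\0" * size)
    return buf.getvalue()


def verdict(data, max_proc_time, **budgets):
    """Return ("clean", stats) or ("aborted", reason)."""
    try:
        return ("clean", scan_zip(data, max_proc_time, **budgets))
    except AnalysisAborted as exc:
        return ("aborted", str(exc))


if __name__ == "__main__":
    # Two small members: completes well inside a 120 s budget.
    print(verdict(make_archive([1000, 2000]), 120))
    # One member expanding to 8 MiB against a 1 MiB size budget: aborted.
    print(verdict(make_archive([8 * 1024 * 1024]), 120,
                  max_expanded=1024 * 1024))
```

Whatever the budget, the decision is taken between chunks, so the worst case is one extra CHUNK of work past the limit; a scanner that only checked the budget per member would still expand the whole bomb.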
Hardware-based security for VPN secrets on compatible SN3100 models
From hardware revision A2 onwards, SN3100 firewalls are equipped with a trusted platform module (TPM) dedicated to securing VPN secrets. The TPM adds an extra level of protection for SN3100 appliances that act as VPN concentrators at sites that are not necessarily physically secure. The module is supported from SNS version 4.0.1 onwards and can be configured either in the web interface or from the command line.
SN6100 - Seventh and eighth 8x1G modules supported
From SNS version 4.0.1 onwards, up to eight 8x1G modules are supported on SN6100 appliances.