New features in SNS 4.2.4

System

Hardening the operating system

Verification of the integrity of executable files now extends to the userland section of the system.

Only shell scripts may still be run, and they must be invoked explicitly through the interpreter (e.g., sh script.sh rather than ./script.sh). For scripts launched by the event scheduler (eventd), the interpreter must be added to each task defined in the event scheduler's configuration file.

These scripts may only be run from the root partition (/). As firmware updates erase the contents of the "/" folder, these scripts must be copied back to "/" after each firmware update.

Note that, because of this file integrity verification mechanism, the system performance measurement tools may report slightly higher memory consumption values than earlier versions of SNS did. The use of nmemstat is no longer allowed.

Stealth mode

An SNS firewall in factory configuration is no longer in stealth mode by default, to make it easier to integrate the firewall into existing infrastructures.

However, this mode can still be enabled manually with the Stealth argument of the CLI/Serverd command CONFIG PROTOCOL IP COMMON IPS CONFIG:

CONFIG PROTOCOL IP COMMON IPS CONFIG Stealth=<On|Off>
CONFIG PROTOCOL IP ACTIVATE


Path MTU Discovery (PMTUD)

In configurations with an IPsec VPN, ICMP type 3 code 4 (fragmentation needed) messages are now fully handled across IPsec tunnels, following the addition of Path MTU Discovery (PMTUD) support.

PMTUD is disabled by default and can be managed with the CLI/Serverd command:

CONFIG IPSEC UPDATE slot=<1-10> PMTUD=<0|1|2>
CONFIG IPSEC ACTIVATE
CONFIG IPSEC RELOAD

These commands are explained in detail in the CLI SERVERD Commands Reference Guide.

NOTE
Stealth mode must be disabled for PMTUD to work through IPsec.
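What "handling ICMP 3/4 across a tunnel" involves, as an added example that is not Stormshield code: when a router on the path cannot forward the firewall's ESP packet, it returns an ICMP type 3 code 4 message quoting that ESP packet and the next-hop MTU (RFC 1191). The firewall must validate the message, map the quoted ESP packet back to the tunnel, and tell the inner host a smaller MTU that accounts for the tunnel overhead. The packet below is constructed inline, and the ESP overhead figures (AES-GCM with 8-byte IV, 16-byte ICV, 4-byte alignment) are assumptions used for the arithmetic, not values taken from the firewall.

```python
# Added example (not Stormshield code): parse an ICMP type 3 / code 4
# "fragmentation needed" message received for an outbound ESP packet and
# derive the MTU to advertise to the host inside the tunnel.
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum (constructed sample)."""
    flags_frag = 0x4000 if df else 0
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_frag_needed(next_hop_mtu: int, original_datagram: bytes) -> bytes:
    """ICMP Destination Unreachable, code 4 (RFC 1191): the second half of the
    'unused' field carries the next-hop MTU, followed by the original IP header
    plus the first 8 bytes of its payload."""
    quoted = original_datagram[:28]
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    return struct.pack("!BBHHH", 3, 4, inet_checksum(body), 0, next_hop_mtu) + quoted

def parse_frag_needed(msg: bytes) -> dict:
    """Return the next-hop MTU and the quoted original packet's addressing."""
    if len(msg) < 8 + 20:
        raise ValueError("ICMP message too short to carry a quoted IP header")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != 3 or code != 4:
        raise ValueError(f"not an ICMP 3/4 message: type={icmp_type} code={code}")
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if (quoted[0] >> 4) != 4 or ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted datagram is not a complete IPv4 header + 8 bytes")
    return {
        "checksum_ok": inet_checksum(msg) == 0,   # whole message must sum to zero
        "next_hop_mtu": mtu,
        "proto": quoted[9],
        "src": ".".join(str(b) for b in quoted[12:16]),
        "dst": ".".join(str(b) for b in quoted[16:20]),
        # for ESP (proto 50) the 8 quoted payload bytes are SPI + sequence number,
        # which is what lets the firewall find the tunnel the packet belonged to
        "spi": struct.unpack("!I", quoted[ihl:ihl + 4])[0] if quoted[9] == 50 else None,
    }

def advertised_inner_mtu(outer_mtu: int, *, outer_ip=20, esp_hdr=8, iv=8, icv=16, trailer=2, align=4) -> int:
    """Largest inner packet that still fits in outer_mtu once wrapped in tunnel-mode
    ESP. Overhead values are assumptions for AES-GCM; the ESP payload (inner packet
    + padding + 2-byte trailer) is padded up to a multiple of `align` bytes."""
    payload = outer_mtu - outer_ip - esp_hdr - iv - icv
    if payload <= trailer:
        raise ValueError("outer MTU too small for ESP")
    return (payload // align) * align - trailer

# Constructed sample: a router on the path could not forward our 1500-byte
# ESP packet (DF set) and reports a 1400-byte next-hop MTU.
ORIGINAL_ESP = build_ipv4_header("203.0.113.1", "198.51.100.2", 50, 1500) + struct.pack("!II", 0xC0FFEE01, 7)
SAMPLE_ICMP = build_frag_needed(1400, ORIGINAL_ESP)

if __name__ == "__main__":
    info = parse_frag_needed(SAMPLE_ICMP)
    print(info)
    print("advertise to inner host:", advertised_inner_mtu(info["next_hop_mtu"]))
```

The checksum check matters because an unauthenticated ICMP 3/4 from anywhere on the path can drive the advertised MTU down; validating the message and matching the quoted SPI against an existing SA is the minimum before acting on it.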

IPsec VPN - DR mode

Warnings are displayed in the Messages widget on the dashboard when the IPsec DR mode is enabled and one of the following conditions is met:

  • The proxy is used in a filter rule,
  • The NSRPC service is open to the outside,
  • The SSL VPN service is active,
  • The DNS cache service is active,
  • The DHCP service is active.

IPsec VPN - IKEv2

PseudoRandom Functions (PRFs) with the following values can now be selected:

This setting can only be configured from the command line, using the prf argument added to the CLI/Serverd command CONFIG IPSEC PROFILE PHASE1 PROPOSALS UPDATE (changes must then be applied with the command CONFIG IPSEC ACTIVATE).

These commands are explained in detail in the CLI SERVERD Commands Reference Guide.

NOTE
PRF_HMAC_SHA2_256 is mandatory in IPsec DR mode.
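What the PRF selected in a phase 1 proposal actually does, as an added example that is not Stormshield code: in IKEv2 the PRF is the function from which SKEYSEED and all IKE SA keys are derived through the prf+ construction (RFC 7296 sections 2.13 and 2.14). The block below implements prf+ and the SK_* derivation with PRF_HMAC_SHA2_256, the PRF imposed in DR mode; the nonces, SPIs and the stand-in for the Diffie-Hellman shared secret g^ir are constructed values, and the 36-byte AES-GCM key size (32-byte key plus 4-byte salt, RFC 4106 section 8.1) is the example's choice.

```python
# Added example (not Stormshield code): how the IKEv2 PRF chosen in a
# phase 1 proposal is used, following RFC 7296 sections 2.13 and 2.14.
import hashlib
import hmac

def prf_hmac_sha2_256(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256: HMAC-SHA-256 with a 32-byte output."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(prf, key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (RFC 7296 2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n), output T1|T2|..."""
    out = b""
    t = b""
    counter = 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ cannot produce more than 255 blocks")
        t = prf(key, t + seed + bytes([counter]))
        out += t
        counter += 1
    return out[:length]

def derive_ike_sa_keys(prf, prf_len, shared_secret, ni, nr, spi_i, spi_r, integ_len, enc_len) -> dict:
    """SKEYSEED and SK_* for the initial exchange (RFC 7296 2.14, no rekey).
    integ_len is 0 for combined-mode ciphers such as AES-GCM."""
    skeyseed = prf(ni + nr, shared_secret)
    layout = [("SK_d", prf_len), ("SK_ai", integ_len), ("SK_ar", integ_len),
              ("SK_ei", enc_len), ("SK_er", enc_len), ("SK_pi", prf_len), ("SK_pr", prf_len)]
    total = sum(n for _, n in layout)
    material = prf_plus(prf, skeyseed, ni + nr + spi_i + spi_r, total)
    keys, offset = {"SKEYSEED": skeyseed}, 0
    for name, n in layout:
        keys[name] = material[offset:offset + n]
        offset += n
    return keys

# Constructed inputs (not real traffic): nonces, SPIs and a placeholder
# standing in for the Diffie-Hellman shared secret g^ir.
NI = bytes(range(0x10, 0x30))
NR = bytes(range(0xA0, 0xC0))
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")
G_IR = hashlib.sha256(b"placeholder for g^ir").digest()

def example_keys() -> dict:
    # AES-256-GCM: 32-byte key + 4-byte salt per RFC 4106 8.1, no separate integrity keys.
    return derive_ike_sa_keys(prf_hmac_sha2_256, 32, G_IR, NI, NR, SPI_I, SPI_R,
                              integ_len=0, enc_len=36)

if __name__ == "__main__":
    for name, k in example_keys().items():
        print(f"{name:9s} {len(k):3d} bytes  {k.hex()[:16]}...")
```

Because every SK_* key is a slice of one prf+ output, both peers must agree on the PRF exactly; a proposal mismatch on prf shows up as a failed IKE_SA_INIT rather than as a weaker session.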

Active Update

Packages distributed by the Active Update module are now signed by a new Stormshield certification authority, which replaces the previous Netasq certification authority.

For customers that use internal mirror sites, the packages hosted on your own servers must be refreshed so that packages signed by the new certification authority are served. This operation is necessary for the Active Update module to continue updating its databases.

For Linux environments, a new version of the Active Update mirroring script (updater.sh) is available on MyStormshield (Downloads > Stormshield Network Security Tools). This version retrieves all packages signed by the new certification authority.


It is now possible to specify the firewall interface from which requests are sent to the automatic update servers, through the bindaddr argument added to the CLI/Serverd command CONFIG AUTOUPDATE SERVER. Changes to this parameter must then be applied with the command CONFIG AUTOUPDATE ACTIVATE.


Automatic checks for firmware updates

Automatic checks for the availability of firmware updates can be enabled or disabled with the CLI/Serverd command SYSTEM CHECKVERSION state=0|1. This mechanism is enabled by default.

Network management

Network configuration management on SNS firewalls has been optimized so that the firewall no longer restarts every time SMC deploys a network configuration. The firewall now tells SMC that a restart is required only when one is actually necessary.

Stormshield Management Center (SMC) agent

On SNS firewalls managed via SMC in version 3.0, if the link with the SMC server cannot be set up within 30 seconds after a deployment (this period can be configured in the administration console of the SMC server), the previous configuration will be restored.

On firewalls in high availability, it is now possible to choose whether the passive firewall restarts when network configuration changes applied to the active firewall are synchronized to it.

This option can only be configured with the CLI/Serverd command HA SYNC:

HA SYNC Ennetwork=0|1: with 0 (default behavior), the passive firewall does not restart; with 1, it restarts.


Synchronization of the object database with DNS servers

The automatic synchronization of the object database with DNS servers configured on the firewall can now be enabled/disabled and its frequency can be changed.

These settings can only be configured with the CLI/Serverd command CONFIG OBJECT SYNC:

  • CONFIG OBJECT SYNC STATE=<0|1> to disable/enable synchronization,
  • CONFIG OBJECT SYNC UPDATE period=<period> to set a synchronization frequency between 1 min and 1 day inclusive (e.g., period=6h5m4s).

These changes must then be applied with the command CONFIG OBJECT SYNC ACTIVATE.


Modifying logs enabled by default

Contrary to what was announced in the 4.2.1 release notes, on-disk storage of all log types is once again enabled by default.

Hardware

SN1100 firewall models are supported starting from version 4.2.4.

Web administration interface

Creating IPsec peers

When a new IPsec peer is created, the wizard now proposes IKE version 2 by default for that peer.