New features and enhancements in SNS 4.4.1

Granularity of QoS and routing by application for web services according to the SLA (SD-WAN)

In SNS version 4.4, you can identify the services associated with certain widely recognized web traffic and therefore differentiate Salesforce traffic from YouTube, Microsoft 365 or Zoom traffic, for example. Custom web services can also be created as necessary.
Granular SLA, QoS and routing by application policies can then be defined for each web service used in the organization, making it possible to guarantee optimal connectivity for high-priority web traffic.

Security policy adapted to real-time SaaS applications

The ability to identify web services also makes it possible to adapt the security policy to the various traffic streams identified, by disabling some unnecessary security analyses for such traffic. For example, there is no need to force the identified application traffic to pass through the proxy, allowing such traffic to move more quickly, while relieving the proxy for the benefit of other web traffic.

These web service objects and custom web services also make it possible to lift some restrictions relating to FQDN objects.

IEC61850 MMS protocol

The intrusion prevention engine now analyzes the IEC61850 MMS protocol in addition to the MMS protocol.

Jumbo frames supported on SN160(W), SN210(W) and SN310 firewall models

Jumbo frames are now supported on SN160(W), SN210(W) and SN310 firewall models starting from version SNS 4.4. This makes it possible, in particular, to correctly configure such firewalls when an ISP uses a Maximum Transmission Unit (MTU) slightly higher than 1500 bytes.

Even though the MTU can be set to a maximum of 9198 bytes on SN160(W) and SN210(W) firewalls, and 8996 bytes on SN310 firewalls, do note that, due to hardware limitations on these models, the checksums of packets larger than 1600 bytes are verified in software rather than by the network hardware. This may therefore affect the overall performance of these firewall models.
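As an added illustration of what software checksum verification involves (example code, not Stormshield's), the following Python script computes and verifies the RFC 1071 Internet checksum over a constructed IPv4 header, shows that a single corrupted byte is detected, and flags frames above the 1600-byte hardware limit quoted above. The header contents, addresses and helper names are assumptions made for this example; only the 1600-byte threshold comes from the release notes.

```python
"""
Added example (not Stormshield code): the ones'-complement Internet checksum
(RFC 1071) that a NIC normally verifies in hardware, done in software instead.
The 1600-byte figure is the hardware limit quoted in the release notes; the
header values below are constructed for the illustration.
"""
import struct

HW_CHECKSUM_LIMIT = 1600  # bytes; hardware offload limit quoted for SN160(W)/SN210(W)/SN310


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones'-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold carries back into 16 bits
    return (~total) & 0xFFFF


def build_ipv4_header(total_length: int, src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (no options) carrying a correct checksum."""
    ver_ihl, tos, ident, flags_frag, ttl, proto = 0x45, 0, 0x1234, 0x4000, 64, 6
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    # Checksum field (offset 10) is zero while the checksum is computed.
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_length, ident,
                      flags_frag, ttl, proto, 0, s, d)
    csum = inet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def header_is_valid(hdr: bytes) -> bool:
    """An intact header, checksum field included, sums to zero under RFC 1071."""
    return inet_checksum(hdr) == 0


def needs_software_checksum(frame_len: int) -> bool:
    """Frames above the hardware limit fall back to the (slower) software path."""
    return frame_len > HW_CHECKSUM_LIMIT


def corrupt_byte(hdr: bytes, offset: int) -> bytes:
    """Flip the low bit of one byte to simulate on-the-wire corruption."""
    return hdr[:offset] + bytes([hdr[offset] ^ 0x01]) + hdr[offset + 1:]


if __name__ == "__main__":
    hdr = build_ipv4_header(9000, "10.0.0.1", "10.0.0.2")  # a jumbo-sized datagram
    print("intact header valid:", header_is_valid(hdr))
    print("corrupted header valid:", header_is_valid(corrupt_byte(hdr, 12)))
    for size in (1500, 1600, 1601, 9000):
        print(f"{size}-byte frame uses software checksum:", needs_software_checksum(size))
```

The script only covers the IPv4 header checksum; TCP and UDP checksums follow the same RFC 1071 arithmetic over a pseudo-header plus payload, which is the larger cost on a 9000-byte frame once the hardware offload no longer applies.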

SSL VPN - Backup link

On a firewall that has two separate Internet links, a backup IP address can now be set for the SSL VPN server, on a different network from the one that contains the primary address. If the interface initially defined encounters a network issue, clients can continue using the SSL VPN service through the backup address. The information for the backup connection is automatically added to the configuration file of the SSL VPN client.
This backup IP address can only be configured through the CLI/Serverd commands:

CONFIG OPENVPN UPDATE serverPublicAddrSecondary=w.x.y.z
CONFIG OPENVPN ACTIVATE

The SSL VPN service can also be configured so that all SSL VPN sessions that have reached the maximum idle timeout configured will be automatically disconnected.

IPsec performance

Support reference 81691

The mechanism that optimizes the distribution of the IPsec service’s encryption and decryption operations has been modified. The changes improve its performance when encryption is applied with an incoming interface containing plaintext traffic and an outgoing interface containing encrypted traffic.

CPUs can now be statically assigned to processing packets from the IPsec service on the firewall. This configuration can only be modified with the following CLI/Serverd command:

CONFIG IPSEC CRYPTOLB UPDATE ifincoming=<interface> ifoutgoing=<interface> state=<0|1>

SNMPv3 - Secure communications

In SNS version 4.4, SHA2 has been added to the algorithms (previously SHA1 and MD5) that can be used to secure SNMPv3-based communications.

SNMP agent - Listening IP address on the service

It is now possible to specify the firewall interface on which the SNMP agent listens for requests. This can be done with the bindaddr argument of the CLI/Serverd command:

CONFIG SNMP SYSTEM BindAddr=<host>

Prohibiting a downgrade to an earlier firmware version

On firewalls in version 4.4, downgrades to an earlier firmware version can be prohibited. This makes it possible, for example, to prevent a fixed vulnerability from being reintroduced.

This function can be enabled exclusively through the CLI/Serverd command:

SYSTEM UPDATE DOWNGRADE off

Do note that downgrades to an earlier firmware version are allowed by default.

Telemetry

On firewalls in SNS version 4.4, telemetry now includes, in addition to the existing indicators (percentage of CPU used, percentage of memory used and volume of logs generated), data on proxy usage: the number of connections by protocol and the number of simultaneous connections through the proxy.

By sending such data, which is completely anonymous, you will be helping Stormshield to refine the parameters of the proxy’s performance for future SNS versions.