New features and enhancements in version 4.5.1
SNS version 4.5 is only compatible with the SSL VPN client in version 3.1 or OpenVPN client 2.5 (or higher).
The SSL VPN client (or OpenVPN client) must be updated on client workstations before the firewall is updated to SNS version 4.5.
Two-factor authentication (2FA)
In SNS version 4.5, the authentication processes managed by the firewall can be made more secure through a new 2FA method in which time-based one-time passwords (TOTP) can be used.
This additional step to protect access is built into the firewall and does not require any third-party TOTP solution. Users who authenticate with an SNS TOTP only need to use an application on their smartphones or in their browsers to generate TOTPs.
The advantage of this method is that it can be enabled for all types of authentication: captive portal, SSL VPN tunnel, web administration interface, console or SSH connections and IPsec/Xauth VPN tunnels.
Do note that since this 2FA method is built into each firewall, users must use as many TOTPs as the number of firewalls to which they must connect.
Dynamic multicast routing
This is an early-access feature and not intended for use on firewalls in a production environment.
Please refer to the section on Limitations and explanations on usage before enabling this feature.
SNS 4.5 versions support dynamic multicast routing over IGMPv2 and v3, and PIMv2.
Dynamic multicast routing can be configured in Configuration > Network > Multicast routing or by using CLI/Serverd CONFIG MULTICASTROUTING commands.
Dynamic multicast routing and static multicast routing cannot be enabled at the same time.
S7 Plus protocol
In SNS version 4.5, the S7 Plus industrial protocol (intellectual property of Siemens) can now be analyzed.
The protocol analysis engine now makes it possible to differentiate read and write operations for the OPC-DA protocol. This guarantees that OPC-DA traffic passing through the firewall will be more thoroughly monitored.
IEC 60870-5-104 protocol
Support reference 82460
A new alarm "IEC 60870-5-104: Invalid TESTFR act message with connection context" (iec104:756) was created to allow IEC 60870-5-104 TESTFR act packets to pass through (stateful inspection of packets) while leaving the IEC 60870-5-104 protocol analysis enabled.
Description of network interfaces
Support reference 81461
Descriptions (optional) added to network interfaces from the web administration interface are now stored in key=value format in the network interface configuration file. These descriptions can then be retrieved when the program is restored via USB key.
Automatic disconnection of expired SSL VPN sessions
A maximum idle timeout can now be set on the SSL VPN service, after which inactive SSL VPN sessions will be automatically disconnected.
This option can only be configured through the CLI/Serverd command:
CONFIG OPENVPN UPDATE Inactive=x (seconds)
HTTPS block pages
The pages that make it possible to block HTTPS traffic not allowed by SSL filtering have been modified. The template for these pages can be completely customized.
The telemetry service in SNS version 4.5 now reports new data:
- Number of objects by type,
- Number of filter and NAT rules,
- Number of IPS alerts,
- Number of IPS signatures used.
By sending such data, which is completely anonymous, you will be helping Stormshield to refine the dimensions and restrictions on future hardware platforms and SNS versions.
IPsec encryption profiles
Diffie-Hellman groups DH31 and DH32 are now available in IPsec encryption profiles. Do note that these profiles cannot be selected if the firewall is in ANSSI Diffusion Restreinte mode.
IPsec VPN logs
Support reference 82931
In the log line "Installing IPSEC SA failed", SPI in and SPI out values are now included to facilitate the analysis of the issue encountered.
Alert when NVM utilities are updated for Intel network cards
Event 152 "Network card software" makes it possible to inform the administrator of automatic updates or failures while updating NVM utilities that manage firmware versions of Intel network cards.