New features and enhancements in SNS 4.6.10

IPsec VPN - Diffusion Restreinte (DR) mode

On firewalls configured in DR mode, the encapsulation of ESP traffic in UDP can now be enabled or disabled for each individual peer. So that the firewall keeps operating in DR mode across its update to SNS version 4.6.10 and higher, encapsulation is enabled by default.

IPsec VPN Diffusion Restreinte (DR) mode - Generating Certificate Request Payloads

For the generation of certificate request payloads, ANSSI's IPsec DR guidelines recommend using SHA2 as the hash algorithm instead of SHA1 (used previously).

SNS versions 4.6 (from 4.6.10 onwards), 4.3 LTSB (from version 4.3.21 LTSB onwards) and SNS versions 4.7 and higher comply with this recommendation.

If IPsec DR mode is enabled on an SNS firewall in version 4.6.10, VPN tunnels can only be negotiated with peers that comply with this recommendation.

As such, in order for the negotiation of VPN tunnels in IPsec DR mode to continue functioning after the SNS firewall is updated to version 4.6.10, ensure that all IPsec DR-compatible peers in your architecture comply with this recommendation:

  • SNS firewalls must all be updated to a version that complies with this recommendation,
  • For firewalls from other vendors, contact them before any updates for more information,
  • For Stormshield VPN Exclusive clients, ensure that every VPN client is in version 7.4.018 or higher and configure any additional parameters on them. For more information, refer to the technical note IPsec VPN - Diffusion Restreinte mode,
  • For all other VPN clients, get in touch with the relevant software vendor for more information before applying any updates.

Sandboxing

The classification of files without extensions and specific MIME types has changed. Such files are no longer systematically analyzed to optimize sandboxing on all other file types.

Server certificate retrieval mechanism

Support reference 84671

The maximum waiting time for a response to a server certificate retrieval request has been reduced, and can now be configured on each SSL protocol inspection profile. The value of the waiting time can be anywhere between 1 and 10 seconds, and is set to 2 seconds by default.

Note that this setting can only be changed and enabled with the following CLI/serverd commands:

CONFIG PROTOCOL SSL PROFILE IPS CONFIG TLSServerCertTimeout=[1-10] index=[0-9]

CONFIG PROTOCOL SSL ACTIVATE

More information on the CONFIG PROTOCOL SSL IPS CONFIG command.