New features and enhancements in SNS 4.7.1 EA

Extended Web Control (EWC) URL classification

The Extended Web Control URL classification now uses the Bitdefender URL database.

To set up a URL/SSL filter policy, you are advised to operate in blacklist mode, i.e., explicitly place the URL categories to be prohibited in URL/SSL filter rule groups with a block action. These rules must then be placed above the rule that allows all the other categories.

When updating to SNS version 4.7.1 or higher a firewall that uses a whitelist URL/SSL filter policy (filter rules explicitly allow some categories and are placed above the rule that blocks all other categories), we strongly recommend adding a rule that allows the URL categories misc (miscellaneous), unknown, computersandsoftware (software download websites) and hosting (website hosting), to avoid affecting the user experience. This rule must be placed above the rule that blocks all the other categories.

For more information on the migration of URL/SSL filter policies when the firewall is updated to SNS version 4.7 or higher, please refer to the Technical Note Migrating a security policy to the new EWC URL database.
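The ordering rules above come down to first-match evaluation: the first rule whose category set matches the request decides the action. The following script is an added illustration, not Stormshield code, of why a whitelist policy needs the extra allow rule after the move to the new category database. The `Rule` type, the `ANY` wildcard and the category names `malware`, `phishing`, `business` and `news` are assumptions made for this script; `misc`, `unknown`, `computersandsoftware` and `hosting` are the EWC names quoted in the notes.

```python
"""First-match evaluation of URL/SSL filter rule groups.

Added example, not Stormshield code: it models only the ordering logic
described in the release notes (first matching rule wins). The Rule type,
the ANY wildcard and the category names other than misc/unknown/
computersandsoftware/hosting are assumptions made for this script.
"""
from dataclasses import dataclass

ANY = "ANY"  # assumed wildcard matching every category


@dataclass(frozen=True)
class Rule:
    categories: frozenset   # URL categories the rule matches, or {ANY}
    action: str             # "block" or "pass"


def evaluate(rules, category):
    """Return the action of the first rule matching `category`; None if nothing matches."""
    for rule in rules:
        if ANY in rule.categories or category in rule.categories:
            return rule.action
    return None


# Blacklist mode, the recommended layout: explicit blocks first, then allow everything.
BLACKLIST_POLICY = [
    Rule(frozenset({"malware", "phishing"}), "block"),  # hypothetical category names
    Rule(frozenset({ANY}), "pass"),
]

# Whitelist mode as found on a firewall before the update: explicit allows, then block all.
WHITELIST_POLICY_OLD = [
    Rule(frozenset({"business", "news"}), "pass"),      # hypothetical category names
    Rule(frozenset({ANY}), "block"),
]

# The allow rule the notes recommend inserting above the final block-all rule.
MIGRATION_ALLOW = Rule(
    frozenset({"misc", "unknown", "computersandsoftware", "hosting"}), "pass"
)


def migrate_whitelist(rules):
    """Insert the recommended allow rule just above the trailing block-all rule."""
    last = rules[-1]
    if ANY not in last.categories or last.action != "block":
        raise ValueError("policy does not end with a block-all rule; not a whitelist policy")
    return rules[:-1] + [MIGRATION_ALLOW, last]


def affected_categories(rules, categories):
    """Categories from `categories` that the policy blocks (a proxy for user impact)."""
    return [c for c in categories if evaluate(rules, c) == "block"]


# Constructed sample of categories a request could fall into after the database change.
NEW_DB_CATEGORIES = ["misc", "unknown", "computersandsoftware", "hosting", "business"]

if __name__ == "__main__":
    print("blacklist blocks:        ", affected_categories(BLACKLIST_POLICY, NEW_DB_CATEGORIES))
    print("old whitelist blocks:    ", affected_categories(WHITELIST_POLICY_OLD, NEW_DB_CATEGORIES))
    migrated = migrate_whitelist(WHITELIST_POLICY_OLD)
    print("migrated whitelist blocks:", affected_categories(migrated, NEW_DB_CATEGORIES))
```

Run as-is, the blacklist policy blocks none of the four categories, the old whitelist policy blocks all four, and the migrated whitelist policy blocks none of them: the recommended rule only matters because the block-all rule sits last and would otherwise catch every category the explicit allow rules do not name.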

IPsec DR mode - Generation of certificate request payloads

When generating certificate request payloads, ANSSI's IPsec DR guidelines recommend using SHA2 as the hash algorithm instead of SHA1.

SNS versions 4.7 and higher, and SNS 4.3 LTSB versions from 4.3.21 LTSB onwards, comply with this recommendation.

If IPsec DR mode is enabled on an SNS firewall in version 4.7, VPN tunnels can only be negotiated with peers that comply with this recommendation.

As such, in order for the negotiation of VPN tunnels in IPsec DR mode to continue functioning after the SNS firewall is updated to version 4.7, ensure that all IPsec DR-compatible peers in your architecture comply with this recommendation:

  • SNS firewalls must all be updated to a version that complies with this recommendation,
  • For firewalls from other vendors, contact them before any updates for more information,
  • For Stormshield VPN Exclusive clients, ensure that every VPN client is in version 7.4.018 or higher and configure any additional parameters on them. For more information, refer to the Technical note IPsec VPN - Diffusion Restreinte mode,
  • For all other VPN clients, get in touch with the relevant software vendor for more information before applying any updates.
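Before updating, the four checks above can be run over an inventory of peers. The script below is an added example, not Stormshield tooling: it encodes only the version conditions quoted in these notes (SNS 4.7 and higher, SNS 4.3 LTSB from 4.3.21, SN VPN Exclusive 7.4.018 and higher) and marks every other peer type as one to ask the vendor about. The `Peer` record, the inventory entries and the verdict labels are constructed for this script; SNS branches the notes do not mention are treated as needing an update.

```python
"""Pre-update readiness check for IPsec DR peers.

Added example, not Stormshield tooling. Compliance conditions are the ones
quoted in the release notes; the Peer record and the inventory below are
constructed. SNS versions outside the two branches named in the notes
(4.7+ and 4.3.21 LTSB+) are reported as needing an update.
"""
from typing import NamedTuple


class Peer(NamedTuple):
    name: str
    kind: str      # "sns", "vpn-exclusive" or "other"
    version: str   # dotted version string, e.g. "4.3.21" or "7.4.018"


def parse_version(text):
    """'7.4.018' -> (7, 4, 18); a non-numeric component raises ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def sns_sha2_certreq(version):
    """True if this SNS version emits SHA2 certificate request payloads (per the notes)."""
    v = parse_version(version)
    if v[:2] == (4, 3):            # 4.3 LTSB branch: compliant from 4.3.21 onwards
        return v >= (4, 3, 21)
    return v >= (4, 7)             # main branch: 4.7 and higher


def vpn_exclusive_ok(version):
    """True if an SN VPN Exclusive client meets the 7.4.018 minimum."""
    return parse_version(version) >= (7, 4, 18)


def classify(peer):
    """Return 'ok', 'update' or 'ask-vendor' for one peer."""
    if peer.kind == "sns":
        return "ok" if sns_sha2_certreq(peer.version) else "update"
    if peer.kind == "vpn-exclusive":
        return "ok" if vpn_exclusive_ok(peer.version) else "update"
    return "ask-vendor"           # third-party firewalls and other VPN clients


def dr_readiness(peers):
    """Group peer names by verdict; DR tunnels keep negotiating only if nothing is 'update'."""
    report = {"ok": [], "update": [], "ask-vendor": []}
    for peer in peers:
        report[classify(peer)].append(peer.name)
    return report


# Constructed inventory
INVENTORY = [
    Peer("hq-fw", "sns", "4.7.1"),
    Peer("branch-fw", "sns", "4.3.19"),
    Peer("dc-fw", "sns", "4.3.22"),
    Peer("laptop-01", "vpn-exclusive", "7.4.018"),
    Peer("laptop-02", "vpn-exclusive", "7.3.002"),
    Peer("partner-gw", "other", "n/a"),
]

if __name__ == "__main__":
    for verdict, names in dr_readiness(INVENTORY).items():
        print(f"{verdict:11s} {', '.join(names) or '-'}")
```

Versions are compared as integer tuples rather than strings so that `7.4.018` and `7.4.18` are the same release and `4.3.21` sorts after `4.3.9`.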

TS agent authentication method (Citrix/RDS authentication)

SNS version 4.7 introduces a multi-user transparent authentication method for virtual desktop infrastructures (VDI) – the TS agent method.
This method relies on exchanges between the SNS firewall and one or several SN TS agents deployed directly on VDI servers (Citrix Virtual Apps and Desktops or Microsoft Remote Desktop Services).

Each SNS firewall can manage up to 100 TS agents.

For more information, refer to the Technical note SN TS Agent - Installation and deployment.

SSL VPN - Enhanced performance

In SNS version 4.7, a higher number of SSL VPN tunnels can be set up simultaneously on some firewall models. The throughput passing through each SSL VPN tunnel has also been increased.

Number of simultaneous SSL VPN connections in UDP

Model              Earlier than SNS v4.7   SNS v4.7
SN510              100                     100
SN710              150                     150
SN-M-Series-720    300                     300
SN910              150                     500
SN-M-Series-920    500                     500
SN1100             500                     800
SN2100             400                     1000
SN3100             500                     1000
SN6100             500                     1000

IPsec VPN - Obsolete Diffie-Hellman methods

As some Diffie-Hellman methods are now obsolete (and indicated as such in the Encryption profiles tab in the IPsec VPN module), administrators are advised to change their IPsec VPN configurations if they use these methods.

These methods are:

  • DH1 MODP Group (768-bits),
  • DH2 MODP Group (1024-bits),
  • DH5 MODP Group (1536-bits),
  • DH25 NIST Elliptic Curve Group (192-bits),
  • DH26 NIST Elliptic Curve Group (224-bits),
  • DH27 Brainpool Elliptic Curve Group (224-bits).

Offline Active Update

SNS version 4.7 introduces the possibility of updating various security databases from the web administration interface by using a single update pack downloaded from the MyStormshield client area.

The date on which security databases were last updated offline or online via Active Update will now be shown in the Active Update widget in the System monitoring module. A warning message will also indicate when the last update of a database was too long ago.

For more information, see Offline Active Update.

"Compromised URLs" web category

A "Compromised URLs" category has been added to the URL filtering and SSL filtering modules so that malicious URLs can be blocked when URL/SSL filtering is used in filter rules.
This category, which Stormshield's security teams continuously update to provide you with increased security, can be retrieved via Active Update (offline/online).

Logs - Additional information on blocked IP addresses or domains

When communications with a malicious IP address or domain are blocked, logs will now provide a direct link to additional information hosted on the Stormshield Security portal.

TPM - Protection of all private keys enabled

As of SNS version 4.7, all private keys of certificates on TPM-equipped firewalls can be secured with the TPM. Previously, this feature was limited to certificates used for authentication in an IPsec VPN.

This protection method can now also apply to certificates used particularly in the following cases:

  • SSL/TLS decryption,
  • Communications between SNS firewalls and SMC servers,
  • Sending of logs to a syslog server,
  • SSL VPN,
  • Internal LDAP.

For more information, see Protecting private keys with the TPM.

NOTE
Following the update of a firewall to version SNS 4.7.1, even when the TPM was already initialized and certificates were already protected, a message in the dashboard could wrongly indicate that the TPM was not initialized or that automatic updates were not password-protected.
To work around this issue, ensure that you protect any certificates used in the firewall configuration that have not yet been TPM-protected. To do so, use the CLI/Serverd command "MONITOR CERT" to display the certificates in question, then protect them in Configuration > Objects > Certificates and PKI.

Static routing

The blackhole keyword can now be selected as a:

  • Gateway when defining a static route,
  • Default gateway of the firewall.

For more information, see Using the blackhole keyword.

Increased security

SSL VPN

Support reference 84357

LZ4 compression is no longer enabled in the default SSL VPN configuration. This change does not affect existing configurations.

Integration

Quality of Service (QoS)

As of SNS version 4.7, QoS is supported on PPPoE and PPTP interfaces.

Automatic backups

The network interface used for connecting to automatic backup servers can now be selected (custom servers and Stormshield Cloud backup servers).

Amazon Web Services cloud

As of SNS version 4.7, Stormshield Elastic Virtual Appliance (EVA) instances deployed in the Amazon Web Services cloud can use Elastic Network Adapter (ENA) interfaces.

User experience

Mobile IPsec VPN policy in config mode

Network groups can now be selected as the local network when creating or editing a mobile IPsec policy in config mode.
Note that if the Stormshield IPsec VPN client or TheGreenBow VPN client is used, the group cannot contain more than 8 networks/routes.

Application protection

It is now possible to search for IPS protections by their IDs.

Health indicators - NTP servers

An NTP server health indicator has been added to the Dashboard and in the System monitoring module.

This indicator makes it possible to:

  • Highlight a failure or an abnormal response of an NTP server configured on the firewall,
  • Report the absence of an NTP configuration when a service enabled on the firewall requires particular attention with regard to time synchronization in order to run properly (e.g., TOTP authentication).

Scheduled reloading of filter rules

Support reference 81691

The scheduled reloading of filter rules (the enfilter -u command run every day at midnight) can now be disabled by assigning the value 0 to the DailyRefresh configuration token in the [Global] section of the configuration file ConfigFiles/Filter/filter.
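The following script is an added example, not Stormshield code, showing how to read and change that token without disturbing the rest of the file. It assumes the file is INI-style ([Section] headers followed by Key=Value lines, which is how the notes describe the [Global] section) and that a missing DailyRefresh token means the nightly reload stays enabled; both are assumptions, and the sample file contents are constructed.

```python
"""Read or change the DailyRefresh token of ConfigFiles/Filter/filter.

Added example, not Stormshield code. Assumptions: the file is INI-style
([Section] headers, Key=Value lines) and an absent DailyRefresh token means
the daily reload is still enabled. The sample contents are constructed.
"""
import configparser

# Constructed sample of the [Global] section; real files carry more tokens.
SAMPLE_FILTER_CONFIG = """\
[Global]
SomeOtherToken=1
DailyRefresh=1
"""


def daily_refresh_enabled(text):
    """True unless [Global] carries DailyRefresh=0 (absent token = enabled, by assumption)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                     # keep token names case-sensitive
    cp.read_string(text)
    if not cp.has_section("Global"):
        return True
    return cp.get("Global", "DailyRefresh", fallback="1").strip() != "0"


def set_daily_refresh(text, enabled):
    """Return the file text with DailyRefresh set in [Global], leaving every other line untouched.

    Line-based on purpose: rewriting through configparser would drop comments and
    reorder tokens, which is undesirable for a file the firewall also edits.
    """
    value = "1" if enabled else "0"
    out, in_global, done = [], False, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_global and not done:       # leaving [Global] without having seen the token
                out.append(f"DailyRefresh={value}")
                done = True
            in_global = stripped == "[Global]"
        elif in_global and stripped.split("=", 1)[0].strip() == "DailyRefresh":
            line = f"DailyRefresh={value}"
            done = True
        out.append(line)
    if not done:                             # token never seen: append it to [Global]
        if not in_global:
            out.append("[Global]")
        out.append(f"DailyRefresh={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("enabled before:", daily_refresh_enabled(SAMPLE_FILTER_CONFIG))
    disabled = set_daily_refresh(SAMPLE_FILTER_CONFIG, False)
    print(disabled, end="")
    print("enabled after: ", daily_refresh_enabled(disabled))
```

To apply it on a firewall you would read the file, pass its text through `set_daily_refresh(text, False)` and write the result back; the script deliberately does not touch the filesystem itself.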

SD-WAN

The mechanism that manages gateway priorities has been optimized to prevent the default route from being reloaded unnecessarily when gateways have close priority scores.

When a gateway exceeds an SLA threshold, an entry will be systematically generated in the system log file.

SD-WAN monitoring

For a selected gateway, a "Real time chart" tab makes it possible to display the following charts:

  • The gateway’s latency measured over the last 10 minutes,
  • The status of the gateway over the same period.

High availability

Unicast synchronization

A unicast synchronization can now be set between members of a cluster during the creation of the cluster. This option is required in order to deploy high availability in cloud infrastructures that do not support the multicast protocol.

MAC address synchronization

It is now possible to choose whether MAC address synchronization must be forced when a cluster switches (High availability > Advanced configuration > Force MAC address synchronization option).

For elastic virtual appliances (EVA) deployed in versions 4.7 and higher and in a high availability configuration, this synchronization is now disabled by default. For physical firewalls in factory configuration, this synchronization remains enabled by default.

This option may need to be disabled in configurations that use link aggregation (LACP), for example.

For more information, see High availability.