Points to note for updates from a 4.3 LTSB version
IMPORTANT
If you intend to update a firewall from a 4.3 LTSB version to version 4.8 LTSB, we encourage you to read this section carefully.
NOTE
The exhaustive list of new automatic behavior relating to the update of your SNS firewall to version 4.8 LTSB from the latest 4.3 LTSB version available can be found in New firewall behavior in these release notes.
Update path from version 4.3 LTSB
We strongly recommend that, if necessary, you first update your firewall to SNS 4.3.24 LTSB before updating to SNS 4.8 LTSB.
An exhaustive list of behavioral changes in SNS 4.8 LTSB can be found in the New firewall behavior section of these Release Notes.
Original version | Intermediate updates required |
---|---|
4.3.23 LTSB or lower | Version 4.3.24 LTSB is recommended, as the firewall's backup partition would become unusable following a direct update to the new version. |
4.3.24 LTSB or higher | None |
BIRD dynamic routing
Version 1 of the BIRD dynamic routing engine is now considered obsolete and will be removed in a future SNS release. Version 2 of the BIRD dynamic routing engine is available in SNS 4.8 LTSB, and we strongly advise you to migrate BIRD v1 configurations to BIRD v2.
When updating a configuration using BIRD v1 to SNS 4.8 LTSB, the initial configuration is retained, and it is necessary to manually migrate the configuration from BIRD v1 to BIRD v2.
If your SNS firewalls are managed by an SMC server, it is not possible to manage the dynamic routing of your SNS 4.8 LTSB firewalls from an SMC version lower than 3.6.
Firewalls equipped with a TPM
After upgrading to SNS 4.8 LTSB, the secrets stored in the TPM need to be sealed with the new system specifications using the CLI / Serverd command:
SYSTEM TPM PCRSEAL tpmpassword=<TPMpassword>
Note that in the case of a cluster, this action must be performed for both cluster members from the active firewall, adding the "serial=passive" parameter to seal passive firewall secrets from the active firewall.
For more information on the TPM module, please refer to the Trusted Platform Module section of the SNS user manual, as well as the Technical Note on Configuring the TPM and protecting private keys in SNS firewall certificates.
For firewalls supporting Secure Boot in UEFI (models SN-XS-Series-170, SN-S-Series-220, SN-S-Series-320, SN-M-Series-520, SN-M-Series-720, SN-M-Series-920, SN1100, SN3100, SN-L-Series-2200, SN-L-Series-3200, SN-XL-Series-5200, SN-XL-Series-6200, SNi10, SNi20, SNxr1200), we strongly recommend that you activate Secure Boot before resealing your secrets.
For more information on the impact of enabling Secure Boot, please refer to the Technical Note Managing Secure Boot in SNS firewalls' UEFI.
Removal of OSCAR, MSN, YMSG and eDonkey protocol analysis
As the OSCAR, MSN, YMSG and eDonkey protocols are obsolete, the intrusion prevention engine no longer supports their analysis. When a configuration containing a filtering rule relating to one of these protocols is updated to SNS 4.8 LTSB, the rule is ignored and a warning message is displayed within the filtering policy concerned.
SSL VPN
As SNS 4.8 LTSB adds the data-cipher option to the SSL VPN client configuration file, SSL VPN v2 clients are no longer compatible with SNS 4.8 LTSB.
Compression is now disabled by default. It is possible to view and change the compression status (enabled or disabled) from the CLI console. We strongly advise against re-enabling compression, as this feature will no longer be supported in a later version of SNS.
Reputation categories
The reputation categories Exchange Online, Microsoft Authentication, Office 365, Office Online, SharePoint Online and Skype for business, present in previous versions, have not been available since version SNS 4.4.1. Once a configuration using one of these categories has been updated to SNS 4.8 LTSB, the filtering rules using these categories become inoperative until they are replaced by the Web services introduced in SNS 4.4.1.
Features and algorithms obsolete in SNS 4.8 LTSB version
The features and algorithms listed below have become obsolete in version SNS 4.8 LTSB and will be removed in a future SNS firmware version.
Network Vulnerability Manager (SNVM)
The SNVM module is obsolete. It will be supported for the lifetime of SNS 4.8 LTSB. For more information on the end-of-life date of the SNVM module, please refer to the Services section of the Product Lifecycle.
URL / SSL filtering
The embedded URL database is obsolete. To continue using URL / SSL filtering, you can subscribe to the Extended Web Control option.
PPTP server VPN
PPTP server functionality is obsolete.
SCEP protocol (certificate registration)
The hash algorithms md2, mdc-2, md4, md5, rmd160, and the encryption algorithm des-ede3-cbc are obsolete.
SNMP v3 agent
The MD5 authentication algorithm and the DES and SHA1 encryption algorithms used by the SNMPv3 Agent are obsolete.
Internal LDAP directory
The MD5, SMD5, SHA, SSHA, SHA256, SHA384 and SHA512 password hashing algorithms used by the internal LDAP directory are obsolete.
SSL VPN Portal
SSL VPN Portal functionality is obsolete.