New firewall behavior

This section lists the changes made to the automatic behavior of the firewall when your SNS firewall in version 4.7.5 is updated from the latest 4.3 LTSB version available.

If necessary, we also encourage you to read about the New firewall behavior in SNS version 4.3 introduced since the last available 3.7.x LTSB version.

Changes introduced in version 4.7.5

  • SNMP agent - The value returned by the OID 1.3.6.1.2.1.1.7 is now 76, corresponding to a device that provides services on OSI layers 3, 4 and 7. Previously, the value returned was 72.
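To see what the two values mean, here is an added example (not code from the Stormshield release notes) that decodes the sysServices value of OID 1.3.6.1.2.1.1.7. RFC 1213 defines the value as the sum of 2^(L-1) over every OSI layer L on which the device provides services, so 72 and 76 are 7-bit masks that a monitoring check can decode before and after the update to confirm which layers the firewall now advertises.

```python
# Added example (not from the Stormshield release notes): decoding the SNMP
# sysServices value (OID 1.3.6.1.2.1.1.7). RFC 1213 defines it as the sum of
# 2^(L-1) over every OSI layer L on which the device provides services, so the
# value is a 7-bit mask.


def decode_sys_services(value):
    """Return the sorted list of OSI layers (1..7) encoded in a sysServices value."""
    if not 0 <= value <= 127:
        raise ValueError("sysServices is a 7-bit value in the range 0..127")
    return [layer for layer in range(1, 8) if value & (1 << (layer - 1))]


def encode_sys_services(layers):
    """Inverse of decode_sys_services: build the value from a collection of layers."""
    value = 0
    for layer in set(layers):
        if not 1 <= layer <= 7:
            raise ValueError("OSI layers are numbered 1..7")
        value |= 1 << (layer - 1)
    return value


def sys_services_diff(before, after):
    """Describe which layers were added or removed between two sysServices values.

    Useful in a post-update check: the release notes state the value moves from
    72 to 76, which this function reports as layer 3 (network) being added.
    """
    old = set(decode_sys_services(before))
    new = set(decode_sys_services(after))
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    print("72 ->", decode_sys_services(72))    # [4, 7]
    print("76 ->", decode_sys_services(76))    # [3, 4, 7]
    print("diff:", sys_services_diff(72, 76))  # {'added': [3], 'removed': []}
```

Running the script shows that 72 encodes layers 4 and 7 (transport and application) and 76 adds layer 3 (network), which matches the description above; a monitoring rule that alerts on a changed sysServices value after the update can use the diff to confirm that only layer 3 was added.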

Changes introduced in version 4.7.3

  • SN1100 - The maximum number of IPsec tunnels that SN1100 firewalls accepted was too high. It has been reduced to match the announced specifications.

Changes introduced in version 4.7.2 EA

  • Routing - Loopback objects that are used as default gateways are automatically replaced with the blackhole object when the firewall is updated to SNS version 4.7.2 EA or higher.
  • Oscar and Gnutella - Protocols Oscar and Gnutella are now considered obsolete. These protocol scans are automatically disabled when the firewall is updated to SNS version 4.7.2 EA.

Changes introduced in version 4.7.1 EA

  • IPsec DR - ANSSI's IPsec DR guidelines recommend using SHA2 (previously SHA1) as the algorithm when generating certificate request payloads. SNS in versions 4.7 and up complies with this recommendation.
    If IPsec DR mode is enabled on an SNS firewall in version 4.7, VPN tunnels can only be negotiated with peers that comply with this recommendation.
  • VPN Exclusive client (with DR mode) - The VPN Exclusive client in version 7.4 or higher must be used to set up IPsec tunnels in DR mode with firewalls in SNS versions 4.7 and higher.

  • Firewalls equipped with a TPM - After an update to SNS version 4.7, secrets stored in the TPM must be sealed with the new technical characteristics of the system, by using the CLI/Serverd command:

    SYSTEM TPM PCRSEAL tpmpassword=<TPMpassword>

    Do note that in clusters, this action must be applied to both members from the active firewall (by adding the parameter "serial=passive" from the active firewall to seal the secrets of the passive firewall).

    For more information on the TPM, refer to the section Trusted Platform Module in the SNS user guide.

  • Extended Web Control (EWC) URL classification - The Bitdefender URL database is now the database used.

    To set up a URL/SSL filter policy, you are advised to operate in blacklist mode, i.e., explicitly place the URL categories to be prohibited in URL/SSL filter rules with a block action. These rules must then be placed above the rule that allows all the other categories.

    When a firewall that uses a whitelist URL/SSL filter policy (filter rules explicitly allow some categories and are placed above the rule that blocks all other categories) is updated to SNS version 4.7.1 or higher, we strongly recommend adding a rule that allows the URL categories misc (miscellaneous), unknown, computersandsoftware (software download websites) and hosting (website hosting), so that the user experience is not affected. This rule must be placed above the rule that blocks all the other categories.

    For more information on the migration of URL/SSL filter policies when the firewall is updated to SNS version 4.7 or higher, please refer to the Technical Note Migrating a security policy to the new EWC URL database.

    IMPORTANT
    URL/SSL filter policies that were modified after the firewall was updated to SNS version 4.7.1 must be thoroughly checked.

  • Resetting to factory configuration - Resetting a firewall to its factory configuration (defaultconfig) now deletes by default all custom configuration files added by the administrator. If you do not wish to delete them, use the command defaultconfig -T.
  • Synchronizing MAC addresses (HA) - On elastic virtual appliances (EVA) deployed in versions 4.7 and higher and in a high availability (HA) configuration, the synchronization of MAC addresses during a cluster switch is now disabled by default.
  • Hardening of the system - Because the system has been hardened in SNS version 4.7, the backup partition becomes unusable on firewalls in SNS version 4.3.23 LTSB or lower that are updated directly to SNS version 4.7. You are advised to update your firewall to SNS version 4.3.24 LTSB or a higher version before updating to SNS version 4.7.
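The Extended Web Control item above explains why a whitelist-mode URL/SSL filter policy needs an extra allow rule after the migration to the new URL database. The following added example (not Stormshield code) models a filter policy as an ordered first-match rule list and shows the effect of that rule: without it, a whitelist policy sends every category that is not explicitly allowed, including unknown and hosting, to the block-all rule. The category names business, finance, malware and phishing, and the implicit "block" when no rule matches, are assumptions made for the example; misc, unknown, computersandsoftware and hosting are the categories named in the release notes.

```python
# Added example (not Stormshield code): a first-match model of a URL/SSL filter
# policy, used to show why a whitelist-mode policy needs the extra allow rule
# recommended in the release notes after migration to the new URL database.
# Evaluation stops at the first rule whose categories match; a policy in which
# nothing matches falls through to "block" (an assumption of this model).
from dataclasses import dataclass

ANY = "any"  # pseudo-category matching every URL category


@dataclass(frozen=True)
class Rule:
    categories: frozenset
    action: str  # "pass" or "block"


def evaluate(policy, category):
    """Return the action taken for a URL classified in `category`."""
    for rule in policy:
        if ANY in rule.categories or category in rule.categories:
            return rule.action
    return "block"  # assumption: implicit deny when no rule matches


# Recommended blacklist mode: prohibited categories first, then allow everything.
# "malware" and "phishing" are constructed category names for this example.
BLACKLIST_POLICY = [
    Rule(frozenset({"malware", "phishing"}), "block"),
    Rule(frozenset({ANY}), "pass"),
]

# Whitelist mode as it may exist before the update: allowed categories first,
# then a block-all rule. "business" and "finance" are constructed names.
WHITELIST_POLICY = [
    Rule(frozenset({"business", "finance"}), "pass"),
    Rule(frozenset({ANY}), "block"),
]

# The allow rule the release notes recommend adding above the block-all rule.
MIGRATION_RULE = Rule(
    frozenset({"misc", "unknown", "computersandsoftware", "hosting"}), "pass"
)


def migrate_whitelist(policy):
    """Return a copy of `policy` with MIGRATION_RULE inserted above the first
    block-all rule. A policy without a block-all rule is returned unchanged."""
    migrated = list(policy)
    for index, rule in enumerate(migrated):
        if ANY in rule.categories and rule.action == "block":
            migrated.insert(index, MIGRATION_RULE)
            break
    return migrated


def audit(policy, categories):
    """Map each category of interest to the action the policy takes on it."""
    return {category: evaluate(policy, category) for category in categories}


if __name__ == "__main__":
    watch = ["business", "unknown", "hosting", "malware"]
    print("whitelist before:", audit(WHITELIST_POLICY, watch))
    print("whitelist after: ", audit(migrate_whitelist(WHITELIST_POLICY), watch))
    print("blacklist:       ", audit(BLACKLIST_POLICY, watch))
```

The audit function is the check to run after the update: list the categories your users depend on and confirm that the migrated policy still returns "pass" for them while the block-all rule continues to catch everything else.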

Changes introduced in version 4.6.9

  • SSH connections to the firewall - On firewalls in factory configuration and in SNS version 4.6.9 and upwards, the encryption algorithms ssh-rsa, hmac-sha2-256 and hmac-sha2-512 are no longer allowed for SSH connections to the firewall.

Changes introduced in version 4.6.8

  • BIRD dynamic routing - In configurations that use BGP with authentication, the "source address <ip>;" directive must be used so that BGP sessions continue to be set up after the SNS firewall has been updated.

Changes introduced in version 4.6.3

  • SSL/TLS-based protocols - For security reasons, cipher suites whose key exchange relies on Diffie-Hellman with finite-field groups (DHE-based suites) have been removed. Only ECDHE-based suites are now available on SNS firewalls.
    This change may affect connections initiated to or from the firewall for the various SSL/TLS-secured protocols (HTTPS, SSH, LDAPS, SMTPS, etc.), as well as SSL connections established through the firewall's proxy. As a result, SNS firewalls may become incompatible with older client applications and with external services or machines that use such protocols.

    The ECDHE-based cipher suites available on SNS firewalls are:
    • TLS_AES_128_GCM_SHA256
    • TLS_CHACHA20_POLY1305_SHA256
    • TLS_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_EMPTY_RENEGOTIATION_INFO_SCSV
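The practical question behind this change is which clients and peers will no longer be able to complete a handshake. The following added example (not Stormshield code) classifies IANA cipher suite names by key-exchange family and compares what a client offers against the list above; the two client offers are constructed for the example, and the SCSV entry is treated as a signalling value rather than a negotiable suite.

```python
# Added example (not Stormshield code): classify TLS cipher suites by their
# key-exchange family and check which suites offered by a client can still be
# negotiated with a firewall that accepts only the list from the release notes.
# The client offers at the bottom are constructed for this example.

# The list published in the release notes for SNS 4.6.3 and higher.
SNS_ALLOWED_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]


def key_exchange(suite):
    """Return the key-exchange family implied by an IANA cipher suite name."""
    if suite.endswith("_SCSV"):
        return "signaling"   # a signalling value, not a negotiable suite
    if "_ECDHE_" in suite:
        return "ECDHE"       # elliptic-curve ephemeral DH: still accepted
    if "_DHE_" in suite:
        return "DHE"         # finite-field ephemeral DH: removed in 4.6.3
    if "_WITH_" not in suite:
        return "TLS1.3"      # TLS 1.3 names carry no key-exchange part
    return "static"          # e.g. TLS_RSA_WITH_...: static key exchange


def compatibility_report(client_offer, server_allowed=SNS_ALLOWED_SUITES):
    """Check a client's offered suites against what the firewall accepts."""
    allowed = set(server_allowed)
    negotiable = [s for s in client_offer
                  if s in allowed and key_exchange(s) != "signaling"]
    rejected = {s: key_exchange(s) for s in client_offer
                if s not in negotiable and key_exchange(s) != "signaling"}
    return {
        "handshake_possible": bool(negotiable),
        "negotiable": negotiable,
        "rejected": rejected,
    }


# Constructed offer of an older client that only knows DHE and static-RSA suites.
LEGACY_CLIENT = [
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Constructed offer of a current client; its DHE suite is simply ignored.
MODERN_CLIENT = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

if __name__ == "__main__":
    for name, offer in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        print(name, compatibility_report(offer))
```

Feed the function the suite list from a client's ClientHello (as shown by a packet capture or the client's own diagnostics) to find out before the update whether that client will still reach the firewall's HTTPS, LDAPS or SMTPS services or pass through its proxy.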

Changes introduced in version 4.5.3

  • Hardening of the operating system - Text editors Vim and JOE have been removed from the system and replaced with vi.
  • Quality of Service (QoS) - The Treatment when full field, in which the packet congestion processing algorithm in queues (TailDrop or BLUE) could be selected, has been removed from QoS settings. The algorithm used by default is now TailDrop and can only be changed via the CLI/Serverd command CONFIG OBJECT QOS DROP.
  • IPsec DR mode - When DR mode is enabled for the first time, Diffie-Hellman group DH28 is now suggested as the default group for IKE DR and IPsec DR profiles.

Changes introduced in version 4.5.2

  • Quality of Service (QoS) - Queues are no longer defined by percentage of bandwidth. When an SNS firewall whose QoS configuration used queues defined by percentage of bandwidth is updated to version 4.5.2 or higher, the percentage is automatically converted to the equivalent absolute bandwidth value.

Changes introduced in version 4.5.1

  • SSL VPN - SNS version 4.5 is only compatible with the SSL VPN client in version 3.1 or the OpenVPN client in versions 2.5 and higher. The SSL VPN (or OpenVPN) client can be updated on client workstations before the firewall is updated to SNS version 4.5. The configuration on OpenVPN clients (available on the captive portal) must also be updated after the firewall is updated to version 4.5.
  • QoS - The definition of queues by percentage of bandwidth is obsolete. After a firewall whose QoS configuration used queues defined by percentage of bandwidth is updated to SNS version 4.5, a warning message appears in the grid of queues, asking the administrator to change the configuration of those queues.
  • Kerberos - Kerberos authentication is now TCP-based by default (kerberos_tcp object - port 88/TCP).

Changes introduced in version 4.4.1

  • Reputation categories - Exchange Online, Microsoft Authentication, Office 365, Office Online, SharePoint Online and Skype for business reputation categories, which could be found in versions prior to SNS 4.4.1, are no longer available. Filter rules that use them will therefore not function until these categories are replaced with the web services introduced in SNS version 4.4.1.

  • Stealth mode - SNS firewalls in factory configuration are now in stealth mode by default. Do note that disabling stealth mode affects packet processing performance: to respond with ICMP error messages, the firewall must keep a record of each packet, so stealth mode saves the resources that would otherwise be spent on recording these packets.