Changes to firewall behavior
This section sets out the changes to automatic behavior when SNS firewalls are upgraded to version 4.2.4 from a 3.11.8 LTSB version or higher.
Changes introduced in version 4.2.4
- Hardening of operating system - Only shell scripts may be run, and they must be invoked explicitly through the interpreter, e.g. sh script.sh instead of ./script.sh.
- Hardening of operating system - For scripts run from the event scheduler (eventd), the interpreter must be added for each task described in the configuration file of the event scheduler.
- Hardening of operating system - Scripts must be located only in the root partition (/) so that they can be run.
- Stealth mode - SNS firewalls in factory configuration are no longer in stealth mode by default.
- IPSec DR mode - New warnings are displayed in the Messages widget on the dashboard when the IPSec DR mode is enabled.
- IPSec DR mode - An anomaly in the implementation of ECDSA over Brainpool 256 elliptic curves has been fixed. As a result, IPSec tunnels in DR mode that use ECDSA with Brainpool 256 curves can no longer be set up between a firewall in version SNS 4.2.1 or SNS 4.2.2 and a firewall in version SNS 4.2.4 or higher.
- Active Update - For clients that use internal mirror sites, the Active Update packages hosted on your own servers must be refreshed so that packages signed by the new certification authority are used.
- Stormshield Management Center agent - On SNS firewalls managed via SMC, if the link with the SMC server cannot be set up within 30 seconds after a configuration is restored, the previous configuration will be restored.
- Logs - The storage of all log types on disk, including connections, has been enabled again by default on firewalls in factory configuration.
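The three hardening rules above amount to a pre-upgrade audit of every scheduled script: it must be called through an interpreter, and the file must sit on the root partition. The script below is an added example, not Stormshield's code and not the eventd configuration format; the task list at the bottom is constructed, and reading the mount point from `df -P` as the test for "root partition" is an assumption of the example.

```shell
#!/bin/sh
# Added example (not part of the SNS firmware or documentation): audit scheduled
# command lines against the 4.2.4 script hardening rules and propose a rewrite.
# The sample task list at the bottom is constructed; the real eventd
# configuration file format is not reproduced here.

# Return 0 when the command line already starts with a shell interpreter.
# Only the common spellings are recognised; extend the list for your setup.
has_interpreter() {
    case "$1" in
        "sh "*|"bash "*|"/bin/sh "*|"/bin/bash "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the command line with an explicit "sh" prefix when it lacks one:
#   "./rotate.sh --now"  ->  "sh ./rotate.sh --now"
with_interpreter() {
    if has_interpreter "$1"; then
        printf '%s\n' "$1"
    else
        printf 'sh %s\n' "$1"
    fi
}

# Print the script file named by the command line (the interpreter word is
# skipped when present). Paths with spaces are out of scope for this example.
script_of() {
    set -- $1
    if has_interpreter "$*"; then shift; fi
    printf '%s\n' "$1"
}

# Return 0 when the file in $1 exists and lives on the root partition (/),
# 1 when it sits on another mount, 2 when it does not exist on this host.
# Assumption: the mount point reported by POSIX df -P identifies the partition.
on_root_partition() {
    [ -e "$1" ] || return 2
    [ "$(df -P -- "$1" | awk 'NR == 2 { print $NF }')" = "/" ]
}

# Audit one command line; print findings and return 0 only when both rules pass.
audit_task() {
    cmd=$1
    fail=0
    if ! has_interpreter "$cmd"; then
        echo "FIX interpreter: '$cmd' -> '$(with_interpreter "$cmd")'"
        fail=1
    fi
    script=$(script_of "$cmd")
    rc=0
    on_root_partition "$script" || rc=$?
    case $rc in
        1) echo "FIX location: $script is not on the root partition"; fail=1 ;;
        2) echo "WARN: $script not found on this host, location not checked" ;;
    esac
    return $fail
}

# Constructed sample tasks (not a real eventd file): one direct invocation,
# one absolute path without interpreter, one already compliant.
for task in "./rotate.sh --now" "/var/tmp/backup.sh" "sh /opt/scripts/cleanup.sh"; do
    audit_task "$task" || true
done
```

Run it on the command strings extracted from your own event scheduler configuration; every line flagged FIX must be corrected before the upgrade, and WARN lines need a manual check on the firewall itself.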
Changes introduced in version 4.2.2
- IPSec VPN - The firewall disables ESN (Extended Sequence Numbers) when the peer uses IKEv1.
Changes introduced in version 4.2.1
- IPSec VPN - ESN (Extended Sequence Numbers), which protects against ESP replay, is enabled automatically.
- IPSec VPN - DR mode in SNS version 4.2 is not compatible with DR mode in earlier SNS versions, and the firewall does not allow updates of firewalls with DR mode enabled.
- The configurations listed below are no longer allowed in version 4.2:
- IKEv1 rules based on pre-shared key authentication in aggressive mode (mobile and site-to-site tunnels),
- IKEv1 rules based on hybrid mode authentication (mobile tunnels),
- IKEv1 backup peers.
- Logs - A field specifying the type of VPN rule (mobile tunnel or site-to-site tunnel) was added to IPSec VPN logs.
- SNMP - An SNMP trap is now raised whenever an IPSec VPN peer cannot be reached.
- SNMP - A new MIB (STORMSHIELD-OVPNTABLE-MIB) is available.
- SNMP - STORMSHIELD-VPNSA-MIB offers additional IPSec statistics.
- Authentication - Captive portal - On firewalls configured in strict HTTPS mode (using the CLI/Serverd command CONFIG AUTH HTTPS sslparanoiac=1), the configuration of the captive portal no longer allows the selection of certificates other than server certificates containing the ExtendedKeyUsage ServerAuth.
- Authentication - SSO agent - The SSO agent v3.0 or higher must be used with SNS firewalls in version 4.2.
- SSL VPN - The SSL VPN client in v2.9.1 or higher must be used with SNS firewalls in version 4.2.
- Logs - Log files created when verbose mode is enabled on firewall services are now placed in a dedicated folder /log/verbose and no longer directly in the /log folder.
- SSL VPN - The configuration file meant for the Stormshield SSL VPN client includes the parameter auth-nocache to force the client not to cache the user's password (except for SSL VPN clients configured in Manual mode).
- TLS protocol v1.3 - TLS v1.3 is used for services on the firewall (captive portal, LDAPS, Syslog TLS, Autoupdate, etc.).
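Before upgrading a firewall that runs the captive portal in strict HTTPS mode, check that the certificate currently selected for the portal actually carries the ServerAuth ExtendedKeyUsage, otherwise it can no longer be selected after the upgrade. The following check is an added example written with standard OpenSSL commands, not a Stormshield tool; the certificates it generates are constructed test material, and it assumes OpenSSL 1.1.1 or later for the -ext and -addext options.

```shell
#!/bin/sh
# Added example (not Stormshield's code): verify that a PEM certificate meant
# for the captive portal lists serverAuth in its extendedKeyUsage extension.
# Assumes OpenSSL 1.1.1+ (x509 -ext, req -addext).

# Return 0 when the certificate in $1 carries the serverAuth EKU
# ("TLS Web Server Authentication" in OpenSSL's text output), 1 when an EKU
# extension is present without serverAuth, 2 when no EKU could be read.
has_server_auth_eku() {
    eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null) || return 2
    [ -n "$eku" ] || return 2
    case "$eku" in
        *"TLS Web Server Authentication"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed test material: a throwaway self-signed certificate written to $1
# with the EKU named in $2 (for example serverAuth or clientAuth). The private
# key is written next to it and is meant to be discarded.
make_test_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 1 \
        -subj "/CN=portal.example.test" -addext "extendedKeyUsage = $2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Usage: sh check_eku.sh /path/to/portal-cert.pem
if [ "$#" -eq 1 ]; then
    rc=0
    has_server_auth_eku "$1" || rc=$?
    case $rc in
        0) echo "OK: $1 carries the ServerAuth EKU and can be used for the captive portal" ;;
        1) echo "FAIL: $1 has an EKU extension without ServerAuth" ;;
        *) echo "FAIL: no EKU extension could be read from $1" ;;
    esac
    exit $rc
fi
```

A certificate that fails this check must be replaced by one issued with the server certificate profile before the upgrade, since the portal configuration will refuse it afterwards.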
Changes introduced in version 4.1.6
- After signature certificates are updated, the USB Recovery procedure must be used to install versions lower than 4.1.6 on firewalls in version 4.1.6 or higher.
Changes introduced in version 4.1.4
- SSL VPN - A new version of the component that SSL VPN uses in portal mode is offered to users of the service.
Changes introduced in version 4.1.3
- IPSec VPN (IKEv1 + IKEv2) - The warning that appeared when a combined IKEv1/IKEv2 IPSec policy was used has been deleted.
- SSL VPN - The SSL VPN client now applies the interval before key renegotiation, set by default on the SSL VPN server to 14400 seconds (4 hours).
- Default gateway - Default gateways located in a public IP network outside the firewall’s public address range can again be defined on the firewall. This behavior was already possible in version 3.11.
Changes introduced in version 4.1.1
- LDAP directories - Secure connections to internal LDAP directories are now based on standard protocol TLS 1.2.
- HTTP cache function - The HTTP cache function can no longer be used in filter rules.
- Directory configuration - The default port used to access the backup LDAP server is now the same as the port that the main LDAP server uses.
- SNMP agent - The use of the value snmpEngineBoots has changed in order to comply with RFC 3414.
- Configuration of protected mode - A new setting, stealth mode, lets the firewall respond to ICMP requests. This setting takes priority over the value set through sysctl net.inet.ip.icmpreply.
Changes introduced in version 4.0.3
- IPSec VPN - As some algorithms are obsolete and will be phased out in a future version of SNS, a warning message now appears to encourage administrators to modify their configurations. This message appears when these algorithms are used in the profiles of IPSec peers.
Changes introduced in version 4.0.2
- Increased security during firmware updates - Security is now tighter during firmware updates. In addition to update packages being protected by signatures to ensure their integrity, Stormshield now also secures communications with the update servers used. These communications now take place in HTTPS and over port 443.
Changes introduced in version 4.0.1
- The network controller used on SNi40, SN2000, SN3000, SN6000, SN510, SN710, SN910, SN2100, SN3100 and SN6100 firewalls has been upgraded and now allows VLANs with an ID value of 0. This measure is necessary for the industrial protocol PROFINET-RT.
- The internal names of interfaces have changed for SN160 and SN210(W) firewall models. For configurations based on these firewall models that use Bird dynamic routing, the dynamic routing configuration must be changed manually to reference the new network interface names.
- Updates will reinitialize preferences in the web administration interface (e.g.: customized filters).
- Policy-based routing - If the firewall has been reset to its factory settings (defaultconfig) after a migration from version 2 to version 3 then to version 4, the order in which routing will be evaluated changes and policy-based routing [PBR] will take over priority (policy-based routing > static routing > dynamic routing >…> default route). However, if the firewall has not been reset, the order of evaluation stays the same as in version 1 (static routing > dynamic routing > policy-based routing [PBR] > routing by interface > routing by load balancing > default route).
- Industrial license - Industrial licenses are now verified, and the configuration of industrial protocols is suspended if the license is missing (or when firewall maintenance has expired).
- New graphical interface - The SNS version 4.0 graphical interface has been fully reworked to improve user comfort. It is now easier to switch between configuration and monitoring modules.