New firewall behavior

This section lists the changes made to the automatic behavior of the firewall when your SNS firewall in version 4.6.2 is updated from the next 4.3 LTSB version available.

We also encourage you to read about the New firewall behavior in SNS version 4.3 introduced since the last available 3.11.x LTSB version.

Changes introduced in version 4.6.0

Find out more

  • TLS 1.3 protocol - the mechanism that analyzes TLS 1.3 certificates on SSL servers is now automatically disabled when a firewall is migrated from a version lower than SNS 4.3.x to a version higher than or equal to SNS 4.6.0. It is also disabled by default in the incoming SSL analysis profile SSL_00 for firewalls in factory configuration in version 4.6.0 or higher.

Changes introduced in version 4.5.3

Find out more

  • Hardening of the operating system - Text editors Vim and JOE have been removed from the system and replaced with vi.
  • Quality of Service (QoS) - The Treatment when full field, in which the packet congestion processing algorithm in queues (TailDrop or BLUE) could be selected, has been removed from QoS settings. The algorithm used by default is now TailDrop and can only be changed via the CLI/Serverd command CONFIG OBJECT QOS DROP.
  • IPsec DR mode - When DR mode is enabled for the first time, Diffie-Hellman group DH28 is now suggested as the default group for IKE DR and IPsec DR profiles.

Changes introduced in version 4.5.2

Find out more

  • Quality of Service (QoS) - Queues are no longer defined by percentage of bandwidth. After certain SNS firewalls, on which the QoS configuration used queues defined by percentage of bandwidth, are updated to version 4.5.2 or higher, this percentage will automatically be converted to equivalent absolute bandwidth values.

Changes introduced in version 4.5.1

Find out more

  • SSL VPN - SNS version 4.5 is only compatible with the SSL VPN client in version 3.1 or the OpenVPN client in version 2.5 or higher. The SSL VPN (or OpenVPN) client can be updated on client workstations before the firewall is updated to SNS version 4.5. The configuration on OpenVPN clients (available on the captive portal) must also be updated after the firewall is updated to version 4.5.
  • QoS - The definition of queues by percentage of bandwidth is obsolete. After being updated to SNS version 4.5, firewalls on which the QoS configuration used queues defined by percentage of bandwidth, a warning message will appear in the grid of queues, asking the administrator to change the configuration of such queues.
  • Kerberos - Kerberos authentication is now TCP-based by default (kerberos_tcp object - port 88/TCP).

Changes introduced in version 4.4.1

Find out more

  • Stealth mode - SNS firewalls in factory configuration are now in stealth mode by default. Do note that disabling stealth mode will affect packet processing performance. As the firewall must keep a log of each packet so that it can respond to ICMP error messages, stealth mode allows the firewall to save resources that would have been used on logging these packets.