New firewall behavior

This section lists the changes made to the automatic behavior of the firewall when an SNS firewall is updated from the latest available 4.3 LTSB version to version 4.8.4.

If necessary, we also encourage you to read about the New firewall behavior in SNS version 4.3 introduced since the last available 3.7.x LTSB version.

Changes introduced in version 4.8.3 EA

  • Firewalls equipped with a TPM - After an update to SNS version 4.8.3, secrets stored in the TPM must be sealed with the new technical characteristics of the system, by using the CLI/Serverd command:
    SYSTEM TPM PCRSEAL tpmpassword=<TPMpassword>
    Do note that in clusters, this action must be applied to both members from the active firewall: run the command again on the active firewall with the parameter "serial=passive" to seal the secrets of the passive firewall.
    For more information on the TPM, refer to the section Trusted Platform Module in the SNS user guide.
  • Web services in filters - When a custom web service whose name is exactly 20 characters long is used in a filter rule, the rule does not function. A warning message then appears in the Messages widget on the Dashboard, indicating the filter policy and the number of the rule that caused the error.
    To work around the issue:

    • Change the name of the web service (to fewer than 20 characters) in the CSV import file that was initially used,
    • Import this file once again in Objects > Web services > Import custom services tab,
    • Modify the filter rule to use the new name of the web service.
  • In the factory settings on firewalls in SNS version 4.8.3 EA or higher, downgrades to a lower firmware version are now allowed once again by default.

  • URL/SSL filtering - The built-in URL database is obsolete and is set to be deleted in a future SNS firmware version. To continue using URL/SSL filtering, you can: 
    • Configure an alternative URL database, such as the one used by the Rectorat de Toulouse (Academy of Toulouse), by following the method described in the Stormshield Knowledge Base (authentication required),
    • Subscribe to the Extended Web Control option.
  • PPTP server VPN - The PPTP server feature is obsolete and is set to be deleted in a future SNS firmware version.
  • SCEP (certificate enrollment) - Hash algorithms md2, mdc-2, md4, md5 and rmd160, and the encryption algorithm des-ede3-cbc, are obsolete. They are set to be deleted in a future SNS firmware version.

Changes introduced in version 4.8.1 EA

  • Firewalls in SNS version 4.8.1 EA reject downgrades to versions lower than SNS 4.7.3 or SNS 4.3.24 LTSB.
  • Firewalls equipped with a TPM - After an update to SNS version 4.8, secrets stored in the TPM must be sealed with the new technical characteristics of the system, by using the CLI/Serverd command:

    SYSTEM TPM PCRSEAL tpmpassword=<TPMpassword>

    Do note that in clusters, this action must be applied to both members from the active firewall: run the command again on the active firewall with the parameter "serial=passive" to seal the secrets of the passive firewall.

    For more information on the TPM, refer to the section Trusted Platform Module in the SNS user guide.

  • SNMPv3 agent - Authentication algorithm MD5 and encryption algorithms DES and SHA1, which the SNMPv3 agent uses, are obsolete and will be removed in a future SNS firmware release.

  • Internal LDAP directory - Password hash algorithms MD5, SMD5, SHA, SSHA, SHA256, SHA384 and SHA512, which the Internal LDAP directory uses, are obsolete and will be removed in a future SNS firmware release.

  • SSL VPN portal - The SSL VPN portal feature is obsolete and is set to be deleted in a future SNS firmware version.

  • BIRD dynamic routing

    • Version 1 of the BIRD dynamic routing engine is now considered obsolete. Version 2 of the BIRD dynamic routing engine is now available,

    • If your SNS firewall pool is managed by an SMC server, it will not be possible to manage dynamic routing on your firewalls in 4.8.1 EA versions and higher from SMC in version 3.6 and below.

  • SNMP agent - The value assigned to the sysname field presented by the SNMP agent now follows a new order.

Changes introduced in version 4.7.7

  • Sandboxing - Only files that have been classified as archive, Office document, executable, PDF and Java files will now be sandboxed to reduce the load on the service. Files that have been classified as other or unknown files will no longer be analyzed.

Changes introduced in version 4.7.5

  • SNMP agent - The value returned by the OID 1.3.6.1.2.1.1.7 is now 76, corresponding to a device that provides services on OSI layers 3, 4 and 7. Previously, the value returned was 72.
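    The sysServices value is a bit mask defined in RFC 1213: bit (L - 1) is set for each OSI layer L on which the device provides services, which is why 76 decodes to layers 3, 4 and 7 and 72 to layers 4 and 7. The following helper, added here as an illustration and not part of the SNS product, decodes and re-encodes the value so that inventory or fingerprinting rules keyed on the old value can be updated:

```python
# Added example (not Stormshield code): decode/encode the sysServices object
# (OID 1.3.6.1.2.1.1.7) according to RFC 1213, where bit (L - 1) of the value
# is set for every OSI layer L (1..7) on which the device provides services.

def decode_sys_services(value):
    """Return the set of OSI layers encoded in a sysServices value (0..127)."""
    if not 0 <= value <= 127:
        raise ValueError(f"sysServices must be in 0..127, got {value}")
    return {layer for layer in range(1, 8) if value & (1 << (layer - 1))}

def encode_sys_services(layers):
    """Inverse operation: build the sysServices value for a set of OSI layers."""
    return sum(1 << (layer - 1) for layer in set(layers))

def layers_added(old_value, new_value):
    """Layers present in the new value but not in the old one.

    Used to explain what an asset inventory sees after the SNS 4.7.5 change:
    layers_added(72, 76) == {3} (the firewall now also announces layer 3).
    """
    return decode_sys_services(new_value) - decode_sys_services(old_value)

if __name__ == "__main__":
    # Values taken from the release note above: 72 before the update, 76 after.
    print("before:", sorted(decode_sys_services(72)))  # [4, 7]
    print("after: ", sorted(decode_sys_services(76)))  # [3, 4, 7]
    print("added: ", layers_added(72, 76))            # {3}
```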

Changes introduced in version 4.7.3

  • SN1100 - The maximum number of IPsec tunnels that SN1100 firewalls accepted was too high. It has been reduced to match the announced specifications.

Changes introduced in version 4.7.2 EA

  • Routing - Loopback objects that are used as default gateways are automatically replaced with the blackhole object when the firewall is updated to SNS version 4.7.2 EA or higher.
  • Oscar and Gnutella - Protocols Oscar and Gnutella are now considered obsolete. These protocol scans are automatically disabled when the firewall is updated to SNS version 4.7.2 EA.

Changes introduced in version 4.7.1 EA

  • IPsec DR - For the generation of certificate request payloads, ANSSI's IPsec DR guidelines recommend using the SHA2 hash algorithm instead of SHA1. SNS in versions 4.7 and up complies with this recommendation.
    If IPsec DR mode is enabled on an SNS firewall in version 4.7, VPN tunnels can only be negotiated with peers that comply with this recommendation.
  • VPN Exclusive client (with DR mode) - The VPN Exclusive client in version 7.4 or higher must be used to set up IPsec tunnels in DR mode with firewalls in SNS versions 4.7 and higher.

  • Firewalls equipped with a TPM - After an update to SNS version 4.7, secrets stored in the TPM must be sealed with the new technical characteristics of the system, by using the CLI/Serverd command:

    SYSTEM TPM PCRSEAL tpmpassword=<TPMpassword>

    Do note that in clusters, this action must be applied to both members from the active firewall: run the command again on the active firewall with the parameter "serial=passive" to seal the secrets of the passive firewall.

    For more information on the TPM, refer to the section Trusted Platform Module in the SNS user guide.

  • Extended Web Control (EWC) URL classification - The Bitdefender URL database is now the database used.

    To set up a URL/SSL filter policy, you are advised to operate in blacklist mode, i.e., explicitly place the URL categories to be prohibited in URL/SSL filter rules with a block action. These rules must then be placed above the rule that allows all the other categories.

    When updating to SNS version 4.7.1 or higher a firewall that uses a whitelist URL/SSL filter policy (filter rules explicitly allow some categories and are placed above the rule that blocks all other categories), we strongly recommend adding a rule that allows the URL categories misc (miscellaneous), unknown, computersandsoftware (software download websites) and hosting (website hosting), to avoid affecting the user experience. This rule must be placed above the rule that blocks all the other categories.

    For more information on the migration of URL/SSL filter policies when the firewall is updated to SNS version 4.7 or higher, please refer to the Technical Note Migrating a security policy to the new EWC URL database.

    IMPORTANT
    URL/SSL filter policies that have been updated after the firewall was updated to SNS version 4.7.1 must be thoroughly checked.

  • Resetting to factory configuration - Resetting a firewall to its factory configuration (defaultconfig) now deletes by default all custom configuration files added by the administrator. If you do not wish to delete them, use the command defaultconfig -T.
  • Synchronizing MAC addresses (HA) - On elastic virtual appliances (EVA) deployed in versions 4.7 and higher and in a high availability (HA) configuration, the synchronization of MAC addresses during a cluster switch is now disabled by default.
  • Hardening of the system - The system hardening introduced in SNS version 4.7 makes the backup partition unusable on firewalls in SNS version 4.3.23 LTSB or lower that are updated directly to SNS version 4.7. You are advised to update your firewall to SNS version 4.3.24 LTSB or a higher version before updating to SNS version 4.7.

Changes introduced in version 4.6.9

  • SSH connections to the firewall - On firewalls in factory configuration and in SNS version 4.6.9 and upwards, the encryption algorithms ssh-rsa, hmac-sha2-256 and hmac-sha2-512 are no longer allowed for SSH connections to the firewall.

Changes introduced in version 4.6.8

  • BIRD dynamic routing - In configurations that use BGP with authentication, the "source address <ip>;" directive must be used so that BGP sessions continue to be set up after the SNS firewall has been updated.

Changes introduced in version 4.6.3

  • SSL/TLS-based protocols - For security reasons, encryption suites that base their key exchanges on Diffie-Hellman methods (DHE-based suites) have been removed. Only ECDHE-based suites are now available on SNS firewalls.
    This change may have an impact on connections initiated to or from the firewall for various SSL-secured protocols (HTTPS, SSH, LDAPS, SMTPS, etc.) as well as SSL connections established through the firewall's proxy. Due to this change, SNS firewalls may become incompatible with older client applications and external services/machines that use such protocols.

    The ECDHE-based encryption suites available on SNS firewalls are:
    • TLS_AES_128_GCM_SHA256,
    • TLS_CHACHA20_POLY1305_SHA256,
    • TLS_AES_256_GCM_SHA384,
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    • TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
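
    Before updating, it is worth checking whether the clients and services that talk to the firewall still share at least one suite with this list. The script below is an added example, not Stormshield code: it maps the suites listed above from their IANA names to the OpenSSL names that Python's ssl module reports, then intersects a client's offered suites with that list. TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value rather than a negotiable suite, so it is left out.

```python
import ssl

# Added example (not Stormshield code). Suites the release note lists as still
# available on SNS firewalls from version 4.6.3, IANA name -> OpenSSL name.
SNS_SUITES = {
    "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
}
# Accept either naming convention as input.
SNS_ACCEPTED = frozenset(SNS_SUITES) | frozenset(SNS_SUITES.values())

def common_suites(client_suites):
    """Client suites (OpenSSL or IANA names) that the firewall still offers, in client order."""
    return [s for s in client_suites if s in SNS_ACCEPTED]

def dhe_suites(client_suites):
    """Client suites that use finite-field DHE key exchange, i.e. the ones removed in 4.6.3."""
    return [s for s in client_suites if s.startswith(("DHE-", "TLS_DHE_"))]

def handshake_possible(client_suites):
    """True if at least one suite is shared; a necessary (not sufficient) condition."""
    return bool(common_suites(client_suites))

def local_client_suites():
    """Suites this Python build offers by default, as a live input for the check."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]

if __name__ == "__main__":
    # Constructed example: a legacy client restricted to DHE suites.
    legacy = ["DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA256"]
    print("legacy client, DHE suites:", dhe_suites(legacy))
    print("legacy client can connect:", handshake_possible(legacy))   # False
    mine = local_client_suites()
    print("this Python can connect:  ", handshake_possible(mine))
    print("shared suites:", common_suites(mine))
```

    A shared suite is necessary but not sufficient: an ECDHE-ECDSA suite also requires the firewall's certificate to carry an EC key, and an ECDHE-RSA suite an RSA key, so check the certificate type as well when only one family is shared.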

Changes introduced in version 4.5.3

  • Hardening of the operating system - Text editors Vim and JOE have been removed from the system and replaced with vi.
  • Quality of Service (QoS) - The Treatment when full field, in which the packet congestion processing algorithm in queues (TailDrop or BLUE) could be selected, has been removed from QoS settings. The algorithm used by default is now TailDrop and can only be changed via the CLI/Serverd command CONFIG OBJECT QOS DROP.
  • IPsec DR mode - When DR mode is enabled for the first time, Diffie-Hellman group DH28 is now suggested as the default group for IKE DR and IPsec DR profiles.

Changes introduced in version 4.5.2

  • Quality of Service (QoS) - Queues are no longer defined by percentage of bandwidth. When an SNS firewall whose QoS configuration used queues defined by percentage of bandwidth is updated to version 4.5.2 or higher, these percentages are automatically converted to equivalent absolute bandwidth values.

Changes introduced in version 4.5.1

  • SSL VPN - SNS version 4.5 is only compatible with the SSL VPN client in version 3.1 or the OpenVPN client in versions 2.5 and higher. The SSL VPN (or OpenVPN) client can be updated on client workstations before the firewall is updated to SNS version 4.5. The configuration on OpenVPN clients (available on the captive portal) must also be updated after the firewall is updated to version 4.5.
  • QoS - The definition of queues by percentage of bandwidth is obsolete. After a firewall whose QoS configuration used queues defined by percentage of bandwidth is updated to SNS version 4.5, a warning message appears in the grid of queues, asking the administrator to change the configuration of such queues.
  • Kerberos - Kerberos authentication is now TCP-based by default (kerberos_tcp object - port 88/TCP).

Changes introduced in version 4.4.1

  • Reputation categories - Exchange Online, Microsoft Authentication, Office 365, Office Online, SharePoint Online and Skype for business reputation categories, which could be found in versions prior to SNS 4.4.1, are no longer available. Filter rules that use them will therefore not function until these categories are replaced with the web services introduced in SNS version 4.4.1.

  • Stealth mode - SNS firewalls in factory configuration are now in stealth mode by default. Do note that disabling stealth mode affects packet processing performance: when stealth mode is disabled, the firewall must keep track of each packet so that it can respond with ICMP error messages, whereas stealth mode saves the resources that this tracking would consume.