New features in SNS 4.2.4
System
Hardening the operating system
Verification of the integrity of executable files now extends to the userland section of the system.
Only shell scripts remain allowed, and they must be invoked explicitly through the interpreter, e.g., sh script.sh instead of ./script.sh. If such scripts are run from the event scheduler (eventd), the interpreter must be added to the command of each task described in the event scheduler's configuration file.
These scripts must also reside in the root partition (/) in order to run. Since a firmware update erases the contents of the "/" folder, they must be moved back to "/" after each firmware update.
Note that this file integrity verification mechanism may cause the system performance measurement tools to report slightly higher memory consumption values than those shown in earlier versions of SNS. The nmemstat tool can no longer be used.
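The two rules above (explicit interpreter, script located in /) are easy to get wrong after an upgrade, so here is a small audit helper, added here as an example and not part of SNS or its documentation. It assumes each scheduler task is represented by one command line (the real eventd configuration format is not described on this page), that a shell script is recognised by its .sh suffix, and that "located in /" means an absolute path whose parent directory is / itself; all three are assumptions. The sample task list is constructed.

```python
import shlex
from pathlib import PurePosixPath

# Interpreters accepted as an explicit call; the release note only gives "sh",
# its usual absolute path is added here as an assumption.
INTERPRETERS = {"sh", "/bin/sh"}


def check_task_command(command):
    """Classify one scheduler task command line.

    Returns (status, message) with status one of:
      "ok"    - script invoked through the interpreter and located in /
      "fix"   - a shell script is executed directly; message carries a rewrite
      "error" - interpreter call but the script path breaks the "/" rule
      "skip"  - not a shell script, so the rules above do not apply
    """
    argv = shlex.split(command)
    if not argv:
        return "error", "empty command"

    if argv[0] in INTERPRETERS:
        if len(argv) < 2:
            return "error", "interpreter called without a script"
        script = PurePosixPath(argv[1])
        # Assumption: "located in /" means directly under the root folder.
        if not script.is_absolute() or script.parent != PurePosixPath("/"):
            return "error", f"{argv[1]} must be an absolute path directly under /"
        return "ok", "explicit interpreter, script in /"

    # Assumption: shell scripts are identified by their .sh suffix.
    if argv[0].endswith(".sh"):
        # Rewrite "./dir/script.sh args" as "sh /script.sh args", i.e. the
        # form the script must take once moved back to / after an update.
        fixed = shlex.join(["sh", "/" + PurePosixPath(argv[0]).name, *argv[1:]])
        return "fix", f"script executed directly; use: {fixed}"

    return "skip", "not a shell script"


def audit(tasks):
    """Run the check over a list of task command lines; returns a list of tuples."""
    return [(cmd, *check_task_command(cmd)) for cmd in tasks]


# Constructed sample: what a few scheduler tasks might look like before/after 4.2.4.
SAMPLE_TASKS = [
    "./backup.sh --full",      # executed directly: must be rewritten
    "sh backup.sh",            # interpreter present but relative path
    "sh /backup.sh --full",    # conforms
    "/usr/bin/true",           # system binary, unaffected by the script rule
]

if __name__ == "__main__":
    for cmd, status, msg in audit(SAMPLE_TASKS):
        print(f"{status:5} {cmd!r}: {msg}")
```

Feed the tool the task commands extracted from the scheduler configuration; every "fix" line gives the corrected command, and every "error" line points at a script that will stop running after the update because of its location.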
Stealth mode
An SNS firewall in factory configuration is no longer in stealth mode by default, to make it easier to integrate the firewall into existing infrastructures.
However, this mode can still be enabled manually by using the Stealth argument in the CLI/Serverd command CONFIG PROTOCOL IP COMMON IPS CONFIG:
CONFIG PROTOCOL IP COMMON IPS CONFIG Stealth=<On|Off>
CONFIG PROTOCOL IP ACTIVATE
Path MTU Discovery (PMTUD)
In configurations that involve an IPsec VPN, ICMP type 3 code 4 (Fragmentation Needed) messages are now fully handled through the tunnels, following the addition of Path MTU Discovery support.
PMTUD is disabled by default and is managed through the CLI/Serverd command:
CONFIG IPSEC UPDATE slot=<1-10> PMTUD=<0|1|2>
CONFIG IPSEC ACTIVATE
CONFIG IPSEC RELOAD
These commands are explained in detail in the CLI SERVERD Commands Reference Guide.
NOTE
Stealth mode must be disabled so that the PMTUD can function through IPsec.
IPsec VPN - DR mode
Warnings are displayed in the Messages widget on the dashboard when IPsec DR mode is enabled and at least one of the following conditions is met:
- the proxy is used in a filter rule,
- the NSRPC service is open to the outside,
- the SSL VPN service is active,
- the DNS cache service is active,
- the DHCP service is active.
IPsec VPN - IKEv2
Pseudorandom functions (PRFs) with the following values can now be selected:
This configuration can only be created in command line using the argument prf added to the CLI/Serverd command: CONFIG IPSEC PROFILE PHASE1 PROPOSALS UPDATE (any changes must then be confirmed using the command CONFIG IPSEC ACTIVATE).
These commands are explained in detail in the CLI SERVERD Commands Reference Guide.
NOTE
The use of PRF_HMAC_SHA2_256 is imposed in IPsec DR mode.
Active Update
Packages in the Active Update module are now signed by a new Stormshield certification authority, which replaces the previous Netasq certification authority.
Customers who use internal mirror sites must update the packages hosted on their own servers so that packages signed by the new certification authority are used. Without this, the Active Update module can no longer update its databases.
For Linux environments, a new version of the Active Update mirroring script (updater.sh) is available on Mystormshield (Downloads > Stormshield Network Security > Tools). This version retrieves all packages signed by the new certification authority.
The firewall interface from which requests are sent to the automatic update servers can now be specified, through the bindaddr argument added to the CLI/Serverd command CONFIG AUTOUPDATE SERVER. Changes to this parameter must then be applied using the command CONFIG AUTOUPDATE ACTIVATE.
Automatic checks for firmware updates
Automatic checks for the availability of firmware updates can be enabled or disabled using the CLI/serverd command SYSTEM CHECKVERSION state=0|1.
This mechanism is enabled by default.
Network management
The management of an SNS firewall's network configuration is now optimized so that the firewall no longer restarts every time SMC sends a network configuration. The firewall now tells SMC that a restart is required only when one is actually necessary.
Stormshield Management Center (SMC) agent
On SNS firewalls managed via SMC in version 3.0, if the link with the SMC server cannot be re-established within 30 seconds after a deployment (this period can be configured in the administration console of the SMC server), the previous configuration is restored.
On firewalls in high availability, it is now possible to choose whether the passive firewall restarts when network configuration changes applied on the active firewall are synchronized to it.
This option can only be configured with the CLI/serverd command HA SYNC:
HA SYNC Ennetwork=0|1: If 0 is selected, the passive firewall will not restart (default behavior), 1 will restart it.
Synchronization of the object database with DNS servers
The automatic synchronization of the object database with DNS servers configured on the firewall can now be enabled/disabled and its frequency can be changed.
These operations can only be configured with the CLI/serverd command CONFIG OBJECT SYNC:
- CONFIG OBJECT SYNC STATE=<0|1> to disable/enable synchronization,
- CONFIG OBJECT SYNC UPDATE period=<period> to set a synchronization frequency between 1 min and 1 day inclusive (e.g., period=6h5m4s).
These changes must be confirmed using the command CONFIG OBJECT SYNC ACTIVATE.
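The period argument is the only part of this procedure with room for error: it is a compound duration bounded to the 1 min to 1 day range. The helper below, added here as an example and not part of SNS or its documentation, parses that format, enforces the range, and assembles the three-command sequence described above. It assumes the period grammar is optional hours, minutes and seconds suffixes in that order (generalised from the single example 6h5m4s on this page); the sync_commands helper and its output list are illustrative, not an official API.

```python
import re

# Assumed grammar, generalised from "6h5m4s": optional <n>h, <n>m, <n>s in that
# order, at least one component present.
PERIOD_RE = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")

MIN_PERIOD = 60        # 1 min, inclusive
MAX_PERIOD = 86400     # 1 day, inclusive


def parse_period(text):
    """Convert a period string such as '6h5m4s' to seconds; raise ValueError if malformed."""
    m = PERIOD_RE.match(text.strip())
    if not m or not any(g is not None for g in m.groups()):
        raise ValueError(f"malformed period: {text!r}")
    hours, minutes, seconds = (int(g) if g is not None else 0 for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def validate_period(text):
    """Return (ok, seconds_or_None, message), enforcing the 1 min .. 1 day range."""
    try:
        secs = parse_period(text)
    except ValueError as exc:
        return False, None, str(exc)
    if secs < MIN_PERIOD:
        return False, secs, f"{text} is {secs}s, below the 1 min minimum"
    if secs > MAX_PERIOD:
        return False, secs, f"{text} is {secs}s, above the 1 day maximum"
    return True, secs, "ok"


def sync_commands(period):
    """Build the command sequence that enables synchronization with the given period.

    The period is validated first, so a rejected value never reaches the firewall.
    """
    ok, _secs, msg = validate_period(period)
    if not ok:
        raise ValueError(msg)
    return [
        "CONFIG OBJECT SYNC STATE=1",
        f"CONFIG OBJECT SYNC UPDATE period={period}",
        "CONFIG OBJECT SYNC ACTIVATE",
    ]


if __name__ == "__main__":
    # Constructed candidates: two valid, one too short, one just over a day.
    for candidate in ("6h5m4s", "24h", "59s", "24h1s"):
        print(candidate, validate_period(candidate))
    print("\n".join(sync_commands("6h5m4s")))
```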
Modifying logs enabled by default
Contrary to what was announced in the 4.2.1 release notes, the storage of all log types on disk is once again enabled by default.
Hardware
Support for SN1100 firewall models begins with this version 4.2.4.
Web administration interface
Creating IPsec peers
When a new IPsec peer is created, the wizard now offers version 2 of the IKE protocol by default for this peer.