New features and enhancements in SNS 4.3.21 LTSB

IPsec DR mode compliance

The behavior of the IKE key negotiation engine has been modified to enable its compliance with the requirements of the ANSSI’s IPsec DR guidelines. Changes made will not be noticeable in nominal use cases of SNS products.

IPsec DR mode - Generation of certificate request payloads

During the generation of certificate request payloads, ANSSI's IPsec DR guidelines recommend replacing the algorithm with SHA2 (previously SHA1).

SNS 4.3 LTSB versions (from version 4.3.21 LTSB onwards) and comply with this recommendation.

If IPsec DR mode is enabled on an SNS firewall in version 4.3.21 LTSB, VPN tunnels can only be negotiated only with peers that comply with this recommendation.

As such, in order for the negotiation of VPN tunnels in IPsec DR mode to continue functioning after the SNS firewall is updated to version 4.3.21 LTSB, ensure that all IPsec DR-compatible peers in your architecture comply with this recommendation:

  • On SNS firewalls, you must update all of them to an SNS version that complies with this recommendation,
  • For firewalls from other vendors, contact them before any updates for more information,
  • For Stormshield VPN Exclusive clients, ensure that every VPN client is in version 7.4.018 or higher and configure any additional parameters on them. For more information, refer to the technical note IPsec VPN - Diffusion Restreinte mode,
  • For all other VPN clients, get in touch with the relevant software vendor for more information before applying any updates.

Static routing

The blackhole keyword can now be selected as a:

  • Gateway when defining a static route,
  • Default gateway of the firewall.

More information on the use of the blackhole keyword

High availability and TPM

Support reference 85055

In a high availability configuration such as the following:

  • Members of the cluster are equipped with TPMs that have been initialized,
  • The health status of TPMs is included in the calculation of the quality factor.

When the TPM on the passive firewall (firewall that was initially passive or which became passive after a switch due to a downgraded quality index) encounters a failure, this firewall will be restarted to recover its TPM in a working condition.


The mechanism that manages gateway priorities has been optimized to prevent the default route from being reloaded unnecessarily when gateways have close priority scores.

When a gateway exceeds an SLA threshold, an entry will be systematically generated in the system log file.


It is now possible to set the amount of time to wait before a newly created SA (Security Association) is used. This can prevent potential issues with competing access when an SA is already in use for the same IPsec traffic endpoints. This NewSADelay option can only be configured by using the CLI/Serverd command CONFIG.IPSEC.UPDATE NewSADelay=<value>.

More information on the CONFIG.IPSEC.UPDATE command.

The mechanism that optimizes the distribution of the IPsec service’s encryption and decryption operations on the SNS firewall has been improved.