Points to note for updates from a 3.7 LTSB or 3.11 LTSB version

IMPORTANT
If you intend to update a firewall from a 3.7 LTSB/3.11 LTSB version to version 4.3 LTSB, we encourage you to read this section carefully.

NOTE
The exhaustive list of new automatic behavior relating to the update of your SNS firewall to version 4.3 LTSB from the latest 3.7 LTSB version available can be found in New firewall behavior in these release notes.

Extended Web Control (EWC) URL classification

The Extended Web Control URL classification now uses the Bitdefender URL database.

Due to the new URL database, the firewall's initial security policy (filter policy, URL filter policy and SSL filter policy) must be reviewed after the firewall is updated.

Refer to the technical note Migrating a security policy to the new EWC URL database to find out how to migrate a URL/SSL filter policy during an update of the firewall to SNS version 4.3.24 LTSB or higher.

HTTP cache feature

The HTTP cache function is no longer available in filter rules. Before updating your firewall, ensure that you:

  • Delete the "HTTP cache" options in the filter rules in question,
  • Disable the proxy cache.

Otherwise, the proxy will no longer function.

High availability (HA)

The ports used for communication over HA links have changed. The filter policy must therefore be adapted accordingly on the members of the cluster and on any intermediate equipment through which HA traffic may pass before updating the firewall. The purpose of this step is to prevent connection loss between the members of the cluster.

The ports used by HA are listed in the HA network traffic section in the High availability on SNS technical note.

IPsec VPN

IPsec VPN and HA

Established IPsec tunnels are not synchronized between the two members of the cluster during an update; they are suspended and then renegotiated so that encrypted traffic can pass through again.

DR mode

DR mode set in 4.3 LTSB is not compatible with DR mode in earlier SNS versions, and the firewall does not allow updates of firewalls with DR mode enabled.

Refer to the IPsec VPN - Diffusion Restreinte mode technical note on how to configure DR mode in version 4.3 LTSB.

IKEv1

The configurations listed below are no longer allowed in version 4.3 LTSB:

  • IKEv1 rules based on pre-shared key authentication in aggressive mode (mobile and site-to-site tunnels),
  • IKEv1 rules based on hybrid mode authentication (mobile tunnels),
  • IKEv1 backup peers.

Algorithms not supported

Version 4.3 LTSB of the firmware no longer supports the following algorithms:

  • Blowfish,
  • DES,
  • CAST128,
  • MD5,
  • HMAC_MD5,
  • NON_AUTH,
  • NULL_ENC.

If the IPsec policy of the firewall to be updated to version 4.3 LTSB uses any of these algorithms, they must be replaced in the firewall's IPsec configuration before performing the update.

NAT-T

In configurations that implement NAT-T (NAT Traversal, i.e., transporting IPsec through a network that performs dynamic address translation), the translated IP address must be defined as the ID of any peer that uses pre-shared key authentication and for which a local ID in the form of an IP address had been forced.

Quality of Service (QoS)

QoS configurations set in versions earlier than SNS 4.3 LTSB are no longer valid, and QoS must be configured again following a firewall update.

Refer to the technical note Configuring QoS on SNS firewalls on how to configure QoS in version 4.3 LTSB.

Filtering

SNS now makes it possible to define and use MAC address-based network objects in filter policies. When a MAC address is specified in an object used in a filter rule, any traffic originating from this object that matches this filter rule will not be evaluated if the MAC address presented during the exchange is different from the object's address.

TPM-equipped firewalls

After an update to SNS version 4.3, secrets stored in the TPM must be sealed with the new technical characteristics of the system, by using the command: tpmctl -svp <TPMpassword>.

For more information on this topic, refer to the Stormshield knowledge base.

SSL VPN

The latest 3.x version of the SSL VPN client must be used.

Netmask assigned to clients

The minimum mask size for the network object assigned to TCP and UDP clients in the SSL VPN configuration is now /28.

If the mask of this network object was /29, it must be changed before migrating the firewall to version 4.3 LTSB.
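The IPsec constraints above (IKEv1 modes and backup peers that are no longer allowed, algorithms that are no longer supported) and the SSL VPN /28 minimum are all things to verify before launching the update. The script below is an added example, not Stormshield code: it runs the checks over a constructed, simplified representation of the configuration (a dict per IPsec rule with strongSwan-style proposal strings, and one CIDR for the SSL VPN client network). That representation and the field names are assumptions; the script does not parse real SNS configuration files.

```python
"""Pre-update audit for a 3.7/3.11 LTSB -> 4.3 LTSB migration (added example).

The configuration format below is a constructed simplification (assumption):
one dict per IPsec rule and one CIDR string for the SSL VPN client network.
"""
import ipaddress

# Algorithms that 4.3 LTSB no longer supports, as listed in the release notes.
UNSUPPORTED_ALGORITHMS = {
    "blowfish", "des", "cast128", "md5", "hmac_md5", "non_auth", "null_enc",
}

# Minimum size of the SSL VPN client network in 4.3 LTSB: /28 (16 addresses).
SSLVPN_MAX_PREFIXLEN = 28


def check_ipsec_rule(rule):
    """Return a list of findings for one IPsec rule (empty list = clean)."""
    findings = []
    name = rule.get("name", "<unnamed>")

    # Proposal strings are assumed to be "alg-alg-group" tokens, e.g.
    # "aes256-sha256-modp2048"; tokens are compared case-insensitively.
    for field in ("ike_proposal", "esp_proposal"):
        for token in rule.get(field, "").lower().split("-"):
            if token in UNSUPPORTED_ALGORITHMS:
                findings.append(f"{name}: {field} uses unsupported algorithm '{token}'")

    # IKEv1 configurations that 4.3 LTSB refuses.
    if rule.get("ike_version") == 1:
        if rule.get("auth") == "psk" and rule.get("mode") == "aggressive":
            findings.append(f"{name}: IKEv1 aggressive mode with PSK is no longer allowed")
        if rule.get("auth") == "hybrid":
            findings.append(f"{name}: IKEv1 hybrid mode authentication is no longer allowed")
        if rule.get("backup_peer"):
            findings.append(f"{name}: IKEv1 backup peer is no longer allowed")
    return findings


def check_sslvpn_network(cidr):
    """Flag an SSL VPN client network smaller than /28 (e.g. the old /29)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > SSLVPN_MAX_PREFIXLEN:
        return [f"SSL VPN client network {net} is /{net.prefixlen}; "
                f"minimum size is /{SSLVPN_MAX_PREFIXLEN}"]
    return []


def audit(config):
    """Run every check and return the combined list of findings."""
    findings = []
    for rule in config.get("ipsec_rules", []):
        findings.extend(check_ipsec_rule(rule))
    if "sslvpn_client_network" in config:
        findings.extend(check_sslvpn_network(config["sslvpn_client_network"]))
    return findings


# Constructed sample configuration: one legacy rule that trips every check,
# one rule that is already 4.3-compatible, and a /29 SSL VPN network.
SAMPLE_CONFIG = {
    "ipsec_rules": [
        {"name": "site_legacy", "ike_version": 1, "auth": "psk", "mode": "aggressive",
         "ike_proposal": "des-md5-modp1024", "esp_proposal": "blowfish-hmac_md5",
         "backup_peer": "203.0.113.9"},
        {"name": "site_ok", "ike_version": 2, "auth": "cert",
         "ike_proposal": "aes256-sha256-modp2048", "esp_proposal": "aes256gcm16"},
    ],
    "sslvpn_client_network": "10.8.0.0/29",
}

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("BLOCKER:", line)
```

Each finding corresponds to an item the release notes say must be corrected before the update; an empty result from audit() means none of the listed pre-update blockers were found in the supplied configuration.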

Authentication

Captive portal

The captive portal no longer accepts the selection of certificates other than server certificates that contain the ExtendedKeyUsage ServerAuth.

SSO Agent

The latest 3.x version of the SSO agent must be used.

Dynamic routing

Internal names of interfaces on SN160 and SN210(W) firewall models

The internal name for interfaces has changed on SN160 and SN210(W) firewall models.

To prevent inconsistencies in the configuration, we strongly recommend using the user-defined names of interfaces (e.g., out) instead of internal names (e.g., eth0), regardless of the firewall model.

BGP protocol

In configurations that use BGP with authentication, the "source address <ip>;" directive must be used.

For further information on Bird configuration, refer to the Bird Dynamic Routing technical note.

Industrial protocols

Industrial licenses are verified and the configuration of industrial protocols will be suspended if the license is missing (or when firewall maintenance has expired).

System

Hardening of the operating system

The hardening of the operating system imposes the following constraints for custom scripts:

  • Only shell scripts are allowed, and they must be explicitly invoked through the interpreter (e.g., sh script.sh instead of ./script.sh).
  • For scripts launched through the event scheduler (eventd), the interpreter must be added for each task described in the event scheduler configuration file.
  • Scripts must be located only in the root partition (/) so that they can be run.

TLS protocol - Cryptographic suites

The cryptographic suites that the firewall uses to initiate its own TLS connections (LDAPS, SYSLOG TLS, SMTPS, etc.) have been updated. The following are the suites that can now be used:

  • TLS_AES_128_GCM_SHA256,
  • TLS_CHACHA20_POLY1305_SHA256,
  • TLS_AES_256_GCM_SHA384,
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV.

This update may affect the firewall's compatibility with servers that use less robust suites. You are therefore advised to check the compatibility of TLS services that interact with the firewall. In the specific case of the LDAPS service in Microsoft Azure, the firewall must be forced to initiate connections that use less robust cryptographic suites (ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384 or DHE-RSA-AES256-SHA256) by executing the CLI/Serverd command CONFIG CRYPTO SSLParanoiac=0.

The firewall must be restarted for changes to be applied.
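The advice above is to check the TLS services the firewall connects to before updating. The following is an added example, not Stormshield code: it builds a Python client context restricted to the TLS 1.2 suites in the list above (the strict profile the firewall uses by default) and a relaxed profile that adds the four CBC suites named for the Azure LDAPS case (the effect of SSLParanoiac=0), then offers a probe that attempts a handshake against a service with either profile. The host and port passed to probe_server() are the operator's own; the IANA-to-OpenSSL name mapping is standard OpenSSL naming.

```python
"""Check a TLS service against the firewall's 4.3 LTSB suite list (added example)."""
import socket
import ssl

# Release-note IANA names mapped to OpenSSL names. TLS 1.3 suites (TLS_AES_*,
# TLS_CHACHA20_*) are negotiated independently of set_ciphers(), and
# TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value, not a real suite.
STRICT_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
}

# Suites the notes say must be re-enabled (SSLParanoiac=0) for Azure LDAPS.
RELAXED_EXTRA = [
    "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES256-SHA256",
]


def build_context(strict=True):
    """Client context: TLS 1.2+ only, certificate verification on,
    cipher list limited to the strict or relaxed profile."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    ciphers = list(STRICT_SUITES.values())
    if not strict:
        ciphers += RELAXED_EXTRA
    ctx.set_ciphers(":".join(ciphers))
    return ctx


def enabled_tls12_ciphers(ctx):
    """Sorted OpenSSL names of the TLS 1.2 suites the context will offer
    (TLS 1.3 suites, whose names start with 'TLS_', are excluded)."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if not c["name"].startswith("TLS_"))


def probe_server(host, port, strict=True, timeout=5.0):
    """Attempt a handshake with the chosen profile.

    Returns (True, (protocol, cipher)) on success, or (False, error text)
    when the server rejects every offered suite or verification fails."""
    ctx = build_context(strict)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, (tls.version(), tls.cipher()[0])
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    import sys
    print("strict profile :", enabled_tls12_ciphers(build_context(True)))
    print("relaxed profile:", enabled_tls12_ciphers(build_context(False)))
    if len(sys.argv) == 3:  # e.g. python check_tls.py ldap.example.net 636
        host, port = sys.argv[1], int(sys.argv[2])
        print("strict :", probe_server(host, port, strict=True))
        print("relaxed:", probe_server(host, port, strict=False))
```

A service that fails with the strict profile but succeeds with the relaxed one is exactly the case the note describes: either the server side is updated to offer an AEAD ECDHE suite, or SSLParanoiac=0 is accepted on the firewall with the weaker suites that implies.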

TLS protocol and firewall services

Firewall services (LDAP, authentication, proxy, etc.) that use the TLS protocol now impose the use of TLS 1.2 or 1.3. Connection attempts in older versions of this protocol will no longer succeed.

Active Update

Use of internal mirror sites

If you use an internal Active Update mirror site, the packages hosted on your server must be replaced with packages signed by the new certification authority.

The Active Update mirror site can also be hosted on a Stormshield Management Center (SMC) server.

Find out more on using SMC as an Active Update distribution point.

Increased security for firmware updates

Security is now tighter during firmware updates. In addition to update packages being protected by signatures to ensure their integrity, Stormshield now also secures communications with the update servers used. These communications now take place in HTTPS and over port 443.

SN Real-Time Monitor (SNRTM)

SN Real-Time Monitor is not compatible with firewalls in version 4.3 LTSB.
Firewall monitoring must now be done via the Monitoring tab in the web administration interface.

Virtual firewalls

To update a firewall initially in version SNS 3.7 or higher to version 4.3 LTSB, follow the procedure for migrating a V/VS-VU virtual firewall to an EVA model.

Notable changes introduced between the last 3.7 LTSB version and the last 3.11 LTSB version

IPsec VPN and CRL

When the CRLRequired parameter is enabled in the configuration of a VPN policy, you must now have all the CRLs in the certification chain.

SSL VPN

Strengthened security

The level of security implemented during the negotiation and use of SSL VPN tunnels (OpenVPN) has been raised.

If you use the Stormshield VPN SSL client with automatic mode disabled, or another OpenVPN client, the configuration of SSL VPN clients must be changed accordingly. To do so, download the SSL VPN configuration from the captive portal of the SNS firewall that hosts the SSL VPN service and import it on the clients. With the Stormshield VPN SSL client in automatic mode, the client will automatically retrieve its configuration.

The new requirements to follow are:

  • Stronger authentication and encryption algorithms:
    • SHA256,
    • ECDHE-RSA-AES128-SHA256,
    • AES-256-CBC (except on SN160(W), SN210(W) and SN310 firewalls, which continue to use AES-128-CBC).
  • LZ4-based data compression (can be enabled or disabled),
  • Strict verification of certificates presented by the server (certificate name and "server" certificates).

If you are not using the Stormshield VPN SSL client, you must work with a recent version of OpenVPN (2.4.x) or OpenVPN Connect (smartphones and tablets) clients.

SSL VPN and certificates

In SSL VPN configurations that use certificates without the KeyUsage field, some external services may no longer be able to communicate with the firewall.

To authenticate peers (client or server) in TLS, Stormshield firewalls now only accept certificates that have the Key Usage field, i.e., certificates that comply with X.509 v3.