New firewall behavior

This section lists the changes made to the automatic behavior of the firewall when your SNS firewall in version 5.0.5 is updated from the latest 4.8 LTSB version available.

As SNS version 5 is a major version, it introduces new firewall behavior that may have significant impacts on configurations in a production environment. As such, you are strongly advised to carefully read the list of changes, as well as the requirements for the update to version 5,

Changes introduced in version 5.0.5

Obsolete features removed in version 5

Multi-user authentication (authentication with cookies) is obsolete and will be phased out in a future version. Replace it with the TS Agent method.

Changes introduced in version 5.0

Requirements for the update

  • After an update to SNS version 5.0.4 EA from SNS 4.3.41, and if the certificates that are used for IPsec VPN or SSL VPN services are TPM-protected, the TPM has to be resealed.
    For more information on the TPM, refer to the section Trusted Platform Module in the SNS user guide.
  • Attempts to update to version 5 are denied when the SSL VPN configuration uses algorithms other than AES-128-GCM, AES-192-GCM, AES-256-GCM and ChaCha20-Poly1305, or has compression enabled.
  • Attempts to update a firewall to version 5 are denied if the certificate used by the firewall has been signed with the obsolete SHA1 algorithm.
  • Attempts to update a firewall to version 5 will be denied if ClamAV is used.
  • In SNS version 5, the 3DES encryption algorithm is no longer available for IPsec configurations. Since IPsec configurations using this algorithm will not be successfully updated to version 5, edit your IPsec configuration and replace 3DES with another algorithm before the update.
  • Routing by interface is no longer available in SNS version 5: the system will prevent v4 configurations that use this feature from being migrated to SNS version 5.
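The requirements above are all conditions the update refuses to proceed under, so they are worth checking on the 4.x firewall before starting. The following script is an added example, not Stormshield's own tooling: the configuration is a hypothetical Python dict (the key names are assumptions, not the SNS file format), and the certificate check parses the "Signature Algorithm:" line as printed by `openssl x509 -noout -text` on a constructed sample.

```python
"""Pre-update checks for an SNS 4.x configuration before moving to SNS 5.

Added example. The configuration layout below (keys "sslvpn", "ipsec",
"firewall_cert_text", "antivirus", "routing_by_interface") is a hypothetical
representation built for this example, not Stormshield's own format. The
rules themselves are the update requirements from the release notes.
"""
import re

# SSL VPN algorithms that survive the update; anything else is a blocker.
ALLOWED_SSLVPN_ALGOS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "ChaCha20-Poly1305"}
# IPsec algorithms that no longer exist in SNS 5.
OBSOLETE_IPSEC_ALGOS = {"3DES"}

# Matches the "Signature Algorithm: sha1WithRSAEncryption" line of
# `openssl x509 -noout -text` output.
SIG_ALG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")


def signature_algorithm(openssl_text):
    """Return the first signature algorithm named in openssl text output, or None."""
    match = SIG_ALG_RE.search(openssl_text)
    return match.group(1) if match else None


def uses_sha1(sig_alg):
    """True when the signature algorithm name refers to SHA1 (e.g. sha1WithRSAEncryption)."""
    return sig_alg is not None and "sha1" in sig_alg.lower()


def preflight(config):
    """Return a list of human-readable blockers; an empty list means no blocker found."""
    blockers = []

    sslvpn = config.get("sslvpn", {})
    bad_algos = sorted(set(sslvpn.get("algorithms", [])) - ALLOWED_SSLVPN_ALGOS)
    if bad_algos:
        blockers.append(f"sslvpn: unsupported algorithms {bad_algos}")
    if sslvpn.get("compression"):
        blockers.append("sslvpn: compression enabled")

    for name, proposal in config.get("ipsec", {}).items():
        for alg in proposal.get("encryption", []):
            if alg.upper() in OBSOLETE_IPSEC_ALGOS:
                blockers.append(f"ipsec {name}: uses {alg}")

    sig = signature_algorithm(config.get("firewall_cert_text", ""))
    if uses_sha1(sig):
        blockers.append(f"certificate: signed with {sig}")

    if config.get("antivirus") == "clamav":
        blockers.append("antivirus: ClamAV in use")

    if config.get("routing_by_interface"):
        blockers.append("routing: routing by interface in use")

    return blockers


# Constructed sample of `openssl x509 -noout -text` output for a SHA1-signed certificate.
SAMPLE_CERT_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = example-ca
"""

# Constructed configuration that trips every check.
SAMPLE_CONFIG = {
    "sslvpn": {"algorithms": ["AES-256-GCM", "AES-128-CBC"], "compression": True},
    "ipsec": {"site-a": {"encryption": ["3DES", "AES-256"]}},
    "firewall_cert_text": SAMPLE_CERT_TEXT,
    "antivirus": "clamav",
    "routing_by_interface": True,
}

# Constructed configuration that is ready for the update.
CLEAN_CONFIG = {
    "sslvpn": {"algorithms": ["AES-256-GCM", "ChaCha20-Poly1305"], "compression": False},
    "ipsec": {"site-a": {"encryption": ["AES-256"]}},
    "firewall_cert_text": SAMPLE_CERT_TEXT.replace("sha1WithRSAEncryption", "sha256WithRSAEncryption"),
    "antivirus": "other",
    "routing_by_interface": False,
}

if __name__ == "__main__":
    for line in preflight(SAMPLE_CONFIG):
        print("BLOCKER:", line)
    print("clean config blockers:", preflight(CLEAN_CONFIG))
```

Each blocker maps to one requirement in the list above, so the output doubles as the remediation checklist: replace the algorithms, disable compression, re-sign the certificate with SHA-256 or better, switch the antivirus engine and rework routing before attempting the update.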

Certificates

A certificate is automatically generated the first time a firewall in SNS version 5 is started. This certificate is used by the firewall's TLS-based authentication services (web administration interface and captive portal) for firewalls in factory configuration, or when the captive portal's certificate has not been explicitly defined.

Replacement of an SNS firewall's connecting package

In SMC, you can generate a new connecting package at any time for a firewall that is already connected to SMC, but the firewall's web administration interface does not allow the replacement of a package that has already been installed. A CLI command can be used to replace a package. For more information, refer to the section Installing a new connecting package on an SNS firewall in the SNS user manual.

SSL VPN

  • After a firewall in factory configuration is updated to version 5, the Data Channel Offload (DCO) option is enabled by default when the SSL VPN service is used. If you plan to set up TCP-based SSL tunnels, we strongly recommend that you disable the DCO option, which is intended for UDP-based SSL tunnels, and does not contribute to better performance for TCP-based SSL tunnels.
  • Enabling the Data Channel Offload (DCO) option that uses the AES-256-GCM encryption suite for SSL VPN makes TheGreenBow VPN clients incompatible with the Stormshield SSL VPN feature.

Passwords

  • The password policy set on firewalls in factory configuration has been hardened. It now imposes a minimum length of 16 characters (previously 8), a mandatory combination of alphanumeric, uppercase, lowercase and special characters, and a minimum entropy of 64 (previously 20).
  • UTF-8 is now the character set used by the firewall to encode passwords for firewalls in factory configuration. This prevents connection issues over SSH when the password contains non-ASCII characters (e.g., "€", accented characters, etc.).
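To make the new factory password policy concrete, here is an added example of a checker for the stated rules (16-character minimum, all four character classes, entropy of at least 64), followed by the UTF-8 encoding step the second bullet refers to. It is not Stormshield's code: the release notes do not say how the firewall computes entropy, so the formula used here (password length times log2 of the size of the character pool the password draws from) is an assumption, as is reading "alphanumeric" as "at least one digit", since letters are already covered by the uppercase and lowercase rules.

```python
"""Checker for the SNS 5 factory password policy, as an added example.

Assumptions (not stated on the page): entropy is estimated as
len(password) * log2(pool size), where the pool is the sum of the sizes of
the ASCII character classes the password uses, plus one per character
outside those classes (e.g. "€"); "alphanumeric" is read as "contains a digit".
"""
import math
import string

MIN_LENGTH = 16          # previously 8
MIN_ENTROPY_BITS = 64    # previously 20

# name -> (set of members, pool size contributed when at least one member is present)
CLASSES = {
    "lowercase": (set(string.ascii_lowercase), 26),
    "uppercase": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "special": (set(string.punctuation), len(string.punctuation)),  # 32 characters
}


def estimate_entropy_bits(password):
    """Assumed entropy estimate: length * log2(pool), see module docstring."""
    chars = set(password)
    pool = 0
    for members, size in CLASSES.values():
        if chars & members:
            pool += size
    # Non-ASCII or otherwise unclassified characters each add one to the pool.
    pool += sum(1 for c in chars if not any(c in m for m, _ in CLASSES.values()))
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_password(password):
    """Return the list of policy rules the password fails; [] means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("min_length")
    chars = set(password)
    for name, (members, _) in CLASSES.items():
        if not chars & members:
            failures.append(f"missing_{name}")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        failures.append("min_entropy")
    return failures


def password_bytes(password):
    """Encode the password as UTF-8, the character set SNS 5 factory firewalls now use.

    With a legacy single-byte encoding, characters such as "€" cannot be
    represented, which is the SSH connection issue the release notes mention.
    """
    return password.encode("utf-8")


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ["Corr3ct-H0rse_Batt!", "aaaaaaaaaaaaaaaa", "Ab1!"]:
        print(f"{pw!r}: entropy={estimate_entropy_bits(pw):.1f} failures={check_password(pw)}")
    print(password_bytes("Pa€sword"))
```

Note that entropy alone is not enough: sixteen identical lowercase letters clear the 64-bit estimate under this formula but still fail the character-class rules, which is why the checker reports class failures separately.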

Automatic backups

When the automatic backup module is configured to use a certificate that is signed with the obsolete SHA1 algorithm, the certificate will be rejected and the automatic backup will be suspended without sending data for security reasons. An error message prompts the administrator to generate a new customized certificate that is signed using a secure algorithm.

URL/SSL filtering

The embedded URL database has been removed. To continue applying URL/SSL filtering, you can:

SNMP agent

  • Obsolete password encryption algorithms can no longer be selected in the SNMP v3 agent control panel. Only the AES-SHA2 (SHA256) algorithm is available by default. When a configuration using an algorithm other than SHA256 is updated to SNS version 5, a message appears, stating that the algorithm used is obsolete. The algorithm can now be changed through the CLI/Serverd command CONFIG SNMP USERV3.
    For more information, refer to the documentation of the command CONFIG SNMP USERV3.
  • SNMP tables with an index starting at 1 are now used by default, and older tables (index starting at 0) are tagged as obsolete. These older tables will be phased out in a future SNS version.
    When an SNS firewall that uses the older tables is upgraded to version 5 or higher, a warning appears, prompting the administrator to enable the new SNMP tables by following the procedure described in the SNS v5 user guide.
  • A message indicates that SNMP version 1 is obsolete. This version will be phased out in a future version of SNS.

EVAs (Elastic Virtual Appliances)

EVA firewalls in factory configuration are now equipped with a 4 GB /data partition, compared to 2 GB in previous SNS versions. This change does not apply to EVAs that were installed in an earlier version and updated to SNS version 5.

Explicit HTTP proxy

The explicit HTTP proxy is obsolete and will be removed in a future version of SNS.

Network captures

For security reasons, the permission required to make network captures is the "monitoring write" privilege (mon_write).

Alarms

The "Land style attack" alarm (ip:21 alarm) is no longer triggered in IPv6, and no longer generates a log entry. This protection is now provided in the firewall operating system kernel.

Objects

The maximum number of items that a group can contain is now limited to 3,000 objects. While configurations containing groups of more than 3,000 items can be updated to version 5, objects can no longer be added to such groups after an update.

Obsolete features removed in version 5

  • CRYPT, MD5, SMD5, SHA and SSHA hash functions for the internal LDAP directory,
  • MD4, MD5, RIPEMD-160 (rmd160), MD2 and MDC-2 hash functions, and the DES-EDE3-CBC encryption algorithm for SSL/TLS-based algorithms,
  • SNVM (Stormshield Network Vulnerability Manager),
  • PPTP (Point-to-Point Tunneling Protocol) VPN,
  • SSL VPN application portal (web application mode and Java applet),
  • ISDN modems (telephone modems connected by serial cable) are no longer supported.