Recommendations

Before you migrate an existing configuration to version 3 of the firmware, ensure that you have:

  • Read the Release notes of all intermediate versions,
  • Carefully read the section Known issues in the Stormshield Knowledge base (use the same login credentials as those for your MyStormshield client area),
  • Read the section Explanations on usage carefully,
  • Backed up the main partition on the backup partition and backed up the configuration.
IMPORTANT
Updating a firewall from a SNS 3.7 LTSB version to a 3.11 LTSB version introduces several technical changes implemented between these two version branches, which may modify the behavior of the updated firewall. Some of these technical changes include:
  • SNS 3.8.0 - Network: the stricter use of promiscuous mode may cause behavior to change in some configurations (Ethernet interfaces with at least one VLAN on which the MAC address has been forced, disabled Ethernet interfaces with one or several VLANs, Ethernet interfaces with one or several VLANs in a bridge, HA interfaces with one or several VLANs).
  • SNS 3.8.0 - SSL VPN: as some authentication algorithms are no longer supported for SSL VPN, the configuration of SSL VPN clients must be edited accordingly.
  • SNS 3.8.0 - IPsec VPN and CRL: when the CRLRequired parameter is enabled in the configuration of a VPN policy, the user must now possess all the CRLs in the certification chain.
  • SNS 3.10.1 - SSL VPN and certificates: in SSL VPN configurations that use certificates without the KeyUsage field, some external services may no longer be able to communicate with the firewall.
  • SNS 3.10.1 - Increased security during firmware updates: to ensure higher security during firmware updates, Autoupdate servers can now only be reached in HTTPS. If an updated firewall contains a specific rule to access this service, this rule must be edited so that it can continue to allow such traffic.
  • SNS 3.10.1 - System: when time zones are automatically refreshed at the start or end of daylight saving time, some time-sensitive authentication processes may stop functioning.

High availability and IPsec VPN (IKEv2)

In version 3.7.x, established IPsec tunnels would occasionally be renegotiated in clustered IPsec VPN configurations when the passive firewall was upgraded to version 3.9.x or higher.

MAC address management

MAC address management has been changed in version 3.8.0 in order to fix issues encountered when certain advanced interface configurations are applied.

As such, Stormshield now applies stricter use of promiscuous mode.

These changes may affect the behavior of the following configurations:

  • Ethernet interface with at least one VLAN on which the MAC address has been forced [1],
  • Disabled Ethernet interface with one or several VLAN(s),
  • Ethernet interface with one or several VLANs included in a bridge,
  • HA interface with one or several VLANs.

[1] High availability forces MAC addresses on one of the members of the cluster.

If any of these configurations concern you, check that all your network devices reference your firewall's real MAC address.

For further information, please refer to this article in the Stormshield Knowledge Base.

SSL protocol

From version 3.7.0 of the firmware onwards, encryption suites with a weak level of security (suites based on MD5, SHA1 and DES) are no longer available for the SSL protocol that the various firewall components (SSL VPN, SSL proxy, etc.) use.

For configurations that use these encryption suites, algorithms with a higher level of security must be chosen in order to migrate the firewall to an SNS 3.7.0 version or higher. Otherwise, the affected services will not run or will refuse to start.

IPsec VPN

Support reference 66421

Before upgrading the firewall to version 3, check your IPsec VPN configuration:

In the menu Configuration > VPN > IPsec VPN > Identification tab, check that the email addresses indicated in Mobile tunnels: Pre-shared keys are valid, or correct them if necessary.

If an address contains an error (e.g., product@stormshield or product@stormshield.e), the IPsec policy will fail to activate, returning the error message Failed to parse PSK list from slotfile.
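The two malformed addresses quoted above are the only examples the notes give; the exact grammar the firewall's PSK parser applies is not documented here. The following added pre-check (written for this page, not Stormshield code) therefore applies a conservative rule: exactly one "@", a non-empty local part, and a domain made of at least two well-formed labels ending in a top-level label of two or more letters. The sample identities are constructed; run it over an export of your own Mobile tunnels: Pre-shared keys list before migrating so that the policy does not fail to activate afterwards.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample identities in the style of the "Mobile tunnels: Pre-shared keys"
# list; none of these come from a real firewall configuration.
SAMPLE_PSK_IDENTITIES = [
    "product@stormshield.eu",               # valid
    "product@stormshield",                  # no dot in the domain part (example from the notes)
    "product@stormshield.e",                # top-level label too short (example from the notes)
    "product@.stormshield.eu",              # empty label in the domain
    "productstormshield.eu",                # missing '@'
    "  sales@branch-office.example.com  ",  # surrounding whitespace, otherwise valid
]

# Assumption: the firewall's own parser rule is not on the page, so this uses a
# conservative hostname grammar: labels of letters/digits/hyphens that do not start
# or end with a hyphen, and a top-level label of at least two letters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+[A-Za-z]{{2,}}$")


def check_identity(identity: str) -> Optional[str]:
    """Return None when the identity looks valid, otherwise a short reason."""
    s = identity.strip()
    if s.count("@") != 1:
        return "must contain exactly one '@'"
    local, domain = s.split("@")
    if not local:
        return "empty local part before '@'"
    if "." not in domain:
        return "domain has no dot"
    if not _DOMAIN_RE.match(domain):
        return "domain label or top-level label is malformed"
    return None


def check_psk_identities(identities: List[str]) -> List[Tuple[str, str]]:
    """Return (identity, reason) for every entry that fails the check, in input order."""
    problems = []
    for ident in identities:
        reason = check_identity(ident)
        if reason is not None:
            problems.append((ident.strip(), reason))
    return problems


if __name__ == "__main__":
    for ident, reason in check_psk_identities(SAMPLE_PSK_IDENTITIES):
        print(f"{ident!r}: {reason}")
```

An entry flagged here should be corrected in Configuration > VPN > IPsec VPN > Identification before the upgrade; an entry that passes is not guaranteed to be accepted, since the check is deliberately stricter than any rule the notes state.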

EVA (Elastic Virtual Appliances)

You are advised to set the memory of EVAs to at least 2 GB if you use the antivirus and sandboxing features frequently.

Extended Web Control

If synchronous mode has been enabled on the Extended Web Control URL filtering solution (X-CloudURL_Async=0 parameter in the [Config] section of the configuration file ConfigFiles/proxy), it must be disabled before upgrading the firewall to v3. To do so, delete the line containing the X-CloudURL_Async parameter.
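As an added example (not Stormshield's own tooling), the script below performs that edit on a copy of the file: it reports whether X-CloudURL_Async=0 is present in the [Config] section and removes only that line, leaving every other section and key untouched. The file content is a constructed sample; only the [Config] header and the X-CloudURL_Async key come from the notes, the other keys are placeholders. The INI-like layout (section headers in brackets, key=value lines) is assumed from the fragment the notes quote.

```python
import shutil
import sys
from typing import Optional, Tuple

PARAM = "X-CloudURL_Async"
SECTION = "Config"

# Constructed sample of a ConfigFiles/proxy file with synchronous mode enabled.
# "SomeOtherKey", "AnotherKey" and "[OtherSection]" are placeholders, not real parameters.
SAMPLE_PROXY_CONFIG = """\
[Config]
SomeOtherKey=1
X-CloudURL_Async=0
AnotherKey=example

[OtherSection]
X-CloudURL_Async=0
"""


def _section_of(line: str) -> Optional[str]:
    """Return the section name if the line is a [Section] header, else None."""
    s = line.strip()
    if s.startswith("[") and s.endswith("]"):
        return s[1:-1]
    return None


def get_config_value(text: str, key: str) -> Optional[str]:
    """Value of `key` inside the [Config] section, or None if absent."""
    section = None
    for line in text.splitlines():
        header = _section_of(line)
        if header is not None:
            section = header
        elif section == SECTION and "=" in line:
            k, v = line.split("=", 1)
            if k.strip() == key:
                return v.strip()
    return None


def synchronous_mode_enabled(text: str) -> bool:
    """True when the [Config] section contains X-CloudURL_Async=0."""
    return get_config_value(text, PARAM) == "0"


def remove_cloudurl_async(text: str) -> Tuple[str, int]:
    """Drop every X-CloudURL_Async line found in [Config]; other sections are left as-is.

    Returns (new_text, number_of_lines_removed)."""
    out, removed, section = [], 0, None
    for line in text.splitlines(keepends=True):
        header = _section_of(line)
        if header is not None:
            section = header
        elif section == SECTION:
            key = line.split("=", 1)[0].strip()
            if key == PARAM:
                removed += 1
                continue
        out.append(line)
    return "".join(out), removed


def migrate_proxy_file(path: str) -> int:
    """Back the file up as <path>.bak, rewrite it without the parameter, return lines removed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_text, removed = remove_cloudurl_async(original)
    if removed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return removed


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(f"removed {migrate_proxy_file(sys.argv[1])} line(s)")
    else:
        print("sync mode enabled:", synchronous_mode_enabled(SAMPLE_PROXY_CONFIG))
        new, n = remove_cloudurl_async(SAMPLE_PROXY_CONFIG)
        print(f"removed {n} line(s); still enabled: {synchronous_mode_enabled(new)}")
```

The removal is scoped to [Config] on purpose: the notes only describe the parameter there, and a blanket text substitution could alter a section with unrelated semantics. Run it against a copy first and compare with the original before touching the firewall's file.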

Updating a cluster with several high availability links

For clusters that implement more than one link dedicated to high availability, ensure that the main link is active before proceeding to upgrade to version 3.

SSO agent authentication method

In configurations using the SSO Agent authentication method, the SN SSO Agent must be migrated to a version equal to or higher than 1.4 before migrating the firewall's version.

The "Domain name" field must also be entered in the configuration of the SN SSO Agent before migrating the firewall. This domain name must match the actual name of the domain (e.g.: stormshield.eu) so that the SN SSO Agent can run.

Policy-based routing

If the firewall has been reset to its factory settings (defaultconfig) after a migration from version 1 to version 2 and then to version 3, the order in which routing is evaluated changes and policy-based routing [PBR] takes priority (policy-based routing > static routing > dynamic routing >…> default route). However, if the firewall has not been reset, the order of evaluation stays the same as in version 1 (static routing > dynamic routing > policy-based routing [PBR] > routing by interface > routing by load balancing > default route).

Filter policies and users

In previous versions of the firmware, the filter policy did not distinguish between users and groups. In version 3, support for multiple directories requires strict checks on users. Migrating a configuration to version 3 of the firmware may therefore generate warnings asking the administrator to re-enter users in the filter policy in order to avoid any ambiguity.