IMPORTANT
SNS 3.x versions have reached End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
Recommendations
Before you migrate an existing configuration to version 3 of the firmware, ensure that you have:
- Read the section Known issues carefully,
- Read the section Explanations on usage carefully.
- Perform a backup of the main partition towards the backup partition, and perform a configuration backup
SSL protocol
From version 3.7.0 of the firmware onwards, encryption suites with a weak level of security (suites based on MD5, SHA1 and DES) are no longer available for the SSL protocol used by the various firewall components (SSL VPN, SSL proxy, etc.).
For configurations that use these encryption suites, algorithms with a higher level of security must be chosen in order to migrate the firewall to an SNS 3.7.0 version or higher.
IPsec VPN
Support reference 66421
Before upgrading the firewall to version 3, check your IPsec VPN configuration as follows:
In the menu Configuration > VPN > IPsec VPN > Identification tab, check that the email addresses indicated in Mobile tunnels: Pre-shared keys are valid, or correct them if necessary.
If an address contains an error (e.g., product@stormshield or product@stormshield.e), the IPsec policy will fail to activate, returning the error message Failed to parse PSK list from slotfile.
SSO agent authentication method
In a configuration using he "SSO Agent" authentication method, the SSO agent has to be migrated to a version equal to or higher than 1.4 before migrating the firewall's version.
The "domain name" field must also be entered in the configuration of the SSO agent before migrating the firewall. This domain name must match the actual name of the domain (e.g.: stormshield.eu) in order to let the SSO agent run.
Microsoft Internet Explorer
The use of Microsoft Internet Explorer browsers, including version 11, may adversely affect user experience. You are therefore strongly advised to use the browsers listed in the Compatibility section.
Extended Web Control
If synchronous mode has been enabled on the Extended Web Control URL filtering solution (X-CloudURL_Async=0 parameter in the [Config] section of the configuration file ConfigFiles/proxy), it must be disabled before upgrading the firewall to v3. To do so, delete the line containing the X-CloudURL_Async parameter.
Updating a cluster with several high availability links
For clusters that implement more than one link dedicated to high availability, ensure that the main link is active before proceeding to upgrade to version 3.
Policy-based routing
If the firewall has been reset to its factory settings (defaultconfig) after a migration from a 1.x version to a 2.x version then to a 3.x version, the order in which routing will be evaluated will be changed and policy-based routing [PBR] will take over priority (policy-based routing > static routing > dynamic routing >…> default route). However, if the firewall has not been reset, the order of evaluation stays the same as in version 1 (static routing > dynamic routing > policy-based routing [PBR] > routing by interface > routing by load balancing > default route).
Filter policies and users
In previous versions of the firmware, the filter policy did not distinguish between users and groups. In version 3, support for multiple directories requires strict checks on users. Migrating a configuration to version 3 of the firmware may therefore generate warnings asking the administrator to re-enter users in the filter policy in order to avoid any ambiguity.