New features and enhancements in SNS 4.8.7

IPsec VPN

Support reference 85633

A firewall can now be forced to remain in responder mode for the whole lifetime of an IPsec VPN tunnel (the remote peer is always the initiator), by adding the token reauth=2 to the CLI/Serverd commands CONFIG IPSEC PEER NEW and CONFIG IPSEC PEER UPDATE.

For more information, refer to the CLI/Serverd reference for the commands CONFIG IPSEC PEER NEW and CONFIG IPSEC PEER UPDATE.

Detection of obsolete hash algorithms

Certificates that are signed with an obsolete hash algorithm (SHA-1 or MD5), or that are issued by a CA whose own certificate was signed with an obsolete hash algorithm, are now flagged:

  • By a warning message in the dashboard,

  • By an alert on the certificate in Configuration > Objects > Certificates and PKI.

A flagged certificate, or one issued under a flagged CA, should be re-issued with a SHA-2 family signature.
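The check described above, carried a little further as an added example (not Stormshield's code): a minimal DER walk that reads the outer signatureAlgorithm OID of each certificate in a chain and flags a SHA-1 or MD5 signature on the certificate itself or on any issuing CA above it. The OID tables are an assumption about which algorithms matter in practice, and the certificates built by fake_cert are constructed (a placeholder tbsCertificate under a real signature OID), not real certificates; real DER certificates, for instance from ssl.PEM_cert_to_DER_cert, can be passed to audit_chain directly because only the outer SEQUENCE is parsed.

```python
"""Flag X.509 certificates signed with SHA-1 or MD5, directly or via their CA.

Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
                           signatureAlgorithm SEQUENCE { OID, parameters },
                           signatureValue BIT STRING }
Only this outer layout is walked, so real DER certificates work as input.
"""

# Assumption: these are the SHA-1/MD5 based signature OIDs a firewall PKI will meet.
OBSOLETE_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-SHA1",
}
KNOWN_SIG_OIDS = {  # SHA-2 family, kept only to give readable output
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def read_tlv(buf, pos):
    """Parse the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode OID content octets (base-128 arcs) into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, pos, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, _, tbs_end = read_tlv(cert_der, pos)  # tbsCertificate is skipped whole
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_pos, _ = read_tlv(cert_der, tbs_end)  # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(cert_der, alg_pos)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(cert_der[oid_start:oid_end])


def audit_chain(chain_der):
    """Report (index, oid, name, obsolete) for each certificate, leaf first."""
    report = []
    for i, der in enumerate(chain_der):
        oid = signature_algorithm_oid(der)
        name = OBSOLETE_SIG_OIDS.get(oid) or KNOWN_SIG_OIDS.get(oid, "unknown")
        report.append((i, oid, name, oid in OBSOLETE_SIG_OIDS))
    return report


def chain_is_flagged(chain_der):
    """True if the leaf or any issuing CA in the chain uses an obsolete hash."""
    return any(obsolete for _, _, _, obsolete in audit_chain(chain_der))


# ---- constructed sample data: skeletons, not real certificates ----------------
def der(tag, body):
    """DER-encode one element with short or long form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def encode_oid(dotted):
    """Encode a dotted OID into its DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def fake_cert(sig_oid):
    """Certificate skeleton: placeholder tbsCertificate, real signature OID, dummy signature."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL parameters
    sig = der(0x03, b"\x00" + b"\xAA" * 4)
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Leaf signed with SHA-256, but issued by a CA whose certificate is SHA-1 signed.
    chain = [fake_cert("1.2.840.113549.1.1.11"), fake_cert("1.2.840.113549.1.1.5")]
    for i, oid, name, bad in audit_chain(chain):
        print(f"cert[{i}] {name} ({oid}) -> {'OBSOLETE' if bad else 'ok'}")
    print("chain flagged:", chain_is_flagged(chain))
```

The chain walk matters because a SHA-256 leaf is still flagged when its CA certificate carries a SHA-1 signature, which is exactly the second case the dashboard warning covers.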

IPsec encryption load balancing - Firewalls equipped with 2.5 GbE network cards

The IPsec encryption load balancing mechanism is now compatible with firewalls that are equipped with 2.5 GbE network cards.

Updating non-volatile memory (NVM) on 2.5 GbE i226 network cards

Support reference 85329

The non-volatile memory (NVM) on 2.5 GbE i226 network cards has been updated.

Energy Efficient Ethernet (IEEE 802.3az) can now be enabled on these cards. To do so, go to Configuration > Network > Interfaces, open the Advanced properties tab of the interface that you wish to configure, and select Enable IEEE 802.3az (EEE).

This update also allows 2.5 Gb/s ports to interconnect with 100 Mb/s ports.

Trusted Platform Module (TPM)

The operation of the TPM has been enhanced: the TPM sealing policy no longer takes into account the PCR (Platform Configuration Register) hash linked to the firewall's startup sequence. The procedure to initialize the TPM has been revised and is now performed with a dedicated wizard in the web administration interface. In an HA cluster, the passive firewall is resealed from the web administration interface of the active firewall. Firewalls that were sealed under the previous policy should be resealed in order to benefit from the new sealing policy.

For more information, refer to the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.

BACnet/IP

Services of the BVLL (BACnet Virtual Link Layer) and NPDU (Network Protocol Data Unit) layers of the BACnet/IP protocol can now be blacklisted or whitelisted in Configuration > Application protection > Protocols.