stormshield network elastic virtual appliances ......1....

GUIDE

STORMSHIELD NETWORK SECURITY

ELASTIC VIRTUAL APPLIANCESINSTALLATION GUIDE

Date: March 9, 2020

Reference: sns-en_EVA_Installation-Guide

Table of contentsGetting started 3

Checking requirements 4Requirements by virtual firewall model 4Requirements relating to the hypervisor 4

Registering a Stormshield product 5

Installing a virtual firewall 6Downloading the installation file 6Downloading the activation kit 6Deploying a virtual image on a VMWare platform 6Deploying a virtual image in Xenserver 8

Configuring the virtual firewall 9Initial installation wizard 9Activating the virtual firewall 10

Configuring virtual firewalls in HA on the vSphere hypervisor 11Explanation 12Solution 12Using the web administration interface 12Using the system console 12

Migrating a V / VS-VU model virtual firewall to an EVA model 14Precautions before migration 14Obtaining the serial number of an EVAmodel firewall 15Downloading the EVA activation kit 15Downloading an SNS version in 3.8.0 15Saving the existing virtual machine 16Upgrading the firewall's firmware version 16Adjusting memory on the virtual firewall 16Installing the new activation kit 16Checking themigration 17

Resolving issues 18

Help and support 19

In the documentation, Stormshield Network Security is referred to in its short form: SNS andStormshield Network in its short form: SN.

SNS - ELASTIC VIRTUAL APPLIANCES INSTALLATION GUIDE

/20 sns-en_EVA_Installation-Guide - 03/09/2019

Getting startedStormshield Network Elastic Virtual Appliances (EVA) replace V / VS-VUmodels.

Elastic Virtual Appliances:

l Automatically adapt their limits (maximumnumber of connections, rules, objects, IPSectunnels, etc.) according to the amount of memory allocated to the instance. An EVA1 machinewith 2 GB of RAM and an EVA2 machine with 2 GB of RAM therefore have the same limits (onlythe number of vCPU allowed differs).

l Facilitate the switch from onemodel to another with better performance by using their serialnumbers, which include a generic "VMSNS" prefix that is no longer dependent on themodel.

EVA firewalls require an SNS firmware version in 3.8.0 or higher.

Do note that in a factory configuration (new installation or reset to factory settings using thecommand defaultconfig), EVAs have two routed network interfaces (not together in a bridge).Furthermore, both of these interfaces are configured in DHCP by default.

The process of migrating from a V or VS-VUmodel firewall to an EVA is set out in the sectionMigrating a V / VS-VUmodel virtual firewall to an EVAmodel.

SNS - ELASTIC VIRTUAL APPLIANCES INSTALLATION GUIDEGETTING STARTED


Checking requirementsYou must be familiar with VMware, Xenserver, Microsoft Hyper-V or Linux KVM virtualenvironments in order to deploy virtual Stormshield firewalls.

The tables below set out all the technical requirements:

Requirements by virtual firewall model

Model Module ValueEVA1 RAM

HDDvCPU

max = 2 GB10 GB (2 GB swap)max = 1

EVA2 RAMHDDvCPU


EVA3 RAMHDDvCPU


EVA4 RAMHDDvCPU


EVAU RAMHDDvCPU


An EVAmust have at least 1 GB of memory. You are advised to set thememory to at least 2 GB ifyou use the antivirus and sandboxing analysis features frequently.

IMPORTANT

Before reducing the amount of memory of an EVA in production, ensure that the new limitsthat will be applied to it are compatible with the existing configuration.

Requirements relating to the hypervisor

The Number of interfaces column in the table represents the number of interfaces connected tothe virtual machine.

Version of the hypervisor Number of interfacesVMware ESX/ESXi Version 6.0 and higher Min. 1 interface

Max. 10 interfaces

Citrix Xen Server Version 7.1 and higher Min. 1 interfaceMax. 7 interfaces

Microsoft Hyper-V Windows Server 2012 and upwards Min. 1 interfaceMax. 8 interfaces

Linux KVM Linux 7.4 and upwards Min. 1 interfaceMax: depends on the Linux vendorchosen

SNS - ELASTIC VIRTUAL APPLIANCES INSTALLATION GUIDECHECKING REQUIREMENTS


Registering a Stormshield productTo register your product:

1. After having placed your order, check your mailbox in order to retrieve the e-mail containingyour serial number and password.

2. Log on to your private-access area (https://mystormshield.eu).

3. If this is your first time registering, you need to create a client account:

a. On the Mystormshield connection page, click on Create a new account.

b. Fill in the form that appears.

c. Confirm the data in the form by clicking on Create a new account.

4. Log on using your ID (e-mail address) and password.

5. Go to the Products > Register an SNS product menu.

6. Read and accept the conditions of use.

7. Fill in themandatory fields (Serial number, Password and Reseller).

8. Click on Register.

SNS - ELASTIC VIRTUAL APPLIANCES INSTALLATION GUIDEREGISTERING A STORMSHIELD PRODUCT


https://mystormshield.eu/

Installing a virtual firewallThe following steps need to be carried out in order to install the virtual firewall:

l Download the firewall's installation image,

l Download the activation kit including the license,

l Deploy the image on the virtualization platform,

l Create a base configuration of the firewall,

l Activate the firewall.

Downloading the installation file

Only one type of installation file is available for the entire EVA range. By default, themachineinstalled is an EVA1 firewall that embeds a temporary license.

The initialization kit (and the license that it contains) is what determines later whether it will be anEVA1, EVA2, EVA3, EVA4 or EVAU firewall.

The installation file exists in the four following formats:

l utm-SNS-EVA-version no..ova for VMWare platforms,

l utm-SNS-EVA-version no..openstack.qcow2.gz for Openstack-based platforms,

l utm-SNS-EVA-version no..kvm.qcow2.gz for KVM-based platforms,

l utm-SNS-EVA-version no..hyperv.vhd.zip for Microsoft Hyper-V platforms,

To download the installation file:

1. Log on to your private-access area on https://mystormshield.eu.

2. Go to the Downloads > Downloads > Latest Versions menu.

3. In the Stormshield Network Security - Firmware - V X.YZ window (with X.Y.Z higher than orequal to 3.8.0), select the installation image in the desired format.

4. Save this file on your workstation.

Downloading the activation kit

1. In your Mystormshield private-access area , go to Products > Product management.

2. Select themodel then serial number of your firewall from the list of registered firewalls.

3. In the Downloads window, indicate the activation kit version that you wish to install.

4. Click on the Download the activation kit link.


Deploying a virtual image on a VMWare platform

This procedure is an example based on a VMWare platform. You need to adapt it if you are usinganother virtual environment.

SNS - ELASTIC VIRTUAL APPLIANCES INSTALLATION GUIDEINSTALLING A VIRTUAL FIREWALL




1. Open the vSphere client from your administration workstation.

2. Enter the login parameters for vCenter Server:

l IP address / Name,

l User name,

l Password.

3. Click Connect.

4. Click on the File menu then on Deploy OVF template....

5. Click on Browse.

6. Select the access path of the .OVA file downloaded earlier (see section Downloading theinstallation file), then click on Next.

7. Read and accept the conditions of use, then click on Next.

8. Select the location of the inventory in which the virtual machine will be installed, then click onNext.

9. Select the Host/Cluster that will host the virtual machine, then click on Next.

10. Select the storage location, then click on Next.

11. Confirm the disk format by clicking on Next.

12. Select the network used by each interface of the virtual machine, then click on Next.

13. Fill in the form on the firewall's base configuration. This step is optional if you are deploying avirtual Stormshield Network Pay As You Go firewall :

Global configuration

l Customer ID: optional client identifier. Leave this field empty at this stage. You will fill it inlater when you deploy virtual Stormshield Network Security firewalls if you wish toassociate themwith a particular client.

l Hostname: firewall's name,

l Password: enter, then confirm the password of the firewall's admin account. Choose acomplex password that follows the recommendations given by organizations such asthe ANSSI.

Network interface 1 (out)

l Gateway: IP address of the firewall's default gateway (leave this empty if it is DHCP),

l IP address 1: IP address of the firewall's first network interface (indicate DHCP fordynamic address assignment),

l Netmask 1: network mask (leave this empty if it is DHCP).

Network interface 2 (in)

l IP address 2: IP address of the firewall's first network interface (indicate DHCP fordynamic address assignment),

l Netmask 2: network mask (leave this empty if it is DHCP).

14. Click on Next.

15. Confirm the configuration by clicking on Finish.The deployment of your Stormshield Network virtual firewall will automatically begin.



https://www.ssi.gouv.fr/guide/mot-de-passe/

Deploying a virtual image in Xenserver

1. Open XenCenter from your administration workstation.

2. Enter the login parameters for Xenserver:

l IP address/Name,

l User name,

l Password.

3. Click on the File > Import menu.

4. Select Browse and indicate the access path of the OVA file downloaded earlier (see sectionDownloading installation files).

5. Read and accept the conditions of use.

6. Complete the steps for the installation on Xenserver.

The Stormshield Network virtual firewall is now deployed in your virtual infrastructure.



Configuring the virtual firewallYou will now proceed to the configuration and activation of the Stormshield Network virtualfirewall.

Initial installation wizard

The operations described below are not necessary for machines deployed over VMWare if youhave filled in the form for the base configuration during the deployment (Step 19 in thedeployment of a virtual image in VMware). In this case, you can go on directly to the activation ofthe virtual machine.

In all other cases:

1. Select and start up the virtual firewall.

2. Access the Stormshield Network firewall’s administration console by going to the Console tab.

3. An initial wizard will help you in the configuration of your appliance:

a. Select the language of your keyboard:

b. Enter a password for the “admin” super-user and confirm it. Choose a complexpassword that follows the recommendations given by organizations such as the ANSSI:

c. The installation wizard will display the network parameters of each interface detected(DHCP by default) and offer to modify them if necessary:

SNS - ELASTIC VIRTUAL APPLIANCES INSTALLATION GUIDECONFIGURING THE VIRTUAL FIREWALL


https://www.ssi.gouv.fr/guide/mot-de-passe/

d. If you modify an interface's network parameters, indicate its IP address, subnet maskand default gateway in sequence:

e. The wizard will ask if you wish to manage the firewall from its “out” interface. Press"Enter" to accept:

The Stormshield Network firewall now has a base network configuration.

Activating the virtual firewall

By default the serial number of virtual firewalls is VMSNSX00Z0000A0. The activation of thefirewall will allow assigning themodel of the virtual firewall, its permanent serial number, itslicense as well as the subscribed options.

1. Open the web browser.

2. Log on to the firewall's web administration interface by entering the URL https://firewall_IP_address/admin.

3. Enter the name of the “admin” user as well as the password defined during the installation.

4. Go to the SystemUpdate tab in the System> Maintenancemenu.

5. Click on the selector to the right of the Select the update field and select the activation kitdownloaded earlier (*.maj file).

6. Click on Update firmware.Once the initialization kit has been installed, the firewall will restart.

SNS - ELASTIC VIRTUAL APPLIANCES INSTALLATION GUIDECONFIGURING THE VIRTUAL FIREWALL


Configuring virtual firewalls in HA on the vSpherehypervisor

Whenever you create a high availability firewall cluster in a VSphere environment, you mayencounter issues when attempting to connect to the cluster remotely in the followingarchitectures:

Firewalls hosted on the same ESX server and connected to vSwitches:

Firewalls hosted on two separate ESX servers and connected to vSwitches:

SNS - ELASTIC VIRTUAL APPLIANCES INSTALLATION GUIDECONFIGURING VIRTUAL FIREWALLS IN HA ON THE VSPHERE HYPERVISOR


Firewalls hosted on two separate ESX servers and connected to dvSwitches:

Explanation

Thanks to VMWare tools, the virtual switch (vSwitch/dvSwitch) automatically learns the MACaddresses of appliances connected to these ports.

Since both members of a Stormshield firewall cluster have the sameMAC address by default,when there are network packets for a particular MAC address, the virtual switch always sendsthem only to the firewall bearing this address regardless of its status in the cluster (active orpassive). Therefore, if the virtual switch (vSwitch/dvSwitch) sends packets to the passivefirewall, these packets will be automatically ignored.

Solution

The solution is to delete the MAC addresses imposed in the configuration of both firewalls. Performthis operation through the web administration interface or the firewall's system console.

Using the web administration interface

In the Network > Interfaces menu > Advanced properties tab > Physical (MAC) address field,delete all customized MAC addresses for network interfaces on virtual firewalls and apply yourchanges.

Using the system console

1. In the configuration file /usr/Firewall/ConfigFiles/network, delete all lines containing the entry"MacAddress=".

2. Next, type the system commands ennetwork and then hasync in order to apply thesechanges and synchronize the active firewall's configuration with the passive firewall'sconfiguration.



Depending on the network devices connected to the Stormshield Network firewalls, and mainlyaccording to their set ARP timeout values, more timemay be required to restore connections whenthe roles of the firewalls are changed within the cluster (active/passive).



Migrating a V / VS-VU model virtual firewall to anEVAmodel

Before you migrate a V / VS-VU firewall, ensure that it has a valid maintenance contract. Migrationis free for models purchased before March 5, 2019.

The following actions are required before you proceed with a migration.

l Obtain the serial number of an EVAmodel firewall,

l Download the EVA activation kit,

l Download an SNS firmware version in 3.8.0,

l Back up the existing virtual machine,

l Upgrade the virtual firewall to the version of the firmware downloaded earlier,

l If necessary, adjust thememory of the virtual firewall (according to the selected EVAmodel),

l Install the new activation kit.

Precautions before migration

Before you migrate your firewall to an EVAmodel, read the following information carefully:

Automatic cloud backups

If your firewall has been configured to send automatic backup files to your personalMystormshield area, back up your configuration locally before migrating your firewall.

Once the firewall's serial number changes during themigration procedure, all backup files relatingto the former serial number will no longer be available in your personal Mystormshield area.

Services associated with the firewall's serial number

SPNEGO authentication:

To configure SPNEGO authentication, you need a DNS entry in order to redirect the user to thefirewall's authentication service. For further information, refer to the technical note SSOConfiguration - Microsoft SPNEGO.

In most cases, this entry contains the firewall's serial number, so this DNS entry needs to bechanged to include the new serial number or a generic name instead of the serial number, suchasmyfirewall.mydomain.com.

SSL proxy:

The SSL proxy's default authority is generated using the firewall's serial number. After you migratethe firewall to an EVAmodel, the proxy will continue to run but presents a certificate with theName and Issuer fields corresponding to the former serial number.

High availability configuration (HA cluster)

In HA clusters, HAmust first be disabled before each member of the cluster is migrated to the EVAmodel.

To do so:

1. Apply version 3.8.0 to the “active” firewall in the cluster. This firewall will restart and become“passive”.

2. Shut down the second member of the cluster, which became “active”.

SNS - ELASTIC VIRTUAL APPLIANCES INSTALLATION GUIDEMIGRATING A V / VS-VUMODEL VIRTUAL FIREWALL TO AN EVA MODEL


https://documentation.stormshield.eu/SNS/v3/en/Content/SSO_configuration_-_Microsoft_SPNEGO/000-INTRODUCTION.htm

https://documentation.stormshield.eu/SNS/v3/en/Content/SSO_configuration_-_Microsoft_SPNEGO/000-INTRODUCTION.htm

3. On the firewall in version 3.8.0, in System> CLI console, run these commands:CONFIG HA STATE OFF

CLUSTER LIST

HA CLUSTER REMOVE SERIAL=Firewall1_serial_number

HA CLUSTER REMOVE SERIAL=Firewall2_serial_number

HA CLUSTER ACTIVATE

CONFIG HA ACTIVATE

4. Apply the EVA activation kit. The firewall will restart.

5. Log in to the firewall and create a new cluster.

6. Create a new EVA firewall, which will be the second member of the cluster.

7. As soon as it starts up, add it to the cluster created earlier.

The HA configuration generated accordingly will take into account the firewalls' new serialnumbers.

Obtaining the serial number of an EVA model firewall

To obtain the serial number of an EVAmodel firewall:

1. Get in touch with your Stormshield partner or reseller,

2. Give them the serial number of the V / VS-VUmodel firewall that you wish to migrate,

3. Follow your partner’s or reseller”s instructions until you get a PDF file containing the serialnumber of an EVAmodel firewall.

If you wish to migrate several models, you must obtain the corresponding number of serialnumbers. You can obtain all of these serial numbers in a single request to your Stormshieldpartner or reseller, but you must then migrate each firewall individually.

Downloading the EVA activation kit

With the activation kit, you can apply an EVAmodel and a new serial number to the virtualmachine:

1. In your personal Mystormshield area, go to Products > Product management,

2. Select themodel then serial number of your firewall from the list of registered firewalls,

3. In the Downloads window, indicate the version of the activation kit that you wish to install.

4. Click on the Download the activation kit link,


Downloading an SNS version in 3.8.0

Firewalls can only bemigrated to SNS firmware in version 3.8.0. When themigration is complete,you can upgrade your virtual firewall to a higher version.

1. Go to Downloads > Downloads > Latest Versions.

2. Expand the Stormshield Network Security - Firmware - 3.8.0 window.

3. Select the firmware update file corresponding to EVA / V / VS-VUmodels (fwupd-3.8.0-SNS-amd64-XL-VM.maj),





Saving the existing virtual machine

To retrieve your virtual machine if an incident occurs during themigration process, perform a fullbackup of your machine using one of the following methods:

l Method 1: Create a snapshot of your virtual machine on your virtualization platform,

l Method 2: Clone your virtual machine.

Upgrading the firewall's firmware version

Upgrade the firmware version of the firewall to the SNS 3.8.0 version downloaded earlier.

1. Log in to the firewall's administration interface: https://firewall_IP_address/admin,

2. Authenticate using the administrator account and the associated password,

3. Go to Configuration > System> Maintenance > System update tab.

4. Select the update file (*.maj extension) downloaded earlier.

5. Click on Update firmware.

The firewall will automatically restart to finish upgrading the firmware.

Adjusting memory on the virtual firewall

Depending on the chosen EVAmodel, the capacity of the virtual firewall's memory may need to beadjusted:


2. Authenticate using the administrator account and the associated password. A message willinform you that the firmware version installed requires themigration of the virtual firewall to anEVAmodel,

3. Go to Configuration > System> Maintenance > Configuration tab,

4. In the Maintenance window, click on Shut down the firewall,

5. When the virtual firewall is shut down, modify its memory capacity using themanagementtools on your virtualization platform,

6. Start up your virtual firewall.

Installing the new activation kit

After you install the activation kit retrieved earlier from your personal MyStormshield area, you willbe able to perform two operations simultaneously:

l Change the V / VS-VUmodel to an EVAmodel,

l Assign a new serial number to the firewall in the following format: VMSNSXXXXXXX.

To do so:


2. Authenticate using the administrator account and the associated password,

3. Go to Configuration > System> Maintenance > System update tab.

4. Select the activation kit (file format vminit-Firewall_Serial_Number.maj) in the field Select theupdate.

5. Click on Update firmware.

The firewall will automatically restart once the activation kit has been applied.



Checking the migration

Check that themigration has been properly carried out:


2. Authenticate using the administrator account and the associated password. Themessageinforming you that the firmware version installed requires themigration of the virtual firewall toan EVAmodel should no longer appear,

3. In the upper banner of the administration interface, check that the firewall model is an EVAand that its serial number is in VMSNSXXXXXXX format:

4. In the Properties widget of the Dashboard, check that the information concerning the EVAmodel and its applied/maximum capacities is shown,

5. You can now upgrade your EVAmodel to a firmware version higher than 3.8.0.



Resolving issuesSymptom: The serial number of my firewall is VMSNSX00Z0000A0 (default serial number).

Solution: Your Stormshield Network firewall has not been activated. Refer to the Activating thevirtual firewall section.

Symptom: Some features are not available.

Solutions:

l Check that the serial number of your firewall is not VMSNSX00Z0000A0. If this is so, thismeans that your firewall has not been activated. Refer to the Activating the virtual firewallsection.

l Your firewall has been activated. Check your license and the subscribed options by clickingon the System> Licensemenus in the firewall’s web administration interface.

SNS - ELASTIC VIRTUAL APPLIANCES INSTALLATION GUIDERESOLVING ISSUES


Help and supportTo get help regarding your product, you can refer to Stormshield's documentation portal:https://documentation.stormshield.eu/.

Stormshield has also set up a Technical Assistance Center offering several resources and tools toresolve technical problems on your firewall:

l A knowledge base that you can access using the same login credentials you use for yourMystormshield client area,

l A certified distribution network. You can therefore ask your reseller for advice,

For further information on technical assistance, please refer to the document StormshieldTechnical Assistance Center (TAC) Support Charter .

SNS - ELASTIC VIRTUAL APPLIANCES INSTALLATION GUIDEHELP AND SUPPORT


https://documentation.stormshield.eu/

https://kb.stormshield.eu/



SNS - ELASTIC VIRTUAL APPLIANCES INSTALLATION GUIDE

[email protected]

All images in this document are for representational purposes only, actual products may differ.

Copyright © Stormshield 2020. All rights reserved. All other company and product namescontained in this document are trademarks or registered trademarks of their respectivecompanies.

stormshield network elastic virtual appliances ......1....

Documents