SMC 3.5.3 fixes
SMC update
Support reference 85420
Configuration of translation rules
When translation rules are imported from a CSV file, the "random" value can no longer be used in the "nat_from_port_load_balancing" field if the "nat_from_port" field is empty.
If you have imported translation rules with this configuration, updating your firewall to version 3.5.3 will fix this inconsistency. If nothing was entered in the "nat_from_port" field, the value of the "nat_from_port_load_balancing" field will automatically be cleared.
Special characters "<", ">" and "@"
The presence of the characters "<" and ">" in the descriptions or comments of filter and NAT rules, separators and objects no longer causes SMC updates to version 3.5.x to fail. However, during the update to version 3.5.3, these characters will be deleted and the rest of the description or comment will be kept.
Likewise, the "@" character is now supported once again in the descriptions of rules and rule separators.
Active Update server
Support reference 85414
When the Active Update server feature was enabled on SMC, the two following issues could occur, and have been fixed:
- SMC would become unreachable when it could not connect to Stormshield update servers to download databases. When there are connection issues now, SMC remains accessible and an error will be reported in the server's logs.
- When the Active Update server feature was disabled, the automatic update of databases would continue. The automatic update is now disabled.
Network configuration
Changes to the dynamic routing configuration on the SNS firewall
Support reference 85427
You can now directly access the interface of an SNS firewall from SMC and change its dynamic routing configuration without SMC becoming unavailable, which used to occur in some cases.
Object database
Object database export
Support reference 85367
The object database can be exported once again to CSV files.
Filter and NAT rules
Importing the global rules of an SNS firewall
Support reference 85144
When a firewall's global rules are imported in SMC, if one of the rules uses an object containing a custom variable, the value of the firewall's variable no longer overwrites the value in SMC.
Rules applying to web services
Support reference 85251
When filter rules that apply to web services are imported via a CSV file, if some web services are not known to SMC, an error will now be generated for each web service that SMC does not recognize.
Synchronizing the connection in an HA cluster
Support reference 84975
In the Action menu of a filter rule, under the Advanced properties tab, the option Synchronize this connection between firewalls (HA) can now be unselected.
Importing the rules from a firewall into SMC
Support reference 84919
When the local rules of an SNS firewall were imported into SMC, the import would fail when a host object on the firewall and a DNS name (FQDN) object in SMC had the same name. Such rules can now be imported without overwriting the DNS name object.
Renaming of application protocols dcerpc and steam
Support reference 85307
The protocols dcerpc and steam, available in filter and NAT rules, have been renamed dcerpc_tcp and steam_udp to make them compatible with the naming system of such protocols on SNS firewalls.
Size of QoS Queue and QoS ACK Queue fields
Support reference 84935
The maximum size of the QoS Queue and QoS ACK Queue fields has been raised from 9 to 31 characters.
Do note that this change takes effect on firewalls from SNS version 4.3.0 onwards. The deployment of a configuration on a firewall in a version lower than 4.3.0 will fail if the value of the QoS Queue and QoS ACK Queue fields exceeds 9 characters.
Custom variables in filter rules
Support reference 84616
The "%" character can no longer be used in the Group name and Domain name fields in a filter rule's Source menu. Custom variables are therefore no longer supported in these fields.
Configuring SNS firewalls
Importing SNS firewalls via a CSV file
Support reference 85093
When firewalls were imported via a CSV file from the SMC web administration interface with the Generate connecting packages checkbox selected, the files required to generate packages could randomly become corrupted during the import. Connecting packages are now correctly generated when firewalls are imported via a CSV file.
Deploying VPN topologies
Support reference 85016
When a VPN topology that is based on X.509 certificate authentication is deployed, and if the Local IP address for CRL verification field is entered, this IP address is now correctly deployed on SNS firewalls that belong to the topology.
Direct access to a firewall interface
Support reference 83550
When you directly access a firewall's interface via SMC, the last page visited will be shown. If you access the interface for the first time, the main page of the firewall's administration interface will now appear. Previously, the last page visited on another firewall would be shown.