SNS 3.1.0 bug fixes

System

Authentication

Support reference 52192

Attempts to log on to the web administration interface via Google Chrome and SSL (certificate) or SPNEGO would not only fail but raise a brute force attack alarm as well. This issue has been fixed.

Support reference 56711

During the configuration of the Sponsorship method, the "Expiry of the HTTP cookie" field would not be automatically set to Do not use, thereby causing this authentication method to malfunction. This anomaly has been fixed.

Support reference 56595

Attempts to create new objects through the authentication policy wizard would fail and display a "?" instead of the object name. This issue has been fixed.

Support reference 59731

An encoding anomaly in sponsorship e-mails invalidated the validation link included in such e-mails. This anomaly has been fixed.

Objects

Support reference 58476 - 58944

Router objects and time objects were not retained during partial restorations of a configuration. This anomaly has been fixed.

Support reference 56113

Global objects embedded in a router object were not taken into account. This anomaly has been fixed.

Support reference 53218

Whenever an active and operational dialup (PPPoE, PPTP, PPP or L2TP modem) was embedded in a router object, the router object would not retrieve its state and would therefore consider it unreachable. This issue has been fixed.

Certificates and PKI

Support reference 59083

During the renewal of certificates via SCEP (Simple Certificate Enrollment Protocol) using the SCEP RENEW command, whenever the Distinguished Name (DN) of such a certificate contained more than one attribute of the same type (e.g. two OU attributes), only the first occurrence of that attribute would be kept after the operation. This anomaly has been fixed.
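As an added illustration of the defect class described above (this is not Stormshield's SCEP code), the Python below parses an RFC 4514 DN string into an ordered list of (type, value) pairs, which keeps every OU, and contrasts it with a representation keyed by attribute type, which silently keeps only the first occurrence and so rewrites the subject on renewal. The sample DN is constructed.

```python
from collections import OrderedDict

# Constructed sample DN in RFC 4514 string form; it deliberately repeats the
# OU attribute type, which is the case the fix above concerns.
SAMPLE_DN = r"CN=fw-branch-01,OU=network,OU=security,O=Example Corp,C=FR"


def split_unescaped(text: str, sep: str) -> list:
    """Split on sep, ignoring occurrences escaped with a backslash (RFC 4514)."""
    parts, current, escaped = [], [], False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def parse_dn(dn: str) -> list:
    """Parse a DN string into an ordered list of (type, value) pairs.

    Repeated attribute types are preserved; multi-valued RDNs joined with
    '+' are split into their individual attribute/value pairs.
    """
    pairs = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):
            attr_type, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed RDN: {ava!r}")
            pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def to_lossy_dict(pairs) -> "OrderedDict":
    """The defective representation: keyed by attribute type, so a second OU
    (or any repeated type) is dropped and only the first occurrence survives."""
    d = OrderedDict()
    for attr_type, value in pairs:
        d.setdefault(attr_type, value)  # keeps the first occurrence only
    return d


def rebuild_dn(pairs) -> str:
    """Serialise (type, value) pairs back to the RFC 4514 string form."""
    return ",".join(f"{attr_type}={value}" for attr_type, value in pairs)


def renewal_subject_roundtrip(dn: str, lossy: bool = False) -> str:
    """Simulate carrying a subject through a renewal step and rebuilding it.

    With lossy=False the subject survives intact; with lossy=True the
    type-keyed representation reproduces the bug described above.
    """
    pairs = parse_dn(dn)
    if lossy:
        pairs = list(to_lossy_dict(pairs).items())
    return rebuild_dn(pairs)


if __name__ == "__main__":
    print("correct :", renewal_subject_roundtrip(SAMPLE_DN))
    print("lossy   :", renewal_subject_roundtrip(SAMPLE_DN, lossy=True))
```

The check worth keeping from this is the round trip: after any operation that rebuilds a subject (renewal, re-enrolment, template expansion), compare the rebuilt DN against the original pair by pair rather than by attribute type.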

SSL VPN Portal

Support reference 51618

Connections to application servers through the SSL VPN portal application no longer functioned in version 3. This issue has been fixed.

SSL VPN

Support reference 58856

The maximum number of SSL VPN tunnels physically allowed on Netasq U model S series firewalls was lower than the expected number of tunnels. This anomaly has been fixed.

Support reference 52972 - 53289

An issue that could prevent new SSL VPN tunnels from being set up (connection blocked at the "GET CONF" stage) has been fixed.

Proxies

Support reference 52034

Whenever a filter rule used the explicit proxy, the authentication rules contained in the filter policy would not take into account this proxy's different listening port (TCP/8080 by default). This anomaly has been fixed.

Support reference 55700

An anomaly regarding the maximum length of a user name and domain that make up an email address has been fixed.

Support reference 54003

The HTTP proxy would mistakenly consider some downloads as partial downloads. This anomaly has been fixed.

Support reference 56464

An anomaly in the parsing of the data following the domain name in the EHLO command would wrongly cause the corresponding SMTP traffic to be blocked.

Support reference 52848

After sandboxing an email, the name of the attachment referenced in the logs would be wrong. This issue has been fixed.

Support reference 49996

An anomaly in the handling of Internet Content Adaptation Protocol (ICAP) responses in Request Modification (reqmod) mode would cause either excessive memory consumption or a hang of the HTTP proxy.

Support reference 57326

Whenever an e-mail contained a wrong end-of-line command in its data, the connection would be reset only between the client and the firewall while the server would have to wait until the connection timed out. This anomaly has been fixed.

Support reference 58824

Whenever a client sent a RESET command to the mail server, the connection would be reset only between the client and the firewall while the server would have to wait until the connection timed out. This anomaly has been fixed.

Support reference 56475

Whenever an e-mail contained a sender or recipient address exceeding the size defined by the RFCs (local part or domain name), the proxy would fail to shut down the connection after sending the error message ("553 Localpart too long" or "553 Domain name too long"). This issue has been fixed.
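The three SMTP proxy items above (client-side reset, bad end-of-line handling and oversized addresses) share one failure mode: the proxy ends the exchange on one leg and leaves the other peer waiting. The Python below is an added example, not the product's proxy code: a minimal two-leg SMTP proxy session that applies the RFC 5321 size limits (section 4.5.3.1: 64 octets for the local part, 255 for the domain), sends the 553 reply quoted above on a violation, and then closes both the client and the server leg. The "553 Invalid address" reply for a malformed path, the session model and all sample addresses are constructed for the example.

```python
# RFC 5321 section 4.5.3.1: maximum sizes an SMTP implementation must accept.
MAX_LOCAL_PART = 64   # octets
MAX_DOMAIN = 255      # octets


def check_address_limits(address: str):
    """Return None if the address respects the RFC 5321 limits, otherwise the
    553 reply text the item above quotes."""
    if address == "":
        return None  # the null reverse-path (MAIL FROM:<>) is valid
    local, at, domain = address.rpartition("@")
    if not at:
        return "553 Invalid address"  # constructed reply for a malformed path
    if len(local.encode("utf-8")) > MAX_LOCAL_PART:
        return "553 Localpart too long"
    if len(domain.encode("utf-8")) > MAX_DOMAIN:
        return "553 Domain name too long"
    return None


class SmtpProxySession:
    """Two-leg proxy session: client <-> proxy <-> server.

    Each leg is modelled as an open/closed flag plus the lines sent on it,
    which is enough to show whether the server leg is torn down with the
    client leg.
    """

    def __init__(self):
        self.client_open = True
        self.server_open = True
        self.to_client = []   # replies the proxy sent to the client
        self.to_server = []   # commands the proxy relayed to the server

    def close_both_legs(self):
        # The corrected behaviour: close the server leg as well instead of
        # leaving the server to wait for its own connection timeout.
        self.client_open = False
        self.server_open = False

    def on_client_command(self, line: str):
        """Inspect one client command; relay it or reject it and close."""
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("MAIL", "RCPT"):
            start, end = arg.find("<"), arg.rfind(">")
            if start == -1 or end == -1 or end < start:
                self.to_client.append("501 Syntax error in parameters")
                return
            error = check_address_limits(arg[start + 1:end])
            if error:
                self.to_client.append(error)
                self.close_both_legs()
                return
        # Anything acceptable is relayed unchanged to the server leg.
        self.to_server.append(line)


if __name__ == "__main__":
    session = SmtpProxySession()
    session.on_client_command("MAIL FROM:<" + "a" * 65 + "@example.com>")
    print(session.to_client, "server_open =", session.server_open)
```

The point the tests pin down is the pairing of the error reply with the teardown of both legs; a proxy that only replies 553 and closes the client socket reproduces the bug described above.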

Support reference 59420

The proxy would occasionally refuse to run on a firewall using a filter rule with at least one of its log destination checkboxes unselected (Advanced properties tab in the Action module in the filter rule editing window). This issue has been fixed.

Resetting to factory configuration

Support reference 58567

The help provided with the reset script (defaultconfig) gave the wrong description for the "-D" option ("Only restore the data partition on G2 hardware"). This anomaly has been fixed; the option is now described as "Only restore the data partition".

Proxies - SN910 model firewalls

Support reference 56394

Limits on the number of connections allowed for proxies (HTTP, SSL, SMTP, POP3 and FTP) on SN910 model firewalls were incorrect. They have been increased in order to match this model's actual performance.

IPsec

Support reference 57286

In configurations that contain a site-to-site IPsec tunnel and an anonymous IPsec policy (nomad users), disabling the site-to-site tunnel (tunnel status off) would not delete the peer from the IPsec configuration file. This anomaly, which would cause nomad connections to malfunction, has been fixed.

IPsec (IKEv2)

Support reference 54831

During Phase 1 renegotiations of IPsec tunnels in IKEv2, the IPsec engine would destroy the existing SA (Security Association) as well as child SAs before negotiating the new SA.

Since this could cause significant packet loss, the behavior of the engine has been modified so that it negotiates the new SA first before destroying older ones.

Support reference 59152

An issue that could prevent the setup of IPsec IKEv2 tunnels to SN150 model firewalls has been fixed.

Support reference 59280

The number of IKE SAs for the same IPsec IKEv2 tunnel would increase over time without diminishing the number of unused SAs. This anomaly has been fixed.

High availability

Support reference 56268

Whenever an interface was added to or deleted from an aggregate (LACP), the change was not applied in the quality indicator in the high availability mechanism. This anomaly has been fixed.

Support reference 57056

An optimization in the parameters that detect the loss of an active firewall due to electrical issues (ConsensusTimeout parameter) has considerably shortened the time taken for a cluster to switch.

Support reference 56613

After the high availability management engine was restarted several times unexpectedly, the associated tokens would not be deleted. The token table could then become saturated, preventing other services on the firewall from starting. This issue has been fixed.

Support reference 56478

Instability in the data synchronizer would cause the high availability management service to restart in a loop. As a result of this malfunction, the passive firewall could potentially switch to active mode, making both firewalls in the cluster active. This issue has been fixed.

Support reference 50048

Changing roles after the active member of the cluster has been restarted could cause the IPsec tunnels negotiated by both members of the cluster to be desynchronized.

Support reference 54289 - 58842

After the roles of the firewalls in a cluster were switched, whenever active connections were restored, the parent-child relationship between these connections (control connection / data connection) would not be kept. Data traffic for protocols such as FTP would therefore not be transferred. This issue has been fixed.

Application protection

Support reference 55076

In configurations that use the Kaspersky antivirus engine, scanning zip bomb files could cause the temporary partition to saturate, leading in turn to a significant CPU load and resulting in an analysis error. This issue has been fixed.

Filter - NAT

Support reference 56570

Whenever the name entered for a filter rule exceeded the maximum length allowed, the length allowed would not be specified in the error message. This anomaly has been fixed and it now indicates that names must not exceed 255 characters.

Support reference 56672

When scrolling over a service group used in a filter rule, the tooltip that sets out all the services included in the group would not appear. This anomaly has been fixed.

Support reference 58535

When scrolling over a service used in a filter rule, incomplete information would be given in the tooltip. This anomaly has been fixed.

Support reference 59297

When scrolling over an IP address range network object used in a filter rule, the tooltip would wrongly display the message "Object not found". This anomaly has been fixed.

Policy-based routing (PBR)

Support reference 55190

In a configuration such as the following:

  • A static route is applied to a network,
  • A filter rule implements policy-based routing (PBR) to the same network for a particular port,
  • Address translation is applied when packets leave the firewall,

reloading filter rules would prevent connections matching the PBR rule from being set up.

Dynamic DNS

Support reference 50977

Changes to the firewall's IP address were no longer sent to the Dynamic DNS provider whenever the SSL protocol was used, and verification of this provider's certificate would also fail. This issue has been fixed.

Configuration

Support reference 55728

Changes made to the name of the firewall (System > Configuration module) were neither applied to the sender name of e-mail alerts nor reflected in the SN Real-Time Monitor dashboard. This anomaly has been fixed.

System events

Support reference 56734

The report generated whenever a brute force attack was blocked would not contain the blocked source IP address. This anomaly has been fixed.

Network

VLAN

Support reference 57328

The firewall would not correctly send the last fragment of a UDP packet meant to go through a VLAN to the parent interface of the VLAN. This issue has been fixed.

Virtual interfaces

Support reference 53881

Whenever a GRE virtual interface that was initially created as inactive was assigned an IP address, its change in status would not immediately be applied in the web administration interface. The user would therefore need to change modules before going back to the virtual interface module in order to view this change. This anomaly has been fixed.

Support reference 58685

Outbound throughput statistics of virtual IPsec interfaces would always display a null value. This anomaly has been fixed.

Intrusion prevention

Support reference 57396

For certain streams of traffic that always use the same source port, whenever they passed through a rule in firewall or IDS mode, resetting the first connection would prevent the setup of the connections that immediately follow. These connections would, in fact, have been considered reset as well. This issue has been fixed by allowing the same source port to be reused in firewall and IDS modes (TCP Closed FastReuse).

TeamViewer application

Support reference 53011 - 58465

After an upgrade of the TeamViewer application, the IPS scan of traffic relating to this application would wrongly set off an "Unknown SSL protocol" block alarm. This issue has been fixed.

RTSP (Real-Time Streaming Protocol)

Support reference 53094

The intrusion prevention system would wrongly block the Scale header in the Play method. This anomaly has been fixed.

HTTP

Support reference 51867

In configurations that use policy-based routing (PBR) for HTTP traffic, enabling the Apply the NAT rule on scanned traffic option (Global configuration of HTTP in the Application protection > Protocols module) would cause the incorrect routing of packets generated by the proxy.

Support reference 53640

As the YouTube for Education filter mechanism is no longer active, it has been replaced with the YouTube restrictions mechanism. This new mechanism can be enabled and configured (strict or moderate restriction) in the IPS tab in HTTP (Application protection > Protocols module).

SIP

Support reference 58409

The maximum number of child connections allowed for SIP has been increased in order to allow:

  • 127 simultaneous calls on U30S, U70S, SN150, SN160(W), SN200, SN210(W), SN300 and SN310 models,
  • 1023 simultaneous calls on other models,

instead of 16 as was previously the case on all models.

ICMP

Support reference 53886

Whenever several ICMP requests were received or sent with the same identifier, the same sequence number and different data, the firewall would not take into account the reply packets to the first request and would block the requests that followed ("ICMP ECHO payload modified" alarm). This anomaly has been fixed.
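As an added example in Python (this is not Stormshield's IPS engine), the tracker below keys outstanding echo requests on (source, destination, identifier, sequence) and remembers every payload sent under that key, so two requests that share identifier and sequence but differ in data each match their own reply, and the alarm named above is raised only for a reply whose payload matches none of the pending requests. A tracker that stores a single payload per (identifier, sequence) reproduces the defect described above. Addresses and payloads are constructed.

```python
from collections import defaultdict

ALARM_PAYLOAD_MODIFIED = "ICMP ECHO payload modified"


class EchoTracker:
    """Tracks outstanding ICMP echo requests per flow and validates replies.

    Several requests may legitimately share identifier and sequence number
    (for example when a sender reuses them with different data), so every
    distinct pending payload is kept and each reply consumes exactly one.
    """

    def __init__(self):
        self.outstanding = defaultdict(list)  # key -> list of pending payloads
        self.alarms = []

    def request(self, src, dst, ident, seq, payload):
        """Record an echo request; returns the verdict for the packet."""
        self.outstanding[(src, dst, ident, seq)].append(payload)
        return "pass"

    def reply(self, src, dst, ident, seq, payload):
        """Validate an echo reply against the requests it could answer."""
        # A reply travels in the opposite direction of the request it answers.
        key = (dst, src, ident, seq)
        pending = self.outstanding.get(key)
        if not pending:
            return "drop"  # no matching request: unsolicited reply
        if payload in pending:
            pending.remove(payload)  # consume exactly one matching request
            if not pending:
                del self.outstanding[key]
            return "pass"
        # A request with this id/seq exists but none carried this payload.
        self.alarms.append((key, ALARM_PAYLOAD_MODIFIED))
        return "block"


def run_scenario():
    """Replay the situation from the item above plus a tampered reply.

    Constructed traffic: host 10.0.0.5 pings 10.0.0.1 twice with the same
    identifier and sequence but different data, both replies come back, then
    a later reply arrives with data that matches no pending request.
    """
    tracker = EchoTracker()
    verdicts = [
        tracker.request("10.0.0.5", "10.0.0.1", 0x1234, 1, b"AAAA"),
        tracker.request("10.0.0.5", "10.0.0.1", 0x1234, 1, b"BBBB"),
        tracker.reply("10.0.0.1", "10.0.0.5", 0x1234, 1, b"AAAA"),
        tracker.reply("10.0.0.1", "10.0.0.5", 0x1234, 1, b"BBBB"),
        tracker.request("10.0.0.5", "10.0.0.1", 0x1234, 2, b"CCCC"),
        tracker.reply("10.0.0.1", "10.0.0.5", 0x1234, 2, b"XXXX"),  # tampered
    ]
    return verdicts, list(tracker.alarms)


if __name__ == "__main__":
    print(run_scenario())
```

The first four verdicts pass because each reply is matched by payload rather than by identifier and sequence alone; only the final reply, whose data matches no pending request, raises the alarm.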

Web administration interface

SSL protocol

Support reference 54459

Whenever a checkbox was selected in the SSL negotiation section of a given profile, and such a change was applied, the same checkbox would be selected in all profiles by mistake. This issue has been fixed.

Monitoring - Reports - Audit logs

Reports

Support reference 56766

On firewall models that do not have log partitions (diskless models), an anomaly with the checkbox for enabling reports (Local storage tab in the Notifications > Logs - Syslog - IPFIX module) has been fixed.

Monitoring

Support reference 57247

Whenever reports and history graphs were both disabled (Notifications > Report configuration module), history graphs covering the past 30 days could not be displayed. This issue has been fixed.

Logs

Support reference 53352

Commands to monitor inactive services on the firewall (MONITOR POWER, MONITOR FWADMIN, …) were wrongly logged in the l_server log file. This anomaly has been fixed.

Multicast routing

Support reference 54926

User accounts holding all administration privileges were unable to apply configuration changes made in the Network > Multicast routing module (error message "There is nothing to save"). This anomaly has been fixed.

Stormshield Network Real-Time Monitor

Users

Support reference 58502 - 57414

The command to delete users, available via the pop-up menu (right-click) in the Users module, no longer worked. This issue has been fixed.