IMPORTANT
SNS 3.x versions have reached End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SNS 3.10.1 bug fixes
System
SSL proxy
Support reference 74927
To prevent compatibility issues with embedded programs or certain browsers, especially in iOS 13 and macOS 10.15, the size of certificate keys that the SSL proxy generates for SSL connections has been raised to 2048 bits.
IPsec VPN
Support reference 73609
Certificates of IPsec VPN peers are now displayed in the administration interface of the firewall even when they are deployed via SMC.
Support references 74551 - 74456
An anomaly in the IPsec function key_dup_keymsg(), which would generate the error "Cannot access memory at address" and cause the firewall to shut down suddenly, has been fixed.
IPsec VPN (IKEv1 + IKEv2)
Support reference 73584
In configurations that use both IKEv1 and IKEv2 peers, the UID (LDAP) and CertNID fields used for authentication are now applied, so user privilege checks for IPsec tunnel setup are no longer ignored.
Support reference 72290
On firewalls that host IKEv1 and IKEv2 peers, groups belonging to users who set up mobile IKEv1 tunnels with certificate authentication and XAUTH are now taken into account.
Support reference 74425
A parameter could prevent ResponderOnly mode from running properly whenever Dead Peer Detection (DPD) was enabled. This anomaly has been fixed.
Support reference 75303
When the Bird dynamic routing engine (bird for IPv4 or bird6 for IPv6) was restarted too often, it would cause the IKE daemon to malfunction, preventing IPsec VPN tunnels from being negotiated. This anomaly has been fixed.
IPsec VPN (IKEv2 / IKEv1 + IKEv2)
Support reference 74391
When an extremely large CRL (containing several thousand revoked certificates) is automatically reloaded, the IPsec IKEv2 tunnel manager no longer restarts in a loop.
Support reference 68796
In configurations that use IKEv2 IPsec policies or which combine IKEv1 and IKEv2, the firewall would sometimes fail to send a network mask to the Stormshield IPsec VPN client when it set up the mobile tunnel in config mode. The network mask that the IPsec client arbitrarily chose would then occasionally conflict with the local network configuration on the client workstation.
The firewall now always sends the network mask /32 (255.255.255.255) to the IPsec VPN client for mobile tunnels in config mode.
High availability
When an alias is added to an existing network interface, firewalls in an HA cluster no longer switch over.
High availability and monitoring
Support reference 73615
A memory leak has been fixed in high availability configurations with monitoring enabled.
Initial configuration via USB key
Firmware can now be updated again via USB key.
Certificate-based authentication
A content check has been applied to some parameters used in the creation of cookies.
Serial port - File editors
Support reference 72653
A display bug that occurred during the use of Joe / Jmacs editors via serial link has been fixed.
SNMP
Support reference 71584
The use of the value snmpEngineBoots has changed in order to comply with RFC 3414.
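The page does not detail what changed on the firewall, but the RFC 3414 rule it refers to is the SNMPv3 USM time window: snmpEngineBoots must increase on every reboot (saturating at 2^31-1) and a message is only accepted if its boots value matches and its engine time is within 150 seconds. The following added example (not Stormshield code; engine model and scenario are constructed) implements that check and shows why a correctly maintained boot counter defeats replay of a request captured before a reboot.

```python
# Added example (not Stormshield code): RFC 3414 timeliness check for SNMPv3 USM.
MAX_BOOTS = 2147483647  # 2^31 - 1: once reached, every message is out of the time window
TIME_WINDOW = 150       # seconds of tolerated skew, RFC 3414 section 2.2.2


def in_time_window(local_boots, local_time, msg_boots, msg_time):
    """True if a message's (boots, time) is acceptable to an engine whose
    current notion of the authoritative engine is (local_boots, local_time)."""
    if local_boots == MAX_BOOTS:
        return False
    if msg_boots != local_boots:
        return False
    return abs(msg_time - local_time) <= TIME_WINDOW


class AuthoritativeEngine:
    """Minimal constructed model of the authoritative side (the agent, e.g. a firewall)."""

    def __init__(self, boots=0):
        self.boots = boots   # snmpEngineBoots, persisted across reboots
        self.time = 0        # snmpEngineTime, seconds since the last boot

    def tick(self, seconds):
        self.time += seconds

    def reboot(self):
        # RFC 3414: increment on every reboot and saturate at 2^31-1
        self.boots = min(self.boots + 1, MAX_BOOTS)
        self.time = 0

    def accept(self, msg_boots, msg_time):
        return in_time_window(self.boots, self.time, msg_boots, msg_time)


def replay_after_reboot_rejected():
    """Constructed scenario: a request captured before a reboot is replayed after it.
    Returns (accepted before reboot, accepted after reboot)."""
    agent = AuthoritativeEngine(boots=4)
    agent.tick(1000)
    captured = (agent.boots, agent.time)      # (4, 1000): valid right now
    accepted_before = agent.accept(*captured)
    agent.reboot()                             # boots -> 5, time -> 0
    agent.tick(1000)                           # engineTime is back to 1000 ...
    accepted_after = agent.accept(*captured)   # ... but boots no longer match
    return accepted_before, accepted_after
```

If the boot counter were not incremented, the second call would be accepted, since engineTime alone repeats after every reboot.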
Support reference 72984
When a whitelisted user in the SNMP protocol configuration runs an SNMP operation, the “Prohibited SNMP user name” alarm is no longer raised.
SLD daemon
Support references 69577 - 73026
Running the SLD process would sometimes consume an excessive amount of memory resources. This anomaly has been fixed.
Filter - NAT
Support reference 76346
When the “Enable the SYN proxy” option was enabled, it would occasionally generate an error when filter rules were confirmed or edited, making it impossible to use this option. This anomaly has been fixed.
Network
Static routing
Support reference 72938
On the incoming interface of a bridge, policy-based (PBR) routing instructions now take priority over the option to keep initial routing. This new order of priority does not apply to DHCP responses when the IPS automatically adds the option to keep initial routing.
Support reference 72508
Router objects with load balancing that have been configured as the default gateway on the firewall would sometimes override static routes. As a result of this, connections would be initiated from the firewall with the wrong source IP address. This anomaly has been fixed.
Web administration interface
Static routing
Support references 73316 - 73201
In the Network > Routing module, the IPsec interface can now be selected again during the definition of a static route.
Special characters
Support references 68883 - 72034 - 72125 - 73404
A bug during the conversion of special characters to UTF-8 (e.g. Asian or accented characters) would sometimes generate XML errors and prevent affected modules, such as filtering and NAT, from being displayed. This anomaly has been fixed.
Certificates and PKI
Support reference 74111
CRLs containing several thousand revoked certificates would fail to display correctly on some firewall models. This anomaly has been fixed; now only the first 1000 items are displayed.
Automatic backups - Cloud Backup
Support reference 73218
Configuration backups could no longer be restored from Cloud Backup since version 3.5.0. This anomaly has been fixed.
Proxy
Support reference 71870
The proxy no longer shuts down unexpectedly whenever the SSL proxy is used and the maximum number of simultaneous connections is reached.
Support reference 74427
When the certification authority of the SSL proxy expired, the firewall would sometimes keep unnecessarily attempting to generate new keys for some events, e.g., when reloading the filter policy or network configuration, or when changing the date on the firewall. This would cause excessive CPU usage.
Support reference 66508
The proxy no longer shuts down unexpectedly when an HTTP header analysis fails.
Support references 70598 - 70926
The behavior of the HTTP proxy has been changed so that the SLD process on the firewall will no longer be overwhelmed when too many requests are redirected to the authentication portal.
Support references 70721 - 74552
Memory consumption is now optimized when the proxy is used.
Intrusion prevention
Static routing
Support reference 73591
Enabling verbose mode on the intrusion prevention engine that analyzes some protocols (DCE RPC, Oracle, etc.) no longer causes the firewall to suddenly reboot.
SIP
Support references 74771 - 75108
When a sent SIP packet and its reply contained a field with an anonymous IP address, and the 465 alarm "SIP: anonymous address in the SDP connection" was configured to “Pass”, the firewall would restart unexpectedly. This anomaly has been fixed.
HTTP
The HTTP plugin analysis no longer raises an alarm or blocks traffic when there is an empty field in the HTTP header, especially when SOAP messages are encapsulated in an HTTP request.
TDS protocol
The intrusion prevention engine would occasionally generate false positives during the analysis of TDS (Tabular Data Stream) packets.
Trusted Platform Module (TPM)
Support reference 76181
When the IKEv2 / IKEv1 + IKEv2 IPsec tunnel manager retrieves the encryption key stored on the TPM, it no longer causes memory leaks.
Support reference 76181
An anomaly in a function would sometimes cause a shortage of handles, or object identifiers, used for authentication on the TPM, making communication impossible with the TPM. This anomaly has been fixed.