SNS 3.11.1 LTSB bug fixes

System

IPsec VPN (IKEv1)

Support reference 75824

Whenever a remote peer switched to its backup peer (designated as the “Backup configuration”), the IKE daemon would sometimes restart unexpectedly and shut down open IPsec tunnels. This anomaly has been fixed.

Support reference 77358

When IPsec VPN tunnels were set up with remote users (also known as mobile or nomad users), phase 1 of the IKE negotiation would fail because fragmented packets were not correctly reconstructed after they were received. This anomaly has been fixed.

Support reference 77679

In IPsec configurations that use mobile peers with certificate authentication, and for which no peer IDs were specified, the message indicating a switch to experimental mode no longer appears by mistake.

Support reference 65964

The IPsec management engine (Racoon) used for IKEv1 policies no longer interrupts the phase 2 negotiation with a peer when another phase 2 negotiation fails with the same peer.

IPsec VPN IKEv2 or IKEv1 + IKEv2

Support reference 77722

The presence of the same trusted certification authority with a CRL in both the local IPsec policy and global IPsec policy no longer causes a failure when the IPsec configuration is enabled on the firewall.

Support reference 77097

The management of the authentication process was enhanced for the setup of IPsec VPN tunnels in configurations where several LDAP directories are declared and one or several of these LDAP directories take longer than usual to respond.

Thanks to these enhancements, attempts to set up other tunnels are no longer blocked while the firewall waits for a slow directory to respond.

IPsec VPN - Virtual interfaces

Support reference 77032

When IPv4 traffic transported in IPv6 IPsec tunnels through virtual interfaces was decrypted, the firewall did not look for return routes among the IPv6 virtual interfaces. Such IPv4 packets are now correctly exchanged at each tunnel endpoint.

IPsec VPN - Logs

Support references 69858 - 71797

Text strings that exceeded the maximum length allowed when sent to the firewall's log management service are now correctly truncated and no longer contain non-UTF-8 characters. Previously, such strings would cause a malfunction when logs were read through the web administration interface.

In addition:

  • The maximum supported length of a log line is now 2048 characters,
  • The maximum supported length of a text field contained in a log line is now 256 characters.
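The two limits above only hold up if truncation lands on a character boundary: cutting a UTF-8 string at an arbitrary byte offset can leave a partial multi-byte sequence, which is exactly the kind of non-UTF-8 content the note describes. The following added example (not Stormshield code) shows a boundary-safe truncation using the 2048-byte line and 256-byte field limits from the note; the key="value" layout, the sample field names and the sample values are constructed for illustration.

```python
# Added example (not Stormshield code): truncate log text to a byte budget
# without cutting a UTF-8 sequence in half. The limits below (2048 bytes per
# log line, 256 bytes per text field) are the values given in the release note;
# the key="value" layout and the sample fields are constructed for illustration.

MAX_LINE_BYTES = 2048
MAX_FIELD_BYTES = 256


def truncate_utf8(text: str, max_bytes: int) -> str:
    """Longest prefix of `text` whose UTF-8 encoding fits in `max_bytes`.

    A plain byte slice (data[:max_bytes]) can stop in the middle of a
    multi-byte character and leave an invalid sequence behind. We step back
    over continuation bytes (binary 10xxxxxx) so the cut lands on a code
    point boundary and the result always decodes.
    """
    data = text.encode("utf-8")
    if len(data) <= max_bytes:
        return text
    cut = max_bytes
    while cut > 0 and (data[cut] & 0xC0) == 0x80:
        cut -= 1
    return data[:cut].decode("utf-8")


def build_log_line(fields: dict) -> str:
    """Cap each text field, assemble key="value" pairs, then cap the whole line."""
    pairs = []
    for key, value in fields.items():
        safe = truncate_utf8(str(value), MAX_FIELD_BYTES)
        pairs.append(f'{key}="{safe}"')
    return truncate_utf8(" ".join(pairs), MAX_LINE_BYTES)


def is_well_formed(raw: bytes) -> bool:
    """Check a received line the way a log reader would: size limit and valid UTF-8."""
    if len(raw) > MAX_LINE_BYTES:
        return False
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


# Constructed sample: a remote ID made of 300 two-byte characters (600 bytes),
# which a naive byte slice at 256 could have split mid-character.
SAMPLE_FIELDS = {
    "id": "vpn",
    "remoteid": "é" * 300,
    "msg": "Phase 1 negotiation",
}

if __name__ == "__main__":
    line = build_log_line(SAMPLE_FIELDS)
    print(len(line.encode("utf-8")), is_well_formed(line.encode("utf-8")))
```

Values containing double quotes are not escaped here; a production formatter would also have to escape or strip them, but that is orthogonal to the boundary problem the note is about.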

SSL VPN

Support reference 76762

The Available networks or hosts field was wrongly used to calculate the possible number of SSL VPN clients, and therefore skewed the calculation. This anomaly has been fixed.

SSL VPN Portal

Support references 77168 - 77132 - 77388

The SLD would occasionally restart and log off all users whenever two users logged in via the SSL VPN portal and accessed the same resource.

Support reference 77062

Even when the maximum number of servers accessible via the SSL VPN Portal had already been reached, additional machines could still be declared. This would cause the firewall's authentication engine to restart repeatedly. Servers can no longer be created once the limit, which varies according to the firewall model, is reached.

GRETAP and IPsec

Support reference 76066

The system command ennetwork -f no longer makes the firewall reboot in a loop in configurations containing GRETAP interfaces that communicate through IPsec tunnels.

High availability - link aggregation

In high availability configurations, the mechanism that switches a node from active to passive has been enhanced so that it no longer renegotiates aggregate links (LACP) when:

  • The option Reboot all interfaces during switchover (except HA interfaces) is enabled (Configuration > System > High availability module, under Advanced properties, Swap configuration),
    - and -
  • The LacpWhenPassive parameter is enabled with a value of "1" (file /usr/Firewall/ConfigFiles/HA/highavailability Global LACPWhenPassive <0|1>).

Support reference 76748

In a high availability configuration, an active node switching to passive mode no longer wrongly disables VLAN interfaces that belong to a link aggregate (LACP).

High availability - IPsec VPN (IKEv2 policy or IKEv1 + IKEv2 policy)

In high availability configurations that apply IKEv2 or IKEv1+IKEv2 IPsec policies, an anomaly sometimes wrongly detected the replay of ESP sequence numbers and packet loss after two failovers in the cluster. This anomaly has been fixed.
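The note only says that replays were wrongly detected; it does not say how. The following added example (not Stormshield code) shows the standard anti-replay check an ESP receiver applies, written in the style of RFC 4303 section 3.4.3, and illustrates why a receiver whose window state is out of step with what the peer has actually sent (for instance state that was not carried over correctly between cluster nodes) rejects legitimate packets as replays or as too old. The window size and the sequence-number streams are constructed for illustration.

```python
# Added example (not Stormshield code): a 32-bit ESP anti-replay window in the
# style of RFC 4303 section 3.4.3. Window size and sequence-number streams are
# constructed for illustration; this is not the firewall's implementation.

class AntiReplayWindow:
    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is new and inside the window."""
        if seq == 0:
            return False                    # ESP sequence numbers start at 1
        if seq > self.top:
            shift = seq - self.top          # slide the window forward
            if shift >= self.size:
                self.bitmap = 1             # everything previously seen falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                    # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                    # already seen: replay
        self.bitmap |= 1 << offset          # late but new: accept
        return True


def run(seqs, window=None):
    """Feed a sequence-number stream through a window; return one accept/reject flag per packet."""
    if window is None:
        window = AntiReplayWindow()
    return [window.check_and_update(s) for s in seqs]


def export_state(window: AntiReplayWindow) -> dict:
    """The per-SA state a peer node needs to continue receiving without false replays."""
    return {"top": window.top, "bitmap": window.bitmap}


def import_state(state: dict, size: int = 64) -> AntiReplayWindow:
    window = AntiReplayWindow(size)
    window.top, window.bitmap = state["top"], state["bitmap"]
    return window


if __name__ == "__main__":
    # Constructed stream: in-order packets, one late packet, one duplicate, a jump.
    print(run([1, 2, 3, 5, 4, 4, 70, 5, 10]))
    # Constructed failover illustration: a node whose window is far ahead of the
    # sender's real counter drops every legitimate packet as "too old".
    stale = import_state({"top": 5000, "bitmap": 1})
    print(stale.check_and_update(4000))
```

The two helpers export_state and import_state make the point of the scenario explicit: a window is only meaningful relative to the sender's counter, so a node taking over an SA needs the current top and bitmap, not a stale or empty copy.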

High availability - Triggering the failover of a node

The test process in which nodes in the same cluster confirm the availability of other nodes has been enhanced so that the passive node will not be wrongly switched to active mode, thereby creating a configuration with two active nodes.

High availability - Filtering and NAT - Time objects

Support references 76822 - 73023 - 76199

To prevent network instability in high availability clusters, the re-evaluation of filter rules is now optimized when there is a change in the status of time objects used in one or several of these rules.

Monitoring gateways

Support references 71502 - 74524

During the startup sequence of the gateway monitoring mechanism, if any of the gateways used in filter rules switched from an internal "maybe down" status (pinging failed) to an internal "reachable" status, the filter would still consider such gateways disabled. This anomaly has been fixed.

When the status of a gateway changes, it will now be logged as an event.

Support reference 75745

On firewalls that process many connections and whose configurations contain many gateways, replies to pings could take longer to reach the gateway monitoring mechanism. When this occurred, the mechanism would continuously re-send pings and restart without sending any notification (logs or system events). This anomaly has been fixed.

Support reference 75745

The gateway monitoring mechanism, which would sometimes restart unexpectedly, has been fixed.

Support reference 76802

In some configurations, the process that relied on the gateway monitoring engine would consume an excessive amount of the firewall's CPU resources. This anomaly has been fixed.

SSL proxy

Support reference 77207

An anomaly in the SSL decision-making cache (decrypt, do not decrypt, etc.) that occurred when simultaneous connections targeted the same destination IP address on different ports would occasionally corrupt this cache and freeze the SSL proxy. This anomaly has been fixed.

Support reference 78044

When attempts to connect to an unreachable SSL server resulted in the SSL proxy immediately returning an error message, the firewall would not properly shut down such connections. An increasing amount of such connections wrongly considered active would then slow down legitimate SSL traffic. This anomaly has been fixed.

SMTP proxy

Support reference 77207

In configurations that use the SMTP proxy in an SMTP filter rule:

  • In “Firewall” security inspection mode,
    - or -
  • In "IDS" or "IPS" security inspection mode but without SMTP protocol analysis (Application protection > Protocols SMTP module > IPS tab: Automatically detect and inspect the protocol checkbox unselected),

when the SMTP server shut down a connection after sending an SMTP 421 server message, the SMTP proxy would occasionally freeze. This anomaly has been fixed.

Global host objects included in router objects

Support reference 71974

When global host objects included in router objects (local or global) are renamed, the change is now correctly applied in the router object concerned.

ANSSI "Diffusion Restreinte” mode

When the ANSSI "Diffusion Restreinte" mode is enabled (System > Configuration > General configuration tab), a mechanism now checks that the Diffie-Hellman (DH) groups used in the configuration of IPsec peers are compatible with this mode. The list of allowed DH groups has been updated: only DH groups 19 and 28 can now be used.

SN6000 model firewalls

Support references 75577 - 75579

In a few rare cases, a message warning of missing power supply modules would be wrongly sent on SN6000 firewalls equipped with an IPMI module in version 3.54. A mechanism that restarts the IPMI module has been set up to deal with this issue.

This mechanism is disabled by default. It does not affect traffic going through the firewall, but it temporarily prevents component data from being refreshed. The mechanism needs about five minutes to run its course, the time it takes to restart the IPMI module and refresh the component data.

This new parameter can only be modified through the CLI / SSH command:

setconf /usr/Firewall/ConfigFiles/system Monitord EnableRestartIPMI <0|1>

For more information on the syntax of this command, refer to the CLI /SSH Commands Reference Guide.

TPM

Support reference 76664

When a certificate is revoked, the associated .pkey.tpm file is now properly deleted.

Routers

Support references 75745 - 74524

After a firewall is restarted, the router monitoring service now correctly applies the last known status of the monitored routers.

Automatic backups

Support reference 75051

The mechanism that checks the certificates of automatic backup servers was updated following the expiry of the previous certificate.

Connections from Stormshield Management Center (SMC)

Support reference 76345

During the initial connection from SMC to the web administration interface of a firewall in version 3.7 or higher, attempts to retrieve the archive containing all the interface data would fail, thereby preventing connections to the firewall from SMC. This anomaly has been fixed.

Directory configuration

Support reference 76576

The default port used to access the backup LDAP server is now the same as the port that the main LDAP server uses.

Monitoring certificates and CRLs

Support reference 76169

In a HA cluster, the mechanism that monitors the validity of certificates and CRLs on the passive firewall no longer wrongly generates system events every 10 seconds. Typical events are Passive certificate validity (event 133) or Passive CRL validity (event 135).

Local storage

Support reference 75301

Firewalls with damaged SD cards (and therefore damaged log storage partitions) would restart in a loop. This anomaly has been fixed.

Initial configuration via USB key

Support reference 77603

An anomaly in how special characters (spaces, ampersands, etc.) are managed when CSV files are imported, could prevent some data from being applied (e.g., certificates with names that contain spaces). This anomaly has been fixed.

Sandboxing in the proxy

Support reference 77199

A memory leak that could occur when the sandboxing engine is used in the proxy has been fixed.

Intrusion prevention

NB-CIFS protocol

The analysis of NB-CIFS traffic from Microsoft Windows hosts no longer wrongly raises the alarm "Invalid NBSS/SMB2 protocol" (alarm nb-cifs:157).

LDAP protocol

Authentication via SASL (Simple Authentication and Security Layer) now supports the NTLMSSP protocol, and therefore no longer generates errors when analyzing LDAP traffic that uses this protocol.

NTP

NTP packets that present a zero origin timestamp no longer wrongly raise the alarm "NTP: invalid value" (alarm ntp:451).

DNS protocol

Support reference 71552

Requests to update DNS records are now better managed in compliance with RFC 2136 and no longer trigger the block alarm "Bad DNS protocol" (alarm dns:88).
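An RFC 2136 UPDATE reuses the standard 12-byte DNS header, but its four count fields mean Zone, Prerequisite, Update and Additional rather than Question, Answer, Authority and Additional, so a request that legitimately carries RRs in the third section looks malformed to an analyzer that only knows the QUERY layout. The following added example (not Stormshield code, and not a description of the firewall's DNS engine) parses a message, names the counts by opcode, and contrasts a QUERY-only rule set that flags a valid UPDATE with an opcode-aware one that accepts it. Both sample messages are constructed for illustration.

```python
# Added example (not Stormshield code): parse a DNS message and name its four
# header counts by opcode, so that an RFC 2136 UPDATE (opcode 5, sections
# Zone/Prerequisite/Update/Additional) is not judged by the rules for an
# ordinary QUERY. Both sample messages are constructed for illustration.
import struct

OPCODE_QUERY, OPCODE_UPDATE = 0, 5
TYPE_A, TYPE_SOA = 1, 6
QUERY_COUNTS = ("qdcount", "ancount", "nscount", "arcount")
UPDATE_COUNTS = ("zocount", "prcount", "upcount", "adcount")


def read_name(buf: bytes, off: int):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                  # the name ends after the first pointer
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_entry(buf, off):
    # Question entry (QUERY) or Zone entry (UPDATE): name, type, class.
    name, off = read_name(buf, off)
    rtype, rclass = struct.unpack_from("!HH", buf, off)
    return {"name": name, "type": rtype, "class": rclass}, off + 4


def parse_rr(buf, off):
    name, off = read_name(buf, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    off += 10
    rdata = buf[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated RDATA")
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, off + rdlen


def parse_message(buf: bytes) -> dict:
    if len(buf) < 12:
        raise ValueError("short header")
    msg_id, flags, c0, c1, c2, c3 = struct.unpack_from("!6H", buf, 0)
    opcode = (flags >> 11) & 0xF
    names = UPDATE_COUNTS if opcode == OPCODE_UPDATE else QUERY_COUNTS
    off, entries, records = 12, [], []
    for _ in range(c0):                        # question (QUERY) or zone (UPDATE) section
        entry, off = parse_entry(buf, off)
        entries.append(entry)
    for _ in range(c1 + c2 + c3):              # every other section holds RRs
        rr, off = parse_rr(buf, off)
        records.append(rr)
    if off != len(buf):
        raise ValueError("trailing bytes after last section")
    return {"id": msg_id, "opcode": opcode, "qr": bool(flags & 0x8000),
            "raw_counts": (c0, c1, c2, c3), "counts": dict(zip(names, (c0, c1, c2, c3))),
            "entries": entries, "records": records}


def naive_check(msg: dict) -> list:
    """QUERY-shape rules applied to every request: a valid UPDATE (UPCOUNT > 0) trips them."""
    qd, an, ns, _ = msg["raw_counts"]
    return [] if msg["qr"] or (qd == 1 and not an and not ns) else ["one question, no answer/authority RRs"]


def check_message(msg: dict) -> list:
    """Opcode-aware rules; [] means well-formed for a QUERY or an RFC 2136 UPDATE request."""
    if msg["qr"]:
        return []
    c = msg["counts"]
    if msg["opcode"] == OPCODE_UPDATE:
        problems = []
        if c["zocount"] != 1 or msg["entries"][0]["type"] != TYPE_SOA:
            problems.append("UPDATE needs exactly one zone entry of type SOA")
        if c["prcount"] == 0 and c["upcount"] == 0:
            problems.append("UPDATE carries neither prerequisites nor updates")
        return problems
    if msg["opcode"] == OPCODE_QUERY:
        ok = c["qdcount"] == 1 and not c["ancount"] and not c["nscount"]
        return [] if ok else ["QUERY needs one question and no answer/authority RRs"]
    return [f"unhandled opcode {msg['opcode']}"]


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


# Constructed RFC 2136 request: add "host.example.com. 300 IN A 192.0.2.10" to zone example.com.
SAMPLE_UPDATE = (
    struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_SOA, 1)
    + encode_name("host.example.com") + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
)
# Constructed ordinary recursive query (RD flag set) for comparison.
SAMPLE_QUERY = (struct.pack("!6H", 0x0001, 0x0100, 1, 0, 0, 0)
                + encode_name("example.com") + struct.pack("!HH", TYPE_A, 1))
```

Running check_message on SAMPLE_UPDATE returns an empty list while naive_check flags it, which is the shape of the false positive the note describes. The parser also bounds compression-pointer hops and rejects truncated RDATA and trailing bytes, checks any protocol analyzer sitting in a filtering path should keep.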

Support references 72754 - 74272

The DNS protocol analysis has been modified to reduce the number of false positives from the "DNS id spoofing" alarm (alarm dns:38).

TCP protocol

Support reference 76621

When a threshold was defined for the Maximum number of simultaneous connections for a source host in the TCP configuration, and a TCP-based filter rule blocked an attempted SYN flood denial-of-service attack, the offending packets were correctly blocked but no alarm was written to the corresponding log file (l_alarm). This anomaly has been fixed.

RTSP protocol

Support reference 73084

When an RTSP request that uses an RTP/AVP/UDP transport mode passes through the firewall, the RTSP analysis engine no longer deletes the Transport field and broadcast channels are set up correctly.

User names

Support reference 74102

User names are no longer case-sensitive when they are saved in the tables of the intrusion prevention engine. This guarantees that filter rules based on the names of authenticated users match those users correctly.

Network

Wi-Fi

Support reference 75238

Changes to the access password of a Wi-Fi network hosted by the firewall are now correctly applied.

Policy-based routing

Support reference 76999

In PBR, when routers were changed directly in filter rules, IPState connection tables (for GRE, SCTP and other protocols) now apply the new router IDs.

High availability

Support references 73236 - 73504

On SN2100, SN3100, SN6100 and SNi40 firewall models, packets would occasionally be lost when a cable was connected to:

  • One of the management ports (MGMT) on SN2100, SN3100 or SN6100 models,
    - or -
  • One of the interfaces of an SNi40 firewall.

This issue has been fixed by updating the driver on these interfaces.

Hardware monitoring

System events (ID 88 and 111) are now generated when a defective power supply module reverts to its optimal status (when the module is replaced or plugged back in).

Routing

Bird dynamic routing

Support reference 77707

The check link directive used in the protocol direct section in the Bird dynamic routing configuration file is now correctly applied for IXL network interfaces (fiber 4x10Gbps and 2x40Gbps network extension modules for SN2100, SN3100 and SN6100 models; 4x10G BASE-T modules for SN710, SN910, SN2000, SN2100, SN3000, SN3100 and SN6100 models; fiber 10Gbps onboard ports on SN6100 models) and IGB network interfaces (SNi20, SNi40, SN2000, SN3000, SN6000, SN510, SN710, SN910, SN2100, SN3100 and SN6100).

Web administration interface

Reports

Support reference 73376

The “Top sessions of Administrators” report now shows all the sessions of the firewall's administrators, i.e., sessions of the admin account and of all users and user groups added as administrators. The report previously contained only sessions of the admin account.

Interfaces

Support references 74312 - 76578

When new interfaces were created, their ifnames (e.g., vlan0) would sometimes not be correctly assigned, which prevented the interfaces from being created. This issue arose after interfaces were deleted: their ifnames were released, but the ifnames that followed them were wrongly marked as the next ones to assign, even though they were not necessarily free. This anomaly has been fixed.

Certificates and PKI

Support reference 77598

Adding a URI address to the distribution points of certificate revocation lists (CRL) would in some cases create an address for each character entered. This anomaly has been fixed.