IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SNS 3.11.3 LTSB bug fixes
IMPORTANT
In some situations, memory leaks may affect the proxy, causing the service to restart unexpectedly. Contact Stormshield support if you think that this issue might affect you.
System
Proxies
When the proxy must send a block page, the absence of a Content-Length header in the reply (HTTP HEAD reply) no longer wrongly raises the alarm "Additional data at end of a reply" (alarm http:150).
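The framing rule behind this fix, as an added example that is not Stormshield code: a reply analyzer must derive the expected body length from the request method as well as the headers (RFC 7230 section 3.3.3), otherwise a body-less HEAD reply without Content-Length is misjudged. The sample replies are constructed here.

```python
# Added example (not Stormshield code): HTTP/1.1 response framing check in the
# spirit of the http:150 "Additional data at end of a reply" alarm. RFC 7230 3.3.3.

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, remainder)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, rest

def expected_body_length(method: str, status: int, headers: dict):
    """Return the body length implied by the request method and headers,
    or None when the body runs until the connection closes."""
    # 1. Replies to HEAD and status 1xx/204/304 never carry a body,
    #    whatever Content-Length says.
    if method.upper() == "HEAD" or 100 <= status < 200 or status in (204, 304):
        return 0
    # 2. Chunked transfer coding wins over Content-Length; treated as unknown here.
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return None
    # 3. Otherwise Content-Length governs.
    if "content-length" in headers:
        return int(headers["content-length"])
    # 4. No framing information: body ends when the connection closes.
    return None

def excess_bytes(method: str, raw: bytes) -> int:
    """Bytes present after the framed reply; >0 is what the alarm flags."""
    status, headers, body = parse_response(raw)
    length = expected_body_length(method, status, headers)
    if length is None:
        return 0          # cannot know where the body ends: never flag
    return max(0, len(body) - length)

# Constructed samples: a block page answering HEAD (no Content-Length, no
# body) and the same block page answering GET with a short Content-Length.
HEAD_BLOCK = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
GET_BLOCK = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
             b"Content-Length: 5\r\n\r\n<p>okjunk")

if __name__ == "__main__":
    print(excess_bytes("HEAD", HEAD_BLOCK))  # 0: well-formed HEAD reply
    print(excess_bytes("GET", GET_BLOCK))    # 4: "junk" after the 5-byte body
```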
Support reference 78432
Issues with memory leaks in proxies, which would sometimes restart the service unexpectedly, have been fixed.
Support references 79304 - 79888
An issue with enabling brute force protection, which could freeze the proxy, has been fixed.
Support reference 67947
In configurations with a filter policy that implements:
- A global decryption rule,
- A local filter rule that uses an explicit proxy and has a rule ID that is equal to or lower than the ID of the global decryption rule,
operations that reload the proxy's configuration (changing the filter policy, changing the SSL/URL filter policy, changing the SSL/URL filter engine, changing the antivirus engine, etc.) no longer end connections processed by the proxy.
SSL VPN
Support references 73353 - 77976
The SSL VPN client now applies the key renegotiation interval set by default on the SSL VPN server, i.e. 14400 seconds (4 hours). Users who do not have the Stormshield Network SSL VPN client must retrieve a new configuration file from the firewall's authentication portal so that their client applies this interval.
TPM
Support reference 76665
When a PEM certificate is imported on the firewall without its private key, the debug command tpmctl -a -v no longer wrongly returns a TPM file reading error message (tpm file read error).
SSL VPN in portal mode
Support reference 68759
SSL VPN in portal mode now uses a component that is compatible with:
- Java 8 JRE, or
- OpenWebStart.
This makes it possible to work around the suspension of public versions of Java JRE 8, scheduled in the near future.
Network objects
Support reference 77385
When a global network object linked to a protected interface is created, this object will now be correctly included in the Networks_internals group.
Support reference 76167
When local or global network objects are restored using a backup file (file with a “.na” extension), the firewall's network routes are reloaded to apply changes that may affect network objects involved in routing.
High availability (HA)
Support reference 70003
The validity of the license for the Vulnerability manager option is now verified before the configuration is synchronized to avoid unnecessarily generating error messages in logs such as "Target: all From: SNXXXXXXXXXXXXX Command: SYNC FILES failed: Command failed : Command has failed : code 1".
Support references 78758 - 75581
Memory leak issues, especially in the mechanism that manages HA status and role swapping in a cluster, have been fixed.
Hardware monitoring
Support reference 77170
On SN2100, SN3100 and SN6100 firewalls, the mechanism that monitors fan rotation speed has been optimized so that it no longer wrongly reports alarms that create doubts about the operational status of fans.
Radius authentication
Support reference 76824
In a configuration that uses Radius server authentication via pre-shared key, selecting another host object in the Server field, then saving this only change no longer causes the initial pre-shared key to be deleted.
SNMP agent
Support reference 74514
The anomalies observed in table indexing, which reflected the hardware status of cluster members in the HA MIB, have been fixed. Returned OIDs did not match the associated MIB, preventing the use of snmpget requests to reach these OIDs. Such requests now function correctly.
Automatic backup
Support reference 79807
After a firewall upgrade to a 3.10.x version, then to a 3.11.x version, automatic backups no longer functioned because the network objects that made it possible to reach the automatic backup server were not correctly created. This issue has been fixed.
Network
Bridge - MAC addresses
Support reference 74879
On interfaces attached to a bridge, when a network device is moved and the network traffic that it generates is no longer linked to the same physical interface, the firewall now automatically maps the MAC address of this device to the new interface once a Gratuitous ARP request is received from this device. This makes it possible to ensure uninterrupted filtering on the moved device.
The device will be switched only if the MAC address is the same after it is moved.
MTU link aggregation
Support references 78517 - 74507
Aggregated links now use the maximum size of a packet (MTU) configured on their link aggregate (LACP).
Intrusion prevention
Connection counter
Support reference 74110
The mechanism that counts simultaneous connections has been optimized so that it no longer wrongly raises the alarm “Maximal number of connexions per host reached” (alarm tcpudp:364).
sfctl command
Support reference 78769
Using the sfctl command with a filter on a MAC address no longer restarts the firewall unexpectedly.
Quarantine when alarm raised on number of connections
Support reference 75097
When “Place the host under quarantine” is the action set for the alarm “Maximal number of connexions per host reached” (alarm tcpudp:364), the host that triggered this alarm is now correctly added to the blacklist for the quarantine period configured.
DCERPC protocol
Support reference 77417
The DCERPC protocol analyzer would sometimes wrongly create several hundred connection skeletons, causing excessive CPU consumption on the firewall.
This issue, which could prevent the firewall from responding to HA status tracking requests and make the cluster unstable, has been fixed.
Web administration interface
LDAP directories
Support reference 69589
Users can now correctly access an external LDAP directory hosted on another Stormshield firewall via a secure connection (SSL) when the option Check the certificate against a Certification authority is selected.