IMPORTANT
SNS 3.x versions have been in End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SNS 3.11.6 LTSB bug fixes
System
Proxies
Support references 80378 - 77199
Issues with memory leaks in proxies, which would sometimes restart the service unexpectedly, have been fixed.
Support reference 79584
An issue with the management of the SSL context, which could freeze the proxy service, has been fixed.
Support references 79957 - 80108
Configurations that use multi-user authentication would sometimes require several minutes to fully load web pages that embed CSP (content-security-policy) directives. This anomaly has been fixed.
IPsec VPN
Support reference 77960
ESP packets passing through an IPsec tunnel did not keep the DF bit ("Don't fragment") even though the parameter net.inet.ipsec.dfbit=2 specified the opposite. This anomaly has been fixed.
Configuration backups - Trusted Platform Module (TPM)
Support reference 79671
During the backup of a configuration with the privatekeys parameter set to none (this parameter can only be modified via CLI/Serverd command: CONFIG BACKUP), private keys stored in ondisk mode on the TPM are no longer wrongly decrypted.
Support reference 79671
Multiple configuration backups can no longer be launched simultaneously or too close together, so private keys stored in ondisk mode on the TPM will no longer be wrongly decrypted.
High availability (HA)
The errors that occur when the passive member of the cluster is updated are now shown in the firewall’s web administration interface.
Filtering and NAT
Support references 79533 - 79636 - 80043 - 80412
When a time object is enabled or disabled, the re-evaluation of connections that match the filter rule containing this time object no longer causes the firewall to unexpectedly restart.
SNMP agent
Support references 77226 - 78235
The OID "SNMPv2-MIB::sysObjectID.0", which made it possible to identify the type of device queried, presented the default net-snmp value instead of the Stormshield value. This anomaly has been fixed.
Support references 77779 - 80036
Excessive memory consumption issues that caused the SNMP agent service to unexpectedly shut down have been fixed.
Restoring or deploying configurations via Stormshield Management Center (SMC)
Support reference 80269
When the configuration of a firewall was restored or deployed via Stormshield Management Center (SMC), the restoration or deployment process would wrongly attempt to retrieve the private key of a certificate on the TPM even when the firewall did not have such a module. This would then return the error "tpm file read error". This anomaly has been fixed.
Network
Link aggregation
Support reference 79805
Whenever two SNS firewalls with an LACP link communicated, traffic was sent from only one link aggregate interface. This anomaly has been fixed.
Hardware
Configuration via USB key
Support references 79645 - 79283
Whenever a firewall is configured via USB key, an information message now appears in the console and a waiting period of two minutes is initiated when the USB key needs to be removed to continue ongoing operations (firmware updates, connecting a firewall to a cluster, etc.).
This makes it possible to prevent key decryption errors on firewalls equipped with a TPM (SN3100 and SNi20).
Intrusion prevention
SMB - CIFS protocol
Support references 77484 - 77166
Anomalies in the SMB - CIFS protocol analysis would wrongly raise the "Invalid NBSS/SMB protocol" blocking alarm (nb-cifs alarm:158) during legitimate access to shared Microsoft Windows disk resources. These anomalies have been fixed.
Web administration interface
NTP client
Support reference 79917
When an NTP server was deleted from the web administration interface, the other NTP servers would lose the bindaddr parameter from their configuration. This anomaly has been fixed.
As a reminder, this parameter makes it possible to define the interface through which NTP requests pass.
Modbus protocol
Support reference 71166
The firewall would not take into account the information entered in the Allowed UNIT IDs table (Application protection > Protocols > Industrial protocols > Modbus > General settings). The same information would also not be shown in the table after quitting the module. This anomaly has been fixed.