IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you update your SNS firewalls to a version that is still under maintenance to guarantee the protection of your infrastructure.
SNS 3.2.0 bug fixes
System
Certificates and PKI
Support reference 60548
Whenever an SCEP (Simple Certificate Enrollment Protocol) request was sent to a PKI managed by a Microsoft Windows platform, the authentication phase would fail as the encoding of the password sent was different from the expected encoding (since SCEP is still not covered by any RFC). This anomaly has been fixed.
SNMP agent
Support reference 49523
The OID (Object Identifier) corresponding to the total amount of reserved buffer memory (UCD-SNMP MIB) would wrongly report a value that did not match the expected format (32 bits). This issue has been fixed.
Support reference 54961
The unique ID of the SNMP agent would be modified every time the firewall's SNMP service restarted, potentially causing communication errors with monitoring solutions.
Directory configuration
Support reference 58839
Changes to the name of an LDAP directory were not applied in other modules referencing that directory (e.g., Filter and NAT). This anomaly has been fixed.
Support reference 57419
In LDAP configurations specifying a backup server, whenever the main server was no longer reachable, LDAP requests in synchronous mode (e.g., SSL VPN) would not be redirected to the backup server. This issue has been fixed.
Authentication
Support reference 59422
The initial activation of an authentication method would only take effect after its configuration items had been entered and validated twice. This anomaly has been fixed.
Automatic backups
Support reference 59229
Potential communication issues between firewalls and automatic backup servers have been resolved by adding the root Stormshield certificate authority to these servers' trusted authorities.
Filter - NAT
Support reference 59849
Filter rules whose source or destination contained groups with several thousand IP addresses could cause the firewall to restart in a loop. This issue has been fixed.
Support reference 54522
The "Enable the SYN proxy" option (Filter - NAT > Action module > Quality of Service tab > Connection threshold panel > If threshold is reached field) would not function to protect servers hidden by address translation. This issue has been fixed.
Address translation
Support reference 58919
To translate the source of traffic sent by the firewall itself, the destination after translation had to be left empty (the Any value entered in the Destination column of the Traffic after translation section had to be removed). This anomaly has been fixed.
CLI command
Support reference 58853
The command MONITOR FLUSH STATE X.Y.Z.A would purge the entire host and connection table instead of deleting only the entries concerning the host X.Y.Z.A. This issue has been fixed.
High availability
Support reference 53958
The status of the firewalls' disks is now taken into account when calculating the quality of a cluster's members.
Support reference 56613
Instability in the data synchronizer would cause the high availability management service to restart in a loop. As a result of this malfunction, the passive firewall could switch to active mode, leaving both firewalls in the cluster active. This issue has been fixed.
Support reference 56700
Changes made to users' preferences on the active firewall would not be synchronized with the passive firewall. This anomaly has been fixed.
Support reference 57317
Whenever the table of events to be synchronized filled up, the high availability manager would attempt a new full synchronization, at the expense of the firewall's performance. This reaction has been modified: the mechanism now deletes the oldest events first so that the most recent ones can be added to the queue.
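The two overflow reactions described above, as an added illustration that is not Stormshield's code and does not reflect the real synchronizer's data structures: a hypothetical bounded queue of HA state events compared under the old policy (flush and request a full synchronization) and the new one (discard the oldest event to make room for the newest). The event tuples and the capacity of 4 are constructed for the example.

```python
from collections import deque

# Constructed sample: HA state events as (sequence_number, description) tuples.
SAMPLE_EVENTS = [(i, f"conn-update-{i}") for i in range(1, 11)]


class HaEventQueue:
    """Hypothetical bounded queue of state events awaiting synchronisation.

    policy="full_resync": the pre-3.2.0 reaction; on overflow the queue is
                          flushed and a full synchronisation is requested.
    policy="drop_oldest": the 3.2.0 reaction; on overflow the oldest queued
                          event is discarded so the most recent one fits.
    """

    def __init__(self, capacity, policy="drop_oldest"):
        if policy not in ("full_resync", "drop_oldest"):
            raise ValueError(f"unknown policy: {policy}")
        self.capacity = capacity
        self.policy = policy
        self.events = deque()
        self.full_resyncs = 0  # number of full synchronisations requested
        self.dropped = 0       # number of events discarded on overflow

    def push(self, event):
        if len(self.events) >= self.capacity:
            if self.policy == "full_resync":
                # Old behaviour: give up on incremental sync, start over.
                self.events.clear()
                self.full_resyncs += 1
            else:
                # New behaviour: evict the oldest event, keep the queue bounded.
                self.events.popleft()
                self.dropped += 1
        self.events.append(event)

    def drain(self):
        """Hand the queued events to the sync link, oldest first."""
        out = list(self.events)
        self.events.clear()
        return out


def simulate(policy, capacity=4, events=SAMPLE_EVENTS):
    """Push all sample events through a queue and report what reached the link."""
    queue = HaEventQueue(capacity, policy)
    for event in events:
        queue.push(event)
    return {
        "queued": [seq for seq, _ in queue.drain()],
        "full_resyncs": queue.full_resyncs,
        "dropped": queue.dropped,
    }


if __name__ == "__main__":
    for policy in ("full_resync", "drop_oldest"):
        print(policy, simulate(policy))
```

With a capacity of 4 and ten events, the old policy triggers two full synchronizations and delivers only events 9 and 10 incrementally, while the new policy delivers events 7 to 10 and drops the six oldest. In either case the events that never reached the passive firewall still have to be reconciled; the difference the release note describes is that the new reaction avoids the cost of a full synchronization on every overflow.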
Support reference 58846
In high availability configurations, interfaces that were initially inactive on the main firewall would be reported as active after the firewall changed its role in the cluster twice (active - passive - active). This anomaly has been fixed.
Support reference 58842
After the roles of the firewalls in a cluster had been switched, whenever active connections were restored in incremental mode, the parent-child relationship between these connections (control traffic / data traffic) would not be kept. In such cases, data traffic for protocols such as FTP would no longer be forwarded. This issue has been fixed.
Proxies
Support reference 60090
In a configuration in which:
• Web 2.0 scans were disabled (Inspect HTML code option unselected in the IPS tab of the HTTP protocol),
• the alarm "http:150 additional data at end of reply" was set to "pass",
HTTP POST requests sent through the proxy could cause the firewall to freeze. This issue has been fixed.
Support reference 56009
Whenever SMTP clients exceeded the amount of sent data allowed, the proxy would send a "552 Data size exceeded" response before wrongly generating an "Invalid SMTP protocol" alarm, causing the connection to end. This anomaly has been fixed.
Support reference 56619
The firewall would attempt to reuse a certificate that had just been deleted. This anomaly, which could cause the proxy to freeze, has been fixed.
IPsec (IKEv2)
Support reference 59900
During the setup of an IKEv2 IPsec tunnel, groups with which a user was associated would not be communicated to the intrusion prevention system. This anomaly has been fixed.
Support reference 59730
During the negotiation of an IKEv2 IPsec tunnel initiated by the firewall, it would send additional IP selectors that devices from other vendors (Check Point) might not accept, thereby preventing the successful setup of the tunnel. This issue has been fixed.
SSL VPN
Support reference 48993
Whenever the SSL VPN server was reloaded, the configuration meant for the client could be incomplete and would prevent connections to the service. This issue has been fixed.
Support reference 59518
The SSL VPN server would not accept certificates containing spaces or special characters (e.g., apostrophes), and would fail to create the configuration archive that the client was supposed to download. This issue has been fixed.
Support reference 49110
SSL VPN performance has been enhanced with support for UDP in the tunnel setup phase.
PPTP
Support reference 59237
Attempts to set up a PPTP tunnel to a firewall that uses routing by interface could cause the PPTP tunnel manager to freeze. This issue has been fixed.
Network objects - Global objects
Support reference 59511
The feature allowing global objects to be exported to a CSV format did not function. This issue has been fixed.
Logs - Local storage
Support reference 59751
An improvement to the parameters for accessing the SD card on U30S, SN200 and SN300 firewalls has fixed the issue of the firewall restarting unexpectedly.
Network
LACP
Support reference 59545
Changes to the MAC address of an aggregate were not applied to the first physical interface belonging to this aggregate.
IPv6
Support reference 58635
ICMP requests, or Neighbor Discovery requests, sent to an interface configured in IPv6 with a /64 subnet mask would raise an "IP address spoofing (type=1)" alarm (source address from an unprotected interface contacting a protected interface). This issue has been fixed.
Network objects
Support reference 54843 - 56211
During operations on the objects database, all entries in the firewall's ARP table would be systematically erased. Network monitoring solutions could then wrongly assume that certain hosts were unreachable while the table was being rebuilt. This behavior has been modified: only permanent entries in this table are now deleted during operations on the objects database.
Intrusion prevention
SMB2 protocol
Support reference 58662
An error while reading SMB2 packets during an authentication attempt via SPNEGO would wrongly raise the "Invalid NBSS/SMB2 protocol" alarm. This issue has been fixed.
Ethernet/IP protocol
Support reference 59987
The intrusion prevention module dedicated to scanning the industrial Ethernet/IP protocol would be wrongly activated on certain streams of UDP traffic, causing them to be blocked. This anomaly has been fixed.
Vulnerability Manager
Support reference 55973 - 58875
Issues with the intrusion prevention engine freezing have been resolved with the optimization of the vulnerability management mechanism for traffic originating from or going to the firewall.
Intrusion prevention engine queue
Support reference 59366
Whenever the number of connections exceeded the capacity of the event queue managed by the intrusion prevention engine, the message "HA: Overflow detected while reading ASQ events, resync needed" would be written to the event logs, even though high availability was not enabled on the firewall. This message has been changed to "Overflow detected while reading IPS events, resync needed".
ICMP
Support reference 59712
A parameter setting the maximum global rate of ICMP error packets allowed per core has been added. Set by default to 25000 packets/s, this parameter can be modified in the global ICMP configuration.
Web administration interface
Filter - NAT
When a comment was being edited, the keyboard shortcuts CTRL+C and CTRL+V would copy and paste a new filter rule instead of the comment text. This anomaly has been fixed.
Support reference 54930
After the dcerpc protocol was renamed dcerpc_tcp, selecting dcerpc in the protocol field of a filter rule would cause an error. This issue has been fixed.
Support reference 47826
Moving a collapsed rule separator would not move the filter rules associated with it. This anomaly has been fixed.
Logs - Syslog - IPFIX
Support reference 60007
Whenever the formatting of an SD card failed, the error was not displayed and the formatting window remained open. This issue has been fixed.
Administrators
Support reference 61167
After validating the change of the admin account password, the page would remain frozen on the message "Saving configuration, please wait...". This anomaly has been fixed.
Directory configuration
Support reference 60079
Whenever the names of several directories were derived from the name of the default directory (e.g., mycompany.eu [default], mycompany.eu.fr, mycompany.eu.org, etc.), all of these directories would be represented as default directories in the Users > Directory configuration module.
Monitoring
Monitoring configuration
Support reference 59538 - 59590
Aggregated interfaces could not be selected in the list of interfaces to be monitored. This anomaly has been fixed.
QoS monitoring
Support reference 59322
The QoS monitoring history curve would not display data as the IDs of QoS queues were not taken into account. This anomaly has been fixed.
Hardware
LEDs - SN150
Support reference 58532
The Online LED located on the front panel of the SN150 firewall would not light up whenever the appliance started. This anomaly has been fixed.