IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SNS 3.3.0 bug fixes
System
High Availability
Support reference 64234
Reloading a filter policy made up of several hundred rules could temporarily prevent communication between both members of the cluster over their high availability link. Depending on the duration of the interruption, the status of the passive firewall would sometimes switch to active. Restoring the connection between both firewalls would then cause both members of the cluster to attempt a full synchronization of the connection table. This reaction, which imposed an unusually heavy load on the cluster, has been fixed.
Support reference 61400
Information regarding high availability would stop appearing in the dashboard, and clicking on the high availability module would display the error message "Failure when loading high availability information". This issue has been fixed.
Support reference 65614
Whenever an HA link failed during heavy traffic, the high availability mechanism would attempt, unsuccessfully, to recreate this link. This anomaly has been fixed.
Support reference 65925
During the restoration of links between connections, an issue occurring whenever firewall roles were switched in a cluster could cause the firewall to restart. This issue has been fixed.
Dynamic routing
Support reference 65730
On SN150, SN160(W), SN210(W) and SN310 firewalls, the system would not apply routes that the Bird dynamic routing engine had learned. This issue has been fixed.
Configuration
Support reference 54377
Defining a proxy server to allow the firewall to access the Internet (System > Configuration > Network settings tab) would cause the CRL (Certificate Revocation List) verification mechanism to freeze. This issue has been fixed.
Support reference 63972
In the module System > Configuration > Network settings tab, enabling the use of a proxy server to allow the firewall to access the Internet would wrongly require the user to enter a login and password. This anomaly has been fixed.
GRETAP interfaces
Support reference 65589
The MAC addresses associated with packets leaving tunnels set up between GRETAP interfaces were wrong. This issue has been fixed.
Link aggregation
Support reference 65755
A malfunction occurring during the distribution of traffic among physical interfaces that belong to a link aggregate has been fixed.
Filtering and NAT
The filter rule reloading mechanism has been optimized. These enhancements are particularly noticeable in the following cases:
- Firewalls and firewall clusters that manage a very high number of connections,
- Filter policies that group several hundred rules,
- Modifications to alarms relating to several network protocols.
Support reference 64851
Reloading filter rules could cause connections to be deleted, making their child connections orphans. This behavior has been modified to delete child connections as well.
Support reference 64508
Connections that pass through a filter rule that uses a time object could end up being associated with an invalid rule after this time object expired. This behavior has been fixed.
Support reference 64365
Since expanding and then collapsing a filter policy was considered a modification of the filter policy, saving this change would cause the policy to be reloaded. Policies are no longer reloaded in this context.
Support reference 40421
Rule IDs were the same for all implicit rules (0). Each rule now has its own distinct ID.
Support reference 65227
In a configuration such as the following:
- Policy-based routing (PBR) was used for outgoing traffic with a router configured to perform load balancing by source IP address,
- Implicit rules that could authorize such traffic were disabled,
sending packets from the firewall using the "tracert -s" network command could cause this firewall to reboot. This issue has been fixed.
Support reference 65990
The SSL inspection rule creation wizard would no longer allow the definition of a source interface. This anomaly has been fixed.
Authentication portal
Support reference 60488 - 60143
The authentication portal (captive portal) would be automatically enabled on all profiles during the migration of configurations from a 2.7 (or 2.x) version to a 3.x version of the firmware. This anomaly has been fixed.
Proxies
Support reference 60134
Access from a multi-user host to websites that use Cross-Origin Resource Sharing (CORS) would not allow the display of external resources on the visited website. This issue has been fixed by integrating the Access-Control-Allow-Origin field into the proxy's response.
Support reference 61499
The size of the cache reserved for the generation of certificates used by the SSL proxy has been increased in order to fix performance issues and reduce the possibility of this proxy freezing.
Support reference 60616 - 64504
In configurations using the HTTP proxy (implicit or explicit proxy) and that are subject to URL filter requests, issues with the management of multiple HTTP requests within a connection (HTTP pipelining) have been fixed.
Support reference 43089
An anomaly in the assignment of inspection profiles for filter rules that use the SSL proxy has been fixed.
NSRPC client
Support reference 64100
The NSRPC client for Microsoft platforms was denied connection to SN160(W), SN210(W) and SN310 model firewalls. This issue has been fixed.
SNMP Agent
Support reference 64135
Sending a large volume of SNMP notifications (traps) would cause the firewall's SNMP service to freeze. This issue has been fixed.
Support reference 59492
Non-generic SNMP notifications corresponding to minor or major system events would occasionally not be sent. This anomaly has been fixed.
Support reference 64787
The description of the OID snsHASyncStatus (STORMSHIELD-HA-MIB) was wrong (return codes were inverted for synchronized/unsynchronized statuses). This anomaly has been fixed.
DNS cache
Support reference 58819 - 58633
Whenever the DNS cache was enabled and used by the firewall's protected networks, the creation or modification of a protected interface would not be taken into account in this cache's configuration. This anomaly has been fixed.
SSO Agent
Support reference 59778
Configuring a backup SSO agent without defining a password would cause an error in the authentication portal's management process. This issue has been fixed.
Support reference 59287
The SSO agent installed on Microsoft Windows workstations would send either the FQDN of the Microsoft Active Directory domain (name of the external LDAP directory declared on the firewall) or its NETBIOS name to the firewall. This behavior, which would cause authentication issues, has been modified.
Support reference 61169
The SSO agent installed on Microsoft Windows workstations would send a blank Microsoft Active Directory domain name to the firewall whenever the IP addresses of these workstations changed. This behavior, which would cause authentication issues, has been fixed.
Support reference 64274
The connection between the SSO agent and the firewall would shut down at regular intervals whenever the user group defined in the authentication rule was empty. This anomaly has been fixed.
Support reference 53806
The advanced option "Enable DNS host lookup" allows managing changes to the IP addresses of user workstations and authenticating users who have logged on to hosts that have several IP addresses.
SSL VPN
Support reference 65427 - 65392
Customizations to the UDP listening port on the SSL VPN portal were not applied. This anomaly has been fixed.
SSL VPN Portal
Support reference 60672
Whenever the port used for authentication on the firewall and the SSL VPN portal was modified, the connection to the SSL VPN portal via Java Webstart would fail. This issue has been fixed.
Support reference 59423
Web servers protected by firewalls that were themselves behind NAT (network address translation) equipment could not be contacted via the SSL VPN portal, as the Java client would attempt to connect to the firewalls' private addresses. This behavior has been fixed.
Support reference 60194
The menu that allows selecting the method for loading available applications via the SSL VPN portal would only be available if application servers and web servers were defined. Loading via the Java applet would then be automatically used. This anomaly has been fixed.
IPsec VPN
Support reference 59007
Switching mobile peers originally defined in IKEv2 with a local ID (optional field), and for which tunnels had been set up, to version 1 of the protocol would cause the IKEv1 tunnel management service to restart in a loop. This issue has been fixed.
Support reference 64496
The setup of tunnels in mobile mode through virtual tunneling interfaces (VTIs) would fail, as the wrong source interface was assigned (standard IPsec interface instead of the virtual IPsec interface). This issue has been fixed.
IPsec VPN - IKEv1
Support reference 64766
The engine that manages IPsec tunnels in IKEv1 did not automatically apply changes to certificates (renewal) or certificate authorities. This anomaly has been fixed.
IPsec VPN - IKEv2
Support reference 66110
The "Make-before-break" re-authentication scheme that can be used for security associations (SA) would not be taken into account if it had only been defined in global IPsec policies. This anomaly has been fixed.
Do note that this scheme can only be enabled through the configuration file of the active VPN profile (MakeBeforeBreak field in the "[Global]" section of the file ConfigFiles/Global/VPN/xx).
Automatic backups
Support reference 65510
The Digest authentication method for automatic backups to customized servers would repeatedly fail. This issue has been fixed.
Quality of service
Support reference 59940
During the creation of queues, a maximum bandwidth that was too low would not be taken into account, and no warning was given. The maximum bandwidth indicated cannot be lower than 100 kb/s.
USB key
Support reference 63996
USB drives that were formatted according to the FAT32 file system would not be recognized when they were started up on SN150 model firewalls. This anomaly has been fixed.
Wi-Fi network
Support reference 59938
The characters "$" and "!" would not be accepted during the definition of a WPA2 key. This anomaly has been fixed.
Audit logs
Support reference 61232
The message indicating that a power supply module was missing would wrongly appear for both modules on an SN6000 model firewall. This anomaly has been fixed.
Support reference 65456
The field representing the IP protocol number for IPFIX would systematically take on the value "0" (zero) in logs. This anomaly has been fixed.
Monitoring - Users view
Support reference 60441
Following a modification to the command in the firmware, the "Remove user from ASQ" pop-up menu no longer functioned. This issue has been fixed.
Intrusion prevention
HTTP
Support reference 59442 - 59639
A whitelist was added to the configuration of the HTTP protocol. This list allows defining response header fields for the server that may exceed 4096 bytes (e.g. the Content-Security-Policy field).
Support reference 65504
An issue regarding support for HTTP requests containing a text/vbscript type of content-type field has been fixed.
EtherNet/IP protocol
Support reference 64012
Whenever the EtherNet/IP protocol was transported over the UDP layer, responses to ListIdentity, ListServices or ListInterfaces requests would be considered inappropriate and blocked by an "EtherNet/IP: invalid protocol" alarm. This anomaly has been fixed.
UDP
Support reference 43718
Whenever the UDP traffic destination server was temporarily unavailable, the many "recipient unavailable" ICMP messages generated as a result would set off the block alarm "Invalid ICMP message (replay)". A dedicated alarm "ICMP replay (UDP connections)" that can be set to "pass" has been created.
Netbios - CIFS protocol
Support reference 64007
Connections presenting several sequences of unreceived packets, and on which an intrusion prevention scan had already started running, could potentially cause the firewall to freeze. This issue has been fixed.
IPv6
Support reference 59217
ICMP requests (pings) sent to an interface on the firewall configured with an IPv6 address would fail and raise the alarm "IP address spoofing (type=1)", which would block traffic. This anomaly has been fixed.
SIP
Support reference 61228
Whenever filter rules for SIP connections were in firewall mode or whenever the "Necessary SDP field missing in the SIP protocol" alarm was set to Pass, a SIP connection in which an SDP (Session Description Protocol) field was missing (media field, for example) would cause the intrusion prevention engine to freeze for the SIP protocol scan. This issue has been fixed.
Users
Support reference 64493
An issue with competing access to data regarding users would cause attempts to delete users who have already been de-authenticated. This issue, which could potentially cause the firewall to freeze or reboot, has been fixed.
Protocols that generate child connections
Support reference 65583
In configurations that handle large volumes of traffic, an issue regarding competing access on traffic that generates many child connections would occasionally cause firewalls to freeze. The management of such connections has been enhanced and the maximum number of child connections generated for each connection can now be configured.
Web administration interface
DHCP relay
Support reference 51631
Even though bridges cannot be used as listening interfaces for DHCP relays, the web administration interface would suggest bridges in the list of selectable interfaces. This anomaly has been fixed.
Authentication
Support reference 50899
Whenever authentication rules were added, objects created in the wizard could not be directly selected for such rules. This anomaly has been fixed.
Support reference 59996
Changes made to an authentication policy, including policies using the SSO agent and SPNEGO methods, would not be visible in subsequent displays of the same authentication policy. This anomaly has been fixed.
Objects
Support reference 64620
When checking the use of an object, clicking on the link to the NAT/filter policy using it would systematically display the NAT/filter policy currently in use. This anomaly has been fixed.
Network objects
Support reference 59983
When displaying details of a "Ports - port ranges" network object, the name of the object would no longer be modifiable. This anomaly has been fixed.
Filter - NAT
Support reference 60576
The selection of a rule separator located under the lower bar of the last page of rules, therefore implying the use of the window scroll bar, would not function correctly. This anomaly has been fixed.
Directory configuration
Support reference 59694
After having displayed the configuration of an external LDAP directory using a backup server, the backup server field would continue to appear even for LDAP directories that do not use this feature. This anomaly has been fixed.
Audit logs
Support reference 56667
The display of certain columns by group (source name, destination name, source port name, etc.) would not work correctly. This anomaly has been fixed.
Support reference 59272
An anomaly in the creation of advanced filters would allow new filters to be added even if they did not apply to the logs displayed. Moreover, clicking subsequently on the Add button of such filters would display the misleading message "This filter already exists". This anomaly has been fixed.
URL filtering
Support reference 61237
Whenever the names of customized URL filter policies began with the same string of characters, attempting to select any of these policies in a filter rule would systematically select the first of them. This issue has been fixed.
Routing
Support reference 64426
The selection of USB drive/modem devices as gateways for static routes could not be validated. This anomaly has been fixed.
Multi-user objects
Support reference 55877
During connections to the web administration interface using a Microsoft Internet Explorer browser in version 11, multi-user objects added would not be taken into account. This anomaly has been fixed.
Quarantine
Support reference 63949
Whenever a quarantine duration was set to more than 49 days, the actual quarantine would last only 17 days and no warning message would be displayed. For technical reasons, the maximum quarantine duration has been restricted to 49 days.
Microsoft Internet Explorer
Support reference 65187
The use of Microsoft Internet Explorer browsers, including version 11, would prevent the display or modification of certain fields in configuration modules. In order for the firewall administration interface to operate optimally, you are advised to use the latest versions of Microsoft Edge, Google Chrome and Mozilla Firefox (LTS - Long Term Support version).
SN Real-Time Monitor
Events view
Support reference 63848
Dates displayed in the Events view would only be formatted in hours and minutes. Seconds have been added to the date.
Users view
Support reference 60441
Following a modification to the command in the firmware, the Remove user from ASQ pop-up menu no longer functioned. This issue has been fixed.
Support reference 61017 - 65779
The method displayed for users authenticated via an SSO agent on a firewall in version 3 was wrong (unknown). This anomaly has been fixed.
SSL VPN view
Support reference 64785
The function that makes it possible to shut down an SSL VPN tunnel from the SN Real-Time Monitor interface (Remove this tunnel pop-up menu in the SSL VPN tunnels tab) was no longer operational with SNS firewalls in version 3. This anomaly has been fixed.
Support reference 64785
Following the migration of firewalls to version 3.2.0, SSL VPN tunnels that were set up on such firewalls could no longer be displayed (SSL VPN tunnels tab). This anomaly has been fixed.
Vulnerability Manager view
Support reference 59980
A "No help available" message would appear whenever a detected vulnerability was selected. This anomaly has been fixed.
Active Update view
Support reference 59543
Update information for the "Public IP reputation database" and "Custom context-based signature database" would wrongly display the "No license" warning in the expiration date column. As these features do not require a license, this anomaly has been fixed and "<n/a>" will now appear instead.
Overview
Support reference 59564
The Antivirus column, which would wrongly indicate "Disabled" whenever the Kaspersky antivirus engine was used on the firewall, has been hidden.
Firewall administration
Support reference 64774 - 60480
The menu Applications > Launch administration application and the automatic connection button (Overview) would no longer function with firewalls on which the administration ports have been modified (HTTPS port by default) as the connection URL would be wrong. This issue has been fixed.
Link to the Stormshield knowledge base
Support reference 64117
The link allowing users to log on to the Stormshield knowledge base (Security KB) did not work.
You will need to modify this link (correct value: https://securitykb.stormshield.eu/) in the File > Preferences menu > Miscellaneous tab and restart the application.