IMPORTANT
SNS 3.x versions have been in End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SNS 3.4.0 bug fixes
System
High Availability
Support reference 66789
After the connection to the active node of the cluster is lost, the other node now takes over more efficiently, with minimal impact on network resources.
Support reference 65652
From SNS 3.3.1 onwards, in clusters made up of virtual firewalls, the quality of the high availability link displayed would be 0 even though members of the cluster were communicating correctly. This issue has been fixed.
IPsec VPN - IKEv1
Support reference 66135
In local IPsec policies and global IPsec policies (deployed, for example, via SMC or SNCM), the presence of peers or traffic endpoints that overlap would prevent such policies from being activated. Therefore, local policies relying on mobile peers defined by the Any object would overlap any global site-to-site tunnel policy. This issue has been fixed.
IPsec VPN - IKEv2
Support reference 61227
The firewall would not apply user access privileges and would refuse to authenticate users who presented certificates with empty X509v3 Extended Key Usage fields. This issue has been fixed.
Support reference 66862
CRL updates are now correctly applied for VPN tunnels in IKEv2 mode.
Support reference 61100
On SN150 products, existing VPN tunnels in IKEv2 mode would become inoperative after several days, requiring the program or the firewall to be restarted. This issue has been fixed.
Support reference 64048
The number of IKE SAs (Security Associations) for the same IPsec IKEv2 tunnel would increase over time, without the number of unused SAs decreasing. The upgrade of the IKEv2 tunnel management engine has fixed this issue.
SSH commands
Support reference 66189
The autoupdate command to update all of the firewall's modules no longer raises the following error whenever a module has been configured to not check the signatures of downloaded data:
Error=Master file version mismatch! (-1 != 1)
Support reference 66137
The SSH command enwifi has been improved: it is no longer called by the ennetwork -f command on firewall models without Wi-Fi. Furthermore, the enwifi -h command no longer generates inappropriate alarms.
Routing
Support reference 64996
A concurrent access issue in configurations that use filter rules in firewall mode together with policy-based routing (PBR) directives would cause the firewall to freeze. This issue has been fixed.
Support reference 64070
Whenever H323 and TFTP protocols opened a child connection in the opposite direction of the main connection, traffic would not reach its destination if the main connection was associated with a router configured in filter rules (PBR) and/or a return router. This issue has been fixed.
Support reference 67115
A return packet whose initial routing is a static route to a virtual interface (VTI) is now redirected correctly to the return router if the intrusion prevention engine requires it.
Applications and protections
Support reference 61505
Certain actions that were supposed to be performed when alarms were raised by customized context-based protection signatures were not carried out (e.g. sending of e-mails or quarantine). This issue has been fixed.
Audit logs
Support references 66899 - 66797 - 66900
Whenever an internal service corrupted the audit log reporting system, the system would cause all services to hang without making the product restart or making another node in the cluster take over. This issue has been fixed.
Support reference 55251
The name of the user who opened a connection now appears correctly in the connection logs, even if another user has retrieved the same IP address in the meantime.
Support reference 55251
The logd daemon that writes logs and generates reports no longer shuts down unexpectedly and no longer causes logs to be lost.
SSL VPN
Support reference 65347
Implicit rules for OpenVPN over TCP and UDP are no longer generated unnecessarily: they are now generated only for the protocol enabled (TCP and/or UDP).
Support references 65392 - 66937 - 65279
In order to resolve malfunctions on SSL VPN over UDP, it is now possible to define the service's listening IP address using the command CONFIG OPENVPN UPDATE udpBindAddr=(<firewall_ip_object>|""). Details of this command can be found in the CLI SERVERD Commands Reference Guide.
SPNEGO SSO authentication
Support reference 65439
Whenever SPNEGO authentication has been configured, the user now directly accesses websites without having to go through the authentication portal, even when the website's URL contains an apostrophe.
Proxies
Support references 66014 - 65028 - 65033
In some cases, using the SMTP proxy would cause the service to shut down unexpectedly for all types of connections through the proxy: SMTP, as well as HTTP or SSL. This issue has been fixed.
Maintenance
Support reference 67022
The system report (sysinfo) no longer generates illegitimate errors regarding some of the system's binary files.
Log partition
Support reference 64065
The issue with the corruption of the log partition following a sudden shutdown of SNS has been fixed.
Network
Support reference 64123
The accumulation of unanswered ARP requests could cause the loss of the first packet in communications between two hosts belonging to the firewall's networks. This anomaly, which was problematic for certain monitoring tools, has been fixed.
Intrusion prevention
Antispam
Support reference 66530
Active updates of the antispam engine are now faster and no longer use a disproportionate amount of CPU resources.
Application protection
Inspection profile
Support reference 64042
Whenever a client on the firewall's internal network opens a connection to a server on the Internet and the server's response generates an alarm, the alarm now blocks the server's IP address instead of the client's IP address.
Web administration interface
Filtering
Support reference 64008
The usage counter now appears correctly for all filter and NAT rules.
Support reference 64943
When filter rules are copied and pasted, destination information about Disk, Syslog server and IPFIX collector logs is now saved.
Support reference 66798
The right filter policy is now displayed after a global policy is selected.
Support reference 65057
In the Security policy > SMTP filter page, the "?" character can now be entered in the field of the sender's name.
Objects
Support reference 66757
Fixed event time objects that start and end on the same day can now be created again.
Reports
Support reference 65958
The Reports > Sandboxing > Malicious files blocked menu now correctly displays the report on files blocked by the Sandboxing engine.
Users
Support reference 65945
If an external LDAP directory was configured on the firewall, user groups whose attributes (DN, OU, etc.) contained special characters would not be correctly applied. This issue has been fixed.
Support reference 66275
The Configuration > Users > Authentication > Captive portal tab has been optimized to take into account a large number of interfaces.
Network interfaces
Support reference 64870
The Configuration > Network > Interfaces page no longer runs the command relating to Wi-Fi on firewalls without Wi-Fi, and as such no longer generates irrelevant errors.
Protocols
Support reference 66438
In the Protocols module, the button that allows adding customized MS-RPC services is now operational.
Monitoring
Support reference 65898
The Average throughput column in the Monitoring > Connection monitoring menu now shows the correct value for the unit indicated (bits/second).
Support reference 66440
In the interface monitoring configuration, interfaces already on the list can no longer be added, thereby keeping errors to a minimum.
Administrator account password
Support reference 66384
Whenever you change the password of the administrator account, the new password will now be correctly interpreted if it contains spaces.
Login page
Support reference 66027
The help button on the login page, which redirected to an unknown page, has been removed.
Virtual machines
Microsoft Azure hosting platform
Support reference 58722
During the initialization of a virtual machine on the Azure platform, the "$" (dollar) character in the administrator password would not be taken into account. The administrator password on the firewall would therefore remain "admin". This issue has been fixed.
Hardware
Support references 65250 - 65820
An excessive amount of system information would be sent over the serial link, potentially slowing down the firewall and preventing administration via this link. By default, this information is no longer shown on the serial link and is available only via the ndmesg command. However, you can still modify the KernelMsg parameter in the [Console] section of the ConfigFiles/system configuration file to display the information again.