IMPORTANT
SNS 3.x versions have reached End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SNS 3.5.0 bug fixes
System
High Availability
Support references 65701 - 65946
An issue regarding concurrent access to the high availability tracking file would cause the syncid field to be deleted from this file. The absence of this field would then make members of the cluster repeatedly synchronize their configurations. This issue has been fixed.
Support reference 66802
Within a cluster in which members are of varying quality or a priority has been defined, resetting the firewall with the highest priority or level of quality would immediately cause it to recover its role as the active firewall without fully synchronizing all information. This issue has been fixed with the addition of a timeout that allows synchronizing before switching roles. Set by default to 15 seconds, this timeout can only be modified in command line with the commands CONFIG HA CREATE and CONFIG HA UPDATE. Details of these commands can be found in the CLI SERVERD Commands Reference Guide.
Support reference 67553
Following an HA swap, network equipment from other vendors may ignore gratuitous ARP requests sent by the new active member of the SNS cluster due to an anomaly in the format of such requests (RFC 5944). This anomaly has been fixed.
Support reference 67776
The high availability quality indicator would be skewed whenever an SD card was inserted into a member of the cluster. This issue has been fixed.
Support reference 67832
An anomaly in the operation of the high availability tracking mechanism, which would cause excessive memory consumption, has been fixed.
Quality of Service
Support reference 67879
During the setup of bandwidth reservation or restriction (CBQ), the actual bandwidth would be much lower than the configured bandwidth restriction. This issue has been fixed.
Configuration – Network parameters
Support reference 58987
Firewalls for which no DNS servers have been declared to perform their own name resolution would restart in a loop whenever a firmware update was applied. This issue has been fixed.
Authentication
Support references 64844 - 65776
An anomaly in the way brute force attack attempts were counted would prevent the authentication of legitimate users. This anomaly has been fixed.
Configuration restoration
Support reference 58925
An anomaly in the verification of configuration restoration files' validity has been fixed.
Filter - NAT
Support reference 67922
In rules that group a large number of objects, attempts to add extra objects (source, destination, port, etc.) would cause the web administration interface to disconnect.
Filter - NAT – Global policy
Support reference 66325
Whenever the port in an explicit HTTP proxy was changed, it would not necessarily be applied when global filter rules were generated. This anomaly has been fixed.
Proxies
Support reference 66653
Whenever the proxy sent packets to an ICAP server through a filter rule in firewall mode, it would cause latency issues during web browsing. This issue has been fixed.
Support references 67713 - 67924
During the initialization of the SMTP proxy's logging mechanism, checks for the existence of an active filter policy would cause the SMTP proxy to freeze.
SSL VPN – UDP
Support reference 67293
The SSL VPN over UDP service would occasionally fail to function with configurations that have several Internet access gateways or several IP addresses on the same interface. To resolve these issues, a field has been added to the VPN > SSL VPN module, allowing the definition of a listening IP address for the service over UDP.
Support reference 66315
The Export the configuration file button would allow exporting archives that contain the server's configuration. Since such archives cannot be used, they have been replaced with an archive containing the client's typical configuration (SSL VPN CA and server certificate, network configuration for the client and the mobile client), similar to the one available on the authentication portal.
Sandboxing
Support reference 57407
After a firewall has been restarted, files would not always be sent for sandboxing analysis (Breach Fighter). This issue has been fixed.
Network
DHCP relay
Support reference 66767
In configurations that use the DHCP relay, enabling Wi-Fi interfaces would prevent the relay of DHCP requests sent from these Wi-Fi interfaces. This issue has been fixed.
Interfaces
Support reference 58822
In a configuration such as the following:
- Several unprotected interfaces are included in a bridge, and
- A static route exits via one of these unprotected interfaces (other than the first).
The first network packets that need to use the static route would be wrongly sent to the bridge's first unprotected interface.
Even though this issue has been fixed, do note that the case described in this configuration is not supported (cf. Explanations on usage > Network > Interfaces).
Intrusion prevention
HTTP
Support reference 65592
Previously, the HTTP headers "Content-Security-Policy" and "Authorization: NTLM" likely to raise the block alarm "Possible buffer overflow in HTTP request/reply" could only be configured in command line. They have since been added to the control panel of the Maximum size of HTTP headers (Application protection > Protocols > HTTP > Advanced properties).
Support references 65250 - 65820
Using the implicit HTTP proxy while the option Apply the NAT rule on scanned traffic (Application protection > Protocols > HTTP > Go to global configuration > Proxy menu) was enabled would generate a very large number of error messages on the console port (messages such as "XXX already released without rule YYYY"). Attempts to display such a large number of messages would cause excessive CPU consumption and would cause the firewall to freeze.
ICMP
Support reference 65930
The "Invalid ICMP message" alarm would be wrongly raised whenever legitimate ICMP packets were sent over a firewall with declared IPsec tunnels. This anomaly has been fixed.
S7 protocol
Support reference 67764
Since encrypted S7 traffic cannot be analyzed, packets would be wrongly blocked when an alarm was raised ("S7: response without corresponding request" or "S7: invalid protocol"). This anomaly has been fixed.
Fragmented packets
Support references 66850 - 66719
An anomaly in the management of fragmented packets would wrongly cause the first fragment to be blocked. This anomaly has been fixed.
IDS / Firewall mode
Support reference 65120
In a configuration such as the following:
- The firewall used filter rules in IDS or firewall mode, and
- The transparent HTTP proxy was enabled.
An anomaly in the management of address translation could cause a combination of connections presenting the same source IP address and the same source port. This anomaly has been fixed.
Virtual machines
Microsoft Hyper-V
Support references 66627 - 67132
On a Microsoft Hyper-V platform, virtual machines with several network interfaces could encounter issues enabling their last interfaces after restarting. This issue has been fixed.
Notifications
E-mail alerts
Support references 66708 - 66782
Notification e-mails sent through the STARTTLS protocol would be truncated. This anomaly has been fixed.
SNMP agent
Support reference 67726
The OID hrStorageType included in the MIB "HOST-RESOURCES-MIB" would no longer return results to SNMP requests. This anomaly has been fixed.
Hardware
Firewall clock
Support reference 58901
Whenever the battery that manages the firewall's clock malfunctioned, the firewall would adopt a random date every time it started up. If this date was earlier than the start of the appliance's license validity period, the firewall would repeatedly restart. This anomaly has been fixed.
Web administration interface
Wi-Fi network
Support references 65333 - 68006
The web administration interface would wrongly reject the use of special characters (periods, dashes, etc.) in Wi-Fi network names (SSID). This anomaly has been fixed.
Please be reminded that only the " character is prohibited in this field.
IPsec VPN
Support reference 67688
Whenever a peer ID was defined for an IPsec peer, this ID could no longer be deleted via the web administration interface. This issue has been fixed.
QoS monitoring
Support reference 66587
Data displayed in QoS monitoring curves (real time/history) did not match selected queues. This anomaly has been fixed.
Audit logs
Support reference 66838
Whenever a rule name was specified for a filter rule, this name would not appear in the Rule name column in connection logs. This anomaly has been fixed.
Support reference 67018
In Advanced search mode, dragging and dropping an IP address from the Source name or Destination name columns into filter criteria would result in an empty page of data. This anomaly has been fixed.
Certificates
Support references 59271 - 66735 - 64509
After the import of a certificate in PKCS12 format (including the full chain of certification), the certificate would not appear in the list of selectable certificates for an IPsec VPN peer. This anomaly has been fixed.
Logs - Syslog - IPFix
Support reference 67475
The progress bar during the formatting of a removable device (SD card) would not disappear after the completion of the operation. This anomaly has been fixed.
Authentication
Support reference 67256
The sslvpn interface could no longer be selected in the table matching authentication profiles to interfaces. This anomaly has been fixed.
Support references 67587 - 67985
Whenever the Always display advanced properties checkbox in the firewall's Preferences was not selected, the buttons for selecting the proxy configuration file, logo or style sheet (Authentication > Captive portal > Advanced properties tab) would no longer appear in Mozilla Firefox. This anomaly has been fixed.
Support reference 68097
Title
The term Debug would systematically appear in the tab of the browser displaying the web administration interface. This anomaly has been fixed.
Network objects
Support reference 68250
When checking the use of a network object, the information displayed would indicate the line number in the filter policy (therefore including separators) instead of the number of the filter rule using the object. This anomaly has been fixed.
Stormshield Network Real-Time Monitor
"Hosts" view
Support reference 67297
Ever since version 3.3 of SNRTM, statistics on internal hosts that pass through a Stormshield v2 firewall would no longer be displayed. This anomaly has been fixed.
Do note that statistics concerning hosts located behind unprotected interfaces are displayed for firewalls with firmware in versions between 3.0 and 3.2.1.