SNS 3.8.0 bug fixes

Network

Interfaces

Support reference 69982

The advanced configuration option Keep VLAN IDs (for interfaces included in a bridge), which instructs the firewall to accept tagged packets on such an interface even when the VLANs concerned have not been explicitly declared, no longer worked. This issue has been fixed.

Dynamic routing - Router objects

Support references 65524 - 69210 - 70135

Whenever a firewall's default gateway consisted of a router object with load balancing, the dynamic routes that the Bird engine had learned would not be applied. This issue has been fixed.

Static multicast routing

Support reference 70211

A hard limit on the size of the queues used by static multicast routing would cause multicast packets to be dropped. The size of these queues can now be configured using the command:

CONFIG SMCROUTING UPDATE UpcallQueueLimit = <queue_size>

For more information on this command, please refer to the CLI SERVERD Commands Reference Guide.

VLAN attached to a link aggregate

Support references 67337 - 65108

VLANs attached to a link aggregate would not work in either of the following configurations:

  • Inactive aggregate (configured to accept only traffic bearing the tag of the child VLAN over the aggregate),
  • Aggregate with a forced MAC address, even when the VLAN is not in promiscuous mode.

This issue has been fixed.

Support reference 67698

Whenever VLANs attached to a link aggregate were moved to another link aggregate, the MAC address of such VLANs would be forced to 00:00:00:00:00:00 and the VLANs would not work. This issue has been fixed.

Support reference 67516

In an HA cluster with the Periodically send gratuitous ARP requests option enabled, whenever VLANs attached to a link aggregate were moved to another link aggregate, the MAC address carried in the gratuitous ARP packets would be wrong and the VLANs would not work. This issue has been fixed.

Quality of Service (QoS) - GRE interfaces

Support references 67640 - 69253 - 69316

QoS rules defined in the Security policy > Quality of service module would never be applied to traffic passing through GRE interfaces. This issue has been fixed.

GRE interfaces

Support reference 71499

It was not possible to set up TCP connections to or from an SNS firewall through a GRE tunnel. This issue has been fixed.


System

Proxies

Support reference 69318

Memory corruption in the SSL proxy would disrupt web access. This issue has been fixed.

Support references 66101 - 64504 - 69005 - 69328

A race condition (concurrent access to resources shared by the OpenSSL module) would cause the proxy to freeze. This issue has been fixed.

IPsec VPN

Support reference 70910

In configurations that use virtual IPsec interfaces, a race condition (concurrent access to certain Security Policy parameters) would disrupt traffic inside established IPsec tunnels. This issue has been fixed.

IPsec VPN (IKEv1 + IKEv2 or IKEv2 only)

Support reference 70250

An anomaly in the management of Security Associations (SAs) during packet loss within a tunnel would wrongly generate many child SAs and increase the load on the engine that manages IPsec IKEv2 / IKEv1+IKEv2 tunnels. This anomaly has been fixed.

IPsec VPN - IKEv2

Support reference 70250

In order to prevent the multiplication of inactive child Security Associations (SAs), which would increase the load on the engine that manages IPsec IKEv2 tunnels, the maximum lifetime of SAs that no longer send or receive any traffic can be configured using the command (System > CLI Console module):

CONFIG IPSEC PEER NEW

For more information on this command, please refer to the CLI SERVERD Commands Reference Guide.

Captive portal - Sponsorship

Support reference 67894

Whenever the sponsorship authentication method was configured to display a disclaimer page, it would not be displayed during the sponsorship request, and the requester would never see it. This anomaly has been fixed and the disclaimer page is now displayed as soon as a sponsorship request is submitted.

Support reference 70007

An anomaly in the management of sponsorship requests would wrongly cause the detection of a brute force attack and block the requester. This anomaly has been fixed.

Captive portal - SSL VPN - Web administration interface

Support reference 70568

Receiving a malformed (non-compliant) request could cause the authentication portal, the SSL VPN and the web administration interface to freeze. This issue has been fixed.

Firewall administration

Support reference 71741

During the procedure for recovering a forgotten administrator password, if the two passwords entered did not match, the firewall's configuration would be erased. This issue has been fixed.

Web enrollment

Support reference 54754

Web enrollment with certificate creation was supported only for users logged on to the authentication portal using Mozilla Firefox. This anomaly has been fixed and Microsoft Internet Explorer, Microsoft Edge and Google Chrome are now supported.

High availability and IPsec VPN (IKEv1 + IKEv2 or IKEv2 only)

Support reference 68832

During the reconstruction of a cluster after the physical replacement of the passive firewall, and whenever the quality of the active firewall was lower than the quality of the new passive firewall, established IPsec tunnels would be renegotiated. This issue has been fixed.

High availability - Incident icon

Support references 70506 - 70880

As the high availability (HA) monitoring mechanism takes into account the status of links to router objects, unreachable router objects would wrongly cause the display of an icon indicating an incident on HA links in the firewall cluster. This anomaly has been fixed.


Notifications - E-mail alerts

Support reference 69100

An encoding anomaly in the SMTP configuration test e-mail would raise the alarm "Incorrect end of line in SMTP" (which blocks the offending packets by default) whenever SMTP protocol analysis was enabled. This anomaly has been fixed.
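The check behind that alarm is worth seeing concretely. The following Python is an added illustration written for these notes, not Stormshield's protocol analyser: RFC 5321 requires every line of an SMTP session (commands, replies and DATA content) to end with CRLF, so a bare LF or bare CR is exactly the kind of defect an "incorrect end of line" alarm refers to. The two sample sessions are constructed.

```python
"""Check an SMTP exchange for line endings the protocol forbids.

Added illustration, not Stormshield's protocol analyser: RFC 5321
requires every line of an SMTP session (commands, replies and the
DATA content) to end with CRLF. A bare LF or bare CR is the kind of
defect an "Incorrect end of line in SMTP" alarm refers to.
"""

CRLF = b"\r\n"

# Constructed sample session: the test e-mail as it should be encoded.
GOOD_SESSION = (
    b"EHLO firewall.example.test\r\n"
    b"MAIL FROM:<alerts@example.test>\r\n"
    b"RCPT TO:<admin@example.test>\r\n"
    b"DATA\r\n"
    b"Subject: SMTP configuration test\r\n"
    b"\r\n"
    b"This is a test message.\r\n"
    b".\r\n"
)

# Same session with one header line terminated by a bare LF.
BAD_SESSION = GOOD_SESSION.replace(
    b"Subject: SMTP configuration test\r\n",
    b"Subject: SMTP configuration test\n",
)


def find_bad_line_endings(data: bytes) -> list:
    """Return (line_number, problem) for every line not ended by CRLF.

    Lines are numbered from 1. A final fragment with no terminator at
    all is reported as 'missing terminator'.
    """
    problems = []
    line_no = 1
    i = 0
    while i < len(data):
        cr = data.find(b"\r", i)
        lf = data.find(b"\n", i)
        candidates = [p for p in (cr, lf) if p != -1]
        if not candidates:
            problems.append((line_no, "missing terminator"))
            break
        p = min(candidates)
        if data[p:p + 2] == CRLF:
            i = p + 2                      # proper terminator
        elif data[p:p + 1] == b"\r":
            problems.append((line_no, "bare CR"))
            i = p + 1
        else:
            problems.append((line_no, "bare LF"))
            i = p + 1
        line_no += 1
    return problems


def fix_line_endings(data: bytes) -> bytes:
    """Rewrite bare CR or bare LF terminators as CRLF."""
    # Collapse every terminator variant to LF, then expand LF to CRLF.
    return (data.replace(CRLF, b"\n")
                .replace(b"\r", b"\n")
                .replace(b"\n", CRLF))


if __name__ == "__main__":
    print(find_bad_line_endings(GOOD_SESSION))           # []
    print(find_bad_line_endings(BAD_SESSION))            # [(5, 'bare LF')]
    print(fix_line_endings(BAD_SESSION) == GOOD_SESSION)  # True
```

A mail client or alerting component that emits the output of fix_line_endings() never trips the alarm; the scanner side shows why a single mis-encoded header line is enough for a protocol analyser to block the whole exchange.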

Local storage

Support references 68506 - 71005

Firewalls with a damaged SD card (and therefore a damaged log storage partition) would restart in a loop. This issue has been fixed.

Vulnerability Manager

Support references 58546 - 66338 - 66736 - 68741 - 69083 - 70153 - 66482

The vulnerability management module no longer functioned on SN150, SN160(W), SN210(W) and SN310 firewall models and could cause the firewall to freeze. This issue has been fixed.

USB over Ethernet modem

Support reference 65697

When a U30S or SN200 firewall restarted, detection of the USB over Ethernet modem would take too long and no IP address would be assigned to the modem; the firewall's network services then had to be restarted manually (ennetwork command). This anomaly has been fixed.

Antispam

Support reference 69307

A flaw in the operation of the domain name blacklist would wrongly classify legitimate e-mails as spam. This anomaly has been fixed.

Filter - NAT

Support references 69146 - 69011

Adding or deleting an inactive filter rule, or a rule containing an empty group, in front of a rule that uses the proxy (URL filtering, antivirus, sandboxing, etc.) would shift filter rule IDs. This shift would in turn cause web access to malfunction. This issue has been fixed.

Stormshield Management Center

Since SNS version 3.6.1, the firewall ignored the network interface specified for connections to the SMC server (BindAddr parameter). This issue has been fixed.

URL filtering - Stormshield Management Center

In configurations that use the URL filter database compiled by the Rectorat de Toulouse (Academy of Toulouse – refer to the article in the Stormshield knowledge base), and whenever the administrator was logged on to the firewall via an SMC server, the Add all predefined categories button (Security policy > URL filtering module) would return an HTTP error message. This anomaly has been fixed.

SSO agent - Nested groups

Support references 66905 - 66350 - 67257 - 69977

Enabling nested groups (Users > Directory configuration > Advanced properties) in a Microsoft Active Directory combined with the SSO agent authentication method would cause excessive memory consumption and could prevent connections to the firewall's web administration interface and captive portal. This issue has been fixed.

Command line

Support reference 68861

The system command ennetwork -v would require an argument for which no default value was assigned, unlike what was indicated in command help. This anomaly has been fixed and the value DEBUG is now assigned to this argument whenever no value has been explicitly specified.

SNMP

Support reference 70258

Querying OIDs that correspond to the firewall's network interfaces would cause the firewall's SNMP server to consume too much memory. This anomaly has been fixed.

LDAP directories

Support reference 69872

During the configuration of a Microsoft Active Directory with secure SSL access, an error message "No LDAP configuration" would appear by mistake. Confirming this message and refreshing the screen would remove the directory concerned from the list of directories. This anomaly has been fixed.

Alarms on SN3000 firewalls

Support references 71022 - 71051

On SN3000 firewalls, an alarm indicating a power supply failure would appear on the dashboard even though the firewall would be running properly. This anomaly has been fixed.

Intrusion prevention

SIP

Support reference 68583

The firewall did not take into account the optional Record-Route and Route header fields, which SIP proxies may add. The addresses and routes indicated in these fields were therefore not translated when NAT required it. This anomaly has been fixed.

Support reference 66573

Some SIP telephones omit the port number from the Contact field of their REGISTER request (in which case the default SIP port, 5060, applies). The firewall would not correctly redirect incoming REGISTER requests formed in this way. This anomaly has been fixed.
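The two SIP fixes above (Route/Record-Route translation, and Contact fields without a port) come down to the same operation: locate the sip: URIs in those headers, fill in the RFC 3261 default port of 5060 when none is given, and translate the host according to the NAT mapping. The Python below is an added illustration written for these notes, not Stormshield's SIP plugin; the REGISTER request, the private/public address mapping and the helper names are constructed. Via is deliberately left alone, since the notes only concern the three headers named.

```python
"""Extract and translate the SIP URIs a NAT-aware firewall must rewrite.

Added illustration, not Stormshield's SIP plugin. Contact, Route and
Record-Route headers carry sip: URIs whose host (and port) a firewall
performing NAT has to translate. Per RFC 3261 a sip: URI with no
explicit port uses 5060; some telephones rely on that default in the
Contact header of their REGISTER request. Request and NAT mapping are
constructed.
"""
import re

SIP_DEFAULT_PORT = 5060
# "m" is the RFC 3261 compact form of Contact.
HEADERS_TO_REWRITE = {"contact", "m", "route", "record-route"}

# sip:[user@]host[:port] ; host may be an IPv6 literal in brackets
URI_RE = re.compile(
    r"sip:(?:(?P<user>[^@>;\s]+)@)?(?P<host>\[[^\]]+\]|[^:;>\s]+)(?::(?P<port>\d+))?"
)

# Constructed REGISTER from a phone at a private address that omits the
# Contact port, sent through a proxy that added Record-Route/Route.
REGISTER = (
    "REGISTER sip:registrar.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@example.test>;tag=1928301774\r\n"
    "To: <sip:1001@example.test>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "Contact: <sip:1001@192.168.1.20>\r\n"
    "Record-Route: <sip:192.168.1.5;lr>\r\n"
    "Route: <sip:192.168.1.5:5062;lr>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed static NAT: private address -> public address
NAT_MAP = {"192.168.1.20": "203.0.113.20", "192.168.1.5": "203.0.113.5"}


def parse_sip_uri(text: str):
    """Return (user, host, port) of the first sip: URI; port defaults to 5060."""
    m = URI_RE.search(text)
    if m is None:
        raise ValueError(f"no sip: URI in {text!r}")
    port = int(m.group("port")) if m.group("port") else SIP_DEFAULT_PORT
    return m.group("user"), m.group("host"), port


def _translate(m, nat_map: dict) -> str:
    """Rewrite one matched URI: map the host and make the port explicit."""
    new_host = nat_map.get(m.group("host"))
    if new_host is None:
        return m.group(0)  # e.g. a domain name: not ours to translate
    user = m.group("user")
    prefix = f"sip:{user}@" if user else "sip:"
    return f"{prefix}{new_host}:{m.group('port') or SIP_DEFAULT_PORT}"


def rewrite_sip_message(message: str, nat_map: dict) -> str:
    """Translate hosts in Contact/Route/Record-Route according to nat_map.

    Only the header section is touched; anything after the empty line
    (the body) is copied unchanged.
    """
    out = []
    in_headers = True
    for line in message.split("\r\n"):
        if in_headers:
            if line == "":
                in_headers = False
            else:
                name, sep, value = line.partition(":")
                if sep and name.strip().lower() in HEADERS_TO_REWRITE:
                    line = name + ":" + URI_RE.sub(
                        lambda m: _translate(m, nat_map), value)
        out.append(line)
    return "\r\n".join(out)


def header(message: str, name: str) -> str:
    """Value of the first header called name (case-insensitive)."""
    for line in message.split("\r\n"):
        n, sep, value = line.partition(":")
        if sep and n.strip().lower() == name.lower():
            return value.strip()
    raise KeyError(name)


if __name__ == "__main__":
    print(rewrite_sip_message(REGISTER, NAT_MAP))
```

Making the port explicit in the translated Contact is what lets the registrar's response be redirected back to the phone even when the phone relied on the implicit 5060; translating the Route and Record-Route hosts is what keeps subsequent in-dialog requests routable through the proxy from outside the NAT.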

SNMP

Support reference 68686

Enabling intrusion prevention analysis on the SNMP protocol would cause the excessive consumption of processing resources on the firewall and slow down all network traffic passing through this firewall. This anomaly has been fixed.

LDAP protocol

Support references 71152 - 69806

The analysis of the LDAP protocol would wrongly raise the alarm ldap_tcp:427 (Bad LDAP protocol) and block connections to the target LDAP directory. This anomaly has been fixed.


Support reference 71192

An issue during the analysis of LDAP packets that authenticate via SASL (Simple Authentication and Security Layer) would cause the firewall to freeze. This issue has been fixed.

Software Restoration via USB key

Support reference 68227

SN6000 model firewalls

The internal disk detection method used during a USB recovery would not function on SN6000 firewalls. This anomaly has been fixed.

Web administration interface

Support reference 69237

An issue that slowed down the display of the web administration interface, and which could cause the engine that manages these administration pages to freeze, has been fixed.

Users

Support reference 68972

Displaying users or groups that belong to very large directories (thousands of objects) would sometimes require several minutes or would not even succeed. This issue has been fixed.

Static routing

Support references 65971 - 67347 - 70135

Adding a static route by specifying the destination network first instead of the interface would cause the error message "interface not found" to appear. This issue has been fixed.

Filter - NAT

In a configuration:

  • Using several rule separators,
  • With a separator placed at the top of the filter or NAT policy.

Whenever all separators were collapsed, deleting the separator at the top would not delete the filter or NAT rules placed under this separator. This anomaly has been fixed.

Administration privileges

Support reference 68691

Users with administration privileges would not be able to modify certain parameters such as DNS or NTP configuration. This anomaly has been fixed.

Administrators

Support references 68888 - 70656

Administrator accounts whose names contained uppercase letters or other special characters would not appear in the list of administrators after being added. This issue has been fixed.

Temporary accounts

The button to export the list of temporary accounts would not function with Microsoft Edge. This issue has been fixed.

Logs - Audit logs

The button to export the contents of audit logs would not function with Microsoft Edge and would log the user off the administration interface. This issue has been fixed.

The hashes of captured network packets (configuration via advanced alarm options) would not be anonymized whenever the administrator only had restricted access to logs. This anomaly has been fixed.

Network objects

Support references 67681 - 68079

After the Host or Network filter was applied, the objects displayed in the IPv4 or IPv6 column would be sorted lexicographically (character by character on the textual address) instead of in numerical order. This anomaly has been fixed.
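The difference between the two orderings is easy to miss on a short list and obvious on a long one. The Python below is an added illustration written for these notes, not Stormshield code: it shows the ordering the bug produced (a plain string sort) next to a numeric sort that keeps IPv4 before IPv6 and orders each family by address value. The sample list is constructed.

```python
"""Sort IP addresses numerically instead of character by character.

Added illustration, not Stormshield code: the wrong ordering the bug
produced (plain string sort of the textual address) next to the correct
numeric ordering, for a constructed mix of IPv4 and IPv6 objects.
"""
import ipaddress

# Constructed sample of what a Host filter might return.
SAMPLE = [
    "10.0.0.10", "10.0.0.2", "192.0.2.1", "10.0.0.1",
    "2001:db8::10", "2001:db8::2", "172.16.0.5",
]


def sort_as_text(addrs):
    """The buggy behaviour: compares strings character by character,
    so 10.0.0.10 lands before 10.0.0.2 and 2001:db8::10 before 2001:db8::2."""
    return sorted(addrs)


def address_sort_key(addr: str):
    """Numeric sort key: IPv4 before IPv6, then by integer value of the address."""
    ip = ipaddress.ip_address(addr)
    return (ip.version, int(ip))


def sort_numerically(addrs):
    """The expected behaviour: numeric order within each address family."""
    return sorted(addrs, key=address_sort_key)


if __name__ == "__main__":
    print("as text:   ", sort_as_text(SAMPLE))
    print("numerically:", sort_numerically(SAMPLE))
```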

Captive portal

Support reference 68872

In the Users > Authentication module > Captive portal > Advanced properties tab, even when a network object had been selected for the Port on the captive portal field, this field would show a numerical value and would be wrongly flagged as an anomaly. This issue has been fixed.

Virtual machines

Log partition

Support references 61281 - 69313

On OpenStack-based virtualization or hosting platforms (Xen Server, KVM, Cloudwatt, etc.), the virtual firewall's log partition would sometimes not be detected and the Logs - Audit logs menu would then be hidden. This issue has been fixed.

Xen Server - "Live migrate" function

Support reference 60867

The use of the Live migrate function, which hot-transfers a virtual firewall from one Xen server to another, would cause a system error and make the firewall restart.