IMPORTANT
SNS 3.x versions have reached End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SNS 3.8.0 bug fixes
Network
Interfaces
Support reference 69982
The advanced configuration option Keep VLAN IDs (for interfaces included in a bridge), which instructs the firewall to accept tagged packets on this interface even when the VLANs concerned have not been explicitly declared, no longer functioned. This issue has been fixed.
Dynamic routing - Router objects
Support references 65524 - 69210 - 70135
Whenever a firewall's default gateway consisted of a router object with load balancing, the dynamic routes that the Bird engine had learned would not be applied. This issue has been fixed.
Static multicast routing
Support reference 70211
A restriction on queue size management in multicast static routing would cause the loss of multicast packets. The size of these queues can now be configured using the command:
CONFIG SMCROUTING UPDATE UpcallQueueLimit = <queue_size>
For more information on this command, please refer to the CLI SERVERD Commands Reference Guide.
VLAN attached to a link aggregate
Support references 67337 - 65108
Whenever VLANs were attached to a link aggregate in any of the following configurations:
- Inactive aggregate (configured to accept only traffic bearing the tag of the child VLAN over the aggregate),
- Aggregate with a forced MAC address, even when the VLAN is not in promiscuous mode.
Such VLANs would not function. This issue has been fixed.
Support reference 67698
Whenever VLANs attached to a link aggregate were moved to another link aggregate, the MAC address of such VLANs would be forced to 00:00:00:00:00:00 and the VLANs would not function. This issue has been fixed.
Support reference 67516
In an HA cluster with the Periodically send gratuitous ARP requests option enabled, whenever VLANs attached to a link aggregate were moved to another link aggregate, the MAC address inside the ARP packets would be wrong and the VLANs would not function. This issue has been fixed.
Quality of Service (QoS) - GRE interfaces
Support references 67640 - 69253 - 69316
QoS rules defined in the Security policy > Quality of service module would never be applied to traffic passing through GRE interfaces. This issue has been fixed.
GRE interfaces
Support reference 71499
It was not possible to set up TCP connections to or from an SNS firewall through a GRE tunnel. This issue has been fixed.
System
Proxies
Support reference 69318
An incident of memory corruption during the use of the SSL proxy would disrupt web access. This issue has been fixed.
Support references 66101 - 64504 - 69005 - 69328
An issue regarding competing access to certain resources used by the OpenSSL module would cause the proxy to freeze. This issue has been fixed.
IPsec VPN
Support reference 70910
In configurations that use virtual IPsec interfaces, an issue with competing access to certain Security Policy parameters would disrupt traffic inside established IPsec tunnels. This issue has been fixed.
IPsec VPN (IKEv1 + IKEv2 or IKEv2 only)
Support reference 70250
An anomaly in the management of Security Associations (SA) during the loss of packets within a tunnel would wrongly generate many child SAs and increase the load on the engine that manages IPsec IKEv2 / IKEv1+IKEv2 tunnels. This anomaly has been fixed.
IPsec VPN - IKEv2
Support reference 70250
In order to prevent the multiplication of inactive child Security Associations (SA) that would increase the load on the engine that manages IPsec IKEv2 tunnels, the maximum lifetime of SAs that no longer send or receive any traffic can be configured using the following command (System > CLI Console module):
CONFIG IPSEC PEER NEW
For more information on this command, please refer to the CLI SERVERD Commands Reference Guide.
Captive portal - Sponsorship
Support reference 67894
Whenever the sponsorship authentication method was configured to display a disclaimer page, it would not be displayed during the sponsorship request, and the requester would never see it. This anomaly has been fixed and the disclaimer page is now displayed as soon as a sponsorship request is submitted.
Support reference 70007
An anomaly in the management of sponsorship requests would wrongly cause the detection of a brute force attack and block the requester. This anomaly has been fixed.
Captive portal - SSL VPN - Web administration interface
Support reference 70568
Receiving a non-compliant request could cause the authentication portal management mechanism, SSL VPN and the web administration interface to freeze. This issue has been fixed.
Firewall administration
Support reference 71741
In cases where the administrator password of a firewall was forgotten, if both passwords entered during the password retrieval procedure did not match, the configuration of the firewall would be erased. This issue has been fixed.
Web enrollment
Support reference 54754
Web enrollment with certificate creation was supported only for users logged on to the authentication portal using Mozilla Firefox. This anomaly has been fixed and Microsoft Internet Explorer, Microsoft Edge and Google Chrome are now supported.
High availability and IPsec VPN (IKEv1 + IKEv2 or IKEv2 only)
Support reference 68832
During the reconstruction of a cluster after the physical replacement of the passive firewall, and whenever the quality of the active firewall was lower than the quality of the new passive firewall, established IPsec tunnels would be renegotiated. This issue has been fixed.
High availability - Incident icon
Support references 70506 - 70880
As the high availability (HA) monitoring mechanism takes into account the status of links to router objects, unreachable router objects would wrongly cause the display of an icon indicating an incident on HA links in the firewall cluster. This anomaly has been fixed.
Notifications - E-mail alerts
Support reference 69100
An anomaly in the encoding of the SMTP configuration test e-mail would raise the alarm "Incorrect end of line in SMTP" (blocks packets by default) if the SMTP protocol analysis was enabled. This anomaly has been fixed.
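A check for the condition behind that alarm, as an added Python example (not Stormshield code): it scans a message for line terminators that are not CRLF, which is what an SMTP protocol analysis rejects, and shows the sender-side normalisation that avoids the alarm. The two messages are constructed for the example.

```python
from typing import List, Tuple

# Constructed messages standing in for the body of an SMTP configuration test e-mail.
CLEAN_MESSAGE = b"Subject: SMTP test\r\n\r\nThis is a test.\r\n"
BAD_MESSAGE = b"Subject: SMTP test\r\n\r\nThis is a test.\nSecond line\r\n"


def find_bad_line_endings(data: bytes) -> List[Tuple[int, str]]:
    """Scan an SMTP payload and report every line terminator that is not CRLF.

    RFC 5321 requires CRLF; a bare LF or bare CR is what a protocol analyser
    flags. The result is a list of (byte offset, description) pairs.
    """
    issues: List[Tuple[int, str]] = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b == 0x0D:                                  # CR
            if i + 1 < n and data[i + 1] == 0x0A:
                i += 2                                 # well-formed CRLF, skip both bytes
                continue
            issues.append((i, "bare CR"))
        elif b == 0x0A:                                # LF without a preceding CR
            issues.append((i, "bare LF"))
        i += 1
    return issues


def is_crlf_clean(data: bytes) -> bool:
    """True when every terminator in the payload is a proper CRLF."""
    return not find_bad_line_endings(data)


def normalise_line_endings(data: bytes) -> bytes:
    """Rewrite every terminator as CRLF (the fix on the sending side)."""
    # Collapse CRLF and lone CR to LF first so existing CRLF pairs are not doubled.
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").replace(b"\n", b"\r\n")


if __name__ == "__main__":
    for label, msg in (("clean", CLEAN_MESSAGE), ("bad", BAD_MESSAGE)):
        print(label, find_bad_line_endings(msg))
    print("normalised is clean:", is_crlf_clean(normalise_line_endings(BAD_MESSAGE)))
```

Run against a captured SMTP payload, the offsets point at the exact byte a protocol analyser would object to; the normalisation is only appropriate on the producing side, never in transit.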
Local storage
Support references 68506 - 71005
Firewalls with damaged SD cards (and therefore damaged log storage partitions) would restart in a loop. This issue has been fixed.
Vulnerability Manager
Support references 58546 - 66338 - 66736 - 68741 - 69083 - 70153 - 66482
The vulnerability management module no longer functioned on SN150, SN160(W), SN210(W) and SN310 firewall models and could cause the firewall to freeze. This issue has been fixed.
USB over Ethernet modem
Support reference 65697
When restarting a U30S or SN200 firewall, the detection of the USB over Ethernet modem would take too long and no IP address would be assigned to the modem. Network services on the firewall therefore needed to be manually rerun (ennetwork command). This anomaly has been fixed.
Antispam
Support reference 69307
A flaw in the operation of the domain name blacklist would wrongly classify legitimate e-mails as spam. This anomaly has been fixed.
Filter - NAT
Support references 69146 - 69011
Adding or deleting an inactive filter rule or a rule containing an empty group in front of a rule that uses the proxy (URL filtering, antivirus, sandboxing, etc.) would skew filter rule IDs. This skew would in turn cause web access to malfunction. This issue has been fixed.
Stormshield Management Center
Ever since version 3.6.1 of SNS, the firewall would no longer take into account the network interface specified for connections to the SMC server (BindAddr parameter). This issue has been fixed.
URL filtering - Stormshield Management Center
In configurations that use the URL filter database compiled by the Rectorat de Toulouse (Academy of Toulouse – refer to the article in the Stormshield knowledge base), and whenever the administrator was logged on to the firewall via an SMC server, the Add all predefined categories button (Security policy > URL filtering module) would return an HTTP error message. This anomaly has been fixed.
SSO agent - Nested groups
Support references 66905 - 66350 - 67257 - 69977
Enabling nested groups (Users > Directory configuration > Advanced properties) in a Microsoft Active Directory combined with the SSO agent authentication method would cause excessive memory consumption and could prevent connections to the firewall's web administration interface and captive portal. This issue has been fixed.
Command line
Support reference 68861
The system command ennetwork -v required an argument that had no default value, contrary to what the command help indicated. This anomaly has been fixed and the value DEBUG is now assigned to this argument whenever no value has been explicitly specified.
SNMP
Support reference 70258
Querying OIDs that correspond to the firewall's network interfaces would cause the firewall's SNMP server to consume too much memory. This anomaly has been fixed.
LDAP directories
Support reference 69872
During the configuration of a Microsoft Active Directory with secure SSL access, an error message "No LDAP configuration" would appear by mistake. Confirming this message and refreshing the screen would remove the directory concerned from the list of directories. This anomaly has been fixed.
Alarms on SN3000 firewalls
Support references 71022 - 71051
On SN3000 firewalls, an alarm indicating a power supply failure would appear on the dashboard even though the firewall would be running properly. This anomaly has been fixed.
Intrusion prevention
SIP
Support reference 68583
The firewall would not take into account the optional fields Record-Route and Route, which can be added by SIP proxies. The addresses and routes indicated in these fields would therefore not be translated when necessary. This anomaly has been fixed.
Support reference 66573
As certain SIP telephones do not specify the network port number used (Contact field in the REGISTER request), the firewall would not correctly redirect incoming REGISTER requests formed in this manner. This anomaly has been fixed.
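The two SIP entries above (Record-Route and Route handling, and Contact headers that carry no port) concern the same parsing step. The following Python is an added example, not Stormshield code: it extracts the endpoints from the Contact, Route and Record-Route headers of a SIP message, applies the RFC 3261 default port when a telephone omits it, and lists the endpoints carrying internal addresses that a NAT-aware SIP inspection would have to rewrite. The sample REGISTER request, the header set chosen and the use of RFC 1918 ranges as "internal" are assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Default ports from RFC 3261 section 19.1.2: sip: -> 5060, sips: -> 5061.
DEFAULT_PORTS = {"sip": 5060, "sips": 5061}

# Address ranges treated as "internal" here. Which ranges a firewall actually
# translates depends on its NAT policy; RFC 1918 space is an assumption.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One SIP/SIPS URI inside a header value: optional user part, host
# (bracketed IPv6, IPv4 literal or hostname) and optional port.
URI_RE = re.compile(
    r"(?P<scheme>sips?):"
    r"(?:[^@>\s;,]+@)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^:;>\s,]+)"
    r"(?::(?P<port>\d+))?"
)

# Constructed REGISTER request: the Contact URI has no port (the case in the
# second entry above) and Route/Record-Route carry an internal proxy address.
SAMPLE_REGISTER = (
    "REGISTER sip:registrar.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20;branch=z9hG4bK776asdhds\r\n"
    "Route: <sip:10.0.0.5;lr>\r\n"
    "Record-Route: <sip:10.0.0.5:5070;lr>, <sip:proxy.example.net;lr>\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:alice@example.net>\r\n"
    "Contact: <sip:alice@192.168.1.20>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(message: str) -> Dict[str, List[str]]:
    """Split the head of a SIP message into {lower-case header name: [values]}.
    Compact header forms (e.g. "m:" for Contact) are not expanded here."""
    head = message.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def extract_endpoints(values: List[str]) -> List[Tuple[str, int]]:
    """Return (host, port) for every URI in the given header values, filling in
    the scheme's default port when the URI carries none."""
    endpoints: List[Tuple[str, int]] = []
    for value in values:
        for m in URI_RE.finditer(value):
            host = m.group("host").strip("[]")
            port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[m.group("scheme")]
            endpoints.append((host, port))
    return endpoints


def is_internal(host: str) -> bool:
    """True for literal addresses inside INTERNAL_NETS; hostnames are left to DNS."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def translation_candidates(message: str) -> Dict[str, List[Tuple[str, int]]]:
    """For the headers a NAT-aware SIP inspection must rewrite (Contact, Route,
    Record-Route), list the endpoints that carry internal addresses."""
    headers = parse_headers(message)
    return {
        name: [ep for ep in extract_endpoints(headers.get(name, [])) if is_internal(ep[0])]
        for name in ("contact", "route", "record-route")
    }


if __name__ == "__main__":
    for header, endpoints in translation_candidates(SAMPLE_REGISTER).items():
        print(f"{header:13s} -> {endpoints}")
```

Omitting the port is legitimate on the wire, so an inspection engine has to fill in the default before it decides whether a REGISTER must be redirected; likewise the Route and Record-Route values are part of the addressing that has to be consistent on both sides of the NAT.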
SNMP
Support reference 68686
Enabling intrusion prevention analysis on the SNMP protocol would cause the excessive consumption of processing resources on the firewall and slow down all network traffic passing through this firewall. This anomaly has been fixed.
LDAP protocol
Support references 71152 - 69806
The analysis of the LDAP protocol would wrongly raise the alarm ldap_tcp:427 (Bad LDAP protocol) and block connections to the target LDAP directory. This anomaly has been fixed.
Support reference 71192
An issue during the analysis of LDAP packets that authenticate via SASL (Simple Authentication and Security Layer) would cause the firewall to freeze. This issue has been fixed.
Software Restoration via USB key
Support reference 68227
SN6000 model firewalls
The internal disk detection method used during a USB recovery would not function on SN6000 firewalls. This anomaly has been fixed.
Web administration interface
Support reference 69237
An issue that slowed down the display of the web administration interface, and which could cause the engine that manages these administration pages to freeze, has been fixed.
Users
Support reference 68972
Displaying users or groups that belong to very large directories (thousands of objects) would sometimes require several minutes or would not even succeed. This issue has been fixed.
Static routing
Support references 65971 - 67347 - 70135
Adding a static route by specifying the destination network first instead of the interface would cause the error message "interface not found" to appear. This issue has been fixed.
Filter - NAT
In a configuration:
- Using several rule separators,
- With a separator placed at the top of the filter or NAT policy.
Whenever all separators were collapsed, deleting the separator at the top would not delete the filter or NAT rules placed under this separator. This anomaly has been fixed.
Administration privileges
Support reference 68691
Users with administration privileges would not be able to modify certain parameters such as DNS or NTP configuration. This anomaly has been fixed.
Administrators
Support references 68888 - 70656
Administrator accounts with names that contained special characters such as uppercase characters would not appear in the list of administrators after being added. This issue has been fixed.
Temporary accounts
The button to export the list of temporary accounts would not function with Microsoft Edge. This issue has been fixed.
Logs - Audit logs
The button to export the contents of audit logs would not function with Microsoft Edge and would log the user off the administration interface. This issue has been fixed.
The hashes of captured network packets (configuration via advanced alarm options) would not be anonymized whenever the administrator only had restricted access to logs. This anomaly has been fixed.
Network objects
Support references 67681 - 68079
After application of the Host or Network filter, the order in which displayed objects were sorted in the IPv4 or IPv6 column would be wrong (the address was compared character by character as text instead of in numerical order). This anomaly has been fixed.
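Numeric ordering of network objects, as an added Python example (not Stormshield code) showing the difference between the two sort orders described above. The object names and addresses are constructed; the example goes slightly beyond the entry by also handling IPv6 and network objects with a prefix.

```python
import ipaddress
from typing import List, Tuple, Union

IPObj = Union[ipaddress.IPv4Address, ipaddress.IPv6Address,
              ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed object list (name, address) standing in for a filtered object view.
SAMPLE_OBJECTS: List[Tuple[str, str]] = [
    ("web-02", "10.0.0.10"),
    ("web-10", "10.0.0.100"),
    ("web-01", "10.0.0.9"),
    ("dmz-net", "192.168.100.0/24"),
    ("mgmt-net", "192.168.2.0/24"),
    ("v6-host-b", "2001:db8::10"),
    ("v6-host-a", "2001:db8::2"),
]


def parse_object(value: str) -> IPObj:
    """Host objects are single addresses; network objects carry a prefix length."""
    if "/" in value:
        return ipaddress.ip_network(value, strict=False)
    return ipaddress.ip_address(value)


def numeric_key(value: str) -> Tuple[int, int, int]:
    """Sort IPv4 before IPv6, then by the integer value of the address, then by
    prefix length so a network precedes the hosts it contains."""
    obj = parse_object(value)
    if isinstance(obj, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return (obj.version, int(obj.network_address), obj.prefixlen)
    return (obj.version, int(obj), obj.max_prefixlen)


def sort_as_text(objects: List[Tuple[str, str]]) -> List[str]:
    """The faulty order: addresses compared character by character as strings."""
    return [name for name, _addr in sorted(objects, key=lambda o: o[1])]


def sort_numerically(objects: List[Tuple[str, str]]) -> List[str]:
    """The corrected order: addresses compared by their numeric value."""
    return [name for name, _addr in sorted(objects, key=lambda o: numeric_key(o[1]))]


if __name__ == "__main__":
    print("as text:    ", sort_as_text(SAMPLE_OBJECTS))
    print("numerically:", sort_numerically(SAMPLE_OBJECTS))
```

The text order puts 10.0.0.9 after 10.0.0.100 and 192.168.100.0/24 before 192.168.2.0/24, which is the symptom described above; comparing the parsed address value removes both inversions.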
Captive portal
Support reference 68872
In the Users > Authentication module > Captive portal > Advanced properties tab, even when a network object has been selected for the Port on the captive portal field, this field would show a numerical value and would be wrongly indicated as an anomaly. This issue has been fixed.
Virtual machines
Log partition
Support references 61281 - 69313
On Openstack-based virtualization or hosting platforms (Xen Server, KVM, Cloudwatt, etc.), the virtual firewall's log partition would sometimes not be detected and the Logs - Audit logs menu would then be hidden. This issue has been fixed.
Xen Server - "Live migrate" function
Support reference 60867
The use of the Live migrate function, which allows hot-transferring a virtual firewall from a Xen server to another, would cause a system error and make the firewall restart.