IMPORTANT
SNS 3.x versions have reached End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SNS 3.9.0 bug fixes
Intrusion prevention
High availability
Support reference 70654
In a configuration such as the following:
- the active firewall would receive, on an interface not involved in HA, packets bearing a source address that is an IP address used for the HA link (IP address spoofing attempt),
- such packets were allowed by a rule in Firewall or IDS mode, or the action of the "IP address spoofing (type 2)" alarm was forced to "pass",
the firewall cluster would become unstable.
Additional protection mechanisms have been set up to prevent such situations.
DNS protocol
Support references 71390 - 71391
On firewalls using only IPv4, the DNS protocol analyzer would unnecessarily add IPv6 addresses in the host table. This would eventually flood the table on small firewall models. This issue has been fixed.
OPC UA protocol
Support reference 72255
An anomaly during the analysis of the Industrial protocol OPC UA (value of the SecureChannel field in an OPN packet) would wrongly raise the block alarm "OPCUA invalid protocol". This anomaly has been fixed.
SIP
Support references 71980 - 68971
Some SIP communications would fail after they were put on hold whenever a peer sent INVITE packets containing deprecated "c=IN IP4 0.0.0.0" information which the firewall would reject (block alarm "Invalid SIP protocol (SDP)").
This issue was fixed after a new specific alarm was created ("SIP: Anonymous address in the SDP connection"). Such packets are no longer blocked by default, but the alarm can be configured to block them.
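The behaviour described above, as an added illustration that is not Stormshield's code: a small SDP connection-line check that keeps the existing "Invalid SIP protocol (SDP)" blocking alarm for malformed lines, but reports the deprecated "c=IN IP4 0.0.0.0" hold address under the new alarm, whose action is configurable (pass by default). The SDP sample is constructed, and the handling of the IPv6 unspecified address "::" the same way is an assumption of this example.

```python
import ipaddress
import re

ANONYMOUS_ALARM = "SIP: Anonymous address in the SDP connection"
INVALID_ALARM = "Invalid SIP protocol (SDP)"
# Connection line per RFC 4566: c=<nettype> <addrtype> <connection-address>
CONN_LINE = re.compile(r"^c=(\S+) (\S+) (\S+)$")


def analyze_sdp(sdp_body, anonymous_action="pass"):
    """Return (alarm, action, line) tuples for every c= line that raises an alarm.

    anonymous_action models the configurable action of the new alarm
    ("pass" or "block"); malformed connection lines keep the blocking alarm.
    """
    findings = []
    for line in sdp_body.splitlines():
        if not line.startswith("c="):
            continue
        m = CONN_LINE.match(line)
        if m is None or m.group(1) != "IN" or m.group(2) not in ("IP4", "IP6"):
            findings.append((INVALID_ALARM, "block", line))
            continue
        addrtype, addr = m.group(2), m.group(3)
        host = addr.split("/")[0]  # multicast may carry /ttl[/count]
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # an FQDN is permitted here; nothing to flag
        if (addrtype == "IP4") != (ip.version == 4):
            findings.append((INVALID_ALARM, "block", line))
            continue
        # 0.0.0.0 (and, by assumption, ::) is the deprecated "on hold" marker
        if ip.is_unspecified:
            findings.append((ANONYMOUS_ALARM, anonymous_action, line))
    return findings


def sdp_allowed(sdp_body, anonymous_action="pass"):
    """True when no alarm raised on this body has the "block" action."""
    return all(action != "block" for _, action, _ in analyze_sdp(sdp_body, anonymous_action))


# Constructed sample: an INVITE body that puts the call on hold the old way
HOLD_SDP = ("v=0\r\no=alice 2890844526 2890844527 IN IP4 192.0.2.10\r\ns=-\r\n"
            "c=IN IP4 0.0.0.0\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
```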
TNS protocol - Oracle
Support references 72518 - 71272
Analyses of TNS - Oracle client-server communications that undergo packet fragmentation and address translation (NAT) no longer desynchronize traffic due to packets being rewritten.
DCERPC protocol
Support reference 70716
The risk of memory leak while analyzing the DCERPC protocol has been fixed.
IKE protocol
The SNMP protocol analyzer would wrongly block some valid IKE packets whenever SNMP packets passed through UDP port 500. This issue has been fixed.
System
CLI commands
Support reference 72020
Temporary files created during a PKI update through the CLI command PKI IMPORT were not deleted. This anomaly has been fixed.
IPsec VPN
Support reference 71401
IPsec configurations using the AES256-CBC encryption protocol, and in which traffic endpoints exchanged several separate network streams, would cause traffic to be corrupted during the traffic encryption phase. This issue has been fixed.
IPsec VPN (IKEv1 + IKEv2)
Support reference 72290
On firewalls that host IKEv1 and IKEv2 peers, groups belonging to users who set up mobile IKEv1 tunnels with certificate authentication and XAUTH would not be taken into account. This anomaly has been fixed.
High availability - SNMP
Support reference 71474
For firewalls on which the SNMP agent had never been enabled, the HA configuration synchronizer would wrongly attempt to synchronize this SNMP agent's system ID. This anomaly has been fixed.
High availability - link aggregation
Support references 65863 - 71002
Whenever the weight of a link aggregate was modified in an HA configuration (High availability module > Weight field, or CLI command CONFIG HA WEIGHT UPDATE), the change would not be applied and would generate a system error. This issue has been fixed.
High availability - SN6000 / SN6100
Support reference 72924
On clusters that handle a large number of connections (tens of thousands) involving several thousand protected hosts, the HA switch would cause connections to be lost. This issue has been resolved by using all processors to restore connections, hosts and active users.
Authentication – SSO Agent
Support reference 71101
The use of the SSO agent authentication method would cause some users to be wrongly registered as administrators. This anomaly has been fixed.
Quality of Service
Support reference 71136
If no reference bandwidth had been defined (Security policy > Quality of Service > Maximum bandwidth per interface > Total bandwidth field), a CPU overload would occur on SN160(W), SN210(W) and SN310 firewall models. A value adapted to the firewall model is now defined by default.
Router objects
Support reference 71502
An anomaly in the gateway monitoring mechanism, which occurred whenever a gateway switched from an internal "maybe down" status (pinging failed) to an internal "reachable" status, has been fixed.
FQDN objects
Support reference 69784
The number of IP addresses saved for an FQDN object would be wrongly restricted to 32 entries. This issue has been fixed.
SSL VPN
Support references 66481 - 69424
An anomaly in the counter that counts the number of users connected via SSL VPN would wrongly restrict the number of connections allowed, thereby preventing new valid tunnels from being set up. This anomaly has been fixed.
Filtering and NAT
Support reference 71283
The following error message is now displayed whenever a filter and NAT policy contains an empty port group: "The Group_Name port group used in this rule is empty."
SN2100 and SN3100 - 1 Gigabit/s interfaces
Support reference 71672
The presence of unconnected 1 Gigabit/s network interfaces would cause the excessive consumption of CPU resources on SN2100 and SN3100 firewall models. This issue has been fixed by updating the driver on these interfaces.
IPsec VPN
Support reference 71858
In IPsec configurations where one tunnel endpoint offered Phase 2 AES and AES_GCM_16 encryption algorithms, and the other endpoint offered only AES_GCM_16, tunnels could not be negotiated. This issue has been fixed.
Captive portal - Conditions of use for Internet access
Support reference 69176
The conditions of use for Internet access displayed on the captive portal, specifically for guest authentication methods, could not be accepted on iOS mobile devices. This issue has been fixed.
SNMP
Support reference 72116
Bandwidth information regarding 10 Gigabit/s interfaces was not correctly reflected in the ifSpeed and ifHighSpeed OIDs. This anomaly has been fixed.
Support reference 71972
As the snsUptime object is duplicated in the Stormshield-SYSTEM-MONITOR and Stormshield-HA MIBs, requests to this object would not return any results. This object has since been renamed "snsHA Uptime" in the Stormshield-HA MIB to work around this issue.
Support reference 71886
The ranges of values defined for the snsNodeIndex and snsIfIndex objects in the Stormshield-HA MIB were wrong. These anomalies have been fixed.
Support reference 69010
The wrong syntax in the snsQosEntryIndex object (MIB Stormshield-QOS) would prevent some monitoring tools from querying this MIB correctly. This anomaly has been fixed.
SSL proxy
Support reference 72663
The SSL proxy would wrongly consider some certificates invalid and proceed to block access to the corresponding websites. This issue has been fixed.
GRETAP interfaces
Support reference 69981
In configurations using GRETAP tunnels that meet all of the following conditions:
- one of the tunnel endpoints is an SN310 firewall,
- a VLAN is attached to the GRETAP interfaces that carry the tunnel,
- the GRETAP interface is a member of a bridge,
- the Keep VLAN IDs option has been enabled on all interfaces belonging to this bridge,
outgoing traffic on the physical interface of the SN310 model would be corrupted (zero-checksum packets) and rejected by the remote firewall.
Automatic backups
Support reference 72131
During automatic backups to a customized server, if the server's response contained the HTTP 204 return code (No Content), this response would be misinterpreted as an error and would generate the system event 87 "Backup failed". However, the backup file would be saved on the server. This misinterpretation of the HTTP 204 return code has been fixed.
Virtual machines
After an EVA has been reset to its factory settings (defaultconfig), the initial connection to its web administration interface would result in a failure to load the firewall’s configuration. This issue has been fixed.
IPsec logs (IKEv2 only or IKEv1 + IKEv2)
Support reference 73155
Some IPsec log entries (l_vpn file) would not contain the source (src) and destination (dst) fields. This anomaly has been fixed.
Network
VLAN attached to a GRETAP interface
Support reference 72961
On VLANs attached to a GRETAP interface, their MTUs would be set to an incorrect value every time the firewall was restarted. This issue has been fixed.
Web administration interface
Logs
Support reference 71615
Log lines could no longer be copied to the clipboard whenever they were selected. This anomaly has been fixed.
Logs - Geolocation
Whenever a user hovered over the flag of a source or destination country, the tooltip would display either the name of the country or the country code, depending on the log selected. The tooltip now shows both, in the format Country name (country code). Note that the country code is the criterion used by the filter/search functions.
Notifications
Support reference 59495
The wrong value of the field specifying the interface on which an alarm was raised would be indicated in the HTML report sent by e-mail. This anomaly has been fixed.
Monitoring - SSL VPN tunnels
Support reference 72046
Users would not be able to log off via the right-click menu, and attempting to do so would generate a system error message. This anomaly has been fixed.
Support reference 72048
Searches in the logs of users who have logged on via SSL VPN would not return any results. This issue has been fixed.
System events
Support reference 71337
Whenever a line containing special characters was dragged and dropped to a filter or search zone, these characters would be encoded and distort the filter. This anomaly has been fixed.
Stormshield Network Real-Time Monitor
Support reference 72564
Connecting SN Real-Time Monitor to a firewall that used whitelists/blacklists would cause the monitoring application to immediately shut down. This issue has been fixed.