IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1, 2024.
We recommend that you update your SNS firewalls to a version still under maintenance to guarantee the protection of your infrastructure.
SNS 3.7.0 LTSB bug fixes
Hardware
Support references 70452 - 70242
On standard SN2100 model firewalls (sold by default with a single disk but eligible for the RAID option), and on models without a RAID option, S.M.A.R.T. test results would show an alert message about the absence of the second disk.
If you have not subscribed to the RAID option, it is therefore recommended that you update SN2100 model firewalls to version 3.7.0 so that this message no longer appears.
System
IPsec VPN - IKEv2 - Mobile tunnels
Support reference 69737
Setting up a very large number of mobile IPsec IKEv2 tunnels (about 17000 tunnels) would cause the SAD (Security Association Database) and SPD (Security Policy Database) to desynchronize, blocking traffic between these tunnels as a result. This issue has been fixed.
Stormshield Management Center
Support reference 68469
Whenever SMC servers set up connections to the web administration interface of a firewall for which the firmware does not appear in the SMC database, the firewall would generate a local archive of this administration interface in order to forward it to the server.
On small firewall models (SN150), such archives could saturate storage space. These archives are now created in memory before being forwarded to the server.
High availability
Support references 69112 - 69141
During the migration of a firewall cluster from an SNS 2.x version to SNS 3.5.1 or higher, the firewall that switched to passive after being updated would not switch back to active while the other member of the cluster was being updated. This issue has been fixed.
Router objects
Support references 68887 - 69418
Pings from gateways defined in a router object would mistakenly generate an entry in audit logs whenever such gateways switched from an internal "maybe not reachable" status (pinging failed) to an internal "reachable" status. This anomaly has been fixed.
Network
Management of ARP entries
Support references 69450 - 69312
The ARP entry creation service (e.g., creation of a NAT rule with ARP publication) would shut down as soon as a failure occurred while creating an entry. This anomaly has been fixed.
Intrusion prevention
TLS protocol
Support reference 68896
The absence of certain cipher suites during TLS 1.3 negotiation would raise "Unauthorized cipher level" alarms. This anomaly has been fixed.
ARP protocol
Support reference 69239
After moving a host, without modifying its IP address, from one interface to another within the same bridge, packets going to this host would always be sent to the previous connection interface (the ARP table would not be updated). This anomaly has been fixed.
TCP protocol - Multipath
Support reference 69908
When TCP packets are received with the multipath option size set to zero:
- in a rule in firewall mode,
- in a rule in IDS or IPS mode with the action of the "Multipath TCP" alarm forced to Allow,
the firewall would freeze. This issue has been fixed.
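The freeze described above is the classic failure mode of a TCP option parser that advances by the option's own length field: a length of zero never moves the cursor, so the loop spins forever. The following C option walker is an added example written for this page, not Stormshield code; it shows the bounds check that rejects such a packet instead of looping. The option byte sequences it parses are constructed samples, not captured traffic, and the kind value 30 for Multipath TCP is the IANA-assigned one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP option kinds used here (RFC 793 single-byte options, RFC 8684 MPTCP). */
#define TCPOPT_EOL   0
#define TCPOPT_NOP   1
#define TCPOPT_MPTCP 30   /* Multipath TCP, IANA-assigned kind 30 */

enum opt_result { OPT_OK = 0, OPT_MALFORMED = 1 };

/* Walk the TCP options area [opts, opts+len).
 * Returns OPT_OK when every option is well-formed, OPT_MALFORMED when a
 * length field is 0 or 1 (which could never cover its own kind+length
 * bytes and would never advance the cursor) or when an option overruns
 * the options area. *saw_mptcp is set when a well-formed MPTCP option
 * is present. */
enum opt_result parse_tcp_options(const uint8_t *opts, size_t len, bool *saw_mptcp)
{
    size_t off = 0;
    if (saw_mptcp) *saw_mptcp = false;
    while (off < len) {
        uint8_t kind = opts[off];
        if (kind == TCPOPT_EOL) return OPT_OK;        /* end of option list */
        if (kind == TCPOPT_NOP) { off++; continue; }  /* single-byte padding */
        if (off + 1 >= len) return OPT_MALFORMED;     /* no room for length byte */
        uint8_t optlen = opts[off + 1];
        /* The guard that prevents the spin: a naive "off += optlen" with
         * optlen == 0 re-reads the same option forever. */
        if (optlen < 2 || off + optlen > len) return OPT_MALFORMED;
        if (kind == TCPOPT_MPTCP && saw_mptcp) *saw_mptcp = true;
        off += optlen;
    }
    return OPT_OK;
}

/* Constructed sample option areas (not captured traffic). */
static const uint8_t GOOD_OPTS[] = {
    2, 4, 0x05, 0xb4,        /* MSS 1460 */
    1,                       /* NOP */
    30, 4, 0x00, 0x00        /* MPTCP option, length 4 */
};
static const uint8_t ZERO_LEN_OPTS[] = { 1, 30, 0, 0x00 };  /* MPTCP with length 0 */
static const uint8_t TRUNCATED_OPTS[] = { 30, 8, 0x00, 0x00 }; /* claims 8 bytes, only 4 present */

/* Each check returns 1 when the parser behaves as intended on its sample. */
int check_good(void)
{
    bool m;
    return parse_tcp_options(GOOD_OPTS, sizeof GOOD_OPTS, &m) == OPT_OK && m;
}
int check_zero_length(void)
{
    bool m;
    return parse_tcp_options(ZERO_LEN_OPTS, sizeof ZERO_LEN_OPTS, &m) == OPT_MALFORMED;
}
int check_truncated(void)
{
    bool m;
    return parse_tcp_options(TRUNCATED_OPTS, sizeof TRUNCATED_OPTS, &m) == OPT_MALFORMED;
}

int main(void)
{
    printf("well-formed options accepted: %d\n", check_good());
    printf("zero-length option rejected:  %d\n", check_zero_length());
    printf("truncated option rejected:    %d\n", check_truncated());
    return 0;
}
```

The same guard (`optlen < 2` plus the overrun check) is what any packet inspection path needs before it trusts an option length, whether the packet matches a firewall-mode rule or an IDS/IPS rule that allows the option through.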
Web administration interface
Inactive rules
Support reference 70084
Whenever a filter or NAT rule was set to inactive (Status off), field values corresponding to this line (Source, Destination, etc.) would no longer be grayed out. This anomaly has been fixed.