SNS 3.7.12 LTSB bug fixes

System

IPsec VPN (IKEv1 + IKEv2)

Support reference 74425

A parameter would occasionally prevent ResponderOnly mode from running properly whenever Dead Peer Detection (DPD) was enabled. This anomaly has been fixed.

IPsec VPN (IKEv1)

Support reference 75824

Whenever a remote peer switched to its backup peer (designated as the “Backup configuration”), the IKE daemon would sometimes restart unexpectedly and shut down open IPsec tunnels. This anomaly has been fixed.

GRETAP and IPsec

Support reference 76066

The system command ennetwork -f no longer makes the firewall reboot in a loop in configurations containing GRETAP interfaces that communicate through IPsec tunnels.

SSL VPN

A new certificate for signing compiled Java JAR files has been installed. It replaces the previous certificate, which was due to expire soon (05/24/2020).

SNMP

Support reference 71584

The use of the value snmpEngineBoots has changed in order to comply with RFC 3414.

Proxy

Support references 70721 - 74009 - 74552 - 76041 - 76767

Memory consumption is now optimized when the proxy is used.

Proxy - URL filtering

Support reference 73516

The connection between the HTTP/HTTPS proxy and the URL filtering engine of the Extended Web Control solution would occasionally be lost; as a result, the "URL filtering is pending" page was displayed to clients whose connections went through the proxy. This anomaly has been fixed.

Captive portal - Sponsorship

Support reference 67894

Whenever the sponsorship authentication method was configured to display a disclaimer page, the page was not displayed during the sponsorship request, so the requester never saw it. This anomaly has been fixed: the disclaimer page is now displayed as soon as a sponsorship request is submitted.

Behavior when the log management service is saturated

Support references 73078 - 76030

When the log management service on the firewall is saturated, it is now possible to define how the firewall handles packets that generate alarms, as well as packets matched by filter rules configured to log events:

  • Block such packets, since the firewall is no longer able to log the corresponding events,
  • Do not block such packets and apply the security policy as configured, even though the firewall is unable to log the events.

The behavior of the intrusion prevention system can be configured in the firewall's administration interface via Configuration > Application protection > Inspection profiles.

A percentage threshold above which the firewall considers its log management service to be saturated can also be set. Once this percentage is reached, the firewall applies the configured action to packets that would need to be logged.

The threshold can be changed only with the following CLI / Serverd commands:

CONFIG SECURITYINSPECTION COMMON LOGALARM BlockOverflow=<0|1> BlockDrop=<0-100>

CONFIG SECURITYINSPECTION COMMON LOGFILTER BlockOverflow=<0|1> BlockDrop=<0-100>

For more information on the syntax of these commands, refer to the CLI SERVERD Commands Reference Guide.

Daemon shutdown time

Support reference 74990

In some rare cases, a daemon would shut down after a certain duration and prevent the firewall from completing its update. This duration has been shortened to allow the firewall update to run properly.

Network

VLAN attached to a GRETAP interface

Support references 72961 - 76122

The MTU of VLANs attached to a GRETAP interface would be set to an incorrect value every time the firewall was restarted. This anomaly has been fixed.

Hardware

Firewalls with IXL cards

Support reference 74175

On firewalls equipped with IXL cards, i.e.:

  • Fiber 4x10Gbps and 2x40Gbps network extension modules for SN2100, SN3100 and SN6100 models,
  • 4x10G BASE-T modules for SN710, SN910, SN2000, SN2100, SN3000, SN3100 and SN6100 models,
  • Fiber 10Gbps onboard ports on SN6100 models,

IXL interfaces did not correctly detect the link state. This problem has been resolved by an update to the IXL driver.

Web administration interface

Automatic backups - Cloud Backup

Support reference 73218

Configuration backups could no longer be restored from Cloud Backup since version 3.5.0. This anomaly has been fixed.

Intrusion prevention

DNS protocol

Support references 72754 - 74272

The DNS protocol analysis has been modified to reduce the number of false positives from the "DNS id spoofing" alarm (alarm dns:38).