IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you update your SNS firewalls to a version that is still under maintenance to guarantee the protection of your infrastructure.
SNS 3.7.15 LTSB bug fixes
IMPORTANT
In some situations, memory leaks may affect the proxy, causing the service to restart unexpectedly. Contact Stormshield support if you think that this issue might affect you.
System
Proxies
Support reference 78432
Issues with memory leaks in proxies, which would sometimes restart the service unexpectedly, have been fixed.
SSL VPN
Support reference 76762
The Available networks or hosts field was wrongly used to calculate the possible number of SSL VPN clients, which skewed the result. This issue has been fixed.
Support references 73353 - 77976
The SSL VPN client now applies the interval before key renegotiation that is set by default on the SSL VPN server, i.e. 14400 seconds (4 hours). Users who do not use the Stormshield Network SSL VPN client must retrieve a new configuration file from the firewall's authentication portal so that their client applies this interval.
SSL VPN in portal mode
Support reference 68759
SSL VPN in portal mode now uses a component that is compatible with:
- Java 8 JRE, or
- OpenWebStart.
This makes it possible to work around the suspension of public versions of Java JRE 8, which is scheduled for the near future.
IPsec VPN IKEv2 or IKEv1 + IKEv2
Support reference 77722
The presence of the same trusted certification authority with a CRL in both the local IPsec policy and global IPsec policy no longer causes a failure when the IPsec configuration is enabled on the firewall.
Monitoring gateways
Support references 71502 - 74524
During the startup sequence of the gateway monitoring mechanism, if a gateway used in filter rules switched from the internal "maybe down" status (ping failed) to the internal "reachable" status, the filter engine would still consider that gateway disabled. This anomaly has been fixed.
When the status of a gateway changes, it will now be logged as an event.
Support reference 76802
In some configurations, the process that relied on the gateway monitoring engine would consume an excessive amount of the firewall's CPU resources. This anomaly has been fixed.
High availability (HA)
Support references 78758 - 75581
Memory leak issues, especially in the mechanism that manages HA status and role swapping in a cluster, have been fixed.
High availability (HA) - link aggregation
In high availability configurations, the mechanism that switches a node from active to passive has been enhanced so that it no longer renegotiates aggregate links (LACP) when both of the following conditions are met:
- the option Reboot all interfaces during switchover (except HA interfaces) is enabled (Configuration > System > High availability module, under Advanced properties, Swap configuration), and
- the LacpWhenPassive parameter is enabled with a value of "1" (file /usr/Firewall/ConfigFiles/HA/highavailability: Global LACPWhenPassive <0|1>).
Support reference 76748
In high availability configurations, an active node switching to passive mode no longer wrongly disables VLAN interfaces that belong to a link aggregate (LACP).
High availability (HA) - IPsec VPN IKEv2 or IKEv1 + IKEv2
Support references 68832 - 71456
During the reconstruction of a cluster after the physical replacement of the passive firewall, and whenever the quality of the active firewall was lower than the quality of the new passive firewall, established IPsec tunnels would be renegotiated. This anomaly has been fixed.
Automatic backups
Support reference 75051
The mechanism that checks the certificates of automatic backup servers has been updated following the expiry of the previous certificate.
Support reference 75301
Firewalls with damaged SD cards (and therefore damaged log storage partitions) would restart in a loop. This anomaly has been fixed.
SMTP proxy
Support reference 77207
In configurations that use the SMTP proxy in an SMTP filter rule:
- in "Firewall" security inspection mode, or
- in "IDS" or "IPS" security inspection mode but without SMTP protocol analysis (Application protection > Protocols > SMTP module > IPS tab: Automatically detect and inspect the protocol checkbox unselected),
the SMTP proxy would occasionally freeze when the SMTP server shut down a connection after sending an SMTP/421 server message. This anomaly has been fixed.
Directory configuration
Support reference 76576
The default port used to access the backup LDAP server is now the same as the port that the main LDAP server uses.
Network
Interfaces
Support references 73236 - 73504
On SN2100, SN3100, SN6100 and SNi40 firewall models, packets would occasionally be lost when a cable was connected to:
- one of the management ports (MGMT) on SN2100, SN3100 or SN6100 models, or
- one of the interfaces of an SNi40 firewall.
This anomaly was fixed by updating the driver of these interfaces.
Intrusion prevention
DNS protocol
Support reference 71552
Requests to update DNS records are now better managed in compliance with RFC 2136 and no longer trigger the block alarm "Bad DNS protocol" (alarm dns:88).
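The RFC 2136 point above, illustrated with an added example that is not Stormshield's code: a DNS UPDATE request (opcode 5) reuses the four header count fields as ZOCOUNT/PRCOUNT/UPCOUNT/ADCOUNT, so an inspection engine that reads every request as a standard query (one question, no answer records) will flag legitimate dynamic updates as protocol violations. The block below constructs a minimal UPDATE message and compares a naive checker against an opcode-aware one. The message layout follows RFC 1035/2136; the zone name, host, address and both checker functions are this example's own assumptions, not the firewall's actual alarm logic.

```python
import struct

# DNS opcodes and RR constants (RFC 1035, RFC 2136). The checks below are an
# illustrative model of opcode-aware inspection, not Stormshield's engine.
OPCODE_QUERY = 0
OPCODE_UPDATE = 5
TYPE_A = 1
TYPE_SOA = 6
CLASS_IN = 1
CLASS_NONE = 254   # RFC 2136 prerequisite class: "RRset does not exist"


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name that starts at `off`."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + ln


def build_query(name, msg_id=0x0001):
    """Constructed standard query (opcode 0, RD set) for an A record."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_update(zone, host, addr, msg_id=0x1234):
    """Constructed RFC 2136 UPDATE request: ZOCOUNT=1, PRCOUNT=1, UPCOUNT=1.
    Prerequisite: `host` has no A RRset. Update: add an A record for `host`."""
    flags = OPCODE_UPDATE << 11                      # QR=0, opcode=5
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 1, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    prereq = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_NONE, 0, 0)
    rdata = bytes(int(o) for o in addr.split("."))
    update = (encode_name(host)
              + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, len(rdata)) + rdata)
    return header + zone_sec + prereq + update


def parse_header(msg):
    """Decode the 12-byte header; count fields are returned positionally."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, c1, c2, c3, c4 = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "counts": (c1, c2, c3, c4)}


def naive_check(msg):
    """Reads every message as a standard query: a request (QR=0) carrying
    'answer' records is flagged. In an UPDATE that slot is PRCOUNT, so a
    legitimate update with a prerequisite is wrongly rejected."""
    h = parse_header(msg)
    _, ancount, _, _ = h["counts"]
    return "bad" if h["qr"] == 0 and ancount else "ok"


def opcode_aware_check(msg):
    """Interprets the four count fields according to the opcode."""
    h = parse_header(msg)
    c1, c2, c3, c4 = h["counts"]
    if h["opcode"] == OPCODE_QUERY:
        # A query request has exactly one question and no answer/authority RRs
        if h["qr"] == 0 and not (c1 == 1 and c2 == 0 and c3 == 0):
            return "bad"
        return "ok"
    if h["opcode"] == OPCODE_UPDATE:
        if h["qr"] == 1:
            return "ok"                              # responses carry the RCODE only
        # RFC 2136: exactly one zone entry, and its type must be SOA
        if c1 != 1:
            return "bad"
        off = skip_name(msg, 12)
        if off + 4 > len(msg):
            return "bad"
        ztype, _zclass = struct.unpack("!HH", msg[off:off + 4])
        return "ok" if ztype == TYPE_SOA else "bad"
    return "bad"                                     # other opcodes out of scope here


if __name__ == "__main__":
    upd = build_update("example.test.", "host.example.test.", "192.0.2.10")
    print("naive:", naive_check(upd), "opcode-aware:", opcode_aware_check(upd))
```

Run stand-alone, the naive checker reports the constructed update as "bad" while the opcode-aware one accepts it; both accept a plain A query. The detection lesson is the same as the fix above: section semantics depend on the opcode, and a checker that ignores it produces false positives on valid RFC 2136 traffic.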
RTSP protocol
Support reference 73084
When an RTSP request that uses an RTP/AVP/UDP transport mode passes through the firewall, the RTSP analysis engine no longer deletes the Transport field and broadcast channels are set up correctly.
User names
Support reference 74102
User names are no longer case-sensitive when they are saved in the tables of the intrusion prevention engine. This ensures that filter rules based on authenticated user names match correctly.
sfctl command
Support reference 78769
Using the sfctl command with a filter on a MAC address no longer restarts the firewall unexpectedly.
OPC UA protocol
Support reference 72255
An anomaly during the analysis of the industrial OPC UA protocol (value of the SecureChannel field in an OPN packet) would wrongly raise the block alarm "OPCUA invalid protocol". This anomaly has been fixed.