IMPORTANT
SNS 3.x versions have been in End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SNS 3.7.2 LTSB bug fixes
Network
Interfaces
Support reference 69982
The advanced configuration option Keep VLAN IDs (for interfaces included in a bridge), which instructs the firewall to accept tagged packets on this interface even when the VLANs concerned have not been explicitly declared, no longer functioned on SN 510, 710, 910, 2000, 2100, 3000, 3100, 6000, 6100 and SNi40 models. This issue has been fixed.
System
High availability - Incident icon
Support references 70506 - 70880 - 70707
As the high availability (HA) monitoring mechanism takes into account the status of links to router objects, unreachable router objects would wrongly cause the display of an icon indicating an incident on HA links in the firewall cluster. This anomaly has been fixed.
IPsec VPN
Support reference 70910
In configurations that use virtual IPsec interfaces, an issue with concurrent access to certain Security Policy parameters would disrupt traffic inside established IPsec tunnels. This issue has been fixed.
Proxies
Support reference 69318
An incident of memory corruption during the use of the SSL proxy would disrupt web access. This issue has been fixed.
Support references 66101 - 64504 - 69005 - 69328
An issue regarding concurrent access to certain resources used by the OpenSSL module would cause the proxy to freeze. This issue has been fixed.
Filter - NAT
Support references 69146 - 69011
Adding or deleting an inactive filter rule or a rule containing an empty group in front of a rule that uses the proxy (URL filtering, antivirus, sandboxing, etc.) would skew filter rule IDs. This skew would in turn cause web access to malfunction. This issue has been fixed.
LDAP directories
Support reference 69872
During the configuration of a Microsoft Active Directory with secure SSL access, an error message "No LDAP configuration" would appear by mistake. Confirming this message and refreshing the screen would remove the directory concerned from the list of directories. This anomaly has been fixed.
Local storage
Support references 68506 - 71005
Firewalls with damaged SD cards (and therefore damaged log storage partitions) would restart in a loop. This issue has been fixed.
Firewall administration
Support reference 71741
In cases where the administrator password of a firewall was forgotten, if both passwords entered during the password retrieval procedure did not match, the configuration of the firewall would be erased. This issue has been fixed.
Alarms on SN3000 firewalls
Support references 71022 - 71051
On SN3000 firewalls, an alarm indicating a power supply failure would appear on the dashboard even though the firewall was running properly. This anomaly has been fixed.
IPsec VPN (IKEv1 + IKEv2 or IKEv2 only)
Support reference 70250
An anomaly in the management of Security Associations (SA) during the loss of packets within a tunnel would wrongly generate many child SAs and increase the load on the engine that manages IPsec IKEv2 / IKEv1+IKEv2 tunnels. This anomaly has been fixed.
Intrusion prevention
LDAP protocol
Support references 71152 - 69806
The analysis of the LDAP protocol would wrongly raise the alarm ldap_tcp:427 (Bad LDAP protocol) and block connections to the target LDAP directory. This anomaly has been fixed.
Support reference 71192
An issue during the analysis of LDAP packets that authenticate via SASL (Simple Authentication and Security Layer) would cause the firewall to freeze. This issue has been fixed.
Stormshield Management Center
Communication between SNS and SMC
Ever since version 3.6.1 of SNS, the firewall would no longer take into account the network interface specified for connections to the SMC server (BindAddr parameter). This issue has been fixed.
Updating SNS firewalls from SMC
Ever since version 3.6 of SNS, firewall updates from SMC would not function, regardless of whether they had been run via an SNS CLI command or by accessing the firewall directly from SMC. The update file would not be downloaded on the firewall. This issue has been fixed.