IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you update your SNS firewalls to a version that is still under maintenance to guarantee the protection of your infrastructure.
SNS 3.7.20 LTSB bug fixes
System
Proxies
Support reference 75970
When the proxy must send a block page in reply to an HTTP HEAD request, the absence of a Content-Length header in that reply no longer wrongly raises the alarm "Additional data at end of a reply" (alarm http:150).
Support reference 81624
In configurations that use multi-user authentication, the application of "img-src https://*" CSP (content-security-policy) directives would sometimes cause the proxy service to unexpectedly restart. This issue has been fixed.
IPsec VPN
Support references 79713 - 81464
Packets would sometimes be lost when the keys of IPsec tunnels were renewed (rekeying). This issue has been fixed.
IPsec VPN IKEv2 or IKEv1 + IKEv2
Support reference 77097
The management of the authentication process during IPsec VPN tunnel setup was enhanced for configurations in which several LDAP directories are declared and one or more of them take longer than usual to respond.
With these enhancements, attempts to set up other tunnels are no longer blocked while the firewall waits for the slow directory to respond.
SSL proxy
Support reference 77207
The SSL proxy would sometimes restart when all of the following conditions occurred:
- An SSL filter policy applied a “Pass without decrypting” action when a CN could not be categorized,
- A connection matched this rule (“Pass without decrypting”) because the classification of the CN failed,
- A simultaneous connection to the same website was classified with the action “Block without decrypting”.
This issue has been fixed.
Radius authentication
Support reference 76824
In a configuration that uses Radius server authentication with a pre-shared key, selecting another host object in the Server field and saving that change alone no longer causes the initial pre-shared key to be deleted.
Local storage
Support reference 75301
Firewalls with damaged SD cards (and therefore damaged log storage partitions) would restart in a loop. Contrary to what was announced in the 3.7.15 LTSB release notes, this anomaly is fixed in version 3.7.20 LTSB.
IP address reputation and geolocation service
Support reference 77980
An anomaly relating to the IP address reputation and geolocation service would sometimes result in memory corruption, which would cause the firewall to unexpectedly restart. This issue has been fixed.
Intrusion prevention
Connection counter
Support reference 74110
The mechanism that counts simultaneous connections has been optimized to no longer raise the alarm “Maximal number of connexions per host reached” (alarm tcpudp:364).
SMB - CIFS protocol
Support references 77484 - 77166
Anomalies in the SMB - CIFS protocol analysis would wrongly raise the "Invalid NBSS/SMB protocol" blocking alarm (alarm nb-cifs:158) during legitimate access to shared Microsoft Windows disk resources. This issue has been fixed.
Web administration interface
LDAP directories
Support reference 69589
Users can now correctly access an external LDAP directory hosted on another Stormshield firewall over a secure connection (SSL) when the option "Check the certificate against a Certification authority" is selected.
Modbus protocol
Support reference 71166
The firewall would not take into account the information entered in the "Allowed UNIT IDs" table (Application protection > Protocols > Industrial protocols > Modbus > General settings), and this information would also no longer be shown in the table after quitting the module. This issue has been fixed.
Network
Multicast routing - Address translation
Support reference 80359
Multicast network traffic packets are no longer duplicated when multicast routing is applied to traffic that has already been processed by a destination NAT rule.