IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SNS 3.7.24 LTSB bug fixes
System
IPsec VPN
Support reference 81691
Due to an anomaly in the sequencing of processes/threads when priority is dynamically changed, packets would sometimes get lost on firewalls handling heavy traffic. This anomaly has been fixed.
Optimizing performance
Support reference 82430
To optimize the firewall's performance in some specific contexts, an option has been added so that the synchronization of ASQ events relating to high availability can be disabled.
Support reference 81691
To optimize the firewall's performance, CPU is now better distributed between encryption and decryption tasks.
IPsec VPN IKEv2
Support reference 79713
The reauthentication of an IPsec IKEv2 tunnel in phase 1 would sometimes end too quickly, causing legitimate packets to be wrongly rejected. To prevent this situation, a new setting can be used to delete the older IKE SA later.
Optimizing the initialization of addresses reserved for NAT
Support reference 81691
When two interfaces, which are not included in a bridge, have the same address, the firewall may shut down unexpectedly. To prevent this from occurring, an option has been added to disable, when necessary, the function that optimizes the initialization of addresses reserved for NAT.
Filtering and NAT
Support reference 81369
When a NAT policy containing many rules is reloaded, network packets may get lost. An optimization mechanism that prevents such packet loss can be enabled using the CLI/Serverd command CONFIG PROTOCOL IP COMMON IPS CONFIG, by adding the natdiff parameter to the existing parameters in the OptimizeRuleMatch option.
Use the following parameters in a default configuration: OptimizeRuleMatch=equal,diff,cache,natdiff.
Any changes must then be confirmed with the command CONFIG PROTOCOL IP ACTIVATE.
Note that this mechanism is disabled by default.
Support reference 78647
Exporting NAT/filter rules in CSV format would wrongly generate the "Any" value for the "#nat_to_target" field in the export file, in cases where filter rules were not associated with any NAT rules. This anomaly would then prevent such CSV files from being imported into SMC if the filter rules concerned had a "Block" rule.
Creating interfaces
Support reference 75064
Configurations containing several hundred interfaces (e.g., virtual interfaces, VLAN interfaces, etc.) would cause excessive CPU consumption after the network interface configuration file was repeatedly reloaded.
Intrusion prevention
SSL proxy
Support reference 80792
Since Zoom application traffic is incompatible with the antivirus analysis, its CNs have been added to the CN group proxyssl_bypass.