IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you update your SNS firewalls to a version still under maintenance to guarantee the protection of your infrastructure.
SNS 3.7.6 LTSB bug fixes
System
High availability - Firewalls with IXL cards
For firewalls equipped with IXL cards:
- Fiber 4x10Gbps and 2x40Gbps network extension modules for SN2100, SN3100 and SN6100 models,
- 4x10G BASE-T modules for SN710, SN910, SN2000, SN2100, SN3000, SN3100 and SN6100 models,
- Fiber 10Gbps onboard ports on SN6100 models.
Whenever the active node is lost in a firewall cluster that uses an IXL card, the other node will now take over immediately. Furthermore, after the switch, traffic will no longer be redirected regularly to the passive firewall.
Firewalls with IXL cards
Support reference 71576
Issues with traffic control that would stop traffic on firewalls with an IXL card have been fixed.
Support reference 73005
An issue with latency, which would affect firewalls connected using an IXL card on third-party equipment, has been fixed.
IPsec VPN (IKEv1 + IKEv2)
Support reference 73584
In configurations that use both IKEv1 and IKEv2 peers, user privilege verifications for IPsec tunnel setup are no longer ignored when the UID (LDAP) and CertNID fields used for authentication are applied.
Support reference 72290
On firewalls that host IKEv1 and IKEv2 peers, groups belonging to users who set up mobile IKEv1 tunnels with certificate authentication and XAUTH are now taken into account.
CLI commands
Support reference 72020
Temporary files created during a PKI update through the CLI command PKI IMPORT are now correctly deleted.
PKI
The validity of the built-in certificate authority on firewalls has been extended to January 1, 2038.
IPsec VPN
Support reference 71858
In IPsec configurations where one tunnel endpoint offered Phase 2 AES and AES_GCM_16 encryption algorithms, and the other endpoint offered only AES_GCM_16, tunnels could not be negotiated. This issue has been fixed.
Router objects
Support reference 71502
An anomaly in the gateway monitoring mechanism, which occurred whenever a gateway switched from an internal "maybe down" status (pinging failed) to an internal "reachable" status, has been fixed.
SNMP
Support reference 72116
Bandwidth information regarding 10 Gigabit/s interfaces was not correctly reflected in the ifSpeed and ifHighSpeed OIDs. This anomaly has been fixed.
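A post-update check for the anomaly above, added here as an example and not Stormshield code: it parses constructed snmpwalk-style output for the IF-MIB ifSpeed and ifHighSpeed columns and flags interfaces whose two values disagree with RFC 2863, where ifSpeed saturates at 4294967295 for links faster than about 4.29 Gbit/s and ifHighSpeed carries the speed in Mbit/s.

```python
"""Consistency check between IF-MIB ifSpeed and ifHighSpeed (added example)."""
import re

IFSPEED_MAX = 4_294_967_295          # 32-bit gauge ceiling defined by RFC 2863

# Constructed sample walk (not captured from a real firewall): ifIndex 1 is a
# consistent 1G port, ifIndex 2 a correctly reported 10G port, and ifIndex 3 a
# 10G port whose ifSpeed and ifHighSpeed disagree, the pre-fix symptom.
SAMPLE_WALK = """\
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.2 = Gauge32: 4294967295
IF-MIB::ifSpeed.3 = Gauge32: 1000000000
IF-MIB::ifHighSpeed.1 = Gauge32: 1000
IF-MIB::ifHighSpeed.2 = Gauge32: 10000
IF-MIB::ifHighSpeed.3 = Gauge32: 10000
"""

LINE_RE = re.compile(r"^IF-MIB::(ifSpeed|ifHighSpeed)\.(\d+) = Gauge32: (\d+)$")


def parse_walk(text):
    """Return {ifIndex: {"ifSpeed": int, "ifHighSpeed": int}} from walk output."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            column, index, value = m.groups()
            table.setdefault(int(index), {})[column] = int(value)
    return table


def expected_ifspeed(high_speed_mbps):
    """ifSpeed value that RFC 2863 requires for a given ifHighSpeed (Mbit/s)."""
    return min(high_speed_mbps * 1_000_000, IFSPEED_MAX)


def inconsistent_interfaces(text):
    """ifIndexes whose ifSpeed does not match what ifHighSpeed implies."""
    bad = []
    for index, columns in sorted(parse_walk(text).items()):
        if "ifSpeed" not in columns or "ifHighSpeed" not in columns:
            continue  # one column missing: nothing to compare
        if columns["ifSpeed"] != expected_ifspeed(columns["ifHighSpeed"]):
            bad.append(index)
    return bad


if __name__ == "__main__":
    for index in inconsistent_interfaces(SAMPLE_WALK):
        print(f"ifIndex {index}: ifSpeed and ifHighSpeed disagree")
```

Feed it the output of `snmpwalk -v2c -c <community> <firewall> IF-MIB::ifSpeed IF-MIB::ifHighSpeed` (both columns together) to check live values after the update.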
GRETAP interfaces
Support reference 69981
In configurations using GRETAP tunnels that meet all of the following conditions:
- One of the tunnel endpoints is an SN310 firewall,
- A VLAN is attached to the GRETAP interfaces that carry the tunnel,
- The GRETAP interface is a member of a bridge,
- The Keep VLAN IDs option has been enabled on all interfaces belonging to this bridge,
outgoing traffic on the physical interface of the SN310 model would be corrupted (zero-checksum packets) and rejected by the remote firewall. This issue has been fixed.
SSL VPN
Support reference 66481
An anomaly in the counter of users connected via SSL VPN would wrongly restrict the number of connections allowed, thereby preventing new valid tunnels from being set up. This anomaly has been fixed.
HA monitoring
Support reference 73615
A potential memory leak issue in the HA monitoring module has been fixed.
Network
Firewalls with IXL cards
Support reference 72957
To prevent some negotiation issues relating to the automatic detection of media speed, the media speed values available for IXL network cards can now be selected in the Network > Interfaces module.
Wi-Fi
Support reference 71139
WiFi firewall models no longer randomly freeze whenever the WiFi network is enabled.
Large-scale sending of requests to external IP addresses
Support reference 72329
Infected hosts behind protected interfaces will no longer cause a drastic drop in performance or the sudden shutdown of the firewall whenever they launch SYN flooding attacks to a large number of external IP addresses.
Initial configuration via USB key
Support reference 73982
Firmware updates via USB key did not function on firewalls whose initial firmware version differed from the x.y.z format (e.g., 3.7.5-). This issue has been fixed.
Intrusion prevention
Support reference 73591
Enabling verbose mode on the intrusion prevention engine that analyzes some protocols (DCE RPC, Oracle, etc.) no longer causes the firewall to suddenly reboot.
DNS protocol
Support reference 71391
On firewalls using only IPv4, the DNS protocol analyzer would unnecessarily add IPv6 addresses in the host table. This would eventually flood the table on small firewall models. This issue has been fixed.