Version 3.1.0 bug fixes
Support reference 52192
Attempts to log on to the web administration interface via Google Chrome and SSL (certificate) or SPNEGO would not only fail but raise a brute force attack alarm as well. This issue has been fixed.
Support reference 56711
During the configuration of the Sponsorship method, the "Expiry of the HTTP cookie" field would not be automatically set to Do not use, thereby causing this authentication method to malfunction. This anomaly has been fixed.
Support reference 56595
Attempts to create new objects through the authentication policy wizard would fail and display a "?" instead of the object name. This issue has been fixed.
Support reference 59731
An encoding anomaly in sponsorship e-mails invalidated the validation link included in such e-mails. This anomaly has been fixed.
Support reference 58476 - 58944
Router objects and time objects were not retained during partial restorations of a configuration. This anomaly has been fixed.
Support reference 56113
Global objects embedded in a router object were not taken into account. This anomaly has been fixed.
Support reference 53218
Whenever an active and operational dialup (PPPoE, PPTP, PPP or L2TP modem) was embedded in a router object, the router object would not retrieve its state and would therefore consider it unreachable. This issue has been fixed.
Certificates and PKI
Support reference 59083
During the renewal of certificates via SCEP (Simple Certificate Enrollment Protocol) using the SCEP RENEW command, whenever the Distinguished Names (DN) of such certificates contained more than one attribute of the same type (e.g. OU, CN, O, etc.), only the first occurrence of the attribute would be kept after the operation. This anomaly has been fixed.
SSL VPN Portal
Support reference 51618
Connections to application servers through the SSL VPN portal application no longer functioned in version 3. This issue has been fixed.
Support reference 58856
The maximum number of SSL VPN tunnels physically allowed on Netasq U Series S model firewalls was lower than the expected number of tunnels. This anomaly has been fixed.
Support reference 52972 - 53289
An issue that could prevent new SSL VPN tunnels from being set up (connection blocked at the "GET CONF" stage) has been fixed.
Support reference 52034
Whenever a filter rule used the explicit proxy, the authentication rules contained in the filter policy would not take into account this proxy's different listening port (TCP/8080 by default). This anomaly has been fixed.
Support reference 55700
An anomaly regarding the maximum length of a user name and domain that make up an email address has been fixed.
Support reference 54003
The HTTP proxy would mistakenly consider some downloads as partial downloads. This anomaly has been fixed.
Support reference 56464
An anomaly in the parsing of the information following the domain name specified in the EHLO command would wrongly cause the corresponding SMTP traffic to be blocked.
Support reference 52848
After sandboxing an email, the name of the attachment referenced in the logs would be wrong. This issue has been fixed.
Support reference 49996
An anomaly in the handling of Internet Content Adaptation Protocol (ICAP) responses in Request Modification (reqmod) mode would cause either excessive memory consumption or the HTTP proxy to hang.
Support reference 57326
Whenever an e-mail contained a malformed end-of-line sequence in its data, the connection would be reset only between the client and the firewall, while the server would have to wait until the connection timed out. This anomaly has been fixed.
Support reference 58824
Whenever a client sent a RESET command to the mail server, the connection would be reset only between the client and the firewall, while the server would have to wait until the connection timed out. This anomaly has been fixed.
Support reference 56475
Whenever an e-mail contained a sender or recipient address exceeding the size defined by the RFCs (local part or domain name), the proxy would fail to shut down the connection after sending the error message ("553 Localpart too long" or "553 Domain name too long"). This issue has been fixed.
Support reference 59420
The proxy would occasionally refuse to run on a firewall using a filter rule with at least one of its log destination checkboxes unselected (Advanced properties tab in the Action module in the filter rule editing window). This issue has been fixed.
Resetting to factory configuration
Support reference 58567
The help provided with the reset script (defaultconfig) would offer the wrong explanation for the option "-D" (Only Restore the data partition on G2 hardware). This anomaly has been fixed (Only Restore the data partition).
Proxies - SN910 model firewalls
Support reference 56394
Limits on the number of connections allowed for proxies (HTTP, SSL, SMTP, POP3 and FTP) on SN910 model firewalls were incorrect. They have been increased in order to match this model's actual performance.
Support reference 57286
In configurations that contain a site-to-site IPSec tunnel and an anonymous IPSec policy (nomad users), disabling the site-to-site tunnel (tunnel status off) would not remove the corresponding peer from the IPSec configuration file. This anomaly, which would cause nomad connections to malfunction, has been fixed.
Support reference 54831
During Phase 1 renegotiations of IPSec tunnels in IKEv2, the IPSec engine would destroy the existing SA (Security Association) as well as child SAs before negotiating the new SA.
Since this could cause significant packet loss, the behavior of the engine has been modified so that it negotiates the new SA first before destroying older ones.
Support reference 59152
An issue that could prevent the setup of IPSec IKEv2 tunnels to SN150 model firewalls has been fixed.
Support reference 59280
The number of IKE SAs for the same IPSec IKEv2 tunnel would increase over time, as unused SAs were never removed. This anomaly has been fixed.
Support reference 56268
Whenever an interface was added to or deleted from an aggregate (LACP), the change was not applied in the quality indicator in the high availability mechanism. This anomaly has been fixed.
Support reference 57056
An optimization in the parameters that detect the loss of an active firewall due to electrical issues (ConsensusTimeout parameter) has considerably shortened the time taken for a cluster to switch.
Support reference 56613
After the high availability management engine had been restarted several times unexpectedly, the associated tokens would not be deleted. The token table could then become saturated, preventing other services on the firewall from starting. This issue has been fixed.
Support reference 56478
Instability in the data synchronizer would cause the high availability management service to restart in a loop. As a result of this malfunction, the passive firewall could potentially switch to active mode, making both firewalls in the cluster active. This issue has been fixed.
Support reference 50048
Changing roles after the active member of the cluster has been restarted could cause the IPSec tunnels negotiated by both members of the cluster to be desynchronized.
Support reference 54289 - 58842
After the roles of firewalls have been switched in a cluster, whenever active connections were restored, the parent-child relationship of these connections (connection traffic / data traffic) would not be kept. Data traffic for protocols such as FTP would therefore not be transferred. This issue has been fixed.
Support reference 55076
In configurations that use the Kaspersky antivirus engine, scanning zip bomb files could saturate the temporary partition, leading in turn to a significant CPU load and resulting in an analysis error. This issue has been fixed.
Filter - NAT
Support reference 56570
Whenever the name entered for a filter rule exceeded the maximum length allowed, the length allowed would not be specified in the error message. This anomaly has been fixed and it now indicates that names must not exceed 255 characters.
Support reference 56672
When hovering over a service group used in a filter rule, the tooltip that lists all the services included in the group would not appear. This anomaly has been fixed.
Support reference 58535
When hovering over a service used in a filter rule, incomplete information would be given in the tooltip. This anomaly has been fixed.
Support reference 59297
When hovering over an IP address range network object used in a filter rule, the tooltip would wrongly display the message "Object not found". This anomaly has been fixed.
Policy-based routing (PBR)
Support reference 55190
In a configuration such as the following:
- A static route is applied to a network,
- A filter rule implements policy-based routing (PBR) to the same network for a particular port,
- Address translation is applied when packets leave the firewall,
reloading filter rules would prevent connections matching the PBR rule from being set up.
Support reference 50977
Changes to the firewall's IP address were no longer applied to the Dynamic DNS provider whenever the SSL protocol was used, and the verification of this provider's certificate would even fail. This issue has been fixed.
Support reference 55728
Changes made to the name of the firewall (System > Configuration module) were neither applied to the sender name for email alerts, nor in the SN Real-Time Monitor dashboard. This anomaly has been fixed.
Support reference 56734
The report generated whenever a brute force attack was blocked would not contain the blocked source IP address. This anomaly has been fixed.
Support reference 57328
The firewall would not correctly send the last fragment of a UDP packet meant to go through a VLAN to the parent interface of the VLAN. This issue has been fixed.
Support reference 53881
Whenever a GRE virtual interface that was initially created as inactive was assigned an IP address, its change in status would not immediately be applied in the web administration interface. The user would therefore need to change modules before going back to the virtual interface module in order to view this change. This anomaly has been fixed.
Support reference 58685
Outbound throughput statistics of virtual IPSec interfaces would always display a value of zero. This anomaly has been fixed.
Support reference 57396
For certain streams of traffic that always use the same source port, whenever they passed through a rule in firewall or IDS mode, resetting the first connection would prevent the setup of the connections that immediately follow. These connections would, in fact, have been considered reset as well. This issue has been fixed by allowing the same source port to be reused in firewall and IDS modes (TCP Closed FastReuse).
Support reference 53011 - 58465
After an upgrade of the TeamViewer application, the IPS scan of traffic relating to this application would wrongly set off an "Unknown SSL protocol" block alarm. This issue has been fixed.
RTSP (Real-Time Streaming Protocol)
Support reference 53094
The intrusion prevention system would wrongly block the Scale header in the Play method. This anomaly has been fixed.
Support reference 51867
In configurations that use policy-based routing (PBR) for HTTP traffic, enabling the Apply the NAT rule on scanned traffic option (Global configuration of HTTP in the Application protection > Protocols module) would cause the incorrect routing of packets generated by the proxy.
Support reference 53640
As the YouTube for Education filter mechanism is no longer active, it has been replaced with the YouTube restrictions mechanism. This new mechanism can be enabled and configured (strict or moderate restriction) in the IPS tab in HTTP (Application protection > Protocols module).
Support reference 58409
The maximum number of child connections allowed for SIP has been increased in order to allow:
- 127 simultaneous calls on U30S, U70S, SN150, SN160(W), SN200, SN210(W), SN300 and SN310 models,
- 1023 simultaneous calls on other models,
instead of 16 as was previously the case on all models.
Support reference 53886
Whenever several ICMP requests were received or sent with the same identifier, the same sequence number and different data, the firewall would not take into account reply packets from the first request and would block the requests that followed ("ICMP ECHO payload modified" alarm). This anomaly has been fixed.
Web administration interface
Support reference 54459
Whenever a checkbox was selected in the SSL negotiation section of a given profile, and such a change was applied, the same checkbox would be selected in all profiles by mistake. This issue has been fixed.
Monitoring - Reports - Audit logs
Support reference 56766
On firewall models that do not have log partitions (diskless models), an anomaly with the checkbox for enabling reports (Local storage tab in the Notifications > Logs - Syslog - IPFIX module) has been fixed.
Support reference 57247
Whenever reports and history graphs were both disabled (Notifications > Report configuration module), history graphs covering the past 30 days could not be displayed. This issue has been fixed.
Support reference 53352
Commands to monitor inactive services on the firewall (MONITOR POWER, MONITOR FWADMIN,…) were wrongly logged in the l_server log file. This anomaly has been fixed.
Support reference 54926
User accounts holding all administration privileges were unable to apply configuration changes made in the Network > Multicast routing module (error message "There is nothing to save"). This anomaly has been fixed.
Stormshield Network Real-Time Monitor
Support reference 58502 - 57414
The command to delete users, available via the pop-up menu (right-click) in the Users module, no longer worked. This issue has been fixed.