SNS 4.1.1 bug fixes
System
SSL VPN
Support reference 76762
The Available networks or hosts field was wrongly used to calculate the possible number of SSL VPN clients, and therefore skewed the calculation. This issue has been fixed.
SSL VPN Portal
Support reference 77062
Even though the maximum number of servers accessible via the SSL VPN Portal had been reached, additional machines could still be declared. This would cause the firewall's authentication engine to restart repeatedly. Servers can no longer be created once the limit is reached; this limit varies according to the firewall model.
Support references 77168 - 77132 - 77388
The SLD would occasionally restart and log off all users whenever two users logged in via the SSL VPN portal and accessed the same resource.
Hardware bypass - SNi40 model firewalls
Support reference 78382
On SNi40 industrial firewalls with the hardware bypass function enabled (Configuration > General configuration tab), competing access by hardware monitoring processes to the bypass mechanism would sometimes wrongly enable bypass and report the wrong bypass status in the firewall's web administration interface. This issue has been fixed.
Directory configuration
Support reference 76576
The default port used to access the backup LDAP server is now the same as the port that the main LDAP server uses.
Monitoring gateways
Support references 71502 - 74524
During the startup sequence of the gateway monitoring mechanism, if any of the gateways used in filter rules switched from an internal "maybe down" status (pinging failed) to an internal "reachable" status, the filter would still consider such gateways disabled. This anomaly has been fixed.
When the status of a gateway changes, it will now be logged as an event.
Support reference 75745
On firewalls that process many connections, and which use configurations with many gateways, replies to pings may take longer to reach the gateway monitoring mechanism. When this occurs, the mechanism would continuously re-send pings, and restart without sending notifications such as logs or system events. This issue has been fixed.
Support reference 77579
The gateway monitoring mechanism, which would sometimes restart unexpectedly, has been fixed.
Support reference 76802
In some configurations, the process that relied on the gateway monitoring engine would consume an excessive amount of the firewall's CPU resources. This issue has been fixed.
URL filtering - Extended Web Control
Support reference 78169
Upgrading a firewall to a 4.1.x firmware version no longer prevents the generation of the URL category groups used by Extended Web Control.
Proxies
Support references 77514 - 76343 - 78378 - 78438 - 78469 - 77896
Issues regarding proxies, which were blocked when the antispam was used together with the Kaspersky antivirus, have been fixed.
Support references 76535 - 75662
Potential competing access between SSL and HTTP proxy queues would sometimes shut down the proxy manager unexpectedly. This issue has been fixed.
Support reference 71870
The proxy daemon no longer shuts down unexpectedly whenever the maximum number of simultaneous connections through the SSL proxy is reached.
Support references 70598 - 70926
The behavior of the HTTP proxy has been changed so that the SLD daemon on the firewall will no longer be overwhelmed when too many requests are redirected to the authentication portal. This new mechanism implements protection against brute force attacks.
Support references 76022 - 76017
Changes to some parameters (e.g., memory buffers or TCP window sizes) of the SSL proxy, meant to optimize the amount of data exchanged through this proxy, are now correctly applied.
Support reference 77207
An anomaly in the SSL decision-making cache mechanism (decrypt, do not decrypt, etc.), which occurred when there were simultaneous connections to the same destination IP address on different ports, would occasionally corrupt this cache and freeze the SSL proxy. This anomaly has been fixed.
Support reference 78044
When attempts to connect to an unreachable SSL server resulted in the SSL proxy immediately returning an error message, the firewall would not properly shut down such connections. An increasing amount of such connections wrongly considered active would then slow down legitimate SSL traffic. This anomaly has been fixed.
SMTP proxy
Support reference 77207
In configurations that use the SMTP proxy in an SMTP filter rule, either:
- in “Firewall” security inspection mode, or
- in "IDS" or "IPS" security inspection mode but without SMTP protocol analysis (Application protection > Protocols > SMTP module > IPS tab: Automatically detect and inspect the protocol checkbox unselected),
the SMTP proxy would occasionally freeze when the SMTP server shut down a connection after sending an SMTP 421 server message. This issue has been fixed.
Local storage
Support reference 75301
Firewalls with damaged SD cards (and therefore damaged log storage partitions) would restart in a loop. This issue has been fixed.
IPsec VPN IKEv1
Support reference 77679
In IPsec configurations that use mobile peers with certificate authentication, and for which no peer IDs were specified, the message indicating a switch to experimental mode no longer appears by mistake.
Support reference 77358
When IPsec VPN tunnels were set up with remote users (also known as mobile or nomad users), phase 1 of the IKE negotiation would fail because fragmented packets were not correctly reconstructed after they were received. This anomaly has been fixed.
Support reference 65964
The IPsec management engine (Racoon) used for IKEv1 policies no longer interrupts the phase 2 negotiation with a peer when another phase 2 negotiation fails with the same peer.
IPsec VPN IKEv2 or IKEv1 + IKEv2
Support reference 74391
When an extremely large CRL – containing several thousand revoked certificates – is automatically reloaded, the IPsec IKEv2 tunnel manager no longer restarts in a loop.
Support reference 75303
When the Bird dynamic routing engine (bird for IPv4 or bird6 for IPv6) was restarted too often, it would cause the IKE daemon to malfunction, preventing IPsec VPN tunnels from being negotiated. This anomaly has been fixed.
Support reference 75137
Creating several mobile peers that use the same certificate no longer causes the certificate to be loaded repeatedly. This behavior consumed much more memory unnecessarily when many peers were involved.
Support reference 77722
The presence of the same trusted certification authority with a CRL in both the local IPsec policy and global IPsec policy no longer causes a failure when the IPsec configuration is enabled on the firewall.
Support reference 77097
The management of the authentication process was enhanced for the setup of IPsec VPN tunnels in configurations where several LDAP directories are declared and one or several of these LDAP directories take longer than usual to respond.
These enhancements now make it possible to stop blocking attempts to set up other tunnels during the waiting phase.
IPsec VPN - Virtual interfaces
Support reference 77032
During the decryption of IPv6 traffic transported in IPv4 IPsec tunnels through virtual interfaces, the firewall did not look for return routes among the IPv6 virtual interfaces. Such IPv6 packets are now correctly exchanged at each tunnel endpoint.
IPsec VPN - Logs
Support references 77366 - 69858 - 71797
Text strings exceeding the maximum length allowed when they are sent to the firewall's log management service are now correctly truncated and no longer contain non-UTF-8 characters. This anomaly would cause a malfunction when logs were read through the web administration interface.
In addition:
- The maximum supported length of a log line is now 2048 characters,
- The maximum supported length of a text field contained in a log line is now 256 characters.
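The two limits above are easy to get wrong at multibyte boundaries: cutting a field at a byte count can leave a partial UTF-8 sequence behind, which is exactly the kind of non-UTF-8 residue that broke the log viewer. The following is an added example (not Stormshield code); the key="value" layout, the field names and the sample content are assumptions made for the illustration, not the firewall's actual log format.

```python
# Added example (not Stormshield code): enforce the documented log limits,
# 2048 characters per line and 256 characters per text field, without ever
# emitting invalid UTF-8. The key="value" layout and field names are
# assumptions made for this example, not the firewall's actual log format.

MAX_LINE_CHARS = 2048   # documented maximum length of a log line
MAX_FIELD_CHARS = 256   # documented maximum length of a text field


def is_valid_utf8(data: bytes) -> bool:
    """True if the bytes decode as UTF-8 without error."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def naive_truncate(raw: bytes, max_bytes: int) -> bytes:
    """Byte-level cut. This is the kind of truncation a fix must avoid:
    cutting inside a multibyte sequence leaves a partial character behind."""
    return raw[:max_bytes]


def safe_truncate_field(raw: bytes, max_chars: int = MAX_FIELD_CHARS) -> str:
    """Discard bytes that are not valid UTF-8, then cut on character
    boundaries (str indexing counts code points, not bytes)."""
    text = raw.decode("utf-8", errors="ignore")
    return text[:max_chars]


def build_log_line(fields: dict, max_chars: int = MAX_LINE_CHARS) -> str:
    """Assemble a key="value" line with every field bounded, then bound
    the whole line. Values are bytes as received from the producer."""
    parts = [f'{key}="{safe_truncate_field(raw)}"' for key, raw in fields.items()]
    return " ".join(parts)[:max_chars]


# Constructed sample: an accented character, one invalid byte (0xFF) and a
# 300-character run that exceeds the field limit.
SAMPLE_MSG = "caf\u00e9 ".encode("utf-8") + b"\xff" + b"x" * 300

if __name__ == "__main__":
    cut = naive_truncate("caf\u00e9".encode("utf-8"), 4)
    print("naive cut is valid UTF-8:", is_valid_utf8(cut))
    field = safe_truncate_field(SAMPLE_MSG)
    print("field length:", len(field), "valid UTF-8:", is_valid_utf8(field.encode("utf-8")))
    line = build_log_line({"user": b"alice", "msg": SAMPLE_MSG})
    print("line length:", len(line))
```

Decoding with errors="ignore" drops invalid bytes rather than replacing them with U+FFFD, so the stored text never carries a marker that a downstream parser might trip on; the trade-off is that the dropped bytes are lost, which for a log field is preferable to an unreadable line.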
Initial configuration via USB key
Support reference 77603
An anomaly in how special characters (spaces, ampersands, etc.) are managed when CSV files are imported could prevent some data from being applied (e.g., certificates with names that contain spaces). This anomaly has been fixed.
Antivirus
Support references 77399 - 77369 - 78378 - 78156 - 78579
The antivirus engine no longer freezes at startup, or when its configuration is reloaded in the absence of a Breach Fighter sandboxing license, or when sandboxing is not properly configured.
Network objects
Support reference 77385
When a global network object linked to a protected interface is created, this object will now be correctly included in the Networks_internals group.
Restoration of network objects
Support reference 76167
When local or global network objects are restored using a backup file (file with a “.na” extension), the firewall's network routes are reloaded to apply changes that may affect network objects involved in routing.
TPM
Support reference 76664
When a certificate is revoked, the associated .pkey.tpm file is now properly deleted.
Support reference 76665
When a PEM certificate is imported on the firewall without its private key, the debug command tpmctl -a -v no longer wrongly returns a TPM file reading error message (tpm file read error).
SNMP agent
Support references 65418 - 71393
SNMP responses such as SNMP_NOSUCHOBJECT, SNMP_NOSUCHINSTANCE and SNMP_ENDOFMIBVIEW are now correctly interpreted and no longer cause SNMP protocol analyses to stop unexpectedly.
Support reference 71584
The use of the value snmpEngineBoots has changed in order to comply with RFC 3414.
Support references 74522 - 74521
The anomalies observed in table indexing, which reflected the hardware status of cluster members in the HA MIB, have been fixed.
Connection from Stormshield Management Center (SMC)
During the initial connection from SMC to the web administration interface of a firewall in version 4.0.1 or higher, attempts to retrieve the archive containing all the interface data would fail, thereby preventing connections to the firewall from SMC. This anomaly has been fixed.
Reports
In some cases, running the system command checkdb -C, which allows the integrity of the report database to be verified, would actually cause it to be deleted. The system that enabled interaction with this database has therefore been enhanced to introduce more thorough verifications, especially in error management.
For more information on the syntax of this command, refer to the CLI /SSH Commands Reference Guide.
Behavior when the log management service is saturated
Support references 73078 - 76030
When the log management service on the firewall is saturated, it is now possible to define how the firewall manages packets that generate alarms and those intercepted by filter rules that have been configured to log events:
- Block such packets since the firewall is no longer able to log such events,
- Do not block such packets and apply the configuration of the security policy even though the firewall is unable to log such events.
The behavior of the intrusion prevention system can be configured in the firewall's administration interface via Configuration > Application protection > Inspection profiles.
A percentage threshold, above which the firewall will consider that its log management service is saturated, can also be set. Once this percentage is reached, the firewall will apply the configured action to packets that need to be logged.
The threshold can be changed only with the following CLI / Serverd commands:
CONFIG SECURITYINSPECTION COMMON LOGALARM BlockOverflow=<0|1> BlockDrop=<0-100>
CONFIG SECURITYINSPECTION COMMON LOGFILTER BlockOverflow=<0|1> BlockDrop=<0-100>
For more information on the syntax of these commands, refer to the CLI SERVERD Commands Reference Guide.
High availability
Support reference 70003
The validity of the license for the Vulnerability manager option is now verified before the configuration is synchronized to avoid unnecessarily generating error messages in logs such as "Target: all From: SNXXXXXXXXXXXXX Command: SYNC FILES failed: Command failed : Command has failed : code 1".
Support reference 56682
The test process in which nodes in the same cluster confirm the availability of other nodes has been enhanced so that the passive node will not be wrongly switched to active mode, thereby creating a configuration with two active nodes.
High availability - IPsec VPN (IKEv2 policy or IKEv1 + IKEv2 policy)
In high availability configurations that apply IKEv2 or IKEv1+IKEv2 IPsec policies, an anomaly sometimes wrongly detected the replay of ESP sequence numbers and packet loss after two failovers in the cluster. This anomaly has been fixed.
High availability - link aggregation
Support reference 76748
In a high availability configuration, an active node switching to passive mode no longer wrongly disables VLAN interfaces that belong to a link aggregate (LACP).
Maintenance - High availability
Support reference 75986
In a high availability configuration, the option that allowed an active partition to be copied to the backup partition from the other member of the cluster is available again (module System > Maintenance > Configuration tab).
Filter - NAT - MAC addresses
Support reference 76399
A rule that has a host object as its destination with a forced MAC address (host in a DHCP reservation, for example) now correctly filters traffic that matches it.
High availability - Filtering and NAT - Time objects
Support references 76822 - 73023 - 76199
To prevent network instability in high availability clusters, the re-evaluation of filter rules is now optimized when there is a change in the status of time objects used in one or several of these rules.
Support reference 76822
The re-evaluation of filter rules has been optimized when time objects used in several rules in the filter policy change their status.
Routers
Support references 75745 - 74524
After a firewall is restarted, the router monitoring service now correctly applies the last known status of the monitored routers.
Certificates and PKI
Attempts to import a certificate already found in the firewall's PKI when the “Overwrite existing content” option is unselected, no longer duplicate this certificate on the firewall.
During a connection to a firewall from an SMC server, the firewall now checks that the certificate of the SMC server contains an ExtendedKeyUsage field with the attribute ServerAuth.
Monitoring certificates and CRLs
Support reference 76169
In a HA cluster, the mechanism that monitors the validity of certificates and CRLs on the passive firewall no longer wrongly generates system events every 10 seconds. Typical events are Passive certificate validity (event 133) or Passive CRL validity (event 135).
In addition, the mechanism that monitors the validity of CRLs now only generates alerts when a CRL exceeds half of its lifetime and is due to expire in less than 5 days.
Firmware updates
The certificate used to sign firmware updates now contains a specific OID monitored by the mechanism that verifies the firewall's update files.
Radius authentication
Support reference 74824
In a configuration that uses Radius server authentication via pre-shared key, selecting another host object in the Server field, then saving this only change no longer causes the initial pre-shared key to be deleted.
Automatic backups
Support reference 75051
The mechanism that checks the certificates of automatic backup servers was modified after the expiry of the previous certificate.
Support reference 77432
The absence of the "/log" folder no longer prevents automatic backups from functioning properly.
Network interfaces
Support reference 76645
When a bridge is deleted, all occurrences of this bridge are now correctly removed from configuration files, so leftover entries no longer prevent new interfaces from being displayed when new network modules are added.
DHCP relay
Support reference 75491
When GRE interfaces are defined on the firewall, selecting “Relay DHCP queries for all interfaces” no longer causes the DHCP relay service to restart in a loop.
Network
Bird dynamic routing
Support reference 77707
The check link directive used in the protocol direct section in the Bird dynamic routing configuration file is now correctly applied for IXL network interfaces (fiber 4x10Gbps and 2x40Gbps network extension modules for SN2100, SN3100 and SN6100 models; 4x10G BASE-T modules for SN710, SN910, SN2000, SN2100, SN3000, SN3100 and SN6100 models; fiber 10Gbps onboard ports on SN6100 models) and IGB network interfaces (SNi20, SNi40, SN2000, SN3000, SN6000, SN510, SN710, SN910, SN2100, SN3100 and SN6100).
Interfaces
Support references 73236 - 73504
On SN2100, SN3100, SN6100 and SNi40 firewall models, packets would occasionally be lost when a cable was connected to:
- One of the management ports (MGMT) on SN2100, SN3100 or SN6100 models, or
- One of the interfaces of an SNi40 firewall.
This issue has been fixed by updating the driver for these interfaces.
Wi-Fi
Support reference 75238
Changes to the access password of a Wi-Fi network hosted by the firewall are now correctly applied.
Hardware monitoring
System events (ID 88 and 111) are now generated when a defective power supply module reverts to its optimal status (when the module is replaced or plugged back in).
Intrusion prevention
TNS protocol - Oracle
Support references 77721 - 71272
Analyses of TNS - Oracle client-server communications that undergo packet fragmentation and address translation (NAT) would desynchronize traffic due to packets being rewritten. This issue has been fixed.
TCP protocol
Support reference 76621
When a threshold was defined for the Maximum number of simultaneous connections for a source host in the TCP configuration, and a TCP-based filter rule blocked an attempted SYN flood denial of service attack, the packets that raised the alarm were correctly blocked but no alarm was written to the corresponding log file (l_alarm). This anomaly has been fixed.
RTSP protocol
Support reference 73084
When an RTSP request that uses an RTP/AVP/UDP transport mode passes through the firewall, the RTSP analysis engine no longer deletes the Transport field and broadcast channels are set up correctly.
Policy Based Routing (PBR)
Support reference 77489
When a firewall-initiated connection was created, the system would query the intrusion prevention engine to determine the need for policy-based routing, which would lead to issues with competing access and cause the firewall to freeze. This issue has been fixed.
HTTP
The HTTP protocol analysis no longer raises an alarm or blocks traffic when there is an empty field in the HTTP header, especially when SOAP messages are encapsulated in an HTTP request.
Support references 74300 - 76147
When a value is entered in the Max. length for a HTML tag (Bytes) field (Application protection > Protocols > HTTP module > IPS tab > HTML/Javascript analyses), and a packet presents an attribute that exceeds this value, the firewall no longer wrongly returns the error “Possible attribute on capacity (parser data handler (not chunked))” but the error “Capacity exceeded in an HTML attribute”.
NTP
Support reference 74654
To improve compatibility with certain vendors, the maximum size of NTP v3 packets considered valid is now set to 120 bytes by default.
Connection counter
Support reference 74110
The mechanism that counts simultaneous connections has been optimized to no longer raise the alarm “Maximal number of connexions per host reached” (alarm tcpudp:364).
DNS protocol
Support reference 71552
Requests to update DNS records are now better managed in compliance with RFC 2136 and no longer trigger the block alarm "Bad DNS protocol" (alarm dns:88).
Quarantine when alarm raised on number of connections
Support reference 75097
When “Place the host under quarantine” is the action set for the alarm “Maximal number of connexions per host reached” (alarm tcpudp:364), the host that triggered this alarm is now correctly added to the blacklist for the quarantine period configured.
Filtering - SIP protocol
Support reference 76009
An error message now appears when there is an attempt to enable a filter rule in which:
- The option Redirect incoming SIP calls (UDP) is enabled (Action > Advanced properties > Redirection), and
- Two or more destination ports are defined, one relying on ANY as a protocol, and at least another based on UDP or TCP.
Policy-based routing
Support reference 76999
In PBR, when routers were changed directly in filter rules, IPState connection tables (for GRE, SCTP and other protocols) now apply the new router IDs.
Hardware
SN6000 model firewalls
Support references 75577 - 75579
In a few rare cases, a message warning of missing power supply modules would be wrongly sent on SN6000 firewalls equipped with an IPMI module in version 3.54. A mechanism that restarts the IPMI module has been set up to deal with this issue.
This mechanism is disabled by default and does not affect traffic going through the firewall, but it temporarily prevents component data from being refreshed. The mechanism needs about five minutes to run its course, the time it takes to restart the IPMI module and refresh component data.
This new parameter can only be modified through the CLI / SSH command:
setconf /usr/Firewall/ConfigFiles/system Monitord EnableRestartIPMI <0|1>
For more information on the syntax of this command, refer to the CLI /SSH Commands Reference Guide.
Virtual machines
EVA on Microsoft Azure
Support reference 76339
The Microsoft Azure Linux Guest Agent log file (file waagent.log) was moved to the "/log" folder on the firewall to avoid saturating the "/var" file system on the firewall.
Web administration interface
Users and groups
Support reference 78413
In directories that have several thousand entries (especially in nested groups), requests to display users and groups for a selection (e.g., the Filter - NAT module) could take an unusually long time and cause the display of the module to freeze. This issue has been fixed.
Reports
Support reference 73376
The “Top sessions of Administrators” report now shows all the sessions of the firewall's administrators, i.e., sessions of the admin (super administrator) account and of all users and user groups added as administrators. The report previously contained only sessions of the admin (super administrator) account.
40 Gb/s network modules
The maximum throughput indicated in each interface’s configuration panel is now 40 Gb/s for the network modules concerned.
Protocols
Support reference 75435
The search filter applied to the protocol tree (Application protection > Protocols) now stops being applied after a module is reloaded.
Interface monitoring
Support reference 76162
The theoretical throughput of Wi-Fi interfaces now factors in the standard used (A/B/G/N) and no longer indicates 10 Mb/s systematically.
Hardware monitoring / High availability
The serial number of both members of the cluster now appears in the list of indicators.
LDAP directories
Support reference 69589
Users can now correctly access an external LDAP directory hosted on another Stormshield firewall via a secure connection (SSL) when the option “Check the certificate against a Certification authority” is selected.
Filter - NAT
Support reference 76698
Network objects defined with only a MAC address are now correctly listed as available network objects when a filter rule is being created.
Static routing - Return routes
Support references 77012 - 77013
USB/Ethernet (4G modem) interfaces can now be selected as the routing interface when a static route or return route is added.
Filtering - Implicit rules
Support reference 77095
When the administrator requests to disable all implicit rules, the system command to disable them is now correctly applied.
SSL VPN
Support reference 76588
When the SSL VPN configuration module is opened, the window indicating that the captive portal is not enabled on external interfaces no longer appears by mistake when it is enabled.
Global router objects
Support reference 76552
Double-clicking on a router object now correctly opens the window to edit routers instead of the window for hosts.
Protocols - DNS
Support reference 72583
After the action applied to a DNS registration type is changed, displaying other DNS profiles successively no longer causes an error when the table of DNS registration types and applied actions is refreshed.
User names
Support reference 74102
User names are no longer case-sensitive when they are saved in the tables of the intrusion prevention engine. This guarantees that names are mapped to filter rules based on the names of authenticated users.
Authentication methods
Support reference 76608
During a user’s initial access to the Users > Authentication module, the message asking the user to save changes before quitting, even though none were made, will no longer appear.