SNS 4.1.3 bug fixes

System

Proxies

Support reference 75970

When the proxy must send a block page, the absence of a Content-Length header in the reply (as in an HTTP HEAD reply) no longer wrongly raises the alarm "Additional data at end of a reply" (alarm http:150).

Support reference 78432 - 79297

Memory leaks in the proxies, which would sometimes cause the service to restart unexpectedly, have been fixed.

Support references 78802 - 79204 - 78210 - 77809 - 79584

An issue with enabling brute force protection, which could freeze the proxy, has been fixed.

Support reference 67947

In configurations with a filter policy that implements:

  • A global decryption rule,
  • A local filter rule that uses an explicit proxy and has a rule ID that is equal to or lower than the ID of the global decryption rule.

Operations that reload the proxy's configuration (changing the filter policy, the SSL/URL filter policy, the SSL/URL filter engine, the antivirus engine, etc.) no longer end the connections being processed by the proxy.

Support reference 79584

An issue with the management of the SSL context, which could freeze the proxy, has been fixed.

Hardware monitoring

Support reference 77170

On SN2100, SN3100 and SN6100 firewalls, the mechanism that monitors fan rotation speed has been optimized so that it no longer wrongly reports alarms that create doubts about the operational status of fans.

High availability (HA)

Support references 78758 - 75581

Memory leak issues, especially in the mechanism that manages HA status and role swapping in a cluster, have been fixed.

High availability (HA) and IPsec VPN (IKEv2 or IKEv1 + IKEv2)

Support reference 79874

An issue with concurrent access between the IPsec VPN log mechanism and the HA cache after the synchronization of the IPsec configuration would sometimes shut down the IPsec VPN service. This issue has been fixed.

DHCP relay

Support reference 79298

The option Relay DHCP queries for all interfaces (Configuration > Network > DHCP > DHCP relay) now excludes the interfaces created when the PPTP server is enabled (Configuration > VPN > PPTP server). These interfaces previously prevented the DHCP relay service from starting.

SSL VPN

Support references 73353 - 77976

The SSL VPN client now applies the key renegotiation interval set by default on the SSL VPN server, which is 14400 seconds (4 hours). Users who do not have the Stormshield Network SSL VPN client must retrieve a new configuration file from the firewall's authentication portal so that their client applies this interval.

SSL VPN in portal mode

Support reference 68759

SSL VPN in portal mode now uses a component that is compatible with:

This makes it possible to work around the upcoming suspension of public releases of Java JRE 8.

IPsec VPN

Support reference 79553

When IPsec VPN x509 topologies deployed via SMC (Stormshield Management Center) were updated to version 4.1 (certificate-based authentication), the IPsec VPN tunnels involved could no longer be set up. This issue has been fixed.

IPsec VPN IKEv1 - Certificate-based authentication

Support reference 79156

In configurations that use only IKEv1 IPsec VPN tunnels, an anomaly in the mechanism that compares the Distinguished Names (DN) defined in the certificates presented by the local and remote peers prevented such tunnels from being set up. This issue has been fixed.

Sandboxing

Support reference 76120

"Sandboxing license not available" alerts are no longer wrongly raised on firewalls that do not have a sandboxing (Breach Fighter) license and for which sandboxing was not enabled in the configuration.

TPM

On firewalls equipped with a TPM (Trusted Platform Module), on-disk certificates can again be encrypted, and the system can still access the module after the TPM's symmetric key is changed.

Certificates and PKI

Support reference 78734

Whenever a request to display CRL distribution points (CRLDP) was applied to a sub-certification authority (sub-CA), the CRLDPs of the sub-CA's parent authority were returned instead. This anomaly has been fixed, and the command applied to a sub-CA now correctly displays its own CRLDPs.

Network

Default gateway

Support reference 78996

Default gateways located in a public IP network outside the firewall’s public address range can again be defined on the firewall.

Bridge - MAC addresses

Support reference 74879

On interfaces attached to a bridge, when a network device is moved so that the traffic it generates no longer arrives on the same physical interface, the firewall now automatically maps the device's MAC address to the new interface as soon as a Gratuitous ARP request is received from the device. This ensures uninterrupted filtering for the moved device. The device is switched only if its MAC address is unchanged after the move.

Interface monitoring - History curves

Support references 78815 - 73024

As the mechanism that retrieves interface names to generate history curves was case sensitive, some history curves were not displayed. This anomaly has been fixed.

Intrusion prevention

DCERPC protocol

Support reference 77417

The DCERPC protocol analyzer would sometimes wrongly create several hundred connection skeletons, causing excessive CPU consumption on the firewall. This issue, which could prevent the firewall from responding to HA status tracking requests and make the cluster unstable, has been fixed.

sfctl command

Support reference 78769

Using the sfctl command with a filter on a MAC address no longer restarts the firewall unexpectedly.

Web administration interface

Dashboard - Interfaces

Support reference 77313

After a link aggregate is created, the order in which interfaces appear in the Network widget of the dashboard is no longer wrongly changed.

Captive portal

Support reference 78651

Customized logos displayed on the captive portal (Configuration > Users > Authentication > Captive portal > Advanced properties) are now correctly applied.