SNS 4.1.3 bug fixes
System
Proxies
Support reference 75970
When the proxy must send a block page, the absence of a Content-Length header in the reply (HTTP HEAD reply) does not wrongly raise the alarm "Additional data at end of a reply" (alarm http:150) anymore.
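To illustrate the framing rule behind this fix, here is an added Python example (not Stormshield's proxy code) that decides whether bytes following a reply are genuinely additional data: a reply to a HEAD request has no body, so a missing Content-Length on it is normal. The function names and the pending_replies parameter are assumptions of this example.

```python
# Added example (not Stormshield's proxy code): apply the HTTP/1.1 framing rules
# (RFC 7230 section 3.3.3) before deciding that bytes following a reply are
# "additional data". A reply to a HEAD request never carries a body, so a missing
# Content-Length on such a reply is normal and must not raise the alarm.
from typing import Dict, Optional, Tuple

def reply_has_body(method: str, status: int) -> bool:
    """Replies to HEAD, and 1xx/204/304 replies, have no body whatever the headers say."""
    if method.upper() == "HEAD":
        return False
    return not (100 <= status < 200 or status in (204, 304))

def announced_length(method: str, status: int, headers: Dict[str, str]) -> Optional[int]:
    """Body length announced by the framing rules; None means 'read until close'."""
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if not reply_has_body(method, status):
        return 0
    if "chunked" in hdrs.get("transfer-encoding", "").lower():
        # chunked bodies are delimited by the chunk framing, not shown in this example
        raise NotImplementedError("chunked transfer coding is not handled here")
    value = hdrs.get("content-length")
    if value is None:
        return None
    if not value.strip().isdigit():
        raise ValueError("invalid Content-Length: %r" % value)
    return int(value)

def split_reply(method: str, status: int, headers: Dict[str, str],
                payload: bytes, pending_replies: int) -> Tuple[bytes, bytes, bool]:
    """Return (body, remainder, alarm) for the bytes received after the header block.
    remainder is whatever follows this reply's body; on a persistent connection it is
    legitimate only when another reply is still expected (pending_replies > 0)."""
    expected = announced_length(method, status, headers)
    if expected is None:
        return payload, b"", False           # body is delimited by the connection closing
    body, remainder = payload[:expected], payload[expected:]
    alarm = bool(remainder) and pending_replies == 0
    return body, remainder, alarm
```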
Support reference 78432 - 79297
Issues with memory leaks in proxies, which would sometimes restart the service unexpectedly, have been fixed.
Support references 78802 - 79204 - 78210 - 77809 - 79584
An issue with enabling brute force protection, which could freeze the proxy, has been fixed.
Support reference 67947
In configurations with a filter policy that implements:
- A global decryption rule,
- A local filter rule that uses an explicit proxy and has a rule ID equal to or lower than the ID of the global decryption rule,
operations that reload the proxy's configuration (changing the filter policy, the SSL/URL filter policy, the SSL/URL filter engine, the antivirus engine, etc.) no longer end the connections processed by the proxy.
Support reference 79584
An issue with the management of the SSL context, which could freeze the proxy, has been fixed.
Hardware monitoring
Support reference 77170
On SN2100, SN3100 and SN6100 firewalls, the mechanism that monitors fan rotation speed has been optimized so that it no longer wrongly reports alarms that create doubts about the operational status of fans.
High availability (HA)
Support references 78758 - 75581
Memory leak issues, especially in the mechanism that manages HA status and role swapping in a cluster, have been fixed.
High availability (HA) and IPsec VPN (IKEv2 or IKEv1 + IKEv2)
Support reference 79874
An issue with concurrent access between the IPsec VPN log mechanism and the HA cache, occurring after the IPsec configuration is synchronized, would sometimes shut down the IPsec VPN service. This issue has been fixed.
DHCP relay
Support reference 79298
The option Relay DHCP queries for all interfaces (Configuration > Network > DHCP > DHCP relay) now excludes the interfaces created when the PPTP server is enabled (Configuration > VPN > PPTP server), which had prevented the DHCP relay service from starting.
SSL VPN
Support references 73353 - 77976
The SSL VPN client now applies the key renegotiation interval set by default on the SSL VPN server, i.e. 14400 seconds (4 hours). Users who do not have the Stormshield Network SSL VPN client must retrieve a new configuration file from the firewall's authentication portal so that their client applies this interval.
VPN SSL in portal mode
Support reference 68759
SSL VPN in portal mode now uses a component that is compatible with:
- Java 8 JRE,
- or OpenWebStart.
This makes it possible to work around the suspension of public versions of Java JRE 8, scheduled in the near future.
IPsec VPN
Support reference 79553
When IPsec VPN x509 topologies deployed via SMC (Stormshield Management Center) were updated to version 4.1 (certificate-based authentication), the IPsec VPN tunnels involved would not be able to set up. This issue has been fixed.
IPsec VPN IKEv1 - Certificate-based authentication
Support reference 79156
In configurations that use only IKEv1 IPsec VPN tunnels, an anomaly in the mechanism that compares the Distinguished Names (DN) defined in the certificates presented by the local and remote peers prevented such tunnels from setting up. This issue has been fixed.
Sandboxing
Support reference 76120
"Sandboxing license not available" alerts are no longer wrongly raised on firewalls that do not have a sandboxing (Breach Fighter) license and for which sandboxing was not enabled in the configuration.
TPM
On firewalls equipped with a TPM (Trusted Platform Module), on-disk certificates can again be encrypted, and the system can access the module after the TPM's symmetric key is changed.
Certificates and PKI
Support reference 78734
Whenever a request to display CRL distribution points (CRLDP) was applied to a sub-certification authority (sub-CA), the CRLDPs of the sub-CA’s parent authority would be returned instead.
This anomaly has been fixed and the command applied to a sub-CA now correctly displays its CRLDPs.
Network
Default gateway
Support reference 78996
Default gateways located in a public IP network outside the firewall’s public address range can again be defined on the firewall.
Bridge - MAC addresses
Support reference 74879
On interfaces attached to a bridge, when a network device is moved so that the traffic it generates no longer arrives on the same physical interface, the firewall now automatically maps the MAC address of this device to the new interface as soon as a Gratuitous ARP request is received from it. This ensures uninterrupted filtering for the moved device.
The device is switched to the new interface only if its MAC address remains the same after the move.
Interface monitoring - History curves
Support references 78815 - 73024
As the mechanism that retrieves interface names to generate history curves was case sensitive, some history curves were not displayed. This anomaly has been fixed.
Intrusion prevention
DCERPC protocol
Support reference 77417
The DCERPC protocol analyzer would sometimes wrongly create several hundred connection skeletons, causing excessive CPU consumption on the firewall.
This issue, which could prevent the firewall from responding to HA status tracking requests and make the cluster unstable, has been fixed.
sfctl command
Support reference 78769
Using the sfctl command with a filter on a MAC address no longer restarts the firewall unexpectedly.
Web administration interface
Dashboard - Interfaces
Support reference 77313
After a link aggregate is created, the order in which interfaces appear in the Network widget of the dashboard is no longer wrongly changed.
Captive portal
Support reference 78651
Customized logos displayed on the captive portal (Configuration > Users > Authentication > Captive portal > Advanced properties) are now correctly applied.